diff --git a/.editorconfig b/.editorconfig deleted file mode 100644 index 890d970..0000000 --- a/.editorconfig +++ /dev/null @@ -1,23 +0,0 @@ -root = true - -[*] -end_of_line = lf -insert_final_newline = true -indent_style = space -charset = utf-8 - -[*.nix] -indent_size = 2 -trim_trailing_whitespace = true - -[*.md] -indent_size = 2 -trim_trailing_whitespace = false - -[*.json] -indent_size = 2 -trim_trailing_whitespace = true - -[*.yaml] -indent_size = 2 -trim_trailing_whitespace = true diff --git a/.sops.yaml b/.sops.yaml deleted file mode 100644 index cc9178f..0000000 --- a/.sops.yaml +++ /dev/null @@ -1,156 +0,0 @@ -keys: - - &admin_gpg_djerun EF643F59E008414882232C78FFA8331EEB7D6B70 - - &admin_gpg_stb F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - &admin_gpg_jtbx 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - &admin_gpg_yuri 87AB00D45D37C9E9167B5A5A333448678B60E505 - - &admin_gpg_june 057870A2C72CD82566A3EC983695F4FCBCAE4912 - - &admin_gpg_haegar F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - &admin_gpg_dario 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - &admin_gpg_echtnurich 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - &admin_gpg_max 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA - - &admin_gpg_c6ristian B71138A6A8964A3C3B8899857B4F70C356765BAB - - &admin_gpg_dante 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF - - &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7 - - &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t - - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk - - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0 - - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt - - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae - - &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch - - &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r -creation_rules: - - path_regex: config/hosts/git/.* - key_groups: - - pgp: - - *admin_gpg_djerun - - *admin_gpg_stb - - *admin_gpg_jtbx - - *admin_gpg_yuri - - *admin_gpg_june - - *admin_gpg_haegar - - *admin_gpg_dario - - *admin_gpg_echtnurich - - *admin_gpg_max - - *admin_gpg_c6ristian - age: - - *host_age_git - - path_regex: config/hosts/forgejo-actions-runner/.* - key_groups: - - pgp: - - *admin_gpg_djerun - - *admin_gpg_stb - - *admin_gpg_jtbx - - *admin_gpg_yuri - - *admin_gpg_june - - *admin_gpg_haegar - - *admin_gpg_dario - - *admin_gpg_echtnurich - - *admin_gpg_max - - *admin_gpg_c6ristian - age: - - *host_age_forgejo_actions_runner - - path_regex: config/hosts/matrix/.* - key_groups: - - pgp: - - *admin_gpg_djerun - - *admin_gpg_stb - - *admin_gpg_jtbx - - *admin_gpg_yuri - - *admin_gpg_june - - *admin_gpg_haegar - - *admin_gpg_dario - - *admin_gpg_echtnurich - - *admin_gpg_max - - *admin_gpg_c6ristian - age: - - *host_age_matrix - - path_regex: config/hosts/public-web-static/.* - key_groups: - - pgp: - - *admin_gpg_djerun - - *admin_gpg_stb - - *admin_gpg_jtbx - - *admin_gpg_yuri - - *admin_gpg_june - - *admin_gpg_haegar - - *admin_gpg_dario - - *admin_gpg_echtnurich - - *admin_gpg_max - - *admin_gpg_c6ristian - age: - - *host_age_public_web_static - - path_regex: config/hosts/mjolnir/.* - key_groups: - - pgp: - - *admin_gpg_djerun - - *admin_gpg_stb - - *admin_gpg_jtbx - - *admin_gpg_yuri - - *admin_gpg_june - - *admin_gpg_haegar - - *admin_gpg_dario - - *admin_gpg_echtnurich - - *admin_gpg_max - - *admin_gpg_c6ristian - age: - - *host_age_mjolnir - - path_regex: config/hosts/woodpecker/.* - key_groups: - - pgp: - - *admin_gpg_djerun - - *admin_gpg_stb - - *admin_gpg_jtbx - - *admin_gpg_yuri - - *admin_gpg_june - - *admin_gpg_haegar - - *admin_gpg_dario - - *admin_gpg_echtnurich - - *admin_gpg_max - - *admin_gpg_c6ristian - age: - - *host_age_woodpecker - - path_regex: config/hosts/penpot/.* - key_groups: - - pgp: - - *admin_gpg_djerun - - *admin_gpg_stb - - *admin_gpg_jtbx - - *admin_gpg_yuri - - *admin_gpg_june - - *admin_gpg_haegar - - *admin_gpg_dario - - *admin_gpg_echtnurich - - *admin_gpg_max - - *admin_gpg_c6ristian - age: - - *host_age_penpot - - path_regex: config/hosts/yate/.* - key_groups: - - pgp: - - *admin_gpg_djerun - - *admin_gpg_stb - - *admin_gpg_jtbx - - *admin_gpg_yuri - - *admin_gpg_june - - *admin_gpg_haegar - - *admin_gpg_dario - - *admin_gpg_echtnurich - - *admin_gpg_max - - *admin_gpg_c6ristian - age: - - *host_age_yate - - key_groups: - - pgp: - - *admin_gpg_djerun - - *admin_gpg_stb - - *admin_gpg_jtbx - - *admin_gpg_yuri - - *admin_gpg_june - - *admin_gpg_haegar - - *admin_gpg_dario - - *admin_gpg_echtnurich - - *admin_gpg_max - - *admin_gpg_c6ristian -stores: - yaml: - indent: 2 diff --git a/LICENSE b/LICENSE deleted file mode 100644 index 37eee6c..0000000 --- a/LICENSE +++ /dev/null @@ -1,21 +0,0 @@ -MIT License - -Copyright (c) CCCHH - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. diff --git a/README.md b/README.md deleted file mode 100644 index 34690bd..0000000 --- a/README.md +++ /dev/null @@ -1,80 +0,0 @@ -# nix-infra - -nix infrastructure configuration for CCCHH. - -For deployment we're using [infra-rebuild](https://git.hamburg.ccc.de/CCCHH/infra-rebuild). \ -To easily get a shell with `infra-rebuild` going, use the following command: - -``` -nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild -``` - -After that you can simply run the following to deploy e.g. the git and matrix hosts: - -``` -infra-rebuild switch git matrix -``` - -By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment. -However to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used. -This is exactly what we're doing to set the default deployment user to `colmena-deploy` and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration. - -## Setting up secrets with sops-nix for a host - -1. Convert the hosts SSH host public key to an age public key. - This can be done by connecting to the host and running: - ``` - cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age - ``` -2. Add the resulting age public key to the `.sops.yaml` as a YAML anchor in keys. - It should be named something like: `host_age_hostname` -3. Add a new creation rule for the hosts config directory. - It should probably have all admin keys and the hosts age key. \ - You can use existing creation rules as a reference. -4. Create a file containing the relevant secrets in the hosts config directory. - This can be accomplished with a command similar to this: - ``` - sops config/hosts/hostname/secrets.yaml - ``` - Note: Nested keys don't seem to be compatible with sops-nix. -5. Add the following entry to the modules of the hosts `nixosConfiguration`: - ```nix - sops-nix.nixosModules.sops - ``` -6. Create a `sops.nix` in the hosts config directory containing the following content to include the `secrets.yaml`: - ```nix - { ... }: - - { - sops = { - defaultSopsFile = ./secrets.yaml; - }; - } - ``` -7. Make sure the `sops.nix` gets imported. For example in the `default.nix`. -8. To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following: - ```nix - sops.secrets."forgejo_git_smtp_password" = { - mode = "0440"; - owner = "forgejo"; - group = "forgejo"; - restartUnits = [ "forgejo.service" ]; - }; - ``` - This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host. - -## Build NixOS Proxmox VE Template - -Build a new NixOS Proxmox VE Template for the thinkcccore's: -```shell -nix build .#proxmox-nixos-template -``` -Build a new NixOS Proxmox VE Template for the chaosknoten: -```shell -nix build .#proxmox-chaosknoten-nixos-template -``` - -## License - -This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE). -[`librespot_PR1528_conflicts_resolved.patch`](patches/librespot_PR1528_conflicts_resolved.patch) is a modified version of [librespot PR 1528](https://github.com/librespot-org/librespot/pull/1528) and is licensed under the [MIT license](https://github.com/librespot-org/librespot/blob/dev/LICENSE). diff --git a/config/common/admin-environment.nix b/config/common/admin-environment.nix deleted file mode 100644 index 5af7454..0000000 --- a/config/common/admin-environment.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ config, pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - vim - joe - nano - htop - btop - ripgrep - fd - tmux - git - curl - rsync - ssh-to-age - usbutils - nix-tree - # For kitty terminfo. - kitty - ]; -} diff --git a/config/common/default-state-version.nix b/config/common/default-state-version.nix index a3343c7..090e729 100644 --- a/config/common/default-state-version.nix +++ b/config/common/default-state-version.nix @@ -13,5 +13,5 @@ # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = lib.mkDefault "24.05"; + system.stateVersion = lib.mkDefault "23.05"; } diff --git a/config/common/default.nix b/config/common/default.nix index 5457e4e..76bece1 100644 --- a/config/common/default.nix +++ b/config/common/default.nix @@ -3,7 +3,6 @@ { imports = [ ./acme.nix - ./admin-environment.nix ./default-host-platform.nix ./default-state-version.nix ./localization.nix diff --git a/config/common/nix.nix b/config/common/nix.nix index 1b253d6..f19f681 100644 --- a/config/common/nix.nix +++ b/config/common/nix.nix @@ -1,4 +1,4 @@ -{ ... }: +{ ... }: { nix = { diff --git a/config/common/users.nix b/config/common/users.nix index 4ddef2a..54970ec 100644 --- a/config/common/users.nix +++ b/config/common/users.nix @@ -6,29 +6,34 @@ # - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix # - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings -{ config, pkgs, lib, authorizedKeysRepo, ... }: +{ config, pkgs, lib, ... }: let + authorizedKeysRepo = builtins.fetchGit { + url = "ssh://git@gitlab.hamburg.ccc.de:4242/ccchh/infrastructure-authorized-keys.git"; + ref = "trunk"; + rev = "6dbf11113603a4f6c12f781c2dc7a8980e65a131"; + }; authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys")); in -{ - users.mutableUsers = false; + { + users.mutableUsers = false; - users.users.chaos = { - isNormalUser = true; - description = "Chaos"; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = authorizedKeys; - }; + users.users.chaos = { + isNormalUser = true; + description = "Chaos"; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = authorizedKeys; + }; - users.users.colmena-deploy = { - isNormalUser = true; - extraGroups = [ "wheel" ]; - openssh.authorizedKeys.keys = authorizedKeys; - }; + users.users.colmena-deploy = { + isNormalUser = true; + extraGroups = [ "wheel" ]; + openssh.authorizedKeys.keys = authorizedKeys; + }; - nix.settings.trusted-users = [ "colmena-deploy" ]; + nix.settings.trusted-users = [ "colmena-deploy" ]; - # Since our user doesn't have a password, allow passwordless sudo for wheel. - security.sudo.wheelNeedsPassword = false; -} + # Since our user doesn't have a password, allow passwordless sudo for wheel. + security.sudo.wheelNeedsPassword = false; + } diff --git a/config/extra/prometheus-exporter.nix b/config/extra/prometheus-exporter.nix deleted file mode 100644 index 46477ed..0000000 --- a/config/extra/prometheus-exporter.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ ... }: - -{ - services.prometheus.exporters.node = { - enable = true; - openFirewall = true; - }; -} diff --git a/config/hosts/audio-hauptraum-kueche/audio.nix b/config/hosts/audio-hauptraum-kueche/audio.nix index 2a75d8a..aa49f2f 100644 --- a/config/hosts/audio-hauptraum-kueche/audio.nix +++ b/config/hosts/audio-hauptraum-kueche/audio.nix @@ -8,7 +8,6 @@ enable = true; name = "Audio Hauptraum Küche"; }; - services.mpd.musicDirectory = "smb://beamer:beamer@beamer.z9.ccchh.net/music"; users.users.chaos.extraGroups = [ "pipewire" ]; } diff --git a/config/hosts/audio-hauptraum-kueche/configuration.nix b/config/hosts/audio-hauptraum-kueche/configuration.nix index 93a6b53..afab440 100644 --- a/config/hosts/audio-hauptraum-kueche/configuration.nix +++ b/config/hosts/audio-hauptraum-kueche/configuration.nix @@ -2,7 +2,6 @@ { networking = { hostName = "audio-hauptraum-kueche"; - domain = "z9.ccchh.net"; }; system.stateVersion = "23.05"; diff --git a/config/hosts/audio-hauptraum-kueche/networking.nix b/config/hosts/audio-hauptraum-kueche/networking.nix index 6e1e7d8..ee01d0b 100644 --- a/config/hosts/audio-hauptraum-kueche/networking.nix +++ b/config/hosts/audio-hauptraum-kueche/networking.nix @@ -1,19 +1,20 @@ -{ ... }: +{ config, pkgs, ... }: { networking = { interfaces.net0 = { ipv4.addresses = [ { - address = "172.31.200.14"; + address = "10.31.210.10"; prefixLength = 23; } ]; }; - defaultGateway = "172.31.200.1"; - nameservers = [ "172.31.200.1" ]; + defaultGateway = "10.31.210.1"; + nameservers = [ + "10.31.210.1" + ]; }; - systemd.network.links."10-net0" = { matchConfig.MACAddress = "1E:EF:2D:92:81:DA"; linkConfig.Name = "net0"; diff --git a/config/hosts/audio-hauptraum-tafel/audio.nix b/config/hosts/audio-hauptraum-tafel/audio.nix index f090fd9..3389720 100644 --- a/config/hosts/audio-hauptraum-tafel/audio.nix +++ b/config/hosts/audio-hauptraum-tafel/audio.nix @@ -8,7 +8,6 @@ enable = true; name = "Audio Hauptraum Tafel"; }; - services.mpd.musicDirectory = "smb://beamer:beamer@beamer.z9.ccchh.net/music"; users.users.chaos.extraGroups = [ "pipewire" ]; } diff --git a/config/hosts/audio-hauptraum-tafel/configuration.nix b/config/hosts/audio-hauptraum-tafel/configuration.nix index 2f14d0c..d7b128c 100644 --- a/config/hosts/audio-hauptraum-tafel/configuration.nix +++ b/config/hosts/audio-hauptraum-tafel/configuration.nix @@ -2,7 +2,6 @@ { networking = { hostName = "audio-hauptraum-tafel"; - domain = "z9.ccchh.net"; }; system.stateVersion = "23.05"; diff --git a/config/hosts/audio-hauptraum-tafel/networking.nix b/config/hosts/audio-hauptraum-tafel/networking.nix index e357d38..6052909 100644 --- a/config/hosts/audio-hauptraum-tafel/networking.nix +++ b/config/hosts/audio-hauptraum-tafel/networking.nix @@ -1,19 +1,20 @@ -{ ... }: +{ config, pkgs, ... }: { networking = { interfaces.net0 = { ipv4.addresses = [ { - address = "172.31.200.15"; + address = "10.31.210.13"; prefixLength = 23; } ]; }; - defaultGateway = "172.31.200.1"; - nameservers = [ "172.31.200.1" ]; + defaultGateway = "10.31.210.1"; + nameservers = [ + "10.31.210.1" + ]; }; - systemd.network.links."10-net0" = { matchConfig.MACAddress = "D2:10:33:B1:72:C3"; linkConfig.Name = "net0"; diff --git a/config/hosts/esphome/configuration.nix b/config/hosts/esphome/configuration.nix index 0ef1dce..fc13d89 100644 --- a/config/hosts/esphome/configuration.nix +++ b/config/hosts/esphome/configuration.nix @@ -2,7 +2,6 @@ { networking = { hostName = "esphome"; - domain = "z9.ccchh.net"; }; system.stateVersion = "23.05"; diff --git a/config/hosts/esphome/default.nix b/config/hosts/esphome/default.nix index 8d5150d..cfe47bc 100644 --- a/config/hosts/esphome/default.nix +++ b/config/hosts/esphome/default.nix @@ -3,7 +3,6 @@ imports = [ ./configuration.nix ./esphome.nix - ./networking.nix ./nginx.nix ]; } diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix deleted file mode 100644 index 8a84112..0000000 --- a/config/hosts/esphome/networking.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "10.31.208.24"; - prefixLength = 23; - } - ]; - ipv6.addresses = [ - { - address = "2a07:c481:1:d0::66"; - prefixLength = 64; - } - ]; - }; - defaultGateway = "10.31.208.1"; - defaultGateway6 = "2a07:c481:1:d0::1"; - nameservers = [ "10.31.208.1" "2a07:c481:1:d0::1" ]; - search = [ "z9.ccchh.net" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "7E:3C:F0:77:8A:F4"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/esphome/nginx.nix b/config/hosts/esphome/nginx.nix index 2b154f0..ed93972 100644 --- a/config/hosts/esphome/nginx.nix +++ b/config/hosts/esphome/nginx.nix @@ -1,34 +1,35 @@ { config, ... }: - { services.nginx = { enable = true; virtualHosts = { - "esphome.ccchh.net" = { - forceSSL = true; + "acme-esphome.ccchh.net" = { enableACME = true; serverName = "esphome.ccchh.net"; + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + "esphome.ccchh.net" = { + forceSSL = true; + useACMEHost = "esphome.ccchh.net"; + listen = [ { addr = "0.0.0.0"; port = 80; } - { - addr = "[::]"; - port = 80; - } { addr = "0.0.0.0"; port = 443; ssl = true; } - { - addr = "[::]"; - port = 443; - ssl = true; - } ]; locations."/" = { @@ -36,38 +37,9 @@ proxyWebsockets = true; }; }; - "esphome.z9.ccchh.net" = { - forceSSL = true; - useACMEHost = "esphome.ccchh.net"; - serverName = "esphome.z9.ccchh.net"; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "[::]"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - { - addr = "[::]"; - port = 443; - ssl = true; - } - ]; - - globalRedirect = "esphome.ccchh.net"; - redirectCode = 307; - }; }; }; - security.acme.certs."esphome.ccchh.net".extraDomainNames = [ "esphome.z9.ccchh.net" ]; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; + + networking.firewall.allowedTCPPorts = [ 80 443 31820 ]; } diff --git a/config/hosts/forgejo-actions-runner/configuration.nix b/config/hosts/forgejo-actions-runner/configuration.nix deleted file mode 100644 index d2a52da..0000000 --- a/config/hosts/forgejo-actions-runner/configuration.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, pkgs, ... }: - -{ - networking.hostName = "forgejo-actions-runner"; - - system.stateVersion = "23.11"; -} diff --git a/config/hosts/forgejo-actions-runner/default.nix b/config/hosts/forgejo-actions-runner/default.nix deleted file mode 100644 index f5a8ddd..0000000 --- a/config/hosts/forgejo-actions-runner/default.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ ... }: - -{ - imports = [ - ./configuration.nix - ./docker.nix - ./forgejo-actions-runner.nix - ./networking.nix - ./sops.nix - ]; -} diff --git a/config/hosts/forgejo-actions-runner/docker.nix b/config/hosts/forgejo-actions-runner/docker.nix deleted file mode 100644 index b626e9f..0000000 --- a/config/hosts/forgejo-actions-runner/docker.nix +++ /dev/null @@ -1,13 +0,0 @@ -# Sources for this configuration: -# - https://nixos.wiki/wiki/Docker -{ config, pkgs, ... }: - -{ - virtualisation.docker = { - enable = true; - autoPrune = { - enable = true; - dates = "weekly"; - }; - }; -} diff --git a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix deleted file mode 100644 index 4b4d4dc..0000000 --- a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix +++ /dev/null @@ -1,26 +0,0 @@ -# Sources for this configuration: -# - https://forgejo.org/docs/latest/admin/actions/ -# - https://forgejo.org/docs/latest/user/actions/ -# - https://docs.gitea.com/next/usage/actions/act-runner - -{ config, pkgs, ... }: - -{ - services.gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; - instances.ccchh-forgejo-global-docker = { - enable = true; - name = "Global Docker Forgejo Actions Runner"; - url = "https://git.hamburg.ccc.de/"; - tokenFile = "/run/secrets/forgejo_actions_runner_registration_token"; - labels = [ "docker:docker://node:current-bookworm" ]; - }; - }; - - sops.secrets."forgejo_actions_runner_registration_token" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "gitea-runner-ccchh\\x2dforgejo\\x2dglobal\\x2ddocker.service" ]; - }; -} diff --git a/config/hosts/forgejo-actions-runner/networking.nix b/config/hosts/forgejo-actions-runner/networking.nix deleted file mode 100644 index 8990224..0000000 --- a/config/hosts/forgejo-actions-runner/networking.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.155"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "1E:E0:4E:D0:DA:BE"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/forgejo-actions-runner/secrets.yaml b/config/hosts/forgejo-actions-runner/secrets.yaml deleted file mode 100644 index 456230a..0000000 --- a/config/hosts/forgejo-actions-runner/secrets.yaml +++ /dev/null @@ -1,233 +0,0 @@ -forgejo_actions_runner_registration_token: ENC[AES256_GCM,data:gAR2ffrffeuuaOwO6mWcif2e6csKIVoLqrux19iBlrTkFHgo/IlHVL0eSUGqnw==,iv:i12yx/quwT9kj6fPECszo/iG9cVhKX+7dAA6/N09URc=,tag:eO+mWhumgvWzQxYqiRUXbA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZEFkeThaUkhoVlVXV1V0 - eXBja2hueWJzZm5RNVdaNTdKNGp6OC9mVmt3Cit6S2tBQjNGb0N0RkdDdWtpR1Vv - REd5WjJrTnJYR0lGRkFGU2RXTjZkdncKLS0tIHJoV3I0YTNkcHdZQWZySVNyVm4y - TGR6Sm9uZ0ZQeEFNK1lJRE82eUluclUKL4mGDJkQ3mQu+7Xc2KflVqLUjbr/5a16 - VlYUplTqUCYXtkzq/3RKZV/pM4RVYBDHvuSzVr4hXBSxW5j93dhezA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-26T00:29:52Z" - mac: ENC[AES256_GCM,data:c0261ungapxYViyviTpNsSJZs6OMQ8fyHNqBpvTBp9jEEbbvJBSbqJtwJvVDg8Kv3xrZjC0jZSQOWkvYJlb2PFuW2/GXy5YpLCo7k3ZhXhUbotsDFPe30bvfVxZWhMpaS2rEXlxCqHeVmqoslL34jpLuFx04FmoBh91yjDMoiTw=,iv:njo4Bu4FzAbU6t7CSbqw7hcJ960oqsIKuV/qUGF8c1I=,tag:dzFxW8vyZsDFkd/ARkt5jw==,type:str] - pgp: - - created_at: "2024-05-26T00:28:49Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtARAAoDySYGJ2Xf27El8y/UTYOUaM51stw95ZfnU7JtKfPNyM - Ct+xymnyxAwR2OJ7oDluxwEItdPufp/Mr96zkw+TfrqI5lowTiH4YGtDsbioiScN - qxiZgHN4qVZcRHwzgmLcDa6GSIg6rEcDcBygakprmoI4Qeqp3Bioii0/OMuLeleN - igauRUzroFLIlS0QCgI5PaUSIPtSMxgKiEc5yM91EBh6w93RaoQmG0k9TWpfLmgo - ZVB164SYCCW45vts6T7WQ8cE7Pxkkti+rrOrjaDfB4ape1u4gS6xKc4dFJ+nWcE8 - 5l6MXoDLRd69VWRN6P+G5YGQzB5QRicNnuwk6H2q7CwIqZyi7ZqaCIZfcpvuUzCJ - OGJQInCFFVSdLj/3WFyXk+wemmZPna5xFxFb6WVwfSU1ikM/umrZ5yBly+mvDGzs - l+8YGcsZ9D//qjVIsWbiRwhGgeA3eU6f7SwdZdX/zOFy8bP85xwDcbwdOSkhifAA - l3Ud3rswmAnzSYAw5wK9tcSxS+G4JeCPU1iKABifugLohgME09Z31ljvyqWPBRe/ - Rct5zvcQV2yjMbToudXafvRUb9nU+uJuWUEUe8xFSrAC1ijA3mBYfIrGNvD2eVCY - MTYK1ugKA9X7Sgls3vQ0A7fLHeR6C3+zhl7SzGHUZC3bh5+oXTq6cuXD8DjCwV/U - ZgEJAhAkZc7MICSMkACItUHxyyEMbBYNpIJ6P7GQA6ErhLcV1VpKWo6abJVVES36 - j97RpaD1tL3OyGPfiivMkk650MkPrgpMKR0hasl770B8jkjVPyDV9mSn+sc7N+tK - D7IbDW18mA== - =EhAw - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2024-05-26T00:28:49Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2ARAArCPbAnHJrNpP4B755wKuDEzwVMsqCR+gumSX/XcuQJMI - O3/34FJOI+++S/+z94y4O+A7XPsG4xr+UpDIGdGFAsOQBrbxyqD7c0BIToJgq6iG - 22j7y6N6OZFo0g8hGkUVSMeAZXCkg/t70e2POeHeEwnlsNX3cRuFWC54KxfVwr4w - UjlQmjV26+r1uZd3DKj/+eMi5E63XTsgUhAlJqixpHt3PEKZ5UNtnCAbYXqF2FOF - qqNyB5X1M2ncee+RGzLqnXaQTSEdKmlEwteVlXWtsqBs4gICOz+6ehfA+gk6r+si - Hv5dW5W7OjHsZfRfLxaF05vBUqQ+M5FdYl0hBFZzco3zuNQ+c9om+c/3Fd+B0tZC - 0pUs4JiNa/chjuSCiJ0ZJE8kh7xCmmjIrFqsvWi4ZiTk2GWPEeuPq91TC/azfQea - ZV/Ozh09wAMGnGYUY0OqH7BIGsV6mEFKy/oEpwvoPuI1sNLiMig3ZAMHcIdqYzta - S16/JVmVirTnOTCL7p0CZLtiQuQH158gn9F2T7WCfX/XA8ifVSAyjWnYL3+rJUr1 - zuhndbJTXD+5K9RKVM+FXC+G5VRzmWKNN9riijtLFhPKuOqDwPDst81XGsO23gGn - QIFGGEfQ8vuC9lmF8jDPHZfgUWy3kMVaLW+ti7y5IWhWEJASYVXF2JknKeOw2zjS - XAE4hG6ck97ZiT9V5bKC/fk/Ep/GWPnQTMdISinbak9hZigPPQ3KCyf4WZoJ1+sE - r+rk9v7NO1N5rnVQokL+kO/sBCV/t9XrHuFDx16cZrSHpHubQUi9daxc6EQ1 - =7d/s - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2024-05-26T00:28:49Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJAQ//QF80EGvpode+J0kDjrrFKdSXREPhfCtFU+EpmE+f+aGO - mMPZ0SEuBX4g+5K8u0IdeWR2weqYqY0O9Ar2m18YlpniSWFBZqzmW+/yk7vmDzqr - l9pV/SdRomGrKyXk9JehkLm5vwUrj/xlPAU0DQEKIPLZ/MMRh7bIfL5Fdujc9cLD - nybCqSXccYy59SDqVku5Q6A9FTTzLL8uFf5D3mthp/FgWpxIEQIau8G16PZm0aSJ - cBu2eZ3XDjmgIQLG+TMrW77lp/2AhFe23RtK4y5aZjzGhzO+Ax3Cn7pZI9zTGW6X - iF/ePoR+AQeXMWfwIujGR5Zy4NvdNKSfniFrjgXpsWSMjCp8pKTOlhkknL3gE+HU - etQDmPPCYvaVUwITpmrEAswTNPw0xekXGUe1HgETfhWAGw8zAEYRlOqw3Jt9mMX2 - QczfXc2sA5Z4TcylESIUcpTAFQVMVMB9bZM762tZu3bM9qg6qybNVJBk9UPpi0RW - ZFbXA6lkOnJLG5/m/Ie4UDoxXxtOOqkFzjV57GEBy/HtYuC15LeyOuAgDp0Ta57L - 0f/ufET/T3z5qBE8GN2zSTO7gGnFAEQ+028ZB0vGVR9C0JdCwVBMlGglC6NiaKqP - xPDLPdBqrCczUQyIJ4f7JJaFCfndLszuchb7IzCy95I7nMmATREpP06uRbnuRU3S - XAHno1TtKtfy/+T536cmGhke9gNLZXBjSg+W9ndHPo7r115Ytap5nlQqhM84qOyE - bhKZlipM9hkhfeT/6X2NzYL48/hsxJ7nh2sbmJQ0d/2DtmXT2gRGkbYq/f9+ - =tuO+ - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2024-05-26T00:28:49Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1AQ/+IK+UPsLOltPFjdvN21ICHY4De1c6qqMrrDAskqeDWZet - 9eoal403d0fY6E03o1Acq3XlTzR4srWLp9qo+soAhruZ3+W5M/6zBaq/f2XF4fu2 - U+bjVplM5U/pHTtGb05nHJ+UN7dgq2OJkURAe7aLSwLLScxTH9cggHAo6wpsaUTQ - Uujbo508P5/Vt0efbnyNbk54M/UMH0s93YmWSuxu4XvyUPaVFcjXkh61Tfc8vY+v - l5P1qDEjQrRjSE11/xzqAmZ5x58cMK1Q9yB+cy5Lw6K+rFT+5r1jdJem5NBsIRFP - eJjmTj/rzehujAciA1EOCF16ZsVIG6HFb3SLcNoRRL3DDgQIHgjHT38qbKrobjGr - Ww2Trekg17t2C48+qa/fGZO8dSz+/97gfAMMA2DdWHPlZxVCraucZMG0p9CkNxcO - kEtpD5hYJE456MqJQJoF2x2m+/SylJntfeKstKDhD5MZevTkNhD3MRE/8XPW/abE - byO8hxz7g76l2OKSjJdOUkYTDsjr23qKAuYq3/tENOMC+Z0eTKjQbzyLdSitQkM4 - eOxRMm1qJZM7Y27kYLZcLadkewuBgmXqpDePcH6lHuLZp6S9o9LmrzvAsG79RjGs - wWiITzj4oG7ROT1Np9h9iCrfKiQ3fM/5/4zJvFvGm62DaeqNSwVT9NSLodrpj/XS - XAF3ozQWD5ib0d/yUKcwZZcbbJyn7HyaCn/95zxOMu+C4K0qhJLZeMyOYQOj2pfb - T7EnwyXB5vdL3JJlhVmnFCTMFv/RjhNOJX4qbDnV1sqTj5fFMgcbA067BLEQ - =TU7Q - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2024-05-26T00:28:49Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4HMJd/cQYrVAQ/8C0go1iw89B1ibjbrJTxnmYD6iep01wAwZjHNm9/cC3BV - yFRj/D7d84gO2YX2hZxnjlnFQYRsNez7HpsjZvUmp6FN9LpJNDp2NvukebtS5v86 - hrcqODTdHNa+/ffHIhUoXVSjw5kwpQNT0JI6PR3EyV7kjCGkFAFMzHbaNRbdup5O - vC5cD6Ty+aihB/E0st7/KUw2PH7bMiJ+lAlx53Z4v7xZYSxS0vFXRDAJRYd6Bt2t - LvHO68aRMF7czDB0JoV8BOSohSvv+ZXBqe2zCZwl8kUZoW3n9eym8iF7yZ+itT2M - OdLTOg6SIhhtxcm7qFRHsOsBMjmT+MuzQVNGKDQ6Gga6NiiboyuURso64L7F0SbA - 3MnHeYoTm39hUs50xqWXdFfi8G3d/SfYcxYghJJx+SwlTd1ZhdSDxQ1uJtUi7ccK - 8pHwIVCdkOF1hvko3w0/B9kHmnlWKBUF1wN8QHTmlViCOo4vIpepowzN4fLlpTug - VtyW08lbdMWqq17OcTUK3O7Z6hDDUaIKV8vGvjxrJ7wJp3kok5cI7jXOYEPjxfSr - ZjJpcdrAuJTZjSIsFFopGXFbUkI8bqRpo75lDuK2fA6x38WQqedwNo6YTXvtMn0V - bhYLeEt5VeRSohGWNsdGvpjB6BtPhKoD6hK+aQAeOhhxyuF2cH4o0/lFZSkDo0/S - XAFiYzGNuu1nJulLjaAGGeoiom42N+MEmQvlIfG7AR/XgMSXs5d0JH/COJkL3V6W - zyhAGxTzEmDYmddbhelxXn38obOnsAJU92GXwLg+PXT7ZkFHrCfg9jEvgwmT - =98Lv - -----END PGP MESSAGE----- - fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C - - created_at: "2024-05-26T00:28:49Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fAQ/+M0Y24jgYhl4VEAT8ymoiCiNIsqGuk4yIXO6LrTIsNGlc - 6YwkJu9Gj52AH8XKdvLuBGtWstjVoVrBOFyTtS2vzW01Eh+sFKfm3tF8CywjSMZ+ - Xg/v+rtbj7s0EZ2JeE0DOk2X1zg26HsNd4X0HkIqTAm89gNVSTMWGGhDbTBSxtFx - ain5e14rUMM5qeIZg4IEMlY0mEbpGC7AqV1LKclN8pp2e0/6AS4fxamoMtPOhwld - /feF4/9AwZ04HIwF0ucbrDDkoZrW7YaYZPapxBTCMU0alkX4c+WTBMKTWICC1DkZ - lVF1zmLm2rhxebM0AaIw+eT2MymaecTcVrEHdhbtCGbfIL0sram2Qw0ZfeYDxIas - 5W2z0a+qSQtlaCZfq/kc3UBQpRgv0Vrc0CBoZJhFmhfsH0F7uPE5rThqeT1w6TMd - bc6Y09Yorfyio+ZhbB8BJ5fzlolEo8opSZLm1K3YAik5Tw7toIvZqeXZoS6DfZhk - o7K/uUJTDKHuscxRLAfFKqBoZOBuf7d+ski5arMcjMqOYvmGKCn2pzs0TuO0ZaDG - gKbvSz2a6KyUSU822W0l2HSfM36HxxH7bDdJ12iqbBtWPcob+KcKrLowpbzzHpMT - o23ct/g5qpKpEvH+AkXQ9nOO9VKXx7voQyFM0gS0LXZGJcXeeeVbttcD28Td7WvS - XAFWumenh3Yc2VUSF4PUICL4g7o/4sLPjHhctlNHQ4+iaF6beZljWD/lwFkKxbqt - oHFjNx+ajtTxQpzpBQgqO6twKwLjND4lQ1yRlXp3mGm3U0BI7QUCRp+D+RcK - =N//k - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2024-05-26T00:28:49Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoARAAtsPz8vCvZ84eAoI3bZwP69V1coDW0SgSVqAi0XDfsRbo - LJIU//nkp4pKjUMoBgc++TdLa94/mqeFVhXozAW2T7nFhYOOK2HoVl+JqvgvTGVy - ZhGEWTud++inzjSAKAEll6x89dYE07DLtbLNaLs8w3X/cSDF9fZekmTvyaks9AwQ - oI+RXPK1ao3Nvgw0pkvRzFze7HJansA25+Ojcr3wnhP3qtKqfHjbXRs5Qu46fB3b - mz3SPNcN/JihodKBhZ0suCk+HZx69EXbBV8i9EDBOX+2Azxn3aCGh0jlDAyCMMNp - CWiDuYduzYFV0mF5vAGQC8ifrQZDOjvJR1qqJ2115c2bB9cP0asTS7ZoJEEqfkz1 - mGLHsOhhuP/DkHhX2B61nDl0LQ+eoc1ZdZEcDV0hrKptiFlxmPySlOXD1LpOU+uk - JFBot/Sc9GEZzaInyNSmSvd2Y6SiNOl9t7QAwIPwmGYGY3iNDPD6RRl/CQb7raLG - rfNH04BYltboG7HQeEqiEEijn7xctTSNp1O3EKrcdEpg/sAlQzarCOmEUvLXWeBj - YhPRH6Z3+PMyn7m2Jb8VFO3hAX4zfb7eJcXhsKHBhfYIXViyuuzJNBoXYnorqSRK - n5OobCGQAhxeLHOrG2J059HbfUgGtfD/4MJNiGxuCGmXJc5oSJVRhy3d11ttGIzS - XAGuD/Vw5GUqWVZKNp/k2Kfuxauqu6jDPI534dLf35qaROkvbWz2bbfwPx4hxtkE - dZCVWILFq/BbXXiCVEMeJf6FrXcB2rJETBgknQWtxRP18Q7Rb4a2jybv5TDk - =ATJq - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2024-05-26T00:28:49Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqAQ//WVgNIjTv+F0kaoyM5stNqV7lDHPNF3jKVLOZBV1d8wbL - NhHnNRiadls8SwazCHgds/ahoaUTv+4IF9hvmyLvksN6iEN5/YnyHa1nFDBC8kow - pzA97WD6/bo5SjCk5oqLHjbR7ApKAYHOnI/XDum3QyWUV3KzO5wQQBAVki736l6q - ccUVeYLgjcnlTSlz42TcNnPw5DbudAizU4DRu4KyqQX1hBJEYA9lLDvFxvjrSidb - TzGWzyY0ERkrgrW73K9il9xqGsnyDZLvHPZ3f+nwEuNjM+ITxliZrsfxmqbWZ29f - sid5Z8Z9lZ88jIC2VR4+XW1q3LAe4WPhp3MjvhELfKLUWTRp3zRN6kabxuBtJcuC - 0s212dm2ctKbkTaDbn7Q0NyJ2CLX+5IMjWs/i1NoLAyjre6hFmie2Ldx0RGwxrJp - wCA7EiZ02UJcLQw4QT3o/2Pxg8Spi+eGmqxSmMV/PDJ1gSdUv85gPobdDcotky6n - ng3I3G1o2XRUKnfDwv//4mFbDHXsCPXs7fMLwsSYZi5Cp49NhfbCbQHeusCdchLY - dA0Eik9ckUDH6ihyEN8DyVcZyspxoIFONFqly21rNECcKy1i2HxTsq5SbkZmmUS5 - XiNQTGoLsx0CKI78oAXNfgY3wdpi02Xykkctjga4U2L/u8Wg7dVRgUFmq64rJfDS - XAGHB1X4194RVvPcpYP6tScEDnmQCs55wsiEuWPUyvclwb/aO8y5K1o6Uz5IW7/o - 8lfAj6gHs775Z5xZE3FD8O1NkXVOyLmzkH2bJbkZAQ+JVfQS2UKshMtnQgz7 - =dG/+ - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2024-05-26T00:28:49Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4EEKdYEzV0pAQ/9He59UueuO4GXg4uBxLASQiaGKS/F1pPfTU9W4E1f+C4k - Dw8hwiLIZWRDsj0huYd+klyg2VJnjmPf0tB8qj5nrHo0bTKH0oJpiDpX8Bi/8j7d - WBNyS8LmUrSub3TdM3Ob1muUt/nHvgGQmWKt3dH+Jkc/um0B/+Og3Yka/JcKRF0Q - IAYkzVFlPdh95IhPEJ0Lo7zyN1FU0UwlyMasjB8Xae7VoyDhtgwur60gTktNIuyU - tAvLPKSSyu//Uz9olGW8RKw5//5A/EYNlP8WrVV0crDNBGegTlX68EsZlZQp1uXc - GK0ZB0OtphMUJiF9dUXNfzbGz02l3voLs5DUIpE+EAyEDu7hZEDgU8e9oTJRv05f - TumOjDlgSrhALyewO1ig92fU407JxxwW9aNl8gFv2Ph9lEbSaQWpo/VAHA178x/p - j5caXUUh5qUFGYhtOoHB9KtxL9X+F7Z5FjHmHxFQBtLrxP/olmQ/5jjbiz5sgf8A - iW7bRu2tBmiT5TrMcDxFSf3d+v5o0kOngwPl+8e9NC681uXuddI9g4s76f7KrpuE - bb483XW0CZUdpt8eFXAvk6CJ97gi9H9iZBrqhMKjGnWbE6e0683PE8WNTwCafoYz - mCelVHHjX1Qsk8Zg/vI0EBEHkeigCiev9O85dUVbCxHVniBkvIF4ZNo9n7NRnAbS - XAHQ23ARYRtF676DYWSH50sHJ5v98BTKn+Ca1QWMRCb2kyqUSfn+XzgyP9Sv2nqx - dT8DO2oTOraOaFS2+j9N3wRjbocVRuTV2EPwdgPVPg9IakNaO3qBUwEnNM+b - =EzwG - -----END PGP MESSAGE----- - fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA - - created_at: "2024-05-26T00:28:49Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdAy+TLSybMtug+TfJVBd4WJP4q5V6Qf0yPtgj4YUF4YCsw - rUctAxIueheQq5uqoPm3bTeLUYeticEVf090hr0613uh+l5DZcD/vqoHUK5dx7Zs - 0lwBTi6sRElMIJiXplIvCMyYAOne/QZG3WaLx+LqqaNlNKPz8OVPhbokC++VNpwz - l5GE8Cv1ZoEDxbjLWurS772NiIumo+lAnjQMAxhHo4lVPXTxZZCqx3/98agyKQ== - =oiZp - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2024-05-26T00:28:49Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAzdAjw8ldn6CARAAvnyyMeBLfWLFU6dBK2lNAzJy/gHb674YQbCe4W/w9Cjl - 2pbiw1Hhpe0P7d7MGy2mB3Hi7cLygklFZADkHnrOoRIaJ8KqJELsNSHjapIE4+jW - 8NWIcRSyZzOQFeKGFPNCJgyYd68clNmiLNlIAI/Xuxf4xSb3BLkBDRx1cIoug5gZ - pn7RrWYDPgrUyn9YfAJDr5OJsBcJD70sdi1TmCK6X6UCGZpNUI22yqS40LX6aCvj - WzZ6gd+nyjLlHXBBSG8R2lywPdoEVo4Y0pWvd5oK85Xl80gtlXSpFBfEg+EWbLCa - EkiAXthSAWwgBfjV0UCM+Qd5aiwNb8Q9j90AqPhIAawnsGWRrSL40finvJOdf4lW - f8R8Xk38RovBlHii1u0iw9O3Efur0UJ+aEntIEjaoND6K+32oJI56CWev0ARgR9N - ECROL+57Z1121S4QfDGp3LuClgAJDPB/LTL9ly39jOVaPZ7Ym+8qe45C0nkO3SDI - nyIkv+GA/gz9EuClfShc4N3T+XPjSe+wz7gt9hACpSai+Muea+2ruUpa9Kn8hasi - 1zq7qR+3+ueJc5+8P6xIyCKxBTneBM2VNlh2e0GZlCxqCrx5Vt0spr4fijM/JvEo - +/2oIRv75NtF9zAwk7foSbyw8WQCReW61hLr9rVnYMoCkhYhlEIEGBZiq/94SHzS - XAEUZMZIyLdgzXVIoP8GVEqCErVYT5qCpo8Ett/v8efm27ucV797SrRibqiFEwIo - SsEKMoULNyHXQfnuKviNnuG1ril/azjsAtiucJvTdol7pY2nRWeYXIVecX0G - =Dlro - -----END PGP MESSAGE----- - fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/config/hosts/forgejo-actions-runner/sops.nix b/config/hosts/forgejo-actions-runner/sops.nix deleted file mode 100644 index b4548ed..0000000 --- a/config/hosts/forgejo-actions-runner/sops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/git/default.nix b/config/hosts/git/default.nix index d3494e6..e2f517b 100644 --- a/config/hosts/git/default.nix +++ b/config/hosts/git/default.nix @@ -6,8 +6,6 @@ ./forgejo.nix ./networking.nix ./nginx.nix - ./opensearch.nix ./redis.nix - ./sops.nix ]; } diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix index 89f83c9..f907552 100644 --- a/config/hosts/git/forgejo.nix +++ b/config/hosts/git/forgejo.nix @@ -7,20 +7,13 @@ # - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md # - https://forgejo.org/docs/latest/admin/email-setup/ -{ pkgs, ... }: +{ ... }: { services.forgejo = { enable = true; - package = pkgs.forgejo; database.type = "postgres"; - lfs.enable = true; - - secrets = { - mailer = { - PASSWD = "/run/secrets/forgejo_git_smtp_password"; - }; - }; + mailerPasswordFile = "/secrets/forgejo-git-smtp-password.secret"; settings = { DEFAULT = { @@ -34,7 +27,6 @@ ROOT_URL = "https://git.hamburg.ccc.de/"; # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself. # Doesn't need to be set. - OFFLINE_MODE = true; }; admin = { DISABLE_REGULAR_ORG_CREATION = false; @@ -49,20 +41,8 @@ }; service = { ALLOW_ONLY_EXTERNAL_REGISTRATION = true; - ENABLE_INTERNAL_SIGNIN = false; DEFAULT_USER_VISIBILITY = "limited"; DEFAULT_KEEP_EMAIL_PRIVATE = true; - ENABLE_BASIC_AUTHENTICATION = false; - ENABLE_NOTIFY_MAIL = true; - AUTO_WATCH_NEW_REPOS = false; - AUTO_WATCH_ON_CHANGES = false; - }; - repo = { - DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; - }; - actions = { - ENABLED = true; - ARTIFACT_RETENTION_DAYS = 30; }; mailer = { ENABLED = true; @@ -77,20 +57,17 @@ ADAPTER = "redis"; HOST = "redis+socket:///run/redis-forgejo/redis.sock"; }; - indexer = { - ISSUE_INDEXER_TYPE = "elasticsearch"; - ISSUE_INDEXER_CONN_STR = "http://127.0.0.1:9200"; - REPO_INDEXER_ENABLED = true; - REPO_INDEXER_TYPE = "elasticsearch"; - REPO_INDEXER_CONN_STR = "http://127.0.0.1:9200"; - }; }; }; - sops.secrets."forgejo_git_smtp_password" = { - mode = "0440"; - owner = "forgejo"; - group = "forgejo"; - restartUnits = [ "forgejo.service" ]; + deployment.keys = { + "forgejo-git-smtp-password.secret" = { + keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/git/smtp_password" ]; + destDir = "/secrets"; + user = "forgejo"; + group = "forgejo"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/git/networking.nix b/config/hosts/git/networking.nix index 34159f9..088d7ea 100644 --- a/config/hosts/git/networking.nix +++ b/config/hosts/git/networking.nix @@ -1,33 +1,17 @@ -# Sources for this configuration: -# - https://nixos.wiki/wiki/Networking - { ... }: { - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "212.12.51.136"; - prefixLength = 28; - } - { - address = "172.31.17.154"; - prefixLength = 25; - } - ]; - ipv6.addresses = [ - { - address = "2a00:14b0:f000:23:51:136::1"; - prefixLength = 64; - } - ]; - }; - defaultGateway = "212.12.51.129"; - defaultGateway6 = "2a00:14b0:f000:23::1"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; + networking.interfaces.net0 = { + ipv4.addresses = [ + { + address = "212.12.51.136"; + prefixLength = 28; + } + ]; }; + networking.defaultGateway = "212.12.51.129"; + networking.nameservers = [ "212.12.50.158" "192.76.134.90" ]; + networking.search = [ "hamburg.ccc.de" ]; systemd.network.links."10-net0" = { matchConfig.MACAddress = "92:7B:E6:12:A4:FA"; diff --git a/config/hosts/git/nginx.nix b/config/hosts/git/nginx.nix index ea1a2ac..1dd0aad 100644 --- a/config/hosts/git/nginx.nix +++ b/config/hosts/git/nginx.nix @@ -34,10 +34,6 @@ return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\""; }; }; - - # Disable checking of client request body size to make container registry - # image uploads work. - clientMaxBodySize = "0"; }; networking.firewall.allowedTCPPorts = [ 80 443 ]; diff --git a/config/hosts/git/opensearch.nix b/config/hosts/git/opensearch.nix deleted file mode 100644 index 1dc4490..0000000 --- a/config/hosts/git/opensearch.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ ... }: - -{ - services.opensearch = { - enable = true; - }; - - systemd.services.forgejo = { - after = [ "opensearch.service" ]; - requires = [ "opensearch.service" ]; - }; -} diff --git a/config/hosts/git/secrets.yaml b/config/hosts/git/secrets.yaml deleted file mode 100644 index 85e2ccd..0000000 --- a/config/hosts/git/secrets.yaml +++ /dev/null @@ -1,233 +0,0 @@ -forgejo_git_smtp_password: ENC[AES256_GCM,data:ZRj5GpQKRlTxdu5CfbJirRGAKPCLAIG1F0V5USz5m5D49V3lu5uLomxHapmEwb0yYoE7e7ZLYK4VQUoQgpUnSw==,iv:K7+9E2gi8cdYu0lX/HgWitLxnxARywIwh5glEL0uOsM=,tag:s9UC8e+E5E3vM6cTKW7Vqw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ZFhrMlF1YnV6bHlJZFp1 - SExjNXk0aTE3U2pBd0lHODlkZW9La1M2cHhjCjd1VTdKWkE2ZWxoMWFjREsvLzdS - K3lSSkRMZ3lLZ0tSaDZMRkt4MXBMeXcKLS0tIDFlVjNXcktpbHdJc2hraGNrNGJh - UHlJWFN4NW1tNWFCU2EyNjkveXZML3cKrKk1w3IBAgdmicuFyGOaU26fwpULAcy9 - eZPlcbRPUPHoRhy9GhNTAcXXDQzimKL39XZGAd0U29Kt9AvWAf8Qpg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-25T14:17:29Z" - mac: ENC[AES256_GCM,data:JeqYsVtogbB4oMWNEpLsF6zxsgUoAt7UzRUL2JzxDUtXDUndW/AxJxVxQaipYvblA3q2MzRyQN+j9khavlL02DR/ANtZFLQmH3OREV7M9eHmeeCa4Lm5D7gFYmqWkULJ7yEJsKz5AaiJTWlWgCcBITB901H3Z12dsz2a1+4WrUc=,iv:5Xm5Rjw8PS7hkTcRD1kj5XS5uiOgsPwXYeaMqUReB7E=,tag:2Y5R1/Why1TQd+ZYTF0qDA==,type:str] - pgp: - - created_at: "2024-05-25T14:42:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtAQ/+Pw0v8i3ZGw4QNjAu9NX6ZJ5hvBHJgtcOWch3ZHlIAuxs - rNoPYhuKaYZL6QJcPTjP8AHVkFIEp+mVbXnsS3PCNUxPnwBS3DfAk+b9OmIJ5U8i - H0VYv4FpdAblyq59GPYx5cBaKUxAagATqlYmMh8b530DYBGcoAHPtzhCaZj+aJI9 - ybakmmNfSqtdhJoWwRaRekqhbZ++wmS7axeefawuicXpdlNxhypEMKBUpGA847cH - lI4hw1/+KvyN/BT1q66vQanYpM8NNFLyyamT6HeBxQ1lP6gfb/T0a805qnaCXaZY - z2Ui6XJL/lbUWzG/0xnSJIFiQc7hIqMGIz+EHyYep5NBu/hiIUK1RpIFL4ClEOh3 - kfVlWC16ys3fGHlFOTTBc3yJPGtyPjd5lGGfFmawwnegPH2wdNIt5tjrA7+vwKRE - f+RFNzvfc11o8rhGnbGd4ZGNgexuhxVaRGDSNqO0aixprSurcOa21Z1U76tvnJGq - IoeFtZf5KutqqLIyLoK0JM0YkSb92S/BHkIKpUO9fsKLRdQdnvm++8NRLJ/jXLVz - lZZnLxMC7QvKMyxE7J8GKye7nQa6S6CkEcqUsgXSMaxB3GMe9MiGWS9nqh16tHDX - p9YR9FVj8BUKWsTbIPKkomIaoxhRJvW6cakVcM7RG0rySVjGxrc2oAvYgjpVmmDU - aAEJAhAxPM/qlV+JghqnmnjP9Kn6KTIvGV2NGvX5YbY4k/NgL/sZ7VLsGZldemiu - 1ogKtLzjRnvtruPhXBXPv3Ivw+a4ie7YBPsyyyh4RFfnZq7abAwBVDZDVXPA2GUS - 9JOUdkYe2Q1T - =1km6 - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2024-05-25T14:42:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2ARAAiyKB1LVhFUxkC/bKs7TmtXGbA+2xWwrtt9gUACD+GNlT - P0jQJ4N7x0xpvgo+ELNx4Owq4EXFYH8bI27zUxW9FmJu672uFVIpud4nZX+2AfFs - +Iy7VBp95kfS77Mc9VClJTJEaLMZOvciqlY58p1FB6C4pNwOuEhMvZ7athLVLlEz - hOrKkJAAtnjWXOFLBkq7BKCBVsxSLOUXMBgmK1Fr4dTJPifiXIIbO2BdNXanzMpv - 8ANtENZ4JpqBHDW/DGoACkAh/hqu8p4B4TBC3L7szvFktsxy93w3i59CDXUroKXO - cG//41R5OH/EguctfO84qUWCe+eqA2D2ZuWIqSD6Aa4izQE+aTl+WDx/oxKuQcJB - UgKiLm/HXI7w1Zp7v2oRUt4BFr2EXHicsEkV+ztCGDMMPw0zBA3EE4fMFDmM9BXh - Y6bOT1cV/TQ1IgWvH6gMe4qdJscqYEfNMJNl6kZzylUSLBxK0YAfqxSnvV6lZ2D7 - 82KLl0TRZOiCWO0EMcRuN2L8AasrO4PaBGI/kbU2dCr8q4ku3qTjW7b77d6pVW29 - Gh2eV+goXcdnk9tJt4hPcmz3vYIFJL8Pbmy5mSO0BetFdFVFnIhBuQzrXwe+Iq7z - nQ2L1eeDT0WI4PMEIz+YM0QVCMM52d0fK+JeiVz8H/bO7NcPCYTylcK68BA6QaLS - XgEP7Vp6aB2qQPbLYI1CfNrjiHLyCHXBJwyWGR3sSFB6LmvHsfx3tsHWdKxyrz3E - 9AM9WvP+taIpK0F7OjDBcadaMo3Bzl74WVEtznaEmu9Vex7HxNXIMXXBHMj5RAU= - =CbYz - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2024-05-25T14:42:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJAQ//RSjkwW/PxItmHjB0luZ8pP6sMP5iTrgvwie04F3y1gu6 - mIdAvh8QgCn/5Q/IqKZo7zdUzTQhyuq03DNUzuKyB/Sel6klohnW0QXes8Jt3vUe - W9bFFmIaFTk4mDc/tD5Vleph0ruNMXHlQRO4ia5wcYpVw0LtT3pKM5XApNl/9UKT - UFZ9/Fvad2a/p277Ai/N5dPUwM535s8H3Kkz473BvoS4Az7cjVnyxKHhguNQH9pw - n6hgXEjvyzDrzWvJwrX1T84KvCsPh0idAA9W5YfMU/4loL4RJUqvjkUvn2ErsPrl - gNoPTRY+BiivW2HV2uWRkiOyKTwVLdgs/oawZX7LB4aIaI9b5y8rcmHV4fKP8OEh - 3q7LB5HU1peGmd6agwu1/ejbIc3+4WytVfoqHDI7MJ7jPE3iyfAxaZm1x5PFbVhA - 7zmYs6tXs891l3ZJps84I/S1uSHjxJbMuGh954RHMmPHCrnLosS8yeNLEO2AHpQi - m2FFxbXCRFx7Xd8SvW2lAaKfeU+x36yUYCf7APaQeb59QLTnustIle6i4XQl070m - 7GK/Hj2uanq6TEhAKWJlyVAucw4gruCfrjC7extPyY4pC4yXVUpM0jqJO37yCw+F - k64syU8yhR6whTmOPA/c2JsYoGKbV22NYRj6WIK9cIyiL34ellZVO9Ccsz6QGgHS - XgHve1EpLmsR1h1OKCKyUJNnNjvOnehZwyjCFwqT/DrIS1NUgoOaFr7As50YMfhU - ymMhQyDGYjjMHdmGoqmgPMOrJf/MJIECdzx/K/0e+eKM1RsC5XpwZnwKme+cVJc= - =5GW+ - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2024-05-25T14:42:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1AQ//djObFBa/PnDRF/Q9ngtQy6VmuyUfErLqj9x1OOojB0g6 - yMCvqH9zrN4JT82rb2xqvjbqEtZGq/35B2GccMXBifJy5JQj3SHOyTEPuoVr+yVK - 4fzZ9k6vEUYl7FicEZABud8uasfoIGC/jn7EpYgP4v49RtXsESF0aTCnrcwqg03E - /cVJW4ovtIQM6UiE/BQPIdbUNPgVrwbDSxilNQrShvJvu3jVfCkdXuyOqlhF/lnH - weR/P1dNRhtNzZKLFYHNJRiJA3RuS+h2BFxG1pKhBfMfI/s46g74GkP/R+SEX3o1 - l83P18t0br2pqqEE/qGHeLQ8PvEsTVHzxAzX8Qgx6qJQQfCDm2jDb6FlsxX6HT0y - TC3leI5q0u1A7Oj6nEl7p70/NjW2+W+cXWw4hmwMMnV0xNXsOBBDqk3sA9rJ8Mwx - oO6CuLqsWMsO0jGWptLebIzGnwMvaSWMGTMRgweW4gKNzcmiOXUrv5OT4ImJxgwt - 7rFFPGcrVWUzBdGtTquLryAN1Gf1Co59ndG2SS0LKxVnY1sYspwd1FINpJA6x+99 - kX4zJlK5qA8wcqkgj5WhTTXIQGLKD+R58pGjizEJzDt4aMB536uZa86ntP4bd1/5 - Q4zjzwF0aIMWX9FdaCilFMjWjT+iMOl6m2dI3EBcUuTzqL8JTKbBxQ9z+Hc+yELS - XgHe79QN5IUbyoH/Fi7jNA7XEUwI6WIrhZ8TWF4nS3HgZkVfsZ/oK1DFBdVcZ5Zd - /rJaKqgeQLCxoRFroI1vZYsBRKInRs+7yziK8YtbFhmX0azW5G0NiUtsYXBOguU= - =YSsr - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2024-05-25T14:42:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4HMJd/cQYrVAQ//byQSYLjXciKE2ryqYXiz3/OgDd0pIVr9HZLlxwUFJFMR - DLuxWPK+SxUj6F81mi4A9xq9CmTa3jMEVkGgblvjGoWjtEKKgJrdllMCvo5Q/Gcu - CLbMPXGfs/eDEjqEbX1rAdzR31TcFl9FI6bGUIXxGE21DeLIDCgInl5gNzVL+Ser - M5OAxpQCqe23wUMPya16XTzpaxug+mertfyOxC3XUk2A23y/8gey0pjAnaDTPIhD - q35ni2gA1eigiitJv2IWxIfbZ7rFuwmb9qi+vpBeqMTNLBBbhKgbSg4PUl6usFeC - 65uRvNJOeMeXfwpPgMlphtz7pABg4ihW7tusVe//Utrph7QJs8bsiokXA/RYtTQO - uMK8oYdre9c4FboINGL4hznzUi02ZRiMh2Hf+V4cf4VK+YoBKsRYfO79lHytFHPF - 6XCv9hh6qLuzTCHlUrAfOYbXbduS5mMLcfX6OYay4lYTEpx3dKBZz34wtg3TtMpP - eDuafUXNOfpx/E+4ZtB5X8Y99ax+3resPv9IQMTNOHQJ/vPa4JT8Avkrv/q4wIsJ - yMOixzR2bIPjetZbY4ykOwJxL2b0F/Bm5yu0rVHQp9+lYqrypjAzt5vhbdAMkDZD - CPxhEU/Kq7DC4fSE6ysTGEBBW+s4i7lwqvfds6RqHbQXL/0jginU4zSxZuZ26xvS - XgFinTWqnia1WkhfAZsH+UobDK92lKDiQRtM/xhWkNCB/WZQB4Q4EpJJeXIidTse - xQpG0tREIIuS75dJ6nD+Kh2CkOnalSVVvb3VVN8Ft9PEPLf76mE+x9Zk4Mu0vOc= - =BDOC - -----END PGP MESSAGE----- - fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C - - created_at: "2024-05-25T14:42:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fAQ/+P1WAWxpVnCVQpoHmEFNnK8x1ZeDN9IyYvFFpFRbRJ4f5 - naL0ROxP/E19LGtD/bGbdBfVU4nNXdiXbGYtAlvAybAky9/8a8AJ97n2KVULR3xX - JnsXIjavi57MB3ty+Nop4Fgmv4p4AAsPOzDQtc07Uj5xzxrK9ARtv7w7UyJooOiG - Sp692SFChyskAjTVHWU9WKomqsqZY7XvbHJPQT6Y+wUbAjx9iAhpv0CEJcxX/irF - D3SkUD1tCJ0NHlzCZ0ORLdhDos+FNCASbhYZiCyUJn1mBfW6PcHmNevzaqSQQaoM - hd3vOxx5MFO81K3GtE/r1RA0waY/7knBHk0cBuscBOLhs6MC6i6mMfY711WoiOTj - Y9xCjAIYdOeK22fceg0Wk/FMtivFbgddpk+jOrAR6Wh6n2qJZDJFdxFpcaSF2fHj - dBZuJ/q5vRedjdLYFnL2uTejAKkQLthqL3F4m2Fzyr5wk80eGRYqQHDtSlwagVLD - ZoTLCtGp8qnSLF6Z+nnS9lmsf+X0286wAmRtxHsrTTGm2CDhBmvQjNeq086Bdhp4 - z6S3WlgX5oMbTS3hD0BIr4euKIUT3CZcbyXzicuS4iwYOq1iaQEMGvXJ2TKkaOsI - 9W2CPSySkIzp/z5Cpet4Z2JFBcO4QwgCvScm3yK53ZXkRoSwkUWBiWUO8GihgWzS - XgEGOQGCaBNxYr/B1ePYUTxZG7gz3qe3QzzrYebHUmYlEFcC1BkyD0CfWZy59oM6 - mHL30p7LuuoQbO0VocvsnxR8ObQhXsncc+EyZx03zyeDSIbOFqs1sSQ/w+K1708= - =dnme - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2024-05-25T14:42:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoAQ/+IDsMHXF8Xpm7Mz8EuZ6OjINDfe1aVJqkq6dislIuniSn - z62K3gIlYKVCkPC4uQ5KAQBC6mCv/IYmy82OFmexeaHO1uYhLiM5z+5efxkbChK6 - jxKYudsVe0l0vd7JpJVCO+GSw/jelALUhwtrr/A5URNQ+fQZrTAd5SE9bFEFf0P7 - exTBlw6Cus5671R+s7G7OGbKgx47Kf4CDzMizYruRBvjwDPkKOAPAGnoNApjl598 - m2uR4PmlqUJ0z/aFcBtcs1au05vGmVvckSMz8BiqpGsmlbZEVIQRiXqsZ5A7X88B - D6Nx0nb0t4WM1EV1UUbSLPFwwcVkOSHHfs8SGk3gaStCNWunkrPGQStUFBmU1TpL - 2exHEKopll2gQ+XKfvE+mPF0cqd8dq2SfZpLZgp80pKieuHXN/DJhEHoBSELixDe - zRXB5/s6Gr2Hlgd3lfp910UndiycP5ROJZbEwJ6O0x8QRxeIqbpk4eXiIK/4lxiK - ENepdeFSk8/DS/yEMc4M1kWxxm0rkQO/dxn3SvYV49eNFvkRMWkWimMrSbaIUKNM - k8KSLYr6JuoKP0v3NZHGcBZUGd8KuDi8R0A9KZtqz0pHyRIh/Ox+to+Gmlw7EP0r - ARPQOBQBUjcxqW6BRJ31onE24AxZN0b3pAAPMt7Z7KXmveHGGqolU1peZfeATKrS - XgHJDBQkCm1SOX89yw0O0DVZ43z0b9UqyP157R4JgdyEleNsMbPl+KDPCPx6vAnm - iGrsjpWeKMwA3s2biSYUb8T00KD48vH1nidc+XEjfQ/fBDJIsR8Ku7YMZtzKmNY= - =xEYv - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2024-05-25T14:42:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqARAAkAuIMiq8rw37IFlLlVv1tzQbGMmWjNhQndBAlwA/dAaf - zk8dNuKA8wlmAFv6uwbmfOzvdiwunoYq8cgIRdaP7ieNPRppHIm+pbojWKOvXoZZ - 6b2+ILacE6JBHpk5o+KbrILrnn1ciyfhGq6CX9gCi9+vvQkZk3+WexgaHEOfFL6x - zCp5jVEIbVeDMZIxVbDDVHMiXBy2qmpYrSDMnky05/szu9BBJodcsqZFAqgumVf2 - kBFFvnzdhJgKWBfJ2H2CfVOWx3CUhLXidqJyFgzs338aGhSNO4jGKvOn1Yx/PLlg - LSRphptnmzM83BS4ev9/ejvYiWbxorKSBTPZBqehpKFtPdNNUqbWMpq/lmAn3yLu - S+yAVAklCHSDtKEdS9YHAFqycgxvj1VNxLx1DI2mNPyUBoOgzfdD1NiUDQp2s3j4 - EX8EsH1+b1eKk93751yLKMaSfLjU6lnd2d/h++WIt5tDx71XvIJ91yV3NJVr2wIo - MVIUJFh16+zQOWvc6rKCQh8U5cu3AVcB8EfoRrn5fCNh6tu7Aw/fHxz/l/U0vzId - cWFZCYFrg4i3T5w3U+ZV5kgoMQaRDh6T8yVXZQTzKSi5qAQW/qeGn6h2zHWARznC - J3IJ6M9pX6zibz1ao9oc0ePhU3Vy2vNFdFcpGgLe3gl10BM7GbU7rrmAlHFgG4nS - XgHhWFZtUAcYwEuhuOVDfmN4J/QNWlzl20RML92pf0UNCx1VHrStAbA64MqyvE4V - Dgallu5Dr+u5SHLgAaNj9HfgAGuDLPCXGrCoYK8KLUR8fIYwkuO13FN2A0YnHOY= - =IKCU - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2024-05-25T14:42:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4EEKdYEzV0pARAAomxJSaPmNrFFIiqfWzwdemWBUK4oujqRSvfRmnK3fg7s - p+Q/eV8/jYqxPk1q/P9thQSu9gq3OXLkgT2TlMwcsFBG1+xnksu3Xcqr47ON7N9H - J5K6a0KPX07O9fuP6VZtn4cDatLq6ag7RYLp2D7v68eRMi1Kyc3W3mZyz2AlbrUO - 7T/tOqQzD1Zb/vwIy0Vfn8w2KMCPBi3TxlfSdohPsZWehrIAAKZHDRp2931iKPXQ - 0gDwjTd0sEdXwi+sfXxq00988R4uXIjJhBd+ZFOxIHg9yEcXSW02eUauVwETuLzv - 2ohAB/LOKQx59mVyE9gFxtMM7oo3vb5zWcnX9pHG+N0UE/RU2C+aR8a3KCOtysk9 - cHwBLT6Iv3zijeJCeKG7IvSgsp/WW71rqDZCMphs5cFZdzEola+lRXNPIpz6YJ/t - qyTFbu4BG76LZyRRTg+i35NhS/GiQCUMyZoUxW0mLgjDsbYS55FQdFP3xaH5BaPg - 81UrfF3hV1Vrwe6DHbSEYe3qutk3p4NMruHvIIJJLwimIe3i6+MP3/N+ACLV1wBl - caNH/e7H4KStDwuNFb3BjXEXHBLPgnnbdkTSTHZFtmEA0o2avrM/EzVDvvVxTCT2 - e9pbfNCAoXCNo6nstaWRPKjwP8u5HN7RCxjufpZnySt0H/5Ux4qy2v/01i7OARrS - XgE58F0/szyLPmsigEpWhFPIunfIF6esq+4u9OVyqBicYFZHfUddyqTLl64swDHk - r7vxwxH/A8QMGj2GSmQez25MDU/NBTBTotEzRSyxvqZFTxn7IOxKDblSYPhEfCY= - =Tf91 - -----END PGP MESSAGE----- - fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA - - created_at: "2024-05-25T14:42:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdAhuqKLIrt0ortv8L+5ex4c8h3ZbiIDTLSGhML7jbMAUww - ntvI7quM3pEBFfdBT4BuPCrgka9gA9KRKGRwxYX3uSe5jPtgnH8GI1+gImeyWIu5 - 0l4BEMzlg3LOwADrDONa9xStlwAIlxgH53bqmCVQ2t6zHkxAcSGeHLn2y+aCh6wI - 9oicvnC69DuQLkMwBFMEMUNiQwwGH8EMfQRacoFAEtH5YqiwBT1qxsnOC8ALfZ+9 - =1uoR - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2024-05-25T14:42:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAzdAjw8ldn6CAQ/7BfqXXAGvvQVGeGJDi3+XhvZ0wKQvfS4UmjP7FFa4gm26 - 4W1eS5hM007yxpjOH7NAsVbWpej8jYA6dDfeuo7P34owws61F7LQLa0X61mC1qOZ - IXx4n4kdYSV/CyqJa8HrDe56B0dpou01vjbVZ383Pbf8+VzxaKeJ2X2y3ioRijZJ - +T+rCkDHx4neOrrUkutOTJhiezQaeOnFWPEAbNRVfdLAM9jFuuG0uKtnd7hkXf0W - 8sv7z1xEYN8VF3bE70IGuyZtiTeXwhbTD0gq5kze8LldMLwBIxsrTd/xrH/Oc5Od - nY8vvdiLMlAwBrI4z+JI12Hi+b1nglldk3Hu34KaV7jG8DjgBGBy8yolqvKo0cT/ - 9T4aAe9eLANvyHpYfA1CkcFW4CHWOBRS79rC2HcHM1tQ8+coq+jxrzlYEBRwQcpE - 2jBcP7mnIGPm1csIhB6u/UUKVMqlnZ57MdKHwwXja1vzxfnRNBqFdzq5uZEyU+OQ - dDJmURqxK4zCdhk+De7Nm/wR8J7xtIJLUszu2lDJ6SWQEsut2cNUVUvmd5XV1BWV - kZaIFKADZI9qcbivci6fpCEH1/qoU5jIZJ+zvOEOZLsIJXBw1M1/fgfSZ8Aosl2t - RpikITTF0S1HL2QLbWoogdgBp6X+6xjpoWIhHVi5lqm5CX8HTRwqrJL+hPi0GW3S - XgGQv0OqaxGfD6lwyVjokWvCSEoEfK0e7se+ZyJifwAlarGaLvG0PU/iW5cVUolV - QT3TwrxD94ZB412nL2+4/QPCT/ZtOXcO+9dhLiSLneHrNrSReByIAOE1s1ZU8MM= - =XvKN - -----END PGP MESSAGE----- - fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/config/hosts/git/sops.nix b/config/hosts/git/sops.nix deleted file mode 100644 index b4548ed..0000000 --- a/config/hosts/git/sops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix deleted file mode 100644 index a4c612e..0000000 --- a/config/hosts/hydra/configuration.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ ... }: - -{ - networking = { - hostName = "hydra"; - }; - - system.stateVersion = "24.05"; -} diff --git a/config/hosts/hydra/default.nix b/config/hosts/hydra/default.nix deleted file mode 100644 index f621711..0000000 --- a/config/hosts/hydra/default.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ ... }: - -{ - imports = [ - ./configuration.nix - ./hydra.nix - ./networking.nix - ./nginx.nix - ./nix.nix - ]; -} diff --git a/config/hosts/hydra/hydra.nix b/config/hosts/hydra/hydra.nix deleted file mode 100644 index f315710..0000000 --- a/config/hosts/hydra/hydra.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ ... }: - -{ - services.hydra = { - enable = true; - listenHost = "localhost"; - port = 3000; - hydraURL = "https://hydra.hamburg.ccc.de/"; - # E-Mail configuration requires some work/investigation still. - notificationSender = "no-reply@hydra.hamburg.ccc.de"; - useSubstitutes = true; - minimumDiskFree = 8; - minimumDiskFreeEvaluator = 2; - }; -} diff --git a/config/hosts/hydra/networking.nix b/config/hosts/hydra/networking.nix deleted file mode 100644 index 82cec55..0000000 --- a/config/hosts/hydra/networking.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.163"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:45:7C:D6"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix deleted file mode 100644 index 49ca2e1..0000000 --- a/config/hosts/hydra/nginx.nix +++ /dev/null @@ -1,58 +0,0 @@ -{ config, pkgs, ... }: - -let - domain = "hydra.hamburg.ccc.de"; -in -{ - services.nginx = { - enable = true; - - virtualHosts = { - "acme-${domain}" = { - default = true; - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "${domain}" = { - default = true; - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - locations."/" = { - proxyPass = "http://${config.services.hydra.listenHost}:${builtins.toString config.services.hydra.port}"; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 8443 31820 ]; - networking.firewall.allowedUDPPorts = [ 8443 ]; -} diff --git a/config/hosts/hydra/nix.nix b/config/hosts/hydra/nix.nix deleted file mode 100644 index b95e469..0000000 --- a/config/hosts/hydra/nix.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: - -{ - # Allow Hydra to fetch flake inputs. - nix.settings.allowed-uris = [ - "github:" - "https://github.com/" - "https://git.hamburg.ccc.de/" - ]; -} diff --git a/config/hosts/matrix/default.nix b/config/hosts/matrix/default.nix index 1c1f783..c0a7703 100644 --- a/config/hosts/matrix/default.nix +++ b/config/hosts/matrix/default.nix @@ -7,6 +7,5 @@ ./postgresql.nix ./matrix-synapse.nix ./nginx.nix - ./sops.nix ]; } diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index dd92a5c..e574a59 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix @@ -39,21 +39,25 @@ media_store_path = "/mnt/data/synapse_media_store"; max_upload_size = "500M"; - + admin_contact = "mailto:yuri+ccchh@nekover.se"; }; extraConfigFiles = [ - "/run/secrets/matrix_registration_shared_secret" + "/secrets/matrix-registration-shared-secret.secret" ]; }; systemd.services.matrix-synapse.serviceConfig.ReadWritePaths = [ config.services.matrix-synapse.settings.media_store_path ]; - sops.secrets."matrix_registration_shared_secret" = { - mode = "0440"; - owner = "matrix-synapse"; - group = "matrix-synapse"; - restartUnits = [ "matrix-synapse.service" ]; + deployment.keys = { + "matrix-registration-shared-secret.secret" = { + keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/matrix/registration-shared-secret" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/matrix/networking.nix b/config/hosts/matrix/networking.nix index 5fa1aa1..370bbbd 100644 --- a/config/hosts/matrix/networking.nix +++ b/config/hosts/matrix/networking.nix @@ -1,19 +1,17 @@ { ... }: { - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.150"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; + networking.interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.150"; + prefixLength = 25; + } + ]; }; + networking.defaultGateway = "172.31.17.129"; + networking.nameservers = [ "212.12.50.158" "192.76.134.90" ]; + networking.search = [ "hamburg.ccc.de" ]; systemd.network.links."10-net0" = { matchConfig.MACAddress = "2A:A5:80:C3:8E:32"; diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index 74d4291..03dba97 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix @@ -60,6 +60,6 @@ ''; }; }; - + networking.firewall.allowedTCPPorts = [ 8443 8448 31820 ]; } diff --git a/config/hosts/matrix/postgresql.nix b/config/hosts/matrix/postgresql.nix index 62b600e..a241efd 100644 --- a/config/hosts/matrix/postgresql.nix +++ b/config/hosts/matrix/postgresql.nix @@ -4,7 +4,7 @@ services.postgresql = { enable = true; package = pkgs.postgresql_15; - + initialScript = pkgs.writeText "synapse-init.sql" '' CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse'; CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" diff --git a/config/hosts/matrix/secrets.yaml b/config/hosts/matrix/secrets.yaml deleted file mode 100644 index 26253ce..0000000 --- a/config/hosts/matrix/secrets.yaml +++ /dev/null @@ -1,233 +0,0 @@ -matrix_registration_shared_secret: ENC[AES256_GCM,data:5fKfTqwoUreSIPbua5t1lYZFRnQQjNzFvrIBVIBfKWu20kH4BhlDboL/zYnhWLELq/KykX/EUvijoZxxTnUiN7T8H3L6fKOCQKacZkIwKfg/JjqLVnXIaY0JOwg=,iv:Cazhdo7YR0zSgiyQoHLsk2e4dWGSoSfEtOuMA1LEJcg=,tag:KsbnGvEyRbzbIXuAayQk5A==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZzNVUm1keldaNExycVNM - OEV5SUZQNC9uSW8zMVNZOHQrMUQrNm01Tmg0ClF4Wm9uSzRTL055ZnlHUlplUHFO - QmhXQU5yMFJDMytyMjFiaWFXa1RuR3cKLS0tIDM2d014TTRySXVtOEJieVRxdlVp - NG95TjFjUjZFMXh2STIyakxqbUJnRlUKQ64ahDiNJ4nPUQ5pLH4Jb5yidNrK11dT - YSg9QNr++FTdYaQ/TXmYTg0d4kF3yb/xyG1vZMcpZP6+omwN73DSfg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-26T00:55:05Z" - mac: ENC[AES256_GCM,data:ix01bcc6i1dTxoYkXbnEbLgMC1bcplI/hZhyO1mFzPAyjfn8h2d4AHUS9CG8UnIDYGky8Wx3BqrC6MmWMtt829m8bS6t83JTPxOEm1pFEa41sUkW9NYuNPL4LQ8X2BzwteQaI8nfscIuwOZ0nK5CmArZneuUookQEszAGX2R0Mw=,iv:mZlEG2pPfKLgZ+6k9iN+NexRzlibYi1HzqBzbrVFj3w=,tag:PIXA+vyOSaZdU0CaI+03/A==,type:str] - pgp: - - created_at: "2024-05-26T00:53:53Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtAQ//Zi8QfQ8Ahr8WyEeaJIvXBRGUzmyg84aboRweI9D/MeJ2 - CnVm91xr74HylD6sAXbGcTnwTtWChrrgSJ7vGBj5t2UOuW9zpKFl/pgs7o4jzwoc - C2Kmgug7S/chaQJsfKTkAs0t/MTHO+DZru+O/pT90zgdQEig/19i1smnrseBuAiU - zow7lc9mwBTIEsTlkYoIr1+Ihoiizv/q9oeMvfaZr8hKV4wYTp1Cx9xCgXxVcv+X - SpzIqqTT/lm87znJcSWCQY9fTRrhAQu4RdhXzEIxTODljmFhQcx/Nug82EAc1Xjh - B7qMIsblbabJyrBUk5BypvDHJiso8qLd/6/i/rRztzK1q3vtT37XPKk8KIJz84cy - ZDqAGDWj8jWDctwac0xTAFKVr/5oF4TGIf1Ydwv7+GMOeXvn2ZInmiMGUKxdGhwW - vg2azqqatmRQxI+kHUHz+FBiQSTgKIkVplg8daCIhQVK4r4CkOU5dPvDjw7FLahV - LN7XVNVCZw7p9yACd5KkjWX2E7bfpHr/EADOr5epc/EZwOmblFmGPzFPNR/IfF+E - QJrw2bTDuMGZRzvn+6CozZOnOFpSrYtzbUHTvdt+iskHS1jD237NOvPe4j2Od401 - c2LjekRPo9BpkrufIlDQrgjflH6RGHOLdgqPE9j2zIOfmKjdIYiQlIIjNlh/xeDU - aAEJAhCoQ0WS+mj/YL0Y7lu2/GEf5FxjkOwa0o6SOd7iR17zrTwRkBdSfsSUAiu1 - pw4vkDFzgvwR+80vYfZcnYyCGOQKMYcn0PLtmnQfy/LUUGW+B1/kxqSHZDDhCuWr - o287s9GBxBoQ - =BImL - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2024-05-26T00:53:53Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2AQ//VYKib9HvGAxzknrRfI15qFSHdvRxWDiR0M8Jo7JWTOCJ - e0BGytT/dkYAKXeZvLX4W/65jQ4GhBMi20NSnyfqsWt/ENoLc3v9mXX3JleBRceX - 8Gyz7tlqjg+pVW7lUtotz4vM6TeKBJUT6tHm5K0OiQBeAtjitphIkmakw4wrS0+Y - +3Y7dOpktefQDSWVDPtbDOImcMFS6EYn5JCPG9xOhsX7XoK7/wCmZuSF3p/q6/CV - 3NgTK0W2L68CiUye+ajrtn4545f3jnQXiu+JkZGcHdKsHaexW6dzpTsSgsSc1S+t - NlhEty6Q7kXXylG3OAtoEhsA3PP2Av2o0oaIpn1Syd5czHvmV7M+QT1M9HU6U96l - Nwio5cSX7faMrlGfaBNY681kVtOiOSFDMvDes8oPEqrqKEDkIiIQwMnh68iCTXzX - jRj+dpCLLfrHdo1+oB1JI151eB3ofUPbvTSdz/pASJ9gkFJBgGCl89atxZ7BDNQZ - oCbk0NxorDG4RBA2mliITnctqAe8ZcpBrOJoGO8oJ6u4fH2SNNuoc5A+7tMEHCqb - 2E06TYmUASROR87g0yZdtffK6+ZlLZzzNI4riTUGaGUu3wXDh1ZbXB1CwF5LJ67d - 4P3gJApHJ+ZDrJGnWr/4Tx0NlvPJgJ9bKNT6F45ZZcQzq6bt+RUh6RC1Axvdns7S - XgE7EN6IttIGME/AAeNdGh6O/1XnE2CEiqwqTePb9kgwIufoJWLarnz19qcbnMp6 - mfHNrJlF5FSVuipVtgCYgfWDos7ft1qDqvgRSD1awmdFIk/2ct3wjXKxyB52Vxg= - =5zOY - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2024-05-26T00:53:53Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJAQ//cBAsMfpoC02vbVtRPf02VS4NIVu2lM1JdB/IcPo0BHSF - PHNaVh3bl2a3cqbfMvNG9nquFVpDgtAXcSaIvozlsWgMuBIukfYKgeoFNh4fhyy1 - Wgcl26wZj15Tpu4rYHK27CmXBHVusQUyTZVx2CUZwoSdtI2zveWqs7+Qvfhdjb6r - Yt1bDr+Zkrd+AxUuU5Njlp2eGOcuxINGLln2lh8jrdSytOzKll+G/nI8yBdk1Vql - P7iTQ4hHlCzs6HBsgeA7mpkJMP/h0Ts18DQ9sOYCi1SB8JR1eOqZWUu/1nSAk/hV - ntHk3+FnOta4wx7VqYNjRi2JROpvi935JBu0UqwGkVVMdqQNB33/qnJdzcdcfoa1 - 3o5UtsQNuFZW/SgJ3uiPYshIZZGujH3j05aKZV2yULyBRfP7j4KrIq+3dQLlW4J6 - TihPL1Y3aqVvlU0rGOjjKeBL/nTEbEQtbkyCcIrW6WjdWvUYtTeIGnBJt+ExkyH2 - cmuoch5XjiwMrXDnIFzOqeKbLsIZIAatFOzP0jsy66w2VAeNY9AyXCJI4cTqE6py - RVc1QK6+ynhrQ/zJ5XKJD4ATequVJidshC8ci900KBW/1R3XLm7zGQtw3gj5QQ6M - lMfA3bPS3H/DzFHq9NWbQ7Lfkm8N5W8ZSQwBKum9o1uWJC/79lFkyfgf4JqDjDzS - XgFfOjk/KKVSrS7P/3V6YHfQscFuq+Tiepr3LCNt8o+0IbNJbsr1Zg+sutuMFhrq - 2lblr+MKkvUpYBhUYYen/PULpr8c6QZYiVX14xJQqFzYk4U/4WoFZm/8dXuAQ8s= - =z9Gs - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2024-05-26T00:53:53Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1AQ/+JcEj7POTdpKoqBO0W8sxpvNafGlxWBmGF9nVMKsCe6r0 - +z2iyj0TF2ffRe822djXoG0Kod4Gf1Ihg+u/EKGgoL41CRt3DhszervSesm/pHJU - 9+IMJYj7Wz64GekkIVkYgcLkJr7AeIYM47W9kr5XGWCI4ogQLHJEVgrwFMWVsynV - meIBjn8ntS1aI9xZQC0EePlBekD6zvwQHOyEkar1MD4NaMqLKf+9x7IAErY0msXz - czBfBVZY74q0Aq27YqfUcl2QkksxfLsti3WrB4Nb2YIqzGJ6bED9TsqRhy9CQRBf - TSN+jh9Snit8NgLMAD2eyBgGUcQbwvyW2OHEYWpDXqsMbGmXQ21wygBAN0vfSCyx - v9m2+DSJ0jG9icBj31JqZcztI5fRsaForxIRmuT6EwGHc0YfuJwk8LWW1YOTRhYq - KbOMzGZnB1aNI9i7jVYHgraU1vB6u6R3hU2hOJq0zzqP7w/XuSitzb4+EzwuFkw8 - zVRNJ406ZYJvMhZp8NQ878WkJRqsV3C++LevnLkHLNfMOfDcD+nltmctVXf99Fc6 - ebc7FQj6jOsUlbNQMxnqOZ/6fV9WesjPgCsUMJFxC7/5/5th8CU5VJHYOwwMUEMS - +zbwM41MxUeknII7dc22MHUXxMocVkhlmGPYNc+jRv85nuDwbYqMa9Ht4JychK7S - XgEZyWSvHupNW3XMwspeyYZMS3pSDO+2YExopgpP6c9Uq1TgvkHo2L66SXj/E4EA - RaUR/bY7EoEdNTrqWlHpuLyRihgqHLHzlRsdJZYBinaIfwmKzvINRiQbGjqhKLs= - =mbJg - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2024-05-26T00:53:53Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4HMJd/cQYrVAQ//Vo1ZEeqpfN2gJUEKHZs6L3dXmRSd5RedwTxivQSDUZaw - CS5CQgBHd6H8ly5Phc2+QrXSjn6sJubDPaCAVmWKOf4WTMOATgdbp7eNEKlX06iT - igr5UuptY04tM6AauuXNLatD9F/2p545VkLUYVNQriVMgXjrSd2MWo7/J3P7G7lA - xupGHMQ/L3gwU2A50sJUtAc1/SW6h9RMNwHjx6FVRvQtdWUdAoRYCT+r2fICKs1m - MKYOUzOA4CW3uURM2NZEFrVdmES0izv0vNAQqx0lVxAL/qhqwsGqTAZkXryef39J - WkIpqwQWWutvwmpVu07yBllfWU5XzoxaH+ye64p7+3SyrRwdrZc7IVW8NM9NSAru - +2lio54b/dp1Sh7GGV2Y3hNMmGuPOym/PEOLVG99mkfZaPDG+Ui6enV1Ol+dFRaJ - 9VqSa1zIo5N1QdW4iy/Rke7oMlTINcJDCA/KgYeLXK5IRz/iv6q1QyzhR+dNH/pu - JzxDSru/ZSTP+oMXZ1AgGf9UDUy258A7oDRt/ECN2c3oggj+Oh/HfnPXfD+9Mlzq - c/FGIRDQE7lLQoHqBaEgp9pejepAAocCci3UMgAO3ZTgIlXwJyE7fWZKrbATIqEX - GYr/tLNIyb1df4Cg2Pp+kS0i5+KnPqcbPkN+IhJq1BA3qG0rzFJiQtIR5Yn7BxXS - XgEVc+mwjUlUnQuVxFzfyZSlVh8tipwLZck6aG3IrLn/9WSHMY22GDOprsy3bMta - OOy9KLyPgZIdPr1v4BmX77x+2Z5EeijAEswFgfPvSPEuWKSiqkXvaVDy9w+U8kM= - =0phM - -----END PGP MESSAGE----- - fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C - - created_at: "2024-05-26T00:53:53Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fARAAleXLoRXh1RP5u4Hk4zsVpSbbhKKW8dypXDBVMa4trCi/ - Xq5Z7XM/Nip1iBCUHoLRaJdi2MlM2aDfVFo+PEx4JagpjxFjzqW21WUa5vqct9Fy - UVgdsssSVq8hNrMvlxDJwYVYfyQIOUqKyzDMbXOGh6AaOHaZsNsWtOBDJRqHMSXy - ULXMH9xxHmheDDV/ZnlOl4fOBJT+qC/F02Yo92Q7rMHWMcNs5NITGN3DDYrQqs6i - uHopbwuTpRMggnHldaMM2l2n4eCBiKxxz0dGit7FlpFL0kgsZROGBkQUyAZdkkwQ - LKnaqgodCv9t/6VZNATp8+iJP7ji5IvXeW6WQOztb8+h8JV3j8pHdadNzgXxH4av - LVnqAABQMhay9jEGlPzgQFT7zDbaAiUd3bSLz1i02Dyi/FYCIylHFEmBErr5RBsn - lqbG/vAxJPKOkiDL31nkjugd09UeFYNp2WqO1DpeoYQoMltFD26TvUnbOAQo+v/y - xxl7hhCTzbd6kF1VxSCNtv0LhDdirq0+eiFN89E+5ijLjhmpg23S2E90etuRgjuF - b050aoEJyXosRqgXVl0qkOEnXgQDbAXrEobbbRixrIQRHmNN1NjRCudzJjxs+p39 - tucfUPZJO5np8ITgE7XCt82IYxW7b3HO2kejJAluIfUxOkdBgORKuc79vEaP+rrS - XgGAqi7CdzN/lfoLononCBOhce9XgdgpbpQRohO+jLp+abqmbnEzI1ZnzxpWXo8Z - taWKvUIySWbN8bWhmiIky9TyUXEfRVKe9I0MUC3Q94NAnlnj+dNXXr3mS/AxNcQ= - =ZYXj - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2024-05-26T00:53:53Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoARAAsBC/uAbTVpBWv3dmzvVglih0Zlnumbz6wcDbeDTVP3r+ - XiUyiDFE/Hdnm5J0be2jSj7s5RIXj8Gb5BkXPoytAkGF6NMtHjZJLmeo7NciQ6Bo - wDf5IXCmv/PbyuydqkHJEztsSMWoCQbGQo+dMeWoAY+WKt+dQGyGmoB8BbeUjuH+ - lgKlUk3W1INTV74Qz6avuEQpwc+6hvb1w3Vb5kdzgRjplLUB4w45wP+79HE8Ub3V - 7PhhEQMza/CIyYqHEGQ8fKzd+tuX/naYXnbfTCu64eyKCz2fQZOMdqKNA49aMWGC - vo8K38Nd8haQ+tcJvT9Vuis3n5X0Qdzpk/8u+M2XM4UQLHSaKSQRnJLpslumLJGK - fI2ErQJoD/TR+vvwrKXmCOEeiFjs0GC8zQEVP6Qa1JE7Fr8iKIEtYYXmGK0Q5Sku - 5eUkrzJC9Lh4rBvGXLX1PZefBVxnnlBMNk0Cae7vGnKKKuARE4aYgRkIhzIp0GuG - pdwSir1iTVMKtfrkpJ7BqPANKxApbLzYHBi9rFWJboA7HAXe/E73HD4Ov0tIs1La - 9rwRiJ0LYUixsngf6YvtGuj0ZiuTe0t+VhYzg9sYOcBWW8z/AAuZ3FQoBWLdOFPA - GBVI2KV+vr5h4dy7+yCqPxpqhkKe5ObCdwksBrl9tiaPVoQuN6Zv63kLlCtkP7jS - XgFYwBL4tKcCPfG+9J61T3LqItNLmzrT56LMN6LIz3pvRtASRbSRRnqKuuPgAL9g - IeFHe8lblLErRwKz+iNre6wwQCEfwbVf5NPF+rLh3nfEIZzCf/CF3qrxBpdYzwQ= - =P+bx - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2024-05-26T00:53:53Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqARAAtl2tC6rlB5O8+4t+b7ZEo4GU578OHN06nJKxxFQHG5zn - mkcANcm5gVDSRAOecM2FyZe4ns18rH4OCvp+uegEQyMVN/XNUEj4/+bGzgXX0NZf - AazE5s2+0i2NETv9bhPjJB0RR+U47PEgx9vKf4EnvL9MAfWyPbGwzR6HdXXDEE/I - c3GNaIOY7YWBgXEuX5LnZbON5hQhbFADY/BRhP1S0d7Wzff6sYgtJhbtaTQFSX2p - j2+pTA3D+tI2h9VvKnZw3n1t8Jc9apP81KNFCURpNpdR8Jh8KQ0aSEcYWTusjah9 - QOX8RmsnFnvWKTN+gU6tffcSbu/r76gmXyUCF47mWvn89ETVA8azp/66zfLTTTvO - CmFVx8+2X1TK04SIKa+MQcpAuS5cTHH6bw7N8u1YfX6O8mbHX/ZH7NJi/Bhxmube - Cau4DtdZ8mX4yz0EjUF62skJoaYYUl3UBrkGXl5A4NXK75ZHlBHT9Cn4YQYIPP1b - 5MAnTsy6UtsGVBZPf6O/kvkA2gAQNjtOjQ2nB1FF6fjqEFFopzmLnAgGvW7lWkeo - lTbrylmv6SrrvX/0wN5Dsayni2iRb7pisEAFs7JAythm463PDrzaRmLoPBNBmJz9 - l88QlYWDQaet4QbJ1AnEaOu5K03coEy6CTzJYqgkTWdLuFC4tUyKsD3P/1EANonS - XgG1y8ifC6F27sgwQribg28RPRvwoiRSGszAXCAeIwo834NQLIvswid5C4VCvPje - XG4X8m9pipP+BoXF8UuX7naRFnIGfXBOVH9N+1+SoTeZtXRX4GIWUGcRtk4nrJQ= - =FQZ1 - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2024-05-26T00:53:53Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4EEKdYEzV0pAQ/+MLPIERHeZTiyNPEUc6YnWYcfW3Zgnsnc7EzfFn7NJla7 - HpD82Y14w1gpQrUiPu7wdjzh7xeOQ3fnk2819g4wEXU32M5rCUay9XUWqWFnzpMZ - /Gy0tdwE9TgwrSQ6GDNd6JO93hLNByq1QqhsIkKEL640Wv6doLVfQW07O59hDrPd - AQ3UxWnohbNbD333yXa3kjfYcNugjtERM2wZ6qqZoXp58SG2RE0A2wMV77H0jOQj - Rx0arENCNBS5XZlIJW6v+I1Ak1wYnW5vAlVRMcUXo8vJNu93WaZ906EnmVCQ0cYn - LeNVH2ajcuOud/uiVntwdYKMr85rMBl9eOlsPP3dHqbhsrXn/+Oqagh7YUwEvJ8g - LK1krKc4Jlj9a5J6dPl0lCsEAv6vGaVCICJkNnd0JikTViu7DhajImfGrSLrA6y+ - 81hx/TTKqisAL1xBwOOu+LbwlhFZrkrTQaKnueswKzwrS3utxSX7OIepui7Ib7JK - h5R5VDq1bTCbRvo/rRpCaOt1KI6g4ZX+o5TI/60TUcGvzLRRAv7jZZ05PKhcfRuJ - 4ZrKoRu2qKVxA6+kcOfy4Gi5MgkI4Keue4tgJsYJ+LCP8tV7+Jntxf4XXVMLoFCH - jQDe3vIHOxNKqlPUEnLlVmv+g3K9Y7N5uBLuk3xkVYrxWRhBmY6e0WtTVEF/lWjS - XgFWqfLHx/JAJgIU2tiO9oLkJWcdHuXAHNYDvTKP+a8WLcJDZdS8X1feqOpWYbaH - zVbYkg4MGJqO7K9f3jlCtyszh3Kpu5CFbfXA0MZ3M2eRoJTv91iWViIWY7UP3VI= - =vsm4 - -----END PGP MESSAGE----- - fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA - - created_at: "2024-05-26T00:53:53Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdANu3CeUuv/SDkBQG+aROPeiWBauWaQBDUm6UdXAhEBXUw - Tuj49QiBBCQ440R3SBkHOzOOUUTMPkWo/wESnJm+EPla800tb9B8rOvUj7PnkbiY - 0l4Boe0q5XPHSysz9eIQ7zRwSKoClgd+zi/GOtcsvxkLWlISoBzAVOVEvk55OeKb - 7J70fuIMl5rZPPFBzbF9gjnCHxAtfSyze5774nPfFI/zoQo3WaDfL/9viRhP7Eqb - =i8o+ - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2024-05-26T00:53:53Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAzdAjw8ldn6CAQ/+N5yVnEm3ejyw10aDPkLjJoUIoxZl0Nof6pGZxdWYgiF5 - VrEsLv9vYQD8Wp7/nXuI2HW7OoA+vTG9KBZt2Tw9R0iPIMXpEf0fewPSBZ2n10lk - KJPvkMP4w2OV1AfGT+PrRPLaX8/2E4p6dE8BPviWEh9HptYKodhs9lRlcq2C3Kjh - sE88eJOSA+fQpASVZLNHKYn1UrXXENRTHE4tw3+OIpE2KSxHvIv7sI8LuXZb8Jxy - OpmUP+v9fmhsPJYIlP7SAvITMgZdMHceH7SDgOZn0kVU0inr7MJ+FCcNQkQOl7aP - jMp2B7qSXOdC2NHUmdYvzeUx6B8O9Bn19VM5LGte9n1RBnknw6TQfQO+fkQTjUyl - 3FhVqQAxrutOBjud5xn7H0Grj+7oqRI51LLUjLQdOzpEi4hul9Of3FfGnKxjOxUf - yVBHqZzFco5rcN2fzMgWytjuSED0AE8UPS/tcd01oXXEsTj4YBSKWox0gZuyn9B1 - mspU7vr9I39igceGVE6LJQ4EBnpR8xC7v5CDFpEbCr1qt4VlaH4nUgfN2tEGtOGW - 2mmrX2nGC1r1VRm0K+ACRW4htDsOsBzSxQttVJ/5IWkP5fqegcwIajjo18VXz8IH - BtZdJKzXuhQLG0B+sXndOAgACWkVQw4F2hD5CYRpiFtungAqUbtSDbeb43x7ICjS - XgFrmwLxkGfZYKOPehbp8L9glbHpfHYE4CopRHPtUkhLTNWTqzEyE7YQYYVu9Cui - E9Q3v2/+2swn6nKOQtB1Adu8ItCqu8Om+d3IJQvKVS24k4+fKPWa7/ccmkXz7OU= - =w7hs - -----END PGP MESSAGE----- - fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/config/hosts/matrix/sops.nix b/config/hosts/matrix/sops.nix deleted file mode 100644 index b4548ed..0000000 --- a/config/hosts/matrix/sops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/mjolnir/configuration.nix b/config/hosts/mjolnir/configuration.nix deleted file mode 100644 index 869c3de..0000000 --- a/config/hosts/mjolnir/configuration.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ ... }: - -{ - networking = { - hostName = "mjolnir"; - }; - - system.stateVersion = "24.05"; -} diff --git a/config/hosts/mjolnir/default.nix b/config/hosts/mjolnir/default.nix deleted file mode 100644 index 7dca51b..0000000 --- a/config/hosts/mjolnir/default.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: - -{ - imports = [ - ./configuration.nix - ./mjolnir.nix - ./networking.nix - ./sops.nix - ]; -} diff --git a/config/hosts/mjolnir/mjolnir.nix b/config/hosts/mjolnir/mjolnir.nix deleted file mode 100644 index 91b184f..0000000 --- a/config/hosts/mjolnir/mjolnir.nix +++ /dev/null @@ -1,36 +0,0 @@ -# Sources for this configuration: -# - https://github.com/matrix-org/mjolnir/blob/main/docs/setup.md -# - https://github.com/matrix-org/mjolnir/blob/main/config/default.yaml - -{ ... }: - -{ - # Allow deprecated, apparently somewhat insecure libolm to be able to update - # the moderation bot. - # The security issues aren't real world exploitable apparently: - # https://matrix.org/blog/2024/08/libolm-deprecation/ - nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ]; - services.mjolnir = { - enable = true; - homeserverUrl = "https://matrix.hamburg.ccc.de"; - managementRoom = "#moderation-management:hamburg.ccc.de"; - settings = { - verboseLogging = false; - }; - pantalaimon = { - enable = true; - username = "moderation"; - passwordFile = "/run/secrets/matrix_moderation_user_password"; - options = { - ssl = true; - }; - }; - }; - - sops.secrets."matrix_moderation_user_password" = { - mode = "0440"; - owner = "mjolnir"; - group = "mjolnir"; - restartUnits = [ "mjolnir.service" ]; - }; -} diff --git a/config/hosts/mjolnir/networking.nix b/config/hosts/mjolnir/networking.nix deleted file mode 100644 index a441814..0000000 --- a/config/hosts/mjolnir/networking.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.161"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:C9:F8:C5"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/mjolnir/secrets.yaml b/config/hosts/mjolnir/secrets.yaml deleted file mode 100644 index 0aaa2f7..0000000 --- a/config/hosts/mjolnir/secrets.yaml +++ /dev/null @@ -1,233 +0,0 @@ -matrix_moderation_user_password: ENC[AES256_GCM,data:NXJrbRh0A+NQh6Jy9iVAfYhsGR1BSOSuk1LjmArSiVF6jnuJAP9f750cRP7bu7Ai8xgxTlhjAtv9ck6SqlJ6Vw==,iv:IN/siIPCFKE+Nfl/aogYRYAHVgEGhMtTbmEZKZWQYgM=,tag:xxlnl5GU+uusSeh1OvoU1g==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTEhUMThoY3Nuc253NnBX - ZkplNmRzOGZFNWlQNDVpL08yRk5VTHZDUkZNCnIxMUJoUHJBYlJpbUViMW9GUmhR - V1F6SWh2NjRGWk9RWjMycGZYZXFZbkkKLS0tIE5MNk0xekwxY0NYYm9mc1ZGZFlH - NDN2dUpuQWFFMTZQRzFIS0ZieTRzQm8KUDRpPJwcWwePKMp6KQMnQLhqqyvuhgQh - rXpKW5fjxyT0Sh2u3FM2ET/9U0TUfpBVYBJojAJBFs1ntI8kFmqSYg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-20T20:02:16Z" - mac: ENC[AES256_GCM,data:5BhSo3YpF3QNqgGnx6YnymaEQB6pchMhokaJqk4rHg22xhbUAzOhWg4BQepT7vrCQlfOZIq4o//dGO+NQxqliiyyywrSYm3CBWD4xfZ9cdfinHC7Pc9lj6Dd4uPNxRjgTRNFuMyC+ATIABI2mHKpg+T2bxSalroIlvNr4vXWZo4=,iv:yPHJZ5PvI5zJlQIMRdbJ6eKGe1xN+teKF5GluD2pyK8=,tag:s4hO9RCdkHDsQ1W+KfXq7A==,type:str] - pgp: - - created_at: "2024-06-20T20:01:32Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtAQ//Y/GVthqtuK7bY8Ne5CNfn/CD1RUTdX1+KwX1zy3YsgUC - CGxhoFFy1UoXR3QB4Hxnk8R/vaFVHezCWKWY45MAuPtwM1VGwjVsuknrJnSs8k7/ - jrzVO9xXgTd26H6DLmPVfH1hKB0/lh84hwVgF5rlPS/P7l92LL0hDIIwZz3dB0kU - d6jLa1Fajqd4MSdLWbZRBPcioC5v1Ip/SXYAJp7IGLDgXm5MN+MnAdybAFsl1K5p - dCUmGqK5IjyPVP564TqL0ZEIXMxSSwex47in3cTYPaOO0L8P3kbKDNWxZQLaqZkn - 4RZC4/aBqlfD2STxMez/ksi6kCcPuC7UPRzuq4oH3kOcJHxwIN8Df+DZYA4PJKsl - T9QDL1EylHBhsPIZCoxpmnGl3j+hVmONj2V1awlCaOagbgDlClEUEMyw7QCVVbtK - CW4DOgVnnTxcUaLHep8BgHxKkYjIDIbDMmg315h2ekT86gGgZavL8IiFTWSLzSrK - XChIjUdjpKZhanmSWpj4w8ZpdGOOjernL2EBWtSC23AibBZmQe9OB/QzMpLTdCvV - 9t9mMoSayP61oJylBtOKhDnEW0Xib0U7tqzwpaow2V+CU2dr27qie1jh5GqMaoJR - qpu1KT3Z9eqpF3Dl8aI3dEovbmvDMVXErU3pmFu2zRJtm6TOXp4NNOYWCetUfxPU - aAEJAhCFerTI/ow/LWkCQ78cCMFjgKrYabA3lHu11Mr/PiHirwJ/vCmsUMiOhdRw - 49lsyqJlO3IA79yW4exG5tYXvPgeJMTdz36fseUEKsewfrPEqMUa2T4onet2+GN6 - GALPdepytjg+ - =v+qv - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2024-06-20T20:01:32Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQILA6EyPtWBEI+2AQ/2L7fbbhBH3BfgD7IbgtVn+nEhNJw5tWR2+0z1k72TIr9j - rPAvV6NQY8oVV2+uNLa4fMl+ueqYTFd3/E4IsRXkmexjx+vos27LjDNSu6w0OPJU - BSq5TFqZWYIPiWaivQz4+rt+vbxvpv4Lh3FAXlV9YubprJ4GRrlwyheve/l3F0BN - 3vCDLsfXijZjxaptb9nf7WiT9vvWrY0sD4g71ARZdWi7Lb+TgCxzbQMue+4VC0Zu - y/AWIymVo13BD+apoYltVYYvkn7yz3REzsx3NN4bkJyoCAevr6UeO2fGvlT7b7eG - F7CN/TusFlOqWV9M0VbiOGLfL7Q9tGAG3xDAyFh+yMQNadp0M3m9UiYUlHps5DRT - CVsIPnPUr3V/oycRm3s+UeVyBg3rpdzWyNtETOjNY/AqVmRQ0toqZOm//ZOg609U - 6+EX1Oc/GosfNoHWJuFmfKJRhPpy2gXZX2rQuLWaVJUXzzKM5sbLnycCV03S24PU - Fi7Z5lIu334QTLG8PV6agO5UprZb946qPmW+b/QnUol23XXcgh1GIgMV+lEK8+83 - UPT0aUkdtOTaKbWUg5xokx+0Ni9syJ4Nl7naQq57qOGiecMnBbeE3TYxaNOcjTBh - CY0/hdcrZYH6VPeDye4yghSDF9WCaNUvzZNePGzdqKK3F9O/NmBSiYd/cToyDdJe - AZMZCKxSw0/HyBqTRd3wC/VhC9uO2I4HWE3LuqBPUXYFWc4W1buJs+P8pFjqT5rZ - puHPH8IxIeIiVNO5SFhdL8ecSu/nawakvih65aMGSa102e6B2HfP6tD4SmarmA== - =tr5G - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2024-06-20T20:01:32Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJARAA02rGmKxyQkvxoXM1i2dLOiH6Gw/pUcdDxYSwKfdkNU3X - zc0He4FNG8CAURVq5jARD066VecamkBmlr+rwFJlaeqDPEiITfkz7DEGO8pPxKG0 - GBnFVA9r/+OU351yLjHYB+72jvw1ey0PPHvKg6/sKjovssYvQLipUcktH33kPqVQ - yJzuQWFMWA7Jn/wTa/TP/53o0e//Kw9df69J3BSmnw9F6rKHGsIXLBmyR9HpQsLR - KAuClMzjPqHszCICND7vUDEzUvCcOVyizZAcRzWfDi/llwKGUanvEGUVXvyDXw/E - Q/FyR+VJXCzRlhsFTTuavjy6nhDsRf/N8N0Vsd9euDXOPQ4wuPAgpvdi58CPBmzP - 8jU3xpFSXStYBIMt5u7t+UJT4IwdbjnClyIrSuyaV/7N5UQdYTv0fBy1mRrYLBAj - VhlRDa1y79n22Kg8mvDqJ16rC3VypkkQ6DaPvyDwlrG8iRLG/xi3Zz8HHnXxAGAm - SzliIolwEDHJZHI9ZE3YzpFJkB6UyOpXS1zMsDycupFvQ4jd2fQ0C7w5OaJHCkeQ - 3zTKgtufjJGo7R2Nf0bTWTfi85GU3jpMsOHCEcChgBVXcO32ZZ/zzmqtXa/u3m5v - sjUstyBXEmG9eyIaiEtRAMAblwRsJPMszLaCUuBpzQw+mm9uTCsIaf5Xdud7GFzS - XgH+whlmbv/UeUC7bo65uxrG8SgTVAaPZpcQ2dP3rXYs45zYmYGKJaZuW+Hrl+nZ - pd6zT6rb6R8TMmXkNA1TjhvZ/A+ONlza1fH0dmsh7U9oqINXNFJU7Qm2r7imFvg= - =ZIDr - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2024-06-20T20:01:32Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1AQ//f51KkC9oViW/0EA0TLdWgXa76ZXMeu4b3UhWaQvYDT9+ - 8wuWE+slGEWsRnFZ+pgWZoV3HIv2p+xisX2lmBvepOufaRh6cyNpQaZNl0kFtpBo - ShQ66SmkorunYyM+OIh3ceI4PC7ca4KsRKB8nWkA935NWssFN9zMlkVW6GjqzTft - 2JVJFL8GRlhIRMhJwSzp8zZ3XiYD0sB/2y+ffCMAOSCnDVcDjANyiSds6MPxfPy0 - /kaNTXuUI7H50tHQP6vzJ3q1mRpAhUTIxubnmBTdvAQz/kaD0qPt55z+Q0xSXsLa - yfb+Zd2g/2o+IFiCrwqcki5yX49Ol89l69JRyIWe1T2VtqBSUVIiiYreX5OnmWPQ - OjJ1mAn9tpIlVSHzlaONtmJEmAJ+n55rP0itBMs1CrIBiQleLaCbSWqp6q3RfaJr - gpXnfHQpsU7cKEDQeyvxmH8qgrSR9AVh/knyGOJy8LnJQ93aQpr3xr/2MiFPYiKz - dcSrxHesrfx2Zl7bNB5OZ7VZTWFSunZQUnOn3F3+7yaaT9ePsvWsyTKBOSGUiA7s - VMxT5+P8QM6UOC8KxJj/q1eAVrWvN7vYbCA25+SzbdTtr1RweOVHzNgqZH5/Q2ZY - fguwHlCGg5Q7UKYKBk4QJFg6oClDgzBYCFL76K4aymtR7rxKl4sJxWoug84oP6DS - XgEZvNS3xsY8Pxm0bAmor93Q08Mii1svnNZ74Eqmbo9GxBjHReIGKDDZ08SaPhbc - NJxAP2C2sRUda2R4GvsNYmXHzGYfFTrfe+AXqEV42ZSD9vHDJMCiX9JrY/r4uSM= - =+F4l - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2024-06-20T20:01:32Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4HMJd/cQYrVARAAq/cP9y/7kxSXDFOD/xhI/3RjGzIN5dyHlfrmEQWJ8J7z - ov0VfBCJp6gFht37dGWuLtWi1qqWRgN+9hiBnkj2zONoph0SRGP9uNfadBSzYSD4 - wvlOFrWeM9cswnk4i0q8Go+qdCC6U0g1szjirdifF7I9KdqKpOFwXzjnzsPTF42o - 9oFCP32esOYv++DfTBgrSv8/STublJYABcs+lzjvURqBsFvdz7PBphH66++yxt7v - bTTmu8O9WHC8/5QTfUzOBAfgyu4CwF3YLRZd81ERtzO/udNYgGO3bifofCfpv+nY - MMyCbGxoiAfBWcAHhka+8nMnBj0as+ln220O99N6zH1rTmqqDxRQkEiYek1MqEU1 - f319u3KqB6STWmZvjlwQ5AhwSLCLT2VpIJX4CpMClWlLb3E2rpZ+B1uBRMQQ3fMe - jSynatL2vXn3rKWzxIEIxA/BkVKQ8zXgOT9JyqyCZdHTvjEmWuQitILi7wKWJb7/ - qhTGEBoQbjIKP2Bpso286RKhS3erE0wqLeXXFb7e6bkEEHXa/jVHCZk8/qDcAAIB - 3eIb5SNnLxQwo07JlWdDPzCvqeC4fx5AWxXmHsKWI+91PA0jdNjcEPt2sxwAEQYq - LWBW6BL22Hqo/VOBXhM1T5mFKomqySLSrxTYeWXtJLZwh0aHbm6RyGGMjHpCiU3S - XgE8EQeKefLHoTixb1Rl/amIvtOUUcTtdqlyat9hhIdMl/7ZMesmNuD1ZsEzdCJd - 20/DgHzFE7WvZKrjt73GDETUjwLHZSl5fydQMgcNFgzU2mdV6nYNhF18gE/af74= - =UA8K - -----END PGP MESSAGE----- - fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C - - created_at: "2024-06-20T20:01:32Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fAQ//RVzQX4Ua5XZHTIe7ffYiqMxy/KoJdbCxpgjbdD0sx2ou - zCB13t13UkLjLo5GkTE7kRGtyKOdhQ/7NUA7tOZ+rwWOq3NehOTLfU0wMkgT7tOh - byWwNHrY9VHz3ndFnya5nNcnrqILA1rEn32PnioNyWcU6832jyUWvtRqwF+JRrKr - yRJMvz4T8vmLwrxqarB1uqU0OVHXy8bq8d9/pVrAmk6+C/H5FINFlApD0dKYftd2 - phoTSA5WG8j1e0v5p4+r9cRHlYXFMinMMkpzD/JMyNB1WVZ9aGQxU7WiuYzuv1bh - PKN/LEgfh3ypI8W960NHv/OMRjVs/VxA+G3ml3Lw6acRnaLr++MhF2G7ZBTx8rgi - fjyF6m4XtacwIKYZ7SNt9eQewGI8VU30o8np33qb9KeOt7v8PrMH1G3X+bTLnJGw - VjxjvaBaePmPplYYS7xaPuUnzFNabDXTE8XCQpdJMy26ef77gaWr6TQwXbRlZXrx - S60EecMLwUj+daR0PkVBkCDxXkW8+0uPkt6EEn5rmPdMXoh4DUw+4A14t7yyUU50 - j3M9tv6DuYs/KhgZYfLe+6hVD7fY4lAs5Ge6QGLA/TljAatE3zpSZQK+b7C4HKJS - 3eRpcAt6CJFhXaCBwl4+gigrg3voX1ykh62oqY/4ecKbAiiVXLIrcflv9kx2Ht7S - XgEDhoIRIvXoOUy6j/qjp/OFxwu5y6MpBX4vHxlpL36daL2yShMkCYyY3ajea4eX - 9k7B9fpRu3sjbDTNr1heffI+5n/HKc8j9a52hzu5eF0e+v+vKY32uk1jlUhZdj4= - =R/pX - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2024-06-20T20:01:32Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoAQ/+OHZshi2zBfbVQ91WKLqei7bT4CZGiPxQsl7aogv8JkyL - D8p+VgIReMvq4F5QFaIsA8yqMSnjxfIi5bFd9SKjuhOKvuQjyh1rSsFb0t8ESuYi - fHBnVw4tDNfTEGQa9YhNJPTq60TwR4P2xYFEgc//AQqfs9XH0cTbvkFS9dkug092 - u4yJfB2aZEJa0Eh0AenUYzP13bFH0sJwL1hQop1v9gF44JeKHpRNd0Yixlp0Yucs - Ccww+WaNFVQ4+zvyW7MnI8/D27/SQGRXXqQE6sOQlsg5SUzF2vIpYbIeuu1NR5WK - v1ZB0DlWVuOshIB7M9WUCZcAS5cMAWKc1vvZ/K0l+6tNskZvGE4p/lv1bmZ5zfc3 - gT/2L6ENuoKW7RoF071SsG9Xn7VJync+iNTtg0m7Je7HRAZAGGc8vfIkrTXAmoIE - QkGuog0R+EZxq9L1WMbppV/bnbBxiutFxwWOGTxzsn+DksVrVLvyI/EbHJvcEwzN - hISPFmAiCEKzGAGfaO24F5Xcs+U6AgumS5V5kwY6zA/kZpJEdQm38rcC12ZpXR9C - oHGs9ACtgf+g8H3/Ks5DL48FTbYuZADamVA5+pV97B7xCS8TxYChuFNPLwU2s52G - liiZV9NevlFlbsXFZS/EWgR8b0aH9Nhjl5TAPOajBOu0Nm/83XEP9nbbbjJjGRHS - XgHop/OMkJRuZZ35JQjUS6dIBzSivqplpr51wHbyilxbvOHdvuu6w9kqGY9VhuVt - nCszg+IQ0SM8YFuu1M5UPO4txYQTHx8zO5SD/d8kh5HEu9fmTNyJXblRcyAzYZc= - =TxDz - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2024-06-20T20:01:32Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqAQ//co7jg6v5QUB7eHXJPMLxsgtbC/VYp7C7QqXQda5qhohW - t0F9lysBybhIGoYuvfZGzNMYqqkVpFxzlOO2vFlcYFsQhjCpJrHBWYT4XOmIBR64 - 6Az/iKqNLS+cG+rFIIuc8BqRk3r4lrM32dCqz0a+3qRkdmbff4yKuzg8FTPlv1RI - O9SzRqfptcKDXItnQF+8CAziqcGyy4jL2wnl1Q2I2Pksr+Zw1eZVbFfHmCpG7A5C - TVihozz51jeXlggDp9/NPJOQDsmV+KdpvNx2Eqj6PQ6aGWtyYv5YZG3X/eRKW90+ - qUOJxwpW5KGcROnuvQt1AggcXquOTLHFyJ85M8tpJcl+JYVZsIeNDo+LO8sbrCTA - cjp/YSLOms+GullbGAwrJh4TYtwJE9sEKr9OAFUvd+AxVFWj08BqMe1eN5YBbwwB - vNurVdvjE8jaTCmZgPPOIP5KXSrsG8bA02YlZ4MnzodYidIhTudJ8VB4NYCtNgOL - G/x7h/KA5KYgDWEtr21z2oy0QkGijtrcNa02GpslirjufZ6TPGCbJjAeEsPbYBm7 - mDXm5+PzZpb1pbcSVNlVG5Ry73JrZxBpYCPGnxLs5yAmWOlNa/xcgDHBU+iXyVg0 - Wm8pHRAVNfbvL7NB8yeaxSDoTSE7/BsisL6tUHoV+bdlpVsTF26bQZBc/zhxiZrS - XgGJ8ChRZbpi2qUzP4nA2jPkYtQ4cquA+ftDx4i+ZqVNtAhVSnTiBZoYu/21+BUB - oxDa5m2vD0s0t0fGfmmIvpLZKZIF7NcwnCdNVQve/D3qNNa4T3YnXb8JTGH0PYc= - =mu1s - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2024-06-20T20:01:32Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4EEKdYEzV0pAQ/8D4mAcC6vsHLkSryz1yIYoBqqtJnG62pITFEbafhVLR6V - nWAw/zP9DqNj15MsrM67xaQxlMVgkVM7QTchgp0CjXsyZ/gWPgDl0NaC92Uj93Ov - Gi2OpkfHQFaAW6JsAFl5NrF0ZBw/flx8X0l2klIxBV+ztpkLADEtXWsoGsmz5L4m - n41icEp9+nb9nwy7p+Je0s4jZCBB0sVlbkX9i4IpMOgEhA0HcWemc940VJp3UyRg - LkOs5C0J4Y4qjS12248y16gV/IhNaJ4PCPgVwSj1Xzz6VXauQosmWhnUbnqJbi3F - KWEV0IJJO+dlj5VShzFDnkN2bM1GeyQx1S+FkNp+Mmm6JNrUK+CZL8fUYka06O0V - DD/sg1Pyq8VawNG5RxwAWA5F1F1SIrJzF0T4HyIN1UFRCjWC466sdrBTQLtx472k - NdBCvabHS/bx5miPKF5iglJYzz4biUdevc3EU7q4hwgMYM2oep3m2EsaTbKWzjnY - PLB4d0bCsRlya0YfHaFX5f3xSNb/FzBcUlTHzX2asyB2DolMug1VqS3jCEkWGbk/ - vfNfR5yRuwkwNlJRqHbGIfH7fYEgwSTW+VW2iUdY7Dra7xjgTzqZgLi5W8QwKJqq - 1V5H4KlRQNYwloVJzQZCwoPcY+tBfTZ4LsDKtjyJzFY9vdTGGGqb9lAG7YBUdubS - XgE72UuZvbPQZuI7uVKMEORGVssQjwZFhs4InR/Ixe03a7hb8fdRHfu/ueS/3KQx - mRXVino/iVQ6M936mtibfeH9TpBpjqH8sBKNHv2hgnoap9QpkrVn1yWqrOcpht8= - =+sXL - -----END PGP MESSAGE----- - fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA - - created_at: "2024-06-20T20:01:32Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdA/tIZCvQv0E4dHN5jBHsAGclKEeLFhyf4lIQx+xa+uwQw - /VGCdNT8U13EawRC66KLXRrRgsNPpwUg15wAoTzQ8gW/tLpgvL5nsEYPfaowYwBD - 0l4BmNV4o4J+NHF7Tk1af2kx0pp6kF9eJynn6irr336tGzY004lZfZlqwgeOk+qN - 93XcSfdAOlIktfex1q1oTPrSpGIv32zsLPoRNVa50dO+IKu1tmYAxi9N9sQgbWa4 - =rnF9 - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2024-06-20T20:01:32Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAzdAjw8ldn6CAQ/9HNG41mTgq8VavF9DBX7+upnsmoDtwblck18l3rurJ1mo - k2ki7tWwIxRyLLHtsUxJ9S55cmXuhhPJK8Kzc32SnY5irDkqK/4JZnDvofg+z68B - 8pQOunN1BQp50k8vd4Mha43re8s24iqrM+fj59uHM2YYsQYt9TCR/NvUopOdi6l2 - 8OnKI2KdRvYhtzzCY3wmQKhG7p0hc8y8pP/0DmPW5IGQ6OP4zO+Qnc4EbVnA9Uhr - tZ4sTNn0o80kfvILKANkAm81v86KdSRXdd3+1IpH1c7rTqm9o+DEm8nKnwWOF63O - P0klsYLlfqiZyQ0AyS67RHPTw/y57mAyWVFbABDLtXQQHWcIkADMLKTJLpnhKkRn - Cp94EXBBBwViAUBUzzskE4lgKXncl1h5ogLum8btU+cLky0qa8Hzie5QqszlErf8 - fci0AEHV8u+Kf5EARf1FiY6K2aVnFOJchdeL98qllwRu6f8zz7+bfLq1UXcGBlQS - JnbAlXiL4vEBxQyW5awYYzpaMUTW1ejjujZUitdaUeIQJdv/IJvHe9y6/F0uukdt - AMrDI7E+JKa6hLPe4g6H1hUzh6GcaHuNU9z2NSDfzxcOHkqALsCDLVDxsjPhahCc - UZkSn8ebyqv7/jpTgWnsls0Fx8XqvKKJNoqXfK81oIvWlJsEwqSaBczkq9HQbO7S - XgH2N8XPOJWmqDc+xS26eERNJ8ZlhYaODWwatgqt2si6EdBpVRZL4PXsOrOlI8Xi - Uaag1/Uljqbk5mN18+CtSfSt0ded79d44B9zAbc70hgvkRrpcotDBnO8YQ9MxB0= - =O0Sg - -----END PGP MESSAGE----- - fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/config/hosts/mjolnir/sops.nix b/config/hosts/mjolnir/sops.nix deleted file mode 100644 index b4548ed..0000000 --- a/config/hosts/mjolnir/sops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/mqtt/configuration.nix b/config/hosts/mqtt/configuration.nix deleted file mode 100644 index 793807d..0000000 --- a/config/hosts/mqtt/configuration.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: - -{ - networking = { - hostName = "mqtt"; - domain = "z9.ccchh.net"; - }; - - system.stateVersion = "23.11"; -} diff --git a/config/hosts/mqtt/default.nix b/config/hosts/mqtt/default.nix deleted file mode 100644 index bc91d9f..0000000 --- a/config/hosts/mqtt/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ pkgs, ... }: - -{ - imports = [ - ./configuration.nix - ./networking.nix - ./mosquitto.nix - ]; -} diff --git a/config/hosts/mqtt/mosquitto.nix b/config/hosts/mqtt/mosquitto.nix deleted file mode 100644 index 9bc02b0..0000000 --- a/config/hosts/mqtt/mosquitto.nix +++ /dev/null @@ -1,34 +0,0 @@ -# Sources for this configuration: -# - https://search.nixos.org/options?sort=relevance&type=packages&query=services.mosquitto -# - https://mosquitto.org/man/mosquitto-conf-5.html -# - https://winkekatze24.de -{ ... }: - -{ - services.mosquitto = { - enable = true; - persistence = true; - - # set config for all listeners - listeners = [{ - settings.allow_anonymous = true; - omitPasswordAuth = true; - acl = [ "topic readwrite #" ]; - }]; - - bridges.winkekatz = { - addresses = [ - { address = "mqtt.winkekatze24.de"; } - ]; - topics = [ - "winkekatze/allcats/eye/set in 2" - "winkekatze/allcats in 2" - "+/command in 2 winkekatze/ \"\"" - "+/status out 2 winkekatze/ \"\"" - "+/connected out 2 winkekatze/ \"\"" - ]; - }; - }; - - networking.firewall.allowedTCPPorts = [ 1883 ]; -} diff --git a/config/hosts/mqtt/networking.nix b/config/hosts/mqtt/networking.nix deleted file mode 100644 index 7a34cbb..0000000 --- a/config/hosts/mqtt/networking.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "10.31.208.14"; - prefixLength = 23; - } - ]; - }; - defaultGateway = "10.31.208.1"; - nameservers = [ "10.31.210.1" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:48:85:73"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix new file mode 100644 index 0000000..50a584e --- /dev/null +++ b/config/hosts/netbox/configuration.nix @@ -0,0 +1,7 @@ +{ config, pkgs, ... }: + +{ + networking.hostName = "netbox"; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/penpot/default.nix b/config/hosts/netbox/default.nix similarity index 73% rename from config/hosts/penpot/default.nix rename to config/hosts/netbox/default.nix index b6c8d81..d4a02cf 100644 --- a/config/hosts/penpot/default.nix +++ b/config/hosts/netbox/default.nix @@ -3,9 +3,9 @@ { imports = [ ./configuration.nix + ./netbox.nix ./networking.nix ./nginx.nix - ./penpot.nix - ./sops.nix + ./postgresql.nix ]; } diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix new file mode 100644 index 0000000..9c07233 --- /dev/null +++ b/config/hosts/netbox/netbox.nix @@ -0,0 +1,30 @@ +# Sources for this configuration: +# - https://docs.netbox.dev/en/stable/configuration/ +# - https://colmena.cli.rs/unstable/features/keys.html +# - https://colmena.cli.rs/unstable/reference/deployment.html +# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/secrets.nix + +{ config, pkgs, ... }: + +{ + services.netbox = { + enable = true; + package = pkgs.netbox; + secretKeyFile = "/secrets/netbox-secret-key.secret"; + settings = { + ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ]; + SESSION_COOKIE_SECURE = true; + }; + }; + + deployment.keys."netbox-secret-key.secret" = { + keyCommand = [ "env" "pass" "noc/vm-secrets/z9/netbox/netbox_secret_key" ]; + + destDir = "/secrets"; + user = "netbox"; + group = "netbox"; + permissions = "0440"; + + uploadAt = "pre-activation"; + }; +} diff --git a/config/hosts/penpot/networking.nix b/config/hosts/netbox/networking.nix similarity index 50% rename from config/hosts/penpot/networking.nix rename to config/hosts/netbox/networking.nix index a96f70b..dbfe9a6 100644 --- a/config/hosts/penpot/networking.nix +++ b/config/hosts/netbox/networking.nix @@ -1,10 +1,16 @@ -{ ... }: +# Networking configuration for the host. +# Sources for this configuration: +# - https://nixos.org/manual/nixos/stable/#sec-networking +# - https://nixos.wiki/wiki/Systemd-networkd +# - https://wiki.archlinux.org/title/Systemd-networkd + +{ config, pkgs, ... }: { networking.interfaces.net0 = { ipv4.addresses = [ { - address = "172.31.17.162"; + address = "172.31.17.149"; prefixLength = 25; } ]; @@ -14,7 +20,7 @@ networking.search = [ "hamburg.ccc.de" ]; systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:26:1C:8A"; + matchConfig.MACAddress = "62:ED:44:20:7C:C1"; linkConfig.Name = "net0"; }; } diff --git a/config/hosts/woodpecker/woodpecker-server/nginx.nix b/config/hosts/netbox/nginx.nix similarity index 55% rename from config/hosts/woodpecker/woodpecker-server/nginx.nix rename to config/hosts/netbox/nginx.nix index 962183c..2673cdc 100644 --- a/config/hosts/woodpecker/woodpecker-server/nginx.nix +++ b/config/hosts/netbox/nginx.nix @@ -1,17 +1,21 @@ # Sources for this configuration: -# - https://woodpecker-ci.org/docs/administration/deployment/nixos -# - https://woodpecker-ci.org/docs/administration/proxy +# - https://nixos.org/manual/nixos/stable/#module-security-acme +# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/nginx.nix +# - https://docs.netbox.dev/en/stable/installation/5-http-server/ +# - https://github.com/netbox-community/netbox/blob/v3.5.9/contrib/nginx.conf { config, pkgs, ... }: { services.nginx = { enable = true; + # So nginx can access the Netbox static files. + user = "netbox"; - virtualHosts."acme-woodpecker.hamburg.ccc.de" = { + virtualHosts."acme-netbox.hamburg.ccc.de" = { default = true; enableACME = true; - serverName = "woodpecker.hamburg.ccc.de"; + serverName = "netbox.hamburg.ccc.de"; listen = [ { @@ -21,10 +25,10 @@ ]; }; - virtualHosts."woodpecker.hamburg.ccc.de" = { + virtualHosts."netbox.hamburg.ccc.de" = { default = true; forceSSL = true; - useACMEHost = "woodpecker.hamburg.ccc.de"; + useACMEHost = "netbox.hamburg.ccc.de"; listen = [ { @@ -35,8 +39,12 @@ } ]; + locations."/static/" = { + alias = "${config.services.netbox.dataDir}/static/"; + }; + locations."/" = { - proxyPass = "http://localhost${config.services.woodpecker-server.environment.WOODPECKER_SERVER_ADDR}"; + proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}"; }; extraConfig = '' @@ -48,6 +56,8 @@ # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; + + client_max_body_size 25m; ''; }; }; diff --git a/config/hosts/netbox/postgresql.nix b/config/hosts/netbox/postgresql.nix new file mode 100644 index 0000000..5f49f30 --- /dev/null +++ b/config/hosts/netbox/postgresql.nix @@ -0,0 +1,7 @@ +{ pkgs, config, ... }: + +{ + services.postgresql = { + package = pkgs.postgresql_15; + }; +} diff --git a/config/hosts/penpot/configuration.nix b/config/hosts/penpot/configuration.nix deleted file mode 100644 index 4608e1c..0000000 --- a/config/hosts/penpot/configuration.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, pkgs, ... }: - -{ - networking.hostName = "penpot"; - - system.stateVersion = "24.05"; -} diff --git a/config/hosts/penpot/nginx.nix b/config/hosts/penpot/nginx.nix deleted file mode 100644 index dc446f3..0000000 --- a/config/hosts/penpot/nginx.nix +++ /dev/null @@ -1,63 +0,0 @@ -{ config, pkgs, ... }: - -let - domain = "design.hamburg.ccc.de"; -in -{ - services.nginx = { - enable = true; - - virtualHosts = { - "acme-${domain}" = { - default = true; - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "${domain}" = { - default = true; - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - locations."/" = { - proxyPass = "http://127.0.0.1:9001"; - }; - - locations."/ws/notifications" = { - proxyPass = "http://127.0.0.1:9001"; - proxyWebsockets = true; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 8443 31820 ]; - networking.firewall.allowedUDPPorts = [ 8443 ]; -} diff --git a/config/hosts/penpot/penpot.nix b/config/hosts/penpot/penpot.nix deleted file mode 100644 index 0629d1f..0000000 --- a/config/hosts/penpot/penpot.nix +++ /dev/null @@ -1,198 +0,0 @@ -# Sources used for this configuration: -# - https://github.com/penpot/penpot/blob/2.1.0/docker/images/docker-compose.yaml -# - https://raw.githubusercontent.com/penpot/penpot/2.1.0/docker/images/docker-compose.yaml -# - https://help.penpot.app/technical-guide/configuration/ -# - https://medium.com/@social.iodols/managing-docker-containers-in-nixos-fbda0f666dd1 -# - https://madison-technologies.com/take-your-nixos-container-config-and-shove-it/ - -{ config, pkgs, ... }: - -let - # Flags for both frontend and backend. - # https://help.penpot.app/technical-guide/configuration/#common - # https://github.com/penpot/penpot/commit/ea7ad2aaa096f8d190d740f693f22f3ed1f05088 - commonPenpotFlags = "disable-registration enable-oidc-registration disable-login-with-password enable-login-with-oidc"; - penpotVersion = "2.1.3"; -in -{ - virtualisation.docker.enable = true; - virtualisation.oci-containers = { - backend = "docker"; - containers = { - "penpot-frontend" = { - autoStart = true; - image = "docker.io/penpotapp/frontend:${penpotVersion}"; - extraOptions = [ "--network=penpot" ]; - ports = [ "9001:80" ]; - volumes = [ "penpot_assets:/opt/data/assets" ]; - dependsOn = [ - "penpot-backend" - "penpot-exporter" - ]; - environment = { - # https://help.penpot.app/technical-guide/configuration/#frontend - # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L78 - - PENPOT_FLAGS = "${commonPenpotFlags} disable-onboarding"; - }; - }; - - "penpot-backend" = { - autoStart = true; - image = "docker.io/penpotapp/backend:${penpotVersion}"; - extraOptions = [ "--network=penpot" ]; - volumes = [ "penpot_assets:/opt/data/assets" ]; - dependsOn = [ - "penpot-postgres" - "penpot-redis" - ]; - environment = { - # https://help.penpot.app/technical-guide/configuration/#backend - # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L112 - - PENPOT_FLAGS = "${commonPenpotFlags} enable-smtp"; - - # PENPOT_SECRET_KEY st via environmentFile. - PENPOT_TELEMETRY_ENABLED = "false"; - - # OpenID Connect configuration. - # https://help.penpot.app/technical-guide/configuration/#openid-connect - PENPOT_OIDC_CLIENT_ID = "penpot"; - PENPOT_OIDC_BASE_URI = "https://id.hamburg.ccc.de/realms/ccchh/"; - # PENPOT_OIDC_CLIENT_SECRET set via environmentFile. - PENPOT_OIDC_ROLES = "user"; - PENPOT_OIDC_ROLES_ATTR = "roles"; - - # Database configuration. - # https://help.penpot.app/technical-guide/configuration/#database - PENPOT_DATABASE_USERNAME = "penpot"; - # PENPOT_DATABASE_PASSWORD set via environmentFile. - PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot"; - - # Email configuration. - # https://help.penpot.app/technical-guide/configuration/#email-(smtp) - PENPOT_SMTP_HOST = "cow.hamburg.ccc.de"; - PENPOT_SMTP_PORT = "465"; - PENPOT_SMTP_USERNAME = "no-reply@design.hamburg.ccc.de"; - # PENPOT_SMTP_PASSWORD set via environmentFile. - PENPOT_SMTP_SSL = "true"; - PENPOT_SMTP_DEFAULT_REPLY_TO = "Penpot "; - PENPOT_SMTP_DEFAULT_FROM = "Penpot "; - - # Storage - # https://help.penpot.app/technical-guide/configuration/#storage - PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs"; - PENPOT_STORAGE_ASSETS_FS_DIRECTORY = "/opt/data/assets"; - - # Redis - # https://help.penpot.app/technical-guide/configuration/#redis - PENPOT_REDIS_URI = "redis://penpot-redis/0"; - - PENPOT_PUBLIC_URI = "https://design.hamburg.ccc.de"; - }; - environmentFiles = [ "/run/secrets/penpot_backend_environment_file" ]; - }; - - "penpot-exporter" = { - autoStart = true; - image = "docker.io/penpotapp/exporter:${penpotVersion}"; - extraOptions = [ "--network=penpot" ]; - environment = { - # https://help.penpot.app/technical-guide/configuration/#exporter - # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L221 - PENPOT_PUBLIC_URI = "http://penpot-frontend"; - PENPOT_REDIS_URI = "redis://penpot-redis/0"; - }; - }; - - "penpot-postgres" = { - autoStart = true; - image = "docker.io/library/postgres:15"; - extraOptions = [ "--stop-signal=SIGINT" "--network=penpot" ]; - volumes = [ "penpot_postgres_v15:/var/lib/postgresql/data" ]; - environment = { - # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L240 - - POSTGRES_INITDB_ARGS = "--data-checksums"; - POSTGRES_DB = "penpot"; - POSTGRES_USER = "penpot"; - # POSTGRES_PASSWORD set via environmentFile. - }; - environmentFiles = [ "/run/secrets/penpot_postgres_environment_file" ]; - }; - - "penpot-redis" = { - autoStart = true; - image = "docker.io/library/redis:7"; - extraOptions = [ "--network=penpot" ]; - }; - }; - }; - - # Docker networks. - systemd.services."docker-network-penpot" = { - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStop = "${pkgs.docker}/bin/docker network rm -f penpot"; - }; - script = "${pkgs.docker}/bin/docker network inspect penpot || ${pkgs.docker}/bin/docker network create penpot"; - requiredBy = [ - "docker-penpot-frontend.service" - "docker-penpot-backend.service" - "docker-penpot-exporter.service" - "docker-penpot-postgres.service" - "docker-penpot-redis.service" - ]; - before = [ - "docker-penpot-frontend.service" - "docker-penpot-backend.service" - "docker-penpot-exporter.service" - "docker-penpot-postgres.service" - "docker-penpot-redis.service" - ]; - }; - - # Pull docker images prior to starting container services, so that a container - # service isn't considered up, if it actually is still just pulling the - # relevant image. - systemd.services."docker-images-penpot" = { - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-frontend".image} - ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-backend".image} - ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-exporter".image} - ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-postgres".image} - ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-redis".image} - ''; - requiredBy = [ - "docker-penpot-frontend.service" - "docker-penpot-backend.service" - "docker-penpot-exporter.service" - "docker-penpot-postgres.service" - "docker-penpot-redis.service" - ]; - before = [ - "docker-penpot-frontend.service" - "docker-penpot-backend.service" - "docker-penpot-exporter.service" - "docker-penpot-postgres.service" - "docker-penpot-redis.service" - ]; - }; - - sops.secrets."penpot_backend_environment_file" = { - mode = "0440"; - owner = "root"; - group = "root"; - }; - - sops.secrets."penpot_postgres_environment_file" = { - mode = "0440"; - owner = "root"; - group = "root"; - }; -} diff --git a/config/hosts/penpot/secrets.yaml b/config/hosts/penpot/secrets.yaml deleted file mode 100644 index 855590c..0000000 --- a/config/hosts/penpot/secrets.yaml +++ /dev/null @@ -1,234 +0,0 @@ -penpot_backend_environment_file: ENC[AES256_GCM,data:+MJbbAjzslBIYlQ9xe0VzM8ON2U5dktJGGHmoUu0HW0mvU4pRYrQXlWdW85RXAyYU9yOiL6TNAHOWUQyqOdo23whuer2jL/Qe17DEhapE4b9W9JqBX7H0VZZKHS70AgGZdWmbj/bWAROg/qGPVKjZLhgKxoVTVbvAIJEXUDAbGfvHlY3BP67yUTXvbmtd/Rdhn6i1HafY7YHFNAW8SkikglW6wR5igEZMFAefMOMgq7aYmNXOr1bImjCPEko0DvumJZM4YMjmb3Wc97wL7OMP9G/V0k9fRclhOj9+lNpeeCKL+VL3Bgo8vqgrB+WIi4a0EwerT8srx351txrU+ITxoHciRQtOpeXVHWL1snW9o7xCoOcil0NS93D9GhW+Hd75Is/xHN08UHmahF1r71nbDK4CmSiUzZzFLl1oWkSTU/31zBUnllHOt5nDMKT42xiniAJcQ==,iv:vtIlNGIh9+e9W+OebTac+UUQp9glBIolC6KQwQMzDn4=,tag:kBBTu7LVp+3xJ/MstLyomw==,type:str] -penpot_postgres_environment_file: ENC[AES256_GCM,data:VT36kHkRH8ghnU1oyPpAQZW2LR8GNmG1cQXVjU4f+rGy9hViTivd7qxzMusisy7IcWfVaQuXFvUCT+pCMD/fhSAQZOY/1Rs8LBXJtsuPButOG9Q=,iv:pUjAkvvHjsnzn0xRRmdZXatOgLm9dx8Ggt7lEfiQllQ=,tag:FZRqlcxQWu/FgnJfoukIcA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZVA5WE9JcDBOQVdPbGkz - SnNkWEJvaUtGaWVOajd6SzJ6aGNxSXZQaVhnCmgwT01kNFRZa09Gd1o2ZURyZUJQ - N0dwK21vUmk1N1duOVNtV2wrVmlyNDQKLS0tIEJtUENHdXhGcXhRRjM5VkhpdEVG - Z3UzOGFFUDhwUndoQWtCdHlMenZETW8KI0FjoFG4E1fhOxYiCIxY2BnLOmGcpoyK - EbDdNFQEMngwppEm9r1KzG/1cGMoIij2qpmK4Jz1Hzgk/6dZwvGxzw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-10T15:40:27Z" - mac: ENC[AES256_GCM,data:hxVxH/BBwYcvbtOH4aOUnI9NnbCfAGnnwE3VQBJBJliOWo9WHm/hx4Eol4vaS+AA2t6AUU7UmzjofX2wSTbqQliDCFCSgbpMofDXP7tmlat+M9Du91fQmfOibzCd84tkqS+TRTFCFX83LmQ7/Bb2mHl77uGVAFYyHX9+IPPEUMw=,iv:w2Rdl2+o7bZRQsOogU6U5DK1UuHn+bL4Ouh3XbByYHA=,tag:6sqJal6+kzk0stP6vK6oOw==,type:str] - pgp: - - created_at: "2024-08-09T01:28:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtAQ/+JKe4fsuAKMJr6kuDt5vjv+hrXamWEwRLBfYPHHZHEUeK - AQBs9fG9Ni7Qpelv8RIbxWyophgt2TCEqP2d+7EcGTgDZkdLxx5s2LJuCh+tEZwT - bm0sPt+8eYY077MxA1ZtlBgkslMugvdnJaDckGc8xRPldUa7gRp0j3yaLULRxjA6 - T0nyALAqAaDa2uHgB7mTB3pXJYk4GxZpYbVc+wxAWXEDRLR/bpT18ywAcA6iSerd - KGDzWKjgOr1TTJqUxsguqDjnVp1c+xRPirC9uENGqW8mxI7h1+4B//dJvuXV/cYh - LKi0aDUTnma78mo2v9faUSJl23LkIehWZwbVG/+Mpkk3yxscLV124Vbwj56IFCzI - AiJ7m2QVxY5eXoVLodw6Po2S62gkwg7H5Aw3J4pppNuIAIr/8mJBpJoBy6poTsG3 - QhbQdEdsF5ikoLu/OV/H7mp86zJt42Q+74xGjKYx/qvLq6SDmDA03kqk9N71URyu - FRTEDysEkeAzreFFkxn3Q+K/cXvtv/2Knte1lmDTfpmhg4cFwsLPLPH37A2veaxJ - JTyWDLHgrJ8NFgii3gLrwj+XLOZOwmCY0puJKtdAnPaaQiLfyqYfeLVlt7Se4MMJ - 8XaFWcaQHBxL9nRZnx7WkE9LfHIG0e+414hT0F/aER+8iKboIbt6rdEHpEMGDWnU - aAEJAhD/TpW7E+yYjFVi/xSQ3kCAruHcm6x4BDTE7by0VeTLiRFW+culxiInOYiD - kdp+dATm5f7IrQp/qemL02/Me5yqURZlZrDHra7AiCI+MVBJiCRIY/x6xZSew7PX - HC+p9sB+PBFL - =1qbt - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2024-08-09T01:28:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2AQ/+Ijn18W+K2je/hpolpY6HmQMTTRpQJZ8YtJ5G35o5WoVP - hH+znQMrBBAtnTWeFBeIuIzk4CHjPS0yfnsE4/rP7/lSa177A2xaeiCb74F6k/Es - MtDE/TApSlNdPFruN5nkd2I8jAWh1k37nS+/NUhszReR39NNmgA+aCSc2OK04aAz - dpPXmaJ+d3zMr7eFoL2NyhNI3A/ZdVP3UmZCp12juckDRl8oeei4PBlw2T6ODJP4 - tY08I9EyK/5K4auhYJyvayl1RWwRuShFV732ZjztkawLw152W0Rrg75Qoukhs9mr - TdyF0zcnVxAcOV4e5wRe13dDV6Ue7zeWFc9bb577thGzUm2Oue0u+oisty16qt9K - 0vw0tVSDtT/suodG8HpvSwGQ+/xcV7w8XCH8Yx28N9iO49VZCB1ZYXQBxTHVDl2b - J/8AivaK4OOFvPWNr4u6oLaO9nz1aaX6Qsap5zn0Qa2Ls2SSBwWk2Fp/f1dq3KOy - /jGR89ocuEuImVacr2G6zxPnbukfa4S8q/FUUDbswQUqmWMcDDq3dOQ1fFPRd7vy - 5a9u3P8LFW+ZPPHop3kgozgZ9pBGDOlw3nkjGjFl39lE33E+049gLE6I6+1+umG0 - EWkNI9y8X+HmHMthVuYapq23Ix09H6Wa452hZmEUxNgp33M8Zx+l3s6D7o7jfrjS - XgElPJuUWyGKPoUY9mFaINyVqjOJGEtEOYRP7jvCpFWDq/xQ8jbJvvv7qBy8+i0b - cpqRrMJrvMB2PSLeD6cNWymrNhKilLLFOcG9yaIEudDhiuv3L4/ub08QMroDmo8= - =80AM - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2024-08-09T01:28:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJAQ//Vv7IVqc9ReeFgo8RWbYpl1W5atAHerZuUh0oYc4otGpb - UseJ2JInyykcUeQWlOGvTK+eauBVNET0E/6jylCoWb8lzffhSMJ4FFpvpsoYjPG9 - Q8s3r8soOCYB0xscfhinZwJg5to+I2MSd8mppWIp4UCQhxv7MqQpbqEzNTfVP7YO - QEUZ/lesVovLvxMzKc2YVWyZFSW2G6HK3LTaJIg8gy5ym/crlUB+awd2ZDePGk6F - Y7DcKwL1EpCL+hoPWGF9PclYKrOBIZVznYQuwHAqG+Bxr9Ln/NmS/OoCrJDMN6gG - 2YMZ3Q7GQ82zZESxYA7g+ef9/lGCm7DIkt80or72x7eS6/OP7c1bjGFgKLQNyHFU - Th6cOy/TzK8Sq2g1mWB2zyV3xk6mb9C0ETAFD5vvPGVC3Sb4549Y+epe1T3ZLFTA - t09nUIpTC05PEdGsWs5Z5MDp8ZCsPZpipbVrWENesNOfaFYG+p7aM0LjgTqZcadD - B/Foejayc3XYI0T/NoP43mAZ2nEOw2Bz9lBpwz0PeTfzyrhz9XlJ7Dw462XTFA3i - voTHA5+DzGNPf6zC1fH9GcESmpC2nqXit8ZV+Y7Zb9/cAsx3E05S8ayxdBZUrOtJ - JSWGOAfPuzGXgL6Ht3iKcmCxQ/pSi1aH0h+bYqlrxTvP9IMyNCrxmP6+YsXCv8XS - XgE0NjzRMClq4/HhQ5X0ANGHWxbZJLAbm8yfgK5rnnmvi53RNJhRUHDnNca93brF - n27gnVLKM+2FdwRjwNIznkbZV/iNM6zIfRWwmJs9gHRuX/J/XWzD1KjDsn2rmiQ= - =bAYZ - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2024-08-09T01:28:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1ARAAkdXjf9h4iyYtKPwR9V8hgIfpt3s3zMduuJN3u76ZHdfE - 87t5K8eL2yIVN2DeOqtXRG28Broy3LLwMlLOJhxVxS5LAOEjT4ScZyb9H7MLnDsp - boW210SLkeQ5vTW9hgjAU9V6wbemxoiNPYTcBUsuirI8a+jpnALLY0jeOILBEmHQ - c+wbeo+VnlTQkTKCFI7TwlG1JnRnv3DMATVkOjC2PXmXPNkhr04Ivvf0+yBELY/1 - hLirTfk/W6vFodPaoaRaeWjGJOo+FbqKLxr2xYzVu6SkF+i4CvDPb1x0t/laTpPA - qC6KJ1wyVwG4k7ZBLgRcf5Scn1zgGFzZexUAhdIYp0tKPycphUQxEMOI8/OeBP1V - 68gBcilvv42zs+ed2RUK4j1e9YklxazZgaUhPfdrBrw/HiDJ8ILaq6LQQZSNrxZx - koAV/qw8ylU7vkciyA8bGLOiWc/Ub9vkRSuEi5TMOhmT7bVZ+W/26bWgDcAMmCpa - 13H1uLXLuHnfDavdesh+RAxRgEavPTMz+HFbqhvkv8sy0RPCodyJv69J7dsS7a2C - 71Ub7jyZIQyRtTGGZH5EjMQVStBMccE2KrJRzZCKbCmQDofKb4M67caaHBnVrs7D - vyx8V7JQGkNOWIgWFb23dtCtRiMzFaRk31mihFmFF2tSgg6XMqNmTp0pc3zQBarS - XgFZKRlYE7H1tMUCDwyKB7G3r1jsxBlUSbH1J6XjUBWKkTD4iMHI/4YStvghLjm2 - 0qqgKH/Njd9xBXc3x4Ut7kh8tFMMa07xF7/V0Pgwq+7J7EgckEfKHKA5vcQt17Q= - =23io - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2024-08-09T01:28:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4HMJd/cQYrVAQ//RH/jOrYE9MD9IjkUfsQZ79rjEwDdtmsXs+gS/XUr0MpI - f/aDyw/vfvD7ZgY86yqp68x0OQLIyRIx9O05FNB3giVN4YFvZpFblLotpMzCFa2d - 5xKLIQ1oviDSnE0kKpNM+QKITKjCxyke7MgW/laXvF0zMaVdPj0qo3Zn07MUKULs - btxZgPhzwWLjveZGn+72QiBGTF0ce49TWoh6y/l7PDsXhojau2KP556hI3rp/nC0 - PunbLVRntpz+bOoyOk+xvKen+8b/Vwp+GYA2NBDbZSEY9H3YF5ugZBR/jUc8da7D - 9EBA35udmQVKtD2XZrIyfhETC1eqLXORo0JKld5oC03JPkqvV+QpMF+8JBjXe1Cy - qI4pBmdhTJYFoJHpvMH7eC4CWgZZRMD5mB2nk1hYd9oIiYUPABfdeGxKiFnC8zHH - cEY3jgGzetZTxnpk2mxZvFMMwFqyOJA2PnwMTv3IraARkFrLxGzUIG4uOjo+l2fp - igOKsw9p46RR1gkuKF4u3yB3/1RloDyqGCU1/n4BCWy5/UkjSQpWKShZt3qMd2G2 - A6si2zgSHIQ+ubR7MPB3Q3U/Rnw7pSbTbdDc73pZ2SPZfUuJplPSDUvXICGlj8cO - jO8s926qp4X9C4mi5um6EX5nLG+pfuKowIBdB2HWmxu2idwyrmNdlIgAcWcteazS - XgF9W6THXau4lEmrBqWEiC0K/9NA0cDJqRdvj6wqZ/OIAo86q3yRlm8yY8U7D00j - wNS8WSHq+EX0K9LpwQiHAJoxNXABEx/DbRqVeuLn2FaCocZigbvu3k/pePuOsK0= - =ZLl2 - -----END PGP MESSAGE----- - fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C - - created_at: "2024-08-09T01:28:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fAQ//dCKpiens8kqp+I9HtwP2CQOVMLLAle1VYB7pJ5pfcyzI - /3tAmwcxBmg+jhkFiqheBQYV2yNmBMHc5ulx+MxSDKd9mzCTavlGlE+intPjON8k - sis68RnU5OFsnGVXSmJji1vN37cCY4jHkf2vYzz6HJ6FLPrda/W3ZfXI+ZnOCao5 - wGYrqPcYUj+7gnN1S42HM492oqeCNLcENDvegf8AxtBEgfp7UQ0V3ZC0wZEYhz0V - p9bdivFoEZ3Zo0sJTWKj3Df3IA5T6c4dbSPj8r7IZ5iNDguKAjvegXujco7pow51 - fNNJB02hnYHLMRAbeRqaWyJ7qUQSWbQEgb8NuonspnXnajKc/OddgoTN91gTRgMb - op2T3HOFv3lKZPA/xIeDZpIm6GqOW6eJLjqiLP39VGvvNRYg+zxhNg/ZBVkFuSAf - U5uDPUyIAr10zdm7NqJKL8wKRbQzBg5OYovrXqSl96+KNenJqbMNv1N7kfSF6FuF - x8joEDXIaBSwINE4oXD5SN7Z5L2SuuMJ2nvuXFmmXKerRlrBiGsBzUVMt1bGqKEU - KoAAwbInZ9SprSxqJ1EkSVXpNGnFFNlbBB1j2u9BoGygOkVM4ZxIS19DBDLG0Tls - Fq6GI5d3axcf7t024UmwcU9yaP1BzrV0bDvDg3X+Azuo5JqpT3pSUvqv+Sy1C3nS - XgHK1C7XTOfcvmcxJ1f++xELwRkgNo1OqSG3cIZ8i1tKZFKTyYCiNHa/ajSr+wER - 4phM7Tdr6ubjLkqvDkMeXvtiGyUoAvbtLC0wqSaE8sEZ28eFGEAaECV/uOW81X0= - =0jv9 - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2024-08-09T01:28:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoAQ/9GTEI65w8icqppqTuvQD50vaR+lCY1NjWT0HekgvNuCLV - 4gL1cYv7tJ5UU6jOnREoScamWnUTYf/sLINIfa+FgvH+apswQeQCFrdCb8/61/Xc - 3hsJ8gwmguP1zJabKFI6/Yo3vPPa+kpj0Am6M7dUUxEKw4Lqy6Hc32O6ULNJOvdo - 56oqr6KoemrpU0TzqkKTpgAZaQjFfVzPWfC8moUL1pvxrHm7rqDPiYcl7fZP3JFD - gQMZokH205u1elxiFxuQGtW8jbeBqCZUm1UorEgD2EJYEPfyphIaHaQnCpW8zXkI - gt9QT3cqJpGJAobCPbh6vKPtbGPEqZOzOaCMFl07pkOSGPAVGMVfV+FdsfszPYY6 - Rqsk7zlCFv/iNFWKpkdfI66JLvhmgNwXRv+rkYzH3QrQikjLmAeTzyL69SPujgDK - qXBRZiAPwEDScr2Qcum36jDVrT3jRfC1opzwpRxM2ompJ0F6caBPNVjY10BScl7Y - RWVmkFrPL9MdEelFLscG17K+y5S/50sLcU+sGbMkmPsmizA0boK5XBXJz3cTadYy - Asr2b4aWTqBS5iW1vbWIGJVrUUk3U1S4fFaSvsL3I6O0E+sOB3eEEpQZqpF9Genr - hCE8GVE5yQWb3YYK0ZA7j4u+dwA+QfRIuQuMWFoRKp8oqEitjjix3je2R3u8/ILS - XgFcAp8Jh+VbnQg/pq92u3dX6afGv6nENpMVPn73yob+sfE5xUFEfEzE1E1WCWdR - HiLZVOgpVOYmo2s8/UW60hLNBULpqyf6ZTQsr7IqaGw4g+Ew116cwDawywRSJMg= - =T0nI - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2024-08-09T01:28:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqARAApsnPRzTCIkbKT6jaVHixgP6wyCjfVmvgb0NnMrN2Ygup - pafb6GNWoFq9WdiSqwFIJPZlZxJFiIgSxplDI63Wj1MgfvQBEnKUQvnvR+UtnB22 - bGr9mIrq/wKgslhPLFB0qT81RK/GqJKvRNpI3trGmB1pBnDdb5jiFeDHStv41XrP - hezAvmDGBKlM74fehu0pKOanIspyvFAjs31NULSHGJGzBxyM6OGcg/XLt9ea6bI5 - jHwu3+M/7nixjtaIdCtEFPv/Mdimq9p64+c6AvbEVikUH/omRebRFIRrJCotYENT - ak6/2F+Fze2cof6pJPaq1KTF7LQHi1ZaQ/N+YNDsMJIYYuX3lVg/ClEjeo5k1HJ4 - Jc+ul2KF/dAh8UsJPIdhJDlxIPdnof7xBLax1xmOQTHpqsfhZe5BP/0KMeeXzG6s - TlozMaCY0ok4JiQmiJcs+TjHX+uiiih6Wi756v7qwpCk5u3/BM+veHB/slD5Xezn - KmuHzwcbaP1n5JlOtv1PLAPfqX9EDsAVr2xhYTBISZiIKXyfagUWzPNX6toYtBfV - cQ/m9nfc5/STna7XGucnKkYFG5U2a+olIqCcbbNkN4NcW5ly0M5g1VW3oh02NO8r - A/4aU8ECj+79XXx0XCuVojnkGdTT3SQex7bkV2stBpuc5xfESbuOMWXgK0qZrYrS - XgEfX0ySVVrCxhtJgsQvZl0zrOwIttomV6hlQgo+n23HNPwjEf4nf1p2sje0uPvb - bPC7u5y1eDdy5E0XyWkAg4hxPLg7yOj7ET84Bg9S3NE8cE0nM50qL0N6aCAb4II= - =Is94 - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2024-08-09T01:28:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4EEKdYEzV0pAQ/7Bx/s7WlB9TE30vyqVWw6H4DoZS8s03Z21tDAtrUEK+k5 - QtMPvAIE0SG4lXersM3L6VMmhvPQlwZf+zSzBnO0J5vacvMG8dch4/ZH7YTM0VX6 - T0Ix9ScamEI8J5Fr1LAeBoqtTa8n1/3N2ILBVPRTTX5Wu4lSUw/voeePXAYxSSMv - 9vzrxJNcRgzbd/8Fbo3i2vzn4GvrP1JzsprLrUMVFaek5khD0hRDJMM0IhBWFRRh - L241zX/IBZDQVz0x1QVUBFmkoUjyNn94CTezTmGvqCXfkLRmcKzTZXd0dhORBPFa - LygVSLdor0v5ru70rMds6YN5WvqbmG7KUY8M3gcVXutvID58vw6ZE83T8ZAYj9S5 - r9hXegeb2e03tCvSrHmQFf37+298/E8/kBrBQgoevnHmm3p0yN3ZbrWLIRhbx2iF - NzL5s17PnGzmuSigoZERsN2Flx2fzUbtwVDP3AyLVpQ7NoqTZkJTcGQuvkYawnEa - 3RxUQySR+a7bED38wJ6zEpVg10ye7c8mVkzQnda1Qp3lnPZxz+1qg1n25I9hjNO6 - X1E8gtXx2EcwaoWcPO0W/sNBwE09SCM68KWSykwOLvZb5tq/HnhrwSisps5sAg9V - Z1c0OCwgJvYoTY46rqk7scN9YkE16LDCtAzgppZerli179E/f/7O3d59CA1mCEXS - XgHbdM2nxaBPCPgXXNRVq13R8JXiOokuxUZofwl6FaG8A6yc9z5F4Ygr/KKDeT0i - YMBezxQtQ5uKY0jIx5g2r6aSdly3QPNKiFS/rxDCrmtaBqw+OvhvLrnCn6IaRVY= - =XAoN - -----END PGP MESSAGE----- - fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA - - created_at: "2024-08-09T01:28:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdAFvRDMKG3Vjs98kRqcs4ep+bYoUcBHbMA7WgzI7CcaGQw - FjdmSwvWaHJZQGEbGk4uDHKPHqXRD3HnD9d75Azu2HXnCA29aU2c0zn0PziIi7Aa - 0l4BbcavPKNBkZpJNgW0uII7xMYJWJ/9vStTxXG/WzNia6nk/Cv7PMJW7EwIeUga - +PWB4yGfPXgqJGnJj0H1EdCVPrM/+f19GcFxNKKzkGaKTyVTW9NxntlsFl1vbmRx - =YRc6 - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2024-08-09T01:28:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAzdAjw8ldn6CAQ/5ARLA8sAZHMwNhHJycVof+ZergR58hXCBjbIy5zgyAwYU - IJ5OwhTpWqniZjt0b9pvlzU4JO1k73B1WrF7mAYEOKET32GPVatrQ64yInQbORSZ - zNQgX3aQ8tEtyBsKAWqwqRjOaP6Plee6G0RCksJBAkjIZik0diTOBwi+ZhgYSRLE - G1NAETqMKkLleYQbUWCFNveJOd/7pfhE4xhAEaSxL3dgXNPV2TOngvjCqMXvz0K2 - hEz6OYC8idpmAJv+S+HOaZbKV+giCopsPyFnbeu8jf1UpbsBRbHPnLOO6lLby2gf - 2P9MhwSeMjjCZFX/ys8vHQ2jUwXK8jfW3xfVie4hVJgh6vO+uHcomjnk2b+34SRk - 7ttoozLbMFxwrcP9trV0TgT2uzjFCe4fHccpY1VLTCX/O0eYtlhDhur0Wojp1z9v - h5mcqySEtJfHXJbTXkgMA2+QSyUaTTfvZ6oJqX3yAoq5eIzC0CcF+IMa6NS1XkY0 - TNd3FEhwe7TvKGCy/3bJx6jMUnhT71r6KW/w7RVIHgdp1hfUS9JBhxVB+agQVyRv - +HBmvWHqUdwnFzotGRzLU1g6soWa+fRVQQ80qAi1U8e+u9IX3EG0KoIXLjpkvXxK - y520NcOdN4wR0xILPP/+47QDN+kM6lunm/EMgrff4YDE8J83qMhH2IP5s/tV023S - XgH1hiB0U4SYt0Rp6OGDV+CjBCFaCkPPlync/SVuXddfLC1owGlY9L3jwu7j2PR7 - jy2jPPTWrOvT0wZKEh4k501LRb0n6LGqW6gDTgOnZKNg2iQ6jybv2HeyyExYllg= - =1o5H - -----END PGP MESSAGE----- - fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/config/hosts/penpot/sops.nix b/config/hosts/penpot/sops.nix deleted file mode 100644 index b4548ed..0000000 --- a/config/hosts/penpot/sops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/ptouch-print-server/configuration.nix b/config/hosts/ptouch-print-server/configuration.nix deleted file mode 100644 index 33f9681..0000000 --- a/config/hosts/ptouch-print-server/configuration.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: - -{ - networking = { - hostName = "ptouch-print-server"; - domain = "z9.ccchh.net"; - }; - - system.stateVersion = "23.11"; -} diff --git a/config/hosts/ptouch-print-server/default.nix b/config/hosts/ptouch-print-server/default.nix deleted file mode 100644 index 248bae6..0000000 --- a/config/hosts/ptouch-print-server/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ ... }: - -{ - imports = [ - ./configuration.nix - ./networking.nix - ./printing.nix - ]; -} diff --git a/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/forcecommand-lpr-wrapper.py b/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/forcecommand-lpr-wrapper.py deleted file mode 100644 index d42469c..0000000 --- a/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/forcecommand-lpr-wrapper.py +++ /dev/null @@ -1,84 +0,0 @@ -#!/usr/bin/env python3 - -# A script for usage with the ForceCommand sshd_config option. -# It calls lpr with some standard arguments, but also parses -# SSH_ORIGINAL_COMMAND to potentially provide a different set of arguments to -# lpr. -# -# This wrapper is written for interacting with the Brother QL 500 label printer. -# -# The following options can be provided as an SSH command and this script will -# then pass them to the lpr call: -# - MediaType can be one of: -# - Labels -# - Tape (this is the default) -# - PageSize can be one of: -# - 12mm -# - 12mm-circular -# - 17x54mm -# - 17x87mm -# - 23x23mm -# - 24mm-circular -# - 29mm -# - 29x90mm -# - 38mm -# - 38x90mm -# - 50mm -# - 54mm -# - 58mm-circular -# - 62mm -# - 62x29mm -# - 62x100mm -# - Custom.WIDTHxHEIGHT (with WIDTH and HEIGHT needing to be either one to -# three digits) -# - label-wide (this being a convenience alias for Custom.62x35mm and it also -# being the default) -# - label-item (this being a convenience alias for 38x90mm) -# -# So using these options in a complete setup would look like this for example: -# cat label-item.pdf | ssh print@ptouch-print-server.z9.ccchh.net labels label-item -# This being equivalent to: -# cat label-item.pdf | ssh print@ptouch-print-server.z9.ccchh.net Labels 38x90mm -# -# The options are case-insensitive. -# -# The options are derived from: lpoptions -p Brother-QL-500 -l - -import os, re, subprocess - -mediaType = "Tape" -pageSize = "Custom.62x35mm" - -def parseGivenOptions(): - givenOptionsString = os.environ["SSH_ORIGINAL_COMMAND"] - givenOptionsIterator = iter(givenOptionsString.split(" ")) - - givenMediaType = next(givenOptionsIterator, "") - givenPageSize = next(givenOptionsIterator, "") - - global mediaType - if givenMediaType.lower() == "labels": - mediaType = "Labels" - elif givenMediaType.lower() == "tape": - mediaType = "Tape" - - global pageSize - pageSizeRegex = re.compile(r"^((12mm(-circular)?)|(24mm-circular)|(58mm-circular)|(((17x(54|87))|(23x23)|((29|38)(x90)?)|(62x(29|100))|50|54|62)mm))$", re.ASCII | re.IGNORECASE) - pageSizeMatch = pageSizeRegex.match(givenPageSize) - pageSizeCustomRegex = re.compile(r"^custom\.(\d{1,3})x(\d{1,3})$", re.ASCII | re.IGNORECASE) - pageSizeCustomMatch = pageSizeCustomRegex.match(givenPageSize) - if givenPageSize.lower() == "label-wide": - pageSize = "Custom.62x35mm" - elif givenPageSize.lower() == "label-item": - pageSize = "38x90mm" - elif pageSizeMatch: - pageSize = givenPageSize.lower() - elif pageSizeCustomMatch: - width = pageSizeCustomMatch.group(1) - height = pageSizeCustomMatch.group(2) - pageSize = "Custom.{}x{}".format(width, height) - -if "SSH_ORIGINAL_COMMAND" in os.environ: - parseGivenOptions() - -subprocess.run(["lpr", "-P", "Brother-QL-500", "-o", "MediaType={}".format(mediaType), "-o", "PageSize={}".format(pageSize)]) diff --git a/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/setup.py b/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/setup.py deleted file mode 100644 index ef2b170..0000000 --- a/config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/setup.py +++ /dev/null @@ -1,7 +0,0 @@ -from distutils.core import setup - -setup( - name = "forcecommand-lpr-wrapper", - version = "0.0.1", - scripts = ["./forcecommand-lpr-wrapper.py"] -) diff --git a/config/hosts/ptouch-print-server/networking.nix b/config/hosts/ptouch-print-server/networking.nix deleted file mode 100644 index 83031a1..0000000 --- a/config/hosts/ptouch-print-server/networking.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "10.31.208.13"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "10.31.208.1"; - nameservers = [ "10.31.208.1" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:F2:CF:8F"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/ptouch-print-server/printing.nix b/config/hosts/ptouch-print-server/printing.nix deleted file mode 100644 index 23cacca..0000000 --- a/config/hosts/ptouch-print-server/printing.nix +++ /dev/null @@ -1,102 +0,0 @@ -# Sources for this configuration: -# - https://nixos.wiki/wiki/Printing - -{ pkgs, lib, ... }: - -let - # https://github.com/philpem/printer-driver-ptouch - printer-driver-ptouch = pkgs.stdenv.mkDerivation rec { - pname = "printer-driver-ptouch"; - version = "1.7"; - - src = pkgs.fetchgit { - url = "https://github.com/philpem/printer-driver-ptouch"; - rev = "v${version}"; - hash = "sha256-3ZotSHn7lERp53hAzx47Ct/k565rEoensCcltwX/Xls="; - }; - - nativeBuildInputs = [ - pkgs.autoreconfHook - pkgs.perl - ]; - - buildInputs = [ - pkgs.cups - pkgs.libpng - pkgs.perlPackages.XMLLibXML - pkgs.foomatic-db-engine - ]; - - patches = [ - # Add this patch to have the package actually build sucessfully. - # https://github.com/philpem/printer-driver-ptouch/pull/35 - (pkgs.fetchpatch { - name = "fix-brother-ql-600.xml.patch"; - url = "https://patch-diff.githubusercontent.com/raw/philpem/printer-driver-ptouch/pull/35.patch"; - hash = "sha256-y5bHKFeRXx8Wdl1++l4QNGgiY41LY5uzrRdOlaZyF9I="; - }) - ]; - - # Used the following as a reference on how to generate the ppd files. - # https://salsa.debian.org/printing-team/ptouch-driver/-/blob/4ba5d2c490ea1230374aa4b0bf711bf77f1ab0c7/debian/rules#L34 - postInstall = '' - mkdir -p $out/share/cups - FOOMATICDB=$out/share/foomatic ${pkgs.foomatic-db-engine}/bin/foomatic-compiledb -t ppd -d $out/share/cups/model - rm -r $out/share/foomatic - ''; - - postPatch = '' - patchShebangs --build foomaticalize - ''; - }; - forcecommand-lpr-wrapper = pkgs.python3Packages.buildPythonApplication { - name = "forcecommand-lpr-wrapper"; - src = ./forcecommand-lpr-wrapper; - - propagatedBuildInputs = [ - pkgs.cups - ]; - }; -in -{ - services.printing = { - enable = true; - drivers = [ printer-driver-ptouch ]; - stateless = true; - }; - - hardware.printers = { - ensurePrinters = [ - { - name = "Brother-QL-500"; - location = "Z9"; - deviceUri = "usb://Brother/QL-500?serial=J8Z249208"; - model = "Brother-QL-500-ptouch-ql.ppd"; - ppdOptions = { - PageSize = "Custom.62x35mm"; - }; - } - ]; - ensureDefaultPrinter = "Brother-QL-500"; - }; - - users.users.print = { - isNormalUser = true; - description = "User for printing via SSH."; - password = ""; - }; - - # PasswordAuthentication being set to false just puts "auth required - # pam_deny.so # deny (order 12400)" for pam.d/sshd, so enable - # PasswordAuthentication to have it not do that. - services.openssh.settings.PasswordAuthentication = lib.mkForce true; - security.pam.services.sshd.allowNullPassword = true; - services.openssh.extraConfig = '' - Match User print - PubkeyAuthentication no - AuthenticationMethods none - PermitEmptyPasswords yes - ForceCommand ${forcecommand-lpr-wrapper}/bin/forcecommand-lpr-wrapper.py - Match User * - ''; -} diff --git a/config/hosts/public-reverse-proxy/configuration.nix b/config/hosts/public-reverse-proxy/configuration.nix index a80f516..31aa8e8 100644 --- a/config/hosts/public-reverse-proxy/configuration.nix +++ b/config/hosts/public-reverse-proxy/configuration.nix @@ -1,10 +1,7 @@ { config, pkgs, ... }: { - networking = { - hostName = "public-reverse-proxy"; - domain = "z9.ccchh.net"; - }; + networking.hostName = "public-reverse-proxy"; system.stateVersion = "23.05"; } diff --git a/config/hosts/public-reverse-proxy/nginx.nix b/config/hosts/public-reverse-proxy/nginx.nix index 507b71a..f23e7a9 100644 --- a/config/hosts/public-reverse-proxy/nginx.nix +++ b/config/hosts/public-reverse-proxy/nginx.nix @@ -9,7 +9,6 @@ services.nginx.streamConfig = '' map $ssl_preread_server_name $address { status.ccchh.net 10.31.206.15:8443; - status.hamburg.ccc.de 10.31.206.15:8443; } # Listen on port 443 as a reverse proxy and use PROXY Protocol for the @@ -27,7 +26,6 @@ club-assistant.ccchh.net 10.31.208.10; netbox.ccchh.net 10.31.208.29:31820; light.ccchh.net 10.31.208.23; - light-werkstatt.ccchh.net 10.31.208.23; thinkcccore0.ccchh.net 10.31.242.3; thinkcccore1.ccchh.net 10.31.242.4; thinkcccore2.ccchh.net 10.31.242.5; diff --git a/config/hosts/public-web-static/default.nix b/config/hosts/public-web-static/default.nix index 9ef00e4..60487fe 100644 --- a/config/hosts/public-web-static/default.nix +++ b/config/hosts/public-web-static/default.nix @@ -6,7 +6,6 @@ ./networking.nix ./nginx.nix ./virtualHosts - ./sops.nix ./spaceapid.nix ]; } diff --git a/config/hosts/public-web-static/networking.nix b/config/hosts/public-web-static/networking.nix index cb22d40..34b36f3 100644 --- a/config/hosts/public-web-static/networking.nix +++ b/config/hosts/public-web-static/networking.nix @@ -1,19 +1,17 @@ { ... }: { - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.151"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; + networking.interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.151"; + prefixLength = 25; + } + ]; }; + networking.defaultGateway = "172.31.17.129"; + networking.nameservers = [ "212.12.50.158" "192.76.134.90" ]; + networking.search = [ "hamburg.ccc.de" ]; systemd.network.links."10-net0" = { matchConfig.MACAddress = "86:72:08:F6:C0:D6"; diff --git a/config/hosts/public-web-static/secrets.yaml b/config/hosts/public-web-static/secrets.yaml deleted file mode 100644 index 5802514..0000000 --- a/config/hosts/public-web-static/secrets.yaml +++ /dev/null @@ -1,233 +0,0 @@ -spaceapid_config_ccchh_credentials: ENC[AES256_GCM,data:5IClrKKMO/AztQuGabrnoRFItYNeEmVWGeafomVO94pL1RKzL1sCxBxnmzvJFPb/8Y+6FXMh+Mim4DP8B2RaJMLpmqCv+76N/5+527SZ6gn9i2Klg6q0kD9RzJv40qHq/NYLCa24tpcZDt7eB0EOgqLsKUmtX2LrQjjnN3NzjAevJGKQ5ypnb7xygjft2KrpvlR1hMnZ0XpSLDTNR1AmImxE24JtDaJKzwXbptr2IZvm1UFkNslxdqHPjN+N8+MSSLhqHy/FdcY2ADvsTX1jtjnjkb+9E30QOeCiFPKSmWtSGiQ9sPcQna1yr717Vk0EiNSAWDQ2fMZyJUgBXG6w3wiZbxfJmxvshLPs5KguF9NHER+Seps1QiE0p16c0IS/0Y24UYrK2GyUIcSReGufjxUFGTJHFSsNANac34H/RTs7BkoZ,iv:8WzTRaXVeH5GKmigMVTLVBnhy6nXZnTZHLAYHcqDs2s=,tag:jTdgz0gmruMWWDBQ3h70vw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByclhsVmM1TTVCY1ljcmxz - TkNMQnhUMGsvWlQyTkZtQ1RDTjhoYVBhOWlFCk9ERUdvaTNBQ1QwamtleTJPbUo4 - dkpYYjVSR1J0UkJML3RtUlRXNEsvTFUKLS0tIHNTdEFGL01vYStRaVVmWFZySWZM - MzEvb2IvZUZwSTgrL282VU9WUVpGNEUKFg1INcr/YbkmV6/F/4hWbTXj3PCscAMY - dlr4Pii9Tbhn39yOXyzt3DF+XivkdMsG7fQTHSYdvzMAnvEJ1CLOtA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-26T01:21:16Z" - mac: ENC[AES256_GCM,data:ENLJIlcUXLEt+vXp/F2YATUZrc9ZjaE4AWwvG280etdsufEw/vGAWBhG2KT+CkcZLaJ4ctVvNlJEqU/pRzae+m/43SV3GNAG+jjT2VmNm0NyNYN27bpsj4tq11D27LPn7CkfBUB0gnmGJXVKalxhFkHBf+eq3ted8dPIv9YNRt8=,iv:Yfz7scjN3qDY9lV1SYOqrejiEwf4dVSPJhiFRJyFPio=,tag:SOw4Nhx6wwYIisRJl0SSRA==,type:str] - pgp: - - created_at: "2024-05-26T01:20:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtARAAkz8cMmtau9sLQQFafUnjIkuq8UWKn9TFcAfjAWDjnLTx - WAP4RQE56FXzVCo3DXWvucOjOlVNR9Y86x99eXaMLgYLtJfOTZOCbn2nSIDxQI1S - XNHAPEXEH/UXEoQ2lffIjR+VfSOpJlwD6acfVEu13NZMvxlO9/51EOvAAo+qKa0L - EwMczgDh8QsYohBV13UIxC3Et1Hsj0Guawrx4M6pzL4OvXGUKkpDfw4NCx9to0XK - 3L4k+DHur3KhpZJg4QhrM1O1XJeb8RdlkCBMCrcteXkzKMQotVeee6Avr7kfti9s - R0hYuVswmiRJP+dxkQx1n84nnFkakY85LOxXIv7Mo3CT5xV/n/teUgZhyU+97aK0 - Soq68sBMBqo8v3Izrfi1wp5iF7nnjbkMBzkDVFsRkA7bqYlEpTqZenzTzdEhm/Kt - e+A1mY+hcWI5Gr3kkz8+LGOXgBHHjXjVslK5+KmOxzcpm77IBIQCXaTViUwTJPbW - kmrDT9MSiS+bpTHS6NPLgRz21FltbCL4d0QD7bCiMnLjdeYwfRzT+if/yR6YIGMb - 1I2odrB2Qf42CXHZooB/fV5OO5ziUXBpos3HZLxIvCUjOHyCYnoL1s4M3A6Zjf3v - 0rZvSOy0UNwYwSbxRe5G9Z2xfFddFCTE5dp0cPV2RUEVMVlNU/kgpsMtxCFwIN/U - ZgEJAhDOqBVfz4bsqSMs4t2I4Vys7oeOfYJveNT88qc/PNPqjXgEoWSWp2DZdSvV - dNHaoVQHHRyZbRxfIwe0q+xoNjv6H5NafDIMnRk0gWl0gCSJQpCIQ9j1IQrXUoPq - cArG8aqHSA== - =rUJB - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2024-05-26T01:20:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2AQ/+PCUJ7JMkGZ37gSURfBI/fM9Ow1oRp1MH8mHiflICRsio - RJhrcuThlqWHYYSFE1OlQhha8Uu+s6oaps153LKS7ZH1dzomqr5H8LfuKsaO6GDg - QyuiSGGAfudtyQ5ILN1CHjO8ifh/4469J7P/SyKkQ2AhZGQePbGkrR4kqGhj5axn - fY3Ar8HreWssm30k797x6zSs0z3BDS5vUd8JZjpt2E1nmbVTX5dLcDud06UwE3ae - B6lC+T/lxwp4LptskgsaBiikPTYspPAL8M1yG5XxKvvQlU8a9Lta7jOoXWnJ0kYE - mLoSRFBxsQsrpir4msR3oEXS7H30gkCT5j8bLdON+vbbK3d6nE5v3SXkOZhJKm8P - Zhk70lkj1HWe1uh5XRRAjn5YDelnipuml6dQMUJdxw8YrUmnVXjL+AGT0p0gcf3S - kMU6FZfELOmdR1zqCt1HicVQDmQJA2wct2+2hXRRQ91M/FAxCILOA/mqq6jZNrw1 - uz1Sa43IlI5lz/ts9bIhR8rZj/Iuq18tRgmKdLhxtuJyZKcN1v1CDiIgNOvlc67x - ydVbVHygWVs95WZyya/PjF1+K5Tuq+VkfHMIJz3cW5xDy4PwYS8GsTqG6r8gEYbx - Qn2NC3h2gtrJ76/Qo8xs+8KCbQAUgST/uSJRK8peyhvqJXSrbhFBvq7ewvJbroHS - XAHl1yNdyWNwC9t2G9twEd9c2FjLuyXGhrincAcQ0gdH1jhKHY7/LoBiVIRMBJDe - kDD+RjcCB9jXRGln/l4teKs5TeCKzpaJiONEcecl2tSqjSaOzNE8rJh0kihH - =Edso - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2024-05-26T01:20:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJARAAzGzj3TJVDsnArDe7GziE2avL5WHkHFUJNoQcEBqNhfTU - PNu8RKSpKelWeOFEFzgr3Q1imapoR1+UXzTC1dP0QL+6sEWiqImxrbHygpm9tPSp - HvLMIvAvS0zPjX9q7HFgsw2fm489To0tuEK0oTFcayatAAijpWBl63KyslFbk5f+ - tHSnaYTeRZq9QkRZlNGI3uJgMXyrHnmoyUUIb5wdKKQ2tpt1nR5okh307kU6fwqb - vT5ylRSTEZ0eWDyQbb0hThJkQS2j8QnsBN/xabDN8QGTFORrPDDobW3iro22SKJv - iVyh1yAm7QiA9yTdqcB8J1QuYvnP4RzSoCSNCAK0gZ+DklPUGC9DIEK4VTdmUaWs - cJM/dZw861D8Jnavf2RToEa4binehYHvi/+TNv7vBE+2xe9cp2Y3UZq891gHKbmr - OdlaIUv5yvU6dJfV/aib33PoGxcim1jGmRnDDu+aYv215WqoUxfNniib/HcNFb9M - JT70R4Ixo6Hnp9DyvSh+wGKPGg2WRuwrspbAjFucwMdBuY4a3XoBE4QE8QhFjLWc - 2JTegdfx4yKovY9raJ1U5LxYWkErpfdvPgYOpn2xIvhHBy9Y9F8RgnI5CIyQ2haO - KL82cNunEeljvluG+vH5bhbWNOjWKcRXfy474+KOBGSu8UJsZJr3s8n6RSAjmN7S - XAE8nvvN86y/RxvwxG0qUX3tEjVZwvipqrzxeAcY2lEX1zFpW8HyHzqWlnpN2LlG - pfqdqn6A6wocTpuaKhCWNc34Ws4uJ+XJd59nrNP6j/4Wl6SenxcJef7bgqru - =X/V9 - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2024-05-26T01:20:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1ARAApyVhDae44C6aOlE8j+oAmoPWBiTc0j6VGAwo7y6OzRVx - p6W/l/ALDRd2eVfttzTtS/J3EZ85gQEt1RTOVTR/vTTL1j+XzNF6adPuC2+uJBAb - FFhiReuD9YGyT7aW84qmfI797kKFfdkjIUiUr62iGr+kJ/urC9JK2mNSnhKJVTct - lP0HA0vrUlEHzU1LACUWw2FylyOpO+248Nxx+SXgP8ol3kQk0hAGtEq3+p7ViQdl - K9fYMM5bxlNGmMav6WVaR8ipyjf7Q6jrwOrtNymVlxKoWfzuQy8o0ACsn2PADeG9 - QZsKAmbp33S1hVYdTeXajTlPwtHhNewkxIQdahP2Ni1netzV6I8kp3HHoGO1XN0i - TtHlqZnd9/aJb5Uvuqsz4Ei+nHL0WGS7UJYKphWfw58MaYGkJ9xwEZVxoEWY9+ZQ - prQrXbIwbt6XJnuDnlgO/XZQs76/h/SAK9JQoXV13mC00SwcNqB9iav7S9+d5U3H - QOerfUDzEOjE9AehSmeruaNIdqr/V54dY9eQFGQ5hrM30JTycWdhxl0TZkAYsT+d - qd79FKXceBSodL00kg4OUS1pGwI7w6pe7RsQZ0hl9O8X8JXsRebe8Ardyh5oGe+W - yiKKGj0xi63MdzVm8r6FH4HoWPnmfTq5gcI8urUB/157aU8jlJen3TM4i4bwydzS - XAEldvNa4/1McnNpPAWGDNPGObSg71kAIR/opGGkS8atywKgkNSCUJ6wAJhyksqd - FVdrCl5Mt3GSgk5uVWeYfDuuIxM/aZ8WMjxjtxQMyOnkXQYmQD+D6dgkqiTb - =q5Tx - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2024-05-26T01:20:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4HMJd/cQYrVAQ/8Dc0JtpbZLDLway7kk2YWhLvjTmBRzIZCAaa9WSEuDVWg - u1koIDIaeAi1Y7xNUbDeEACMo1gT23mRG7Dy6QSqi+6DUY4f4v7/UCwqyJdwAb0V - ig6ENedYzYoCKZ3t/kqeeZmKnQehj2hzmIci1avzQjUmsI+u1YGJOZGDCPK9W1CA - nkZ69BlsI7ZWwkaO7J9KKd8wLp1/XVcSnRjYxvowOHmUyDd1Mlm/I+umcqWZU9De - hXc9/4cPkUk+h5c4M9XeFFqxorOozMK0dyEBjFw7Dd7BMyPfyh5OnxPazp/aqgz3 - T6SxedaTv0kH8U8dNkPkGc5NYv+D8gfZb7kLdzDglGvcHwL3HTwq7JUCFVvzCD9y - PN5XvFYIzwd1cxAbozhzX54almMFgvd8d1v+03ioEjxOJbAqMXRTgd8C5xUbFvH8 - SJ8v4YsN5XksT6AME3MyZAZgWgbDqdQDAtUvP2cWlBFFJz4+43+71sec4AK9bqph - mG/aTXDHAQ+JjLUGH+hul87F+mIa5WspbSYJ0hky1Sz7JBr1153X1xutFMiIqafL - GwfUzkDqIY2AKZPocqyRthLUkSaf2axLdWMi3VfErzD8fu9XhpM7xY/sI1S7sCBs - HGfjBTF2zTvyNo4cS5SPW1QXGrGoAy6cpxJDkuOQMq/YvW2kIeO4Wv+as3TUtLzS - XAFxzoYXYbes+SGlxaRYY62CONNdFpvF66q8IgDN1/QNC0j8g0gE0bNc14KOamxr - Qg43kRmxOVlB+zbpY5lYI4YL7XbFusFGM9dKJVg9g390nRgDnD4yBZXfqkq/ - =rthq - -----END PGP MESSAGE----- - fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C - - created_at: "2024-05-26T01:20:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fAQ/5AXvpR4o2fsfev/U/qdJ5Zz8jKwGpZ+xAhEEL8E64+f/P - Y542Oqig04emeGgvZat+jnc3ihKa+Z6k1ysSd4cod/yDUAy4NVtYzTsTziDekmaF - A1nEkbZoBrwXHQVGnO0PtFttqa0JEr5LcFlYgF8NIQRTQSQQgKp8p3llUFZYx+Pb - vuhOtWbZMFtl+yq0p03nDP3mrj32nPyyLIngvj82jMRQmw0em+Zw1JAwIIg3svWq - bp6F9a++PP2Pboc/piEGT3BIq/41gjKoIwz9m+p0NoSIcDRgmIIxflS9vzG/APC9 - E4lVM/U/px0OmLcrmlBTjQ7HwHhVEVEYjZiByeHCm5UjSYWF6yHcmyLp9etD3GsR - pPwFsmc2PWFiEWrM0aV+3EPGkSV1Kwkvd7v34sRqAsGkb8HO5KxtfIQMccMqwMRG - kwBUgLcVuft9H6k2N+MHY6yidr4LLopGfd2FZ8BkQGNy9kIVNdZw9v+6R5HkVpoD - cY0NpzwvX21M9CPuMoXzjwXLnoKHHt9sWoxL7L0XIjyTkvKmETFqvKIY7cPFU837 - 4uxnsPhVESL3UfXrIk3maCgIZfFFL60eglVHdSLUy9XvAIXkLrLzqZLTW0LVYsuY - ZAlqUkkqZ4jjrF9OlmHsjgn5znOiMlW35bcKppC+MonrNXCJHjCdGmpj1v0cc4nS - XAE0EBSF6XDG2rxXETyWzKJurkfveD1njjcRwYeBiBRZEXKKqWuICLIgR5h/WBQI - KPv2k2RhxjH6Zk6FWgc6EWhIWUM/6+zN24m5VnAgMg+DRp8d1mO6t4ZaS+WU - =p4B8 - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2024-05-26T01:20:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoAQ//Z0+gyWwynvznK8WbrU9aP583JpI53BilDDl+dJ34P28f - Kd2wr/l/Aw6QZ43kp0JGA3ZMB9SbWKy56L6MXPcDXHM42ojRCN1Z3am6NZEx4M+K - cstyV9qHZp/bUQjlUna3eZBlehHgRM0tRCKn/83Gi08nNK15wRlfZR5tg0aNbdXT - 4ymxyUfA3+n8k4K/rZlBxJ59UESUcuUJCb/oPiUCrS7lXJwA8f85F5/M9t7D1xwO - 2AfkoYl5b2NU48JrICY7SQp+xYg0jwEB2nAC/Gpmk9FGxCMIeFIT4MfpGmMah0t6 - +2qDWQFQ86TEoAHVTqcW77Qmw7WLjNm8oLh0FWYb8VxaRo2B2jnbTtC0cosLWyl2 - TrOwSYfzOOclQQchbmoK1JQb5+dUV+qUN4BO4MuI0mSXk85QFys3CY9a9X2pRXSh - SW7uMCj3SQ784uoYDBNprIYv4qsfzTEgCxrG9Ev/h35JyuNUr/oKGVsVfsLETJC/ - Leepo2FjQIzr9qe52AVcUe9JH++jrPOgUM6JQEHHz+jp+N9arsuTGakxu/5saNjT - +E7WtWdBM5mtr82DDoTKsKLEUJKsMKFpQovFjvz5tgCAsoMhFP5oem2gbfOVi2+A - uQjQH+xJow4OMjb58Qx7fILcky6XYDTNWn9hlf2zrXmtEnhkSwf6U/Gyo71qCtDS - XAHIEr8bpFS9ndb1tchTO8mcDANnKLWttuqs/UdN/W0nl895hIP7C6esi7vLF1gM - OfYLVy+X8FyS5hpjd9rcEd5jj7XBMJ4kHaW7QLMGWHYS2zLjGOhYHS4rt7nk - =hag6 - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2024-05-26T01:20:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqARAAi01+TuUHgBT2UH75pacaptBmEYedNUkzqhUn98AA1yr5 - PtYV1NGNP/rq7LDXP367yXhCslrwr+1BO7qnfAsEsEFr6InAyhOyZmAs18u5ilwc - RxW5EXrANm8SQLODBPH3/gxltpW7vzfayxdTOTNyCUH0x22eKfYknawOfpaMevAm - 95nhILE05Unqd4FSoQId+Zw6djuMdSdQ6iAANKmvRpgs1Y8RNb9P/JG1TmbVvqQm - dbx5hfoLuNnLR4q0r64tGej0iVeBljSjUDrxusjMkhwgiinFTTz8oNoLoOuPjPMm - MymkjV1m6HzdwB9JMU7kMcHDEsqhXiKcxZ5mPDQJIXSG7TTuIZndRsln2ske9ibm - uZusIC7y1868R409UWhjGXjxsoFzqOKpOCo8tFoZSdE250E6o7U8PKOgSUxRAQlb - va7LUhP10ODZof5jM9xUDorrcamT1kbnmz4SlYDIOSliR0ofsmX0ObyxZmL3CZhN - /iC5BVv9D14U7iU0PsKZl0XUOP+urJwSZSCid0zq8rjUXdqy0YH81eBG9Y360ZHB - AlfhfeaYindnJYkPpZe1XWyI0yaKOjrKgdz8/vuDTZWyNseKAcofA7cgjUHtIUvu - uMPhFk+RHd0xZnk3yrlTnEOht8MiAZxVFPk3NK/P7W3D3r0li5D5f7+2ph8RsI/S - XAFXDSRXTIDsHCWPjvTAftTKbS8dq4A28yFHJg8+Ber+RxBbOWH7NpBIgmO2SNAJ - 9CkU9neCROJuNBY9h0Xl4Yp7g6XNOeFeWdgxqJgZWhoKYSR0W8ILzQD45PXj - =ALYc - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2024-05-26T01:20:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4EEKdYEzV0pAQ/+L9uVnDe2jK1unhCFjKv0YhHobPNSQAhXaYoIiw2qTJ/q - ntduHgPFvLjQdeGT6EsfS+vxGcsLtS2FlG8woiLzX0iyc9sB0AmcwwKdG2FwyemY - +ZPE8BfjVKrGq0oiYASIceYxTfdp1kNX2aTIpuBzm36ccHQb/RSzUhEeZjyN4xtO - c6j8HJ6TANoh4eBG+X4LDVGFQPMToozqw/2hX5HPn+EDqP6Egprf/6hAetX4VcCk - csbP2AB2wl75U8Q8xSmlNUj/CTz4wpOpNj5tjsADP/ZlkH6EUcGIPk3+BC6ovy54 - zoydEnTi6uy+gMAZDLP2bRdSgjW887TIh3qPsZiyG0SEygC3B+Fb1EY/NIL7Yh5R - mJDdMbrAb9rBSXYS1ptLvq2QSjbyIpVK2n+PLtycySsaktsAEopotlwxlbf/QSBv - FCRgws0djwZ4+qtXJ/D1pMNSHD4sdRxGANPdqNJem7S4fHmegtlVWNphDP8V2bUa - krGYBc0pn/cTusEJgkccp898ghJQ7bjKxD41qtIkfceB8FnaKgdxBrNfIrucaMjb - xv0NLk5NLTCbv/ES5R6Pb4MDKEBpInUp6gygcbaDybyn5lu/jT+6pYFp8Sq0F81B - +Vk7+iz9MsV8Yz9dHJnqIiypZREF1KRPWpenNAK9XGdy5SxezfBS7Zz1VShYgoPS - XAGKmeK4A1VarYym4wSb/AXhT6HXLBM6VWB6OFvz3sXR02sAUI7GXuZOjY2raezt - Usn+dhqFnRUHgUqgtLYGXlgyXiSjUTGQnh4c18n/mkbApUKcTdX2VigoivLo - =Xjqf - -----END PGP MESSAGE----- - fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA - - created_at: "2024-05-26T01:20:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdAEZMgepQuERqKK4S8uiXmIYIRdeN5swy6S4hmzdL3yj8w - E45ScSNMVsvKD3pQq8EqxTFPb5pQ+2LfpP8gbbhYoDomGDm4tcbr8pyH3AXXoFwl - 0lwBFFDJa1GSmHSgnJqrIaqmOZJgBE5t3IEIiDQksVjV7KTwPMwoU+wx42AAU/dS - hjxQwPAfpwO9mH6FN4JC8OTVSU1VfWLCO4e8HroG44c2gOxFfnflaMjaXuIsDA== - =kkiD - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2024-05-26T01:20:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAzdAjw8ldn6CAQ//Z5yRTQUt73bYUIrnaBPwQCLB4lmlutSICdQvdlQFcqDZ - Tw0kBNBS+4dEhxlYuEmCJgM6H+2KEH+6/M5IdFErlTz8Ly0R73adlSMu0R+os/6i - clLQQAwWIyFVuRaaNxSDdJ06sl4+hZyGZlbpo9kYBjslTUpJC4urvc+6xlRnlIuf - gae9+Zmh1K9+BpUH5svExyTERwWQI1HzvcqSc+tsEYugNvJitBHTyfpFN8xjtbns - h1aDXgKo4riFHzlZHftWfaLdot8++0jgluc7fCNXfnNVYf+nREIP49A/bkDFH4Re - Lwhq1iQte48KE0JKiaXDsAwLSanNYOfEZo5LSAFYAaEGJ6gUwnyoRgH+2T9FiWoJ - Z3myWbrm0SUr8Za2k1AA1FGz8tmGppxGZp3llyqaY/hbP84myfnfpvis6IUAzyfl - xMZOGs0Q3VlOJRAYXOWS64oM6cvCg9rJiOsPMr75P+9nWhz+Ur/X8hPTPr4ku/D1 - ewUhDd406/a7aAGe7m6RyRnVCK2mybuKKYt3BGu0usYvKcPIMUYq+g2zqt6/fQ5r - gS2c+uuvMqM6o9dxkRxZWt99o8E29cGH51yl9IdrXsr7F/EyymjBENQxbDApp9mG - DHokBg9QdRvwRyyC2YBttgob8QrkZTI4xE7oRFaq9wuZqhjv6VGZXO0jauIRYV7S - XAFidvRJ2EMZlPeVpDkosbXLsux2q4v0ECXy1ciRRYJn50vLN8Fqk2fKg4aKkqeV - riCQgu8aliCMtTRTa+/NQoTpXbqD9XaPz8hf9betygs+6y3zVyBn7k7WQqmj - =yfan - -----END PGP MESSAGE----- - fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/config/hosts/public-web-static/sops.nix b/config/hosts/public-web-static/sops.nix deleted file mode 100644 index b4548ed..0000000 --- a/config/hosts/public-web-static/sops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json index 2b1309f..f7688ff 100644 --- a/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json +++ b/config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json @@ -4,7 +4,27 @@ "temperature": [ { "sensor_data": { - "unit": "°C", + "unit": "C", + "location": "Hauptraum", + "description": "Sensor im Hauptraum" + }, + "allowed_credentials": [ + "club-assistant" + ] + }, + { + "sensor_data": { + "unit": "C", + "location": "Loetschlauch", + "description": "Sensor im Lötschlauch (Teil der Werkstatt)" + }, + "allowed_credentials": [ + "club-assistant" + ] + }, + { + "sensor_data": { + "unit": "C", "location": "Innenhof", "description": "Sensor im Innenhof (erreichbar durch das Flurfenster)" }, @@ -14,6 +34,26 @@ } ], "humidity": [ + { + "sensor_data": { + "unit": "%", + "location": "Hauptraum", + "description": "Sensor im Hauptraum" + }, + "allowed_credentials": [ + "club-assistant" + ] + }, + { + "sensor_data": { + "unit": "%", + "location": "Loetschlauch", + "description": "Sensor im Lötschlauch (Teil der Werkstatt)" + }, + "allowed_credentials": [ + "club-assistant" + ] + }, { "sensor_data": { "unit": "%", @@ -24,54 +64,6 @@ "club-assistant" ] } - ], - "ext_3d_printer_busy_state": [ - { - "sensor_data": { - "unit": "bool", - "location": "Loetschlauch", - "name": "mk4", - "description": "Prusa mk4 busy state" - }, - "allowed_credentials": [ - "club-assistant" - ] - }, - { - "sensor_data": { - "unit": "bool", - "location": "Loetschlauch", - "name": "mk3.5", - "description": "Prusa mk3.5 busy state" - }, - "allowed_credentials": [ - "club-assistant" - ] - } - ], - "ext_3d_printer_minutes_remaining": [ - { - "sensor_data": { - "unit": "minutes_remaining", - "location": "Loetschlauch", - "name": "mk4", - "description": "Prusa mk4 minutes remaining" - }, - "allowed_credentials": [ - "club-assistant" - ] - }, - { - "sensor_data": { - "unit": "minutes_remaining", - "location": "Loetschlauch", - "name": "mk3.5", - "description": "Prusa mk3.5 minutes remaining" - }, - "allowed_credentials": [ - "club-assistant" - ] - } ] }, "state": { diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json index b49b2da..47d11aa 100644 --- a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json +++ b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json @@ -4,7 +4,7 @@ "14" ], "space": "CCCHH", - "logo": "https://hamburg.ccc.de/images/logo.svg", + "logo": "https://next.hamburg.ccc.de/images/logo.svg", "ext_ccc": "erfa", "url": "https://hamburg.ccc.de/", "location": { @@ -14,6 +14,7 @@ }, "contact": { "phone": "+49 40 23830150", + "irc": "ircs://irc.hackint.org:6697/#ccchh", "mastodon": "@ccchh@chaos.social", "email": "mail@hamburg.ccc.de", "ml": "talk@hamburg.ccc.de", @@ -32,7 +33,7 @@ "links": [ { "name": "Wiki", - "url": "https://wiki.hamburg.ccc.de" + "url": "https://wiki.ccchh.net" }, { "name": "Git (Forgejo)", diff --git a/config/hosts/public-web-static/spaceapid.nix b/config/hosts/public-web-static/spaceapid.nix index 3f1f8fe..f3aa25b 100644 --- a/config/hosts/public-web-static/spaceapid.nix +++ b/config/hosts/public-web-static/spaceapid.nix @@ -1,22 +1,17 @@ { pkgs, ... }: let - version = "v0.1.0"; - spaceapidSrc = pkgs.fetchgit { + spaceapidSrc = builtins.fetchGit { url = "https://git.hamburg.ccc.de/CCCHH/spaceapid.git"; - rev = version; - hash = "sha256-2SDhliltzyydPPZdNn/htDydiK/SHQcYyG/dQ0EyFrY="; + ref = "main"; + rev = "cf9678d7126e1951f9e4aabaa30d7350eb76973b"; }; - spaceapid = pkgs.buildGoModule rec { + spaceapid = pkgs.buildGoModule { pname = "spaceapid"; - inherit version; + version = "main"; src = spaceapidSrc; - ldflags = [ - "-X main.version=${version}" - ]; - # Since spaceapid doesn't have any dependencies, we can set this to null and # use the nonexistend vendored dependencies. vendorHash = null; @@ -39,7 +34,7 @@ in After = [ "network.target" "network-online.target" ]; }; serviceConfig = { - ExecStart = "${spaceapid}/bin/spaceapid -c ${spaceapidConfigResponse},${spaceapidConfigDynamic},/run/secrets/spaceapid_config_ccchh_credentials"; + ExecStart = "${spaceapid}/bin/spaceapid -c ${spaceapidConfigResponse},${spaceapidConfigDynamic},/secrets/spaceapid-config-ccchh-credentials.secret"; User = "spaceapi"; Group = "spaceapi"; Restart = "on-failure"; @@ -48,10 +43,14 @@ in wantedBy = [ "multi-user.target" ]; }; - sops.secrets."spaceapid_config_ccchh_credentials" = { - mode = "0440"; - owner = "spaceapi"; - group = "spaceapi"; - restartUnits = [ "spaceapid.service" ]; + deployment.keys = { + "spaceapid-config-ccchh-credentials.secret" = { + keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/public-web-static/spaceapid-config-ccchh-credentials" ]; + destDir = "/secrets"; + user = "spaceapi"; + group = "spaceapi"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix index ff59fab..9533e93 100644 --- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix +++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix @@ -1,19 +1,10 @@ { pkgs, ... }: -let - domain = "c3cat.de"; - dataDir = "/var/www/${domain}"; - deployUser = "c3cat-website-deploy"; -in { - security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ]; - +{ services.nginx.virtualHosts = { - "acme-${domain}" = { + "acme-c3cat.de" = { enableACME = true; - serverName = "${domain}"; - serverAliases = [ - "www.${domain}" - ]; + serverName = "c3cat.de"; listen = [ { @@ -23,9 +14,9 @@ in { ]; }; - "$www.${domain}" = { + "c3cat.de" = { forceSSL = true; - useACMEHost = "${domain}"; + useACMEHost = "c3cat.de"; listen = [ { @@ -37,42 +28,7 @@ in { ]; locations."/" = { - return = "302 https://c3cat.de$request_uri"; - }; - - locations."/manuals/eh22-rgb-ears" = { - return = "307 https://www.c3cat.de/rgb-ears.html"; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - - "${domain}" = { - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - root = "${dataDir}"; - - locations."/manuals/eh22-rgb-ears" = { - return = "307 https://c3cat.de/rgb-ears.html"; + return = "302 https://wiki.ccchh.net/club:c3cat:start"; }; extraConfig = '' @@ -87,17 +43,4 @@ in { ''; }; }; - - systemd.tmpfiles.rules = [ - "d ${dataDir} 0755 ${deployUser} ${deployUser}" - ]; - - users.users."${deployUser}" = { - isNormalUser = true; - group = "${deployUser}"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de" - ]; - }; - users.groups."${deployUser}" = { }; } diff --git a/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix b/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix deleted file mode 100644 index 37d95b9..0000000 --- a/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix +++ /dev/null @@ -1,97 +0,0 @@ -{ ... }: - -let - domain = "cryptoparty-hamburg.de"; - dataDir = "/var/www/${domain}"; - deployUser = "cryptoparty-website-deploy"; -in -{ - security.acme.certs."${domain}".extraDomainNames = [ - "cryptoparty.hamburg.ccc.de" - ]; - - services.nginx.virtualHosts = { - "acme-${domain}" = { - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "cryptoparty.hamburg.ccc.de" = { - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - locations."/".return = "302 https://${domain}$request_uri"; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - - "${domain}" = { - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - root = "${dataDir}"; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - - error_page 404 /404.html; - - port_in_redirect off; - ''; - }; - }; - - systemd.tmpfiles.rules = [ - "d ${dataDir} 0755 ${deployUser} ${deployUser}" - ]; - - users.users."${deployUser}" = { - isNormalUser = true; - group = "${deployUser}"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICz+Lxi9scblM/SKJq4nl64UwvVn8SuF2xmzOuyQrzR+ deploy key for cryptoparty-hamburg.de" - ]; - }; - users.groups."${deployUser}" = { }; -} diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index 59e69e6..5036faf 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix +++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -4,18 +4,8 @@ imports = [ ./branding-resources.hamburg.ccc.de.nix ./c3cat.de.nix - ./cryptoparty-hamburg.de.nix ./element.hamburg.ccc.de.nix - ./hacker.tours.nix - ./hackertours.hamburg.ccc.de.nix - ./hamburg.ccc.de.nix + ./next.hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix - ./staging.c3cat.de.nix - ./staging.cryptoparty-hamburg.de.nix - ./staging.hacker.tours.nix - ./staging.hackertours.hamburg.ccc.de.nix - ./staging.hamburg.ccc.de.nix - ./www.hamburg.ccc.de.nix - ./historic-easterhegg ]; } diff --git a/config/hosts/public-web-static/virtualHosts/element-web-config/config.json b/config/hosts/public-web-static/virtualHosts/element-web-config/config.json index 19cfdf0..393c215 100644 --- a/config/hosts/public-web-static/virtualHosts/element-web-config/config.json +++ b/config/hosts/public-web-static/virtualHosts/element-web-config/config.json @@ -49,7 +49,7 @@ "auth_header_logo_url": "https://branding-resources.hamburg.ccc.de/logo/ccchh-logo-no-background.png", "auth_footer_links": [ { "text": "Website", "url": "https://hamburg.ccc.de/" }, - { "text": "Wiki", "url": "https://wiki.hamburg.ccc.de/" }, + { "text": "Wiki", "url": "https://wiki.ccchh.net/" }, { "text": "Status", "url": "https://status.ccchh.net/status/main" } ] } diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix index 9e919e2..a72703a 100644 --- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix @@ -1,10 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.109"; element-web = pkgs.fetchzip { - url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-eKPClYJxUhCJznI1+dv9w2h0CoSKgZsBZCsuM3KH5ag="; + url = "https://github.com/vector-im/element-web/releases/download/v1.11.45/element-v1.11.45.tar.gz"; + sha256 = "sha256-nwRsBIF9vcHZkyVsLA2sU2cmuzALEIIOcWQRGfd+5xs="; }; elementSecurityHeaders = '' # Configuration best practices diff --git a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix deleted file mode 100644 index 1ee6180..0000000 --- a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix +++ /dev/null @@ -1,64 +0,0 @@ -{ pkgs, ... }: - -let - domain = "hacker.tours"; - dataDir = "/var/www/${domain}"; - deployUser = "hackertours-website-deploy"; -in -{ - services.nginx.virtualHosts = { - "acme-${domain}" = { - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "${domain}" = { - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - root = "${dataDir}"; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - - error_page 404 /404.html; - ''; - }; - }; - - systemd.tmpfiles.rules = [ - "d ${dataDir} 0755 ${deployUser} ${deployUser}" - ]; - - users.users."${deployUser}" = { - isNormalUser = true; - group = "${deployUser}"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrDTANfPMkcf+V7zkypzaeX2fxkfStPHmZKqC29xyqy deploy key for hacker.tours" - ]; - }; - users.groups."${deployUser}" = { }; -} diff --git a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix deleted file mode 100644 index b0104b6..0000000 --- a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix +++ /dev/null @@ -1,69 +0,0 @@ -{ pkgs, ... }: - -let - domain = "hackertours.hamburg.ccc.de"; - dataDir = "/var/www/${domain}"; - deployUser = "ht-ccchh-website-deploy"; -in -{ - services.nginx.virtualHosts = { - "acme-${domain}" = { - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "${domain}" = { - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - root = "${dataDir}"; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - - error_page 404 /404.html; - - port_in_redirect off; - - rewrite ^/(de|en)/tours$ /$1/37c3 redirect; - rewrite ^/(de|en)/tours/(.*)$ /$1/37c3/$2 redirect; - ''; - }; - }; - - systemd.tmpfiles.rules = [ - "d ${dataDir} 0755 ${deployUser} ${deployUser}" - ]; - - users.users."${deployUser}" = { - isNormalUser = true; - group = "${deployUser}"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxMnllgRD6W85IQ0WrVJSwr7dKM8PLNK4pmGaJRu0OR deploy key for hackertours.hamburg.ccc.de" - ]; - }; - users.groups."${deployUser}" = { }; -} diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix deleted file mode 100644 index b70f74a..0000000 --- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix +++ /dev/null @@ -1,111 +0,0 @@ -{ pkgs, ... }: - -{ - services.nginx.virtualHosts = { - "acme-hamburg.ccc.de" = { - enableACME = true; - serverName = "hamburg.ccc.de"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "hamburg.ccc.de" = { - forceSSL = true; - useACMEHost = "hamburg.ccc.de"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - root = "/var/www/hamburg.ccc.de/"; - - # Redirect the old spaceapi endpoint to the new one. - locations."/dooris/status.json" = { - return = "302 https://spaceapi.hamburg.ccc.de/"; - }; - - # Add .well-known/matrix stuff for Matrix to work. - locations."/.well-known/matrix/server" = { - return = "200 '{\"m.server\": \"matrix.hamburg.ccc.de:443\"}'"; - extraConfig = '' - add_header Content-Type application/json; - ''; - }; - locations."/.well-known/matrix/client" = { - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.hamburg.ccc.de\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'"; - extraConfig = '' - default_type application/json; - add_header Access-Control-Allow-Origin *; - ''; - }; - - # Redirect pages starting with 4 digits for redirecting the old blog - # article URLs. - # We want to redirect /yyyy/mm/dd/slug to /blog/yyyy/mm/dd/slug, but we - # just match the first 4 digits for simplicity. - locations."~ \"^/[\\d]{4}\"" = { - return = "302 https://$host/blog$request_uri"; - }; - - # Redirect pages, which previously lived on the old website, to their - # successors in the wiki. - locations."/club/satzung" = { - return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:satzung"; - }; - locations."/club/hausordnung" = { - return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:hausordnung"; - }; - locations."/club/vertrauenspersonen" = { - return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:vertrauenspersonen"; - }; - locations."/club/beitragsordnung" = { - return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:beitragsordnung"; - }; - locations."/club/mitgliedschaft" = { - return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:foemi-formular"; - }; - locations."/club/geschichte" = { - return = "302 https://wiki.hamburg.ccc.de/club:geschichte"; - }; - - # Redirect old feed location. - locations."/feed.xml" = { - return = "302 https://$host/blog/index.xml"; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - - error_page 404 /404.html; - - port_in_redirect off; - ''; - }; - }; - - users.users.ccchh-website-deploy = { - isNormalUser = true; - group = "ccchh-website-deploy"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb ccchh website deployment key" - ]; - }; - users.groups.ccchh-website-deploy = { }; -} diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix deleted file mode 100644 index 69d8855..0000000 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ ... }: - -{ - imports = [ - ./eh03.nix - ./eh05.nix - ./eh07.nix - ./eh09.nix - ./eh11.nix - ./eh20.nix - ]; -} diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix deleted file mode 100644 index 2c5dd86..0000000 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix +++ /dev/null @@ -1,101 +0,0 @@ -{ pkgs, ... }: - -let - eh03 = pkgs.fetchgit { - url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2003-website.git"; - rev = "74977c56486cd060566bf06678a936e801952f9e"; - hash = "sha256-ded/NO+Jex2Sa4yWAIRpqANsv8i0vKmJSkM5r9KxaVk="; - }; -in -{ - security.acme.certs."eh03.easterhegg.eu".extraDomainNames = [ - "eh2003.hamburg.ccc.de" - "www.eh2003.hamburg.ccc.de" - "easterhegg2003.hamburg.ccc.de" - "www.easterhegg2003.hamburg.ccc.de" - ]; - - services.nginx.virtualHosts = { - "acme-eh03.easterhegg.eu" = { - enableACME = true; - serverName = "eh03.easterhegg.eu"; - serverAliases = [ - "eh2003.hamburg.ccc.de" - "www.eh2003.hamburg.ccc.de" - "easterhegg2003.hamburg.ccc.de" - "www.easterhegg2003.hamburg.ccc.de" - ]; - listen = [{ - addr = "0.0.0.0"; - port = 31820; - }]; - }; - - "easterhegg2003.hamburg.ccc.de" = { - forceSSL = true; - useACMEHost = "eh03.easterhegg.eu"; - serverAliases = [ - "eh2003.hamburg.ccc.de" - "www.eh2003.hamburg.ccc.de" - "www.easterhegg2003.hamburg.ccc.de" - ]; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - - locations."/".return = "302 https://eh03.easterhegg.eu"; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - - "eh03.easterhegg.eu" = { - forceSSL = true; - useACMEHost = "eh03.easterhegg.eu"; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - - locations."/" = { - index = "index.html"; - root = eh03; - extraConfig = '' - # Set default_type to html - default_type text/html; - # Enable SSI - ssi on; - ''; - }; - - extraConfig = '' - set $chosen_lang "de"; - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - # Enable SSI - ssi on; - ''; - }; - }; -} diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix deleted file mode 100644 index 37cb893..0000000 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix +++ /dev/null @@ -1,100 +0,0 @@ -{ pkgs, ... }: - -let - eh05 = pkgs.fetchgit { - url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2005-website.git"; - rev = "f1455aee35b6462ab5c46f3d52c47e0b200c1315"; - hash = "sha256-lA4fxO05K39nosSYNfKUtSCrK+dja1yWKILqRklSNy8="; - }; -in -{ - security.acme.certs."eh05.easterhegg.eu".extraDomainNames = [ - "eh2005.hamburg.ccc.de" - "www.eh2005.hamburg.ccc.de" - "easterhegg2005.hamburg.ccc.de" - "www.easterhegg2005.hamburg.ccc.de" - ]; - - services.nginx.virtualHosts = { - "acme-eh05.easterhegg.eu" = { - enableACME = true; - serverName = "eh05.easterhegg.eu"; - serverAliases = [ - "eh2005.hamburg.ccc.de" - "www.eh2005.hamburg.ccc.de" - "easterhegg2005.hamburg.ccc.de" - "www.easterhegg2005.hamburg.ccc.de" - ]; - listen = [{ - addr = "0.0.0.0"; - port = 31820; - }]; - }; - - "easterhegg2005.hamburg.ccc.de" = { - forceSSL = true; - useACMEHost = "eh05.easterhegg.eu"; - serverAliases = [ - "eh2005.hamburg.ccc.de" - "www.eh2005.hamburg.ccc.de" - "www.easterhegg2005.hamburg.ccc.de" - ]; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - - locations."/".return = "302 https://eh05.easterhegg.eu"; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - - "eh05.easterhegg.eu" = { - forceSSL = true; - useACMEHost = "eh05.easterhegg.eu"; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - - locations."/" = { - index = "index.shtml"; - root = eh05; - extraConfig = '' - # Set default_type to html - default_type text/html; - # Enable SSI - ssi on; - ''; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - # Enable SSI - ssi on; - ''; - }; - }; -} diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix deleted file mode 100644 index ebfa712..0000000 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix +++ /dev/null @@ -1,106 +0,0 @@ -{ pkgs, ... }: - -let - eh07 = pkgs.fetchgit { - url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2007-website.git"; - rev = "0bb06fd2654814ddda28469a1bf9e50a9814dd9a"; - hash = "sha256-jMpDxgxbL3ipG3HLJo0ISTdWfYYrd2EfwpmoiWV0qCM="; - }; -in -{ - security.acme.certs."eh07.easterhegg.eu".extraDomainNames = [ - "eh2007.hamburg.ccc.de" - "www.eh2007.hamburg.ccc.de" - "eh07.hamburg.ccc.de" - "www.eh07.hamburg.ccc.de" - "easterhegg2007.hamburg.ccc.de" - "www.easterhegg2007.hamburg.ccc.de" - ]; - - services.nginx.virtualHosts = { - "acme-eh07.easterhegg.eu" = { - enableACME = true; - serverName = "eh07.easterhegg.eu"; - serverAliases = [ - "eh2007.hamburg.ccc.de" - "www.eh2007.hamburg.ccc.de" - "eh07.hamburg.ccc.de" - "www.eh07.hamburg.ccc.de" - "easterhegg2007.hamburg.ccc.de" - "www.easterhegg2007.hamburg.ccc.de" - ]; - listen = [{ - addr = "0.0.0.0"; - port = 31820; - }]; - }; - - "easterhegg2007.hamburg.ccc.de" = { - forceSSL = true; - useACMEHost = "eh07.easterhegg.eu"; - serverAliases = [ - "eh2007.hamburg.ccc.de" - "www.eh2007.hamburg.ccc.de" - "eh07.hamburg.ccc.de" - "www.eh07.hamburg.ccc.de" - "www.easterhegg2007.hamburg.ccc.de" - ]; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - - locations."/".return = "302 https://eh07.easterhegg.eu"; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - - "eh07.easterhegg.eu" = { - forceSSL = true; - useACMEHost = "eh07.easterhegg.eu"; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - - locations."/" = { - index = "index.shtml"; - root = eh07; - extraConfig = '' - # Set default_type to html - default_type text/html; - # Enable SSI - ssi on; - ''; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - # Enable SSI - ssi on; - ''; - }; - }; -} diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix deleted file mode 100644 index ea274af..0000000 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix +++ /dev/null @@ -1,105 +0,0 @@ -{ pkgs, ... }: - -let - eh09 = pkgs.fetchgit { - url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2009-website.git"; - rev = "6d4a50c5ab23870072f0b33dd0171b0c56d6cab5"; - hash = "sha256-kPJOrKseJD/scRxhYFa249DT1cYmeCjnK50Bt0IJZK8="; - }; -in -{ - security.acme.certs."eh09.easterhegg.eu".extraDomainNames = [ - "eh2009.hamburg.ccc.de" - "www.eh2009.hamburg.ccc.de" - "eh09.hamburg.ccc.de" - "www.eh09.hamburg.ccc.de" - "easterhegg2009.hamburg.ccc.de" - "www.easterhegg2009.hamburg.ccc.de" - ]; - - services.nginx.virtualHosts = { - "acme-eh09.easterhegg.eu" = { - enableACME = true; - serverName = "eh09.easterhegg.eu"; - serverAliases = [ - "eh2009.hamburg.ccc.de" - "www.eh2009.hamburg.ccc.de" - "eh09.hamburg.ccc.de" - "www.eh09.hamburg.ccc.de" - "easterhegg2009.hamburg.ccc.de" - "www.easterhegg2009.hamburg.ccc.de" - ]; - listen = [{ - addr = "0.0.0.0"; - port = 31820; - }]; - }; - - "easterhegg2009.hamburg.ccc.de" = { - forceSSL = true; - useACMEHost = "eh09.easterhegg.eu"; - serverAliases = [ - "eh2009.hamburg.ccc.de" - "www.eh2009.hamburg.ccc.de" - "eh09.hamburg.ccc.de" - "www.eh09.hamburg.ccc.de" - "www.easterhegg2009.hamburg.ccc.de" - ]; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - - locations."/".return = "302 https://eh09.easterhegg.eu"; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - - "eh09.easterhegg.eu" = { - forceSSL = true; - useACMEHost = "eh09.easterhegg.eu"; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - - locations."/" = { - index = "index.shtml"; - root = eh09; - extraConfig = '' - # Set default_type to html - default_type text/html; - # Enable SSI - ssi on; - ''; - }; - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - # Enable SSI - ssi on; - ''; - }; - }; -} diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix deleted file mode 100644 index 39d7fad..0000000 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix +++ /dev/null @@ -1,106 +0,0 @@ -{ pkgs, ... }: - -let - eh11 = pkgs.fetchgit { - url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2011-website.git"; - rev = "c20540af71d4a0bd1fa12f49962b92d04293415b"; - hash = "sha256-9hhtfU8fp2HOThcyQ4R7kuGQBjZktqMtiiYQhOas2QA="; - }; -in -{ - security.acme.certs."eh11.easterhegg.eu".extraDomainNames = [ - "eh2011.hamburg.ccc.de" - "www.eh2011.hamburg.ccc.de" - "eh11.hamburg.ccc.de" - "www.eh11.hamburg.ccc.de" - "easterhegg2011.hamburg.ccc.de" - "www.easterhegg2011.hamburg.ccc.de" - ]; - - services.nginx.virtualHosts = { - "acme-eh11.easterhegg.eu" = { - enableACME = true; - serverName = "eh11.easterhegg.eu"; - serverAliases = [ - "eh2011.hamburg.ccc.de" - "www.eh2011.hamburg.ccc.de" - "eh11.hamburg.ccc.de" - "www.eh11.hamburg.ccc.de" - "easterhegg2011.hamburg.ccc.de" - "www.easterhegg2011.hamburg.ccc.de" - ]; - listen = [{ - addr = "0.0.0.0"; - port = 31820; - }]; - }; - - "easterhegg2011.hamburg.ccc.de" = { - forceSSL = true; - useACMEHost = "eh11.easterhegg.eu"; - serverAliases = [ - "eh2011.hamburg.ccc.de" - "www.eh2011.hamburg.ccc.de" - "eh11.hamburg.ccc.de" - "www.eh11.hamburg.ccc.de" - "www.easterhegg2011.hamburg.ccc.de" - ]; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - - locations."/".return = "302 https://eh11.easterhegg.eu"; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - - "eh11.easterhegg.eu" = { - forceSSL = true; - useACMEHost = "eh11.easterhegg.eu"; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - - locations."/" = { - index = "index.shtml"; - root = eh11; - extraConfig = '' - # Set default_type to html - default_type text/html; - # Enable SSI - ssi on; - ''; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - # Enable SSI - ssi on; - ''; - }; - }; -} diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix deleted file mode 100644 index afc93c1..0000000 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix +++ /dev/null @@ -1,91 +0,0 @@ -{ pkgs, ... }: - -let - eh20 = pkgs.fetchgit { - url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-eh20-website.git"; - rev = "026932ef2f1fb85c99269e0fb547589a25d3687c"; - hash = "sha256-YYxHhPYIioJgyHXNieoX6ibasHcNw/AFk+qCNSOxke4="; - }; -in -{ - security.acme.certs."eh20.easterhegg.eu".extraDomainNames = [ - "www.eh20.easterhegg.eu" - "eh20.hamburg.ccc.de" - ]; - - services.nginx.virtualHosts = { - "acme-eh20.easterhegg.eu" = { - enableACME = true; - serverName = "eh20.easterhegg.eu"; - serverAliases = [ - "www.eh20.easterhegg.eu" - "eh20.hamburg.ccc.de" - ]; - listen = [{ - addr = "0.0.0.0"; - port = 31820; - }]; - }; - - "www.eh20.easterhegg.eu" = { - forceSSL = true; - useACMEHost = "eh20.easterhegg.eu"; - serverAliases = [ - "eh20.hamburg.ccc.de" - ]; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - - locations."/".return = "302 https://eh20.easterhegg.eu"; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - - "eh20.easterhegg.eu" = { - forceSSL = true; - useACMEHost = "eh20.easterhegg.eu"; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; - - locations."/" = { - index = "start.html"; - root = "${eh20}/wiki_siteexport"; - }; - - # redirect doku.php?id=$pagename to /$pagename.html - locations."/doku.php" = { - return = "301 $scheme://$host/$arg_id.html"; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - }; -} diff --git a/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/next.hamburg.ccc.de.nix similarity index 68% rename from config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix rename to config/hosts/public-web-static/virtualHosts/next.hamburg.ccc.de.nix index f7e0752..a0dff81 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/next.hamburg.ccc.de.nix @@ -2,9 +2,9 @@ { services.nginx.virtualHosts = { - "acme-staging.hamburg.ccc.de" = { + "acme-next.hamburg.ccc.de" = { enableACME = true; - serverName = "staging.hamburg.ccc.de"; + serverName = "next.hamburg.ccc.de"; listen = [ { @@ -14,9 +14,9 @@ ]; }; - "staging.hamburg.ccc.de" = { + "next.hamburg.ccc.de" = { forceSSL = true; - useACMEHost = "staging.hamburg.ccc.de"; + useACMEHost = "next.hamburg.ccc.de"; listen = [ { @@ -27,13 +27,7 @@ } ]; - root = "/var/www/staging.hamburg.ccc.de/"; - - # Disallow *, since this is staging and doesn't need to be in any search - # results. - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: *\\n\""; - }; + root = "/var/www/next.hamburg.ccc.de/"; extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and @@ -44,8 +38,6 @@ # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; - - port_in_redirect off; ''; }; }; @@ -54,7 +46,7 @@ isNormalUser = true; group = "ccchh-website-deploy"; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb ccchh website deployment key" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb next.hamburg.ccc.de deployment key" ]; }; users.groups.ccchh-website-deploy = { }; diff --git a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix deleted file mode 100644 index c91d283..0000000 --- a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix +++ /dev/null @@ -1,60 +0,0 @@ -{ pkgs, ... }: - -let - domain = "staging.c3cat.de"; - dataDir = "/var/www/${domain}"; - deployUser = "c3cat-website-deploy"; -in { - services.nginx.virtualHosts = { - "acme-${domain}" = { - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "${domain}" = { - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - root = "${dataDir}"; - - # Disallow *, since this is staging and doesn't need to be in any search - # results. - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: *\\n\""; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - }; - - systemd.tmpfiles.rules = [ - "d ${dataDir} 0755 ${deployUser} ${deployUser}" - ]; - - # c3cat deploy user already defined in c3cat.de.nix. -} diff --git a/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix b/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix deleted file mode 100644 index 6733dad..0000000 --- a/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix +++ /dev/null @@ -1,94 +0,0 @@ -{ ... }: - -let - domain = "staging.cryptoparty-hamburg.de"; - dataDir = "/var/www/${domain}"; - deployUser = "cryptoparty-website-deploy"; -in -{ - security.acme.certs."${domain}".extraDomainNames = [ - "staging.cryptoparty.hamburg.ccc.de" - ]; - - services.nginx.virtualHosts = { - "acme-${domain}" = { - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "staging.cryptoparty.hamburg.ccc.de" = { - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - locations."/".return = "302 https://${domain}$request_uri"; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - - "${domain}" = { - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - root = "${dataDir}"; - - # Disallow *, since this is staging and doesn't need to be in any search - # results. - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: *\\n\""; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - - port_in_redirect off; - ''; - }; - }; - - systemd.tmpfiles.rules = [ - "d ${dataDir} 0755 ${deployUser} ${deployUser}" - ]; - - # Cryptoparty website deploy user already defined in cryptoparty-hamburg.de.nix. -} diff --git a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix deleted file mode 100644 index 14ede9b..0000000 --- a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix +++ /dev/null @@ -1,61 +0,0 @@ -{ pkgs, ... }: - -let - domain = "staging.hacker.tours"; - dataDir = "/var/www/${domain}"; - deployUser = "hackertours-website-deploy"; -in -{ - services.nginx.virtualHosts = { - "acme-${domain}" = { - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "${domain}" = { - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - root = "${dataDir}"; - - # Disallow *, since this is staging and doesn't need to be in any search - # results. - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: *\\n\""; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - }; - - systemd.tmpfiles.rules = [ - "d ${dataDir} 0755 ${deployUser} ${deployUser}" - ]; - - # Hackertours deploy user already defined in hacker.tours.nix. -} diff --git a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix deleted file mode 100644 index 79ca38c..0000000 --- a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix +++ /dev/null @@ -1,63 +0,0 @@ -{ pkgs, ... }: - -let - domain = "staging.hackertours.hamburg.ccc.de"; - dataDir = "/var/www/${domain}"; - deployUser = "ht-ccchh-website-deploy"; -in -{ - services.nginx.virtualHosts = { - "acme-${domain}" = { - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "${domain}" = { - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - root = "${dataDir}"; - - # Disallow *, since this is staging and doesn't need to be in any search - # results. - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: *\\n\""; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - - error_page 404 /404.html; - ''; - }; - }; - - systemd.tmpfiles.rules = [ - "d ${dataDir} 0755 ${deployUser} ${deployUser}" - ]; - - # Hackertours CCCHH deploy user already defined in hackertours.hamburg.ccc.de.nix. -} diff --git a/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix deleted file mode 100644 index a29fbd2..0000000 --- a/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix +++ /dev/null @@ -1,46 +0,0 @@ -{ pkgs, ... }: - -{ - services.nginx.virtualHosts = { - "acme-www.hamburg.ccc.de" = { - enableACME = true; - serverName = "www.hamburg.ccc.de"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "www.hamburg.ccc.de" = { - forceSSL = true; - useACMEHost = "www.hamburg.ccc.de"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - locations."/" = { - return = "302 https://hamburg.ccc.de$request_uri"; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - }; -} diff --git a/config/hosts/status/configuration.nix b/config/hosts/status/configuration.nix deleted file mode 100644 index c36dc63..0000000 --- a/config/hosts/status/configuration.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: - -{ - networking = { - hostName = "status"; - domain = "z9.ccchh.net"; - }; - - system.stateVersion = "24.05"; -} diff --git a/config/hosts/status/default.nix b/config/hosts/status/default.nix deleted file mode 100644 index d8644c5..0000000 --- a/config/hosts/status/default.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: - -{ - imports = [ - ./configuration.nix - ./networking.nix - ./nginx.nix - ./uptime-kuma.nix - ]; -} diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix deleted file mode 100644 index 0bff4b5..0000000 --- a/config/hosts/status/networking.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "10.31.206.15"; - prefixLength = 23; - } - ]; - ipv6.addresses = [ - { - address = "2a07:c481:1:ce::a"; - prefixLength = 64; - } - ]; - }; - defaultGateway = "10.31.206.1"; - defaultGateway6 = "2a07:c481:1:ce::1"; - nameservers = [ "10.31.206.1" "2a07:c481:1:ce::1" ]; - search = [ "z9.ccchh.net" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:79:D3:E1"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/status/nginx.nix b/config/hosts/status/nginx.nix deleted file mode 100644 index 8eff61c..0000000 --- a/config/hosts/status/nginx.nix +++ /dev/null @@ -1,149 +0,0 @@ -# Sources for this configuration: -# - https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy - -{ config, ... }: - -{ - services.nginx = { - enable = true; - - virtualHosts = { - "status.hamburg.ccc.de" = { - forceSSL = true; - enableACME = true; - serverName = "status.hamburg.ccc.de"; - - listen = [ - { - addr = "[::]"; - port = 80; - } - { - addr = "[::]"; - port = 443; - ssl = true; - } - ]; - - locations."/" = { - proxyPass = "http://localhost:3001"; - proxyWebsockets = true; - }; - }; - "status-proxyprotocol.hamburg.ccc.de" = { - forceSSL = true; - useACMEHost = "status.hamburg.ccc.de"; - serverName = "status.hamburg.ccc.de"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - locations."/" = { - proxyPass = "http://localhost:3001"; - proxyWebsockets = true; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 10.31.206.11; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - "status.ccchh.net" = { - forceSSL = true; - useACMEHost = "status.hamburg.ccc.de"; - serverName = "status.ccchh.net"; - - listen = [ - { - addr = "[::]"; - port = 80; - } - { - addr = "[::]"; - port = 443; - ssl = true; - } - ]; - - globalRedirect = "status.hamburg.ccc.de"; - redirectCode = 307; - }; - "status-proxyprotocol.ccchh.net" = { - forceSSL = true; - useACMEHost = "status.hamburg.ccc.de"; - serverName = "status.ccchh.net"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - globalRedirect = "status.hamburg.ccc.de"; - redirectCode = 307; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 10.31.206.11; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - "status.z9.ccchh.net" = { - forceSSL = true; - useACMEHost = "status.hamburg.ccc.de"; - serverName = "status.z9.ccchh.net"; - - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "[::]"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - { - addr = "[::]"; - port = 443; - ssl = true; - } - ]; - - globalRedirect = "status.hamburg.ccc.de"; - redirectCode = 307; - }; - }; - }; - - security.acme.certs."status.hamburg.ccc.de".extraDomainNames = [ - "status.ccchh.net" - "status.z9.ccchh.net" - ]; - - networking.firewall.allowedTCPPorts = [ 80 443 8443 ]; -} diff --git a/config/hosts/status/uptime-kuma.nix b/config/hosts/status/uptime-kuma.nix deleted file mode 100644 index 02411f2..0000000 --- a/config/hosts/status/uptime-kuma.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - services.uptime-kuma = { - enable = true; - }; -} diff --git a/config/hosts/woodpecker/configuration.nix b/config/hosts/woodpecker/configuration.nix deleted file mode 100644 index 45e228e..0000000 --- a/config/hosts/woodpecker/configuration.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, pkgs, ... }: - -{ - networking.hostName = "woodpecker"; - - system.stateVersion = "24.05"; -} diff --git a/config/hosts/woodpecker/default.nix b/config/hosts/woodpecker/default.nix deleted file mode 100644 index 1db0c8c..0000000 --- a/config/hosts/woodpecker/default.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ./woodpecker-agent - ./woodpecker-server - ./configuration.nix - ./networking.nix - ./sops.nix - ]; -} diff --git a/config/hosts/woodpecker/networking.nix b/config/hosts/woodpecker/networking.nix deleted file mode 100644 index 3301812..0000000 --- a/config/hosts/woodpecker/networking.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.160"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:5F:A9:B7"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/woodpecker/secrets.yaml b/config/hosts/woodpecker/secrets.yaml deleted file mode 100644 index 091ca2e..0000000 --- a/config/hosts/woodpecker/secrets.yaml +++ /dev/null @@ -1,234 +0,0 @@ -woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str] -woodpecker_agent_environment_file: ENC[AES256_GCM,data:rwp6TYYFJ/IZH+3pGhPxjdZMLoyPMr/W1RXm4IkUGn+SmIjHZcdFZ8nEhvOfnkfrXNPc2MR+X6NXUmVOcBjSCbcBjh9sC653UpKimt9I3/Ec,iv:X9JH7dmTayw8BaEsXYil3PrykCdd+/ANGHVfEyRvc7A=,tag:/ErkX1WnruanNgTTBUT6LA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQlN5NmlaUjR5dGJ3Y3BP - bW4rWm1KaVFsbytwZDQ1QjV1d1VEOEZlSTJ3Cmgxc1BmMnBmWjRyNmNDWmpWcnJt - Q3lBZUFOY3FtREFUYmhJNCtKcTUxY0kKLS0tIHhKbVVBYjN4WHRzdERNbkRQeHlS - UExiNFNCdkQ4YTNMdEdoWTdxOFZOZVEKZZbNpbyH31z5tyXeINqoNyqy8zvS3mp0 - YFq6P8kO8CaqUG7KH6yWV0Vq4DryQ9vMcQBnboZOfPf9pZUvhacE/Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-22T15:55:25Z" - mac: ENC[AES256_GCM,data:UmDbmxSRj8YfCkKEelQNMJ8mzbu5aQdB9yOr9JfUh5TB9r5Z5ttZ1wgJDJqHNtsII3JGXUvbgHbsmbPikkrj4Ege1rrgr4UttN1rtgeaAKlZIlqb9pOnV4//GJL8jbxCgFp2h2O80G05nAXG54DaY//4Y5hfTyPzgyDlGQ6jlhg=,iv:5e8lpFfGAJh8lTFcY4MlZG7PgnzM0UycsU0tB2KN+zQ=,tag:4xUEHg04wjDbhc9MOItzuQ==,type:str] - pgp: - - created_at: "2024-06-21T22:42:59Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtAQ//QR84p3zGjW2CtPcPxlmdYui5nx8FV3MHog4R24s4RKNK - y4n9993z8m3y2at4yIWDi4LBKrhm/6mSLBHfoxnuiptoaSXSWXfaXebXkYiinkyP - GMvwegN6KkRZh4stJMD7W0g7w/trkNEAvPDoInqCnvT4NomrKIV+ZrZuCBLd1tXn - JRd2tsH8yYzoZr/PJBBDTZtke/nbosb6drjgG6ow/eHyF++HxKNTWfjCiWn4AWSb - c/E1VWsigYdBs8XSTbBkfSLr/b5FcXYb8tyy4gpGe9zOrxc7cW5diK5+x4bM8FHz - 85ShPA5S3PXXEnuifuk/ZK8+CEYWUS3MXUhuEFUo7F3Pt/Eb+5CtfTX6kvMe1xe9 - iqFAsRce/qm9Evns4ygZ4+LoI2ro2HFwgQ2fu1gi7PyZsDyW5eRL5P+vfxPUOxYY - z9cXXo+U1NEzWMDEBWt4mgoW9URye6O3k+WLQmYbQIhDkftUYmvRrPYQvP282m4k - NMucRIRUMkx7rpRQQP8yU6AlgZ1LsOmruV4XJYVxsTpSZq7YgTQP4kd3wMgBhwOV - j3hGc9gI9Sq06SdyU0C8PuUHt+mZGkVnYIOTw6BXHgY1tK8X5XnWK4NJXL9bR0pY - kfzDWLjD0hiiM3QYqieTbnDUiVTDGyf7Cop+EifYvy7um+CPjlYLLkDkEsWcy/HU - aAEJAhDEzP5eiU1e01GSNbWL49ghD7DqZiYdo0F/BGMk6jQloM1HUDnkhgBhVSZo - TjNPV3UFBxeRnT5DvouD6uJ8SDs42ARdb4F80vJVHknt0yBvGWfCQsXqKwuRDd1j - zkj4zG7btJRv - =sgSP - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2024-06-21T22:42:59Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2AQ//V6IIW3Hr3xuQWOWitDGn1bo+x95jePPpXNayKGJuaSMf - 00gaOyMpqP5hRd3lEQRyqHgPtmszlGrxq2y77CxnnZMbE6n+axwQQLoMzROBGyGF - iqe6hNbNFZPjWv5BTAl3iOHWrw3x/TpgcNmSBDfctU+CZlMWzCMuXJw1bK57wQd4 - B6xcoBxidK55Ubc7GQ8mlAEuZ89fYorTRBfv2rBgUh8ZAAsUmn1jEz7HsQMMd2a8 - 5V4TzicdzXO2cZ+0DqU8Xqt5U9C0IjGgZRPzDYkh7slkbyYomAIfCq+zN5ieecz9 - Mp8vvuMYfT66P+heNRZ7w/sgmGlarcmNKlOcXlakVYm5qVddPMx6M5Ovl4O5sABz - V4O4NRehYx0XFbjzXr59LCzpusS9xQoh49288dLTFudOInHUYq6ss0TbGfFJMDYU - mjHokzdG3ds8C9/lMR82X9rbyZDchUytHUwX4eGxUDMmhydFpgJko0bbozPbE2ll - NTlWegCc1yrkSGn6U9EYKtibitJnIMdas5HapcErMH2vYILsJOl9ifG1GIsuWe1+ - ipPyZy7jqP7p18WCcDnUhgaGdQ67UjSLqX2zz0SZDcfI46SUeyeSelFVpTlmKriS - 4bW6hC1FSe+bLkPZ0y5aRLgL5ipK6jdlZepAj/DNXdKAtchLHcddF3rKdBdzsxrS - XgFvvZPgj1JleYr+q/+ju4k1d4cE0HnQZIBnkAfKXZHwSPCw1d9vbeLipuRTJrEH - 2CpOjtiXl3S2ZcCS1ama9lgAqPBOOoH7jgHvoCzqfkBsi3/QlIpQs+C8ro4hXE8= - =KZWk - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2024-06-21T22:42:59Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJARAA5+vcORn/YX2bHcAno9KCUGTzeiCP/DOoSePMdsCAmABj - P8XoYJOyZoZgW3qgvtKZ4pLGB26FuJXC2y6Z3yyQ4Xj2PeBj1og9xM8p7GnF6T6n - 7wqALwJOamyer3A+OXx2Gc8kZ0ObqgBbbn5QTPnHzsRljC3Irgk+ZZE8ZRshoPmu - 6TEuMW0NT5INmijtPAxer/eaAor3KKxMTf+sqqr/VGNopAyFUCGZynlnjcei6X+T - tVKh6zqr/eaTlnhoP2kr4u+wKcHvLV8an8sfsyIGL90O11LNcX8Sf4EyPDYSXOe7 - AXTFcvfw9+ALu3cbTVPN0aI2e8fCir2S00F8x28Ffc2xDSrXjWEDCXLuRNVXz5KA - Mjq4afyQN6mtVZ6ZmtvaLQoG8D2f2sGzvrsBjaXwxPLHKPpUFZVBiiP0C08yokUR - 7FrYaOjnvQVALLxGJMAhMf02g2dYDFxMw18cY2a+bLrYUVd9EMbuFwCJNzmU0of7 - EpSvXrA0wTKddk+vL3JoJgIrOxz2IQbaC24NiCUzbyakhT+qDX/oXXILxL2x0GfR - RaTL1inkTQO//ooAjlPeMA3OIDQo5CdoV4VlvSUgagYfDvMfDCAO04Xxvezh1uvz - //4Jz13+LFoUgbtVUYiT4oqWyfTKOV0D8ILYWKZJtjJt4TeYpEfbQFEzIYyF3OHS - XgE7aGyB0ArPBovSr55eQGmW+FaeG1VtH7TRLU367FyQmGep5O2SUxQXqFFiWyDy - bseIYdRqNsmlgdXBnADdkVCFJtF4C/VA2DOk+wOO8XtQoMQ8zrIl+0Viq1s66OY= - =xc00 - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2024-06-21T22:42:59Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1AQ//abtgoFEWd+zbeSbiwey8nCNQUSklHV9kbLuBK8+ipX/Q - qjweWnnPVN6ODhgfXm93k1tSqeJjYqjqfxVsAEUiXC61UhvS6JBZuVUt4nRUWHk2 - cdu3eKlBx7Nhm6th1gZ+Wf7PcryT5fmJQP5a8VEM/nUuRjnAmG7RuSiWbNzBbTDx - 4jh4GTvlFkupxZvLsXYf2T+7qn0eHymdQI8+5WSHQH6kApBvINYoq1m55it5ilEp - M0tYNFMzi10OjKVbNRQXuKhROzzYGtW8qWGtc33WBB5rvkRVelSDmleTbRywWjE0 - rNo7vj97SbmGdCHydzcEwPIBOd11ZgFWpamX/36ALeKCxgHgc3HsnjIkDsEffpoN - SFHAhyYqXTDRqq5/HuBQBDBJLVVcIbqlJo3us47gI3rhojjSayzTBd5TnGOZt5N0 - rFOqoZ1i3vf3C5sjKivTzCJ/P3yFgD271hQjv49jSqXgSF8ZIvzaDr0xLiy+XnZ+ - EsUyqxZBKWy246BtyZ4qBvRjVKbezpxQFh6MzxccY+toUaG2v2I5muvFJRHe7qEA - fT6XDl7W6aQ/RBL/Ij9OWYvCMWS27mzkLQi0uBH5gyA1t6Bg9O6+CjGpK6Mmd8fx - 1Q2Ml5ClzLnEq94FX3f2hpqLdSlwREPoBYULeJNr+WhayDvfRjuh5+MvN+wjbs/S - XgGYwgGCrFmzXN1mWElNGc3+3sMEpiuvJp6Z1nRfr17YvIPUrtCU7zVHWR1lWFKU - gjJacBX/Qw9Kly+5jADM0UorWkZxaby+q+j8rN43nPatjDlDRI+BrNta0l0ulOA= - =2cbn - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2024-06-21T22:42:59Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4HMJd/cQYrVARAAu8l79uJlVLz++foLhk83zrPSZsX+1TQduJl06Kx2VrJ+ - dZX/0okzpHmHeZGhGH+e1Gv7MpyM4UxAGwE03NIk32p43LF/biad0zc4TB8yr9r6 - N3Sr/ZbaB0oYC/K4r1Sj8W1XWmuYZB8lc1dyfwhf96KIXGutvG22O5XI0pOA9yHL - x4AWt8OHYsaWCt941M6pbFtBsJEl/TaKgYF7YNITvsfj/oG7cPESKLOkcJdmhN1r - ADpJRcs6rVvMLWxUBjZICqZvDlwnXK5gCu30MmLs/oQbFmHjBRB01Ird+Mb5e6l4 - vrYC+zO3RG3dZ+VXJD0rBn+56nDMtiKISJCy4I4Vz/ekwx94cIci+BlD9/3YYix7 - HVgR6flBgInZEvaBxyj2e0G5i2gKvYTfea5+6bwPpszLUaYba/YLQQ2mSXcwWPsV - ipuNSjJ8swK2OpOFTfzs7Ua1OZChCOhhduxiKCwASYrbncfexObsQfeobj3wrwXH - N4M+h5ghm+y7UFKDW+gfN79WGfltWiMdy9vZNwwEYF0NE8jkwPfIt2dLvyU73MFU - NivYWp6kUj+gbLkb3gLClAi4CyYqNQyBjbKEbt+470UIMZ44WWMEJy7bMwAVzLBk - VxBHphqSuP04pgb5a+PHPApCZC6KEntnW1zX+DKrCn3/+NhoD6COhCvetWxq4f7S - XgFop4XZPWYJb6ypqkFLbkHIg7tCbr/xae4HABncVj0BaS1Z7TBdMiGi8SQvHti5 - 70rNGZIpQe/59DmBrLT06VdQRY5rt20bDoN+DaUrE2tc0k5h+uwI71TG4//Db2A= - =m4ec - -----END PGP MESSAGE----- - fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C - - created_at: "2024-06-21T22:42:59Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fAQ//Tz2g90bOkkY942MaLO5/k8MFMf4QEDMZAiw9tVZ39Rqf - udMTcGyOX6zLzr+xxNX3gwn8X+bl0yw4Tg/FiyOzl9RjMZDxvzUaj1gYZI9kKPne - aEmAYcP2mv+ITUDnApZonDZE5hUnLGAyfEZMU6ExF9XkU94dXFdU4nd+gF5XHzou - STiNryBYaxWP1WMkW4SlZqdJiCfrkI0Z7iTF86QtXN5S8qLSIyjP3hIv5QxJg5Xo - NwK5IXQhV/0ZHp1Wl8Xys2iUw3iuwPga7sBrMHdJ0PHVBg3Wg/bG7YtrfEAfUbcr - UHt9rNGFZluuqNctvcvkSUjv5DISCgl8lSSbzC8DK/vT9o0DQYWvySNpVwXO3tqs - 9aCxKc8trCXrd9qePnO259Ni0ALRjyh/GHZipzhZo/mgyUWc5nAdTLM49MsmAKHc - PnBBSntXnVHfFoFvgyBAmyISVuH/L5j8mezQ/37AevcTfuWemjDRGWIiIJZ73CyF - tG6ida5En9QouMO18gKBBzfR/2s6tt60bEp4bE3j2rRgEhwblBfl1NtGSw2WGVVZ - bU8KormLDT8aurMIp/Rd1pzAxDpEhDa13TV1IfRECOQvY35aBC59upt+XLwJ83ch - Zgi5cRGtSoj1G9OziQGCtJjGqkZoFy7Htou6AyFUEln+2Px0EKGJC3yCUcOF0orS - XgEtK2wEJNnJ84LctjrRM4ZSeb/8nycfWiR9riJi1lq6J+WSeiGME3cvhgObDTtG - EwuAjG6vhwUdr3aovsENQhvHnQWID844CeBtB9jMHbFJy41vbt0rC0JJG/6RoRg= - =5Ijl - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2024-06-21T22:42:59Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoAQ//dwisvTFgYUCFICbaNZ+8jttF4lTQ2fjdP6UHb0evav84 - PUYpqUfmMF1BUvxDx0rwzzP1OaSKuesxAG46i1Nha1Tq/LOURtzZtXPW4+xSHWge - ifbcbGTBkACviKkRuVUqaQBAbzDnFIHtcQy7nbILmzM0aRwm1IC1WzKpPRBgzAy0 - o/UE4geZjPuNqkix4mcLz8sXvKMz11FE3QpZ44JqiRhmAITTDVo2ymhbvA6R2C1w - AL0tjJwKRb0qfoBegyPbuUW399l3CCtEE7voW8AxZ3Y6EGO8DQ1i/MkR81zymFep - PUDVYDmhqmh38Z79v5iKqnruzS+rOaitzMRqsUfOJfa4UoFkjO6tYdi5cOY8T4cD - w0rgCpvWriaGKGHDuRIdu031GFyf26+SvOWEbiOhMv+h18Hj5P7uT+Is+VuEhHEo - i7EYTqzsRwyIfybNkb0mBVluvXb4CpZRdRq5AzC49qu4IezvKoAT99KG1yf7XJvI - Ijc/ZITFqCBxE7REA4JBDuivPHfML4CgxG+5PiBJ3JDdaP+xRuoVQQv5E55Y4YwF - NM+NTNcvsTv2vKXJ8mmWLBn9xMxN32gmDyy7jW0elW46AQidIL6C+W2Zhxn6GNvc - 2faDhNQ3yV0A9mIsgQjdWeQemqhsiVU6Sg4Mmattm/b6plGCM1DIcJgMV2RRAobS - XgGt7zD15Ju4S+fQqL7MVGGD3y5v0C5eLx78MScygpNQKS0vfTfTE2+wRCzCjZAG - /6HU85E6ru1VeXc0TwQBrpX3Wi2ga/momalsCGoh3oHBd+jRqzwpRxojKLy65qU= - =g4RA - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2024-06-21T22:42:59Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqARAAmTOXbn+qa0wgjSvK3juGqVemxKvaD2zFG57ivYdC1Jdn - PIVi5aBCvZ8KY/0W9k83LVcGUY1f8eRkCU8ohJU+rmRbiTvT0qo1hfLzxrqaNbke - gN+YsYW8bgXioF6nHVWI158GvqNfmvRl4WyJzBQ41cAyMpdGXiIzUoCba3Y6f+1N - muljMhgvEtWUddf4zheZX89xV+aLa9Mga6aQbwRcL451UcKxmE2nk4+00rMn7R7R - vmsC677/RrKkI7RxubzCVFFlzaH+ZZ1Ott6ozKUWs2vCcB6vTzwwvmrJwmr760lC - pozfNp/+WzLZOkA3rO2qAvIUc1DxYA6CgukrAAObCbvmcgMeLtVR29wwWs01qxI+ - cTxmH+btbiM0PL8+/sW2KlC19hfMmeryiJXxbUN30a3fMDJz1wVor54DsaqG9kIJ - zIxGsQ6t8fzfaVfeQwoxODnTWqUClWCY4is251O4Gxw3C0oPWZvzoPvxljaPrYYY - SE3dcktWmGoOxLj56lLfceKq0qAtYmJD4Q5k2GDYYU+8dwp95UTf0lbRwauMBROT - OMe4r/emH4Z1LiG2/HLoM4QuV5VVQGSAqoE3c42YjjS9uh/aOtmeNNLehwS93F5E - J/bXNY6VnHcALRGMZF60g5OxM3QUioNkGqcCWGjSaRPcKhwaXvvIaTCdz8apnBHS - XgHeuszpU9/O1nCsNPF2vQUjcNxz+KsL39RwHCVJBVJskxd4HcJQUM7uArV1Fjbk - fl4nQuueBrZ4tXzimRK2QOjgy8F2n/Kxpjlr4rXn+Pi9jyhx0Jq4Blu3wrR4LAg= - =4Xvm - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2024-06-21T22:42:59Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4EEKdYEzV0pAQ//fo1yfBspyD2O84d8UCHWoUJTNYql2p26H/vC2BsVzAmL - 6nylQACeslISLlXbrW+ILPOFZ5x21THOFcJdvCGAQAkY+jC7Ry3D2gwsZi/RLFpP - wbEgbzk9hcimmvuHW/NJtrqvXiTJy7GH7el5Zwqe6rtUkTW5IUtaOmZjn2fQBVoq - 9mMT86vOYlqgIISG1o5x4pciRd+fb3JPiPeJiLcyUBEXYqg2THlyYwwp2paFomYf - a6Ls/pVT9ICSblFlnfILOexDpqhxcPH+V2nwlbSlOETq3ACcVIgufIRndTkGhDzi - HS3GlD5nIb/ep12Gj+qOgKZBsbUdNIAVojNY2qlK2yQJpE5B1aDjmkAZUkk/LqF3 - 76ZRBDzigU0jfYKh2iGDY3F8cWDsRqjqcTjVB9KF32+1SeUAO4NqDnDpMZgBh2i5 - rvDOJCJfTgo7DfPqWPyeFM58sow9EEglygASA/XTaDV+CmLzRlqxwlJwpbRrz3OV - Mp1gewfGASLPS4xh6gtROac9DAuokmN5VgNg2g+emN8lUNJ/7V7u30TvCEfGP0j0 - 1Sd6RrNn/ZDMJtOoE8gDua6njbOi9Zk/RN4Y4NKWcmiNZxz/Xi/8XU7F0yk0yEL1 - DUxYsCEHImib+lAESQ0fF4VMXx3DSXq2/Yt5z782ZvgNrGoGw3B9qVA5FyG5Bt3S - XgGgfz/6fGZ0DEtTv3B8Rhqbm6TvwPFgIg+3WuQRXxf3rjjoX1AN0jcuz8OIIfGk - o1GuRG0/sYg7P32ysgQMvS1F+rX2PR/myHsz4YMM10soG7OduHgXmiJ0eUq8EtM= - =WLCQ - -----END PGP MESSAGE----- - fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA - - created_at: "2024-06-21T22:42:59Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdAUMjy8rV2Zy5nmeMOBsANIUVyhAvVBUF1yunc+EgVeVQw - yd4hPHMnQSkasXmcMDS0y2gwixgTOeQbG5PaOr0FA7eGEItLlqwSxz3+GnuD/gEw - 0l4BFrUbimEX+/tfI8aymapMVYXFXWe4dUZw9foKN5HqkpPKhusozd9bqPPNKggZ - 09tvIJViKP/QufK0WyLYZGWrG+leogDX39GBtAU1SOllFqtq2G0X1qH+s88GVpaO - =hxWV - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2024-06-21T22:42:59Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAzdAjw8ldn6CAQ//SK6MVXhRsRxYV8jL9HrVTovc84kNFr24nbHHi5z6fuCA - 6ZjPr5Btx5Xxi716mEmdDBUSGfeJOOSt6hw4fCqj5ehnCeMLr9GvmJdZx9s2n88m - h4Fzd1XF67NMbSAYMPrXpk5dlxBNsgmsAWTaEet9gqGWWYsrZHWPvae7z+GaJJzz - h3dix5oVV3tM2OVP9hFhRtu9tv9a0sj5Eu6mz8UsDFwEPynlSDPKUQA0jFTXJnYo - yT8UTPSZAUlwnU88JPIhHKCmU8nqUIgDURVNgK4BsuoKSAZ27ueSHr/4IzBiavVD - 6V1b1Ttt8usKFp21OCqfNuoiIeEipUdLMFSTjSXqOp38QTaqoDaCsAPc6j3HCvlV - vMm1lbSKK+Llpk9WOmqvHQriL50lQGYpa2X/jS8FtlotKFm0uGJoJXZ5Ujc4Wmy9 - J79/cXLULGFCxdPsoxmd8wJFqz0eiVPHIBFB2Y8Tan+Mg44WeBuY8sAWGzYPp+kB - sEOIQ5I9N1Gt+58i1hDTRlqO4I8ihusqKeRemJa954rlzz8YTmZL+JAD5gsMtzuH - gMjnfBnNJKw3UmnHMMQm348CRB6SuF6rmjc7Xk1qsnie87HtYbM3dJYh7ixddr/a - kTHy66zDX4j3e/y2JdEPQw8/WhhdGnyj6eDioQLNFfvApI7doi5C+XDCR08YxJnS - XgG0kP/bfDBkwzzHkr3khuvdtmUEmsxGbR/3abyjLfvM+g3HM6Eqq0uDwuGgYinR - DYfWUZTas5uWrgxAWYbBCbhPcevu7CsyJFsBtG4ExTXPSsP2c79+LwtmJjbLQqo= - =9C2P - -----END PGP MESSAGE----- - fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/config/hosts/woodpecker/sops.nix b/config/hosts/woodpecker/sops.nix deleted file mode 100644 index b4548ed..0000000 --- a/config/hosts/woodpecker/sops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/woodpecker/woodpecker-agent/default.nix b/config/hosts/woodpecker/woodpecker-agent/default.nix deleted file mode 100644 index 279d2bb..0000000 --- a/config/hosts/woodpecker/woodpecker-agent/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ./docker.nix - ./woodpecker-agent.nix - ]; -} diff --git a/config/hosts/woodpecker/woodpecker-agent/docker.nix b/config/hosts/woodpecker/woodpecker-agent/docker.nix deleted file mode 100644 index af13f4c..0000000 --- a/config/hosts/woodpecker/woodpecker-agent/docker.nix +++ /dev/null @@ -1,12 +0,0 @@ -# Sources for this configuration: -# - https://woodpecker-ci.org/docs/administration/deployment/nixos -# - https://woodpecker-ci.org/docs/administration/backends/docker -# - https://nixos.wiki/wiki/Docker - -{ config, pkgs, ... }: - -{ - virtualisation.docker = { - enable = true; - }; -} diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix deleted file mode 100644 index 8c6847b..0000000 --- a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix +++ /dev/null @@ -1,29 +0,0 @@ -# Sources for this configuration: -# - https://woodpecker-ci.org/docs/administration/deployment/nixos -# - https://woodpecker-ci.org/docs/administration/agent-config -# - https://woodpecker-ci.org/docs/administration/backends/docker - -{ config, pkgs, ... }: - -{ - services.woodpecker-agents.agents."docker" = { - enable = true; - package = pkgs.woodpecker-agent; - extraGroups = [ "docker" ]; - environment = { - WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}"; - WOODPECKER_MAX_WORKFLOWS = "4"; - WOODPECKER_BACKEND = "docker"; - # Set via enviornmentFile: - # WOODPECKER_AGENT_SECRET - }; - environmentFile = [ "/run/secrets/woodpecker_agent_environment_file" ]; - }; - - sops.secrets."woodpecker_agent_environment_file" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "woodpecker-agent-docker.service" ]; - }; -} diff --git a/config/hosts/woodpecker/woodpecker-server/default.nix b/config/hosts/woodpecker/woodpecker-server/default.nix deleted file mode 100644 index a713746..0000000 --- a/config/hosts/woodpecker/woodpecker-server/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ./nginx.nix - ./postgresql.nix - ./woodpecker-server.nix - ]; -} diff --git a/config/hosts/woodpecker/woodpecker-server/postgresql.nix b/config/hosts/woodpecker/woodpecker-server/postgresql.nix deleted file mode 100644 index e715650..0000000 --- a/config/hosts/woodpecker/woodpecker-server/postgresql.nix +++ /dev/null @@ -1,18 +0,0 @@ -# Sources for this configuration: -# - https://github.com/NixOS/nixpkgs/blob/dce84c46d780b20c064d5dfb10d0686e0584a198/nixos/modules/services/web-apps/nextcloud.nix#L1069 - -{ config, pkgs, ... }: - -{ - services.postgresql = { - enable = true; - package = pkgs.postgresql_15; - ensureDatabases = [ "woodpecker-server" ]; - ensureUsers = [ - { - name = "woodpecker-server"; - ensureDBOwnership = true; - } - ]; - }; -} diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix deleted file mode 100644 index 1836b73..0000000 --- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix +++ /dev/null @@ -1,44 +0,0 @@ -# Sources for this configuration: -# - https://woodpecker-ci.org/docs/administration/deployment/nixos -# - https://woodpecker-ci.org/docs/administration/server-config -# - https://woodpecker-ci.org/docs/administration/database -# - https://woodpecker-ci.org/docs/administration/forges/forgejo -# - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING - -{ config, pkgs, ... }: - -{ - services.woodpecker-server = { - enable = true; - package = pkgs.woodpecker-server; - environment = { - WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de"; - WOODPECKER_SERVER_ADDR = ":8001"; - WOODPECKER_GRPC_ADDR = ":9000"; - WOODPECKER_ADMIN = "june"; - WOODPECKER_OPEN = "true"; - WOODPECKER_ORGS = "CCCHH"; - WOODPECKER_DATABASE_DRIVER = "postgres"; - WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql"; - WOODPECKER_FORGEJO = "true"; - WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de"; - WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB - # Set via enviornmentFile: - # WOODPECKER_FORGEJO_CLIENT - # WOODPECKER_FORGEJO_SECRET - }; - environmentFile = [ "/run/secrets/woodpecker_server_environment_file" ]; - }; - - systemd.services.woodpecker-server.serviceConfig = { - User = "woodpecker-server"; - Group = "woodpecker-server"; - }; - - sops.secrets."woodpecker_server_environment_file" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "woodpecker-server.service" ]; - }; -} diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix deleted file mode 100644 index 6b1fa99..0000000 --- a/config/hosts/yate/configuration.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: - -{ - networking = { - hostName = "yate"; - domain = "z9.ccchh.net"; - }; - - system.stateVersion = "23.11"; -} diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix deleted file mode 100644 index 66738e8..0000000 --- a/config/hosts/yate/default.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: - -{ - imports = [ - ./configuration.nix - ./networking.nix - ./yate.nix - ./sops.nix - ]; -} diff --git a/config/hosts/yate/networking.nix b/config/hosts/yate/networking.nix deleted file mode 100644 index a06a019..0000000 --- a/config/hosts/yate/networking.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "10.31.208.12"; - prefixLength = 23; - } - ]; - }; - defaultGateway = "10.31.208.1"; - nameservers = [ - "10.31.210.1" - ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:73:3E:F7"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/yate/secrets.yaml b/config/hosts/yate/secrets.yaml deleted file mode 100644 index 6235c17..0000000 --- a/config/hosts/yate/secrets.yaml +++ /dev/null @@ -1,233 +0,0 @@ -git_clone_key: ENC[AES256_GCM,data:Wss8NtyYXOmQ8fYbqKfbGQ+5l+ifNznis9OJ4p2HRPsExOFvgHH60t+D/gsOPTiwL0fEQKQn008Zo7VpIEhKIQM0fW3cd3ED3Tk8QX4hDRxyLl/lql5MlhTm4UMY58rNMBXgA88oR1lozgAa39KMH0MRUoSzrhvecwnAHO+RjZGXBN5zYIorqBVEk5h+1wUGSlV1TroZX9u0cWt11eH59AgKY/oP5mOrgA++E623Oc/DnTxlLbR//lFHW1JPiBSUFMP1ck6fg4PwnADYITgr1B1zdJz1J6jNC+n6S9bKDPnH5bvqmpvJIRmimxR4/R182RkIC+TBhD850cD1y9KSZa0Lh3DZ3LPrqGtZ6MHvpCgY/wPiTUANv6CJPcOAoskaaW57EiFl0ev3Jc3A+XFM6yqQOmmvNXx0hYz6ltlvtsltOcmz5TWooijwTaPS5UEwltYalrT9RNmC/ODkBRkSvuLEBWYwnu8aeo2f/+IxciG0PldDJED2ud6HSkDEXHcPCwodScpnk032Jrc+0qtI,iv:tCo4f5u/y/ZrAfT1N+eUNLy5pKAg/U0xa3cNQmzUgFs=,tag:03HK65hWjYnVzz+7C+HmsA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rmg0UXBXcWcyRTV6ZGlP - TDY1RFBVaTlVQnJVV3NnU1ZTeEJzb2xsZXdJCnVFSGF0UjQ1OUpxcVNVb2F4K3Uw - KzZRYWtTaTJFd29zcmJENTRLMmZsUVkKLS0tIEdGaHRaOWFyeTMzSit4WFh1UGVS - bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1 - xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-08T18:35:07Z" - mac: ENC[AES256_GCM,data:tyrfhBaTKnp1lqSPfkErk1UFoI7v/1az+zl9g3XoZ5Apo3CRixdLUldM9sYXqQT5WNrgO2NyZHqvyQOnFZiJuNhlYFSQbgwFFm3gz45BV8Do7QAhAG7+Q6q/Gz9VAqePQJlmzbfeL5iqJC2jhrcGIutO2cI22QULLkBzVVDg1/w=,iv:ayLonGC1F3vp6bh4pcAps6BvMzrG/yT2rPGAcUQ1Geg=,tag:1fIaRIFrzDTSP+oIUHABgQ==,type:str] - pgp: - - created_at: "2024-08-05T20:33:02Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtAQ/8Dx0hTc0zZkd9+RXuKOXU8ZkKF54lcxfDTMH0rD2bKPhg - do/+I4VOSJxfyTvzFNjVXywSCEsws2+RyS73jF4048o4DrNQNG4P70GqXAqjDbQL - r+WCKT0if85JYPo/ho8nSRumo44BlbN2+Ftc5Z90UshW63VPU4Xm1Woqm8TOvs/0 - cyhsigShwJGymnIEY4PwdT6fd/gkVVaoC9nCrkkSbaQZa1rXHud8+jLK+4TXebKl - Qk2G2cVivWBioT4wGjhZvQ6lLK4mlaqxiZF3aRYcUs1Hwgq1ZolbgiGPWG4xisFa - JgsqYRnmGnTM/33l57Cy8CpVHfprrapUXh2X2Ly/pBRQn+ns2zk1wkpTUHbwmyQi - ETLvw68PXbayoDNunMqZl2RWPjPnotNVeG5i2s+pwaEoDKAWcud2NPUWFb+gyftk - YNxMdp1CpXXOHpU4Ty+HHXAU/uLVVzLT91RLJAn+Y6rRyevg4UBSB/Y+lc5IMTfa - QPPLRPV6/P4LIWDlOdg/S3Q7ZwryNAogU/Hyuuz2xyS8LK7S7M0+BgVBrOkowazy - aGemt/BmQkyPQDpJTPxtdzsK1vvplol7uJnNou1h0krrgHlAzb++3i8+V4Z18dBg - GSeWIdSm+OD1HPDyD1054wEUAgPfRh0TZma+vDirH4RDH0tMubRGOLl17nV+/v7U - ZgEJAhCYgHEjsPDIpUoHopF1vkhxmhv6YqILLzDftbbmDQUqncs/mgnFCJPNnKVJ - ldwNj2kuAd2L5VRI0E9k0ZVzg/Aqb8B2wSTiJmQGWI3b0tNfGuC65fe7p8ceJ5vZ - et8Y1DEjVg== - =u7aP - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2024-08-05T20:33:02Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2ARAAsrHbA58mnccH/oWDgoEqwJx+ZkeSWo6Arc0nMhU/Qh+9 - Nl/pKdKm3LsIwkKTRVGDxI4vFRo42LFZE47nyfa70G7GiM1uJnEOx6vLTN0HpL6S - YQi8Dbb/+WA7QnGDfaEiozGQzsPMAgSVAE3A0rlcLBqQwiGsfhHr1RwEggfXqMG4 - twxWIbKI/8T088b1IFs7fOKxzEB6na7+HoNaG22jlvRY0irMfgti8xeflWmZIKf2 - uY6gM2rCOtCSi8vZEhJiXb5SG1NbyMmVHsz0ZXHwwGsiDACFqISqfR921B0Cuftx - Nj2pIwKbGyOOsFjlbC3ZGUMplLzYpRMx8LetLMrksWSpzypWdeI166gjF4MncUlQ - gl5hM7gL/+6k86yxIqTeexVoU24NRcsYCnQKZAK5T2fxQxX0BXppWxju6Jq1erRU - JZsggrbxELMJfcyrDC1cH/zgAM1kqOi32ZaGiO3U1WA5fxhJPUy5kxoQXSISL7Ng - mrnnMKIWK7eClQb47a/lYWEIqw1UjJhCPmKVHlcSmiH8FATfr5KjHeFlK8Zou5Ji - yMbVS7s2P9MeEzdnNC8PSFwjM9K7qXuWJYvDQtUracfxgO3X0r7Z+5g62WmLVDcp - E26DzDyTrU6Vf6WANOg/V7C7paOasnpcaU62/C65BBtGH23mgEfkJSkBYJWCea7S - XAHLeksa73OaeO28kTspM4G/Nlh65lr2p92gmcpbqkARvw8dIOUrAqPMRjJHabZq - vLbFx/uqXDPfALVXNWKGZp3vObGPLImQ1EfjVCYzOlkXXnfVdE+ih9+HIYhX - =advR - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2024-08-05T20:33:02Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJAQ//c9NMv/m/qGaJR+2jeu5VAbPwqIfBbrAEiV2s6TlzJRLz - 7yEo9l/wh2WV+1Ew9dM5Pe8cgezjNaXgCeV8EEMu6dzOb1N++3TQJ7ET10DaOVec - ofEwDUYj8UHmV0VmhOPWLpceAod5wk4Xm4rlJTFjQ6TKN8U0dBoGS1cxHWwWw8oa - RebdNmpfSgkj0ohbeD9owxQ7JhqGlOPo1JCz7YI6c6bwQ1wuOC/XqnJt4F5ny8ty - y/qj1m9KrL5nRRc06qxNtmYODMuS+OeScfcI4grX7wMTUrqaFkCVHcboi5ZD6DzE - L49PT51/KK/lOlgKjSDfGgRRj9a9UO+7IXnMG0/5kDzRRBJDBzZH/5rujP8ffz+8 - glxGBiBhsLroHbwn3a4BlDHpnuqCKa/7CmSyfGCNPp0TuMPvCVWf6muXA86wo5fQ - B/qKjvJV15qWJXdKDYyWJAg2B78/dROYbX142R9wPitP8zyj8b3jrzIcoIViAvkl - L3ZnnhqZxzkKcfc2rBsdadBEquz9+oGj6rKARyhFkT92in6zZO19fBZqTH5y/QYl - o0bDAbdQKJf36Eqh8G102z2x/Keo7gK/PWwwOi5YrFlgDVk4oBqAHWRgBiEvjSaO - Z7Ork1eeBUuZLAofzMoNNDaZS0KBfEgE3gczGpcRjjIwTDSIXM8NVtz7aXwZjUTS - XAG89qkxjGjlnJcRrE6izhiNbepWaOYYWb57VB5jL0TciQJHR7nbOGQh0T+tNKcb - fKyxZOL8IdGpoqxsRCuaPE5cEwc17XKuu53CfZo9t6hjh8SwRKWGnk7dkYhy - =vqhH - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2024-08-05T20:33:02Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1ARAArape3cqNbLeWh0YdcG9fBcuzyrTGntyD6ccl9Wwc4aTd - +uNMhCl7758tETPPK4qneAYNSnbnFQcgKj0ATkVMhMuT58g15GMEyXvhUsIukpQ7 - Ca5t+aVh1fmb1pvcWPd4MUUQzt8KKN99+0KfyWzvdsb2jUBKICG3TQvTWXT93+g4 - LjG6TCW+wv06nTquaCEaR4IdEPJRfZEspUXDhi2Wr/AjXIlvfN/yhs2AyTjde5un - kha2iy85o2NikCYoIaqFvFaEDOGjdcT4g/jaErxXn8sSxOQo9aV/r5Ksm/mXyEI2 - cSrbMfBXwrlrHNZ5VCbYZLbNjIbwFdBV04buZldDT4GYmBW/PG71NeKDrXrgnTOn - 3fBkXmhFb3gLppMv2v2TY96lGk3Obbfnry1lsgLLW+SvustNe1en3mXSVciCbuEh - 7bsb4AkJyJXSUFh8jQ1LWxcE9jsI6eIj9eb/tw0QmC0y8Q2fqOV927B8d7Pl2dyU - K0aryOwn+80ce7sBd/9JRL6SOHB2nK8BpmRO2blAmhrGEjX8kif9hFrXHLU2+7sb - QC0ccFjoleqhTgsnOXCHwfm0ggejvZhS3GLjABgXBp2LVVYuWZXVhCQuRLsUV2v3 - Wf4fPWaGWw8tTTaW198H0NWfd/FSogzWQcsgknVWM9YS/zzqcQNYsSObwh2q2V/S - XAFWrPxSexFSi0XiXK7ahhnp7OTIMtw9dy3e0HQ/7F8guhvhwoTcK6bLY2967wyj - IPh1r+J6g090fN2QXm0oHTSJbhl+fy4bOkXVt/ATyPh6b0yRaxMgSGXWeh3C - =hGXq - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2024-08-05T20:33:02Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4HMJd/cQYrVARAAwAzM+dgsD/WBFbCFIXhDdsLmmWZMeVLD1AlLTmu/GfGg - YvHhW4giEaqEzUsQOuxmyND7eQd3fBKf1GcwFLXE9xrR6YD5yh7s898mnCpBi2Xi - LBPMz7nN/j7mfetPklsTazbbaoSB9hVx8AK7jzS7zvzgEGIm8Yeilx/v8OqbT1xQ - +07soWjVvqM526a24KSdRBTgvXPJvqIPt0IEZzFWtAppectcRBiZJHX4huU5wOuG - SEk0vgwCwrt3cades+dbh59cSqUc65qGhDti0tnygnSKgepOkQsFOqoZ/WvgE+io - 5fNEI4g2/D+gmSelCCcQE0MFe+Uzc1FpsWwZiHnbGfnA55GO0dvoOUAsJQtwCLSq - 1Lw8bpywgfIfU4QMYmZAaYsHDly4VTwluFe1WnExzf/nMxRQQmqIlg2pTmNZ6tJ1 - 1A9Rc6mg83//2fNWRw+JBtOJUCePw5nyJ0jTOQZd7Dl0ZzwlsgH8g/Y/Flg1kFll - CXGcJ1TMjTjzD4+Fl3UE+BqpzBjwQodzHqX3LEJ9uJ2guw0zbWzuMs10aTEoW/1U - pVGexkrcaduykd5TQmMO8yG6rW2KEKJlh68lxZslUAiG0ASTuSpY5A8leS5OZZgF - EQjs903r1epwJgBwnQGhijpTrmqiThvdE0BJ9r1jmxUy75KzWh/SZDmpCwDfsELS - XAEceOrsLsaYRqisM5D1zvNneEoGKv3GoS4cs4iuqHPyy2ZueHWK24HmAmrghRQ7 - uLCmS0SmU5CY5gmVRkrKhY/0wtKWqJ10cK17Z/dQtRz6g3qmFM4JBfMy4BL9 - =vZLC - -----END PGP MESSAGE----- - fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C - - created_at: "2024-08-05T20:33:02Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fARAApzEcBIVknhmysQc02ufbjFzKweB4jsCvGoPXSooMzs4x - p4keH/xaVXF1/nn+bzMHJt1/LV1/5LlyHtQNcZ30hUrziOy4LCnyfNgb5WP3VMP3 - XW6ZcBiEIcUHZ1Ikl/cUNCpKazVRD6o6oKmFCwXKgE9a/l5XX/j3vizQ22vwfgfa - oziQPhMadfne8hXAJIB7fOn45ZLFNgLqYWW4Jh4L1DJflziNR8kx3NQJLWDmSqqB - SpuFBkm7DaLCkj/TpvAQs5xSI69kLlDfcaEPI4noAdhJh+jwGVLNmKyekKsYfrDS - 5cQUVD3Hmn4WnpR2jLJAlwcFaEZt0muiLIxZmAxfSzJhld8G4GOcoAllfG9ze+QG - oJ3G6jWtJeoCZR5zbdk+lNcQ+iHD6bzrkN+54menxu2XGHkFKQ1es/g+cU0AI3yZ - XXgnlwNtC75TzZHwSA0kjmqcgr5XVcoLOr5XJWasQOyIXpjcHbfonnMV4NE5A/Jo - IEMLUdjLBWmjW1xeWo1CJ8hELbpfNaQf8YBzEuo5Yqvs7s0fKl8ea18jwtwYP9qc - 2CbD+7GpxuK/06gMTt7LExcqt39PVGmeFAtZHNtNBMnZ6Ek5cbWqhjPOCy2MFVaa - XTH3UxD1YISZC+NZtSYLDWrTwzY3EYCttAxHzg1iFC8STaM/OR6beD0OPcPj+QLS - XAH6NdHQcUSsFJ0KR4dfOrOnuLDzX2xLsgXJvDhRVbpYwSdeG40j5oGiNpam+z8/ - fDboI4SNzB7Mb4j196kSHWK90sKFsxGkoDGZM/QZh4QA2v0yke1sqkUwkK4I - =SLD4 - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2024-08-05T20:33:02Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoAQ/+LSHRuYFtIKdxABivqoxvbirPS9Vyo+lYNXMRt9eK5oYp - 8ei+fyJgsyxXIIlsW2Dg/ZrM8O4aTxkuX1Eg0BhvuWWGBx71S7IGYX+6eSqrZWb+ - 0zLSwKHmk3avGae/IkpKyEdFnGpHKhnILfpKEXVRWHQo5hjxFzUwzNr5N+wJcq19 - sVuCsu4WSt75Ab5bTjl/AYrfYegkK5zXo2I+njIcSYqleQ6vlQ10LUiPg8QhPXqB - NvC8DVglMHN+dFDrnn5huTsd23nIJn6HRbLkqgPCezT8JUgjvEsO0tOdnM8jwRnI - K79HH53p3fbxSut+/P+u1X0gMTOT7KeLfY8URho5HQnnmymXbRxuWoQea9/Z3qIX - 4tfYkcMQA3+rxXANgsfT1yHEs8NjomUxi0SmSCeqtH333iMJJwEwWgLiIKFAA6t9 - SffF9liWeG88VEeAF5dM+7uQ7XrTsAlcdHdNoQCpprx3Hx331rFt1DOj3Md2moF0 - TUqdNsZ7wCA9zlVPwtjkILMGEdz8ZN62an0R/h2ZM9Y/wuZcl1M6wWI9eyjx2Qva - 7/Xk6LMklmNICifOZZ5Tmw1xSyxOIW8VNp7IiKXZBAjb8NiUveNUos0gjMxNQ3PR - oWv8LY3vfYiKE7AJhzrEim1PX36OcRYpB+0BAou//9PGI59tHp/Fupi2lWx7Qv3S - XAEJRUzfnCPB56PdLkNFbJAj2v11zD8zBIZqpuGh/f3fE7V0klGy/Dx9yHyAhw0t - LeXMrYUYO3zjLc4yh7qdrGPBdWUQg8BzWwIJERdHS90zQwmcTkkaX5en3GII - =MQ9C - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2024-08-05T20:33:02Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqARAApQx98KdexUMI0KY65hv0IRvBRFouPwpTsd4VpzTsbkYF - XDBhxWVXkI9iLS8O6siQygVDDMfIDs5SadVoOicWyOpHR5sjOaW9qHA4w399w8Fe - 5XoPyfUuQvVywfHMhQiznHNPj5+SgcehwUL1i1+qD3h8RZxbgGkvYKinlkkbxzh/ - Tk4lYjcoNvb/10XRWDEy5KxMB2qc2BFEWZk6DrXe9ZUd0IzYh+tA07rUZVu8TRAc - abx6/0lvgIK45frzYJb17yL/9mCbAUVzSlR/+5LZ+qm73Ax4nsGcGA8nfDVGw/di - +BbbpBHdCs7/1XEHfrKzuUXOAd0V1HjeQSS6zzcwsfFLMevYMyTLmiTwo6SEoWSk - nN599ZqPutG94MVtvaKqDY47ABSOr0BZIUn4jdus34GTgDjX3TVTx8KPzemIbUv7 - BQcd654NKQN0poyZegrksnJVfs6OeSULLylufj6vyFNlKbjNR+D1sHhiyKcmyrQf - T0jDnPgZIzeVbNSdrDywrme+CykRSoFs60GgGYt6p/Omuh7Vp6we05jzY8lUJL76 - VsGqqyCn3JLZb6iWFe+P7JT1VXsl8xsrmn5BKoSMeXqaXctYKuJ2E20gc90a8UXm - jhnHYeG2QHW1LBgv1yeqCpUIfHxNRr+gJ3cHQLNUuchC3vubf3sBXhHzYXyzyXrS - XAFwRah/o35ETWbRhFsw+SzJGTgsyUqKAtWGmfTRPsbVvbam63IEsbTSLOdMahmY - 6uSgIbsZTobna90eVPFM8w3JIx7+Mq0YtdaLgRqpHJtPC7oVgN+RnKbgEEqQ - =uyf4 - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2024-08-05T20:33:02Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4EEKdYEzV0pAQ//QZwerhHFVjR/LahlgmnO/HyiR+wbvNzHEya/rVwuu+st - V8hNgBFp9N1Y9uh/GFIzZd5ETz7yq0FawRptlt5k0CqVYfsDBIB3ewxukJeyjdj2 - 8E84l9SSdmV5uqWK+MV+uY57C8BBcgWtUpjOTNrGkAqtEd5YrSZwcgtKGVLI2Dd/ - i2I1RYdYP/VTusBtpqPk+IrpJf8jEYcEhl+S0wnG+kh/rhyCCrtda49SgRbuJE2d - V9JJlASkC6H6DRn6dVcO2BUZss3ZQB+OF9vfo7tnnuU8Mw1C2JWPy9oPiNat5UGE - zVJZf//m0xBfQVFWFDs95lvqzsBcAAg02tTsclPTtgz9buW5Pph3/OUiq4o/ZWOz - TMSXGD+Fi/mbP7jJZndtiadMtfOQC1dGC86A5H01aQliWruIMb0Wp55+Zr2Rw39p - FlhFSfCzyQHgA+uMa45XFaHCaS9pllWoT3QO3csP5ZyeUM8pLvnxwnLB2BTgg+yF - aV3BP0nzbHAUuaDeb/WtRINKRcKHCqrPPAEvb6X0OU51NvzmaWJphpdrvi3/4sEO - 5+zDlqSZetaBa9WB1iCeD/u8wNNunCXageLxBucesv1uH5PvF51A/aJvXf1jRCym - NjSUQw2aSX35nWc9MIcUnO5mB8H4N5BF2FBx8Nq2XnrVgVPqqe1Sc2Ph4tE54QzS - XAG1bzAX3lHh77xsUuy/Nk3VE3kzJhaxpyz0rPIn6NQ9lVcy4hiyecKL3Jk3Ffcn - kxeKnjym5E4e3f8cMxWQlc+xtwga5QAD2dU2X9fPj6UxGEbh+gDqLv8wtzMr - =7R+0 - -----END PGP MESSAGE----- - fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA - - created_at: "2024-08-05T20:33:02Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdA4XhPBK5WnPVo84ZrCUe92HZSEKtH88GLktniZCmAczcw - cO5WYiy9D4z/aieGuMTBGg5xRk7eAMZVTbMDV+KXKLVlDwoxKybKSbT+fvhNGJ13 - 0lwBd0RFKYGq4YO+/nUxHZo3hG6qmv3/K06fta/D4p/C5wYefNZVcAj5VqatP3Zi - I/ktqdDszkc98/bf4fHoQmSxP25Wp65jJBEYeMZgX75M/wguGeIBfEgZB5bgww== - =0G+m - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2024-08-05T20:33:02Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAzdAjw8ldn6CAQ//Vu9YJvMsevJAd4RJwJ5HMdB3xy3dbDG98qZb8Zoj0+qX - KT/VsR9YoOLeszmzI6BtB2PQhLeavMR2/SFJTGunxaSCvHcd/q7dnC+WAmUVun8l - MVRkIRh1I+tX1KQBqFt1IzsUm5kwJD4iThn4OWyDlS3WCDFlOLUC1iZVtdqxptzy - p4mzM4NmR/Z8r8aA+dYdTlzDHyUhVnvYCDaRTIyr2qzd6kUHmo9PMRvqUNQkNA3k - YOwLt8VR0nZIAx7YOGwSp4E32tk09o7Z+dUIYqXO71c5TxXsOoeEbVn7gj+7KQVs - yDNMF7he54zjModPJkSa4MjwTC2NKzLClux0aE9dW5Zv2eSiTEIlaAwhJjH0wt8O - oMJ5A8Y39GmNoAkadQ5NLP6WwTaUFYLacT56/AdAvsodQf7zlF399wXZlQufAgLv - 3WAvL+LQKpg8TwH74pJe4te4BjnqWvYx+jkRYbRxSXD2iwqrWXk57XysizgjAAre - FJe42BeL2uyP/cMTcNFcd+W2DztUkNR54FHSYY8mqev81BYX92ExsfEugsBzUaDF - 3QBnZIZZInCQKnXIIaj5+rV8XXbMKnyTNBQCxfUk92OOrUhikvYhwfPev2ejUzQm - k8RgIG9ZBWDENGX9ojmTH+ec2gWmLvKGyhrKjWvNMzzblHfuxjdSizoQ1FflYEPS - XAE9Cu/L0lwQEU8vRRPPF9kRHLoJygxdOYoD4+SggCkPJxtyiCTNWJeOBwbSnGyh - B8GnNJwNn7H8vh40se/uo2311O8NcuvdLLiBw9DxCTCcPHqS4e5hF98oiSnI - =ZgbM - -----END PGP MESSAGE----- - fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF - unencrypted_suffix: _unencrypted - version: 3.9.0 diff --git a/config/hosts/yate/sops.nix b/config/hosts/yate/sops.nix deleted file mode 100644 index 38b06f9..0000000 --- a/config/hosts/yate/sops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} \ No newline at end of file diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix deleted file mode 100644 index 236e1f0..0000000 --- a/config/hosts/yate/yate.nix +++ /dev/null @@ -1,78 +0,0 @@ -{ pkgs, ... }: - -{ - environment.systemPackages = [ - pkgs.yate - pkgs.git - pkgs.tcpdump - pkgs.tmux - ]; - - # Just disable it for now. - networking.firewall.enable = false; - - users = { - users.yate = { - description = "yate service user"; - group = "yate-config"; - isNormalUser = true; - }; - - groups.yate-config = { - members = [ "colmema-deploy" "chaos" "root" "yate"]; - }; - }; - - environment.etc.yate = { - user = "yate"; - group = "yate-config"; - mode = "symlink"; - source = "/var/lib/yate"; - }; - - sops.secrets."git_clone_key" = { - mode = "0600"; - owner = "yate"; - group = "yate-config"; - restartUnits = [ "yate.service" ]; - }; - - systemd.services.yate = { - enable = true; - description = "Yate telehony engine"; - unitConfig = { - After= "network-online.target"; - }; - serviceConfig = { - ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share"; - Type="simple"; - Restart="always"; - User="yate"; - Group="yate-config"; - StateDirectory = "yate"; - StateDirectoryMode = "0775"; - }; - wantedBy = [ "default.target" ]; - requires = [ "network-online.target" ]; - preStart = '' - echo "\n" >> /run/secrets/git_clone_key - sleep 5 - id - echo "$(stat -c '%U' /var/lib/yate/.git) owns /var/lib/yate/.git" - SSH_SUCCESS=1 - ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0 - if [[ $SSH_SUCCESS = 1 && $(stat -c '%U' /var/lib/yate/.git) == *yate* ]]; then - rm -rf /var/lib/yate/* - rm -rf /var/lib/yate/.* - env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate - ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory "/var/lib/yate" - fi - ''; - reload= '' - id - ${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate - /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all - /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/master - ''; - }; -} diff --git a/deployment_configuration.json b/deployment_configuration.json deleted file mode 100644 index 9c2f99a..0000000 --- a/deployment_configuration.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "default": { - "targetUser": "colmena-deploy" - }, - "hosts": { - "matrix": { - "targetHostname": "matrix-intern.hamburg.ccc.de" - }, - "public-web-static": { - "targetHostname": "public-web-static-intern.hamburg.ccc.de" - }, - "git": { - "targetHostname": "git.hamburg.ccc.de" - }, - "forgejo-actions-runner": { - "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de" - }, - "mjolnir": { - "targetHostname": "mjolnir-intern.hamburg.ccc.de" - }, - "woodpecker": { - "targetHostname": "woodpecker-intern.hamburg.ccc.de" - }, - "penpot": { - "targetHostname": "penpot-intern.hamburg.ccc.de" - }, - "hydra": { - "targetHostname": "hydra-intern.hamburg.ccc.de" - } - } -} diff --git a/flake.lock b/flake.lock index 559f116..51cd067 100644 --- a/flake.lock +++ b/flake.lock @@ -1,26 +1,12 @@ { "nodes": { - "authorizedKeysRepo": { - "flake": false, - "locked": { - "lastModified": 1745870473, - "narHash": "sha256-GMU6gfG1+3OjTuoiIYQg9yefzrz+RVVesqXa8jmOuCE=", - "rev": "fc95460e9e6ae759b2b08c93b10a8e010e9e14e6", - "type": "tarball", - "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz" - } - }, "nixlib": { "locked": { - "lastModified": 1736643958, - "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", + "lastModified": 1693701915, + "narHash": "sha256-waHPLdDYUOHSEtMKKabcKIMhlUOHPOOPQ9UyFeEoovs=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", + "rev": "f5af57d3ef9947a70ac86e42695231ac1ad00c25", "type": "github" }, "original": { @@ -32,14 +18,16 @@ "nixos-generators": { "inputs": { "nixlib": "nixlib", - "nixpkgs": "nixpkgs" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { - "lastModified": 1751903740, - "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", + "lastModified": 1701689616, + "narHash": "sha256-ewnfgvRy73HoP5KnYmy1Rcr4m4yShvsb6TCCaKoW8pc=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "032decf9db65efed428afd2fa39d80f7089085eb", + "rev": "246219bc21b943c6f6812bb7744218ba0df08600", "type": "github" }, "original": { @@ -50,62 +38,41 @@ }, "nixpkgs": { "locked": { - "lastModified": 1736657626, - "narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=", - "owner": "NixOS", + "lastModified": 1705044370, + "narHash": "sha256-QmzSiphBSOCvhzMNUzhtZT/HpK4VyXqWEYRRPNtIfMQ=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e", + "rev": "76fc2dd7efd18cb4251db2f35ab6655ee746e961", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", + "owner": "nixos", + "ref": "nixos-23.11-small", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs_2": { + "nixpkgs-unstable": { "locked": { - "lastModified": 1753115646, - "narHash": "sha256-yLuz5cz5Z+sn8DRAfNkrd2Z1cV6DaYO9JMrEz4KZo/c=", + "lastModified": 1705069489, + "narHash": "sha256-kXk4DUZS5uEdowgcv5PWVJ1s37xZKPvhpD/CFNdWMbs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "92c2e04a475523e723c67ef872d8037379073681", + "rev": "391d29cb04fe2ca9a4744c10d6b8a7783f6b0f6d", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-25.05", + "ref": "nixos-unstable-small", "repo": "nixpkgs", "type": "github" } }, "root": { "inputs": { - "authorizedKeysRepo": "authorizedKeysRepo", "nixos-generators": "nixos-generators", - "nixpkgs": "nixpkgs_2", - "sops-nix": "sops-nix" - } - }, - "sops-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1752544651, - "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "2c8def626f54708a9c38a5861866660395bb3461", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable" } } }, diff --git a/flake.nix b/flake.nix index e8a53a9..086c076 100644 --- a/flake.nix +++ b/flake.nix @@ -5,275 +5,202 @@ # Use the NixOS small channels for nixpkgs. # https://nixos.org/manual/nixos/stable/#sec-upgrading # https://github.com/NixOS/nixpkgs - nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11-small"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; # Add nixos-generators as an input. # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake nixos-generators = { url = "github:nix-community/nixos-generators"; - #inputs.nixpkgs.follows = "nixpkgs"; - }; - - # Add sops-nix as an input for secret management. - # See here: https://github.com/Mic92/sops-nix?tab=readme-ov-file#flakes-current-recommendation - sops-nix = { - url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; - - authorizedKeysRepo = { - url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz"; - flake = false; - }; }; - outputs = { self, nixpkgs, nixos-generators, sops-nix, authorizedKeysRepo, ... }: + outputs = { nixpkgs, nixpkgs-unstable, nixos-generators, ... }: let - specialArgs = { - inherit authorizedKeysRepo; + # Shairport Sync 4.3.1 (with nqptp 1.2.4) with metadata, MQTT and AirPlay 2 support. + shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: { + shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: { + # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md + configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ]; + buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ]; + # Use specific Shairport Sync and nqptp versions, since with those the + # following error doesn't happen: + # fatal error: The nqptp service on this system, which is required for + # Shairport Sync to operate, does not seem to be initialised. + # + # Also use a more recent dev version to fix Pipewire stuttering issue. + # See: + # https://github.com/mikebrady/shairport-sync/issues/1736 + # https://github.com/mikebrady/shairport-sync/blob/a65ec2d7f1f380bbae196d7f8f1cd6a88ef5777b/RELEASENOTES-DEVELOPMENT.md#version-432-dev-51-g98679bbb + src = final.fetchFromGitHub { + owner = "mikebrady"; + repo = finalAttr.pname; + rev = "98679bbb54f5aaeda859e34aa28425647b8d179e"; + hash = "sha256-k0kcgtWk2xlG34lP0ryEaqdskYMNM68YnIRLwFR3jaY="; + }; + }); + nqptp = prev.nqptp.overrideAttrs (finalAttr: previousAttr: { + # See Shairport Sync version note. + src = final.fetchFromGitHub { + owner = "mikebrady"; + repo = finalAttr.pname; + rev = "1.2.4"; + hash = "sha256-roTNcr3v2kzE6vQ5plAVtlw1+2yJplltOYsGGibtoZo="; + }; + # Custom install phase to avoid setcap. + # See: + # https://github.com/mikebrady/nqptp/blob/1.2.4/Makefile.am#L23 + installPhase = '' + mkdir -p $out/bin + cp nqptp $out/bin/ + ''; + }); }; - system = "x86_64-linux"; - in - { - nixosModules = { - common = ./config/common; - proxmox-vm = ./config/proxmox-vm; - prometheus-exporter = ./config/extra/prometheus-exporter.nix; - }; - overlays = { - matrixSynapseFix = final: prev: { - matrix-synapse-unwrapped = prev.matrix-synapse-unwrapped.overrideAttrs (finalAttrs: prevAttrs: rec { - version = "1.135.2"; - src = prev.fetchFromGitHub { - owner = "element-hq"; - repo = "synapse"; - rev = "v${version}"; - hash = "sha256-4HAA9Xq4C3DHxz0BgqBitfM4wZwPSEu+IO/OPfHzLVw="; - }; - cargoDeps = final.rustPlatform.fetchCargoVendor { - inherit src; - hash = "sha256-4J92s6cSgsEIYQpbU6OOLI/USIJX2Gc7UdEHgWQgmXc="; - }; - patches = []; - }); - }; - librespotFixOverlay = final: prev: { - librespot = (prev.librespot.override { withAvahi = true; }).overrideAttrs (finalAttrs: prevAttr: rec { - # Build dev branch. - name = "${prevAttr.pname}-${version}"; - version = "dev"; - src = prev.fetchFromGitHub { - owner = "librespot-org"; - repo = "librespot"; - rev = "dev"; - sha256 = "sha256-s9JpIbqXiVXMlhEuIuKio+rD1rM3kc7bAT0+8+5s35w="; - }; - cargoDeps = final.rustPlatform.fetchCargoVendor { - inherit src; - hash = "sha256-Lujz2revTAok9B0hzdl8NVQ5XMRY9ACJzoQHIkIgKMg="; - }; - # Fix librespot failing with "Unable to load audio item: Error { kind: Unavailable, error: StatusCode(500) }". - patches = (prevAttr.patches or []) ++ [ - ./patches/librespot_PR1528_conflicts_resolved.patch - ]; - }); - }; - }; - nixosConfigurations = { - audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - ./config/hosts/audio-hauptraum-kueche - ]; - }; - - audio-hauptraum-tafel = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - ./config/hosts/audio-hauptraum-tafel - { nixpkgs.overlays = [ self.overlays.librespotFixOverlay ]; } - ]; - }; - - esphome = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - ./config/hosts/esphome - ]; - }; - - public-reverse-proxy = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - ./config/hosts/public-reverse-proxy - ]; - }; - - matrix = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - sops-nix.nixosModules.sops - self.nixosModules.prometheus-exporter - ./config/hosts/matrix - { nixpkgs.overlays = [ self.overlays.matrixSynapseFix ]; } - ]; - }; - - public-web-static = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - sops-nix.nixosModules.sops - self.nixosModules.prometheus-exporter - ./config/hosts/public-web-static - ]; - }; - - git = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - sops-nix.nixosModules.sops - self.nixosModules.prometheus-exporter - ./config/hosts/git - ]; - }; - - forgejo-actions-runner = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - sops-nix.nixosModules.sops - self.nixosModules.prometheus-exporter - ./config/hosts/forgejo-actions-runner - ]; - }; - - ptouch-print-server = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - ./config/hosts/ptouch-print-server - ]; - }; - - yate = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - sops-nix.nixosModules.sops - ./config/hosts/yate - ]; - }; - - mqtt = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - ./config/hosts/mqtt - ]; - }; - - mjolnir = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - sops-nix.nixosModules.sops - self.nixosModules.prometheus-exporter - ./config/hosts/mjolnir - ]; - }; - - woodpecker = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - sops-nix.nixosModules.sops - self.nixosModules.prometheus-exporter - ./config/hosts/woodpecker - ]; - }; - - status = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - sops-nix.nixosModules.sops - ./config/hosts/status - ]; - }; - - penpot = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - sops-nix.nixosModules.sops - self.nixosModules.prometheus-exporter - ./config/hosts/penpot - ]; - }; - - hydra = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - self.nixosModules.prometheus-exporter - ./config/hosts/hydra - ]; + in { + colmena = { + meta = { + nixpkgs = nixpkgs.legacyPackages."x86_64-linux"; + nodeNixpkgs = { + audio-hauptraum-kueche = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay; + audio-hauptraum-tafel = nixpkgs-unstable.legacyPackages."x86_64-linux".extend shairportSync431ExtendedNixpkgsUnstableOverlay; }; }; - packages.x86_64-linux = { - proxmox-nixos-template = nixos-generators.nixosGenerate { - inherit specialArgs; - system = "x86_64-linux"; - modules = [ - ./config/nixos-generators/proxmox.nix - self.nixosModules.common - self.nixosModules.proxmox-vm - ]; - format = "proxmox"; - }; - - proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate { - inherit specialArgs; - system = "x86_64-linux"; - modules = [ - ./config/nixos-generators/proxmox-chaosknoten.nix - ./config/proxmox-chaosknoten-additional-initial-config.nix - self.nixosModules.common - self.nixosModules.proxmox-vm - ]; - format = "proxmox"; + audio-hauptraum-kueche = { + deployment = { + targetHost = "audio-hauptraum-kueche.z9.ccchh.net"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "thinkcccluster" ]; }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/audio-hauptraum-kueche + ]; }; - formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; + audio-hauptraum-tafel = { + deployment = { + targetHost = "audio-hauptraum-tafel.z9.ccchh.net"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "thinkcccluster" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/audio-hauptraum-tafel + ]; + }; - hydraJobs = { - inherit (self) packages; - nixosConfigurations = builtins.mapAttrs (name: value: value.config.system.build.toplevel) self.nixosConfigurations; + esphome = { + deployment = { + targetHost = "esphome.z9.ccchh.net"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "thinkcccluster" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/esphome + ]; + }; + + public-reverse-proxy = { + deployment = { + targetHost = "public-reverse-proxy.z9.ccchh.net"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "thinkcccluster" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/public-reverse-proxy + ]; + }; + + netbox = { + deployment = { + targetHost = "netbox-intern.hamburg.ccc.de"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "chaosknoten" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/netbox + ]; + }; + + matrix = { + deployment = { + targetHost = "matrix-intern.hamburg.ccc.de"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "chaosknoten" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/matrix + ]; + }; + + public-web-static = { + deployment = { + targetHost = "public-web-static-intern.hamburg.ccc.de"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "chaosknoten" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/public-web-static + ]; + }; + + git = { + deployment = { + targetHost = "git.hamburg.ccc.de"; + targetPort = 22; + targetUser = "colmena-deploy"; + tags = [ "chaosknoten" ]; + }; + imports = [ + ./config/common + ./config/proxmox-vm + ./config/hosts/git + ]; }; }; + + packages.x86_64-linux = { + proxmox-nixos-template = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = [ + ./config/nixos-generators/proxmox.nix + ./config/common + ./config/proxmox-vm + ]; + format = "proxmox"; + }; + + proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = [ + ./config/nixos-generators/proxmox-chaosknoten.nix + ./config/proxmox-chaosknoten-additional-initial-config.nix + ./config/common + ./config/proxmox-vm + ]; + format = "proxmox"; + }; + }; + }; } diff --git a/modules/services/audio/default.nix b/modules/services/audio/default.nix index f9aa6b3..6e8a43b 100644 --- a/modules/services/audio/default.nix +++ b/modules/services/audio/default.nix @@ -11,7 +11,7 @@ in { imports = [ ./librespot.nix - ./mpd.nix + ./networking.nix ./pipewire.nix ./shairport-sync.nix ]; diff --git a/modules/services/audio/librespot.nix b/modules/services/audio/librespot.nix index 3be5c86..fa4e9ed 100644 --- a/modules/services/audio/librespot.nix +++ b/modules/services/audio/librespot.nix @@ -19,11 +19,11 @@ in enable = true; description = "Spotify Connect Receiver Using librespot"; unitConfig = { - Requires = [ "network-online.target" "pipewire.service" "avahi-daemon.service" ]; - After = [ "network-online.target" "pipewire.service" "avahi-daemon.service" ]; + Requires = [ "network-online.target" "pipewire.service" ]; + After = [ "network-online.target" "pipewire.service" ]; }; serviceConfig = { - ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache --zeroconf-backend avahi"; + ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache --quiet"; User = "librespot"; Group = "librespot"; }; @@ -34,7 +34,7 @@ in users.librespot = { isSystemUser = true; group = "librespot"; - extraGroups = [ "pipewire" "audio" ]; + extraGroups = [ "pipewire" ]; }; groups.librespot = { }; }; diff --git a/modules/services/audio/mpd.nix b/modules/services/audio/mpd.nix deleted file mode 100644 index 048e979..0000000 --- a/modules/services/audio/mpd.nix +++ /dev/null @@ -1,35 +0,0 @@ -# Links & Resources: -# - https://mpd.readthedocs.io/en/stable/user.html - -{ config, pkgs, lib, ... }: - -with lib; - -let - - cfg = config.ccchh.services.audio; - -in - -{ - config = mkIf cfg.enable { - services.mpd = { - enable = true; - network.listenAddress = "any"; - extraConfig = '' - audio_output { - type "pipewire" - name "Pipewire" - mixer_type "software" - } - restore_paused "yes" - ''; - }; - - users.users.mpd.extraGroups = [ "pipewire" ]; - - networking.firewall = { - allowedTCPPorts = [ 6600 ]; - }; - }; -} diff --git a/modules/services/audio/networking.nix b/modules/services/audio/networking.nix new file mode 100644 index 0000000..b0fbf22 --- /dev/null +++ b/modules/services/audio/networking.nix @@ -0,0 +1,16 @@ +{ config, pkgs, lib, ... }: + +with lib; + +let + + cfg = config.ccchh.services.audio; + +in + +{ + config = mkIf cfg.enable { + # Disable IPv6, since Shairport-Sync doesn't work with IPv6. Unclear why. + networking.enableIPv6 = false; + }; +} diff --git a/modules/services/audio/shairport-sync.nix b/modules/services/audio/shairport-sync.nix index 43d1285..adf5911 100644 --- a/modules/services/audio/shairport-sync.nix +++ b/modules/services/audio/shairport-sync.nix @@ -17,11 +17,10 @@ in config = mkIf cfg.enable { services.shairport-sync = { enable = true; - package = pkgs.shairport-sync-airplay2; - arguments = "-o pw -v"; + arguments = "-o pw"; }; - users.users.shairport.extraGroups = [ "pipewire" "audio" ]; + users.users.shairport.extraGroups = [ "pipewire" ]; environment.etc.shairport-sync-config = { enable = true; diff --git a/patches/librespot_PR1528_conflicts_resolved.patch b/patches/librespot_PR1528_conflicts_resolved.patch deleted file mode 100644 index f97a38a..0000000 --- a/patches/librespot_PR1528_conflicts_resolved.patch +++ /dev/null @@ -1,223 +0,0 @@ -From c4c968e594edcfce231682db5563f7186da7c6f0 Mon Sep 17 00:00:00 2001 -From: Timon de Groot -Date: Thu, 7 Aug 2025 12:22:56 +0200 -Subject: [PATCH 1/5] spclient: Specify base url for metadata requests - -This fixes #1527 ---- - core/src/spclient.rs | 15 +++++++++++++-- - 1 file changed, 13 insertions(+), 2 deletions(-) - -diff --git a/core/src/spclient.rs b/core/src/spclient.rs -index 87a6098..56c4287 100644 ---- a/core/src/spclient.rs -+++ b/core/src/spclient.rs -@@ -55,6 +55,7 @@ const CONNECTION_ID: HeaderName = HeaderName::from_static("x-spotify-connection- - const NO_METRICS_AND_SALT: RequestOptions = RequestOptions { - metrics: false, - salt: false, -+ base_url: None, - }; - - #[derive(Debug, Error)] -@@ -86,6 +87,7 @@ impl Default for RequestStrategy { - pub struct RequestOptions { - metrics: bool, - salt: bool, -+ base_url: Option, - } - - impl Default for RequestOptions { -@@ -93,6 +95,7 @@ impl Default for RequestOptions { - Self { - metrics: true, - salt: true, -+ base_url: None, - } - } - } -@@ -449,7 +452,10 @@ impl SpClient { - - // Reconnection logic: retrieve the endpoint every iteration, so we can try - // another access point when we are experiencing network issues (see below). -- let mut url = self.base_url().await?; -+ let mut url = match &options.base_url { -+ Some(base_url) => base_url.clone(), -+ None => self.base_url().await?, -+ }; - url.push_str(endpoint); - - // Add metrics. There is also an optional `partner` key with a value like -@@ -566,7 +572,12 @@ impl SpClient { - - pub async fn get_metadata(&self, scope: &str, id: &SpotifyId) -> SpClientResult { - let endpoint = format!("/metadata/4/{}/{}", scope, id.to_base16()?); -- self.request(&Method::GET, &endpoint, None, None).await -+ let options = RequestOptions { -+ base_url: Some(String::from("https://spclient.wg.spotify.com")), -+ ..Default::default() -+ }; -+ self.request_with_options(&Method::GET, &endpoint, None, None, &options) -+ .await - } - - pub async fn get_track_metadata(&self, track_id: &SpotifyId) -> SpClientResult { --- -2.49.0 - - -From 2b72f3fbdf6519321feeaaecc1ea6e1bb042074e Mon Sep 17 00:00:00 2001 -From: Timon de Groot -Date: Thu, 7 Aug 2025 13:51:55 +0200 -Subject: [PATCH 2/5] spclient: Change RequestOptions to &str - -This will allocate less strings and makes it possible to have const -request option values. - -Also document why the metadata base url workaround is needed. ---- - core/src/spclient.rs | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/core/src/spclient.rs b/core/src/spclient.rs -index 56c4287..11bcef4 100644 ---- a/core/src/spclient.rs -+++ b/core/src/spclient.rs -@@ -87,7 +87,7 @@ impl Default for RequestStrategy { - pub struct RequestOptions { - metrics: bool, - salt: bool, -- base_url: Option, -+ base_url: Option<&'static str>, - } - - impl Default for RequestOptions { -@@ -453,7 +453,7 @@ impl SpClient { - // Reconnection logic: retrieve the endpoint every iteration, so we can try - // another access point when we are experiencing network issues (see below). - let mut url = match &options.base_url { -- Some(base_url) => base_url.clone(), -+ Some(base_url) => base_url.to_owned().to_string(), - None => self.base_url().await?, - }; - url.push_str(endpoint); -@@ -572,8 +572,11 @@ impl SpClient { - - pub async fn get_metadata(&self, scope: &str, id: &SpotifyId) -> SpClientResult { - let endpoint = format!("/metadata/4/{}/{}", scope, id.to_base16()?); -+ // For unknown reasons, metadata requests must now be sent through spclient.wg.spotify.com. -+ // Otherwise, the API will respond with 500 Internal Server Error responses. -+ // Context: https://github.com/librespot-org/librespot/issues/1527 - let options = RequestOptions { -- base_url: Some(String::from("https://spclient.wg.spotify.com")), -+ base_url: Some("https://spclient.wg.spotify.com"), - ..Default::default() - }; - self.request_with_options(&Method::GET, &endpoint, None, None, &options) --- -2.49.0 - - -From 73ed5c50849bb660834cd0d7aaa7110c01397055 Mon Sep 17 00:00:00 2001 -From: Timon de Groot -Date: Sat, 9 Aug 2025 09:28:51 +0200 -Subject: [PATCH 3/5] spclient: Make const request options for get_metadata - ---- - core/src/spclient.rs | 20 ++++++++++++++------ - 1 file changed, 14 insertions(+), 6 deletions(-) - -diff --git a/core/src/spclient.rs b/core/src/spclient.rs -index 11bcef4..cbcf092 100644 ---- a/core/src/spclient.rs -+++ b/core/src/spclient.rs -@@ -58,6 +58,12 @@ const NO_METRICS_AND_SALT: RequestOptions = RequestOptions { - base_url: None, - }; - -+const SPCLIENT_FALLBACK_ENDPOINT: RequestOptions = RequestOptions { -+ metrics: true, -+ salt: true, -+ base_url: Some("https://spclient.wg.spotify.com"), -+}; -+ - #[derive(Debug, Error)] - pub enum SpClientError { - #[error("missing attribute {0}")] -@@ -575,12 +581,14 @@ impl SpClient { - // For unknown reasons, metadata requests must now be sent through spclient.wg.spotify.com. - // Otherwise, the API will respond with 500 Internal Server Error responses. - // Context: https://github.com/librespot-org/librespot/issues/1527 -- let options = RequestOptions { -- base_url: Some("https://spclient.wg.spotify.com"), -- ..Default::default() -- }; -- self.request_with_options(&Method::GET, &endpoint, None, None, &options) -- .await -+ self.request_with_options( -+ &Method::GET, -+ &endpoint, -+ None, -+ None, -+ &SPCLIENT_FALLBACK_ENDPOINT, -+ ) -+ .await - } - - pub async fn get_track_metadata(&self, track_id: &SpotifyId) -> SpClientResult { --- -2.49.0 - - -From 6adca21fdf64bd8026a2d6df04c42dd2b1239358 Mon Sep 17 00:00:00 2001 -From: Timon de Groot -Date: Sat, 9 Aug 2025 09:40:20 +0200 -Subject: [PATCH 4/5] spclient: Simplify base url init - ---- - core/src/spclient.rs | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/core/src/spclient.rs b/core/src/spclient.rs -index cbcf092..272975d 100644 ---- a/core/src/spclient.rs -+++ b/core/src/spclient.rs -@@ -458,8 +458,8 @@ impl SpClient { - - // Reconnection logic: retrieve the endpoint every iteration, so we can try - // another access point when we are experiencing network issues (see below). -- let mut url = match &options.base_url { -- Some(base_url) => base_url.to_owned().to_string(), -+ let mut url = match options.base_url { -+ Some(base_url) => base_url.to_string(), - None => self.base_url().await?, - }; - url.push_str(endpoint); --- -2.49.0 - - -From 0b5b1eb6c73a9291057b3856939f416113fdd8bb Mon Sep 17 00:00:00 2001 -From: Timon de Groot -Date: Sat, 9 Aug 2025 10:14:02 +0200 -Subject: [PATCH 5/5] Update CHANGELOG.md - ---- - CHANGELOG.md | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/CHANGELOG.md b/CHANGELOG.md -index 560de2b..b62e9f8 100644 ---- a/CHANGELOG.md -+++ b/CHANGELOG.md -@@ -51,6 +51,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - - [connect] Correctly apply playing/paused state when transferring playback - - [player] Saturate invalid seek positions to track duration - - [audio] Fall back to other URLs in case of a failure when downloading from CDN -+- [core] Metadata requests failing with 500 Internal Server Error - - ### Deprecated - --- -2.49.0 -