diff --git a/.sops.yaml b/.sops.yaml index 9a6ae2d..dedf3c1 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -13,6 +13,7 @@ keys: - &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7 - &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk + - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0 - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae @@ -67,6 +68,22 @@ creation_rules: - *admin_gpg_dante age: - *host_age_matrix + - path_regex: config/hosts/netbox/.* + key_groups: + - pgp: + - *admin_gpg_djerun + - *admin_gpg_stb + - *admin_gpg_jtbx + - *admin_gpg_yuri + - *admin_gpg_june + - *admin_gpg_haegar + - *admin_gpg_dario + - *admin_gpg_echtnurich + - *admin_gpg_max + - *admin_gpg_c6ristian + - *admin_gpg_dante + age: + - *host_age_netbox - path_regex: config/hosts/public-web-static/.* key_groups: - pgp: diff --git a/config/hosts/eh22-wiki/configuration.nix b/config/hosts/eh22-wiki/configuration.nix new file mode 100644 index 0000000..ff45e49 --- /dev/null +++ b/config/hosts/eh22-wiki/configuration.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + networking.hostName = "eh22-wiki"; + + system.stateVersion = "23.11"; +} diff --git a/config/hosts/eh22-wiki/default.nix b/config/hosts/eh22-wiki/default.nix new file mode 100644 index 0000000..2d90c6b --- /dev/null +++ b/config/hosts/eh22-wiki/default.nix @@ -0,0 +1,9 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./configuration.nix + ./dokuwiki.nix + ./networking.nix + ]; +} diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix new file mode 100644 index 0000000..f9a7cbd --- /dev/null +++ b/config/hosts/eh22-wiki/dokuwiki.nix 
@@ -0,0 +1,166 @@
+# Sources for this configuration:
+# - https://www.dokuwiki.org/dokuwiki
+# - https://www.dokuwiki.org/install
+# - https://www.dokuwiki.org/requirements
+# - https://www.dokuwiki.org/install:php
+# - https://www.dokuwiki.org/security
+# - https://www.dokuwiki.org/config:xsendfile
+# - https://www.dokuwiki.org/install:nginx
+# - https://www.dokuwiki.org/faq:uploadsize
+# - https://nixos.wiki/wiki/Phpfpm
+# - https://wiki.archlinux.org/title/Nginx#FastCGI
+# - https://github.com/NixOS/nixpkgs/blob/84c0cb1471eee15e77ed97e7ae1e8cdae8835c61/nixos/modules/services/web-apps/dokuwiki.nix
+# - https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/81c8bfe16b311d5bf4635947fa02dfb65aea7f91/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf
+# - https://www.php.net/manual/en/install.fpm.php
+# - https://www.php.net/manual/en/install.fpm.configuration.php
+
+{ config, pkgs, ... }:
+
+let
+ # This is also used for user and group names.
+ app = "dokuwiki";
+ domain = "eh22.easterhegg.eu";
+ dataDir = "/srv/www/${domain}";
+in
+{
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${app} ${app}"
+ ];
+
+ services.phpfpm.pools."${app}" = {
+ user = "${app}";
+ group = "${app}";
+ phpOptions = ''
+ short_open_tag = Off
+ open_basedir =
+ output_buffering = Off
+ output_handler =
+ zlib.output_compression = Off
+ implicit_flush = Off
+ allow_call_time_pass_reference = Off
+ max_execution_time = 30
+ max_input_time = 60
+ max_input_vars = 10000
+ memory_limit = 128M
+ error_reporting = E_ALL & ~E_NOTICE
+ display_errors = Off
+ display_startup_errors = Off
+ log_errors = On
+ ; error_log should be handled by NixOS.
+ variables_order = "EGPCS"
+ register_argc_argv = Off
+ file_uploads = On
+ upload_max_filesize = 20M
+ post_max_size = 20M
+ session.use_cookies = 1
+ ; Checked the default NixOS PHP extensions and the only one missing from
+ ; DokuWikis list of PHP extensions was bz2, so add that.
+ ; Checked with NixOS 23.11 on 2024-05-02.
+ extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so
+ '';
+ settings = {
+ "listen.owner" = "${config.services.nginx.user}";
+ "listen.group" = "${config.services.nginx.group}";
+ "pm" = "dynamic";
+ "pm.max_children" = 32;
+ "pm.start_servers" = 2;
+ "pm.min_spare_servers" = 2;
+ "pm.max_spare_servers" = 4;
+ "pm.max_requests" = 500;
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."acme-${domain}" = {
+ default = true;
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ virtualHosts."${domain}" = {
+ default = true;
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ locations = {
+ "~ /(conf|bin|inc|vendor)/" = {
+ extraConfig = "deny all;";
+ };
+
+ "~ /install.php" = {
+ extraConfig = "deny all;";
+ };
+
+ "~ ^/data/" = {
+ extraConfig = "internal;";
+ };
+
+ "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = {
+ extraConfig = "expires 31d;";
+ };
+
+ "/" = {
+ index = "doku.php";
+ extraConfig = "try_files $uri $uri/ @dokuwiki;";
+ };
+
+ "@dokuwiki" = {
+ extraConfig = ''
+ # Rewrites "doku.php/" out of the URLs if the userwrite setting is
+ # set to .htaccess in the DokuWiki config page.
+ rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
+ rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
+ rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
+ rewrite ^/(.*) /doku.php?id=$1&$args last;
+ '';
+ };
+
+ "~ \\.php$" = {
+ extraConfig = ''
+ try_files $uri $uri/ /doku.php;
+ include ${config.services.nginx.package}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param REDIRECT_STATUS 200;
+ fastcgi_pass unix:${config.services.phpfpm.pools."${app}".socket};
+ '';
+ };
+ };
+
+ extraConfig = ''
+ # Set maximum file upload size to 20MB (same as upload_max_filesize and
+ # post_max_size in the phpOptions).
+ client_max_body_size 20M;
+ client_body_buffer_size 128k;
+ '';
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+ networking.firewall.allowedUDPPorts = [ 8443 ];
+
+ users.users."${app}" = {
+ isSystemUser = true;
+ group = "${app}";
+ };
+ users.groups."${app}" = { };
+}
diff --git a/config/hosts/eh22-wiki/networking.nix b/config/hosts/eh22-wiki/networking.nix
new file mode 100644
index 0000000..fba2da9
--- /dev/null
+++ b/config/hosts/eh22-wiki/networking.nix
@@ -0,0 +1,22 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.159";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:37:F0:AB";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix
index 8a84112..a2c64d3 100644
--- a/config/hosts/esphome/networking.nix
+++ b/config/hosts/esphome/networking.nix
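Review bot: The `eh22.easterhegg.eu` listener in config/hosts/eh22-wiki/dokuwiki.nix sets `proxyProtocol = true` on port 8443, but the vhost's `extraConfig` never configures the realip module, so nginx and DokuWiki will see the proxy's address as the client on every request (access logs and any per-IP handling in the wiki). config/hosts/netbox/nginx.nix in this same change handles this with `set_real_ip_from 172.31.17.140;` and `real_ip_header proxy_protocol;`; the wiki vhost should carry the same two directives, with `set_real_ip_from` restricted to whatever address the proxy in front of this host uses. Separately, the location key `"~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$"` uses a single backslash, which Nix drops inside a double-quoted string, so the dot reaches nginx unescaped; write `\\.` as the `"~ \\.php$"` key further down does.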
@@ -11,14 +11,14 @@ ]; ipv6.addresses = [ { - address = "2a07:c481:1:d0::66"; + address = "2a07:c480:0:1d0::66"; prefixLength = 64; } ]; }; defaultGateway = "10.31.208.1"; - defaultGateway6 = "2a07:c481:1:d0::1"; - nameservers = [ "10.31.208.1" "2a07:c481:1:d0::1" ]; + defaultGateway6 = "2a07:c480:0:1d0::1"; + nameservers = [ "10.31.208.1" "2a07:c480:0:1d0::1" ]; search = [ "z9.ccchh.net" ]; }; diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix index 89f83c9..85b13e6 100644 --- a/config/hosts/git/forgejo.nix +++ b/config/hosts/git/forgejo.nix @@ -49,7 +49,6 @@ }; service = { ALLOW_ONLY_EXTERNAL_REGISTRATION = true; - ENABLE_INTERNAL_SIGNIN = false; DEFAULT_USER_VISIBILITY = "limited"; DEFAULT_KEEP_EMAIL_PRIVATE = true; ENABLE_BASIC_AUTHENTICATION = false; diff --git a/config/hosts/mqtt/mosquitto.nix b/config/hosts/mqtt/mosquitto.nix index 9bc02b0..d093bd8 100644 --- a/config/hosts/mqtt/mosquitto.nix +++ b/config/hosts/mqtt/mosquitto.nix @@ -23,7 +23,6 @@ topics = [ "winkekatze/allcats/eye/set in 2" "winkekatze/allcats in 2" - "+/command in 2 winkekatze/ \"\"" "+/status out 2 winkekatze/ \"\"" "+/connected out 2 winkekatze/ \"\"" ]; diff --git a/config/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix new file mode 100644 index 0000000..50a584e --- /dev/null +++ b/config/hosts/netbox/configuration.nix @@ -0,0 +1,7 @@ +{ config, pkgs, ... }: + +{ + networking.hostName = "netbox"; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix new file mode 100644 index 0000000..6ef3469 --- /dev/null +++ b/config/hosts/netbox/default.nix @@ -0,0 +1,12 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./configuration.nix + ./netbox.nix + ./networking.nix + ./nginx.nix + ./postgresql.nix + ./sops.nix + ]; +} diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix new file mode 100644 index 0000000..f816016 --- /dev/null +++ b/config/hosts/netbox/netbox.nix 
@@ -0,0 +1,61 @@
+# Sources for this configuration:
+# - https://docs.netbox.dev/en/stable/configuration/
+# - https://colmena.cli.rs/unstable/features/keys.html
+# - https://colmena.cli.rs/unstable/reference/deployment.html
+# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/secrets.nix
+
+{ config, pkgs, ... }:
+
+{
+ services.netbox = {
+ enable = true;
+ # Explicitly use the patched NetBox package.
+ package = pkgs.netbox_4_1;
+ secretKeyFile = "/run/secrets/netbox_secret_key";
+ keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
+ settings = {
+ ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ];
+ SESSION_COOKIE_SECURE = true;
+ # CCCHH ID (Keycloak) integration.
+ # https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7
+ # https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html
+ REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2";
+ SOCIAL_AUTH_KEYCLOAK_KEY = "netbox";
+ # SOCIAL_AUTH_KEYCLOAK_SECRET set via keycloakClientSecret option.
+ SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
+ SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
+ SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
+ SOCIAL_AUTH_PIPELINE = [
+ # The default pipeline as can be found in:
+ # /nix/store/q2jsn56bgkj0nkz0j4w48x3klyn2x4gp-netbox-4.1.7/opt/netbox/netbox/netbox/settings.py
+ "social_core.pipeline.social_auth.social_details"
+ "social_core.pipeline.social_auth.social_uid"
+ "social_core.pipeline.social_auth.social_user"
+ "social_core.pipeline.user.get_username"
+ "social_core.pipeline.user.create_user"
+ "social_core.pipeline.social_auth.associate_user"
+ "netbox.authentication.user_default_groups_handler"
+ "social_core.pipeline.social_auth.load_extra_data"
+ "social_core.pipeline.user.user_details"
+ # Use custom pipeline functions patched in via netbox41OIDCMappingOverlay.
+ # See: https://docs.goauthentik.io/integrations/services/netbox/
+ "netbox.custom_pipeline.add_groups"
+ "netbox.custom_pipeline.remove_groups"
+ "netbox.custom_pipeline.set_roles"
+ ];
+ };
+ };
+
+ sops.secrets."netbox_secret_key" = {
+ mode = "0440";
+ owner = "netbox";
+ group = "netbox";
+ restartUnits = [ "netbox.service" "netbox-rq.service" ];
+ };
+ sops.secrets."netbox_keycloak_secret" = {
+ mode = "0440";
+ owner = "netbox";
+ group = "netbox";
+ restartUnits = [ "netbox.service" "netbox-rq.service" ];
+ };
+}
diff --git a/config/hosts/netbox/networking.nix b/config/hosts/netbox/networking.nix
new file mode 100644
index 0000000..a0abcfe
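Review bot: Both `sops.secrets` entries at the end of config/hosts/netbox/netbox.nix are readable by more than the NetBox service: `mode = "0440"` grants group read, and config/hosts/netbox/nginx.nix in this change runs nginx as `user = "netbox"`, so the internet-facing web server process can read `/run/secrets/netbox_secret_key` and `/run/secrets/netbox_keycloak_secret`. If only the NetBox units need them, `mode = "0400";` should be enough, and nginx could keep its own user and reach the static files through group membership, e.g. `users.users.nginx.extraGroups = [ "netbox" ];`. A short comment above the two entries stating which units are expected to read the secrets would make the intended access explicit.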
--- /dev/null
+++ b/config/hosts/netbox/networking.nix
@@ -0,0 +1,22 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.149";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "62:ED:44:20:7C:C1";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix
new file mode 100644
index 0000000..2673cdc
--- /dev/null
+++ b/config/hosts/netbox/nginx.nix
@@ -0,0 +1,67 @@
+# Sources for this configuration:
+# - https://nixos.org/manual/nixos/stable/#module-security-acme
+# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/nginx.nix
+# - https://docs.netbox.dev/en/stable/installation/5-http-server/
+# - https://github.com/netbox-community/netbox/blob/v3.5.9/contrib/nginx.conf
+
+{ config, pkgs, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+ # So nginx can access the Netbox static files.
+ user = "netbox";
+
+ virtualHosts."acme-netbox.hamburg.ccc.de" = {
+ default = true;
+ enableACME = true;
+ serverName = "netbox.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ virtualHosts."netbox.hamburg.ccc.de" = {
+ default = true;
+ forceSSL = true;
+ useACMEHost = "netbox.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ locations."/static/" = {
+ alias = "${config.services.netbox.dataDir}/static/";
+ };
+
+ locations."/" = {
+ proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ client_max_body_size 25m;
+ '';
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+ networking.firewall.allowedUDPPorts = [ 8443 ];
+}
diff --git a/config/hosts/netbox/postgresql.nix b/config/hosts/netbox/postgresql.nix
new file mode 100644
index 0000000..5f49f30
--- /dev/null
+++ b/config/hosts/netbox/postgresql.nix
@@ -0,0 +1,7 @@
+{ pkgs, config, ... }:
+
+{
+ services.postgresql = {
+ package = pkgs.postgresql_15;
+ };
+}
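Review bot: `networking.firewall.allowedUDPPorts = [ 8443 ];` at the end of config/hosts/netbox/nginx.nix opens a UDP port for which the visible nginx configuration has no listener: the only `listen` entry on 8443 is the TLS one with `ssl = true` and `proxyProtocol = true`, and nothing in the hunk enables QUIC/HTTP3. Unless something outside this change binds UDP 8443, drop the line so the firewall matches what is actually served. The same line appears in config/hosts/eh22-wiki/dokuwiki.nix. While touching the file, the comment typo `addreses` in `extraConfig` could be corrected to `addresses`.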
diff --git a/config/hosts/netbox/secrets.yaml b/config/hosts/netbox/secrets.yaml
new file mode 100644
index 0000000..831a7a1
--- /dev/null
+++ b/config/hosts/netbox/secrets.yaml
@@ -0,0 +1,234 @@ +netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str] +netbox_keycloak_secret: ENC[AES256_GCM,data:WLPCwl6KmHhyGwpqchZUmTr0XwA1T9asAEXNOSQMfGU=,iv:fsO+Ho18Uz6+y2iohbve1bUKhCR/c2zNrbODR2Jrh3Q=,tag:MWeh7GhdyUJnSzrndA3l3Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTJ5OEJPeGVPTHp5V2tX + c0xYcWtKNG00d3lCQ1JZRERkUFZsaXpyMERJClQwdDFnTVdCRjB0S3hEYkVmclE5 + dGRUQThYSWhpK2dCQWxSVjhuNEY4TUEKLS0tIC9RS3hSdFZCbTd4eFNNSTgyaXdU + V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw + a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-08T23:54:23Z" + mac: ENC[AES256_GCM,data:6KwBwJ1uTuOaCTcBs9sgvX+E/bV37ylJmDqYupa3545ba5Y3VMuF2Hx72zzRYPmh5/DmwzDxc/f7TZUheO5jwwwMGGNCYuX2c+nkzLgtovT/yCXTo8vPHNf03fQRHlOq28ztQIG8Ug1s/t4XkA+iuqPdbvyNKLbsJfJBqg4SF44=,iv:SUXPFtW3/pSTBnjAh77G6pJTucHy4VEhUVkELiMJ4JU=,tag:SfLCwPpJuvL7RrIRmN5PGg==,type:str] + pgp: + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtARAAgiNMTfquNZeRDR0p1DQbGPVx/tCxKng4aQ+6A8x7H3Ul + UFSjn+85rFBqTRswDnFM4gSfokBHLW1Ltztqw4aKuYoNLs0vUGJWrkf5dHsJv2Mb + YJaHm1iqSwIrgmyI1PWvrZ+cUjgUWBriJOTNlYi2iHWBWqDSQ7O7TUqpeCxiHAp9 + e6UydzIxsLjl+7gaDW2M/FRJNVKxtq8UBEdg33xLi/eE6O5/fNyo8qBjUUWnG4xb + fiuKWgn83n7vsVsmvNJPlsOUrrZoYJAOSm5nymkXlAEQv1LPrSXXYHz8WoOTPDs8 + 29YAX8gvIwK+lc7xFFZAsjQ8JzqcVMyFHsT9N8zWSdaOyGcFcsDwBEICOvVSabb9 + g3yrI8PKoEkQigeLnzKrkLZX+1vqVkSO7MBWn5xAMMhTTZvH0+MknlYO0pU3ziME + Yp6EbvU4OeRbcB6gMt21KQDhiEkPNdwcyxoOtFIWw8tCK57Leyyyb1YU2W7T96M4 + 2fcoAzr5x3xapdvOEgUr7OFzTrc2DRrpx7FKoJFBIy4HEvtJKJvKxcq4aUqznSPG + 
ILpbnH3CEQuWmcGu5fTZ3ggQZW7bM523cz+cwOJjUokhW49D+h7wZjffUuSK1AWS + 7FwncFVVkNcLAs77p1DFn4A3mUjdh3jl+VAXudgQfOGtLeLDY4+qlMMQSGPoj4fU + aAEJAhB0l1X5jqjGE7o/PRwgoaeFl/zwiX8n0k26++hPw2+Vt/b3sT3Ce0zNr30p + Yc7h4H8UoN9j6zD96R9MAATHikz7a5EprAshqzV6uy7VNI6bcKVKilLoxVa47Y1p + 6PA24RxtGxVm + =ES/O + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ/+OBSrAP5xkjanku4jcpbYrYDMTWRxVfEgNesvuTyQsxVr + kKK9THm7MUHbVBkx1xirvpv6XLcLtCwdMnYlBkSCVaztGmb1aowmCn5tWZiVDyE+ + UPCF0bTXmxjLM+Cav8aweylfD3vAQsPvFLS3XvCBHKWqZ7dNkro+5VTxKmQ+XiZ6 + t67M5DtltUm8IWOE2DScAgGiBQlCSY23O/zy4U5Sj3Ii+eRHxC1B7NB0Crj01pi7 + 2v6J7yNZnw4vfH3UiRO5Vg9q0QLPp3XR6Xb1J/TJJS6vCUarSbL1/oBjujHkF4hK + MEZ+Q3qGnv+dGOzUch4xkEkuWyfIcMTY6JOa3TpkhfkbQwXsph/sD/SaHpRD70Ra + PX0vBzSdbtEMea8/pVTOxfFEjPGQIFI1+pdNmCfzhWNbrH6EqjrSOyZXSr6+U3dI + Xhpyv2wKuNho0c9jWYqPzY4vhSGRjc9416nfV/o7Ebv659ypBKHtMDcL5kebkCB4 + W0OwscSRPUXUz2S9XfSa3J80Aakv5S5xvlXo6R/8TDaMWJtZP2vtF4y0elNGOfZM + Vn/zlv1htaezQDNznJK+E8bHEF3p92hiuSjO8yMZByIFrAV1AyqY4kiMmW68scA6 + NBOlxah9xCV7XnD8B1ZCR9FruuYYj9cpwES0lLvISBXJvh1viyHN8Js0uApePInS + XgGzDhaZWWyt5TK+Uv2fu8wh6hbX8hmzT9vBLfPz0Gx6Z78RnwflsTqF8svtjSuB + zv4z9d/zrysfHY93Gd8kdKkG955f1THz9dELEpYLIwyLoTx1vHlymVP87TuPqxc= + =zG3F + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJARAAjT7YVbq2/QthKii2fmj1EZgsDm7ZkcAKJ7Bo0jm7Vgxm + wGeBULB0bBoYEiFFO7Kc420Yk6IK+uUG8S8X3bJHUbMzvY/K/kG0eVpXwDJwJPf8 + o46blkjpmhIiTvvQ4K74AJgsT9W0yXRrPxGz5HIuOG8P8CAqOabZ79ORfd3KFebJ + yOvBSyor//XoMB60a7uqQoaWw/+UwRKpz2yncLafD23nyuS5uXsoHNuySHLsI4va + y6Nhp4LdpYjjx/DIuzrl/3SCeLgisHL5u5kJ1QaGsfd2z7Tjxk+GoVgs/Wb51uHs + vPk0diKrv/kouW7rN20a2ywQETenik7/z2JcEFyZiOPH9KhHk3QGoXdlVVqESz5O + OMV5d/ijFW92Z7yuis1jSewGKDDp1FqyR3gIMONl2vK7Pzl1A8v8yQBbY5/fObuM + 
xTs/qwwoqYimokqM3WrjjKgx8oFFstWWzKBT24aCQTajA8vl83v1jfjR7EjBrrAu + +J+wBFNpnJiXgECPmJgOtQB+4IA023X1cdgDm2GlR+sPKKSBP+AySMOOp4zMoS4J + 9xd30ltQp1ncNvU7KaTV0VXRaGb7CEJnlhiN2naYcpcsX+G8bfcrCuZwxtBFiZvY + 9Ey47LLHP5SPPOWxhnsrPOYidNJd056+uyvnnbUYArjb6s5JUh6KQgjELKCEOIXS + XgEUryr5jMrBHLQi7wYHEqWkouH8cFsPAu5O/KOIYvZVIoOzB3DDPtJ4CknNfAMa + CTvlOJHJSuweQ4Mq0c+247aWu12V9ZMcTQT4e3g5DYq5TWm58Uidbd/g3FDwLgg= + =PqbF + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ//baYynNo2MfmuqEKles0xnZpfPemIyQUnPmRKEtZUl6T6 + eweGXKF3Ms32ErPhZaT8RNYAk2XX+RRlpJvTcMvLv/rxVTf2QcCAz6vxukmh5una + 5CJe1H1tcDmXrQ7zkGffktkGcT90/OpRbhMJtp7MKcEzfpdgcw5yCeDpYCRn2r9E + /0Eaf72R60ecnr6CaOSIdbpy1QiDMydgmg/QCONBT97RQMJaGN+qAuPz1Fpb/Z+N + E/bmtqS39ADYZoB36sy+LCzp+oMLI0DpCHz2ngfFnKbeYeNU9gMXCAda9/ZyMbaI + aFjvwlTBsvAklWN36pvG/YxoO1XkN/Mj1N1QBvxP2LYg28X7uBnVUZAyvvQPL6xN + U110qThvDvLxgHC1DAfoMygKCDig2oSg3njf8LS1y5XkTag/B1JJT3NcgFI+MMvT + 5NMaw6HRAgOwWcJ1pJokFZ6zIpLlIbToutJu/Ep4tisyg/G3ybbthqaywg5jkbCT + vbhzXpsbqkE+jyx2dWziBbQR9lOoTycRwIs6um+pKuPF7TzfD1GRyqTwtU9TN58D + Yl1GN3oz8ZFeGkdy1dXBxMP4EXR1BTdLk14vFGFPbjQ0bAAohOgTSgtGm+iZ73Q/ + PFNf/3gGt8/Gk0cMl20PFzk3FMyUDOLFl5dOre0THGQelpVbN7fvZuaXOSZjuYXS + XgHGFmChf+zsmbKnT0tQfzGtFQb0cHHvkenxC5MCCCPibxwVeHEwcJTtPvvF1QqF + 9kR3XEpuVFMNFrxsQd/31c5RUTC+sr7W+PRIVgIhdU6RtikIMsmekrunnPeB99U= + =o7cj + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVAQ/6A6ealIO6x8Xq3xzjIvZt1R4TvbnF+LmKpW2iG1nO3aVY + QOEGUCVdEveWbQBOexKXl1TgfhxIOrPVixJ2KgIZnNxobhgABfF/H/EqXsxUI6n6 + 2mZt8r0ibknzoPn7MmC7ceJt0t8UVFgPlPuT7zb5T2nDrm61WD50tbubJTYTuWmY + NE5qhd051/Ohqf1RGB7MEfesDNj0S+J3E0TAjOsAcFoAUwSohUtxONcCSwjiygqM + vCC9Z51tMe6pC9n/2MNgb47xd5eqFs9rzfKXxPlnhhRmS1jOmE5fVfmOg9KOkGCu + 
PskiO+hgyQK3q2a+/e/MGuKv3ChCrTloTUBarQW5oRoQnWdoiZh7rVwyNVasGfHW + FLEhZuBlyV8w9JqOQTiOx3FN8IhVL2lJIa72Ng+O+AMYuvuSCxv5r+1D88IUlF9B + n01qAMC7fUfOpkUPM0yXQ9GTIWt02Mp/7z15t49Uk3izYCGluxVNhLNFxvAZOZh8 + nfT2Hpf5mkJHMvUD9F9rWFVWPyCD0ORN8k770ziOVEYMadSJ7/HpCHxg5m+TqNnM + TNQXID/f7AyoO10zcS8TD0IgDLEjTaPMTPZ1EZ0MvgLQ7MgzPdjdvXOGc0g8L6oa + ac9a/NDWeZGDNfj5T88pZStoLJKnTvuuwxk0haabClxCAOysifxINqJ7U6AfkpnS + XgHR1vDF871X9kwm/c2zrbJca2sH5pNU/HiLf3IMRTAnmIewYxQAvn3JH+0jUUKH + fEt+fZuW9dgfvDzaw4C3FbGxFViRXXFrjqSDGN9JT6VprCmX3Or0RdIjHwdvvhY= + =4agQ + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ//R+9lFm16WjGtRkq3zcPbva2SpijBjVBfuL2veFyeDq5G + H09EL0+A9IJ5rPI4Y6HJ2LhnqUWg7NRHbmM48bHla5NDtCNB+YsU1rNc4oGIf/TJ + JRob3u660+BxRiEO/Agc925BeQS7xoPSIQTTkzMKEGih2aUj3Im0JHBd6p3UWnsn + ZTUy4rkZHhUot1vHSOh1RTRDQHdDMTFpzPA66nH2y9tyz79jhqEFUCZIVIB5dGWv + blFqZgoVf9Piw/7ic9FHuNRy/5tia7SGN6xIu3OlR3TU+z7fvjUAHG9Afm0FINfm + fS7SRg+y/6wUWVGL8NSQWQLdnMnUt7E2DSu5IY6S6ToZTDxpNM9Waw89GQbUe+Jg + APzUtmXt2VNZ7faIE+tE0LJs2x5OGNxALKgj+K9ZFl6oIL8E7PB4ncxDlTsCRiz/ + H15LzKYMWcYAntMVuVbyyzKUh/3KdZWfs31PV+JIQuazVUQgO9R3myn1Y9SnvZdQ + dIwvfYBOmwhC6oCkJB3Pj4yOoE6gtacZBeeUZwScDxH6h+D3MFrF/1bgiKZs26m+ + VfuTS2vxUAln9werKIGAbQWZmtCOkRdyVIJyeo31zO3hy/xdfzlZdBijcOqZDeho + FP+WDUAySkSahqV1pr+jIMsaejRglJo/GfCGPdtBYAuB872VpdiQ8g3i0CW7eSfS + XgH5YBfA4EgJSxRdCpBO25i0SyxlNK2WJ9INQbu4xyfBfsZYyhKo1RbmD+60t/xw + Lxeg8plFAuBPvQCRCGvda1y9uw66Hmxt0QKtScd3MXwOk2Q2u04cIPDZ/KAtC4g= + =x1QX + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/6AgZkGRrZDbtTDEkksKQ84CsGyRBMioOrYfHDSyRb7URZ + RDVLfqr25Iz48kYR1n2nMo+O7QyayjTwaEAwFLFSTIpRKN6/9fT2ZVJxUfgLUWhH + I1OYMmRr9f/30OUMw8uTlCMqznkdoSjBmm0CX2Mu3YyRDUokzZa+ixRHX9TRBrKz + 
GSfJvHm77HTamvJLZcHnrVi9YH0KL7cQ8ileNHbUbCqmG+rrhiwz+gRp9aJ7pbnw + Qp7TaafrQKFh0Zsbmwuzcv030TJvuZboWpMIuGoeOWqv6tzSFhUV8eUu6UnM/2fg + arflryayYFRDUkysHONGoHviygefHr3+dIkneVO7tJ4ePYnFYhLvUsps4KASoHMF + dHMOwaPQDnBYo/ADiar1fgagYD/1Yns2SpsA1eqWwTE+hp+jwQi0mzYMLM3xl9YA + cMuqIOnXvpnuXYIRmooFtf/JkoJkYDV+8gbowZU52FJbB15QsPUgN47aixkWzJxj + 6iV34LoF783DGQTnoMzgV9bDXa3RE1UgxjdFV6TNsPQvmWQJe+NNhqdkhH3MwLTG + jMGAwUNsPnmvCg4xPZlZMiuGhi3vxC4Fj6MWUw8uJbxCv83FPYwmpHCGVNwpDhFC + rRLk9vo1Dsm0oMHHLDxS9gTlg7FCrEyXinHBEq/11wigACM217oyg28nWxd6iA/S + XgHgxWlTQiYOWBRdJuJrPwXpNIHlsNDuE5YantoGFx6ykGT5H42HFlll7xGq6xVq + pssSfJK++lqWpvX076vh9tfwa40N2neO/vQ+8jBXr3dP6Vj/FUA8IUDVjc9xxAc= + =FXTF + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAAlG+nZhDVZX/+nHA+dPdw2RSGeXrIaxe0gjkGShZOVhmq + /iOfY7IgRzfp03BCJxRZwTYZu9hcg25jmW1havkmv5NPMDrmhgg9nX1AgyJaOgTo + FCPlXAvBSyWPGv+xgi63ttakHhobOympBj4hSzXdLg3RhkZ7KHci4Qz7XVfOpJ+j + wl/HKkNmkLiPiA7kYk8SOwJMFO89dMphHQBc81cZAptwfz9snTP7v6iBVvQDvF8h + 3y5QPpfKEJZy0+GlqbMvRASHNx+w2GXIk6F/ldMt9rq9IJvR0od0p15aXCcO6TzC + Yzo7lIyyxqp9NQyN0S/DwzH0Uqj2CFMYdoKeFTNXG4a9fkVorj8+4rmJPewDxc4a + 6Pc1hrQc6qoN+7o0Fj4xYkSO615gmVwZprWLQqgdkSMSPklecMX1d7WmkmIHNBk8 + wkFUT0yBoedBiOTIHXRXhnQ8/4fkbRw7HYA3R4CqT7njtvqC0VWfwLISubuQ38tf + wbGKg5Bzzt+T176VoOfjau4aDoy3S1aGQcVKD19egj4l/eO+SvHl3UVZNUipkB3C + 7MUqORS2kOh+IIqdSjYKvn7+MuAM5UP5GdzIoHaPPSCTUPdUjOLFPb+bjonTReQM + N4slvyssD3pgy9cwNofVtsmgVrc4Cv9mTo6rygeAq7wWxkl5hvVcmkhRN6zXD4TS + XgHV1a+C7ZWICtKI1u19NVYkjDkRrbQx96UdAkKquofpaQjxxXsz4SDi94BB2dCS + z+S2ZjOtweynhey1QPOLLmNUvZLE+SGsKmwkrMCBdtSyTbRXHSqPHt0Lc77tUhE= + =7WGw + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ/9Ek8xSUknHMyj7pFgR6oME3Q/az5CykwxpkKFZgafhxWQ + 
nA2Ge4y3Px+rSoPPPtxtb32lw4PcWV+P1Y4EdtpinsuW9xlSWJvE8Yp6C0BBFceu + 3k3O2sPHlF0yeJgjS+rhpqPppRn5nlvmD+E9ZiJGQNOEUxmrdgoNLonazlLqcgjO + 07CQdgHp9AuBthhlEU+UgdVdfHMV83KhhyOIf+mhEUU4cQWL3X/J2Sm6jtAowA92 + fiAA7U8UXEt4lFEXle6Xj/1LtBI5zI8YHrE3xX6kN0Byf+ydtAM1eqjGb0dL7u6W + 24CavCODfgWepuK97Jo++umTfN8wkLlfpbaNro2EpAdD5Q9CeGSzXk1PjFmsZgAb + QVOxo8kiTULEgMTI55pqg4GT4pglbofsQRMuk2IZPj1a9ScJjOxZIm0VUXG9AAZi + BogAuiObch3orMm2KGeSX1s6HyHrvQjuXDNPHoC2yFJ2oBu1QIHy/hAFLnOcNW/U + 3JfhWHLpMHQgu9lFzkTlobg+4Lg1MHlXtSApwdmMIcrAJcm/l/7+x1J/TVVRQAdP + zyzWLA9AGjRv0Vud6lhCnL2FjsUVUWA+S8G+OYqxpkp70Ku1a5z3e7P8CoAtzDoe + RZLRwjawjgfyKpEvbN+s2UvWqtgvRPqiudG4cAZs5GecLxO8ItahyklRZ47G8JnS + XgEdyiiO06vx5LMszt/tFXtoIKlaWnbB0oLyIwm8un55VnJija5OVrFfdQYhp4fQ + yvRQ9uAM32WVjQ+gKVVQ3pAHgF2Lu67E7HtZtdmdLkWafybEWUsqGZyDzDvchZs= + =pFkW + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAeCb2j6cmTulJV2huSow62xTILgzf8/OOo5lED9+T5VQw + kBqubSVgy3jiW7lfjAK8U5Wh0ITb+6AR9kDLRE0WCxNbrOaeGado1VEalTw00Q58 + 0l4B+PeAZBg82rPUegAvU7UnnUIC3nGVzN4CEdPRpPcrG99V6VvXOks+s4DLky16 + 5FOihlYbf5nCD7OFbc3yys3MbUVuHda8x8H0BkuxDR81Wf4Q+HXCg8OUhncB57zN + =Lvnj + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-05-26T01:07:22Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CAQ//UFokgDfUkScPVlJ+YnFw+W8eLk6y2YVI+nTCCZO9fhPB + 77aDFY+yJG/BfEzjZNwQbISBjt+OuxVSSam52B+4FQkolr3KRhkfkuS16Fe9PwOg + XLMRoDba416ZtwAKz9HznFnPAzyPOwAn8yuF9RMp0KFP3ko+NSRAvOgja+jjPOl7 + 4BNkH6w5SAoE8u5jyQKIV9OB4W8RCVX30bYo2XzxjOcK1L+9EygoR+1CVOkbx8p/ + T2i3mBdy3EtQ+86nSMPjGrSqURaUaKbCN/ygrSMhN/Pl/FvLiEEHamj2dVXPdHRV + k4bR51ZjO+U056PAB2Z5yK1Mpp0d0xpi5+QdOdi3eEqnGCXFq4Xz7NHUrmdy8Zug + QPnlMqibC3Wqdee4uhPbCHe0veF/VLaNAlyGkBHw7q66Ln2MY8coKPoiR8K4CD8o + 9dtsV/qDvdFhziqsWCBjTwtFct2x/qEcRnzm1kvpyKwe2zV15lHA9WLafZVQ8eNk + 
U8yxBDETa8Bwd9voJ9NqYTcnyQLRJ3sZcvfkWQ7D5NOvmdHD5vF+gm5zJzR4EGN2 + kSiqwZvztVuQCm6EOe0pJqp774KZXWW9eHc6CaNwkT5cmWjWu1wdHYhRk32HdhxX + 1FQF3MxxACwDg9kj/s7gpWLlsofN4NM/QtHoGRh1wDQJGm8IZyH2qxpsgcXX9YHS + XgGX4oCWpHLRyRuHPb0xvjAdVX20WQKLzAtXvJkRMUd+Xt348nkZ4ZCqqfQ4eKPU + 02FoWeCVqWTUyoaaHC87HFXUNJ4Gc+9AsWlbB9yA8nAm1z4wWHHFqZS2duu28ow= + =WqHP + -----END PGP MESSAGE----- + fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/config/hosts/netbox/sops.nix b/config/hosts/netbox/sops.nix new file mode 100644 index 0000000..b4548ed --- /dev/null +++ b/config/hosts/netbox/sops.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/nix-box-june/configuration.nix b/config/hosts/nix-box-june/configuration.nix new file mode 100644 index 0000000..7dddcc1 --- /dev/null +++ b/config/hosts/nix-box-june/configuration.nix @@ -0,0 +1,7 @@ +{ config, pkgs, ... }: + +{ + networking.hostName = "nix-box-june"; + + system.stateVersion = "23.11"; +} diff --git a/config/hosts/nix-box-june/default.nix b/config/hosts/nix-box-june/default.nix new file mode 100644 index 0000000..489fd67 --- /dev/null +++ b/config/hosts/nix-box-june/default.nix @@ -0,0 +1,10 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./configuration.nix + ./emulated-systems.nix + ./networking.nix + ./users.nix + ]; +} diff --git a/config/hosts/nix-box-june/emulated-systems.nix b/config/hosts/nix-box-june/emulated-systems.nix new file mode 100644 index 0000000..b6065dd --- /dev/null +++ b/config/hosts/nix-box-june/emulated-systems.nix @@ -0,0 +1,5 @@ +{ config, pkgs, ... }: + +{ + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; +} diff --git a/config/hosts/nix-box-june/networking.nix b/config/hosts/nix-box-june/networking.nix new file mode 100644 index 0000000..2c1faee --- /dev/null +++ b/config/hosts/nix-box-june/networking.nix 
@@ -0,0 +1,22 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.158";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:6A:33:5F";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/nix-box-june/users.nix b/config/hosts/nix-box-june/users.nix
new file mode 100644
index 0000000..dfb333e
--- /dev/null
+++ b/config/hosts/nix-box-june/users.nix
@@ -0,0 +1,59 @@ +{ lib, ... }: + +{ + users.users = { + chaos.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ]; + colmena-deploy.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ]; + + djerun = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWXk9N9GoDyvaB0mnX448IvzKKsMv0eFZKvjqmsJ3In djerun@chaos.ferrum.local" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQsu6WSAXsF45wGmw2spQUWopsgioUuFI8hKLBW/WVk djerun@chaos-noc.ferrum.local" + ]; + }; + june = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ]; + }; + jtbx = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBQgnQAq6FUSDK8bxtYPjx3oRCAKG+xy9J3Gas2ztJk jannik@Magrathea.local" ]; + }; + dario = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZtJwNPEIfNsAxBfWgxAeoKX1ajORPvs6L5S+qipJ7J dario@ccchh" ]; + }; + yuri = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" + ]; + }; + max = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHNGDzZqmiFUH75oq1npZTyxV0B7eSJES/29UJxTXBc max@iridium" ]; + }; + haegar = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhWTkvLI/rp6eyTemuFZRbt2xxRtal7fu668nnb/ekU haegar@aurora" ]; + }; + stb = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgVuX9phyXImxqvof+49UXhiSQ+VGizeU4LrPcZY1Hy 
stb@lassitu.de 20230418" ]; + }; + hansenerd = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxujzHK49IBtYKPgnTCDQEiIxgzzlQ846tmU+6TcMIi hansenerd" ]; + }; + echtnurich = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWWxkGFje1CJbZTB2Kv8hxZpvRR8qyw2IarRIHnQj3+ echtnurich" ]; + }; + c6ristian = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgfWcCrsVSXvYEssbfMOy2DnfkGSx+ZRnPLtjVNSxbf c6ristian" ]; + }; + }; +} diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix index ff59fab..91d3a40 100644 --- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix +++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix @@ -40,10 +40,6 @@ in { return = "302 https://c3cat.de$request_uri"; }; - locations."/manuals/eh22-rgb-ears" = { - return = "307 https://www.c3cat.de/rgb-ears.html"; - }; - extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy @@ -71,10 +67,6 @@ in { root = "${dataDir}"; - locations."/manuals/eh22-rgb-ears" = { - return = "307 https://c3cat.de/rgb-ears.html"; - }; - extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix index 3c85954..1836f25 100644 --- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix 
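Review bot: The two `lib.mkForce` lines at the top of config/hosts/nix-box-june/users.nix replace whatever keys `chaos` and `colmena-deploy` would otherwise receive with a single personal key, and nothing in the file says that this is intended; a one-line comment such as `# Personal build box: only june may log in as chaos or deploy.` would make the override reviewable. The per-user keys below it are pasted inline, so a key rotated or revoked in the shared source (flake.lock pins an `infrastructure-authorized-keys` archive) would presumably stay valid on this host until someone edits this file by hand. Consider taking the keys from that shared source, or state in a comment that this list is maintained separately.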
@@ -1,10 +1,10 @@ { pkgs, ... }: let - elementWebVersion = "1.11.95"; + elementWebVersion = "1.11.84"; element-web = pkgs.fetchzip { - url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-Bs1oYfJ5xXNpQJL92U0/3s979DKfdSZsBo5febp4QGc="; + url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; + sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4="; }; elementSecurityHeaders = '' # Configuration best practices diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix index 0bff4b5..e7f1932 100644 --- a/config/hosts/status/networking.nix +++ b/config/hosts/status/networking.nix @@ -11,14 +11,14 @@ ]; ipv6.addresses = [ { - address = "2a07:c481:1:ce::a"; + address = "2a07:c480:0:1ce::f"; prefixLength = 64; } ]; }; defaultGateway = "10.31.206.1"; - defaultGateway6 = "2a07:c481:1:ce::1"; - nameservers = [ "10.31.206.1" "2a07:c481:1:ce::1" ]; + defaultGateway6 = "2a07:c480:0:1ce::1"; + nameservers = [ "10.31.206.1" "2a07:c480:0:1ce::1" ]; search = [ "z9.ccchh.net" ]; }; diff --git a/deployment_configuration.json b/deployment_configuration.json index 9c2f99a..20b9f00 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -3,6 +3,9 @@ "targetUser": "colmena-deploy" }, "hosts": { + "netbox": { + "targetHostname": "netbox-intern.hamburg.ccc.de" + }, "matrix": { "targetHostname": "matrix-intern.hamburg.ccc.de" }, @@ -15,6 +18,12 @@ "forgejo-actions-runner": { "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de" }, + "eh22-wiki": { + "targetHostname": "eh22-wiki-intern.hamburg.ccc.de" + }, + "nix-box-june": { + "targetHostname": "nix-box-june-intern.hamburg.ccc.de" + }, "mjolnir": { "targetHostname": "mjolnir-intern.hamburg.ccc.de" }, diff --git a/flake.lock b/flake.lock index d8bfc27..259f97a 100644 --- a/flake.lock +++ b/flake.lock 
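Review bot: The new side pins Element Web 1.11.84 from the `vector-im` release URL where the old side had 1.11.95 from `element-hq`, so merging this would serve an older client build than the one currently deployed. The same backwards movement appears in flake.nix, where `nixpkgs.url` goes from `nixos-25.05` to `nixos-24.11-small` and the `authorizedKeysRepo` archive moves to a revision whose `lastModified` in flake.lock is earlier, which suggests the branch is based on an old main rather than that a downgrade is intended. The `authorizedKeysRepo` rollback is the one to check first, since an older revision may still list keys that have since been removed. Rebase onto current main so these hunks drop out of the diff; if any of the downgrades is deliberate, state the reason in a comment next to the pin, e.g. beside `elementWebVersion`.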
@@ -3,15 +3,15 @@ "authorizedKeysRepo": { "flake": false, "locked": { - "lastModified": 1745870473, - "narHash": "sha256-GMU6gfG1+3OjTuoiIYQg9yefzrz+RVVesqXa8jmOuCE=", - "rev": "fc95460e9e6ae759b2b08c93b10a8e010e9e14e6", + "lastModified": 1731276342, + "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=", + "rev": "686a6af22f6696f0c0595c56f463c078550049fc", "type": "tarball", - "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6" + "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz" }, "original": { "type": "tarball", - "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz" + "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz" } }, "nixlib": { @@ -35,11 +35,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1747663185, - "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=", + "lastModified": 1737057290, + "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc", + "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453", "type": "github" }, "original": { 
@@ -66,16 +66,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1749727998, - "narHash": "sha256-mHv/yeUbmL91/TvV95p+mBVahm9mdQMJoqaTVTALaFw=", + "lastModified": 1737665804, + "narHash": "sha256-fY95Rp63NFzOwRFO6+RGi/UTyxgqmFmKtQ/DWg+6vsQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fd487183437963a59ba763c0cc4f27e3447dd6dd", + "rev": "c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-25.05", + "ref": "nixos-24.11-small", "repo": "nixpkgs", "type": "github" } @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1747603214, - "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=", + "lastModified": 1737411508, + "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd", + "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 53bf4ca..5ecee98 100644 --- a/flake.nix +++ b/flake.nix @@ -5,7 +5,7 @@ # Use the NixOS small channels for nixpkgs. # https://nixos.org/manual/nixos/stable/#sec-upgrading # https://github.com/NixOS/nixpkgs - nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small"; # Add nixos-generators as an input. # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake @@ -22,7 +22,7 @@ }; authorizedKeysRepo = { - url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz"; + url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"; flake = false; }; }; 
@@ -40,6 +40,13 @@ proxmox-vm = ./config/proxmox-vm; prometheus-exporter = ./config/extra/prometheus-exporter.nix; }; + overlays = { + netbox41OIDCMappingOverlay = final: prev: { + netbox_4_1 = prev.netbox_4_1.overrideAttrs (finalAttr: previousAttr: { + patches = previousAttr.patches ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ]; + }); + }; + }; nixosConfigurations = { audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { inherit system specialArgs; @@ -77,6 +84,18 @@ ]; }; + netbox = nixpkgs.lib.nixosSystem { + inherit system specialArgs; + modules = [ + self.nixosModules.common + self.nixosModules.proxmox-vm + sops-nix.nixosModules.sops + self.nixosModules.prometheus-exporter + ./config/hosts/netbox + { nixpkgs.overlays = [ self.overlays.netbox41OIDCMappingOverlay ]; } + ]; + }; + matrix = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ @@ -130,6 +149,26 @@ ]; }; + eh22-wiki = nixpkgs.lib.nixosSystem { + inherit system specialArgs; + modules = [ + self.nixosModules.common + self.nixosModules.proxmox-vm + self.nixosModules.prometheus-exporter + ./config/hosts/eh22-wiki + ]; + }; + + nix-box-june = nixpkgs.lib.nixosSystem { + inherit system specialArgs; + modules = [ + self.nixosModules.common + self.nixosModules.proxmox-vm + self.nixosModules.prometheus-exporter + ./config/hosts/nix-box-june + ]; + }; + yate = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ diff --git a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch new file mode 100644 index 0000000..89f805a --- /dev/null +++ b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch 
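Review bot: In the overlay, `patches = previousAttr.patches ++ [ … ]` fails evaluation if the `netbox_4_1` derivation carries no `patches` attribute; `patches = (previousAttr.patches or [ ]) ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ];` works in both cases. The overlay is also bound to the attribute name `netbox_4_1`, so if the netbox host selects a different package the patch is silently not applied and the OIDC group and role mapping is missing from the build. The host configuration is not visible in this diff, so confirm that `services.netbox.package` points at `netbox_4_1`, and consider a one-line comment on the overlay saying so.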
@@ -0,0 +1,61 @@
+diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py
+new file mode 100644
+index 000000000..470f388dc
+--- /dev/null
++++ b/netbox/netbox/custom_pipeline.py
+@@ -0,0 +1,55 @@
++# Licensed under Creative Commons: CC BY-SA 4.0 license.
++# https://github.com/goauthentik/authentik/blob/main/LICENSE
++# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
++# https://docs.goauthentik.io/integrations/services/netbox/
++from netbox.authentication import Group
++
++class AuthFailed(Exception):
++ pass
++
++def add_groups(response, user, backend, *args, **kwargs):
++ try:
++ groups = response['groups']
++ except KeyError:
++ pass
++
++ # Add all groups from oAuth token
++ for group in groups:
++ group, created = Group.objects.get_or_create(name=group)
++ user.groups.add(group)
++
++def remove_groups(response, user, backend, *args, **kwargs):
++ try:
++ groups = response['groups']
++ except KeyError:
++ # Remove all groups if no groups in oAuth token
++ user.groups.clear()
++ pass
++
++ # Get all groups of user
++ user_groups = [item.name for item in user.groups.all()]
++ # Get groups of user which are not part of oAuth token
++ delete_groups = list(set(user_groups) - set(groups))
++
++ # Delete non oAuth token groups
++ for delete_group in delete_groups:
++ group = Group.objects.get(name=delete_group)
++ user.groups.remove(group)
++
++
++def set_roles(response, user, backend, *args, **kwargs):
++ # Remove Roles temporary
++ user.is_superuser = False
++ user.is_staff = False
++ try:
++ groups = response['groups']
++ except KeyError:
++ # When no groups are set
++ # save the user without Roles
++ user.save()
++ pass
++
++ # Set roles is role (superuser or staff) is in groups
++ user.is_superuser = True if 'superusers' in groups else False
++ user.is_staff = True if 'staff' in groups else False
++ user.save()
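Review bot: In all three pipeline functions the `except KeyError:` branch ends in `pass`, so a token without a `groups` claim falls through to code that reads the unbound `groups` and raises `UnboundLocalError`: in `add_groups` at the `for` loop, in `remove_groups` at `set(groups)`, and in `set_roles` at the `'superusers' in groups` test. Replace each `pass` with `return`, so that a login without the claim ends with the user's groups cleared and `is_superuser`/`is_staff` saved as False rather than with an unhandled exception in the auth pipeline. Because `set_roles` grants superuser from the claim content alone, it is also worth verifying that `groups` is a list before the `in` tests, since on a plain string `in` is a substring match; whether the identity provider can ever send a string is not visible here. `AuthFailed` is defined but never used, and the loop in `add_groups` rebinds `group` from the name to the model object, which a separate name such as `name` would avoid.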