diff --git a/.sops.yaml b/.sops.yaml
index 9a6ae2d..ec660ec 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -13,8 +13,8 @@ keys:
- &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
- &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
- &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
+ - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
- &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
- - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
- &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
- &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
- &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
@@ -67,6 +67,22 @@ creation_rules:
- *admin_gpg_dante
age:
- *host_age_matrix
+ - path_regex: config/hosts/netbox/.*
+ key_groups:
+ - pgp:
+ - *admin_gpg_djerun
+ - *admin_gpg_stb
+ - *admin_gpg_jtbx
+ - *admin_gpg_yuri
+ - *admin_gpg_june
+ - *admin_gpg_haegar
+ - *admin_gpg_dario
+ - *admin_gpg_echtnurich
+ - *admin_gpg_max
+ - *admin_gpg_c6ristian
+ - *admin_gpg_dante
+ age:
+ - *host_age_netbox
- path_regex: config/hosts/public-web-static/.*
key_groups:
- pgp:
@@ -131,22 +147,6 @@ creation_rules:
- *admin_gpg_dante
age:
- *host_age_penpot
- - path_regex: config/hosts/yate/.*
- key_groups:
- - pgp:
- - *admin_gpg_djerun
- - *admin_gpg_stb
- - *admin_gpg_jtbx
- - *admin_gpg_yuri
- - *admin_gpg_june
- - *admin_gpg_haegar
- - *admin_gpg_dario
- - *admin_gpg_echtnurich
- - *admin_gpg_max
- - *admin_gpg_c6ristian
- - *admin_gpg_dante
- age:
- - *host_age_yate
- key_groups:
- pgp:
- *admin_gpg_djerun
diff --git a/LICENSE b/LICENSE
deleted file mode 100644
index 37eee6c..0000000
--- a/LICENSE
+++ /dev/null
@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) CCCHH
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
diff --git a/README.md b/README.md
index def4e60..bd3a29a 100644
--- a/README.md
+++ b/README.md
@@ -73,8 +73,3 @@ Build a new NixOS Proxmox VE Template for the chaosknoten:
```shell
nix build .#proxmox-chaosknoten-nixos-template
```
-
-## License
-
-This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
-[`0001_oidc_group_and_role_mapping_custom_pipeline.patch`](patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch) is licensed under the Creative Commons: CC BY-SA 4.0 license.
diff --git a/config/common/users.nix b/config/common/users.nix
index 4ddef2a..59682c4 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -6,9 +6,14 @@
# - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix
# - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings
-{ config, pkgs, lib, authorizedKeysRepo, ... }:
+{ config, pkgs, lib, ... }:
let
+ authorizedKeysRepo = pkgs.fetchgit {
+ url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
+ rev = "b6a29dc7af0a45a8c0b4904290c7cb0c5bc51413";
+ hash = "sha256-c0aH0wQeJtfXJG5wAbS6aO8yILLI1NNkFAHAeOm8RXA=";
+ };
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
in
{
diff --git a/config/hosts/audio-hauptraum-kueche/networking.nix b/config/hosts/audio-hauptraum-kueche/networking.nix
index 6e1e7d8..0118db4 100644
--- a/config/hosts/audio-hauptraum-kueche/networking.nix
+++ b/config/hosts/audio-hauptraum-kueche/networking.nix
@@ -5,13 +5,13 @@
interfaces.net0 = {
ipv4.addresses = [
{
- address = "172.31.200.14";
+ address = "10.31.210.10";
prefixLength = 23;
}
];
};
- defaultGateway = "172.31.200.1";
- nameservers = [ "172.31.200.1" ];
+ defaultGateway = "10.31.210.1";
+ nameservers = [ "10.31.210.1" ];
};
systemd.network.links."10-net0" = {
diff --git a/config/hosts/audio-hauptraum-tafel/networking.nix b/config/hosts/audio-hauptraum-tafel/networking.nix
index e357d38..37185b7 100644
--- a/config/hosts/audio-hauptraum-tafel/networking.nix
+++ b/config/hosts/audio-hauptraum-tafel/networking.nix
@@ -5,13 +5,13 @@
interfaces.net0 = {
ipv4.addresses = [
{
- address = "172.31.200.15";
+ address = "10.31.210.13";
prefixLength = 23;
}
];
};
- defaultGateway = "172.31.200.1";
- nameservers = [ "172.31.200.1" ];
+ defaultGateway = "10.31.210.1";
+ nameservers = [ "10.31.210.1" ];
};
systemd.network.links."10-net0" = {
diff --git a/config/hosts/eh22-wiki/configuration.nix b/config/hosts/eh22-wiki/configuration.nix
new file mode 100644
index 0000000..ff45e49
--- /dev/null
+++ b/config/hosts/eh22-wiki/configuration.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ networking.hostName = "eh22-wiki";
+
+ system.stateVersion = "23.11";
+}
diff --git a/config/hosts/eh22-wiki/default.nix b/config/hosts/eh22-wiki/default.nix
new file mode 100644
index 0000000..2d90c6b
--- /dev/null
+++ b/config/hosts/eh22-wiki/default.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./dokuwiki.nix
+ ./networking.nix
+ ];
+}
diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix
new file mode 100644
index 0000000..c0eafaa
--- /dev/null
+++ b/config/hosts/eh22-wiki/dokuwiki.nix
@@ -0,0 +1,165 @@
+# Sources for this configuration:
+# - https://www.dokuwiki.org/dokuwiki
+# - https://www.dokuwiki.org/install
+# - https://www.dokuwiki.org/requirements
+# - https://www.dokuwiki.org/install:php
+# - https://www.dokuwiki.org/security
+# - https://www.dokuwiki.org/config:xsendfile
+# - https://www.dokuwiki.org/install:nginx
+# - https://www.dokuwiki.org/faq:uploadsize
+# - https://nixos.wiki/wiki/Phpfpm
+# - https://wiki.archlinux.org/title/Nginx#FastCGI
+# - https://github.com/NixOS/nixpkgs/blob/84c0cb1471eee15e77ed97e7ae1e8cdae8835c61/nixos/modules/services/web-apps/dokuwiki.nix
+# - https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/81c8bfe16b311d5bf4635947fa02dfb65aea7f91/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf
+# - https://www.php.net/manual/en/install.fpm.php
+# - https://www.php.net/manual/en/install.fpm.configuration.php
+
+{ config, pkgs, ... }:
+
+let
+ # This is also used for user and group names.
+ app = "dokuwiki";
+ domain = "eh22.easterhegg.eu";
+ dataDir = "/srv/www/${domain}";
+in {
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${app} ${app}"
+ ];
+
+ services.phpfpm.pools."${app}" = {
+ user = "${app}";
+ group = "${app}";
+ phpOptions = ''
+ short_open_tag = Off
+ open_basedir =
+ output_buffering = Off
+ output_handler =
+ zlib.output_compression = Off
+ implicit_flush = Off
+ allow_call_time_pass_reference = Off
+ max_execution_time = 30
+ max_input_time = 60
+ max_input_vars = 10000
+ memory_limit = 128M
+ error_reporting = E_ALL & ~E_NOTICE
+ display_errors = Off
+ display_startup_errors = Off
+ log_errors = On
+ ; error_log should be handled by NixOS.
+ variables_order = "EGPCS"
+ register_argc_argv = Off
+ file_uploads = On
+ upload_max_filesize = 20M
+ post_max_size = 20M
+ session.use_cookies = 1
+ ; Checked the default NixOS PHP extensions and the only one missing from
+ ; DokuWikis list of PHP extensions was bz2, so add that.
+ ; Checked with NixOS 23.11 on 2024-05-02.
+ extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so
+ '';
+ settings = {
+ "listen.owner" = "${config.services.nginx.user}";
+ "listen.group" = "${config.services.nginx.group}";
+ "pm" = "dynamic";
+ "pm.max_children" = 32;
+ "pm.start_servers" = 2;
+ "pm.min_spare_servers" = 2;
+ "pm.max_spare_servers" = 4;
+ "pm.max_requests" = 500;
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."acme-${domain}" = {
+ default = true;
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ virtualHosts."${domain}" = {
+ default = true;
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ locations = {
+ "~ /(conf|bin|inc|vendor)/" = {
+ extraConfig = "deny all;";
+ };
+
+ "~ /install.php" = {
+ extraConfig = "deny all;";
+ };
+
+ "~ ^/data/" = {
+ extraConfig = "internal;";
+ };
+
+ "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = {
+ extraConfig = "expires 31d;";
+ };
+
+ "/" = {
+ index = "doku.php";
+ extraConfig = "try_files $uri $uri/ @dokuwiki;";
+ };
+
+ "@dokuwiki" = {
+ extraConfig = ''
+ # Rewrites "doku.php/" out of the URLs if the userwrite setting is
+ # set to .htaccess in the DokuWiki config page.
+ rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
+ rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
+ rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
+ rewrite ^/(.*) /doku.php?id=$1&$args last;
+ '';
+ };
+
+ "~ \\.php$" = {
+ extraConfig = ''
+ try_files $uri $uri/ /doku.php;
+ include ${config.services.nginx.package}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param REDIRECT_STATUS 200;
+ fastcgi_pass unix:${config.services.phpfpm.pools."${app}".socket};
+ '';
+ };
+ };
+
+ extraConfig = ''
+ # Set maximum file upload size to 20MB (same as upload_max_filesize and
+ # post_max_size in the phpOptions).
+ client_max_body_size 20M;
+ client_body_buffer_size 128k;
+ '';
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+ networking.firewall.allowedUDPPorts = [ 8443 ];
+
+ users.users."${app}" = {
+ isSystemUser = true;
+ group = "${app}";
+ };
+ users.groups."${app}" = { };
+}
diff --git a/config/hosts/eh22-wiki/networking.nix b/config/hosts/eh22-wiki/networking.nix
new file mode 100644
index 0000000..fba2da9
--- /dev/null
+++ b/config/hosts/eh22-wiki/networking.nix
@@ -0,0 +1,22 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.159";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:37:F0:AB";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix
index 8a84112..a2c64d3 100644
--- a/config/hosts/esphome/networking.nix
+++ b/config/hosts/esphome/networking.nix
@@ -11,14 +11,14 @@
];
ipv6.addresses = [
{
- address = "2a07:c481:1:d0::66";
+ address = "2a07:c480:0:1d0::66";
prefixLength = 64;
}
];
};
defaultGateway = "10.31.208.1";
- defaultGateway6 = "2a07:c481:1:d0::1";
- nameservers = [ "10.31.208.1" "2a07:c481:1:d0::1" ];
+ defaultGateway6 = "2a07:c480:0:1d0::1";
+ nameservers = [ "10.31.208.1" "2a07:c480:0:1d0::1" ];
search = [ "z9.ccchh.net" ];
};
diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index 89f83c9..a57a37f 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -7,20 +7,13 @@
# - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md
# - https://forgejo.org/docs/latest/admin/email-setup/
-{ pkgs, ... }:
+{ pkgs-unstable, ... }:
{
services.forgejo = {
enable = true;
- package = pkgs.forgejo;
database.type = "postgres";
- lfs.enable = true;
-
- secrets = {
- mailer = {
- PASSWD = "/run/secrets/forgejo_git_smtp_password";
- };
- };
+ mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
settings = {
DEFAULT = {
@@ -49,7 +42,6 @@
};
service = {
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
- ENABLE_INTERNAL_SIGNIN = false;
DEFAULT_USER_VISIBILITY = "limited";
DEFAULT_KEEP_EMAIL_PRIVATE = true;
ENABLE_BASIC_AUTHENTICATION = false;
diff --git a/config/hosts/mqtt/configuration.nix b/config/hosts/mqtt/configuration.nix
index 793807d..18d0184 100644
--- a/config/hosts/mqtt/configuration.nix
+++ b/config/hosts/mqtt/configuration.nix
@@ -1,10 +1,10 @@
{ ... }:
{
- networking = {
- hostName = "mqtt";
- domain = "z9.ccchh.net";
- };
+ networking = {
+ hostName = "mqtt";
+ domain = "z9.ccchh.net";
+ };
- system.stateVersion = "23.11";
-}
+ system.stateVersion = "23.11";
+}
\ No newline at end of file
diff --git a/config/hosts/mqtt/default.nix b/config/hosts/mqtt/default.nix
index bc91d9f..bb61c12 100644
--- a/config/hosts/mqtt/default.nix
+++ b/config/hosts/mqtt/default.nix
@@ -1,9 +1,9 @@
{ pkgs, ... }:
{
- imports = [
- ./configuration.nix
- ./networking.nix
- ./mosquitto.nix
- ];
-}
+ imports = [
+ ./configuration.nix
+ ./networking.nix
+ ./mosquitto.nix
+ ];
+}
\ No newline at end of file
diff --git a/config/hosts/mqtt/mosquitto.nix b/config/hosts/mqtt/mosquitto.nix
index 9bc02b0..672c05d 100644
--- a/config/hosts/mqtt/mosquitto.nix
+++ b/config/hosts/mqtt/mosquitto.nix
@@ -5,30 +5,29 @@
{ ... }:
{
- services.mosquitto = {
- enable = true;
- persistence = true;
+ services.mosquitto = {
+ enable = true;
+ persistence = true;
- # set config for all listeners
- listeners = [{
- settings.allow_anonymous = true;
- omitPasswordAuth = true;
- acl = [ "topic readwrite #" ];
- }];
+ # set config for all listeners
+ listeners = [ {
+ settings.allow_anonymous = true;
+ omitPasswordAuth = true;
+ acl = ["topic readwrite #"];
+ } ];
- bridges.winkekatz = {
- addresses = [
- { address = "mqtt.winkekatze24.de"; }
- ];
- topics = [
- "winkekatze/allcats/eye/set in 2"
- "winkekatze/allcats in 2"
- "+/command in 2 winkekatze/ \"\""
- "+/status out 2 winkekatze/ \"\""
- "+/connected out 2 winkekatze/ \"\""
- ];
+ bridges.winkekatz = {
+ addresses = [
+ { address = "mqtt.winkekatze24.de"; }
+ ];
+ topics = [
+ "winkekatze/allcats/eye/set in 2"
+ "winkekatze/allcats in 2"
+ "+/status out 2 winkekatze/ \"\""
+ "+/connected out 2 winkekatze/ \"\""
+ ];
+ };
};
- };
- networking.firewall.allowedTCPPorts = [ 1883 ];
-}
+ networking.firewall.allowedTCPPorts = [ 1883 ];
+}
\ No newline at end of file
diff --git a/config/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix
new file mode 100644
index 0000000..50a584e
--- /dev/null
+++ b/config/hosts/netbox/configuration.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+ networking.hostName = "netbox";
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix
new file mode 100644
index 0000000..6ef3469
--- /dev/null
+++ b/config/hosts/netbox/default.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./netbox.nix
+ ./networking.nix
+ ./nginx.nix
+ ./postgresql.nix
+ ./sops.nix
+ ];
+}
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
new file mode 100644
index 0000000..e0f2df9
--- /dev/null
+++ b/config/hosts/netbox/netbox.nix
@@ -0,0 +1,42 @@
+# Sources for this configuration:
+# - https://docs.netbox.dev/en/stable/configuration/
+# - https://colmena.cli.rs/unstable/features/keys.html
+# - https://colmena.cli.rs/unstable/reference/deployment.html
+# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/secrets.nix
+
+{ config, pkgs, ... }:
+
+{
+ services.netbox = {
+ enable = true;
+ package = pkgs.netbox;
+ secretKeyFile = "/run/secrets/netbox_secret_key";
+ keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
+ settings = {
+ ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ];
+ SESSION_COOKIE_SECURE = true;
+ # CCCHH ID (Keycloak) integration.
+ # https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7
+ # https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html
+ REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2";
+ SOCIAL_AUTH_KEYCLOAK_KEY = "netbox";
+ # SOCIAL_AUTH_KEYCLOAK_SECRET set via keycloakClientSecret option.
+ SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
+ SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
+ SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
+ };
+ };
+
+ sops.secrets."netbox_secret_key" = {
+ mode = "0440";
+ owner = "netbox";
+ group = "netbox";
+ restartUnits = [ "netbox.service" "netbox-rq.service" ];
+ };
+ sops.secrets."netbox_keycloak_secret" = {
+ mode = "0440";
+ owner = "netbox";
+ group = "netbox";
+ restartUnits = [ "netbox.service" "netbox-rq.service" ];
+ };
+}
diff --git a/config/hosts/netbox/networking.nix b/config/hosts/netbox/networking.nix
new file mode 100644
index 0000000..a0abcfe
--- /dev/null
+++ b/config/hosts/netbox/networking.nix
@@ -0,0 +1,22 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.149";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "62:ED:44:20:7C:C1";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix
new file mode 100644
index 0000000..2673cdc
--- /dev/null
+++ b/config/hosts/netbox/nginx.nix
@@ -0,0 +1,67 @@
+# Sources for this configuration:
+# - https://nixos.org/manual/nixos/stable/#module-security-acme
+# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/nginx.nix
+# - https://docs.netbox.dev/en/stable/installation/5-http-server/
+# - https://github.com/netbox-community/netbox/blob/v3.5.9/contrib/nginx.conf
+
+{ config, pkgs, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+ # So nginx can access the Netbox static files.
+ user = "netbox";
+
+ virtualHosts."acme-netbox.hamburg.ccc.de" = {
+ default = true;
+ enableACME = true;
+ serverName = "netbox.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ virtualHosts."netbox.hamburg.ccc.de" = {
+ default = true;
+ forceSSL = true;
+ useACMEHost = "netbox.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ locations."/static/" = {
+ alias = "${config.services.netbox.dataDir}/static/";
+ };
+
+ locations."/" = {
+ proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ client_max_body_size 25m;
+ '';
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+ networking.firewall.allowedUDPPorts = [ 8443 ];
+}
diff --git a/config/hosts/netbox/postgresql.nix b/config/hosts/netbox/postgresql.nix
new file mode 100644
index 0000000..5f49f30
--- /dev/null
+++ b/config/hosts/netbox/postgresql.nix
@@ -0,0 +1,7 @@
+{ pkgs, config, ... }:
+
+{
+ services.postgresql = {
+ package = pkgs.postgresql_15;
+ };
+}
diff --git a/config/hosts/netbox/secrets.yaml b/config/hosts/netbox/secrets.yaml
new file mode 100644
index 0000000..831a7a1
--- /dev/null
+++ b/config/hosts/netbox/secrets.yaml
@@ -0,0 +1,234 @@
+netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str]
+netbox_keycloak_secret: ENC[AES256_GCM,data:WLPCwl6KmHhyGwpqchZUmTr0XwA1T9asAEXNOSQMfGU=,iv:fsO+Ho18Uz6+y2iohbve1bUKhCR/c2zNrbODR2Jrh3Q=,tag:MWeh7GhdyUJnSzrndA3l3Q==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTJ5OEJPeGVPTHp5V2tX
+ c0xYcWtKNG00d3lCQ1JZRERkUFZsaXpyMERJClQwdDFnTVdCRjB0S3hEYkVmclE5
+ dGRUQThYSWhpK2dCQWxSVjhuNEY4TUEKLS0tIC9RS3hSdFZCbTd4eFNNSTgyaXdU
+ V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw
+ a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-10-08T23:54:23Z"
+ mac: ENC[AES256_GCM,data:6KwBwJ1uTuOaCTcBs9sgvX+E/bV37ylJmDqYupa3545ba5Y3VMuF2Hx72zzRYPmh5/DmwzDxc/f7TZUheO5jwwwMGGNCYuX2c+nkzLgtovT/yCXTo8vPHNf03fQRHlOq28ztQIG8Ug1s/t4XkA+iuqPdbvyNKLbsJfJBqg4SF44=,iv:SUXPFtW3/pSTBnjAh77G6pJTucHy4VEhUVkELiMJ4JU=,tag:SfLCwPpJuvL7RrIRmN5PGg==,type:str]
+ pgp:
+ - created_at: "2024-05-26T01:07:22Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAxK/JaB2/SdtARAAgiNMTfquNZeRDR0p1DQbGPVx/tCxKng4aQ+6A8x7H3Ul
+ UFSjn+85rFBqTRswDnFM4gSfokBHLW1Ltztqw4aKuYoNLs0vUGJWrkf5dHsJv2Mb
+ YJaHm1iqSwIrgmyI1PWvrZ+cUjgUWBriJOTNlYi2iHWBWqDSQ7O7TUqpeCxiHAp9
+ e6UydzIxsLjl+7gaDW2M/FRJNVKxtq8UBEdg33xLi/eE6O5/fNyo8qBjUUWnG4xb
+ fiuKWgn83n7vsVsmvNJPlsOUrrZoYJAOSm5nymkXlAEQv1LPrSXXYHz8WoOTPDs8
+ 29YAX8gvIwK+lc7xFFZAsjQ8JzqcVMyFHsT9N8zWSdaOyGcFcsDwBEICOvVSabb9
+ g3yrI8PKoEkQigeLnzKrkLZX+1vqVkSO7MBWn5xAMMhTTZvH0+MknlYO0pU3ziME
+ Yp6EbvU4OeRbcB6gMt21KQDhiEkPNdwcyxoOtFIWw8tCK57Leyyyb1YU2W7T96M4
+ 2fcoAzr5x3xapdvOEgUr7OFzTrc2DRrpx7FKoJFBIy4HEvtJKJvKxcq4aUqznSPG
+ ILpbnH3CEQuWmcGu5fTZ3ggQZW7bM523cz+cwOJjUokhW49D+h7wZjffUuSK1AWS
+ 7FwncFVVkNcLAs77p1DFn4A3mUjdh3jl+VAXudgQfOGtLeLDY4+qlMMQSGPoj4fU
+ aAEJAhB0l1X5jqjGE7o/PRwgoaeFl/zwiX8n0k26++hPw2+Vt/b3sT3Ce0zNr30p
+ Yc7h4H8UoN9j6zD96R9MAATHikz7a5EprAshqzV6uy7VNI6bcKVKilLoxVa47Y1p
+ 6PA24RxtGxVm
+ =ES/O
+ -----END PGP MESSAGE-----
+ fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+ - created_at: "2024-05-26T01:07:22Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA6EyPtWBEI+2AQ/+OBSrAP5xkjanku4jcpbYrYDMTWRxVfEgNesvuTyQsxVr
+ kKK9THm7MUHbVBkx1xirvpv6XLcLtCwdMnYlBkSCVaztGmb1aowmCn5tWZiVDyE+
+ UPCF0bTXmxjLM+Cav8aweylfD3vAQsPvFLS3XvCBHKWqZ7dNkro+5VTxKmQ+XiZ6
+ t67M5DtltUm8IWOE2DScAgGiBQlCSY23O/zy4U5Sj3Ii+eRHxC1B7NB0Crj01pi7
+ 2v6J7yNZnw4vfH3UiRO5Vg9q0QLPp3XR6Xb1J/TJJS6vCUarSbL1/oBjujHkF4hK
+ MEZ+Q3qGnv+dGOzUch4xkEkuWyfIcMTY6JOa3TpkhfkbQwXsph/sD/SaHpRD70Ra
+ PX0vBzSdbtEMea8/pVTOxfFEjPGQIFI1+pdNmCfzhWNbrH6EqjrSOyZXSr6+U3dI
+ Xhpyv2wKuNho0c9jWYqPzY4vhSGRjc9416nfV/o7Ebv659ypBKHtMDcL5kebkCB4
+ W0OwscSRPUXUz2S9XfSa3J80Aakv5S5xvlXo6R/8TDaMWJtZP2vtF4y0elNGOfZM
+ Vn/zlv1htaezQDNznJK+E8bHEF3p92hiuSjO8yMZByIFrAV1AyqY4kiMmW68scA6
+ NBOlxah9xCV7XnD8B1ZCR9FruuYYj9cpwES0lLvISBXJvh1viyHN8Js0uApePInS
+ XgGzDhaZWWyt5TK+Uv2fu8wh6hbX8hmzT9vBLfPz0Gx6Z78RnwflsTqF8svtjSuB
+ zv4z9d/zrysfHY93Gd8kdKkG955f1THz9dELEpYLIwyLoTx1vHlymVP87TuPqxc=
+ =zG3F
+ -----END PGP MESSAGE-----
+ fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+ - created_at: "2024-05-26T01:07:22Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAz5uSgHG2iMJARAAjT7YVbq2/QthKii2fmj1EZgsDm7ZkcAKJ7Bo0jm7Vgxm
+ wGeBULB0bBoYEiFFO7Kc420Yk6IK+uUG8S8X3bJHUbMzvY/K/kG0eVpXwDJwJPf8
+ o46blkjpmhIiTvvQ4K74AJgsT9W0yXRrPxGz5HIuOG8P8CAqOabZ79ORfd3KFebJ
+ yOvBSyor//XoMB60a7uqQoaWw/+UwRKpz2yncLafD23nyuS5uXsoHNuySHLsI4va
+ y6Nhp4LdpYjjx/DIuzrl/3SCeLgisHL5u5kJ1QaGsfd2z7Tjxk+GoVgs/Wb51uHs
+ vPk0diKrv/kouW7rN20a2ywQETenik7/z2JcEFyZiOPH9KhHk3QGoXdlVVqESz5O
+ OMV5d/ijFW92Z7yuis1jSewGKDDp1FqyR3gIMONl2vK7Pzl1A8v8yQBbY5/fObuM
+ xTs/qwwoqYimokqM3WrjjKgx8oFFstWWzKBT24aCQTajA8vl83v1jfjR7EjBrrAu
+ +J+wBFNpnJiXgECPmJgOtQB+4IA023X1cdgDm2GlR+sPKKSBP+AySMOOp4zMoS4J
+ 9xd30ltQp1ncNvU7KaTV0VXRaGb7CEJnlhiN2naYcpcsX+G8bfcrCuZwxtBFiZvY
+ 9Ey47LLHP5SPPOWxhnsrPOYidNJd056+uyvnnbUYArjb6s5JUh6KQgjELKCEOIXS
+ XgEUryr5jMrBHLQi7wYHEqWkouH8cFsPAu5O/KOIYvZVIoOzB3DDPtJ4CknNfAMa
+ CTvlOJHJSuweQ4Mq0c+247aWu12V9ZMcTQT4e3g5DYq5TWm58Uidbd/g3FDwLgg=
+ =PqbF
+ -----END PGP MESSAGE-----
+ fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+ - created_at: "2024-05-26T01:07:22Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAw5vwmoEJHQ1AQ//baYynNo2MfmuqEKles0xnZpfPemIyQUnPmRKEtZUl6T6
+ eweGXKF3Ms32ErPhZaT8RNYAk2XX+RRlpJvTcMvLv/rxVTf2QcCAz6vxukmh5una
+ 5CJe1H1tcDmXrQ7zkGffktkGcT90/OpRbhMJtp7MKcEzfpdgcw5yCeDpYCRn2r9E
+ /0Eaf72R60ecnr6CaOSIdbpy1QiDMydgmg/QCONBT97RQMJaGN+qAuPz1Fpb/Z+N
+ E/bmtqS39ADYZoB36sy+LCzp+oMLI0DpCHz2ngfFnKbeYeNU9gMXCAda9/ZyMbaI
+ aFjvwlTBsvAklWN36pvG/YxoO1XkN/Mj1N1QBvxP2LYg28X7uBnVUZAyvvQPL6xN
+ U110qThvDvLxgHC1DAfoMygKCDig2oSg3njf8LS1y5XkTag/B1JJT3NcgFI+MMvT
+ 5NMaw6HRAgOwWcJ1pJokFZ6zIpLlIbToutJu/Ep4tisyg/G3ybbthqaywg5jkbCT
+ vbhzXpsbqkE+jyx2dWziBbQR9lOoTycRwIs6um+pKuPF7TzfD1GRyqTwtU9TN58D
+ Yl1GN3oz8ZFeGkdy1dXBxMP4EXR1BTdLk14vFGFPbjQ0bAAohOgTSgtGm+iZ73Q/
+ PFNf/3gGt8/Gk0cMl20PFzk3FMyUDOLFl5dOre0THGQelpVbN7fvZuaXOSZjuYXS
+ XgHGFmChf+zsmbKnT0tQfzGtFQb0cHHvkenxC5MCCCPibxwVeHEwcJTtPvvF1QqF
+ 9kR3XEpuVFMNFrxsQd/31c5RUTC+sr7W+PRIVgIhdU6RtikIMsmekrunnPeB99U=
+ =o7cj
+ -----END PGP MESSAGE-----
+ fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+ - created_at: "2024-05-26T01:07:22Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA4HMJd/cQYrVAQ/6A6ealIO6x8Xq3xzjIvZt1R4TvbnF+LmKpW2iG1nO3aVY
+ QOEGUCVdEveWbQBOexKXl1TgfhxIOrPVixJ2KgIZnNxobhgABfF/H/EqXsxUI6n6
+ 2mZt8r0ibknzoPn7MmC7ceJt0t8UVFgPlPuT7zb5T2nDrm61WD50tbubJTYTuWmY
+ NE5qhd051/Ohqf1RGB7MEfesDNj0S+J3E0TAjOsAcFoAUwSohUtxONcCSwjiygqM
+ vCC9Z51tMe6pC9n/2MNgb47xd5eqFs9rzfKXxPlnhhRmS1jOmE5fVfmOg9KOkGCu
+ PskiO+hgyQK3q2a+/e/MGuKv3ChCrTloTUBarQW5oRoQnWdoiZh7rVwyNVasGfHW
+ FLEhZuBlyV8w9JqOQTiOx3FN8IhVL2lJIa72Ng+O+AMYuvuSCxv5r+1D88IUlF9B
+ n01qAMC7fUfOpkUPM0yXQ9GTIWt02Mp/7z15t49Uk3izYCGluxVNhLNFxvAZOZh8
+ nfT2Hpf5mkJHMvUD9F9rWFVWPyCD0ORN8k770ziOVEYMadSJ7/HpCHxg5m+TqNnM
+ TNQXID/f7AyoO10zcS8TD0IgDLEjTaPMTPZ1EZ0MvgLQ7MgzPdjdvXOGc0g8L6oa
+ ac9a/NDWeZGDNfj5T88pZStoLJKnTvuuwxk0haabClxCAOysifxINqJ7U6AfkpnS
+ XgHR1vDF871X9kwm/c2zrbJca2sH5pNU/HiLf3IMRTAnmIewYxQAvn3JH+0jUUKH
+ fEt+fZuW9dgfvDzaw4C3FbGxFViRXXFrjqSDGN9JT6VprCmX3Or0RdIjHwdvvhY=
+ =4agQ
+ -----END PGP MESSAGE-----
+ fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+ - created_at: "2024-05-26T01:07:22Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAxjNhCKPP69fAQ//R+9lFm16WjGtRkq3zcPbva2SpijBjVBfuL2veFyeDq5G
+ H09EL0+A9IJ5rPI4Y6HJ2LhnqUWg7NRHbmM48bHla5NDtCNB+YsU1rNc4oGIf/TJ
+ JRob3u660+BxRiEO/Agc925BeQS7xoPSIQTTkzMKEGih2aUj3Im0JHBd6p3UWnsn
+ ZTUy4rkZHhUot1vHSOh1RTRDQHdDMTFpzPA66nH2y9tyz79jhqEFUCZIVIB5dGWv
+ blFqZgoVf9Piw/7ic9FHuNRy/5tia7SGN6xIu3OlR3TU+z7fvjUAHG9Afm0FINfm
+ fS7SRg+y/6wUWVGL8NSQWQLdnMnUt7E2DSu5IY6S6ToZTDxpNM9Waw89GQbUe+Jg
+ APzUtmXt2VNZ7faIE+tE0LJs2x5OGNxALKgj+K9ZFl6oIL8E7PB4ncxDlTsCRiz/
+ H15LzKYMWcYAntMVuVbyyzKUh/3KdZWfs31PV+JIQuazVUQgO9R3myn1Y9SnvZdQ
+ dIwvfYBOmwhC6oCkJB3Pj4yOoE6gtacZBeeUZwScDxH6h+D3MFrF/1bgiKZs26m+
+ VfuTS2vxUAln9werKIGAbQWZmtCOkRdyVIJyeo31zO3hy/xdfzlZdBijcOqZDeho
+ FP+WDUAySkSahqV1pr+jIMsaejRglJo/GfCGPdtBYAuB872VpdiQ8g3i0CW7eSfS
+ XgH5YBfA4EgJSxRdCpBO25i0SyxlNK2WJ9INQbu4xyfBfsZYyhKo1RbmD+60t/xw
+ Lxeg8plFAuBPvQCRCGvda1y9uw66Hmxt0QKtScd3MXwOk2Q2u04cIPDZ/KAtC4g=
+ =x1QX
+ -----END PGP MESSAGE-----
+ fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+ - created_at: "2024-05-26T01:07:22Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA1Hthzn+T1OoAQ/6AgZkGRrZDbtTDEkksKQ84CsGyRBMioOrYfHDSyRb7URZ
+ RDVLfqr25Iz48kYR1n2nMo+O7QyayjTwaEAwFLFSTIpRKN6/9fT2ZVJxUfgLUWhH
+ I1OYMmRr9f/30OUMw8uTlCMqznkdoSjBmm0CX2Mu3YyRDUokzZa+ixRHX9TRBrKz
+ GSfJvHm77HTamvJLZcHnrVi9YH0KL7cQ8ileNHbUbCqmG+rrhiwz+gRp9aJ7pbnw
+ Qp7TaafrQKFh0Zsbmwuzcv030TJvuZboWpMIuGoeOWqv6tzSFhUV8eUu6UnM/2fg
+ arflryayYFRDUkysHONGoHviygefHr3+dIkneVO7tJ4ePYnFYhLvUsps4KASoHMF
+ dHMOwaPQDnBYo/ADiar1fgagYD/1Yns2SpsA1eqWwTE+hp+jwQi0mzYMLM3xl9YA
+ cMuqIOnXvpnuXYIRmooFtf/JkoJkYDV+8gbowZU52FJbB15QsPUgN47aixkWzJxj
+ 6iV34LoF783DGQTnoMzgV9bDXa3RE1UgxjdFV6TNsPQvmWQJe+NNhqdkhH3MwLTG
+ jMGAwUNsPnmvCg4xPZlZMiuGhi3vxC4Fj6MWUw8uJbxCv83FPYwmpHCGVNwpDhFC
+ rRLk9vo1Dsm0oMHHLDxS9gTlg7FCrEyXinHBEq/11wigACM217oyg28nWxd6iA/S
+ XgHgxWlTQiYOWBRdJuJrPwXpNIHlsNDuE5YantoGFx6ykGT5H42HFlll7xGq6xVq
+ pssSfJK++lqWpvX076vh9tfwa40N2neO/vQ+8jBXr3dP6Vj/FUA8IUDVjc9xxAc=
+ =FXTF
+ -----END PGP MESSAGE-----
+ fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+ - created_at: "2024-05-26T01:07:22Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA46L6MuPqfJqARAAlG+nZhDVZX/+nHA+dPdw2RSGeXrIaxe0gjkGShZOVhmq
+ /iOfY7IgRzfp03BCJxRZwTYZu9hcg25jmW1havkmv5NPMDrmhgg9nX1AgyJaOgTo
+ FCPlXAvBSyWPGv+xgi63ttakHhobOympBj4hSzXdLg3RhkZ7KHci4Qz7XVfOpJ+j
+ wl/HKkNmkLiPiA7kYk8SOwJMFO89dMphHQBc81cZAptwfz9snTP7v6iBVvQDvF8h
+ 3y5QPpfKEJZy0+GlqbMvRASHNx+w2GXIk6F/ldMt9rq9IJvR0od0p15aXCcO6TzC
+ Yzo7lIyyxqp9NQyN0S/DwzH0Uqj2CFMYdoKeFTNXG4a9fkVorj8+4rmJPewDxc4a
+ 6Pc1hrQc6qoN+7o0Fj4xYkSO615gmVwZprWLQqgdkSMSPklecMX1d7WmkmIHNBk8
+ wkFUT0yBoedBiOTIHXRXhnQ8/4fkbRw7HYA3R4CqT7njtvqC0VWfwLISubuQ38tf
+ wbGKg5Bzzt+T176VoOfjau4aDoy3S1aGQcVKD19egj4l/eO+SvHl3UVZNUipkB3C
+ 7MUqORS2kOh+IIqdSjYKvn7+MuAM5UP5GdzIoHaPPSCTUPdUjOLFPb+bjonTReQM
+ N4slvyssD3pgy9cwNofVtsmgVrc4Cv9mTo6rygeAq7wWxkl5hvVcmkhRN6zXD4TS
+ XgHV1a+C7ZWICtKI1u19NVYkjDkRrbQx96UdAkKquofpaQjxxXsz4SDi94BB2dCS
+ z+S2ZjOtweynhey1QPOLLmNUvZLE+SGsKmwkrMCBdtSyTbRXHSqPHt0Lc77tUhE=
+ =7WGw
+ -----END PGP MESSAGE-----
+ fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+ - created_at: "2024-05-26T01:07:22Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA4EEKdYEzV0pAQ/9Ek8xSUknHMyj7pFgR6oME3Q/az5CykwxpkKFZgafhxWQ
+ nA2Ge4y3Px+rSoPPPtxtb32lw4PcWV+P1Y4EdtpinsuW9xlSWJvE8Yp6C0BBFceu
+ 3k3O2sPHlF0yeJgjS+rhpqPppRn5nlvmD+E9ZiJGQNOEUxmrdgoNLonazlLqcgjO
+ 07CQdgHp9AuBthhlEU+UgdVdfHMV83KhhyOIf+mhEUU4cQWL3X/J2Sm6jtAowA92
+ fiAA7U8UXEt4lFEXle6Xj/1LtBI5zI8YHrE3xX6kN0Byf+ydtAM1eqjGb0dL7u6W
+ 24CavCODfgWepuK97Jo++umTfN8wkLlfpbaNro2EpAdD5Q9CeGSzXk1PjFmsZgAb
+ QVOxo8kiTULEgMTI55pqg4GT4pglbofsQRMuk2IZPj1a9ScJjOxZIm0VUXG9AAZi
+ BogAuiObch3orMm2KGeSX1s6HyHrvQjuXDNPHoC2yFJ2oBu1QIHy/hAFLnOcNW/U
+ 3JfhWHLpMHQgu9lFzkTlobg+4Lg1MHlXtSApwdmMIcrAJcm/l/7+x1J/TVVRQAdP
+ zyzWLA9AGjRv0Vud6lhCnL2FjsUVUWA+S8G+OYqxpkp70Ku1a5z3e7P8CoAtzDoe
+ RZLRwjawjgfyKpEvbN+s2UvWqtgvRPqiudG4cAZs5GecLxO8ItahyklRZ47G8JnS
+ XgEdyiiO06vx5LMszt/tFXtoIKlaWnbB0oLyIwm8un55VnJija5OVrFfdQYhp4fQ
+ yvRQ9uAM32WVjQ+gKVVQ3pAHgF2Lu67E7HtZtdmdLkWafybEWUsqGZyDzDvchZs=
+ =pFkW
+ -----END PGP MESSAGE-----
+ fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+ - created_at: "2024-05-26T01:07:22Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DQrf1tCqiJxoSAQdAeCb2j6cmTulJV2huSow62xTILgzf8/OOo5lED9+T5VQw
+ kBqubSVgy3jiW7lfjAK8U5Wh0ITb+6AR9kDLRE0WCxNbrOaeGado1VEalTw00Q58
+ 0l4B+PeAZBg82rPUegAvU7UnnUIC3nGVzN4CEdPRpPcrG99V6VvXOks+s4DLky16
+ 5FOihlYbf5nCD7OFbc3yys3MbUVuHda8x8H0BkuxDR81Wf4Q+HXCg8OUhncB57zN
+ =Lvnj
+ -----END PGP MESSAGE-----
+ fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+ - created_at: "2024-05-26T01:07:22Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzdAjw8ldn6CAQ//UFokgDfUkScPVlJ+YnFw+W8eLk6y2YVI+nTCCZO9fhPB
+ 77aDFY+yJG/BfEzjZNwQbISBjt+OuxVSSam52B+4FQkolr3KRhkfkuS16Fe9PwOg
+ XLMRoDba416ZtwAKz9HznFnPAzyPOwAn8yuF9RMp0KFP3ko+NSRAvOgja+jjPOl7
+ 4BNkH6w5SAoE8u5jyQKIV9OB4W8RCVX30bYo2XzxjOcK1L+9EygoR+1CVOkbx8p/
+ T2i3mBdy3EtQ+86nSMPjGrSqURaUaKbCN/ygrSMhN/Pl/FvLiEEHamj2dVXPdHRV
+ k4bR51ZjO+U056PAB2Z5yK1Mpp0d0xpi5+QdOdi3eEqnGCXFq4Xz7NHUrmdy8Zug
+ QPnlMqibC3Wqdee4uhPbCHe0veF/VLaNAlyGkBHw7q66Ln2MY8coKPoiR8K4CD8o
+ 9dtsV/qDvdFhziqsWCBjTwtFct2x/qEcRnzm1kvpyKwe2zV15lHA9WLafZVQ8eNk
+ U8yxBDETa8Bwd9voJ9NqYTcnyQLRJ3sZcvfkWQ7D5NOvmdHD5vF+gm5zJzR4EGN2
+ kSiqwZvztVuQCm6EOe0pJqp774KZXWW9eHc6CaNwkT5cmWjWu1wdHYhRk32HdhxX
+ 1FQF3MxxACwDg9kj/s7gpWLlsofN4NM/QtHoGRh1wDQJGm8IZyH2qxpsgcXX9YHS
+ XgGX4oCWpHLRyRuHPb0xvjAdVX20WQKLzAtXvJkRMUd+Xt348nkZ4ZCqqfQ4eKPU
+ 02FoWeCVqWTUyoaaHC87HFXUNJ4Gc+9AsWlbB9yA8nAm1z4wWHHFqZS2duu28ow=
+ =WqHP
+ -----END PGP MESSAGE-----
+ fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/config/hosts/yate/sops.nix b/config/hosts/netbox/sops.nix
similarity index 97%
rename from config/hosts/yate/sops.nix
rename to config/hosts/netbox/sops.nix
index 38b06f9..b4548ed 100644
--- a/config/hosts/yate/sops.nix
+++ b/config/hosts/netbox/sops.nix
@@ -4,4 +4,4 @@
sops = {
defaultSopsFile = ./secrets.yaml;
};
-}
\ No newline at end of file
+}
diff --git a/config/hosts/nix-box-june/configuration.nix b/config/hosts/nix-box-june/configuration.nix
new file mode 100644
index 0000000..7dddcc1
--- /dev/null
+++ b/config/hosts/nix-box-june/configuration.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+
+{
+ networking.hostName = "nix-box-june";
+
+ system.stateVersion = "23.11";
+}
diff --git a/config/hosts/nix-box-june/default.nix b/config/hosts/nix-box-june/default.nix
new file mode 100644
index 0000000..489fd67
--- /dev/null
+++ b/config/hosts/nix-box-june/default.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./emulated-systems.nix
+ ./networking.nix
+ ./users.nix
+ ];
+}
diff --git a/config/hosts/nix-box-june/emulated-systems.nix b/config/hosts/nix-box-june/emulated-systems.nix
new file mode 100644
index 0000000..b6065dd
--- /dev/null
+++ b/config/hosts/nix-box-june/emulated-systems.nix
@@ -0,0 +1,5 @@
+{ config, pkgs, ... }:
+
+{
+ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+}
diff --git a/config/hosts/nix-box-june/networking.nix b/config/hosts/nix-box-june/networking.nix
new file mode 100644
index 0000000..2c1faee
--- /dev/null
+++ b/config/hosts/nix-box-june/networking.nix
@@ -0,0 +1,22 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.158";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:6A:33:5F";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/nix-box-june/users.nix b/config/hosts/nix-box-june/users.nix
new file mode 100644
index 0000000..9f1b217
--- /dev/null
+++ b/config/hosts/nix-box-june/users.nix
@@ -0,0 +1,59 @@
+{ lib, ... }:
+
+{
+ users.users = {
+ chaos.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
+ colmena-deploy.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
+
+ djerun = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWXk9N9GoDyvaB0mnX448IvzKKsMv0eFZKvjqmsJ3In djerun@chaos.ferrum.local"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQsu6WSAXsF45wGmw2spQUWopsgioUuFI8hKLBW/WVk djerun@chaos-noc.ferrum.local"
+ ];
+ };
+ june = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
+ };
+ jtbx = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBQgnQAq6FUSDK8bxtYPjx3oRCAKG+xy9J3Gas2ztJk jannik@Magrathea.local" ];
+ };
+ dario = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZtJwNPEIfNsAxBfWgxAeoKX1ajORPvs6L5S+qipJ7J dario@ccchh" ];
+ };
+ yuri = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
+ ];
+ };
+ max = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHNGDzZqmiFUH75oq1npZTyxV0B7eSJES/29UJxTXBc max@iridium" ];
+ };
+ haegar = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhWTkvLI/rp6eyTemuFZRbt2xxRtal7fu668nnb/ekU haegar@aurora" ];
+ };
+ stb = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgVuX9phyXImxqvof+49UXhiSQ+VGizeU4LrPcZY1Hy stb@lassitu.de 20230418" ];
+ };
+ hansenerd = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxujzHK49IBtYKPgnTCDQEiIxgzzlQ846tmU+6TcMIi hansenerd" ];
+ };
+ echtnurich = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWWxkGFje1CJbZTB2Kv8hxZpvRR8qyw2IarRIHnQj3+ echtnurich" ];
+ };
+ c6ristian = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgfWcCrsVSXvYEssbfMOy2DnfkGSx+ZRnPLtjVNSxbf c6ristian" ];
+ };
+ };
+}
diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
index b49b2da..2428ec0 100644
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
@@ -14,6 +14,7 @@
},
"contact": {
"phone": "+49 40 23830150",
+ "irc": "ircs://irc.hackint.org:6697/#ccchh",
"mastodon": "@ccchh@chaos.social",
"email": "mail@hamburg.ccc.de",
"ml": "talk@hamburg.ccc.de",
@@ -26,7 +27,7 @@
},
"calendar": {
"type": "ical",
- "url": "webcal://cloud.hamburg.ccc.de/remote.php/dav/public-calendars/QJAdExziSnNJEz5g/?export"
+ "url": "https://cloud.hamburg.ccc.de/remote.php/dav/public-calendars/QJAdExziSnNJEz5g/?export"
}
},
"links": [
diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
index ff59fab..f1ad527 100644
--- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
@@ -1,19 +1,10 @@
{ pkgs, ... }:
-let
- domain = "c3cat.de";
- dataDir = "/var/www/${domain}";
- deployUser = "c3cat-website-deploy";
-in {
- security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
-
+{
services.nginx.virtualHosts = {
- "acme-${domain}" = {
+ "acme-c3cat.de" = {
enableACME = true;
- serverName = "${domain}";
- serverAliases = [
- "www.${domain}"
- ];
+ serverName = "c3cat.de";
listen = [
{
@@ -23,9 +14,9 @@ in {
];
};
- "$www.${domain}" = {
+ "c3cat.de" = {
forceSSL = true;
- useACMEHost = "${domain}";
+ useACMEHost = "c3cat.de";
listen = [
{
@@ -37,42 +28,7 @@ in {
];
locations."/" = {
- return = "302 https://c3cat.de$request_uri";
- };
-
- locations."/manuals/eh22-rgb-ears" = {
- return = "307 https://www.c3cat.de/rgb-ears.html";
- };
-
- extraConfig = ''
- # Make use of the ngx_http_realip_module to set the $remote_addr and
- # $remote_port to the client address and client port, when using proxy
- # protocol.
- # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
- # Then tell the realip_module to get the addreses from the proxy protocol
- # header.
- real_ip_header proxy_protocol;
- '';
- };
-
- "${domain}" = {
- forceSSL = true;
- useACMEHost = "${domain}";
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }
- ];
-
- root = "${dataDir}";
-
- locations."/manuals/eh22-rgb-ears" = {
- return = "307 https://c3cat.de/rgb-ears.html";
+ return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
};
extraConfig = ''
@@ -87,17 +43,4 @@ in {
'';
};
};
-
- systemd.tmpfiles.rules = [
- "d ${dataDir} 0755 ${deployUser} ${deployUser}"
- ];
-
- users.users."${deployUser}" = {
- isNormalUser = true;
- group = "${deployUser}";
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
- ];
- };
- users.groups."${deployUser}" = { };
}
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index c9d77ef..dac4fa4 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -9,7 +9,6 @@
./hackertours.hamburg.ccc.de.nix
./hamburg.ccc.de.nix
./spaceapi.hamburg.ccc.de.nix
- ./staging.c3cat.de.nix
./staging.hacker.tours.nix
./staging.hackertours.hamburg.ccc.de.nix
./staging.hamburg.ccc.de.nix
diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
index 3c85954..5f0792f 100644
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@@ -1,10 +1,10 @@
{ pkgs, ... }:
let
- elementWebVersion = "1.11.95";
+ elementWebVersion = "1.11.80";
element-web = pkgs.fetchzip {
- url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
- sha256 = "sha256-Bs1oYfJ5xXNpQJL92U0/3s979DKfdSZsBo5febp4QGc=";
+ url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
+ sha256 = "sha256-sudWmNehxGsbZTNirTkoWQ/Bln1DC1CI30wocw9VoH8=";
};
elementSecurityHeaders = ''
# Configuration best practices
diff --git a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix
index 1ee6180..7eaa086 100644
--- a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix
+++ b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix
@@ -4,8 +4,7 @@ let
domain = "hacker.tours";
dataDir = "/var/www/${domain}";
deployUser = "hackertours-website-deploy";
-in
-{
+in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
diff --git a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
index b0104b6..2077ca7 100644
--- a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
@@ -4,8 +4,7 @@ let
domain = "hackertours.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "ht-ccchh-website-deploy";
-in
-{
+in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
index 69d8855..fe53d04 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{...}:
{
imports = [
@@ -9,4 +9,4 @@
./eh11.nix
./eh20.nix
];
-}
+}
\ No newline at end of file
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
index 2c5dd86..60d4f21 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
@@ -6,7 +6,7 @@ let
rev = "74977c56486cd060566bf06678a936e801952f9e";
hash = "sha256-ded/NO+Jex2Sa4yWAIRpqANsv8i0vKmJSkM5r9KxaVk=";
};
-in
+in
{
security.acme.certs."eh03.easterhegg.eu".extraDomainNames = [
"eh2003.hamburg.ccc.de"
@@ -48,7 +48,7 @@ in
}];
locations."/".return = "302 https://eh03.easterhegg.eu";
-
+
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
index 37cb893..7651666 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
@@ -48,7 +48,7 @@ in
}];
locations."/".return = "302 https://eh05.easterhegg.eu";
-
+
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
@@ -60,7 +60,7 @@ in
real_ip_header proxy_protocol;
'';
};
-
+
"eh05.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh05.easterhegg.eu";
@@ -71,7 +71,7 @@ in
ssl = true;
proxyProtocol = true;
}];
-
+
locations."/" = {
index = "index.shtml";
root = eh05;
@@ -80,7 +80,7 @@ in
default_type text/html;
# Enable SSI
ssi on;
- '';
+ '';
};
extraConfig = ''
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
index ebfa712..40fe480 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
@@ -54,7 +54,7 @@ in
}];
locations."/".return = "302 https://eh07.easterhegg.eu";
-
+
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
@@ -86,7 +86,7 @@ in
default_type text/html;
# Enable SSI
ssi on;
- '';
+ '';
};
extraConfig = ''
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix
index ea274af..f7416ed 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix
@@ -54,7 +54,7 @@ in
}];
locations."/".return = "302 https://eh09.easterhegg.eu";
-
+
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
@@ -86,7 +86,7 @@ in
default_type text/html;
# Enable SSI
ssi on;
- '';
+ '';
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix
index 39d7fad..c409641 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix
@@ -54,7 +54,7 @@ in
}];
locations."/".return = "302 https://eh11.easterhegg.eu";
-
+
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
@@ -86,7 +86,7 @@ in
default_type text/html;
# Enable SSI
ssi on;
- '';
+ '';
};
extraConfig = ''
diff --git a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix
deleted file mode 100644
index c91d283..0000000
--- a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix
+++ /dev/null
@@ -1,60 +0,0 @@
-{ pkgs, ... }:
-
-let
- domain = "staging.c3cat.de";
- dataDir = "/var/www/${domain}";
- deployUser = "c3cat-website-deploy";
-in {
- services.nginx.virtualHosts = {
- "acme-${domain}" = {
- enableACME = true;
- serverName = "${domain}";
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 31820;
- }
- ];
- };
-
- "${domain}" = {
- forceSSL = true;
- useACMEHost = "${domain}";
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }
- ];
-
- root = "${dataDir}";
-
- # Disallow *, since this is staging and doesn't need to be in any search
- # results.
- locations."/robots.txt" = {
- return = "200 \"User-agent: *\\nDisallow: *\\n\"";
- };
-
- extraConfig = ''
- # Make use of the ngx_http_realip_module to set the $remote_addr and
- # $remote_port to the client address and client port, when using proxy
- # protocol.
- # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
- # Then tell the realip_module to get the addreses from the proxy protocol
- # header.
- real_ip_header proxy_protocol;
- '';
- };
- };
-
- systemd.tmpfiles.rules = [
- "d ${dataDir} 0755 ${deployUser} ${deployUser}"
- ];
-
- # c3cat deploy user already defined in c3cat.de.nix.
-}
diff --git a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
index 14ede9b..382f1b6 100644
--- a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
@@ -4,8 +4,7 @@ let
domain = "staging.hacker.tours";
dataDir = "/var/www/${domain}";
deployUser = "hackertours-website-deploy";
-in
-{
+in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
diff --git a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
index 79ca38c..4b71d53 100644
--- a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
@@ -4,8 +4,7 @@ let
domain = "staging.hackertours.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "ht-ccchh-website-deploy";
-in
-{
+in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix
index 0bff4b5..e7f1932 100644
--- a/config/hosts/status/networking.nix
+++ b/config/hosts/status/networking.nix
@@ -11,14 +11,14 @@
];
ipv6.addresses = [
{
- address = "2a07:c481:1:ce::a";
+ address = "2a07:c480:0:1ce::f";
prefixLength = 64;
}
];
};
defaultGateway = "10.31.206.1";
- defaultGateway6 = "2a07:c481:1:ce::1";
- nameservers = [ "10.31.206.1" "2a07:c481:1:ce::1" ];
+ defaultGateway6 = "2a07:c480:0:1ce::1";
+ nameservers = [ "10.31.206.1" "2a07:c480:0:1ce::1" ];
search = [ "z9.ccchh.net" ];
};
diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
index 8c6847b..dc89021 100644
--- a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
+++ b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
@@ -3,12 +3,13 @@
# - https://woodpecker-ci.org/docs/administration/agent-config
# - https://woodpecker-ci.org/docs/administration/backends/docker
-{ config, pkgs, ... }:
+{ config, pkgs, pkgs-unstable, ... }:
{
services.woodpecker-agents.agents."docker" = {
enable = true;
- package = pkgs.woodpecker-agent;
+ # Since we use woodpecker-server from unstable, use the agent from unstable as well.
+ package = pkgs-unstable.woodpecker-agent;
extraGroups = [ "docker" ];
environment = {
WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}";
diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
index 1836b73..464af13 100644
--- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
+++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
@@ -5,12 +5,14 @@
# - https://woodpecker-ci.org/docs/administration/forges/forgejo
# - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
-{ config, pkgs, ... }:
+{ config, pkgs, pkgs-unstable, ... }:
{
services.woodpecker-server = {
enable = true;
- package = pkgs.woodpecker-server;
+ # Use package from unstable to get at least version 2.6.0 for native Forgejo support.
+ # https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0
+ package = pkgs-unstable.woodpecker-server;
environment = {
WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de";
WOODPECKER_SERVER_ADDR = ":8001";
@@ -22,7 +24,6 @@
WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
WOODPECKER_FORGEJO = "true";
WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
- WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB
# Set via enviornmentFile:
# WOODPECKER_FORGEJO_CLIENT
# WOODPECKER_FORGEJO_SECRET
diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix
index 6b1fa99..6b4bb71 100644
--- a/config/hosts/yate/configuration.nix
+++ b/config/hosts/yate/configuration.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ config, pkgs, ... }:
{
networking = {
diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix
index 66738e8..5304abd 100644
--- a/config/hosts/yate/default.nix
+++ b/config/hosts/yate/default.nix
@@ -1,10 +1,10 @@
-{ ... }:
+{ config, pkgs, ... }:
{
imports = [
./configuration.nix
./networking.nix
./yate.nix
- ./sops.nix
+ ./service.nix
];
}
diff --git a/config/hosts/yate/secrets.yaml b/config/hosts/yate/secrets.yaml
deleted file mode 100644
index 6235c17..0000000
--- a/config/hosts/yate/secrets.yaml
+++ /dev/null
@@ -1,233 +0,0 @@
-git_clone_key: ENC[AES256_GCM,data:Wss8NtyYXOmQ8fYbqKfbGQ+5l+ifNznis9OJ4p2HRPsExOFvgHH60t+D/gsOPTiwL0fEQKQn008Zo7VpIEhKIQM0fW3cd3ED3Tk8QX4hDRxyLl/lql5MlhTm4UMY58rNMBXgA88oR1lozgAa39KMH0MRUoSzrhvecwnAHO+RjZGXBN5zYIorqBVEk5h+1wUGSlV1TroZX9u0cWt11eH59AgKY/oP5mOrgA++E623Oc/DnTxlLbR//lFHW1JPiBSUFMP1ck6fg4PwnADYITgr1B1zdJz1J6jNC+n6S9bKDPnH5bvqmpvJIRmimxR4/R182RkIC+TBhD850cD1y9KSZa0Lh3DZ3LPrqGtZ6MHvpCgY/wPiTUANv6CJPcOAoskaaW57EiFl0ev3Jc3A+XFM6yqQOmmvNXx0hYz6ltlvtsltOcmz5TWooijwTaPS5UEwltYalrT9RNmC/ODkBRkSvuLEBWYwnu8aeo2f/+IxciG0PldDJED2ud6HSkDEXHcPCwodScpnk032Jrc+0qtI,iv:tCo4f5u/y/ZrAfT1N+eUNLy5pKAg/U0xa3cNQmzUgFs=,tag:03HK65hWjYnVzz+7C+HmsA==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rmg0UXBXcWcyRTV6ZGlP
- TDY1RFBVaTlVQnJVV3NnU1ZTeEJzb2xsZXdJCnVFSGF0UjQ1OUpxcVNVb2F4K3Uw
- KzZRYWtTaTJFd29zcmJENTRLMmZsUVkKLS0tIEdGaHRaOWFyeTMzSit4WFh1UGVS
- bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1
- xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-08T18:35:07Z"
- mac: ENC[AES256_GCM,data:tyrfhBaTKnp1lqSPfkErk1UFoI7v/1az+zl9g3XoZ5Apo3CRixdLUldM9sYXqQT5WNrgO2NyZHqvyQOnFZiJuNhlYFSQbgwFFm3gz45BV8Do7QAhAG7+Q6q/Gz9VAqePQJlmzbfeL5iqJC2jhrcGIutO2cI22QULLkBzVVDg1/w=,iv:ayLonGC1F3vp6bh4pcAps6BvMzrG/yT2rPGAcUQ1Geg=,tag:1fIaRIFrzDTSP+oIUHABgQ==,type:str]
- pgp:
- - created_at: "2024-08-05T20:33:02Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMAxK/JaB2/SdtAQ/8Dx0hTc0zZkd9+RXuKOXU8ZkKF54lcxfDTMH0rD2bKPhg
- do/+I4VOSJxfyTvzFNjVXywSCEsws2+RyS73jF4048o4DrNQNG4P70GqXAqjDbQL
- r+WCKT0if85JYPo/ho8nSRumo44BlbN2+Ftc5Z90UshW63VPU4Xm1Woqm8TOvs/0
- cyhsigShwJGymnIEY4PwdT6fd/gkVVaoC9nCrkkSbaQZa1rXHud8+jLK+4TXebKl
- Qk2G2cVivWBioT4wGjhZvQ6lLK4mlaqxiZF3aRYcUs1Hwgq1ZolbgiGPWG4xisFa
- JgsqYRnmGnTM/33l57Cy8CpVHfprrapUXh2X2Ly/pBRQn+ns2zk1wkpTUHbwmyQi
- ETLvw68PXbayoDNunMqZl2RWPjPnotNVeG5i2s+pwaEoDKAWcud2NPUWFb+gyftk
- YNxMdp1CpXXOHpU4Ty+HHXAU/uLVVzLT91RLJAn+Y6rRyevg4UBSB/Y+lc5IMTfa
- QPPLRPV6/P4LIWDlOdg/S3Q7ZwryNAogU/Hyuuz2xyS8LK7S7M0+BgVBrOkowazy
- aGemt/BmQkyPQDpJTPxtdzsK1vvplol7uJnNou1h0krrgHlAzb++3i8+V4Z18dBg
- GSeWIdSm+OD1HPDyD1054wEUAgPfRh0TZma+vDirH4RDH0tMubRGOLl17nV+/v7U
- ZgEJAhCYgHEjsPDIpUoHopF1vkhxmhv6YqILLzDftbbmDQUqncs/mgnFCJPNnKVJ
- ldwNj2kuAd2L5VRI0E9k0ZVzg/Aqb8B2wSTiJmQGWI3b0tNfGuC65fe7p8ceJ5vZ
- et8Y1DEjVg==
- =u7aP
- -----END PGP MESSAGE-----
- fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- - created_at: "2024-08-05T20:33:02Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMA6EyPtWBEI+2ARAAsrHbA58mnccH/oWDgoEqwJx+ZkeSWo6Arc0nMhU/Qh+9
- Nl/pKdKm3LsIwkKTRVGDxI4vFRo42LFZE47nyfa70G7GiM1uJnEOx6vLTN0HpL6S
- YQi8Dbb/+WA7QnGDfaEiozGQzsPMAgSVAE3A0rlcLBqQwiGsfhHr1RwEggfXqMG4
- twxWIbKI/8T088b1IFs7fOKxzEB6na7+HoNaG22jlvRY0irMfgti8xeflWmZIKf2
- uY6gM2rCOtCSi8vZEhJiXb5SG1NbyMmVHsz0ZXHwwGsiDACFqISqfR921B0Cuftx
- Nj2pIwKbGyOOsFjlbC3ZGUMplLzYpRMx8LetLMrksWSpzypWdeI166gjF4MncUlQ
- gl5hM7gL/+6k86yxIqTeexVoU24NRcsYCnQKZAK5T2fxQxX0BXppWxju6Jq1erRU
- JZsggrbxELMJfcyrDC1cH/zgAM1kqOi32ZaGiO3U1WA5fxhJPUy5kxoQXSISL7Ng
- mrnnMKIWK7eClQb47a/lYWEIqw1UjJhCPmKVHlcSmiH8FATfr5KjHeFlK8Zou5Ji
- yMbVS7s2P9MeEzdnNC8PSFwjM9K7qXuWJYvDQtUracfxgO3X0r7Z+5g62WmLVDcp
- E26DzDyTrU6Vf6WANOg/V7C7paOasnpcaU62/C65BBtGH23mgEfkJSkBYJWCea7S
- XAHLeksa73OaeO28kTspM4G/Nlh65lr2p92gmcpbqkARvw8dIOUrAqPMRjJHabZq
- vLbFx/uqXDPfALVXNWKGZp3vObGPLImQ1EfjVCYzOlkXXnfVdE+ih9+HIYhX
- =advR
- -----END PGP MESSAGE-----
- fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- - created_at: "2024-08-05T20:33:02Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMAz5uSgHG2iMJAQ//c9NMv/m/qGaJR+2jeu5VAbPwqIfBbrAEiV2s6TlzJRLz
- 7yEo9l/wh2WV+1Ew9dM5Pe8cgezjNaXgCeV8EEMu6dzOb1N++3TQJ7ET10DaOVec
- ofEwDUYj8UHmV0VmhOPWLpceAod5wk4Xm4rlJTFjQ6TKN8U0dBoGS1cxHWwWw8oa
- RebdNmpfSgkj0ohbeD9owxQ7JhqGlOPo1JCz7YI6c6bwQ1wuOC/XqnJt4F5ny8ty
- y/qj1m9KrL5nRRc06qxNtmYODMuS+OeScfcI4grX7wMTUrqaFkCVHcboi5ZD6DzE
- L49PT51/KK/lOlgKjSDfGgRRj9a9UO+7IXnMG0/5kDzRRBJDBzZH/5rujP8ffz+8
- glxGBiBhsLroHbwn3a4BlDHpnuqCKa/7CmSyfGCNPp0TuMPvCVWf6muXA86wo5fQ
- B/qKjvJV15qWJXdKDYyWJAg2B78/dROYbX142R9wPitP8zyj8b3jrzIcoIViAvkl
- L3ZnnhqZxzkKcfc2rBsdadBEquz9+oGj6rKARyhFkT92in6zZO19fBZqTH5y/QYl
- o0bDAbdQKJf36Eqh8G102z2x/Keo7gK/PWwwOi5YrFlgDVk4oBqAHWRgBiEvjSaO
- Z7Ork1eeBUuZLAofzMoNNDaZS0KBfEgE3gczGpcRjjIwTDSIXM8NVtz7aXwZjUTS
- XAG89qkxjGjlnJcRrE6izhiNbepWaOYYWb57VB5jL0TciQJHR7nbOGQh0T+tNKcb
- fKyxZOL8IdGpoqxsRCuaPE5cEwc17XKuu53CfZo9t6hjh8SwRKWGnk7dkYhy
- =vqhH
- -----END PGP MESSAGE-----
- fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- - created_at: "2024-08-05T20:33:02Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMAw5vwmoEJHQ1ARAArape3cqNbLeWh0YdcG9fBcuzyrTGntyD6ccl9Wwc4aTd
- +uNMhCl7758tETPPK4qneAYNSnbnFQcgKj0ATkVMhMuT58g15GMEyXvhUsIukpQ7
- Ca5t+aVh1fmb1pvcWPd4MUUQzt8KKN99+0KfyWzvdsb2jUBKICG3TQvTWXT93+g4
- LjG6TCW+wv06nTquaCEaR4IdEPJRfZEspUXDhi2Wr/AjXIlvfN/yhs2AyTjde5un
- kha2iy85o2NikCYoIaqFvFaEDOGjdcT4g/jaErxXn8sSxOQo9aV/r5Ksm/mXyEI2
- cSrbMfBXwrlrHNZ5VCbYZLbNjIbwFdBV04buZldDT4GYmBW/PG71NeKDrXrgnTOn
- 3fBkXmhFb3gLppMv2v2TY96lGk3Obbfnry1lsgLLW+SvustNe1en3mXSVciCbuEh
- 7bsb4AkJyJXSUFh8jQ1LWxcE9jsI6eIj9eb/tw0QmC0y8Q2fqOV927B8d7Pl2dyU
- K0aryOwn+80ce7sBd/9JRL6SOHB2nK8BpmRO2blAmhrGEjX8kif9hFrXHLU2+7sb
- QC0ccFjoleqhTgsnOXCHwfm0ggejvZhS3GLjABgXBp2LVVYuWZXVhCQuRLsUV2v3
- Wf4fPWaGWw8tTTaW198H0NWfd/FSogzWQcsgknVWM9YS/zzqcQNYsSObwh2q2V/S
- XAFWrPxSexFSi0XiXK7ahhnp7OTIMtw9dy3e0HQ/7F8guhvhwoTcK6bLY2967wyj
- IPh1r+J6g090fN2QXm0oHTSJbhl+fy4bOkXVt/ATyPh6b0yRaxMgSGXWeh3C
- =hGXq
- -----END PGP MESSAGE-----
- fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- - created_at: "2024-08-05T20:33:02Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMA4HMJd/cQYrVARAAwAzM+dgsD/WBFbCFIXhDdsLmmWZMeVLD1AlLTmu/GfGg
- YvHhW4giEaqEzUsQOuxmyND7eQd3fBKf1GcwFLXE9xrR6YD5yh7s898mnCpBi2Xi
- LBPMz7nN/j7mfetPklsTazbbaoSB9hVx8AK7jzS7zvzgEGIm8Yeilx/v8OqbT1xQ
- +07soWjVvqM526a24KSdRBTgvXPJvqIPt0IEZzFWtAppectcRBiZJHX4huU5wOuG
- SEk0vgwCwrt3cades+dbh59cSqUc65qGhDti0tnygnSKgepOkQsFOqoZ/WvgE+io
- 5fNEI4g2/D+gmSelCCcQE0MFe+Uzc1FpsWwZiHnbGfnA55GO0dvoOUAsJQtwCLSq
- 1Lw8bpywgfIfU4QMYmZAaYsHDly4VTwluFe1WnExzf/nMxRQQmqIlg2pTmNZ6tJ1
- 1A9Rc6mg83//2fNWRw+JBtOJUCePw5nyJ0jTOQZd7Dl0ZzwlsgH8g/Y/Flg1kFll
- CXGcJ1TMjTjzD4+Fl3UE+BqpzBjwQodzHqX3LEJ9uJ2guw0zbWzuMs10aTEoW/1U
- pVGexkrcaduykd5TQmMO8yG6rW2KEKJlh68lxZslUAiG0ASTuSpY5A8leS5OZZgF
- EQjs903r1epwJgBwnQGhijpTrmqiThvdE0BJ9r1jmxUy75KzWh/SZDmpCwDfsELS
- XAEceOrsLsaYRqisM5D1zvNneEoGKv3GoS4cs4iuqHPyy2ZueHWK24HmAmrghRQ7
- uLCmS0SmU5CY5gmVRkrKhY/0wtKWqJ10cK17Z/dQtRz6g3qmFM4JBfMy4BL9
- =vZLC
- -----END PGP MESSAGE-----
- fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- - created_at: "2024-08-05T20:33:02Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMAxjNhCKPP69fARAApzEcBIVknhmysQc02ufbjFzKweB4jsCvGoPXSooMzs4x
- p4keH/xaVXF1/nn+bzMHJt1/LV1/5LlyHtQNcZ30hUrziOy4LCnyfNgb5WP3VMP3
- XW6ZcBiEIcUHZ1Ikl/cUNCpKazVRD6o6oKmFCwXKgE9a/l5XX/j3vizQ22vwfgfa
- oziQPhMadfne8hXAJIB7fOn45ZLFNgLqYWW4Jh4L1DJflziNR8kx3NQJLWDmSqqB
- SpuFBkm7DaLCkj/TpvAQs5xSI69kLlDfcaEPI4noAdhJh+jwGVLNmKyekKsYfrDS
- 5cQUVD3Hmn4WnpR2jLJAlwcFaEZt0muiLIxZmAxfSzJhld8G4GOcoAllfG9ze+QG
- oJ3G6jWtJeoCZR5zbdk+lNcQ+iHD6bzrkN+54menxu2XGHkFKQ1es/g+cU0AI3yZ
- XXgnlwNtC75TzZHwSA0kjmqcgr5XVcoLOr5XJWasQOyIXpjcHbfonnMV4NE5A/Jo
- IEMLUdjLBWmjW1xeWo1CJ8hELbpfNaQf8YBzEuo5Yqvs7s0fKl8ea18jwtwYP9qc
- 2CbD+7GpxuK/06gMTt7LExcqt39PVGmeFAtZHNtNBMnZ6Ek5cbWqhjPOCy2MFVaa
- XTH3UxD1YISZC+NZtSYLDWrTwzY3EYCttAxHzg1iFC8STaM/OR6beD0OPcPj+QLS
- XAH6NdHQcUSsFJ0KR4dfOrOnuLDzX2xLsgXJvDhRVbpYwSdeG40j5oGiNpam+z8/
- fDboI4SNzB7Mb4j196kSHWK90sKFsxGkoDGZM/QZh4QA2v0yke1sqkUwkK4I
- =SLD4
- -----END PGP MESSAGE-----
- fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- - created_at: "2024-08-05T20:33:02Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMA1Hthzn+T1OoAQ/+LSHRuYFtIKdxABivqoxvbirPS9Vyo+lYNXMRt9eK5oYp
- 8ei+fyJgsyxXIIlsW2Dg/ZrM8O4aTxkuX1Eg0BhvuWWGBx71S7IGYX+6eSqrZWb+
- 0zLSwKHmk3avGae/IkpKyEdFnGpHKhnILfpKEXVRWHQo5hjxFzUwzNr5N+wJcq19
- sVuCsu4WSt75Ab5bTjl/AYrfYegkK5zXo2I+njIcSYqleQ6vlQ10LUiPg8QhPXqB
- NvC8DVglMHN+dFDrnn5huTsd23nIJn6HRbLkqgPCezT8JUgjvEsO0tOdnM8jwRnI
- K79HH53p3fbxSut+/P+u1X0gMTOT7KeLfY8URho5HQnnmymXbRxuWoQea9/Z3qIX
- 4tfYkcMQA3+rxXANgsfT1yHEs8NjomUxi0SmSCeqtH333iMJJwEwWgLiIKFAA6t9
- SffF9liWeG88VEeAF5dM+7uQ7XrTsAlcdHdNoQCpprx3Hx331rFt1DOj3Md2moF0
- TUqdNsZ7wCA9zlVPwtjkILMGEdz8ZN62an0R/h2ZM9Y/wuZcl1M6wWI9eyjx2Qva
- 7/Xk6LMklmNICifOZZ5Tmw1xSyxOIW8VNp7IiKXZBAjb8NiUveNUos0gjMxNQ3PR
- oWv8LY3vfYiKE7AJhzrEim1PX36OcRYpB+0BAou//9PGI59tHp/Fupi2lWx7Qv3S
- XAEJRUzfnCPB56PdLkNFbJAj2v11zD8zBIZqpuGh/f3fE7V0klGy/Dx9yHyAhw0t
- LeXMrYUYO3zjLc4yh7qdrGPBdWUQg8BzWwIJERdHS90zQwmcTkkaX5en3GII
- =MQ9C
- -----END PGP MESSAGE-----
- fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- - created_at: "2024-08-05T20:33:02Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMA46L6MuPqfJqARAApQx98KdexUMI0KY65hv0IRvBRFouPwpTsd4VpzTsbkYF
- XDBhxWVXkI9iLS8O6siQygVDDMfIDs5SadVoOicWyOpHR5sjOaW9qHA4w399w8Fe
- 5XoPyfUuQvVywfHMhQiznHNPj5+SgcehwUL1i1+qD3h8RZxbgGkvYKinlkkbxzh/
- Tk4lYjcoNvb/10XRWDEy5KxMB2qc2BFEWZk6DrXe9ZUd0IzYh+tA07rUZVu8TRAc
- abx6/0lvgIK45frzYJb17yL/9mCbAUVzSlR/+5LZ+qm73Ax4nsGcGA8nfDVGw/di
- +BbbpBHdCs7/1XEHfrKzuUXOAd0V1HjeQSS6zzcwsfFLMevYMyTLmiTwo6SEoWSk
- nN599ZqPutG94MVtvaKqDY47ABSOr0BZIUn4jdus34GTgDjX3TVTx8KPzemIbUv7
- BQcd654NKQN0poyZegrksnJVfs6OeSULLylufj6vyFNlKbjNR+D1sHhiyKcmyrQf
- T0jDnPgZIzeVbNSdrDywrme+CykRSoFs60GgGYt6p/Omuh7Vp6we05jzY8lUJL76
- VsGqqyCn3JLZb6iWFe+P7JT1VXsl8xsrmn5BKoSMeXqaXctYKuJ2E20gc90a8UXm
- jhnHYeG2QHW1LBgv1yeqCpUIfHxNRr+gJ3cHQLNUuchC3vubf3sBXhHzYXyzyXrS
- XAFwRah/o35ETWbRhFsw+SzJGTgsyUqKAtWGmfTRPsbVvbam63IEsbTSLOdMahmY
- 6uSgIbsZTobna90eVPFM8w3JIx7+Mq0YtdaLgRqpHJtPC7oVgN+RnKbgEEqQ
- =uyf4
- -----END PGP MESSAGE-----
- fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- - created_at: "2024-08-05T20:33:02Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMA4EEKdYEzV0pAQ//QZwerhHFVjR/LahlgmnO/HyiR+wbvNzHEya/rVwuu+st
- V8hNgBFp9N1Y9uh/GFIzZd5ETz7yq0FawRptlt5k0CqVYfsDBIB3ewxukJeyjdj2
- 8E84l9SSdmV5uqWK+MV+uY57C8BBcgWtUpjOTNrGkAqtEd5YrSZwcgtKGVLI2Dd/
- i2I1RYdYP/VTusBtpqPk+IrpJf8jEYcEhl+S0wnG+kh/rhyCCrtda49SgRbuJE2d
- V9JJlASkC6H6DRn6dVcO2BUZss3ZQB+OF9vfo7tnnuU8Mw1C2JWPy9oPiNat5UGE
- zVJZf//m0xBfQVFWFDs95lvqzsBcAAg02tTsclPTtgz9buW5Pph3/OUiq4o/ZWOz
- TMSXGD+Fi/mbP7jJZndtiadMtfOQC1dGC86A5H01aQliWruIMb0Wp55+Zr2Rw39p
- FlhFSfCzyQHgA+uMa45XFaHCaS9pllWoT3QO3csP5ZyeUM8pLvnxwnLB2BTgg+yF
- aV3BP0nzbHAUuaDeb/WtRINKRcKHCqrPPAEvb6X0OU51NvzmaWJphpdrvi3/4sEO
- 5+zDlqSZetaBa9WB1iCeD/u8wNNunCXageLxBucesv1uH5PvF51A/aJvXf1jRCym
- NjSUQw2aSX35nWc9MIcUnO5mB8H4N5BF2FBx8Nq2XnrVgVPqqe1Sc2Ph4tE54QzS
- XAG1bzAX3lHh77xsUuy/Nk3VE3kzJhaxpyz0rPIn6NQ9lVcy4hiyecKL3Jk3Ffcn
- kxeKnjym5E4e3f8cMxWQlc+xtwga5QAD2dU2X9fPj6UxGEbh+gDqLv8wtzMr
- =7R+0
- -----END PGP MESSAGE-----
- fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
- - created_at: "2024-08-05T20:33:02Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hF4DQrf1tCqiJxoSAQdA4XhPBK5WnPVo84ZrCUe92HZSEKtH88GLktniZCmAczcw
- cO5WYiy9D4z/aieGuMTBGg5xRk7eAMZVTbMDV+KXKLVlDwoxKybKSbT+fvhNGJ13
- 0lwBd0RFKYGq4YO+/nUxHZo3hG6qmv3/K06fta/D4p/C5wYefNZVcAj5VqatP3Zi
- I/ktqdDszkc98/bf4fHoQmSxP25Wp65jJBEYeMZgX75M/wguGeIBfEgZB5bgww==
- =0G+m
- -----END PGP MESSAGE-----
- fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- - created_at: "2024-08-05T20:33:02Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMAzdAjw8ldn6CAQ//Vu9YJvMsevJAd4RJwJ5HMdB3xy3dbDG98qZb8Zoj0+qX
- KT/VsR9YoOLeszmzI6BtB2PQhLeavMR2/SFJTGunxaSCvHcd/q7dnC+WAmUVun8l
- MVRkIRh1I+tX1KQBqFt1IzsUm5kwJD4iThn4OWyDlS3WCDFlOLUC1iZVtdqxptzy
- p4mzM4NmR/Z8r8aA+dYdTlzDHyUhVnvYCDaRTIyr2qzd6kUHmo9PMRvqUNQkNA3k
- YOwLt8VR0nZIAx7YOGwSp4E32tk09o7Z+dUIYqXO71c5TxXsOoeEbVn7gj+7KQVs
- yDNMF7he54zjModPJkSa4MjwTC2NKzLClux0aE9dW5Zv2eSiTEIlaAwhJjH0wt8O
- oMJ5A8Y39GmNoAkadQ5NLP6WwTaUFYLacT56/AdAvsodQf7zlF399wXZlQufAgLv
- 3WAvL+LQKpg8TwH74pJe4te4BjnqWvYx+jkRYbRxSXD2iwqrWXk57XysizgjAAre
- FJe42BeL2uyP/cMTcNFcd+W2DztUkNR54FHSYY8mqev81BYX92ExsfEugsBzUaDF
- 3QBnZIZZInCQKnXIIaj5+rV8XXbMKnyTNBQCxfUk92OOrUhikvYhwfPev2ejUzQm
- k8RgIG9ZBWDENGX9ojmTH+ec2gWmLvKGyhrKjWvNMzzblHfuxjdSizoQ1FflYEPS
- XAE9Cu/L0lwQEU8vRRPPF9kRHLoJygxdOYoD4+SggCkPJxtyiCTNWJeOBwbSnGyh
- B8GnNJwNn7H8vh40se/uo2311O8NcuvdLLiBw9DxCTCcPHqS4e5hF98oiSnI
- =ZgbM
- -----END PGP MESSAGE-----
- fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
- unencrypted_suffix: _unencrypted
- version: 3.9.0
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
new file mode 100644
index 0000000..e426a31
--- /dev/null
+++ b/config/hosts/yate/service.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+{
+ systemd.services.yate = {
+ enable = true;
+ description = "Yate telehony engine";
+ unitConfig = {
+ Type = "simple";
+ After="network.target";
+ };
+ serviceConfig = {
+ ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do";
+ Type="simple";
+ Restart="always";
+ # ...
+ };
+ wantedBy = [ "default.target" ];
+ requiredBy = [ "network.target" ];
+ # ...
+ };
+}
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index 236e1f0..c4834bb 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
{
environment.systemPackages = [
@@ -10,69 +10,4 @@
# Just disable it for now.
networking.firewall.enable = false;
-
- users = {
- users.yate = {
- description = "yate service user";
- group = "yate-config";
- isNormalUser = true;
- };
-
- groups.yate-config = {
- members = [ "colmema-deploy" "chaos" "root" "yate"];
- };
- };
-
- environment.etc.yate = {
- user = "yate";
- group = "yate-config";
- mode = "symlink";
- source = "/var/lib/yate";
- };
-
- sops.secrets."git_clone_key" = {
- mode = "0600";
- owner = "yate";
- group = "yate-config";
- restartUnits = [ "yate.service" ];
- };
-
- systemd.services.yate = {
- enable = true;
- description = "Yate telehony engine";
- unitConfig = {
- After= "network-online.target";
- };
- serviceConfig = {
- ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
- Type="simple";
- Restart="always";
- User="yate";
- Group="yate-config";
- StateDirectory = "yate";
- StateDirectoryMode = "0775";
- };
- wantedBy = [ "default.target" ];
- requires = [ "network-online.target" ];
- preStart = ''
- echo "\n" >> /run/secrets/git_clone_key
- sleep 5
- id
- echo "$(stat -c '%U' /var/lib/yate/.git) owns /var/lib/yate/.git"
- SSH_SUCCESS=1
- ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0
- if [[ $SSH_SUCCESS = 1 && $(stat -c '%U' /var/lib/yate/.git) == *yate* ]]; then
- rm -rf /var/lib/yate/*
- rm -rf /var/lib/yate/.*
- env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
- ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory "/var/lib/yate"
- fi
- '';
- reload= ''
- id
- ${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate
- /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
- /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/master
- '';
- };
}
diff --git a/deployment_configuration.json b/deployment_configuration.json
index 9c2f99a..20b9f00 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -3,6 +3,9 @@
"targetUser": "colmena-deploy"
},
"hosts": {
+ "netbox": {
+ "targetHostname": "netbox-intern.hamburg.ccc.de"
+ },
"matrix": {
"targetHostname": "matrix-intern.hamburg.ccc.de"
},
@@ -15,6 +18,12 @@
"forgejo-actions-runner": {
"targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de"
},
+ "eh22-wiki": {
+ "targetHostname": "eh22-wiki-intern.hamburg.ccc.de"
+ },
+ "nix-box-june": {
+ "targetHostname": "nix-box-june-intern.hamburg.ccc.de"
+ },
"mjolnir": {
"targetHostname": "mjolnir-intern.hamburg.ccc.de"
},
diff --git a/flake.lock b/flake.lock
index 57a29de..24f50dd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,26 +1,12 @@
{
"nodes": {
- "authorizedKeysRepo": {
- "flake": false,
- "locked": {
- "lastModified": 1745870473,
- "narHash": "sha256-GMU6gfG1+3OjTuoiIYQg9yefzrz+RVVesqXa8jmOuCE=",
- "rev": "fc95460e9e6ae759b2b08c93b10a8e010e9e14e6",
- "type": "tarball",
- "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6"
- },
- "original": {
- "type": "tarball",
- "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz"
- }
- },
"nixlib": {
"locked": {
- "lastModified": 1736643958,
- "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
+ "lastModified": 1729386149,
+ "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
- "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
+ "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
"type": "github"
},
"original": {
@@ -32,14 +18,16 @@
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": [
+ "nixpkgs"
+ ]
},
"locked": {
- "lastModified": 1747663185,
- "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
+ "lastModified": 1729472750,
+ "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
"owner": "nix-community",
"repo": "nixos-generators",
- "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
+ "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
"type": "github"
},
"original": {
@@ -50,41 +38,57 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1736657626,
- "narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=",
- "owner": "NixOS",
+ "lastModified": 1730428893,
+ "narHash": "sha256-fLLUd2dO/Vnf96UDr8YPzerYi+n99l3S5yIUDnmcPBE=",
+ "owner": "nixos",
"repo": "nixpkgs",
- "rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e",
+ "rev": "38edd08881ce4dc24056eec173b43587a93c990f",
"type": "github"
},
"original": {
- "owner": "NixOS",
- "ref": "nixpkgs-unstable",
+ "owner": "nixos",
+ "ref": "nixos-24.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
- "nixpkgs_2": {
+ "nixpkgs-stable": {
"locked": {
- "lastModified": 1747485343,
- "narHash": "sha256-YbsZyuRE1tobO9sv0PUwg81QryYo3L1F3R3rF9bcG38=",
+ "lastModified": 1729973466,
+ "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "release-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-unstable": {
+ "locked": {
+ "lastModified": 1730449684,
+ "narHash": "sha256-Hlv3rTPxnO+DpKRXw9yjzERLdk05h7+fEbZxWM2taCw=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "9b5ac7ad45298d58640540d0323ca217f32a6762",
+ "rev": "ab464abbeb3a2833288c6e907488c49c2e599f88",
"type": "github"
},
"original": {
"owner": "nixos",
- "ref": "nixos-24.11",
+ "ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
- "authorizedKeysRepo": "authorizedKeysRepo",
"nixos-generators": "nixos-generators",
- "nixpkgs": "nixpkgs_2",
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix"
}
},
@@ -92,14 +96,15 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
- ]
+ ],
+ "nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
- "lastModified": 1747603214,
- "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+ "lastModified": 1729999681,
+ "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+ "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index a95ee8e..b787f78 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,13 +5,14 @@
# Use the NixOS small channels for nixpkgs.
# https://nixos.org/manual/nixos/stable/#sec-upgrading
# https://github.com/NixOS/nixpkgs
- nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
# Add nixos-generators as an input.
# See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
nixos-generators = {
url = "github:nix-community/nixos-generators";
- #inputs.nixpkgs.follows = "nixpkgs";
+ inputs.nixpkgs.follows = "nixpkgs";
};
# Add sops-nix as an input for secret management.
@@ -20,184 +21,214 @@
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
-
- authorizedKeysRepo = {
- url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz";
- flake = false;
- };
};
- outputs = { self, nixpkgs, nixos-generators, sops-nix, authorizedKeysRepo, ... }:
+ outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
let
- specialArgs = {
- inherit authorizedKeysRepo;
- };
system = "x86_64-linux";
+ shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: {
+ shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
+ # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
+ configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
+ buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
+ });
+ };
+ pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
in
{
- nixosModules = {
- common = ./config/common;
- proxmox-vm = ./config/proxmox-vm;
- prometheus-exporter = ./config/extra/prometheus-exporter.nix;
- };
nixosConfigurations = {
audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
+ { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; }
./config/hosts/audio-hauptraum-kueche
];
};
audio-hauptraum-tafel = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
+ { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; }
./config/hosts/audio-hauptraum-tafel
];
};
esphome = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
./config/hosts/esphome
];
};
public-reverse-proxy = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
./config/hosts/public-reverse-proxy
];
};
- matrix = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ netbox = nixpkgs.lib.nixosSystem {
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
sops-nix.nixosModules.sops
- self.nixosModules.prometheus-exporter
+ ./config/extra/prometheus-exporter.nix
+ ./config/hosts/netbox
+ ];
+ };
+
+ matrix = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./config/common
+ ./config/proxmox-vm
+ sops-nix.nixosModules.sops
+ ./config/extra/prometheus-exporter.nix
./config/hosts/matrix
];
};
public-web-static = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
sops-nix.nixosModules.sops
- self.nixosModules.prometheus-exporter
+ ./config/extra/prometheus-exporter.nix
./config/hosts/public-web-static
];
};
git = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
sops-nix.nixosModules.sops
- self.nixosModules.prometheus-exporter
+ ./config/extra/prometheus-exporter.nix
./config/hosts/git
];
};
forgejo-actions-runner = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
sops-nix.nixosModules.sops
- self.nixosModules.prometheus-exporter
+ ./config/extra/prometheus-exporter.nix
./config/hosts/forgejo-actions-runner
];
};
ptouch-print-server = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
./config/hosts/ptouch-print-server
];
};
- yate = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ eh22-wiki = nixpkgs.lib.nixosSystem {
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
- sops-nix.nixosModules.sops
+ ./config/common
+ ./config/proxmox-vm
+ ./config/extra/prometheus-exporter.nix
+ ./config/hosts/eh22-wiki
+ ];
+ };
+
+ nix-box-june = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./config/common
+ ./config/proxmox-vm
+ ./config/extra/prometheus-exporter.nix
+ ./config/hosts/nix-box-june
+ ];
+ };
+
+ yate = nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ ./config/common
+ ./config/proxmox-vm
./config/hosts/yate
];
};
mqtt = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
./config/hosts/mqtt
];
};
mjolnir = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
sops-nix.nixosModules.sops
- self.nixosModules.prometheus-exporter
+ ./config/extra/prometheus-exporter.nix
./config/hosts/mjolnir
];
};
woodpecker = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
sops-nix.nixosModules.sops
- self.nixosModules.prometheus-exporter
+ ./config/extra/prometheus-exporter.nix
./config/hosts/woodpecker
];
+ specialArgs = {
+ inherit pkgs-unstable;
+ };
};
status = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
sops-nix.nixosModules.sops
./config/hosts/status
];
};
penpot = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
sops-nix.nixosModules.sops
- self.nixosModules.prometheus-exporter
+ ./config/extra/prometheus-exporter.nix
./config/hosts/penpot
];
};
hydra = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
+ inherit system;
modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
- self.nixosModules.prometheus-exporter
+ ./config/common
+ ./config/proxmox-vm
+ ./config/extra/prometheus-exporter.nix
./config/hosts/hydra
];
};
@@ -205,24 +236,22 @@
packages.x86_64-linux = {
proxmox-nixos-template = nixos-generators.nixosGenerate {
- inherit specialArgs;
system = "x86_64-linux";
modules = [
./config/nixos-generators/proxmox.nix
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
];
format = "proxmox";
};
proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate {
- inherit specialArgs;
system = "x86_64-linux";
modules = [
./config/nixos-generators/proxmox-chaosknoten.nix
./config/proxmox-chaosknoten-additional-initial-config.nix
- self.nixosModules.common
- self.nixosModules.proxmox-vm
+ ./config/common
+ ./config/proxmox-vm
];
format = "proxmox";
};
diff --git a/modules/services/audio/shairport-sync.nix b/modules/services/audio/shairport-sync.nix
index 43d1285..cbc58e7 100644
--- a/modules/services/audio/shairport-sync.nix
+++ b/modules/services/audio/shairport-sync.nix
@@ -17,7 +17,6 @@ in
config = mkIf cfg.enable {
services.shairport-sync = {
enable = true;
- package = pkgs.shairport-sync-airplay2;
arguments = "-o pw -v";
};