From e4f5655c8806c223ed9d540843b400b9329b9cef Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Tue, 12 Nov 2024 22:36:51 +0100
Subject: [PATCH 01/46] add required nixConfig option
---
flake.nix | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/flake.nix b/flake.nix
index b787f78..7295b4c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,10 @@
{
description = "CCCHH Nix Infrastructure";
+ nixConfig = {
+ allow-import-from-derivation = true;
+ };
+
inputs = {
# Use the NixOS small channels for nixpkgs.
# https://nixos.org/manual/nixos/stable/#sec-upgrading
From cf46da9df7a9036a8c600701042fe390c5c842d8 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 12 Nov 2024 23:06:01 +0100
Subject: [PATCH 02/46] public-web-static: make c3cat.de and www work as well
as staging
---
.../virtualHosts/c3cat.de.nix | 61 +++++++++++++++++--
.../virtualHosts/default.nix | 1 +
.../virtualHosts/staging.c3cat.de.nix | 60 ++++++++++++++++++
3 files changed, 116 insertions(+), 6 deletions(-)
create mode 100644 config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix
diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
index f1ad527..91d3a40 100644
--- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
@@ -1,10 +1,19 @@
{ pkgs, ... }:
-{
+let
+ domain = "c3cat.de";
+ dataDir = "/var/www/${domain}";
+ deployUser = "c3cat-website-deploy";
+in {
+ security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
+
services.nginx.virtualHosts = {
- "acme-c3cat.de" = {
+ "acme-${domain}" = {
enableACME = true;
- serverName = "c3cat.de";
+ serverName = "${domain}";
+ serverAliases = [
+ "www.${domain}"
+ ];
listen = [
{
@@ -14,9 +23,9 @@
];
};
- "c3cat.de" = {
+ "$www.${domain}" = {
forceSSL = true;
- useACMEHost = "c3cat.de";
+ useACMEHost = "${domain}";
listen = [
{
@@ -28,7 +37,7 @@
];
locations."/" = {
- return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
+ return = "302 https://c3cat.de$request_uri";
};
extraConfig = ''
@@ -42,5 +51,45 @@
real_ip_header proxy_protocol;
'';
};
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
};
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ users.users."${deployUser}" = {
+ isNormalUser = true;
+ group = "${deployUser}";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
+ ];
+ };
+ users.groups."${deployUser}" = { };
}
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index dac4fa4..c9d77ef 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -9,6 +9,7 @@
./hackertours.hamburg.ccc.de.nix
./hamburg.ccc.de.nix
./spaceapi.hamburg.ccc.de.nix
+ ./staging.c3cat.de.nix
./staging.hacker.tours.nix
./staging.hackertours.hamburg.ccc.de.nix
./staging.hamburg.ccc.de.nix
diff --git a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix
new file mode 100644
index 0000000..c91d283
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix
@@ -0,0 +1,60 @@
+{ pkgs, ... }:
+
+let
+ domain = "staging.c3cat.de";
+ dataDir = "/var/www/${domain}";
+ deployUser = "c3cat-website-deploy";
+in {
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ # Disallow *, since this is staging and doesn't need to be in any search
+ # results.
+ locations."/robots.txt" = {
+ return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ # c3cat deploy user already defined in c3cat.de.nix.
+}
From d98aa099e1d42f5e3705b860463ddea95058fd55 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 10 Nov 2024 18:14:42 +0100
Subject: [PATCH 03/46] license this repo under the MIT license
All previous contributors are asked to sign off on licensing this repo
under the MIT license in PR 12
(https://git.hamburg.ccc.de/CCCHH/nix-infra/pulls/12). Once all
contributors signed-off, this commit will be merged into the main
branch and this repo will be licensed under the MIT license.
Don't track copyright years in the license, as that is cumbersome and
also not done in other projects anymore:
https://daniel.haxx.se/blog/2023/01/08/copyright-without-years/
https://github.com/rails/rails/pull/47467
MIT License:
https://opensource.org/license/MIT
https://choosealicense.com/licenses/mit/
---
LICENSE | 21 +++++++++++++++++++++
README.md | 4 ++++
2 files changed, 25 insertions(+)
create mode 100644 LICENSE
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..37eee6c
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) CCCHH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
index bd3a29a..186f14a 100644
--- a/README.md
+++ b/README.md
@@ -73,3 +73,7 @@ Build a new NixOS Proxmox VE Template for the chaosknoten:
```shell
nix build .#proxmox-chaosknoten-nixos-template
```
+
+## License
+
+This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
From c25d6c6326fec50b815ff6ab46dc185a12180d5f Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sun, 17 Nov 2024 03:02:17 +0100
Subject: [PATCH 04/46] revert: useing pkgs.fetchGit for authorized keys
reverts the changes from ec64eebfd6c3b006b7ff5d5c3bda750cf04a5662
it brakes some of the flake process we use,
setting 'allow-import-from-derivation' doesn't seem like a good fix to me and doesn't work in all cases.
I couldn't find any other solution to fix it for now,
so we will revert it for now, until we have a better solution.
---
config/common/users.nix | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/common/users.nix b/config/common/users.nix
index 026929b..400a106 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -9,10 +9,10 @@
{ config, pkgs, lib, ... }:
let
- authorizedKeysRepo = pkgs.fetchgit {
- url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
+ authorizedKeysRepo = builtins.fetchGit {
+ url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git";
+ ref = "trunk";
rev = "686a6af22f6696f0c0595c56f463c078550049fc";
- hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=";
};
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
in
From 7d58a3db4a4ac864aab7717ea87b0db8c3ac5adc Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Tue, 5 Nov 2024 00:02:41 +0100
Subject: [PATCH 05/46] move overlay to overlays output
---
flake.nix | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/flake.nix b/flake.nix
index b787f78..7fd9b80 100644
--- a/flake.nix
+++ b/flake.nix
@@ -26,23 +26,25 @@
outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
let
system = "x86_64-linux";
- shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: {
- shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
- # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
- configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
- buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
- });
- };
pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
in
{
+ overlays = {
+ shairportSyncAirplay2 = final: prev: {
+ shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
+ # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
+ configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
+ buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
+ });
+ };
+ };
nixosConfigurations = {
audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
./config/common
./config/proxmox-vm
- { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; }
+ { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
./config/hosts/audio-hauptraum-kueche
];
};
@@ -52,7 +54,7 @@
modules = [
./config/common
./config/proxmox-vm
- { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; }
+ { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
./config/hosts/audio-hauptraum-tafel
];
};
From 6c85b91efbfc0a5e46f06b8308575507c9bba20d Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Tue, 5 Nov 2024 22:43:53 +0100
Subject: [PATCH 06/46] make use of nixosModules output
---
flake.nix | 111 ++++++++++++++++++++++++++++--------------------------
1 file changed, 58 insertions(+), 53 deletions(-)
diff --git a/flake.nix b/flake.nix
index 7fd9b80..da7b32e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -38,12 +38,17 @@
});
};
};
+ nixosModules = {
+ common = ./config/common;
+ proxmox-vm = ./config/proxmox-vm;
+ prometheus-exporter = ./config/extra/prometheus-exporter.nix;
+ };
nixosConfigurations = {
audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
{ nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
./config/hosts/audio-hauptraum-kueche
];
@@ -52,8 +57,8 @@
audio-hauptraum-tafel = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
{ nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
./config/hosts/audio-hauptraum-tafel
];
@@ -62,8 +67,8 @@
esphome = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
./config/hosts/esphome
];
};
@@ -71,8 +76,8 @@
public-reverse-proxy = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
./config/hosts/public-reverse-proxy
];
};
@@ -80,10 +85,10 @@
netbox = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops
- ./config/extra/prometheus-exporter.nix
+ self.nixosModules.prometheus-exporter
./config/hosts/netbox
];
};
@@ -91,10 +96,10 @@
matrix = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops
- ./config/extra/prometheus-exporter.nix
+ self.nixosModules.prometheus-exporter
./config/hosts/matrix
];
};
@@ -102,10 +107,10 @@
public-web-static = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops
- ./config/extra/prometheus-exporter.nix
+ self.nixosModules.prometheus-exporter
./config/hosts/public-web-static
];
};
@@ -113,10 +118,10 @@
git = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops
- ./config/extra/prometheus-exporter.nix
+ self.nixosModules.prometheus-exporter
./config/hosts/git
];
};
@@ -124,10 +129,10 @@
forgejo-actions-runner = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops
- ./config/extra/prometheus-exporter.nix
+ self.nixosModules.prometheus-exporter
./config/hosts/forgejo-actions-runner
];
};
@@ -135,8 +140,8 @@
ptouch-print-server = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
./config/hosts/ptouch-print-server
];
};
@@ -144,9 +149,9 @@
eh22-wiki = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
- ./config/extra/prometheus-exporter.nix
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
+ self.nixosModules.prometheus-exporter
./config/hosts/eh22-wiki
];
};
@@ -154,9 +159,9 @@
nix-box-june = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
- ./config/extra/prometheus-exporter.nix
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
+ self.nixosModules.prometheus-exporter
./config/hosts/nix-box-june
];
};
@@ -164,8 +169,8 @@
yate = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
./config/hosts/yate
];
};
@@ -173,8 +178,8 @@
mqtt = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
./config/hosts/mqtt
];
};
@@ -182,10 +187,10 @@
mjolnir = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops
- ./config/extra/prometheus-exporter.nix
+ self.nixosModules.prometheus-exporter
./config/hosts/mjolnir
];
};
@@ -193,10 +198,10 @@
woodpecker = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops
- ./config/extra/prometheus-exporter.nix
+ self.nixosModules.prometheus-exporter
./config/hosts/woodpecker
];
specialArgs = {
@@ -207,8 +212,8 @@
status = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops
./config/hosts/status
];
@@ -217,10 +222,10 @@
penpot = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops
- ./config/extra/prometheus-exporter.nix
+ self.nixosModules.prometheus-exporter
./config/hosts/penpot
];
};
@@ -228,9 +233,9 @@
hydra = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
- ./config/common
- ./config/proxmox-vm
- ./config/extra/prometheus-exporter.nix
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
+ self.nixosModules.prometheus-exporter
./config/hosts/hydra
];
};
@@ -241,8 +246,8 @@
system = "x86_64-linux";
modules = [
./config/nixos-generators/proxmox.nix
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
];
format = "proxmox";
};
@@ -252,8 +257,8 @@
modules = [
./config/nixos-generators/proxmox-chaosknoten.nix
./config/proxmox-chaosknoten-additional-initial-config.nix
- ./config/common
- ./config/proxmox-vm
+ self.nixosModules.common
+ self.nixosModules.proxmox-vm
];
format = "proxmox";
};
From f7ebe660fe961a4ee7944aca10cf4ca3c50cd407 Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Tue, 5 Nov 2024 22:52:02 +0100
Subject: [PATCH 07/46] format files with `nix fmt`
---
config/hosts/eh22-wiki/dokuwiki.nix | 5 ++-
config/hosts/mqtt/configuration.nix | 12 ++---
config/hosts/mqtt/default.nix | 12 ++---
config/hosts/mqtt/mosquitto.nix | 44 +++++++++----------
config/hosts/nix-box-june/users.nix | 2 +-
.../virtualHosts/hacker.tours.nix | 3 +-
.../hackertours.hamburg.ccc.de.nix | 3 +-
.../historic-easterhegg/default.nix | 4 +-
.../virtualHosts/historic-easterhegg/eh03.nix | 4 +-
.../virtualHosts/historic-easterhegg/eh05.nix | 8 ++--
.../virtualHosts/historic-easterhegg/eh07.nix | 4 +-
.../virtualHosts/historic-easterhegg/eh09.nix | 4 +-
.../virtualHosts/historic-easterhegg/eh11.nix | 4 +-
.../virtualHosts/staging.hacker.tours.nix | 3 +-
.../staging.hackertours.hamburg.ccc.de.nix | 3 +-
config/hosts/yate/service.nix | 8 ++--
16 files changed, 64 insertions(+), 59 deletions(-)
diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix
index c0eafaa..f9a7cbd 100644
--- a/config/hosts/eh22-wiki/dokuwiki.nix
+++ b/config/hosts/eh22-wiki/dokuwiki.nix
@@ -21,7 +21,8 @@ let
app = "dokuwiki";
domain = "eh22.easterhegg.eu";
dataDir = "/srv/www/${domain}";
-in {
+in
+{
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${app} ${app}"
];
@@ -76,7 +77,7 @@ in {
default = true;
enableACME = true;
serverName = "${domain}";
-
+
listen = [
{
addr = "0.0.0.0";
diff --git a/config/hosts/mqtt/configuration.nix b/config/hosts/mqtt/configuration.nix
index 18d0184..793807d 100644
--- a/config/hosts/mqtt/configuration.nix
+++ b/config/hosts/mqtt/configuration.nix
@@ -1,10 +1,10 @@
{ ... }:
{
- networking = {
- hostName = "mqtt";
- domain = "z9.ccchh.net";
- };
+ networking = {
+ hostName = "mqtt";
+ domain = "z9.ccchh.net";
+ };
- system.stateVersion = "23.11";
-}
\ No newline at end of file
+ system.stateVersion = "23.11";
+}
diff --git a/config/hosts/mqtt/default.nix b/config/hosts/mqtt/default.nix
index bb61c12..bc91d9f 100644
--- a/config/hosts/mqtt/default.nix
+++ b/config/hosts/mqtt/default.nix
@@ -1,9 +1,9 @@
{ pkgs, ... }:
{
- imports = [
- ./configuration.nix
- ./networking.nix
- ./mosquitto.nix
- ];
-}
\ No newline at end of file
+ imports = [
+ ./configuration.nix
+ ./networking.nix
+ ./mosquitto.nix
+ ];
+}
diff --git a/config/hosts/mqtt/mosquitto.nix b/config/hosts/mqtt/mosquitto.nix
index 672c05d..d093bd8 100644
--- a/config/hosts/mqtt/mosquitto.nix
+++ b/config/hosts/mqtt/mosquitto.nix
@@ -5,29 +5,29 @@
{ ... }:
{
- services.mosquitto = {
- enable = true;
- persistence = true;
+ services.mosquitto = {
+ enable = true;
+ persistence = true;
- # set config for all listeners
- listeners = [ {
- settings.allow_anonymous = true;
- omitPasswordAuth = true;
- acl = ["topic readwrite #"];
- } ];
+ # set config for all listeners
+ listeners = [{
+ settings.allow_anonymous = true;
+ omitPasswordAuth = true;
+ acl = [ "topic readwrite #" ];
+ }];
- bridges.winkekatz = {
- addresses = [
- { address = "mqtt.winkekatze24.de"; }
- ];
- topics = [
- "winkekatze/allcats/eye/set in 2"
- "winkekatze/allcats in 2"
- "+/status out 2 winkekatze/ \"\""
- "+/connected out 2 winkekatze/ \"\""
- ];
- };
+ bridges.winkekatz = {
+ addresses = [
+ { address = "mqtt.winkekatze24.de"; }
+ ];
+ topics = [
+ "winkekatze/allcats/eye/set in 2"
+ "winkekatze/allcats in 2"
+ "+/status out 2 winkekatze/ \"\""
+ "+/connected out 2 winkekatze/ \"\""
+ ];
};
+ };
- networking.firewall.allowedTCPPorts = [ 1883 ];
-}
\ No newline at end of file
+ networking.firewall.allowedTCPPorts = [ 1883 ];
+}
diff --git a/config/hosts/nix-box-june/users.nix b/config/hosts/nix-box-june/users.nix
index 9f1b217..dfb333e 100644
--- a/config/hosts/nix-box-june/users.nix
+++ b/config/hosts/nix-box-june/users.nix
@@ -26,7 +26,7 @@
};
yuri = {
isNormalUser = true;
- openssh.authorizedKeys.keys = [
+ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
];
diff --git a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix
index 7eaa086..1ee6180 100644
--- a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix
+++ b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix
@@ -4,7 +4,8 @@ let
domain = "hacker.tours";
dataDir = "/var/www/${domain}";
deployUser = "hackertours-website-deploy";
-in {
+in
+{
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
diff --git a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
index 2077ca7..b0104b6 100644
--- a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
@@ -4,7 +4,8 @@ let
domain = "hackertours.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "ht-ccchh-website-deploy";
-in {
+in
+{
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
index fe53d04..69d8855 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
@@ -1,4 +1,4 @@
-{...}:
+{ ... }:
{
imports = [
@@ -9,4 +9,4 @@
./eh11.nix
./eh20.nix
];
-}
\ No newline at end of file
+}
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
index 60d4f21..2c5dd86 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
@@ -6,7 +6,7 @@ let
rev = "74977c56486cd060566bf06678a936e801952f9e";
hash = "sha256-ded/NO+Jex2Sa4yWAIRpqANsv8i0vKmJSkM5r9KxaVk=";
};
-in
+in
{
security.acme.certs."eh03.easterhegg.eu".extraDomainNames = [
"eh2003.hamburg.ccc.de"
@@ -48,7 +48,7 @@ in
}];
locations."/".return = "302 https://eh03.easterhegg.eu";
-
+
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
index 7651666..37cb893 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
@@ -48,7 +48,7 @@ in
}];
locations."/".return = "302 https://eh05.easterhegg.eu";
-
+
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
@@ -60,7 +60,7 @@ in
real_ip_header proxy_protocol;
'';
};
-
+
"eh05.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh05.easterhegg.eu";
@@ -71,7 +71,7 @@ in
ssl = true;
proxyProtocol = true;
}];
-
+
locations."/" = {
index = "index.shtml";
root = eh05;
@@ -80,7 +80,7 @@ in
default_type text/html;
# Enable SSI
ssi on;
- '';
+ '';
};
extraConfig = ''
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
index 40fe480..ebfa712 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
@@ -54,7 +54,7 @@ in
}];
locations."/".return = "302 https://eh07.easterhegg.eu";
-
+
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
@@ -86,7 +86,7 @@ in
default_type text/html;
# Enable SSI
ssi on;
- '';
+ '';
};
extraConfig = ''
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix
index f7416ed..ea274af 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix
@@ -54,7 +54,7 @@ in
}];
locations."/".return = "302 https://eh09.easterhegg.eu";
-
+
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
@@ -86,7 +86,7 @@ in
default_type text/html;
# Enable SSI
ssi on;
- '';
+ '';
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix
index c409641..39d7fad 100644
--- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix
+++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix
@@ -54,7 +54,7 @@ in
}];
locations."/".return = "302 https://eh11.easterhegg.eu";
-
+
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
@@ -86,7 +86,7 @@ in
default_type text/html;
# Enable SSI
ssi on;
- '';
+ '';
};
extraConfig = ''
diff --git a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
index 382f1b6..14ede9b 100644
--- a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
@@ -4,7 +4,8 @@ let
domain = "staging.hacker.tours";
dataDir = "/var/www/${domain}";
deployUser = "hackertours-website-deploy";
-in {
+in
+{
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
diff --git a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
index 4b71d53..79ca38c 100644
--- a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
@@ -4,7 +4,8 @@ let
domain = "staging.hackertours.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "ht-ccchh-website-deploy";
-in {
+in
+{
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index e426a31..e031d4d 100644
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
@@ -6,16 +6,16 @@
description = "Yate telehony engine";
unitConfig = {
Type = "simple";
- After="network.target";
+ After = "network.target";
};
serviceConfig = {
ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do";
- Type="simple";
- Restart="always";
+ Type = "simple";
+ Restart = "always";
# ...
};
wantedBy = [ "default.target" ];
- requiredBy = [ "network.target" ];
+ requiredBy = [ "network.target" ];
# ...
};
}
From e404d4740f4e2c365db07d754e34cc5c8dfd61f0 Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Tue, 5 Nov 2024 22:56:55 +0100
Subject: [PATCH 08/46] remove nixpkgs-unstable
the current version of woodpecker-server in stable now has the features this was original used for, not other usages of unstable are in tree left so removing it.
---
.../woodpecker-agent/woodpecker-agent.nix | 5 ++---
.../woodpecker-server/woodpecker-server.nix | 6 ++----
flake.lock | 17 -----------------
flake.nix | 7 +------
4 files changed, 5 insertions(+), 30 deletions(-)
diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
index dc89021..8c6847b 100644
--- a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
+++ b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
@@ -3,13 +3,12 @@
# - https://woodpecker-ci.org/docs/administration/agent-config
# - https://woodpecker-ci.org/docs/administration/backends/docker
-{ config, pkgs, pkgs-unstable, ... }:
+{ config, pkgs, ... }:
{
services.woodpecker-agents.agents."docker" = {
enable = true;
- # Since we use woodpecker-server from unstable, use the agent from unstable as well.
- package = pkgs-unstable.woodpecker-agent;
+ package = pkgs.woodpecker-agent;
extraGroups = [ "docker" ];
environment = {
WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}";
diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
index 464af13..2baafc5 100644
--- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
+++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
@@ -5,14 +5,12 @@
# - https://woodpecker-ci.org/docs/administration/forges/forgejo
# - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
-{ config, pkgs, pkgs-unstable, ... }:
+{ config, pkgs, ... }:
{
services.woodpecker-server = {
enable = true;
- # Use package from unstable to get at least version 2.6.0 for native Forgejo support.
- # https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0
- package = pkgs-unstable.woodpecker-server;
+ package = pkgs.woodpecker-server;
environment = {
WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de";
WOODPECKER_SERVER_ADDR = ":8001";
diff --git a/flake.lock b/flake.lock
index 58d521b..74a5396 100644
--- a/flake.lock
+++ b/flake.lock
@@ -68,27 +68,10 @@
"type": "github"
}
},
- "nixpkgs-unstable": {
- "locked": {
- "lastModified": 1731265036,
- "narHash": "sha256-e5I+glVZwQvLT6WIeMFi0Mk+N/jkYauZ31ir2NRZcf8=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "8aed22ecd71e5b67e5299efae8b9dc580dec711c",
- "type": "github"
- },
- "original": {
- "owner": "nixos",
- "ref": "nixos-unstable-small",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
"root": {
"inputs": {
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs",
- "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix"
}
},
diff --git a/flake.nix b/flake.nix
index da7b32e..f575ac6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -6,7 +6,6 @@
# https://nixos.org/manual/nixos/stable/#sec-upgrading
# https://github.com/NixOS/nixpkgs
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
- nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
# Add nixos-generators as an input.
# See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
@@ -23,10 +22,9 @@
};
};
- outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
+ outputs = { self, nixpkgs, nixos-generators, sops-nix, ... }:
let
system = "x86_64-linux";
- pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
in
{
overlays = {
@@ -204,9 +202,6 @@
self.nixosModules.prometheus-exporter
./config/hosts/woodpecker
];
- specialArgs = {
- inherit pkgs-unstable;
- };
};
status = nixpkgs.lib.nixosSystem {
From 53e33a6641791d61d58c9bd007d4ea05d96e82a6 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sun, 17 Nov 2024 20:24:35 +0100
Subject: [PATCH 09/46] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixos-generators':
'github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565' (2024-10-21)
→ 'github:nix-community/nixos-generators/06ffce1a8d95e95c06a4bcfa117dd960b14a7101' (2024-11-14)
• Updated input 'nixos-generators/nixlib':
'github:nix-community/nixpkgs.lib/cce4521b6df014e79a7b7afc58c703ed683c916e' (2024-10-20)
→ 'github:nix-community/nixpkgs.lib/e04234d263750db01c78a412690363dc2226e68a' (2024-11-10)
• Updated input 'nixos-generators/nixpkgs':
follows 'nixpkgs'
→ 'github:NixOS/nixpkgs/aebe249544837ce42588aa4b2e7972222ba12e8f' (2024-11-10)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/11f65b4b0405cff5b54c813626bddcf5435d7ad2' (2024-11-09)
→ 'github:nixos/nixpkgs/bf6132dc791dbdff8b6894c3a85eb27ad8255682' (2024-11-17)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/f1675e3b0e1e663a4af49be67ecbc9e749f85eb7' (2024-11-10)
→ 'github:Mic92/sops-nix/472741cf3fee089241ac9ea705bb2b9e0bfa2978' (2024-11-17)
• Removed input 'sops-nix/nixpkgs-stable'
---
flake.lock | 65 ++++++++++++++++++++++++++----------------------------
flake.nix | 2 +-
2 files changed, 32 insertions(+), 35 deletions(-)
diff --git a/flake.lock b/flake.lock
index 74a5396..a41bdb5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
"nodes": {
"nixlib": {
"locked": {
- "lastModified": 1729386149,
- "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+ "lastModified": 1731200463,
+ "narHash": "sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
- "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
+ "rev": "e04234d263750db01c78a412690363dc2226e68a",
"type": "github"
},
"original": {
@@ -18,16 +18,14 @@
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
- "nixpkgs": [
- "nixpkgs"
- ]
+ "nixpkgs": "nixpkgs"
},
"locked": {
- "lastModified": 1729472750,
- "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
+ "lastModified": 1731546190,
+ "narHash": "sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8+ErehqI=",
"owner": "nix-community",
"repo": "nixos-generators",
- "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
+ "rev": "06ffce1a8d95e95c06a4bcfa117dd960b14a7101",
"type": "github"
},
"original": {
@@ -38,11 +36,27 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1731133565,
- "narHash": "sha256-tCErjTdCUWK06LzkcvwUM+3pyrrmdf8e0VDBBTgqznE=",
+ "lastModified": 1731245184,
+ "narHash": "sha256-vmLS8+x+gHRv1yzj3n+GTAEObwmhxmkkukB2DwtJRdU=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "aebe249544837ce42588aa4b2e7972222ba12e8f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1731842749,
+ "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "11f65b4b0405cff5b54c813626bddcf5435d7ad2",
+ "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
"type": "github"
},
"original": {
@@ -52,26 +66,10 @@
"type": "github"
}
},
- "nixpkgs-stable": {
- "locked": {
- "lastModified": 1730602179,
- "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
- "type": "github"
- },
- "original": {
- "owner": "NixOS",
- "ref": "release-24.05",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
"root": {
"inputs": {
"nixos-generators": "nixos-generators",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
"sops-nix": "sops-nix"
}
},
@@ -79,15 +77,14 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
- ],
- "nixpkgs-stable": "nixpkgs-stable"
+ ]
},
"locked": {
- "lastModified": 1731213149,
- "narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=",
+ "lastModified": 1731862312,
+ "narHash": "sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7",
+ "rev": "472741cf3fee089241ac9ea705bb2b9e0bfa2978",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index f575ac6..5d1d5e3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,7 +11,7 @@
# See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
nixos-generators = {
url = "github:nix-community/nixos-generators";
- inputs.nixpkgs.follows = "nixpkgs";
+ #inputs.nixpkgs.follows = "nixpkgs";
};
# Add sops-nix as an input for secret management.
From 20033671089a3bc90e2cb4259b212c24a893de14 Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Sun, 17 Nov 2024 20:29:04 +0100
Subject: [PATCH 10/46] move authorized keys to flake input
---
config/common/users.nix | 7 +-----
flake.lock | 19 ++++++++++++++++
flake.nix | 50 ++++++++++++++++++++++++-----------------
3 files changed, 50 insertions(+), 26 deletions(-)
diff --git a/config/common/users.nix b/config/common/users.nix
index 400a106..4ddef2a 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -6,14 +6,9 @@
# - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix
# - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings
-{ config, pkgs, lib, ... }:
+{ config, pkgs, lib, authorizedKeysRepo, ... }:
let
- authorizedKeysRepo = builtins.fetchGit {
- url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git";
- ref = "trunk";
- rev = "686a6af22f6696f0c0595c56f463c078550049fc";
- };
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
in
{
diff --git a/flake.lock b/flake.lock
index a41bdb5..bd78ff8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,23 @@
{
"nodes": {
+ "authorizedKeysRepo": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1731276342,
+ "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
+ "ref": "trunk",
+ "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
+ "revCount": 17,
+ "type": "git",
+ "url": "https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git"
+ },
+ "original": {
+ "ref": "trunk",
+ "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
+ "type": "git",
+ "url": "https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git"
+ }
+ },
"nixlib": {
"locked": {
"lastModified": 1731200463,
@@ -68,6 +86,7 @@
},
"root": {
"inputs": {
+ "authorizedKeysRepo": "authorizedKeysRepo",
"nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs_2",
"sops-nix": "sops-nix"
diff --git a/flake.nix b/flake.nix
index 5d1d5e3..b7424db 100644
--- a/flake.nix
+++ b/flake.nix
@@ -20,10 +20,18 @@
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
+
+ authorizedKeysRepo = {
+ url = "git+https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git?ref=trunk&rev=686a6af22f6696f0c0595c56f463c078550049fc";
+ flake = false;
+ };
};
- outputs = { self, nixpkgs, nixos-generators, sops-nix, ... }:
+ outputs = { self, nixpkgs, nixos-generators, sops-nix, authorizedKeysRepo, ... }:
let
+ specialArgs = {
+ inherit authorizedKeysRepo;
+ };
system = "x86_64-linux";
in
{
@@ -43,7 +51,7 @@
};
nixosConfigurations = {
audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -53,7 +61,7 @@
};
audio-hauptraum-tafel = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -63,7 +71,7 @@
};
esphome = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -72,7 +80,7 @@
};
public-reverse-proxy = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -81,7 +89,7 @@
};
netbox = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -92,7 +100,7 @@
};
matrix = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -103,7 +111,7 @@
};
public-web-static = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -114,7 +122,7 @@
};
git = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -125,7 +133,7 @@
};
forgejo-actions-runner = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -136,7 +144,7 @@
};
ptouch-print-server = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -145,7 +153,7 @@
};
eh22-wiki = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -155,7 +163,7 @@
};
nix-box-june = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -165,7 +173,7 @@
};
yate = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -174,7 +182,7 @@
};
mqtt = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -183,7 +191,7 @@
};
mjolnir = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -194,7 +202,7 @@
};
woodpecker = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -205,7 +213,7 @@
};
status = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -215,7 +223,7 @@
};
penpot = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -226,7 +234,7 @@
};
hydra = nixpkgs.lib.nixosSystem {
- inherit system;
+ inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
@@ -238,6 +246,7 @@
packages.x86_64-linux = {
proxmox-nixos-template = nixos-generators.nixosGenerate {
+ inherit specialArgs;
system = "x86_64-linux";
modules = [
./config/nixos-generators/proxmox.nix
@@ -248,6 +257,7 @@
};
proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate {
+ inherit specialArgs;
system = "x86_64-linux";
modules = [
./config/nixos-generators/proxmox-chaosknoten.nix
From ecd9fe4adf1c148dab447b3ad175754274687155 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sun, 17 Nov 2024 21:04:47 +0100
Subject: [PATCH 11/46] fix: use http clone url from forgejo
---
flake.lock | 4 ++--
flake.nix | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/flake.lock b/flake.lock
index bd78ff8..2d7ddf8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -9,13 +9,13 @@
"rev": "686a6af22f6696f0c0595c56f463c078550049fc",
"revCount": 17,
"type": "git",
- "url": "https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git"
+ "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git"
},
"original": {
"ref": "trunk",
"rev": "686a6af22f6696f0c0595c56f463c078550049fc",
"type": "git",
- "url": "https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git"
+ "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git"
}
},
"nixlib": {
diff --git a/flake.nix b/flake.nix
index b7424db..273a82c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,7 +22,7 @@
};
authorizedKeysRepo = {
- url = "git+https://git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git?ref=trunk&rev=686a6af22f6696f0c0595c56f463c078550049fc";
+ url = "git+https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git?ref=trunk&rev=686a6af22f6696f0c0595c56f463c078550049fc";
flake = false;
};
};
From e3c677ea9bcecf541e8e90b9bd27c27ef363c65d Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Sun, 17 Nov 2024 21:14:46 +0100
Subject: [PATCH 12/46] fix: use tar file
---
flake.lock | 12 ++++--------
flake.nix | 2 +-
2 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/flake.lock b/flake.lock
index 2d7ddf8..be287b5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -5,17 +5,13 @@
"locked": {
"lastModified": 1731276342,
"narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
- "ref": "trunk",
"rev": "686a6af22f6696f0c0595c56f463c078550049fc",
- "revCount": 17,
- "type": "git",
- "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git"
+ "type": "tarball",
+ "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
},
"original": {
- "ref": "trunk",
- "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
- "type": "git",
- "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git"
+ "type": "tarball",
+ "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
}
},
"nixlib": {
diff --git a/flake.nix b/flake.nix
index 273a82c..b7b74a4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,7 +22,7 @@
};
authorizedKeysRepo = {
- url = "git+https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git?ref=trunk&rev=686a6af22f6696f0c0595c56f463c078550049fc";
+ url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz";
flake = false;
};
};
From c78c27862749e1ff3fe3b288330b4ab395c7be50 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sun, 17 Nov 2024 22:43:51 +0100
Subject: [PATCH 13/46] Set WOODPECKER_LIMIT_MEM to 6 GB for woodpecker
so pipelines don't get killed by OOM.
---
config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
index 2baafc5..1836b73 100644
--- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
+++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
@@ -22,6 +22,7 @@
WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
WOODPECKER_FORGEJO = "true";
WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
+ WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB
# Set via enviornmentFile:
# WOODPECKER_FORGEJO_CLIENT
# WOODPECKER_FORGEJO_SECRET
From 67ab856b82f90ad45a62018ad8af1482f4162ce3 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 8 Dec 2024 18:57:36 +0100
Subject: [PATCH 14/46] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'authorizedKeysRepo':
'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
→ 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
• Updated input 'nixos-generators':
'github:nix-community/nixos-generators/06ffce1a8d95e95c06a4bcfa117dd960b14a7101?narHash=sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8%2BErehqI%3D' (2024-11-14)
→ 'github:nix-community/nixos-generators/8cdaf8885c9c85d9d27b594dbe882406aadfe00e?narHash=sha256-bNXO%2BOGxrOjAxv/Lnyj84tNDicJ/FdLyLJHzOKSzYU8%3D' (2024-12-05)
• Updated input 'nixos-generators/nixlib':
'github:nix-community/nixpkgs.lib/e04234d263750db01c78a412690363dc2226e68a?narHash=sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg%3D' (2024-11-10)
→ 'github:nix-community/nixpkgs.lib/0e4fdd4a0ab733276b6d2274ff84ae353f17129e?narHash=sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8%3D' (2024-12-01)
• Updated input 'nixos-generators/nixpkgs':
'github:NixOS/nixpkgs/aebe249544837ce42588aa4b2e7972222ba12e8f?narHash=sha256-vmLS8%2Bx%2BgHRv1yzj3n%2BGTAEObwmhxmkkukB2DwtJRdU%3D' (2024-11-10)
→ 'github:NixOS/nixpkgs/2c15aa59df0017ca140d9ba302412298ab4bf22a?narHash=sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw%3D' (2024-12-02)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/bf6132dc791dbdff8b6894c3a85eb27ad8255682?narHash=sha256-aNc8irVBH7sM5cGDvqdOueg8S%2BfGakf0rEMRGfGwWZw%3D' (2024-11-17)
→ 'github:nixos/nixpkgs/65d98ad2a50103eee5f72335bf69b7bae9d92612?narHash=sha256-t9/YFvqti1dE/tqeTunf8LGgjlwS6iSE8xl5KV/zcII%3D' (2024-12-08)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/472741cf3fee089241ac9ea705bb2b9e0bfa2978?narHash=sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM%3D' (2024-11-17)
→ 'github:Mic92/sops-nix/c6134b6fff6bda95a1ac872a2a9d5f32e3c37856?narHash=sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc%3D' (2024-12-02)
---
flake.lock | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/flake.lock b/flake.lock
index be287b5..9037a60 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
"narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
"rev": "686a6af22f6696f0c0595c56f463c078550049fc",
"type": "tarball",
- "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
+ "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
},
"original": {
"type": "tarball",
@@ -16,11 +16,11 @@
},
"nixlib": {
"locked": {
- "lastModified": 1731200463,
- "narHash": "sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg=",
+ "lastModified": 1733015484,
+ "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
- "rev": "e04234d263750db01c78a412690363dc2226e68a",
+ "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e",
"type": "github"
},
"original": {
@@ -35,11 +35,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
- "lastModified": 1731546190,
- "narHash": "sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8+ErehqI=",
+ "lastModified": 1733360821,
+ "narHash": "sha256-bNXO+OGxrOjAxv/Lnyj84tNDicJ/FdLyLJHzOKSzYU8=",
"owner": "nix-community",
"repo": "nixos-generators",
- "rev": "06ffce1a8d95e95c06a4bcfa117dd960b14a7101",
+ "rev": "8cdaf8885c9c85d9d27b594dbe882406aadfe00e",
"type": "github"
},
"original": {
@@ -50,11 +50,11 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1731245184,
- "narHash": "sha256-vmLS8+x+gHRv1yzj3n+GTAEObwmhxmkkukB2DwtJRdU=",
+ "lastModified": 1733097829,
+ "narHash": "sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "aebe249544837ce42588aa4b2e7972222ba12e8f",
+ "rev": "2c15aa59df0017ca140d9ba302412298ab4bf22a",
"type": "github"
},
"original": {
@@ -66,11 +66,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1731842749,
- "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
+ "lastModified": 1733647408,
+ "narHash": "sha256-t9/YFvqti1dE/tqeTunf8LGgjlwS6iSE8xl5KV/zcII=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
+ "rev": "65d98ad2a50103eee5f72335bf69b7bae9d92612",
"type": "github"
},
"original": {
@@ -95,11 +95,11 @@
]
},
"locked": {
- "lastModified": 1731862312,
- "narHash": "sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM=",
+ "lastModified": 1733128155,
+ "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "472741cf3fee089241ac9ea705bb2b9e0bfa2978",
+ "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
"type": "github"
},
"original": {
From a039b3febf08f37f26fa590e8e0ada1c33e26850 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 8 Dec 2024 22:21:15 +0100
Subject: [PATCH 15/46] update nixpkgs to 24.11 (small)
Also use non-lts forgejo and adjust config for 24.11.
---
config/hosts/git/forgejo.nix | 10 ++++++++--
flake.lock | 8 ++++----
flake.nix | 2 +-
3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index a57a37f..665815d 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -7,13 +7,19 @@
# - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md
# - https://forgejo.org/docs/latest/admin/email-setup/
-{ pkgs-unstable, ... }:
+{ pkgs, ... }:
{
services.forgejo = {
enable = true;
+ package = pkgs.forgejo;
database.type = "postgres";
- mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
+
+ secrets = {
+ mailer = {
+ PASSWD = "/run/secrets/forgejo_git_smtp_password";
+ };
+ };
settings = {
DEFAULT = {
diff --git a/flake.lock b/flake.lock
index 9037a60..f6666c8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -66,16 +66,16 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1733647408,
- "narHash": "sha256-t9/YFvqti1dE/tqeTunf8LGgjlwS6iSE8xl5KV/zcII=",
+ "lastModified": 1733642008,
+ "narHash": "sha256-ijS1XixgnF1UW1wnsO5J7rw5li0n6SZCBQWCYSfJwXw=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "65d98ad2a50103eee5f72335bf69b7bae9d92612",
+ "rev": "5e7591e5e8c8cddc1e9c7cad01033e6c2d560cd0",
"type": "github"
},
"original": {
"owner": "nixos",
- "ref": "nixos-24.05-small",
+ "ref": "nixos-24.11-small",
"repo": "nixpkgs",
"type": "github"
}
diff --git a/flake.nix b/flake.nix
index b7b74a4..9e66803 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,7 +5,7 @@
# Use the NixOS small channels for nixpkgs.
# https://nixos.org/manual/nixos/stable/#sec-upgrading
# https://github.com/NixOS/nixpkgs
- nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small";
# Add nixos-generators as an input.
# See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
From 8764841759382651691620c7c4ba607e02036b98 Mon Sep 17 00:00:00 2001
From: jopejoe1 <johannes@joens.email>
Date: Mon, 9 Dec 2024 21:21:17 +0100
Subject: [PATCH 16/46] shairport-sync: use airplay2 variant instead of custome
overlay
---
flake.nix | 11 -----------
modules/services/audio/shairport-sync.nix | 1 +
2 files changed, 1 insertion(+), 11 deletions(-)
diff --git a/flake.nix b/flake.nix
index 9e66803..dd85023 100644
--- a/flake.nix
+++ b/flake.nix
@@ -35,15 +35,6 @@
system = "x86_64-linux";
in
{
- overlays = {
- shairportSyncAirplay2 = final: prev: {
- shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
- # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
- configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
- buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
- });
- };
- };
nixosModules = {
common = ./config/common;
proxmox-vm = ./config/proxmox-vm;
@@ -55,7 +46,6 @@
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
- { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
./config/hosts/audio-hauptraum-kueche
];
};
@@ -65,7 +55,6 @@
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
- { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
./config/hosts/audio-hauptraum-tafel
];
};
diff --git a/modules/services/audio/shairport-sync.nix b/modules/services/audio/shairport-sync.nix
index cbc58e7..43d1285 100644
--- a/modules/services/audio/shairport-sync.nix
+++ b/modules/services/audio/shairport-sync.nix
@@ -17,6 +17,7 @@ in
config = mkIf cfg.enable {
services.shairport-sync = {
enable = true;
+ package = pkgs.shairport-sync-airplay2;
arguments = "-o pw -v";
};
From fa9c8e7ac1edfb47979cc7722c95ebf8243ff1d1 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Mon, 16 Dec 2024 22:50:00 +0100
Subject: [PATCH 17/46] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'authorizedKeysRepo':
'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
→ 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
• Updated input 'nixos-generators':
'github:nix-community/nixos-generators/8cdaf8885c9c85d9d27b594dbe882406aadfe00e' (2024-12-05)
→ 'github:nix-community/nixos-generators/a5278f7c326205681f1f42a90fa46a75a13627eb' (2024-12-16)
• Updated input 'nixos-generators/nixlib':
'github:nix-community/nixpkgs.lib/0e4fdd4a0ab733276b6d2274ff84ae353f17129e' (2024-12-01)
→ 'github:nix-community/nixpkgs.lib/538697b664a64fade8ce628d01f35d1f1fd82d77' (2024-12-15)
• Updated input 'nixos-generators/nixpkgs':
'github:NixOS/nixpkgs/2c15aa59df0017ca140d9ba302412298ab4bf22a' (2024-12-02)
→ 'github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2' (2024-12-13)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/5e7591e5e8c8cddc1e9c7cad01033e6c2d560cd0' (2024-12-08)
→ 'github:nixos/nixpkgs/eb919d9300b6a18f8583f58aef16db458fbd7bec' (2024-12-15)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/c6134b6fff6bda95a1ac872a2a9d5f32e3c37856' (2024-12-02)
→ 'github:Mic92/sops-nix/2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004' (2024-12-12)
---
flake.lock | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/flake.lock b/flake.lock
index f6666c8..18512ce 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
"narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
"rev": "686a6af22f6696f0c0595c56f463c078550049fc",
"type": "tarball",
- "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
+ "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
},
"original": {
"type": "tarball",
@@ -16,11 +16,11 @@
},
"nixlib": {
"locked": {
- "lastModified": 1733015484,
- "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=",
+ "lastModified": 1734224914,
+ "narHash": "sha256-hKWALzQ/RxxXdKWsLKXULru6XTag9Cc5exgVyS4a/AE=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
- "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e",
+ "rev": "538697b664a64fade8ce628d01f35d1f1fd82d77",
"type": "github"
},
"original": {
@@ -35,11 +35,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
- "lastModified": 1733360821,
- "narHash": "sha256-bNXO+OGxrOjAxv/Lnyj84tNDicJ/FdLyLJHzOKSzYU8=",
+ "lastModified": 1734311693,
+ "narHash": "sha256-ODRrnbaUsOe3e4kp+uHl+iJxey5zE3kqiBqJWQxrlnY=",
"owner": "nix-community",
"repo": "nixos-generators",
- "rev": "8cdaf8885c9c85d9d27b594dbe882406aadfe00e",
+ "rev": "a5278f7c326205681f1f42a90fa46a75a13627eb",
"type": "github"
},
"original": {
@@ -50,11 +50,11 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1733097829,
- "narHash": "sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw=",
+ "lastModified": 1734126203,
+ "narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "2c15aa59df0017ca140d9ba302412298ab4bf22a",
+ "rev": "71a6392e367b08525ee710a93af2e80083b5b3e2",
"type": "github"
},
"original": {
@@ -66,11 +66,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1733642008,
- "narHash": "sha256-ijS1XixgnF1UW1wnsO5J7rw5li0n6SZCBQWCYSfJwXw=",
+ "lastModified": 1734298236,
+ "narHash": "sha256-aWhhqY44xBjMoO9r5fyPp5u8tqUNWRZ/m/P+abMSs5c=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "5e7591e5e8c8cddc1e9c7cad01033e6c2d560cd0",
+ "rev": "eb919d9300b6a18f8583f58aef16db458fbd7bec",
"type": "github"
},
"original": {
@@ -95,11 +95,11 @@
]
},
"locked": {
- "lastModified": 1733128155,
- "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
+ "lastModified": 1733965552,
+ "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
+ "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
"type": "github"
},
"original": {
From d36ff73123b6cad8b07e5fc83cf619f1c57a7316 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Thu, 9 Jan 2025 21:44:31 +0100
Subject: [PATCH 18/46] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixos-generators':
'github:nix-community/nixos-generators/a5278f7c326205681f1f42a90fa46a75a13627eb' (2024-12-16)
→ 'github:nix-community/nixos-generators/051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4' (2024-12-23)
• Updated input 'nixos-generators/nixlib':
'github:nix-community/nixpkgs.lib/538697b664a64fade8ce628d01f35d1f1fd82d77' (2024-12-15)
→ 'github:nix-community/nixpkgs.lib/0a31e8d833173ae63e43fd9dbff1ccf09c4f778c' (2024-12-22)
• Updated input 'nixos-generators/nixpkgs':
'github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2' (2024-12-13)
→ 'github:NixOS/nixpkgs/4989a246d7a390a859852baddb1013f825435cee' (2024-12-17)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/eb919d9300b6a18f8583f58aef16db458fbd7bec' (2024-12-15)
→ 'github:nixos/nixpkgs/530de2c83360057c1650fb8a37ef48cb9ad8f6a6' (2025-01-09)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004' (2024-12-12)
→ 'github:Mic92/sops-nix/c9c88f08e3ee495e888b8d7c8624a0b2519cb773' (2025-01-06)
---
flake.lock | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/flake.lock b/flake.lock
index 18512ce..4625fa3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -16,11 +16,11 @@
},
"nixlib": {
"locked": {
- "lastModified": 1734224914,
- "narHash": "sha256-hKWALzQ/RxxXdKWsLKXULru6XTag9Cc5exgVyS4a/AE=",
+ "lastModified": 1734829460,
+ "narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
- "rev": "538697b664a64fade8ce628d01f35d1f1fd82d77",
+ "rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c",
"type": "github"
},
"original": {
@@ -35,11 +35,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
- "lastModified": 1734311693,
- "narHash": "sha256-ODRrnbaUsOe3e4kp+uHl+iJxey5zE3kqiBqJWQxrlnY=",
+ "lastModified": 1734915500,
+ "narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=",
"owner": "nix-community",
"repo": "nixos-generators",
- "rev": "a5278f7c326205681f1f42a90fa46a75a13627eb",
+ "rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4",
"type": "github"
},
"original": {
@@ -50,11 +50,11 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1734126203,
- "narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=",
+ "lastModified": 1734435836,
+ "narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "71a6392e367b08525ee710a93af2e80083b5b3e2",
+ "rev": "4989a246d7a390a859852baddb1013f825435cee",
"type": "github"
},
"original": {
@@ -66,11 +66,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1734298236,
- "narHash": "sha256-aWhhqY44xBjMoO9r5fyPp5u8tqUNWRZ/m/P+abMSs5c=",
+ "lastModified": 1736408508,
+ "narHash": "sha256-WIGZ3DPw5H+SPszUXVacK+KTh3sJZShP1vGtDwhquNM=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "eb919d9300b6a18f8583f58aef16db458fbd7bec",
+ "rev": "530de2c83360057c1650fb8a37ef48cb9ad8f6a6",
"type": "github"
},
"original": {
@@ -95,11 +95,11 @@
]
},
"locked": {
- "lastModified": 1733965552,
- "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
+ "lastModified": 1736203741,
+ "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
+ "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773",
"type": "github"
},
"original": {
From 5676b1a4680dbe706686f38902f5607ec33330ff Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 14 Jan 2025 20:49:14 +0100
Subject: [PATCH 19/46] netbox: configure and patch NetBox for OIDC group and
role mapping
The custom pipeline code is licensed under the Creative Commons: CC
BY-SA 4.0 license.
See:
https://github.com/goauthentik/authentik/blob/main/LICENSE
https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
https://docs.goauthentik.io/integrations/services/netbox/
---
README.md | 3 +-
config/hosts/netbox/netbox.nix | 21 ++++++-
flake.nix | 8 +++
...oup_and_role_mapping_custom_pipeline.patch | 61 +++++++++++++++++++
4 files changed, 91 insertions(+), 2 deletions(-)
create mode 100644 patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch
diff --git a/README.md b/README.md
index 186f14a..def4e60 100644
--- a/README.md
+++ b/README.md
@@ -76,4 +76,5 @@ nix build .#proxmox-chaosknoten-nixos-template
## License
-This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
+This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
+[`0001_oidc_group_and_role_mapping_custom_pipeline.patch`](patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch) is licensed under the Creative Commons: CC BY-SA 4.0 license.
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
index e0f2df9..f816016 100644
--- a/config/hosts/netbox/netbox.nix
+++ b/config/hosts/netbox/netbox.nix
@@ -9,7 +9,8 @@
{
services.netbox = {
enable = true;
- package = pkgs.netbox;
+ # Explicitly use the patched NetBox package.
+ package = pkgs.netbox_4_1;
secretKeyFile = "/run/secrets/netbox_secret_key";
keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
settings = {
@@ -24,6 +25,24 @@
SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
+ SOCIAL_AUTH_PIPELINE = [
+ # The default pipeline as can be found in:
+ # /nix/store/q2jsn56bgkj0nkz0j4w48x3klyn2x4gp-netbox-4.1.7/opt/netbox/netbox/netbox/settings.py
+ "social_core.pipeline.social_auth.social_details"
+ "social_core.pipeline.social_auth.social_uid"
+ "social_core.pipeline.social_auth.social_user"
+ "social_core.pipeline.user.get_username"
+ "social_core.pipeline.user.create_user"
+ "social_core.pipeline.social_auth.associate_user"
+ "netbox.authentication.user_default_groups_handler"
+ "social_core.pipeline.social_auth.load_extra_data"
+ "social_core.pipeline.user.user_details"
+ # Use custom pipeline functions patched in via netbox41OIDCMappingOverlay.
+ # See: https://docs.goauthentik.io/integrations/services/netbox/
+ "netbox.custom_pipeline.add_groups"
+ "netbox.custom_pipeline.remove_groups"
+ "netbox.custom_pipeline.set_roles"
+ ];
};
};
diff --git a/flake.nix b/flake.nix
index dd85023..fb4ed26 100644
--- a/flake.nix
+++ b/flake.nix
@@ -40,6 +40,13 @@
proxmox-vm = ./config/proxmox-vm;
prometheus-exporter = ./config/extra/prometheus-exporter.nix;
};
+ overlays = {
+ netbox41OIDCMappingOverlay = final: prev: {
+ netbox_4_1 = prev.netbox_4_1.overrideAttrs (finalAttr: previousAttr: {
+ patches = previousAttr.patches ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ];
+ });
+ };
+ };
nixosConfigurations = {
audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
inherit system specialArgs;
@@ -85,6 +92,7 @@
sops-nix.nixosModules.sops
self.nixosModules.prometheus-exporter
./config/hosts/netbox
+ { nixpkgs.overlays = [ self.overlays.netbox41OIDCMappingOverlay ]; }
];
};
diff --git a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch
new file mode 100644
index 0000000..89f805a
--- /dev/null
+++ b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch
@@ -0,0 +1,61 @@
+diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py
+new file mode 100644
+index 000000000..470f388dc
+--- /dev/null
++++ b/netbox/netbox/custom_pipeline.py
+@@ -0,0 +1,55 @@
++# Licensed under Creative Commons: CC BY-SA 4.0 license.
++# https://github.com/goauthentik/authentik/blob/main/LICENSE
++# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
++# https://docs.goauthentik.io/integrations/services/netbox/
++from netbox.authentication import Group
++
++class AuthFailed(Exception):
++ pass
++
++def add_groups(response, user, backend, *args, **kwargs):
++ try:
++ groups = response['groups']
++ except KeyError:
++ pass
++
++ # Add all groups from oAuth token
++ for group in groups:
++ group, created = Group.objects.get_or_create(name=group)
++ user.groups.add(group)
++
++def remove_groups(response, user, backend, *args, **kwargs):
++ try:
++ groups = response['groups']
++ except KeyError:
++ # Remove all groups if no groups in oAuth token
++ user.groups.clear()
++ pass
++
++ # Get all groups of user
++ user_groups = [item.name for item in user.groups.all()]
++ # Get groups of user which are not part of oAuth token
++ delete_groups = list(set(user_groups) - set(groups))
++
++ # Delete non oAuth token groups
++ for delete_group in delete_groups:
++ group = Group.objects.get(name=delete_group)
++ user.groups.remove(group)
++
++
++def set_roles(response, user, backend, *args, **kwargs):
++ # Remove Roles temporary
++ user.is_superuser = False
++ user.is_staff = False
++ try:
++ groups = response['groups']
++ except KeyError:
++ # When no groups are set
++ # save the user without Roles
++ user.save()
++ pass
++
++ # Set roles is role (superuser or staff) is in groups
++ user.is_superuser = True if 'superusers' in groups else False
++ user.is_staff = True if 'staff' in groups else False
++ user.save()
From f5bc9024b1036fd3591e759f4bd8ee4d62e27572 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 14 Jan 2025 21:06:26 +0100
Subject: [PATCH 20/46] audio-hauptraum-*: move audio VMs to client network
Do this per request to hopefully improve mDNS discovery.
---
config/hosts/audio-hauptraum-kueche/networking.nix | 6 +++---
config/hosts/audio-hauptraum-tafel/networking.nix | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/config/hosts/audio-hauptraum-kueche/networking.nix b/config/hosts/audio-hauptraum-kueche/networking.nix
index 0118db4..6e1e7d8 100644
--- a/config/hosts/audio-hauptraum-kueche/networking.nix
+++ b/config/hosts/audio-hauptraum-kueche/networking.nix
@@ -5,13 +5,13 @@
interfaces.net0 = {
ipv4.addresses = [
{
- address = "10.31.210.10";
+ address = "172.31.200.14";
prefixLength = 23;
}
];
};
- defaultGateway = "10.31.210.1";
- nameservers = [ "10.31.210.1" ];
+ defaultGateway = "172.31.200.1";
+ nameservers = [ "172.31.200.1" ];
};
systemd.network.links."10-net0" = {
diff --git a/config/hosts/audio-hauptraum-tafel/networking.nix b/config/hosts/audio-hauptraum-tafel/networking.nix
index 37185b7..e357d38 100644
--- a/config/hosts/audio-hauptraum-tafel/networking.nix
+++ b/config/hosts/audio-hauptraum-tafel/networking.nix
@@ -5,13 +5,13 @@
interfaces.net0 = {
ipv4.addresses = [
{
- address = "10.31.210.13";
+ address = "172.31.200.15";
prefixLength = 23;
}
];
};
- defaultGateway = "10.31.210.1";
- nameservers = [ "10.31.210.1" ];
+ defaultGateway = "172.31.200.1";
+ nameservers = [ "172.31.200.1" ];
};
systemd.network.links."10-net0" = {
From d55438f104683955be6f81e9a521a32347c48b5a Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 19 Jan 2025 20:28:05 +0100
Subject: [PATCH 21/46] public-web-static: remove irc from spaceapi response as
it's deprecated
---
.../hosts/public-web-static/spaceapid-config/ccchh-response.json | 1 -
1 file changed, 1 deletion(-)
diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
index 9a5793e..b49b2da 100644
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
@@ -14,7 +14,6 @@
},
"contact": {
"phone": "+49 40 23830150",
- "irc": "ircs://irc.hackint.org:6697/#ccchh",
"mastodon": "@ccchh@chaos.social",
"email": "mail@hamburg.ccc.de",
"ml": "talk@hamburg.ccc.de",
From 2904ebee158b1c3f447dea79417f2635dbd5a4e5 Mon Sep 17 00:00:00 2001
From: echtnurich <ich@echtnurich.de>
Date: Sat, 8 Jun 2024 22:18:23 +0200
Subject: [PATCH 22/46] add yate service for autostart
introduce /etc/yate, clone/reset on service start
Fix config via git
make yate systemd service
create yate service user
recreate the full config everytime
decolour the log because of blob data
make sure source is available before deleting config
change yate-config repo
fix yate deploy key
fix yate-config not pulling
---
.sops.yaml | 17 ++
config/hosts/yate/configuration.nix | 2 +
config/hosts/yate/default.nix | 1 +
config/hosts/yate/secrets.yaml | 233 ++++++++++++++++++++++++++++
config/hosts/yate/service.nix | 39 ++++-
config/hosts/yate/sops.nix | 7 +
config/hosts/yate/yate.nix | 15 ++
flake.nix | 1 +
8 files changed, 309 insertions(+), 6 deletions(-)
create mode 100644 config/hosts/yate/secrets.yaml
create mode 100644 config/hosts/yate/sops.nix
diff --git a/.sops.yaml b/.sops.yaml
index ec660ec..dedf3c1 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -15,6 +15,7 @@ keys:
- &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
- &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
- &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
+ - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
- &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
- &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
- &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
@@ -147,6 +148,22 @@ creation_rules:
- *admin_gpg_dante
age:
- *host_age_penpot
+ - path_regex: config/hosts/yate/.*
+ key_groups:
+ - pgp:
+ - *admin_gpg_djerun
+ - *admin_gpg_stb
+ - *admin_gpg_jtbx
+ - *admin_gpg_yuri
+ - *admin_gpg_june
+ - *admin_gpg_haegar
+ - *admin_gpg_dario
+ - *admin_gpg_echtnurich
+ - *admin_gpg_max
+ - *admin_gpg_c6ristian
+ - *admin_gpg_dante
+ age:
+ - *host_age_yate
- key_groups:
- pgp:
- *admin_gpg_djerun
diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix
index 6b4bb71..f350966 100644
--- a/config/hosts/yate/configuration.nix
+++ b/config/hosts/yate/configuration.nix
@@ -6,5 +6,7 @@
domain = "z9.ccchh.net";
};
+# users.users.chaos.password = "yes";
+
system.stateVersion = "23.11";
}
diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix
index 5304abd..009e1a1 100644
--- a/config/hosts/yate/default.nix
+++ b/config/hosts/yate/default.nix
@@ -6,5 +6,6 @@
./networking.nix
./yate.nix
./service.nix
+ ./sops.nix
];
}
diff --git a/config/hosts/yate/secrets.yaml b/config/hosts/yate/secrets.yaml
new file mode 100644
index 0000000..6235c17
--- /dev/null
+++ b/config/hosts/yate/secrets.yaml
@@ -0,0 +1,233 @@
+git_clone_key: ENC[AES256_GCM,data:Wss8NtyYXOmQ8fYbqKfbGQ+5l+ifNznis9OJ4p2HRPsExOFvgHH60t+D/gsOPTiwL0fEQKQn008Zo7VpIEhKIQM0fW3cd3ED3Tk8QX4hDRxyLl/lql5MlhTm4UMY58rNMBXgA88oR1lozgAa39KMH0MRUoSzrhvecwnAHO+RjZGXBN5zYIorqBVEk5h+1wUGSlV1TroZX9u0cWt11eH59AgKY/oP5mOrgA++E623Oc/DnTxlLbR//lFHW1JPiBSUFMP1ck6fg4PwnADYITgr1B1zdJz1J6jNC+n6S9bKDPnH5bvqmpvJIRmimxR4/R182RkIC+TBhD850cD1y9KSZa0Lh3DZ3LPrqGtZ6MHvpCgY/wPiTUANv6CJPcOAoskaaW57EiFl0ev3Jc3A+XFM6yqQOmmvNXx0hYz6ltlvtsltOcmz5TWooijwTaPS5UEwltYalrT9RNmC/ODkBRkSvuLEBWYwnu8aeo2f/+IxciG0PldDJED2ud6HSkDEXHcPCwodScpnk032Jrc+0qtI,iv:tCo4f5u/y/ZrAfT1N+eUNLy5pKAg/U0xa3cNQmzUgFs=,tag:03HK65hWjYnVzz+7C+HmsA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rmg0UXBXcWcyRTV6ZGlP
+ TDY1RFBVaTlVQnJVV3NnU1ZTeEJzb2xsZXdJCnVFSGF0UjQ1OUpxcVNVb2F4K3Uw
+ KzZRYWtTaTJFd29zcmJENTRLMmZsUVkKLS0tIEdGaHRaOWFyeTMzSit4WFh1UGVS
+ bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1
+ xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-08T18:35:07Z"
+ mac: ENC[AES256_GCM,data:tyrfhBaTKnp1lqSPfkErk1UFoI7v/1az+zl9g3XoZ5Apo3CRixdLUldM9sYXqQT5WNrgO2NyZHqvyQOnFZiJuNhlYFSQbgwFFm3gz45BV8Do7QAhAG7+Q6q/Gz9VAqePQJlmzbfeL5iqJC2jhrcGIutO2cI22QULLkBzVVDg1/w=,iv:ayLonGC1F3vp6bh4pcAps6BvMzrG/yT2rPGAcUQ1Geg=,tag:1fIaRIFrzDTSP+oIUHABgQ==,type:str]
+ pgp:
+ - created_at: "2024-08-05T20:33:02Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAxK/JaB2/SdtAQ/8Dx0hTc0zZkd9+RXuKOXU8ZkKF54lcxfDTMH0rD2bKPhg
+ do/+I4VOSJxfyTvzFNjVXywSCEsws2+RyS73jF4048o4DrNQNG4P70GqXAqjDbQL
+ r+WCKT0if85JYPo/ho8nSRumo44BlbN2+Ftc5Z90UshW63VPU4Xm1Woqm8TOvs/0
+ cyhsigShwJGymnIEY4PwdT6fd/gkVVaoC9nCrkkSbaQZa1rXHud8+jLK+4TXebKl
+ Qk2G2cVivWBioT4wGjhZvQ6lLK4mlaqxiZF3aRYcUs1Hwgq1ZolbgiGPWG4xisFa
+ JgsqYRnmGnTM/33l57Cy8CpVHfprrapUXh2X2Ly/pBRQn+ns2zk1wkpTUHbwmyQi
+ ETLvw68PXbayoDNunMqZl2RWPjPnotNVeG5i2s+pwaEoDKAWcud2NPUWFb+gyftk
+ YNxMdp1CpXXOHpU4Ty+HHXAU/uLVVzLT91RLJAn+Y6rRyevg4UBSB/Y+lc5IMTfa
+ QPPLRPV6/P4LIWDlOdg/S3Q7ZwryNAogU/Hyuuz2xyS8LK7S7M0+BgVBrOkowazy
+ aGemt/BmQkyPQDpJTPxtdzsK1vvplol7uJnNou1h0krrgHlAzb++3i8+V4Z18dBg
+ GSeWIdSm+OD1HPDyD1054wEUAgPfRh0TZma+vDirH4RDH0tMubRGOLl17nV+/v7U
+ ZgEJAhCYgHEjsPDIpUoHopF1vkhxmhv6YqILLzDftbbmDQUqncs/mgnFCJPNnKVJ
+ ldwNj2kuAd2L5VRI0E9k0ZVzg/Aqb8B2wSTiJmQGWI3b0tNfGuC65fe7p8ceJ5vZ
+ et8Y1DEjVg==
+ =u7aP
+ -----END PGP MESSAGE-----
+ fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+ - created_at: "2024-08-05T20:33:02Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA6EyPtWBEI+2ARAAsrHbA58mnccH/oWDgoEqwJx+ZkeSWo6Arc0nMhU/Qh+9
+ Nl/pKdKm3LsIwkKTRVGDxI4vFRo42LFZE47nyfa70G7GiM1uJnEOx6vLTN0HpL6S
+ YQi8Dbb/+WA7QnGDfaEiozGQzsPMAgSVAE3A0rlcLBqQwiGsfhHr1RwEggfXqMG4
+ twxWIbKI/8T088b1IFs7fOKxzEB6na7+HoNaG22jlvRY0irMfgti8xeflWmZIKf2
+ uY6gM2rCOtCSi8vZEhJiXb5SG1NbyMmVHsz0ZXHwwGsiDACFqISqfR921B0Cuftx
+ Nj2pIwKbGyOOsFjlbC3ZGUMplLzYpRMx8LetLMrksWSpzypWdeI166gjF4MncUlQ
+ gl5hM7gL/+6k86yxIqTeexVoU24NRcsYCnQKZAK5T2fxQxX0BXppWxju6Jq1erRU
+ JZsggrbxELMJfcyrDC1cH/zgAM1kqOi32ZaGiO3U1WA5fxhJPUy5kxoQXSISL7Ng
+ mrnnMKIWK7eClQb47a/lYWEIqw1UjJhCPmKVHlcSmiH8FATfr5KjHeFlK8Zou5Ji
+ yMbVS7s2P9MeEzdnNC8PSFwjM9K7qXuWJYvDQtUracfxgO3X0r7Z+5g62WmLVDcp
+ E26DzDyTrU6Vf6WANOg/V7C7paOasnpcaU62/C65BBtGH23mgEfkJSkBYJWCea7S
+ XAHLeksa73OaeO28kTspM4G/Nlh65lr2p92gmcpbqkARvw8dIOUrAqPMRjJHabZq
+ vLbFx/uqXDPfALVXNWKGZp3vObGPLImQ1EfjVCYzOlkXXnfVdE+ih9+HIYhX
+ =advR
+ -----END PGP MESSAGE-----
+ fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+ - created_at: "2024-08-05T20:33:02Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAz5uSgHG2iMJAQ//c9NMv/m/qGaJR+2jeu5VAbPwqIfBbrAEiV2s6TlzJRLz
+ 7yEo9l/wh2WV+1Ew9dM5Pe8cgezjNaXgCeV8EEMu6dzOb1N++3TQJ7ET10DaOVec
+ ofEwDUYj8UHmV0VmhOPWLpceAod5wk4Xm4rlJTFjQ6TKN8U0dBoGS1cxHWwWw8oa
+ RebdNmpfSgkj0ohbeD9owxQ7JhqGlOPo1JCz7YI6c6bwQ1wuOC/XqnJt4F5ny8ty
+ y/qj1m9KrL5nRRc06qxNtmYODMuS+OeScfcI4grX7wMTUrqaFkCVHcboi5ZD6DzE
+ L49PT51/KK/lOlgKjSDfGgRRj9a9UO+7IXnMG0/5kDzRRBJDBzZH/5rujP8ffz+8
+ glxGBiBhsLroHbwn3a4BlDHpnuqCKa/7CmSyfGCNPp0TuMPvCVWf6muXA86wo5fQ
+ B/qKjvJV15qWJXdKDYyWJAg2B78/dROYbX142R9wPitP8zyj8b3jrzIcoIViAvkl
+ L3ZnnhqZxzkKcfc2rBsdadBEquz9+oGj6rKARyhFkT92in6zZO19fBZqTH5y/QYl
+ o0bDAbdQKJf36Eqh8G102z2x/Keo7gK/PWwwOi5YrFlgDVk4oBqAHWRgBiEvjSaO
+ Z7Ork1eeBUuZLAofzMoNNDaZS0KBfEgE3gczGpcRjjIwTDSIXM8NVtz7aXwZjUTS
+ XAG89qkxjGjlnJcRrE6izhiNbepWaOYYWb57VB5jL0TciQJHR7nbOGQh0T+tNKcb
+ fKyxZOL8IdGpoqxsRCuaPE5cEwc17XKuu53CfZo9t6hjh8SwRKWGnk7dkYhy
+ =vqhH
+ -----END PGP MESSAGE-----
+ fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+ - created_at: "2024-08-05T20:33:02Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAw5vwmoEJHQ1ARAArape3cqNbLeWh0YdcG9fBcuzyrTGntyD6ccl9Wwc4aTd
+ +uNMhCl7758tETPPK4qneAYNSnbnFQcgKj0ATkVMhMuT58g15GMEyXvhUsIukpQ7
+ Ca5t+aVh1fmb1pvcWPd4MUUQzt8KKN99+0KfyWzvdsb2jUBKICG3TQvTWXT93+g4
+ LjG6TCW+wv06nTquaCEaR4IdEPJRfZEspUXDhi2Wr/AjXIlvfN/yhs2AyTjde5un
+ kha2iy85o2NikCYoIaqFvFaEDOGjdcT4g/jaErxXn8sSxOQo9aV/r5Ksm/mXyEI2
+ cSrbMfBXwrlrHNZ5VCbYZLbNjIbwFdBV04buZldDT4GYmBW/PG71NeKDrXrgnTOn
+ 3fBkXmhFb3gLppMv2v2TY96lGk3Obbfnry1lsgLLW+SvustNe1en3mXSVciCbuEh
+ 7bsb4AkJyJXSUFh8jQ1LWxcE9jsI6eIj9eb/tw0QmC0y8Q2fqOV927B8d7Pl2dyU
+ K0aryOwn+80ce7sBd/9JRL6SOHB2nK8BpmRO2blAmhrGEjX8kif9hFrXHLU2+7sb
+ QC0ccFjoleqhTgsnOXCHwfm0ggejvZhS3GLjABgXBp2LVVYuWZXVhCQuRLsUV2v3
+ Wf4fPWaGWw8tTTaW198H0NWfd/FSogzWQcsgknVWM9YS/zzqcQNYsSObwh2q2V/S
+ XAFWrPxSexFSi0XiXK7ahhnp7OTIMtw9dy3e0HQ/7F8guhvhwoTcK6bLY2967wyj
+ IPh1r+J6g090fN2QXm0oHTSJbhl+fy4bOkXVt/ATyPh6b0yRaxMgSGXWeh3C
+ =hGXq
+ -----END PGP MESSAGE-----
+ fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+ - created_at: "2024-08-05T20:33:02Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA4HMJd/cQYrVARAAwAzM+dgsD/WBFbCFIXhDdsLmmWZMeVLD1AlLTmu/GfGg
+ YvHhW4giEaqEzUsQOuxmyND7eQd3fBKf1GcwFLXE9xrR6YD5yh7s898mnCpBi2Xi
+ LBPMz7nN/j7mfetPklsTazbbaoSB9hVx8AK7jzS7zvzgEGIm8Yeilx/v8OqbT1xQ
+ +07soWjVvqM526a24KSdRBTgvXPJvqIPt0IEZzFWtAppectcRBiZJHX4huU5wOuG
+ SEk0vgwCwrt3cades+dbh59cSqUc65qGhDti0tnygnSKgepOkQsFOqoZ/WvgE+io
+ 5fNEI4g2/D+gmSelCCcQE0MFe+Uzc1FpsWwZiHnbGfnA55GO0dvoOUAsJQtwCLSq
+ 1Lw8bpywgfIfU4QMYmZAaYsHDly4VTwluFe1WnExzf/nMxRQQmqIlg2pTmNZ6tJ1
+ 1A9Rc6mg83//2fNWRw+JBtOJUCePw5nyJ0jTOQZd7Dl0ZzwlsgH8g/Y/Flg1kFll
+ CXGcJ1TMjTjzD4+Fl3UE+BqpzBjwQodzHqX3LEJ9uJ2guw0zbWzuMs10aTEoW/1U
+ pVGexkrcaduykd5TQmMO8yG6rW2KEKJlh68lxZslUAiG0ASTuSpY5A8leS5OZZgF
+ EQjs903r1epwJgBwnQGhijpTrmqiThvdE0BJ9r1jmxUy75KzWh/SZDmpCwDfsELS
+ XAEceOrsLsaYRqisM5D1zvNneEoGKv3GoS4cs4iuqHPyy2ZueHWK24HmAmrghRQ7
+ uLCmS0SmU5CY5gmVRkrKhY/0wtKWqJ10cK17Z/dQtRz6g3qmFM4JBfMy4BL9
+ =vZLC
+ -----END PGP MESSAGE-----
+ fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+ - created_at: "2024-08-05T20:33:02Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAxjNhCKPP69fARAApzEcBIVknhmysQc02ufbjFzKweB4jsCvGoPXSooMzs4x
+ p4keH/xaVXF1/nn+bzMHJt1/LV1/5LlyHtQNcZ30hUrziOy4LCnyfNgb5WP3VMP3
+ XW6ZcBiEIcUHZ1Ikl/cUNCpKazVRD6o6oKmFCwXKgE9a/l5XX/j3vizQ22vwfgfa
+ oziQPhMadfne8hXAJIB7fOn45ZLFNgLqYWW4Jh4L1DJflziNR8kx3NQJLWDmSqqB
+ SpuFBkm7DaLCkj/TpvAQs5xSI69kLlDfcaEPI4noAdhJh+jwGVLNmKyekKsYfrDS
+ 5cQUVD3Hmn4WnpR2jLJAlwcFaEZt0muiLIxZmAxfSzJhld8G4GOcoAllfG9ze+QG
+ oJ3G6jWtJeoCZR5zbdk+lNcQ+iHD6bzrkN+54menxu2XGHkFKQ1es/g+cU0AI3yZ
+ XXgnlwNtC75TzZHwSA0kjmqcgr5XVcoLOr5XJWasQOyIXpjcHbfonnMV4NE5A/Jo
+ IEMLUdjLBWmjW1xeWo1CJ8hELbpfNaQf8YBzEuo5Yqvs7s0fKl8ea18jwtwYP9qc
+ 2CbD+7GpxuK/06gMTt7LExcqt39PVGmeFAtZHNtNBMnZ6Ek5cbWqhjPOCy2MFVaa
+ XTH3UxD1YISZC+NZtSYLDWrTwzY3EYCttAxHzg1iFC8STaM/OR6beD0OPcPj+QLS
+ XAH6NdHQcUSsFJ0KR4dfOrOnuLDzX2xLsgXJvDhRVbpYwSdeG40j5oGiNpam+z8/
+ fDboI4SNzB7Mb4j196kSHWK90sKFsxGkoDGZM/QZh4QA2v0yke1sqkUwkK4I
+ =SLD4
+ -----END PGP MESSAGE-----
+ fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+ - created_at: "2024-08-05T20:33:02Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA1Hthzn+T1OoAQ/+LSHRuYFtIKdxABivqoxvbirPS9Vyo+lYNXMRt9eK5oYp
+ 8ei+fyJgsyxXIIlsW2Dg/ZrM8O4aTxkuX1Eg0BhvuWWGBx71S7IGYX+6eSqrZWb+
+ 0zLSwKHmk3avGae/IkpKyEdFnGpHKhnILfpKEXVRWHQo5hjxFzUwzNr5N+wJcq19
+ sVuCsu4WSt75Ab5bTjl/AYrfYegkK5zXo2I+njIcSYqleQ6vlQ10LUiPg8QhPXqB
+ NvC8DVglMHN+dFDrnn5huTsd23nIJn6HRbLkqgPCezT8JUgjvEsO0tOdnM8jwRnI
+ K79HH53p3fbxSut+/P+u1X0gMTOT7KeLfY8URho5HQnnmymXbRxuWoQea9/Z3qIX
+ 4tfYkcMQA3+rxXANgsfT1yHEs8NjomUxi0SmSCeqtH333iMJJwEwWgLiIKFAA6t9
+ SffF9liWeG88VEeAF5dM+7uQ7XrTsAlcdHdNoQCpprx3Hx331rFt1DOj3Md2moF0
+ TUqdNsZ7wCA9zlVPwtjkILMGEdz8ZN62an0R/h2ZM9Y/wuZcl1M6wWI9eyjx2Qva
+ 7/Xk6LMklmNICifOZZ5Tmw1xSyxOIW8VNp7IiKXZBAjb8NiUveNUos0gjMxNQ3PR
+ oWv8LY3vfYiKE7AJhzrEim1PX36OcRYpB+0BAou//9PGI59tHp/Fupi2lWx7Qv3S
+ XAEJRUzfnCPB56PdLkNFbJAj2v11zD8zBIZqpuGh/f3fE7V0klGy/Dx9yHyAhw0t
+ LeXMrYUYO3zjLc4yh7qdrGPBdWUQg8BzWwIJERdHS90zQwmcTkkaX5en3GII
+ =MQ9C
+ -----END PGP MESSAGE-----
+ fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+ - created_at: "2024-08-05T20:33:02Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA46L6MuPqfJqARAApQx98KdexUMI0KY65hv0IRvBRFouPwpTsd4VpzTsbkYF
+ XDBhxWVXkI9iLS8O6siQygVDDMfIDs5SadVoOicWyOpHR5sjOaW9qHA4w399w8Fe
+ 5XoPyfUuQvVywfHMhQiznHNPj5+SgcehwUL1i1+qD3h8RZxbgGkvYKinlkkbxzh/
+ Tk4lYjcoNvb/10XRWDEy5KxMB2qc2BFEWZk6DrXe9ZUd0IzYh+tA07rUZVu8TRAc
+ abx6/0lvgIK45frzYJb17yL/9mCbAUVzSlR/+5LZ+qm73Ax4nsGcGA8nfDVGw/di
+ +BbbpBHdCs7/1XEHfrKzuUXOAd0V1HjeQSS6zzcwsfFLMevYMyTLmiTwo6SEoWSk
+ nN599ZqPutG94MVtvaKqDY47ABSOr0BZIUn4jdus34GTgDjX3TVTx8KPzemIbUv7
+ BQcd654NKQN0poyZegrksnJVfs6OeSULLylufj6vyFNlKbjNR+D1sHhiyKcmyrQf
+ T0jDnPgZIzeVbNSdrDywrme+CykRSoFs60GgGYt6p/Omuh7Vp6we05jzY8lUJL76
+ VsGqqyCn3JLZb6iWFe+P7JT1VXsl8xsrmn5BKoSMeXqaXctYKuJ2E20gc90a8UXm
+ jhnHYeG2QHW1LBgv1yeqCpUIfHxNRr+gJ3cHQLNUuchC3vubf3sBXhHzYXyzyXrS
+ XAFwRah/o35ETWbRhFsw+SzJGTgsyUqKAtWGmfTRPsbVvbam63IEsbTSLOdMahmY
+ 6uSgIbsZTobna90eVPFM8w3JIx7+Mq0YtdaLgRqpHJtPC7oVgN+RnKbgEEqQ
+ =uyf4
+ -----END PGP MESSAGE-----
+ fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+ - created_at: "2024-08-05T20:33:02Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA4EEKdYEzV0pAQ//QZwerhHFVjR/LahlgmnO/HyiR+wbvNzHEya/rVwuu+st
+ V8hNgBFp9N1Y9uh/GFIzZd5ETz7yq0FawRptlt5k0CqVYfsDBIB3ewxukJeyjdj2
+ 8E84l9SSdmV5uqWK+MV+uY57C8BBcgWtUpjOTNrGkAqtEd5YrSZwcgtKGVLI2Dd/
+ i2I1RYdYP/VTusBtpqPk+IrpJf8jEYcEhl+S0wnG+kh/rhyCCrtda49SgRbuJE2d
+ V9JJlASkC6H6DRn6dVcO2BUZss3ZQB+OF9vfo7tnnuU8Mw1C2JWPy9oPiNat5UGE
+ zVJZf//m0xBfQVFWFDs95lvqzsBcAAg02tTsclPTtgz9buW5Pph3/OUiq4o/ZWOz
+ TMSXGD+Fi/mbP7jJZndtiadMtfOQC1dGC86A5H01aQliWruIMb0Wp55+Zr2Rw39p
+ FlhFSfCzyQHgA+uMa45XFaHCaS9pllWoT3QO3csP5ZyeUM8pLvnxwnLB2BTgg+yF
+ aV3BP0nzbHAUuaDeb/WtRINKRcKHCqrPPAEvb6X0OU51NvzmaWJphpdrvi3/4sEO
+ 5+zDlqSZetaBa9WB1iCeD/u8wNNunCXageLxBucesv1uH5PvF51A/aJvXf1jRCym
+ NjSUQw2aSX35nWc9MIcUnO5mB8H4N5BF2FBx8Nq2XnrVgVPqqe1Sc2Ph4tE54QzS
+ XAG1bzAX3lHh77xsUuy/Nk3VE3kzJhaxpyz0rPIn6NQ9lVcy4hiyecKL3Jk3Ffcn
+ kxeKnjym5E4e3f8cMxWQlc+xtwga5QAD2dU2X9fPj6UxGEbh+gDqLv8wtzMr
+ =7R+0
+ -----END PGP MESSAGE-----
+ fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+ - created_at: "2024-08-05T20:33:02Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DQrf1tCqiJxoSAQdA4XhPBK5WnPVo84ZrCUe92HZSEKtH88GLktniZCmAczcw
+ cO5WYiy9D4z/aieGuMTBGg5xRk7eAMZVTbMDV+KXKLVlDwoxKybKSbT+fvhNGJ13
+ 0lwBd0RFKYGq4YO+/nUxHZo3hG6qmv3/K06fta/D4p/C5wYefNZVcAj5VqatP3Zi
+ I/ktqdDszkc98/bf4fHoQmSxP25Wp65jJBEYeMZgX75M/wguGeIBfEgZB5bgww==
+ =0G+m
+ -----END PGP MESSAGE-----
+ fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+ - created_at: "2024-08-05T20:33:02Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzdAjw8ldn6CAQ//Vu9YJvMsevJAd4RJwJ5HMdB3xy3dbDG98qZb8Zoj0+qX
+ KT/VsR9YoOLeszmzI6BtB2PQhLeavMR2/SFJTGunxaSCvHcd/q7dnC+WAmUVun8l
+ MVRkIRh1I+tX1KQBqFt1IzsUm5kwJD4iThn4OWyDlS3WCDFlOLUC1iZVtdqxptzy
+ p4mzM4NmR/Z8r8aA+dYdTlzDHyUhVnvYCDaRTIyr2qzd6kUHmo9PMRvqUNQkNA3k
+ YOwLt8VR0nZIAx7YOGwSp4E32tk09o7Z+dUIYqXO71c5TxXsOoeEbVn7gj+7KQVs
+ yDNMF7he54zjModPJkSa4MjwTC2NKzLClux0aE9dW5Zv2eSiTEIlaAwhJjH0wt8O
+ oMJ5A8Y39GmNoAkadQ5NLP6WwTaUFYLacT56/AdAvsodQf7zlF399wXZlQufAgLv
+ 3WAvL+LQKpg8TwH74pJe4te4BjnqWvYx+jkRYbRxSXD2iwqrWXk57XysizgjAAre
+ FJe42BeL2uyP/cMTcNFcd+W2DztUkNR54FHSYY8mqev81BYX92ExsfEugsBzUaDF
+ 3QBnZIZZInCQKnXIIaj5+rV8XXbMKnyTNBQCxfUk92OOrUhikvYhwfPev2ejUzQm
+ k8RgIG9ZBWDENGX9ojmTH+ec2gWmLvKGyhrKjWvNMzzblHfuxjdSizoQ1FflYEPS
+ XAE9Cu/L0lwQEU8vRRPPF9kRHLoJygxdOYoD4+SggCkPJxtyiCTNWJeOBwbSnGyh
+ B8GnNJwNn7H8vh40se/uo2311O8NcuvdLLiBw9DxCTCcPHqS4e5hF98oiSnI
+ =ZgbM
+ -----END PGP MESSAGE-----
+ fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
index e031d4d..9013060 100644
--- a/config/hosts/yate/service.nix
+++ b/config/hosts/yate/service.nix
@@ -1,21 +1,48 @@
{ config, pkgs, ... }:
{
+# systemd.managerEnvironment = {
+# SYSTEMD_LOG_LEVEL = "debug";
+# };
+
+
+
+ sops.secrets."git_clone_key" = {
+ mode = "0600";
+ owner = "yate";
+ group = "yate-config";
+ restartUnits = [ "yate.service" ];
+};
+
systemd.services.yate = {
enable = true;
description = "Yate telehony engine";
unitConfig = {
- Type = "simple";
- After = "network.target";
+ After= "network-online.target";
};
serviceConfig = {
- ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do";
- Type = "simple";
- Restart = "always";
+ ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
+ Type="simple";
+ Restart="always";
+ User="yate";
+ Group="yate-config";
+ StateDirectory = "yate";
+ StateDirectoryMode = "0775";
# ...
};
wantedBy = [ "default.target" ];
- requiredBy = [ "network.target" ];
+ requires = [ "network-online.target" ];
+ preStart = "echo \"\n\" >> /run/secrets/git_clone_key
+ sleep 5
+ SSH_SUCCESS=1
+ ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0
+ if [ $SSH_SUCCESS = 1 ]; then
+ rm -rf /var/lib/yate/*
+ rm -rf /var/lib/yate/.*
+ env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
+ ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
+ fi";
+
# ...
};
}
diff --git a/config/hosts/yate/sops.nix b/config/hosts/yate/sops.nix
new file mode 100644
index 0000000..38b06f9
--- /dev/null
+++ b/config/hosts/yate/sops.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ sops = {
+ defaultSopsFile = ./secrets.yaml;
+ };
+}
\ No newline at end of file
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index c4834bb..3f9b054 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -10,4 +10,19 @@
# Just disable it for now.
networking.firewall.enable = false;
+
+ users.users.yate = {
+ description = "yate service user";
+ group = "yate-config";
+ isNormalUser = true;
+ };
+
+
+ users.groups.yate-config = {};
+ users.groups.yate-config.members = [ "colmema-deploy" "chaos" "root" "yate"];
+
+ environment.etc.yate.user = "yate";
+ environment.etc.yate.group = "yate-config";
+ environment.etc.yate.mode = "symlink";
+ environment.etc.yate.source = "/var/lib/yate";
}
diff --git a/flake.nix b/flake.nix
index fb4ed26..5ecee98 100644
--- a/flake.nix
+++ b/flake.nix
@@ -174,6 +174,7 @@
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
+ sops-nix.nixosModules.sops
./config/hosts/yate
];
};
From 8045681bb5ab6896cf6fb30a30c47b507c29e589 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Sun, 19 Jan 2025 19:05:15 +0100
Subject: [PATCH 23/46] yate: clean up and nicely format nix configuration
---
config/hosts/yate/configuration.nix | 4 +-
config/hosts/yate/default.nix | 3 +-
config/hosts/yate/service.nix | 48 ----------------------
config/hosts/yate/yate.nix | 64 ++++++++++++++++++++++++-----
4 files changed, 55 insertions(+), 64 deletions(-)
delete mode 100644 config/hosts/yate/service.nix
diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix
index f350966..6b1fa99 100644
--- a/config/hosts/yate/configuration.nix
+++ b/config/hosts/yate/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ ... }:
{
networking = {
@@ -6,7 +6,5 @@
domain = "z9.ccchh.net";
};
-# users.users.chaos.password = "yes";
-
system.stateVersion = "23.11";
}
diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix
index 009e1a1..66738e8 100644
--- a/config/hosts/yate/default.nix
+++ b/config/hosts/yate/default.nix
@@ -1,11 +1,10 @@
-{ config, pkgs, ... }:
+{ ... }:
{
imports = [
./configuration.nix
./networking.nix
./yate.nix
- ./service.nix
./sops.nix
];
}
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix
deleted file mode 100644
index 9013060..0000000
--- a/config/hosts/yate/service.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-# systemd.managerEnvironment = {
-# SYSTEMD_LOG_LEVEL = "debug";
-# };
-
-
-
- sops.secrets."git_clone_key" = {
- mode = "0600";
- owner = "yate";
- group = "yate-config";
- restartUnits = [ "yate.service" ];
-};
-
- systemd.services.yate = {
- enable = true;
- description = "Yate telehony engine";
- unitConfig = {
- After= "network-online.target";
- };
- serviceConfig = {
- ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
- Type="simple";
- Restart="always";
- User="yate";
- Group="yate-config";
- StateDirectory = "yate";
- StateDirectoryMode = "0775";
- # ...
- };
- wantedBy = [ "default.target" ];
- requires = [ "network-online.target" ];
- preStart = "echo \"\n\" >> /run/secrets/git_clone_key
- sleep 5
- SSH_SUCCESS=1
- ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0
- if [ $SSH_SUCCESS = 1 ]; then
- rm -rf /var/lib/yate/*
- rm -rf /var/lib/yate/.*
- env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
- ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
- fi";
-
- # ...
- };
-}
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index 3f9b054..d3ed2f9 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
{
environment.systemPackages = [
@@ -11,18 +11,60 @@
# Just disable it for now.
networking.firewall.enable = false;
- users.users.yate = {
- description = "yate service user";
- group = "yate-config";
- isNormalUser = true;
+ users = {
+ users.yate = {
+ description = "yate service user";
+ group = "yate-config";
+ isNormalUser = true;
+ };
+
+ groups.yate-config = {
+ members = [ "colmema-deploy" "chaos" "root" "yate"];
+ };
};
+ environment.etc.yate = {
+ user = "yate";
+ group = "yate-config";
+ mode = "symlink";
+ source = "/var/lib/yate";
+ };
- users.groups.yate-config = {};
- users.groups.yate-config.members = [ "colmema-deploy" "chaos" "root" "yate"];
+ sops.secrets."git_clone_key" = {
+ mode = "0600";
+ owner = "yate";
+ group = "yate-config";
+ restartUnits = [ "yate.service" ];
+ };
- environment.etc.yate.user = "yate";
- environment.etc.yate.group = "yate-config";
- environment.etc.yate.mode = "symlink";
- environment.etc.yate.source = "/var/lib/yate";
+ systemd.services.yate = {
+ enable = true;
+ description = "Yate telehony engine";
+ unitConfig = {
+ After= "network-online.target";
+ };
+ serviceConfig = {
+ ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
+ Type="simple";
+ Restart="always";
+ User="yate";
+ Group="yate-config";
+ StateDirectory = "yate";
+ StateDirectoryMode = "0775";
+ };
+ wantedBy = [ "default.target" ];
+ requires = [ "network-online.target" ];
+ preStart = ''
+ echo \"\n\" >> /run/secrets/git_clone_key
+ sleep 5
+ SSH_SUCCESS=1
+ ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0
+ if [ $SSH_SUCCESS = 1 ]; then
+ rm -rf /var/lib/yate/*
+ rm -rf /var/lib/yate/.*
+ env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
+ ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
+ fi
+ '';
+ };
}
From d57c47437ff20dcb3c0008ab666b927de1181121 Mon Sep 17 00:00:00 2001
From: echtnurich <ich@echtnurich.de>
Date: Thu, 23 Jan 2025 20:15:37 +0100
Subject: [PATCH 24/46] Add reload script for refreshing config during runtime
---
config/hosts/yate/yate.nix | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index d3ed2f9..d5e64f1 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -45,6 +45,11 @@
};
serviceConfig = {
ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
+ ExecReload= ''
+ ${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate
+ /usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
+ /usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/main
+ '';
Type="simple";
Restart="always";
User="yate";
From 73fa9d1e067e626fec76eb713342644f72647c65 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Fri, 24 Jan 2025 11:44:29 +0100
Subject: [PATCH 25/46] git: enable Git LFS
---
config/hosts/git/forgejo.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index 665815d..85b13e6 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -14,6 +14,7 @@
enable = true;
package = pkgs.forgejo;
database.type = "postgres";
+ lfs.enable = true;
secrets = {
mailer = {
From 4530608c9900901ece7f0c2448e4035369c8f15b Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Fri, 24 Jan 2025 11:45:32 +0100
Subject: [PATCH 26/46] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'authorizedKeysRepo':
'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
→ 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
• Updated input 'nixos-generators':
'github:nix-community/nixos-generators/051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4?narHash=sha256-A7CTIQ8SW0hfbhKlwK%2BvSsu4pD%2BOaelw3v6goX6go%2BU%3D' (2024-12-23)
→ 'github:nix-community/nixos-generators/d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453?narHash=sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL%2BtIBm49vpepwL1MQ%3D' (2025-01-16)
• Updated input 'nixos-generators/nixlib':
'github:nix-community/nixpkgs.lib/0a31e8d833173ae63e43fd9dbff1ccf09c4f778c?narHash=sha256-dPhc%2Bf2wkmhMqMIfq%2BhColJdysgVxKP9ilZ5bR0NRZI%3D' (2024-12-22)
→ 'github:nix-community/nixpkgs.lib/1418bc28a52126761c02dd3d89b2d8ca0f521181?narHash=sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s%3D' (2025-01-12)
• Updated input 'nixos-generators/nixpkgs':
'github:NixOS/nixpkgs/4989a246d7a390a859852baddb1013f825435cee?narHash=sha256-kMBQ5PRiFLagltK0sH%2B08aiNt3zGERC2297iB6vrvlU%3D' (2024-12-17)
→ 'github:NixOS/nixpkgs/2f9e2f85cb14a46410a1399aa9ea7ecf433e422e?narHash=sha256-FWlPMUzp0lkQBdhKlPqtQdqmp%2B/C%2B1MBiEytaYfrCTY%3D' (2025-01-12)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/530de2c83360057c1650fb8a37ef48cb9ad8f6a6?narHash=sha256-WIGZ3DPw5H%2BSPszUXVacK%2BKTh3sJZShP1vGtDwhquNM%3D' (2025-01-09)
→ 'github:nixos/nixpkgs/c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c?narHash=sha256-fY95Rp63NFzOwRFO6%2BRGi/UTyxgqmFmKtQ/DWg%2B6vsQ%3D' (2025-01-23)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/c9c88f08e3ee495e888b8d7c8624a0b2519cb773?narHash=sha256-eSjkBwBdQk%2BTZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4%3D' (2025-01-06)
→ 'github:Mic92/sops-nix/015d461c16678fc02a2f405eb453abb509d4e1d4?narHash=sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw%3D' (2025-01-20)
---
flake.lock | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/flake.lock b/flake.lock
index 4625fa3..259f97a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
"narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
"rev": "686a6af22f6696f0c0595c56f463c078550049fc",
"type": "tarball",
- "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
+ "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
},
"original": {
"type": "tarball",
@@ -16,11 +16,11 @@
},
"nixlib": {
"locked": {
- "lastModified": 1734829460,
- "narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=",
+ "lastModified": 1736643958,
+ "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
- "rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c",
+ "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
"type": "github"
},
"original": {
@@ -35,11 +35,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
- "lastModified": 1734915500,
- "narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=",
+ "lastModified": 1737057290,
+ "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
"owner": "nix-community",
"repo": "nixos-generators",
- "rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4",
+ "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
"type": "github"
},
"original": {
@@ -50,11 +50,11 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1734435836,
- "narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=",
+ "lastModified": 1736657626,
+ "narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "4989a246d7a390a859852baddb1013f825435cee",
+ "rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e",
"type": "github"
},
"original": {
@@ -66,11 +66,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1736408508,
- "narHash": "sha256-WIGZ3DPw5H+SPszUXVacK+KTh3sJZShP1vGtDwhquNM=",
+ "lastModified": 1737665804,
+ "narHash": "sha256-fY95Rp63NFzOwRFO6+RGi/UTyxgqmFmKtQ/DWg+6vsQ=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "530de2c83360057c1650fb8a37ef48cb9ad8f6a6",
+ "rev": "c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c",
"type": "github"
},
"original": {
@@ -95,11 +95,11 @@
]
},
"locked": {
- "lastModified": 1736203741,
- "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=",
+ "lastModified": 1737411508,
+ "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773",
+ "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
"type": "github"
},
"original": {
From bb0af02e5c28952c9c9d937861007955ac25e490 Mon Sep 17 00:00:00 2001
From: echtnurich <ich@echtnurich.de>
Date: Fri, 24 Jan 2025 18:00:26 +0100
Subject: [PATCH 27/46] use nix option for ExecReload
---
config/hosts/yate/yate.nix | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index d5e64f1..89f225e 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -45,11 +45,6 @@
};
serviceConfig = {
ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
- ExecReload= ''
- ${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate
- /usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
- /usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/main
- '';
Type="simple";
Restart="always";
User="yate";
@@ -61,15 +56,22 @@
requires = [ "network-online.target" ];
preStart = ''
echo \"\n\" >> /run/secrets/git_clone_key
+ id
sleep 5
SSH_SUCCESS=1
${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0
if [ $SSH_SUCCESS = 1 ]; then
rm -rf /var/lib/yate/*
rm -rf /var/lib/yate/.*
- env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
- ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
+ env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
+ ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory "/var/lib/yate"
fi
'';
+ reload= ''
+ id
+ ${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate
+ /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
+ /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/master
+ '';
};
}
From 5cf9cffa77b4e1e1179305b9ad7eca6d40cce177 Mon Sep 17 00:00:00 2001
From: echtnurich <ich@echtnurich.de>
Date: Fri, 24 Jan 2025 19:54:31 +0100
Subject: [PATCH 28/46] add more checks before config reinit
---
config/hosts/yate/yate.nix | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix
index 89f225e..236e1f0 100644
--- a/config/hosts/yate/yate.nix
+++ b/config/hosts/yate/yate.nix
@@ -55,12 +55,13 @@
wantedBy = [ "default.target" ];
requires = [ "network-online.target" ];
preStart = ''
- echo \"\n\" >> /run/secrets/git_clone_key
- id
+ echo "\n" >> /run/secrets/git_clone_key
sleep 5
+ id
+ echo "$(stat -c '%U' /var/lib/yate/.git) owns /var/lib/yate/.git"
SSH_SUCCESS=1
${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0
- if [ $SSH_SUCCESS = 1 ]; then
+ if [[ $SSH_SUCCESS = 1 && $(stat -c '%U' /var/lib/yate/.git) == *yate* ]]; then
rm -rf /var/lib/yate/*
rm -rf /var/lib/yate/.*
env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
From 934f29a84a32d8770faf6a657ee7519960cd0ed7 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Tue, 4 Feb 2025 21:31:09 +0100
Subject: [PATCH 29/46] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'authorizedKeysRepo':
'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
→ 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c' (2025-01-23)
→ 'github:nixos/nixpkgs/11e2214d91f0d06ea8575087e3cd8e246c550bd8' (2025-02-04)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/015d461c16678fc02a2f405eb453abb509d4e1d4' (2025-01-20)
→ 'github:Mic92/sops-nix/4c1251904d8a08c86ac6bc0d72cc09975e89aef7' (2025-01-31)
---
flake.lock | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/flake.lock b/flake.lock
index 259f97a..7f1207b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
"narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
"rev": "686a6af22f6696f0c0595c56f463c078550049fc",
"type": "tarball",
- "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
+ "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
},
"original": {
"type": "tarball",
@@ -66,11 +66,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1737665804,
- "narHash": "sha256-fY95Rp63NFzOwRFO6+RGi/UTyxgqmFmKtQ/DWg+6vsQ=",
+ "lastModified": 1738663689,
+ "narHash": "sha256-L9CwNfoGcvAUpPu6DSkhpdT4tczeWREJWj7ah0Q/qTE=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c",
+ "rev": "11e2214d91f0d06ea8575087e3cd8e246c550bd8",
"type": "github"
},
"original": {
@@ -95,11 +95,11 @@
]
},
"locked": {
- "lastModified": 1737411508,
- "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
+ "lastModified": 1738291974,
+ "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
+ "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
"type": "github"
},
"original": {
From a665aa15f4001151eb7590c83c877bf30be55b7b Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 10 Feb 2025 23:43:05 +0100
Subject: [PATCH 30/46] eh22-wiki: remove because of migration to ansible-infra
---
config/hosts/eh22-wiki/configuration.nix | 7 -
config/hosts/eh22-wiki/default.nix | 9 --
config/hosts/eh22-wiki/dokuwiki.nix | 166 -----------------------
config/hosts/eh22-wiki/networking.nix | 22 ---
flake.nix | 10 --
5 files changed, 214 deletions(-)
delete mode 100644 config/hosts/eh22-wiki/configuration.nix
delete mode 100644 config/hosts/eh22-wiki/default.nix
delete mode 100644 config/hosts/eh22-wiki/dokuwiki.nix
delete mode 100644 config/hosts/eh22-wiki/networking.nix
diff --git a/config/hosts/eh22-wiki/configuration.nix b/config/hosts/eh22-wiki/configuration.nix
deleted file mode 100644
index ff45e49..0000000
--- a/config/hosts/eh22-wiki/configuration.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-
-{
- networking.hostName = "eh22-wiki";
-
- system.stateVersion = "23.11";
-}
diff --git a/config/hosts/eh22-wiki/default.nix b/config/hosts/eh22-wiki/default.nix
deleted file mode 100644
index 2d90c6b..0000000
--- a/config/hosts/eh22-wiki/default.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- imports = [
- ./configuration.nix
- ./dokuwiki.nix
- ./networking.nix
- ];
-}
diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix
deleted file mode 100644
index f9a7cbd..0000000
--- a/config/hosts/eh22-wiki/dokuwiki.nix
+++ /dev/null
@@ -1,166 +0,0 @@
-# Sources for this configuration:
-# - https://www.dokuwiki.org/dokuwiki
-# - https://www.dokuwiki.org/install
-# - https://www.dokuwiki.org/requirements
-# - https://www.dokuwiki.org/install:php
-# - https://www.dokuwiki.org/security
-# - https://www.dokuwiki.org/config:xsendfile
-# - https://www.dokuwiki.org/install:nginx
-# - https://www.dokuwiki.org/faq:uploadsize
-# - https://nixos.wiki/wiki/Phpfpm
-# - https://wiki.archlinux.org/title/Nginx#FastCGI
-# - https://github.com/NixOS/nixpkgs/blob/84c0cb1471eee15e77ed97e7ae1e8cdae8835c61/nixos/modules/services/web-apps/dokuwiki.nix
-# - https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/81c8bfe16b311d5bf4635947fa02dfb65aea7f91/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf
-# - https://www.php.net/manual/en/install.fpm.php
-# - https://www.php.net/manual/en/install.fpm.configuration.php
-
-{ config, pkgs, ... }:
-
-let
- # This is also used for user and group names.
- app = "dokuwiki";
- domain = "eh22.easterhegg.eu";
- dataDir = "/srv/www/${domain}";
-in
-{
- systemd.tmpfiles.rules = [
- "d ${dataDir} 0755 ${app} ${app}"
- ];
-
- services.phpfpm.pools."${app}" = {
- user = "${app}";
- group = "${app}";
- phpOptions = ''
- short_open_tag = Off
- open_basedir =
- output_buffering = Off
- output_handler =
- zlib.output_compression = Off
- implicit_flush = Off
- allow_call_time_pass_reference = Off
- max_execution_time = 30
- max_input_time = 60
- max_input_vars = 10000
- memory_limit = 128M
- error_reporting = E_ALL & ~E_NOTICE
- display_errors = Off
- display_startup_errors = Off
- log_errors = On
- ; error_log should be handled by NixOS.
- variables_order = "EGPCS"
- register_argc_argv = Off
- file_uploads = On
- upload_max_filesize = 20M
- post_max_size = 20M
- session.use_cookies = 1
- ; Checked the default NixOS PHP extensions and the only one missing from
- ; DokuWikis list of PHP extensions was bz2, so add that.
- ; Checked with NixOS 23.11 on 2024-05-02.
- extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so
- '';
- settings = {
- "listen.owner" = "${config.services.nginx.user}";
- "listen.group" = "${config.services.nginx.group}";
- "pm" = "dynamic";
- "pm.max_children" = 32;
- "pm.start_servers" = 2;
- "pm.min_spare_servers" = 2;
- "pm.max_spare_servers" = 4;
- "pm.max_requests" = 500;
- };
- };
-
- services.nginx = {
- enable = true;
-
- virtualHosts."acme-${domain}" = {
- default = true;
- enableACME = true;
- serverName = "${domain}";
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 31820;
- }
- ];
- };
-
- virtualHosts."${domain}" = {
- default = true;
- forceSSL = true;
- useACMEHost = "${domain}";
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }
- ];
-
- root = "${dataDir}";
-
- locations = {
- "~ /(conf|bin|inc|vendor)/" = {
- extraConfig = "deny all;";
- };
-
- "~ /install.php" = {
- extraConfig = "deny all;";
- };
-
- "~ ^/data/" = {
- extraConfig = "internal;";
- };
-
- "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = {
- extraConfig = "expires 31d;";
- };
-
- "/" = {
- index = "doku.php";
- extraConfig = "try_files $uri $uri/ @dokuwiki;";
- };
-
- "@dokuwiki" = {
- extraConfig = ''
- # Rewrites "doku.php/" out of the URLs if the userwrite setting is
- # set to .htaccess in the DokuWiki config page.
- rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
- rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
- rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
- rewrite ^/(.*) /doku.php?id=$1&$args last;
- '';
- };
-
- "~ \\.php$" = {
- extraConfig = ''
- try_files $uri $uri/ /doku.php;
- include ${config.services.nginx.package}/conf/fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param REDIRECT_STATUS 200;
- fastcgi_pass unix:${config.services.phpfpm.pools."${app}".socket};
- '';
- };
- };
-
- extraConfig = ''
- # Set maximum file upload size to 20MB (same as upload_max_filesize and
- # post_max_size in the phpOptions).
- client_max_body_size 20M;
- client_body_buffer_size 128k;
- '';
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 8443 31820 ];
- networking.firewall.allowedUDPPorts = [ 8443 ];
-
- users.users."${app}" = {
- isSystemUser = true;
- group = "${app}";
- };
- users.groups."${app}" = { };
-}
diff --git a/config/hosts/eh22-wiki/networking.nix b/config/hosts/eh22-wiki/networking.nix
deleted file mode 100644
index fba2da9..0000000
--- a/config/hosts/eh22-wiki/networking.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ ... }:
-
-{
- networking = {
- interfaces.net0 = {
- ipv4.addresses = [
- {
- address = "172.31.17.159";
- prefixLength = 25;
- }
- ];
- };
- defaultGateway = "172.31.17.129";
- nameservers = [ "212.12.50.158" "192.76.134.90" ];
- search = [ "hamburg.ccc.de" ];
- };
-
- systemd.network.links."10-net0" = {
- matchConfig.MACAddress = "BC:24:11:37:F0:AB";
- linkConfig.Name = "net0";
- };
-}
diff --git a/flake.nix b/flake.nix
index 5ecee98..347294b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -149,16 +149,6 @@
];
};
- eh22-wiki = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
- modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
- self.nixosModules.prometheus-exporter
- ./config/hosts/eh22-wiki
- ];
- };
-
nix-box-june = nixpkgs.lib.nixosSystem {
inherit system specialArgs;
modules = [
From fe5e6cebdc0f0df330b0541c1756cdfc859f1bec Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 18 Feb 2025 00:02:31 +0100
Subject: [PATCH 31/46] netbox: remove because of migration to ansible-infra
---
.sops.yaml | 17 --
config/hosts/netbox/configuration.nix | 7 -
config/hosts/netbox/default.nix | 12 -
config/hosts/netbox/netbox.nix | 61 -----
config/hosts/netbox/networking.nix | 22 --
config/hosts/netbox/nginx.nix | 67 -----
config/hosts/netbox/postgresql.nix | 7 -
config/hosts/netbox/secrets.yaml | 234 ------------------
config/hosts/netbox/sops.nix | 7 -
deployment_configuration.json | 3 -
flake.nix | 19 --
...oup_and_role_mapping_custom_pipeline.patch | 61 -----
12 files changed, 517 deletions(-)
delete mode 100644 config/hosts/netbox/configuration.nix
delete mode 100644 config/hosts/netbox/default.nix
delete mode 100644 config/hosts/netbox/netbox.nix
delete mode 100644 config/hosts/netbox/networking.nix
delete mode 100644 config/hosts/netbox/nginx.nix
delete mode 100644 config/hosts/netbox/postgresql.nix
delete mode 100644 config/hosts/netbox/secrets.yaml
delete mode 100644 config/hosts/netbox/sops.nix
delete mode 100644 patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch
diff --git a/.sops.yaml b/.sops.yaml
index dedf3c1..9a6ae2d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -13,7 +13,6 @@ keys:
- &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
- &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
- &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
- - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
- &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
- &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
- &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
@@ -68,22 +67,6 @@ creation_rules:
- *admin_gpg_dante
age:
- *host_age_matrix
- - path_regex: config/hosts/netbox/.*
- key_groups:
- - pgp:
- - *admin_gpg_djerun
- - *admin_gpg_stb
- - *admin_gpg_jtbx
- - *admin_gpg_yuri
- - *admin_gpg_june
- - *admin_gpg_haegar
- - *admin_gpg_dario
- - *admin_gpg_echtnurich
- - *admin_gpg_max
- - *admin_gpg_c6ristian
- - *admin_gpg_dante
- age:
- - *host_age_netbox
- path_regex: config/hosts/public-web-static/.*
key_groups:
- pgp:
diff --git a/config/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix
deleted file mode 100644
index 50a584e..0000000
--- a/config/hosts/netbox/configuration.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- networking.hostName = "netbox";
-
- system.stateVersion = "23.05";
-}
diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix
deleted file mode 100644
index 6ef3469..0000000
--- a/config/hosts/netbox/default.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- imports = [
- ./configuration.nix
- ./netbox.nix
- ./networking.nix
- ./nginx.nix
- ./postgresql.nix
- ./sops.nix
- ];
-}
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
deleted file mode 100644
index f816016..0000000
--- a/config/hosts/netbox/netbox.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-# Sources for this configuration:
-# - https://docs.netbox.dev/en/stable/configuration/
-# - https://colmena.cli.rs/unstable/features/keys.html
-# - https://colmena.cli.rs/unstable/reference/deployment.html
-# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/secrets.nix
-
-{ config, pkgs, ... }:
-
-{
- services.netbox = {
- enable = true;
- # Explicitly use the patched NetBox package.
- package = pkgs.netbox_4_1;
- secretKeyFile = "/run/secrets/netbox_secret_key";
- keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
- settings = {
- ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ];
- SESSION_COOKIE_SECURE = true;
- # CCCHH ID (Keycloak) integration.
- # https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7
- # https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html
- REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2";
- SOCIAL_AUTH_KEYCLOAK_KEY = "netbox";
- # SOCIAL_AUTH_KEYCLOAK_SECRET set via keycloakClientSecret option.
- SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
- SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
- SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
- SOCIAL_AUTH_PIPELINE = [
- # The default pipeline as can be found in:
- # /nix/store/q2jsn56bgkj0nkz0j4w48x3klyn2x4gp-netbox-4.1.7/opt/netbox/netbox/netbox/settings.py
- "social_core.pipeline.social_auth.social_details"
- "social_core.pipeline.social_auth.social_uid"
- "social_core.pipeline.social_auth.social_user"
- "social_core.pipeline.user.get_username"
- "social_core.pipeline.user.create_user"
- "social_core.pipeline.social_auth.associate_user"
- "netbox.authentication.user_default_groups_handler"
- "social_core.pipeline.social_auth.load_extra_data"
- "social_core.pipeline.user.user_details"
- # Use custom pipeline functions patched in via netbox41OIDCMappingOverlay.
- # See: https://docs.goauthentik.io/integrations/services/netbox/
- "netbox.custom_pipeline.add_groups"
- "netbox.custom_pipeline.remove_groups"
- "netbox.custom_pipeline.set_roles"
- ];
- };
- };
-
- sops.secrets."netbox_secret_key" = {
- mode = "0440";
- owner = "netbox";
- group = "netbox";
- restartUnits = [ "netbox.service" "netbox-rq.service" ];
- };
- sops.secrets."netbox_keycloak_secret" = {
- mode = "0440";
- owner = "netbox";
- group = "netbox";
- restartUnits = [ "netbox.service" "netbox-rq.service" ];
- };
-}
diff --git a/config/hosts/netbox/networking.nix b/config/hosts/netbox/networking.nix
deleted file mode 100644
index a0abcfe..0000000
--- a/config/hosts/netbox/networking.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ ... }:
-
-{
- networking = {
- interfaces.net0 = {
- ipv4.addresses = [
- {
- address = "172.31.17.149";
- prefixLength = 25;
- }
- ];
- };
- defaultGateway = "172.31.17.129";
- nameservers = [ "212.12.50.158" "192.76.134.90" ];
- search = [ "hamburg.ccc.de" ];
- };
-
- systemd.network.links."10-net0" = {
- matchConfig.MACAddress = "62:ED:44:20:7C:C1";
- linkConfig.Name = "net0";
- };
-}
diff --git a/config/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix
deleted file mode 100644
index 2673cdc..0000000
--- a/config/hosts/netbox/nginx.nix
+++ /dev/null
@@ -1,67 +0,0 @@
-# Sources for this configuration:
-# - https://nixos.org/manual/nixos/stable/#module-security-acme
-# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/nginx.nix
-# - https://docs.netbox.dev/en/stable/installation/5-http-server/
-# - https://github.com/netbox-community/netbox/blob/v3.5.9/contrib/nginx.conf
-
-{ config, pkgs, ... }:
-
-{
- services.nginx = {
- enable = true;
- # So nginx can access the Netbox static files.
- user = "netbox";
-
- virtualHosts."acme-netbox.hamburg.ccc.de" = {
- default = true;
- enableACME = true;
- serverName = "netbox.hamburg.ccc.de";
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 31820;
- }
- ];
- };
-
- virtualHosts."netbox.hamburg.ccc.de" = {
- default = true;
- forceSSL = true;
- useACMEHost = "netbox.hamburg.ccc.de";
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }
- ];
-
- locations."/static/" = {
- alias = "${config.services.netbox.dataDir}/static/";
- };
-
- locations."/" = {
- proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
- };
-
- extraConfig = ''
- # Make use of the ngx_http_realip_module to set the $remote_addr and
- # $remote_port to the client address and client port, when using proxy
- # protocol.
- # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
- # Then tell the realip_module to get the addreses from the proxy protocol
- # header.
- real_ip_header proxy_protocol;
-
- client_max_body_size 25m;
- '';
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 8443 31820 ];
- networking.firewall.allowedUDPPorts = [ 8443 ];
-}
diff --git a/config/hosts/netbox/postgresql.nix b/config/hosts/netbox/postgresql.nix
deleted file mode 100644
index 5f49f30..0000000
--- a/config/hosts/netbox/postgresql.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ pkgs, config, ... }:
-
-{
- services.postgresql = {
- package = pkgs.postgresql_15;
- };
-}
diff --git a/config/hosts/netbox/secrets.yaml b/config/hosts/netbox/secrets.yaml
deleted file mode 100644
index 831a7a1..0000000
--- a/config/hosts/netbox/secrets.yaml
+++ /dev/null
@@ -1,234 +0,0 @@
-netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str]
-netbox_keycloak_secret: ENC[AES256_GCM,data:WLPCwl6KmHhyGwpqchZUmTr0XwA1T9asAEXNOSQMfGU=,iv:fsO+Ho18Uz6+y2iohbve1bUKhCR/c2zNrbODR2Jrh3Q=,tag:MWeh7GhdyUJnSzrndA3l3Q==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTJ5OEJPeGVPTHp5V2tX
- c0xYcWtKNG00d3lCQ1JZRERkUFZsaXpyMERJClQwdDFnTVdCRjB0S3hEYkVmclE5
- dGRUQThYSWhpK2dCQWxSVjhuNEY4TUEKLS0tIC9RS3hSdFZCbTd4eFNNSTgyaXdU
- V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw
- a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-10-08T23:54:23Z"
- mac: ENC[AES256_GCM,data:6KwBwJ1uTuOaCTcBs9sgvX+E/bV37ylJmDqYupa3545ba5Y3VMuF2Hx72zzRYPmh5/DmwzDxc/f7TZUheO5jwwwMGGNCYuX2c+nkzLgtovT/yCXTo8vPHNf03fQRHlOq28ztQIG8Ug1s/t4XkA+iuqPdbvyNKLbsJfJBqg4SF44=,iv:SUXPFtW3/pSTBnjAh77G6pJTucHy4VEhUVkELiMJ4JU=,tag:SfLCwPpJuvL7RrIRmN5PGg==,type:str]
- pgp:
- - created_at: "2024-05-26T01:07:22Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMAxK/JaB2/SdtARAAgiNMTfquNZeRDR0p1DQbGPVx/tCxKng4aQ+6A8x7H3Ul
- UFSjn+85rFBqTRswDnFM4gSfokBHLW1Ltztqw4aKuYoNLs0vUGJWrkf5dHsJv2Mb
- YJaHm1iqSwIrgmyI1PWvrZ+cUjgUWBriJOTNlYi2iHWBWqDSQ7O7TUqpeCxiHAp9
- e6UydzIxsLjl+7gaDW2M/FRJNVKxtq8UBEdg33xLi/eE6O5/fNyo8qBjUUWnG4xb
- fiuKWgn83n7vsVsmvNJPlsOUrrZoYJAOSm5nymkXlAEQv1LPrSXXYHz8WoOTPDs8
- 29YAX8gvIwK+lc7xFFZAsjQ8JzqcVMyFHsT9N8zWSdaOyGcFcsDwBEICOvVSabb9
- g3yrI8PKoEkQigeLnzKrkLZX+1vqVkSO7MBWn5xAMMhTTZvH0+MknlYO0pU3ziME
- Yp6EbvU4OeRbcB6gMt21KQDhiEkPNdwcyxoOtFIWw8tCK57Leyyyb1YU2W7T96M4
- 2fcoAzr5x3xapdvOEgUr7OFzTrc2DRrpx7FKoJFBIy4HEvtJKJvKxcq4aUqznSPG
- ILpbnH3CEQuWmcGu5fTZ3ggQZW7bM523cz+cwOJjUokhW49D+h7wZjffUuSK1AWS
- 7FwncFVVkNcLAs77p1DFn4A3mUjdh3jl+VAXudgQfOGtLeLDY4+qlMMQSGPoj4fU
- aAEJAhB0l1X5jqjGE7o/PRwgoaeFl/zwiX8n0k26++hPw2+Vt/b3sT3Ce0zNr30p
- Yc7h4H8UoN9j6zD96R9MAATHikz7a5EprAshqzV6uy7VNI6bcKVKilLoxVa47Y1p
- 6PA24RxtGxVm
- =ES/O
- -----END PGP MESSAGE-----
- fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- - created_at: "2024-05-26T01:07:22Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMA6EyPtWBEI+2AQ/+OBSrAP5xkjanku4jcpbYrYDMTWRxVfEgNesvuTyQsxVr
- kKK9THm7MUHbVBkx1xirvpv6XLcLtCwdMnYlBkSCVaztGmb1aowmCn5tWZiVDyE+
- UPCF0bTXmxjLM+Cav8aweylfD3vAQsPvFLS3XvCBHKWqZ7dNkro+5VTxKmQ+XiZ6
- t67M5DtltUm8IWOE2DScAgGiBQlCSY23O/zy4U5Sj3Ii+eRHxC1B7NB0Crj01pi7
- 2v6J7yNZnw4vfH3UiRO5Vg9q0QLPp3XR6Xb1J/TJJS6vCUarSbL1/oBjujHkF4hK
- MEZ+Q3qGnv+dGOzUch4xkEkuWyfIcMTY6JOa3TpkhfkbQwXsph/sD/SaHpRD70Ra
- PX0vBzSdbtEMea8/pVTOxfFEjPGQIFI1+pdNmCfzhWNbrH6EqjrSOyZXSr6+U3dI
- Xhpyv2wKuNho0c9jWYqPzY4vhSGRjc9416nfV/o7Ebv659ypBKHtMDcL5kebkCB4
- W0OwscSRPUXUz2S9XfSa3J80Aakv5S5xvlXo6R/8TDaMWJtZP2vtF4y0elNGOfZM
- Vn/zlv1htaezQDNznJK+E8bHEF3p92hiuSjO8yMZByIFrAV1AyqY4kiMmW68scA6
- NBOlxah9xCV7XnD8B1ZCR9FruuYYj9cpwES0lLvISBXJvh1viyHN8Js0uApePInS
- XgGzDhaZWWyt5TK+Uv2fu8wh6hbX8hmzT9vBLfPz0Gx6Z78RnwflsTqF8svtjSuB
- zv4z9d/zrysfHY93Gd8kdKkG955f1THz9dELEpYLIwyLoTx1vHlymVP87TuPqxc=
- =zG3F
- -----END PGP MESSAGE-----
- fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- - created_at: "2024-05-26T01:07:22Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMAz5uSgHG2iMJARAAjT7YVbq2/QthKii2fmj1EZgsDm7ZkcAKJ7Bo0jm7Vgxm
- wGeBULB0bBoYEiFFO7Kc420Yk6IK+uUG8S8X3bJHUbMzvY/K/kG0eVpXwDJwJPf8
- o46blkjpmhIiTvvQ4K74AJgsT9W0yXRrPxGz5HIuOG8P8CAqOabZ79ORfd3KFebJ
- yOvBSyor//XoMB60a7uqQoaWw/+UwRKpz2yncLafD23nyuS5uXsoHNuySHLsI4va
- y6Nhp4LdpYjjx/DIuzrl/3SCeLgisHL5u5kJ1QaGsfd2z7Tjxk+GoVgs/Wb51uHs
- vPk0diKrv/kouW7rN20a2ywQETenik7/z2JcEFyZiOPH9KhHk3QGoXdlVVqESz5O
- OMV5d/ijFW92Z7yuis1jSewGKDDp1FqyR3gIMONl2vK7Pzl1A8v8yQBbY5/fObuM
- xTs/qwwoqYimokqM3WrjjKgx8oFFstWWzKBT24aCQTajA8vl83v1jfjR7EjBrrAu
- +J+wBFNpnJiXgECPmJgOtQB+4IA023X1cdgDm2GlR+sPKKSBP+AySMOOp4zMoS4J
- 9xd30ltQp1ncNvU7KaTV0VXRaGb7CEJnlhiN2naYcpcsX+G8bfcrCuZwxtBFiZvY
- 9Ey47LLHP5SPPOWxhnsrPOYidNJd056+uyvnnbUYArjb6s5JUh6KQgjELKCEOIXS
- XgEUryr5jMrBHLQi7wYHEqWkouH8cFsPAu5O/KOIYvZVIoOzB3DDPtJ4CknNfAMa
- CTvlOJHJSuweQ4Mq0c+247aWu12V9ZMcTQT4e3g5DYq5TWm58Uidbd/g3FDwLgg=
- =PqbF
- -----END PGP MESSAGE-----
- fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- - created_at: "2024-05-26T01:07:22Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMAw5vwmoEJHQ1AQ//baYynNo2MfmuqEKles0xnZpfPemIyQUnPmRKEtZUl6T6
- eweGXKF3Ms32ErPhZaT8RNYAk2XX+RRlpJvTcMvLv/rxVTf2QcCAz6vxukmh5una
- 5CJe1H1tcDmXrQ7zkGffktkGcT90/OpRbhMJtp7MKcEzfpdgcw5yCeDpYCRn2r9E
- /0Eaf72R60ecnr6CaOSIdbpy1QiDMydgmg/QCONBT97RQMJaGN+qAuPz1Fpb/Z+N
- E/bmtqS39ADYZoB36sy+LCzp+oMLI0DpCHz2ngfFnKbeYeNU9gMXCAda9/ZyMbaI
- aFjvwlTBsvAklWN36pvG/YxoO1XkN/Mj1N1QBvxP2LYg28X7uBnVUZAyvvQPL6xN
- U110qThvDvLxgHC1DAfoMygKCDig2oSg3njf8LS1y5XkTag/B1JJT3NcgFI+MMvT
- 5NMaw6HRAgOwWcJ1pJokFZ6zIpLlIbToutJu/Ep4tisyg/G3ybbthqaywg5jkbCT
- vbhzXpsbqkE+jyx2dWziBbQR9lOoTycRwIs6um+pKuPF7TzfD1GRyqTwtU9TN58D
- Yl1GN3oz8ZFeGkdy1dXBxMP4EXR1BTdLk14vFGFPbjQ0bAAohOgTSgtGm+iZ73Q/
- PFNf/3gGt8/Gk0cMl20PFzk3FMyUDOLFl5dOre0THGQelpVbN7fvZuaXOSZjuYXS
- XgHGFmChf+zsmbKnT0tQfzGtFQb0cHHvkenxC5MCCCPibxwVeHEwcJTtPvvF1QqF
- 9kR3XEpuVFMNFrxsQd/31c5RUTC+sr7W+PRIVgIhdU6RtikIMsmekrunnPeB99U=
- =o7cj
- -----END PGP MESSAGE-----
- fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- - created_at: "2024-05-26T01:07:22Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMA4HMJd/cQYrVAQ/6A6ealIO6x8Xq3xzjIvZt1R4TvbnF+LmKpW2iG1nO3aVY
- QOEGUCVdEveWbQBOexKXl1TgfhxIOrPVixJ2KgIZnNxobhgABfF/H/EqXsxUI6n6
- 2mZt8r0ibknzoPn7MmC7ceJt0t8UVFgPlPuT7zb5T2nDrm61WD50tbubJTYTuWmY
- NE5qhd051/Ohqf1RGB7MEfesDNj0S+J3E0TAjOsAcFoAUwSohUtxONcCSwjiygqM
- vCC9Z51tMe6pC9n/2MNgb47xd5eqFs9rzfKXxPlnhhRmS1jOmE5fVfmOg9KOkGCu
- PskiO+hgyQK3q2a+/e/MGuKv3ChCrTloTUBarQW5oRoQnWdoiZh7rVwyNVasGfHW
- FLEhZuBlyV8w9JqOQTiOx3FN8IhVL2lJIa72Ng+O+AMYuvuSCxv5r+1D88IUlF9B
- n01qAMC7fUfOpkUPM0yXQ9GTIWt02Mp/7z15t49Uk3izYCGluxVNhLNFxvAZOZh8
- nfT2Hpf5mkJHMvUD9F9rWFVWPyCD0ORN8k770ziOVEYMadSJ7/HpCHxg5m+TqNnM
- TNQXID/f7AyoO10zcS8TD0IgDLEjTaPMTPZ1EZ0MvgLQ7MgzPdjdvXOGc0g8L6oa
- ac9a/NDWeZGDNfj5T88pZStoLJKnTvuuwxk0haabClxCAOysifxINqJ7U6AfkpnS
- XgHR1vDF871X9kwm/c2zrbJca2sH5pNU/HiLf3IMRTAnmIewYxQAvn3JH+0jUUKH
- fEt+fZuW9dgfvDzaw4C3FbGxFViRXXFrjqSDGN9JT6VprCmX3Or0RdIjHwdvvhY=
- =4agQ
- -----END PGP MESSAGE-----
- fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- - created_at: "2024-05-26T01:07:22Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMAxjNhCKPP69fAQ//R+9lFm16WjGtRkq3zcPbva2SpijBjVBfuL2veFyeDq5G
- H09EL0+A9IJ5rPI4Y6HJ2LhnqUWg7NRHbmM48bHla5NDtCNB+YsU1rNc4oGIf/TJ
- JRob3u660+BxRiEO/Agc925BeQS7xoPSIQTTkzMKEGih2aUj3Im0JHBd6p3UWnsn
- ZTUy4rkZHhUot1vHSOh1RTRDQHdDMTFpzPA66nH2y9tyz79jhqEFUCZIVIB5dGWv
- blFqZgoVf9Piw/7ic9FHuNRy/5tia7SGN6xIu3OlR3TU+z7fvjUAHG9Afm0FINfm
- fS7SRg+y/6wUWVGL8NSQWQLdnMnUt7E2DSu5IY6S6ToZTDxpNM9Waw89GQbUe+Jg
- APzUtmXt2VNZ7faIE+tE0LJs2x5OGNxALKgj+K9ZFl6oIL8E7PB4ncxDlTsCRiz/
- H15LzKYMWcYAntMVuVbyyzKUh/3KdZWfs31PV+JIQuazVUQgO9R3myn1Y9SnvZdQ
- dIwvfYBOmwhC6oCkJB3Pj4yOoE6gtacZBeeUZwScDxH6h+D3MFrF/1bgiKZs26m+
- VfuTS2vxUAln9werKIGAbQWZmtCOkRdyVIJyeo31zO3hy/xdfzlZdBijcOqZDeho
- FP+WDUAySkSahqV1pr+jIMsaejRglJo/GfCGPdtBYAuB872VpdiQ8g3i0CW7eSfS
- XgH5YBfA4EgJSxRdCpBO25i0SyxlNK2WJ9INQbu4xyfBfsZYyhKo1RbmD+60t/xw
- Lxeg8plFAuBPvQCRCGvda1y9uw66Hmxt0QKtScd3MXwOk2Q2u04cIPDZ/KAtC4g=
- =x1QX
- -----END PGP MESSAGE-----
- fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- - created_at: "2024-05-26T01:07:22Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMA1Hthzn+T1OoAQ/6AgZkGRrZDbtTDEkksKQ84CsGyRBMioOrYfHDSyRb7URZ
- RDVLfqr25Iz48kYR1n2nMo+O7QyayjTwaEAwFLFSTIpRKN6/9fT2ZVJxUfgLUWhH
- I1OYMmRr9f/30OUMw8uTlCMqznkdoSjBmm0CX2Mu3YyRDUokzZa+ixRHX9TRBrKz
- GSfJvHm77HTamvJLZcHnrVi9YH0KL7cQ8ileNHbUbCqmG+rrhiwz+gRp9aJ7pbnw
- Qp7TaafrQKFh0Zsbmwuzcv030TJvuZboWpMIuGoeOWqv6tzSFhUV8eUu6UnM/2fg
- arflryayYFRDUkysHONGoHviygefHr3+dIkneVO7tJ4ePYnFYhLvUsps4KASoHMF
- dHMOwaPQDnBYo/ADiar1fgagYD/1Yns2SpsA1eqWwTE+hp+jwQi0mzYMLM3xl9YA
- cMuqIOnXvpnuXYIRmooFtf/JkoJkYDV+8gbowZU52FJbB15QsPUgN47aixkWzJxj
- 6iV34LoF783DGQTnoMzgV9bDXa3RE1UgxjdFV6TNsPQvmWQJe+NNhqdkhH3MwLTG
- jMGAwUNsPnmvCg4xPZlZMiuGhi3vxC4Fj6MWUw8uJbxCv83FPYwmpHCGVNwpDhFC
- rRLk9vo1Dsm0oMHHLDxS9gTlg7FCrEyXinHBEq/11wigACM217oyg28nWxd6iA/S
- XgHgxWlTQiYOWBRdJuJrPwXpNIHlsNDuE5YantoGFx6ykGT5H42HFlll7xGq6xVq
- pssSfJK++lqWpvX076vh9tfwa40N2neO/vQ+8jBXr3dP6Vj/FUA8IUDVjc9xxAc=
- =FXTF
- -----END PGP MESSAGE-----
- fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- - created_at: "2024-05-26T01:07:22Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMA46L6MuPqfJqARAAlG+nZhDVZX/+nHA+dPdw2RSGeXrIaxe0gjkGShZOVhmq
- /iOfY7IgRzfp03BCJxRZwTYZu9hcg25jmW1havkmv5NPMDrmhgg9nX1AgyJaOgTo
- FCPlXAvBSyWPGv+xgi63ttakHhobOympBj4hSzXdLg3RhkZ7KHci4Qz7XVfOpJ+j
- wl/HKkNmkLiPiA7kYk8SOwJMFO89dMphHQBc81cZAptwfz9snTP7v6iBVvQDvF8h
- 3y5QPpfKEJZy0+GlqbMvRASHNx+w2GXIk6F/ldMt9rq9IJvR0od0p15aXCcO6TzC
- Yzo7lIyyxqp9NQyN0S/DwzH0Uqj2CFMYdoKeFTNXG4a9fkVorj8+4rmJPewDxc4a
- 6Pc1hrQc6qoN+7o0Fj4xYkSO615gmVwZprWLQqgdkSMSPklecMX1d7WmkmIHNBk8
- wkFUT0yBoedBiOTIHXRXhnQ8/4fkbRw7HYA3R4CqT7njtvqC0VWfwLISubuQ38tf
- wbGKg5Bzzt+T176VoOfjau4aDoy3S1aGQcVKD19egj4l/eO+SvHl3UVZNUipkB3C
- 7MUqORS2kOh+IIqdSjYKvn7+MuAM5UP5GdzIoHaPPSCTUPdUjOLFPb+bjonTReQM
- N4slvyssD3pgy9cwNofVtsmgVrc4Cv9mTo6rygeAq7wWxkl5hvVcmkhRN6zXD4TS
- XgHV1a+C7ZWICtKI1u19NVYkjDkRrbQx96UdAkKquofpaQjxxXsz4SDi94BB2dCS
- z+S2ZjOtweynhey1QPOLLmNUvZLE+SGsKmwkrMCBdtSyTbRXHSqPHt0Lc77tUhE=
- =7WGw
- -----END PGP MESSAGE-----
- fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- - created_at: "2024-05-26T01:07:22Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMA4EEKdYEzV0pAQ/9Ek8xSUknHMyj7pFgR6oME3Q/az5CykwxpkKFZgafhxWQ
- nA2Ge4y3Px+rSoPPPtxtb32lw4PcWV+P1Y4EdtpinsuW9xlSWJvE8Yp6C0BBFceu
- 3k3O2sPHlF0yeJgjS+rhpqPppRn5nlvmD+E9ZiJGQNOEUxmrdgoNLonazlLqcgjO
- 07CQdgHp9AuBthhlEU+UgdVdfHMV83KhhyOIf+mhEUU4cQWL3X/J2Sm6jtAowA92
- fiAA7U8UXEt4lFEXle6Xj/1LtBI5zI8YHrE3xX6kN0Byf+ydtAM1eqjGb0dL7u6W
- 24CavCODfgWepuK97Jo++umTfN8wkLlfpbaNro2EpAdD5Q9CeGSzXk1PjFmsZgAb
- QVOxo8kiTULEgMTI55pqg4GT4pglbofsQRMuk2IZPj1a9ScJjOxZIm0VUXG9AAZi
- BogAuiObch3orMm2KGeSX1s6HyHrvQjuXDNPHoC2yFJ2oBu1QIHy/hAFLnOcNW/U
- 3JfhWHLpMHQgu9lFzkTlobg+4Lg1MHlXtSApwdmMIcrAJcm/l/7+x1J/TVVRQAdP
- zyzWLA9AGjRv0Vud6lhCnL2FjsUVUWA+S8G+OYqxpkp70Ku1a5z3e7P8CoAtzDoe
- RZLRwjawjgfyKpEvbN+s2UvWqtgvRPqiudG4cAZs5GecLxO8ItahyklRZ47G8JnS
- XgEdyiiO06vx5LMszt/tFXtoIKlaWnbB0oLyIwm8un55VnJija5OVrFfdQYhp4fQ
- yvRQ9uAM32WVjQ+gKVVQ3pAHgF2Lu67E7HtZtdmdLkWafybEWUsqGZyDzDvchZs=
- =pFkW
- -----END PGP MESSAGE-----
- fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
- - created_at: "2024-05-26T01:07:22Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hF4DQrf1tCqiJxoSAQdAeCb2j6cmTulJV2huSow62xTILgzf8/OOo5lED9+T5VQw
- kBqubSVgy3jiW7lfjAK8U5Wh0ITb+6AR9kDLRE0WCxNbrOaeGado1VEalTw00Q58
- 0l4B+PeAZBg82rPUegAvU7UnnUIC3nGVzN4CEdPRpPcrG99V6VvXOks+s4DLky16
- 5FOihlYbf5nCD7OFbc3yys3MbUVuHda8x8H0BkuxDR81Wf4Q+HXCg8OUhncB57zN
- =Lvnj
- -----END PGP MESSAGE-----
- fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- - created_at: "2024-05-26T01:07:22Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hQIMAzdAjw8ldn6CAQ//UFokgDfUkScPVlJ+YnFw+W8eLk6y2YVI+nTCCZO9fhPB
- 77aDFY+yJG/BfEzjZNwQbISBjt+OuxVSSam52B+4FQkolr3KRhkfkuS16Fe9PwOg
- XLMRoDba416ZtwAKz9HznFnPAzyPOwAn8yuF9RMp0KFP3ko+NSRAvOgja+jjPOl7
- 4BNkH6w5SAoE8u5jyQKIV9OB4W8RCVX30bYo2XzxjOcK1L+9EygoR+1CVOkbx8p/
- T2i3mBdy3EtQ+86nSMPjGrSqURaUaKbCN/ygrSMhN/Pl/FvLiEEHamj2dVXPdHRV
- k4bR51ZjO+U056PAB2Z5yK1Mpp0d0xpi5+QdOdi3eEqnGCXFq4Xz7NHUrmdy8Zug
- QPnlMqibC3Wqdee4uhPbCHe0veF/VLaNAlyGkBHw7q66Ln2MY8coKPoiR8K4CD8o
- 9dtsV/qDvdFhziqsWCBjTwtFct2x/qEcRnzm1kvpyKwe2zV15lHA9WLafZVQ8eNk
- U8yxBDETa8Bwd9voJ9NqYTcnyQLRJ3sZcvfkWQ7D5NOvmdHD5vF+gm5zJzR4EGN2
- kSiqwZvztVuQCm6EOe0pJqp774KZXWW9eHc6CaNwkT5cmWjWu1wdHYhRk32HdhxX
- 1FQF3MxxACwDg9kj/s7gpWLlsofN4NM/QtHoGRh1wDQJGm8IZyH2qxpsgcXX9YHS
- XgGX4oCWpHLRyRuHPb0xvjAdVX20WQKLzAtXvJkRMUd+Xt348nkZ4ZCqqfQ4eKPU
- 02FoWeCVqWTUyoaaHC87HFXUNJ4Gc+9AsWlbB9yA8nAm1z4wWHHFqZS2duu28ow=
- =WqHP
- -----END PGP MESSAGE-----
- fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
- unencrypted_suffix: _unencrypted
- version: 3.8.1
diff --git a/config/hosts/netbox/sops.nix b/config/hosts/netbox/sops.nix
deleted file mode 100644
index b4548ed..0000000
--- a/config/hosts/netbox/sops.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-
-{
- sops = {
- defaultSopsFile = ./secrets.yaml;
- };
-}
diff --git a/deployment_configuration.json b/deployment_configuration.json
index 20b9f00..6ac5254 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -3,9 +3,6 @@
"targetUser": "colmena-deploy"
},
"hosts": {
- "netbox": {
- "targetHostname": "netbox-intern.hamburg.ccc.de"
- },
"matrix": {
"targetHostname": "matrix-intern.hamburg.ccc.de"
},
diff --git a/flake.nix b/flake.nix
index 347294b..7c7cfe0 100644
--- a/flake.nix
+++ b/flake.nix
@@ -40,13 +40,6 @@
proxmox-vm = ./config/proxmox-vm;
prometheus-exporter = ./config/extra/prometheus-exporter.nix;
};
- overlays = {
- netbox41OIDCMappingOverlay = final: prev: {
- netbox_4_1 = prev.netbox_4_1.overrideAttrs (finalAttr: previousAttr: {
- patches = previousAttr.patches ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ];
- });
- };
- };
nixosConfigurations = {
audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
inherit system specialArgs;
@@ -84,18 +77,6 @@
];
};
- netbox = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
- modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
- sops-nix.nixosModules.sops
- self.nixosModules.prometheus-exporter
- ./config/hosts/netbox
- { nixpkgs.overlays = [ self.overlays.netbox41OIDCMappingOverlay ]; }
- ];
- };
-
matrix = nixpkgs.lib.nixosSystem {
inherit system specialArgs;
modules = [
diff --git a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch
deleted file mode 100644
index 89f805a..0000000
--- a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py
-new file mode 100644
-index 000000000..470f388dc
---- /dev/null
-+++ b/netbox/netbox/custom_pipeline.py
-@@ -0,0 +1,55 @@
-+# Licensed under Creative Commons: CC BY-SA 4.0 license.
-+# https://github.com/goauthentik/authentik/blob/main/LICENSE
-+# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
-+# https://docs.goauthentik.io/integrations/services/netbox/
-+from netbox.authentication import Group
-+
-+class AuthFailed(Exception):
-+ pass
-+
-+def add_groups(response, user, backend, *args, **kwargs):
-+ try:
-+ groups = response['groups']
-+ except KeyError:
-+ pass
-+
-+ # Add all groups from oAuth token
-+ for group in groups:
-+ group, created = Group.objects.get_or_create(name=group)
-+ user.groups.add(group)
-+
-+def remove_groups(response, user, backend, *args, **kwargs):
-+ try:
-+ groups = response['groups']
-+ except KeyError:
-+ # Remove all groups if no groups in oAuth token
-+ user.groups.clear()
-+ pass
-+
-+ # Get all groups of user
-+ user_groups = [item.name for item in user.groups.all()]
-+ # Get groups of user which are not part of oAuth token
-+ delete_groups = list(set(user_groups) - set(groups))
-+
-+ # Delete non oAuth token groups
-+ for delete_group in delete_groups:
-+ group = Group.objects.get(name=delete_group)
-+ user.groups.remove(group)
-+
-+
-+def set_roles(response, user, backend, *args, **kwargs):
-+ # Remove Roles temporary
-+ user.is_superuser = False
-+ user.is_staff = False
-+ try:
-+ groups = response['groups']
-+ except KeyError:
-+ # When no groups are set
-+ # save the user without Roles
-+ user.save()
-+ pass
-+
-+ # Set roles is role (superuser or staff) is in groups
-+ user.is_superuser = True if 'superusers' in groups else False
-+ user.is_staff = True if 'staff' in groups else False
-+ user.save()
From 02328a8ba8d00b5e97b192475fe99c3a85f22c5c Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 18 Feb 2025 00:03:14 +0100
Subject: [PATCH 32/46] eh22-wiki: remove leftover deployment configuration
---
deployment_configuration.json | 3 ---
1 file changed, 3 deletions(-)
diff --git a/deployment_configuration.json b/deployment_configuration.json
index 6ac5254..cc2fb6d 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -15,9 +15,6 @@
"forgejo-actions-runner": {
"targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de"
},
- "eh22-wiki": {
- "targetHostname": "eh22-wiki-intern.hamburg.ccc.de"
- },
"nix-box-june": {
"targetHostname": "nix-box-june-intern.hamburg.ccc.de"
},
From fd2414ec91a2acc7823158976499004ce744547e Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 18 Feb 2025 00:04:58 +0100
Subject: [PATCH 33/46] nix-box-june: remove nix-box-june as its being
decommissioned
nix-infra is built back in general, so remove nix-box-june as well.
---
config/hosts/nix-box-june/configuration.nix | 7 ---
config/hosts/nix-box-june/default.nix | 10 ----
.../hosts/nix-box-june/emulated-systems.nix | 5 --
config/hosts/nix-box-june/networking.nix | 22 -------
config/hosts/nix-box-june/users.nix | 59 -------------------
deployment_configuration.json | 3 -
flake.nix | 10 ----
7 files changed, 116 deletions(-)
delete mode 100644 config/hosts/nix-box-june/configuration.nix
delete mode 100644 config/hosts/nix-box-june/default.nix
delete mode 100644 config/hosts/nix-box-june/emulated-systems.nix
delete mode 100644 config/hosts/nix-box-june/networking.nix
delete mode 100644 config/hosts/nix-box-june/users.nix
diff --git a/config/hosts/nix-box-june/configuration.nix b/config/hosts/nix-box-june/configuration.nix
deleted file mode 100644
index 7dddcc1..0000000
--- a/config/hosts/nix-box-june/configuration.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- networking.hostName = "nix-box-june";
-
- system.stateVersion = "23.11";
-}
diff --git a/config/hosts/nix-box-june/default.nix b/config/hosts/nix-box-june/default.nix
deleted file mode 100644
index 489fd67..0000000
--- a/config/hosts/nix-box-june/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- imports = [
- ./configuration.nix
- ./emulated-systems.nix
- ./networking.nix
- ./users.nix
- ];
-}
diff --git a/config/hosts/nix-box-june/emulated-systems.nix b/config/hosts/nix-box-june/emulated-systems.nix
deleted file mode 100644
index b6065dd..0000000
--- a/config/hosts/nix-box-june/emulated-systems.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-}
diff --git a/config/hosts/nix-box-june/networking.nix b/config/hosts/nix-box-june/networking.nix
deleted file mode 100644
index 2c1faee..0000000
--- a/config/hosts/nix-box-june/networking.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ ... }:
-
-{
- networking = {
- interfaces.net0 = {
- ipv4.addresses = [
- {
- address = "172.31.17.158";
- prefixLength = 25;
- }
- ];
- };
- defaultGateway = "172.31.17.129";
- nameservers = [ "212.12.50.158" "192.76.134.90" ];
- search = [ "hamburg.ccc.de" ];
- };
-
- systemd.network.links."10-net0" = {
- matchConfig.MACAddress = "BC:24:11:6A:33:5F";
- linkConfig.Name = "net0";
- };
-}
diff --git a/config/hosts/nix-box-june/users.nix b/config/hosts/nix-box-june/users.nix
deleted file mode 100644
index dfb333e..0000000
--- a/config/hosts/nix-box-june/users.nix
+++ /dev/null
@@ -1,59 +0,0 @@
-{ lib, ... }:
-
-{
- users.users = {
- chaos.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
- colmena-deploy.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
-
- djerun = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWXk9N9GoDyvaB0mnX448IvzKKsMv0eFZKvjqmsJ3In djerun@chaos.ferrum.local"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQsu6WSAXsF45wGmw2spQUWopsgioUuFI8hKLBW/WVk djerun@chaos-noc.ferrum.local"
- ];
- };
- june = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
- };
- jtbx = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBQgnQAq6FUSDK8bxtYPjx3oRCAKG+xy9J3Gas2ztJk jannik@Magrathea.local" ];
- };
- dario = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZtJwNPEIfNsAxBfWgxAeoKX1ajORPvs6L5S+qipJ7J dario@ccchh" ];
- };
- yuri = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
- ];
- };
- max = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHNGDzZqmiFUH75oq1npZTyxV0B7eSJES/29UJxTXBc max@iridium" ];
- };
- haegar = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhWTkvLI/rp6eyTemuFZRbt2xxRtal7fu668nnb/ekU haegar@aurora" ];
- };
- stb = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgVuX9phyXImxqvof+49UXhiSQ+VGizeU4LrPcZY1Hy stb@lassitu.de 20230418" ];
- };
- hansenerd = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxujzHK49IBtYKPgnTCDQEiIxgzzlQ846tmU+6TcMIi hansenerd" ];
- };
- echtnurich = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWWxkGFje1CJbZTB2Kv8hxZpvRR8qyw2IarRIHnQj3+ echtnurich" ];
- };
- c6ristian = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgfWcCrsVSXvYEssbfMOy2DnfkGSx+ZRnPLtjVNSxbf c6ristian" ];
- };
- };
-}
diff --git a/deployment_configuration.json b/deployment_configuration.json
index cc2fb6d..9c2f99a 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -15,9 +15,6 @@
"forgejo-actions-runner": {
"targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de"
},
- "nix-box-june": {
- "targetHostname": "nix-box-june-intern.hamburg.ccc.de"
- },
"mjolnir": {
"targetHostname": "mjolnir-intern.hamburg.ccc.de"
},
diff --git a/flake.nix b/flake.nix
index 7c7cfe0..d7bda34 100644
--- a/flake.nix
+++ b/flake.nix
@@ -130,16 +130,6 @@
];
};
- nix-box-june = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
- modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
- self.nixosModules.prometheus-exporter
- ./config/hosts/nix-box-june
- ];
- };
-
yate = nixpkgs.lib.nixosSystem {
inherit system specialArgs;
modules = [
From dabaf18dc32ccc3322c0e836543f81857caa0a44 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Tue, 18 Feb 2025 02:52:22 +0100
Subject: [PATCH 34/46] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'authorizedKeysRepo':
'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
→ 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/11e2214d91f0d06ea8575087e3cd8e246c550bd8?narHash=sha256-L9CwNfoGcvAUpPu6DSkhpdT4tczeWREJWj7ah0Q/qTE%3D' (2025-02-04)
→ 'github:nixos/nixpkgs/c618e28f70257593de75a7044438efc1c1fc0791?narHash=sha256-uq6A2L7o1/tR6VfmYhZWoVAwb3gTy7j4Jx30MIrH0rE%3D' (2025-02-17)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/4c1251904d8a08c86ac6bc0d72cc09975e89aef7?narHash=sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320%3D' (2025-01-31)
→ 'github:Mic92/sops-nix/07af005bb7d60c7f118d9d9f5530485da5d1e975?narHash=sha256-7JAGezJ0Dn5qIyA2%2BT4Dt/xQgAbhCglh6lzCekTVMeU%3D' (2025-02-11)
---
flake.lock | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/flake.lock b/flake.lock
index 7f1207b..d6bc2dc 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
"narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
"rev": "686a6af22f6696f0c0595c56f463c078550049fc",
"type": "tarball",
- "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
+ "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
},
"original": {
"type": "tarball",
@@ -66,11 +66,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1738663689,
- "narHash": "sha256-L9CwNfoGcvAUpPu6DSkhpdT4tczeWREJWj7ah0Q/qTE=",
+ "lastModified": 1739758141,
+ "narHash": "sha256-uq6A2L7o1/tR6VfmYhZWoVAwb3gTy7j4Jx30MIrH0rE=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "11e2214d91f0d06ea8575087e3cd8e246c550bd8",
+ "rev": "c618e28f70257593de75a7044438efc1c1fc0791",
"type": "github"
},
"original": {
@@ -95,11 +95,11 @@
]
},
"locked": {
- "lastModified": 1738291974,
- "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
+ "lastModified": 1739262228,
+ "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
+ "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
"type": "github"
},
"original": {
From 7c13dd1e35618b860a122c078462d03df005ec6a Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Wed, 19 Feb 2025 21:56:23 +0100
Subject: [PATCH 35/46] git: disable internal login, to force login via SSO
---
config/hosts/git/forgejo.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index 85b13e6..89f83c9 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -49,6 +49,7 @@
};
service = {
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ ENABLE_INTERNAL_SIGNIN = false;
DEFAULT_USER_VISIBILITY = "limited";
DEFAULT_KEEP_EMAIL_PRIVATE = true;
ENABLE_BASIC_AUTHENTICATION = false;
From 535cc518dada1e5c7a3b2ac0aa73d595db0b0ccd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matthias=20K=C3=BChlke?= <mad@unserver.de>
Date: Fri, 28 Feb 2025 23:25:59 +0100
Subject: [PATCH 36/46] MQTT: Make cats accessible from winkekatze24.de
---
config/hosts/mqtt/mosquitto.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/config/hosts/mqtt/mosquitto.nix b/config/hosts/mqtt/mosquitto.nix
index d093bd8..9bc02b0 100644
--- a/config/hosts/mqtt/mosquitto.nix
+++ b/config/hosts/mqtt/mosquitto.nix
@@ -23,6 +23,7 @@
topics = [
"winkekatze/allcats/eye/set in 2"
"winkekatze/allcats in 2"
+ "+/command in 2 winkekatze/ \"\""
"+/status out 2 winkekatze/ \"\""
"+/connected out 2 winkekatze/ \"\""
];
From 3fc170389d73312e1ff5477e237a64646d6b2182 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sun, 2 Mar 2025 22:00:19 +0100
Subject: [PATCH 37/46] Update to new IPv6 prefix
---
config/hosts/esphome/networking.nix | 6 +++---
config/hosts/status/networking.nix | 6 +++---
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix
index a2c64d3..32c38f2 100644
--- a/config/hosts/esphome/networking.nix
+++ b/config/hosts/esphome/networking.nix
@@ -11,14 +11,14 @@
];
ipv6.addresses = [
{
- address = "2a07:c480:0:1d0::66";
+ address = "2a07:c481:1:2::66";
prefixLength = 64;
}
];
};
defaultGateway = "10.31.208.1";
- defaultGateway6 = "2a07:c480:0:1d0::1";
- nameservers = [ "10.31.208.1" "2a07:c480:0:1d0::1" ];
+ defaultGateway6 = "2a07:c481:1:2::66";
+ nameservers = [ "10.31.208.1" "2a07:c481:1:2::66" ];
search = [ "z9.ccchh.net" ];
};
diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix
index e7f1932..0a16795 100644
--- a/config/hosts/status/networking.nix
+++ b/config/hosts/status/networking.nix
@@ -11,14 +11,14 @@
];
ipv6.addresses = [
{
- address = "2a07:c480:0:1ce::f";
+ address = "2a07:c481:1:1::a";
prefixLength = 64;
}
];
};
defaultGateway = "10.31.206.1";
- defaultGateway6 = "2a07:c480:0:1ce::1";
- nameservers = [ "10.31.206.1" "2a07:c480:0:1ce::1" ];
+ defaultGateway6 = "2a07:c481:1:1::1";
+ nameservers = [ "10.31.206.1" "2a07:c481:1:1::1" ];
search = [ "z9.ccchh.net" ];
};
From be351c6ded795a0ea819d80d548fdab1005e62ce Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Fri, 14 Mar 2025 20:25:19 +0100
Subject: [PATCH 38/46] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'authorizedKeysRepo':
'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
→ 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
• Updated input 'nixos-generators':
'github:nix-community/nixos-generators/d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453' (2025-01-16)
→ 'github:nix-community/nixos-generators/507911df8c35939050ae324caccc7cf4ffb76565' (2025-03-02)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/c618e28f70257593de75a7044438efc1c1fc0791' (2025-02-17)
→ 'github:nixos/nixpkgs/68612419aa6c9fd5b178b81e6fabbdf46d300ea4' (2025-03-14)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/07af005bb7d60c7f118d9d9f5530485da5d1e975' (2025-02-11)
→ 'github:Mic92/sops-nix/d016ce0365b87d848a57c12ffcfdc71da7a2b55f' (2025-03-13)
---
flake.lock | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/flake.lock b/flake.lock
index d6bc2dc..ef7bc8d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
"narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
"rev": "686a6af22f6696f0c0595c56f463c078550049fc",
"type": "tarball",
- "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
+ "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
},
"original": {
"type": "tarball",
@@ -35,11 +35,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
- "lastModified": 1737057290,
- "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
+ "lastModified": 1740947705,
+ "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=",
"owner": "nix-community",
"repo": "nixos-generators",
- "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
+ "rev": "507911df8c35939050ae324caccc7cf4ffb76565",
"type": "github"
},
"original": {
@@ -66,11 +66,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1739758141,
- "narHash": "sha256-uq6A2L7o1/tR6VfmYhZWoVAwb3gTy7j4Jx30MIrH0rE=",
+ "lastModified": 1741969460,
+ "narHash": "sha256-SCNxTTBfMJV7XuTcLUfdAd6cgCGsazzi+DoPrceQrZ0=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "c618e28f70257593de75a7044438efc1c1fc0791",
+ "rev": "68612419aa6c9fd5b178b81e6fabbdf46d300ea4",
"type": "github"
},
"original": {
@@ -95,11 +95,11 @@
]
},
"locked": {
- "lastModified": 1739262228,
- "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
+ "lastModified": 1741861888,
+ "narHash": "sha256-ynOgXAyToeE1UdLNfrUn/hL7MN0OpIS2BtNdLjpjPf0=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
+ "rev": "d016ce0365b87d848a57c12ffcfdc71da7a2b55f",
"type": "github"
},
"original": {
From 15f69c20a4514c3f4249613cd4ab0c819a6d7819 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Fri, 14 Mar 2025 20:33:29 +0100
Subject: [PATCH 39/46] bump element version
---
.../virtualHosts/element.hamburg.ccc.de.nix | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
index 1836f25..3c85954 100644
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@@ -1,10 +1,10 @@
{ pkgs, ... }:
let
- elementWebVersion = "1.11.84";
+ elementWebVersion = "1.11.95";
element-web = pkgs.fetchzip {
- url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
- sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4=";
+ url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
+ sha256 = "sha256-Bs1oYfJ5xXNpQJL92U0/3s979DKfdSZsBo5febp4QGc=";
};
elementSecurityHeaders = ''
# Configuration best practices
From 341d839265a7d26cb90ce61a8354831d23a6de4e Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Mon, 14 Apr 2025 20:47:51 +0200
Subject: [PATCH 40/46] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixos-generators':
'github:nix-community/nixos-generators/507911df8c35939050ae324caccc7cf4ffb76565' (2025-03-02)
→ 'github:nix-community/nixos-generators/42ee229088490e3777ed7d1162cb9e9d8c3dbb11' (2025-03-21)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/68612419aa6c9fd5b178b81e6fabbdf46d300ea4' (2025-03-14)
→ 'github:nixos/nixpkgs/260f6989b03d130d64d521445892dd47f8ea545a' (2025-04-13)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/d016ce0365b87d848a57c12ffcfdc71da7a2b55f' (2025-03-13)
→ 'github:Mic92/sops-nix/7e147a1ae90f0d4a374938cdc3df3cdaecb9d388' (2025-04-13)
---
flake.lock | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/flake.lock b/flake.lock
index ef7bc8d..214f589 100644
--- a/flake.lock
+++ b/flake.lock
@@ -35,11 +35,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
- "lastModified": 1740947705,
- "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=",
+ "lastModified": 1742568034,
+ "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
"owner": "nix-community",
"repo": "nixos-generators",
- "rev": "507911df8c35939050ae324caccc7cf4ffb76565",
+ "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
"type": "github"
},
"original": {
@@ -66,11 +66,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1741969460,
- "narHash": "sha256-SCNxTTBfMJV7XuTcLUfdAd6cgCGsazzi+DoPrceQrZ0=",
+ "lastModified": 1744568866,
+ "narHash": "sha256-9I7fRg0vp1oGagbkUszgP6zPjG18qY1HQtdvkJwp5Jo=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "68612419aa6c9fd5b178b81e6fabbdf46d300ea4",
+ "rev": "260f6989b03d130d64d521445892dd47f8ea545a",
"type": "github"
},
"original": {
@@ -95,11 +95,11 @@
]
},
"locked": {
- "lastModified": 1741861888,
- "narHash": "sha256-ynOgXAyToeE1UdLNfrUn/hL7MN0OpIS2BtNdLjpjPf0=",
+ "lastModified": 1744518500,
+ "narHash": "sha256-lv52pnfiRGp5+xkZEgWr56DWiRgkMFXpiGba3eJ3krE=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "d016ce0365b87d848a57c12ffcfdc71da7a2b55f",
+ "rev": "7e147a1ae90f0d4a374938cdc3df3cdaecb9d388",
"type": "github"
},
"original": {
From e61fbec5efd76e393f5b06c24c3ab1bfadf33759 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Mon, 14 Apr 2025 21:28:59 +0200
Subject: [PATCH 41/46] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/260f6989b03d130d64d521445892dd47f8ea545a' (2025-04-13)
→ 'github:nixos/nixpkgs/26d499fc9f1d567283d5d56fcf367edd815dba1d' (2025-04-12)
---
flake.lock | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/flake.lock b/flake.lock
index 214f589..3e957bb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -66,16 +66,16 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1744568866,
- "narHash": "sha256-9I7fRg0vp1oGagbkUszgP6zPjG18qY1HQtdvkJwp5Jo=",
+ "lastModified": 1744440957,
+ "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "260f6989b03d130d64d521445892dd47f8ea545a",
+ "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
"type": "github"
},
"original": {
"owner": "nixos",
- "ref": "nixos-24.11-small",
+ "ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
From aee3f4b385a7e955268e9585f95b0e750ee00c88 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Sat, 19 Apr 2025 15:01:59 +0200
Subject: [PATCH 42/46] c3cat fix
---
config/hosts/public-web-static/virtualHosts/c3cat.de.nix | 8 ++++++++
flake.lock | 6 +++---
flake.nix | 2 +-
3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
index 91d3a40..ff59fab 100644
--- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
@@ -40,6 +40,10 @@ in {
return = "302 https://c3cat.de$request_uri";
};
+ locations."/manuals/eh22-rgb-ears" = {
+ return = "307 https://www.c3cat.de/rgb-ears.html";
+ };
+
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
@@ -67,6 +71,10 @@ in {
root = "${dataDir}";
+ locations."/manuals/eh22-rgb-ears" = {
+ return = "307 https://c3cat.de/rgb-ears.html";
+ };
+
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
diff --git a/flake.lock b/flake.lock
index 3e957bb..00e5e12 100644
--- a/flake.lock
+++ b/flake.lock
@@ -95,11 +95,11 @@
]
},
"locked": {
- "lastModified": 1744518500,
- "narHash": "sha256-lv52pnfiRGp5+xkZEgWr56DWiRgkMFXpiGba3eJ3krE=",
+ "lastModified": 1744669848,
+ "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "7e147a1ae90f0d4a374938cdc3df3cdaecb9d388",
+ "rev": "61154300d945f0b147b30d24ddcafa159148026a",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index d7bda34..2c34373 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,7 +5,7 @@
# Use the NixOS small channels for nixpkgs.
# https://nixos.org/manual/nixos/stable/#sec-upgrading
# https://github.com/NixOS/nixpkgs
- nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
# Add nixos-generators as an input.
# See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
From 2c3b7854891e6e940c7eacfc83e5a759aa368af3 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Wed, 23 Apr 2025 19:04:21 +0200
Subject: [PATCH 43/46] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'authorizedKeysRepo':
'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
→ 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/26d499fc9f1d567283d5d56fcf367edd815dba1d?narHash=sha256-FHlSkNqFmPxPJvy%2B6fNLaNeWnF1lZSgqVCl/eWaJRc4%3D' (2025-04-12)
→ 'github:nixos/nixpkgs/9684b53175fc6c09581e94cc85f05ab77464c7e3?narHash=sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo%3D' (2025-04-21)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/61154300d945f0b147b30d24ddcafa159148026a?narHash=sha256-pXyanHLUzLNd3MX9vsWG%2B6Z2hTU8niyphWstYEP3/GU%3D' (2025-04-14)
→ 'github:Mic92/sops-nix/5e3e92b16d6fdf9923425a8d4df7496b2434f39c?narHash=sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA%3D' (2025-04-22)
---
flake.lock | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/flake.lock b/flake.lock
index 00e5e12..7591512 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
"narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
"rev": "686a6af22f6696f0c0595c56f463c078550049fc",
"type": "tarball",
- "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
+ "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
},
"original": {
"type": "tarball",
@@ -66,11 +66,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1744440957,
- "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
+ "lastModified": 1745279238,
+ "narHash": "sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
+ "rev": "9684b53175fc6c09581e94cc85f05ab77464c7e3",
"type": "github"
},
"original": {
@@ -95,11 +95,11 @@
]
},
"locked": {
- "lastModified": 1744669848,
- "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=",
+ "lastModified": 1745310711,
+ "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "61154300d945f0b147b30d24ddcafa159148026a",
+ "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
"type": "github"
},
"original": {
From 2395748e7a0ab46910c98d62e8297ad51bc628e9 Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 28 Apr 2025 20:50:42 +0200
Subject: [PATCH 44/46] esphome: set new v6 address
---
config/hosts/esphome/networking.nix | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix
index 32c38f2..8a84112 100644
--- a/config/hosts/esphome/networking.nix
+++ b/config/hosts/esphome/networking.nix
@@ -11,14 +11,14 @@
];
ipv6.addresses = [
{
- address = "2a07:c481:1:2::66";
+ address = "2a07:c481:1:d0::66";
prefixLength = 64;
}
];
};
defaultGateway = "10.31.208.1";
- defaultGateway6 = "2a07:c481:1:2::66";
- nameservers = [ "10.31.208.1" "2a07:c481:1:2::66" ];
+ defaultGateway6 = "2a07:c481:1:d0::1";
+ nameservers = [ "10.31.208.1" "2a07:c481:1:d0::1" ];
search = [ "z9.ccchh.net" ];
};
From f2a174750777b40dc55803f0f06853b1472ab1ff Mon Sep 17 00:00:00 2001
From: June <june@jsts.xyz>
Date: Mon, 28 Apr 2025 21:46:00 +0200
Subject: [PATCH 45/46] status: set new v6 address
---
config/hosts/status/networking.nix | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix
index 0a16795..0bff4b5 100644
--- a/config/hosts/status/networking.nix
+++ b/config/hosts/status/networking.nix
@@ -11,14 +11,14 @@
];
ipv6.addresses = [
{
- address = "2a07:c481:1:1::a";
+ address = "2a07:c481:1:ce::a";
prefixLength = 64;
}
];
};
defaultGateway = "10.31.206.1";
- defaultGateway6 = "2a07:c481:1:1::1";
- nameservers = [ "10.31.206.1" "2a07:c481:1:1::1" ];
+ defaultGateway6 = "2a07:c481:1:ce::1";
+ nameservers = [ "10.31.206.1" "2a07:c481:1:ce::1" ];
search = [ "z9.ccchh.net" ];
};
From 3803d6038e7d044a4ea50d72772e188e9f374318 Mon Sep 17 00:00:00 2001
From: c6ristian <c6ristian@christian.moe>
Date: Tue, 20 May 2025 19:39:46 +0200
Subject: [PATCH 46/46] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'authorizedKeysRepo':
'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
→ 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?narHash=sha256-GMU6gfG1%2B3OjTuoiIYQg9yefzrz%2BRVVesqXa8jmOuCE%3D&rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6' (2025-04-28)
• Updated input 'nixos-generators':
'github:nix-community/nixos-generators/42ee229088490e3777ed7d1162cb9e9d8c3dbb11' (2025-03-21)
→ 'github:nix-community/nixos-generators/ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc' (2025-05-19)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/9684b53175fc6c09581e94cc85f05ab77464c7e3' (2025-04-21)
→ 'github:nixos/nixpkgs/9b5ac7ad45298d58640540d0323ca217f32a6762' (2025-05-17)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/5e3e92b16d6fdf9923425a8d4df7496b2434f39c' (2025-04-22)
→ 'github:Mic92/sops-nix/8d215e1c981be3aa37e47aeabd4e61bb069548fd' (2025-05-18)
---
flake.lock | 28 ++++++++++++++--------------
flake.nix | 2 +-
2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/flake.lock b/flake.lock
index 7591512..57a29de 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3,15 +3,15 @@
"authorizedKeysRepo": {
"flake": false,
"locked": {
- "lastModified": 1731276342,
- "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
- "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
+ "lastModified": 1745870473,
+ "narHash": "sha256-GMU6gfG1+3OjTuoiIYQg9yefzrz+RVVesqXa8jmOuCE=",
+ "rev": "fc95460e9e6ae759b2b08c93b10a8e010e9e14e6",
"type": "tarball",
- "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
+ "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6"
},
"original": {
"type": "tarball",
- "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
+ "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz"
}
},
"nixlib": {
@@ -35,11 +35,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
- "lastModified": 1742568034,
- "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
+ "lastModified": 1747663185,
+ "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
"owner": "nix-community",
"repo": "nixos-generators",
- "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
+ "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
"type": "github"
},
"original": {
@@ -66,11 +66,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1745279238,
- "narHash": "sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo=",
+ "lastModified": 1747485343,
+ "narHash": "sha256-YbsZyuRE1tobO9sv0PUwg81QryYo3L1F3R3rF9bcG38=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "9684b53175fc6c09581e94cc85f05ab77464c7e3",
+ "rev": "9b5ac7ad45298d58640540d0323ca217f32a6762",
"type": "github"
},
"original": {
@@ -95,11 +95,11 @@
]
},
"locked": {
- "lastModified": 1745310711,
- "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
+ "lastModified": 1747603214,
+ "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
+ "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index 2c34373..a95ee8e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,7 +22,7 @@
};
authorizedKeysRepo = {
- url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz";
+ url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz";
flake = false;
};
};