diff --git a/README.md b/README.md index def4e60..186f14a 100644 --- a/README.md +++ b/README.md @@ -76,5 +76,4 @@ nix build .#proxmox-chaosknoten-nixos-template ## License -This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE). -[`0001_oidc_group_and_role_mapping_custom_pipeline.patch`](patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch) is licensed under the Creative Commons: CC BY-SA 4.0 license. +This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE). diff --git a/config/hosts/audio-hauptraum-kueche/networking.nix b/config/hosts/audio-hauptraum-kueche/networking.nix index 6e1e7d8..0118db4 100644 --- a/config/hosts/audio-hauptraum-kueche/networking.nix +++ b/config/hosts/audio-hauptraum-kueche/networking.nix @@ -5,13 +5,13 @@ interfaces.net0 = { ipv4.addresses = [ { - address = "172.31.200.14"; + address = "10.31.210.10"; prefixLength = 23; } ]; }; - defaultGateway = "172.31.200.1"; - nameservers = [ "172.31.200.1" ]; + defaultGateway = "10.31.210.1"; + nameservers = [ "10.31.210.1" ]; }; systemd.network.links."10-net0" = { diff --git a/config/hosts/audio-hauptraum-tafel/networking.nix b/config/hosts/audio-hauptraum-tafel/networking.nix index e357d38..37185b7 100644 --- a/config/hosts/audio-hauptraum-tafel/networking.nix +++ b/config/hosts/audio-hauptraum-tafel/networking.nix @@ -5,13 +5,13 @@ interfaces.net0 = { ipv4.addresses = [ { - address = "172.31.200.15"; + address = "10.31.210.13"; prefixLength = 23; } ]; }; - defaultGateway = "172.31.200.1"; - nameservers = [ "172.31.200.1" ]; + defaultGateway = "10.31.210.1"; + nameservers = [ "10.31.210.1" ]; }; systemd.network.links."10-net0" = { diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix index 665815d..a57a37f 100644 --- a/config/hosts/git/forgejo.nix +++ b/config/hosts/git/forgejo.nix @@ -7,19 +7,13 @@ # - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md # - https://forgejo.org/docs/latest/admin/email-setup/ -{ pkgs, ... }: +{ pkgs-unstable, ... }: { services.forgejo = { enable = true; - package = pkgs.forgejo; database.type = "postgres"; - - secrets = { - mailer = { - PASSWD = "/run/secrets/forgejo_git_smtp_password"; - }; - }; + mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password"; settings = { DEFAULT = { diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix index f816016..e0f2df9 100644 --- a/config/hosts/netbox/netbox.nix +++ b/config/hosts/netbox/netbox.nix @@ -9,8 +9,7 @@ { services.netbox = { enable = true; - # Explicitly use the patched NetBox package. - package = pkgs.netbox_4_1; + package = pkgs.netbox; secretKeyFile = "/run/secrets/netbox_secret_key"; keycloakClientSecret = "/run/secrets/netbox_keycloak_secret"; settings = { @@ -25,24 +24,6 @@ SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB"; SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth"; SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token"; - SOCIAL_AUTH_PIPELINE = [ - # The default pipeline as can be found in: - # /nix/store/q2jsn56bgkj0nkz0j4w48x3klyn2x4gp-netbox-4.1.7/opt/netbox/netbox/netbox/settings.py - "social_core.pipeline.social_auth.social_details" - "social_core.pipeline.social_auth.social_uid" - "social_core.pipeline.social_auth.social_user" - "social_core.pipeline.user.get_username" - "social_core.pipeline.user.create_user" - "social_core.pipeline.social_auth.associate_user" - "netbox.authentication.user_default_groups_handler" - "social_core.pipeline.social_auth.load_extra_data" - "social_core.pipeline.user.user_details" - # Use custom pipeline functions patched in via netbox41OIDCMappingOverlay. - # See: https://docs.goauthentik.io/integrations/services/netbox/ - "netbox.custom_pipeline.add_groups" - "netbox.custom_pipeline.remove_groups" - "netbox.custom_pipeline.set_roles" - ]; }; }; diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix index 1836b73..2baafc5 100644 --- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix +++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix @@ -22,7 +22,6 @@ WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql"; WOODPECKER_FORGEJO = "true"; WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de"; - WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB # Set via enviornmentFile: # WOODPECKER_FORGEJO_CLIENT # WOODPECKER_FORGEJO_SECRET diff --git a/flake.lock b/flake.lock index 4625fa3..be287b5 100644 --- a/flake.lock +++ b/flake.lock @@ -16,11 +16,11 @@ }, "nixlib": { "locked": { - "lastModified": 1734829460, - "narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=", + "lastModified": 1731200463, + "narHash": "sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c", + "rev": "e04234d263750db01c78a412690363dc2226e68a", "type": "github" }, "original": { @@ -35,11 +35,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1734915500, - "narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=", + "lastModified": 1731546190, + "narHash": "sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8+ErehqI=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4", + "rev": "06ffce1a8d95e95c06a4bcfa117dd960b14a7101", "type": "github" }, "original": { @@ -50,11 +50,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1734435836, - "narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=", + "lastModified": 1731245184, + "narHash": "sha256-vmLS8+x+gHRv1yzj3n+GTAEObwmhxmkkukB2DwtJRdU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4989a246d7a390a859852baddb1013f825435cee", + "rev": "aebe249544837ce42588aa4b2e7972222ba12e8f", "type": "github" }, "original": { @@ -66,16 +66,16 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1736408508, - "narHash": "sha256-WIGZ3DPw5H+SPszUXVacK+KTh3sJZShP1vGtDwhquNM=", + "lastModified": 1731842749, + "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "530de2c83360057c1650fb8a37ef48cb9ad8f6a6", + "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-24.11-small", + "ref": "nixos-24.05-small", "repo": "nixpkgs", "type": "github" } @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1736203741, - "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=", + "lastModified": 1731862312, + "narHash": "sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773", + "rev": "472741cf3fee089241ac9ea705bb2b9e0bfa2978", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 5ecee98..3ccf708 100644 --- a/flake.nix +++ b/flake.nix @@ -5,7 +5,7 @@ # Use the NixOS small channels for nixpkgs. # https://nixos.org/manual/nixos/stable/#sec-upgrading # https://github.com/NixOS/nixpkgs - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small"; # Add nixos-generators as an input. # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake @@ -35,24 +35,27 @@ system = "x86_64-linux"; in { + overlays = { + shairportSyncAirplay2 = final: prev: { + shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: { + # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md + configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ]; + buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ]; + }); + }; + }; nixosModules = { common = ./config/common; proxmox-vm = ./config/proxmox-vm; prometheus-exporter = ./config/extra/prometheus-exporter.nix; }; - overlays = { - netbox41OIDCMappingOverlay = final: prev: { - netbox_4_1 = prev.netbox_4_1.overrideAttrs (finalAttr: previousAttr: { - patches = previousAttr.patches ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ]; - }); - }; - }; nixosConfigurations = { audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ self.nixosModules.common self.nixosModules.proxmox-vm + { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; } ./config/hosts/audio-hauptraum-kueche ]; }; @@ -62,6 +65,7 @@ modules = [ self.nixosModules.common self.nixosModules.proxmox-vm + { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; } ./config/hosts/audio-hauptraum-tafel ]; }; @@ -92,7 +96,6 @@ sops-nix.nixosModules.sops self.nixosModules.prometheus-exporter ./config/hosts/netbox - { nixpkgs.overlays = [ self.overlays.netbox41OIDCMappingOverlay ]; } ]; }; diff --git a/modules/services/audio/shairport-sync.nix b/modules/services/audio/shairport-sync.nix index 43d1285..cbc58e7 100644 --- a/modules/services/audio/shairport-sync.nix +++ b/modules/services/audio/shairport-sync.nix @@ -17,7 +17,6 @@ in config = mkIf cfg.enable { services.shairport-sync = { enable = true; - package = pkgs.shairport-sync-airplay2; arguments = "-o pw -v"; }; diff --git a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch deleted file mode 100644 index 89f805a..0000000 --- a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch +++ /dev/null @@ -1,61 +0,0 @@ -diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py -new file mode 100644 -index 000000000..470f388dc ---- /dev/null -+++ b/netbox/netbox/custom_pipeline.py -@@ -0,0 +1,55 @@ -+# Licensed under Creative Commons: CC BY-SA 4.0 license. -+# https://github.com/goauthentik/authentik/blob/main/LICENSE -+# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md -+# https://docs.goauthentik.io/integrations/services/netbox/ -+from netbox.authentication import Group -+ -+class AuthFailed(Exception): -+ pass -+ -+def add_groups(response, user, backend, *args, **kwargs): -+ try: -+ groups = response['groups'] -+ except KeyError: -+ pass -+ -+ # Add all groups from oAuth token -+ for group in groups: -+ group, created = Group.objects.get_or_create(name=group) -+ user.groups.add(group) -+ -+def remove_groups(response, user, backend, *args, **kwargs): -+ try: -+ groups = response['groups'] -+ except KeyError: -+ # Remove all groups if no groups in oAuth token -+ user.groups.clear() -+ pass -+ -+ # Get all groups of user -+ user_groups = [item.name for item in user.groups.all()] -+ # Get groups of user which are not part of oAuth token -+ delete_groups = list(set(user_groups) - set(groups)) -+ -+ # Delete non oAuth token groups -+ for delete_group in delete_groups: -+ group = Group.objects.get(name=delete_group) -+ user.groups.remove(group) -+ -+ -+def set_roles(response, user, backend, *args, **kwargs): -+ # Remove Roles temporary -+ user.is_superuser = False -+ user.is_staff = False -+ try: -+ groups = response['groups'] -+ except KeyError: -+ # When no groups are set -+ # save the user without Roles -+ user.save() -+ pass -+ -+ # Set roles is role (superuser or staff) is in groups -+ user.is_superuser = True if 'superusers' in groups else False -+ user.is_staff = True if 'staff' in groups else False -+ user.save()