add yate service for autostart

introduce /etc/yate, clone/reset on service start

Fix config via git

make yate systemd service

create yate service user

recreate the full config everytime

decolour the log because of blob data

make sure source is available before deleting config

change yate-config repo

fix yate deploy key

fix yate-config not pulling

.sops.yaml

@@ -15,6 +15,7 @@ keys:
   - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
   - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
   - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
+  - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
   - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
   - &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
   - &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
@@ -147,6 +148,22 @@ creation_rules:
           - *admin_gpg_dante
         age:
           - *host_age_penpot
+  - path_regex: config/hosts/yate/.*
+    key_groups:
+      - pgp:
+          - *admin_gpg_djerun
+          - *admin_gpg_stb
+          - *admin_gpg_jtbx
+          - *admin_gpg_yuri
+          - *admin_gpg_june
+          - *admin_gpg_haegar
+          - *admin_gpg_dario
+          - *admin_gpg_echtnurich
+          - *admin_gpg_max
+          - *admin_gpg_c6ristian
+          - *admin_gpg_dante
+        age:
+          - *host_age_yate
   - key_groups:
       - pgp:
           - *admin_gpg_djerun

README.md

@@ -77,3 +77,4 @@ nix build .#proxmox-chaosknoten-nixos-template
 ## License
 
 This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).  
+[`0001_oidc_group_and_role_mapping_custom_pipeline.patch`](patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch) is licensed under the Creative Commons: CC BY-SA 4.0 license.

config/hosts/audio-hauptraum-kueche/networking.nix

@@ -5,13 +5,13 @@
     interfaces.net0 = {
       ipv4.addresses = [
         {
-          address = "10.31.210.10";
+          address = "172.31.200.14";
           prefixLength = 23;
         }
       ];
     };
-    defaultGateway = "10.31.210.1";
+    defaultGateway = "172.31.200.1";
-    nameservers = [ "10.31.210.1" ];
+    nameservers = [ "172.31.200.1" ];
   };
 
   systemd.network.links."10-net0" = {

config/hosts/audio-hauptraum-tafel/networking.nix

@@ -5,13 +5,13 @@
     interfaces.net0 = {
       ipv4.addresses = [
         {
-          address = "10.31.210.13";
+          address = "172.31.200.15";
           prefixLength = 23;
         }
       ];
     };
-    defaultGateway = "10.31.210.1";
+    defaultGateway = "172.31.200.1";
-    nameservers = [ "10.31.210.1" ];
+    nameservers = [ "172.31.200.1" ];
   };
 
   systemd.network.links."10-net0" = {

config/hosts/git/forgejo.nix

@@ -7,13 +7,19 @@
 # - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md
 # - https://forgejo.org/docs/latest/admin/email-setup/
 
-{ pkgs-unstable, ... }:
+{ pkgs, ... }:
 
 {
   services.forgejo = {
     enable = true;
+    package = pkgs.forgejo;
     database.type = "postgres";
-    mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
+
+    secrets = {
+      mailer = {
+        PASSWD = "/run/secrets/forgejo_git_smtp_password";
+      };
+    };
 
     settings = {
       DEFAULT = {

config/hosts/netbox/netbox.nix

@@ -9,7 +9,8 @@
 {
   services.netbox = {
     enable = true;
-    package = pkgs.netbox;
+    # Explicitly use the patched NetBox package.
+    package = pkgs.netbox_4_1;
     secretKeyFile = "/run/secrets/netbox_secret_key";
     keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
     settings = {
@@ -24,6 +25,24 @@
       SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
       SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
       SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
+      SOCIAL_AUTH_PIPELINE = [
+        # The default pipeline as can be found in:
+        # /nix/store/q2jsn56bgkj0nkz0j4w48x3klyn2x4gp-netbox-4.1.7/opt/netbox/netbox/netbox/settings.py
+        "social_core.pipeline.social_auth.social_details"
+        "social_core.pipeline.social_auth.social_uid"
+        "social_core.pipeline.social_auth.social_user"
+        "social_core.pipeline.user.get_username"
+        "social_core.pipeline.user.create_user"
+        "social_core.pipeline.social_auth.associate_user"
+        "netbox.authentication.user_default_groups_handler"
+        "social_core.pipeline.social_auth.load_extra_data"
+        "social_core.pipeline.user.user_details"
+        # Use custom pipeline functions patched in via netbox41OIDCMappingOverlay.
+        # See: https://docs.goauthentik.io/integrations/services/netbox/
+        "netbox.custom_pipeline.add_groups"
+        "netbox.custom_pipeline.remove_groups"
+        "netbox.custom_pipeline.set_roles"
+      ];
     };
   };
 

config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix

@@ -22,6 +22,7 @@
       WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
       WOODPECKER_FORGEJO = "true";
       WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
+      WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB
       # Set via enviornmentFile:
       # WOODPECKER_FORGEJO_CLIENT
       # WOODPECKER_FORGEJO_SECRET

config/hosts/yate/configuration.nix

@@ -6,5 +6,7 @@
     domain = "z9.ccchh.net";
   };
 
+#  users.users.chaos.password = "yes";
+
   system.stateVersion = "23.11";
 }

config/hosts/yate/default.nix

@@ -6,5 +6,6 @@
     ./networking.nix
     ./yate.nix
     ./service.nix
+    ./sops.nix
   ];
 }

config/hosts/yate/secrets.yaml

@@ -0,0 +1,233 @@
+git_clone_key: ENC[AES256_GCM,data:Wss8NtyYXOmQ8fYbqKfbGQ+5l+ifNznis9OJ4p2HRPsExOFvgHH60t+D/gsOPTiwL0fEQKQn008Zo7VpIEhKIQM0fW3cd3ED3Tk8QX4hDRxyLl/lql5MlhTm4UMY58rNMBXgA88oR1lozgAa39KMH0MRUoSzrhvecwnAHO+RjZGXBN5zYIorqBVEk5h+1wUGSlV1TroZX9u0cWt11eH59AgKY/oP5mOrgA++E623Oc/DnTxlLbR//lFHW1JPiBSUFMP1ck6fg4PwnADYITgr1B1zdJz1J6jNC+n6S9bKDPnH5bvqmpvJIRmimxR4/R182RkIC+TBhD850cD1y9KSZa0Lh3DZ3LPrqGtZ6MHvpCgY/wPiTUANv6CJPcOAoskaaW57EiFl0ev3Jc3A+XFM6yqQOmmvNXx0hYz6ltlvtsltOcmz5TWooijwTaPS5UEwltYalrT9RNmC/ODkBRkSvuLEBWYwnu8aeo2f/+IxciG0PldDJED2ud6HSkDEXHcPCwodScpnk032Jrc+0qtI,iv:tCo4f5u/y/ZrAfT1N+eUNLy5pKAg/U0xa3cNQmzUgFs=,tag:03HK65hWjYnVzz+7C+HmsA==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rmg0UXBXcWcyRTV6ZGlP
+        TDY1RFBVaTlVQnJVV3NnU1ZTeEJzb2xsZXdJCnVFSGF0UjQ1OUpxcVNVb2F4K3Uw
+        KzZRYWtTaTJFd29zcmJENTRLMmZsUVkKLS0tIEdGaHRaOWFyeTMzSit4WFh1UGVS
+        bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1
+        xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-09-08T18:35:07Z"
+  mac: ENC[AES256_GCM,data:tyrfhBaTKnp1lqSPfkErk1UFoI7v/1az+zl9g3XoZ5Apo3CRixdLUldM9sYXqQT5WNrgO2NyZHqvyQOnFZiJuNhlYFSQbgwFFm3gz45BV8Do7QAhAG7+Q6q/Gz9VAqePQJlmzbfeL5iqJC2jhrcGIutO2cI22QULLkBzVVDg1/w=,iv:ayLonGC1F3vp6bh4pcAps6BvMzrG/yT2rPGAcUQ1Geg=,tag:1fIaRIFrzDTSP+oIUHABgQ==,type:str]
+  pgp:
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxK/JaB2/SdtAQ/8Dx0hTc0zZkd9+RXuKOXU8ZkKF54lcxfDTMH0rD2bKPhg
+        do/+I4VOSJxfyTvzFNjVXywSCEsws2+RyS73jF4048o4DrNQNG4P70GqXAqjDbQL
+        r+WCKT0if85JYPo/ho8nSRumo44BlbN2+Ftc5Z90UshW63VPU4Xm1Woqm8TOvs/0
+        cyhsigShwJGymnIEY4PwdT6fd/gkVVaoC9nCrkkSbaQZa1rXHud8+jLK+4TXebKl
+        Qk2G2cVivWBioT4wGjhZvQ6lLK4mlaqxiZF3aRYcUs1Hwgq1ZolbgiGPWG4xisFa
+        JgsqYRnmGnTM/33l57Cy8CpVHfprrapUXh2X2Ly/pBRQn+ns2zk1wkpTUHbwmyQi
+        ETLvw68PXbayoDNunMqZl2RWPjPnotNVeG5i2s+pwaEoDKAWcud2NPUWFb+gyftk
+        YNxMdp1CpXXOHpU4Ty+HHXAU/uLVVzLT91RLJAn+Y6rRyevg4UBSB/Y+lc5IMTfa
+        QPPLRPV6/P4LIWDlOdg/S3Q7ZwryNAogU/Hyuuz2xyS8LK7S7M0+BgVBrOkowazy
+        aGemt/BmQkyPQDpJTPxtdzsK1vvplol7uJnNou1h0krrgHlAzb++3i8+V4Z18dBg
+        GSeWIdSm+OD1HPDyD1054wEUAgPfRh0TZma+vDirH4RDH0tMubRGOLl17nV+/v7U
+        ZgEJAhCYgHEjsPDIpUoHopF1vkhxmhv6YqILLzDftbbmDQUqncs/mgnFCJPNnKVJ
+        ldwNj2kuAd2L5VRI0E9k0ZVzg/Aqb8B2wSTiJmQGWI3b0tNfGuC65fe7p8ceJ5vZ
+        et8Y1DEjVg==
+        =u7aP
+        -----END PGP MESSAGE-----
+      fp: EF643F59E008414882232C78FFA8331EEB7D6B70
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA6EyPtWBEI+2ARAAsrHbA58mnccH/oWDgoEqwJx+ZkeSWo6Arc0nMhU/Qh+9
+        Nl/pKdKm3LsIwkKTRVGDxI4vFRo42LFZE47nyfa70G7GiM1uJnEOx6vLTN0HpL6S
+        YQi8Dbb/+WA7QnGDfaEiozGQzsPMAgSVAE3A0rlcLBqQwiGsfhHr1RwEggfXqMG4
+        twxWIbKI/8T088b1IFs7fOKxzEB6na7+HoNaG22jlvRY0irMfgti8xeflWmZIKf2
+        uY6gM2rCOtCSi8vZEhJiXb5SG1NbyMmVHsz0ZXHwwGsiDACFqISqfR921B0Cuftx
+        Nj2pIwKbGyOOsFjlbC3ZGUMplLzYpRMx8LetLMrksWSpzypWdeI166gjF4MncUlQ
+        gl5hM7gL/+6k86yxIqTeexVoU24NRcsYCnQKZAK5T2fxQxX0BXppWxju6Jq1erRU
+        JZsggrbxELMJfcyrDC1cH/zgAM1kqOi32ZaGiO3U1WA5fxhJPUy5kxoQXSISL7Ng
+        mrnnMKIWK7eClQb47a/lYWEIqw1UjJhCPmKVHlcSmiH8FATfr5KjHeFlK8Zou5Ji
+        yMbVS7s2P9MeEzdnNC8PSFwjM9K7qXuWJYvDQtUracfxgO3X0r7Z+5g62WmLVDcp
+        E26DzDyTrU6Vf6WANOg/V7C7paOasnpcaU62/C65BBtGH23mgEfkJSkBYJWCea7S
+        XAHLeksa73OaeO28kTspM4G/Nlh65lr2p92gmcpbqkARvw8dIOUrAqPMRjJHabZq
+        vLbFx/uqXDPfALVXNWKGZp3vObGPLImQ1EfjVCYzOlkXXnfVdE+ih9+HIYhX
+        =advR
+        -----END PGP MESSAGE-----
+      fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAz5uSgHG2iMJAQ//c9NMv/m/qGaJR+2jeu5VAbPwqIfBbrAEiV2s6TlzJRLz
+        7yEo9l/wh2WV+1Ew9dM5Pe8cgezjNaXgCeV8EEMu6dzOb1N++3TQJ7ET10DaOVec
+        ofEwDUYj8UHmV0VmhOPWLpceAod5wk4Xm4rlJTFjQ6TKN8U0dBoGS1cxHWwWw8oa
+        RebdNmpfSgkj0ohbeD9owxQ7JhqGlOPo1JCz7YI6c6bwQ1wuOC/XqnJt4F5ny8ty
+        y/qj1m9KrL5nRRc06qxNtmYODMuS+OeScfcI4grX7wMTUrqaFkCVHcboi5ZD6DzE
+        L49PT51/KK/lOlgKjSDfGgRRj9a9UO+7IXnMG0/5kDzRRBJDBzZH/5rujP8ffz+8
+        glxGBiBhsLroHbwn3a4BlDHpnuqCKa/7CmSyfGCNPp0TuMPvCVWf6muXA86wo5fQ
+        B/qKjvJV15qWJXdKDYyWJAg2B78/dROYbX142R9wPitP8zyj8b3jrzIcoIViAvkl
+        L3ZnnhqZxzkKcfc2rBsdadBEquz9+oGj6rKARyhFkT92in6zZO19fBZqTH5y/QYl
+        o0bDAbdQKJf36Eqh8G102z2x/Keo7gK/PWwwOi5YrFlgDVk4oBqAHWRgBiEvjSaO
+        Z7Ork1eeBUuZLAofzMoNNDaZS0KBfEgE3gczGpcRjjIwTDSIXM8NVtz7aXwZjUTS
+        XAG89qkxjGjlnJcRrE6izhiNbepWaOYYWb57VB5jL0TciQJHR7nbOGQh0T+tNKcb
+        fKyxZOL8IdGpoqxsRCuaPE5cEwc17XKuu53CfZo9t6hjh8SwRKWGnk7dkYhy
+        =vqhH
+        -----END PGP MESSAGE-----
+      fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAw5vwmoEJHQ1ARAArape3cqNbLeWh0YdcG9fBcuzyrTGntyD6ccl9Wwc4aTd
+        +uNMhCl7758tETPPK4qneAYNSnbnFQcgKj0ATkVMhMuT58g15GMEyXvhUsIukpQ7
+        Ca5t+aVh1fmb1pvcWPd4MUUQzt8KKN99+0KfyWzvdsb2jUBKICG3TQvTWXT93+g4
+        LjG6TCW+wv06nTquaCEaR4IdEPJRfZEspUXDhi2Wr/AjXIlvfN/yhs2AyTjde5un
+        kha2iy85o2NikCYoIaqFvFaEDOGjdcT4g/jaErxXn8sSxOQo9aV/r5Ksm/mXyEI2
+        cSrbMfBXwrlrHNZ5VCbYZLbNjIbwFdBV04buZldDT4GYmBW/PG71NeKDrXrgnTOn
+        3fBkXmhFb3gLppMv2v2TY96lGk3Obbfnry1lsgLLW+SvustNe1en3mXSVciCbuEh
+        7bsb4AkJyJXSUFh8jQ1LWxcE9jsI6eIj9eb/tw0QmC0y8Q2fqOV927B8d7Pl2dyU
+        K0aryOwn+80ce7sBd/9JRL6SOHB2nK8BpmRO2blAmhrGEjX8kif9hFrXHLU2+7sb
+        QC0ccFjoleqhTgsnOXCHwfm0ggejvZhS3GLjABgXBp2LVVYuWZXVhCQuRLsUV2v3
+        Wf4fPWaGWw8tTTaW198H0NWfd/FSogzWQcsgknVWM9YS/zzqcQNYsSObwh2q2V/S
+        XAFWrPxSexFSi0XiXK7ahhnp7OTIMtw9dy3e0HQ/7F8guhvhwoTcK6bLY2967wyj
+        IPh1r+J6g090fN2QXm0oHTSJbhl+fy4bOkXVt/ATyPh6b0yRaxMgSGXWeh3C
+        =hGXq
+        -----END PGP MESSAGE-----
+      fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA4HMJd/cQYrVARAAwAzM+dgsD/WBFbCFIXhDdsLmmWZMeVLD1AlLTmu/GfGg
+        YvHhW4giEaqEzUsQOuxmyND7eQd3fBKf1GcwFLXE9xrR6YD5yh7s898mnCpBi2Xi
+        LBPMz7nN/j7mfetPklsTazbbaoSB9hVx8AK7jzS7zvzgEGIm8Yeilx/v8OqbT1xQ
+        +07soWjVvqM526a24KSdRBTgvXPJvqIPt0IEZzFWtAppectcRBiZJHX4huU5wOuG
+        SEk0vgwCwrt3cades+dbh59cSqUc65qGhDti0tnygnSKgepOkQsFOqoZ/WvgE+io
+        5fNEI4g2/D+gmSelCCcQE0MFe+Uzc1FpsWwZiHnbGfnA55GO0dvoOUAsJQtwCLSq
+        1Lw8bpywgfIfU4QMYmZAaYsHDly4VTwluFe1WnExzf/nMxRQQmqIlg2pTmNZ6tJ1
+        1A9Rc6mg83//2fNWRw+JBtOJUCePw5nyJ0jTOQZd7Dl0ZzwlsgH8g/Y/Flg1kFll
+        CXGcJ1TMjTjzD4+Fl3UE+BqpzBjwQodzHqX3LEJ9uJ2guw0zbWzuMs10aTEoW/1U
+        pVGexkrcaduykd5TQmMO8yG6rW2KEKJlh68lxZslUAiG0ASTuSpY5A8leS5OZZgF
+        EQjs903r1epwJgBwnQGhijpTrmqiThvdE0BJ9r1jmxUy75KzWh/SZDmpCwDfsELS
+        XAEceOrsLsaYRqisM5D1zvNneEoGKv3GoS4cs4iuqHPyy2ZueHWK24HmAmrghRQ7
+        uLCmS0SmU5CY5gmVRkrKhY/0wtKWqJ10cK17Z/dQtRz6g3qmFM4JBfMy4BL9
+        =vZLC
+        -----END PGP MESSAGE-----
+      fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAxjNhCKPP69fARAApzEcBIVknhmysQc02ufbjFzKweB4jsCvGoPXSooMzs4x
+        p4keH/xaVXF1/nn+bzMHJt1/LV1/5LlyHtQNcZ30hUrziOy4LCnyfNgb5WP3VMP3
+        XW6ZcBiEIcUHZ1Ikl/cUNCpKazVRD6o6oKmFCwXKgE9a/l5XX/j3vizQ22vwfgfa
+        oziQPhMadfne8hXAJIB7fOn45ZLFNgLqYWW4Jh4L1DJflziNR8kx3NQJLWDmSqqB
+        SpuFBkm7DaLCkj/TpvAQs5xSI69kLlDfcaEPI4noAdhJh+jwGVLNmKyekKsYfrDS
+        5cQUVD3Hmn4WnpR2jLJAlwcFaEZt0muiLIxZmAxfSzJhld8G4GOcoAllfG9ze+QG
+        oJ3G6jWtJeoCZR5zbdk+lNcQ+iHD6bzrkN+54menxu2XGHkFKQ1es/g+cU0AI3yZ
+        XXgnlwNtC75TzZHwSA0kjmqcgr5XVcoLOr5XJWasQOyIXpjcHbfonnMV4NE5A/Jo
+        IEMLUdjLBWmjW1xeWo1CJ8hELbpfNaQf8YBzEuo5Yqvs7s0fKl8ea18jwtwYP9qc
+        2CbD+7GpxuK/06gMTt7LExcqt39PVGmeFAtZHNtNBMnZ6Ek5cbWqhjPOCy2MFVaa
+        XTH3UxD1YISZC+NZtSYLDWrTwzY3EYCttAxHzg1iFC8STaM/OR6beD0OPcPj+QLS
+        XAH6NdHQcUSsFJ0KR4dfOrOnuLDzX2xLsgXJvDhRVbpYwSdeG40j5oGiNpam+z8/
+        fDboI4SNzB7Mb4j196kSHWK90sKFsxGkoDGZM/QZh4QA2v0yke1sqkUwkK4I
+        =SLD4
+        -----END PGP MESSAGE-----
+      fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA1Hthzn+T1OoAQ/+LSHRuYFtIKdxABivqoxvbirPS9Vyo+lYNXMRt9eK5oYp
+        8ei+fyJgsyxXIIlsW2Dg/ZrM8O4aTxkuX1Eg0BhvuWWGBx71S7IGYX+6eSqrZWb+
+        0zLSwKHmk3avGae/IkpKyEdFnGpHKhnILfpKEXVRWHQo5hjxFzUwzNr5N+wJcq19
+        sVuCsu4WSt75Ab5bTjl/AYrfYegkK5zXo2I+njIcSYqleQ6vlQ10LUiPg8QhPXqB
+        NvC8DVglMHN+dFDrnn5huTsd23nIJn6HRbLkqgPCezT8JUgjvEsO0tOdnM8jwRnI
+        K79HH53p3fbxSut+/P+u1X0gMTOT7KeLfY8URho5HQnnmymXbRxuWoQea9/Z3qIX
+        4tfYkcMQA3+rxXANgsfT1yHEs8NjomUxi0SmSCeqtH333iMJJwEwWgLiIKFAA6t9
+        SffF9liWeG88VEeAF5dM+7uQ7XrTsAlcdHdNoQCpprx3Hx331rFt1DOj3Md2moF0
+        TUqdNsZ7wCA9zlVPwtjkILMGEdz8ZN62an0R/h2ZM9Y/wuZcl1M6wWI9eyjx2Qva
+        7/Xk6LMklmNICifOZZ5Tmw1xSyxOIW8VNp7IiKXZBAjb8NiUveNUos0gjMxNQ3PR
+        oWv8LY3vfYiKE7AJhzrEim1PX36OcRYpB+0BAou//9PGI59tHp/Fupi2lWx7Qv3S
+        XAEJRUzfnCPB56PdLkNFbJAj2v11zD8zBIZqpuGh/f3fE7V0klGy/Dx9yHyAhw0t
+        LeXMrYUYO3zjLc4yh7qdrGPBdWUQg8BzWwIJERdHS90zQwmcTkkaX5en3GII
+        =MQ9C
+        -----END PGP MESSAGE-----
+      fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA46L6MuPqfJqARAApQx98KdexUMI0KY65hv0IRvBRFouPwpTsd4VpzTsbkYF
+        XDBhxWVXkI9iLS8O6siQygVDDMfIDs5SadVoOicWyOpHR5sjOaW9qHA4w399w8Fe
+        5XoPyfUuQvVywfHMhQiznHNPj5+SgcehwUL1i1+qD3h8RZxbgGkvYKinlkkbxzh/
+        Tk4lYjcoNvb/10XRWDEy5KxMB2qc2BFEWZk6DrXe9ZUd0IzYh+tA07rUZVu8TRAc
+        abx6/0lvgIK45frzYJb17yL/9mCbAUVzSlR/+5LZ+qm73Ax4nsGcGA8nfDVGw/di
+        +BbbpBHdCs7/1XEHfrKzuUXOAd0V1HjeQSS6zzcwsfFLMevYMyTLmiTwo6SEoWSk
+        nN599ZqPutG94MVtvaKqDY47ABSOr0BZIUn4jdus34GTgDjX3TVTx8KPzemIbUv7
+        BQcd654NKQN0poyZegrksnJVfs6OeSULLylufj6vyFNlKbjNR+D1sHhiyKcmyrQf
+        T0jDnPgZIzeVbNSdrDywrme+CykRSoFs60GgGYt6p/Omuh7Vp6we05jzY8lUJL76
+        VsGqqyCn3JLZb6iWFe+P7JT1VXsl8xsrmn5BKoSMeXqaXctYKuJ2E20gc90a8UXm
+        jhnHYeG2QHW1LBgv1yeqCpUIfHxNRr+gJ3cHQLNUuchC3vubf3sBXhHzYXyzyXrS
+        XAFwRah/o35ETWbRhFsw+SzJGTgsyUqKAtWGmfTRPsbVvbam63IEsbTSLOdMahmY
+        6uSgIbsZTobna90eVPFM8w3JIx7+Mq0YtdaLgRqpHJtPC7oVgN+RnKbgEEqQ
+        =uyf4
+        -----END PGP MESSAGE-----
+      fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMA4EEKdYEzV0pAQ//QZwerhHFVjR/LahlgmnO/HyiR+wbvNzHEya/rVwuu+st
+        V8hNgBFp9N1Y9uh/GFIzZd5ETz7yq0FawRptlt5k0CqVYfsDBIB3ewxukJeyjdj2
+        8E84l9SSdmV5uqWK+MV+uY57C8BBcgWtUpjOTNrGkAqtEd5YrSZwcgtKGVLI2Dd/
+        i2I1RYdYP/VTusBtpqPk+IrpJf8jEYcEhl+S0wnG+kh/rhyCCrtda49SgRbuJE2d
+        V9JJlASkC6H6DRn6dVcO2BUZss3ZQB+OF9vfo7tnnuU8Mw1C2JWPy9oPiNat5UGE
+        zVJZf//m0xBfQVFWFDs95lvqzsBcAAg02tTsclPTtgz9buW5Pph3/OUiq4o/ZWOz
+        TMSXGD+Fi/mbP7jJZndtiadMtfOQC1dGC86A5H01aQliWruIMb0Wp55+Zr2Rw39p
+        FlhFSfCzyQHgA+uMa45XFaHCaS9pllWoT3QO3csP5ZyeUM8pLvnxwnLB2BTgg+yF
+        aV3BP0nzbHAUuaDeb/WtRINKRcKHCqrPPAEvb6X0OU51NvzmaWJphpdrvi3/4sEO
+        5+zDlqSZetaBa9WB1iCeD/u8wNNunCXageLxBucesv1uH5PvF51A/aJvXf1jRCym
+        NjSUQw2aSX35nWc9MIcUnO5mB8H4N5BF2FBx8Nq2XnrVgVPqqe1Sc2Ph4tE54QzS
+        XAG1bzAX3lHh77xsUuy/Nk3VE3kzJhaxpyz0rPIn6NQ9lVcy4hiyecKL3Jk3Ffcn
+        kxeKnjym5E4e3f8cMxWQlc+xtwga5QAD2dU2X9fPj6UxGEbh+gDqLv8wtzMr
+        =7R+0
+        -----END PGP MESSAGE-----
+      fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hF4DQrf1tCqiJxoSAQdA4XhPBK5WnPVo84ZrCUe92HZSEKtH88GLktniZCmAczcw
+        cO5WYiy9D4z/aieGuMTBGg5xRk7eAMZVTbMDV+KXKLVlDwoxKybKSbT+fvhNGJ13
+        0lwBd0RFKYGq4YO+/nUxHZo3hG6qmv3/K06fta/D4p/C5wYefNZVcAj5VqatP3Zi
+        I/ktqdDszkc98/bf4fHoQmSxP25Wp65jJBEYeMZgX75M/wguGeIBfEgZB5bgww==
+        =0G+m
+        -----END PGP MESSAGE-----
+      fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
+    - created_at: "2024-08-05T20:33:02Z"
+      enc: |-
+        -----BEGIN PGP MESSAGE-----
+
+        hQIMAzdAjw8ldn6CAQ//Vu9YJvMsevJAd4RJwJ5HMdB3xy3dbDG98qZb8Zoj0+qX
+        KT/VsR9YoOLeszmzI6BtB2PQhLeavMR2/SFJTGunxaSCvHcd/q7dnC+WAmUVun8l
+        MVRkIRh1I+tX1KQBqFt1IzsUm5kwJD4iThn4OWyDlS3WCDFlOLUC1iZVtdqxptzy
+        p4mzM4NmR/Z8r8aA+dYdTlzDHyUhVnvYCDaRTIyr2qzd6kUHmo9PMRvqUNQkNA3k
+        YOwLt8VR0nZIAx7YOGwSp4E32tk09o7Z+dUIYqXO71c5TxXsOoeEbVn7gj+7KQVs
+        yDNMF7he54zjModPJkSa4MjwTC2NKzLClux0aE9dW5Zv2eSiTEIlaAwhJjH0wt8O
+        oMJ5A8Y39GmNoAkadQ5NLP6WwTaUFYLacT56/AdAvsodQf7zlF399wXZlQufAgLv
+        3WAvL+LQKpg8TwH74pJe4te4BjnqWvYx+jkRYbRxSXD2iwqrWXk57XysizgjAAre
+        FJe42BeL2uyP/cMTcNFcd+W2DztUkNR54FHSYY8mqev81BYX92ExsfEugsBzUaDF
+        3QBnZIZZInCQKnXIIaj5+rV8XXbMKnyTNBQCxfUk92OOrUhikvYhwfPev2ejUzQm
+        k8RgIG9ZBWDENGX9ojmTH+ec2gWmLvKGyhrKjWvNMzzblHfuxjdSizoQ1FflYEPS
+        XAE9Cu/L0lwQEU8vRRPPF9kRHLoJygxdOYoD4+SggCkPJxtyiCTNWJeOBwbSnGyh
+        B8GnNJwNn7H8vh40se/uo2311O8NcuvdLLiBw9DxCTCcPHqS4e5hF98oiSnI
+        =ZgbM
+        -----END PGP MESSAGE-----
+      fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
+  unencrypted_suffix: _unencrypted
+  version: 3.9.0

config/hosts/yate/service.nix

@@ -1,21 +1,48 @@
 { config, pkgs, ... }:
 
 {
+#  systemd.managerEnvironment = {
+#    SYSTEMD_LOG_LEVEL = "debug";
+#  };
+
+  
+
+  sops.secrets."git_clone_key" = {
+    mode = "0600";
+    owner = "yate";
+    group = "yate-config";
+    restartUnits = [ "yate.service" ];
+};
+
   systemd.services.yate = {
     enable = true;
     description = "Yate telehony engine";
     unitConfig = {
-      Type = "simple";
+      After= "network-online.target";
-      After = "network.target";
     };
     serviceConfig = {
-      ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do";
+      ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
-      Type = "simple";
+      Type="simple";
-      Restart = "always";
+      Restart="always";
+      User="yate";
+      Group="yate-config";
+      StateDirectory = "yate";
+      StateDirectoryMode = "0775";
       # ...
     };
     wantedBy = [ "default.target" ];
-    requiredBy = [ "network.target" ];
+    requires = [ "network-online.target" ]; 
+    preStart = "echo \"\n\" >> /run/secrets/git_clone_key
+                sleep 5
+                SSH_SUCCESS=1
+                ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG  || SSH_SUCCESS=0
+                if [ $SSH_SUCCESS = 1 ]; then
+                rm -rf /var/lib/yate/*
+                rm -rf /var/lib/yate/.*
+                env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
+                ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\"
+                fi";
+
     # ...
   };
 }

config/hosts/yate/sops.nix

@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+  };
+}

config/hosts/yate/yate.nix

@@ -10,4 +10,19 @@
 
   # Just disable it for now.
   networking.firewall.enable = false;
+
+  users.users.yate = {
+    description = "yate service user";
+    group = "yate-config";
+    isNormalUser = true;
+  };
+
+
+  users.groups.yate-config = {};
+  users.groups.yate-config.members = [ "colmema-deploy" "chaos" "root" "yate"];
+
+  environment.etc.yate.user = "yate";
+  environment.etc.yate.group = "yate-config";
+  environment.etc.yate.mode = "symlink";
+  environment.etc.yate.source = "/var/lib/yate";
 }

flake.lock

@@ -16,11 +16,11 @@
     },
     "nixlib": {
       "locked": {
-        "lastModified": 1731200463,
+        "lastModified": 1734829460,
-        "narHash": "sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg=",
+        "narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "e04234d263750db01c78a412690363dc2226e68a",
+        "rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c",
         "type": "github"
       },
       "original": {
@@ -35,11 +35,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1731546190,
+        "lastModified": 1734915500,
-        "narHash": "sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8+ErehqI=",
+        "narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "06ffce1a8d95e95c06a4bcfa117dd960b14a7101",
+        "rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4",
         "type": "github"
       },
       "original": {
@@ -50,11 +50,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1731245184,
+        "lastModified": 1734435836,
-        "narHash": "sha256-vmLS8+x+gHRv1yzj3n+GTAEObwmhxmkkukB2DwtJRdU=",
+        "narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "aebe249544837ce42588aa4b2e7972222ba12e8f",
+        "rev": "4989a246d7a390a859852baddb1013f825435cee",
         "type": "github"
       },
       "original": {
@@ -66,16 +66,16 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1731842749,
+        "lastModified": 1736408508,
-        "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
+        "narHash": "sha256-WIGZ3DPw5H+SPszUXVacK+KTh3sJZShP1vGtDwhquNM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
+        "rev": "530de2c83360057c1650fb8a37ef48cb9ad8f6a6",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-24.05-small",
+        "ref": "nixos-24.11-small",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -95,11 +95,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1731862312,
+        "lastModified": 1736203741,
-        "narHash": "sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM=",
+        "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "472741cf3fee089241ac9ea705bb2b9e0bfa2978",
+        "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773",
         "type": "github"
       },
       "original": {

flake.nix

@@ -5,7 +5,7 @@
     # Use the NixOS small channels for nixpkgs.
     # https://nixos.org/manual/nixos/stable/#sec-upgrading
     # https://github.com/NixOS/nixpkgs
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small";
 
     # Add nixos-generators as an input.
     # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
@@ -35,27 +35,24 @@
       system = "x86_64-linux";
     in
     {
-      overlays = {
-        shairportSyncAirplay2 = final: prev: {
-          shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
-            # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
-            configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
-            buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
-          });
-        };
-      };
       nixosModules = {
         common = ./config/common;
         proxmox-vm = ./config/proxmox-vm;
         prometheus-exporter = ./config/extra/prometheus-exporter.nix;
       };
+      overlays = {
+        netbox41OIDCMappingOverlay = final: prev: {
+          netbox_4_1 = prev.netbox_4_1.overrideAttrs (finalAttr: previousAttr: {
+            patches = previousAttr.patches ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ];
+          });
+        };
+      };
       nixosConfigurations = {
         audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
           inherit system specialArgs;
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
-            { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
             ./config/hosts/audio-hauptraum-kueche
           ];
         };
@@ -65,7 +62,6 @@
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
-            { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
             ./config/hosts/audio-hauptraum-tafel
           ];
         };
@@ -96,6 +92,7 @@
             sops-nix.nixosModules.sops
             self.nixosModules.prometheus-exporter
             ./config/hosts/netbox
+            { nixpkgs.overlays = [ self.overlays.netbox41OIDCMappingOverlay ]; }
           ];
         };
 
@@ -177,6 +174,7 @@
           modules = [
             self.nixosModules.common
             self.nixosModules.proxmox-vm
+            sops-nix.nixosModules.sops
             ./config/hosts/yate
           ];
         };

modules/services/audio/shairport-sync.nix

@@ -17,6 +17,7 @@ in
   config = mkIf cfg.enable {
     services.shairport-sync = {
       enable = true;
+      package = pkgs.shairport-sync-airplay2;
       arguments = "-o pw -v";
     };
 

patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch

@@ -0,0 +1,61 @@
+diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py
+new file mode 100644
+index 000000000..470f388dc
+--- /dev/null
++++ b/netbox/netbox/custom_pipeline.py
+@@ -0,0 +1,55 @@
++# Licensed under Creative Commons: CC BY-SA 4.0 license.
++# https://github.com/goauthentik/authentik/blob/main/LICENSE
++# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
++# https://docs.goauthentik.io/integrations/services/netbox/
++from netbox.authentication import Group
++
++class AuthFailed(Exception):
++    pass
++
++def add_groups(response, user, backend, *args, **kwargs):
++    try:
++        groups = response['groups']
++    except KeyError:
++        pass
++
++    # Add all groups from oAuth token
++    for group in groups:
++        group, created = Group.objects.get_or_create(name=group)
++        user.groups.add(group)
++
++def remove_groups(response, user, backend, *args, **kwargs):
++    try:
++        groups = response['groups']
++    except KeyError:
++        # Remove all groups if no groups in oAuth token
++        user.groups.clear()
++        pass
++
++    # Get all groups of user
++    user_groups = [item.name for item in user.groups.all()]
++    # Get groups of user which are not part of oAuth token
++    delete_groups = list(set(user_groups) - set(groups))
++
++    # Delete non oAuth token groups
++    for delete_group in delete_groups:
++        group = Group.objects.get(name=delete_group)
++        user.groups.remove(group)
++
++
++def set_roles(response, user, backend, *args, **kwargs):
++    # Remove Roles temporary
++    user.is_superuser = False
++    user.is_staff = False
++    try:
++        groups = response['groups']
++    except KeyError:
++        # When no groups are set
++        # save the user without Roles
++        user.save()
++        pass
++
++    # Set roles is role (superuser or staff) is in groups
++    user.is_superuser = True if 'superusers' in groups else False
++    user.is_staff = True if 'staff' in groups else False
++    user.save()