add yate service for autostart

introduce /etc/yate, clone/reset on service start Fix config via git make yate systemd service create yate service user recreate the full config everytime decolour the log because of blob data make sure source is available before deleting config change yate-config repo fix yate deploy key fix yate-config not pulling
audio-hauptraum-*: move audio VMs to client network
2025-01-18 21:00:53 +01:00 · 2025-01-14 21:06:26 +01:00 · 2025-01-14 20:49:14 +01:00 · 2025-01-09 21:44:31 +01:00 · 2024-12-16 22:50:00 +01:00 · 2024-12-09 21:21:17 +01:00
10 changed files with 124 additions and 38 deletions
--- a/README.md
+++ b/README.md
@ -76,4 +76,5 @@ nix build .#proxmox-chaosknoten-nixos-template

 ## License

-This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
+This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).  
+[`0001_oidc_group_and_role_mapping_custom_pipeline.patch`](patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch) is licensed under the Creative Commons: CC BY-SA 4.0 license.
--- a/config/hosts/audio-hauptraum-kueche/networking.nix
+++ b/config/hosts/audio-hauptraum-kueche/networking.nix
@ -5,13 +5,13 @@
    interfaces.net0 = {
      ipv4.addresses = [
        {
-          address = "10.31.210.10";
+          address = "172.31.200.14";
          prefixLength = 23;
        }
      ];
    };
-    defaultGateway = "10.31.210.1";
-    nameservers = [ "10.31.210.1" ];
+    defaultGateway = "172.31.200.1";
+    nameservers = [ "172.31.200.1" ];
  };

  systemd.network.links."10-net0" = {
--- a/config/hosts/audio-hauptraum-tafel/networking.nix
+++ b/config/hosts/audio-hauptraum-tafel/networking.nix
@ -5,13 +5,13 @@
    interfaces.net0 = {
      ipv4.addresses = [
        {
-          address = "10.31.210.13";
+          address = "172.31.200.15";
          prefixLength = 23;
        }
      ];
    };
-    defaultGateway = "10.31.210.1";
-    nameservers = [ "10.31.210.1" ];
+    defaultGateway = "172.31.200.1";
+    nameservers = [ "172.31.200.1" ];
  };

  systemd.network.links."10-net0" = {
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@ -7,13 +7,19 @@
 # - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md
 # - https://forgejo.org/docs/latest/admin/email-setup/

-{ pkgs-unstable, ... }:
+{ pkgs, ... }:

 {
  services.forgejo = {
    enable = true;
+    package = pkgs.forgejo;
    database.type = "postgres";
-    mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
+
+    secrets = {
+      mailer = {
+        PASSWD = "/run/secrets/forgejo_git_smtp_password";
+      };
+    };

    settings = {
      DEFAULT = {
--- a/config/hosts/netbox/netbox.nix
+++ b/config/hosts/netbox/netbox.nix
@ -9,7 +9,8 @@
 {
  services.netbox = {
    enable = true;
-    package = pkgs.netbox;
+    # Explicitly use the patched NetBox package.
+    package = pkgs.netbox_4_1;
    secretKeyFile = "/run/secrets/netbox_secret_key";
    keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
    settings = {
@ -24,6 +25,24 @@
      SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
      SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
      SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
+      SOCIAL_AUTH_PIPELINE = [
+        # The default pipeline as can be found in:
+        # /nix/store/q2jsn56bgkj0nkz0j4w48x3klyn2x4gp-netbox-4.1.7/opt/netbox/netbox/netbox/settings.py
+        "social_core.pipeline.social_auth.social_details"
+        "social_core.pipeline.social_auth.social_uid"
+        "social_core.pipeline.social_auth.social_user"
+        "social_core.pipeline.user.get_username"
+        "social_core.pipeline.user.create_user"
+        "social_core.pipeline.social_auth.associate_user"
+        "netbox.authentication.user_default_groups_handler"
+        "social_core.pipeline.social_auth.load_extra_data"
+        "social_core.pipeline.user.user_details"
+        # Use custom pipeline functions patched in via netbox41OIDCMappingOverlay.
+        # See: https://docs.goauthentik.io/integrations/services/netbox/
+        "netbox.custom_pipeline.add_groups"
+        "netbox.custom_pipeline.remove_groups"
+        "netbox.custom_pipeline.set_roles"
+      ];
    };
  };

--- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
+++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
@ -22,6 +22,7 @@
      WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
      WOODPECKER_FORGEJO = "true";
      WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
+      WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB
      # Set via enviornmentFile:
      # WOODPECKER_FORGEJO_CLIENT
      # WOODPECKER_FORGEJO_SECRET
--- a/flake.lock
+++ b/flake.lock
@ -16,11 +16,11 @@
    },
    "nixlib": {
      "locked": {
-        "lastModified": 1731200463,
-        "narHash": "sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg=",
+        "lastModified": 1734829460,
+        "narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=",
        "owner": "nix-community",
        "repo": "nixpkgs.lib",
-        "rev": "e04234d263750db01c78a412690363dc2226e68a",
+        "rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c",
        "type": "github"
      },
      "original": {
@ -35,11 +35,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1731546190,
-        "narHash": "sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8+ErehqI=",
+        "lastModified": 1734915500,
+        "narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=",
        "owner": "nix-community",
        "repo": "nixos-generators",
-        "rev": "06ffce1a8d95e95c06a4bcfa117dd960b14a7101",
+        "rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4",
        "type": "github"
      },
      "original": {
@ -50,11 +50,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1731245184,
-        "narHash": "sha256-vmLS8+x+gHRv1yzj3n+GTAEObwmhxmkkukB2DwtJRdU=",
+        "lastModified": 1734435836,
+        "narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "aebe249544837ce42588aa4b2e7972222ba12e8f",
+        "rev": "4989a246d7a390a859852baddb1013f825435cee",
        "type": "github"
      },
      "original": {
@ -66,16 +66,16 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1731842749,
-        "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
+        "lastModified": 1736408508,
+        "narHash": "sha256-WIGZ3DPw5H+SPszUXVacK+KTh3sJZShP1vGtDwhquNM=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
+        "rev": "530de2c83360057c1650fb8a37ef48cb9ad8f6a6",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-24.05-small",
+        "ref": "nixos-24.11-small",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -95,11 +95,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1731862312,
-        "narHash": "sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM=",
+        "lastModified": 1736203741,
+        "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "472741cf3fee089241ac9ea705bb2b9e0bfa2978",
+        "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -5,7 +5,7 @@
    # Use the NixOS small channels for nixpkgs.
    # https://nixos.org/manual/nixos/stable/#sec-upgrading
    # https://github.com/NixOS/nixpkgs
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small";

    # Add nixos-generators as an input.
    # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
@ -35,27 +35,24 @@
      system = "x86_64-linux";
    in
    {
-      overlays = {
-        shairportSyncAirplay2 = final: prev: {
-          shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
-            # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
-            configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
-            buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
-          });
-        };
-      };
      nixosModules = {
        common = ./config/common;
        proxmox-vm = ./config/proxmox-vm;
        prometheus-exporter = ./config/extra/prometheus-exporter.nix;
      };
+      overlays = {
+        netbox41OIDCMappingOverlay = final: prev: {
+          netbox_4_1 = prev.netbox_4_1.overrideAttrs (finalAttr: previousAttr: {
+            patches = previousAttr.patches ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ];
+          });
+        };
+      };
      nixosConfigurations = {
        audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
          inherit system specialArgs;
          modules = [
            self.nixosModules.common
            self.nixosModules.proxmox-vm
-            { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
            ./config/hosts/audio-hauptraum-kueche
          ];
        };
@ -65,7 +62,6 @@
          modules = [
            self.nixosModules.common
            self.nixosModules.proxmox-vm
-            { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
            ./config/hosts/audio-hauptraum-tafel
          ];
        };
@ -96,6 +92,7 @@
            sops-nix.nixosModules.sops
            self.nixosModules.prometheus-exporter
            ./config/hosts/netbox
+            { nixpkgs.overlays = [ self.overlays.netbox41OIDCMappingOverlay ]; }
          ];
        };

--- a/modules/services/audio/shairport-sync.nix
+++ b/modules/services/audio/shairport-sync.nix
@ -17,6 +17,7 @@ in
  config = mkIf cfg.enable {
    services.shairport-sync = {
      enable = true;
+      package = pkgs.shairport-sync-airplay2;
      arguments = "-o pw -v";
    };

--- a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch
+++ b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch
@ -0,0 +1,61 @@
+diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py
+new file mode 100644
+index 000000000..470f388dc
+--- /dev/null
+++ b/netbox/netbox/custom_pipeline.py
+@@ -0,0 +1,55 @@
+# Licensed under Creative Commons: CC BY-SA 4.0 license.
+# https://github.com/goauthentik/authentik/blob/main/LICENSE
+# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
+# https://docs.goauthentik.io/integrations/services/netbox/
+from netbox.authentication import Group
+
+class AuthFailed(Exception):
+    pass
+
+def add_groups(response, user, backend, *args, **kwargs):
+    try:
+        groups = response['groups']
+    except KeyError:
+        pass
+
+    # Add all groups from oAuth token
+    for group in groups:
+        group, created = Group.objects.get_or_create(name=group)
+        user.groups.add(group)
+
+def remove_groups(response, user, backend, *args, **kwargs):
+    try:
+        groups = response['groups']
+    except KeyError:
+        # Remove all groups if no groups in oAuth token
+        user.groups.clear()
+        pass
+
+    # Get all groups of user
+    user_groups = [item.name for item in user.groups.all()]
+    # Get groups of user which are not part of oAuth token
+    delete_groups = list(set(user_groups) - set(groups))
+
+    # Delete non oAuth token groups
+    for delete_group in delete_groups:
+        group = Group.objects.get(name=delete_group)
+        user.groups.remove(group)
+
+
+def set_roles(response, user, backend, *args, **kwargs):
+    # Remove Roles temporary
+    user.is_superuser = False
+    user.is_staff = False
+    try:
+        groups = response['groups']
+    except KeyError:
+        # When no groups are set
+        # save the user without Roles
+        user.save()
+        pass
+
+    # Set roles is role (superuser or staff) is in groups
+    user.is_superuser = True if 'superusers' in groups else False
+    user.is_staff = True if 'staff' in groups else False
+    user.save()
Author	SHA1	Message	Date
echtnurich	4467c2172d	add yate service for autostart introduce /etc/yate, clone/reset on service start Fix config via git make yate systemd service create yate service user recreate the full config everytime decolour the log because of blob data make sure source is available before deleting config change yate-config repo fix yate deploy key fix yate-config not pulling	2025-01-18 21:00:53 +01:00
June	f5bc9024b1	audio-hauptraum-*: move audio VMs to client network Do this per request to hopefully improve mDNS discovery.	2025-01-14 21:06:26 +01:00
June	5676b1a468	netbox: configure and patch NetBox for OIDC group and role mapping The custom pipeline code is licensed under the Creative Commons: CC BY-SA 4.0 license. See: https://github.com/goauthentik/authentik/blob/main/LICENSE https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md https://docs.goauthentik.io/integrations/services/netbox/	2025-01-14 20:49:14 +01:00
c6ristian	d36ff73123	flake.lock: Update Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/a5278f7c326205681f1f42a90fa46a75a13627eb' (2024-12-16) → 'github:nix-community/nixos-generators/051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4' (2024-12-23) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/538697b664a64fade8ce628d01f35d1f1fd82d77' (2024-12-15) → 'github:nix-community/nixpkgs.lib/0a31e8d833173ae63e43fd9dbff1ccf09c4f778c' (2024-12-22) • Updated input 'nixos-generators/nixpkgs': 'github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2' (2024-12-13) → 'github:NixOS/nixpkgs/4989a246d7a390a859852baddb1013f825435cee' (2024-12-17) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/eb919d9300b6a18f8583f58aef16db458fbd7bec' (2024-12-15) → 'github:nixos/nixpkgs/530de2c83360057c1650fb8a37ef48cb9ad8f6a6' (2025-01-09) • Updated input 'sops-nix': 'github:Mic92/sops-nix/2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004' (2024-12-12) → 'github:Mic92/sops-nix/c9c88f08e3ee495e888b8d7c8624a0b2519cb773' (2025-01-06)	2025-01-09 21:44:31 +01:00
c6ristian	fa9c8e7ac1	flake.lock: Update Flake lock file updates: • Updated input 'authorizedKeysRepo': '`686a6af22f`.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10) → '`686a6af22f`.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10) • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/8cdaf8885c9c85d9d27b594dbe882406aadfe00e' (2024-12-05) → 'github:nix-community/nixos-generators/a5278f7c326205681f1f42a90fa46a75a13627eb' (2024-12-16) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/0e4fdd4a0ab733276b6d2274ff84ae353f17129e' (2024-12-01) → 'github:nix-community/nixpkgs.lib/538697b664a64fade8ce628d01f35d1f1fd82d77' (2024-12-15) • Updated input 'nixos-generators/nixpkgs': 'github:NixOS/nixpkgs/2c15aa59df0017ca140d9ba302412298ab4bf22a' (2024-12-02) → 'github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2' (2024-12-13) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/5e7591e5e8c8cddc1e9c7cad01033e6c2d560cd0' (2024-12-08) → 'github:nixos/nixpkgs/eb919d9300b6a18f8583f58aef16db458fbd7bec' (2024-12-15) • Updated input 'sops-nix': 'github:Mic92/sops-nix/c6134b6fff6bda95a1ac872a2a9d5f32e3c37856' (2024-12-02) → 'github:Mic92/sops-nix/2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004' (2024-12-12)	2024-12-16 22:50:00 +01:00
jopejoe1	8764841759	shairport-sync: use airplay2 variant instead of custome overlay	2024-12-09 21:21:17 +01:00
June	a039b3febf	update nixpkgs to 24.11 (small) Also use non-lts forgejo and adjust config for 24.11.	2024-12-08 22:21:15 +01:00
June	67ab856b82	flake.lock: Update Flake lock file updates: • Updated input 'authorizedKeysRepo': '`686a6af22f`.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10) → '`686a6af22f`.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10) • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/06ffce1a8d95e95c06a4bcfa117dd960b14a7101?narHash=sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8%2BErehqI%3D' (2024-11-14) → 'github:nix-community/nixos-generators/8cdaf8885c9c85d9d27b594dbe882406aadfe00e?narHash=sha256-bNXO%2BOGxrOjAxv/Lnyj84tNDicJ/FdLyLJHzOKSzYU8%3D' (2024-12-05) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/e04234d263750db01c78a412690363dc2226e68a?narHash=sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg%3D' (2024-11-10) → 'github:nix-community/nixpkgs.lib/0e4fdd4a0ab733276b6d2274ff84ae353f17129e?narHash=sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8%3D' (2024-12-01) • Updated input 'nixos-generators/nixpkgs': 'github:NixOS/nixpkgs/aebe249544837ce42588aa4b2e7972222ba12e8f?narHash=sha256-vmLS8%2Bx%2BgHRv1yzj3n%2BGTAEObwmhxmkkukB2DwtJRdU%3D' (2024-11-10) → 'github:NixOS/nixpkgs/2c15aa59df0017ca140d9ba302412298ab4bf22a?narHash=sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw%3D' (2024-12-02) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/bf6132dc791dbdff8b6894c3a85eb27ad8255682?narHash=sha256-aNc8irVBH7sM5cGDvqdOueg8S%2BfGakf0rEMRGfGwWZw%3D' (2024-11-17) → 'github:nixos/nixpkgs/65d98ad2a50103eee5f72335bf69b7bae9d92612?narHash=sha256-t9/YFvqti1dE/tqeTunf8LGgjlwS6iSE8xl5KV/zcII%3D' (2024-12-08) • Updated input 'sops-nix': 'github:Mic92/sops-nix/472741cf3fee089241ac9ea705bb2b9e0bfa2978?narHash=sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM%3D' (2024-11-17) → 'github:Mic92/sops-nix/c6134b6fff6bda95a1ac872a2a9d5f32e3c37856?narHash=sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc%3D' (2024-12-02)	2024-12-08 18:57:36 +01:00
c6ristian	c78c278627	Set WOODPECKER_LIMIT_MEM to 6 GB for woodpecker so pipelines don't get killed by OOM.	2024-11-17 22:43:51 +01:00