9 commits
877bd44764
...
d98aa099e1
Author | SHA1 | Date | |
---|---|---|---|
June | d98aa099e1 | ||
June | cf46da9df7 | ||
fi | c84d9e7d0a | ||
christian | 33b2cbf5d0 | ||
christian | afb4fc71ce | ||
christian | 1fcd8c6421 | ||
christian | ff1a12846a | ||
June | 2ba371f8cd | ||
June | c8e7bd1ccf |
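--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) CCCHH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.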
15
README.md
15
README.md
|
@ -62,3 +62,18 @@ This is exactly what we're doing to set the default deployment user to `colmena-
|
|||
};
|
||||
```
|
||||
This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.
|
||||
|
||||
## Build NixOS Proxmox VE Template
|
||||
|
||||
Build a new NixOS Proxmox VE Template for the thinkcccore's:
|
||||
```shell
|
||||
nix build .#proxmox-nixos-template
|
||||
```
|
||||
Build a new NixOS Proxmox VE Template for the chaosknoten:
|
||||
```shell
|
||||
nix build .#proxmox-chaosknoten-nixos-template
|
||||
```
|
||||
|
||||
## License
|
||||
|
||||
This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
|
||||
|
|
|
@ -11,8 +11,8 @@
|
|||
let
|
||||
authorizedKeysRepo = pkgs.fetchgit {
|
||||
url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
|
||||
rev = "b6a29dc7af0a45a8c0b4904290c7cb0c5bc51413";
|
||||
hash = "sha256-c0aH0wQeJtfXJG5wAbS6aO8yILLI1NNkFAHAeOm8RXA=";
|
||||
rev = "686a6af22f6696f0c0595c56f463c078550049fc";
|
||||
hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=";
|
||||
};
|
||||
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
|
||||
in
|
||||
|
|
|
@ -45,6 +45,9 @@
|
|||
DEFAULT_USER_VISIBILITY = "limited";
|
||||
DEFAULT_KEEP_EMAIL_PRIVATE = true;
|
||||
ENABLE_BASIC_AUTHENTICATION = false;
|
||||
ENABLE_NOTIFY_MAIL = true;
|
||||
AUTO_WATCH_NEW_REPOS = false;
|
||||
AUTO_WATCH_ON_CHANGES = false;
|
||||
};
|
||||
repo = {
|
||||
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
|
||||
|
|
|
@ -1,10 +1,19 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
let
|
||||
domain = "c3cat.de";
|
||||
dataDir = "/var/www/${domain}";
|
||||
deployUser = "c3cat-website-deploy";
|
||||
in {
|
||||
security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
"acme-c3cat.de" = {
|
||||
"acme-${domain}" = {
|
||||
enableACME = true;
|
||||
serverName = "c3cat.de";
|
||||
serverName = "${domain}";
|
||||
serverAliases = [
|
||||
"www.${domain}"
|
||||
];
|
||||
|
||||
listen = [
|
||||
{
|
||||
|
@ -14,9 +23,9 @@
|
|||
];
|
||||
};
|
||||
|
||||
"c3cat.de" = {
|
||||
"$www.${domain}" = {
|
||||
forceSSL = true;
|
||||
useACMEHost = "c3cat.de";
|
||||
useACMEHost = "${domain}";
|
||||
|
||||
listen = [
|
||||
{
|
||||
|
@ -28,7 +37,7 @@
|
|||
];
|
||||
|
||||
locations."/" = {
|
||||
return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
|
||||
return = "302 https://c3cat.de$request_uri";
|
||||
};
|
||||
|
||||
extraConfig = ''
|
||||
|
@ -42,5 +51,45 @@
|
|||
real_ip_header proxy_protocol;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
"${domain}" = {
|
||||
forceSSL = true;
|
||||
useACMEHost = "${domain}";
|
||||
|
||||
listen = [
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
port = 8443;
|
||||
ssl = true;
|
||||
proxyProtocol = true;
|
||||
}
|
||||
];
|
||||
|
||||
root = "${dataDir}";
|
||||
|
||||
extraConfig = ''
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
|
||||
];
|
||||
|
||||
users.users."${deployUser}" = {
|
||||
isNormalUser = true;
|
||||
group = "${deployUser}";
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
|
||||
];
|
||||
};
|
||||
users.groups."${deployUser}" = { };
|
||||
}
|
||||
|
|
|
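Review bot: The virtual host renamed to `"$www.${domain}" = {` in the second hunk (`@ -14,9 +23,9 @@`) carries a stray `$`: Nix keeps a `$` that is not followed by `{` as a literal, so the attribute name — and with it nginx's `server_name`, unless `serverName` is set somewhere outside the hunk — becomes `$www.c3cat.de`, and requests for `www.c3cat.de` on the TLS listener never match this block and fall through to whichever default server nginx picks. The intended line is `"www.${domain}" = {`. In the same block the redirect `return = "302 https://c3cat.de$request_uri";` hard-codes the apex while the rest of the file now uses the `domain` binding; `"302 https://${domain}$request_uri"` keeps it consistent. Separately, the key added under `openssh.authorizedKeys.keys` has no key options, so this `isNormalUser` account accepts a full login with the default shell although its only job is writing `${dataDir}`; prefixing the key with `restrict` (plus a forced command if deployments run over rsync) or giving the user a non-interactive `shell` limits it to that job.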
@ -9,6 +9,7 @@
|
|||
./hackertours.hamburg.ccc.de.nix
|
||||
./hamburg.ccc.de.nix
|
||||
./spaceapi.hamburg.ccc.de.nix
|
||||
./staging.c3cat.de.nix
|
||||
./staging.hacker.tours.nix
|
||||
./staging.hackertours.hamburg.ccc.de.nix
|
||||
./staging.hamburg.ccc.de.nix
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
let
|
||||
elementWebVersion = "1.11.80";
|
||||
elementWebVersion = "1.11.84";
|
||||
element-web = pkgs.fetchzip {
|
||||
url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
|
||||
sha256 = "sha256-sudWmNehxGsbZTNirTkoWQ/Bln1DC1CI30wocw9VoH8=";
|
||||
sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4=";
|
||||
};
|
||||
elementSecurityHeaders = ''
|
||||
# Configuration best practices
|
||||
|
|
|
@ -0,0 +1,60 @@
|
|||
{ pkgs, ... }:
|
||||
|
||||
let
|
||||
domain = "staging.c3cat.de";
|
||||
dataDir = "/var/www/${domain}";
|
||||
deployUser = "c3cat-website-deploy";
|
||||
in {
|
||||
services.nginx.virtualHosts = {
|
||||
"acme-${domain}" = {
|
||||
enableACME = true;
|
||||
serverName = "${domain}";
|
||||
|
||||
listen = [
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
port = 31820;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
"${domain}" = {
|
||||
forceSSL = true;
|
||||
useACMEHost = "${domain}";
|
||||
|
||||
listen = [
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
port = 8443;
|
||||
ssl = true;
|
||||
proxyProtocol = true;
|
||||
}
|
||||
];
|
||||
|
||||
root = "${dataDir}";
|
||||
|
||||
# Disallow *, since this is staging and doesn't need to be in any search
|
||||
# results.
|
||||
locations."/robots.txt" = {
|
||||
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
|
||||
};
|
||||
|
||||
extraConfig = ''
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
|
||||
];
|
||||
|
||||
# c3cat deploy user already defined in c3cat.de.nix.
|
||||
}
|
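Review bot: The robots.txt body returned from `locations."/robots.txt"` uses `Disallow: *`, which is not the robots-exclusion syntax for "everything": a disallow value is a path prefix, the form every crawler honours is `Disallow: /`, and a bare `*` only works for parsers that implement wildcard matching, so the stated goal of keeping staging out of search results may not hold for all of them. Changing the line to `return = "200 \"User-agent: *\\nDisallow: /\\n\"";` fixes that, and the comment above it should read `Disallow /` to match. Also worth noting that this staging host reuses the production `c3cat-website-deploy` user and its key (per the trailing comment), so one credential can write both document roots; if that is intended it is fine, otherwise a separate staging deploy user and key would limit the blast radius of a leaked key.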
24
flake.lock
24
flake.lock
|
@ -38,11 +38,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1730428893,
|
||||
"narHash": "sha256-fLLUd2dO/Vnf96UDr8YPzerYi+n99l3S5yIUDnmcPBE=",
|
||||
"lastModified": 1731133565,
|
||||
"narHash": "sha256-tCErjTdCUWK06LzkcvwUM+3pyrrmdf8e0VDBBTgqznE=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "38edd08881ce4dc24056eec173b43587a93c990f",
|
||||
"rev": "11f65b4b0405cff5b54c813626bddcf5435d7ad2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -54,11 +54,11 @@
|
|||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1729973466,
|
||||
"narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
|
||||
"lastModified": 1730602179,
|
||||
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "cd3e8833d70618c4eea8df06f95b364b016d4950",
|
||||
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -70,11 +70,11 @@
|
|||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1730449684,
|
||||
"narHash": "sha256-Hlv3rTPxnO+DpKRXw9yjzERLdk05h7+fEbZxWM2taCw=",
|
||||
"lastModified": 1731265036,
|
||||
"narHash": "sha256-e5I+glVZwQvLT6WIeMFi0Mk+N/jkYauZ31ir2NRZcf8=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "ab464abbeb3a2833288c6e907488c49c2e599f88",
|
||||
"rev": "8aed22ecd71e5b67e5299efae8b9dc580dec711c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -100,11 +100,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1729999681,
|
||||
"narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=",
|
||||
"lastModified": 1731213149,
|
||||
"narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56",
|
||||
"rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|