Compare commits

..

9 commits

Author SHA1 Message Date
June d98aa099e1
license this repo under the MIT license
All previous contributors are asked to sign off on licensing this repo
under the MIT license in PR 12
(#12). Once all
contributors signed-off, this commit will be merged into the main
branch and this repo will be licensed under the MIT license.

Don't track copyright years in the license, as that is cumbersome and
also not done in other projects anymore:
https://daniel.haxx.se/blog/2023/01/08/copyright-without-years/
https://github.com/rails/rails/pull/47467

MIT License:
https://opensource.org/license/MIT
https://choosealicense.com/licenses/mit/
2024-11-14 22:56:50 +01:00
June cf46da9df7
public-web-static: make c3cat.de and www work as well as staging 2024-11-12 23:06:01 +01:00
fi c84d9e7d0a
Update element to 1.11.84 2024-11-11 02:43:08 +01:00
christian 33b2cbf5d0
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/38edd08881ce4dc24056eec173b43587a93c990f' (2024-11-01)
  → 'github:nixos/nixpkgs/11f65b4b0405cff5b54c813626bddcf5435d7ad2' (2024-11-09)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/ab464abbeb3a2833288c6e907488c49c2e599f88' (2024-11-01)
  → 'github:nixos/nixpkgs/8aed22ecd71e5b67e5299efae8b9dc580dec711c' (2024-11-10)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/1666d16426abe79af5c47b7c0efa82fd31bf4c56' (2024-10-27)
  → 'github:Mic92/sops-nix/f1675e3b0e1e663a4af49be67ecbc9e749f85eb7' (2024-11-10)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/cd3e8833d70618c4eea8df06f95b364b016d4950' (2024-10-26)
  → 'github:NixOS/nixpkgs/3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c' (2024-11-03)
2024-11-10 23:14:58 +01:00
christian afb4fc71ce
Update infrastructure-authorized-keys rev 2024-11-10 23:10:50 +01:00
christian 1fcd8c6421
fix typo and writing improvement 2024-11-10 20:18:59 +01:00
christian ff1a12846a
Add how to generate the NixOS Proxmox VE templates 2024-11-10 20:18:59 +01:00
June 2ba371f8cd
git: disable making org users auto watch new repos on creation
Also explicitly disable making users auto watch repos after their first
commit to it.
2024-11-10 19:38:05 +01:00
June c8e7bd1ccf
git: enable sending of e-mails to watchers of repositories 2024-11-10 19:26:26 +01:00
8 changed files with 146 additions and 22 deletions

View file

@ -63,6 +63,17 @@ This is exactly what we're doing to set the default deployment user to `colmena-
```
This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.
## Build NixOS Proxmox VE Template
Build a new NixOS Proxmox VE Template for the thinkcccore's:
```shell
nix build .#proxmox-nixos-template
```
Build a new NixOS Proxmox VE Template for the chaosknoten:
```shell
nix build .#proxmox-chaosknoten-nixos-template
```
## License
This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).

View file

@ -11,8 +11,8 @@
let
authorizedKeysRepo = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
rev = "b6a29dc7af0a45a8c0b4904290c7cb0c5bc51413";
hash = "sha256-c0aH0wQeJtfXJG5wAbS6aO8yILLI1NNkFAHAeOm8RXA=";
rev = "686a6af22f6696f0c0595c56f463c078550049fc";
hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=";
};
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
in

View file

@ -45,6 +45,9 @@
DEFAULT_USER_VISIBILITY = "limited";
DEFAULT_KEEP_EMAIL_PRIVATE = true;
ENABLE_BASIC_AUTHENTICATION = false;
ENABLE_NOTIFY_MAIL = true;
AUTO_WATCH_NEW_REPOS = false;
AUTO_WATCH_ON_CHANGES = false;
};
repo = {
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";

View file

@ -1,10 +1,19 @@
{ pkgs, ... }:
{
let
domain = "c3cat.de";
dataDir = "/var/www/${domain}";
deployUser = "c3cat-website-deploy";
in {
security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
services.nginx.virtualHosts = {
"acme-c3cat.de" = {
"acme-${domain}" = {
enableACME = true;
serverName = "c3cat.de";
serverName = "${domain}";
serverAliases = [
"www.${domain}"
];
listen = [
{
@ -14,9 +23,9 @@
];
};
"c3cat.de" = {
"$www.${domain}" = {
forceSSL = true;
useACMEHost = "c3cat.de";
useACMEHost = "${domain}";
listen = [
{
@ -28,7 +37,7 @@
];
locations."/" = {
return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
return = "302 https://c3cat.de$request_uri";
};
extraConfig = ''
@ -42,5 +51,45 @@
real_ip_header proxy_protocol;
'';
};
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
];
};
users.groups."${deployUser}" = { };
}

View file

@ -9,6 +9,7 @@
./hackertours.hamburg.ccc.de.nix
./hamburg.ccc.de.nix
./spaceapi.hamburg.ccc.de.nix
./staging.c3cat.de.nix
./staging.hacker.tours.nix
./staging.hackertours.hamburg.ccc.de.nix
./staging.hamburg.ccc.de.nix

View file

@ -1,10 +1,10 @@
{ pkgs, ... }:
let
elementWebVersion = "1.11.80";
elementWebVersion = "1.11.84";
element-web = pkgs.fetchzip {
url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
sha256 = "sha256-sudWmNehxGsbZTNirTkoWQ/Bln1DC1CI30wocw9VoH8=";
sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4=";
};
elementSecurityHeaders = ''
# Configuration best practices

View file

@ -0,0 +1,60 @@
{ pkgs, ... }:
let
domain = "staging.c3cat.de";
dataDir = "/var/www/${domain}";
deployUser = "c3cat-website-deploy";
in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
# c3cat deploy user already defined in c3cat.de.nix.
}

View file

@ -38,11 +38,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1730428893,
"narHash": "sha256-fLLUd2dO/Vnf96UDr8YPzerYi+n99l3S5yIUDnmcPBE=",
"lastModified": 1731133565,
"narHash": "sha256-tCErjTdCUWK06LzkcvwUM+3pyrrmdf8e0VDBBTgqznE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "38edd08881ce4dc24056eec173b43587a93c990f",
"rev": "11f65b4b0405cff5b54c813626bddcf5435d7ad2",
"type": "github"
},
"original": {
@ -54,11 +54,11 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1729973466,
"narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
"lastModified": 1730602179,
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "cd3e8833d70618c4eea8df06f95b364b016d4950",
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"type": "github"
},
"original": {
@ -70,11 +70,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1730449684,
"narHash": "sha256-Hlv3rTPxnO+DpKRXw9yjzERLdk05h7+fEbZxWM2taCw=",
"lastModified": 1731265036,
"narHash": "sha256-e5I+glVZwQvLT6WIeMFi0Mk+N/jkYauZ31ir2NRZcf8=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ab464abbeb3a2833288c6e907488c49c2e599f88",
"rev": "8aed22ecd71e5b67e5299efae8b9dc580dec711c",
"type": "github"
},
"original": {
@ -100,11 +100,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1729999681,
"narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=",
"lastModified": 1731213149,
"narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56",
"rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7",
"type": "github"
},
"original": {