diff --git a/config/hosts/forgejo-actions-runner/configuration.nix b/config/hosts/forgejo-actions-runner/configuration.nix index 713e795..d2a52da 100644 --- a/config/hosts/forgejo-actions-runner/configuration.nix +++ b/config/hosts/forgejo-actions-runner/configuration.nix @@ -1,10 +1,7 @@ { config, pkgs, ... }: { - networking = { - hostName = "forgejo-actions-runner"; - domain = "hosts.hamburg.ccc.de"; - }; + networking.hostName = "forgejo-actions-runner"; system.stateVersion = "23.11"; } diff --git a/config/hosts/forgejo-actions-runner/docker.nix b/config/hosts/forgejo-actions-runner/docker.nix index 043f272..b626e9f 100644 --- a/config/hosts/forgejo-actions-runner/docker.nix +++ b/config/hosts/forgejo-actions-runner/docker.nix @@ -9,8 +9,5 @@ enable = true; dates = "weekly"; }; - daemon.settings = { - ipv6 = true; - }; }; } diff --git a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix index 2efeefe..d5a93c1 100644 --- a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix +++ b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix @@ -15,9 +15,6 @@ tokenFile = "/run/secrets/forgejo_actions_runner_registration_token"; labels = [ "docker:docker://node:current-bookworm" ]; settings = { - container = { - enable_ipv6 = true; - }; cache = { proxy_port = 45540; }; @@ -38,9 +35,6 @@ "alpine-latest:docker://node:current-alpine" ]; settings = { - container = { - enable_ipv6 = true; - }; cache = { proxy_port = 45541; }; diff --git a/config/hosts/forgejo-actions-runner/networking.nix b/config/hosts/forgejo-actions-runner/networking.nix index 0c09eda..71aa47a 100644 --- a/config/hosts/forgejo-actions-runner/networking.nix +++ b/config/hosts/forgejo-actions-runner/networking.nix 
@@ -5,14 +5,14 @@ let in { networking = { interfaces.net0 = { - ipv6.addresses = [ + ipv4.addresses = [ { - address = "2a00:14b0:42:102::18"; - prefixLength = 64; + address = "172.31.17.155"; + prefixLength = 25; } ]; }; - defaultGateway6 = "2a00:14b0:42:102::1"; + defaultGateway = "172.31.17.129"; nameservers = [ "212.12.50.158" "192.76.134.90" ]; search = [ "hamburg.ccc.de" ]; }; diff --git a/config/hosts/public-web-static/configuration.nix b/config/hosts/public-web-static/configuration.nix index a8e5f29..9e2aebc 100644 --- a/config/hosts/public-web-static/configuration.nix +++ b/config/hosts/public-web-static/configuration.nix @@ -1,10 +1,7 @@ { ... }: { - networking = { - hostName = "public-web-static"; - domain = "hosts.hamburg.ccc.de"; - }; + networking.hostName = "public-web-static"; system.stateVersion = "23.05"; } diff --git a/config/hosts/public-web-static/networking.nix b/config/hosts/public-web-static/networking.nix index 2758338..cb22d40 100644 --- a/config/hosts/public-web-static/networking.nix +++ b/config/hosts/public-web-static/networking.nix @@ -3,14 +3,14 @@ { networking = { interfaces.net0 = { - ipv6.addresses = [ + ipv4.addresses = [ { - address = "2a00:14b0:42:102::17"; - prefixLength = 64; + address = "172.31.17.151"; + prefixLength = 25; } ]; }; - defaultGateway6 = "2a00:14b0:42:102::1"; + defaultGateway = "172.31.17.129"; nameservers = [ "212.12.50.158" "192.76.134.90" ]; search = [ "hamburg.ccc.de" ]; }; diff --git a/config/hosts/public-web-static/virtualHosts/branding-resources.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/branding-resources.hamburg.ccc.de.nix index edeca47..a28f77c 100644 --- a/config/hosts/public-web-static/virtualHosts/branding-resources.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/branding-resources.hamburg.ccc.de.nix @@ -14,10 +14,6 @@ in serverName = "branding-resources.hamburg.ccc.de"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; 
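Review bot: `address = "172.31.17.155"; prefixLength = 25;` with `defaultGateway = "172.31.17.129"` in forgejo-actions-runner/networking.nix puts the Actions runner in the same /25 as public-web-static, which a later hunk moves to 172.31.17.151 with the same gateway. The runner executes job containers, and the web host's vhosts listen on `0.0.0.0` with `proxyProtocol = true`. No firewall setting appears in these hunks, so it cannot be told from here whether job containers can reach those listeners without going through the proxy. If the shared segment is intentional, record the separating control next to the address, e.g. `# Shares 172.31.17.128/25 with the web backends; job-container egress is limited by FIREWALL_RULE_PLACEHOLDER.`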
@@ -30,12 +26,6 @@ in useACMEHost = "branding-resources.hamburg.ccc.de"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix index 54b7462..95f9b59 100644 --- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix +++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix @@ -16,10 +16,6 @@ in { ]; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -32,12 +28,6 @@ in { useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; @@ -71,12 +61,6 @@ in { useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/c3dog.de.nix b/config/hosts/public-web-static/virtualHosts/c3dog.de.nix index dcca75a..3589418 100644 --- a/config/hosts/public-web-static/virtualHosts/c3dog.de.nix +++ b/config/hosts/public-web-static/virtualHosts/c3dog.de.nix @@ -3,7 +3,7 @@ let domain = "c3dog.de"; dataDir = "/var/www/${domain}"; - deployUser = "c3dog-website-deploy"; + deployUser = "c3cat-website-deploy"; in { security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ]; @@ -16,10 +16,6 @@ in { ]; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -32,12 +28,6 @@ in { useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; @@ -67,12 +57,6 @@ in { useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; 
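Review bot: With `deployUser = "c3cat-website-deploy";` in c3dog.de.nix, the tmpfiles rule `d ${dataDir} 0755 ${deployUser} ${deployUser}` now gives /var/www/c3dog.de to the c3cat deploy account, and the last hunk of this file deletes the dedicated c3dog user and its key. No hunk shown here defines the c3cat-website-deploy user, so it is presumably declared in c3cat.de.nix. If so, one deploy key can write both web roots, and a compromise of the c3cat pipeline also covers c3dog.de. If the sharing is intended, say so at the binding, e.g. `# Shares the c3cat deploy account (defined in c3cat.de.nix); its key can write this web root too.`; otherwise keep a separate `c3dog-website-deploy` user.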
@@ -99,13 +83,4 @@ in { systemd.tmpfiles.rules = [ "d ${dataDir} 0755 ${deployUser} ${deployUser}" ]; - - users.users."${deployUser}" = { - isNormalUser = true; - group = "${deployUser}"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7iXsVArl4SbDczb4U3zGkZCiVO/lfn12gkOEOnKmEX deploy key for c3dog.de" - ]; - }; - users.groups."${deployUser}" = { }; } diff --git a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix index 79f6fb4..d2e779a 100644 --- a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix @@ -17,10 +17,6 @@ in serverName = "${domain}"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -34,12 +30,6 @@ in useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; @@ -91,20 +81,12 @@ in "local.ccc.de" ]; - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; locations."/".return = "302 https://cpu.ccc.de"; diff --git a/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix b/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix index 59934eb..37d95b9 100644 --- a/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix +++ b/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix @@ -16,10 +16,6 @@ in serverName = "${domain}"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -32,12 +28,6 @@ in useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; 
@@ -65,12 +55,6 @@ in useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index d1c1355..dfac565 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix +++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -13,16 +13,13 @@ ./hacker.tours.nix ./hackertours.hamburg.ccc.de.nix ./hamburg.ccc.de.nix - ./infra-docs.hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix ./staging.c3cat.de.nix - ./staging.c3dog.de.nix ./staging.cryptoparty-hamburg.de.nix ./staging.docs.c3voc.de.nix ./staging.hacker.tours.nix ./staging.hackertours.hamburg.ccc.de.nix ./staging.hamburg.ccc.de.nix - ./staging.infra-docs.hamburg.ccc.de.nix ./www.hamburg.ccc.de.nix ./diday.org.nix ./staging.diday.org.nix diff --git a/config/hosts/public-web-static/virtualHosts/diday.org.nix b/config/hosts/public-web-static/virtualHosts/diday.org.nix index d9f3b31..547c797 100644 --- a/config/hosts/public-web-static/virtualHosts/diday.org.nix +++ b/config/hosts/public-web-static/virtualHosts/diday.org.nix @@ -16,10 +16,6 @@ in serverName = "${domain}"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -32,12 +28,6 @@ in useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; @@ -46,6 +36,10 @@ in } ]; + basicAuth = { + "preview" = "liebe"; + }; + extraConfig = '' return 301 https://diday.org; ''; @@ -56,12 +50,6 @@ in useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; @@ -70,6 +58,10 @@ in } ]; + basicAuth = { + "preview" = "liebe"; + }; + root = "${dataDir}"; extraConfig = '' 
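Review bot: The `basicAuth = { "preview" = "liebe"; };` blocks added to both 8443 vhosts in diday.org.nix commit the password in clear text. The NixOS `basicAuth` option also writes it unencrypted into the Nix store, and the same literal is added in staging.diday.org.nix. Anyone who can read the repository or the store can pass the prompt, so treat this value as disclosed and rotate it. Use an htpasswd file delivered outside the store instead, e.g. `basicAuthFile = "/run/secrets/DIDAY_PREVIEW_HTPASSWD_PLACEHOLDER";`, following the `/run/secrets/...` pattern the runner's `tokenFile` uses elsewhere in this diff. On the first vhost the server-level `return 301 https://diday.org;` is likely evaluated before nginx's access phase, so the credential check there probably never runs.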
diff --git a/config/hosts/public-web-static/virtualHosts/docs.c3voc.de.nix b/config/hosts/public-web-static/virtualHosts/docs.c3voc.de.nix index 956baf4..a91edc1 100644 --- a/config/hosts/public-web-static/virtualHosts/docs.c3voc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/docs.c3voc.de.nix @@ -11,10 +11,6 @@ in { serverName = "${domain}"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -27,12 +23,6 @@ in { useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; @@ -52,8 +42,6 @@ in { # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; - - port_in_redirect off; ''; }; }; diff --git a/config/hosts/public-web-static/virtualHosts/element-admin.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element-admin.hamburg.ccc.de.nix index 8ee4336..670b191 100644 --- a/config/hosts/public-web-static/virtualHosts/element-admin.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element-admin.hamburg.ccc.de.nix @@ -1,14 +1,14 @@ { config, pkgs, ... }: let - elementAdminVersion = "0.1.11"; + elementAdminVersion = "0.1.10"; elementAdmin = pkgs.stdenv.mkDerivation (finalAttrs: { pname = "element-admin"; version = elementAdminVersion; src = pkgs.fetchzip { url = "https://github.com/element-hq/element-admin/archive/refs/tags/v${elementAdminVersion}.zip"; - sha256 = "sha256-tSUTDPspQJjvP1KN4nUr4LYyjNQFj4pKMMA8JmavIxo="; + sha256 = "sha256-dh7tmzAaTfKB9FuOVhLHpOIsTZK1qMvNq16HeObHOqI="; }; nativeBuildInputs = [ @@ -19,7 +19,7 @@ let pnpmDeps = pkgs.pnpm.fetchDeps { inherit (finalAttrs) pname version src; fetcherVersion = 2; - hash = "sha256-Hf4PWey5bczSNbc3QQ9z9X3OVUZ7VHXw7BHGQqJWPac="; + hash = "sha256-S/MdfUv6q+PaAKWYHxVY80BcpL81dOfpPVhNxEPQVE4="; }; buildPhase = '' 
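Review bot: `elementAdminVersion = "0.1.10";` moves element-admin back from 0.1.11, and element.hamburg.ccc.de.nix in this commit moves element-web from 1.12.18 to 1.12.0; neither change records why. Both are browser-facing clients, so the rollback drops whatever fixes the skipped releases shipped, security fixes included, and the diff does not show that the release notes were checked. The updated `sha256` and `hash` values keep both fetches pinned, which is good. Add a comment above each version binding, e.g. `# Pinned back to 0.1.10 because REASON_PLACEHOLDER; review upstream release notes before keeping this pin.`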
@@ -40,10 +40,6 @@ in serverName = "element-admin.hamburg.ccc.de"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -56,12 +52,6 @@ in useACMEHost = "element-admin.hamburg.ccc.de"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix index f781dc0..360fb76 100644 --- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix @@ -1,10 +1,10 @@ { pkgs, ... }: let - elementWebVersion = "1.12.18"; + elementWebVersion = "1.12.0"; element-web = pkgs.fetchzip { url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-RvPJg28hgOgFs0GFZ9EPypQkUPkAns0alXYJeNst4Bk="; + sha256 = "sha256-2kXQFUhLYyEKuXYw+n94JGlTN2VJHRpjmu78u8gdaro="; }; elementSecurityHeaders = '' # Configuration best practices @@ -24,10 +24,6 @@ in serverName = "element.hamburg.ccc.de"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -40,12 +36,6 @@ in useACMEHost = "element.hamburg.ccc.de"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix index dd6fc90..20bb644 100644 --- a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix +++ b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix @@ -12,10 +12,6 @@ in serverName = "${domain}"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; 
@@ -26,18 +22,12 @@ in "${domain}" = { forceSSL = true; useACMEHost = "${domain}"; - + locations."/shop" = { return = "302 https://tickets.hamburg.ccc.de"; }; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix index 269aa92..eeb7778 100644 --- a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix @@ -12,10 +12,6 @@ in serverName = "${domain}"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -28,12 +24,6 @@ in useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix index 8b2177c..1c967c9 100644 --- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix @@ -7,10 +7,6 @@ serverName = "hamburg.ccc.de"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -24,12 +20,6 @@ default = true; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; 
@@ -99,14 +89,6 @@ return = "302 https://cloud.hamburg.ccc.de/apps/calendar/embed/QJAdExziSnNJEz5g"; }; - # Redirects for blog post edits. - locations."/blog/2026/05/23/der-ccchh-sagt-nein-zu-olympia-in-hamburg" = { - return = "302 https://hamburg.ccc.de/blog/2026/05/31/der-ccchh-sagt-nein-zu-olympia-in-hamburg/"; - }; - locations."/blog/2026/05/23/der-ccchh-sagt-nein-zu-olympia-in-hamburg/" = { - return = "302 https://hamburg.ccc.de/blog/2026/05/31/der-ccchh-sagt-nein-zu-olympia-in-hamburg/"; - }; - extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix index bb8bd6e..2c5dd86 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix @@ -25,16 +25,10 @@ in "easterhegg2003.hamburg.ccc.de" "www.easterhegg2003.hamburg.ccc.de" ]; - listen = [ - { - addr = "[::]"; - port = 31820; - } - { - addr = "0.0.0.0"; - port = 31820; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 31820; + }]; }; "easterhegg2003.hamburg.ccc.de" = { @@ -46,20 +40,12 @@ in "www.easterhegg2003.hamburg.ccc.de" ]; - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; locations."/".return = "302 https://eh03.easterhegg.eu"; 
@@ -79,26 +65,18 @@ in forceSSL = true; useACMEHost = "eh03.easterhegg.eu"; - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; locations."/" = { index = "index.html"; root = eh03; extraConfig = '' - # Set default_type to html + # Set default_type to html default_type text/html; # Enable SSI ssi on; diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix index a6b6f80..37cb893 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix @@ -25,16 +25,10 @@ in "easterhegg2005.hamburg.ccc.de" "www.easterhegg2005.hamburg.ccc.de" ]; - listen = [ - { - addr = "[::]"; - port = 31820; - } - { - addr = "0.0.0.0"; - port = 31820; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 31820; + }]; }; "easterhegg2005.hamburg.ccc.de" = { @@ -46,20 +40,12 @@ in "www.easterhegg2005.hamburg.ccc.de" ]; - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; locations."/".return = "302 https://eh05.easterhegg.eu"; 
@@ -79,26 +65,18 @@ in forceSSL = true; useACMEHost = "eh05.easterhegg.eu"; - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; locations."/" = { index = "index.shtml"; root = eh05; extraConfig = '' - # Set default_type to html + # Set default_type to html default_type text/html; # Enable SSI ssi on; diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix index 80a404b..ebfa712 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix @@ -29,16 +29,10 @@ in "easterhegg2007.hamburg.ccc.de" "www.easterhegg2007.hamburg.ccc.de" ]; - listen = [ - { - addr = "[::]"; - port = 31820; - } - { - addr = "0.0.0.0"; - port = 31820; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 31820; + }]; }; "easterhegg2007.hamburg.ccc.de" = { @@ -52,20 +46,12 @@ in "www.easterhegg2007.hamburg.ccc.de" ]; - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; locations."/".return = "302 https://eh07.easterhegg.eu"; 
@@ -85,26 +71,18 @@ in forceSSL = true; useACMEHost = "eh07.easterhegg.eu"; - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; locations."/" = { index = "index.shtml"; root = eh07; extraConfig = '' - # Set default_type to html + # Set default_type to html default_type text/html; # Enable SSI ssi on; diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix index f2720f4..ea274af 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix @@ -29,16 +29,10 @@ in "easterhegg2009.hamburg.ccc.de" "www.easterhegg2009.hamburg.ccc.de" ]; - listen = [ - { - addr = "[::]"; - port = 31820; - } - { - addr = "0.0.0.0"; - port = 31820; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 31820; + }]; }; "easterhegg2009.hamburg.ccc.de" = { @@ -52,20 +46,12 @@ in "www.easterhegg2009.hamburg.ccc.de" ]; - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; locations."/".return = "302 https://eh09.easterhegg.eu"; 
@@ -85,26 +71,18 @@ in forceSSL = true; useACMEHost = "eh09.easterhegg.eu"; - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; locations."/" = { index = "index.shtml"; root = eh09; extraConfig = '' - # Set default_type to html + # Set default_type to html default_type text/html; # Enable SSI ssi on; diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix index e44d0f5..39d7fad 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix @@ -29,16 +29,10 @@ in "easterhegg2011.hamburg.ccc.de" "www.easterhegg2011.hamburg.ccc.de" ]; - listen = [ - { - addr = "[::]"; - port = 31820; - } - { - addr = "0.0.0.0"; - port = 31820; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 31820; + }]; }; "easterhegg2011.hamburg.ccc.de" = { @@ -52,20 +46,12 @@ in "www.easterhegg2011.hamburg.ccc.de" ]; - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; locations."/".return = "302 https://eh11.easterhegg.eu"; 
@@ -85,26 +71,18 @@ in forceSSL = true; useACMEHost = "eh11.easterhegg.eu"; - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; locations."/" = { index = "index.shtml"; root = eh11; extraConfig = '' - # Set default_type to html + # Set default_type to html default_type text/html; # Enable SSI ssi on; diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix index c72a72b..afc93c1 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix @@ -21,16 +21,10 @@ in "www.eh20.easterhegg.eu" "eh20.hamburg.ccc.de" ]; - listen = [ - { - addr = "[::]"; - port = 31820; - } - { - addr = "0.0.0.0"; - port = 31820; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 31820; + }]; }; "www.eh20.easterhegg.eu" = { @@ -40,20 +34,12 @@ in "eh20.hamburg.ccc.de" ]; - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; locations."/".return = "302 https://eh20.easterhegg.eu"; @@ -73,20 +59,12 @@ in forceSSL = true; useACMEHost = "eh20.easterhegg.eu"; - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; locations."/" = { index = "start.html"; 
diff --git a/config/hosts/public-web-static/virtualHosts/infra-docs.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/infra-docs.hamburg.ccc.de.nix deleted file mode 100644 index 5bb565d..0000000 --- a/config/hosts/public-web-static/virtualHosts/infra-docs.hamburg.ccc.de.nix +++ /dev/null @@ -1,73 +0,0 @@ -{ pkgs, ... }: - -let - domain = "infra-docs.hamburg.ccc.de"; - dataDir = "/var/www/${domain}"; - deployUser = "infra-docs-deploy"; -in { - services.nginx.virtualHosts = { - "acme-${domain}" = { - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "[::]"; - port = 31820; - } - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "${domain}" = { - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - root = "${dataDir}"; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - - port_in_redirect off; - ''; - }; - }; - - systemd.tmpfiles.rules = [ - "d ${dataDir} 0755 ${deployUser} ${deployUser}" - ]; - - users.users."${deployUser}" = { - isNormalUser = true; - group = "${deployUser}"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINfwfy9f3R/tDOiUeG5DA9oIGDDEAP270MqFG3V1P11L deploy key for infra-docs" - ]; - }; - users.groups."${deployUser}" = { }; -} diff --git a/config/hosts/public-web-static/virtualHosts/spaceapi.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/spaceapi.hamburg.ccc.de.nix index 105c0e5..7852639 100644 
--- a/config/hosts/public-web-static/virtualHosts/spaceapi.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/spaceapi.hamburg.ccc.de.nix @@ -7,10 +7,6 @@ serverName = "spaceapi.hamburg.ccc.de"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -23,12 +19,6 @@ useACMEHost = "spaceapi.hamburg.ccc.de"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix index 3f9f7a3..c91d283 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix @@ -11,10 +11,6 @@ in { serverName = "${domain}"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -27,12 +23,6 @@ in { useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/staging.c3dog.de.nix b/config/hosts/public-web-static/virtualHosts/staging.c3dog.de.nix deleted file mode 100644 index 697ac69..0000000 --- a/config/hosts/public-web-static/virtualHosts/staging.c3dog.de.nix +++ /dev/null 
@@ -1,70 +0,0 @@ -{ pkgs, ... }: - -let - domain = "staging.c3dog.de"; - dataDir = "/var/www/${domain}"; - deployUser = "c3dog-website-deploy"; -in { - services.nginx.virtualHosts = { - "acme-${domain}" = { - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "[::]"; - port = 31820; - } - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "${domain}" = { - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - root = "${dataDir}"; - - # Disallow *, since this is staging and doesn't need to be in any search - # results. - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: *\\n\""; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - }; - - systemd.tmpfiles.rules = [ - "d ${dataDir} 0755 ${deployUser} ${deployUser}" - ]; - - # c3dog deploy user already defined in c3dog.de.nix. -} diff --git a/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix b/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix index 21ef153..6733dad 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix @@ -16,10 +16,6 @@ in serverName = "${domain}"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; 
@@ -32,12 +28,6 @@ in useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; @@ -65,12 +55,6 @@ in useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix b/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix index c6afb80..b165348 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix @@ -21,12 +21,6 @@ in forceSSL = true; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; @@ -35,6 +29,10 @@ in } ]; + basicAuth = { + "preview" = "liebe"; + }; + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/config/hosts/public-web-static/virtualHosts/staging.docs.c3voc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.docs.c3voc.de.nix index b70af70..5b3d387 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.docs.c3voc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.docs.c3voc.de.nix @@ -11,10 +11,6 @@ in { serverName = "${domain}"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -27,12 +23,6 @@ in { useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; @@ -58,8 +48,6 @@ in { # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; - - port_in_redirect off; ''; }; }; 
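Review bot: The `basicAuth = { "preview" = "liebe"; };` added to the staging.diday.org vhost commits the password in cleartext, and as far as I know the NixOS nginx module renders `basicAuth` entries into an htpasswd file in the world-readable Nix store. If this is meant as real access control rather than a crawler deterrent, switch to `basicAuthFile` pointing at a secret that the nginx user can read, e.g. `basicAuthFile = config.sops.secrets."<htpasswd-secret-name>".path;` (assuming sops-nix is set up on this host), and change the password that is now in history. If it is deliberately a shared preview password, a one-line comment saying so would keep it from being mistaken for, or reused as, a secret. The vhost block starts and ends outside this hunk.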
diff --git a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix index 7e44a84..14ede9b 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix @@ -12,10 +12,6 @@ in serverName = "${domain}"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -28,12 +24,6 @@ in useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix index 0c7cd28..79ca38c 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix @@ -12,10 +12,6 @@ in serverName = "${domain}"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -28,12 +24,6 @@ in useACMEHost = "${domain}"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix index 624b632..f7e0752 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix @@ -7,10 +7,6 @@ serverName = "staging.hamburg.ccc.de"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -23,12 +19,6 @@ useACMEHost = "staging.hamburg.ccc.de"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; 
diff --git a/config/hosts/public-web-static/virtualHosts/staging.infra-docs.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.infra-docs.hamburg.ccc.de.nix deleted file mode 100644 index 7ed3d69..0000000 --- a/config/hosts/public-web-static/virtualHosts/staging.infra-docs.hamburg.ccc.de.nix +++ /dev/null @@ -1,72 +0,0 @@ -{ pkgs, ... }: - -let - domain = "staging.infra-docs.hamburg.ccc.de"; - dataDir = "/var/www/${domain}"; - deployUser = "infra-docs-deploy"; -in { - services.nginx.virtualHosts = { - "acme-${domain}" = { - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "[::]"; - port = 31820; - } - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "${domain}" = { - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - root = "${dataDir}"; - - # Disallow *, since this is staging and doesn't need to be in any search - # results. - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: *\\n\""; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - - port_in_redirect off; - ''; - }; - }; - - systemd.tmpfiles.rules = [ - "d ${dataDir} 0755 ${deployUser} ${deployUser}" - ]; - - # infra-docs deploy user already defined in infra-docs.hamburg.ccc.de.nix. -} diff --git a/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix index 4f241f1..a29fbd2 100644 
--- a/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix @@ -7,10 +7,6 @@ serverName = "www.hamburg.ccc.de"; listen = [ - { - addr = "[::]"; - port = 31820; - } { addr = "0.0.0.0"; port = 31820; @@ -23,12 +19,6 @@ useACMEHost = "www.hamburg.ccc.de"; listen = [ - { - addr = "[::]"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/woodpecker/configuration.nix b/config/hosts/woodpecker/configuration.nix new file mode 100644 index 0000000..45e228e --- /dev/null +++ b/config/hosts/woodpecker/configuration.nix @@ -0,0 +1,7 @@ +{ config, pkgs, ... }: + +{ + networking.hostName = "woodpecker"; + + system.stateVersion = "24.05"; +} diff --git a/config/hosts/woodpecker/default.nix b/config/hosts/woodpecker/default.nix new file mode 100644 index 0000000..1db0c8c --- /dev/null +++ b/config/hosts/woodpecker/default.nix @@ -0,0 +1,11 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./woodpecker-agent + ./woodpecker-server + ./configuration.nix + ./networking.nix + ./sops.nix + ]; +} diff --git a/config/hosts/woodpecker/networking.nix b/config/hosts/woodpecker/networking.nix new file mode 100644 index 0000000..3301812 --- /dev/null +++ b/config/hosts/woodpecker/networking.nix @@ -0,0 +1,22 @@ +{ ... }: + +{ + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.160"; + prefixLength = 25; + } + ]; + }; + defaultGateway = "172.31.17.129"; + nameservers = [ "212.12.50.158" "192.76.134.90" ]; + search = [ "hamburg.ccc.de" ]; + }; + + systemd.network.links."10-net0" = { + matchConfig.MACAddress = "BC:24:11:5F:A9:B7"; + linkConfig.Name = "net0"; + }; +} diff --git a/config/hosts/woodpecker/secrets.yaml b/config/hosts/woodpecker/secrets.yaml new file mode 100644 index 0000000..5fae897 --- /dev/null +++ b/config/hosts/woodpecker/secrets.yaml 
@@ -0,0 +1,149 @@ +woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str] +woodpecker_agent_environment_file: ENC[AES256_GCM,data:rwp6TYYFJ/IZH+3pGhPxjdZMLoyPMr/W1RXm4IkUGn+SmIjHZcdFZ8nEhvOfnkfrXNPc2MR+X6NXUmVOcBjSCbcBjh9sC653UpKimt9I3/Ec,iv:X9JH7dmTayw8BaEsXYil3PrykCdd+/ANGHVfEyRvc7A=,tag:/ErkX1WnruanNgTTBUT6LA==,type:str] +sops: + age: + - recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdUhjQUJIS2QvWk1Yc3pR + M1daYlRubnlsQk9tcytBNWdYMUU4bG1DVHhZCnVKK00ySDdBZFhzRXlaQ2xVaTBh + bVVVNzRraUpHSFFuRStzWFprUGRoMGcKLS0tIEVBUWh4STBIaGdTelFKcnB0TkNR + SEd1VTZQZWlkYXVKcVRPbVA1U3VWbFUKnuaPGc29kKE86nh+xEto0Jb6BQ0uH3pr + Q1QPgfiOCYGkuUewy3LlGnLTuMxHBBWAjg4zgaYPHU2F/HCS5DB5nw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArdVJNK1ljNWwrTy9qc1p1 + N1MweERxdkNXZVZITWRRdGFQRHRQeTNFTTI4CjFkSVJQMFBKY2tRWE1DeXdMOUZY + Qm5oYTU1azFzVEpYZUptcTVhRCsxL28KLS0tIEI0czljekgvQlc1SlVGSUpGb1N3 + NytOaE5nQ3E4bFhCQ1ZDU3MyM3p5cmcK3LGva0vDjitqOBqBo6jHqRBaH8T8cOim + IF8ygc0i/dbaec59ZcCMhS0n8yv0lVHO2WiUwPaKTh5hkti9LhKlaA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-22T15:55:25Z" + mac: ENC[AES256_GCM,data:UmDbmxSRj8YfCkKEelQNMJ8mzbu5aQdB9yOr9JfUh5TB9r5Z5ttZ1wgJDJqHNtsII3JGXUvbgHbsmbPikkrj4Ege1rrgr4UttN1rtgeaAKlZIlqb9pOnV4//GJL8jbxCgFp2h2O80G05nAXG54DaY//4Y5hfTyPzgyDlGQ6jlhg=,iv:5e8lpFfGAJh8lTFcY4MlZG7PgnzM0UycsU0tB2KN+zQ=,tag:4xUEHg04wjDbhc9MOItzuQ==,type:str] + pgp: + - created_at: "2026-02-17T22:22:03Z" + enc: |- + -----BEGIN PGP 
MESSAGE----- + + hQIMAz5uSgHG2iMJAQ/+NzRul1VZa2BLnjCsdUP7YErHvLsJqc/KwEFgGX8yN1Bg + VOHgm0MBYC14KtMu0Zb+Cm6ypqyaa4j+MXNVWLDTOLt1aLibashBmyPbwHNr0XwO + 6tr9qYAPixaoWFeiCtATKLUzWzQ68eDv9JHNNQvKGNjet9E1yOIxWHj6RxyV/EeZ + 50nf+7AO7cFkqRGFxrGKAYchzetajNPLtbS2htFCc3Vt9m38jusafvYdjeG+HQHe + 6INzdNqvM7vhfWJlIiTPCXGKvx0NhLg6sVvcXpq5mKbMAhja80KyUdl772L8Kr6P + ZYvmj+Ey8+GM+opGGxcaSBmgw3ZLRIZ1tks3LlRf/UiAZD5MqJoRL1DEJMtHzYnp + IqxOEiuMLAL1/TxG4KhJfT5Gs9Kf3Cnr6djhhsYg3GYXSQdhiyaBDaLpu68nEIRN + JSdA/7pCjxhvlgFl9XvPaMzQD5GZNlVapJPn1c9Ambi9cs4kB8nds+Xx4KgIN3li + 85flJnEtQWRI2DL8qJgoYJ1cXevkPVzKLFnQEHfLuozIzfPl1Wq1Sb3EQk9YZer9 + yfVHRngBBhmfNMtFy9gq8FLod0Odas3KQDAa7ndPMMx6oL5DoNeI3DpuYW4eQIZK + EbT5iHLMrTXHb2XKTHfXdjl6ttED+12GAby69jdGXjt6UVAM6b0UorWfSLLoqabS + XgG1w128eegSl4tqdYO/KDL30c9J1K8LqaJmg+9eFAi9Da/zmPAck+DlS7XUkeiX + OqZiOXLul0N2Qe/tWkpJD8F3HV+K6Xt0MSx8VsmeliicG4Rpme1Xysau+7kht3U= + =KUjN + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2026-02-17T22:22:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1ARAAxH+TtzvFlUZfD3U7BNRr9SyWVxnkR3U2zvvDG5A3I28K + fI1U1am6Z+gSvYdId38hiMPxDmDIMl2wCYCXd17q+PSycsJ1Bbzy1zaht6KcpSJb + s9jmNmf+5mazSRZ/COBy4mMq+2mam4/vu+xS85IsgxyxK9ygnCurmzMqn3lxatm0 + ICxvoLMAamA+tAfxtw+a5lEMok7pHdKndZmrKvxO7nLXM0292sJ3VHp5Uy9k487W + PznpjM1st/f/0gTu1mgb8rnUkSszw1odBeQ+xw2JvcDHE6Ow7PpCk83oTWXil6c4 + bEsrtvaFLWXN9/gssnayoMWHb/TCHKVe4AGrMevFkRdEFDRV5FRZGqzuGDP++X10 + KYyMN0/Wo/XU7Rn3+7HmKvz0qeaAI/IRTrhdXUDtQQ13/waxGrJEquwS5Xuwea6l + LlA6hwnAERSVrVkMQ60ITOD6n7lvAPA7jD/HhI3P2Xy4mDFW9ZnfnWi0xI9pRCsk + w+ZnQ1Ckacv0gJUirvsVSdUYHwvEvpFEVSsZsv5QbNsaWi5jn5XDH0eqlXQE80aO + o3vPFTNCHNixspiaIO4V8etyv6nSh7BxwDvIH4nZVxr8HmxILs0Occw9anvA81md + roF3pyb+ZFRIwcBh72VSdAm1D/n4h14lnmMj+19HEA3zvbPnZQejtGFMY1Oe2VTS + XgHMI0aRJANXczMA7LSg9vxDYvWXE2KR526oBsC1E7otCNGkxj3hhmng25K3tmIU + E2AAaAIk/RukMnydb93XGciPquCZsWlmpwlTGXCqoqiNBilvIE1lXH6rhym78ko= + =nRW4 + -----END PGP MESSAGE----- + fp: 
87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2026-02-17T22:22:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DerEtaFuTeewSAQdAPWizx2khKtlshnLwE5PRszAdTvTlsEEiWVV5xJx3PnAw + 9Gj2lZZX4F0AXoKInElg2N02FXpIo24ZZUPXGqpswfSv93NFNNK+FWwqUCRZhuCM + 0l4Blkyy4PthGwIAtXqZ8GGxjoDGBLIAE/zrY9tdNB5XAnkiy7J82kora0dphpkq + Llb1Jgh0+ZK8RQzaf5wcgWf867MhJLhv0N+qLsFVutGpqFy1W/1vaLQ5au5Ty2Tw + =460I + -----END PGP MESSAGE----- + fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 + - created_at: "2026-02-17T22:22:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ//Rzcsq0Yay/3g/MzqHI1izkSWsdycz3LE6qM4qhX4f7wZ + 4Ymzu2jbSq43IavCjGPOLIKVJ4nlnPd7rcprYNV5DOcGAkXG5x7PbnVta3SPI300 + CXnSGQB1KHUCCYZN1BkL9ZSQyTx0ex19mnsSEtZh8NB97cCZx9zMowdHKd5ySu/O + +CMFkQ6Uoh2FxBtqM1y1YbDiuDJnAlAQSKlDIVdCdMssutWRs9Nf6eiLtcmb4U5l + sNyKQnPrr3vjkaTbVdBKQjjMSa8Z/1Tf95GxNhzrUGm2APLKVYdHkMVlQwcr/ZfH + jGiZqxgBmrtNe3EypdKCDnlPvlxs8mnO5whxzDZW2NFV3piMmOmvLI/Po1ASi/t1 + PW9h05Foh2764Jfp74BkRTvhBfi465wKkON0VOckwWBkl/n7w7POfHCXdK1/AnGj + 9ywj6P4zg50vKiTMkZStq6YKXAEkVcN6YzhVVDFwDwAE1VKFCMKlmwuYT1FuKXBp + 7maF578qVyb0lXP9jaX10Y9dhC4vU2rJB3vtRhxjqeMEe/WOyhEyalrC9phPfBKS + wVKzdd3vvaNGfQSAwseFAn1upvELFwccPw1aRIqqLhzWTY2m48yyW2aEN6+7SqkR + dOBJpZDE4NxOhbQl0rllZdeLUznIgeOKM2iNg/3kM7cWcsLZRm3+l1ZuiCEy5XPS + XgHbwfJlyZYoQyKCntbdA/5VRS/5s0oPJIjuofoBZb35fIqtYPIpUeNccpklXYsO + atiSRwJeiluCFUag0uV3nq0zltOlqdS6piEVqU6xiGLAZe04jkaMBxL6VQQHYU0= + =811X + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2026-02-17T22:22:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/9EvULxQSjfO/V600iqRhsQsuuHWY5IfVN+XBCmzmeUX2a + 8qFN8L5gk3pYEoIu4khSCSeIpVyOdX1XeWMMNB15C/pAvgi7emH0y8UxAvCLfW5L + CzP3qLQsbpKUGntPlHaye/G16M/+m4QPc6Y7qwEtUThOei9haPhIU06Tb61IpfLk + AKticUro4ap3Xt/fjDH0NHZsGG33V6LprTt+8LaEcpcwZK/yOWdG4wTV4j6X8LbA + ueCmKunAr1skJrd+hVuwP2e8UkasYgo33pcupsS5jcyXJT9Kf3p/nqOJ3QGlwOtP + lf0DUifdd/QrEXWcMBu+zc9HgtUzpyU3KAoVrxo4JQLaoRlq3kwk3mOOFA0Fzd16 + 
neuJL2wp/RPuL47StHwA9HxQP+3znXkNxmt9yXGzeyeOBpK4O9qoQ9y7Rbd/FR2u + wEl5uAjhhH2xmAUnIKp5Y1UAFSLqZEaiJjjCHMHycaTpCucjEcChpaBGDAXYS1h+ + x/r6R46UgIzMvjpd2vy+C1aQg0p1Z6P65ifOkdAYIghpSkp+F6SUHHkL3w/kRRjE + dBF8YWFm/yl9P9qenakC5NsAA+bR4ZpNWpv32sYuVjIuoV20GdS7UIVQnvos8bBK + NfqoFmz4n8Eo1jLRcCJ376ow7bSEhRIJlJxdq7bFjZ/3Wtk9vt9dG6XV7wLdJwXS + XgGRxjv94TYLFowYA8/uu9fWxvf2i2lLqctjrvbZkW0Rdn2Ym5GXjg6St3Diug6r + y87PJPSN7CYE4jzCDPaSnGcBvwDHrQsLHLAmenfrAi2Jnweg/THpm9UAftoC7AY= + =Fxot + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2026-02-17T22:22:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAAnZq75P7GPcuBCBLUOVPK8w1IBxd4XzoEWW3+T80bFTZE + ZjPAvfiGcOqIfc8CPzpS1drviWiRkuEV4EKCuDmX9GReI0SUlvaoiddUA9V62f4b + akBrzqR0nNnWWvjph4/5PRAQO+xO4wQy2r9thCw4oej3QgvKtLRRRY35TkGqlS0t + ej4d80KaqGGsfIPQ5L9f+lqarrKvYx3DMK6CujN13Kot44Uom4L5TeIdPSAW14jS + 13fa/I1Irq56ME9kNctsuAkRkhrW+KchFJqkYXSS82SbXUDDNcVA7knXSzxVR+iU + NJXb8bQO4Ymi8sWPWKHW/GXUkReiTLl8MkLi+mCwL7qo5fMQcBg/KWo0hReQYCj3 + G9DZPs3xWYFcwcmrSV86LSqjMt5g8ZKjPm6ODQcZVA/ZsGlmdTkjsWNn6WRZI55m + 8kkg7BoRMq7p6b15tW4e/w2rr/bTmGQ9dV03KIpmBG6+OUzwgfB2/w2dGmB7Vor6 + JMzvt+1I/PSHsCC/7GurTurAP63x8NO/9HYX2Qg0qzsOusnTKrCoo4lX/tA5YfIt + OKr6zqy8s5Dv/lGUhofkJrhHr/QTRHFVrFtPNn4yfSzo+8uhomHGsmxBGOOiY83L + 3zwYm+9BlzO/ve7PIvs54hIHQaKsP9Ktsgq/+dM7PVlIb5qfwGNvgoS2QXFqCF/S + XgHWy41J0zTGoyEpooGkheVKvgEPvv6YIlm9oTucYP03AkKWxBr9MTNq/+JcLRvw + Zey10uVJnYPUuH2b9f8N8lNBZlkQCBq/AEu0MsygsK8bcVfQL1Qs58xh1uA7gL8= + =wduB + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2026-02-17T22:22:03Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdA4Y8j9A4ECAds0oJlP50Td1HpYIhywjXKi+pT7CTPXQ8w + 95+hUucTE8WQO/9u4HV2Y2nuyQPwmaYK0iGbNV3YxgI3Zdtf1T680hQxT4y55E1/ + 0l4B+70h9ojiHZkpVKVmFFZdY+tS/jQIFIRxqTW1AAfDf+chO3sUxbRe2qZhOXoY + b/QKU11wFpmOZmzznurOoxkqdNgGNcFm9+Ntb4ZSLSYzx7wrjzmWsaTdFd+coO1j + =V+rP + -----END PGP MESSAGE----- + fp: 
B71138A6A8964A3C3B8899857B4F70C356765BAB + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/config/hosts/woodpecker/sops.nix b/config/hosts/woodpecker/sops.nix new file mode 100644 index 0000000..b4548ed --- /dev/null +++ b/config/hosts/woodpecker/sops.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/woodpecker/woodpecker-agent/default.nix b/config/hosts/woodpecker/woodpecker-agent/default.nix new file mode 100644 index 0000000..279d2bb --- /dev/null +++ b/config/hosts/woodpecker/woodpecker-agent/default.nix @@ -0,0 +1,8 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./docker.nix + ./woodpecker-agent.nix + ]; +} diff --git a/config/hosts/woodpecker/woodpecker-agent/docker.nix b/config/hosts/woodpecker/woodpecker-agent/docker.nix new file mode 100644 index 0000000..af13f4c --- /dev/null +++ b/config/hosts/woodpecker/woodpecker-agent/docker.nix @@ -0,0 +1,12 @@ +# Sources for this configuration: +# - https://woodpecker-ci.org/docs/administration/deployment/nixos +# - https://woodpecker-ci.org/docs/administration/backends/docker +# - https://nixos.wiki/wiki/Docker + +{ config, pkgs, ... }: + +{ + virtualisation.docker = { + enable = true; + }; +} diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix new file mode 100644 index 0000000..8c6847b --- /dev/null +++ b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix 
@@ -0,0 +1,29 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/agent-config
+# - https://woodpecker-ci.org/docs/administration/backends/docker
+
+{ config, pkgs, ... }:
+
+{
+ services.woodpecker-agents.agents."docker" = {
+ enable = true;
+ package = pkgs.woodpecker-agent;
+ extraGroups = [ "docker" ];
+ environment = {
+ WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}";
+ WOODPECKER_MAX_WORKFLOWS = "4";
+ WOODPECKER_BACKEND = "docker";
+ # Set via enviornmentFile:
+ # WOODPECKER_AGENT_SECRET
+ };
+ environmentFile = [ "/run/secrets/woodpecker_agent_environment_file" ];
+ };
+
+ sops.secrets."woodpecker_agent_environment_file" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "woodpecker-agent-docker.service" ];
+ };
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/default.nix b/config/hosts/woodpecker/woodpecker-server/default.nix
new file mode 100644
index 0000000..a713746
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/default.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./nginx.nix
+ ./postgresql.nix
+ ./woodpecker-server.nix
+ ];
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/nginx.nix b/config/hosts/woodpecker/woodpecker-server/nginx.nix
new file mode 100644
index 0000000..962183c
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/nginx.nix
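Review bot: `extraGroups = [ "docker" ]` in woodpecker-agent.nix gives the agent service root-equivalent control of this VM through the Docker daemon, and the host's `default.nix` imports `./woodpecker-server` next to it, so the same machine also holds nginx, PostgreSQL and the server's Forgejo client secret. Nothing in the file records that trust boundary. I would add a comment above the line, e.g. `# docker group is root-equivalent on this host, which also runs the server and its database`, or run the agent on its own VM. Separately, `# Set via enviornmentFile:` misspells `environmentFile`.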
@@ -0,0 +1,57 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/proxy
+
+{ config, pkgs, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+
+ virtualHosts."acme-woodpecker.hamburg.ccc.de" = {
+ default = true;
+ enableACME = true;
+ serverName = "woodpecker.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ virtualHosts."woodpecker.hamburg.ccc.de" = {
+ default = true;
+ forceSSL = true;
+ useACMEHost = "woodpecker.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "http://localhost${config.services.woodpecker-server.environment.WOODPECKER_SERVER_ADDR}";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+ networking.firewall.allowedUDPPorts = [ 8443 ];
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/postgresql.nix b/config/hosts/woodpecker/woodpecker-server/postgresql.nix
new file mode 100644
index 0000000..e715650
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/postgresql.nix
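Review bot: `networking.firewall.allowedUDPPorts = [ 8443 ];` opens UDP 8443, but neither `listen` entry in nginx.nix enables QUIC/HTTP3, so nothing visible here serves UDP on that port. Drop the line unless a UDP listener is configured elsewhere. The TCP ports are also opened to every source, although the 8443 listener only trusts PROXY protocol headers from `172.31.17.140`. If the proxy is the only intended client, restricting 8443 (and 31820, if ACME traffic also arrives through it) to that address would keep other hosts on the /25 from reaching nginx directly.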
@@ -0,0 +1,18 @@
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/blob/dce84c46d780b20c064d5dfb10d0686e0584a198/nixos/modules/services/web-apps/nextcloud.nix#L1069
+
+{ config, pkgs, ... }:
+
+{
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_15;
+ ensureDatabases = [ "woodpecker-server" ];
+ ensureUsers = [
+ {
+ name = "woodpecker-server";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+}
diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
new file mode 100644
index 0000000..1836b73
--- /dev/null
+++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
@@ -0,0 +1,44 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/server-config
+# - https://woodpecker-ci.org/docs/administration/database
+# - https://woodpecker-ci.org/docs/administration/forges/forgejo
+# - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
+
+{ config, pkgs, ... }:
+
+{
+ services.woodpecker-server = {
+ enable = true;
+ package = pkgs.woodpecker-server;
+ environment = {
+ WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de";
+ WOODPECKER_SERVER_ADDR = ":8001";
+ WOODPECKER_GRPC_ADDR = ":9000";
+ WOODPECKER_ADMIN = "june";
+ WOODPECKER_OPEN = "true";
+ WOODPECKER_ORGS = "CCCHH";
+ WOODPECKER_DATABASE_DRIVER = "postgres";
+ WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
+ WOODPECKER_FORGEJO = "true";
+ WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
+ WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB
+ # Set via enviornmentFile:
+ # WOODPECKER_FORGEJO_CLIENT
+ # WOODPECKER_FORGEJO_SECRET
+ };
+ environmentFile = [ "/run/secrets/woodpecker_server_environment_file" ];
+ };
+
+ systemd.services.woodpecker-server.serviceConfig = {
+ User = "woodpecker-server";
+ Group = "woodpecker-server";
+ };
+
+ sops.secrets."woodpecker_server_environment_file" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "woodpecker-server.service" ];
+ };
+}
diff --git a/deployment_configuration.json b/deployment_configuration.json
index eddd7b0..3ae44cc 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
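Review bot: `WOODPECKER_SERVER_ADDR = ":8001"` and `WOODPECKER_GRPC_ADDR = ":9000"` bind the unproxied web port and the agent gRPC port on all interfaces, although the only consumers in this commit (nginx's `proxyPass` and the agent's `WOODPECKER_SERVER`) reach them via `localhost`. Only the host firewall keeps both ports off the network. Binding to loopback, `WOODPECKER_SERVER_ADDR = "127.0.0.1:8001";` and `WOODPECKER_GRPC_ADDR = "127.0.0.1:9000";`, removes that dependency, but nginx.nix and woodpecker-agent.nix build their URLs as `"localhost${…}"` and would then have to use the value directly. `WOODPECKER_OPEN = "true"` with `WOODPECKER_ORGS = "CCCHH"` deserves a short comment stating that self-registration by org members is intended, since the agent on this host has Docker access. `# Set via enviornmentFile:` misspells `environmentFile`.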
@@ -6,9 +6,15 @@ "matrix": { "targetHostname": "matrix-intern.hamburg.ccc.de" }, + "public-web-static": { + "targetHostname": "public-web-static-intern.hamburg.ccc.de" + }, "git": { "targetHostname": "git.hamburg.ccc.de" }, + "forgejo-actions-runner": { + "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de" + }, "woodpecker": { "targetHostname": "woodpecker-intern.hamburg.ccc.de" }, diff --git a/flake.lock b/flake.lock index b2142ed..8f672b0 100644 --- a/flake.lock +++ b/flake.lock @@ -19,11 +19,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1778430510, - "narHash": "sha256-Ti+ZBvW6yrWWAg2szExVTwCd4qOJ3KlVr1tFHfyfi8Q=", + "lastModified": 1775002709, + "narHash": "sha256-d3Yx83vSrN+2z/loBh4mJpyRqr9aAJqlke4TkpFmRJA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8fd9daa3db09ced9700431c5b7ad0e8ba199b575", + "rev": "bcd464ccd2a1a7cd09aa2f8d4ffba83b761b1d0e", "type": "github" }, "original": { @@ -35,11 +35,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1778672786, - "narHash": "sha256-Blg88K1jwG+P0Mr27+rKMFCufdrWkV3wWh9AdYtz0FQ=", + "lastModified": 1775126147, + "narHash": "sha256-J0dZU4atgcfo4QvM9D92uQ0Oe1eLTxBVXjJzdEMQpD0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "eef00dfd8a712b34af845f9350bac681b1228bd1", + "rev": "8d8c1fa5b412c223ffa47410867813290cdedfef", "type": "github" }, "original": { @@ -64,11 +64,11 @@ ] }, "locked": { - "lastModified": 1777944972, - "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=", + "lastModified": 1775188331, + "narHash": "sha256-/0BoSi0Dg0ON7IW0oscM12WSPBaMSCn36XTt0lHZoy8=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c591bf665727040c6cc5cb409079acb22dcce33c", + "rev": "8f093d0d2f08f37317778bd94db5951d6cce6c46", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index f16409b..3b28ef2 100644 --- a/flake.nix +++ b/flake.nix 
@@ -159,6 +159,17 @@ ]; }; + woodpecker = nixpkgs.lib.nixosSystem { + inherit system specialArgs; + modules = [ + self.nixosModules.common + self.nixosModules.proxmox-vm + sops-nix.nixosModules.sops + self.nixosModules.prometheus-exporter + ./config/hosts/woodpecker + ]; + }; + penpot = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [