Compare commits


12 commits

christian 25573d9dc8
fix typo and writing improvement 2024-10-30 21:56:02 +01:00
christian 78971c542a
Add how to generate the NixOS Proxmox VE templates 2024-10-30 21:56:02 +01:00
June 4f789adb21
hydra: configure hydra host 2024-10-30 01:44:12 +01:00
June ec64eebfd6
common: use pkgs.fetchgit and git commit hash for authorized keys repo
Do this to be in line with other places, where resources get fetched
using git and to hopefully avoid errors such as:
Cannot find Git revision 'da9d3ead9d97ce0fef7538638326264957e2f1b4' in ref 'trunk' of repository 'ssh://forgejo@git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git'! Please make sure that the rev exists on the ref you've specified or add allRefs = true; to fetchGit.
This issue was discovered while trying to make the new hydra work.
2024-10-29 23:17:31 +01:00
June fefff391b7
add hydraJobs for packages and nixosConfigurations 2024-10-29 21:30:16 +01:00
dequis 9d1521c485
spaceapid: adjustments to 3d printer state sensors
- Prefix sensor names with ext_ as the spec says we should use that for
  extensions (this also improves attribute access for tools that don't
  like fields starting with a number)
- Rename printer state to printer busy state, to make it clearer.
- Add ext_3d_printer_minutes_remaining sensors
2024-10-24 16:25:40 +02:00
June accd31173b
public-web-static: turn off ports to prevent broken redirects to 8443 2024-10-21 21:35:10 +02:00
June 8165d22159
public-web-static: prevent staging ht ccchh from search machine indexing 2024-10-21 21:30:36 +02:00
June ecdaa2d5f6
public-web-static: redirect EH20 doku.php?id=$pagename to new format
See:
CCCHH/easterhegg-eh20-website#2 (comment)
2024-10-13 22:09:20 +02:00
Stefan Bethke de2390c78d
public-web-static: redirect old hackertours 37C3 urls to proper url 2024-10-13 20:59:04 +02:00
June 2fe65b0513
public-web-static: add staging for hackertours.hamburg.ccc.de 2024-10-12 22:14:42 +02:00
June 804094aaeb
public-web-static: add hackertours.hamburg.ccc.de static web host
It can be deployed using a corresponding deploy key in the same manner
hacker.tours and hamburg.ccc.de can be deployed.
2024-10-12 20:03:04 +02:00
16 changed files with 316 additions and 8 deletions


@ -9,10 +9,10 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
authorizedKeysRepo = builtins.fetchGit { authorizedKeysRepo = pkgs.fetchgit {
url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git"; url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
ref = "trunk"; rev = "b6a29dc7af0a45a8c0b4904290c7cb0c5bc51413";
rev = "da9d3ead9d97ce0fef7538638326264957e2f1b4"; hash = "sha256-c0aH0wQeJtfXJG5wAbS6aO8yILLI1NNkFAHAeOm8RXA=";
}; };
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys")); authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
in in
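Review bot: The authorized-keys repository is now pinned by both `rev` and `hash`, so adding or rotating a key in infrastructure-authorized-keys requires editing both values here, and a stale `hash` surfaces only as a fixed-output hash mismatch at build time rather than as a clear message. A short comment above `authorizedKeysRepo` would save the next maintainer a round trip, e.g. `# To pick up new keys: set rev to the new commit and refresh hash (nix-prefetch-git, or take it from the hash-mismatch error).` The `let` block continues below the hunk.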


@ -0,0 +1,9 @@
{ ... }:
{
networking = {
hostName = "hydra";
};
system.stateVersion = "24.05";
}


@ -0,0 +1,11 @@
{ ... }:
{
imports = [
./configuration.nix
./hydra.nix
./networking.nix
./nginx.nix
./nix.nix
];
}


@ -0,0 +1,15 @@
{ ... }:
{
services.hydra = {
enable = true;
listenHost = "localhost";
port = 3000;
hydraURL = "https://hydra.hamburg.ccc.de/";
# E-Mail configuration requires some work/investigation still.
notificationSender = "no-reply@hydra.hamburg.ccc.de";
useSubstitutes = true;
minimumDiskFree = 8;
minimumDiskFreeEvaluator = 2;
};
}


@ -0,0 +1,22 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.163";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:45:7C:D6";
linkConfig.Name = "net0";
};
}


@ -0,0 +1,58 @@
{ config, pkgs, ... }:
let
domain = "hydra.hamburg.ccc.de";
in
{
services.nginx = {
enable = true;
virtualHosts = {
"acme-${domain}" = {
default = true;
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
default = true;
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://${config.services.hydra.listenHost}:${builtins.toString config.services.hydra.port}";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 8443 31820 ];
networking.firewall.allowedUDPPorts = [ 8443 ];
}
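Review bot: `networking.firewall.allowedUDPPorts = [ 8443 ]` opens a UDP port that nothing in this file listens on: the `listen` entry for 8443 has no `quic = true`, so nginx accepts only TCP there. An unused open port is not exploitable by itself, but it widens the firewall for no reason and will raise questions at the next audit; either drop that line or, if HTTP/3 is the intent, add `quic = true;` beside `ssl = true;` in the listen entry. Both virtual hosts set `default = true`, which is fine here because they listen on different ports, but a one-line comment saying so would stop someone from "fixing" it later.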


@ -0,0 +1,10 @@
{ ... }:
{
# Allow Hydra to fetch flake inputs.
nix.settings.allowed-uris = [
"github:"
"https://github.com/"
"https://git.hamburg.ccc.de/"
];
}
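Review bot: `nix.settings.allowed-uris` entries are URI prefixes, so `github:` and `https://github.com/` let restricted evaluation fetch from any GitHub repository, not only this flake's inputs; the effective pin is flake.lock, not this list. Worth stating next to the existing comment so the breadth is visibly deliberate: `# Prefix matches: any GitHub repo and any repo on git.hamburg.ccc.de; flake.lock pins what is actually fetched.`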


@ -25,13 +25,13 @@
] ]
} }
], ],
"3d_printer_state": [ "ext_3d_printer_busy_state": [
{ {
"sensor_data": { "sensor_data": {
"unit": "bool", "unit": "bool",
"location": "Loetschlauch", "location": "Loetschlauch",
"name": "mk4", "name": "mk4",
"description": "Prusa mk4 state" "description": "Prusa mk4 busy state"
}, },
"allowed_credentials": [ "allowed_credentials": [
"club-assistant" "club-assistant"
@ -42,7 +42,31 @@
"unit": "bool", "unit": "bool",
"location": "Loetschlauch", "location": "Loetschlauch",
"name": "mk3.5", "name": "mk3.5",
"description": "Prusa mk3.5 state" "description": "Prusa mk3.5 busy state"
},
"allowed_credentials": [
"club-assistant"
]
}
],
"ext_3d_printer_minutes_remaining": [
{
"sensor_data": {
"unit": "minutes_remaining",
"location": "Loetschlauch",
"name": "mk4",
"description": "Prusa mk4 minutes remaining"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "minutes_remaining",
"location": "Loetschlauch",
"name": "mk3.5",
"description": "Prusa mk3.5 minutes remaining"
}, },
"allowed_credentials": [ "allowed_credentials": [
"club-assistant" "club-assistant"


@ -6,9 +6,11 @@
./c3cat.de.nix ./c3cat.de.nix
./element.hamburg.ccc.de.nix ./element.hamburg.ccc.de.nix
./hacker.tours.nix ./hacker.tours.nix
./hackertours.hamburg.ccc.de.nix
./hamburg.ccc.de.nix ./hamburg.ccc.de.nix
./spaceapi.hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix
./staging.hacker.tours.nix ./staging.hacker.tours.nix
./staging.hackertours.hamburg.ccc.de.nix
./staging.hamburg.ccc.de.nix ./staging.hamburg.ccc.de.nix
./www.hamburg.ccc.de.nix ./www.hamburg.ccc.de.nix
./historic-easterhegg ./historic-easterhegg


@ -0,0 +1,68 @@
{ pkgs, ... }:
let
domain = "hackertours.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "ht-ccchh-website-deploy";
in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
port_in_redirect off;
rewrite ^/(de|en)/tours$ /$1/37c3 redirect;
rewrite ^/(de|en)/tours/(.*)$ /$1/37c3/$2 redirect;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxMnllgRD6W85IQ0WrVJSwr7dKM8PLNK4pmGaJRu0OR deploy key for hackertours.hamburg.ccc.de"
];
};
users.groups."${deployUser}" = { };
}
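Review bot: The deploy account is created with `isNormalUser = true`, which gives it a home directory and an interactive login shell for what the commit message describes as a deploy-key role only. If uploads go through a single tool (the hunk does not say which), the key can be constrained server-side by prefixing it with `restrict,command="<DEPLOY-COMMAND placeholder>"` so it cannot open a shell or forward ports; if a full shell really is needed, a comment saying why would help. The two `rewrite ... redirect;` lines issue 302s; if the old 37C3 URLs are gone for good, `permanent` (301) lets clients and search engines drop them.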


@ -94,6 +94,8 @@
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
error_page 404 /404.html; error_page 404 /404.html;
port_in_redirect off;
''; '';
}; };
}; };


@ -71,6 +71,11 @@ in
root = "${eh20}/wiki_siteexport"; root = "${eh20}/wiki_siteexport";
}; };
# redirect doku.php?id=$pagename to /$pagename.html
locations."/doku.php" = {
return = "301 $scheme://$host/$arg_id.html";
};
extraConfig = '' extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
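Review bot: `return = "301 $scheme://$host/$arg_id.html"` does not handle a request without an `id` parameter: `$arg_id` is then empty and the client is redirected to `/.html`, which only turns into a 404 after an extra round trip. As far as I recall NixOS emits the `return` option before `extraConfig`, so a guard cannot be ordered ahead of it through the option; putting both in `extraConfig` keeps them in rewrite-phase order: `if ($arg_id = "") { return 404; }` followed by `return 301 $scheme://$host/$arg_id.html;`. I also cannot tell from the hunk how DokuWiki namespace ids (`ns:page`) map onto the exported file tree, so confirm the `.html` target for those. The enclosing virtualHost block starts and ends outside the hunk.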


@ -0,0 +1,62 @@
{ pkgs, ... }:
let
domain = "staging.hackertours.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "ht-ccchh-website-deploy";
in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
# Hackertours CCCHH deploy user already defined in hackertours.hamburg.ccc.de.nix.
}
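Review bot: The robots.txt body uses `Disallow: *`, but the robots exclusion format takes path prefixes, so the unambiguous "nothing" rule is `Disallow: /`; `*` is only honoured by crawlers that implement wildcard extensions. robots.txt also discourages crawling but not indexing of URLs discovered elsewhere, so for a staging host `add_header X-Robots-Tag "noindex, nofollow" always;` in `extraConfig` is the stronger control. The comment on the last line notes that the deploy user is defined in hackertours.hamburg.ccc.de.nix; the tmpfiles rule here silently depends on that file staying imported, so moving the user and group into a small shared module would remove the coupling.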


@ -44,6 +44,8 @@
# Then tell the realip_module to get the addreses from the proxy protocol # Then tell the realip_module to get the addreses from the proxy protocol
# header. # header.
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
port_in_redirect off;
''; '';
}; };
}; };


@ -32,6 +32,9 @@
}, },
"penpot": { "penpot": {
"targetHostname": "penpot-intern.hamburg.ccc.de" "targetHostname": "penpot-intern.hamburg.ccc.de"
},
"hydra": {
"targetHostname": "hydra-intern.hamburg.ccc.de"
} }
} }
} }


@ -23,7 +23,7 @@
}; };
}; };
outputs = { nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }: outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
let let
system = "x86_64-linux"; system = "x86_64-linux";
# Shairport Sync 4.3.1 (with nqptp 1.2.4) with metadata, MQTT and AirPlay 2 support. # Shairport Sync 4.3.1 (with nqptp 1.2.4) with metadata, MQTT and AirPlay 2 support.
@ -254,6 +254,16 @@
./config/hosts/penpot ./config/hosts/penpot
]; ];
}; };
hydra = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
./config/common
./config/proxmox-vm
./config/extra/prometheus-exporter.nix
./config/hosts/hydra
];
};
}; };
packages.x86_64-linux = { packages.x86_64-linux = {
@ -280,5 +290,10 @@
}; };
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
hydraJobs = {
inherit (self) packages;
nixosConfigurations = builtins.mapAttrs (name: value: value.config.system.build.toplevel) self.nixosConfigurations;
};
}; };
} }
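Review bot: In `hydraJobs.nixosConfigurations` the lambda binds `name` and never uses it; `(_: value: value.config.system.build.toplevel)` states the intent. `inherit (self) packages` exposes the system-keyed `packages.x86_64-linux.*` set as nested jobs, which Hydra handles as far as I know, but a one-line comment noting that the resulting job names carry the `x86_64-linux` prefix would help whoever reads the Hydra UI. The `outputs` attrset starts outside the hunk.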