From cf46da9df7a9036a8c600701042fe390c5c842d8 Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 12 Nov 2024 23:06:01 +0100
Subject: [PATCH 1/7] public-web-static: make c3cat.de and www work as well as staging

---
 .../virtualHosts/c3cat.de.nix | 61 +++++++++++++++++--
 .../virtualHosts/default.nix | 1 +
 .../virtualHosts/staging.c3cat.de.nix | 60 ++++++++++++++++++
 3 files changed, 116 insertions(+), 6 deletions(-)
 create mode 100644 config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix

diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
index f1ad527..91d3a40 100644
--- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
@@ -1,10 +1,19 @@
 { pkgs, ... }:
 
-{
+let
+ domain = "c3cat.de";
+ dataDir = "/var/www/${domain}";
+ deployUser = "c3cat-website-deploy";
+in {
+ security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
+
 services.nginx.virtualHosts = {
- "acme-c3cat.de" = {
+ "acme-${domain}" = {
 enableACME = true;
- serverName = "c3cat.de";
+ serverName = "${domain}";
+ serverAliases = [
+ "www.${domain}"
+ ];
 
 listen = [
 {
@@ -14,9 +23,9 @@
 ];
 };
 
- "c3cat.de" = {
+ "$www.${domain}" = {
 forceSSL = true;
- useACMEHost = "c3cat.de";
+ useACMEHost = "${domain}";
 
 listen = [
 {
@@ -28,7 +37,7 @@
 ];
 
 locations."/" = {
- return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
+ return = "302 https://c3cat.de$request_uri";
 };
 
 extraConfig = ''
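Review bot: The attribute name `"$www.${domain}"` in the `@@ -14,9 +23,9 @@` hunk has a stray `$`, so the virtualHost's default serverName becomes the literal `$www.c3cat.de`; nginx does not expand variables in server_name, so that block will never match requests for www.c3cat.de, which will instead fall through to whichever 8443 vhost nginx treats as the default. Change it to `"www.${domain}" = {`. The www name is already covered by `extraDomainNames` and the ACME vhost's `serverAliases` in the first hunk, so the certificate side is consistent once the server name matches. The redirect target could likewise be written `"302 https://${domain}$request_uri"` so it follows the `domain` binding instead of repeating the host name.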
@@ -42,5 +51,45 @@
 real_ip_header proxy_protocol;
 '';
 };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
 };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ users.users."${deployUser}" = {
+ isNormalUser = true;
+ group = "${deployUser}";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
+ ];
+ };
+ users.groups."${deployUser}" = { };
 }
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index dac4fa4..c9d77ef 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -9,6 +9,7 @@
 ./hackertours.hamburg.ccc.de.nix
 ./hamburg.ccc.de.nix
 ./spaceapi.hamburg.ccc.de.nix
+ ./staging.c3cat.de.nix
 ./staging.hacker.tours.nix
 ./staging.hackertours.hamburg.ccc.de.nix
 ./staging.hamburg.ccc.de.nix
diff --git a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix
new file mode 100644
index 0000000..c91d283
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix
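Review bot: `users.users."${deployUser}"` gives the deploy key a full interactive login (`isNormalUser = true` with no shell or key-option restriction), which is more than uploading a static site into `${dataDir}` requires; if the deployment tool allows it, prefix the authorized_keys entry with `restrict,command="..."` or give the user a restricted shell, so a leaked CI key cannot be used for anything beyond the docroot. The same `c3cat-website-deploy` user is reused by staging.c3cat.de.nix in this patch, so one key writes both the production and the staging docroot; that may be intended, but it deserves a comment above `users.users`, e.g. `# Shared by c3cat.de and staging.c3cat.de: a compromise of either deploy pipeline can overwrite both docroots.`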
@@ -0,0 +1,60 @@
+{ pkgs, ... }:
+
+let
+ domain = "staging.c3cat.de";
+ dataDir = "/var/www/${domain}";
+ deployUser = "c3cat-website-deploy";
+in {
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ # Disallow *, since this is staging and doesn't need to be in any search
+ # results.
+ locations."/robots.txt" = {
+ return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ # c3cat deploy user already defined in c3cat.de.nix.
+}
From d98aa099e1d42f5e3705b860463ddea95058fd55 Mon Sep 17 00:00:00 2001
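Review bot: `Disallow: *` in the `/robots.txt` location is not the conventional block-all rule; robots.txt paths are matched as prefixes of the request path and the form every crawler understands is `Disallow: /`, whereas `*` relies on wildcard support and may be read literally by simpler parsers. Also, robots.txt is advisory only: it keeps well-behaved crawlers out of search results but is not access control, so everything under `/var/www/staging.c3cat.de` is as reachable as the production site, and if the staging content must stay private this vhost needs an allow-list or basic auth in addition. Suggested: `return = "200 \"User-agent: *\\nDisallow: /\\n\"";` and reword the comment to `# Ask crawlers to stay out: this is staging and must not appear in search results (advisory only, not access control).`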
From: June Date: Sun, 10 Nov 2024 18:14:42 +0100 Subject: [PATCH 2/7] license this repo under the MIT license All previous contributors are asked to sign off on licensing this repo under the MIT license in PR 12 (https://git.hamburg.ccc.de/CCCHH/nix-infra/pulls/12). Once all contributors signed-off, this commit will be merged into the main branch and this repo will be licensed under the MIT license. Don't track copyright years in the license, as that is cumbersome and also not done in other projects anymore: https://daniel.haxx.se/blog/2023/01/08/copyright-without-years/ https://github.com/rails/rails/pull/47467 MIT License: https://opensource.org/license/MIT https://choosealicense.com/licenses/mit/ --- LICENSE | 21 +++++++++++++++++++++ README.md | 4 ++++ 2 files changed, 25 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..37eee6c --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) CCCHH + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index bd3a29a..186f14a 100644 --- a/README.md +++ b/README.md @@ -73,3 +73,7 @@ Build a new NixOS Proxmox VE Template for the chaosknoten: ```shell nix build .#proxmox-chaosknoten-nixos-template ``` + +## License + +This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE). From c25d6c6326fec50b815ff6ab46dc185a12180d5f Mon Sep 17 00:00:00 2001 
From: c6ristian
Date: Sun, 17 Nov 2024 03:02:17 +0100
Subject: [PATCH 3/7] revert: useing pkgs.fetchGit for authorized keys

reverts the changes from ec64eebfd6c3b006b7ff5d5c3bda750cf04a5662 it brakes some of the flake process we use, setting 'allow-import-from-derivation' doesn't seem like a good fix to me and doesn't work in all cases. I couldn't find any other solution to fix it for now, so we will revert it for now, until we have a better solution.
---
 config/common/users.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/common/users.nix b/config/common/users.nix
index 026929b..400a106 100644
--- a/config/common/users.nix
+++ b/config/common/users.nix
@@ -9,10 +9,10 @@
 { config, pkgs, lib, ... }:
 
 let
- authorizedKeysRepo = pkgs.fetchgit {
- url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
+ authorizedKeysRepo = builtins.fetchGit {
+ url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git";
+ ref = "trunk";
 rev = "686a6af22f6696f0c0595c56f463c078550049fc";
- hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=";
 };
 authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in
From 7d58a3db4a4ac864aab7717ea87b0db8c3ac5adc Mon Sep 17 00:00:00 2001
From: jopejoe1
Date: Tue, 5 Nov 2024 00:02:41 +0100
Subject: [PATCH 4/7] move overlay to overlays output

---
 flake.nix | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/flake.nix b/flake.nix
index b787f78..7fd9b80 100644
--- a/flake.nix
+++ b/flake.nix
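Review bot: The `builtins.fetchGit` call in users.nix now fetches over SSH (`forgejo@git.hamburg.ccc.de:...`), so every machine that evaluates this flake — CI included — needs an SSH identity authorised on the Forgejo instance and the server's host key already trusted, and the integrity of the fetched key list is now pinned only by the git commit id in `rev` (SHA-1) rather than the sha256 NAR hash this hunk removes; neither fact is recorded next to the call, although a wrong `rev` here changes which keys may log into every host. Suggested comment above `authorizedKeysRepo`: `# Fetched over SSH: evaluation needs a key authorised for forgejo@git.hamburg.ccc.de and a trusted host key. Content is pinned by the git rev (SHA-1 only); bump it deliberately, it decides which SSH keys are installed on all hosts.` The module body after `in` continues outside the hunk.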
@@ -26,23 +26,25 @@ outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }: let system = "x86_64-linux"; - shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: { - shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: { - # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md - configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ]; - buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ]; - }); - }; pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux"; in { + overlays = { + shairportSyncAirplay2 = final: prev: { + shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: { + # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md + configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ]; + buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ]; + }); + }; + }; nixosConfigurations = { audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { inherit system; modules = [ ./config/common ./config/proxmox-vm - { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; } + { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; } ./config/hosts/audio-hauptraum-kueche ]; }; @@ -52,7 +54,7 @@ modules = [ ./config/common ./config/proxmox-vm - { nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; } + { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; } ./config/hosts/audio-hauptraum-tafel ]; }; From 6c85b91efbfc0a5e46f06b8308575507c9bba20d Mon Sep 17 00:00:00 2001 
From: jopejoe1 Date: Tue, 5 Nov 2024 22:43:53 +0100 Subject: [PATCH 5/7] make use of nixosModules output --- flake.nix | 111 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 58 insertions(+), 53 deletions(-) diff --git a/flake.nix b/flake.nix index 7fd9b80..da7b32e 100644 --- a/flake.nix +++ b/flake.nix @@ -38,12 +38,17 @@ }); }; }; + nixosModules = { + common = ./config/common; + proxmox-vm = ./config/proxmox-vm; + prometheus-exporter = ./config/extra/prometheus-exporter.nix; + }; nixosConfigurations = { audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; } ./config/hosts/audio-hauptraum-kueche ]; @@ -52,8 +57,8 @@ audio-hauptraum-tafel = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; } ./config/hosts/audio-hauptraum-tafel ]; @@ -62,8 +67,8 @@ esphome = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm ./config/hosts/esphome ]; }; @@ -71,8 +76,8 @@ public-reverse-proxy = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm ./config/hosts/public-reverse-proxy ]; }; @@ -80,10 +85,10 @@ netbox = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/netbox ]; }; 
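Review bot: `nixosModules.common` turns `./config/common` into a public, reusable flake output, but that directory is this organisation's host baseline — it contains `config/common/users.nix`, which (assuming default.nix imports it, as the path suggests) installs the CCCHH infrastructure authorized keys — so a third party importing `self.nixosModules.common` from this now MIT-licensed repo would hand those admins SSH access to their own machine. The `overlays` output added in the previous commit is genuinely reusable; `common` and `proxmox-vm` are not, and a one-line note next to them would prevent the mistake: `# common and proxmox-vm carry CCCHH-specific users, keys and network assumptions; exported for in-repo use only.` Alternatively keep those two as plain paths in `let` and export only `prometheus-exporter`.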
@@ -91,10 +96,10 @@ matrix = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/matrix ]; }; @@ -102,10 +107,10 @@ public-web-static = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/public-web-static ]; }; @@ -113,10 +118,10 @@ git = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/git ]; }; @@ -124,10 +129,10 @@ forgejo-actions-runner = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/forgejo-actions-runner ]; }; @@ -135,8 +140,8 @@ ptouch-print-server = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm ./config/hosts/ptouch-print-server ]; }; @@ -144,9 +149,9 @@ eh22-wiki = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm - ./config/extra/prometheus-exporter.nix + self.nixosModules.common + self.nixosModules.proxmox-vm + self.nixosModules.prometheus-exporter ./config/hosts/eh22-wiki ]; }; 
@@ -154,9 +159,9 @@ nix-box-june = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm - ./config/extra/prometheus-exporter.nix + self.nixosModules.common + self.nixosModules.proxmox-vm + self.nixosModules.prometheus-exporter ./config/hosts/nix-box-june ]; }; @@ -164,8 +169,8 @@ yate = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm ./config/hosts/yate ]; }; @@ -173,8 +178,8 @@ mqtt = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm ./config/hosts/mqtt ]; }; @@ -182,10 +187,10 @@ mjolnir = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/mjolnir ]; }; @@ -193,10 +198,10 @@ woodpecker = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/woodpecker ]; specialArgs = { @@ -207,8 +212,8 @@ status = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops ./config/hosts/status ]; @@ -217,10 +222,10 @@ penpot = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm sops-nix.nixosModules.sops - ./config/extra/prometheus-exporter.nix + self.nixosModules.prometheus-exporter ./config/hosts/penpot ]; }; 
@@ -228,9 +233,9 @@ hydra = nixpkgs.lib.nixosSystem { inherit system; modules = [ - ./config/common - ./config/proxmox-vm - ./config/extra/prometheus-exporter.nix + self.nixosModules.common + self.nixosModules.proxmox-vm + self.nixosModules.prometheus-exporter ./config/hosts/hydra ]; }; @@ -241,8 +246,8 @@ system = "x86_64-linux"; modules = [ ./config/nixos-generators/proxmox.nix - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm ]; format = "proxmox"; }; @@ -252,8 +257,8 @@ modules = [ ./config/nixos-generators/proxmox-chaosknoten.nix ./config/proxmox-chaosknoten-additional-initial-config.nix - ./config/common - ./config/proxmox-vm + self.nixosModules.common + self.nixosModules.proxmox-vm ]; format = "proxmox"; }; From f7ebe660fe961a4ee7944aca10cf4ca3c50cd407 Mon Sep 17 00:00:00 2001 From: jopejoe1 Date: Tue, 5 Nov 2024 22:52:02 +0100 Subject: [PATCH 6/7] format files with `nix fmt` --- config/hosts/eh22-wiki/dokuwiki.nix | 5 ++- config/hosts/mqtt/configuration.nix | 12 ++--- config/hosts/mqtt/default.nix | 12 ++--- config/hosts/mqtt/mosquitto.nix | 44 +++++++++---------- config/hosts/nix-box-june/users.nix | 2 +- .../virtualHosts/hacker.tours.nix | 3 +- .../hackertours.hamburg.ccc.de.nix | 3 +- .../historic-easterhegg/default.nix | 4 +- .../virtualHosts/historic-easterhegg/eh03.nix | 4 +- .../virtualHosts/historic-easterhegg/eh05.nix | 8 ++-- .../virtualHosts/historic-easterhegg/eh07.nix | 4 +- .../virtualHosts/historic-easterhegg/eh09.nix | 4 +- .../virtualHosts/historic-easterhegg/eh11.nix | 4 +- .../virtualHosts/staging.hacker.tours.nix | 3 +- .../staging.hackertours.hamburg.ccc.de.nix | 3 +- config/hosts/yate/service.nix | 8 ++-- 16 files changed, 64 insertions(+), 59 deletions(-) diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix index c0eafaa..f9a7cbd 100644 --- a/config/hosts/eh22-wiki/dokuwiki.nix +++ b/config/hosts/eh22-wiki/dokuwiki.nix 
@@ -21,7 +21,8 @@ let app = "dokuwiki"; domain = "eh22.easterhegg.eu"; dataDir = "/srv/www/${domain}"; -in { +in +{ systemd.tmpfiles.rules = [ "d ${dataDir} 0755 ${app} ${app}" ]; @@ -76,7 +77,7 @@ in { default = true; enableACME = true; serverName = "${domain}"; - + listen = [ { addr = "0.0.0.0"; diff --git a/config/hosts/mqtt/configuration.nix b/config/hosts/mqtt/configuration.nix index 18d0184..793807d 100644 --- a/config/hosts/mqtt/configuration.nix +++ b/config/hosts/mqtt/configuration.nix @@ -1,10 +1,10 @@ { ... }: { - networking = { - hostName = "mqtt"; - domain = "z9.ccchh.net"; - }; + networking = { + hostName = "mqtt"; + domain = "z9.ccchh.net"; + }; - system.stateVersion = "23.11"; -} \ No newline at end of file + system.stateVersion = "23.11"; +} diff --git a/config/hosts/mqtt/default.nix b/config/hosts/mqtt/default.nix index bb61c12..bc91d9f 100644 --- a/config/hosts/mqtt/default.nix +++ b/config/hosts/mqtt/default.nix @@ -1,9 +1,9 @@ { pkgs, ... }: { - imports = [ - ./configuration.nix - ./networking.nix - ./mosquitto.nix - ]; -} \ No newline at end of file + imports = [ + ./configuration.nix + ./networking.nix + ./mosquitto.nix + ]; +} diff --git a/config/hosts/mqtt/mosquitto.nix b/config/hosts/mqtt/mosquitto.nix index 672c05d..d093bd8 100644 --- a/config/hosts/mqtt/mosquitto.nix +++ b/config/hosts/mqtt/mosquitto.nix 
@@ -5,29 +5,29 @@ { ... }: { - services.mosquitto = { - enable = true; - persistence = true; + services.mosquitto = { + enable = true; + persistence = true; - # set config for all listeners - listeners = [ { - settings.allow_anonymous = true; - omitPasswordAuth = true; - acl = ["topic readwrite #"]; - } ]; + # set config for all listeners + listeners = [{ + settings.allow_anonymous = true; + omitPasswordAuth = true; + acl = [ "topic readwrite #" ]; + }]; - bridges.winkekatz = { - addresses = [ - { address = "mqtt.winkekatze24.de"; } - ]; - topics = [ - "winkekatze/allcats/eye/set in 2" - "winkekatze/allcats in 2" - "+/status out 2 winkekatze/ \"\"" - "+/connected out 2 winkekatze/ \"\"" - ]; - }; + bridges.winkekatz = { + addresses = [ + { address = "mqtt.winkekatze24.de"; } + ]; + topics = [ + "winkekatze/allcats/eye/set in 2" + "winkekatze/allcats in 2" + "+/status out 2 winkekatze/ \"\"" + "+/connected out 2 winkekatze/ \"\"" + ]; }; + }; - networking.firewall.allowedTCPPorts = [ 1883 ]; -} \ No newline at end of file + networking.firewall.allowedTCPPorts = [ 1883 ]; +} diff --git a/config/hosts/nix-box-june/users.nix b/config/hosts/nix-box-june/users.nix index 9f1b217..dfb333e 100644 --- a/config/hosts/nix-box-june/users.nix +++ b/config/hosts/nix-box-june/users.nix @@ -26,7 +26,7 @@ }; yuri = { isNormalUser = true; - openssh.authorizedKeys.keys = [ + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" ]; diff --git a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix index 7eaa086..1ee6180 100644 --- a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix +++ b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix 
@@ -4,7 +4,8 @@ let domain = "hacker.tours"; dataDir = "/var/www/${domain}"; deployUser = "hackertours-website-deploy"; -in { +in +{ services.nginx.virtualHosts = { "acme-${domain}" = { enableACME = true; diff --git a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix index 2077ca7..b0104b6 100644 --- a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix @@ -4,7 +4,8 @@ let domain = "hackertours.hamburg.ccc.de"; dataDir = "/var/www/${domain}"; deployUser = "ht-ccchh-website-deploy"; -in { +in +{ services.nginx.virtualHosts = { "acme-${domain}" = { enableACME = true; diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix index fe53d04..69d8855 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix @@ -1,4 +1,4 @@ -{...}: +{ ... }: { imports = [ @@ -9,4 +9,4 @@ ./eh11.nix ./eh20.nix ]; -} \ No newline at end of file +} diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix index 60d4f21..2c5dd86 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix @@ -6,7 +6,7 @@ let rev = "74977c56486cd060566bf06678a936e801952f9e"; hash = "sha256-ded/NO+Jex2Sa4yWAIRpqANsv8i0vKmJSkM5r9KxaVk="; }; -in +in { security.acme.certs."eh03.easterhegg.eu".extraDomainNames = [ "eh2003.hamburg.ccc.de" 
@@ -48,7 +48,7 @@ in }]; locations."/".return = "302 https://eh03.easterhegg.eu"; - + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix index 7651666..37cb893 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix @@ -48,7 +48,7 @@ in }]; locations."/".return = "302 https://eh05.easterhegg.eu"; - + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy @@ -60,7 +60,7 @@ in real_ip_header proxy_protocol; ''; }; - + "eh05.easterhegg.eu" = { forceSSL = true; useACMEHost = "eh05.easterhegg.eu"; @@ -71,7 +71,7 @@ in ssl = true; proxyProtocol = true; }]; - + locations."/" = { index = "index.shtml"; root = eh05; @@ -80,7 +80,7 @@ in default_type text/html; # Enable SSI ssi on; - ''; + ''; }; extraConfig = '' diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix index 40fe480..ebfa712 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix @@ -54,7 +54,7 @@ in }]; locations."/".return = "302 https://eh07.easterhegg.eu"; - + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy @@ -86,7 +86,7 @@ in default_type text/html; # Enable SSI ssi on; - ''; + ''; }; extraConfig = '' 
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix index f7416ed..ea274af 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix @@ -54,7 +54,7 @@ in }]; locations."/".return = "302 https://eh09.easterhegg.eu"; - + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy @@ -86,7 +86,7 @@ in default_type text/html; # Enable SSI ssi on; - ''; + ''; }; extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix index c409641..39d7fad 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix @@ -54,7 +54,7 @@ in }]; locations."/".return = "302 https://eh11.easterhegg.eu"; - + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy @@ -86,7 +86,7 @@ in default_type text/html; # Enable SSI ssi on; - ''; + ''; }; extraConfig = '' diff --git a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix index 382f1b6..14ede9b 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix @@ -4,7 +4,8 @@ let domain = "staging.hacker.tours"; dataDir = "/var/www/${domain}"; deployUser = "hackertours-website-deploy"; -in { +in +{ services.nginx.virtualHosts = { "acme-${domain}" = { enableACME = true; 
diff --git a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix index 4b71d53..79ca38c 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix @@ -4,7 +4,8 @@ let domain = "staging.hackertours.hamburg.ccc.de"; dataDir = "/var/www/${domain}"; deployUser = "ht-ccchh-website-deploy"; -in { +in +{ services.nginx.virtualHosts = { "acme-${domain}" = { enableACME = true; diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix index e426a31..e031d4d 100644 --- a/config/hosts/yate/service.nix +++ b/config/hosts/yate/service.nix @@ -6,16 +6,16 @@ description = "Yate telehony engine"; unitConfig = { Type = "simple"; - After="network.target"; + After = "network.target"; }; serviceConfig = { ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do"; - Type="simple"; - Restart="always"; + Type = "simple"; + Restart = "always"; # ... }; wantedBy = [ "default.target" ]; - requiredBy = [ "network.target" ]; + requiredBy = [ "network.target" ]; # ... }; } From e404d4740f4e2c365db07d754e34cc5c8dfd61f0 Mon Sep 17 00:00:00 2001 From: jopejoe1 Date: Tue, 5 Nov 2024 22:56:55 +0100 Subject: [PATCH 7/7] remove nixpkgs-unstable the current version of woodpecker-server in stable now has the features this was original used for, not other usages of unstable are in tree left so removing it. --- .../woodpecker-agent/woodpecker-agent.nix | 5 ++--- .../woodpecker-server/woodpecker-server.nix | 6 ++---- flake.lock | 17 ----------------- flake.nix | 7 +------ 4 files changed, 5 insertions(+), 30 deletions(-) diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix index dc89021..8c6847b 100644 
--- a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
+++ b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix
@@ -3,13 +3,12 @@
 # - https://woodpecker-ci.org/docs/administration/agent-config
 # - https://woodpecker-ci.org/docs/administration/backends/docker
 
-{ config, pkgs, pkgs-unstable, ... }:
+{ config, pkgs, ... }:
 
 {
 services.woodpecker-agents.agents."docker" = {
 enable = true;
- # Since we use woodpecker-server from unstable, use the agent from unstable as well.
- package = pkgs-unstable.woodpecker-agent;
+ package = pkgs.woodpecker-agent;
 extraGroups = [ "docker" ];
 environment = {
 WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}";
diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
index 464af13..2baafc5 100644
--- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
+++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
@@ -5,14 +5,12 @@
 # - https://woodpecker-ci.org/docs/administration/forges/forgejo
 # - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
 
-{ config, pkgs, pkgs-unstable, ... }:
+{ config, pkgs, ... }:
 
 {
 services.woodpecker-server = {
 enable = true;
- # Use package from unstable to get at least version 2.6.0 for native Forgejo support.
- # https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0
- package = pkgs-unstable.woodpecker-server;
+ package = pkgs.woodpecker-server;
 environment = {
 WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de";
 WOODPECKER_SERVER_ADDR = ":8001";
diff --git a/flake.lock b/flake.lock
index 58d521b..74a5396 100644
--- a/flake.lock
+++ b/flake.lock
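Review bot: The removed comment in woodpecker-server.nix documented why unstable was needed (woodpecker-server >= 2.6.0 for native Forgejo support), and the hunk drops that requirement without replacing it; the commit message asserts stable is new enough, but nothing in the config states or checks it, so a channel or package downgrade would silently break the Forgejo forge login. Keep the constraint as a comment above `package = pkgs.woodpecker-server;`: `# Needs woodpecker >= 2.6.0 for native Forgejo support (https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0); nixos-24.05 is assumed to ship that.` If you want it enforced, add `lib` to the module arguments and `assertions = [ { assertion = lib.versionAtLeast pkgs.woodpecker-server.version "2.6.0"; message = "woodpecker-server >= 2.6.0 required for Forgejo support"; } ];`. Agent and server are now both taken from the same `pkgs`, so the version-matching concern in the agent's removed comment is covered.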
@@ -68,27 +68,10 @@ "type": "github" } }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1731265036, - "narHash": "sha256-e5I+glVZwQvLT6WIeMFi0Mk+N/jkYauZ31ir2NRZcf8=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "8aed22ecd71e5b67e5299efae8b9dc580dec711c", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, "root": { "inputs": { "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", "sops-nix": "sops-nix" } }, diff --git a/flake.nix b/flake.nix index da7b32e..f575ac6 100644 --- a/flake.nix +++ b/flake.nix @@ -6,7 +6,6 @@ # https://nixos.org/manual/nixos/stable/#sec-upgrading # https://github.com/NixOS/nixpkgs nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; # Add nixos-generators as an input. # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake @@ -23,10 +22,9 @@ }; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }: + outputs = { self, nixpkgs, nixos-generators, sops-nix, ... }: let system = "x86_64-linux"; - pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux"; in { overlays = { @@ -204,9 +202,6 @@ self.nixosModules.prometheus-exporter ./config/hosts/woodpecker ]; - specialArgs = { - inherit pkgs-unstable; - }; }; status = nixpkgs.lib.nixosSystem {