From c249553b2e66dc4d73a596c1f8dca0f471e5df85 Mon Sep 17 00:00:00 2001
From: jopejoe1
Date: Sun, 17 Nov 2024 22:05:25 +0100
Subject: [PATCH 01/51] add woodpecker ci
---
 .woodpecker/flake-check.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 .woodpecker/flake-check.yaml
diff --git a/.woodpecker/flake-check.yaml b/.woodpecker/flake-check.yaml
new file mode 100644
index 0000000..a127e68
--- /dev/null
+++ b/.woodpecker/flake-check.yaml
@@ -0,0 +1,8 @@
+when:
+ - event: pull_request
+
+steps:
+ - name: "Run nix flake check"
+ image: docker.nix-community.org/nixpkgs/nix-flakes
+ commands:
+ - nix flake check
From c78c27862749e1ff3fe3b288330b4ab395c7be50 Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Sun, 17 Nov 2024 22:43:51 +0100
Subject: [PATCH 02/51] Set WOODPECKER_LIMIT_MEM to 6 GB for woodpecker so pipelines don't get killed by OOM.
---
 config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
index 2baafc5..1836b73 100644
--- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
+++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix
@@ -22,6 +22,7 @@
 WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
 WOODPECKER_FORGEJO = "true";
 WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
+ WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB
 # Set via enviornmentFile:
 # WOODPECKER_FORGEJO_CLIENT
 # WOODPECKER_FORGEJO_SECRET
From 44c2a6c3aa801341b97b09789fc56d7e8338975b Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Mon, 18 Nov 2024 00:36:07 +0100
Subject: [PATCH 03/51] Lets just look how its going to be with lix
---
 .woodpecker/flake-check.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
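Review bot: The step image `docker.nix-community.org/nixpkgs/nix-flakes` carries neither a tag nor a digest, so every run pulls whatever the registry serves at that moment; the same applies to `image: ghcr.io/lix-project/lix:latest` in the [PATCH 03/51] hunk of the same file. For a job that evaluates and builds this repository's flake, pin the toolchain image by digest, `image: ghcr.io/lix-project/lix@sha256:<digest-placeholder>`, so an upstream image update cannot silently change what `nix flake check` runs and the CI result stays reproducible. The `event: pull_request` trigger also means the flake under check is the one the PR author wrote; if the Woodpecker project settings allow pipelines for pull requests from forks, confirm that is intended, since `nix flake check` builds whatever derivations the PR defines on the shared agent.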
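Review bot: The inline comment `# 6GB` undersells what the value is: 6442450944 is 6 × 1024³ bytes, i.e. 6 GiB, and as far as I read the Woodpecker documentation WOODPECKER_LIMIT_MEM is a per-container memory cap rather than a reservation, so it only stops OOM kills if it replaces a lower effective limit. Suggest `WOODPECKER_LIMIT_MEM = "6442450944"; # 6 GiB, cap per pipeline container` so unit and scope are clear to the next reader. The enclosing attribute set starts and ends outside the hunk.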
diff --git a/.woodpecker/flake-check.yaml b/.woodpecker/flake-check.yaml
index a127e68..1e0989d 100644
--- a/.woodpecker/flake-check.yaml
+++ b/.woodpecker/flake-check.yaml
@@ -1,8 +1,11 @@
 when:
 - event: pull_request
+ - event: push
+ path:
+ - '.woodpecker/**'
 steps:
 - name: "Run nix flake check"
- image: docker.nix-community.org/nixpkgs/nix-flakes
+ image: ghcr.io/lix-project/lix:latest
 commands:
- - nix flake check
+ - nix --extra-experimental-features 'nix-command flakes' flake check
From 67ab856b82f90ad45a62018ad8af1482f4162ce3 Mon Sep 17 00:00:00 2001
From: June
Date: Sun, 8 Dec 2024 18:57:36 +0100
Subject: [PATCH 04/51] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'authorizedKeysRepo': 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10) → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
• Updated input 'nixos-generators': 'github:nix-community/nixos-generators/06ffce1a8d95e95c06a4bcfa117dd960b14a7101?narHash=sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8%2BErehqI%3D' (2024-11-14) → 'github:nix-community/nixos-generators/8cdaf8885c9c85d9d27b594dbe882406aadfe00e?narHash=sha256-bNXO%2BOGxrOjAxv/Lnyj84tNDicJ/FdLyLJHzOKSzYU8%3D' (2024-12-05)
• Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/e04234d263750db01c78a412690363dc2226e68a?narHash=sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg%3D' (2024-11-10) → 'github:nix-community/nixpkgs.lib/0e4fdd4a0ab733276b6d2274ff84ae353f17129e?narHash=sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8%3D' (2024-12-01)
• Updated input 'nixos-generators/nixpkgs': 'github:NixOS/nixpkgs/aebe249544837ce42588aa4b2e7972222ba12e8f?narHash=sha256-vmLS8%2Bx%2BgHRv1yzj3n%2BGTAEObwmhxmkkukB2DwtJRdU%3D' (2024-11-10) → 'github:NixOS/nixpkgs/2c15aa59df0017ca140d9ba302412298ab4bf22a?narHash=sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw%3D' (2024-12-02)
• Updated input 'nixpkgs': 'github:nixos/nixpkgs/bf6132dc791dbdff8b6894c3a85eb27ad8255682?narHash=sha256-aNc8irVBH7sM5cGDvqdOueg8S%2BfGakf0rEMRGfGwWZw%3D' (2024-11-17) →
'github:nixos/nixpkgs/65d98ad2a50103eee5f72335bf69b7bae9d92612?narHash=sha256-t9/YFvqti1dE/tqeTunf8LGgjlwS6iSE8xl5KV/zcII%3D' (2024-12-08)
• Updated input 'sops-nix': 'github:Mic92/sops-nix/472741cf3fee089241ac9ea705bb2b9e0bfa2978?narHash=sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM%3D' (2024-11-17) → 'github:Mic92/sops-nix/c6134b6fff6bda95a1ac872a2a9d5f32e3c37856?narHash=sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc%3D' (2024-12-02)
---
 flake.lock | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/flake.lock b/flake.lock
index be287b5..9037a60 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
 "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
 "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
 "type": "tarball",
- "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
+ "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
 },
 "original": {
 "type": "tarball",
@@ -16,11 +16,11 @@
 },
 "nixlib": {
 "locked": {
- "lastModified": 1731200463,
- "narHash": "sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg=",
+ "lastModified": 1733015484,
+ "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
- "rev": "e04234d263750db01c78a412690363dc2226e68a",
+ "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e",
 "type": "github"
 },
 "original": {
@@ -35,11 +35,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1731546190,
- "narHash": "sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8+ErehqI=",
+ "lastModified": 1733360821,
+ "narHash": "sha256-bNXO+OGxrOjAxv/Lnyj84tNDicJ/FdLyLJHzOKSzYU8=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "06ffce1a8d95e95c06a4bcfa117dd960b14a7101",
+ "rev": "8cdaf8885c9c85d9d27b594dbe882406aadfe00e",
 "type": "github"
 },
 "original": {
@@ -50,11 +50,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1731245184,
- "narHash": "sha256-vmLS8+x+gHRv1yzj3n+GTAEObwmhxmkkukB2DwtJRdU=",
+ "lastModified": 1733097829,
+ "narHash": "sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "aebe249544837ce42588aa4b2e7972222ba12e8f",
+ "rev": "2c15aa59df0017ca140d9ba302412298ab4bf22a",
 "type": "github"
 },
 "original": {
@@ -66,11 +66,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1731842749,
- "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
+ "lastModified": 1733647408,
+ "narHash": "sha256-t9/YFvqti1dE/tqeTunf8LGgjlwS6iSE8xl5KV/zcII=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
+ "rev": "65d98ad2a50103eee5f72335bf69b7bae9d92612",
 "type": "github"
 },
 "original": {
@@ -95,11 +95,11 @@
 ]
 },
 "locked": {
- "lastModified": 1731862312,
- "narHash": "sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM=",
+ "lastModified": 1733128155,
+ "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "472741cf3fee089241ac9ea705bb2b9e0bfa2978",
+ "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
 "type": "github"
 },
 "original": {
From a039b3febf08f37f26fa590e8e0ada1c33e26850 Mon Sep 17 00:00:00 2001
From: June
Date: Sun, 8 Dec 2024 22:21:15 +0100
Subject: [PATCH 05/51] update nixpkgs to 24.11 (small)
Also use non-lts forgejo and adjust config for 24.11.
---
 config/hosts/git/forgejo.nix | 10 ++++++++--
 flake.lock | 8 ++++----
 flake.nix | 2 +-
 3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index a57a37f..665815d 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -7,13 +7,19 @@
 # - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md
 # - https://forgejo.org/docs/latest/admin/email-setup/
-{ pkgs-unstable, ... }:
+{ pkgs, ... }:
 {
 services.forgejo = {
 enable = true;
+ package = pkgs.forgejo;
 database.type = "postgres";
- mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
+
+ secrets = {
+ mailer = {
+ PASSWD = "/run/secrets/forgejo_git_smtp_password";
+ };
+ };
 settings = {
 DEFAULT = {
diff --git a/flake.lock b/flake.lock
index 9037a60..f6666c8 100644
--- a/flake.lock
+++ b/flake.lock
@@ -66,16 +66,16 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1733647408,
- "narHash": "sha256-t9/YFvqti1dE/tqeTunf8LGgjlwS6iSE8xl5KV/zcII=",
+ "lastModified": 1733642008,
+ "narHash": "sha256-ijS1XixgnF1UW1wnsO5J7rw5li0n6SZCBQWCYSfJwXw=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "65d98ad2a50103eee5f72335bf69b7bae9d92612",
+ "rev": "5e7591e5e8c8cddc1e9c7cad01033e6c2d560cd0",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixos-24.05-small",
+ "ref": "nixos-24.11-small",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index b7b74a4..9e66803 100644
--- a/flake.nix
+++ b/flake.nix
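Review bot: `package = pkgs.forgejo;` moves the host from the LTS package to the rolling Forgejo release line without the file saying why, and the commit message only states the fact; a one-line comment such as `# Intentionally the non-LTS Forgejo release line.` keeps the next upgrade from reverting it by accident. The new `secrets.mailer.PASSWD` entry points at `/run/secrets/forgejo_git_smtp_password`, but the sops declaration for that secret is not in this hunk; as I read the module, the file is read by the forgejo service at start, so confirm its owner or group lets that user read it (the old `mailerPasswordFile` had the same requirement, so this is likely already the case). The `services.forgejo` attribute set continues past the end of the hunk.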
@@ -5,7 +5,7 @@
 # Use the NixOS small channels for nixpkgs.
 # https://nixos.org/manual/nixos/stable/#sec-upgrading
 # https://github.com/NixOS/nixpkgs
- nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small";
 # Add nixos-generators as an input.
 # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
From 8764841759382651691620c7c4ba607e02036b98 Mon Sep 17 00:00:00 2001
From: jopejoe1
Date: Mon, 9 Dec 2024 21:21:17 +0100
Subject: [PATCH 06/51] shairport-sync: use airplay2 variant instead of custome overlay
---
 flake.nix | 11 -----------
 modules/services/audio/shairport-sync.nix | 1 +
 2 files changed, 1 insertion(+), 11 deletions(-)
diff --git a/flake.nix b/flake.nix
index 9e66803..dd85023 100644
--- a/flake.nix
+++ b/flake.nix
@@ -35,15 +35,6 @@
 system = "x86_64-linux";
 in
 {
- overlays = {
- shairportSyncAirplay2 = final: prev: {
- shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
- # See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
- configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
- buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
- });
- };
- };
 nixosModules = {
 common = ./config/common;
 proxmox-vm = ./config/proxmox-vm;
@@ -55,7 +46,6 @@
 modules = [
 self.nixosModules.common
 self.nixosModules.proxmox-vm
- { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
 ./config/hosts/audio-hauptraum-kueche
 ];
 };
@@ -65,7 +55,6 @@
 modules = [
 self.nixosModules.common
 self.nixosModules.proxmox-vm
- { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
 ./config/hosts/audio-hauptraum-tafel
 ];
 };
diff --git a/modules/services/audio/shairport-sync.nix b/modules/services/audio/shairport-sync.nix
index cbc58e7..43d1285 100644
--- a/modules/services/audio/shairport-sync.nix
+++ b/modules/services/audio/shairport-sync.nix
@@ -17,6 +17,7 @@ in
 config = mkIf cfg.enable {
 services.shairport-sync = {
 enable = true;
+ package = pkgs.shairport-sync-airplay2;
 arguments = "-o pw -v";
 };
From fa9c8e7ac1edfb47979cc7722c95ebf8243ff1d1 Mon Sep 17 00:00:00 2001
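Review bot: `package = pkgs.shairport-sync-airplay2;` replaces an overlay that, besides AirPlay 2, set `enableMetadata = true`, added `--with-mqtt-client` and linked `mosquitto`; nothing in the hunk shows whether the nixpkgs `shairport-sync-airplay2` variant carries those options, so if metadata or MQTT output is used anywhere the change drops it silently. Either confirm the variant's flags and record that in a comment, e.g. `# nixpkgs' AirPlay 2 variant; the MQTT client and metadata output from the old overlay are no longer built in.`, or keep an `override` for the missing flags next to the package line. The module header with its argument list is outside the hunk, so also confirm `pkgs` is among the module's arguments.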
From: c6ristian
Date: Mon, 16 Dec 2024 22:50:00 +0100
Subject: [PATCH 07/51] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'authorizedKeysRepo': 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10) → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
• Updated input 'nixos-generators': 'github:nix-community/nixos-generators/8cdaf8885c9c85d9d27b594dbe882406aadfe00e' (2024-12-05) → 'github:nix-community/nixos-generators/a5278f7c326205681f1f42a90fa46a75a13627eb' (2024-12-16)
• Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/0e4fdd4a0ab733276b6d2274ff84ae353f17129e' (2024-12-01) → 'github:nix-community/nixpkgs.lib/538697b664a64fade8ce628d01f35d1f1fd82d77' (2024-12-15)
• Updated input 'nixos-generators/nixpkgs': 'github:NixOS/nixpkgs/2c15aa59df0017ca140d9ba302412298ab4bf22a' (2024-12-02) → 'github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2' (2024-12-13)
• Updated input 'nixpkgs': 'github:nixos/nixpkgs/5e7591e5e8c8cddc1e9c7cad01033e6c2d560cd0' (2024-12-08) → 'github:nixos/nixpkgs/eb919d9300b6a18f8583f58aef16db458fbd7bec' (2024-12-15)
• Updated input 'sops-nix': 'github:Mic92/sops-nix/c6134b6fff6bda95a1ac872a2a9d5f32e3c37856' (2024-12-02) → 'github:Mic92/sops-nix/2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004' (2024-12-12)
---
 flake.lock | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/flake.lock b/flake.lock
index f6666c8..18512ce 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
 "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
 "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
 "type": "tarball",
- "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
+ "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
 },
 "original": {
 "type": "tarball",
@@ -16,11 +16,11 @@
 },
 "nixlib": {
 "locked": {
- "lastModified": 1733015484,
- "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=",
+ "lastModified": 1734224914,
+ "narHash": "sha256-hKWALzQ/RxxXdKWsLKXULru6XTag9Cc5exgVyS4a/AE=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
- "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e",
+ "rev": "538697b664a64fade8ce628d01f35d1f1fd82d77",
 "type": "github"
 },
 "original": {
@@ -35,11 +35,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1733360821,
- "narHash": "sha256-bNXO+OGxrOjAxv/Lnyj84tNDicJ/FdLyLJHzOKSzYU8=",
+ "lastModified": 1734311693,
+ "narHash": "sha256-ODRrnbaUsOe3e4kp+uHl+iJxey5zE3kqiBqJWQxrlnY=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "8cdaf8885c9c85d9d27b594dbe882406aadfe00e",
+ "rev": "a5278f7c326205681f1f42a90fa46a75a13627eb",
 "type": "github"
 },
 "original": {
@@ -50,11 +50,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1733097829,
- "narHash": "sha256-9hbb1rqGelllb4kVUCZ307G2k3/UhmA8PPGBoyuWaSw=",
+ "lastModified": 1734126203,
+ "narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "2c15aa59df0017ca140d9ba302412298ab4bf22a",
+ "rev": "71a6392e367b08525ee710a93af2e80083b5b3e2",
 "type": "github"
 },
 "original": {
@@ -66,11 +66,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1733642008,
- "narHash": "sha256-ijS1XixgnF1UW1wnsO5J7rw5li0n6SZCBQWCYSfJwXw=",
+ "lastModified": 1734298236,
+ "narHash": "sha256-aWhhqY44xBjMoO9r5fyPp5u8tqUNWRZ/m/P+abMSs5c=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "5e7591e5e8c8cddc1e9c7cad01033e6c2d560cd0",
+ "rev": "eb919d9300b6a18f8583f58aef16db458fbd7bec",
 "type": "github"
 },
 "original": {
@@ -95,11 +95,11 @@
 ]
 },
 "locked": {
- "lastModified": 1733128155,
- "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=",
+ "lastModified": 1733965552,
+ "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856",
+ "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
 "type": "github"
 },
 "original": {
From d36ff73123b6cad8b07e5fc83cf619f1c57a7316 Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Thu, 9 Jan 2025 21:44:31 +0100
Subject: [PATCH 08/51] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixos-generators': 'github:nix-community/nixos-generators/a5278f7c326205681f1f42a90fa46a75a13627eb' (2024-12-16) → 'github:nix-community/nixos-generators/051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4' (2024-12-23)
• Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/538697b664a64fade8ce628d01f35d1f1fd82d77' (2024-12-15) → 'github:nix-community/nixpkgs.lib/0a31e8d833173ae63e43fd9dbff1ccf09c4f778c' (2024-12-22)
• Updated input 'nixos-generators/nixpkgs': 'github:NixOS/nixpkgs/71a6392e367b08525ee710a93af2e80083b5b3e2' (2024-12-13) → 'github:NixOS/nixpkgs/4989a246d7a390a859852baddb1013f825435cee' (2024-12-17)
• Updated input 'nixpkgs': 'github:nixos/nixpkgs/eb919d9300b6a18f8583f58aef16db458fbd7bec' (2024-12-15) → 'github:nixos/nixpkgs/530de2c83360057c1650fb8a37ef48cb9ad8f6a6' (2025-01-09)
• Updated input 'sops-nix': 'github:Mic92/sops-nix/2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004' (2024-12-12) → 'github:Mic92/sops-nix/c9c88f08e3ee495e888b8d7c8624a0b2519cb773' (2025-01-06)
---
 flake.lock | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/flake.lock b/flake.lock
index 18512ce..4625fa3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -16,11 +16,11 @@
 },
 "nixlib": {
 "locked": {
- "lastModified": 1734224914,
- "narHash": "sha256-hKWALzQ/RxxXdKWsLKXULru6XTag9Cc5exgVyS4a/AE=",
+ "lastModified": 1734829460,
+ "narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
- "rev": "538697b664a64fade8ce628d01f35d1f1fd82d77",
+ "rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c",
 "type": "github"
 },
 "original": {
@@ -35,11 +35,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1734311693,
- "narHash": "sha256-ODRrnbaUsOe3e4kp+uHl+iJxey5zE3kqiBqJWQxrlnY=",
+ "lastModified": 1734915500,
+ "narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "a5278f7c326205681f1f42a90fa46a75a13627eb",
+ "rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4",
 "type": "github"
 },
 "original": {
@@ -50,11 +50,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1734126203,
- "narHash": "sha256-0XovF7BYP50rTD2v4r55tR5MuBLet7q4xIz6Rgh3BBU=",
+ "lastModified": 1734435836,
+ "narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "71a6392e367b08525ee710a93af2e80083b5b3e2",
+ "rev": "4989a246d7a390a859852baddb1013f825435cee",
 "type": "github"
 },
 "original": {
@@ -66,11 +66,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1734298236,
- "narHash": "sha256-aWhhqY44xBjMoO9r5fyPp5u8tqUNWRZ/m/P+abMSs5c=",
+ "lastModified": 1736408508,
+ "narHash": "sha256-WIGZ3DPw5H+SPszUXVacK+KTh3sJZShP1vGtDwhquNM=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "eb919d9300b6a18f8583f58aef16db458fbd7bec",
+ "rev": "530de2c83360057c1650fb8a37ef48cb9ad8f6a6",
 "type": "github"
 },
 "original": {
@@ -95,11 +95,11 @@
 ]
 },
 "locked": {
- "lastModified": 1733965552,
- "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
+ "lastModified": 1736203741,
+ "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
+ "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773",
 "type": "github"
 },
 "original": {
From 5676b1a4680dbe706686f38902f5607ec33330ff Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 14 Jan 2025 20:49:14 +0100
Subject: [PATCH 09/51] netbox: configure and patch NetBox for OIDC group and role mapping
The custom pipeline code is licensed under the Creative Commons: CC BY-SA 4.0 license.
See: https://github.com/goauthentik/authentik/blob/main/LICENSE https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md https://docs.goauthentik.io/integrations/services/netbox/
---
 README.md | 3 +-
 config/hosts/netbox/netbox.nix | 21 ++++++-
 flake.nix | 8 +++
 ...oup_and_role_mapping_custom_pipeline.patch | 61 +++++++++++++++++++
 4 files changed, 91 insertions(+), 2 deletions(-)
 create mode 100644 patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch
diff --git a/README.md b/README.md
index 186f14a..def4e60 100644
--- a/README.md
+++ b/README.md
@@ -76,4 +76,5 @@ nix build .#proxmox-chaosknoten-nixos-template
 ## License
-This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
+This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
+[`0001_oidc_group_and_role_mapping_custom_pipeline.patch`](patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch) is licensed under the Creative Commons: CC BY-SA 4.0 license.
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
index e0f2df9..f816016 100644
--- a/config/hosts/netbox/netbox.nix
+++ b/config/hosts/netbox/netbox.nix
@@ -9,7 +9,8 @@
 {
 services.netbox = {
 enable = true;
- package = pkgs.netbox;
+ # Explicitly use the patched NetBox package.
+ package = pkgs.netbox_4_1;
 secretKeyFile = "/run/secrets/netbox_secret_key";
 keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
 settings = {
@@ -24,6 +25,24 @@
 SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
 SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
 SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
+ SOCIAL_AUTH_PIPELINE = [
+ # The default pipeline as can be found in:
+ # /nix/store/q2jsn56bgkj0nkz0j4w48x3klyn2x4gp-netbox-4.1.7/opt/netbox/netbox/netbox/settings.py
+ "social_core.pipeline.social_auth.social_details"
+ "social_core.pipeline.social_auth.social_uid"
+ "social_core.pipeline.social_auth.social_user"
+ "social_core.pipeline.user.get_username"
+ "social_core.pipeline.user.create_user"
+ "social_core.pipeline.social_auth.associate_user"
+ "netbox.authentication.user_default_groups_handler"
+ "social_core.pipeline.social_auth.load_extra_data"
+ "social_core.pipeline.user.user_details"
+ # Use custom pipeline functions patched in via netbox41OIDCMappingOverlay.
+ # See: https://docs.goauthentik.io/integrations/services/netbox/
+ "netbox.custom_pipeline.add_groups"
+ "netbox.custom_pipeline.remove_groups"
+ "netbox.custom_pipeline.set_roles"
+ ];
 };
 };
diff --git a/flake.nix b/flake.nix
index dd85023..fb4ed26 100644
--- a/flake.nix
+++ b/flake.nix
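Review bot: The comment above `SOCIAL_AUTH_PIPELINE` cites a concrete store path (`/nix/store/q2jsn56bgkj0nkz0j4w48x3klyn2x4gp-netbox-4.1.7/...`) that is stale after the next rebuild; point at the source location instead, e.g. `# The default pipeline from netbox/netbox/settings.py of the NetBox 4.1 release.`. The three `netbox.custom_pipeline.*` entries also deserve a comment on what they do with authority: `set_roles` grants Django superuser and staff status from IdP groups literally named `superusers` and `staff`, and `add_groups`/`remove_groups` make NetBox group membership entirely IdP-driven, so the Keycloak client's group claim must contain only groups intended for NetBox; the hunk cannot show how that claim is mapped, so confirm it on the IdP side. The `settings` attribute set starts outside the hunk.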
@@ -40,6 +40,13 @@
 proxmox-vm = ./config/proxmox-vm;
 prometheus-exporter = ./config/extra/prometheus-exporter.nix;
 };
+ overlays = {
+ netbox41OIDCMappingOverlay = final: prev: {
+ netbox_4_1 = prev.netbox_4_1.overrideAttrs (finalAttr: previousA
ttr: {
+ patches = previousAttr.patches ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ];
+ });
+ };
+ };
 nixosConfigurations = {
 audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
 inherit system specialArgs;
@@ -85,6 +92,7 @@
 sops-nix.nixosModules.sops
 self.nixosModules.prometheus-exporter
 ./config/hosts/netbox
+ { nixpkgs.overlays = [ self.overlays.netbox41OIDCMappingOverlay ]; }
 ];
 };
diff --git a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch
new file mode 100644
index 0000000..89f805a
--- /dev/null
+++ b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch
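Review bot: `patches = previousAttr.patches ++ [ ... ]` fails to evaluate if the upstream `netbox_4_1` derivation defines no `patches` attribute (I cannot see the nixpkgs side from here); `patches = (previousAttr.patches or []) ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ];` is the robust form and costs nothing. A short comment on the overlay saying that the patch adds `netbox/netbox/custom_pipeline.py` for the `SOCIAL_AUTH_PIPELINE` entries in config/hosts/netbox/netbox.nix would also tie the two halves of the change together, since nothing in flake.nix says why the package is patched. The `overlays` set is complete within the hunk; the netbox `nixosSystem` call it is applied to starts outside it.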
@@ -0,0 +1,61 @@
+diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py
+new file mode 100644
+index 000000000..470f388dc
+--- /dev/null
++++ b/netbox/netbox/custom_pipeline.py
+@@ -0,0 +1,55 @@
++# Licensed under Creative Commons: CC BY-SA 4.0 license.
++# https://github.com/goauthentik/authentik/blob/main/LICENSE
++# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
++# https://docs.goauthentik.io/integrations/services/netbox/
++from netbox.authentication import Group
++
++class AuthFailed(Exception):
++ pass
++
++def add_groups(response, user, backend, *args, **kwargs):
++ try:
++ groups = response['groups']
++ except KeyError:
++ pass
++
++ # Add all groups from oAuth token
++ for group in groups:
++ group, created = Group.objects.get_or_create(name=group)
++ user.groups.add(group)
++
++def remove_groups(response, user, backend, *args, **kwargs):
++ try:
++ groups = response['groups']
++ except KeyError:
++ # Remove all groups if no groups in oAuth token
++ user.groups.clear()
++ pass
++
++ # Get all groups of user
++ user_groups = [item.name for item in user.groups.all()]
++ # Get groups of user which are not part of oAuth token
++ delete_groups = list(set(user_groups) - set(groups))
++
++ # Delete non oAuth token groups
++ for delete_group in delete_groups:
++ group = Group.objects.get(name=delete_group)
++ user.groups.remove(group)
++
++
++def set_roles(response, user, backend, *args, **kwargs):
++ # Remove Roles temporary
++ user.is_superuser = False
++ user.is_staff = False
++ try:
++ groups = response['groups']
++ except KeyError:
++ # When no groups are set
++ # save the user without Roles
++ user.save()
++ pass
++
++ # Set roles is role (superuser or staff) is in groups
++ user.is_superuser = True if 'superusers' in groups else False
++ user.is_staff = True if 'staff' in groups else False
++ user.save()
From f5bc9024b1036fd3591e759f4bd8ee4d62e27572 Mon Sep 17 00:00:00 2001
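Review bot: In all three pipeline functions the `except KeyError:` branch ends in `pass` and then falls through to code that reads `groups`, so a token without a `groups` claim raises `UnboundLocalError` mid-login instead of leaving the user without groups or roles; the early exit has to be `return`. Concretely, in `add_groups` replace `pass` with `return`, in `remove_groups` replace the `pass` after `user.groups.clear()` with `return`, and in `set_roles` replace the `pass` after `user.save()` with `return`. Because the file is vendored from the authentik documentation, a line in the patch header noting this divergence would help whoever re-syncs it later. `set_roles` also elevates any account whose claim contains a group named exactly `superusers` or `staff`, which is worth a comment stating that those names must be reserved on the IdP side; the unused `AuthFailed` class could be dropped at the same time.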
From: June
Date: Tue, 14 Jan 2025 21:06:26 +0100
Subject: [PATCH 10/51] audio-hauptraum-*: move audio VMs to client network
Do this per request to hopefully improve mDNS discovery.
---
 config/hosts/audio-hauptraum-kueche/networking.nix | 6 +++---
 config/hosts/audio-hauptraum-tafel/networking.nix | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/config/hosts/audio-hauptraum-kueche/networking.nix b/config/hosts/audio-hauptraum-kueche/networking.nix
index 0118db4..6e1e7d8 100644
--- a/config/hosts/audio-hauptraum-kueche/networking.nix
+++ b/config/hosts/audio-hauptraum-kueche/networking.nix
@@ -5,13 +5,13 @@
 interfaces.net0 = {
 ipv4.addresses = [
 {
- address = "10.31.210.10";
+ address = "172.31.200.14";
 prefixLength = 23;
 }
 ];
 };
- defaultGateway = "10.31.210.1";
- nameservers = [ "10.31.210.1" ];
+ defaultGateway = "172.31.200.1";
+ nameservers = [ "172.31.200.1" ];
 };
 systemd.network.links."10-net0" = {
diff --git a/config/hosts/audio-hauptraum-tafel/networking.nix b/config/hosts/audio-hauptraum-tafel/networking.nix
index 37185b7..e357d38 100644
--- a/config/hosts/audio-hauptraum-tafel/networking.nix
+++ b/config/hosts/audio-hauptraum-tafel/networking.nix
@@ -5,13 +5,13 @@
 interfaces.net0 = {
 ipv4.addresses = [
 {
- address = "10.31.210.13";
+ address = "172.31.200.15";
 prefixLength = 23;
 }
 ];
 };
- defaultGateway = "10.31.210.1";
- nameservers = [ "10.31.210.1" ];
+ defaultGateway = "172.31.200.1";
+ nameservers = [ "172.31.200.1" ];
 };
 systemd.network.links."10-net0" = {
From d55438f104683955be6f81e9a521a32347c48b5a Mon Sep 17 00:00:00 2001
From: June
Date: Sun, 19 Jan 2025 20:28:05 +0100
Subject: [PATCH 11/51] public-web-static: remove irc from spaceapi response as it's deprecated
---
 .../hosts/public-web-static/spaceapid-config/ccchh-response.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
index 9a5793e..b49b2da 100644
--- a/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
+++ b/config/hosts/public-web-static/spaceapid-config/ccchh-response.json
@@ -14,7 +14,6 @@
 },
 "contact": {
 "phone": "+49 40 23830150",
- "irc": "ircs://irc.hackint.org:6697/#ccchh",
 "mastodon": "@ccchh@chaos.social",
 "email": "mail@hamburg.ccc.de",
 "ml": "talk@hamburg.ccc.de",
From 2904ebee158b1c3f447dea79417f2635dbd5a4e5 Mon Sep 17 00:00:00 2001
From: echtnurich
Date: Sat, 8 Jun 2024 22:18:23 +0200
Subject: [PATCH 12/51] add yate service for autostart introduce /etc/yate, clone/reset on service start Fix config via git make yate systemd service create yate service user recreate the full config everytime decolour the log because of blob data make sure source is available before deleting config change yate-config repo fix yate deploy key fix yate-config not pulling
---
 .sops.yaml | 17 ++
 config/hosts/yate/configuration.nix | 2 +
 config/hosts/yate/default.nix | 1 +
 config/hosts/yate/secrets.yaml | 233 ++++++++++++++++++++++++++++
 config/hosts/yate/service.nix | 39 ++++-
 config/hosts/yate/sops.nix | 7 +
 config/hosts/yate/yate.nix | 15 ++
 flake.nix | 1 +
 8 files changed, 309 insertions(+), 6 deletions(-)
 create mode 100644 config/hosts/yate/secrets.yaml
 create mode 100644 config/hosts/yate/sops.nix
diff --git a/.sops.yaml b/.sops.yaml
index ec660ec..dedf3c1 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -15,6 +15,7 @@ keys:
 - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
 - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
 - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
+ - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
 - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
 - &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
 - &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
@@ -147,6 +148,22 @@ creation_rules:
 - *admin_gpg_dante
 age:
 - *host_age_penpot
+ - path_regex: config/hosts/yate/.*
+ key_groups:
+ - pgp:
+ - *admin_gpg_djerun
+ - *admin_gpg_stb
+ - *admin_gpg_jtbx
+ - *admin_gpg_yuri
+ - *admin_gpg_june
+ - *admin_gpg_haegar
+ - *admin_gpg_dario
+ - *admin_gpg_echtnurich
+ - *admin_gpg_max
+ - *admin_gpg_c6ristian
+ - *admin_gpg_dante
+ age:
+ - *host_age_yate
 - key_groups:
 - pgp:
 - *admin_gpg_djerun
diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix
index 6b4bb71..f350966 100644
--- a/config/hosts/yate/configuration.nix
+++ b/config/hosts/yate/configuration.nix
@@ -6,5 +6,7 @@
 domain = "z9.ccchh.net";
 };
+# users.users.chaos.password = "yes";
+
 system.stateVersion = "23.11";
 }
diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix
index 5304abd..009e1a1 100644
--- a/config/hosts/yate/default.nix
+++ b/config/hosts/yate/default.nix
@@ -6,5 +6,6 @@
 ./networking.nix
 ./yate.nix
 ./service.nix
+ ./sops.nix
 ];
 }
diff --git a/config/hosts/yate/secrets.yaml b/config/hosts/yate/secrets.yaml
new file mode 100644
index 0000000..6235c17
--- /dev/null
+++ b/config/hosts/yate/secrets.yaml
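Review bot: The added `# users.users.chaos.password = "yes";` in config/hosts/yate/configuration.nix is a commented-out debugging credential: even disabled it records a trivial plaintext password that is one uncomment away from being live, and it has no place in a committed host configuration. Drop that line and the blank line added after it; if a console login is needed for debugging, use `users.users.chaos.hashedPasswordFile` pointing at a sops-managed secret, the same mechanism this commit already uses for `git_clone_key`. The squashed commit message ("fix yate deploy key", "fix yate-config not pulling") suggests the key is used for cloning only; the service.nix hunk that uses it is outside this view, so confirm the deploy key is registered read-only on the yate-config repository.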
@@ -0,0 +1,233 @@ +git_clone_key: ENC[AES256_GCM,data:Wss8NtyYXOmQ8fYbqKfbGQ+5l+ifNznis9OJ4p2HRPsExOFvgHH60t+D/gsOPTiwL0fEQKQn008Zo7VpIEhKIQM0fW3cd3ED3Tk8QX4hDRxyLl/lql5MlhTm4UMY58rNMBXgA88oR1lozgAa39KMH0MRUoSzrhvecwnAHO+RjZGXBN5zYIorqBVEk5h+1wUGSlV1TroZX9u0cWt11eH59AgKY/oP5mOrgA++E623Oc/DnTxlLbR//lFHW1JPiBSUFMP1ck6fg4PwnADYITgr1B1zdJz1J6jNC+n6S9bKDPnH5bvqmpvJIRmimxR4/R182RkIC+TBhD850cD1y9KSZa0Lh3DZ3LPrqGtZ6MHvpCgY/wPiTUANv6CJPcOAoskaaW57EiFl0ev3Jc3A+XFM6yqQOmmvNXx0hYz6ltlvtsltOcmz5TWooijwTaPS5UEwltYalrT9RNmC/ODkBRkSvuLEBWYwnu8aeo2f/+IxciG0PldDJED2ud6HSkDEXHcPCwodScpnk032Jrc+0qtI,iv:tCo4f5u/y/ZrAfT1N+eUNLy5pKAg/U0xa3cNQmzUgFs=,tag:03HK65hWjYnVzz+7C+HmsA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rmg0UXBXcWcyRTV6ZGlP + TDY1RFBVaTlVQnJVV3NnU1ZTeEJzb2xsZXdJCnVFSGF0UjQ1OUpxcVNVb2F4K3Uw + KzZRYWtTaTJFd29zcmJENTRLMmZsUVkKLS0tIEdGaHRaOWFyeTMzSit4WFh1UGVS + bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1 + xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-08T18:35:07Z" + mac: ENC[AES256_GCM,data:tyrfhBaTKnp1lqSPfkErk1UFoI7v/1az+zl9g3XoZ5Apo3CRixdLUldM9sYXqQT5WNrgO2NyZHqvyQOnFZiJuNhlYFSQbgwFFm3gz45BV8Do7QAhAG7+Q6q/Gz9VAqePQJlmzbfeL5iqJC2jhrcGIutO2cI22QULLkBzVVDg1/w=,iv:ayLonGC1F3vp6bh4pcAps6BvMzrG/yT2rPGAcUQ1Geg=,tag:1fIaRIFrzDTSP+oIUHABgQ==,type:str] + pgp: + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ/8Dx0hTc0zZkd9+RXuKOXU8ZkKF54lcxfDTMH0rD2bKPhg + do/+I4VOSJxfyTvzFNjVXywSCEsws2+RyS73jF4048o4DrNQNG4P70GqXAqjDbQL + r+WCKT0if85JYPo/ho8nSRumo44BlbN2+Ftc5Z90UshW63VPU4Xm1Woqm8TOvs/0 + cyhsigShwJGymnIEY4PwdT6fd/gkVVaoC9nCrkkSbaQZa1rXHud8+jLK+4TXebKl + Qk2G2cVivWBioT4wGjhZvQ6lLK4mlaqxiZF3aRYcUs1Hwgq1ZolbgiGPWG4xisFa + 
JgsqYRnmGnTM/33l57Cy8CpVHfprrapUXh2X2Ly/pBRQn+ns2zk1wkpTUHbwmyQi + ETLvw68PXbayoDNunMqZl2RWPjPnotNVeG5i2s+pwaEoDKAWcud2NPUWFb+gyftk + YNxMdp1CpXXOHpU4Ty+HHXAU/uLVVzLT91RLJAn+Y6rRyevg4UBSB/Y+lc5IMTfa + QPPLRPV6/P4LIWDlOdg/S3Q7ZwryNAogU/Hyuuz2xyS8LK7S7M0+BgVBrOkowazy + aGemt/BmQkyPQDpJTPxtdzsK1vvplol7uJnNou1h0krrgHlAzb++3i8+V4Z18dBg + GSeWIdSm+OD1HPDyD1054wEUAgPfRh0TZma+vDirH4RDH0tMubRGOLl17nV+/v7U + ZgEJAhCYgHEjsPDIpUoHopF1vkhxmhv6YqILLzDftbbmDQUqncs/mgnFCJPNnKVJ + ldwNj2kuAd2L5VRI0E9k0ZVzg/Aqb8B2wSTiJmQGWI3b0tNfGuC65fe7p8ceJ5vZ + et8Y1DEjVg== + =u7aP + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2ARAAsrHbA58mnccH/oWDgoEqwJx+ZkeSWo6Arc0nMhU/Qh+9 + Nl/pKdKm3LsIwkKTRVGDxI4vFRo42LFZE47nyfa70G7GiM1uJnEOx6vLTN0HpL6S + YQi8Dbb/+WA7QnGDfaEiozGQzsPMAgSVAE3A0rlcLBqQwiGsfhHr1RwEggfXqMG4 + twxWIbKI/8T088b1IFs7fOKxzEB6na7+HoNaG22jlvRY0irMfgti8xeflWmZIKf2 + uY6gM2rCOtCSi8vZEhJiXb5SG1NbyMmVHsz0ZXHwwGsiDACFqISqfR921B0Cuftx + Nj2pIwKbGyOOsFjlbC3ZGUMplLzYpRMx8LetLMrksWSpzypWdeI166gjF4MncUlQ + gl5hM7gL/+6k86yxIqTeexVoU24NRcsYCnQKZAK5T2fxQxX0BXppWxju6Jq1erRU + JZsggrbxELMJfcyrDC1cH/zgAM1kqOi32ZaGiO3U1WA5fxhJPUy5kxoQXSISL7Ng + mrnnMKIWK7eClQb47a/lYWEIqw1UjJhCPmKVHlcSmiH8FATfr5KjHeFlK8Zou5Ji + yMbVS7s2P9MeEzdnNC8PSFwjM9K7qXuWJYvDQtUracfxgO3X0r7Z+5g62WmLVDcp + E26DzDyTrU6Vf6WANOg/V7C7paOasnpcaU62/C65BBtGH23mgEfkJSkBYJWCea7S + XAHLeksa73OaeO28kTspM4G/Nlh65lr2p92gmcpbqkARvw8dIOUrAqPMRjJHabZq + vLbFx/uqXDPfALVXNWKGZp3vObGPLImQ1EfjVCYzOlkXXnfVdE+ih9+HIYhX + =advR + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJAQ//c9NMv/m/qGaJR+2jeu5VAbPwqIfBbrAEiV2s6TlzJRLz + 7yEo9l/wh2WV+1Ew9dM5Pe8cgezjNaXgCeV8EEMu6dzOb1N++3TQJ7ET10DaOVec + ofEwDUYj8UHmV0VmhOPWLpceAod5wk4Xm4rlJTFjQ6TKN8U0dBoGS1cxHWwWw8oa + 
RebdNmpfSgkj0ohbeD9owxQ7JhqGlOPo1JCz7YI6c6bwQ1wuOC/XqnJt4F5ny8ty + y/qj1m9KrL5nRRc06qxNtmYODMuS+OeScfcI4grX7wMTUrqaFkCVHcboi5ZD6DzE + L49PT51/KK/lOlgKjSDfGgRRj9a9UO+7IXnMG0/5kDzRRBJDBzZH/5rujP8ffz+8 + glxGBiBhsLroHbwn3a4BlDHpnuqCKa/7CmSyfGCNPp0TuMPvCVWf6muXA86wo5fQ + B/qKjvJV15qWJXdKDYyWJAg2B78/dROYbX142R9wPitP8zyj8b3jrzIcoIViAvkl + L3ZnnhqZxzkKcfc2rBsdadBEquz9+oGj6rKARyhFkT92in6zZO19fBZqTH5y/QYl + o0bDAbdQKJf36Eqh8G102z2x/Keo7gK/PWwwOi5YrFlgDVk4oBqAHWRgBiEvjSaO + Z7Ork1eeBUuZLAofzMoNNDaZS0KBfEgE3gczGpcRjjIwTDSIXM8NVtz7aXwZjUTS + XAG89qkxjGjlnJcRrE6izhiNbepWaOYYWb57VB5jL0TciQJHR7nbOGQh0T+tNKcb + fKyxZOL8IdGpoqxsRCuaPE5cEwc17XKuu53CfZo9t6hjh8SwRKWGnk7dkYhy + =vqhH + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1ARAArape3cqNbLeWh0YdcG9fBcuzyrTGntyD6ccl9Wwc4aTd + +uNMhCl7758tETPPK4qneAYNSnbnFQcgKj0ATkVMhMuT58g15GMEyXvhUsIukpQ7 + Ca5t+aVh1fmb1pvcWPd4MUUQzt8KKN99+0KfyWzvdsb2jUBKICG3TQvTWXT93+g4 + LjG6TCW+wv06nTquaCEaR4IdEPJRfZEspUXDhi2Wr/AjXIlvfN/yhs2AyTjde5un + kha2iy85o2NikCYoIaqFvFaEDOGjdcT4g/jaErxXn8sSxOQo9aV/r5Ksm/mXyEI2 + cSrbMfBXwrlrHNZ5VCbYZLbNjIbwFdBV04buZldDT4GYmBW/PG71NeKDrXrgnTOn + 3fBkXmhFb3gLppMv2v2TY96lGk3Obbfnry1lsgLLW+SvustNe1en3mXSVciCbuEh + 7bsb4AkJyJXSUFh8jQ1LWxcE9jsI6eIj9eb/tw0QmC0y8Q2fqOV927B8d7Pl2dyU + K0aryOwn+80ce7sBd/9JRL6SOHB2nK8BpmRO2blAmhrGEjX8kif9hFrXHLU2+7sb + QC0ccFjoleqhTgsnOXCHwfm0ggejvZhS3GLjABgXBp2LVVYuWZXVhCQuRLsUV2v3 + Wf4fPWaGWw8tTTaW198H0NWfd/FSogzWQcsgknVWM9YS/zzqcQNYsSObwh2q2V/S + XAFWrPxSexFSi0XiXK7ahhnp7OTIMtw9dy3e0HQ/7F8guhvhwoTcK6bLY2967wyj + IPh1r+J6g090fN2QXm0oHTSJbhl+fy4bOkXVt/ATyPh6b0yRaxMgSGXWeh3C + =hGXq + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVARAAwAzM+dgsD/WBFbCFIXhDdsLmmWZMeVLD1AlLTmu/GfGg + YvHhW4giEaqEzUsQOuxmyND7eQd3fBKf1GcwFLXE9xrR6YD5yh7s898mnCpBi2Xi + 
LBPMz7nN/j7mfetPklsTazbbaoSB9hVx8AK7jzS7zvzgEGIm8Yeilx/v8OqbT1xQ + +07soWjVvqM526a24KSdRBTgvXPJvqIPt0IEZzFWtAppectcRBiZJHX4huU5wOuG + SEk0vgwCwrt3cades+dbh59cSqUc65qGhDti0tnygnSKgepOkQsFOqoZ/WvgE+io + 5fNEI4g2/D+gmSelCCcQE0MFe+Uzc1FpsWwZiHnbGfnA55GO0dvoOUAsJQtwCLSq + 1Lw8bpywgfIfU4QMYmZAaYsHDly4VTwluFe1WnExzf/nMxRQQmqIlg2pTmNZ6tJ1 + 1A9Rc6mg83//2fNWRw+JBtOJUCePw5nyJ0jTOQZd7Dl0ZzwlsgH8g/Y/Flg1kFll + CXGcJ1TMjTjzD4+Fl3UE+BqpzBjwQodzHqX3LEJ9uJ2guw0zbWzuMs10aTEoW/1U + pVGexkrcaduykd5TQmMO8yG6rW2KEKJlh68lxZslUAiG0ASTuSpY5A8leS5OZZgF + EQjs903r1epwJgBwnQGhijpTrmqiThvdE0BJ9r1jmxUy75KzWh/SZDmpCwDfsELS + XAEceOrsLsaYRqisM5D1zvNneEoGKv3GoS4cs4iuqHPyy2ZueHWK24HmAmrghRQ7 + uLCmS0SmU5CY5gmVRkrKhY/0wtKWqJ10cK17Z/dQtRz6g3qmFM4JBfMy4BL9 + =vZLC + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fARAApzEcBIVknhmysQc02ufbjFzKweB4jsCvGoPXSooMzs4x + p4keH/xaVXF1/nn+bzMHJt1/LV1/5LlyHtQNcZ30hUrziOy4LCnyfNgb5WP3VMP3 + XW6ZcBiEIcUHZ1Ikl/cUNCpKazVRD6o6oKmFCwXKgE9a/l5XX/j3vizQ22vwfgfa + oziQPhMadfne8hXAJIB7fOn45ZLFNgLqYWW4Jh4L1DJflziNR8kx3NQJLWDmSqqB + SpuFBkm7DaLCkj/TpvAQs5xSI69kLlDfcaEPI4noAdhJh+jwGVLNmKyekKsYfrDS + 5cQUVD3Hmn4WnpR2jLJAlwcFaEZt0muiLIxZmAxfSzJhld8G4GOcoAllfG9ze+QG + oJ3G6jWtJeoCZR5zbdk+lNcQ+iHD6bzrkN+54menxu2XGHkFKQ1es/g+cU0AI3yZ + XXgnlwNtC75TzZHwSA0kjmqcgr5XVcoLOr5XJWasQOyIXpjcHbfonnMV4NE5A/Jo + IEMLUdjLBWmjW1xeWo1CJ8hELbpfNaQf8YBzEuo5Yqvs7s0fKl8ea18jwtwYP9qc + 2CbD+7GpxuK/06gMTt7LExcqt39PVGmeFAtZHNtNBMnZ6Ek5cbWqhjPOCy2MFVaa + XTH3UxD1YISZC+NZtSYLDWrTwzY3EYCttAxHzg1iFC8STaM/OR6beD0OPcPj+QLS + XAH6NdHQcUSsFJ0KR4dfOrOnuLDzX2xLsgXJvDhRVbpYwSdeG40j5oGiNpam+z8/ + fDboI4SNzB7Mb4j196kSHWK90sKFsxGkoDGZM/QZh4QA2v0yke1sqkUwkK4I + =SLD4 + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ/+LSHRuYFtIKdxABivqoxvbirPS9Vyo+lYNXMRt9eK5oYp + 
8ei+fyJgsyxXIIlsW2Dg/ZrM8O4aTxkuX1Eg0BhvuWWGBx71S7IGYX+6eSqrZWb+ + 0zLSwKHmk3avGae/IkpKyEdFnGpHKhnILfpKEXVRWHQo5hjxFzUwzNr5N+wJcq19 + sVuCsu4WSt75Ab5bTjl/AYrfYegkK5zXo2I+njIcSYqleQ6vlQ10LUiPg8QhPXqB + NvC8DVglMHN+dFDrnn5huTsd23nIJn6HRbLkqgPCezT8JUgjvEsO0tOdnM8jwRnI + K79HH53p3fbxSut+/P+u1X0gMTOT7KeLfY8URho5HQnnmymXbRxuWoQea9/Z3qIX + 4tfYkcMQA3+rxXANgsfT1yHEs8NjomUxi0SmSCeqtH333iMJJwEwWgLiIKFAA6t9 + SffF9liWeG88VEeAF5dM+7uQ7XrTsAlcdHdNoQCpprx3Hx331rFt1DOj3Md2moF0 + TUqdNsZ7wCA9zlVPwtjkILMGEdz8ZN62an0R/h2ZM9Y/wuZcl1M6wWI9eyjx2Qva + 7/Xk6LMklmNICifOZZ5Tmw1xSyxOIW8VNp7IiKXZBAjb8NiUveNUos0gjMxNQ3PR + oWv8LY3vfYiKE7AJhzrEim1PX36OcRYpB+0BAou//9PGI59tHp/Fupi2lWx7Qv3S + XAEJRUzfnCPB56PdLkNFbJAj2v11zD8zBIZqpuGh/f3fE7V0klGy/Dx9yHyAhw0t + LeXMrYUYO3zjLc4yh7qdrGPBdWUQg8BzWwIJERdHS90zQwmcTkkaX5en3GII + =MQ9C + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAApQx98KdexUMI0KY65hv0IRvBRFouPwpTsd4VpzTsbkYF + XDBhxWVXkI9iLS8O6siQygVDDMfIDs5SadVoOicWyOpHR5sjOaW9qHA4w399w8Fe + 5XoPyfUuQvVywfHMhQiznHNPj5+SgcehwUL1i1+qD3h8RZxbgGkvYKinlkkbxzh/ + Tk4lYjcoNvb/10XRWDEy5KxMB2qc2BFEWZk6DrXe9ZUd0IzYh+tA07rUZVu8TRAc + abx6/0lvgIK45frzYJb17yL/9mCbAUVzSlR/+5LZ+qm73Ax4nsGcGA8nfDVGw/di + +BbbpBHdCs7/1XEHfrKzuUXOAd0V1HjeQSS6zzcwsfFLMevYMyTLmiTwo6SEoWSk + nN599ZqPutG94MVtvaKqDY47ABSOr0BZIUn4jdus34GTgDjX3TVTx8KPzemIbUv7 + BQcd654NKQN0poyZegrksnJVfs6OeSULLylufj6vyFNlKbjNR+D1sHhiyKcmyrQf + T0jDnPgZIzeVbNSdrDywrme+CykRSoFs60GgGYt6p/Omuh7Vp6we05jzY8lUJL76 + VsGqqyCn3JLZb6iWFe+P7JT1VXsl8xsrmn5BKoSMeXqaXctYKuJ2E20gc90a8UXm + jhnHYeG2QHW1LBgv1yeqCpUIfHxNRr+gJ3cHQLNUuchC3vubf3sBXhHzYXyzyXrS + XAFwRah/o35ETWbRhFsw+SzJGTgsyUqKAtWGmfTRPsbVvbam63IEsbTSLOdMahmY + 6uSgIbsZTobna90eVPFM8w3JIx7+Mq0YtdaLgRqpHJtPC7oVgN+RnKbgEEqQ + =uyf4 + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMA4EEKdYEzV0pAQ//QZwerhHFVjR/LahlgmnO/HyiR+wbvNzHEya/rVwuu+st + V8hNgBFp9N1Y9uh/GFIzZd5ETz7yq0FawRptlt5k0CqVYfsDBIB3ewxukJeyjdj2 + 8E84l9SSdmV5uqWK+MV+uY57C8BBcgWtUpjOTNrGkAqtEd5YrSZwcgtKGVLI2Dd/ + i2I1RYdYP/VTusBtpqPk+IrpJf8jEYcEhl+S0wnG+kh/rhyCCrtda49SgRbuJE2d + V9JJlASkC6H6DRn6dVcO2BUZss3ZQB+OF9vfo7tnnuU8Mw1C2JWPy9oPiNat5UGE + zVJZf//m0xBfQVFWFDs95lvqzsBcAAg02tTsclPTtgz9buW5Pph3/OUiq4o/ZWOz + TMSXGD+Fi/mbP7jJZndtiadMtfOQC1dGC86A5H01aQliWruIMb0Wp55+Zr2Rw39p + FlhFSfCzyQHgA+uMa45XFaHCaS9pllWoT3QO3csP5ZyeUM8pLvnxwnLB2BTgg+yF + aV3BP0nzbHAUuaDeb/WtRINKRcKHCqrPPAEvb6X0OU51NvzmaWJphpdrvi3/4sEO + 5+zDlqSZetaBa9WB1iCeD/u8wNNunCXageLxBucesv1uH5PvF51A/aJvXf1jRCym + NjSUQw2aSX35nWc9MIcUnO5mB8H4N5BF2FBx8Nq2XnrVgVPqqe1Sc2Ph4tE54QzS + XAG1bzAX3lHh77xsUuy/Nk3VE3kzJhaxpyz0rPIn6NQ9lVcy4hiyecKL3Jk3Ffcn + kxeKnjym5E4e3f8cMxWQlc+xtwga5QAD2dU2X9fPj6UxGEbh+gDqLv8wtzMr + =7R+0 + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdA4XhPBK5WnPVo84ZrCUe92HZSEKtH88GLktniZCmAczcw + cO5WYiy9D4z/aieGuMTBGg5xRk7eAMZVTbMDV+KXKLVlDwoxKybKSbT+fvhNGJ13 + 0lwBd0RFKYGq4YO+/nUxHZo3hG6qmv3/K06fta/D4p/C5wYefNZVcAj5VqatP3Zi + I/ktqdDszkc98/bf4fHoQmSxP25Wp65jJBEYeMZgX75M/wguGeIBfEgZB5bgww== + =0G+m + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-08-05T20:33:02Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CAQ//Vu9YJvMsevJAd4RJwJ5HMdB3xy3dbDG98qZb8Zoj0+qX + KT/VsR9YoOLeszmzI6BtB2PQhLeavMR2/SFJTGunxaSCvHcd/q7dnC+WAmUVun8l + MVRkIRh1I+tX1KQBqFt1IzsUm5kwJD4iThn4OWyDlS3WCDFlOLUC1iZVtdqxptzy + p4mzM4NmR/Z8r8aA+dYdTlzDHyUhVnvYCDaRTIyr2qzd6kUHmo9PMRvqUNQkNA3k + YOwLt8VR0nZIAx7YOGwSp4E32tk09o7Z+dUIYqXO71c5TxXsOoeEbVn7gj+7KQVs + yDNMF7he54zjModPJkSa4MjwTC2NKzLClux0aE9dW5Zv2eSiTEIlaAwhJjH0wt8O + oMJ5A8Y39GmNoAkadQ5NLP6WwTaUFYLacT56/AdAvsodQf7zlF399wXZlQufAgLv + 3WAvL+LQKpg8TwH74pJe4te4BjnqWvYx+jkRYbRxSXD2iwqrWXk57XysizgjAAre + 
FJe42BeL2uyP/cMTcNFcd+W2DztUkNR54FHSYY8mqev81BYX92ExsfEugsBzUaDF + 3QBnZIZZInCQKnXIIaj5+rV8XXbMKnyTNBQCxfUk92OOrUhikvYhwfPev2ejUzQm + k8RgIG9ZBWDENGX9ojmTH+ec2gWmLvKGyhrKjWvNMzzblHfuxjdSizoQ1FflYEPS + XAE9Cu/L0lwQEU8vRRPPF9kRHLoJygxdOYoD4+SggCkPJxtyiCTNWJeOBwbSnGyh + B8GnNJwNn7H8vh40se/uo2311O8NcuvdLLiBw9DxCTCcPHqS4e5hF98oiSnI + =ZgbM + -----END PGP MESSAGE----- + fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix index e031d4d..9013060 100644 --- a/config/hosts/yate/service.nix +++ b/config/hosts/yate/service.nix 
@@ -1,21 +1,48 @@ { config, pkgs, ... }: { +# systemd.managerEnvironment = { +# SYSTEMD_LOG_LEVEL = "debug"; +# }; + + + + sops.secrets."git_clone_key" = { + mode = "0600"; + owner = "yate"; + group = "yate-config"; + restartUnits = [ "yate.service" ]; +}; + systemd.services.yate = { enable = true; description = "Yate telehony engine"; unitConfig = { - Type = "simple"; - After = "network.target"; + After= "network-online.target"; }; serviceConfig = { - ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do"; - Type = "simple"; - Restart = "always"; + ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share"; + Type="simple"; + Restart="always"; + User="yate"; + Group="yate-config"; + StateDirectory = "yate"; + StateDirectoryMode = "0775"; # ... }; wantedBy = [ "default.target" ]; - requiredBy = [ "network.target" ]; + requires = [ "network-online.target" ]; + preStart = "echo \"\n\" >> /run/secrets/git_clone_key + sleep 5 + SSH_SUCCESS=1 + ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0 + if [ $SSH_SUCCESS = 1 ]; then + rm -rf /var/lib/yate/* + rm -rf /var/lib/yate/.* + env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate + ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\" + fi"; + # ... }; } diff --git a/config/hosts/yate/sops.nix b/config/hosts/yate/sops.nix new file mode 100644 index 0000000..38b06f9 --- /dev/null +++ b/config/hosts/yate/sops.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} \ No newline at end of file diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix index c4834bb..3f9b054 100644 --- a/config/hosts/yate/yate.nix +++ b/config/hosts/yate/yate.nix 
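Review bot: Neither the `ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de` reachability check nor the `git clone` in `preStart` pins the host key of git.hamburg.ccc.de, and nothing in this hunk gives the new `yate` user a known_hosts entry, so on a first start the non-interactive connection either fails host-key verification (SSH_SUCCESS becomes 0 and the clone is silently skipped, leaving `/var/lib/yate` empty) or, if strict checking is relaxed somewhere else, the telephony config is fetched from whoever answers for that name; declare the key once with `programs.ssh.knownHosts."git.hamburg.ccc.de".publicKey = "<forge host key, fill in>";`. The `echo \"\n\" >> /run/secrets/git_clone_key` line also rewrites the sops-rendered secret on every service start instead of fixing the missing trailing newline in the secret itself, so the file grows between activations. `rm -rf /var/lib/yate/.*` additionally expands to `.` and `..`, which rm refuses with a non-zero exit status; if, as I believe, NixOS runs `preStart` under a `-e` shell, that aborts the script after the delete and before the clone, which is worth checking on the host. The same script is carried into the later yate.nix commits of this series.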
@@ -10,4 +10,19 @@ # Just disable it for now. networking.firewall.enable = false; + + users.users.yate = { + description = "yate service user"; + group = "yate-config"; + isNormalUser = true; + }; + + + users.groups.yate-config = {}; + users.groups.yate-config.members = [ "colmema-deploy" "chaos" "root" "yate"]; + + environment.etc.yate.user = "yate"; + environment.etc.yate.group = "yate-config"; + environment.etc.yate.mode = "symlink"; + environment.etc.yate.source = "/var/lib/yate"; } diff --git a/flake.nix b/flake.nix index fb4ed26..5ecee98 100644 --- a/flake.nix +++ b/flake.nix @@ -174,6 +174,7 @@ modules = [ self.nixosModules.common self.nixosModules.proxmox-vm + sops-nix.nixosModules.sops ./config/hosts/yate ]; }; From 8045681bb5ab6896cf6fb30a30c47b507c29e589 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 19 Jan 2025 19:05:15 +0100 Subject: [PATCH 13/51] yate: clean up and nicely format nix configuration --- config/hosts/yate/configuration.nix | 4 +- config/hosts/yate/default.nix | 3 +- config/hosts/yate/service.nix | 48 ---------------------- config/hosts/yate/yate.nix | 64 ++++++++++++++++++++++++----- 4 files changed, 55 insertions(+), 64 deletions(-) delete mode 100644 config/hosts/yate/service.nix diff --git a/config/hosts/yate/configuration.nix b/config/hosts/yate/configuration.nix index f350966..6b1fa99 100644 --- a/config/hosts/yate/configuration.nix +++ b/config/hosts/yate/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { networking = { @@ -6,7 +6,5 @@ domain = "z9.ccchh.net"; }; -# users.users.chaos.password = "yes"; - system.stateVersion = "23.11"; } diff --git a/config/hosts/yate/default.nix b/config/hosts/yate/default.nix index 009e1a1..66738e8 100644 --- a/config/hosts/yate/default.nix +++ b/config/hosts/yate/default.nix @@ -1,11 +1,10 @@ -{ config, pkgs, ... }: +{ ... }: { imports = [ ./configuration.nix ./networking.nix ./yate.nix - ./service.nix ./sops.nix ]; } 
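Review bot: `users.users.yate` is declared with `isNormalUser = true`, which gives the daemon account a home under /home and an interactive login; for a service account the NixOS convention is `isSystemUser = true;` together with the `group` it already sets. The `yate-config` group it joins also lists `root`, `chaos` and `colmema-deploy`, and combined with the group-writable `StateDirectoryMode = "0775"` from the service.nix hunk of this commit every member can alter the configuration the telephony engine runs from; if that is intended, a short comment on the `members` line such as `# everyone here may rewrite the live yate config` would make the decision visible.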
diff --git a/config/hosts/yate/service.nix b/config/hosts/yate/service.nix deleted file mode 100644 index 9013060..0000000 --- a/config/hosts/yate/service.nix +++ /dev/null @@ -1,48 +0,0 @@ -{ config, pkgs, ... }: - -{ -# systemd.managerEnvironment = { -# SYSTEMD_LOG_LEVEL = "debug"; -# }; - - - - sops.secrets."git_clone_key" = { - mode = "0600"; - owner = "yate"; - group = "yate-config"; - restartUnits = [ "yate.service" ]; -}; - - systemd.services.yate = { - enable = true; - description = "Yate telehony engine"; - unitConfig = { - After= "network-online.target"; - }; - serviceConfig = { - ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share"; - Type="simple"; - Restart="always"; - User="yate"; - Group="yate-config"; - StateDirectory = "yate"; - StateDirectoryMode = "0775"; - # ... - }; - wantedBy = [ "default.target" ]; - requires = [ "network-online.target" ]; - preStart = "echo \"\n\" >> /run/secrets/git_clone_key - sleep 5 - SSH_SUCCESS=1 - ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0 - if [ $SSH_SUCCESS = 1 ]; then - rm -rf /var/lib/yate/* - rm -rf /var/lib/yate/.* - env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate - ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\" - fi"; - - # ... - }; -} diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix index 3f9b054..d3ed2f9 100644 --- a/config/hosts/yate/yate.nix +++ b/config/hosts/yate/yate.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ pkgs, ... }: { environment.systemPackages = [ 
@@ -11,18 +11,60 @@ # Just disable it for now. networking.firewall.enable = false; - users.users.yate = { - description = "yate service user"; - group = "yate-config"; - isNormalUser = true; + users = { + users.yate = { + description = "yate service user"; + group = "yate-config"; + isNormalUser = true; + }; + + groups.yate-config = { + members = [ "colmema-deploy" "chaos" "root" "yate"]; + }; }; + environment.etc.yate = { + user = "yate"; + group = "yate-config"; + mode = "symlink"; + source = "/var/lib/yate"; + }; - users.groups.yate-config = {}; - users.groups.yate-config.members = [ "colmema-deploy" "chaos" "root" "yate"]; + sops.secrets."git_clone_key" = { + mode = "0600"; + owner = "yate"; + group = "yate-config"; + restartUnits = [ "yate.service" ]; + }; - environment.etc.yate.user = "yate"; - environment.etc.yate.group = "yate-config"; - environment.etc.yate.mode = "symlink"; - environment.etc.yate.source = "/var/lib/yate"; + systemd.services.yate = { + enable = true; + description = "Yate telehony engine"; + unitConfig = { + After= "network-online.target"; + }; + serviceConfig = { + ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share"; + Type="simple"; + Restart="always"; + User="yate"; + Group="yate-config"; + StateDirectory = "yate"; + StateDirectoryMode = "0775"; + }; + wantedBy = [ "default.target" ]; + requires = [ "network-online.target" ]; + preStart = '' + echo \"\n\" >> /run/secrets/git_clone_key + sleep 5 + SSH_SUCCESS=1 + ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0 + if [ $SSH_SUCCESS = 1 ]; then + rm -rf /var/lib/yate/* + rm -rf /var/lib/yate/.* + env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate + ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\" + fi + ''; + }; } 
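Review bot: Moving `preStart` into a `''` indented string changes what the shell receives: Nix does not treat `\"` as an escape inside `''…''`, so the backslashes now reach bash and `env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i …\"` splits into a variable holding a stray `"` followed by `-i` as the command to execute; the same applies to the `safe.directory \"/var/lib/yate\"` argument and the `echo \"\n\"` line. Inside the indented string the quotes should be plain, e.g. `env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate`. As a point of style, `After= "network-online.target";`, `Type="simple";`, `Restart="always";`, `User="yate";` and `Group="yate-config";` still lack the ` = ` spacing the rest of the reformatted file uses.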
From d57c47437ff20dcb3c0008ab666b927de1181121 Mon Sep 17 00:00:00 2001 From: echtnurich Date: Thu, 23 Jan 2025 20:15:37 +0100 Subject: [PATCH 14/51] Add reload script for refreshing config during runtime --- config/hosts/yate/yate.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix index d3ed2f9..d5e64f1 100644 --- a/config/hosts/yate/yate.nix +++ b/config/hosts/yate/yate.nix @@ -45,6 +45,11 @@ }; serviceConfig = { ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share"; + ExecReload= '' + ${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate + /usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all + /usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/main + ''; Type="simple"; Restart="always"; User="yate"; From 73fa9d1e067e626fec76eb713342644f72647c65 Mon Sep 17 00:00:00 2001 From: June Date: Fri, 24 Jan 2025 11:44:29 +0100 Subject: [PATCH 15/51] git: enable Git LFS --- config/hosts/git/forgejo.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix index 665815d..85b13e6 100644 --- a/config/hosts/git/forgejo.nix +++ b/config/hosts/git/forgejo.nix @@ -14,6 +14,7 @@ enable = true; package = pkgs.forgejo; database.type = "postgres"; + lfs.enable = true; secrets = { mailer = { From 4530608c9900901ece7f0c2448e4035369c8f15b Mon Sep 17 00:00:00 2001 
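Review bot: `ExecReload` is handed a multi-line `''` string in the yate.nix hunk, but systemd's ExecReload= takes command lines rather than a shell script, so the three git invocations are unlikely to run as written; NixOS's `systemd.services.<name>.reload` option exists for exactly this and wraps a script in a shell. The `\\"` sequences inside the indented string reach the shell as literal backslash-quote pairs, which breaks the `GIT_SSH_COMMAND=` quoting in the same way as the `preStart` script. `git config --global --add safe.directory /var/lib/yate` also writes to the yate user's home `.gitconfig`; the `-C /var/lib/yate config --add safe.directory` form already used in `preStart` keeps the setting with the repository.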
From: June Date: Fri, 24 Jan 2025 11:45:32 +0100 Subject: [PATCH 16/51] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'authorizedKeysRepo': 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10) → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10) • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4?narHash=sha256-A7CTIQ8SW0hfbhKlwK%2BvSsu4pD%2BOaelw3v6goX6go%2BU%3D' (2024-12-23) → 'github:nix-community/nixos-generators/d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453?narHash=sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL%2BtIBm49vpepwL1MQ%3D' (2025-01-16) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/0a31e8d833173ae63e43fd9dbff1ccf09c4f778c?narHash=sha256-dPhc%2Bf2wkmhMqMIfq%2BhColJdysgVxKP9ilZ5bR0NRZI%3D' (2024-12-22) → 'github:nix-community/nixpkgs.lib/1418bc28a52126761c02dd3d89b2d8ca0f521181?narHash=sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s%3D' (2025-01-12) • Updated input 'nixos-generators/nixpkgs': 'github:NixOS/nixpkgs/4989a246d7a390a859852baddb1013f825435cee?narHash=sha256-kMBQ5PRiFLagltK0sH%2B08aiNt3zGERC2297iB6vrvlU%3D' (2024-12-17) → 'github:NixOS/nixpkgs/2f9e2f85cb14a46410a1399aa9ea7ecf433e422e?narHash=sha256-FWlPMUzp0lkQBdhKlPqtQdqmp%2B/C%2B1MBiEytaYfrCTY%3D' (2025-01-12) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/530de2c83360057c1650fb8a37ef48cb9ad8f6a6?narHash=sha256-WIGZ3DPw5H%2BSPszUXVacK%2BKTh3sJZShP1vGtDwhquNM%3D' (2025-01-09) → 
'github:nixos/nixpkgs/c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c?narHash=sha256-fY95Rp63NFzOwRFO6%2BRGi/UTyxgqmFmKtQ/DWg%2B6vsQ%3D' (2025-01-23) • Updated input 'sops-nix': 'github:Mic92/sops-nix/c9c88f08e3ee495e888b8d7c8624a0b2519cb773?narHash=sha256-eSjkBwBdQk%2BTZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4%3D' (2025-01-06) → 'github:Mic92/sops-nix/015d461c16678fc02a2f405eb453abb509d4e1d4?narHash=sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw%3D' (2025-01-20) --- flake.lock | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/flake.lock b/flake.lock index 4625fa3..259f97a 100644 --- a/flake.lock +++ b/flake.lock @@ -7,7 +7,7 @@ "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=", "rev": "686a6af22f6696f0c0595c56f463c078550049fc", "type": "tarball", - "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc" + "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz" }, "original": { "type": "tarball", @@ -16,11 +16,11 @@ }, "nixlib": { "locked": { - "lastModified": 1734829460, - "narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=", + "lastModified": 1736643958, + "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c", + "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", "type": "github" }, "original": { 
@@ -35,11 +35,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1734915500, - "narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=", + "lastModified": 1737057290, + "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4", + "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453", "type": "github" }, "original": { @@ -50,11 +50,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1734435836, - "narHash": "sha256-kMBQ5PRiFLagltK0sH+08aiNt3zGERC2297iB6vrvlU=", + "lastModified": 1736657626, + "narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4989a246d7a390a859852baddb1013f825435cee", + "rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e", "type": "github" }, "original": { @@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1736408508, - "narHash": "sha256-WIGZ3DPw5H+SPszUXVacK+KTh3sJZShP1vGtDwhquNM=", + "lastModified": 1737665804, + "narHash": "sha256-fY95Rp63NFzOwRFO6+RGi/UTyxgqmFmKtQ/DWg+6vsQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "530de2c83360057c1650fb8a37ef48cb9ad8f6a6", + "rev": "c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c", "type": "github" }, "original": { @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1736203741, - "narHash": "sha256-eSjkBwBdQk+TZWFlLbclF2rAh4JxbGg8az4w/Lfe7f4=", + "lastModified": 1737411508, + "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c9c88f08e3ee495e888b8d7c8624a0b2519cb773", + "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4", "type": "github" }, "original": { From bb0af02e5c28952c9c9d937861007955ac25e490 Mon Sep 17 00:00:00 2001 From: echtnurich Date: Fri, 24 Jan 2025 18:00:26 +0100 Subject: [PATCH 17/51] use nix option for ExecReload --- config/hosts/yate/yate.nix | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) 
diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix index d5e64f1..89f225e 100644 --- a/config/hosts/yate/yate.nix +++ b/config/hosts/yate/yate.nix @@ -45,11 +45,6 @@ }; serviceConfig = { ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share"; - ExecReload= '' - ${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate - /usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all - /usr/bin/env GIT_SSH_COMMAND=\\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\\" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/main - ''; Type="simple"; Restart="always"; User="yate"; @@ -61,15 +56,22 @@ requires = [ "network-online.target" ]; preStart = '' echo \"\n\" >> /run/secrets/git_clone_key + id sleep 5 SSH_SUCCESS=1 ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0 if [ $SSH_SUCCESS = 1 ]; then rm -rf /var/lib/yate/* rm -rf /var/lib/yate/.* - env GIT_SSH_COMMAND=\"${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key\" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate - ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory \"/var/lib/yate\" + env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate + ${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory "/var/lib/yate" fi ''; + reload= '' + id + ${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate + /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all + /usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/master + ''; }; } 
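Review bot: The new `reload` script resets to `origin/master` whereas the ExecReload it replaces used `origin/main`; unless the branch was renamed in between, only one of them exists, and since `git clone` in `preStart` checks out the repository's default branch the reload target should be verified against the actual branch of `CCCHH/yate-config`. `fetch --all` followed by `reset --hard` on every reload discards any local edits in `/var/lib/yate`; given the group-writable state directory that is probably intended, but a one-line comment such as `# /var/lib/yate is owned by the git repo; local changes are discarded on reload` would make it explicit. The two added `id` lines in `preStart` and `reload` look like debugging output left behind.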
From 5cf9cffa77b4e1e1179305b9ad7eca6d40cce177 Mon Sep 17 00:00:00 2001 From: echtnurich Date: Fri, 24 Jan 2025 19:54:31 +0100 Subject: [PATCH 18/51] add more checks before config reinit --- config/hosts/yate/yate.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/config/hosts/yate/yate.nix b/config/hosts/yate/yate.nix index 89f225e..236e1f0 100644 --- a/config/hosts/yate/yate.nix +++ b/config/hosts/yate/yate.nix @@ -55,12 +55,13 @@ wantedBy = [ "default.target" ]; requires = [ "network-online.target" ]; preStart = '' - echo \"\n\" >> /run/secrets/git_clone_key - id + echo "\n" >> /run/secrets/git_clone_key sleep 5 + id + echo "$(stat -c '%U' /var/lib/yate/.git) owns /var/lib/yate/.git" SSH_SUCCESS=1 ${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0 - if [ $SSH_SUCCESS = 1 ]; then + if [[ $SSH_SUCCESS = 1 && $(stat -c '%U' /var/lib/yate/.git) == *yate* ]]; then rm -rf /var/lib/yate/* rm -rf /var/lib/yate/.* env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate From 934f29a84a32d8770faf6a657ee7519960cd0ed7 Mon Sep 17 00:00:00 2001 
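Review bot: The new guard `$(stat -c '%U' /var/lib/yate/.git) == *yate*` makes the bootstrap clone unreachable on a fresh host: before the first successful clone there is no `/var/lib/yate/.git`, `stat` prints nothing, the test is false and the `rm`/`clone` branch is skipped on every start unless the directory is populated by hand. Treat a missing `.git` as "ok to clone", e.g. `if [[ $SSH_SUCCESS = 1 && ( ! -e /var/lib/yate/.git || $(stat -c '%U' /var/lib/yate/.git) == yate ) ]]; then`. The glob `*yate*` would also match any other owner whose name merely contains "yate", so an exact `== yate` comparison is the safer check. The reworded `echo "\n" >> /run/secrets/git_clone_key` line still appends to the sops-managed secret on every start.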
From: c6ristian Date: Tue, 4 Feb 2025 21:31:09 +0100 Subject: [PATCH 19/51] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'authorizedKeysRepo': 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10) → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c' (2025-01-23) → 'github:nixos/nixpkgs/11e2214d91f0d06ea8575087e3cd8e246c550bd8' (2025-02-04) • Updated input 'sops-nix': 'github:Mic92/sops-nix/015d461c16678fc02a2f405eb453abb509d4e1d4' (2025-01-20) → 'github:Mic92/sops-nix/4c1251904d8a08c86ac6bc0d72cc09975e89aef7' (2025-01-31) --- flake.lock | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index 259f97a..7f1207b 100644 --- a/flake.lock +++ b/flake.lock @@ -7,7 +7,7 @@ "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=", "rev": "686a6af22f6696f0c0595c56f463c078550049fc", "type": "tarball", - "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz" + "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc" }, "original": { "type": "tarball", 
@@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1737665804, - "narHash": "sha256-fY95Rp63NFzOwRFO6+RGi/UTyxgqmFmKtQ/DWg+6vsQ=", + "lastModified": 1738663689, + "narHash": "sha256-L9CwNfoGcvAUpPu6DSkhpdT4tczeWREJWj7ah0Q/qTE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c87f6eefb71ddde46ecc7fb128dd3f86e48ae69c", + "rev": "11e2214d91f0d06ea8575087e3cd8e246c550bd8", "type": "github" }, "original": { @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1737411508, - "narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=", + "lastModified": 1738291974, + "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=", "owner": "Mic92", "repo": "sops-nix", - "rev": "015d461c16678fc02a2f405eb453abb509d4e1d4", + "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7", "type": "github" }, "original": { From a665aa15f4001151eb7590c83c877bf30be55b7b Mon Sep 17 00:00:00 2001 From: June Date: Mon, 10 Feb 2025 23:43:05 +0100 Subject: [PATCH 20/51] eh22-wiki: remove because of migration to ansible-infra --- config/hosts/eh22-wiki/configuration.nix | 7 - config/hosts/eh22-wiki/default.nix | 9 -- config/hosts/eh22-wiki/dokuwiki.nix | 166 ----------------------- config/hosts/eh22-wiki/networking.nix | 22 --- flake.nix | 10 -- 5 files changed, 214 deletions(-) delete mode 100644 config/hosts/eh22-wiki/configuration.nix delete mode 100644 config/hosts/eh22-wiki/default.nix delete mode 100644 config/hosts/eh22-wiki/dokuwiki.nix delete mode 100644 config/hosts/eh22-wiki/networking.nix diff --git a/config/hosts/eh22-wiki/configuration.nix b/config/hosts/eh22-wiki/configuration.nix deleted file mode 100644 index ff45e49..0000000 --- a/config/hosts/eh22-wiki/configuration.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - networking.hostName = "eh22-wiki"; - - system.stateVersion = "23.11"; -} diff --git a/config/hosts/eh22-wiki/default.nix b/config/hosts/eh22-wiki/default.nix deleted file mode 100644 index 2d90c6b..0000000 
--- a/config/hosts/eh22-wiki/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ./configuration.nix - ./dokuwiki.nix - ./networking.nix - ]; -} diff --git a/config/hosts/eh22-wiki/dokuwiki.nix b/config/hosts/eh22-wiki/dokuwiki.nix deleted file mode 100644 index f9a7cbd..0000000 --- a/config/hosts/eh22-wiki/dokuwiki.nix +++ /dev/null 
@@ -1,166 +0,0 @@ -# Sources for this configuration: -# - https://www.dokuwiki.org/dokuwiki -# - https://www.dokuwiki.org/install -# - https://www.dokuwiki.org/requirements -# - https://www.dokuwiki.org/install:php -# - https://www.dokuwiki.org/security -# - https://www.dokuwiki.org/config:xsendfile -# - https://www.dokuwiki.org/install:nginx -# - https://www.dokuwiki.org/faq:uploadsize -# - https://nixos.wiki/wiki/Phpfpm -# - https://wiki.archlinux.org/title/Nginx#FastCGI -# - https://github.com/NixOS/nixpkgs/blob/84c0cb1471eee15e77ed97e7ae1e8cdae8835c61/nixos/modules/services/web-apps/dokuwiki.nix -# - https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/81c8bfe16b311d5bf4635947fa02dfb65aea7f91/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf -# - https://www.php.net/manual/en/install.fpm.php -# - https://www.php.net/manual/en/install.fpm.configuration.php - -{ config, pkgs, ... }: - -let - # This is also used for user and group names. - app = "dokuwiki"; - domain = "eh22.easterhegg.eu"; - dataDir = "/srv/www/${domain}"; -in -{ - systemd.tmpfiles.rules = [ - "d ${dataDir} 0755 ${app} ${app}" - ]; - - services.phpfpm.pools."${app}" = { - user = "${app}"; - group = "${app}"; - phpOptions = '' - short_open_tag = Off - open_basedir = - output_buffering = Off - output_handler = - zlib.output_compression = Off - implicit_flush = Off - allow_call_time_pass_reference = Off - max_execution_time = 30 - max_input_time = 60 - max_input_vars = 10000 - memory_limit = 128M - error_reporting = E_ALL & ~E_NOTICE - display_errors = Off - display_startup_errors = Off - log_errors = On - ; error_log should be handled by NixOS. - variables_order = "EGPCS" - register_argc_argv = Off - file_uploads = On - upload_max_filesize = 20M - post_max_size = 20M - session.use_cookies = 1 - ; Checked the default NixOS PHP extensions and the only one missing from - ; DokuWikis list of PHP extensions was bz2, so add that. - ; Checked with NixOS 23.11 on 2024-05-02. 
- extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so - ''; - settings = { - "listen.owner" = "${config.services.nginx.user}"; - "listen.group" = "${config.services.nginx.group}"; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 4; - "pm.max_requests" = 500; - }; - }; - - services.nginx = { - enable = true; - - virtualHosts."acme-${domain}" = { - default = true; - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - virtualHosts."${domain}" = { - default = true; - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - root = "${dataDir}"; - - locations = { - "~ /(conf|bin|inc|vendor)/" = { - extraConfig = "deny all;"; - }; - - "~ /install.php" = { - extraConfig = "deny all;"; - }; - - "~ ^/data/" = { - extraConfig = "internal;"; - }; - - "~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = { - extraConfig = "expires 31d;"; - }; - - "/" = { - index = "doku.php"; - extraConfig = "try_files $uri $uri/ @dokuwiki;"; - }; - - "@dokuwiki" = { - extraConfig = '' - # Rewrites "doku.php/" out of the URLs if the userwrite setting is - # set to .htaccess in the DokuWiki config page. 
- rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; - rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; - rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; - rewrite ^/(.*) /doku.php?id=$1&$args last; - ''; - }; - - "~ \\.php$" = { - extraConfig = '' - try_files $uri $uri/ /doku.php; - include ${config.services.nginx.package}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param REDIRECT_STATUS 200; - fastcgi_pass unix:${config.services.phpfpm.pools."${app}".socket}; - ''; - }; - }; - - extraConfig = '' - # Set maximum file upload size to 20MB (same as upload_max_filesize and - # post_max_size in the phpOptions). - client_max_body_size 20M; - client_body_buffer_size 128k; - ''; - }; - }; - - networking.firewall.allowedTCPPorts = [ 8443 31820 ]; - networking.firewall.allowedUDPPorts = [ 8443 ]; - - users.users."${app}" = { - isSystemUser = true; - group = "${app}"; - }; - users.groups."${app}" = { }; -} diff --git a/config/hosts/eh22-wiki/networking.nix b/config/hosts/eh22-wiki/networking.nix deleted file mode 100644 index fba2da9..0000000 --- a/config/hosts/eh22-wiki/networking.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.159"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:37:F0:AB"; - linkConfig.Name = "net0"; - }; -} diff --git a/flake.nix b/flake.nix index 5ecee98..347294b 100644 --- a/flake.nix +++ b/flake.nix 
@@ -149,16 +149,6 @@ ]; }; - eh22-wiki = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - self.nixosModules.prometheus-exporter - ./config/hosts/eh22-wiki - ]; - }; - nix-box-june = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ From fe5e6cebdc0f0df330b0541c1756cdfc859f1bec Mon Sep 17 00:00:00 2001 From: June Date: Tue, 18 Feb 2025 00:02:31 +0100 Subject: [PATCH 21/51] netbox: remove because of migration to ansible-infra --- .sops.yaml | 17 -- config/hosts/netbox/configuration.nix | 7 - config/hosts/netbox/default.nix | 12 - config/hosts/netbox/netbox.nix | 61 ----- config/hosts/netbox/networking.nix | 22 -- config/hosts/netbox/nginx.nix | 67 ----- config/hosts/netbox/postgresql.nix | 7 - config/hosts/netbox/secrets.yaml | 234 ------------------ config/hosts/netbox/sops.nix | 7 - deployment_configuration.json | 3 - flake.nix | 19 -- ...oup_and_role_mapping_custom_pipeline.patch | 61 ----- 12 files changed, 517 deletions(-) delete mode 100644 config/hosts/netbox/configuration.nix delete mode 100644 config/hosts/netbox/default.nix delete mode 100644 config/hosts/netbox/netbox.nix delete mode 100644 config/hosts/netbox/networking.nix delete mode 100644 config/hosts/netbox/nginx.nix delete mode 100644 config/hosts/netbox/postgresql.nix delete mode 100644 config/hosts/netbox/secrets.yaml delete mode 100644 config/hosts/netbox/sops.nix delete mode 100644 patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch diff --git a/.sops.yaml b/.sops.yaml index dedf3c1..9a6ae2d 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -13,7 +13,6 @@ keys: - &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7 - &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk - - &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0 - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae @@ -68,22 +67,6 @@ creation_rules: - *admin_gpg_dante age: - *host_age_matrix - - path_regex: config/hosts/netbox/.* - key_groups: - - pgp: - - *admin_gpg_djerun - - *admin_gpg_stb - - *admin_gpg_jtbx - - *admin_gpg_yuri - - *admin_gpg_june - - *admin_gpg_haegar - - *admin_gpg_dario - - *admin_gpg_echtnurich - - *admin_gpg_max - - *admin_gpg_c6ristian - - *admin_gpg_dante - age: - - *host_age_netbox - path_regex: config/hosts/public-web-static/.* key_groups: - pgp: diff --git a/config/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix deleted file mode 100644 index 50a584e..0000000 --- a/config/hosts/netbox/configuration.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, pkgs, ... }: - -{ - networking.hostName = "netbox"; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix deleted file mode 100644 index 6ef3469..0000000 --- a/config/hosts/netbox/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ./configuration.nix - ./netbox.nix - ./networking.nix - ./nginx.nix - ./postgresql.nix - ./sops.nix - ]; -} diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix deleted file mode 100644 index f816016..0000000 --- a/config/hosts/netbox/netbox.nix +++ /dev/null 
@@ -1,61 +0,0 @@ -# Sources for this configuration: -# - https://docs.netbox.dev/en/stable/configuration/ -# - https://colmena.cli.rs/unstable/features/keys.html -# - https://colmena.cli.rs/unstable/reference/deployment.html -# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/secrets.nix - -{ config, pkgs, ... }: - -{ - services.netbox = { - enable = true; - # Explicitly use the patched NetBox package. - package = pkgs.netbox_4_1; - secretKeyFile = "/run/secrets/netbox_secret_key"; - keycloakClientSecret = "/run/secrets/netbox_keycloak_secret"; - settings = { - ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ]; - SESSION_COOKIE_SECURE = true; - # CCCHH ID (Keycloak) integration. - # https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7 - # https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html - REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2"; - SOCIAL_AUTH_KEYCLOAK_KEY = "netbox"; - # SOCIAL_AUTH_KEYCLOAK_SECRET set via keycloakClientSecret option. 
- SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB"; - SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth"; - SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token"; - SOCIAL_AUTH_PIPELINE = [ - # The default pipeline as can be found in: - # /nix/store/q2jsn56bgkj0nkz0j4w48x3klyn2x4gp-netbox-4.1.7/opt/netbox/netbox/netbox/settings.py - "social_core.pipeline.social_auth.social_details" - "social_core.pipeline.social_auth.social_uid" - "social_core.pipeline.social_auth.social_user" - "social_core.pipeline.user.get_username" - "social_core.pipeline.user.create_user" - "social_core.pipeline.social_auth.associate_user" - "netbox.authentication.user_default_groups_handler" - "social_core.pipeline.social_auth.load_extra_data" - "social_core.pipeline.user.user_details" - # Use custom pipeline functions patched in via netbox41OIDCMappingOverlay. - # See: https://docs.goauthentik.io/integrations/services/netbox/ - "netbox.custom_pipeline.add_groups" - "netbox.custom_pipeline.remove_groups" - "netbox.custom_pipeline.set_roles" - ]; - }; - }; - - sops.secrets."netbox_secret_key" = { - mode = "0440"; - owner = "netbox"; - group = "netbox"; - restartUnits = [ "netbox.service" "netbox-rq.service" ]; - }; - sops.secrets."netbox_keycloak_secret" = { - mode = "0440"; - owner = "netbox"; - group = "netbox"; - restartUnits = [ "netbox.service" "netbox-rq.service" ]; - }; -} 
diff --git a/config/hosts/netbox/networking.nix b/config/hosts/netbox/networking.nix deleted file mode 100644 index a0abcfe..0000000 --- a/config/hosts/netbox/networking.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.149"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "62:ED:44:20:7C:C1"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix deleted file mode 100644 index 2673cdc..0000000 --- a/config/hosts/netbox/nginx.nix +++ /dev/null 
@@ -1,67 +0,0 @@ -# Sources for this configuration: -# - https://nixos.org/manual/nixos/stable/#module-security-acme -# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/nginx.nix -# - https://docs.netbox.dev/en/stable/installation/5-http-server/ -# - https://github.com/netbox-community/netbox/blob/v3.5.9/contrib/nginx.conf - -{ config, pkgs, ... }: - -{ - services.nginx = { - enable = true; - # So nginx can access the Netbox static files. - user = "netbox"; - - virtualHosts."acme-netbox.hamburg.ccc.de" = { - default = true; - enableACME = true; - serverName = "netbox.hamburg.ccc.de"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - virtualHosts."netbox.hamburg.ccc.de" = { - default = true; - forceSSL = true; - useACMEHost = "netbox.hamburg.ccc.de"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - locations."/static/" = { - alias = "${config.services.netbox.dataDir}/static/"; - }; - - locations."/" = { - proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}"; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - - client_max_body_size 25m; - ''; - }; - }; - - networking.firewall.allowedTCPPorts = [ 8443 31820 ]; - networking.firewall.allowedUDPPorts = [ 8443 ]; -} diff --git a/config/hosts/netbox/postgresql.nix b/config/hosts/netbox/postgresql.nix deleted file mode 100644 index 5f49f30..0000000 --- a/config/hosts/netbox/postgresql.nix +++ /dev/null 
@@ -1,7 +0,0 @@ -{ pkgs, config, ... }: - -{ - services.postgresql = { - package = pkgs.postgresql_15; - }; -} diff --git a/config/hosts/netbox/secrets.yaml b/config/hosts/netbox/secrets.yaml deleted file mode 100644 index 831a7a1..0000000 --- a/config/hosts/netbox/secrets.yaml +++ /dev/null 
@@ -1,234 +0,0 @@ -netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str] -netbox_keycloak_secret: ENC[AES256_GCM,data:WLPCwl6KmHhyGwpqchZUmTr0XwA1T9asAEXNOSQMfGU=,iv:fsO+Ho18Uz6+y2iohbve1bUKhCR/c2zNrbODR2Jrh3Q=,tag:MWeh7GhdyUJnSzrndA3l3Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTJ5OEJPeGVPTHp5V2tX - c0xYcWtKNG00d3lCQ1JZRERkUFZsaXpyMERJClQwdDFnTVdCRjB0S3hEYkVmclE5 - dGRUQThYSWhpK2dCQWxSVjhuNEY4TUEKLS0tIC9RS3hSdFZCbTd4eFNNSTgyaXdU - V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw - a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-08T23:54:23Z" - mac: ENC[AES256_GCM,data:6KwBwJ1uTuOaCTcBs9sgvX+E/bV37ylJmDqYupa3545ba5Y3VMuF2Hx72zzRYPmh5/DmwzDxc/f7TZUheO5jwwwMGGNCYuX2c+nkzLgtovT/yCXTo8vPHNf03fQRHlOq28ztQIG8Ug1s/t4XkA+iuqPdbvyNKLbsJfJBqg4SF44=,iv:SUXPFtW3/pSTBnjAh77G6pJTucHy4VEhUVkELiMJ4JU=,tag:SfLCwPpJuvL7RrIRmN5PGg==,type:str] - pgp: - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxK/JaB2/SdtARAAgiNMTfquNZeRDR0p1DQbGPVx/tCxKng4aQ+6A8x7H3Ul - UFSjn+85rFBqTRswDnFM4gSfokBHLW1Ltztqw4aKuYoNLs0vUGJWrkf5dHsJv2Mb - YJaHm1iqSwIrgmyI1PWvrZ+cUjgUWBriJOTNlYi2iHWBWqDSQ7O7TUqpeCxiHAp9 - e6UydzIxsLjl+7gaDW2M/FRJNVKxtq8UBEdg33xLi/eE6O5/fNyo8qBjUUWnG4xb - fiuKWgn83n7vsVsmvNJPlsOUrrZoYJAOSm5nymkXlAEQv1LPrSXXYHz8WoOTPDs8 - 29YAX8gvIwK+lc7xFFZAsjQ8JzqcVMyFHsT9N8zWSdaOyGcFcsDwBEICOvVSabb9 - g3yrI8PKoEkQigeLnzKrkLZX+1vqVkSO7MBWn5xAMMhTTZvH0+MknlYO0pU3ziME - Yp6EbvU4OeRbcB6gMt21KQDhiEkPNdwcyxoOtFIWw8tCK57Leyyyb1YU2W7T96M4 - 2fcoAzr5x3xapdvOEgUr7OFzTrc2DRrpx7FKoJFBIy4HEvtJKJvKxcq4aUqznSPG - 
ILpbnH3CEQuWmcGu5fTZ3ggQZW7bM523cz+cwOJjUokhW49D+h7wZjffUuSK1AWS - 7FwncFVVkNcLAs77p1DFn4A3mUjdh3jl+VAXudgQfOGtLeLDY4+qlMMQSGPoj4fU - aAEJAhB0l1X5jqjGE7o/PRwgoaeFl/zwiX8n0k26++hPw2+Vt/b3sT3Ce0zNr30p - Yc7h4H8UoN9j6zD96R9MAATHikz7a5EprAshqzV6uy7VNI6bcKVKilLoxVa47Y1p - 6PA24RxtGxVm - =ES/O - -----END PGP MESSAGE----- - fp: EF643F59E008414882232C78FFA8331EEB7D6B70 - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA6EyPtWBEI+2AQ/+OBSrAP5xkjanku4jcpbYrYDMTWRxVfEgNesvuTyQsxVr - kKK9THm7MUHbVBkx1xirvpv6XLcLtCwdMnYlBkSCVaztGmb1aowmCn5tWZiVDyE+ - UPCF0bTXmxjLM+Cav8aweylfD3vAQsPvFLS3XvCBHKWqZ7dNkro+5VTxKmQ+XiZ6 - t67M5DtltUm8IWOE2DScAgGiBQlCSY23O/zy4U5Sj3Ii+eRHxC1B7NB0Crj01pi7 - 2v6J7yNZnw4vfH3UiRO5Vg9q0QLPp3XR6Xb1J/TJJS6vCUarSbL1/oBjujHkF4hK - MEZ+Q3qGnv+dGOzUch4xkEkuWyfIcMTY6JOa3TpkhfkbQwXsph/sD/SaHpRD70Ra - PX0vBzSdbtEMea8/pVTOxfFEjPGQIFI1+pdNmCfzhWNbrH6EqjrSOyZXSr6+U3dI - Xhpyv2wKuNho0c9jWYqPzY4vhSGRjc9416nfV/o7Ebv659ypBKHtMDcL5kebkCB4 - W0OwscSRPUXUz2S9XfSa3J80Aakv5S5xvlXo6R/8TDaMWJtZP2vtF4y0elNGOfZM - Vn/zlv1htaezQDNznJK+E8bHEF3p92hiuSjO8yMZByIFrAV1AyqY4kiMmW68scA6 - NBOlxah9xCV7XnD8B1ZCR9FruuYYj9cpwES0lLvISBXJvh1viyHN8Js0uApePInS - XgGzDhaZWWyt5TK+Uv2fu8wh6hbX8hmzT9vBLfPz0Gx6Z78RnwflsTqF8svtjSuB - zv4z9d/zrysfHY93Gd8kdKkG955f1THz9dELEpYLIwyLoTx1vHlymVP87TuPqxc= - =zG3F - -----END PGP MESSAGE----- - fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAz5uSgHG2iMJARAAjT7YVbq2/QthKii2fmj1EZgsDm7ZkcAKJ7Bo0jm7Vgxm - wGeBULB0bBoYEiFFO7Kc420Yk6IK+uUG8S8X3bJHUbMzvY/K/kG0eVpXwDJwJPf8 - o46blkjpmhIiTvvQ4K74AJgsT9W0yXRrPxGz5HIuOG8P8CAqOabZ79ORfd3KFebJ - yOvBSyor//XoMB60a7uqQoaWw/+UwRKpz2yncLafD23nyuS5uXsoHNuySHLsI4va - y6Nhp4LdpYjjx/DIuzrl/3SCeLgisHL5u5kJ1QaGsfd2z7Tjxk+GoVgs/Wb51uHs - vPk0diKrv/kouW7rN20a2ywQETenik7/z2JcEFyZiOPH9KhHk3QGoXdlVVqESz5O - OMV5d/ijFW92Z7yuis1jSewGKDDp1FqyR3gIMONl2vK7Pzl1A8v8yQBbY5/fObuM - 
xTs/qwwoqYimokqM3WrjjKgx8oFFstWWzKBT24aCQTajA8vl83v1jfjR7EjBrrAu - +J+wBFNpnJiXgECPmJgOtQB+4IA023X1cdgDm2GlR+sPKKSBP+AySMOOp4zMoS4J - 9xd30ltQp1ncNvU7KaTV0VXRaGb7CEJnlhiN2naYcpcsX+G8bfcrCuZwxtBFiZvY - 9Ey47LLHP5SPPOWxhnsrPOYidNJd056+uyvnnbUYArjb6s5JUh6KQgjELKCEOIXS - XgEUryr5jMrBHLQi7wYHEqWkouH8cFsPAu5O/KOIYvZVIoOzB3DDPtJ4CknNfAMa - CTvlOJHJSuweQ4Mq0c+247aWu12V9ZMcTQT4e3g5DYq5TWm58Uidbd/g3FDwLgg= - =PqbF - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1AQ//baYynNo2MfmuqEKles0xnZpfPemIyQUnPmRKEtZUl6T6 - eweGXKF3Ms32ErPhZaT8RNYAk2XX+RRlpJvTcMvLv/rxVTf2QcCAz6vxukmh5una - 5CJe1H1tcDmXrQ7zkGffktkGcT90/OpRbhMJtp7MKcEzfpdgcw5yCeDpYCRn2r9E - /0Eaf72R60ecnr6CaOSIdbpy1QiDMydgmg/QCONBT97RQMJaGN+qAuPz1Fpb/Z+N - E/bmtqS39ADYZoB36sy+LCzp+oMLI0DpCHz2ngfFnKbeYeNU9gMXCAda9/ZyMbaI - aFjvwlTBsvAklWN36pvG/YxoO1XkN/Mj1N1QBvxP2LYg28X7uBnVUZAyvvQPL6xN - U110qThvDvLxgHC1DAfoMygKCDig2oSg3njf8LS1y5XkTag/B1JJT3NcgFI+MMvT - 5NMaw6HRAgOwWcJ1pJokFZ6zIpLlIbToutJu/Ep4tisyg/G3ybbthqaywg5jkbCT - vbhzXpsbqkE+jyx2dWziBbQR9lOoTycRwIs6um+pKuPF7TzfD1GRyqTwtU9TN58D - Yl1GN3oz8ZFeGkdy1dXBxMP4EXR1BTdLk14vFGFPbjQ0bAAohOgTSgtGm+iZ73Q/ - PFNf/3gGt8/Gk0cMl20PFzk3FMyUDOLFl5dOre0THGQelpVbN7fvZuaXOSZjuYXS - XgHGFmChf+zsmbKnT0tQfzGtFQb0cHHvkenxC5MCCCPibxwVeHEwcJTtPvvF1QqF - 9kR3XEpuVFMNFrxsQd/31c5RUTC+sr7W+PRIVgIhdU6RtikIMsmekrunnPeB99U= - =o7cj - -----END PGP MESSAGE----- - fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4HMJd/cQYrVAQ/6A6ealIO6x8Xq3xzjIvZt1R4TvbnF+LmKpW2iG1nO3aVY - QOEGUCVdEveWbQBOexKXl1TgfhxIOrPVixJ2KgIZnNxobhgABfF/H/EqXsxUI6n6 - 2mZt8r0ibknzoPn7MmC7ceJt0t8UVFgPlPuT7zb5T2nDrm61WD50tbubJTYTuWmY - NE5qhd051/Ohqf1RGB7MEfesDNj0S+J3E0TAjOsAcFoAUwSohUtxONcCSwjiygqM - vCC9Z51tMe6pC9n/2MNgb47xd5eqFs9rzfKXxPlnhhRmS1jOmE5fVfmOg9KOkGCu - 
PskiO+hgyQK3q2a+/e/MGuKv3ChCrTloTUBarQW5oRoQnWdoiZh7rVwyNVasGfHW - FLEhZuBlyV8w9JqOQTiOx3FN8IhVL2lJIa72Ng+O+AMYuvuSCxv5r+1D88IUlF9B - n01qAMC7fUfOpkUPM0yXQ9GTIWt02Mp/7z15t49Uk3izYCGluxVNhLNFxvAZOZh8 - nfT2Hpf5mkJHMvUD9F9rWFVWPyCD0ORN8k770ziOVEYMadSJ7/HpCHxg5m+TqNnM - TNQXID/f7AyoO10zcS8TD0IgDLEjTaPMTPZ1EZ0MvgLQ7MgzPdjdvXOGc0g8L6oa - ac9a/NDWeZGDNfj5T88pZStoLJKnTvuuwxk0haabClxCAOysifxINqJ7U6AfkpnS - XgHR1vDF871X9kwm/c2zrbJca2sH5pNU/HiLf3IMRTAnmIewYxQAvn3JH+0jUUKH - fEt+fZuW9dgfvDzaw4C3FbGxFViRXXFrjqSDGN9JT6VprCmX3Or0RdIjHwdvvhY= - =4agQ - -----END PGP MESSAGE----- - fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fAQ//R+9lFm16WjGtRkq3zcPbva2SpijBjVBfuL2veFyeDq5G - H09EL0+A9IJ5rPI4Y6HJ2LhnqUWg7NRHbmM48bHla5NDtCNB+YsU1rNc4oGIf/TJ - JRob3u660+BxRiEO/Agc925BeQS7xoPSIQTTkzMKEGih2aUj3Im0JHBd6p3UWnsn - ZTUy4rkZHhUot1vHSOh1RTRDQHdDMTFpzPA66nH2y9tyz79jhqEFUCZIVIB5dGWv - blFqZgoVf9Piw/7ic9FHuNRy/5tia7SGN6xIu3OlR3TU+z7fvjUAHG9Afm0FINfm - fS7SRg+y/6wUWVGL8NSQWQLdnMnUt7E2DSu5IY6S6ToZTDxpNM9Waw89GQbUe+Jg - APzUtmXt2VNZ7faIE+tE0LJs2x5OGNxALKgj+K9ZFl6oIL8E7PB4ncxDlTsCRiz/ - H15LzKYMWcYAntMVuVbyyzKUh/3KdZWfs31PV+JIQuazVUQgO9R3myn1Y9SnvZdQ - dIwvfYBOmwhC6oCkJB3Pj4yOoE6gtacZBeeUZwScDxH6h+D3MFrF/1bgiKZs26m+ - VfuTS2vxUAln9werKIGAbQWZmtCOkRdyVIJyeo31zO3hy/xdfzlZdBijcOqZDeho - FP+WDUAySkSahqV1pr+jIMsaejRglJo/GfCGPdtBYAuB872VpdiQ8g3i0CW7eSfS - XgH5YBfA4EgJSxRdCpBO25i0SyxlNK2WJ9INQbu4xyfBfsZYyhKo1RbmD+60t/xw - Lxeg8plFAuBPvQCRCGvda1y9uw66Hmxt0QKtScd3MXwOk2Q2u04cIPDZ/KAtC4g= - =x1QX - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoAQ/6AgZkGRrZDbtTDEkksKQ84CsGyRBMioOrYfHDSyRb7URZ - RDVLfqr25Iz48kYR1n2nMo+O7QyayjTwaEAwFLFSTIpRKN6/9fT2ZVJxUfgLUWhH - I1OYMmRr9f/30OUMw8uTlCMqznkdoSjBmm0CX2Mu3YyRDUokzZa+ixRHX9TRBrKz - 
GSfJvHm77HTamvJLZcHnrVi9YH0KL7cQ8ileNHbUbCqmG+rrhiwz+gRp9aJ7pbnw - Qp7TaafrQKFh0Zsbmwuzcv030TJvuZboWpMIuGoeOWqv6tzSFhUV8eUu6UnM/2fg - arflryayYFRDUkysHONGoHviygefHr3+dIkneVO7tJ4ePYnFYhLvUsps4KASoHMF - dHMOwaPQDnBYo/ADiar1fgagYD/1Yns2SpsA1eqWwTE+hp+jwQi0mzYMLM3xl9YA - cMuqIOnXvpnuXYIRmooFtf/JkoJkYDV+8gbowZU52FJbB15QsPUgN47aixkWzJxj - 6iV34LoF783DGQTnoMzgV9bDXa3RE1UgxjdFV6TNsPQvmWQJe+NNhqdkhH3MwLTG - jMGAwUNsPnmvCg4xPZlZMiuGhi3vxC4Fj6MWUw8uJbxCv83FPYwmpHCGVNwpDhFC - rRLk9vo1Dsm0oMHHLDxS9gTlg7FCrEyXinHBEq/11wigACM217oyg28nWxd6iA/S - XgHgxWlTQiYOWBRdJuJrPwXpNIHlsNDuE5YantoGFx6ykGT5H42HFlll7xGq6xVq - pssSfJK++lqWpvX076vh9tfwa40N2neO/vQ+8jBXr3dP6Vj/FUA8IUDVjc9xxAc= - =FXTF - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqARAAlG+nZhDVZX/+nHA+dPdw2RSGeXrIaxe0gjkGShZOVhmq - /iOfY7IgRzfp03BCJxRZwTYZu9hcg25jmW1havkmv5NPMDrmhgg9nX1AgyJaOgTo - FCPlXAvBSyWPGv+xgi63ttakHhobOympBj4hSzXdLg3RhkZ7KHci4Qz7XVfOpJ+j - wl/HKkNmkLiPiA7kYk8SOwJMFO89dMphHQBc81cZAptwfz9snTP7v6iBVvQDvF8h - 3y5QPpfKEJZy0+GlqbMvRASHNx+w2GXIk6F/ldMt9rq9IJvR0od0p15aXCcO6TzC - Yzo7lIyyxqp9NQyN0S/DwzH0Uqj2CFMYdoKeFTNXG4a9fkVorj8+4rmJPewDxc4a - 6Pc1hrQc6qoN+7o0Fj4xYkSO615gmVwZprWLQqgdkSMSPklecMX1d7WmkmIHNBk8 - wkFUT0yBoedBiOTIHXRXhnQ8/4fkbRw7HYA3R4CqT7njtvqC0VWfwLISubuQ38tf - wbGKg5Bzzt+T176VoOfjau4aDoy3S1aGQcVKD19egj4l/eO+SvHl3UVZNUipkB3C - 7MUqORS2kOh+IIqdSjYKvn7+MuAM5UP5GdzIoHaPPSCTUPdUjOLFPb+bjonTReQM - N4slvyssD3pgy9cwNofVtsmgVrc4Cv9mTo6rygeAq7wWxkl5hvVcmkhRN6zXD4TS - XgHV1a+C7ZWICtKI1u19NVYkjDkRrbQx96UdAkKquofpaQjxxXsz4SDi94BB2dCS - z+S2ZjOtweynhey1QPOLLmNUvZLE+SGsKmwkrMCBdtSyTbRXHSqPHt0Lc77tUhE= - =7WGw - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA4EEKdYEzV0pAQ/9Ek8xSUknHMyj7pFgR6oME3Q/az5CykwxpkKFZgafhxWQ - 
nA2Ge4y3Px+rSoPPPtxtb32lw4PcWV+P1Y4EdtpinsuW9xlSWJvE8Yp6C0BBFceu - 3k3O2sPHlF0yeJgjS+rhpqPppRn5nlvmD+E9ZiJGQNOEUxmrdgoNLonazlLqcgjO - 07CQdgHp9AuBthhlEU+UgdVdfHMV83KhhyOIf+mhEUU4cQWL3X/J2Sm6jtAowA92 - fiAA7U8UXEt4lFEXle6Xj/1LtBI5zI8YHrE3xX6kN0Byf+ydtAM1eqjGb0dL7u6W - 24CavCODfgWepuK97Jo++umTfN8wkLlfpbaNro2EpAdD5Q9CeGSzXk1PjFmsZgAb - QVOxo8kiTULEgMTI55pqg4GT4pglbofsQRMuk2IZPj1a9ScJjOxZIm0VUXG9AAZi - BogAuiObch3orMm2KGeSX1s6HyHrvQjuXDNPHoC2yFJ2oBu1QIHy/hAFLnOcNW/U - 3JfhWHLpMHQgu9lFzkTlobg+4Lg1MHlXtSApwdmMIcrAJcm/l/7+x1J/TVVRQAdP - zyzWLA9AGjRv0Vud6lhCnL2FjsUVUWA+S8G+OYqxpkp70Ku1a5z3e7P8CoAtzDoe - RZLRwjawjgfyKpEvbN+s2UvWqtgvRPqiudG4cAZs5GecLxO8ItahyklRZ47G8JnS - XgEdyiiO06vx5LMszt/tFXtoIKlaWnbB0oLyIwm8un55VnJija5OVrFfdQYhp4fQ - yvRQ9uAM32WVjQ+gKVVQ3pAHgF2Lu67E7HtZtdmdLkWafybEWUsqGZyDzDvchZs= - =pFkW - -----END PGP MESSAGE----- - fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdAeCb2j6cmTulJV2huSow62xTILgzf8/OOo5lED9+T5VQw - kBqubSVgy3jiW7lfjAK8U5Wh0ITb+6AR9kDLRE0WCxNbrOaeGado1VEalTw00Q58 - 0l4B+PeAZBg82rPUegAvU7UnnUIC3nGVzN4CEdPRpPcrG99V6VvXOks+s4DLky16 - 5FOihlYbf5nCD7OFbc3yys3MbUVuHda8x8H0BkuxDR81Wf4Q+HXCg8OUhncB57zN - =Lvnj - -----END PGP MESSAGE----- - fp: B71138A6A8964A3C3B8899857B4F70C356765BAB - - created_at: "2024-05-26T01:07:22Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAzdAjw8ldn6CAQ//UFokgDfUkScPVlJ+YnFw+W8eLk6y2YVI+nTCCZO9fhPB - 77aDFY+yJG/BfEzjZNwQbISBjt+OuxVSSam52B+4FQkolr3KRhkfkuS16Fe9PwOg - XLMRoDba416ZtwAKz9HznFnPAzyPOwAn8yuF9RMp0KFP3ko+NSRAvOgja+jjPOl7 - 4BNkH6w5SAoE8u5jyQKIV9OB4W8RCVX30bYo2XzxjOcK1L+9EygoR+1CVOkbx8p/ - T2i3mBdy3EtQ+86nSMPjGrSqURaUaKbCN/ygrSMhN/Pl/FvLiEEHamj2dVXPdHRV - k4bR51ZjO+U056PAB2Z5yK1Mpp0d0xpi5+QdOdi3eEqnGCXFq4Xz7NHUrmdy8Zug - QPnlMqibC3Wqdee4uhPbCHe0veF/VLaNAlyGkBHw7q66Ln2MY8coKPoiR8K4CD8o - 9dtsV/qDvdFhziqsWCBjTwtFct2x/qEcRnzm1kvpyKwe2zV15lHA9WLafZVQ8eNk - 
U8yxBDETa8Bwd9voJ9NqYTcnyQLRJ3sZcvfkWQ7D5NOvmdHD5vF+gm5zJzR4EGN2 - kSiqwZvztVuQCm6EOe0pJqp774KZXWW9eHc6CaNwkT5cmWjWu1wdHYhRk32HdhxX - 1FQF3MxxACwDg9kj/s7gpWLlsofN4NM/QtHoGRh1wDQJGm8IZyH2qxpsgcXX9YHS - XgGX4oCWpHLRyRuHPb0xvjAdVX20WQKLzAtXvJkRMUd+Xt348nkZ4ZCqqfQ4eKPU - 02FoWeCVqWTUyoaaHC87HFXUNJ4Gc+9AsWlbB9yA8nAm1z4wWHHFqZS2duu28ow= - =WqHP - -----END PGP MESSAGE----- - fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/config/hosts/netbox/sops.nix b/config/hosts/netbox/sops.nix deleted file mode 100644 index b4548ed..0000000 --- a/config/hosts/netbox/sops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/deployment_configuration.json b/deployment_configuration.json index 20b9f00..6ac5254 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -3,9 +3,6 @@ "targetUser": "colmena-deploy" }, "hosts": { - "netbox": { - "targetHostname": "netbox-intern.hamburg.ccc.de" - }, "matrix": { "targetHostname": "matrix-intern.hamburg.ccc.de" }, diff --git a/flake.nix b/flake.nix index 347294b..7c7cfe0 100644 --- a/flake.nix +++ b/flake.nix @@ -40,13 +40,6 @@ proxmox-vm = ./config/proxmox-vm; prometheus-exporter = ./config/extra/prometheus-exporter.nix; }; - overlays = { - netbox41OIDCMappingOverlay = final: prev: { - netbox_4_1 = prev.netbox_4_1.overrideAttrs (finalAttr: previousAttr: { - patches = previousAttr.patches ++ [ ./patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch ]; - }); - }; - }; nixosConfigurations = { audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { inherit system specialArgs; 
@@ -84,18 +77,6 @@ ]; }; - netbox = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - sops-nix.nixosModules.sops - self.nixosModules.prometheus-exporter - ./config/hosts/netbox - { nixpkgs.overlays = [ self.overlays.netbox41OIDCMappingOverlay ]; } - ]; - }; - matrix = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ diff --git a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch b/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch deleted file mode 100644 index 89f805a..0000000 --- a/patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch +++ /dev/null 
@@ -1,61 +0,0 @@
-diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py
-new file mode 100644
-index 000000000..470f388dc
---- /dev/null
-+++ b/netbox/netbox/custom_pipeline.py
-@@ -0,0 +1,55 @@
-+# Licensed under Creative Commons: CC BY-SA 4.0 license.
-+# https://github.com/goauthentik/authentik/blob/main/LICENSE
-+# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
-+# https://docs.goauthentik.io/integrations/services/netbox/
-+from netbox.authentication import Group
-+
-class AuthFailed(Exception):
-+ pass
-+
-def add_groups(response, user, backend, *args, **kwargs):
-+ try:
-+ groups = response['groups']
-+ except KeyError:
-+ pass
-+
-+ # Add all groups from oAuth token
-+ for group in groups:
-+ group, created = Group.objects.get_or_create(name=group)
-+ user.groups.add(group)
-+
-def remove_groups(response, user, backend, *args, **kwargs):
-+ try:
-+ groups = response['groups']
-+ except KeyError:
-+ # Remove all groups if no groups in oAuth token
-+ user.groups.clear()
-+ pass
-+
-+ # Get all groups of user
-+ user_groups = [item.name for item in user.groups.all()]
-+ # Get groups of user which are not part of oAuth token
-+ delete_groups = list(set(user_groups) - set(groups))
-+
-+ # Delete non oAuth token groups
-+ for delete_group in delete_groups:
-+ group = Group.objects.get(name=delete_group)
-+ user.groups.remove(group)
-+
-+
-def set_roles(response, user, backend, *args, **kwargs):
-+ # Remove Roles temporary
-+ user.is_superuser = False
-+ user.is_staff = False
-+ try:
-+ groups = response['groups']
-+ except KeyError:
-+ # When no groups are set
-+ # save the user without Roles
-+ user.save()
-+ pass
-+
-+ # Set roles is role (superuser or staff) is in groups
-+ user.is_superuser = True if 'superusers' in groups else False
-+ user.is_staff = True if 'staff' in groups else False
-+ user.save()
From 02328a8ba8d00b5e97b192475fe99c3a85f22c5c Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 18 Feb 2025 00:03:14 +0100
Subject: [PATCH 22/51] eh22-wiki: remove leftover deployment configuration
---
 deployment_configuration.json | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/deployment_configuration.json b/deployment_configuration.json
index 6ac5254..cc2fb6d 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -15,9 +15,6 @@
 "forgejo-actions-runner": {
 "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de"
 },
- "eh22-wiki": {
- "targetHostname": "eh22-wiki-intern.hamburg.ccc.de"
- },
 "nix-box-june": {
 "targetHostname": "nix-box-june-intern.hamburg.ccc.de"
 },
From fd2414ec91a2acc7823158976499004ce744547e Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 18 Feb 2025 00:04:58 +0100
Subject: [PATCH 23/51] nix-box-june: remove nix-box-june as its being decommissioned
nix-infra is built back in general, so remove nix-box-june as well.
---
 config/hosts/nix-box-june/configuration.nix | 7 ---
 config/hosts/nix-box-june/default.nix | 10 ----
 .../hosts/nix-box-june/emulated-systems.nix | 5 --
 config/hosts/nix-box-june/networking.nix | 22 -------
 config/hosts/nix-box-june/users.nix | 59 -------------------
 deployment_configuration.json | 3 -
 flake.nix | 10 ----
 7 files changed, 116 deletions(-)
 delete mode 100644 config/hosts/nix-box-june/configuration.nix
 delete mode 100644 config/hosts/nix-box-june/default.nix
 delete mode 100644 config/hosts/nix-box-june/emulated-systems.nix
 delete mode 100644 config/hosts/nix-box-june/networking.nix
 delete mode 100644 config/hosts/nix-box-june/users.nix
diff --git a/config/hosts/nix-box-june/configuration.nix b/config/hosts/nix-box-june/configuration.nix
deleted file mode 100644
index 7dddcc1..0000000
--- a/config/hosts/nix-box-june/configuration.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- networking.hostName = "nix-box-june";
-
- system.stateVersion = "23.11";
-}
diff --git a/config/hosts/nix-box-june/default.nix b/config/hosts/nix-box-june/default.nix
deleted file mode 100644
index 489fd67..0000000
--- a/config/hosts/nix-box-june/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- imports = [
- ./configuration.nix
- ./emulated-systems.nix
- ./networking.nix
- ./users.nix
- ];
-}
diff --git a/config/hosts/nix-box-june/emulated-systems.nix b/config/hosts/nix-box-june/emulated-systems.nix
deleted file mode 100644
index b6065dd..0000000
--- a/config/hosts/nix-box-june/emulated-systems.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-}
diff --git a/config/hosts/nix-box-june/networking.nix b/config/hosts/nix-box-june/networking.nix
deleted file mode 100644
index 2c1faee..0000000
--- a/config/hosts/nix-box-june/networking.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ ... }:
-
-{
- networking = {
- interfaces.net0 = {
- ipv4.addresses = [
- {
- address = "172.31.17.158";
- prefixLength = 25;
- }
- ];
- };
- defaultGateway = "172.31.17.129";
- nameservers = [ "212.12.50.158" "192.76.134.90" ];
- search = [ "hamburg.ccc.de" ];
- };
-
- systemd.network.links."10-net0" = {
- matchConfig.MACAddress = "BC:24:11:6A:33:5F";
- linkConfig.Name = "net0";
- };
-}
diff --git a/config/hosts/nix-box-june/users.nix b/config/hosts/nix-box-june/users.nix
deleted file mode 100644
index dfb333e..0000000
--- a/config/hosts/nix-box-june/users.nix
+++ /dev/null
@@ -1,59 +0,0 @@
-{ lib, ... }:
-
-{
- users.users = {
- chaos.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
- colmena-deploy.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
-
- djerun = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWXk9N9GoDyvaB0mnX448IvzKKsMv0eFZKvjqmsJ3In djerun@chaos.ferrum.local"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQsu6WSAXsF45wGmw2spQUWopsgioUuFI8hKLBW/WVk djerun@chaos-noc.ferrum.local"
- ];
- };
- june = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
- };
- jtbx = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBQgnQAq6FUSDK8bxtYPjx3oRCAKG+xy9J3Gas2ztJk jannik@Magrathea.local" ];
- };
- dario = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZtJwNPEIfNsAxBfWgxAeoKX1ajORPvs6L5S+qipJ7J dario@ccchh" ];
- };
- yuri = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
- ];
- };
- max = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHNGDzZqmiFUH75oq1npZTyxV0B7eSJES/29UJxTXBc max@iridium" ];
- };
- haegar = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhWTkvLI/rp6eyTemuFZRbt2xxRtal7fu668nnb/ekU haegar@aurora" ];
- };
- stb = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgVuX9phyXImxqvof+49UXhiSQ+VGizeU4LrPcZY1Hy stb@lassitu.de 20230418" ];
- };
- hansenerd = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxujzHK49IBtYKPgnTCDQEiIxgzzlQ846tmU+6TcMIi hansenerd" ];
- };
- echtnurich = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWWxkGFje1CJbZTB2Kv8hxZpvRR8qyw2IarRIHnQj3+ echtnurich" ];
- };
- c6ristian = {
- isNormalUser = true;
- openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgfWcCrsVSXvYEssbfMOy2DnfkGSx+ZRnPLtjVNSxbf c6ristian" ];
- };
- };
-}
diff --git a/deployment_configuration.json b/deployment_configuration.json
index cc2fb6d..9c2f99a 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -15,9 +15,6 @@
 "forgejo-actions-runner": {
 "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de"
 },
- "nix-box-june": {
- "targetHostname": "nix-box-june-intern.hamburg.ccc.de"
- },
 "mjolnir": {
 "targetHostname": "mjolnir-intern.hamburg.ccc.de"
 },
diff --git a/flake.nix b/flake.nix
index 7c7cfe0..d7bda34 100644
--- a/flake.nix
+++ b/flake.nix
@@ -130,16 +130,6 @@
 ];
 };

- nix-box-june = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
- modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
- self.nixosModules.prometheus-exporter
- ./config/hosts/nix-box-june
- ];
- };
-
 yate = nixpkgs.lib.nixosSystem {
 inherit system specialArgs;
 modules = [
From dabaf18dc32ccc3322c0e836543f81857caa0a44 Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 18 Feb 2025 02:52:22 +0100
Subject: [PATCH 24/51] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'authorizedKeysRepo':
'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
→ 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/11e2214d91f0d06ea8575087e3cd8e246c550bd8?narHash=sha256-L9CwNfoGcvAUpPu6DSkhpdT4tczeWREJWj7ah0Q/qTE%3D' (2025-02-04)
→ 'github:nixos/nixpkgs/c618e28f70257593de75a7044438efc1c1fc0791?narHash=sha256-uq6A2L7o1/tR6VfmYhZWoVAwb3gTy7j4Jx30MIrH0rE%3D' (2025-02-17)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/4c1251904d8a08c86ac6bc0d72cc09975e89aef7?narHash=sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320%3D' (2025-01-31)
→ 'github:Mic92/sops-nix/07af005bb7d60c7f118d9d9f5530485da5d1e975?narHash=sha256-7JAGezJ0Dn5qIyA2%2BT4Dt/xQgAbhCglh6lzCekTVMeU%3D' (2025-02-11)
---
 flake.lock | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/flake.lock b/flake.lock
index 7f1207b..d6bc2dc 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
 "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
 "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
 "type": "tarball",
- "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
+ "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
 },
 "original": {
 "type": "tarball",
@@ -66,11 +66,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1738663689,
- "narHash": "sha256-L9CwNfoGcvAUpPu6DSkhpdT4tczeWREJWj7ah0Q/qTE=",
+ "lastModified": 1739758141,
+ "narHash": "sha256-uq6A2L7o1/tR6VfmYhZWoVAwb3gTy7j4Jx30MIrH0rE=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "11e2214d91f0d06ea8575087e3cd8e246c550bd8",
+ "rev": "c618e28f70257593de75a7044438efc1c1fc0791",
 "type": "github"
 },
 "original": {
@@ -95,11 +95,11 @@
 ]
 },
 "locked": {
- "lastModified": 1738291974,
- "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=",
+ "lastModified": 1739262228,
+ "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7",
+ "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
 "type": "github"
 },
 "original": {
From 7c13dd1e35618b860a122c078462d03df005ec6a Mon Sep 17 00:00:00 2001
From: June
Date: Wed, 19 Feb 2025 21:56:23 +0100
Subject: [PATCH 25/51] git: disable internal login, to force login via SSO
---
 config/hosts/git/forgejo.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix
index 85b13e6..89f83c9 100644
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@@ -49,6 +49,7 @@
 };
 service = {
 ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ ENABLE_INTERNAL_SIGNIN = false;
 DEFAULT_USER_VISIBILITY = "limited";
 DEFAULT_KEEP_EMAIL_PRIVATE = true;
 ENABLE_BASIC_AUTHENTICATION = false;
From 535cc518dada1e5c7a3b2ac0aa73d595db0b0ccd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matthias=20K=C3=BChlke?=
Date: Fri, 28 Feb 2025 23:25:59 +0100
Subject: [PATCH 26/51] MQTT: Make cats accessible from winkekatze24.de
---
 config/hosts/mqtt/mosquitto.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/hosts/mqtt/mosquitto.nix b/config/hosts/mqtt/mosquitto.nix
index d093bd8..9bc02b0 100644
--- a/config/hosts/mqtt/mosquitto.nix
+++ b/config/hosts/mqtt/mosquitto.nix
@@ -23,6 +23,7 @@
 topics = [
 "winkekatze/allcats/eye/set in 2"
 "winkekatze/allcats in 2"
+ "+/command in 2 winkekatze/ \"\""
 "+/status out 2 winkekatze/ \"\""
 "+/connected out 2 winkekatze/ \"\""
 ];
From 3fc170389d73312e1ff5477e237a64646d6b2182 Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Sun, 2 Mar 2025 22:00:19 +0100
Subject: [PATCH 27/51] Update to new IPv6 prefix
---
 config/hosts/esphome/networking.nix | 6 +++---
 config/hosts/status/networking.nix | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix
index a2c64d3..32c38f2 100644
--- a/config/hosts/esphome/networking.nix
+++ b/config/hosts/esphome/networking.nix
@@ -11,14 +11,14 @@
 ];
 ipv6.addresses = [
 {
- address = "2a07:c480:0:1d0::66";
+ address = "2a07:c481:1:2::66";
 prefixLength = 64;
 }
 ];
 };
 defaultGateway = "10.31.208.1";
- defaultGateway6 = "2a07:c480:0:1d0::1";
- nameservers = [ "10.31.208.1" "2a07:c480:0:1d0::1" ];
+ defaultGateway6 = "2a07:c481:1:2::66";
+ nameservers = [ "10.31.208.1" "2a07:c481:1:2::66" ];
 search = [ "z9.ccchh.net" ];
 };

diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix
index e7f1932..0a16795 100644
--- a/config/hosts/status/networking.nix
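Review bot: `ENABLE_INTERNAL_SIGNIN = false;` removes the local-password login path, and with `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` and `ENABLE_BASIC_AUTHENTICATION = false` already in the same block, every interactive login now depends on the external SSO source being reachable, yet the hunk does not record how an administrator regains access if that provider is down or misconfigured. A comment on the new line would spare the next operator a search, e.g. `# Web login is SSO-only; if the IdP is unavailable, recover an admin account via the Forgejo admin CLI on the host.` It is also worth confirming that accounts still holding a local password are expected to be unusable from now on, since as far as I can tell this setting disables the login path rather than removing those credentials. The `service` block continues past the end of the hunk.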
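Review bot: The new `"+/command in 2 winkekatze/ \"\""` entry widens the inbound mapping from the two fixed `winkekatze/allcats…` topics to every per-cat `winkekatze/<cat>/command` topic, so from here on whoever can publish `+/command` on the remote broker can drive any individual cat, and that is gated by the remote side's authentication and ACLs rather than by anything in this file. A comment above the line would make the trust decision explicit, e.g. `# Inbound: the remote broker (winkekatze24.de) may publish commands to every local cat; its ACLs decide who can do so.` Please confirm the bridge's remote credentials, configured outside this hunk, belong to a least-privileged account there, and that the local ACL for the bridge connection allows publishing under `winkekatze/` so the mapping actually takes effect. The `topics` list is part of a bridge block whose start and end lie outside the hunk.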
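Review bot: The new `defaultGateway6 = "2a07:c481:1:2::66";` and the v6 entry in `nameservers` point at the host's own address — the same `2a07:c481:1:2::66` assigned as `address` a few lines above — rather than at a router or resolver, so IPv6 default routing and v6 DNS on the esphome host will stop working after this change. The removed values used the `::1` of the prefix and the status host hunk in the same commit keeps that convention (`2a07:c481:1:1::1`), so these lines should presumably read `defaultGateway6 = "2a07:c481:1:2::1";` and `nameservers = [ "10.31.208.1" "2a07:c481:1:2::1" ];`, assuming the router keeps the `::1` address in the new prefix. The enclosing `networking` block starts outside the hunk.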
+++ b/config/hosts/status/networking.nix
@@ -11,14 +11,14 @@
 ];
 ipv6.addresses = [
 {
- address = "2a07:c480:0:1ce::f";
+ address = "2a07:c481:1:1::a";
 prefixLength = 64;
 }
 ];
 };
 defaultGateway = "10.31.206.1";
- defaultGateway6 = "2a07:c480:0:1ce::1";
- nameservers = [ "10.31.206.1" "2a07:c480:0:1ce::1" ];
+ defaultGateway6 = "2a07:c481:1:1::1";
+ nameservers = [ "10.31.206.1" "2a07:c481:1:1::1" ];
 search = [ "z9.ccchh.net" ];
 };

From be351c6ded795a0ea819d80d548fdab1005e62ce Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Fri, 14 Mar 2025 20:25:19 +0100
Subject: [PATCH 28/51] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'authorizedKeysRepo':
'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
→ 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
• Updated input 'nixos-generators':
'github:nix-community/nixos-generators/d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453' (2025-01-16)
→ 'github:nix-community/nixos-generators/507911df8c35939050ae324caccc7cf4ffb76565' (2025-03-02)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/c618e28f70257593de75a7044438efc1c1fc0791' (2025-02-17)
→ 'github:nixos/nixpkgs/68612419aa6c9fd5b178b81e6fabbdf46d300ea4' (2025-03-14)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/07af005bb7d60c7f118d9d9f5530485da5d1e975' (2025-02-11)
→ 'github:Mic92/sops-nix/d016ce0365b87d848a57c12ffcfdc71da7a2b55f' (2025-03-13)
---
 flake.lock | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/flake.lock b/flake.lock
index d6bc2dc..ef7bc8d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
 "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
 "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
 "type": "tarball",
- "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
+ "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
 },
 "original": {
 "type": "tarball",
@@ -35,11 +35,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1737057290,
- "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
+ "lastModified": 1740947705,
+ "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
+ "rev": "507911df8c35939050ae324caccc7cf4ffb76565",
 "type": "github"
 },
 "original": {
@@ -66,11 +66,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1739758141,
- "narHash": "sha256-uq6A2L7o1/tR6VfmYhZWoVAwb3gTy7j4Jx30MIrH0rE=",
+ "lastModified": 1741969460,
+ "narHash": "sha256-SCNxTTBfMJV7XuTcLUfdAd6cgCGsazzi+DoPrceQrZ0=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "c618e28f70257593de75a7044438efc1c1fc0791",
+ "rev": "68612419aa6c9fd5b178b81e6fabbdf46d300ea4",
 "type": "github"
 },
 "original": {
@@ -95,11 +95,11 @@
 ]
 },
 "locked": {
- "lastModified": 1739262228,
- "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
+ "lastModified": 1741861888,
+ "narHash": "sha256-ynOgXAyToeE1UdLNfrUn/hL7MN0OpIS2BtNdLjpjPf0=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
+ "rev": "d016ce0365b87d848a57c12ffcfdc71da7a2b55f",
 "type": "github"
 },
 "original": {
From 15f69c20a4514c3f4249613cd4ab0c819a6d7819 Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Fri, 14 Mar 2025 20:33:29 +0100
Subject: [PATCH 29/51] bump element version
---
 .../virtualHosts/element.hamburg.ccc.de.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
index 1836f25..3c85954 100644
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@@ -1,10 +1,10 @@
 { pkgs, ... }:

 let
- elementWebVersion = "1.11.84";
+ elementWebVersion = "1.11.95";
 element-web = pkgs.fetchzip {
- url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
- sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4=";
+ url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
+ sha256 = "sha256-Bs1oYfJ5xXNpQJL92U0/3s979DKfdSZsBo5febp4QGc=";
 };
 elementSecurityHeaders = ''
 # Configuration best practices
From 341d839265a7d26cb90ce61a8354831d23a6de4e Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Mon, 14 Apr 2025 20:47:51 +0200
Subject: [PATCH 30/51] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixos-generators':
'github:nix-community/nixos-generators/507911df8c35939050ae324caccc7cf4ffb76565' (2025-03-02)
→ 'github:nix-community/nixos-generators/42ee229088490e3777ed7d1162cb9e9d8c3dbb11' (2025-03-21)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/68612419aa6c9fd5b178b81e6fabbdf46d300ea4' (2025-03-14)
→ 'github:nixos/nixpkgs/260f6989b03d130d64d521445892dd47f8ea545a' (2025-04-13)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/d016ce0365b87d848a57c12ffcfdc71da7a2b55f' (2025-03-13)
→ 'github:Mic92/sops-nix/7e147a1ae90f0d4a374938cdc3df3cdaecb9d388' (2025-04-13)
---
 flake.lock | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/flake.lock b/flake.lock
index ef7bc8d..214f589 100644
--- a/flake.lock
+++ b/flake.lock
@@ -35,11 +35,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1740947705,
- "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=",
+ "lastModified": 1742568034,
+ "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "507911df8c35939050ae324caccc7cf4ffb76565",
+ "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
 "type": "github"
 },
 "original": {
@@ -66,11 +66,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1741969460,
- "narHash": "sha256-SCNxTTBfMJV7XuTcLUfdAd6cgCGsazzi+DoPrceQrZ0=",
+ "lastModified": 1744568866,
+ "narHash": "sha256-9I7fRg0vp1oGagbkUszgP6zPjG18qY1HQtdvkJwp5Jo=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "68612419aa6c9fd5b178b81e6fabbdf46d300ea4",
+ "rev": "260f6989b03d130d64d521445892dd47f8ea545a",
 "type": "github"
 },
 "original": {
@@ -95,11 +95,11 @@
 ]
 },
 "locked": {
- "lastModified": 1741861888,
- "narHash": "sha256-ynOgXAyToeE1UdLNfrUn/hL7MN0OpIS2BtNdLjpjPf0=",
+ "lastModified": 1744518500,
+ "narHash": "sha256-lv52pnfiRGp5+xkZEgWr56DWiRgkMFXpiGba3eJ3krE=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "d016ce0365b87d848a57c12ffcfdc71da7a2b55f",
+ "rev": "7e147a1ae90f0d4a374938cdc3df3cdaecb9d388",
 "type": "github"
 },
 "original": {
From e61fbec5efd76e393f5b06c24c3ab1bfadf33759 Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Mon, 14 Apr 2025 21:28:59 +0200
Subject: [PATCH 31/51] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/260f6989b03d130d64d521445892dd47f8ea545a' (2025-04-13)
→ 'github:nixos/nixpkgs/26d499fc9f1d567283d5d56fcf367edd815dba1d' (2025-04-12)
---
 flake.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/flake.lock b/flake.lock
index 214f589..3e957bb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -66,16 +66,16 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1744568866,
- "narHash": "sha256-9I7fRg0vp1oGagbkUszgP6zPjG18qY1HQtdvkJwp5Jo=",
+ "lastModified": 1744440957,
+ "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "260f6989b03d130d64d521445892dd47f8ea545a",
+ "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixos-24.11-small",
+ "ref": "nixos-24.11",
 "repo": "nixpkgs",
 "type": "github"
 }
From aee3f4b385a7e955268e9585f95b0e750ee00c88 Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Sat, 19 Apr 2025 15:01:59 +0200
Subject: [PATCH 32/51] c3cat fix
---
 config/hosts/public-web-static/virtualHosts/c3cat.de.nix | 8 ++++++++
 flake.lock | 6 +++---
 flake.nix | 2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
index 91d3a40..ff59fab 100644
--- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
@@ -40,6 +40,10 @@ in {
 return = "302 https://c3cat.de$request_uri";
 };

+ locations."/manuals/eh22-rgb-ears" = {
+ return = "307 https://www.c3cat.de/rgb-ears.html";
+ };
+
 extraConfig = ''
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
@@ -67,6 +71,10 @@ in {

 root = "${dataDir}";

+ locations."/manuals/eh22-rgb-ears" = {
+ return = "307 https://c3cat.de/rgb-ears.html";
+ };
+
 extraConfig = ''
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
diff --git a/flake.lock b/flake.lock
index 3e957bb..00e5e12 100644
--- a/flake.lock
+++ b/flake.lock
@@ -95,11 +95,11 @@
 ]
 },
 "locked": {
- "lastModified": 1744518500,
- "narHash": "sha256-lv52pnfiRGp5+xkZEgWr56DWiRgkMFXpiGba3eJ3krE=",
+ "lastModified": 1744669848,
+ "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "7e147a1ae90f0d4a374938cdc3df3cdaecb9d388",
+ "rev": "61154300d945f0b147b30d24ddcafa159148026a",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index d7bda34..2c34373 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,7 +5,7 @@
 # Use the NixOS small channels for nixpkgs.
 # https://nixos.org/manual/nixos/stable/#sec-upgrading
 # https://github.com/NixOS/nixpkgs
- nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";

 # Add nixos-generators as an input.
 # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
From 2c3b7854891e6e940c7eacfc83e5a759aa368af3 Mon Sep 17 00:00:00 2001
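Review bot: `locations."/manuals/eh22-rgb-ears"` is an nginx prefix match, so it also captures paths such as `/manuals/eh22-rgb-ears-v2` or `/manuals/eh22-rgb-ears/anything` and redirects them to the same page; if only that one manual URL is meant, the exact form `locations."= /manuals/eh22-rgb-ears"` is tighter, and the same applies to the second hunk (`@@ -67,6 +71,10 @@`). The two hunks also redirect to different hosts — `https://www.c3cat.de/rgb-ears.html` in the first and `https://c3cat.de/rgb-ears.html` in the second — and the first sits in a vhost that appears to send everything to `https://c3cat.de$request_uri`, so a visitor there likely takes two hops; pointing both at `https://c3cat.de/rgb-ears.html` would be consistent unless the www host is meant to serve the page itself. Both `locations` blocks are inside virtualHost attribute sets whose boundaries lie outside the hunks.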
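Review bot: The comment directly above the changed line, `# Use the NixOS small channels for nixpkgs.`, is now wrong: the input moves from `nixos-24.11-small` to `nixos-24.11`, which is the full (non-small) channel. Either update it to `# Use the NixOS stable channel for nixpkgs.` or, if the switch is meant to be temporary, say why, since the commit title ("c3cat fix") does not explain the channel change. The previous commit already changed the lock's `ref` to `nixos-24.11`, so this line brings flake.nix back into agreement with flake.lock; a short note to that effect in the commit message would help anyone bisecting later.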
From: June
Date: Wed, 23 Apr 2025 19:04:21 +0200
Subject: [PATCH 33/51] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'authorizedKeysRepo':
'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D&rev=686a6af22f6696f0c0595c56f463c078550049fc' (2024-11-10)
→ 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/26d499fc9f1d567283d5d56fcf367edd815dba1d?narHash=sha256-FHlSkNqFmPxPJvy%2B6fNLaNeWnF1lZSgqVCl/eWaJRc4%3D' (2025-04-12)
→ 'github:nixos/nixpkgs/9684b53175fc6c09581e94cc85f05ab77464c7e3?narHash=sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo%3D' (2025-04-21)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/61154300d945f0b147b30d24ddcafa159148026a?narHash=sha256-pXyanHLUzLNd3MX9vsWG%2B6Z2hTU8niyphWstYEP3/GU%3D' (2025-04-14)
→ 'github:Mic92/sops-nix/5e3e92b16d6fdf9923425a8d4df7496b2434f39c?narHash=sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA%3D' (2025-04-22)
---
 flake.lock | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/flake.lock b/flake.lock
index 00e5e12..7591512 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,7 +7,7 @@
 "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
 "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
 "type": "tarball",
- "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
+ "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
 },
 "original": {
 "type": "tarball",
@@ -66,11 +66,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1744440957,
- "narHash": "sha256-FHlSkNqFmPxPJvy+6fNLaNeWnF1lZSgqVCl/eWaJRc4=",
+ "lastModified": 1745279238,
+ "narHash": "sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "26d499fc9f1d567283d5d56fcf367edd815dba1d",
+ "rev": "9684b53175fc6c09581e94cc85f05ab77464c7e3",
 "type": "github"
 },
 "original": {
@@ -95,11 +95,11 @@
 ]
 },
 "locked": {
- "lastModified": 1744669848,
- "narHash": "sha256-pXyanHLUzLNd3MX9vsWG+6Z2hTU8niyphWstYEP3/GU=",
+ "lastModified": 1745310711,
+ "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "61154300d945f0b147b30d24ddcafa159148026a",
+ "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
 "type": "github"
 },
 "original": {
From 2395748e7a0ab46910c98d62e8297ad51bc628e9 Mon Sep 17 00:00:00 2001
From: June
Date: Mon, 28 Apr 2025 20:50:42 +0200
Subject: [PATCH 34/51] esphome: set new v6 address
---
 config/hosts/esphome/networking.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/hosts/esphome/networking.nix b/config/hosts/esphome/networking.nix
index 32c38f2..8a84112 100644
--- a/config/hosts/esphome/networking.nix
+++ b/config/hosts/esphome/networking.nix
@@ -11,14 +11,14 @@
 ];
 ipv6.addresses = [
 {
- address = "2a07:c481:1:2::66";
+ address = "2a07:c481:1:d0::66";
 prefixLength = 64;
 }
 ];
 };
 defaultGateway = "10.31.208.1";
- defaultGateway6 = "2a07:c481:1:2::66";
- nameservers = [ "10.31.208.1" "2a07:c481:1:2::66" ];
+ defaultGateway6 = "2a07:c481:1:d0::1";
+ nameservers = [ "10.31.208.1" "2a07:c481:1:d0::1" ];
 search = [ "z9.ccchh.net" ];
 };

From f2a174750777b40dc55803f0f06853b1472ab1ff Mon Sep 17 00:00:00 2001
From: June
Date: Mon, 28 Apr 2025 21:46:00 +0200
Subject: [PATCH 35/51] status: set new v6 address
---
 config/hosts/status/networking.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix
index 0a16795..0bff4b5 100644
--- a/config/hosts/status/networking.nix
+++ b/config/hosts/status/networking.nix
@@ -11,14 +11,14 @@
 ];
 ipv6.addresses = [
 {
- address = "2a07:c481:1:1::a";
+ address = "2a07:c481:1:ce::a";
 prefixLength = 64;
 }
 ];
 };
 defaultGateway = "10.31.206.1";
- defaultGateway6 = "2a07:c481:1:1::1";
- nameservers = [ "10.31.206.1" "2a07:c481:1:1::1" ];
+ defaultGateway6 = "2a07:c481:1:ce::1";
+ nameservers = [ "10.31.206.1" "2a07:c481:1:ce::1" ];
 search = [ "z9.ccchh.net" ];
 };

From 3803d6038e7d044a4ea50d72772e188e9f374318 Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Tue, 20 May 2025 19:39:46 +0200
Subject: [PATCH 36/51] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'authorizedKeysRepo':
'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?narHash=sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc%3D' (2024-11-10)
→ 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?narHash=sha256-GMU6gfG1%2B3OjTuoiIYQg9yefzrz%2BRVVesqXa8jmOuCE%3D&rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6' (2025-04-28)
• Updated input 'nixos-generators':
'github:nix-community/nixos-generators/42ee229088490e3777ed7d1162cb9e9d8c3dbb11' (2025-03-21)
→ 'github:nix-community/nixos-generators/ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc' (2025-05-19)
• Updated input 'nixpkgs':
'github:nixos/nixpkgs/9684b53175fc6c09581e94cc85f05ab77464c7e3' (2025-04-21)
→ 'github:nixos/nixpkgs/9b5ac7ad45298d58640540d0323ca217f32a6762' (2025-05-17)
• Updated input 'sops-nix':
'github:Mic92/sops-nix/5e3e92b16d6fdf9923425a8d4df7496b2434f39c' (2025-04-22)
→ 'github:Mic92/sops-nix/8d215e1c981be3aa37e47aeabd4e61bb069548fd' (2025-05-18)
---
 flake.lock | 28 ++++++++++++++--------------
 flake.nix | 2 +-
 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/flake.lock b/flake.lock
index 7591512..57a29de 100644
--- a/flake.lock
+++ b/flake.lock
@@ -3,15 +3,15 @@
 "authorizedKeysRepo": {
 "flake": false,
 "locked": {
- "lastModified": 1731276342,
- "narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
- "rev": "686a6af22f6696f0c0595c56f463c078550049fc",
+ "lastModified": 1745870473,
+ "narHash": "sha256-GMU6gfG1+3OjTuoiIYQg9yefzrz+RVVesqXa8jmOuCE=",
+ "rev": "fc95460e9e6ae759b2b08c93b10a8e010e9e14e6",
 "type": "tarball",
- "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
+ "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6"
 },
 "original": {
 "type": "tarball",
- "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
+ "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz"
 }
 },
 "nixlib": {
@@ -35,11 +35,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1742568034,
- "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=",
+ "lastModified": 1747663185,
+ "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11",
+ "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
 "type": "github"
 },
 "original": {
@@ -66,11 +66,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1745279238,
- "narHash": "sha256-AQ7M9wTa/Pa/kK5pcGTgX/DGqMHyzsyINfN7ktsI7Fo=",
+ "lastModified": 1747485343,
+ "narHash": "sha256-YbsZyuRE1tobO9sv0PUwg81QryYo3L1F3R3rF9bcG38=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "9684b53175fc6c09581e94cc85f05ab77464c7e3",
+ "rev": "9b5ac7ad45298d58640540d0323ca217f32a6762",
 "type": "github"
 },
 "original": {
@@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1745310711, - "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=", + "lastModified": 1747603214, + "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c", + "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 2c34373..a95ee8e 100644 --- a/flake.nix +++ b/flake.nix @@ -22,7 +22,7 @@ }; authorizedKeysRepo = { - url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"; + url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz"; flake = false; }; }; From bb9653657e59fb664d3f6f0807f8227f353843c7 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Mon, 2 Jun 2025 19:43:15 +0200 Subject: [PATCH 37/51] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/9b5ac7ad45298d58640540d0323ca217f32a6762' (2025-05-17) → 'github:nixos/nixpkgs/78add7b7abb61689e34fc23070a8f55e1d26185b' (2025-05-28) • Added input 'nixpkgs-25-05': 'github:nixos/nixpkgs/a59eb7800787c926045d51b70982ae285faa2346' (2025-05-31) --- flake.lock | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 57a29de..c3f607b 100644 --- a/flake.lock +++ b/flake.lock 
@@ -64,13 +64,29 @@ "type": "github" } }, - "nixpkgs_2": { + "nixpkgs-25-05": { "locked": { - "lastModified": 1747485343, - "narHash": "sha256-YbsZyuRE1tobO9sv0PUwg81QryYo3L1F3R3rF9bcG38=", + "lastModified": 1748708770, + "narHash": "sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9b5ac7ad45298d58640540d0323ca217f32a6762", + "rev": "a59eb7800787c926045d51b70982ae285faa2346", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1748421225, + "narHash": "sha256-XXILOc80tvlvEQgYpYFnze8MkQQmp3eQxFbTzb3m/R0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "78add7b7abb61689e34fc23070a8f55e1d26185b", "type": "github" }, "original": { @@ -85,6 +101,7 @@ "authorizedKeysRepo": "authorizedKeysRepo", "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs_2", + "nixpkgs-25-05": "nixpkgs-25-05", "sops-nix": "sops-nix" } }, From 8440b4e1ea3b8a1f6b2292e74c410ca1c5411bba Mon Sep 17 00:00:00 2001 From: c6ristian Date: Mon, 2 Jun 2025 19:45:08 +0200 Subject: [PATCH 38/51] woodpecker nixos25.05 --- flake.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index a95ee8e..728fb5e 100644 --- a/flake.nix +++ b/flake.nix @@ -7,6 +7,8 @@ # https://github.com/NixOS/nixpkgs nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; + nixpkgs-25-05.url = "github:nixos/nixpkgs/nixos-25.05"; + # Add nixos-generators as an input. # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake nixos-generators = { @@ -27,7 +29,7 @@ }; }; - outputs = { self, nixpkgs, nixos-generators, sops-nix, authorizedKeysRepo, ... }: + outputs = { self, nixpkgs, nixpkgs-25-05, nixos-generators, sops-nix, authorizedKeysRepo, ... }: let specialArgs = { inherit authorizedKeysRepo; 
@@ -160,7 +162,7 @@ ]; }; - woodpecker = nixpkgs.lib.nixosSystem { + woodpecker = nixpkgs-25-05.lib.nixosSystem { inherit system specialArgs; modules = [ self.nixosModules.common From 2fda28ca5dce464d806019b7bb6e1fb238668a7c Mon Sep 17 00:00:00 2001 From: June Date: Sat, 14 Jun 2025 17:32:27 +0200 Subject: [PATCH 39/51] Upgrade to NixOS 25.05 --- flake.lock | 25 ++++--------------------- flake.nix | 8 +++----- 2 files changed, 7 insertions(+), 26 deletions(-) diff --git a/flake.lock b/flake.lock index c3f607b..d8bfc27 100644 --- a/flake.lock +++ b/flake.lock @@ -64,13 +64,13 @@ "type": "github" } }, - "nixpkgs-25-05": { + "nixpkgs_2": { "locked": { - "lastModified": 1748708770, - "narHash": "sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY=", + "lastModified": 1749727998, + "narHash": "sha256-mHv/yeUbmL91/TvV95p+mBVahm9mdQMJoqaTVTALaFw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a59eb7800787c926045d51b70982ae285faa2346", + "rev": "fd487183437963a59ba763c0cc4f27e3447dd6dd", "type": "github" }, "original": { @@ -80,28 +80,11 @@ "type": "github" } }, - "nixpkgs_2": { - "locked": { - "lastModified": 1748421225, - "narHash": "sha256-XXILOc80tvlvEQgYpYFnze8MkQQmp3eQxFbTzb3m/R0=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "78add7b7abb61689e34fc23070a8f55e1d26185b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, "root": { "inputs": { "authorizedKeysRepo": "authorizedKeysRepo", "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs_2", - "nixpkgs-25-05": "nixpkgs-25-05", "sops-nix": "sops-nix" } }, diff --git a/flake.nix b/flake.nix index 728fb5e..53bf4ca 100644 --- a/flake.nix +++ b/flake.nix 
@@ -5,9 +5,7 @@ # Use the NixOS small channels for nixpkgs. # https://nixos.org/manual/nixos/stable/#sec-upgrading # https://github.com/NixOS/nixpkgs - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; - - nixpkgs-25-05.url = "github:nixos/nixpkgs/nixos-25.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; # Add nixos-generators as an input. # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake @@ -29,7 +27,7 @@ }; }; - outputs = { self, nixpkgs, nixpkgs-25-05, nixos-generators, sops-nix, authorizedKeysRepo, ... }: + outputs = { self, nixpkgs, nixos-generators, sops-nix, authorizedKeysRepo, ... }: let specialArgs = { inherit authorizedKeysRepo; @@ -162,7 +160,7 @@ ]; }; - woodpecker = nixpkgs-25-05.lib.nixosSystem { + woodpecker = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ self.nixosModules.common From 7d7e45750f419098ce5673454d8bea09a8130f0c Mon Sep 17 00:00:00 2001 From: c6ristian Date: Tue, 24 Jun 2025 22:36:36 +0200 Subject: [PATCH 40/51] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/fd487183437963a59ba763c0cc4f27e3447dd6dd' (2025-06-12) → 'github:nixos/nixpkgs/c7ab75210cb8cb16ddd8f290755d9558edde7ee1' (2025-06-22) • Updated input 'sops-nix': 'github:Mic92/sops-nix/8d215e1c981be3aa37e47aeabd4e61bb069548fd' (2025-05-18) → 'github:Mic92/sops-nix/77c423a03b9b2b79709ea2cb63336312e78b72e2' (2025-06-17) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index d8bfc27..d14aa58 100644 --- a/flake.lock +++ b/flake.lock 
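Review bot: The comment kept as context above the new `nixpkgs.url` line still says "Use the NixOS small channels for nixpkgs", but the ref this change pins is `nixos-25.05`, not `nixos-25.05-small`, so the comment and the pin disagree just as they did for 24.11. Either switch the input to `github:nixos/nixpkgs/nixos-25.05-small` or correct the comment to match, e.g. `# Use the NixOS 25.05 stable channel for nixpkgs.`; the manual link above it covers channel upgrades either way. The inputs attribute set continues outside the hunk.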
@@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1749727998, - "narHash": "sha256-mHv/yeUbmL91/TvV95p+mBVahm9mdQMJoqaTVTALaFw=", + "lastModified": 1750622754, + "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "fd487183437963a59ba763c0cc4f27e3447dd6dd", + "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1", "type": "github" }, "original": { @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1747603214, - "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=", + "lastModified": 1750119275, + "narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=", "owner": "Mic92", "repo": "sops-nix", - "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd", + "rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2", "type": "github" }, "original": { From f541a5dd6aaabffc94f22bce00f532ea339f985c Mon Sep 17 00:00:00 2001 From: c6ristian Date: Fri, 18 Jul 2025 21:33:30 +0200 Subject: [PATCH 41/51] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc' (2025-05-19) → 'github:nix-community/nixos-generators/032decf9db65efed428afd2fa39d80f7089085eb' (2025-07-07) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/c7ab75210cb8cb16ddd8f290755d9558edde7ee1' (2025-06-22) → 'github:nixos/nixpkgs/32a4e87942101f1c9f9865e04dc3ddb175f5f32e' (2025-07-15) • Updated input 'sops-nix': 'github:Mic92/sops-nix/77c423a03b9b2b79709ea2cb63336312e78b72e2' (2025-06-17) → 'github:Mic92/sops-nix/2c8def626f54708a9c38a5861866660395bb3461' (2025-07-15) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index d14aa58..2ab41bb 100644 --- a/flake.lock +++ b/flake.lock 
@@ -35,11 +35,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1747663185, - "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=", + "lastModified": 1751903740, + "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc", + "rev": "032decf9db65efed428afd2fa39d80f7089085eb", "type": "github" }, "original": { @@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1750622754, - "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=", + "lastModified": 1752620740, + "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1", + "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e", "type": "github" }, "original": { @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1750119275, - "narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=", + "lastModified": 1752544651, + "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", "owner": "Mic92", "repo": "sops-nix", - "rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2", + "rev": "2c8def626f54708a9c38a5861866660395bb3461", "type": "github" }, "original": { From 0383e604a42d9f03a4270c84e6da4b7ad5689aaa Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sat, 19 Jul 2025 20:59:07 +0200 Subject: [PATCH 42/51] element update --- .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix index 3c85954..d0da920 100644 --- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix 
@@ -1,10 +1,10 @@ { pkgs, ... }: let - elementWebVersion = "1.11.95"; + elementWebVersion = "1.11.106"; element-web = pkgs.fetchzip { url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-Bs1oYfJ5xXNpQJL92U0/3s979DKfdSZsBo5febp4QGc="; + sha256 = "sha256-5E6za7G7Olia5VzOnBjYMeGJ2Xifqx+vDmCFgNLaRZo="; }; elementSecurityHeaders = '' # Configuration best practices From a0d0d24d91dfad6c33f286f43785778a801c1a1c Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sun, 20 Jul 2025 20:35:02 +0200 Subject: [PATCH 43/51] sops updatekeys junes new key --- .sops.yaml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 9a6ae2d..cc9178f 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -3,7 +3,7 @@ keys: - &admin_gpg_stb F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - &admin_gpg_jtbx 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - &admin_gpg_yuri 87AB00D45D37C9E9167B5A5A333448678B60E505 - - &admin_gpg_june 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - &admin_gpg_june 057870A2C72CD82566A3EC983695F4FCBCAE4912 - &admin_gpg_haegar F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - &admin_gpg_dario 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - &admin_gpg_echtnurich 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A @@ -32,7 +32,6 @@ creation_rules: - *admin_gpg_echtnurich - *admin_gpg_max - *admin_gpg_c6ristian - - *admin_gpg_dante age: - *host_age_git - path_regex: config/hosts/forgejo-actions-runner/.* @@ -48,7 +47,6 @@ creation_rules: - *admin_gpg_echtnurich - *admin_gpg_max - *admin_gpg_c6ristian - - *admin_gpg_dante age: - *host_age_forgejo_actions_runner - path_regex: config/hosts/matrix/.* @@ -64,7 +62,6 @@ creation_rules: - *admin_gpg_echtnurich - *admin_gpg_max - *admin_gpg_c6ristian - - *admin_gpg_dante age: - *host_age_matrix - path_regex: config/hosts/public-web-static/.* 
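Review bot: Replacing the `admin_gpg_june` fingerprint and dropping `*admin_gpg_dante` from the `creation_rules` only changes which recipients future encryptions use; the diffstat shows `.sops.yaml` as the only file in this commit, so the encrypted secrets themselves still carry the previous recipient set until `sops updatekeys` is run on them and the result committed (if that happened separately, a sentence in the commit message saying so would make it auditable). Dropping a recipient also does not take away what that key can already decrypt, because the existing data keys were wrapped for it; if the `dante` removal is meant as revocation, the affected secrets need a data-key rotation (`sops --rotate`) rather than just `updatekeys`. The same `- - *admin_gpg_dante` removal recurs in every later `creation_rules` hunk of this file, including those on the next line.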
@@ -80,7 +77,6 @@ creation_rules:
 - *admin_gpg_echtnurich
 - *admin_gpg_max
 - *admin_gpg_c6ristian
- - *admin_gpg_dante
 age:
 - *host_age_public_web_static
 - path_regex: config/hosts/mjolnir/.*
@@ -96,7 +92,6 @@ creation_rules:
 - *admin_gpg_echtnurich
 - *admin_gpg_max
 - *admin_gpg_c6ristian
- - *admin_gpg_dante
 age:
 - *host_age_mjolnir
 - path_regex: config/hosts/woodpecker/.*
@@ -112,7 +107,6 @@ creation_rules:
 - *admin_gpg_echtnurich
 - *admin_gpg_max
 - *admin_gpg_c6ristian
- - *admin_gpg_dante
 age:
 - *host_age_woodpecker
 - path_regex: config/hosts/penpot/.*
@@ -128,7 +122,6 @@ creation_rules:
 - *admin_gpg_echtnurich
 - *admin_gpg_max
 - *admin_gpg_c6ristian
- - *admin_gpg_dante
 age:
 - *host_age_penpot
 - path_regex: config/hosts/yate/.*
@@ -144,7 +137,6 @@ creation_rules:
 - *admin_gpg_echtnurich
 - *admin_gpg_max
 - *admin_gpg_c6ristian
- - *admin_gpg_dante
 age:
 - *host_age_yate
 - key_groups:
@@ -159,7 +151,6 @@ creation_rules:
 - *admin_gpg_echtnurich
 - *admin_gpg_max
 - *admin_gpg_c6ristian
- - *admin_gpg_dante
 stores:
 yaml:
 indent: 2
From 44c1b795979ae71710a2c202cb97af2f4720df5b Mon Sep 17 00:00:00 2001
From: June
Date: Wed, 23 Jul 2025 20:53:55 +0200
Subject: [PATCH 44/51] Add cryptoparty-hamburg.de static web host and a staging environment
Also redirect cryptoparty.hamburg.ccc.de there.
---
 .../virtualHosts/cryptoparty-hamburg.de.nix | 97 +++++++++++++++++++
 .../virtualHosts/default.nix | 2 +
 .../staging.cryptoparty-hamburg.de.nix | 94 ++++++++++++++++++
 3 files changed, 193 insertions(+)
 create mode 100644 config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix
 create mode 100644 config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix
diff --git a/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix b/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix
new file mode 100644
index 0000000..37d95b9
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix
@@ -0,0 +1,97 @@
+{ ... }:
+
+let
+ domain = "cryptoparty-hamburg.de";
+ dataDir = "/var/www/${domain}";
+ deployUser = "cryptoparty-website-deploy";
+in
+{
+ security.acme.certs."${domain}".extraDomainNames = [
+ "cryptoparty.hamburg.ccc.de"
+ ];
+
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "cryptoparty.hamburg.ccc.de" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ locations."/".return = "302 https://${domain}$request_uri";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ error_page 404 /404.html;
+
+ port_in_redirect off;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ users.users."${deployUser}" = {
+ isNormalUser = true;
+ group = "${deployUser}";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICz+Lxi9scblM/SKJq4nl64UwvVn8SuF2xmzOuyQrzR+ deploy key for cryptoparty-hamburg.de"
+ ];
+ };
+ users.groups."${deployUser}" = { };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index c9d77ef..59e69e6 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -4,12 +4,14 @@ imports = [
 ./branding-resources.hamburg.ccc.de.nix
 ./c3cat.de.nix
+ ./cryptoparty-hamburg.de.nix
 ./element.hamburg.ccc.de.nix
 ./hacker.tours.nix
 ./hackertours.hamburg.ccc.de.nix
 ./hamburg.ccc.de.nix
 ./spaceapi.hamburg.ccc.de.nix
 ./staging.c3cat.de.nix
+ ./staging.cryptoparty-hamburg.de.nix
 ./staging.hacker.tours.nix
 ./staging.hackertours.hamburg.ccc.de.nix
 ./staging.hamburg.ccc.de.nix
diff --git a/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix b/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix
new file mode 100644
index 0000000..6733dad
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix
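Review bot: The key placed in `openssh.authorizedKeys.keys` for `cryptoparty-website-deploy` carries no options and the account is `isNormalUser = true`, so whoever holds it gets a full interactive shell on the web host, not just write access to `/var/www/cryptoparty-hamburg.de`. Prefixing the entry with OpenSSH's `restrict` option (plus a `command=` when the deployment is rsync- or sftp-based) confines a leaked deploy key to the docroot: `"restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICz+Lxi9scblM/SKJq4nl64UwvVn8SuF2xmzOuyQrzR+ deploy key for cryptoparty-hamburg.de"`. Also worth a comment: `set_real_ip_from 172.31.17.140;` is what makes the `proxyProtocol = true` listeners on `0.0.0.0:8443` accept client addresses from the PROXY header, so a line such as `# Only the proxy-protocol frontend may supply client addresses; keep in sync with its firewall rules.` tells the next maintainer why this address is hard-coded twice here and twice more in the staging file.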
@@ -0,0 +1,94 @@
+{ ... }:
+
+let
+ domain = "staging.cryptoparty-hamburg.de";
+ dataDir = "/var/www/${domain}";
+ deployUser = "cryptoparty-website-deploy";
+in
+{
+ security.acme.certs."${domain}".extraDomainNames = [
+ "staging.cryptoparty.hamburg.ccc.de"
+ ];
+
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "staging.cryptoparty.hamburg.ccc.de" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ locations."/".return = "302 https://${domain}$request_uri";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ # Disallow *, since this is staging and doesn't need to be in any search
+ # results.
+ locations."/robots.txt" = {
+ return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ port_in_redirect off;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ # Cryptoparty website deploy user already defined in cryptoparty-hamburg.de.nix.
+}
From 071eb88afa67740f792a6e7fb7612509ef596acb Mon Sep 17 00:00:00 2001
From: June
Date: Thu, 24 Jul 2025 02:15:19 +0200
Subject: [PATCH 45/51] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'authorizedKeysRepo': 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?narHash=sha256-GMU6gfG1%2B3OjTuoiIYQg9yefzrz%2BRVVesqXa8jmOuCE%3D&rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6' (2025-04-28) → 'https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?narHash=sha256-GMU6gfG1%2B3OjTuoiIYQg9yefzrz%2BRVVesqXa8jmOuCE%3D' (2025-04-28)
• Updated input 'nixpkgs': 'github:nixos/nixpkgs/32a4e87942101f1c9f9865e04dc3ddb175f5f32e?narHash=sha256-f3pO%2B9lg66mV7IMmmIqG4PL3223TYMlnlw%2Bpnpelbss%3D' (2025-07-15) → 'github:nixos/nixpkgs/92c2e04a475523e723c67ef872d8037379073681?narHash=sha256-yLuz5cz5Z%2Bsn8DRAfNkrd2Z1cV6DaYO9JMrEz4KZo/c%3D' (2025-07-21)
---
 flake.lock | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/flake.lock b/flake.lock
index 2ab41bb..559f116 100644
--- a/flake.lock
+++ b/flake.lock
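Review bot: The `robots.txt` served from `locations."/robots.txt"` says `Disallow: *`, but in the robots exclusion standard a `Disallow` value is a URL path prefix; `*` is only honoured as a wildcard by crawlers implementing that extension, so the portable way to keep the whole staging site out of indexes is `Disallow: /`: `return = "200 \"User-agent: *\\nDisallow: /\\n\"";` (with the comment above it adjusted to match). The file also reuses `deployUser = "cryptoparty-website-deploy"`, relying, as the closing comment says, on the user being declared in `cryptoparty-hamburg.de.nix`; that means the staging deploy key can write the production docroot too, and the `systemd.tmpfiles.rules` entry here loses its owner if the production file is ever dropped from `default.nix`. A per-environment deploy user, or at least a note in the production file that staging depends on it, would decouple the two.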
@@ -7,7 +7,7 @@ "narHash": "sha256-GMU6gfG1+3OjTuoiIYQg9yefzrz+RVVesqXa8jmOuCE=", "rev": "fc95460e9e6ae759b2b08c93b10a8e010e9e14e6", "type": "tarball", - "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz?rev=fc95460e9e6ae759b2b08c93b10a8e010e9e14e6" + "url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz" }, "original": { "type": "tarball", @@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1752620740, - "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=", + "lastModified": 1753115646, + "narHash": "sha256-yLuz5cz5Z+sn8DRAfNkrd2Z1cV6DaYO9JMrEz4KZo/c=", "owner": "nixos", "repo": "nixpkgs", - "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e", + "rev": "92c2e04a475523e723c67ef872d8037379073681", "type": "github" }, "original": { From df365e67f98be2882280e79aff4834e6158e1ab8 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 11 Aug 2025 04:18:41 +0200 Subject: [PATCH 46/51] audio: fix librespot playback and use avahi for mDNS Fix librespot playback by building the dev branch and applying the changes from librespot PR 1528 (https://github.com/librespot-org/librespot/pull/1528) fixing librespot issue 1527 (https://github.com/librespot-org/librespot/issues/1527). Also make librespot use Avahi, since shairport-sync already uses that. --- README.md | 2 +- flake.nix | 24 ++ modules/services/audio/librespot.nix | 6 +- .../librespot_PR1528_conflicts_resolved.patch | 223 ++++++++++++++++++ 4 files changed, 251 insertions(+), 4 deletions(-) create mode 100644 patches/librespot_PR1528_conflicts_resolved.patch diff --git a/README.md b/README.md index def4e60..34690bd 100644 --- a/README.md +++ b/README.md 
@@ -77,4 +77,4 @@ nix build .#proxmox-chaosknoten-nixos-template ## License This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE). -[`0001_oidc_group_and_role_mapping_custom_pipeline.patch`](patches/0001_oidc_group_and_role_mapping_custom_pipeline.patch) is licensed under the Creative Commons: CC BY-SA 4.0 license. +[`librespot_PR1528_conflicts_resolved.patch`](patches/librespot_PR1528_conflicts_resolved.patch) is a modified version of [librespot PR 1528](https://github.com/librespot-org/librespot/pull/1528) and is licensed under the [MIT license](https://github.com/librespot-org/librespot/blob/dev/LICENSE). diff --git a/flake.nix b/flake.nix index 53bf4ca..39183bf 100644 --- a/flake.nix +++ b/flake.nix @@ -40,6 +40,29 @@ proxmox-vm = ./config/proxmox-vm; prometheus-exporter = ./config/extra/prometheus-exporter.nix; }; + overlays = { + librespotFixOverlay = final: prev: { + librespot = (prev.librespot.override { withAvahi = true; }).overrideAttrs (finalAttrs: prevAttr: rec { + # Build dev branch. + name = "${prevAttr.pname}-${version}"; + version = "dev"; + src = prev.fetchFromGitHub { + owner = "librespot-org"; + repo = "librespot"; + rev = "dev"; + sha256 = "sha256-s9JpIbqXiVXMlhEuIuKio+rD1rM3kc7bAT0+8+5s35w="; + }; + cargoDeps = final.rustPlatform.fetchCargoVendor { + inherit src; + hash = "sha256-Lujz2revTAok9B0hzdl8NVQ5XMRY9ACJzoQHIkIgKMg="; + }; + # Fix librespot failing with "Unable to load audio item: Error { kind: Unavailable, error: StatusCode(500) }". + patches = (prevAttr.patches or []) ++ [ + ./patches/librespot_PR1528_conflicts_resolved.patch + ]; + }); + }; + }; nixosConfigurations = { audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { inherit system specialArgs; @@ -56,6 +79,7 @@ self.nixosModules.common self.nixosModules.proxmox-vm ./config/hosts/audio-hauptraum-tafel + { nixpkgs.overlays = [ self.overlays.librespotFixOverlay ]; } ]; }; 
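Review bot: In the flake.nix hunk `@@ -40,6 +40,29 @@`, `librespotFixOverlay` fetches the source with `rev = "dev"`, a moving branch name, while `sha256` and the `cargoDeps` hash are fixed; the derivation therefore stops building on the next push to `dev` (a hash mismatch, typically discovered on a rebuild of the audio hosts), and nothing in the file records which commit was actually tested with the patch. Pin the commit that was vetted, e.g. `rev = "<librespot dev commit sha>";`, and extend the `# Build dev branch.` comment to say the pin is to be dropped once a librespot release includes PR 1528, which is the condition the commit message gives. The `patches` comment naming the failure mode is good and worth keeping next to the new `src`.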
diff --git a/modules/services/audio/librespot.nix b/modules/services/audio/librespot.nix
index 4c0fadb..3be5c86 100644
--- a/modules/services/audio/librespot.nix
+++ b/modules/services/audio/librespot.nix
@@ -19,11 +19,11 @@ in
 enable = true;
 description = "Spotify Connect Receiver Using librespot";
 unitConfig = {
- Requires = [ "network-online.target" "pipewire.service" ];
- After = [ "network-online.target" "pipewire.service" ];
+ Requires = [ "network-online.target" "pipewire.service" "avahi-daemon.service" ];
+ After = [ "network-online.target" "pipewire.service" "avahi-daemon.service" ];
 };
 serviceConfig = {
- ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache";
+ ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache --zeroconf-backend avahi";
 User = "librespot";
 Group = "librespot";
 };
diff --git a/patches/librespot_PR1528_conflicts_resolved.patch b/patches/librespot_PR1528_conflicts_resolved.patch
new file mode 100644
index 0000000..f97a38a
--- /dev/null
+++ b/patches/librespot_PR1528_conflicts_resolved.patch
@@ -0,0 +1,223 @@ +From c4c968e594edcfce231682db5563f7186da7c6f0 Mon Sep 17 00:00:00 2001 +From: Timon de Groot +Date: Thu, 7 Aug 2025 12:22:56 +0200 +Subject: [PATCH 1/5] spclient: Specify base url for metadata requests + +This fixes #1527 +--- + core/src/spclient.rs | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/core/src/spclient.rs b/core/src/spclient.rs +index 87a6098..56c4287 100644 +--- a/core/src/spclient.rs ++++ b/core/src/spclient.rs +@@ -55,6 +55,7 @@ const CONNECTION_ID: HeaderName = HeaderName::from_static("x-spotify-connection- + const NO_METRICS_AND_SALT: RequestOptions = RequestOptions { + metrics: false, + salt: false, ++ base_url: None, + }; + + #[derive(Debug, Error)] +@@ -86,6 +87,7 @@ impl Default for RequestStrategy { + pub struct RequestOptions { + metrics: bool, + salt: bool, ++ base_url: Option, + } + + impl Default for RequestOptions { +@@ -93,6 +95,7 @@ impl Default for RequestOptions { + Self { + metrics: true, + salt: true, ++ base_url: None, + } + } + } +@@ -449,7 +452,10 @@ impl SpClient { + + // Reconnection logic: retrieve the endpoint every iteration, so we can try + // another access point when we are experiencing network issues (see below). +- let mut url = self.base_url().await?; ++ let mut url = match &options.base_url { ++ Some(base_url) => base_url.clone(), ++ None => self.base_url().await?, ++ }; + url.push_str(endpoint); + + // Add metrics. 
There is also an optional `partner` key with a value like +@@ -566,7 +572,12 @@ impl SpClient { + + pub async fn get_metadata(&self, scope: &str, id: &SpotifyId) -> SpClientResult { + let endpoint = format!("/metadata/4/{}/{}", scope, id.to_base16()?); +- self.request(&Method::GET, &endpoint, None, None).await ++ let options = RequestOptions { ++ base_url: Some(String::from("https://spclient.wg.spotify.com")), ++ ..Default::default() ++ }; ++ self.request_with_options(&Method::GET, &endpoint, None, None, &options) ++ .await + } + + pub async fn get_track_metadata(&self, track_id: &SpotifyId) -> SpClientResult { +-- +2.49.0 + + +From 2b72f3fbdf6519321feeaaecc1ea6e1bb042074e Mon Sep 17 00:00:00 2001 +From: Timon de Groot +Date: Thu, 7 Aug 2025 13:51:55 +0200 +Subject: [PATCH 2/5] spclient: Change RequestOptions to &str + +This will allocate less strings and makes it possible to have const +request option values. + +Also document why the metadata base url workaround is needed. +--- + core/src/spclient.rs | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/core/src/spclient.rs b/core/src/spclient.rs +index 56c4287..11bcef4 100644 +--- a/core/src/spclient.rs ++++ b/core/src/spclient.rs +@@ -87,7 +87,7 @@ impl Default for RequestStrategy { + pub struct RequestOptions { + metrics: bool, + salt: bool, +- base_url: Option, ++ base_url: Option<&'static str>, + } + + impl Default for RequestOptions { +@@ -453,7 +453,7 @@ impl SpClient { + // Reconnection logic: retrieve the endpoint every iteration, so we can try + // another access point when we are experiencing network issues (see below). 
+ let mut url = match &options.base_url { +- Some(base_url) => base_url.clone(), ++ Some(base_url) => base_url.to_owned().to_string(), + None => self.base_url().await?, + }; + url.push_str(endpoint); +@@ -572,8 +572,11 @@ impl SpClient { + + pub async fn get_metadata(&self, scope: &str, id: &SpotifyId) -> SpClientResult { + let endpoint = format!("/metadata/4/{}/{}", scope, id.to_base16()?); ++ // For unknown reasons, metadata requests must now be sent through spclient.wg.spotify.com. ++ // Otherwise, the API will respond with 500 Internal Server Error responses. ++ // Context: https://github.com/librespot-org/librespot/issues/1527 + let options = RequestOptions { +- base_url: Some(String::from("https://spclient.wg.spotify.com")), ++ base_url: Some("https://spclient.wg.spotify.com"), + ..Default::default() + }; + self.request_with_options(&Method::GET, &endpoint, None, None, &options) +-- +2.49.0 + + +From 73ed5c50849bb660834cd0d7aaa7110c01397055 Mon Sep 17 00:00:00 2001 +From: Timon de Groot +Date: Sat, 9 Aug 2025 09:28:51 +0200 +Subject: [PATCH 3/5] spclient: Make const request options for get_metadata + +--- + core/src/spclient.rs | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/core/src/spclient.rs b/core/src/spclient.rs +index 11bcef4..cbcf092 100644 +--- a/core/src/spclient.rs ++++ b/core/src/spclient.rs +@@ -58,6 +58,12 @@ const NO_METRICS_AND_SALT: RequestOptions = RequestOptions { + base_url: None, + }; + ++const SPCLIENT_FALLBACK_ENDPOINT: RequestOptions = RequestOptions { ++ metrics: true, ++ salt: true, ++ base_url: Some("https://spclient.wg.spotify.com"), ++}; ++ + #[derive(Debug, Error)] + pub enum SpClientError { + #[error("missing attribute {0}")] +@@ -575,12 +581,14 @@ impl SpClient { + // For unknown reasons, metadata requests must now be sent through spclient.wg.spotify.com. + // Otherwise, the API will respond with 500 Internal Server Error responses. 
+ // Context: https://github.com/librespot-org/librespot/issues/1527 +- let options = RequestOptions { +- base_url: Some("https://spclient.wg.spotify.com"), +- ..Default::default() +- }; +- self.request_with_options(&Method::GET, &endpoint, None, None, &options) +- .await ++ self.request_with_options( ++ &Method::GET, ++ &endpoint, ++ None, ++ None, ++ &SPCLIENT_FALLBACK_ENDPOINT, ++ ) ++ .await + } + + pub async fn get_track_metadata(&self, track_id: &SpotifyId) -> SpClientResult { +-- +2.49.0 + + +From 6adca21fdf64bd8026a2d6df04c42dd2b1239358 Mon Sep 17 00:00:00 2001 +From: Timon de Groot +Date: Sat, 9 Aug 2025 09:40:20 +0200 +Subject: [PATCH 4/5] spclient: Simplify base url init + +--- + core/src/spclient.rs | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/core/src/spclient.rs b/core/src/spclient.rs +index cbcf092..272975d 100644 +--- a/core/src/spclient.rs ++++ b/core/src/spclient.rs +@@ -458,8 +458,8 @@ impl SpClient { + + // Reconnection logic: retrieve the endpoint every iteration, so we can try + // another access point when we are experiencing network issues (see below). 
+- let mut url = match &options.base_url { +- Some(base_url) => base_url.to_owned().to_string(), ++ let mut url = match options.base_url { ++ Some(base_url) => base_url.to_string(), + None => self.base_url().await?, + }; + url.push_str(endpoint); +-- +2.49.0 + + +From 0b5b1eb6c73a9291057b3856939f416113fdd8bb Mon Sep 17 00:00:00 2001 +From: Timon de Groot +Date: Sat, 9 Aug 2025 10:14:02 +0200 +Subject: [PATCH 5/5] Update CHANGELOG.md + +--- + CHANGELOG.md | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/CHANGELOG.md b/CHANGELOG.md +index 560de2b..b62e9f8 100644 +--- a/CHANGELOG.md ++++ b/CHANGELOG.md +@@ -51,6 +51,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 + - [connect] Correctly apply playing/paused state when transferring playback + - [player] Saturate invalid seek positions to track duration + - [audio] Fall back to other URLs in case of a failure when downloading from CDN ++- [core] Metadata requests failing with 500 Internal Server Error + + ### Deprecated + +-- +2.49.0 + From c7ae6a7ee30ea3a67acc1f253eb737a306fb5daa Mon Sep 17 00:00:00 2001 From: June Date: Mon, 11 Aug 2025 20:09:05 +0200 Subject: [PATCH 47/51] bump element web to 1.11.109 --- .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix index d0da920..9e919e2 100644 --- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix 
@@ -1,10 +1,10 @@ { pkgs, ... }: let - elementWebVersion = "1.11.106"; + elementWebVersion = "1.11.109"; element-web = pkgs.fetchzip { url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-5E6za7G7Olia5VzOnBjYMeGJ2Xifqx+vDmCFgNLaRZo="; + sha256 = "sha256-eKPClYJxUhCJznI1+dv9w2h0CoSKgZsBZCsuM3KH5ag="; }; elementSecurityHeaders = '' # Configuration best practices From 0c0457793ff759c5b6f376dcbc074a5072d1a561 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 12 Aug 2025 01:11:31 +0200 Subject: [PATCH 48/51] bump Matrix Synapse to version 1.135.2 --- flake.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/flake.nix b/flake.nix index 39183bf..e8a53a9 100644 --- a/flake.nix +++ b/flake.nix @@ -41,6 +41,22 @@ prometheus-exporter = ./config/extra/prometheus-exporter.nix; }; overlays = { + matrixSynapseFix = final: prev: { + matrix-synapse-unwrapped = prev.matrix-synapse-unwrapped.overrideAttrs (finalAttrs: prevAttrs: rec { + version = "1.135.2"; + src = prev.fetchFromGitHub { + owner = "element-hq"; + repo = "synapse"; + rev = "v${version}"; + hash = "sha256-4HAA9Xq4C3DHxz0BgqBitfM4wZwPSEu+IO/OPfHzLVw="; + }; + cargoDeps = final.rustPlatform.fetchCargoVendor { + inherit src; + hash = "sha256-4J92s6cSgsEIYQpbU6OOLI/USIJX2Gc7UdEHgWQgmXc="; + }; + patches = []; + }); + }; librespotFixOverlay = final: prev: { librespot = (prev.librespot.override { withAvahi = true; }).overrideAttrs (finalAttrs: prevAttr: rec { # Build dev branch. @@ -109,6 +125,7 @@ sops-nix.nixosModules.sops self.nixosModules.prometheus-exporter ./config/hosts/matrix + { nixpkgs.overlays = [ self.overlays.matrixSynapseFix ]; } ]; }; From e8dec24077b5e203bea41375f433ebc127fed4df Mon Sep 17 00:00:00 2001 
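Review bot: `patches = [];` in the new matrixSynapseFix overlay throws away every patch nixpkgs applies to matrix-synapse-unwrapped, and neither the hunk nor the commit message says why, so whoever bumps `version` next cannot tell whether that is still safe. A comment stating the reason would make it explicit, e.g. `# patches = [] drops nixpkgs' patch set for the older packaged release — <reason>; revisit once upstream nixpkgs ships >= 1.135.2`. The second hunk attaches the overlay only to the matrix host, so every other host keeps the nixpkgs build — presumably intended, but worth one line in the same comment. The `hash`/`cargoDeps.hash` pins make the tag-based `rev = "v${version}"` content-addressed, so that part needs no change.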
From: June Date: Tue, 16 Sep 2025 19:12:28 +0200 Subject: [PATCH 49/51] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/92c2e04a475523e723c67ef872d8037379073681?narHash=sha256-yLuz5cz5Z%2Bsn8DRAfNkrd2Z1cV6DaYO9JMrEz4KZo/c%3D' (2025-07-21) → 'github:nixos/nixpkgs/9a094440e02a699be5c57453a092a8baf569bdad?narHash=sha256-Vp9K5ol6h0J90jG7Rm4RWZsCB3x7v5VPx588TQ1dkfs%3D' (2025-09-14) • Updated input 'sops-nix': 'github:Mic92/sops-nix/2c8def626f54708a9c38a5861866660395bb3461?narHash=sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U%3D' (2025-07-15) → 'github:Mic92/sops-nix/f77d4cfa075c3de66fc9976b80e0c4fc69e2c139?narHash=sha256-HYnwlbY6RE5xVd5rh0bYw77pnD8lOgbT4mlrfjgNZ0c%3D' (2025-09-16) --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 559f116..58d6972 100644 --- a/flake.lock +++ b/flake.lock @@ -66,11 +66,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1753115646, - "narHash": "sha256-yLuz5cz5Z+sn8DRAfNkrd2Z1cV6DaYO9JMrEz4KZo/c=", + "lastModified": 1757810152, + "narHash": "sha256-Vp9K5ol6h0J90jG7Rm4RWZsCB3x7v5VPx588TQ1dkfs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "92c2e04a475523e723c67ef872d8037379073681", + "rev": "9a094440e02a699be5c57453a092a8baf569bdad", "type": "github" }, "original": { @@ -95,11 +95,11 @@ ] }, "locked": { - "lastModified": 1752544651, - "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", + "lastModified": 1758007585, + "narHash": "sha256-HYnwlbY6RE5xVd5rh0bYw77pnD8lOgbT4mlrfjgNZ0c=", "owner": "Mic92", "repo": "sops-nix", - "rev": "2c8def626f54708a9c38a5861866660395bb3461", + "rev": "f77d4cfa075c3de66fc9976b80e0c4fc69e2c139", "type": "github" }, "original": { From dc4cc0469db4ee7b59f09afb9364a0fe7f7ebfdd Mon Sep 17 00:00:00 2001 
From: June Date: Tue, 16 Sep 2025 19:13:39 +0200 Subject: [PATCH 50/51] remove synapse overlay as there is now a recent enough version upstream --- flake.nix | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/flake.nix b/flake.nix index e8a53a9..39183bf 100644 --- a/flake.nix +++ b/flake.nix @@ -41,22 +41,6 @@ prometheus-exporter = ./config/extra/prometheus-exporter.nix; }; overlays = { - matrixSynapseFix = final: prev: { - matrix-synapse-unwrapped = prev.matrix-synapse-unwrapped.overrideAttrs (finalAttrs: prevAttrs: rec { - version = "1.135.2"; - src = prev.fetchFromGitHub { - owner = "element-hq"; - repo = "synapse"; - rev = "v${version}"; - hash = "sha256-4HAA9Xq4C3DHxz0BgqBitfM4wZwPSEu+IO/OPfHzLVw="; - }; - cargoDeps = final.rustPlatform.fetchCargoVendor { - inherit src; - hash = "sha256-4J92s6cSgsEIYQpbU6OOLI/USIJX2Gc7UdEHgWQgmXc="; - }; - patches = []; - }); - }; librespotFixOverlay = final: prev: { librespot = (prev.librespot.override { withAvahi = true; }).overrideAttrs (finalAttrs: prevAttr: rec { # Build dev branch. @@ -125,7 +109,6 @@ sops-nix.nixosModules.sops self.nixosModules.prometheus-exporter ./config/hosts/matrix - { nixpkgs.overlays = [ self.overlays.matrixSynapseFix ]; } ]; }; From ca65a4940cc174ccbf44c17e12dc3968e2d8e936 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 16 Sep 2025 19:45:02 +0200 Subject: [PATCH 51/51] redirect /calendar to the Nextcloud calendar to make this location work Apparently this location gets used in several locations, so create a redirect. --- .../hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix index b70f74a..8277b5f 100644 --- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix 
@@ -83,6 +83,11 @@
 return = "302 https://$host/blog/index.xml";
 };
 
+ # Redirect /calendar to the Nextcloud calendar, as this location apparently gets used in several locations.
+ locations."/calendar" = {
+ return = "302 https://cloud.hamburg.ccc.de/apps/calendar/embed/QJAdExziSnNJEz5g";
+ };
+
 extraConfig = ''
 # Make use of the ngx_http_realip_module to set the $remote_addr and
 # $remote_port to the client address and client port, when using proxy
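Review bot: The redirect target hard-codes a Nextcloud calendar share token (`.../embed/QJAdExziSnNJEz5g`), so if that share is regenerated or revoked in Nextcloud, /calendar keeps answering 302 to a dead embed page and nothing in this repo points back to where the share lives. A comment on the location naming the owning calendar would let the next maintainer repair it, e.g. `# Public share token of the <calendar name> calendar in Nextcloud (owner: <account>); regenerating that share requires updating this URL.`. The added comment's `gets used in several locations` only restates the commit message; naming the places that link /calendar would be more useful. The 302 matches the sibling /blog redirect above, and the enclosing virtualHost attribute set starts and ends outside the hunk.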