From 877bd447645c46216b4ea7dd6c071eb1539fed33 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 10 Nov 2024 18:14:42 +0100 Subject: [PATCH 01/10] license this repo under the MIT license All previous contributors are asked to sign off on licensing this repo under the MIT license in PR 12 (https://git.hamburg.ccc.de/CCCHH/nix-infra/pulls/12). Once all contributors signed-off, this commit will be merged into the main branch and this repo will be licensed under the MIT license. Don't track copyright years in the license, as that is cumbersome and also not done in other projects anymore: https://daniel.haxx.se/blog/2023/01/08/copyright-without-years/ https://github.com/rails/rails/pull/47467 MIT License: https://opensource.org/license/MIT https://choosealicense.com/licenses/mit/ --- LICENSE | 21 +++++++++++++++++++++ README.md | 4 ++++ 2 files changed, 25 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..37eee6c --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) CCCHH + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index b55e1f2..ecf8a0a 100644 --- a/README.md +++ b/README.md @@ -62,3 +62,7 @@ This is exactly what we're doing to set the default deployment user to `colmena- }; ``` This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host. + +## License + +This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE). From c8e7bd1ccfd1b23f8dce95b36a0ec7cab471cfc2 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 10 Nov 2024 19:26:26 +0100 Subject: [PATCH 02/10] git: enable sending of e-mails to watchers of repositories --- config/hosts/git/forgejo.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix index bb7099f..d7e7c1b 100644 --- a/config/hosts/git/forgejo.nix +++ b/config/hosts/git/forgejo.nix @@ -45,6 +45,7 @@ DEFAULT_USER_VISIBILITY = "limited"; DEFAULT_KEEP_EMAIL_PRIVATE = true; ENABLE_BASIC_AUTHENTICATION = false; + ENABLE_NOTIFY_MAIL = true; }; repo = { DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; From 2ba371f8cd0a97e5f95765cc0b09dfe113638e0f Mon Sep 17 00:00:00 2001 From: June Date: Sun, 10 Nov 2024 19:38:05 +0100 Subject: [PATCH 03/10] git: disable making org users auto watch new repos on creation Also explicitly disable making users auto watch repos after their first commit to it. --- config/hosts/git/forgejo.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/hosts/git/forgejo.nix b/config/hosts/git/forgejo.nix index d7e7c1b..a57a37f 100644 --- a/config/hosts/git/forgejo.nix +++ b/config/hosts/git/forgejo.nix @@ -46,6 +46,8 @@ DEFAULT_KEEP_EMAIL_PRIVATE = true; ENABLE_BASIC_AUTHENTICATION = false; ENABLE_NOTIFY_MAIL = true; + AUTO_WATCH_NEW_REPOS = false; + AUTO_WATCH_ON_CHANGES = false; }; repo = { DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; From ff1a12846afa1fc25cd9a98f3e31eceb954b2b09 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Tue, 11 Jun 2024 23:19:13 +0200 Subject: [PATCH 04/10] Add how to generate the NixOS Proxmox VE templates --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index b55e1f2..f7ae196 100644 --- a/README.md +++ b/README.md @@ -62,3 +62,14 @@ This is exactly what we're doing to set the default deployment user to `colmena- }; ``` This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host. + +## Build NixOS Proxmox VE Template + +Build a now NixOS Proxmox VE Template for the thinkcccore's +```shell +nix build .#proxmox-nixos-template +``` +Build a now NixOS Proxmox VE Template for the chaosknoten +```shell +nix build .#proxmox-chaosknoten-nixos-template +``` \ No newline at end of file From 1fcd8c64215c2f59617e17d21e806ae15fcf823c Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sat, 22 Jun 2024 15:56:13 +0200 Subject: [PATCH 05/10] fix typo and writing improvement --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f7ae196..bd3a29a 100644 --- a/README.md +++ b/README.md @@ -65,11 +65,11 @@ This is exactly what we're doing to set the default deployment user to `colmena- ## Build NixOS Proxmox VE Template -Build a now NixOS Proxmox VE Template for the thinkcccore's +Build a new NixOS Proxmox VE Template for the thinkcccore's: ```shell nix build .#proxmox-nixos-template ``` -Build a now NixOS Proxmox VE Template for the chaosknoten +Build a new NixOS Proxmox VE Template for the chaosknoten: ```shell nix build .#proxmox-chaosknoten-nixos-template -``` \ No newline at end of file +``` From afb4fc71cef9691a56fc1afc8eb80dbd289faf91 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sun, 10 Nov 2024 23:10:50 +0100 Subject: [PATCH 06/10] Update infrastructure-authorized-keys rev --- config/common/users.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/common/users.nix b/config/common/users.nix index 59682c4..026929b 100644 --- a/config/common/users.nix +++ b/config/common/users.nix @@ -11,8 +11,8 @@ let authorizedKeysRepo = pkgs.fetchgit { url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys"; - rev = "b6a29dc7af0a45a8c0b4904290c7cb0c5bc51413"; - hash = "sha256-c0aH0wQeJtfXJG5wAbS6aO8yILLI1NNkFAHAeOm8RXA="; + rev = "686a6af22f6696f0c0595c56f463c078550049fc"; + hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc="; }; authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys")); in From 33b2cbf5d098c87db3904740ad27c803055547ec Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sun, 10 Nov 2024 23:14:58 +0100 Subject: [PATCH 07/10] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/38edd08881ce4dc24056eec173b43587a93c990f' (2024-11-01) → 'github:nixos/nixpkgs/11f65b4b0405cff5b54c813626bddcf5435d7ad2' (2024-11-09) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/ab464abbeb3a2833288c6e907488c49c2e599f88' (2024-11-01) → 'github:nixos/nixpkgs/8aed22ecd71e5b67e5299efae8b9dc580dec711c' (2024-11-10) • Updated input 'sops-nix': 'github:Mic92/sops-nix/1666d16426abe79af5c47b7c0efa82fd31bf4c56' (2024-10-27) → 'github:Mic92/sops-nix/f1675e3b0e1e663a4af49be67ecbc9e749f85eb7' (2024-11-10) • Updated input 'sops-nix/nixpkgs-stable': 'github:NixOS/nixpkgs/cd3e8833d70618c4eea8df06f95b364b016d4950' (2024-10-26) → 'github:NixOS/nixpkgs/3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c' (2024-11-03) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 24f50dd..58d521b 100644 --- a/flake.lock +++ b/flake.lock @@ -38,11 +38,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1730428893, - "narHash": "sha256-fLLUd2dO/Vnf96UDr8YPzerYi+n99l3S5yIUDnmcPBE=", + "lastModified": 1731133565, + "narHash": "sha256-tCErjTdCUWK06LzkcvwUM+3pyrrmdf8e0VDBBTgqznE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "38edd08881ce4dc24056eec173b43587a93c990f", + "rev": "11f65b4b0405cff5b54c813626bddcf5435d7ad2", "type": "github" }, "original": { @@ -54,11 +54,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1729973466, - "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=", + "lastModified": 1730602179, + "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950", + "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1730449684, - "narHash": "sha256-Hlv3rTPxnO+DpKRXw9yjzERLdk05h7+fEbZxWM2taCw=", + "lastModified": 1731265036, + "narHash": "sha256-e5I+glVZwQvLT6WIeMFi0Mk+N/jkYauZ31ir2NRZcf8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ab464abbeb3a2833288c6e907488c49c2e599f88", + "rev": "8aed22ecd71e5b67e5299efae8b9dc580dec711c", "type": "github" }, "original": { @@ -100,11 +100,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1729999681, - "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=", + "lastModified": 1731213149, + "narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=", "owner": "Mic92", "repo": "sops-nix", - "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56", + "rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7", "type": "github" }, "original": { From c84d9e7d0af00a8ca8adcf59616473bee14efc89 Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 11 Nov 2024 02:43:08 +0100 Subject: [PATCH 08/10] Update element to 1.11.84 --- .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix index 5f0792f..1836f25 100644 --- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix @@ -1,10 +1,10 @@ { pkgs, ... }: let - elementWebVersion = "1.11.80"; + elementWebVersion = "1.11.84"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-sudWmNehxGsbZTNirTkoWQ/Bln1DC1CI30wocw9VoH8="; + sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4="; }; elementSecurityHeaders = '' # Configuration best practices From cf46da9df7a9036a8c600701042fe390c5c842d8 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 12 Nov 2024 23:06:01 +0100 Subject: [PATCH 09/10] public-web-static: make c3cat.de and www work as well as staging --- .../virtualHosts/c3cat.de.nix | 61 +++++++++++++++++-- .../virtualHosts/default.nix | 1 + .../virtualHosts/staging.c3cat.de.nix | 60 ++++++++++++++++++ 3 files changed, 116 insertions(+), 6 deletions(-) create mode 100644 config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix index f1ad527..91d3a40 100644 --- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix +++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix @@ -1,10 +1,19 @@ { pkgs, ... }: -{ +let + domain = "c3cat.de"; + dataDir = "/var/www/${domain}"; + deployUser = "c3cat-website-deploy"; +in { + security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ]; + services.nginx.virtualHosts = { - "acme-c3cat.de" = { + "acme-${domain}" = { enableACME = true; - serverName = "c3cat.de"; + serverName = "${domain}"; + serverAliases = [ + "www.${domain}" + ]; listen = [ { @@ -14,9 +23,9 @@ ]; }; - "c3cat.de" = { + "$www.${domain}" = { forceSSL = true; - useACMEHost = "c3cat.de"; + useACMEHost = "${domain}"; listen = [ { @@ -28,7 +37,7 @@ ]; locations."/" = { - return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start"; + return = "302 https://c3cat.de$request_uri"; }; extraConfig = '' @@ -42,5 +51,45 @@ real_ip_header proxy_protocol; ''; }; + + "${domain}" = { + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + root = "${dataDir}"; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; }; + + systemd.tmpfiles.rules = [ + "d ${dataDir} 0755 ${deployUser} ${deployUser}" + ]; + + users.users."${deployUser}" = { + isNormalUser = true; + group = "${deployUser}"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de" + ]; + }; + users.groups."${deployUser}" = { }; } diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index dac4fa4..c9d77ef 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix +++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -9,6 +9,7 @@ ./hackertours.hamburg.ccc.de.nix ./hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix + ./staging.c3cat.de.nix ./staging.hacker.tours.nix ./staging.hackertours.hamburg.ccc.de.nix ./staging.hamburg.ccc.de.nix diff --git a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix new file mode 100644 index 0000000..c91d283 --- /dev/null +++ b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix @@ -0,0 +1,60 @@ +{ pkgs, ... }: + +let + domain = "staging.c3cat.de"; + dataDir = "/var/www/${domain}"; + deployUser = "c3cat-website-deploy"; +in { + services.nginx.virtualHosts = { + "acme-${domain}" = { + enableACME = true; + serverName = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + "${domain}" = { + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + root = "${dataDir}"; + + # Disallow *, since this is staging and doesn't need to be in any search + # results. + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: *\\n\""; + }; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${dataDir} 0755 ${deployUser} ${deployUser}" + ]; + + # c3cat deploy user already defined in c3cat.de.nix. +} From d98aa099e1d42f5e3705b860463ddea95058fd55 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 10 Nov 2024 18:14:42 +0100 Subject: [PATCH 10/10] license this repo under the MIT license All previous contributors are asked to sign off on licensing this repo under the MIT license in PR 12 (https://git.hamburg.ccc.de/CCCHH/nix-infra/pulls/12). Once all contributors signed-off, this commit will be merged into the main branch and this repo will be licensed under the MIT license. Don't track copyright years in the license, as that is cumbersome and also not done in other projects anymore: https://daniel.haxx.se/blog/2023/01/08/copyright-without-years/ https://github.com/rails/rails/pull/47467 MIT License: https://opensource.org/license/MIT https://choosealicense.com/licenses/mit/ --- LICENSE | 21 +++++++++++++++++++++ README.md | 4 ++++ 2 files changed, 25 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..37eee6c --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) CCCHH + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md index bd3a29a..186f14a 100644 --- a/README.md +++ b/README.md @@ -73,3 +73,7 @@ Build a new NixOS Proxmox VE Template for the chaosknoten: ```shell nix build .#proxmox-chaosknoten-nixos-template ``` + +## License + +This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).