1 commit

Author SHA1 Message Date
June 877bd44764
license this repo under the MIT license
All previous contributors are asked to sign off on licensing this repo
under the MIT license in PR 12 (#12). Once all contributors have signed
off, this commit will be merged into the main branch and this repo will
be licensed under the MIT license.

Don't track copyright years in the license, as that is cumbersome and
also not done in other projects anymore:
https://daniel.haxx.se/blog/2023/01/08/copyright-without-years/
https://github.com/rails/rails/pull/47467

MIT License:
https://opensource.org/license/MIT
https://choosealicense.com/licenses/mit/
2024-11-10 18:14:42 +01:00
8 changed files with 22 additions and 146 deletions


@ -63,17 +63,6 @@ This is exactly what we're doing to set the default deployment user to `colmena-
``` ```
This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host. This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.
## Build NixOS Proxmox VE Template
Build a new NixOS Proxmox VE Template for the thinkcccore's:
```shell
nix build .#proxmox-nixos-template
```
Build a new NixOS Proxmox VE Template for the chaosknoten:
```shell
nix build .#proxmox-chaosknoten-nixos-template
```
## License ## License
This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE). This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).


@ -11,8 +11,8 @@
let let
authorizedKeysRepo = pkgs.fetchgit { authorizedKeysRepo = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys"; url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
rev = "686a6af22f6696f0c0595c56f463c078550049fc"; rev = "b6a29dc7af0a45a8c0b4904290c7cb0c5bc51413";
hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc="; hash = "sha256-c0aH0wQeJtfXJG5wAbS6aO8yILLI1NNkFAHAeOm8RXA=";
}; };
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys")); authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
in in
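Review bot: The `rev`/`hash` pair in `authorizedKeysRepo` selects the SSH public keys that `authorizedKeys` is read from, and nothing in the hunk records which key-set revision `b6a29dc7…` is or that it is the newer of the two. Other sections of this compare show pins on this side that look older than on the other side (for example `elementWebVersion` `1.11.80` against `1.11.84`), so this may be the older key set; if it is, a host built from this tree would accept keys that have since been removed. Confirm the pin against the key repository's history before deploying, and consider a comment above `rev` such as `# pinned key set: only move forward, a rollback re-admits removed keys`. The module body continues outside the hunk.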


@ -45,9 +45,6 @@
DEFAULT_USER_VISIBILITY = "limited"; DEFAULT_USER_VISIBILITY = "limited";
DEFAULT_KEEP_EMAIL_PRIVATE = true; DEFAULT_KEEP_EMAIL_PRIVATE = true;
ENABLE_BASIC_AUTHENTICATION = false; ENABLE_BASIC_AUTHENTICATION = false;
ENABLE_NOTIFY_MAIL = true;
AUTO_WATCH_NEW_REPOS = false;
AUTO_WATCH_ON_CHANGES = false;
}; };
repo = { repo = {
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";


@ -1,19 +1,10 @@
{ pkgs, ... }: { pkgs, ... }:
let {
domain = "c3cat.de";
dataDir = "/var/www/${domain}";
deployUser = "c3cat-website-deploy";
in {
security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"acme-${domain}" = { "acme-c3cat.de" = {
enableACME = true; enableACME = true;
serverName = "${domain}"; serverName = "c3cat.de";
serverAliases = [
"www.${domain}"
];
listen = [ listen = [
{ {
@ -23,9 +14,9 @@ in {
]; ];
}; };
"$www.${domain}" = { "c3cat.de" = {
forceSSL = true; forceSSL = true;
useACMEHost = "${domain}"; useACMEHost = "c3cat.de";
listen = [ listen = [
{ {
@ -37,7 +28,7 @@ in {
]; ];
locations."/" = { locations."/" = {
return = "302 https://c3cat.de$request_uri"; return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
}; };
extraConfig = '' extraConfig = ''
@ -51,45 +42,5 @@ in {
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
}; };
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
];
};
users.groups."${deployUser}" = { };
} }
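Review bot: With `extraDomainNames` and `serverAliases` gone, `www.c3cat.de` is no longer in the certificate for `c3cat.de` and no virtual host in this file names it, so a request for that name would presumably be answered by nginx's default server with a certificate that does not match. If the `www` record still resolves to this host, keep `security.acme.certs."c3cat.de".extraDomainNames = [ "www.c3cat.de" ];` and `serverAliases = [ "www.c3cat.de" ];` on the ACME host, plus a redirecting virtual host for that name. The literal `"c3cat.de"` is also repeated across the attribute names, `serverName` and `useACMEHost`; a single `let domain = "c3cat.de";` binding keeps the certificate name and the virtual hosts from drifting apart. Parts of both virtual hosts' `listen` blocks lie outside the hunks shown.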


@ -9,7 +9,6 @@
./hackertours.hamburg.ccc.de.nix ./hackertours.hamburg.ccc.de.nix
./hamburg.ccc.de.nix ./hamburg.ccc.de.nix
./spaceapi.hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix
./staging.c3cat.de.nix
./staging.hacker.tours.nix ./staging.hacker.tours.nix
./staging.hackertours.hamburg.ccc.de.nix ./staging.hackertours.hamburg.ccc.de.nix
./staging.hamburg.ccc.de.nix ./staging.hamburg.ccc.de.nix


@ -1,10 +1,10 @@
{ pkgs, ... }: { pkgs, ... }:
let let
elementWebVersion = "1.11.84"; elementWebVersion = "1.11.80";
element-web = pkgs.fetchzip { element-web = pkgs.fetchzip {
url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4="; sha256 = "sha256-sudWmNehxGsbZTNirTkoWQ/Bln1DC1CI30wocw9VoH8=";
}; };
elementSecurityHeaders = '' elementSecurityHeaders = ''
# Configuration best practices # Configuration best practices
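Review bot: `elementWebVersion` appears to go from `1.11.84` to `1.11.80` in this hunk, which would serve an older Element Web build to users if this tree is deployed. Check the upstream release notes for the releases in between for security fixes, and unless the downgrade is intended keep `elementWebVersion = "1.11.84";` together with its matching `sha256`. The `let` block continues outside the hunk.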


@ -1,60 +0,0 @@
{ pkgs, ... }:
let
domain = "staging.c3cat.de";
dataDir = "/var/www/${domain}";
deployUser = "c3cat-website-deploy";
in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
# c3cat deploy user already defined in c3cat.de.nix.
}


@ -38,11 +38,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1731133565, "lastModified": 1730428893,
"narHash": "sha256-tCErjTdCUWK06LzkcvwUM+3pyrrmdf8e0VDBBTgqznE=", "narHash": "sha256-fLLUd2dO/Vnf96UDr8YPzerYi+n99l3S5yIUDnmcPBE=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "11f65b4b0405cff5b54c813626bddcf5435d7ad2", "rev": "38edd08881ce4dc24056eec173b43587a93c990f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -54,11 +54,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1730602179, "lastModified": 1729973466,
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=", "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c", "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -70,11 +70,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1731265036, "lastModified": 1730449684,
"narHash": "sha256-e5I+glVZwQvLT6WIeMFi0Mk+N/jkYauZ31ir2NRZcf8=", "narHash": "sha256-Hlv3rTPxnO+DpKRXw9yjzERLdk05h7+fEbZxWM2taCw=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8aed22ecd71e5b67e5299efae8b9dc580dec711c", "rev": "ab464abbeb3a2833288c6e907488c49c2e599f88",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -100,11 +100,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1731213149, "lastModified": 1729999681,
"narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=", "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7", "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56",
"type": "github" "type": "github"
}, },
"original": { "original": {