license this repo under the MIT license

All previous contributors are asked to sign off on licensing this repo under the MIT license in PR 12 (#12). Once all contributors signed-off, this commit will be merged into the main branch and this repo will be licensed under the MIT license. Don't track copyright years in the license, as that is cumbersome and also not done in other projects anymore: https://daniel.haxx.se/blog/2023/01/08/copyright-without-years/ https://github.com/rails/rails/pull/47467 MIT License: https://opensource.org/license/MIT https://choosealicense.com/licenses/mit/
2024-11-10 18:14:42 +01:00
8 changed files with 22 additions and 146 deletions
--- a/README.md
+++ b/README.md
@ -63,17 +63,6 @@ This is exactly what we're doing to set the default deployment user to `colmena-
   ```
   This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.

-## Build NixOS Proxmox VE Template
-
-Build a new NixOS Proxmox VE Template for the thinkcccore's:
-```shell
-nix build .#proxmox-nixos-template
-```
-Build a new NixOS Proxmox VE Template for the chaosknoten:
-```shell
-nix build .#proxmox-chaosknoten-nixos-template
-```
-
 ## License

 This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
--- a/config/common/users.nix
+++ b/config/common/users.nix
@ -11,8 +11,8 @@
 let
  authorizedKeysRepo = pkgs.fetchgit {
    url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
-    rev = "686a6af22f6696f0c0595c56f463c078550049fc";
-    hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=";
+    rev = "b6a29dc7af0a45a8c0b4904290c7cb0c5bc51413";
+    hash = "sha256-c0aH0wQeJtfXJG5wAbS6aO8yILLI1NNkFAHAeOm8RXA=";
  };
  authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in
--- a/config/hosts/git/forgejo.nix
+++ b/config/hosts/git/forgejo.nix
@ -45,9 +45,6 @@
        DEFAULT_USER_VISIBILITY = "limited";
        DEFAULT_KEEP_EMAIL_PRIVATE = true;
        ENABLE_BASIC_AUTHENTICATION = false;
-        ENABLE_NOTIFY_MAIL = true;
-        AUTO_WATCH_NEW_REPOS = false;
-        AUTO_WATCH_ON_CHANGES = false;
      };
      repo = {
        DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
--- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
@ -1,19 +1,10 @@
 { pkgs, ... }:

-let
-  domain = "c3cat.de";
-  dataDir = "/var/www/${domain}";
-  deployUser = "c3cat-website-deploy";
-in {
-  security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
-
+{
  services.nginx.virtualHosts = {
-    "acme-${domain}" = {
+    "acme-c3cat.de" = {
      enableACME = true;
-      serverName = "${domain}";
-      serverAliases = [
-        "www.${domain}"
-      ];
+      serverName = "c3cat.de";

      listen = [
        {
@ -23,9 +14,9 @@ in {
      ];
    };

-    "$www.${domain}" = {
+    "c3cat.de" = {
      forceSSL = true;
-      useACMEHost = "${domain}";
+      useACMEHost = "c3cat.de";

      listen = [
        {
@ -37,7 +28,7 @@ in {
      ];

      locations."/" = {
-        return = "302 https://c3cat.de$request_uri";
+        return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
      };

      extraConfig = ''
@ -51,45 +42,5 @@ in {
        real_ip_header proxy_protocol;
      '';
    };
-
-    "${domain}" = {
-      forceSSL = true;
-      useACMEHost = "${domain}";
-
-      listen = [
-        {
-          addr = "0.0.0.0";
-          port = 8443;
-          ssl = true;
-          proxyProtocol = true;
-        }
-      ];
-
-      root = "${dataDir}";
-
-      extraConfig = ''
-        # Make use of the ngx_http_realip_module to set the $remote_addr and
-        # $remote_port to the client address and client port, when using proxy
-        # protocol.
-        # First set our proxy protocol proxy as trusted.
-        set_real_ip_from 172.31.17.140;
-        # Then tell the realip_module to get the addreses from the proxy protocol
-        # header.
-        real_ip_header proxy_protocol;
-      '';
-    };
  };
-
-  systemd.tmpfiles.rules = [
-    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
-  ];
-
-  users.users."${deployUser}" = {
-    isNormalUser = true;
-    group = "${deployUser}";
-    openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
-    ];
-  };
-  users.groups."${deployUser}" = { };
 }
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@ -9,7 +9,6 @@
    ./hackertours.hamburg.ccc.de.nix
    ./hamburg.ccc.de.nix
    ./spaceapi.hamburg.ccc.de.nix
-    ./staging.c3cat.de.nix
    ./staging.hacker.tours.nix
    ./staging.hackertours.hamburg.ccc.de.nix
    ./staging.hamburg.ccc.de.nix
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@ -1,10 +1,10 @@
 { pkgs, ... }:

 let
-  elementWebVersion = "1.11.84";
+  elementWebVersion = "1.11.80";
  element-web = pkgs.fetchzip {
    url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
-    sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4=";
+    sha256 = "sha256-sudWmNehxGsbZTNirTkoWQ/Bln1DC1CI30wocw9VoH8=";
  };
  elementSecurityHeaders = ''
    # Configuration best practices
--- a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix
@ -1,60 +0,0 @@
-{ pkgs, ... }:
-
-let
-  domain = "staging.c3cat.de";
-  dataDir = "/var/www/${domain}";
-  deployUser = "c3cat-website-deploy";
-in {
-  services.nginx.virtualHosts = {
-    "acme-${domain}" = {
-      enableACME = true;
-      serverName = "${domain}";
-
-      listen = [
-        {
-          addr = "0.0.0.0";
-          port = 31820;
-        }
-      ];
-    };
-
-    "${domain}" = {
-      forceSSL = true;
-      useACMEHost = "${domain}";
-
-      listen = [
-        {
-          addr = "0.0.0.0";
-          port = 8443;
-          ssl = true;
-          proxyProtocol = true;
-        }
-      ];
-
-      root = "${dataDir}";
-
-      # Disallow *, since this is staging and doesn't need to be in any search
-      # results.
-      locations."/robots.txt" = {
-        return = "200 \"User-agent: *\\nDisallow: *\\n\"";
-      };
-
-      extraConfig = ''
-        # Make use of the ngx_http_realip_module to set the $remote_addr and
-        # $remote_port to the client address and client port, when using proxy
-        # protocol.
-        # First set our proxy protocol proxy as trusted.
-        set_real_ip_from 172.31.17.140;
-        # Then tell the realip_module to get the addreses from the proxy protocol
-        # header.
-        real_ip_header proxy_protocol;
-      '';
-    };
-  };
-
-  systemd.tmpfiles.rules = [
-    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
-  ];
-
-  # c3cat deploy user already defined in c3cat.de.nix.
-}
--- a/flake.lock
+++ b/flake.lock
@ -38,11 +38,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1731133565,
-        "narHash": "sha256-tCErjTdCUWK06LzkcvwUM+3pyrrmdf8e0VDBBTgqznE=",
+        "lastModified": 1730428893,
+        "narHash": "sha256-fLLUd2dO/Vnf96UDr8YPzerYi+n99l3S5yIUDnmcPBE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "11f65b4b0405cff5b54c813626bddcf5435d7ad2",
+        "rev": "38edd08881ce4dc24056eec173b43587a93c990f",
        "type": "github"
      },
      "original": {
@ -54,11 +54,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1730602179,
-        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
+        "lastModified": 1729973466,
+        "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
+        "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950",
        "type": "github"
      },
      "original": {
@ -70,11 +70,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1731265036,
-        "narHash": "sha256-e5I+glVZwQvLT6WIeMFi0Mk+N/jkYauZ31ir2NRZcf8=",
+        "lastModified": 1730449684,
+        "narHash": "sha256-Hlv3rTPxnO+DpKRXw9yjzERLdk05h7+fEbZxWM2taCw=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "8aed22ecd71e5b67e5299efae8b9dc580dec711c",
+        "rev": "ab464abbeb3a2833288c6e907488c49c2e599f88",
        "type": "github"
      },
      "original": {
@ -100,11 +100,11 @@
        "nixpkgs-stable": "nixpkgs-stable"
      },
      "locked": {
-        "lastModified": 1731213149,
-        "narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=",
+        "lastModified": 1729999681,
+        "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7",
+        "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56",
        "type": "github"
      },
      "original": {