diff --git a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix index 376fde6..24e1472 100644 --- a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix +++ b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix @@ -3,11 +3,11 @@ # - https://forgejo.org/docs/latest/user/actions/ # - https://docs.gitea.com/next/usage/actions/act-runner -{ config, pkgs, ... }: +{ config, pkgs-unstable, ... }: { services.gitea-actions-runner = { - package = pkgs.forgejo-runner; + package = pkgs-unstable.forgejo-actions-runner; instances.ccchh-forgejo-global-docker = { enable = true; name = "Global Docker Forgejo Actions Runner"; diff --git a/config/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix new file mode 100644 index 0000000..a4c612e --- /dev/null +++ b/config/hosts/hydra/configuration.nix @@ -0,0 +1,9 @@ +{ ... }: + +{ + networking = { + hostName = "hydra"; + }; + + system.stateVersion = "24.05"; +} diff --git a/config/hosts/hydra/default.nix b/config/hosts/hydra/default.nix new file mode 100644 index 0000000..f621711 --- /dev/null +++ b/config/hosts/hydra/default.nix @@ -0,0 +1,11 @@ +{ ... }: + +{ + imports = [ + ./configuration.nix + ./hydra.nix + ./networking.nix + ./nginx.nix + ./nix.nix + ]; +} diff --git a/config/hosts/hydra/hydra.nix b/config/hosts/hydra/hydra.nix new file mode 100644 index 0000000..f315710 --- /dev/null +++ b/config/hosts/hydra/hydra.nix @@ -0,0 +1,15 @@ +{ ... }: + +{ + services.hydra = { + enable = true; + listenHost = "localhost"; + port = 3000; + hydraURL = "https://hydra.hamburg.ccc.de/"; + # E-Mail configuration requires some work/investigation still. + notificationSender = "no-reply@hydra.hamburg.ccc.de"; + useSubstitutes = true; + minimumDiskFree = 8; + minimumDiskFreeEvaluator = 2; + }; +} diff --git a/config/hosts/hydra/networking.nix b/config/hosts/hydra/networking.nix new file mode 100644 index 0000000..82cec55 --- /dev/null 
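Review bot: The runner package now follows nixpkgs-unstable, so every `nix flake update` can move the binary that executes CI jobs to a build that never passed through a stable release; and the flake.nix hunk at line 147 adds `inherit pkgs-unstable;` to only one `specialArgs` block, so this module evaluates only if that is the block used for this host, which the hunk does not show. A comment stating why unstable is required, e.g. `# forgejo-actions-runner is taken from unstable: <reason for needing a newer runner>`, would keep the next reader from reverting it. The `services.gitea-actions-runner` set continues outside the hunk.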
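Review bot: Hydra is published to the internet through the vhost in config/hosts/hydra/nginx.nix, but nothing here documents that Hydra's own login is the only access control or how the first administrator is created (`hydra-create-user` has to be run on the host after the first activation). A comment above `enable = true;` saying so, e.g. `# Web UI is public via nginx; create the admin with hydra-create-user after first deploy.`, would help the next operator. The e-mail TODO comment is fine as it stands.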
+++ b/config/hosts/hydra/networking.nix
@@ -0,0 +1,22 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "172.31.17.163";
+ prefixLength = 25;
+ }
+ ];
+ };
+ defaultGateway = "172.31.17.129";
+ nameservers = [ "212.12.50.158" "192.76.134.90" ];
+ search = [ "hamburg.ccc.de" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:45:7C:D6";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix
new file mode 100644
index 0000000..49ca2e1
--- /dev/null
+++ b/config/hosts/hydra/nginx.nix
@@ -0,0 +1,58 @@
+{ config, pkgs, ... }:
+
+let
+ domain = "hydra.hamburg.ccc.de";
+in
+{
+ services.nginx = {
+ enable = true;
+
+ virtualHosts = {
+ "acme-${domain}" = {
+ default = true;
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ default = true;
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "http://${config.services.hydra.listenHost}:${builtins.toString config.services.hydra.port}";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+ networking.firewall.allowedUDPPorts = [ 8443 ];
+}
diff --git a/config/hosts/hydra/nix.nix b/config/hosts/hydra/nix.nix
new file mode 100644
index 0000000..b95e469
--- /dev/null
+++ b/config/hosts/hydra/nix.nix
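Review bot: Nothing in this diff routes traffic or ACME challenges to the new hydra host: the public-reverse-proxy changes only add status.* entries to the SNI and `upstream_acme_challenge_host` maps, while this file's `acme-${domain}` vhost waits for HTTP-01 on port 31820 and trusts `set_real_ip_from 172.31.17.140;`. If that proxy is configured outside this repository this is fine; otherwise certificate issuance for hydra.hamburg.ccc.de fails at first activation. Separately, `networking.firewall.allowedUDPPorts = [ 8443 ];` opens a UDP port that no listen entry uses (no QUIC/HTTP3 listener is configured), so it can be dropped, here and in the copied pattern on the other hosts.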
@@ -0,0 +1,10 @@ +{ ... }: + +{ + # Allow Hydra to fetch flake inputs. + nix.settings.allowed-uris = [ + "github:" + "https://github.com/" + "https://git.hamburg.ccc.de/" + ]; +} diff --git a/config/hosts/mjolnir/networking.nix b/config/hosts/mjolnir/networking.nix index 4d4693d..a441814 100644 --- a/config/hosts/mjolnir/networking.nix +++ b/config/hosts/mjolnir/networking.nix @@ -1,24 +1,18 @@ { ... }: { - networking.useDHCP = false; - - services.cloud-init = { - enable = true; - network.enable = true; - - # Version without ssh of: - # https://github.com/NixOS/nixpkgs/blob/3c9db02515ef1d9b6b709fc60ba9a540957f661c/nixos/modules/services/system/cloud-init.nix#L145 - # So we don't get ssh hostkey regenerations. - settings.cloud_config_modules = [ - "disk_setup" - "mounts" - "ssh-import-id" - "set-passwords" - "timezone" - "disable-ec2-metadata" - "runcmd" + networking = { + interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.161"; + prefixLength = 25; + } ]; + }; + defaultGateway = "172.31.17.129"; + nameservers = [ "212.12.50.158" "192.76.134.90" ]; + search = [ "hamburg.ccc.de" ]; }; systemd.network.links."10-net0" = { diff --git a/config/hosts/public-reverse-proxy/nginx.nix b/config/hosts/public-reverse-proxy/nginx.nix index 68c30c2..507b71a 100644 --- a/config/hosts/public-reverse-proxy/nginx.nix +++ b/config/hosts/public-reverse-proxy/nginx.nix @@ -6,6 +6,22 @@ { config, pkgs, ... }: { + services.nginx.streamConfig = '' + map $ssl_preread_server_name $address { + status.ccchh.net 10.31.206.15:8443; + status.hamburg.ccc.de 10.31.206.15:8443; + } + + # Listen on port 443 as a reverse proxy and use PROXY Protocol for the + # upstreams. + server { + listen 0.0.0.0:443; + proxy_pass $address; + ssl_preread on; + proxy_protocol on; + } + ''; + services.nginx.appendHttpConfig = '' map $host $upstream_acme_challenge_host { club-assistant.ccchh.net 10.31.208.10; 
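Review bot: `allowed-uris` entries are prefix matches, so `github:` and `https://github.com/` let Hydra's restricted evaluator fetch any repository on GitHub, not just this flake's pinned inputs; that is a common trade-off but the comment should say so, e.g. `# Prefix matches: any repository on GitHub or git.hamburg.ccc.de may be fetched during evaluation.`. If the intent is narrower, restrict the entries to the relevant owner paths.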
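Review bot: `networking.useDHCP = false;` is removed without a replacement, so unless the shared common/proxmox-vm modules disable it, NixOS's default `useDHCP = true` also starts a DHCP client on net0 next to the static 172.31.17.161; the new hydra and status networking files follow the same pattern, so one check covers all three. The removed cloud-init block also carried the explanation for trimming its module list (avoiding ssh host key regeneration), which is fine to lose only if cloud-init is gone for good. The file continues past the hunk (`systemd.network.links` follows).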
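Review bot: The `$ssl_preread_server_name` map has no `default`, so a TLS connection on 443 whose SNI is not one of the two status names gets an empty `$address` and `proxy_pass` presumably fails per connection with an error-log entry; the http-level `upstream_acme_challenge_host` map below sets `default ""` explicitly, so add `default "";` with a comment that unmatched names are deliberately dropped. The stream server listens only on `0.0.0.0:443`; if an http `server` in this nginx also binds 0.0.0.0:443 the bind fails at start, which the hunk cannot show. The PROXY protocol upstream matches `set_real_ip_from 10.31.206.11;` on the status host, which is the right trust pairing.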
@@ -19,6 +35,7 @@ zigbee2mqtt.ccchh.net 10.31.208.25:31820; esphome.ccchh.net 10.31.208.24:31820; proxmox-backup-server.ccchh.net 10.31.208.28; + status.ccchh.net 10.31.206.15:31820; default ""; } ''; diff --git a/config/hosts/public-web-static/nginx.nix b/config/hosts/public-web-static/nginx.nix index b69e60b..9d0e173 100644 --- a/config/hosts/public-web-static/nginx.nix +++ b/config/hosts/public-web-static/nginx.nix @@ -1,12 +1,7 @@ { ... }: { - services.nginx = { - enable = true; - appendHttpConfig = '' - access_log off; - ''; - }; + services.nginx.enable = true; networking.firewall.allowedTCPPorts = [ 8443 31820 ]; networking.firewall.allowedUDPPorts = [ 8443 ]; diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix index 95f9b59..ff59fab 100644 --- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix +++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix @@ -23,7 +23,7 @@ in { ]; }; - "www.${domain}" = { + "$www.${domain}" = { forceSSL = true; useACMEHost = "${domain}"; diff --git a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix deleted file mode 100644 index d2e779a..0000000 --- a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix +++ /dev/null 
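Review bot: `status.ccchh.net 10.31.206.15:31820;` sends HTTP-01 challenges to a port the status host does not serve: config/hosts/status/nginx.nix listens only on 80, 443 and 8443 and its firewall opens `[ 80 443 8443 ]`, so IPv4 validation of the status.ccchh.net SAN through this proxy hits a closed port (it may still succeed over the host's direct `[::]:80` listener if DNS carries an AAAA record). Either add a port-31820 ACME vhost on the status host like the other hosts have, or point this entry at port 80. The map continues outside the hunk.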
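Review bot: Dropping `access_log off;` re-enables nginx's default access log for every vhost on public-web-static, which now records real client addresses via the realip module; if that is intended (e.g. for abuse investigation) the commit message should say so and a retention setting should accompany it, otherwise keep the `appendHttpConfig`. The file continues past the hunk.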
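Review bot: `"$www.${domain}"` has a literal `$www.` prefix — Nix does not interpolate `$www` — so the vhost becomes `$www.c3cat.de`, nginx gets `server_name $www.c3cat.de;`, and requests for www.c3cat.de no longer match this block but fall to whichever server is default on that port. Restore `"www.${domain}" = {`. The vhost body continues outside the hunk.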
@@ -1,118 +0,0 @@
-{ ... }:
-
-let
- domain = "cpu.ccc.de";
- dataDir = "/var/www/${domain}";
- deployUser = "cpuccc-website-deploy";
-in
-{
- security.acme.certs."cpu.ccc.de".extraDomainNames = [
- "lokal.ccc.de"
- "local.ccc.de"
- ];
-
- services.nginx.virtualHosts = {
- "acme-${domain}" = {
- enableACME = true;
- serverName = "${domain}";
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 31820;
- }
- ];
- };
-
- # https://git.hamburg.ccc.de/CCCHH/cpu.ccc.de/src/branch/main/nginx.conf
- "${domain}" = {
- forceSSL = true;
- useACMEHost = "${domain}";
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }
- ];
-
- root = "${dataDir}";
-
- extraConfig = ''
- index index.html;
- default_type text/plain;
-
- # Make use of the ngx_http_realip_module to set the $remote_addr and
- # $remote_port to the client address and client port, when using proxy
- # protocol.
- # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
- # Then tell the realip_module to get the addreses from the proxy protocol
- # header.
- real_ip_header proxy_protocol;
-
- port_in_redirect off;
- '';
-
- locations."/" = {
- tryFiles = "$uri $uri/ =404";
-
- extraConfig = ''
- location /feed/ {
- default_type application/rss+xml;
- types {
- text/xml application/rss+xml;
- }
- }
-
- location /rss {
- default_type application/rss+xml;
- }
- '';
- };
- };
-
- "lokal.ccc.de" = {
- forceSSL = true;
- useACMEHost = "cpu.ccc.de";
- serverAliases = [
- "local.ccc.de"
- ];
-
- listen = [{
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }];
-
- locations."/".return = "302 https://cpu.ccc.de";
-
- extraConfig = ''
- # Make use of the ngx_http_realip_module to set the $remote_addr and
- # $remote_port to the client address and client port, when using proxy
- # protocol.
- # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - }; - - systemd.tmpfiles.rules = [ - "d ${dataDir} 0755 ${deployUser} ${deployUser}" - ]; - - users.users."${deployUser}" = { - isNormalUser = true; - group = "${deployUser}"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOnO7g/7mVVKnvkszto8m3nPljO/6qQc/34aEbrhKOvn deploy key for cpu.ccc.de" - ]; - }; - users.groups."${deployUser}" = { }; -} diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index 3532c25..793829a 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix +++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -4,7 +4,6 @@ imports = [ ./branding-resources.hamburg.ccc.de.nix ./c3cat.de.nix - ./cpu.ccc.de.nix ./cryptoparty-hamburg.de.nix ./element-admin.hamburg.ccc.de.nix ./element.hamburg.ccc.de.nix diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix index 1c967c9..8277b5f 100644 --- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix @@ -17,7 +17,6 @@ "hamburg.ccc.de" = { forceSSL = true; useACMEHost = "hamburg.ccc.de"; - default = true; listen = [ { diff --git a/config/hosts/status/configuration.nix b/config/hosts/status/configuration.nix new file mode 100644 index 0000000..c36dc63 --- /dev/null +++ b/config/hosts/status/configuration.nix @@ -0,0 +1,10 @@ +{ ... }: + +{ + networking = { + hostName = "status"; + domain = "z9.ccchh.net"; + }; + + system.stateVersion = "24.05"; +} diff --git a/config/hosts/status/default.nix b/config/hosts/status/default.nix new file mode 100644 index 0000000..d8644c5 --- /dev/null +++ b/config/hosts/status/default.nix 
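Review bot: Removing `default = true;` leaves no explicit default server for the public-web-static listens, so nginx picks the first server block it sees per address:port — presumably the alphabetically first vhost — and that choice silently changes whenever a vhost is added. Requests with an unknown or missing SNI/Host then receive that site's content; if the goal is to stop answering for unknown hosts, add a catch-all vhost with `default = true;` and `locations."/".return = "444";` instead. The vhost continues outside the hunk.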
@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+ imports = [
+ ./configuration.nix
+ ./networking.nix
+ ./nginx.nix
+ ./uptime-kuma.nix
+ ];
+}
diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix
new file mode 100644
index 0000000..0bff4b5
--- /dev/null
+++ b/config/hosts/status/networking.nix
@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces.net0 = {
+ ipv4.addresses = [
+ {
+ address = "10.31.206.15";
+ prefixLength = 23;
+ }
+ ];
+ ipv6.addresses = [
+ {
+ address = "2a07:c481:1:ce::a";
+ prefixLength = 64;
+ }
+ ];
+ };
+ defaultGateway = "10.31.206.1";
+ defaultGateway6 = "2a07:c481:1:ce::1";
+ nameservers = [ "10.31.206.1" "2a07:c481:1:ce::1" ];
+ search = [ "z9.ccchh.net" ];
+ };
+
+ systemd.network.links."10-net0" = {
+ matchConfig.MACAddress = "BC:24:11:79:D3:E1";
+ linkConfig.Name = "net0";
+ };
+}
diff --git a/config/hosts/status/nginx.nix b/config/hosts/status/nginx.nix
new file mode 100644
index 0000000..8eff61c
--- /dev/null
+++ b/config/hosts/status/nginx.nix
@@ -0,0 +1,149 @@
+# Sources for this configuration:
+# - https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy
+
+{ config, ... }:
+
+{
+ services.nginx = {
+ enable = true;
+
+ virtualHosts = {
+ "status.hamburg.ccc.de" = {
+ forceSSL = true;
+ enableACME = true;
+ serverName = "status.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "[::]";
+ port = 80;
+ }
+ {
+ addr = "[::]";
+ port = 443;
+ ssl = true;
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "http://localhost:3001";
+ proxyWebsockets = true;
+ };
+ };
+ "status-proxyprotocol.hamburg.ccc.de" = {
+ forceSSL = true;
+ useACMEHost = "status.hamburg.ccc.de";
+ serverName = "status.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ locations."/" = {
+ proxyPass = "http://localhost:3001";
+ proxyWebsockets = true;
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 10.31.206.11;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ "status.ccchh.net" = {
+ forceSSL = true;
+ useACMEHost = "status.hamburg.ccc.de";
+ serverName = "status.ccchh.net";
+
+ listen = [
+ {
+ addr = "[::]";
+ port = 80;
+ }
+ {
+ addr = "[::]";
+ port = 443;
+ ssl = true;
+ }
+ ];
+
+ globalRedirect = "status.hamburg.ccc.de";
+ redirectCode = 307;
+ };
+ "status-proxyprotocol.ccchh.net" = {
+ forceSSL = true;
+ useACMEHost = "status.hamburg.ccc.de";
+ serverName = "status.ccchh.net";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ globalRedirect = "status.hamburg.ccc.de";
+ redirectCode = 307;
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 10.31.206.11;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ "status.z9.ccchh.net" = {
+ forceSSL = true;
+ useACMEHost = "status.hamburg.ccc.de";
+ serverName = "status.z9.ccchh.net";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "[::]";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ {
+ addr = "[::]";
+ port = 443;
+ ssl = true;
+ }
+ ];
+
+ globalRedirect = "status.hamburg.ccc.de";
+ redirectCode = 307;
+ };
+ };
+ };
+
+ security.acme.certs."status.hamburg.ccc.de".extraDomainNames = [
+ "status.ccchh.net"
+ "status.z9.ccchh.net"
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 80 443 8443 ];
+}
diff --git a/config/hosts/status/uptime-kuma.nix b/config/hosts/status/uptime-kuma.nix
new file mode 100644
index 0000000..02411f2
--- /dev/null
+++ b/config/hosts/status/uptime-kuma.nix
@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+ services.uptime-kuma = {
+ enable = true;
+ };
+}
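Review bot: None of the four vhosts set forwarding headers: `proxyWebsockets = true` only adds the Upgrade/Connection handling, so unless `services.nginx.recommendedProxySettings` is enabled in a shared module, Uptime Kuma sees every request as coming from localhost with no X-Forwarded-For/X-Real-IP/Host; `recommendedProxySettings = true;` next to `enable = true;` fixes that and matches the upstream guide linked at the top. The realip `extraConfig` block is pasted twice here and once more in config/hosts/hydra/nginx.nix; a single `let` binding or shared module would keep the trusted proxy address in one place. Note also that `enableACME` lives on the direct `[::]:80` listener, so issuance for status.hamburg.ccc.de depends on that IPv6 path being reachable from the internet.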
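Review bot: Uptime Kuma's first-run setup page creates the administrator account for whoever opens the UI first, and config/hosts/status/nginx.nix in this same commit publishes the UI on status.hamburg.ccc.de over a globally routable IPv6 address; complete the initial setup before the public listener goes live (or keep the vhost disabled until then) so the admin account cannot be claimed by a stranger. The nginx file also hard-codes `http://localhost:3001`; if the NixOS module exposes the port under `services.uptime-kuma.settings`, referencing it from there keeps the two in step, otherwise a `# nginx.nix proxies to the default port 3001` comment here documents the coupling.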
diff --git a/deployment_configuration.json b/deployment_configuration.json index 1bb46e7..9c2f99a 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -16,13 +16,16 @@ "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de" }, "mjolnir": { - "targetHostname": "mjolnir.hosts.hamburg.ccc.de" + "targetHostname": "mjolnir-intern.hamburg.ccc.de" }, "woodpecker": { "targetHostname": "woodpecker-intern.hamburg.ccc.de" }, "penpot": { "targetHostname": "penpot-intern.hamburg.ccc.de" + }, + "hydra": { + "targetHostname": "hydra-intern.hamburg.ccc.de" } } } diff --git a/flake.lock b/flake.lock index 3230d75..76a3fc3 100644 --- a/flake.lock +++ b/flake.lock @@ -19,27 +19,27 @@ }, "nixpkgs": { "locked": { - "lastModified": 1768621446, - "narHash": "sha256-6YwHV1cjv6arXdF/PQc365h1j+Qje3Pydk501Rm4Q+4=", + "lastModified": 1761173472, + "narHash": "sha256-m9W0dYXflzeGgKNravKJvTMR4Qqa2MVD11AwlGMufeE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "72ac591e737060deab2b86d6952babd1f896d7c5", + "rev": "c8aa8cc00a5cb57fada0851a038d35c08a36a2bb", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-25.11", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-unstable": { "locked": { - "lastModified": 1768661221, - "narHash": "sha256-MJwOjrIISfOpdI9x4C+5WFQXvHtOuj5mqLZ4TMEtk1M=", + "lastModified": 1761349956, + "narHash": "sha256-tH3wHnOJms+U4k/rK2Nn1RfBrhffX92jLP/2VndSn0w=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3327b113f2ef698d380df83fbccefad7e83d7769", + "rev": "02f2cb8e0feb4596d20cc52fda73ccee960e3538", "type": "github" }, "original": { 
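Review bot: The new `status` host from flake.nix gets no entry here while `hydra` does, so whatever consumes deployment_configuration.json cannot deploy status; add `"status": { "targetHostname": "<status deployment hostname>" }` unless that host is deployed another way. The `mjolnir` rename to `mjolnir-intern.hamburg.ccc.de` is consistent with the switch to static addressing in config/hosts/mjolnir/networking.nix.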
@@ -64,11 +64,11 @@ ] }, "locked": { - "lastModified": 1768709255, - "narHash": "sha256-aigyBfxI20FRtqajVMYXHtj5gHXENY2gLAXEhfJ8/WM=", + "lastModified": 1760998189, + "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5e8fae80726b66e9fec023d21cd3b3e638597aa9", + "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index e976c25..be9e8fb 100644 --- a/flake.nix +++ b/flake.nix @@ -5,7 +5,7 @@ # Use the NixOS small channels for nixpkgs. # https://nixos.org/manual/nixos/stable/#sec-upgrading # https://github.com/NixOS/nixpkgs - nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable"; # # Add nixos-generators as an input. @@ -147,6 +147,7 @@ ]; specialArgs = { inherit authorizedKeysRepo; + inherit pkgs-unstable; }; }; @@ -200,6 +201,16 @@ ]; }; + status = nixpkgs.lib.nixosSystem { + inherit system specialArgs; + modules = [ + self.nixosModules.common + self.nixosModules.proxmox-vm + sops-nix.nixosModules.sops + ./config/hosts/status + ]; + }; + penpot = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ @@ -210,6 +221,16 @@ ./config/hosts/penpot ]; }; + + hydra = nixpkgs.lib.nixosSystem { + inherit system specialArgs; + modules = [ + self.nixosModules.common + self.nixosModules.proxmox-vm + self.nixosModules.prometheus-exporter + ./config/hosts/hydra + ]; + }; }; # packages.x86_64-linux = { @@ -238,5 +259,10 @@ # }; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; + + hydraJobs = { + inherit (self) packages; + nixosConfigurations = builtins.mapAttrs (name: value: value.config.system.build.toplevel) self.nixosConfigurations; + }; }; }
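Review bot: This moves the stable input from nixos-25.11 back to nixos-25.05 while the rest of the diff adds new hosts, and the flake.lock hunks move `lastModified` backwards for nixpkgs, nixpkgs-unstable and sops-nix accordingly; if this is a deliberate rollback the commit message should say so, otherwise it looks like the diff was produced in the wrong direction. Staying on the older release means the hosts stop receiving security updates once that channel reaches end of life. The comment above (`# Use the NixOS small channels`) also no longer matches the URL, which is the plain `nixos-25.05` channel.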
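Review bot: The two new nixosSystem entries pull in different module sets: `status` gets `sops-nix.nixosModules.sops` but not `self.nixosModules.prometheus-exporter`, while `hydra` gets the exporter but not sops, and neither host directory references sops secrets in this diff. If both are meant to be monitored like the other hosts, add the exporter to `status`; drop sops from `status` if it has no secrets, or add a one-line comment explaining the difference. The `penpot` entry between the two hunks is outside the changed lines.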
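Review bot: `inherit (self) packages;` in `hydraJobs` references `self.packages`, but the only `packages.x86_64-linux` definition visible in this file is commented out in the context of the previous hunk (`# packages.x86_64-linux = {`), so unless it is defined elsewhere evaluating `hydraJobs` fails with a missing-attribute error and the whole jobset turns red; drop the line or uncomment the packages output. The `nixosConfigurations` line is correct but would read better as `nixosConfigurations = builtins.mapAttrs (_: host: host.config.system.build.toplevel) self.nixosConfigurations;`.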