CCCHH/nix-infra
CCCHH/nix-infra
2
3
Fork 3
Code Issues Pull requests 2 Wiki Activity

Compare commits

base: CCCHH:main
Branches Tags
CCCHH:main
CCCHH:shairport-sync-cleanup
CCCHH:ci-check
CCCHH:ci-check-lix
CCCHH:nixOptions
CCCHH:spaceapi
CCCHH:ptouch-print-server
CCCHH:Bendodroid-ldflagsSpaceapid
bendodroid:main
..
compare: bendodroid:main
Branches Tags
bendodroid:main
CCCHH:main
CCCHH:shairport-sync-cleanup
CCCHH:ci-check
CCCHH:ci-check-lix
CCCHH:nixOptions
CCCHH:spaceapi
CCCHH:ptouch-print-server
CCCHH:Bendodroid-ldflagsSpaceapid

No commits in common. "main" and "main" have entirely different histories.
main ... main

130 changed files with 669 additions and 5359 deletions
Download patch file Download diff file Expand all files Collapse all files

23
.editorconfig
View file

@ -1,23 +0,0 @@
root = true
[*]
end_of_line = lf
insert_final_newline = true
indent_style = space
charset = utf-8
[*.nix]
indent_size = 2
trim_trailing_whitespace = true
[*.md]
indent_size = 2
trim_trailing_whitespace = false
[*.json]
indent_size = 2
trim_trailing_whitespace = true
[*.yaml]
indent_size = 2
trim_trailing_whitespace = true

123
.sops.yaml
View file

@ -1,123 +0,0 @@
keys:
- &admin_gpg_jtbx 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- &admin_gpg_yuri 87AB00D45D37C9E9167B5A5A333448678B60E505
- &admin_gpg_june 057870A2C72CD82566A3EC983695F4FCBCAE4912
- &admin_gpg_haegar F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- &admin_gpg_dario 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- &admin_gpg_echtnurich 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- &admin_gpg_c6ristian B71138A6A8964A3C3B8899857B4F70C356765BAB
- &admin_gpg_dante 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
- &admin_age_lilly age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d
- &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
- &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
- &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
- &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
- &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
- &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
- &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
creation_rules:
- path_regex: config/hosts/git/.*
key_groups:
- pgp:
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_c6ristian
age:
- *admin_age_lilly
- *host_age_git
- path_regex: config/hosts/forgejo-actions-runner/.*
key_groups:
- pgp:
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_c6ristian
age:
- *admin_age_lilly
- *host_age_forgejo_actions_runner
- path_regex: config/hosts/matrix/.*
key_groups:
- pgp:
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_c6ristian
age:
- *admin_age_lilly
- *host_age_matrix
- path_regex: config/hosts/public-web-static/.*
key_groups:
- pgp:
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_c6ristian
age:
- *admin_age_lilly
- *host_age_public_web_static
- path_regex: config/hosts/woodpecker/.*
key_groups:
- pgp:
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_c6ristian
age:
- *admin_age_lilly
- *host_age_woodpecker
- path_regex: config/hosts/penpot/.*
key_groups:
- pgp:
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_c6ristian
age:
- *admin_age_lilly
- *host_age_penpot
- path_regex: config/hosts/yate/.*
key_groups:
- pgp:
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_c6ristian
age:
- *admin_age_lilly
- *host_age_yate
- key_groups:
- pgp:
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_c6ristian
- age:
- *admin_age_lilly
stores:
yaml:
indent: 2

21
LICENSE
View file

@ -1,21 +0,0 @@
MIT License
Copyright (c) CCCHH
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

80
README.md
View file

@ -1,80 +0,0 @@
# nix-infra
nix infrastructure configuration for CCCHH.
For deployment we're using [infra-rebuild](https://git.hamburg.ccc.de/CCCHH/infra-rebuild). \
To easily get a shell with `infra-rebuild` going, use the following command:
```
nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild
```
After that you can simply run the following to deploy e.g. the git and matrix hosts:
```
infra-rebuild switch git matrix
```
By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment.
However to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used.
This is exactly what we're doing to set the default deployment user to `colmena-deploy` and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.
## Setting up secrets with sops-nix for a host
1. Convert the hosts SSH host public key to an age public key.
This can be done by connecting to the host and running:
```
cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
```
2. Add the resulting age public key to the `.sops.yaml` as a YAML anchor in keys.
It should be named something like: `host_age_hostname`
3. Add a new creation rule for the hosts config directory.
It should probably have all admin keys and the hosts age key. \
You can use existing creation rules as a reference.
4. Create a file containing the relevant secrets in the hosts config directory.
This can be accomplished with a command similar to this:
```
sops config/hosts/hostname/secrets.yaml
```
Note: Nested keys don't seem to be compatible with sops-nix.
5. Add the following entry to the modules of the hosts `nixosConfiguration`:
```nix
sops-nix.nixosModules.sops
```
6. Create a `sops.nix` in the hosts config directory containing the following content to include the `secrets.yaml`:
```nix
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}
```
7. Make sure the `sops.nix` gets imported. For example in the `default.nix`.
8. To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following:
```nix
sops.secrets."forgejo_git_smtp_password" = {
mode = "0440";
owner = "forgejo";
group = "forgejo";
restartUnits = [ "forgejo.service" ];
};
```
This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.
## Build NixOS Proxmox VE Template
Build a new NixOS Proxmox VE Template for the thinkcccore's:
```shell
nix build .#proxmox-nixos-template
```
Build a new NixOS Proxmox VE Template for the chaosknoten:
```shell
nix build .#proxmox-chaosknoten-nixos-template
```
## License
This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
[`librespot_PR1528_conflicts_resolved.patch`](patches/librespot_PR1528_conflicts_resolved.patch) is a modified version of [librespot PR 1528](https://github.com/librespot-org/librespot/pull/1528) and is licensed under the [MIT license](https://github.com/librespot-org/librespot/blob/dev/LICENSE).

22
config/common/admin-environment.nix
View file

@ -1,22 +0,0 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
vim
joe
nano
htop
btop
ripgrep
fd
tmux
git
curl
rsync
ssh-to-age
usbutils
nix-tree
# For kitty terminfo.
kitty
];
}

2
config/common/default-state-version.nix
View file

@ -13,5 +13,5 @@
# this value at the release version of the first install of this system. # this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = lib.mkDefault "24.05"; system.stateVersion = lib.mkDefault "23.05";
} }

1
config/common/default.nix
View file

@ -3,7 +3,6 @@
{ {
imports = [ imports = [
./acme.nix ./acme.nix
./admin-environment.nix
./default-host-platform.nix ./default-host-platform.nix
./default-state-version.nix ./default-state-version.nix
./localization.nix ./localization.nix

1
config/common/ssh.nix
View file

@ -20,7 +20,6 @@
"ecdh-sha2-nistp384" "ecdh-sha2-nistp384"
"ecdh-sha2-nistp256" "ecdh-sha2-nistp256"
"diffie-hellman-group-exchange-sha256" "diffie-hellman-group-exchange-sha256"
"mlkem768x25519-sha256"
]; ];
# Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09. # Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09.
# Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09. # Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09.

41
config/common/users.nix
View file

@ -6,29 +6,34 @@
# - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix # - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix
# - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings # - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings
{ config, pkgs, lib, authorizedKeysRepo, ... }: { config, pkgs, lib, ... }:
let let
authorizedKeysRepo = builtins.fetchGit {
url = "ssh://git@gitlab.hamburg.ccc.de:4242/ccchh/infrastructure-authorized-keys.git";
ref = "trunk";
rev = "6dbf11113603a4f6c12f781c2dc7a8980e65a131";
};
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys")); authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
in in
{ {
users.mutableUsers = false; users.mutableUsers = false;
users.users.chaos = { users.users.chaos = {
isNormalUser = true; isNormalUser = true;
description = "Chaos"; description = "Chaos";
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = authorizedKeys; openssh.authorizedKeys.keys = authorizedKeys;
}; };
users.users.colmena-deploy = { users.users.colmena-deploy = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = authorizedKeys; openssh.authorizedKeys.keys = authorizedKeys;
}; };
nix.settings.trusted-users = [ "colmena-deploy" ]; nix.settings.trusted-users = [ "colmena-deploy" ];
# Since our user doesn't have a password, allow passwordless sudo for wheel. # Since our user doesn't have a password, allow passwordless sudo for wheel.
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
} }

8
config/extra/prometheus-exporter.nix
View file

@ -1,8 +0,0 @@
{ ... }:
{
services.prometheus.exporters.node = {
enable = true;
openFirewall = true;
};
}

1
config/hosts/audio-hauptraum-kueche/audio.nix
View file

@ -8,7 +8,6 @@
enable = true; enable = true;
name = "Audio Hauptraum Küche"; name = "Audio Hauptraum Küche";
}; };
services.mpd.musicDirectory = "smb://beamer:beamer@beamer.z9.ccchh.net/music";
users.users.chaos.extraGroups = [ "pipewire" ]; users.users.chaos.extraGroups = [ "pipewire" ];
} }

1
config/hosts/audio-hauptraum-kueche/configuration.nix
View file

@ -2,7 +2,6 @@
{ {
networking = { networking = {
hostName = "audio-hauptraum-kueche"; hostName = "audio-hauptraum-kueche";
domain = "z9.ccchh.net";
}; };
system.stateVersion = "23.05"; system.stateVersion = "23.05";

11
config/hosts/audio-hauptraum-kueche/networking.nix
View file

@ -1,19 +1,20 @@
{ ... }: { config, pkgs, ... }:
{ {
networking = { networking = {
interfaces.net0 = { interfaces.net0 = {
ipv4.addresses = [ ipv4.addresses = [
{ {
address = "172.31.200.14"; address = "10.31.210.10";
prefixLength = 23; prefixLength = 23;
} }
]; ];
}; };
defaultGateway = "172.31.200.1"; defaultGateway = "10.31.210.1";
nameservers = [ "172.31.200.1" ]; nameservers = [
"10.31.210.1"
];
}; };
systemd.network.links."10-net0" = { systemd.network.links."10-net0" = {
matchConfig.MACAddress = "1E:EF:2D:92:81:DA"; matchConfig.MACAddress = "1E:EF:2D:92:81:DA";
linkConfig.Name = "net0"; linkConfig.Name = "net0";

1
config/hosts/audio-hauptraum-tafel/audio.nix
View file

@ -8,7 +8,6 @@
enable = true; enable = true;
name = "Audio Hauptraum Tafel"; name = "Audio Hauptraum Tafel";
}; };
services.mpd.musicDirectory = "smb://beamer:beamer@beamer.z9.ccchh.net/music";
users.users.chaos.extraGroups = [ "pipewire" ]; users.users.chaos.extraGroups = [ "pipewire" ];
} }

1
config/hosts/audio-hauptraum-tafel/configuration.nix
View file

@ -2,7 +2,6 @@
{ {
networking = { networking = {
hostName = "audio-hauptraum-tafel"; hostName = "audio-hauptraum-tafel";
domain = "z9.ccchh.net";
}; };
system.stateVersion = "23.05"; system.stateVersion = "23.05";

11
config/hosts/audio-hauptraum-tafel/networking.nix
View file

@ -1,19 +1,20 @@
{ ... }: { config, pkgs, ... }:
{ {
networking = { networking = {
interfaces.net0 = { interfaces.net0 = {
ipv4.addresses = [ ipv4.addresses = [
{ {
address = "172.31.200.15"; address = "10.31.210.13";
prefixLength = 23; prefixLength = 23;
} }
]; ];
}; };
defaultGateway = "172.31.200.1"; defaultGateway = "10.31.210.1";
nameservers = [ "172.31.200.1" ]; nameservers = [
"10.31.210.1"
];
}; };
systemd.network.links."10-net0" = { systemd.network.links."10-net0" = {
matchConfig.MACAddress = "D2:10:33:B1:72:C3"; matchConfig.MACAddress = "D2:10:33:B1:72:C3";
linkConfig.Name = "net0"; linkConfig.Name = "net0";

1
config/hosts/esphome/configuration.nix
View file

@ -2,7 +2,6 @@
{ {
networking = { networking = {
hostName = "esphome"; hostName = "esphome";
domain = "z9.ccchh.net";
}; };
system.stateVersion = "23.05"; system.stateVersion = "23.05";

1
config/hosts/esphome/default.nix
View file

@ -3,7 +3,6 @@
imports = [ imports = [
./configuration.nix ./configuration.nix
./esphome.nix ./esphome.nix
./networking.nix
./nginx.nix ./nginx.nix
]; ];
} }

29
config/hosts/esphome/networking.nix
View file

@ -1,29 +0,0 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "10.31.208.24";
prefixLength = 23;
}
];
ipv6.addresses = [
{
address = "2a07:c481:1:d0::66";
prefixLength = 64;
}
];
};
defaultGateway = "10.31.208.1";
defaultGateway6 = "2a07:c481:1:d0::1";
nameservers = [ "10.31.208.1" "2a07:c481:1:d0::1" ];
search = [ "z9.ccchh.net" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "7E:3C:F0:77:8A:F4";
linkConfig.Name = "net0";
};
}

56
config/hosts/esphome/nginx.nix
View file

@ -1,34 +1,35 @@
{ config, ... }: { config, ... }:
{ {
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
"esphome.ccchh.net" = { "acme-esphome.ccchh.net" = {
forceSSL = true;
enableACME = true; enableACME = true;
serverName = "esphome.ccchh.net"; serverName = "esphome.ccchh.net";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"esphome.ccchh.net" = {
forceSSL = true;
useACMEHost = "esphome.ccchh.net";
listen = [ listen = [
{ {
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 80; port = 80;
} }
{
addr = "[::]";
port = 80;
}
{ {
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 443; port = 443;
ssl = true; ssl = true;
} }
{
addr = "[::]";
port = 443;
ssl = true;
}
]; ];
locations."/" = { locations."/" = {
@ -36,38 +37,9 @@
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
"esphome.z9.ccchh.net" = {
forceSSL = true;
useACMEHost = "esphome.ccchh.net";
serverName = "esphome.z9.ccchh.net";
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "[::]";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::]";
port = 443;
ssl = true;
}
];
globalRedirect = "esphome.ccchh.net";
redirectCode = 307;
};
}; };
}; };
security.acme.certs."esphome.ccchh.net".extraDomainNames = [ "esphome.z9.ccchh.net" ];
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 31820 ];
} }

7
config/hosts/forgejo-actions-runner/configuration.nix
View file

@ -1,7 +0,0 @@
{ config, pkgs, ... }:
{
networking.hostName = "forgejo-actions-runner";
system.stateVersion = "23.11";
}

11
config/hosts/forgejo-actions-runner/default.nix
View file

@ -1,11 +0,0 @@
{ ... }:
{
imports = [
./configuration.nix
./docker.nix
./forgejo-actions-runner.nix
./networking.nix
./sops.nix
];
}

13
config/hosts/forgejo-actions-runner/docker.nix
View file

@ -1,13 +0,0 @@
# Sources for this configuration:
# - https://nixos.wiki/wiki/Docker
{ config, pkgs, ... }:
{
virtualisation.docker = {
enable = true;
autoPrune = {
enable = true;
dates = "weekly";
};
};
}

60
config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
View file

@ -1,60 +0,0 @@
# Sources for this configuration:
# - https://forgejo.org/docs/latest/admin/actions/
# - https://forgejo.org/docs/latest/user/actions/
# - https://docs.gitea.com/next/usage/actions/act-runner
{ config, pkgs, ... }:
{
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances.ccchh-forgejo-global-docker = {
enable = true;
name = "Global Docker Forgejo Actions Runner";
url = "https://git.hamburg.ccc.de/";
tokenFile = "/run/secrets/forgejo_actions_runner_registration_token";
labels = [ "docker:docker://node:current-bookworm" ];
settings = {
cache = {
proxy_port = 45540;
};
runner = {
capacity = 4;
};
};
};
instances.ccchh-codeberg-org-diday = {
enable = true;
name = "ccchh runner for codeberg.org/di-day";
url = "https://codeberg.org/";
tokenFile = "/run/secrets/codeberg_org_diday_runner_registration_token";
labels = [
"docker:docker://node:current-bookworm"
"debian-latest:docker://node:current-bookworm"
"alpine-latest:docker://node:current-alpine"
];
settings = {
cache = {
proxy_port = 45541;
};
runner = {
capacity = 4;
};
};
};
};
sops.secrets."forgejo_actions_runner_registration_token" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "gitea-runner-ccchh\\x2dforgejo\\x2dglobal\\x2ddocker.service" ];
};
sops.secrets."codeberg_org_diday_runner_registration_token" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "gitea-runner-ccchh\\x2dcodeberg\\x2dorg\\x2ddiday.service" ];
};
}

27
config/hosts/forgejo-actions-runner/networking.nix
View file

@ -1,27 +0,0 @@
{ lib, config, ... }:
let
runnerInstances = lib.attrValues config.services.gitea-actions-runner.instances;
runnerCachePorts = lib.map (i: i.settings.cache.proxy_port) runnerInstances;
in {
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.155";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "1E:E0:4E:D0:DA:BE";
linkConfig.Name = "net0";
};
# open ports for runner cache proxy so that we can use the cache action
networking.firewall.allowedTCPPorts = runnerCachePorts;
}

149
config/hosts/forgejo-actions-runner/secrets.yaml
View file

@ -1,149 +0,0 @@
forgejo_actions_runner_registration_token: ENC[AES256_GCM,data:gAR2ffrffeuuaOwO6mWcif2e6csKIVoLqrux19iBlrTkFHgo/IlHVL0eSUGqnw==,iv:i12yx/quwT9kj6fPECszo/iG9cVhKX+7dAA6/N09URc=,tag:eO+mWhumgvWzQxYqiRUXbA==,type:str]
codeberg_org_diday_runner_registration_token: ENC[AES256_GCM,data:thTsLo/eXVPbXt4b8ldae+kGnOR4GbYKOqr1hVJgaL7wZ5GgqWSPcOuhow96Jw==,iv:Fzi+DsKj+4PrwQGEosUntm9l7s78NwzhkmF6e/sfF+s=,tag:oa7mnbGR0J5xi9ruCgRJtQ==,type:str]
sops:
age:
- recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjZEpMZkt6OU5nMEtYcHc0
OGdsVDZBcE5nK2ZLbDhaWEVMM2lJcllLVnlzCmNUTXpaVHBLMjlILzJwdDFLMVky
ZXdEVmE3aTFMZDJnQ2tqWGRMb1NnZUkKLS0tIDhGWGpoYWNtL24wRnVRejQ5ZkVN
YjZFMTh3OTNkOUE0SmZTQXpKSmdGWlEK+Xb6blAdiWoKvffLEQagu5tFpWALJaXm
F65M+RNNkJ/YsSJGAWFJepw3ncCMFbmQgGXw5XnyqTlYFhrQ8x5qJg==
-----END AGE ENCRYPTED FILE-----
- recipient: age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQblJIdFAwOFRqbWEvQzVF
ODVpQ04xTVpxTERGU3BOMjV4KytBU21neEYwCmoraHhlNjhDelAzR0VxcVNlekhT
QkI5ckd1dVFjMHBoTVFTQjlzbTdnTzgKLS0tIGlTY1p0bWxrQWoyM0RwSmx1aDhy
TklLZWM0cDBKaGJJM2tQQWRLZXhFYU0Ko7cyvzMvwlGCCP3UAX1+5uTI4srhZ5l9
DPaHySiC+rLy+8R9UqEuTKbP4/Aw4NZ/UcfjNnVkqqqNJIODmLoOhg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-18T09:51:37Z"
mac: ENC[AES256_GCM,data:4fWsE3U6WxRqlKHKC4ipE+RQ7MPjiZZcTFMSblxty7JjJHAdKUHbthFB+R8gIWxZEjX5WG+IPgUP+AcCLSI9fdcXMqIFMuDun2hiktwqxzLPGYAoCXdTBAd1uCUagvB/rFty6y8umD4J5ITgEGba9pvGdUcng9WVRV+LGDftS1g=,iv:tD9tlcylQWapNCARxPXrKofZXf2BHTt2c4PQqFNj6X8=,tag:pQ8lOqJEFCcCcJot3BYTmQ==,type:str]
pgp:
- created_at: "2026-02-17T22:21:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJAQ/7BFboCbCEG1DY5Twf+1cRSAmXs8CSrnoJcmyxrF9daqTB
GAqItZcym6I7YbtYMb33jTZDAMFcexvJ+V7+WVBK/v/TISzinJ3m5BafE0DrgsB5
HQT8tsFzxIdu/KsUp0C5VQg6gsb2u2T7aFG0wTS4vas2FjcsoJRKNWTv7a1sNWYZ
dFRxeyklWEX14kCHeKIxO7+Qe3NVV+6MuwYR8X3YJaAyLtVMIdBp/poE+7Gcsa58
rOewheWW/FROTxLZIk3sren6z7M0ZrOz5res2evRDMI9noN3pYMnkNCL/XIvRf9U
GqFSruzDoC0a2JcEvSmthSmEHA6wXeOY/EuzXKLoW4luZDsSXshFgBxK0qqGvzbd
jIXXYvBWPCMYWRMSqQenLkjfhOQXuSXcywGfKpuQblUL8RiflIqia2o68Vbd9Hq4
x9Od+qkauMHZUzsKQoym9pkbrEWpjckg6FevZ1W4o5Qhe9i+JMmE2KIvoYH8tK9F
5KQ87jktx4i9df9TJy3n/xbbrWXpo76y5Aoa2LaiD9Nc6lo7sFs3Pegq4wKmYSIh
6uaZxa5sto/5kywHrJQGqEyh/fDdNmsh5FlDW7gfFEm9Ti2KSE3m9IvIwppFD4j0
xFkHiwHvNn/WMLciVh9qG8auGyxjoXnRRx61QHF31RIYprxWgDoyH/rVz95IuxzS
XgEIJk7MnHv9tYCy/lOjbgqLAUGO0+xuO+IfmsvtiD4nfrnaEJAh0+SW3wuCKzaF
tx1ZHCYH9j3s50Q624pUgtzDad5QV5IIEgCRyr0NvEvrXvG6U0aXkOEbOcFSZsk=
=v3FY
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-02-17T22:21:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1AQ/9H+Kn4rF7yUsIdTp5rYhG6EkYkJ/jCeUBJvaOuA95b8HM
6csTXj+ttVcFvbU1hQVbOsd7J8Wpmuj/TqMrpFvu/0EYUW5n04y1YI8kpNXDMrFF
X/0gk+I+w2eF2X3gJQasVY39DNx56KSRJ0BwGYw287rdeKh8cbiFw64r0rs6zX5j
2nqrWgSqxXtWcjhC7Y4Rq8ysWv7dEF2E9Tt2cHYVjn5cs9Vb52PWUA0TxzBzUUqa
M1YWat3fwLah6qEs6/9c89LB66SbgH088lEzQHtRIXdOZ9tPOu7/E3iNqYExuIKB
eMV0bdW0/tZlnWxAwXrL4rptxjGDqB+Ynv36IeLKZ86ljqSPqaQA7ihCVXnMo2TW
IfdlbOtAJiE3IliQf8C1Ajyn32epePBAUyw8o0k2D6UyNyvk8fe0z9++H6Uz+Z7G
oLRrxzOHjh6oWK9WBwJQhZ9dnb1n1UYZfvCDwFZBTmUkhIs6UQllIiF5ZjMy4/cc
E3FEouu/6VPPjq9d8pGEFcjOvXkLtUErhXP+A8Xvl/fHmtfM0/o1e6gPnMmxGn4k
0yXvU+pNO/ID6fc6qMs0nBZRAKGraaeH+wTjpm1exUhhNB2yJviySnElJFyq9vtr
AfacrbuW//JQ+19rSKViV9xStRG//xfW7EpknOh3juB7WfnyOXqdfZqT2zQwrvjS
XgEoHXmbR7aiDvBCc4CGTmBhWD4An+p3m3m7iSOp27kBqJ3+YSKdVA7mdIo0tpTn
9p5Pgz6GHBA5eMwZCb/z3Y7+20PuuEb4/tEBAniw9/Rp0sDJ+9C+V1SdHtbYq8k=
=kkQW
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-02-17T22:21:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdAdgME/v0CVfcRZ1zr9SRZksN7vDHDk63g+5k5a/FOvmow
0l/6kH1l7p4aOKaAGFbMHzDzljuACB1a4IOJypRA2DokYWRUgqBKwvcHplgXr4l0
0l4B2vxPl9W1kcbAg4m+V4PlvXTBGhPUglljtjWy80TisUL1zCXpl3PEvmrypZs7
NM47K09RsDiicwTKjxd0Oii2Evz8riLFIth8IWOKXPHoKhiYwN891g1qLSvsrDzE
=6B/b
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-02-17T22:21:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fARAAjz8RObyKYVAmNwiBsNVNGt0qSIexSYpsMR5SyuBMKShJ
NSD4yA6B7Tj+h/ik4VyggOT+9Qfr7zFvFyEHYFXI7k/r+Noyw4uscqr9gNnz0t9N
rx4/ZNowsW/3dL+Gab3hjDKObHF41Y1lzojNwcieU8qZmssHZMjIIzyAUePL210f
2i87hix9PkK6kKuisORDShnFifEOEPOcijXFL4kH9DilVoZ0Ut5fJoiA+QkQQpaa
uHd+Q7F6u9jZrzRLN1SJkb76ElxQAvJYcgTN2s3+c4002DkKVdwCW0qyPlF9wOxT
xTngl46NyZ1MH3ByW2xeOgaDYUcBt8qUF4gTMmIaDTIZ+K5XWGu3hmCzNZHD5Nxi
bhVKJ8jGENUhM/IfT8CjppRIg5wwU0K/EQE/QQHhIykpz9NaIjikDCxcraBa9DkA
rgjp74W9vgR3pBwXJIAsylOZZHy+35rca/JvWWxm2tdeao2WxTA9jdsNdsUOhNyz
3xQGGM63ZSUcV0ZgCyhEYeKBzCyRWpFX+GQHboZDp7IaYK68qYZgxnQtoSwl3lJR
Qc1IaADnncIDyGEIDTciLbjbDx7TId4wrpRWUPxVY2FVY+hV+oRNaoYMuT2jiDVw
PimQ5iVUhl/ThHWPLqok6d3ypROZtVS6EUFzd4ASUrYRYB5Twvoujr7Yg7jSZV/S
XgFcxQ31/i/Vi9owjwX7u0/eclU/3XE2/MqUCcoMntnq2dCN/IpF3rROit5Tzs+W
BT7i57cpGh9ZXf1dbNSyRwydp/C8tjnwDqf3RJ5hj4fmlK6zLJqtPFPdusOO4SU=
=z1tc
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-02-17T22:21:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoAQ/+K1+QTZ8N3Ha0nErrRWClBu5Cxec5/eb2Q/n4dfNGkrxx
xBk0thoGAyoYpifSqhXbVi/MA8+tzHdtPlKJFCn5NETrnEdu84+sJQE4zfDljLiX
fXZZ/+YQ0P3VosR2NI3W1r/hJWs4oJ9oPz4FfMlfPK+/UOOdQEtGkx9rjYaus9Ax
VI6s5qvYM6XD5rkLxTqZZhEa+CjLtSjD5WqNbCT/8fX5ErnU06jW6jXvRNQSq1Mt
hpqMIBygUE39K2apEuphE9RRD3bS1M2VjCB882yVSM2QZyepilRBjS5ryyQhKK/9
Q0mdIw9mxhdgaCzoglN2k1c6WjddZ409osdnYcMtsH4+NlHDtNfSFLIk6JrxAXIQ
bNR8gtr4D85LoQki/RvEweUd4M40DneIO1dTK4/WG71Lcle3B6p0ynDMjmXq1coY
Qn0c4KAh1RIX/eEJGS23Wle/XZbp89yaFFEF667+HmwL0CY6I5pcVEn/iuXLoNHI
93y/9h7mhB8ZGICPbF7nXBfQQTrxjfc9vZq0PVdjlXPIMRjZcbZOzlKByYLsQIW0
UtzLScfFyKsogcUGJIlGrcQyAmLb3dr7i1elVWlanggCXdKnecBRbSkEfK7SmwiN
t8hRaaM06P3kRbTHWxt+4sjTQWofo+C76qsMZYHFpI0TTOP/jwnn/h3E9dQxdaHS
XgHzVEsJkQiQ51w7pPP1LcKkCxQv1KA9QC+LAFGhmWXnQ1m8E3whao2S07UjlTVw
XMAtuOVT2r09dYGgpcEaMiK2Hb9UNg/ma9o29fSm+2rLuxw3qSldgNNx/s8hyzc=
=0kev
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-02-17T22:21:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqAQ//ZYw2qRn+YhiEoBpbUsW95NJpZJFizwssh1dC/Lda5qFs
55G1Jls9FHHQ+LmRnE6wyx26bbpQ257FNzCsxsfwAuiznx31j1yHc6LZbuJ3+DsJ
slRaad13RdLyGgo2psaXbBMEgr22FAFDm+S98aYnyv8yvtOZvutEljGm9yhHLGKy
XnFf8LwvvqdT4RolfxiPncGsd9hbFYZh7/zcJTSzfYSnHI30Ly5Na74vSaamuIwR
oPnSxlf8jIX5RUzssjyOHGLQLd327fKuveVxX9CUK/PGWLgQYuTL5PWZwQGhzgSY
E+2EerpGLVJzSQB0TUU5xGwOQkDlPveSSUg0IoDlivMnrphWUFd+bcIMbipVXolf
qpiJeO1t0YW1WAQBzkQ3J+uXgX0dJqWfzfMsbn3j4/WZq5ZlEX6x+ovHv6Z7ZXTz
6lcF6Gn0dH/omhkqduK3bLwBWAkmh7gWNssEXdPQWGWA8j3WM+IPZKIegpecflKN
pv7jOyD95othMUul/iiH/E3aSbCggN5maoZHG2Cp1TGXkGOLFCNs143LGTVligOU
yD8n0uAQ8e50J7YwytSi2g0pzFkZyriLmrZqKFt9UUOfANivrO9p8J0Bo9wEHjY0
OdKKu8ASgjYk0t4VHGeZF3GPSaGE/k7LaUb9+5t02sxypxeVqQXpvjU/D8c/0wPS
XgGQs2bjszJIyRwcTmUHD8YAvuxf0MkyKCKpJSsnbJ4XmgkI+gGQpg0GLQROXjZ4
8GqLzKb+3d3QDUPQmh+z5Ur1nFcVS214wycICWSTsIUyam59+4rVxV1i33DcAs4=
=BJfi
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-02-17T22:21:57Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdA7rerN+IVKpzyAdXVuAN19+CIjQ6DnHatGr92/YhAEiQw
J913tdR+Yb/FdPWQrn0NR2eTUuKm/Es0NRvJY/YEnhQble+3qYvxFP6dI+vm1cmz
0l4BNxMhGqyOmsDFf58yrJmrHdnapBOmiqCkJBTc9gAQH534di0Ps+grV04jzkXW
DUO/sIPANPpvqqCJNt1uekKNH2J57OMaagnBTivMBTq0HAuRN1RhcrjGof9ttCj1
=desh
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
unencrypted_suffix: _unencrypted
version: 3.11.0

7
config/hosts/forgejo-actions-runner/sops.nix
View file

@ -1,7 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

2
config/hosts/git/default.nix
View file

@ -6,8 +6,6 @@
./forgejo.nix ./forgejo.nix
./networking.nix ./networking.nix
./nginx.nix ./nginx.nix
./opensearch.nix
./redis.nix ./redis.nix
./sops.nix
]; ];
} }

45
config/hosts/git/forgejo.nix
View file

@ -7,20 +7,13 @@
# - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md # - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md
# - https://forgejo.org/docs/latest/admin/email-setup/ # - https://forgejo.org/docs/latest/admin/email-setup/
{ pkgs, ... }: { ... }:
{ {
services.forgejo = { services.forgejo = {
enable = true; enable = true;
package = pkgs.forgejo;
database.type = "postgres"; database.type = "postgres";
lfs.enable = true; mailerPasswordFile = "/secrets/forgejo-git-smtp-password.secret";
secrets = {
mailer = {
PASSWD = "/run/secrets/forgejo_git_smtp_password";
};
};
settings = { settings = {
DEFAULT = { DEFAULT = {
@ -34,7 +27,6 @@
ROOT_URL = "https://git.hamburg.ccc.de/"; ROOT_URL = "https://git.hamburg.ccc.de/";
# LOCAL_ROOT_URL is apparently what Forgejo uses to access itself. # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself.
# Doesn't need to be set. # Doesn't need to be set.
OFFLINE_MODE = true;
}; };
admin = { admin = {
DISABLE_REGULAR_ORG_CREATION = false; DISABLE_REGULAR_ORG_CREATION = false;
@ -49,20 +41,8 @@
}; };
service = { service = {
ALLOW_ONLY_EXTERNAL_REGISTRATION = true; ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
ENABLE_INTERNAL_SIGNIN = false;
DEFAULT_USER_VISIBILITY = "limited"; DEFAULT_USER_VISIBILITY = "limited";
DEFAULT_KEEP_EMAIL_PRIVATE = true; DEFAULT_KEEP_EMAIL_PRIVATE = true;
ENABLE_BASIC_AUTHENTICATION = false;
ENABLE_NOTIFY_MAIL = true;
AUTO_WATCH_NEW_REPOS = false;
AUTO_WATCH_ON_CHANGES = false;
};
repo = {
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
};
actions = {
ENABLED = true;
ARTIFACT_RETENTION_DAYS = 30;
}; };
mailer = { mailer = {
ENABLED = true; ENABLED = true;
@ -77,20 +57,17 @@
ADAPTER = "redis"; ADAPTER = "redis";
HOST = "redis+socket:///run/redis-forgejo/redis.sock"; HOST = "redis+socket:///run/redis-forgejo/redis.sock";
}; };
indexer = {
ISSUE_INDEXER_TYPE = "elasticsearch";
ISSUE_INDEXER_CONN_STR = "http://127.0.0.1:9200";
REPO_INDEXER_ENABLED = true;
REPO_INDEXER_TYPE = "elasticsearch";
REPO_INDEXER_CONN_STR = "http://127.0.0.1:9200";
};
}; };
}; };
sops.secrets."forgejo_git_smtp_password" = { deployment.keys = {
mode = "0440"; "forgejo-git-smtp-password.secret" = {
owner = "forgejo"; keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/git/smtp_password" ];
group = "forgejo"; destDir = "/secrets";
restartUnits = [ "forgejo.service" ]; user = "forgejo";
group = "forgejo";
permissions = "0640";
uploadAt = "pre-activation";
};
}; };
} }

36
config/hosts/git/networking.nix
View file

@ -1,33 +1,17 @@
# Sources for this configuration:
# - https://nixos.wiki/wiki/Networking
{ ... }: { ... }:
{ {
networking = { networking.interfaces.net0 = {
interfaces.net0 = { ipv4.addresses = [
ipv4.addresses = [ {
{ address = "212.12.51.136";
address = "212.12.51.136"; prefixLength = 28;
prefixLength = 28; }
} ];
{
address = "172.31.17.154";
prefixLength = 25;
}
];
ipv6.addresses = [
{
address = "2a00:14b0:f000:23:51:136::1";
prefixLength = 64;
}
];
};
defaultGateway = "212.12.51.129";
defaultGateway6 = "2a00:14b0:f000:23::1";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
}; };
networking.defaultGateway = "212.12.51.129";
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = { systemd.network.links."10-net0" = {
matchConfig.MACAddress = "92:7B:E6:12:A4:FA"; matchConfig.MACAddress = "92:7B:E6:12:A4:FA";

4
config/hosts/git/nginx.nix
View file

@ -34,10 +34,6 @@
return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\""; return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\"";
}; };
}; };
# Disable checking of client request body size to make container registry
# image uploads work.
clientMaxBodySize = "0";
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];

12
config/hosts/git/opensearch.nix
View file

@ -1,12 +0,0 @@
{ ... }:
{
services.opensearch = {
enable = true;
};
systemd.services.forgejo = {
after = [ "opensearch.service" ];
requires = [ "opensearch.service" ];
};
}

148
config/hosts/git/secrets.yaml
View file

@ -1,148 +0,0 @@
forgejo_git_smtp_password: ENC[AES256_GCM,data:ZRj5GpQKRlTxdu5CfbJirRGAKPCLAIG1F0V5USz5m5D49V3lu5uLomxHapmEwb0yYoE7e7ZLYK4VQUoQgpUnSw==,iv:K7+9E2gi8cdYu0lX/HgWitLxnxARywIwh5glEL0uOsM=,tag:s9UC8e+E5E3vM6cTKW7Vqw==,type:str]
sops:
age:
- recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpeGkrV2d0clRqTnNVa25P
VUJTQ1I0YUtSYmRwVWIzaEUycjFkbUQ4NXpZCmNnbTVTdGp3R1VET0k1Z05ySHg3
M2NWaVNiMnB5RllFb1FzOVRRNkk1c0EKLS0tIHBQL01BMjZNMkFBZU43SE5Yc2RV
SEtGVldxa0l5c2t0d0Z1ME5SNlFPYlEK75G9DZxOUGIAEVtUo6BDFZ3NGB6/cfm7
0leD7YW7g4mJ+raI/9wVb41BmGdFrYzr0xSjj/1vjJ2aTJEB7pBiTA==
-----END AGE ENCRYPTED FILE-----
- recipient: age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTR21UUEdiZHVKOVBXZlVn
bW8xMGlSbElYQmxQN2IrTzlIeU11WSthSlRVCitIU3ozV0ZDUnhTTk9TRjR3V2Jh
ZDVvcjMzMjhkUmlKSjI5Z09nV3VzSTAKLS0tIDZNQldPcFFWeTJZVWhUMDNKWTVp
VmJxSU1Wa3orQ2tTNEFWdUdKM0RhQmsKfQm3qBSSY/7Pt98HNgXp+THAkOSRRrDF
8QE6EboB4EJql1hcu2ZHgCGqLNpW/YO5lD3IHt0ujNI0Pd4uYIL1tw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-25T14:17:29Z"
mac: ENC[AES256_GCM,data:JeqYsVtogbB4oMWNEpLsF6zxsgUoAt7UzRUL2JzxDUtXDUndW/AxJxVxQaipYvblA3q2MzRyQN+j9khavlL02DR/ANtZFLQmH3OREV7M9eHmeeCa4Lm5D7gFYmqWkULJ7yEJsKz5AaiJTWlWgCcBITB901H3Z12dsz2a1+4WrUc=,iv:5Xm5Rjw8PS7hkTcRD1kj5XS5uiOgsPwXYeaMqUReB7E=,tag:2Y5R1/Why1TQd+ZYTF0qDA==,type:str]
pgp:
- created_at: "2026-02-17T22:21:58Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJAQ//aGNw4mAzDqvpfu1FOQwoU6q3C7RlL77VIy6xw93BsahP
c8yIEoTOiDa1wtsLKHMaqxNADsxuQBmx4lQYQZ786SUFMVndfJzU6tf59SnOF+5U
/FztmZQsDEzKzKWESIEQMMavEAanr8DEGpACOITZAe61mTJAn8vcc92jMYhmnsHh
zlhS+ryg+j6VRp5i/s1Yocec/iYR9GlUKn3FVHrVDA0TBxOHJ8KjneN7CG0XFuBg
YmRpokZJrLxLntSyMZVSfksuOK8ORlYYpsGvKZNyzA726WjrYg8bJNN10iZHIbwR
PBmDvvP7SWDcJ1/YuzHE2vwJwbRupE3RLQoFRtmANi5QE0mzyMZPz7IF7d/TrXSV
fW3Hb/73SI+QjgdMtHJCtsxBh7rbGTJMP14TJzmETP7eCwLF+92goz/ruhG+HWFf
vc2g/SLAzUjoiX3MjuPjaLZTfgqhC2b/OnZ+MbFMbpgBtXlNhOkDSb75g/gOaB14
9CHmQoJt2JeeCCVkH+YQeq6oK9S5lD2WUhigFxdFaHjE6fmKkwxIBMwPwZ7QY7Ep
ljxJuSfMvl3XkZxpxD1+Ep9C1ZIvDXmvdhXx7H/3SaUtefCHO6Ab46ibtKa8wh2w
4gzPinJJdDYJfzylNDVMZxJ/P9y8XcYSSDGasG7QOGVNm4T2MrLjFaFhrU7lN9TS
XgHr8/8XgnlBIupmjeJTpLpcF0u5zeKIOiKkJBRQR1aUmzmi76lJVStuEJzfymXl
baOviVQywJOe3bVilDmUuVc71FVICnKgwdAvvgG15nOfOUBagLhM0IrgRrGmGSM=
=+Oww
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-02-17T22:21:58Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1AQ//VsCz5H85LzK29rlmzv1BZaZb6tj86PsO0TydE6+re29Y
i7uu7i54BbjhyC9C2m2J2dzfDsIZyt80n7/1/QooWw4+/h+CD1aFYFb/fiwV6/oq
IAwdnoEio96r6LZcA1t4MSuAcRlrVMrG+OPh0QdCE0uFNiaDcmD6m0XiKL17m6Mk
F9xoYe5e+QMQdq/IcRLVfnlOWMn9qkqixbe4s6YfwttPV9Zx9fDRNz7qf9JiOdbT
sDbnbCDUVyHaRwQ5KMiJOsv0+vVKmDLqlHuFp+21k8/CSAOHzqD+4x9+JMNG5tja
g7Oh2n62UAsCHAr1BPiiWdRpBpIpEbF2/aKjdnlTKaR+niIg4EllkL4XYiFfz3+j
E+IT439U4eqj6AZyblrNgjL2BKUOvR2sQ/PvKA/JHuHCO8C7md0ID1BGlusuN8qX
AZh73AXe5vrrK16k/BX6Pbq0XOAPv8IKa115ZTmfKNH1Iy/LKiwRZT7/QYvYF+Dx
4RZJkRZgR5gQ4iDytyKUOeMLZyhEQCmHYL4jGvFVa95eNHM87PqI7Eh97tGyO9V6
FchBk5MTWXnqyXbaC+NEhFduNOh7lNDGNkjjv9PnYdOAgyFY0x4dkKK7bA0Bnzvj
cSiQyCsnF2epK1t5vmbu74vOIfJrXsvp/JwilqEaIiYLywOuVstKFmDyBWnqblnS
XgEhibKGUk2lqS9CmIAzcTsK0GSRkQaI88NljE2zQfORQcEKQ8HziKFf4NrDRYf+
heln/SYu+bas1gZQBtQRippUbje9xe8uCUez9tgTwbpxYywcq90LvAUZ9F8lVQM=
=cFEl
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-02-17T22:21:58Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdAo/PITsPBAKUdwzsLGOegBkKgjkMyuBM9ghjsu+rSl3Yw
AmuZrtFRAB1ue+eAkEHRUbw4VzxlTVib717P9JEnKED+MXhoQaJiHT9q6qH1SFMk
0l4B8FmPdQMGgXuLVGmJuGqcSLiLlFnBR+GXSbMT5mv3JxfTJhdslAss3eaWIeg+
3hfMVA27mVcxxmenCpi0tSFMXQqh3mSGtb/p93fFz2bi5uFga+CfmyuJTPClJIyb
=tRXn
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-02-17T22:21:58Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ/8D7Ili77aorhPn6Eg3+9wpxkhd1KU0a0fZh5O8aV0qQk/
oAvq3+NZYULpMzPb2utLvFKFmKS2d4odbdTV8BhE6rWukRR7Kv5YZYksVjOobCTj
+uhpSA3BSccC5PNNYODRgUF+2sQkzis8raF/El7f+/Ec/owB5qnrWd7Tja4uW5Qt
5r5q4nH9tb1HtIalrpI8tRcpZ+0JOzdHm2w65eCEirF+12gTSX1QP71KtjkjlKGy
+20ofHdjXpkUT4E9SsVVHpRK70IrPCqi7iv6dwKzUGhfckHDfGCoPEwk6/0WZsjX
r8EU50QxJIJxXkSBIcNVjvw3NviliJiwtPHR35noyYkXJXWlS/FVauxF44sSVvO4
T2uTCdMhmKp1on518/bUcYWtINAy5w74hOZ+qojo2g5bAAu4mQ7bFwCK8bs08bL8
beASn5XYkTr/a/oE5kdj1+EB2/VdZZED7w57NiiOEYXoHXNuHAd1DTCeoPz4VvqM
TrY+Cjal7YBg9GAGm4L8ZtqpfqmU5NQnmEYHhzXZhOjhrMtu8QyvlM2KichKnSfW
/AcADQSYwR6O+pLui9tXwUPNGEYQGHx8Wlmjvq6hvfcD+IlyzK5iM9Jg03nerQCf
1IlEmyNLVt5kQqdtNh8V7kskgPrDsKuQ1kQta5Vq5btbCbIOlIEuzuv9RWXgNerS
XgGH29dML0Fta1z0/LKkWSA/U4V+jUviQDNpbQ2t/WaGQAAK2Mhj34WT55BFcVCe
CvqsHQ28CjAKKaLZ77Wyy03zFHEZ5HwdmJhpXAJFzUdM8jNBQDqc99iNlerFHxA=
=BLfs
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-02-17T22:21:58Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoAQ/9GiQ8HBWqxVKFiWt1Rpltpjqp2wJG+TSP/6RZNcJxn/Z0
n6+SYdeeIIBr/cavORPlaY19bMD3NQMgqhNFiLo2q/ZXTm9QF1YJPRFpzEVovia8
bF6K022kdEQYFirKNXPtyYsqbZ0hHiJG5cTlacfd2k2Nbx6QTWq0f3Ksm49zzdJh
or1hCoPHTqnuRwiBQtkwx+4jo0SAAe0xO2Cs5jCcNt8j7KYwmRKmH1Qgtclsb3cq
vqhh2WQLXD3HoVJxnjcyIElkCPCDpWtLYT+ZEqiWbiSkLwzsBHjtavgSAs3b8ZV1
v7zq76ofB0YKN2LRbcpdygvFseqNBpU6uukcScpwhIsfj0DrHZQ9sufl/JIFF97S
27pf/9hyJLmjTclaUfTREtPb8icyhwOE+d/Atw0sZxOKY4+hV4WF9pbDGiUOgZqi
a7E3qY+Iywk7jDgmU1eQGkY+G3PPXHbdhYr8v+Ig2lbp4uU1H+ab+d6r4C83pJzD
PrDXcletKkA4APwq/duyzox6CoxCpoBcFUtz7rHcYi78EfdFi4oMWVYimAlQCdng
JqeDXAArdoz1rj/yDwlFYybnHtXb65T01wF53brPtOkAVq6tE11hxe9dCiD6klk4
SI5j9VE8wUEV0lf73AFW+gectZzkr5+7/QKe0IG2G5DkftK/J1nHA4ERFw7w0R7S
XgHrnYShza9Jovn/qGjZrvZFf6Pcs/KK92CpSBi1oMl7Lhll4R0tH+uG4b8pWuXF
uLSpKPsnhnxkfVczNRIFeDZ51ZuyjmYSrpt+YZnDGf7H853ROAC83gej00E4Mcg=
=SVTV
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-02-17T22:21:58Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqAQ//czgS1KbONIAv+/0g6iwcMPmBld0BDwJw3G0jlJCuSW6g
nSa1bq87WQzXUL/iM5XzURGzuMY5picYy/QTu/fi/XNG04lZpN7ZzATEkSwwyNzC
JsAei0QKAWPRRFTKSnsoL8QEhKD7asJmgfBDFhj0iYxClBQIXOSjQlAAfeK9o+Xw
oM7EfRSY9zUtJAziZs9LpkQKu7eJlq+n6IGGH9Jy1h0hKcxRuSujgz7MepNvLFc9
wJO9LGieAgynZgOsvVLHN8N0v/PKew5LXnbDo6I35z4ASG76n+zlFDwYp3RDkU4q
Is9LqLJUAxPtIa2NLGRuFOO7fOg9IhhdRHdhylah1boM7+ElACDDbbt+v9d5qu/L
/GBZIn1pgSe0hlxfa2eAKZCS1cYlpBIKen768hJncKuTzV5LGDguJcQMKaBmbFOH
tCfvNFzWmWZBc/h8xkBpm0Hp9c2XFwcvzTL9BmaOgGzjUbZM8DSwFE+vlg/O7Ggv
lyoi78OEWktVLYUXxSBq3XhVxncOgNifL9w9bIb4lTJLjMVYmughFntHwSZH/8eq
nLw6sPQrINcjIMJEw/LUCnO4kmzrvCgqY5GtDvyV62c8k5nWXhpkl938EX7DZOCe
q5ZKMUfu0cUvyIQWIZly8ZsPDkPz6XQJGu3pifXs3vIiARUJY4qv0iAKRD2u85rS
XgFf4gDAoga+9rJD9Gj4Vhyjps7YmU94588/CeHesl1/Zy9+neRTrHMoo+KqUpC+
O+CTgW85eVnRT9mgDlLDsFqZElZZWkdn1yJfD9NlhMvswsn/NkbB2yT06HbeKAI=
=Uh/J
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-02-17T22:21:58Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdAYl5yJyayyLJfKcs7YoVj5SorGPw8k+39iR3k3bCbSwww
PKSvjI7m1dLxzGqsYIfavX4sYqP1az/ljDxKKgMI5fX2FUGcWT6/MXF0HTLxDPLR
0l4BbD2ZIYnL39K7vGc0OY4qi/BkPh1xKY5XMBe1tBsTqTHNboIpW5vKYO/lS7bu
PXyFZTolOiZfefybYoD1DEoPgNUCCnnqq+TM6g1eOtTQ4IsoUH3IjZS/QjPy/jsE
=uSMN
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
unencrypted_suffix: _unencrypted
version: 3.8.1

7
config/hosts/git/sops.nix
View file

@ -1,7 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

2
config/hosts/matrix/default.nix
View file

@ -3,11 +3,9 @@
{ {
imports = [ imports = [
./configuration.nix ./configuration.nix
./mas.nix
./networking.nix ./networking.nix
./postgresql.nix ./postgresql.nix
./matrix-synapse.nix ./matrix-synapse.nix
./nginx.nix ./nginx.nix
./sops.nix
]; ];
} }

124
config/hosts/matrix/mas.nix
View file

@ -1,124 +0,0 @@
{ pkgs, ... }:
let
masSettings = {
http = {
listeners = [
{
name = "web";
resources = [
{ name = "discovery"; }
{ name = "human"; }
{ name = "oauth"; }
{ name = "compat"; }
{ name = "graphql"; }
{
name = "assets";
path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/";
}
];
binds = [{
host = "localhost";
port = 8080;
}];
proxy_protocol = false;
}
{
name = "internal";
resources = [{
name = "health";
}];
binds = [{
host = "localhost";
port = 8081;
}];
proxy_protocol = false;
}
{
name = "admin";
resources = [{
name = "adminapi";
}];
binds = [{
host = "localhost";
port = 8082;
}];
proxy_protocol = false;
}
];
trusted_proxies = [
"127.0.0.1/8"
"::1/128"
];
public_base = "https://mas.hamburg.ccc.de";
};
database = {
uri = "postgresql://mas_user:mas@localhost/mas";
max_connections = 10;
min_connections = 0;
connect_timeout = 30;
idle_timeout = 600;
max_lifetime = 1800;
};
email = {
from = "\"Authentication Service\" <root@localhost>";
reply_to = "\"Authentication Service\" <root@localhost>";
# Don't send any emails.
transport = "blackhole";
};
passwords = {
enabled = true;
schemes = [
{
version = 1;
algorithm = "bcrypt";
unicode_normalization = true;
}
{
version = 2;
algorithm = "argon2id";
}
];
minimum_complexity = 8;
};
};
# matrix and secrets sections in secret
masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings);
in
{
environment.systemPackages = with pkgs; [
matrix-authentication-service
];
systemd.services.matrix-authentication-service = {
description = "Matrix Authentication Service";
after = [ "network-online.target" "postgresql.service" ];
requires = [ "postgresql.service" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/run/secrets/mas_secrets_config --config=/run/secrets/mas_matrix_config";
WorkingDirectory = "${pkgs.matrix-authentication-service}";
User = "matrix-synapse";
Group = "matrix-synapse";
};
wantedBy = [
"multi-user.target"
];
};
sops.secrets."mas_secrets_config" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-authentication-service.service" ];
};
sops.secrets."mas_matrix_config" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-authentication-service.service" ];
};
}

26
config/hosts/matrix/matrix-synapse.nix
View file

@ -41,29 +41,23 @@
max_upload_size = "500M"; max_upload_size = "500M";
admin_contact = "mailto:yuri+ccchh@nekover.se"; admin_contact = "mailto:yuri+ccchh@nekover.se";
default_room_version = "12";
}; };
extraConfigFiles = [ extraConfigFiles = [
"/run/secrets/matrix_registration_shared_secret" "/secrets/matrix-registration-shared-secret.secret"
"/run/secrets/matrix_mas_config"
]; ];
}; };
systemd.services.matrix-synapse.serviceConfig.ReadWritePaths = [ config.services.matrix-synapse.settings.media_store_path ]; systemd.services.matrix-synapse.serviceConfig.ReadWritePaths = [ config.services.matrix-synapse.settings.media_store_path ];
sops.secrets."matrix_registration_shared_secret" = { deployment.keys = {
mode = "0440"; "matrix-registration-shared-secret.secret" = {
owner = "matrix-synapse"; keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/matrix/registration-shared-secret" ];
group = "matrix-synapse"; destDir = "/secrets";
restartUnits = [ "matrix-synapse.service" ]; user = "matrix-synapse";
}; group = "matrix-synapse";
permissions = "0640";
sops.secrets."matrix_mas_config" = { uploadAt = "pre-activation";
mode = "0440"; };
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-synapse.service" ];
}; };
} }

22
config/hosts/matrix/networking.nix
View file

@ -1,19 +1,17 @@
{ ... }: { ... }:
{ {
networking = { networking.interfaces.net0 = {
interfaces.net0 = { ipv4.addresses = [
ipv4.addresses = [ {
{ address = "172.31.17.150";
address = "172.31.17.150"; prefixLength = 25;
prefixLength = 25; }
} ];
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
}; };
networking.defaultGateway = "172.31.17.129";
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = { systemd.network.links."10-net0" = {
matchConfig.MACAddress = "2A:A5:80:C3:8E:32"; matchConfig.MACAddress = "2A:A5:80:C3:8E:32";

77
config/hosts/matrix/nginx.nix
View file

@ -17,18 +17,6 @@
]; ];
}; };
virtualHosts."acme-mas.hamburg.ccc.de" = {
enableACME = true;
serverName = "mas.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
virtualHosts."matrix.hamburg.ccc.de" = { virtualHosts."matrix.hamburg.ccc.de" = {
default = true; default = true;
forceSSL = true; forceSSL = true;
@ -49,11 +37,6 @@
} }
]; ];
locations."~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
proxyPass = "http://localhost:8080";
priority = 999;
};
locations."~ ^(/_matrix|/_synapse/client)" = { locations."~ ^(/_matrix|/_synapse/client)" = {
# Only proxy to the local host on IPv4, because localhost doesn't seem to work # Only proxy to the local host on IPv4, because localhost doesn't seem to work
# even if matrix-synapse is listening on ::1 as well. # even if matrix-synapse is listening on ::1 as well.
@ -65,66 +48,6 @@
''; '';
}; };
locations."~ ^/_synapse/admin" = {
# Only proxy to the local host on IPv4, because localhost doesn't seem to work
# even if matrix-synapse is listening on ::1 as well.
proxyPass = "http://127.0.0.1:8008";
extraConfig = ''
# Restrict access to admin API.
allow 185.161.129.132/32; # z9
allow 2a07:c480:0:100::/56; # z9
allow 2a07:c481:1::/48; # z9 new ipv6
allow 213.240.180.39/32; # stbe home
allow 2a01:170:118b::1/64; # stbe home
deny all;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
virtualHosts."mas.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "mas.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://localhost:8080";
};
locations."~ ^/api/admin" = {
proxyPass = "http://localhost:8082";
extraConfig = ''
# Restrict access to admin API.
allow 185.161.129.132/32; # z9
allow 2a07:c480:0:100::/56; # z9
allow 2a07:c481:1::/48; # z9 new ipv6
allow 213.240.180.39/32; # stbe home
allow 2a01:170:118b::1/64; # stbe home
deny all;
'';
};
extraConfig = '' extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy

5
config/hosts/matrix/postgresql.nix
View file

@ -11,11 +11,6 @@
TEMPLATE template0 TEMPLATE template0
LC_COLLATE = "C" LC_COLLATE = "C"
LC_CTYPE = "C"; LC_CTYPE = "C";
CREATE ROLE "mas_user" WITH LOGIN PASSWORD 'mas';
CREATE DATABASE "mas" WITH OWNER "mas_user"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
''; '';
dataDir = "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}"; dataDir = "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";

151
config/hosts/matrix/secrets.yaml
View file

@ -1,151 +0,0 @@
matrix_registration_shared_secret: ENC[AES256_GCM,data:5fKfTqwoUreSIPbua5t1lYZFRnQQjNzFvrIBVIBfKWu20kH4BhlDboL/zYnhWLELq/KykX/EUvijoZxxTnUiN7T8H3L6fKOCQKacZkIwKfg/JjqLVnXIaY0JOwg=,iv:Cazhdo7YR0zSgiyQoHLsk2e4dWGSoSfEtOuMA1LEJcg=,tag:KsbnGvEyRbzbIXuAayQk5A==,type:str]
matrix_mas_config: ENC[AES256_GCM,data:FxZHMYlqAlr/0rtjO3R58h2Au7hXY6zYv56bQD+LufA9Jrzi2vIDQe2RPQmJdkQ48sDgFiSGtJ1kqZVCDc21FPtjbYcJuCYKZK/opJag9MnXae/ZKBlsWk2QWtxGtWM48mwIw+8aBrSctOHA9Ibq76yQb8l2ubyjtHn3wYM=,iv:0YRfVkim4NNAUmV9MzErQoXZhdVKwa102D+hBT1is/w=,tag:l+9NkxOjXoxD1WalDgQlJA==,type:str]
mas_secrets_config: ENC[AES256_GCM,data:lgfGW/zkJ3sdmXehzEMGiBUjIvcjnSma+BjBshxAKTPKTxQtllk4GN8VI7AII91u9mG0231bcTb+sq7wm+nuVLxOY9wCuCGA4/Tsa0QZmphXqWzRXx0yuHawW6WCC3U3EmyPiG9m0/a+Xt7by7+ep1p4n4QrDKZBCFkdANCera2MA1VuzVUr0o7xCul26khpdN0dZ539wrUGdocKNw831s+KUdqadB6I9iQ7f+/l0EFi7HlWQ+vvF7/KAYuoUh2jS0MGhBTRgSDqr17QZ9TB7PEQRpztQygqgoqYIl+IVYi/AfmiyY10Zf7GFE9yHn3cd7N1gRRGj7jpKlW38QP/GOF/6w4pOJxovdsNzJRT9lAuFSyQqudgXgM3/uJQwQbguBf/aSGS5pWDp1LxQffLiKzQnfC5RJnYJ87f9n2908eZ53jlhSRYDtAqfbbwQNUsVvATOigcUFKmaDMwGyKKdyiDE3+mXH9Twal5K48pl3LgjOtajR9E23fR/3lJ5HfFCqCdL7rn8AYxFzS0B5G9r59ik7yhHSWiB1jPVhIQTBtbPzdeuIQUkWmRjpxi/I1eMgPGMoHlPNRJowg7Rsa0hvfYrV8caO/TVILd927MmtmqQ8BRDeCxHNNRC3fZVkqcVcMe5vFzafH3NlY+spsNPUJiA3yQX3ahKpByJP/NM5zlSR+y2ZgyM+eXVFW9ORJT6gvZnAtq6rWTEyMXk3iIQUgbw9ume1VN7H/TQur2Vwdaz646TqzYSn2KSXCOwoY/mNNlSbufXvK/76XrW9Ckhhl+tdvHGlzbVTzZJJM8j5/PI9XukCEgPbbrvL/DzXv5KlSme1B6JmGJZlqsaJTBrYBItWzAxiGKQg0e/f72Ay9mjoYqVCPVYG0ms8WECfw4S+45Q9gNoPvG1XLrOzlRNDT0UKnuE0am5H1x6vlmketzgnPMKSZVkWqNcgPA/6BlUkxF7Ne/+Q+506d6w7AyXgXfhFwg+cEyAqXjBtB3paFSLkm0U1OHfSBWsgbgMK0Xn8GyA/KLBV8bLINwR+qTp5Gdz+WgBQTfTb1m4OWhyolx1SkxjnUFveLdZRon3CXH/K34S7X4S8B4y/6z3UHGmQcK5g6HOYNQtuCGKlLAbZHBhQgmNJpdGFuwcdC2bdgHfcNl6eEazB9k90COjJTU030N5fzYq5hOGVL3xBUmvj1LaYEsnJldsfXjfas3JA6iAB9lcOfK2su6F1M1v+qr1SJbbGjeUmFt6q7B7LjrPnZ34Q/CO3PDR+UiuQD5dMpHGc+L6yB5VbMYs6hirlWVQlySvFYnOhaHiUbospLMzxwSi8nWKiMRiFGYojg/2YrpFlVv3T684vBGGGdL/MG7docgEdBANsOrf52nsvvT1921A09z/mL1PxHHJN0XkaSV5cUd1vLv2Ba3dHMs046ls/TrCKcMXQbl3FibSBP+yEg75xzk9aWzjSPUfnQcaslOo1T3UIrYLaPGjmzoMtLBhtNB1hOQh4tQpybHL3sMr52zxzj0vwA3dCZTy8+5SS7tD5hmy1qlnk19+aXaAFPgUZXETBk3r8c208Qi2lbjCHI/zgeQD/1J1ihtSu0EeJR5Kz9a99ztUD5AnyrZXpawsPYDcxjhAVFDmqMClV2pjO/Bt+QcFVMt46XKFftzGk0nXhN/9ziVwTpFYxegq7hJoebU0qG37tTHol8KiaZ6RtsVNwDAuFY4lGgDbnS4oLDxzVDoqY2vsk6WldowAtk8Gl4sicsXmC0WtyVF3KYn3h//nUty+KgxwxF30PMzrxaiK2BmJRSmUQecaYfv4xtcq4DcXkreG4HsnsEsExcMMW1xURfAVG5OC75RWW6yKy0mSVkUGUox2TSEvvJWuvX0yyYXaU0VfXqUTfw9ZFQEHKC0IvP/MtLxyCh5fWGuTGoDyin99b9v+Rf12LwZtkaLxqdzGz8ZuR+JVIhfE0cy/1/M0JEw3NexIPUf9b9svppQA/VGzRAQcwCfeZ4/S4LDC1xWPZCZi3+B4nrCYV1L6eZJIKhGQQzrF33abQ4KPmY3+NyGgA65308G3PhIerJzpvpq+SwRBtrLjXIM5wH2t6Azk8AEVYruZ+2SqLAyFXmt+Zn1uuMK+Zfscj+ji7rZ/Qyfr/r0m2Vc5XVZth0FCQHdL1Mal8bIW31q6tF4LVtMmK/7KrjypjRqCH7D1kUiaafQ74O60YYoS+sPF7emz7xTZ4PNdY5w50qBWcdm3WUW/ObBFR1YZyGd/OEEQXqcUzsSYJ5aMS1ohyIDMkWeUUAvu2digiQgHzyY1XrvjWzHGL56nsWe+x2VTS600d6aY9FYZ5/yY+h3B96hcs258vn9xTTJsMZHIV8V8ZoC1f6Gb4zHpulYNiAA9PjXHHORU3N4DXNjI4jpFmIgQvF7ZQAd7CzUHXXbdwHVD9IQeKrDTrcvl3ErmQumuM/fVD77OtegrBKDYQ/VVS1bPQfX7rnaQQ2hD2LEchJAPXTfI5eiEuH4nJ2TK0uSWHG4Yxau72gx8ASPeNsX5sHf8yIDlx9wlNSRnO6A1rs65uYfSSwTtOX9irkWvDvBUQvYJGtenk2mABAJf9+qoupuF2WfpOCYc1dWka9+vWxj3g+sxIN2KV4HUoAk5fkWOffsdiNVKyxKprrKHZX+X7e3+6azxVbEqQoEQo4yqE31dOPfZBjPntRwt1dVmpKGAQClrVcBfCD7J0+8J8R4r45a4Svwe7zAmef5Icvk3RHCUHKm0ZD+yIaDzoABDLXX+68vwrM2AgNNw2J3QcoKakpyyGtCC+oRlutqn8wAodC3NvnNmeBMuCJaZaTvypDoTnOyvNTmgK6rJZPt3RWACpZvq81tBrEgTjdWFLqPwlFzNhXGvKxIf9Md/ivau6pREa7vBxT1fBqV7ZjGOD1nWsXuq2FM0tKJXNL6cU3DzxVzK3Vll60qFa0s/MZjKL+1lKJaDTtQA156en2mQJo23fQ5uJxZt6mDOY6Qrty5/L5BkiY/vRDp/78orTh7UyW0zLK4Bgjk8/lfiUodliFjTgDnV619XyUK7J2PLzg9HAlbOTFczZS2JImEQKzLGSe3Byy7U/I45bD6TUFlzCBmDqmeIAmIbiu5IVGedqdbuLSJHp3JweR0/Hjho4SzQ3evgMMPG4B5wtYzKhASBcqLhny7Vrn4LmXGlIgRYSp5SxbgsufkORfa1IRviUFoePRVQahCTU+O6DyrwqFWIrAIk2W+O7rYuw83OjGDdFJtU8KDh0AQ6SAry1XLFervHwEtj125Tav9+fg622VnClFpkJV+7QxbtejulREc3BjmTqsPuW99D8lbQrne+BkAFSvNdy/DnHMvPNRYGoU9y39qvGWawfiE9bi39UNDDr+7oPJpnQX4AvrDlF9VNHFB9W3O5772Nh6cd3R39Jzb6jnNg3wC/WRgchKs5kS4WR0T/xhNFDMoAk1Hx59MdhsR/BKQKCUHZGW2tuUBH3Mls90xx4cmZwPQrvaR4NbanTc6MhMkXBDD9828lMC2UK3yv+VL66g2Q2uVTLjAlQaXDVIlSzzpgHJyi35o3CupTDOhUhS80sYA68dcNEcvqHpwoZ1apL98kc8XPQvf7I/885NNLhl3K3MHLiasFoLsFlp7xwXUFSuFz0sI7l/xGkotazDvWdhCS7uZJY+zVxV6Yzus2+ql4fh23kFVVNni9OVGcrDbv0zIWUH956KI0u4r0n3+QinCcUinTTFbrlDL+/WX3c7VlzRUcQ==,iv:DdcflAdm5G82WzP9hDBK+Cy2X6ncETdYdxYJmd8LG1U=,tag:3lp3SO4WI8/gRp0OJLYK2g==,type:str]
mas_matrix_config: ENC[AES256_GCM,data:W7tyChbHM+LWYJYuuWSXL1wg8hKFA6UWHjVFOBQMSnFgguwcE7cg5LSnt1Sr/6TaPQP7+2y0sma0fyKlJ+zcUc1k2OPbJLjsrdjNjz7eMSlzmDESRLo3TBSyNjAKjlgWkEftMZRrrwFmA/cR0PdPchTLfBJnvP2vcLpDPEdoitrQFKk=,iv:FvkXV9emW7l1q1KRk2CP2Ec2pIZfBJ6JlpcIx37mVcg=,tag:p/NaElAD08dSPAWOA/Htvg==,type:str]
sops:
age:
- recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTHIvZ0ZPRTdrc2VmY3F4
T1NqMWU3NzdKSEdqQy9OOWwyaUErWG56MEdJCmpFUmphd2lhUEluT2NrSjE3YWJO
OVRHVk1YTWQzdmgyM3dmMWtCeUgrT0kKLS0tIEZSWlZGVWpUWHQ0aUY2VkdWb005
Um1hd2FCUzliUjlvY3JGVTJtV2NxWkUKYShPlhmFB3f/8fSdJKue61LR7NqSW3bq
JsmPKkofk3bzMbkUGm9fWey273nOLG3SNcx+ANDCxJUhOQ8KutaOVA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcFdrdlhNYlVmYmhoMU9Y
aWZxVVVmOTRHNkJWSVpGSytQOGNSOWZ2NmwwCkdENlRPdnk3WDFRMFM5Z0xEMFVT
NVBJWXo3L1lRNTc5eko5dHdyMjEwajAKLS0tIHQvZkticURkNFp3MlkvazlzN1N1
R282OFVBVXZPcGNWQllXRS9HTXhobUkKpyfxx4gEcWFX//ntF/pWc7HNmeRIlF4K
DxjEnRn+PJol8kpBqttXPSYr5EydboA2O2Fv4EmQc7l3VQKdncrlOQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-10-12T02:48:54Z"
mac: ENC[AES256_GCM,data:xmxSQJ75JwsMPzPIGUgmtijRre7HnU3wpCvaPJo+XVXsC3wRnSwhRGc38DWxKIljx9HAKGMXV+n0iT3+bnTkeUNYGaUMROs82cyfqxfCd9pn6Qi9ytUb/Oec+oignDlojg8sMKZJGyUguN9sdSRootgSe3/Z4Di/IxhXhW3cDZ4=,iv:cLtqVhLcFxrlzFim+jgVpFlmJaRzmm4zdPkRCKOd6CE=,tag:MnZrm5lwYH/7YEjG+vCIKA==,type:str]
pgp:
- created_at: "2026-02-17T22:22:00Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJARAAsLBqwVkmgFjAHkgg1Js4o1G0wxf4wSmWfBqGGlQYzuZo
Wn/RojGmly81Vx3GYc9qC9+H+1UKdOGOHeAeBftaverwJdpAay/DdAKaZ5FJxI0b
OgiACiQxaaSTVLAPIZYw8xCKkVItoR6i1M4d0GGwr26hFNUgj4fSdVR2348KFNmZ
tKZIDipjS7WMbAW1etMdY0oPRAxQfhxRVp7lW/Z2bJYbmnug8FGaj5EwzRrSqGrI
li907EswOElX7YijnjrJ2I2B3Et3sHkwxq9jSEZX89EBHJbwy+fFWD81oKugDkwv
HP6a6qMhYBmp9D+hGcHAyyHYXmdQa6HXSv7PJvicHTAQ0iLodPEFz+Z9gblHV1Y9
xq0ciM0N8NbTmGl6JOfeg4dB1CzH9N9TH6q/+Yp+ZZnMJfzjx+dV89VCPvt8KAH2
+fj5Ru3gwGD6NpvNP0aDIAIygzlJE0Q1b8AtMXzHNKfA8jlGqGalkNM5/Q0+rJAA
IleUVMXJz07o8QvrDZKTq+FYq6qbcPFGjvV7c9mBcW6/I6rT59OLiX/eJHbfvUAE
SrLpGDi7kOOiWlFmALLG7+pj7XNxxNlmeG+UBWa0ZEMW6onc5HufjpS6FkPeSfAQ
dXSHq2wamtt1o6B3TsBmZAliZ7b/DbFKTl8ErE/XnWGLNAMqJD6pCDtJSwvDpC7S
XgE11hisql+hIYGrjXrHe9DeNtgZlKd6sYQKGhaMtA/GeH933XVXjA3NsN3GyXDG
MzJjKPkRAGCfRu2VfLv6hnqjzREgsiBpS+XLitZezW2/MtkEVvYN9BwWbe+MUsA=
=v4J/
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-02-17T22:22:00Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1ARAAuY3IZqvQw2evpOBN/A+15eqpxK7uS8YCzxxQC9Bjn4LB
kwO1b7eh/Q3mTYAG4Xl5tix0Q9uOFM5epftk165xCUu9p388V4Hgx/pGvn4ODhwH
AqIRdXiv4rOp3uN22ZLQPQE9hdLIg8AUK2s87R/vUaB79vZttY76N5ucBDRB5KGC
tPQvggsMi6vCXs59o75nlUbMtVTRZMvERwf+0bv809vGLX81QaZUItcGZyOvpM2t
qhRjYZCI4g7ZDLact0nJA79msJqrjSBsMifmvcfUFoaWps7P1S3DuvBzd6tt2dzU
LKwS/e0BLluawwla9FdoPXy8Dd57zPFVnO0FmsDYtC8qZGQl4BiUtQqvmDxrVmV8
VvcBMdyyLWyYbCvWLqpxpAN40whis2zGkfN3llK5G6SAhIqhX/KnlOLmIj3HN0pm
HuAls9/y5pebxgBFrPdhYRvsxehQRGmffjr3WW2Co5o6y7Mazss4KLO8FiRvfbRa
OIBEkx+V2CokjRnNnCaOFgBbpzinabfW64eP/6F4pTcYerRVp/EEgioa6iYA5kJE
vPjc6QRh15hdjLKpdGXOFS8JLMlk9mrTECmuQZNb0Uo2BJtbxbOqCMSdX0woF6/M
zRNZJfTvRtaiUFCCXOyU3RhMtqMK+Qwbw57DMDklh2qHsAR1UpS6k9RtYN3j3PDS
XgEgaPSPrGE0E68ydgguomvtl/kVS/P5GGSo9DQ0YhXMPyBV/MIkMD3mIpNmbEbn
nDNtvDvOjCdmfEotALsWs5VeRTqO9J/GcpPxC/+b0gTIvAjnWj3ptTsz11Jnf1E=
=Wkdq
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-02-17T22:22:00Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdAWCQaHsUsVRZ81mhzxREzdj0xMReLH38JmXu515OSFSUw
76iHcTSqMeclrg1Uio4xhGTctSMhAv2t4yic/ocP6EYNsM4yQUsBLtM+xm7Bu2Qu
0l4BXcl9T+kQ+xICQySM1g6g+sHxrKCgtzNB22vG/jqeQatdh19OOWlibCXhicTl
Bv4qKPSBGBdk9KYwAN9fstUfmbGX21E5DXJlFGhfdnvWIh8biw/0aJ4floOk1st+
=dh/i
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-02-17T22:22:00Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ//VnKyJB+ogP2eCVpjvzkXs8ip5xe1aYj06M/cIw8I8Awf
aVVBo3DTYGrX1ke+E0WbTvwbd37T/M2RyYHlFQclIfnZCfa12gSrg+5ggInZGRl2
D/d3Zxdz8HjML5DpXGQ3dLGi1SbWn048gmdx2V34JLWvxu5XpOMv1RBBLcDIoqVS
HWGa+/tXAbyT9xwZJAOEVErlrTWXKyCYPLsTL89x8E5jqPijJoDTFle2G8+uv70J
/Gn2Cs957jFocPrZEqIDVwkf0jgQllkTELTNq08dm4wqCHbScxLgUxUyCSobeCk8
yedGAJ6tFrXywUb3fEoKcnGF/5TG+3XatJC1aefsnsBxAkDT8PX0nTlBxhHwu3RO
IEBtlU5icVKenRPM3mFEkmEIR3B3+zONLGJ+8PqbZ6OCZuImxHgVat8FI+vXE509
1Dd/l54an5jskXpqreDJEDfeZpeUYkMMxjHdg8x+ilZlxMHoi+NeF9ocEfTrLA2y
U0bUguEmqW7thA+J6bcoJNHlXsd077+97mN1l8paBctsllVwzZYoQp64ICAx7PPY
N9GvWBuupnbrWxMS0nnMpF0oPKnN4tknflrC3ZacPtscRo7BISy0RHhvJG3SZ212
eRCM/maYnV8omAaIMuFfbuv45yPKkLq1MPE9NID3wGHkJqmIpm2ggwA0A6g/h+fS
XgHmJuXEV6v9lxtaRD4iFsbLL3+hqfVfQ9W2IPbARNbOKIYplgJu0tWw96y6fnIf
R1h+z00a84R27N3NmuV96Vyg4TvWKTAmWZzmZYIM/QfzQtMszwQ9PWOUZeHGVXs=
=TcqO
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-02-17T22:22:00Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoARAAmnSREMlYFwDLJ/9LoUAO2NqrylMZhIPvwU7HQleKe7u2
cdhGZKXbPCMLlWgCM6Z7wpVFeUT2OPI0vkDIL6NNlJ/l09j6CunNfWY/4qKc9YzS
J4I0tfY/cvnDRQrpPcg7rIgM+ukxpOcxmfc02NGqK8EMyZurFNmrmJLdob8nsoIl
ZlyPHMEw2KuSzDsX688OzO9HozcHAJVlG5Aw1lD4TCq4Fq9HTPRnmq+oem0gteDT
VZ2Np+Q5zc1NYXU36lmkBSHPAc7KDIplkc7eC1g8w56xk8mMrrEwz/qUhgIYNQ1L
wicf9nVHxaIiPdUpjznL0yGJS2BEbFfQPV9p1dkKX+X+3rBJiVXvGWzlIT1v5AhA
ixXNMYjwpQ6hgytw372q2FltXAcwSggBcmIIgq9DNHP9YtCmI0v3jfu2ZY7HVJNJ
MIJlozlrUrzKjmjhNUXjAjct/N8rKkBtjwruKWWaPERFs0OT7oHPjVphTHo1UDd3
OhYBZ72cjYCDZyNYk1z79OiGey83o9JAFZv3yWx+LDVJ9l94dGkO43ONXOE50aSE
VSvZlDL12IRg47b6gm+a3DtP7+8mFMaHhvCxNiOpkoFZJQVtZdoFXtwdf1ZAOUXa
sx9tdnWLLGEAR6d9MFXEYyJx4ykfp+Ew8+/eo213ZL4ns3ASGw0wGw78SQebUn/S
XgHeLtKQqx5qhIRcFz78GMZZUkMyljFVddUz3rMy4npPRQoGkyJYiY/pQI55rcHV
8ShFKDpZurafdf1kEk045SqFzwWvubet+k3VpkxPAlFBlLwstpvz1CQpRqhwZCk=
=HQM8
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-02-17T22:22:00Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqARAAq1tt3Yc0tQ3alerxjWUNSBzpa3Nq5W1bhZ8d+qMDWm8f
SsIBYUMNbPHvWOA6tLIzeMBIoBFneQwWW7fw5vpGzaATURTaMiu+Ws8Q2h7JhYaH
cTO/0QLTNtrwCMJOWkofgauf/3eQCwz+QNBByULSMESyyxYqaY/Sp5Vkfp9ddNUc
dy6YOKWGwxpUU3OrKvSeO08aIXL1dpw2bVaroOW34xf1MPBX/hEV4ix1bfkPUrDj
Oc+kXlCLrJSf5TqQhiYYOijRWCNmy31b6ww03mb5OKOHbs4zGAs6Wa1KFxy3b5C6
AV/v+JWHMOBvbU4jhhrIsPXUzp3AyZfTmFbOFn8LHQmlB4wS/poEU5qczJbzVsyU
OlZE8OVsdLDn7KvjoUDk4PClxLMk8LjQWDdoB9XxxmCV6jtou1GB8BPecoa2zknT
BSzC9JDGmoKnXk53YiPe59YNTs9Gxk9OeuCovmygaQbKXeKNe4eg+3UH6Kd6Illz
osSutJjTJC6dkq8oV/7YkMgDodNyrVE6QqrY/F/FOMfqzftMfRg5S+B3NFg8r5JA
sgxxzGYTEpWv0PlK2nuWo8M4tWoso06loMBfRR2ViNmOtCvu+TDHJLAFim+yJOk0
vzGifrUzvCRysvfXLj09gWPCoG8mNWLWD0xV/XiKLzE2cONRXMbuFeqqBdxkDZ7S
XgGdbwGy/jDBXe3422JPimFUhUKxTuFlcinjL5BhBUnaU9nKtvKj58eKoyfjPPfy
NpbR/flIJrQyoHpe+DSbkB1x88mOINYy8STh88MPAdvnEMqiYMH7RBL8hEfN/JE=
=zAn4
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-02-17T22:22:00Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdAE/M7osrxnQX/N0eV4PzXqrzXLtblLY+Gr0znYJSpPiMw
Pw6O4Nw6u8JkVgZCo7/lG+Y86bsI412vnZxiq3pERlxQVHgNea3ArfbM7y0fH/pb
0l4BQkt6yleg738hV8XY1hbJG2xruiw1p+Ts71v2qaFpSazOyz0RPrIIcWelJjkP
P5IV9g83IZMv3AWEGnUByACe8VpWJlFJ578tYtJIfnhsrDryCBubQ0gPsXGqTPPI
=mE/U
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
unencrypted_suffix: _unencrypted
version: 3.10.2

7
config/hosts/matrix/sops.nix
View file

@ -1,7 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

10
config/hosts/mqtt/configuration.nix
View file

@ -1,10 +0,0 @@
{ ... }:
{
networking = {
hostName = "mqtt";
domain = "z9.ccchh.net";
};
system.stateVersion = "23.11";
}

9
config/hosts/mqtt/default.nix
View file

@ -1,9 +0,0 @@
{ pkgs, ... }:
{
imports = [
./configuration.nix
./networking.nix
./mosquitto.nix
];
}

34
config/hosts/mqtt/mosquitto.nix
View file

@ -1,34 +0,0 @@
# Sources for this configuration:
# - https://search.nixos.org/options?sort=relevance&type=packages&query=services.mosquitto
# - https://mosquitto.org/man/mosquitto-conf-5.html
# - https://winkekatze24.de
{ ... }:
{
services.mosquitto = {
enable = true;
persistence = true;
# set config for all listeners
listeners = [{
settings.allow_anonymous = true;
omitPasswordAuth = true;
acl = [ "topic readwrite #" ];
}];
bridges.winkekatz = {
addresses = [
{ address = "mqtt.winkekatze24.de"; }
];
topics = [
"winkekatze/allcats/eye/set in 2"
"winkekatze/allcats in 2"
"+/command in 2 winkekatze/ \"\""
"+/status out 2 winkekatze/ \"\""
"+/connected out 2 winkekatze/ \"\""
];
};
};
networking.firewall.allowedTCPPorts = [ 1883 ];
}

21
config/hosts/mqtt/networking.nix
View file

@ -1,21 +0,0 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "10.31.208.14";
prefixLength = 23;
}
];
};
defaultGateway = "10.31.208.1";
nameservers = [ "10.31.210.1" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:48:85:73";
linkConfig.Name = "net0";
};
}

7
config/hosts/netbox/configuration.nix Normal file
View file

@ -0,0 +1,7 @@
{ config, pkgs, ... }:
{
networking.hostName = "netbox";
system.stateVersion = "23.05";
}

4
config/hosts/penpot/default.nix → config/hosts/netbox/default.nix
View file

@ -3,9 +3,9 @@
{ {
imports = [ imports = [
./configuration.nix ./configuration.nix
./netbox.nix
./networking.nix ./networking.nix
./nginx.nix ./nginx.nix
./penpot.nix ./postgresql.nix
./sops.nix
]; ];
} }

30
config/hosts/netbox/netbox.nix Normal file
View file

@ -0,0 +1,30 @@
# Sources for this configuration:
# - https://docs.netbox.dev/en/stable/configuration/
# - https://colmena.cli.rs/unstable/features/keys.html
# - https://colmena.cli.rs/unstable/reference/deployment.html
# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/secrets.nix
{ config, pkgs, ... }:
{
services.netbox = {
enable = true;
package = pkgs.netbox;
secretKeyFile = "/secrets/netbox-secret-key.secret";
settings = {
ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ];
SESSION_COOKIE_SECURE = true;
};
};
deployment.keys."netbox-secret-key.secret" = {
keyCommand = [ "env" "pass" "noc/vm-secrets/z9/netbox/netbox_secret_key" ];
destDir = "/secrets";
user = "netbox";
group = "netbox";
permissions = "0440";
uploadAt = "pre-activation";
};
}

12
config/hosts/penpot/networking.nix → config/hosts/netbox/networking.nix
View file

@ -1,10 +1,16 @@
{ ... }: # Networking configuration for the host.
# Sources for this configuration:
# - https://nixos.org/manual/nixos/stable/#sec-networking
# - https://nixos.wiki/wiki/Systemd-networkd
# - https://wiki.archlinux.org/title/Systemd-networkd
{ config, pkgs, ... }:
{ {
networking.interfaces.net0 = { networking.interfaces.net0 = {
ipv4.addresses = [ ipv4.addresses = [
{ {
address = "172.31.17.162"; address = "172.31.17.149";
prefixLength = 25; prefixLength = 25;
} }
]; ];
@ -14,7 +20,7 @@
networking.search = [ "hamburg.ccc.de" ]; networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = { systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:26:1C:8A"; matchConfig.MACAddress = "62:ED:44:20:7C:C1";
linkConfig.Name = "net0"; linkConfig.Name = "net0";
}; };
} }

24
config/hosts/woodpecker/woodpecker-server/nginx.nix → config/hosts/netbox/nginx.nix
View file

@ -1,17 +1,21 @@
# Sources for this configuration: # Sources for this configuration:
# - https://woodpecker-ci.org/docs/administration/deployment/nixos # - https://nixos.org/manual/nixos/stable/#module-security-acme
# - https://woodpecker-ci.org/docs/administration/proxy # - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/nginx.nix
# - https://docs.netbox.dev/en/stable/installation/5-http-server/
# - https://github.com/netbox-community/netbox/blob/v3.5.9/contrib/nginx.conf
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
services.nginx = { services.nginx = {
enable = true; enable = true;
# So nginx can access the Netbox static files.
user = "netbox";
virtualHosts."acme-woodpecker.hamburg.ccc.de" = { virtualHosts."acme-netbox.hamburg.ccc.de" = {
default = true; default = true;
enableACME = true; enableACME = true;
serverName = "woodpecker.hamburg.ccc.de"; serverName = "netbox.hamburg.ccc.de";
listen = [ listen = [
{ {
@ -21,10 +25,10 @@
]; ];
}; };
virtualHosts."woodpecker.hamburg.ccc.de" = { virtualHosts."netbox.hamburg.ccc.de" = {
default = true; default = true;
forceSSL = true; forceSSL = true;
useACMEHost = "woodpecker.hamburg.ccc.de"; useACMEHost = "netbox.hamburg.ccc.de";
listen = [ listen = [
{ {
@ -35,8 +39,12 @@
} }
]; ];
locations."/static/" = {
alias = "${config.services.netbox.dataDir}/static/";
};
locations."/" = { locations."/" = {
proxyPass = "http://localhost${config.services.woodpecker-server.environment.WOODPECKER_SERVER_ADDR}"; proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
}; };
extraConfig = '' extraConfig = ''
@ -48,6 +56,8 @@
# Then tell the realip_module to get the addreses from the proxy protocol # Then tell the realip_module to get the addreses from the proxy protocol
# header. # header.
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
client_max_body_size 25m;
''; '';
}; };
}; };

7
config/hosts/netbox/postgresql.nix Normal file
View file

@ -0,0 +1,7 @@
{ pkgs, config, ... }:
{
services.postgresql = {
package = pkgs.postgresql_15;
};
}

7
config/hosts/penpot/configuration.nix
View file

@ -1,7 +0,0 @@
{ config, pkgs, ... }:
{
networking.hostName = "penpot";
system.stateVersion = "24.05";
}

63
config/hosts/penpot/nginx.nix
View file

@ -1,63 +0,0 @@
{ config, pkgs, ... }:
let
domain = "design.hamburg.ccc.de";
in
{
services.nginx = {
enable = true;
virtualHosts = {
"acme-${domain}" = {
default = true;
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
default = true;
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://127.0.0.1:9001";
};
locations."/ws/notifications" = {
proxyPass = "http://127.0.0.1:9001";
proxyWebsockets = true;
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 8443 31820 ];
networking.firewall.allowedUDPPorts = [ 8443 ];
}

198
config/hosts/penpot/penpot.nix
View file

@ -1,198 +0,0 @@
# Sources used for this configuration:
# - https://github.com/penpot/penpot/blob/2.1.0/docker/images/docker-compose.yaml
# - https://raw.githubusercontent.com/penpot/penpot/2.1.0/docker/images/docker-compose.yaml
# - https://help.penpot.app/technical-guide/configuration/
# - https://medium.com/@social.iodols/managing-docker-containers-in-nixos-fbda0f666dd1
# - https://madison-technologies.com/take-your-nixos-container-config-and-shove-it/
{ config, pkgs, ... }:
let
# Flags for both frontend and backend.
# https://help.penpot.app/technical-guide/configuration/#common
# https://github.com/penpot/penpot/commit/ea7ad2aaa096f8d190d740f693f22f3ed1f05088
commonPenpotFlags = "disable-registration enable-oidc-registration disable-login-with-password enable-login-with-oidc";
penpotVersion = "2.1.3";
in
{
virtualisation.docker.enable = true;
virtualisation.oci-containers = {
backend = "docker";
containers = {
"penpot-frontend" = {
autoStart = true;
image = "docker.io/penpotapp/frontend:${penpotVersion}";
extraOptions = [ "--network=penpot" ];
ports = [ "9001:80" ];
volumes = [ "penpot_assets:/opt/data/assets" ];
dependsOn = [
"penpot-backend"
"penpot-exporter"
];
environment = {
# https://help.penpot.app/technical-guide/configuration/#frontend
# https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L78
PENPOT_FLAGS = "${commonPenpotFlags} disable-onboarding";
};
};
"penpot-backend" = {
autoStart = true;
image = "docker.io/penpotapp/backend:${penpotVersion}";
extraOptions = [ "--network=penpot" ];
volumes = [ "penpot_assets:/opt/data/assets" ];
dependsOn = [
"penpot-postgres"
"penpot-redis"
];
environment = {
# https://help.penpot.app/technical-guide/configuration/#backend
# https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L112
PENPOT_FLAGS = "${commonPenpotFlags} enable-smtp";
# PENPOT_SECRET_KEY st via environmentFile.
PENPOT_TELEMETRY_ENABLED = "false";
# OpenID Connect configuration.
# https://help.penpot.app/technical-guide/configuration/#openid-connect
PENPOT_OIDC_CLIENT_ID = "penpot";
PENPOT_OIDC_BASE_URI = "https://id.hamburg.ccc.de/realms/ccchh/";
# PENPOT_OIDC_CLIENT_SECRET set via environmentFile.
PENPOT_OIDC_ROLES = "user";
PENPOT_OIDC_ROLES_ATTR = "roles";
# Database configuration.
# https://help.penpot.app/technical-guide/configuration/#database
PENPOT_DATABASE_USERNAME = "penpot";
# PENPOT_DATABASE_PASSWORD set via environmentFile.
PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot";
# Email configuration.
# https://help.penpot.app/technical-guide/configuration/#email-(smtp)
PENPOT_SMTP_HOST = "cow.hamburg.ccc.de";
PENPOT_SMTP_PORT = "465";
PENPOT_SMTP_USERNAME = "no-reply@design.hamburg.ccc.de";
# PENPOT_SMTP_PASSWORD set via environmentFile.
PENPOT_SMTP_SSL = "true";
PENPOT_SMTP_DEFAULT_REPLY_TO = "Penpot <no-reply@design.hamburg.ccc.de>";
PENPOT_SMTP_DEFAULT_FROM = "Penpot <no-reply@design.hamburg.ccc.de>";
# Storage
# https://help.penpot.app/technical-guide/configuration/#storage
PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs";
PENPOT_STORAGE_ASSETS_FS_DIRECTORY = "/opt/data/assets";
# Redis
# https://help.penpot.app/technical-guide/configuration/#redis
PENPOT_REDIS_URI = "redis://penpot-redis/0";
PENPOT_PUBLIC_URI = "https://design.hamburg.ccc.de";
};
environmentFiles = [ "/run/secrets/penpot_backend_environment_file" ];
};
"penpot-exporter" = {
autoStart = true;
image = "docker.io/penpotapp/exporter:${penpotVersion}";
extraOptions = [ "--network=penpot" ];
environment = {
# https://help.penpot.app/technical-guide/configuration/#exporter
# https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L221
PENPOT_PUBLIC_URI = "http://penpot-frontend";
PENPOT_REDIS_URI = "redis://penpot-redis/0";
};
};
"penpot-postgres" = {
autoStart = true;
image = "docker.io/library/postgres:15";
extraOptions = [ "--stop-signal=SIGINT" "--network=penpot" ];
volumes = [ "penpot_postgres_v15:/var/lib/postgresql/data" ];
environment = {
# https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L240
POSTGRES_INITDB_ARGS = "--data-checksums";
POSTGRES_DB = "penpot";
POSTGRES_USER = "penpot";
# POSTGRES_PASSWORD set via environmentFile.
};
environmentFiles = [ "/run/secrets/penpot_postgres_environment_file" ];
};
"penpot-redis" = {
autoStart = true;
image = "docker.io/library/redis:7";
extraOptions = [ "--network=penpot" ];
};
};
};
# Docker networks.
systemd.services."docker-network-penpot" = {
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "${pkgs.docker}/bin/docker network rm -f penpot";
};
script = "${pkgs.docker}/bin/docker network inspect penpot || ${pkgs.docker}/bin/docker network create penpot";
requiredBy = [
"docker-penpot-frontend.service"
"docker-penpot-backend.service"
"docker-penpot-exporter.service"
"docker-penpot-postgres.service"
"docker-penpot-redis.service"
];
before = [
"docker-penpot-frontend.service"
"docker-penpot-backend.service"
"docker-penpot-exporter.service"
"docker-penpot-postgres.service"
"docker-penpot-redis.service"
];
};
# Pull docker images prior to starting container services, so that a container
# service isn't considered up, if it actually is still just pulling the
# relevant image.
systemd.services."docker-images-penpot" = {
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-frontend".image}
${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-backend".image}
${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-exporter".image}
${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-postgres".image}
${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-redis".image}
'';
requiredBy = [
"docker-penpot-frontend.service"
"docker-penpot-backend.service"
"docker-penpot-exporter.service"
"docker-penpot-postgres.service"
"docker-penpot-redis.service"
];
before = [
"docker-penpot-frontend.service"
"docker-penpot-backend.service"
"docker-penpot-exporter.service"
"docker-penpot-postgres.service"
"docker-penpot-redis.service"
];
};
sops.secrets."penpot_backend_environment_file" = {
mode = "0440";
owner = "root";
group = "root";
};
sops.secrets."penpot_postgres_environment_file" = {
mode = "0440";
owner = "root";
group = "root";
};
}

149
config/hosts/penpot/secrets.yaml
View file

@ -1,149 +0,0 @@
penpot_backend_environment_file: ENC[AES256_GCM,data:+MJbbAjzslBIYlQ9xe0VzM8ON2U5dktJGGHmoUu0HW0mvU4pRYrQXlWdW85RXAyYU9yOiL6TNAHOWUQyqOdo23whuer2jL/Qe17DEhapE4b9W9JqBX7H0VZZKHS70AgGZdWmbj/bWAROg/qGPVKjZLhgKxoVTVbvAIJEXUDAbGfvHlY3BP67yUTXvbmtd/Rdhn6i1HafY7YHFNAW8SkikglW6wR5igEZMFAefMOMgq7aYmNXOr1bImjCPEko0DvumJZM4YMjmb3Wc97wL7OMP9G/V0k9fRclhOj9+lNpeeCKL+VL3Bgo8vqgrB+WIi4a0EwerT8srx351txrU+ITxoHciRQtOpeXVHWL1snW9o7xCoOcil0NS93D9GhW+Hd75Is/xHN08UHmahF1r71nbDK4CmSiUzZzFLl1oWkSTU/31zBUnllHOt5nDMKT42xiniAJcQ==,iv:vtIlNGIh9+e9W+OebTac+UUQp9glBIolC6KQwQMzDn4=,tag:kBBTu7LVp+3xJ/MstLyomw==,type:str]
penpot_postgres_environment_file: ENC[AES256_GCM,data:VT36kHkRH8ghnU1oyPpAQZW2LR8GNmG1cQXVjU4f+rGy9hViTivd7qxzMusisy7IcWfVaQuXFvUCT+pCMD/fhSAQZOY/1Rs8LBXJtsuPButOG9Q=,iv:pUjAkvvHjsnzn0xRRmdZXatOgLm9dx8Ggt7lEfiQllQ=,tag:FZRqlcxQWu/FgnJfoukIcA==,type:str]
sops:
age:
- recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBicGt5U2pkOVoyeEVrWUxP
RG42SVYxMmhjM1lvaXp2a2Zwd3FNL3l2bUZjClpibFhCT1JtNWp6akpIQ1V6YW5L
SzBHd1lPais3eDQ4OEtiYi8yeGVZK1EKLS0tIE5TeTB1MjFmVVh1TUYwZ05YZWor
aUNxU0xKVTNScEl3YXEvZmlVcHh5cjgKTwC4QsYGq/6Z90oxfYakHM0Uiym1KaTP
UcigMqnMlz3z94/cIHZKF+jFFRITq44SiOg8/yAMmR+MPtbTZ5ZnSA==
-----END AGE ENCRYPTED FILE-----
- recipient: age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1bVFvQ0xKMzdKY0MrekRp
NDJ1TGpFb0RJQWJZSys1ZUE1N2JYUDhRUzNJCmw4N3FKRVZ2M3FtdFlBZGZscVBj
NGdWUDlPZHI5ZFErY000VlFsVUtLYjQKLS0tIGo4YmZWRHF5RVpuZzBKQXhrdDN2
UllmcTIrNXJjcnNSS29BMWlSNkhOL2cKaPzeAO5y8SiU/Oupf3hVbhm5qlz08Z16
vaGXmMv/NjhSM2Xevk8BYuU9CH9rIVqNDiQXBKeIVD6VhdtoJV2pgA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-10T15:40:27Z"
mac: ENC[AES256_GCM,data:hxVxH/BBwYcvbtOH4aOUnI9NnbCfAGnnwE3VQBJBJliOWo9WHm/hx4Eol4vaS+AA2t6AUU7UmzjofX2wSTbqQliDCFCSgbpMofDXP7tmlat+M9Du91fQmfOibzCd84tkqS+TRTFCFX83LmQ7/Bb2mHl77uGVAFYyHX9+IPPEUMw=,iv:w2Rdl2+o7bZRQsOogU6U5DK1UuHn+bL4Ouh3XbByYHA=,tag:6sqJal6+kzk0stP6vK6oOw==,type:str]
pgp:
- created_at: "2026-02-17T22:22:01Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJARAAynwvOJFE4hlU6Cr/HwoXK5TqrsdZbJjsK0dBhMJjZCXo
mQiGbeCmq6ut9LpSL399eXSuZ7MGzk39JBQ54PXUeB/3K02E43tIAzPIrJGXVW9n
Z9QvdAk5B772WgjjTMN82GeQ7xGTp/KJ8MjNvob4umpqYVvkX7CN8glvldHoeqbH
oBwviYU2YEnNgqWYCby0OvwT2Ouky8QEXiKwlI0fUfGd3EHtnLCwegouAUUBKCqb
2SMPLpSFeJuZiGxTsS889CJWMQxXdfqVDS3aedt7SJP8TyqdDlIIJ+fJ5Vt429vN
Af/drBfpViLVHXHh3MQNF5kQXgLt+LSecuj9ubZHXLNm34nw0ldtjf1nqAcsMDRY
gM3FQSuBZUU3vpbisFHzF63tiotwdjQf2BR5r9McnSKyHNHvd0m6DN9l9W5xNlKC
Sdf+cuQOdtsYFxeGrkl7j3uvxsjEyfPJ7lokfRm3vC43GY6MoBBjVqUIe1i4ynUj
nLwtps6AkiTyhkDUXomCqKNiZNAGwW0VI2lMgnva/atWNI15VuD3gOU8TrAfBRcU
vpD82HhBGvyYgcqvn8WWwkd508OQsAHlQlZbp+ZFjbPgzqriSBCv1Z6C74Yhw1Gg
vmfcCCRw70Vmz0zXC4iWJxxFH4SUla7YVOCdwrKhF/6thJSfgQ85bsFkSzUcvV7S
XgHhXgm71Ah6fFzrkOTo58+8RJBwXYGhcOvotq0owzuski4RtdLKWTtC4cT0oMlR
hbziNLYPYo7aogsZ+FxYlkQ4YTleKJUkrUuwBPYqYKZsbCG0un0R5yQrf4/hlfo=
=ekfn
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-02-17T22:22:01Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1AQ//Rl2w61XcbW6YhwDThbwbcpaKzZegAzKnKa2Q25U2UfNP
jhqwqay/PUbJyt/G/9ukVNZ1ujTu4ffbzlV6wD4TJ6baLn1NL1Xkjz8rqoIlXy9/
ZqpyEZxyQAsaP0hBgE3x4UZdD6jh/NRUUlrnPRFVqXxHSCL5XHmHdjCaY58OgB6H
/5LFGjYdxFomGEozR5fpgBuA50B4ylh1Crw+xiT6VPB50/mWRw7GSO4f6iwB/2eR
VeGrK7nqHf6dFS/mTDUxw2jrSoyjDMTgAPHwl1qJ+Pug8fmp0cIdLf3ZGBlulsL2
9DHCvXNeNGmk72Ag6DWh1vxLBOGYAzar4hXSxu216ppJh9ym+3SZRmEYhP33VBRp
JbufVtrRwK3wU3+o88DXZ0Z58Pt+IlH652qxHqJlC7H2F/gX7B5zjH+Uz+1IeEK8
YudPIH3Vo+saCSpKg0RLqHiNXE9ia/wvnWNzw4U5GGikle8LNnzy2TMnwq8I92GP
RUVzWH3vFOWMSt+ilrA4nhjeVlzMBMGBvmQiJypAUAj+fm/xEJTkasa0a+GVpZtH
zHMwTFV/A/7rtXFrtcjTjDLBdlVMqSNM3FYHnKKlZLYUQbqhQNaINdxjrx2C/19w
+WLI08wqrPMZSa5iA1q60LLC3WkiTka1K5N+8fT6HxH/OuuiBJJyxMWsoIcSpYTS
XgG3jf+BR/9y8kDxqiGCwwU7fzRGXGvCH5i7CJzwrWtc3FmTNb7ct3k+tMbEcrNc
frd6gvm0u8+I5CFmHsdZFrDy55afTOoT4DErO7vmUGRKh4JfgKxsn8lzzfLcYjc=
=hjjX
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-02-17T22:22:01Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdAhOSneDEqtquUzQxEuKsOmmBWObvr4JDzmoijutbNFS8w
dixZ92+6rfNthVHhzDQghzyU8dYNqQiwfcrXNWpJ4fJRE1g8nTuQApvxTF4lC4Vm
0l4B/YhYp2JGWdw1dllA9cD/HMAzKJ4zHSL7dCcfP6k0b6CUYm1GuO/VT6Bx7ygC
gfLuQKGFRPomTHNan4S1rhW0q2zvQNGIFMTDo3eR6Uyb2UVDTIdbaICsuaEKssEc
=JN/I
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-02-17T22:22:01Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ/9GhlagbbuK9o7QroUgY9gcimdxp1PTK4HOsjRgnf56PNm
vTpP3We62o3+ohIX7yGKbpNKbnf3n5Ecx3ItJbBRniUDr3G2AnnxpynJJWmZGsn3
HOsgQqqYtUeSgf6KIhaeebP9drM2p2qPYmGfa+9DBb+Li6FESOlzOmZeiUoaZUlF
lHys0cTsBE2iYepR34NYwv7qrkt8tkCz1nrKraAmhiNWFoUFWVN617p2NQICpsFD
Wk5m9gJtWlgQHvSHvqEgu6PBArOFclBcY+bb/XC0srWlAVixwr60iDy1IRRuKz6r
9OukM9Ng1V0bZhkGyjB4ti+RmQKiP9SPAupxmCe5n+ZkweJ7gb/nE9lodNJv8IkK
3o9h653H1hCbWKeKlaAggCfopAyEn1mU+7l37AWUGh3sh5jz7aFrdXYcAIuum88/
Zpa0ALYIABoevjJwV6NyFtAsQpt7YQ3/0wJe/BC/6XQ7QI44DlUYraIaA+CLT9gp
C4h2olOPtCXHfNRM4VK4pOJ0gwQVTI40snlCNzq9TfZPjC63MxzinRLs8PUVvM3r
CXYTwxkOI3IFdvoTIefdVjoOxvGR0tUyYTagtJ0nihh4ymKlxPS2F2FNAm/oDQvm
kx1AjAci8YuYZbS+DSFpi5djN2nxoQRfiFhm08ruBRnX0SI1EYLMShO/AO5fJrTS
XgF86MBuDd9XX2E1OLWamMpgobsAHLgUd/kny8Nz1+VFRmME+FKicrOOvm3RVPWW
D5NGxvlHPMfeE/xqPv4Oog1qkvUdDQoNSc1D6h8uh07XW77mJr0kwnmhk/zDsmA=
=Tlzo
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-02-17T22:22:01Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoARAAlUaspaXyF0VUY+9YYAZNTO9FcqybRLNMCNfYqxjOc9EY
CtHqfMOaA2fYO3Jz5cY3u85ilKovHNpUTQN2AL5B/DnMthQy8ooGrvabeZ4qYeuq
EgKDgzsFw5BS2eS1t6A5cl7OS/tSMnN83Mmy5zYT0eBApkW0uwucv5paNvi4v0XS
nxkfpjLx6Bh4lZ1S4elhkkoC3NQp9oi/xQD3xQue6i0hAw1fKjHXHcluN7gBYfQ3
dgCuPC9NGdNJ3O6k8zn5b01wyLKISt0noYy6XQfZkac/7YKJmfYjaDjwr3G5GPJN
5qDvb/NER/wcPMPiH2avFFPxy8MetG44OS7F2sqUumwxPAKCgrLuGvX5zNf2FdSO
hYPaOveWxGfoAP4IkoGlnp7+DdcWplWE/zyA8vk49JH/cac74+tUkI0AOflJVU2y
EGJ2egD2ThL64+V3Ezml5QQnVFwgWWM46w1X6fhx1wWD+o9mZovj2RF2WkGa2dp6
vP5PXDvTioFt40v5sYjN/19sfeuT+QVExdRZ8yBLgPj430CtF2TvCNNP56h1GB4+
oId9LNlhjSLl23dcA80C3OKLJhFMFC3EhJDXqyrUFXf4rUF/rN/Bd/ig0oq/d2+7
LE7xJE0TYQw83ReW4Amcy4rkLOub64JiNEpEBqZk246MkZoH2IT6gh8sKJ/DHdPS
XgGcprhx/8L/jM4qS0nGaFvkMnOWqZfv0By/CHCl1KPx9p+6m+a5oyA6NUUbYZsZ
6BF0Yk2CEdlM8WjUilQWIYBJtpXqGRu+z4KkaosyNmAem0gImPxQQA2bBdVTQwQ=
=PMud
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-02-17T22:22:01Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqAQ/+NWPka8B/F/sZkJ2cVtVLywIPhHNIroBiyA5n/8TOjWjF
Q9zII52FLTjOrNozJb6Vf09iNTBqPGnde5vW/98aa4v6XaGL/rpHG0TS7uR7Y26Q
DQbYlxZIMwdlhkrb6OHgTeocl1q/XDruLqUaEpqxDjRrtwvFqtEPIMkIvJQp5g9U
qBUqL0gZz71hx7M4V/cxCitMY2bmINueF5TIF44THHGu8QbZaoAt7vXzkxvn9/Jj
jkQYCw128bBWWOTgZ8Nen+s5QuV0jRsczZGkwg7KNSkYi+XszxgcamXIPkKeGhcA
kTyKDNotOeKyui5Mh/MVGSQDi/njWua8ZiPUarORef53ndRY5hkd2dQVjZm1kZvY
Hfi7Nxd8Uxl7ru2m4W8+MXGPRCnm7jFFaVtcwKdGyIASyTtJBHG/wbXDVfsfQVSc
/YLuS10B37gd3innwndPTockCHsuOMHIbNeM8RD41OJSV3opEQlf+DCxTQTxQMZg
n+J61eflGMfkMHSU8yj/7b9NX2IFka2w3GO/hicZ2l2GrM7fNUqT+ynaO1lC1xNX
ALReI0DQUdRd2VHn3cBoduT2j/DM6RaVH89nf7Euj+mzHGSR0DFNxHFXyoHAJJmF
8J08ATp68JkbahHs7swa9Kh3Z4//LILHYcdDiiJNP5NJRG65OlIcTro08NzPg5HS
XgHKbiW3ZXCowpDempWr7UawruY3O1SSvgC3YsHlslrm6RD0uINCKxJL7YjBjIqD
u4M70/rHNiGJefJ2xACNQgdTzPl6s1LpG3c8ANEBLVE4irqFTE6mgfErOMb2Qzo=
=JZf1
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-02-17T22:22:01Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdApX/THvWws8d2Tijx5RrGIh+CYcqDI0T30rttyxT8Mw0w
/7TkFc4D2eSqXQW57YWEACwd47NGyMlW96JEeMDCqwNdGQQLaSseoYrS1hxI9oVB
0l4B0/igsdF1GICTtToMkS8aWwVHXQLu2AO0wNyKjXAyLtsDposdx+UtLM0y0v6X
HfXqQmyHEK0QNr17oqyTKiHQ6rnuX00W42vwxDCGs9RuLvI2qCWeNzC6C6j62vkI
=8osW
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
unencrypted_suffix: _unencrypted
version: 3.8.1

7
config/hosts/penpot/sops.nix
View file

@ -1,7 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

10
config/hosts/ptouch-print-server/configuration.nix
View file

@ -1,10 +0,0 @@
{ ... }:
{
networking = {
hostName = "ptouch-print-server";
domain = "z9.ccchh.net";
};
system.stateVersion = "23.11";
}

9
config/hosts/ptouch-print-server/default.nix
View file

@ -1,9 +0,0 @@
{ ... }:
{
imports = [
./configuration.nix
./networking.nix
./printing.nix
];
}

84
config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/forcecommand-lpr-wrapper.py
View file

@ -1,84 +0,0 @@
#!/usr/bin/env python3
# A script for usage with the ForceCommand sshd_config option.
# It calls lpr with some standard arguments, but also parses
# SSH_ORIGINAL_COMMAND to potentially provide a different set of arguments to
# lpr.
#
# This wrapper is written for interacting with the Brother QL 500 label printer.
#
# The following options can be provided as an SSH command and this script will
# then pass them to the lpr call: <MediaType> <PageSize>
# - MediaType can be one of:
# - Labels
# - Tape (this is the default)
# - PageSize can be one of:
# - 12mm
# - 12mm-circular
# - 17x54mm
# - 17x87mm
# - 23x23mm
# - 24mm-circular
# - 29mm
# - 29x90mm
# - 38mm
# - 38x90mm
# - 50mm
# - 54mm
# - 58mm-circular
# - 62mm
# - 62x29mm
# - 62x100mm
# - Custom.WIDTHxHEIGHT (with WIDTH and HEIGHT needing to be either one to
# three digits)
# - label-wide (this being a convenience alias for Custom.62x35mm and it also
# being the default)
# - label-item (this being a convenience alias for 38x90mm)
#
# So using these options in a complete setup would look like this for example:
# cat label-item.pdf | ssh print@ptouch-print-server.z9.ccchh.net labels label-item
# This being equivalent to:
# cat label-item.pdf | ssh print@ptouch-print-server.z9.ccchh.net Labels 38x90mm
#
# The options are case-insensitive.
#
# The options are derived from: lpoptions -p Brother-QL-500 -l
import os, re, subprocess
mediaType = "Tape"
pageSize = "Custom.62x35mm"
def parseGivenOptions():
givenOptionsString = os.environ["SSH_ORIGINAL_COMMAND"]
givenOptionsIterator = iter(givenOptionsString.split(" "))
givenMediaType = next(givenOptionsIterator, "")
givenPageSize = next(givenOptionsIterator, "")
global mediaType
if givenMediaType.lower() == "labels":
mediaType = "Labels"
elif givenMediaType.lower() == "tape":
mediaType = "Tape"
global pageSize
pageSizeRegex = re.compile(r"^((12mm(-circular)?)|(24mm-circular)|(58mm-circular)|(((17x(54|87))|(23x23)|((29|38)(x90)?)|(62x(29|100))|50|54|62)mm))$", re.ASCII | re.IGNORECASE)
pageSizeMatch = pageSizeRegex.match(givenPageSize)
pageSizeCustomRegex = re.compile(r"^custom\.(\d{1,3})x(\d{1,3})$", re.ASCII | re.IGNORECASE)
pageSizeCustomMatch = pageSizeCustomRegex.match(givenPageSize)
if givenPageSize.lower() == "label-wide":
pageSize = "Custom.62x35mm"
elif givenPageSize.lower() == "label-item":
pageSize = "38x90mm"
elif pageSizeMatch:
pageSize = givenPageSize.lower()
elif pageSizeCustomMatch:
width = pageSizeCustomMatch.group(1)
height = pageSizeCustomMatch.group(2)
pageSize = "Custom.{}x{}".format(width, height)
if "SSH_ORIGINAL_COMMAND" in os.environ:
parseGivenOptions()
subprocess.run(["lpr", "-P", "Brother-QL-500", "-o", "MediaType={}".format(mediaType), "-o", "PageSize={}".format(pageSize)])

7
config/hosts/ptouch-print-server/forcecommand-lpr-wrapper/setup.py
View file

@ -1,7 +0,0 @@
from distutils.core import setup
setup(
name = "forcecommand-lpr-wrapper",
version = "0.0.1",
scripts = ["./forcecommand-lpr-wrapper.py"]
)

21
config/hosts/ptouch-print-server/networking.nix
View file

@ -1,21 +0,0 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "10.31.208.13";
prefixLength = 25;
}
];
};
defaultGateway = "10.31.208.1";
nameservers = [ "10.31.208.1" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:F2:CF:8F";
linkConfig.Name = "net0";
};
}

102
config/hosts/ptouch-print-server/printing.nix
View file

@ -1,102 +0,0 @@
# Sources for this configuration:
# - https://nixos.wiki/wiki/Printing
{ pkgs, lib, ... }:
let
# https://github.com/philpem/printer-driver-ptouch
printer-driver-ptouch = pkgs.stdenv.mkDerivation rec {
pname = "printer-driver-ptouch";
version = "1.7";
src = pkgs.fetchgit {
url = "https://github.com/philpem/printer-driver-ptouch";
rev = "v${version}";
hash = "sha256-3ZotSHn7lERp53hAzx47Ct/k565rEoensCcltwX/Xls=";
};
nativeBuildInputs = [
pkgs.autoreconfHook
pkgs.perl
];
buildInputs = [
pkgs.cups
pkgs.libpng
pkgs.perlPackages.XMLLibXML
pkgs.foomatic-db-engine
];
patches = [
# Add this patch to have the package actually build sucessfully.
# https://github.com/philpem/printer-driver-ptouch/pull/35
(pkgs.fetchpatch {
name = "fix-brother-ql-600.xml.patch";
url = "https://patch-diff.githubusercontent.com/raw/philpem/printer-driver-ptouch/pull/35.patch";
hash = "sha256-y5bHKFeRXx8Wdl1++l4QNGgiY41LY5uzrRdOlaZyF9I=";
})
];
# Used the following as a reference on how to generate the ppd files.
# https://salsa.debian.org/printing-team/ptouch-driver/-/blob/4ba5d2c490ea1230374aa4b0bf711bf77f1ab0c7/debian/rules#L34
postInstall = ''
mkdir -p $out/share/cups
FOOMATICDB=$out/share/foomatic ${pkgs.foomatic-db-engine}/bin/foomatic-compiledb -t ppd -d $out/share/cups/model
rm -r $out/share/foomatic
'';
postPatch = ''
patchShebangs --build foomaticalize
'';
};
forcecommand-lpr-wrapper = pkgs.python3Packages.buildPythonApplication {
name = "forcecommand-lpr-wrapper";
src = ./forcecommand-lpr-wrapper;
propagatedBuildInputs = [
pkgs.cups
];
};
in
{
services.printing = {
enable = true;
drivers = [ printer-driver-ptouch ];
stateless = true;
};
hardware.printers = {
ensurePrinters = [
{
name = "Brother-QL-500";
location = "Z9";
deviceUri = "usb://Brother/QL-500?serial=J8Z249208";
model = "Brother-QL-500-ptouch-ql.ppd";
ppdOptions = {
PageSize = "Custom.62x35mm";
};
}
];
ensureDefaultPrinter = "Brother-QL-500";
};
users.users.print = {
isNormalUser = true;
description = "User for printing via SSH.";
password = "";
};
# PasswordAuthentication being set to false just puts "auth required
# pam_deny.so # deny (order 12400)" for pam.d/sshd, so enable
# PasswordAuthentication to have it not do that.
services.openssh.settings.PasswordAuthentication = lib.mkForce true;
security.pam.services.sshd.allowNullPassword = true;
services.openssh.extraConfig = ''
Match User print
PubkeyAuthentication no
AuthenticationMethods none
PermitEmptyPasswords yes
ForceCommand ${forcecommand-lpr-wrapper}/bin/forcecommand-lpr-wrapper.py
Match User *
'';
}

7
config/hosts/public-reverse-proxy/configuration.nix Normal file
View file

@ -0,0 +1,7 @@
{ config, pkgs, ... }:
{
networking.hostName = "public-reverse-proxy";
system.stateVersion = "23.05";
}

3
config/hosts/woodpecker/woodpecker-server/default.nix → config/hosts/public-reverse-proxy/default.nix
View file

@ -2,8 +2,7 @@
{ {
imports = [ imports = [
./configuration.nix
./nginx.nix ./nginx.nix
./postgresql.nix
./woodpecker-server.nix
]; ];
} }

66
config/hosts/public-reverse-proxy/nginx.nix Normal file
View file

@ -0,0 +1,66 @@
# Sources for this configuration:
# - https://nixos.wiki/wiki/Nginx
# - https://nixos.org/manual/nixos/stable/#sec-firewall
# - https://git.grzb.de/yuri/nix-infra/-/tree/3896d34f4f7f3b5dd5cbd270a14b56b102ef3a2a/hosts/web-public-2
{ config, pkgs, ... }:
{
services.nginx.streamConfig = ''
map $ssl_preread_server_name $address {
status.ccchh.net 10.31.206.15:8443;
}
# Listen on port 443 as a reverse proxy and use PROXY Protocol for the
# upstreams.
server {
listen 0.0.0.0:443;
proxy_pass $address;
ssl_preread on;
proxy_protocol on;
}
'';
services.nginx.appendHttpConfig = ''
map $host $upstream_acme_challenge_host {
club-assistant.ccchh.net 10.31.208.10;
netbox.ccchh.net 10.31.208.29:31820;
light.ccchh.net 10.31.208.23;
thinkcccore0.ccchh.net 10.31.242.3;
thinkcccore1.ccchh.net 10.31.242.4;
thinkcccore2.ccchh.net 10.31.242.5;
thinkcccore3.ccchh.net 10.31.242.6;
zigbee2mqtt.ccchh.net 10.31.208.25:31820;
esphome.ccchh.net 10.31.208.24:31820;
proxmox-backup-server.ccchh.net 10.31.208.28;
status.ccchh.net 10.31.206.15:31820;
default "";
}
'';
services.nginx = {
enable = true;
virtualHosts."well-known_acme-challenge" = {
default = true;
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."/.well-known/acme-challenge/" = {
proxyPass = "http://$upstream_acme_challenge_host";
};
# Better safe than sorry.
# Don't do a permanent redirect to avoid acme challenge pain.
locations."/" = {
return = "307 https://$host$request_uri";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
}

1
config/hosts/public-web-static/default.nix
View file

@ -6,7 +6,6 @@
./networking.nix ./networking.nix
./nginx.nix ./nginx.nix
./virtualHosts ./virtualHosts
./sops.nix
./spaceapid.nix ./spaceapid.nix
]; ];
} }

22
config/hosts/public-web-static/networking.nix
View file

@ -1,19 +1,17 @@
{ ... }: { ... }:
{ {
networking = { networking.interfaces.net0 = {
interfaces.net0 = { ipv4.addresses = [
ipv4.addresses = [ {
{ address = "172.31.17.151";
address = "172.31.17.151"; prefixLength = 25;
prefixLength = 25; }
} ];
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
}; };
networking.defaultGateway = "172.31.17.129";
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = { systemd.network.links."10-net0" = {
matchConfig.MACAddress = "86:72:08:F6:C0:D6"; matchConfig.MACAddress = "86:72:08:F6:C0:D6";

12
config/hosts/public-web-static/nginx.nix
View file

@ -1,17 +1,7 @@
{ ... }: { ... }:
{ {
services.nginx = { services.nginx.enable = true;
enable = true;
appendHttpConfig = ''
access_log off;
# load the DID redirect map from the webroot
map $request_uri $did_redirect_target {
include /var/www/diday.org/nginx-redirects.conf;
}
'';
};
networking.firewall.allowedTCPPorts = [ 8443 31820 ]; networking.firewall.allowedTCPPorts = [ 8443 31820 ];
networking.firewall.allowedUDPPorts = [ 8443 ]; networking.firewall.allowedUDPPorts = [ 8443 ];

150
config/hosts/public-web-static/secrets.yaml
View file

@ -1,150 +0,0 @@
spaceapid_config_ccchh_credentials: ENC[AES256_GCM,data:5IClrKKMO/AztQuGabrnoRFItYNeEmVWGeafomVO94pL1RKzL1sCxBxnmzvJFPb/8Y+6FXMh+Mim4DP8B2RaJMLpmqCv+76N/5+527SZ6gn9i2Klg6q0kD9RzJv40qHq/NYLCa24tpcZDt7eB0EOgqLsKUmtX2LrQjjnN3NzjAevJGKQ5ypnb7xygjft2KrpvlR1hMnZ0XpSLDTNR1AmImxE24JtDaJKzwXbptr2IZvm1UFkNslxdqHPjN+N8+MSSLhqHy/FdcY2ADvsTX1jtjnjkb+9E30QOeCiFPKSmWtSGiQ9sPcQna1yr717Vk0EiNSAWDQ2fMZyJUgBXG6w3wiZbxfJmxvshLPs5KguF9NHER+Seps1QiE0p16c0IS/0Y24UYrK2GyUIcSReGufjxUFGTJHFSsNANac34H/RTs7BkoZ,iv:8WzTRaXVeH5GKmigMVTLVBnhy6nXZnTZHLAYHcqDs2s=,tag:jTdgz0gmruMWWDBQ3h70vw==,type:str]
staging.diday.org:
lego.env: ENC[AES256_GCM,data:FHCHBrjapNGSAtUnDTMZfeAZJqZV65d8COBJF8lzZmNBiw0jXyrmJ6rnUbYmnPN54T+1e8V0dzkdqmYX708tpFWagOPPQ9Ko+D+lV5yJ4hj/lhunuPSetWC/5dGBfN6CbA==,iv:WZ8CWu40ToF2mbpSUR6pDdUa6jcWPIUsWhVaGGBwx1E=,tag:8CohD3CwcUm2LzAJ8Lfimg==,type:str]
sops:
age:
- recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOaEZqOHRMMko4S1loUXdm
aTlsS1RDNHdjdkZWSG1aR0d4Vmh4dVVZQWo0CmJUbm9hZzJqaDBOMTVObG9HWFF1
RDlCcmdvR1RGbzBKQytZK1lSem82SWcKLS0tIEZUdFpldVJpT2RlVThjREVqcUV6
OUJkei9zWmhyazc5T2FVbElFRG9RaFkKu4lZrg8UWVVk75eY8HBdLIT4BNw2UcyV
+7X2L7ltv2z31T4cKnnZrsyeG6fBGCLvuI5EQBd09OCZEUZ4u7qPOA==
-----END AGE ENCRYPTED FILE-----
- recipient: age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzMkdGQ0tpSUlWQ25ERTMy
QXhNdUYzdlBPUXR0V0NyOHpZbDY5RVd1ZXg0Cm40TjQvMXVGamM1akMzRUFuc3NO
K3lJYnpVQ1I3QjlRZUJkUm9QK0NuRFEKLS0tIFNuY2NXU002bnlvVHZKRCtoc1NS
ZE9rN3R4aHRXR0dBc2oxcEYrL1lxZncKuVocF84+ge1gyzfNjIxhwNgd8+kJIpxh
yREbS2mrQ2zvSMtw9OoA0KJSpoHZfIiCwn2uYkQDPiGB/721JmA12Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-27T20:40:06Z"
mac: ENC[AES256_GCM,data:Nsburro0nSV8CLZsxLaFrwsE5EIz8qQOlclNynbRT03XkfaPN2Pup8UWg9QL34KGcGUweqtytxZvLWjwfJYEsIkLqi4ZfrpXpEfBowq5aNbWHzDJDW5QqZKaUPmMQxiPVm1EhXmyvfVdFEueOhfFLbuNUSvNWaFk/7l2utTeLrs=,iv:dSJDVYGdaunvRqj+EkPGy3qxR9suV0s2Mm26silX24M=,tag:hqA+4FpP2PwatRMnZUcUqw==,type:str]
pgp:
- created_at: "2026-02-17T22:22:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJAQ//QUk96h2C0nYHnswgF7hInFG+w+HC0v6sCTzwacAOCwMG
a4otLktg51S/iBqP0VYNCQSfBc0iX2YhHrrROHTRGrxMecVWi8hw3q6MMkBjw49x
wHpSdao/2fSzwB7j6llJNAkpR1RTZkmOimyaWAkH8Er+MNF6xClPuxN3IrPvU/C8
Ru1uZCXvG0jh48NzvXk7rK/KRhPWlcYkgPWAEWQdeNMyxW9Ha0lQhSOhC/lNOLMJ
Q2pZ0zQxeQqNApe4nSs7AE9OGd1U/DNXAAriEtmXRHstPodHLqSjSfO749KLZuQA
ruSMz3tf+FFJspyY7DSleIiiJvu5A5SnU4aaFcrqfhDKNAsFfziG6ze2aq0YHf38
1KxvKvtQP+qT+8pKMFPe7Wz4oFEcHBjxFLyJZ7DwRDkzdMvdAQLLL/kcP4fKxFPx
tNDfJX45CM91soY9N6zHYk3MZ8WXCdcGjP+/XFit3GGeJCV3qNjy1mTalPZbVUE1
uqNgqwG7IZaPup+3TEtIuGb3r0YNy4kWlJcaQ2bz5pPtDpbzcf9Fr+jxTod2LIky
X25qzKmAwus6aWheEyPQ5AHZVT5l2Sgdf/uBBJjh7yt/Y1OY/EtbS05fE6VVdiUq
oFq3DQ8L+MGyUTfQqIxpremwdq7pNp+XxdF8v1O6H5t0ByqcQt0UjsDWpv0T+k3S
XgEMQqbP81OTPCSwL2ePrbj92C97zkScyAyur1lrducU0UPGulQ9k51gIm/1nV4C
04NrhKIlCqNHqx3DY8oHk/rnFrV/Ulrxqq5Hc1FRZCEJIbyV4e+uQQggWSxuqVM=
=uorx
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-02-17T22:22:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1ARAApCd7a+rHgICU4yfYOorWORysVsifvZpAGVTJJGWfeRdR
CQiqubBzEMN2Y9q2WnjYqmk5j909VCxSXO8zWpFjJZwLtA9eaAMftja2/1pLtGQd
AUPUIuTWxKjrP/aoL8tC+I7W2TVsU6Q2GSYqm6OZ0WLDP5kR8YQRSOKzVSDsDkOt
jphtni6zQpE8XLlJRhyPiLX+96Y5geDYj8KD19DBl6vSMFudMhI2WK5imak5PERk
y07w3lJ0/FXGLAdR/I2l8aaynkQ53Ft4IEXNoDtf89nO/8L13AImOZtpoIv1nfVr
QMS1jKys9bfo5lIcJ9bIJQ7hMQwV8AZQziBDDZQjDclZxcxC353zx8sjWjUWzUeY
229b0bn6yutQ6hu9eIU0gxepyvNz9lAN6EHKb2cgp/UJb4IXnn3/ktmPq/wOlVIz
5xOH0ue/BaIWmp1xjC3oKLbJeTw8zvRyzk8jGFDhmhDRUwMoLiPvR9XkQ7cpGGYy
wkb/URVBXLGT2u7wWVPZL0zUJ7zO1wCZ27lBwLgSAvVNSE87Ldsj3roxtr9nOQif
/qmCxHkDbhfhWMFl3PbCYY3hkS/ANQPhGyiBaU26x8o/0Vgajq43OLU0KO1+Wxbr
xvfKVN4m58iPHsMXbgvyEipFu+eoiNvEA68+pCRXrS0om2oE913XNEalVJ6F5f/S
XgGxibFQj6MyvJChwsuFx9YmdH8/nnb0eb9hmZuXctFNZCdlVrv3fhEwBoA6FnrA
RoCdOB5Djl0jHSk66Jto1uwfDYdcPZR+1tgRT9xVeK4PtM+c0Q1Y8dv3wjAnqr8=
=lzNQ
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-02-17T22:22:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdAMGn63OSW8nVLoTMXbLnQdYJuP0cD0exmbpSakMw9PlAw
MTJF0o46wKf+3F84IOf35LwWwMuMGEyz3pvcRXVa1OfPAFk53PMo1P9TyWRoHrgW
0l4BNK3KuE4zB7YNpu8sYtJ4a94qKzTOgUTPdBNOQyZR60BOVyGFDRLo3hHk0opV
eP1e3BxevL3rj1b2WoCewT8lNO+y8+x8bu8JY0WMBVrwjSqYlWENbtuG4eFhNGrN
=3yKD
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-02-17T22:22:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fARAAhwsKIIhLW9DXZlOfg7a+6crdjzTv3EH+8dCcSk5JiRGG
QnFQX+14DCLTX9kmEilDXWwawKbIdabqkF/+LbGyRjd7IrcNe5a+ggzkry9cDPb0
VKts7T3Ti3BFcgNis8ku/W9l17Fm4ngdHA1F47ttByjDcfuAZURtnf1Ta2Lx8XwV
w3Cc09xtsKo98Bfrhel4iI0WZjj9+U3pHE4WeKm7bieLEpwtoxfdmPkGLGaGP8I4
4lIKJG78DTbrbsEP8FpWTTy6gp9N3Q7ZAjpZnuolZp7uZp1I4t+Z2SuHPrsLNwS+
fxjOJnigl8hwPHGm030xq2/tcsxyfNGD13Z8ZG85KBa4+ziN900WZe6AELtMFCsY
HTCEe6b1oe+rBIWsxNNswkakb0w12hZlkZP59/4iahHYaTIPKfmkZTtNKFxeGW8U
3/81nLtEUVn9EOjIL5uHO1zSeAxBBDZb5P6aajdVpKMa4HFFk18nbE8UnPYOoAHm
IJ+xwBs3FBN6nEfjMoq0P6RaszocK4lcTJ9a/8WqWHouG5s2Zvz3sgxBcWd0VQSJ
Eu2HUVPYn/R+87X5ExZ7n4Pv8z4obz+c9oPtjsJJd2sy8laKK1u1gEF94SLovNcJ
Xe/CaW0lpbJtglF4DwqI02WyjUJ4w1p7fgnVO1gzLRPRIbQc4Q/LtEv/rxMRUsbS
XgH6WzB8yoRztIy+0ZFPlcyvGwU+ZniK18rGPnj9FBMC5IWG/zn7Hqro1K0wxMB2
HPwiJkwy+ckIgskVYOdT6b3K9qDSZ6sXe4gMmTNLu95enc4HcaINHt4pUvePX54=
=n02T
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-02-17T22:22:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoARAAvH00112Z82i6jX1U2jeHDSBkyNT8L2tgCO3pwKpbvP/i
qiq1FWod53sA4l9OlrrshJttmBLjra53fOjhEo/qITb/YQ0gB4/EOHgc/AVkF4Cz
kj0bvUaCwR9vhqla7exG+O10i+OpWXPIeGT0BZUo37XUZ/wPFztR4/GP5qhiC6ZF
q7aZVwCaMKE9YQiAJHGqKPUmsAaEbxQIzZKEkyn9/GMy1YAgMtmfVoZgp8FmiG0k
L6OwMv9BU7gS/4DY82KuF/rtJMGjjio8tLa9Bu/VsHhdREvvXDBjyl78g4wtTUSc
S2JRIdM061scpIoy8sn1VFVbaMP0zgrsU7JvBO9/hLmS6M4Dp5a43OP+hNdWg3X2
VxtzhGKLlOn6ycO96lMZflz0YA07SM3pw/EFhWszv/GTQCciGUojv1Gi2u94OQQl
YwbePXWF10IUWK4KqMBHUd6H/oyk4wahS3FDBlB5xdUiO61fH1o72ejQvy/d03mB
e4X3ThvpSg6lWJdXvRi3t4Nnk1deGU6NM1CRvZGsASkLulhsVYDsH3vW4NAatUyk
6g3I5HzJilgLj0CLEyO9dA8m/15Uq8jC2WmBMxqp667QFUuPkKnm1ZUl/vX7Vra+
yazYNtesU1eAP42IMA78irER+kOpi6AbQL7L8SXTcm+rQvhccNZz2/SO5eDDrHzS
XgErn65EfHWhgyLmkUPt6JPiGSoRgsEyEDn2EF3sxJVkCuwp4eVenSrzhtKTR5To
TIY/KGISC2AXccYlDMOicVE8j2K8NrvM6k/lNYhkaiUfhxqiOrFLK8Ku8YU9oPQ=
=JgVW
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-02-17T22:22:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqARAAuPJGCikiP9NTaQJ60FgpC1MHVwBet0RdK86Q3TLHtrfN
ib6ZDZCczv1L/nijEA9sznTHuATnUtd75TrHH1DCKVzFs9fqZx6y7hvnfeJZz85M
iIVybAJwk2Q8xoEf+6IVzFVXwic1RnPCNN1ZYsrfFIWpyRIj6VgP3D9lX10Np/y1
x4QyxO7+gDG/vcNRkFXgnG+i4bekQwC/4vJ9jX3XEpXbTTPBqhW2OnMPX/T/mMmo
ll9NdBq+dw8OZ9zRCOtht5/HOI0uyP2pa/ooX/nfYiGZHzkIfENl1GID3LD3wHGl
qic1aSx0YkW19fZMQ9cTkoHXzrQDyv3QaSPFljgP3ibSh64k1Tp/lcc5Gn13qIMq
ORh2AeLlBwVSzlvr9FjulLzOJhoo04ZxHbi3OG6Exq9AOk61zGHe6xSa6sA0FoAS
SXAouLls4lqrF1RJhUMOJbX6Iwr+52z3JYgUmYqW1FP2iNnwU8Kfs/lW/3zn7IIH
oYimV6F7+5pqW85r7XMukEZB3LSFVviH7l/4pcxXbGCnfStACENngmd0Rkim6Bog
JYEF17naHgnXHJYsZkVGSnlxDfmaJYjK2YKQA1sFtQw0YenUDaewyPDeoCjAsf+O
QwzfLwJhPCZKRvsCAaP6Xj3DaisofI9fJWGKf8GwfbSFkISBY/RYLh4nTTauwlfS
XgFNQ+YXPmD5bCIO7KD9W+6MOVgyAu8Hyr7eMabydbzkMQ+OfeZCOQ535r6/lpzN
3s/9QYu0lYN104ZbZTfu9ZrLnp9ULxw75H019o40YyXE5rx1Qhf9K/Ml1LZgdZg=
=Y9gd
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-02-17T22:22:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdACJe1cOwJNh+yCqthzmRCGIO0eKIAdYjrJHDxsuhVB1ow
5wFPVzDJ1ERhKaur4wEPRwIe1FLznKHF4bR7F6+yIqgWiUhtMpGsrrezq0vS48C8
0l4BwPMgJVgLgfGRH8hZUcM3MYpSQcVKay13eOeTD8kH2rHOY5bq+79l69Z25qXf
46O7DP5sQ51DLGu6t6UBiifyFWZD+WEbkoa5knvyzziYBoQM5hEeUWj9KSHKBaBD
=zi1G
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
unencrypted_suffix: _unencrypted
version: 3.11.0

7
config/hosts/public-web-static/sops.nix
View file

@ -1,7 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

90
config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json
View file

@ -4,7 +4,27 @@
"temperature": [ "temperature": [
{ {
"sensor_data": { "sensor_data": {
"unit": "°C", "unit": "C",
"location": "Hauptraum",
"description": "Sensor im Hauptraum"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "C",
"location": "Loetschlauch",
"description": "Sensor im Lötschlauch (Teil der Werkstatt)"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "C",
"location": "Innenhof", "location": "Innenhof",
"description": "Sensor im Innenhof (erreichbar durch das Flurfenster)" "description": "Sensor im Innenhof (erreichbar durch das Flurfenster)"
}, },
@ -14,6 +34,26 @@
} }
], ],
"humidity": [ "humidity": [
{
"sensor_data": {
"unit": "%",
"location": "Hauptraum",
"description": "Sensor im Hauptraum"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "%",
"location": "Loetschlauch",
"description": "Sensor im Lötschlauch (Teil der Werkstatt)"
},
"allowed_credentials": [
"club-assistant"
]
},
{ {
"sensor_data": { "sensor_data": {
"unit": "%", "unit": "%",
@ -24,54 +64,6 @@
"club-assistant" "club-assistant"
] ]
} }
],
"ext_3d_printer_busy_state": [
{
"sensor_data": {
"unit": "bool",
"location": "Loetschlauch",
"name": "mk4",
"description": "Prusa mk4 busy state"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "bool",
"location": "Loetschlauch",
"name": "mk3.5",
"description": "Prusa mk3.5 busy state"
},
"allowed_credentials": [
"club-assistant"
]
}
],
"ext_3d_printer_minutes_remaining": [
{
"sensor_data": {
"unit": "minutes_remaining",
"location": "Loetschlauch",
"name": "mk4",
"description": "Prusa mk4 minutes remaining"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "minutes_remaining",
"location": "Loetschlauch",
"name": "mk3.5",
"description": "Prusa mk3.5 minutes remaining"
},
"allowed_credentials": [
"club-assistant"
]
}
] ]
}, },
"state": { "state": {

5
config/hosts/public-web-static/spaceapid-config/ccchh-response.json
View file

@ -4,7 +4,7 @@
"14" "14"
], ],
"space": "CCCHH", "space": "CCCHH",
"logo": "https://hamburg.ccc.de/images/logo.svg", "logo": "https://next.hamburg.ccc.de/images/logo.svg",
"ext_ccc": "erfa", "ext_ccc": "erfa",
"url": "https://hamburg.ccc.de/", "url": "https://hamburg.ccc.de/",
"location": { "location": {
@ -14,6 +14,7 @@
}, },
"contact": { "contact": {
"phone": "+49 40 23830150", "phone": "+49 40 23830150",
"irc": "ircs://irc.hackint.org:6697/#ccchh",
"mastodon": "@ccchh@chaos.social", "mastodon": "@ccchh@chaos.social",
"email": "mail@hamburg.ccc.de", "email": "mail@hamburg.ccc.de",
"ml": "talk@hamburg.ccc.de", "ml": "talk@hamburg.ccc.de",
@ -32,7 +33,7 @@
"links": [ "links": [
{ {
"name": "Wiki", "name": "Wiki",
"url": "https://wiki.hamburg.ccc.de" "url": "https://wiki.ccchh.net"
}, },
{ {
"name": "Git (Forgejo)", "name": "Git (Forgejo)",

31
config/hosts/public-web-static/spaceapid.nix
View file

@ -1,22 +1,17 @@
{ pkgs, ... }: { pkgs, ... }:
let let
version = "v0.1.0"; spaceapidSrc = builtins.fetchGit {
spaceapidSrc = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/spaceapid.git"; url = "https://git.hamburg.ccc.de/CCCHH/spaceapid.git";
rev = version; ref = "main";
hash = "sha256-2SDhliltzyydPPZdNn/htDydiK/SHQcYyG/dQ0EyFrY="; rev = "cf9678d7126e1951f9e4aabaa30d7350eb76973b";
}; };
spaceapid = pkgs.buildGoModule rec { spaceapid = pkgs.buildGoModule {
pname = "spaceapid"; pname = "spaceapid";
inherit version; version = "main";
src = spaceapidSrc; src = spaceapidSrc;
ldflags = [
"-X main.version=${version}"
];
# Since spaceapid doesn't have any dependencies, we can set this to null and # Since spaceapid doesn't have any dependencies, we can set this to null and
# use the nonexistend vendored dependencies. # use the nonexistend vendored dependencies.
vendorHash = null; vendorHash = null;
@ -39,7 +34,7 @@ in
After = [ "network.target" "network-online.target" ]; After = [ "network.target" "network-online.target" ];
}; };
serviceConfig = { serviceConfig = {
ExecStart = "${spaceapid}/bin/spaceapid -c ${spaceapidConfigResponse},${spaceapidConfigDynamic},/run/secrets/spaceapid_config_ccchh_credentials"; ExecStart = "${spaceapid}/bin/spaceapid -c ${spaceapidConfigResponse},${spaceapidConfigDynamic},/secrets/spaceapid-config-ccchh-credentials.secret";
User = "spaceapi"; User = "spaceapi";
Group = "spaceapi"; Group = "spaceapi";
Restart = "on-failure"; Restart = "on-failure";
@ -48,10 +43,14 @@ in
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
}; };
sops.secrets."spaceapid_config_ccchh_credentials" = { deployment.keys = {
mode = "0440"; "spaceapid-config-ccchh-credentials.secret" = {
owner = "spaceapi"; keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/public-web-static/spaceapid-config-ccchh-credentials" ];
group = "spaceapi"; destDir = "/secrets";
restartUnits = [ "spaceapid.service" ]; user = "spaceapi";
group = "spaceapi";
permissions = "0640";
uploadAt = "pre-activation";
};
}; };
} }

69
config/hosts/public-web-static/virtualHosts/c3cat.de.nix
View file

@ -1,19 +1,10 @@
{ pkgs, ... }: { pkgs, ... }:
let {
domain = "c3cat.de";
dataDir = "/var/www/${domain}";
deployUser = "c3cat-website-deploy";
in {
security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"acme-${domain}" = { "acme-c3cat.de" = {
enableACME = true; enableACME = true;
serverName = "${domain}"; serverName = "c3cat.de";
serverAliases = [
"www.${domain}"
];
listen = [ listen = [
{ {
@ -23,9 +14,9 @@ in {
]; ];
}; };
"www.${domain}" = { "c3cat.de" = {
forceSSL = true; forceSSL = true;
useACMEHost = "${domain}"; useACMEHost = "c3cat.de";
listen = [ listen = [
{ {
@ -37,42 +28,7 @@ in {
]; ];
locations."/" = { locations."/" = {
return = "302 https://c3cat.de$request_uri"; return = "302 https://wiki.ccchh.net/club:c3cat:start";
};
locations."/manuals/eh22-rgb-ears" = {
return = "307 https://www.c3cat.de/rgb-ears.html";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
locations."/manuals/eh22-rgb-ears" = {
return = "307 https://c3cat.de/rgb-ears.html";
}; };
extraConfig = '' extraConfig = ''
@ -87,17 +43,4 @@ in {
''; '';
}; };
}; };
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
];
};
users.groups."${deployUser}" = { };
} }

118
config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix
View file

@ -1,118 +0,0 @@
{ ... }:
let
domain = "cpu.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "cpuccc-website-deploy";
in
{
security.acme.certs."cpu.ccc.de".extraDomainNames = [
"lokal.ccc.de"
"local.ccc.de"
];
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
# https://git.hamburg.ccc.de/CCCHH/cpu.ccc.de/src/branch/main/nginx.conf
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
index index.html;
default_type text/plain;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
port_in_redirect off;
'';
locations."/" = {
tryFiles = "$uri $uri/ =404";
extraConfig = ''
location /feed/ {
default_type application/rss+xml;
types {
text/xml application/rss+xml;
}
}
location /rss {
default_type application/rss+xml;
}
'';
};
};
"lokal.ccc.de" = {
forceSSL = true;
useACMEHost = "cpu.ccc.de";
serverAliases = [
"local.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://cpu.ccc.de";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOnO7g/7mVVKnvkszto8m3nPljO/6qQc/34aEbrhKOvn deploy key for cpu.ccc.de"
];
};
users.groups."${deployUser}" = { };
}

97
config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix
View file

@ -1,97 +0,0 @@
{ ... }:
let
domain = "cryptoparty-hamburg.de";
dataDir = "/var/www/${domain}";
deployUser = "cryptoparty-website-deploy";
in
{
security.acme.certs."${domain}".extraDomainNames = [
"cryptoparty.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"cryptoparty.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/".return = "302 https://${domain}$request_uri";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
port_in_redirect off;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICz+Lxi9scblM/SKJq4nl64UwvVn8SuF2xmzOuyQrzR+ deploy key for cryptoparty-hamburg.de"
];
};
users.groups."${deployUser}" = { };
}

16
config/hosts/public-web-static/virtualHosts/default.nix
View file

@ -4,22 +4,8 @@
imports = [ imports = [
./branding-resources.hamburg.ccc.de.nix ./branding-resources.hamburg.ccc.de.nix
./c3cat.de.nix ./c3cat.de.nix
./cpu.ccc.de.nix
./cryptoparty-hamburg.de.nix
./element-admin.hamburg.ccc.de.nix
./element.hamburg.ccc.de.nix ./element.hamburg.ccc.de.nix
./hacker.tours.nix ./next.hamburg.ccc.de.nix
./hackertours.hamburg.ccc.de.nix
./hamburg.ccc.de.nix
./spaceapi.hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix
./staging.c3cat.de.nix
./staging.cryptoparty-hamburg.de.nix
./staging.hacker.tours.nix
./staging.hackertours.hamburg.ccc.de.nix
./staging.hamburg.ccc.de.nix
./www.hamburg.ccc.de.nix
./diday.org.nix
./staging.diday.org.nix
./historic-easterhegg
]; ];
} }

151
config/hosts/public-web-static/virtualHosts/diday.org.nix
View file

@ -1,151 +0,0 @@
{ ... }:
let
domain = "diday.org";
dataDir = "/var/www/${domain}";
deployUser = "diday-website-deploy";
in
{
security.acme.certs."${domain}".extraDomainNames = [
"did.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"did.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
basicAuth = {
"preview" = "liebe";
};
extraConfig = ''
return 301 https://diday.org;
'';
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
basicAuth = {
"preview" = "liebe";
};
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
port_in_redirect off;
index index.html;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# return a redirect based on the map loaded from the webroot
if ($did_redirect_target ~ ^301:(.*)$) {
return 301 $1;
}
if ($did_redirect_target ~ ^302:(.*)$) {
return 302 $1;
}
# deny access to the redirects config file
location = /nginx-redirects.conf {
deny all;
return 404;
}
# dynamically redirect the user to the language they prefer
location = / {
set $lang "de";
if ($http_accept_language ~* "^en") {
set $lang "en";
}
return 302 /$lang/;
}
# configure decap-cms content-type and caching rules
location = /admin/cms.js {
expires -1;
add_header Cache-Control "no-store";
}
location = /admin/config.yml {
expires -1;
add_header Cache-Control "no-store";
types { }
default_type text/yaml;
}
# configure asset caching
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
expires 1y;
add_header Cache-Control "public, immutable";
}
# we are using the Astro Image Pipeline, therefore DecapCMS can't access image previews
location /admin/src/ {
log_not_found off;
return 404;
}
location / {
try_files $uri $uri/ =404;
}
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBitESG5AvHnHLPo+kdsV5l+wzSTqCltkk0IFAWGqBcl codeberg-actions-runner"
];
};
users.groups."${deployUser}" = { };
}

115
config/hosts/public-web-static/virtualHosts/element-admin.hamburg.ccc.de.nix
View file

@ -1,115 +0,0 @@
{ config, pkgs, ... }:
let
elementAdminVersion = "0.1.10";
elementAdmin = pkgs.stdenv.mkDerivation (finalAttrs: {
pname = "element-admin";
version = elementAdminVersion;
src = pkgs.fetchzip {
url = "https://github.com/element-hq/element-admin/archive/refs/tags/v${elementAdminVersion}.zip";
sha256 = "sha256-dh7tmzAaTfKB9FuOVhLHpOIsTZK1qMvNq16HeObHOqI=";
};
nativeBuildInputs = [
pkgs.nodejs
pkgs.pnpm.configHook
];
pnpmDeps = pkgs.pnpm.fetchDeps {
inherit (finalAttrs) pname version src;
fetcherVersion = 2;
hash = "sha256-S/MdfUv6q+PaAKWYHxVY80BcpL81dOfpPVhNxEPQVE4=";
};
buildPhase = ''
pnpm build
'';
installPhase = ''
cp -a dist $out
'';
});
in
{
services.nginx = {
enable = true;
virtualHosts."acme-element-admin.hamburg.ccc.de" = {
enableACME = true;
serverName = "element-admin.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
virtualHosts."element-admin.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "element-admin.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = elementAdmin;
locations."/assets" = {
extraConfig = ''
expires 1y;
add_header Cache-Control "public, max-age=31536000, immutable";
# Security headers.
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
'';
};
locations."/" = {
index = "/index.html";
tryFiles = "$uri $uri/ /";
extraConfig = ''
# Security headers.
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
'';
};
extraConfig = ''
# Security headers.
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
networking.firewall.allowedTCPPorts = [ 8443 31820 ];
}

2
config/hosts/public-web-static/virtualHosts/element-web-config/config.json
View file

@ -49,7 +49,7 @@
"auth_header_logo_url": "https://branding-resources.hamburg.ccc.de/logo/ccchh-logo-no-background.png", "auth_header_logo_url": "https://branding-resources.hamburg.ccc.de/logo/ccchh-logo-no-background.png",
"auth_footer_links": [ "auth_footer_links": [
{ "text": "Website", "url": "https://hamburg.ccc.de/" }, { "text": "Website", "url": "https://hamburg.ccc.de/" },
{ "text": "Wiki", "url": "https://wiki.hamburg.ccc.de/" }, { "text": "Wiki", "url": "https://wiki.ccchh.net/" },
{ "text": "Status", "url": "https://status.ccchh.net/status/main" } { "text": "Status", "url": "https://status.ccchh.net/status/main" }
] ]
} }

5
config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
View file

@ -1,10 +1,9 @@
{ pkgs, ... }: { pkgs, ... }:
let let
elementWebVersion = "1.12.0";
element-web = pkgs.fetchzip { element-web = pkgs.fetchzip {
url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; url = "https://github.com/vector-im/element-web/releases/download/v1.11.45/element-v1.11.45.tar.gz";
sha256 = "sha256-2kXQFUhLYyEKuXYw+n94JGlTN2VJHRpjmu78u8gdaro="; sha256 = "sha256-nwRsBIF9vcHZkyVsLA2sU2cmuzALEIIOcWQRGfd+5xs=";
}; };
elementSecurityHeaders = '' elementSecurityHeaders = ''
# Configuration best practices # Configuration best practices

68
config/hosts/public-web-static/virtualHosts/hacker.tours.nix
View file

@ -1,68 +0,0 @@
{ pkgs, ... }:
let
domain = "hacker.tours";
dataDir = "/var/www/${domain}";
deployUser = "hackertours-website-deploy";
in
{
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
locations."/shop" = {
return = "302 https://tickets.hamburg.ccc.de";
};
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrDTANfPMkcf+V7zkypzaeX2fxkfStPHmZKqC29xyqy deploy key for hacker.tours"
];
};
users.groups."${deployUser}" = { };
}

77
config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
View file

@ -1,77 +0,0 @@
{ pkgs, ... }:
let
domain = "hackertours.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "ht-ccchh-website-deploy";
in
{
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/de/posts/faq" = {
return = "302 /de/faq/";
};
locations."/en/posts/faq" = {
return = "302 /en/faq/";
};
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
port_in_redirect off;
rewrite ^/(de|en)/tours$ /$1/37c3 redirect;
rewrite ^/(de|en)/tours/(.*)$ /$1/37c3/$2 redirect;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxMnllgRD6W85IQ0WrVJSwr7dKM8PLNK4pmGaJRu0OR deploy key for hackertours.hamburg.ccc.de"
];
};
users.groups."${deployUser}" = { };
}

117
config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
View file

@ -1,117 +0,0 @@
{ pkgs, ... }:
{
services.nginx.virtualHosts = {
"acme-hamburg.ccc.de" = {
enableACME = true;
serverName = "hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "hamburg.ccc.de";
default = true;
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "/var/www/hamburg.ccc.de/";
# Redirect the old spaceapi endpoint to the new one.
locations."/dooris/status.json" = {
return = "302 https://spaceapi.hamburg.ccc.de/";
};
# Add .well-known/matrix stuff for Matrix to work.
locations."/.well-known/matrix/server" = {
return = "200 '{\"m.server\": \"matrix.hamburg.ccc.de:443\"}'";
extraConfig = ''
add_header Content-Type application/json;
'';
};
locations."/.well-known/matrix/client" = {
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.hamburg.ccc.de\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
# Redirect pages starting with 4 digits for redirecting the old blog
# article URLs.
# We want to redirect /yyyy/mm/dd/slug to /blog/yyyy/mm/dd/slug, but we
# just match the first 4 digits for simplicity.
locations."~ \"^/[\\d]{4}\"" = {
return = "302 https://$host/blog$request_uri";
};
# Redirect pages, which previously lived on the old website, to their
# successors in the wiki.
locations."/club/satzung" = {
return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:satzung";
};
locations."/club/hausordnung" = {
return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:hausordnung";
};
locations."/club/vertrauenspersonen" = {
return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:vertrauenspersonen";
};
locations."/club/beitragsordnung" = {
return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:beitragsordnung";
};
locations."/club/mitgliedschaft" = {
return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:foemi-formular";
};
locations."/club/geschichte" = {
return = "302 https://wiki.hamburg.ccc.de/club:geschichte";
};
# Redirect old feed location.
locations."/feed.xml" = {
return = "302 https://$host/blog/index.xml";
};
# Redirect /calendar to the Nextcloud calendar, as this location apparently gets used in several locations.
locations."/calendar" = {
return = "302 https://cloud.hamburg.ccc.de/apps/calendar/embed/QJAdExziSnNJEz5g";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
port_in_redirect off;
'';
};
};
users.users.ccchh-website-deploy = {
isNormalUser = true;
group = "ccchh-website-deploy";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb ccchh website deployment key"
];
};
users.groups.ccchh-website-deploy = { };
}

12
config/hosts/public-web-static/virtualHosts/historic-easterhegg/default.nix
View file

@ -1,12 +0,0 @@
{ ... }:
{
imports = [
./eh03.nix
./eh05.nix
./eh07.nix
./eh09.nix
./eh11.nix
./eh20.nix
];
}

101
config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
View file

@ -1,101 +0,0 @@
{ pkgs, ... }:
let
eh03 = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2003-website.git";
rev = "74977c56486cd060566bf06678a936e801952f9e";
hash = "sha256-ded/NO+Jex2Sa4yWAIRpqANsv8i0vKmJSkM5r9KxaVk=";
};
in
{
security.acme.certs."eh03.easterhegg.eu".extraDomainNames = [
"eh2003.hamburg.ccc.de"
"www.eh2003.hamburg.ccc.de"
"easterhegg2003.hamburg.ccc.de"
"www.easterhegg2003.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-eh03.easterhegg.eu" = {
enableACME = true;
serverName = "eh03.easterhegg.eu";
serverAliases = [
"eh2003.hamburg.ccc.de"
"www.eh2003.hamburg.ccc.de"
"easterhegg2003.hamburg.ccc.de"
"www.easterhegg2003.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2003.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "eh03.easterhegg.eu";
serverAliases = [
"eh2003.hamburg.ccc.de"
"www.eh2003.hamburg.ccc.de"
"www.easterhegg2003.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh03.easterhegg.eu";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"eh03.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh03.easterhegg.eu";
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.html";
root = eh03;
extraConfig = ''
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;
'';
};
extraConfig = ''
set $chosen_lang "de";
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
# Enable SSI
ssi on;
'';
};
};
}

100
config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
View file

@ -1,100 +0,0 @@
{ pkgs, ... }:
let
eh05 = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2005-website.git";
rev = "f1455aee35b6462ab5c46f3d52c47e0b200c1315";
hash = "sha256-lA4fxO05K39nosSYNfKUtSCrK+dja1yWKILqRklSNy8=";
};
in
{
security.acme.certs."eh05.easterhegg.eu".extraDomainNames = [
"eh2005.hamburg.ccc.de"
"www.eh2005.hamburg.ccc.de"
"easterhegg2005.hamburg.ccc.de"
"www.easterhegg2005.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-eh05.easterhegg.eu" = {
enableACME = true;
serverName = "eh05.easterhegg.eu";
serverAliases = [
"eh2005.hamburg.ccc.de"
"www.eh2005.hamburg.ccc.de"
"easterhegg2005.hamburg.ccc.de"
"www.easterhegg2005.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2005.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "eh05.easterhegg.eu";
serverAliases = [
"eh2005.hamburg.ccc.de"
"www.eh2005.hamburg.ccc.de"
"www.easterhegg2005.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh05.easterhegg.eu";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"eh05.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh05.easterhegg.eu";
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.shtml";
root = eh05;
extraConfig = ''
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;
'';
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
# Enable SSI
ssi on;
'';
};
};
}

106
config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
View file

@ -1,106 +0,0 @@
{ pkgs, ... }:
let
eh07 = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2007-website.git";
rev = "0bb06fd2654814ddda28469a1bf9e50a9814dd9a";
hash = "sha256-jMpDxgxbL3ipG3HLJo0ISTdWfYYrd2EfwpmoiWV0qCM=";
};
in
{
security.acme.certs."eh07.easterhegg.eu".extraDomainNames = [
"eh2007.hamburg.ccc.de"
"www.eh2007.hamburg.ccc.de"
"eh07.hamburg.ccc.de"
"www.eh07.hamburg.ccc.de"
"easterhegg2007.hamburg.ccc.de"
"www.easterhegg2007.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-eh07.easterhegg.eu" = {
enableACME = true;
serverName = "eh07.easterhegg.eu";
serverAliases = [
"eh2007.hamburg.ccc.de"
"www.eh2007.hamburg.ccc.de"
"eh07.hamburg.ccc.de"
"www.eh07.hamburg.ccc.de"
"easterhegg2007.hamburg.ccc.de"
"www.easterhegg2007.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2007.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "eh07.easterhegg.eu";
serverAliases = [
"eh2007.hamburg.ccc.de"
"www.eh2007.hamburg.ccc.de"
"eh07.hamburg.ccc.de"
"www.eh07.hamburg.ccc.de"
"www.easterhegg2007.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh07.easterhegg.eu";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"eh07.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh07.easterhegg.eu";
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.shtml";
root = eh07;
extraConfig = ''
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;
'';
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
# Enable SSI
ssi on;
'';
};
};
}

105
config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix
View file

@ -1,105 +0,0 @@
{ pkgs, ... }:
let
eh09 = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2009-website.git";
rev = "6d4a50c5ab23870072f0b33dd0171b0c56d6cab5";
hash = "sha256-kPJOrKseJD/scRxhYFa249DT1cYmeCjnK50Bt0IJZK8=";
};
in
{
security.acme.certs."eh09.easterhegg.eu".extraDomainNames = [
"eh2009.hamburg.ccc.de"
"www.eh2009.hamburg.ccc.de"
"eh09.hamburg.ccc.de"
"www.eh09.hamburg.ccc.de"
"easterhegg2009.hamburg.ccc.de"
"www.easterhegg2009.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-eh09.easterhegg.eu" = {
enableACME = true;
serverName = "eh09.easterhegg.eu";
serverAliases = [
"eh2009.hamburg.ccc.de"
"www.eh2009.hamburg.ccc.de"
"eh09.hamburg.ccc.de"
"www.eh09.hamburg.ccc.de"
"easterhegg2009.hamburg.ccc.de"
"www.easterhegg2009.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2009.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "eh09.easterhegg.eu";
serverAliases = [
"eh2009.hamburg.ccc.de"
"www.eh2009.hamburg.ccc.de"
"eh09.hamburg.ccc.de"
"www.eh09.hamburg.ccc.de"
"www.easterhegg2009.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh09.easterhegg.eu";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"eh09.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh09.easterhegg.eu";
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.shtml";
root = eh09;
extraConfig = ''
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;
'';
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
# Enable SSI
ssi on;
'';
};
};
}

106
config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix
View file

@ -1,106 +0,0 @@
{ pkgs, ... }:
let
eh11 = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2011-website.git";
rev = "c20540af71d4a0bd1fa12f49962b92d04293415b";
hash = "sha256-9hhtfU8fp2HOThcyQ4R7kuGQBjZktqMtiiYQhOas2QA=";
};
in
{
security.acme.certs."eh11.easterhegg.eu".extraDomainNames = [
"eh2011.hamburg.ccc.de"
"www.eh2011.hamburg.ccc.de"
"eh11.hamburg.ccc.de"
"www.eh11.hamburg.ccc.de"
"easterhegg2011.hamburg.ccc.de"
"www.easterhegg2011.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-eh11.easterhegg.eu" = {
enableACME = true;
serverName = "eh11.easterhegg.eu";
serverAliases = [
"eh2011.hamburg.ccc.de"
"www.eh2011.hamburg.ccc.de"
"eh11.hamburg.ccc.de"
"www.eh11.hamburg.ccc.de"
"easterhegg2011.hamburg.ccc.de"
"www.easterhegg2011.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2011.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "eh11.easterhegg.eu";
serverAliases = [
"eh2011.hamburg.ccc.de"
"www.eh2011.hamburg.ccc.de"
"eh11.hamburg.ccc.de"
"www.eh11.hamburg.ccc.de"
"www.easterhegg2011.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh11.easterhegg.eu";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"eh11.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh11.easterhegg.eu";
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.shtml";
root = eh11;
extraConfig = ''
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;
'';
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
# Enable SSI
ssi on;
'';
};
};
}

91
config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix
View file

@ -1,91 +0,0 @@
{ pkgs, ... }:
let
eh20 = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-eh20-website.git";
rev = "026932ef2f1fb85c99269e0fb547589a25d3687c";
hash = "sha256-YYxHhPYIioJgyHXNieoX6ibasHcNw/AFk+qCNSOxke4=";
};
in
{
security.acme.certs."eh20.easterhegg.eu".extraDomainNames = [
"www.eh20.easterhegg.eu"
"eh20.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-eh20.easterhegg.eu" = {
enableACME = true;
serverName = "eh20.easterhegg.eu";
serverAliases = [
"www.eh20.easterhegg.eu"
"eh20.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"www.eh20.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh20.easterhegg.eu";
serverAliases = [
"eh20.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh20.easterhegg.eu";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"eh20.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh20.easterhegg.eu";
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "start.html";
root = "${eh20}/wiki_siteexport";
};
# redirect doku.php?id=$pagename to /$pagename.html
locations."/doku.php" = {
return = "301 $scheme://$host/$arg_id.html";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
}

20
config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix → config/hosts/public-web-static/virtualHosts/next.hamburg.ccc.de.nix
View file

@ -2,9 +2,9 @@
{ {
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"acme-staging.hamburg.ccc.de" = { "acme-next.hamburg.ccc.de" = {
enableACME = true; enableACME = true;
serverName = "staging.hamburg.ccc.de"; serverName = "next.hamburg.ccc.de";
listen = [ listen = [
{ {
@ -14,9 +14,9 @@
]; ];
}; };
"staging.hamburg.ccc.de" = { "next.hamburg.ccc.de" = {
forceSSL = true; forceSSL = true;
useACMEHost = "staging.hamburg.ccc.de"; useACMEHost = "next.hamburg.ccc.de";
listen = [ listen = [
{ {
@ -27,13 +27,7 @@
} }
]; ];
root = "/var/www/staging.hamburg.ccc.de/"; root = "/var/www/next.hamburg.ccc.de/";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = '' extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
@ -44,8 +38,6 @@
# Then tell the realip_module to get the addreses from the proxy protocol # Then tell the realip_module to get the addreses from the proxy protocol
# header. # header.
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
port_in_redirect off;
''; '';
}; };
}; };
@ -54,7 +46,7 @@
isNormalUser = true; isNormalUser = true;
group = "ccchh-website-deploy"; group = "ccchh-website-deploy";
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb ccchh website deployment key" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb next.hamburg.ccc.de deployment key"
]; ];
}; };
users.groups.ccchh-website-deploy = { }; users.groups.ccchh-website-deploy = { };

60
config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix
View file

@ -1,60 +0,0 @@
{ pkgs, ... }:
let
domain = "staging.c3cat.de";
dataDir = "/var/www/${domain}";
deployUser = "c3cat-website-deploy";
in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
# c3cat deploy user already defined in c3cat.de.nix.
}

94
config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix
View file

@ -1,94 +0,0 @@
{ ... }:
let
domain = "staging.cryptoparty-hamburg.de";
dataDir = "/var/www/${domain}";
deployUser = "cryptoparty-website-deploy";
in
{
security.acme.certs."${domain}".extraDomainNames = [
"staging.cryptoparty.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"staging.cryptoparty.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/".return = "302 https://${domain}$request_uri";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
port_in_redirect off;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
# Cryptoparty website deploy user already defined in cryptoparty-hamburg.de.nix.
}

81
config/hosts/public-web-static/virtualHosts/staging.diday.org.nix
View file

@ -1,81 +0,0 @@
{ config, ... }:
let
domain = "staging.diday.org";
dataDir = "/var/www/${domain}";
deployUser = "diday-website-deploy";
in
{
security.acme.certs."${domain}" = {
domain = "staging.diday.org";
extraDomainNames = [ "*.staging.diday.org" ];
group = "nginx";
dnsResolver = "45.54.76.1:53";
dnsProvider = "desec";
environmentFile = config.sops.secrets."staging.diday.org/lego.env".path;
};
services.nginx.virtualHosts = {
"*.${domain}" = {
useACMEHost = "${domain}";
forceSSL = true;
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
basicAuth = {
"preview" = "liebe";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
port_in_redirect off;
error_page 404 /404.html;
location / {
if ($host ~* "^(pr\d+)\.staging\.diday\.org$") {
root /var/www/staging.diday.org/$1/;
}
index index.html;
try_files $uri $uri/ =404;
# deny access to the redirects config file
location = /nginx-redirects.conf {
deny all;
return 404;
}
# dynamically redirect the user to the language they prefer
location = / {
set $lang "de";
if ($http_accept_language ~* "^en") {
set $lang "en";
}
return 302 /$lang/;
}
}
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
sops.secrets."staging.diday.org/lego.env" = {};
}

61
config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
View file

@ -1,61 +0,0 @@
{ pkgs, ... }:
let
domain = "staging.hacker.tours";
dataDir = "/var/www/${domain}";
deployUser = "hackertours-website-deploy";
in
{
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
# Hackertours deploy user already defined in hacker.tours.nix.
}

63
config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
View file

@ -1,63 +0,0 @@
{ pkgs, ... }:
let
domain = "staging.hackertours.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "ht-ccchh-website-deploy";
in
{
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
# Hackertours CCCHH deploy user already defined in hackertours.hamburg.ccc.de.nix.
}

46
config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix
View file

@ -1,46 +0,0 @@
{ pkgs, ... }:
{
services.nginx.virtualHosts = {
"acme-www.hamburg.ccc.de" = {
enableACME = true;
serverName = "www.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"www.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "www.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
return = "302 https://hamburg.ccc.de$request_uri";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
}

7
config/hosts/woodpecker/configuration.nix
View file

@ -1,7 +0,0 @@
{ config, pkgs, ... }:
{
networking.hostName = "woodpecker";
system.stateVersion = "24.05";
}

Some files were not shown because too many files have changed in this diff Show more