
1 commit

e4f5655c88
add required nixConfig option 2024-11-12 22:36:51 +01:00
67 changed files with 1227 additions and 1678 deletions


@ -3,7 +3,7 @@ keys:
- &admin_gpg_stb F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC - &admin_gpg_stb F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- &admin_gpg_jtbx 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - &admin_gpg_jtbx 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- &admin_gpg_yuri 87AB00D45D37C9E9167B5A5A333448678B60E505 - &admin_gpg_yuri 87AB00D45D37C9E9167B5A5A333448678B60E505
- &admin_gpg_june 057870A2C72CD82566A3EC983695F4FCBCAE4912 - &admin_gpg_june 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- &admin_gpg_haegar F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - &admin_gpg_haegar F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- &admin_gpg_dario 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - &admin_gpg_dario 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- &admin_gpg_echtnurich 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - &admin_gpg_echtnurich 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
@ -13,8 +13,8 @@ keys:
- &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7 - &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
- &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t - &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
- &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk - &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
- &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
- &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0 - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
- &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
- &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
- &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch - &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
- &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r - &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
@ -32,6 +32,7 @@ creation_rules:
- *admin_gpg_echtnurich - *admin_gpg_echtnurich
- *admin_gpg_max - *admin_gpg_max
- *admin_gpg_c6ristian - *admin_gpg_c6ristian
- *admin_gpg_dante
age: age:
- *host_age_git - *host_age_git
- path_regex: config/hosts/forgejo-actions-runner/.* - path_regex: config/hosts/forgejo-actions-runner/.*
@ -47,6 +48,7 @@ creation_rules:
- *admin_gpg_echtnurich - *admin_gpg_echtnurich
- *admin_gpg_max - *admin_gpg_max
- *admin_gpg_c6ristian - *admin_gpg_c6ristian
- *admin_gpg_dante
age: age:
- *host_age_forgejo_actions_runner - *host_age_forgejo_actions_runner
- path_regex: config/hosts/matrix/.* - path_regex: config/hosts/matrix/.*
@ -62,8 +64,25 @@ creation_rules:
- *admin_gpg_echtnurich - *admin_gpg_echtnurich
- *admin_gpg_max - *admin_gpg_max
- *admin_gpg_c6ristian - *admin_gpg_c6ristian
- *admin_gpg_dante
age: age:
- *host_age_matrix - *host_age_matrix
- path_regex: config/hosts/netbox/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_netbox
- path_regex: config/hosts/public-web-static/.* - path_regex: config/hosts/public-web-static/.*
key_groups: key_groups:
- pgp: - pgp:
@ -77,6 +96,7 @@ creation_rules:
- *admin_gpg_echtnurich - *admin_gpg_echtnurich
- *admin_gpg_max - *admin_gpg_max
- *admin_gpg_c6ristian - *admin_gpg_c6ristian
- *admin_gpg_dante
age: age:
- *host_age_public_web_static - *host_age_public_web_static
- path_regex: config/hosts/mjolnir/.* - path_regex: config/hosts/mjolnir/.*
@ -92,6 +112,7 @@ creation_rules:
- *admin_gpg_echtnurich - *admin_gpg_echtnurich
- *admin_gpg_max - *admin_gpg_max
- *admin_gpg_c6ristian - *admin_gpg_c6ristian
- *admin_gpg_dante
age: age:
- *host_age_mjolnir - *host_age_mjolnir
- path_regex: config/hosts/woodpecker/.* - path_regex: config/hosts/woodpecker/.*
@ -107,6 +128,7 @@ creation_rules:
- *admin_gpg_echtnurich - *admin_gpg_echtnurich
- *admin_gpg_max - *admin_gpg_max
- *admin_gpg_c6ristian - *admin_gpg_c6ristian
- *admin_gpg_dante
age: age:
- *host_age_woodpecker - *host_age_woodpecker
- path_regex: config/hosts/penpot/.* - path_regex: config/hosts/penpot/.*
@ -122,23 +144,9 @@ creation_rules:
- *admin_gpg_echtnurich - *admin_gpg_echtnurich
- *admin_gpg_max - *admin_gpg_max
- *admin_gpg_c6ristian - *admin_gpg_c6ristian
- *admin_gpg_dante
age: age:
- *host_age_penpot - *host_age_penpot
- path_regex: config/hosts/yate/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
age:
- *host_age_yate
- key_groups: - key_groups:
- pgp: - pgp:
- *admin_gpg_djerun - *admin_gpg_djerun
@ -151,6 +159,7 @@ creation_rules:
- *admin_gpg_echtnurich - *admin_gpg_echtnurich
- *admin_gpg_max - *admin_gpg_max
- *admin_gpg_c6ristian - *admin_gpg_c6ristian
- *admin_gpg_dante
stores: stores:
yaml: yaml:
indent: 2 indent: 2
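Review bot: Replacing the `admin_gpg_june` fingerprint and adding `*admin_gpg_dante` to each `creation_rules` entry only changes the recipients of newly created files; secrets that are already encrypted keep their old recipient list until they are re-encrypted with `sops updatekeys`. If the previous june key is being retired because it may be exposed, the secret values themselves also need rotating, since the old ciphertexts stay in git history and remain decryptable with that key. The `&admin_gpg_dante` anchor is not defined in the visible hunks, so confirm it exists in the `keys:` list. With the `config/hosts/yate/.*` rule removed, any file still under that path would fall through to the final rule without a `path_regex`, which as far as the hunk shows lists only PGP recipients.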

21
LICENSE

@ -1,21 +0,0 @@
MIT License
Copyright (c) CCCHH
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


@ -73,8 +73,3 @@ Build a new NixOS Proxmox VE Template for the chaosknoten:
```shell ```shell
nix build .#proxmox-chaosknoten-nixos-template nix build .#proxmox-chaosknoten-nixos-template
``` ```
## License
This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
[`librespot_PR1528_conflicts_resolved.patch`](patches/librespot_PR1528_conflicts_resolved.patch) is a modified version of [librespot PR 1528](https://github.com/librespot-org/librespot/pull/1528) and is licensed under the [MIT license](https://github.com/librespot-org/librespot/blob/dev/LICENSE).


@ -6,9 +6,14 @@
# - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix # - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix
# - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings # - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings
{ config, pkgs, lib, authorizedKeysRepo, ... }: { config, pkgs, lib, ... }:
let let
authorizedKeysRepo = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
rev = "686a6af22f6696f0c0595c56f463c078550049fc";
hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=";
};
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys")); authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
in in
{ {
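Review bot: Pinning `authorizedKeysRepo` by `rev` and `hash` fixes the fetched content, which also means a key removed from `infrastructure-authorized-keys` stays authorized until both values are bumped here and every host is redeployed. That revocation step is easy to miss and deserves a comment above the `fetchgit` call, for example `# Pinned: after any key removal upstream, update rev and hash and redeploy, otherwise the removed key keeps access.` `authorizedKeys` also accepts every non-empty line of the file as a key, so comment lines or malformed entries are passed through unchanged. The `let` block's body continues outside the hunk, so how `authorizedKeys` is consumed is not visible here.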


@ -5,13 +5,13 @@
interfaces.net0 = { interfaces.net0 = {
ipv4.addresses = [ ipv4.addresses = [
{ {
address = "172.31.200.14"; address = "10.31.210.10";
prefixLength = 23; prefixLength = 23;
} }
]; ];
}; };
defaultGateway = "172.31.200.1"; defaultGateway = "10.31.210.1";
nameservers = [ "172.31.200.1" ]; nameservers = [ "10.31.210.1" ];
}; };
systemd.network.links."10-net0" = { systemd.network.links."10-net0" = {


@ -5,13 +5,13 @@
interfaces.net0 = { interfaces.net0 = {
ipv4.addresses = [ ipv4.addresses = [
{ {
address = "172.31.200.15"; address = "10.31.210.13";
prefixLength = 23; prefixLength = 23;
} }
]; ];
}; };
defaultGateway = "172.31.200.1"; defaultGateway = "10.31.210.1";
nameservers = [ "172.31.200.1" ]; nameservers = [ "10.31.210.1" ];
}; };
systemd.network.links."10-net0" = { systemd.network.links."10-net0" = {


@ -0,0 +1,7 @@
{ ... }:
{
networking.hostName = "eh22-wiki";
system.stateVersion = "23.11";
}


@ -0,0 +1,9 @@
{ config, pkgs, ... }:
{
imports = [
./configuration.nix
./dokuwiki.nix
./networking.nix
];
}


@ -0,0 +1,165 @@
# Sources for this configuration:
# - https://www.dokuwiki.org/dokuwiki
# - https://www.dokuwiki.org/install
# - https://www.dokuwiki.org/requirements
# - https://www.dokuwiki.org/install:php
# - https://www.dokuwiki.org/security
# - https://www.dokuwiki.org/config:xsendfile
# - https://www.dokuwiki.org/install:nginx
# - https://www.dokuwiki.org/faq:uploadsize
# - https://nixos.wiki/wiki/Phpfpm
# - https://wiki.archlinux.org/title/Nginx#FastCGI
# - https://github.com/NixOS/nixpkgs/blob/84c0cb1471eee15e77ed97e7ae1e8cdae8835c61/nixos/modules/services/web-apps/dokuwiki.nix
# - https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/81c8bfe16b311d5bf4635947fa02dfb65aea7f91/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf
# - https://www.php.net/manual/en/install.fpm.php
# - https://www.php.net/manual/en/install.fpm.configuration.php
{ config, pkgs, ... }:
let
# This is also used for user and group names.
app = "dokuwiki";
domain = "eh22.easterhegg.eu";
dataDir = "/srv/www/${domain}";
in {
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${app} ${app}"
];
services.phpfpm.pools."${app}" = {
user = "${app}";
group = "${app}";
phpOptions = ''
short_open_tag = Off
open_basedir =
output_buffering = Off
output_handler =
zlib.output_compression = Off
implicit_flush = Off
allow_call_time_pass_reference = Off
max_execution_time = 30
max_input_time = 60
max_input_vars = 10000
memory_limit = 128M
error_reporting = E_ALL & ~E_NOTICE
display_errors = Off
display_startup_errors = Off
log_errors = On
; error_log should be handled by NixOS.
variables_order = "EGPCS"
register_argc_argv = Off
file_uploads = On
upload_max_filesize = 20M
post_max_size = 20M
session.use_cookies = 1
; Checked the default NixOS PHP extensions and the only one missing from
; DokuWikis list of PHP extensions was bz2, so add that.
; Checked with NixOS 23.11 on 2024-05-02.
extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so
'';
settings = {
"listen.owner" = "${config.services.nginx.user}";
"listen.group" = "${config.services.nginx.group}";
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
};
services.nginx = {
enable = true;
virtualHosts."acme-${domain}" = {
default = true;
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
virtualHosts."${domain}" = {
default = true;
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
locations = {
"~ /(conf|bin|inc|vendor)/" = {
extraConfig = "deny all;";
};
"~ /install.php" = {
extraConfig = "deny all;";
};
"~ ^/data/" = {
extraConfig = "internal;";
};
"~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = {
extraConfig = "expires 31d;";
};
"/" = {
index = "doku.php";
extraConfig = "try_files $uri $uri/ @dokuwiki;";
};
"@dokuwiki" = {
extraConfig = ''
# Rewrites "doku.php/" out of the URLs if the userwrite setting is
# set to .htaccess in the DokuWiki config page.
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1&$args last;
'';
};
"~ \\.php$" = {
extraConfig = ''
try_files $uri $uri/ /doku.php;
include ${config.services.nginx.package}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_pass unix:${config.services.phpfpm.pools."${app}".socket};
'';
};
};
extraConfig = ''
# Set maximum file upload size to 20MB (same as upload_max_filesize and
# post_max_size in the phpOptions).
client_max_body_size 20M;
client_body_buffer_size 128k;
'';
};
};
networking.firewall.allowedTCPPorts = [ 8443 31820 ];
networking.firewall.allowedUDPPorts = [ 8443 ];
users.users."${app}" = {
isSystemUser = true;
group = "${app}";
};
users.groups."${app}" = { };
}
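Review bot: The `${domain}` vhost listens on 8443 with `proxyProtocol = true`, but `networking.firewall.allowedTCPPorts = [ 8443 31820 ]` opens that port to every source and the vhost has no `set_real_ip_from` / `real_ip_header proxy_protocol;`, so DokuWiki sees the proxy's address for every client and nothing in this file limits who may speak PROXY protocol to the listener. Add the realip directives to the vhost `extraConfig` with the proxy's address (`set_real_ip_from <PROXY_ADDRESS>;` then `real_ip_header proxy_protocol;`) and restrict 8443 to that proxy if the host is reachable from elsewhere. `allowedUDPPorts = [ 8443 ]` has no matching UDP listener in this file and can likely go. In `"~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$"` the single backslash is consumed by the Nix string, leaving an unescaped `.`; write `\\.` as the `"~ \\.php$"` location already does. `open_basedir =` is left empty, so PHP is not confined to `${dataDir}`.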


@ -0,0 +1,22 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.159";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:37:F0:AB";
linkConfig.Name = "net0";
};
}


@ -11,14 +11,14 @@
]; ];
ipv6.addresses = [ ipv6.addresses = [
{ {
address = "2a07:c481:1:d0::66"; address = "2a07:c480:0:1d0::66";
prefixLength = 64; prefixLength = 64;
} }
]; ];
}; };
defaultGateway = "10.31.208.1"; defaultGateway = "10.31.208.1";
defaultGateway6 = "2a07:c481:1:d0::1"; defaultGateway6 = "2a07:c480:0:1d0::1";
nameservers = [ "10.31.208.1" "2a07:c481:1:d0::1" ]; nameservers = [ "10.31.208.1" "2a07:c480:0:1d0::1" ];
search = [ "z9.ccchh.net" ]; search = [ "z9.ccchh.net" ];
}; };


@ -7,20 +7,13 @@
# - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md # - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md
# - https://forgejo.org/docs/latest/admin/email-setup/ # - https://forgejo.org/docs/latest/admin/email-setup/
{ pkgs, ... }: { pkgs-unstable, ... }:
{ {
services.forgejo = { services.forgejo = {
enable = true; enable = true;
package = pkgs.forgejo;
database.type = "postgres"; database.type = "postgres";
lfs.enable = true; mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
secrets = {
mailer = {
PASSWD = "/run/secrets/forgejo_git_smtp_password";
};
};
settings = { settings = {
DEFAULT = { DEFAULT = {
@ -49,7 +42,6 @@
}; };
service = { service = {
ALLOW_ONLY_EXTERNAL_REGISTRATION = true; ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
ENABLE_INTERNAL_SIGNIN = false;
DEFAULT_USER_VISIBILITY = "limited"; DEFAULT_USER_VISIBILITY = "limited";
DEFAULT_KEEP_EMAIL_PRIVATE = true; DEFAULT_KEEP_EMAIL_PRIVATE = true;
ENABLE_BASIC_AUTHENTICATION = false; ENABLE_BASIC_AUTHENTICATION = false;
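Review bot: Dropping `ENABLE_INTERNAL_SIGNIN = false;` from the `service` block leaves the setting at Forgejo's default, which presumably re-enables the local username/password sign-in form while `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` and `ENABLE_BASIC_AUTHENTICATION = false` still suggest external-only authentication. If local sign-in is not wanted, keep `ENABLE_INTERNAL_SIGNIN = false;`; if it is dropped because the packaged Forgejo version does not know the key, say so in a comment. The first hunk also replaces `lfs.enable = true;`, so LFS is no longer enabled by this file, and the function argument becomes `pkgs-unstable` with no use of it visible in the hunks. Both blocks continue outside the hunks.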


@ -3,7 +3,6 @@
{ {
imports = [ imports = [
./configuration.nix ./configuration.nix
./mas.nix
./networking.nix ./networking.nix
./postgresql.nix ./postgresql.nix
./matrix-synapse.nix ./matrix-synapse.nix


@ -1,124 +0,0 @@
{ pkgs, ... }:
let
masSettings = {
http = {
listeners = [
{
name = "web";
resources = [
{ name = "discovery"; }
{ name = "human"; }
{ name = "oauth"; }
{ name = "compat"; }
{ name = "graphql"; }
{
name = "assets";
path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/";
}
];
binds = [{
host = "localhost";
port = 8080;
}];
proxy_protocol = false;
}
{
name = "internal";
resources = [{
name = "health";
}];
binds = [{
host = "localhost";
port = 8081;
}];
proxy_protocol = false;
}
{
name = "admin";
resources = [{
name = "adminapi";
}];
binds = [{
host = "localhost";
port = 8082;
}];
proxy_protocol = false;
}
];
trusted_proxies = [
"127.0.0.1/8"
"::1/128"
];
public_base = "https://mas.hamburg.ccc.de";
};
database = {
uri = "postgresql://mas_user:mas@localhost/mas";
max_connections = 10;
min_connections = 0;
connect_timeout = 30;
idle_timeout = 600;
max_lifetime = 1800;
};
email = {
from = "\"Authentication Service\" <root@localhost>";
reply_to = "\"Authentication Service\" <root@localhost>";
# Don't send any emails.
transport = "blackhole";
};
passwords = {
enabled = true;
schemes = [
{
version = 1;
algorithm = "bcrypt";
unicode_normalization = true;
}
{
version = 2;
algorithm = "argon2id";
}
];
minimum_complexity = 8;
};
};
# matrix and secrets sections in secret
masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings);
in
{
environment.systemPackages = with pkgs; [
matrix-authentication-service
];
systemd.services.matrix-authentication-service = {
description = "Matrix Authentication Service";
after = [ "network-online.target" "postgresql.service" ];
requires = [ "postgresql.service" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/run/secrets/mas_secrets_config --config=/run/secrets/mas_matrix_config";
WorkingDirectory = "${pkgs.matrix-authentication-service}";
User = "matrix-synapse";
Group = "matrix-synapse";
};
wantedBy = [
"multi-user.target"
];
};
sops.secrets."mas_secrets_config" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-authentication-service.service" ];
};
sops.secrets."mas_matrix_config" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-authentication-service.service" ];
};
}


@ -41,13 +41,10 @@
max_upload_size = "500M"; max_upload_size = "500M";
admin_contact = "mailto:yuri+ccchh@nekover.se"; admin_contact = "mailto:yuri+ccchh@nekover.se";
default_room_version = "12";
}; };
extraConfigFiles = [ extraConfigFiles = [
"/run/secrets/matrix_registration_shared_secret" "/run/secrets/matrix_registration_shared_secret"
"/run/secrets/matrix_mas_config"
]; ];
}; };
@ -59,11 +56,4 @@
group = "matrix-synapse"; group = "matrix-synapse";
restartUnits = [ "matrix-synapse.service" ]; restartUnits = [ "matrix-synapse.service" ];
}; };
sops.secrets."matrix_mas_config" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-synapse.service" ];
};
} }


@ -17,18 +17,6 @@
]; ];
}; };
virtualHosts."acme-mas.hamburg.ccc.de" = {
enableACME = true;
serverName = "mas.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
virtualHosts."matrix.hamburg.ccc.de" = { virtualHosts."matrix.hamburg.ccc.de" = {
default = true; default = true;
forceSSL = true; forceSSL = true;
@ -49,11 +37,6 @@
} }
]; ];
locations."~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
proxyPass = "http://localhost:8080";
priority = 999;
};
locations."~ ^(/_matrix|/_synapse/client)" = { locations."~ ^(/_matrix|/_synapse/client)" = {
# Only proxy to the local host on IPv4, because localhost doesn't seem to work # Only proxy to the local host on IPv4, because localhost doesn't seem to work
# even if matrix-synapse is listening on ::1 as well. # even if matrix-synapse is listening on ::1 as well.
@ -65,66 +48,6 @@
''; '';
}; };
locations."~ ^/_synapse/admin" = {
# Only proxy to the local host on IPv4, because localhost doesn't seem to work
# even if matrix-synapse is listening on ::1 as well.
proxyPass = "http://127.0.0.1:8008";
extraConfig = ''
# Restrict access to admin API.
allow 185.161.129.132/32; # z9
allow 2a07:c480:0:100::/56; # z9
allow 2a07:c481:1::/48; # z9 new ipv6
allow 213.240.180.39/32; # stbe home
allow 2a01:170:118b::1/64; # stbe home
deny all;
# Nginx by default only allows file uploads up to 1M in size
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
'';
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
virtualHosts."mas.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "mas.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://localhost:8080";
};
locations."~ ^/api/admin" = {
proxyPass = "http://localhost:8082";
extraConfig = ''
# Restrict access to admin API.
allow 185.161.129.132/32; # z9
allow 2a07:c480:0:100::/56; # z9
allow 2a07:c481:1::/48; # z9 new ipv6
allow 213.240.180.39/32; # stbe home
allow 2a01:170:118b::1/64; # stbe home
deny all;
'';
};
extraConfig = '' extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy


@ -11,11 +11,6 @@
TEMPLATE template0 TEMPLATE template0
LC_COLLATE = "C" LC_COLLATE = "C"
LC_CTYPE = "C"; LC_CTYPE = "C";
CREATE ROLE "mas_user" WITH LOGIN PASSWORD 'mas';
CREATE DATABASE "mas" WITH OWNER "mas_user"
TEMPLATE template0
LC_COLLATE = "C"
LC_CTYPE = "C";
''; '';
dataDir = "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}"; dataDir = "/mnt/data/postgresql/${config.services.postgresql.package.psqlSchema}";


@ -1,232 +1,233 @@
matrix_registration_shared_secret: ENC[AES256_GCM,data:5fKfTqwoUreSIPbua5t1lYZFRnQQjNzFvrIBVIBfKWu20kH4BhlDboL/zYnhWLELq/KykX/EUvijoZxxTnUiN7T8H3L6fKOCQKacZkIwKfg/JjqLVnXIaY0JOwg=,iv:Cazhdo7YR0zSgiyQoHLsk2e4dWGSoSfEtOuMA1LEJcg=,tag:KsbnGvEyRbzbIXuAayQk5A==,type:str] matrix_registration_shared_secret: ENC[AES256_GCM,data:5fKfTqwoUreSIPbua5t1lYZFRnQQjNzFvrIBVIBfKWu20kH4BhlDboL/zYnhWLELq/KykX/EUvijoZxxTnUiN7T8H3L6fKOCQKacZkIwKfg/JjqLVnXIaY0JOwg=,iv:Cazhdo7YR0zSgiyQoHLsk2e4dWGSoSfEtOuMA1LEJcg=,tag:KsbnGvEyRbzbIXuAayQk5A==,type:str]
matrix_mas_config: ENC[AES256_GCM,data:FxZHMYlqAlr/0rtjO3R58h2Au7hXY6zYv56bQD+LufA9Jrzi2vIDQe2RPQmJdkQ48sDgFiSGtJ1kqZVCDc21FPtjbYcJuCYKZK/opJag9MnXae/ZKBlsWk2QWtxGtWM48mwIw+8aBrSctOHA9Ibq76yQb8l2ubyjtHn3wYM=,iv:0YRfVkim4NNAUmV9MzErQoXZhdVKwa102D+hBT1is/w=,tag:l+9NkxOjXoxD1WalDgQlJA==,type:str]
mas_secrets_config: ENC[AES256_GCM,data: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,iv:DdcflAdm5G82WzP9hDBK+Cy2X6ncETdYdxYJmd8LG1U=,tag:3lp3SO4WI8/gRp0OJLYK2g==,type:str]
mas_matrix_config: ENC[AES256_GCM,data:W7tyChbHM+LWYJYuuWSXL1wg8hKFA6UWHjVFOBQMSnFgguwcE7cg5LSnt1Sr/6TaPQP7+2y0sma0fyKlJ+zcUc1k2OPbJLjsrdjNjz7eMSlzmDESRLo3TBSyNjAKjlgWkEftMZRrrwFmA/cR0PdPchTLfBJnvP2vcLpDPEdoitrQFKk=,iv:FvkXV9emW7l1q1KRk2CP2Ec2pIZfBJ6JlpcIx37mVcg=,tag:p/NaElAD08dSPAWOA/Htvg==,type:str]
sops: sops:
age: kms: []
- recipient: age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk gcp_kms: []
enc: | azure_kv: []
-----BEGIN AGE ENCRYPTED FILE----- hc_vault: []
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZzNVUm1keldaNExycVNM age:
OEV5SUZQNC9uSW8zMVNZOHQrMUQrNm01Tmg0ClF4Wm9uSzRTL055ZnlHUlplUHFO - recipient: age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
QmhXQU5yMFJDMytyMjFiaWFXa1RuR3cKLS0tIDM2d014TTRySXVtOEJieVRxdlVp enc: |
NG95TjFjUjZFMXh2STIyakxqbUJnRlUKQ64ahDiNJ4nPUQ5pLH4Jb5yidNrK11dT -----BEGIN AGE ENCRYPTED FILE-----
YSg9QNr++FTdYaQ/TXmYTg0d4kF3yb/xyG1vZMcpZP6+omwN73DSfg== YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZzNVUm1keldaNExycVNM
-----END AGE ENCRYPTED FILE----- OEV5SUZQNC9uSW8zMVNZOHQrMUQrNm01Tmg0ClF4Wm9uSzRTL055ZnlHUlplUHFO
lastmodified: "2025-10-12T02:48:54Z" QmhXQU5yMFJDMytyMjFiaWFXa1RuR3cKLS0tIDM2d014TTRySXVtOEJieVRxdlVp
mac: ENC[AES256_GCM,data:xmxSQJ75JwsMPzPIGUgmtijRre7HnU3wpCvaPJo+XVXsC3wRnSwhRGc38DWxKIljx9HAKGMXV+n0iT3+bnTkeUNYGaUMROs82cyfqxfCd9pn6Qi9ytUb/Oec+oignDlojg8sMKZJGyUguN9sdSRootgSe3/Z4Di/IxhXhW3cDZ4=,iv:cLtqVhLcFxrlzFim+jgVpFlmJaRzmm4zdPkRCKOd6CE=,tag:MnZrm5lwYH/7YEjG+vCIKA==,type:str] NG95TjFjUjZFMXh2STIyakxqbUJnRlUKQ64ahDiNJ4nPUQ5pLH4Jb5yidNrK11dT
pgp: YSg9QNr++FTdYaQ/TXmYTg0d4kF3yb/xyG1vZMcpZP6+omwN73DSfg==
- created_at: "2024-05-26T00:53:53Z" -----END AGE ENCRYPTED FILE-----
enc: |- lastmodified: "2024-05-26T00:55:05Z"
-----BEGIN PGP MESSAGE----- mac: ENC[AES256_GCM,data:ix01bcc6i1dTxoYkXbnEbLgMC1bcplI/hZhyO1mFzPAyjfn8h2d4AHUS9CG8UnIDYGky8Wx3BqrC6MmWMtt829m8bS6t83JTPxOEm1pFEa41sUkW9NYuNPL4LQ8X2BzwteQaI8nfscIuwOZ0nK5CmArZneuUookQEszAGX2R0Mw=,iv:mZlEG2pPfKLgZ+6k9iN+NexRzlibYi1HzqBzbrVFj3w=,tag:PIXA+vyOSaZdU0CaI+03/A==,type:str]
pgp:
- created_at: "2024-05-26T00:53:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtAQ//Zi8QfQ8Ahr8WyEeaJIvXBRGUzmyg84aboRweI9D/MeJ2 hQIMAxK/JaB2/SdtAQ//Zi8QfQ8Ahr8WyEeaJIvXBRGUzmyg84aboRweI9D/MeJ2
CnVm91xr74HylD6sAXbGcTnwTtWChrrgSJ7vGBj5t2UOuW9zpKFl/pgs7o4jzwoc CnVm91xr74HylD6sAXbGcTnwTtWChrrgSJ7vGBj5t2UOuW9zpKFl/pgs7o4jzwoc
C2Kmgug7S/chaQJsfKTkAs0t/MTHO+DZru+O/pT90zgdQEig/19i1smnrseBuAiU C2Kmgug7S/chaQJsfKTkAs0t/MTHO+DZru+O/pT90zgdQEig/19i1smnrseBuAiU
zow7lc9mwBTIEsTlkYoIr1+Ihoiizv/q9oeMvfaZr8hKV4wYTp1Cx9xCgXxVcv+X zow7lc9mwBTIEsTlkYoIr1+Ihoiizv/q9oeMvfaZr8hKV4wYTp1Cx9xCgXxVcv+X
SpzIqqTT/lm87znJcSWCQY9fTRrhAQu4RdhXzEIxTODljmFhQcx/Nug82EAc1Xjh SpzIqqTT/lm87znJcSWCQY9fTRrhAQu4RdhXzEIxTODljmFhQcx/Nug82EAc1Xjh
B7qMIsblbabJyrBUk5BypvDHJiso8qLd/6/i/rRztzK1q3vtT37XPKk8KIJz84cy B7qMIsblbabJyrBUk5BypvDHJiso8qLd/6/i/rRztzK1q3vtT37XPKk8KIJz84cy
ZDqAGDWj8jWDctwac0xTAFKVr/5oF4TGIf1Ydwv7+GMOeXvn2ZInmiMGUKxdGhwW ZDqAGDWj8jWDctwac0xTAFKVr/5oF4TGIf1Ydwv7+GMOeXvn2ZInmiMGUKxdGhwW
vg2azqqatmRQxI+kHUHz+FBiQSTgKIkVplg8daCIhQVK4r4CkOU5dPvDjw7FLahV vg2azqqatmRQxI+kHUHz+FBiQSTgKIkVplg8daCIhQVK4r4CkOU5dPvDjw7FLahV
LN7XVNVCZw7p9yACd5KkjWX2E7bfpHr/EADOr5epc/EZwOmblFmGPzFPNR/IfF+E LN7XVNVCZw7p9yACd5KkjWX2E7bfpHr/EADOr5epc/EZwOmblFmGPzFPNR/IfF+E
QJrw2bTDuMGZRzvn+6CozZOnOFpSrYtzbUHTvdt+iskHS1jD237NOvPe4j2Od401 QJrw2bTDuMGZRzvn+6CozZOnOFpSrYtzbUHTvdt+iskHS1jD237NOvPe4j2Od401
c2LjekRPo9BpkrufIlDQrgjflH6RGHOLdgqPE9j2zIOfmKjdIYiQlIIjNlh/xeDU c2LjekRPo9BpkrufIlDQrgjflH6RGHOLdgqPE9j2zIOfmKjdIYiQlIIjNlh/xeDU
aAEJAhCoQ0WS+mj/YL0Y7lu2/GEf5FxjkOwa0o6SOd7iR17zrTwRkBdSfsSUAiu1 aAEJAhCoQ0WS+mj/YL0Y7lu2/GEf5FxjkOwa0o6SOd7iR17zrTwRkBdSfsSUAiu1
pw4vkDFzgvwR+80vYfZcnYyCGOQKMYcn0PLtmnQfy/LUUGW+B1/kxqSHZDDhCuWr pw4vkDFzgvwR+80vYfZcnYyCGOQKMYcn0PLtmnQfy/LUUGW+B1/kxqSHZDDhCuWr
o287s9GBxBoQ o287s9GBxBoQ
=BImL =BImL
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70 fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2024-05-26T00:53:53Z" - created_at: "2024-05-26T00:53:53Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA6EyPtWBEI+2AQ//VYKib9HvGAxzknrRfI15qFSHdvRxWDiR0M8Jo7JWTOCJ hQIMA6EyPtWBEI+2AQ//VYKib9HvGAxzknrRfI15qFSHdvRxWDiR0M8Jo7JWTOCJ
e0BGytT/dkYAKXeZvLX4W/65jQ4GhBMi20NSnyfqsWt/ENoLc3v9mXX3JleBRceX e0BGytT/dkYAKXeZvLX4W/65jQ4GhBMi20NSnyfqsWt/ENoLc3v9mXX3JleBRceX
8Gyz7tlqjg+pVW7lUtotz4vM6TeKBJUT6tHm5K0OiQBeAtjitphIkmakw4wrS0+Y 8Gyz7tlqjg+pVW7lUtotz4vM6TeKBJUT6tHm5K0OiQBeAtjitphIkmakw4wrS0+Y
+3Y7dOpktefQDSWVDPtbDOImcMFS6EYn5JCPG9xOhsX7XoK7/wCmZuSF3p/q6/CV +3Y7dOpktefQDSWVDPtbDOImcMFS6EYn5JCPG9xOhsX7XoK7/wCmZuSF3p/q6/CV
3NgTK0W2L68CiUye+ajrtn4545f3jnQXiu+JkZGcHdKsHaexW6dzpTsSgsSc1S+t 3NgTK0W2L68CiUye+ajrtn4545f3jnQXiu+JkZGcHdKsHaexW6dzpTsSgsSc1S+t
NlhEty6Q7kXXylG3OAtoEhsA3PP2Av2o0oaIpn1Syd5czHvmV7M+QT1M9HU6U96l NlhEty6Q7kXXylG3OAtoEhsA3PP2Av2o0oaIpn1Syd5czHvmV7M+QT1M9HU6U96l
Nwio5cSX7faMrlGfaBNY681kVtOiOSFDMvDes8oPEqrqKEDkIiIQwMnh68iCTXzX Nwio5cSX7faMrlGfaBNY681kVtOiOSFDMvDes8oPEqrqKEDkIiIQwMnh68iCTXzX
jRj+dpCLLfrHdo1+oB1JI151eB3ofUPbvTSdz/pASJ9gkFJBgGCl89atxZ7BDNQZ jRj+dpCLLfrHdo1+oB1JI151eB3ofUPbvTSdz/pASJ9gkFJBgGCl89atxZ7BDNQZ
oCbk0NxorDG4RBA2mliITnctqAe8ZcpBrOJoGO8oJ6u4fH2SNNuoc5A+7tMEHCqb oCbk0NxorDG4RBA2mliITnctqAe8ZcpBrOJoGO8oJ6u4fH2SNNuoc5A+7tMEHCqb
2E06TYmUASROR87g0yZdtffK6+ZlLZzzNI4riTUGaGUu3wXDh1ZbXB1CwF5LJ67d 2E06TYmUASROR87g0yZdtffK6+ZlLZzzNI4riTUGaGUu3wXDh1ZbXB1CwF5LJ67d
4P3gJApHJ+ZDrJGnWr/4Tx0NlvPJgJ9bKNT6F45ZZcQzq6bt+RUh6RC1Axvdns7S 4P3gJApHJ+ZDrJGnWr/4Tx0NlvPJgJ9bKNT6F45ZZcQzq6bt+RUh6RC1Axvdns7S
XgE7EN6IttIGME/AAeNdGh6O/1XnE2CEiqwqTePb9kgwIufoJWLarnz19qcbnMp6 XgE7EN6IttIGME/AAeNdGh6O/1XnE2CEiqwqTePb9kgwIufoJWLarnz19qcbnMp6
mfHNrJlF5FSVuipVtgCYgfWDos7ft1qDqvgRSD1awmdFIk/2ct3wjXKxyB52Vxg= mfHNrJlF5FSVuipVtgCYgfWDos7ft1qDqvgRSD1awmdFIk/2ct3wjXKxyB52Vxg=
=5zOY =5zOY
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2024-05-26T00:53:53Z" - created_at: "2024-05-26T00:53:53Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJAQ//cBAsMfpoC02vbVtRPf02VS4NIVu2lM1JdB/IcPo0BHSF hQIMAz5uSgHG2iMJAQ//cBAsMfpoC02vbVtRPf02VS4NIVu2lM1JdB/IcPo0BHSF
PHNaVh3bl2a3cqbfMvNG9nquFVpDgtAXcSaIvozlsWgMuBIukfYKgeoFNh4fhyy1 PHNaVh3bl2a3cqbfMvNG9nquFVpDgtAXcSaIvozlsWgMuBIukfYKgeoFNh4fhyy1
Wgcl26wZj15Tpu4rYHK27CmXBHVusQUyTZVx2CUZwoSdtI2zveWqs7+Qvfhdjb6r Wgcl26wZj15Tpu4rYHK27CmXBHVusQUyTZVx2CUZwoSdtI2zveWqs7+Qvfhdjb6r
Yt1bDr+Zkrd+AxUuU5Njlp2eGOcuxINGLln2lh8jrdSytOzKll+G/nI8yBdk1Vql Yt1bDr+Zkrd+AxUuU5Njlp2eGOcuxINGLln2lh8jrdSytOzKll+G/nI8yBdk1Vql
P7iTQ4hHlCzs6HBsgeA7mpkJMP/h0Ts18DQ9sOYCi1SB8JR1eOqZWUu/1nSAk/hV P7iTQ4hHlCzs6HBsgeA7mpkJMP/h0Ts18DQ9sOYCi1SB8JR1eOqZWUu/1nSAk/hV
ntHk3+FnOta4wx7VqYNjRi2JROpvi935JBu0UqwGkVVMdqQNB33/qnJdzcdcfoa1 ntHk3+FnOta4wx7VqYNjRi2JROpvi935JBu0UqwGkVVMdqQNB33/qnJdzcdcfoa1
3o5UtsQNuFZW/SgJ3uiPYshIZZGujH3j05aKZV2yULyBRfP7j4KrIq+3dQLlW4J6 3o5UtsQNuFZW/SgJ3uiPYshIZZGujH3j05aKZV2yULyBRfP7j4KrIq+3dQLlW4J6
TihPL1Y3aqVvlU0rGOjjKeBL/nTEbEQtbkyCcIrW6WjdWvUYtTeIGnBJt+ExkyH2 TihPL1Y3aqVvlU0rGOjjKeBL/nTEbEQtbkyCcIrW6WjdWvUYtTeIGnBJt+ExkyH2
cmuoch5XjiwMrXDnIFzOqeKbLsIZIAatFOzP0jsy66w2VAeNY9AyXCJI4cTqE6py cmuoch5XjiwMrXDnIFzOqeKbLsIZIAatFOzP0jsy66w2VAeNY9AyXCJI4cTqE6py
RVc1QK6+ynhrQ/zJ5XKJD4ATequVJidshC8ci900KBW/1R3XLm7zGQtw3gj5QQ6M RVc1QK6+ynhrQ/zJ5XKJD4ATequVJidshC8ci900KBW/1R3XLm7zGQtw3gj5QQ6M
lMfA3bPS3H/DzFHq9NWbQ7Lfkm8N5W8ZSQwBKum9o1uWJC/79lFkyfgf4JqDjDzS lMfA3bPS3H/DzFHq9NWbQ7Lfkm8N5W8ZSQwBKum9o1uWJC/79lFkyfgf4JqDjDzS
XgFfOjk/KKVSrS7P/3V6YHfQscFuq+Tiepr3LCNt8o+0IbNJbsr1Zg+sutuMFhrq XgFfOjk/KKVSrS7P/3V6YHfQscFuq+Tiepr3LCNt8o+0IbNJbsr1Zg+sutuMFhrq
2lblr+MKkvUpYBhUYYen/PULpr8c6QZYiVX14xJQqFzYk4U/4WoFZm/8dXuAQ8s= 2lblr+MKkvUpYBhUYYen/PULpr8c6QZYiVX14xJQqFzYk4U/4WoFZm/8dXuAQ8s=
=z9Gs =z9Gs
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2024-05-26T00:53:53Z" - created_at: "2024-05-26T00:53:53Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1AQ/+JcEj7POTdpKoqBO0W8sxpvNafGlxWBmGF9nVMKsCe6r0 hQIMAw5vwmoEJHQ1AQ/+JcEj7POTdpKoqBO0W8sxpvNafGlxWBmGF9nVMKsCe6r0
+z2iyj0TF2ffRe822djXoG0Kod4Gf1Ihg+u/EKGgoL41CRt3DhszervSesm/pHJU +z2iyj0TF2ffRe822djXoG0Kod4Gf1Ihg+u/EKGgoL41CRt3DhszervSesm/pHJU
9+IMJYj7Wz64GekkIVkYgcLkJr7AeIYM47W9kr5XGWCI4ogQLHJEVgrwFMWVsynV 9+IMJYj7Wz64GekkIVkYgcLkJr7AeIYM47W9kr5XGWCI4ogQLHJEVgrwFMWVsynV
meIBjn8ntS1aI9xZQC0EePlBekD6zvwQHOyEkar1MD4NaMqLKf+9x7IAErY0msXz meIBjn8ntS1aI9xZQC0EePlBekD6zvwQHOyEkar1MD4NaMqLKf+9x7IAErY0msXz
czBfBVZY74q0Aq27YqfUcl2QkksxfLsti3WrB4Nb2YIqzGJ6bED9TsqRhy9CQRBf czBfBVZY74q0Aq27YqfUcl2QkksxfLsti3WrB4Nb2YIqzGJ6bED9TsqRhy9CQRBf
TSN+jh9Snit8NgLMAD2eyBgGUcQbwvyW2OHEYWpDXqsMbGmXQ21wygBAN0vfSCyx TSN+jh9Snit8NgLMAD2eyBgGUcQbwvyW2OHEYWpDXqsMbGmXQ21wygBAN0vfSCyx
v9m2+DSJ0jG9icBj31JqZcztI5fRsaForxIRmuT6EwGHc0YfuJwk8LWW1YOTRhYq v9m2+DSJ0jG9icBj31JqZcztI5fRsaForxIRmuT6EwGHc0YfuJwk8LWW1YOTRhYq
KbOMzGZnB1aNI9i7jVYHgraU1vB6u6R3hU2hOJq0zzqP7w/XuSitzb4+EzwuFkw8 KbOMzGZnB1aNI9i7jVYHgraU1vB6u6R3hU2hOJq0zzqP7w/XuSitzb4+EzwuFkw8
zVRNJ406ZYJvMhZp8NQ878WkJRqsV3C++LevnLkHLNfMOfDcD+nltmctVXf99Fc6 zVRNJ406ZYJvMhZp8NQ878WkJRqsV3C++LevnLkHLNfMOfDcD+nltmctVXf99Fc6
ebc7FQj6jOsUlbNQMxnqOZ/6fV9WesjPgCsUMJFxC7/5/5th8CU5VJHYOwwMUEMS ebc7FQj6jOsUlbNQMxnqOZ/6fV9WesjPgCsUMJFxC7/5/5th8CU5VJHYOwwMUEMS
+zbwM41MxUeknII7dc22MHUXxMocVkhlmGPYNc+jRv85nuDwbYqMa9Ht4JychK7S +zbwM41MxUeknII7dc22MHUXxMocVkhlmGPYNc+jRv85nuDwbYqMa9Ht4JychK7S
XgEZyWSvHupNW3XMwspeyYZMS3pSDO+2YExopgpP6c9Uq1TgvkHo2L66SXj/E4EA XgEZyWSvHupNW3XMwspeyYZMS3pSDO+2YExopgpP6c9Uq1TgvkHo2L66SXj/E4EA
RaUR/bY7EoEdNTrqWlHpuLyRihgqHLHzlRsdJZYBinaIfwmKzvINRiQbGjqhKLs= RaUR/bY7EoEdNTrqWlHpuLyRihgqHLHzlRsdJZYBinaIfwmKzvINRiQbGjqhKLs=
=mbJg =mbJg
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2024-05-26T00:53:53Z" - created_at: "2024-05-26T00:53:53Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA4HMJd/cQYrVAQ//Vo1ZEeqpfN2gJUEKHZs6L3dXmRSd5RedwTxivQSDUZaw hQIMA4HMJd/cQYrVAQ//Vo1ZEeqpfN2gJUEKHZs6L3dXmRSd5RedwTxivQSDUZaw
CS5CQgBHd6H8ly5Phc2+QrXSjn6sJubDPaCAVmWKOf4WTMOATgdbp7eNEKlX06iT CS5CQgBHd6H8ly5Phc2+QrXSjn6sJubDPaCAVmWKOf4WTMOATgdbp7eNEKlX06iT
igr5UuptY04tM6AauuXNLatD9F/2p545VkLUYVNQriVMgXjrSd2MWo7/J3P7G7lA igr5UuptY04tM6AauuXNLatD9F/2p545VkLUYVNQriVMgXjrSd2MWo7/J3P7G7lA
xupGHMQ/L3gwU2A50sJUtAc1/SW6h9RMNwHjx6FVRvQtdWUdAoRYCT+r2fICKs1m xupGHMQ/L3gwU2A50sJUtAc1/SW6h9RMNwHjx6FVRvQtdWUdAoRYCT+r2fICKs1m
MKYOUzOA4CW3uURM2NZEFrVdmES0izv0vNAQqx0lVxAL/qhqwsGqTAZkXryef39J MKYOUzOA4CW3uURM2NZEFrVdmES0izv0vNAQqx0lVxAL/qhqwsGqTAZkXryef39J
WkIpqwQWWutvwmpVu07yBllfWU5XzoxaH+ye64p7+3SyrRwdrZc7IVW8NM9NSAru WkIpqwQWWutvwmpVu07yBllfWU5XzoxaH+ye64p7+3SyrRwdrZc7IVW8NM9NSAru
+2lio54b/dp1Sh7GGV2Y3hNMmGuPOym/PEOLVG99mkfZaPDG+Ui6enV1Ol+dFRaJ +2lio54b/dp1Sh7GGV2Y3hNMmGuPOym/PEOLVG99mkfZaPDG+Ui6enV1Ol+dFRaJ
9VqSa1zIo5N1QdW4iy/Rke7oMlTINcJDCA/KgYeLXK5IRz/iv6q1QyzhR+dNH/pu 9VqSa1zIo5N1QdW4iy/Rke7oMlTINcJDCA/KgYeLXK5IRz/iv6q1QyzhR+dNH/pu
JzxDSru/ZSTP+oMXZ1AgGf9UDUy258A7oDRt/ECN2c3oggj+Oh/HfnPXfD+9Mlzq JzxDSru/ZSTP+oMXZ1AgGf9UDUy258A7oDRt/ECN2c3oggj+Oh/HfnPXfD+9Mlzq
c/FGIRDQE7lLQoHqBaEgp9pejepAAocCci3UMgAO3ZTgIlXwJyE7fWZKrbATIqEX c/FGIRDQE7lLQoHqBaEgp9pejepAAocCci3UMgAO3ZTgIlXwJyE7fWZKrbATIqEX
GYr/tLNIyb1df4Cg2Pp+kS0i5+KnPqcbPkN+IhJq1BA3qG0rzFJiQtIR5Yn7BxXS GYr/tLNIyb1df4Cg2Pp+kS0i5+KnPqcbPkN+IhJq1BA3qG0rzFJiQtIR5Yn7BxXS
XgEVc+mwjUlUnQuVxFzfyZSlVh8tipwLZck6aG3IrLn/9WSHMY22GDOprsy3bMta XgEVc+mwjUlUnQuVxFzfyZSlVh8tipwLZck6aG3IrLn/9WSHMY22GDOprsy3bMta
OOy9KLyPgZIdPr1v4BmX77x+2Z5EeijAEswFgfPvSPEuWKSiqkXvaVDy9w+U8kM= OOy9KLyPgZIdPr1v4BmX77x+2Z5EeijAEswFgfPvSPEuWKSiqkXvaVDy9w+U8kM=
=0phM =0phM
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- created_at: "2024-05-26T00:53:53Z" - created_at: "2024-05-26T00:53:53Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fARAAleXLoRXh1RP5u4Hk4zsVpSbbhKKW8dypXDBVMa4trCi/ hQIMAxjNhCKPP69fARAAleXLoRXh1RP5u4Hk4zsVpSbbhKKW8dypXDBVMa4trCi/
Xq5Z7XM/Nip1iBCUHoLRaJdi2MlM2aDfVFo+PEx4JagpjxFjzqW21WUa5vqct9Fy Xq5Z7XM/Nip1iBCUHoLRaJdi2MlM2aDfVFo+PEx4JagpjxFjzqW21WUa5vqct9Fy
UVgdsssSVq8hNrMvlxDJwYVYfyQIOUqKyzDMbXOGh6AaOHaZsNsWtOBDJRqHMSXy UVgdsssSVq8hNrMvlxDJwYVYfyQIOUqKyzDMbXOGh6AaOHaZsNsWtOBDJRqHMSXy
ULXMH9xxHmheDDV/ZnlOl4fOBJT+qC/F02Yo92Q7rMHWMcNs5NITGN3DDYrQqs6i ULXMH9xxHmheDDV/ZnlOl4fOBJT+qC/F02Yo92Q7rMHWMcNs5NITGN3DDYrQqs6i
uHopbwuTpRMggnHldaMM2l2n4eCBiKxxz0dGit7FlpFL0kgsZROGBkQUyAZdkkwQ uHopbwuTpRMggnHldaMM2l2n4eCBiKxxz0dGit7FlpFL0kgsZROGBkQUyAZdkkwQ
LKnaqgodCv9t/6VZNATp8+iJP7ji5IvXeW6WQOztb8+h8JV3j8pHdadNzgXxH4av LKnaqgodCv9t/6VZNATp8+iJP7ji5IvXeW6WQOztb8+h8JV3j8pHdadNzgXxH4av
LVnqAABQMhay9jEGlPzgQFT7zDbaAiUd3bSLz1i02Dyi/FYCIylHFEmBErr5RBsn LVnqAABQMhay9jEGlPzgQFT7zDbaAiUd3bSLz1i02Dyi/FYCIylHFEmBErr5RBsn
lqbG/vAxJPKOkiDL31nkjugd09UeFYNp2WqO1DpeoYQoMltFD26TvUnbOAQo+v/y lqbG/vAxJPKOkiDL31nkjugd09UeFYNp2WqO1DpeoYQoMltFD26TvUnbOAQo+v/y
xxl7hhCTzbd6kF1VxSCNtv0LhDdirq0+eiFN89E+5ijLjhmpg23S2E90etuRgjuF xxl7hhCTzbd6kF1VxSCNtv0LhDdirq0+eiFN89E+5ijLjhmpg23S2E90etuRgjuF
b050aoEJyXosRqgXVl0qkOEnXgQDbAXrEobbbRixrIQRHmNN1NjRCudzJjxs+p39 b050aoEJyXosRqgXVl0qkOEnXgQDbAXrEobbbRixrIQRHmNN1NjRCudzJjxs+p39
tucfUPZJO5np8ITgE7XCt82IYxW7b3HO2kejJAluIfUxOkdBgORKuc79vEaP+rrS tucfUPZJO5np8ITgE7XCt82IYxW7b3HO2kejJAluIfUxOkdBgORKuc79vEaP+rrS
XgGAqi7CdzN/lfoLononCBOhce9XgdgpbpQRohO+jLp+abqmbnEzI1ZnzxpWXo8Z XgGAqi7CdzN/lfoLononCBOhce9XgdgpbpQRohO+jLp+abqmbnEzI1ZnzxpWXo8Z
taWKvUIySWbN8bWhmiIky9TyUXEfRVKe9I0MUC3Q94NAnlnj+dNXXr3mS/AxNcQ= taWKvUIySWbN8bWhmiIky9TyUXEfRVKe9I0MUC3Q94NAnlnj+dNXXr3mS/AxNcQ=
=ZYXj =ZYXj
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2024-05-26T00:53:53Z" - created_at: "2024-05-26T00:53:53Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoARAAsBC/uAbTVpBWv3dmzvVglih0Zlnumbz6wcDbeDTVP3r+ hQIMA1Hthzn+T1OoARAAsBC/uAbTVpBWv3dmzvVglih0Zlnumbz6wcDbeDTVP3r+
XiUyiDFE/Hdnm5J0be2jSj7s5RIXj8Gb5BkXPoytAkGF6NMtHjZJLmeo7NciQ6Bo XiUyiDFE/Hdnm5J0be2jSj7s5RIXj8Gb5BkXPoytAkGF6NMtHjZJLmeo7NciQ6Bo
wDf5IXCmv/PbyuydqkHJEztsSMWoCQbGQo+dMeWoAY+WKt+dQGyGmoB8BbeUjuH+ wDf5IXCmv/PbyuydqkHJEztsSMWoCQbGQo+dMeWoAY+WKt+dQGyGmoB8BbeUjuH+
lgKlUk3W1INTV74Qz6avuEQpwc+6hvb1w3Vb5kdzgRjplLUB4w45wP+79HE8Ub3V lgKlUk3W1INTV74Qz6avuEQpwc+6hvb1w3Vb5kdzgRjplLUB4w45wP+79HE8Ub3V
7PhhEQMza/CIyYqHEGQ8fKzd+tuX/naYXnbfTCu64eyKCz2fQZOMdqKNA49aMWGC 7PhhEQMza/CIyYqHEGQ8fKzd+tuX/naYXnbfTCu64eyKCz2fQZOMdqKNA49aMWGC
vo8K38Nd8haQ+tcJvT9Vuis3n5X0Qdzpk/8u+M2XM4UQLHSaKSQRnJLpslumLJGK vo8K38Nd8haQ+tcJvT9Vuis3n5X0Qdzpk/8u+M2XM4UQLHSaKSQRnJLpslumLJGK
fI2ErQJoD/TR+vvwrKXmCOEeiFjs0GC8zQEVP6Qa1JE7Fr8iKIEtYYXmGK0Q5Sku fI2ErQJoD/TR+vvwrKXmCOEeiFjs0GC8zQEVP6Qa1JE7Fr8iKIEtYYXmGK0Q5Sku
5eUkrzJC9Lh4rBvGXLX1PZefBVxnnlBMNk0Cae7vGnKKKuARE4aYgRkIhzIp0GuG 5eUkrzJC9Lh4rBvGXLX1PZefBVxnnlBMNk0Cae7vGnKKKuARE4aYgRkIhzIp0GuG
pdwSir1iTVMKtfrkpJ7BqPANKxApbLzYHBi9rFWJboA7HAXe/E73HD4Ov0tIs1La pdwSir1iTVMKtfrkpJ7BqPANKxApbLzYHBi9rFWJboA7HAXe/E73HD4Ov0tIs1La
9rwRiJ0LYUixsngf6YvtGuj0ZiuTe0t+VhYzg9sYOcBWW8z/AAuZ3FQoBWLdOFPA 9rwRiJ0LYUixsngf6YvtGuj0ZiuTe0t+VhYzg9sYOcBWW8z/AAuZ3FQoBWLdOFPA
GBVI2KV+vr5h4dy7+yCqPxpqhkKe5ObCdwksBrl9tiaPVoQuN6Zv63kLlCtkP7jS GBVI2KV+vr5h4dy7+yCqPxpqhkKe5ObCdwksBrl9tiaPVoQuN6Zv63kLlCtkP7jS
XgFYwBL4tKcCPfG+9J61T3LqItNLmzrT56LMN6LIz3pvRtASRbSRRnqKuuPgAL9g XgFYwBL4tKcCPfG+9J61T3LqItNLmzrT56LMN6LIz3pvRtASRbSRRnqKuuPgAL9g
IeFHe8lblLErRwKz+iNre6wwQCEfwbVf5NPF+rLh3nfEIZzCf/CF3qrxBpdYzwQ= IeFHe8lblLErRwKz+iNre6wwQCEfwbVf5NPF+rLh3nfEIZzCf/CF3qrxBpdYzwQ=
=P+bx =P+bx
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2024-05-26T00:53:53Z" - created_at: "2024-05-26T00:53:53Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqARAAtl2tC6rlB5O8+4t+b7ZEo4GU578OHN06nJKxxFQHG5zn hQIMA46L6MuPqfJqARAAtl2tC6rlB5O8+4t+b7ZEo4GU578OHN06nJKxxFQHG5zn
mkcANcm5gVDSRAOecM2FyZe4ns18rH4OCvp+uegEQyMVN/XNUEj4/+bGzgXX0NZf mkcANcm5gVDSRAOecM2FyZe4ns18rH4OCvp+uegEQyMVN/XNUEj4/+bGzgXX0NZf
AazE5s2+0i2NETv9bhPjJB0RR+U47PEgx9vKf4EnvL9MAfWyPbGwzR6HdXXDEE/I AazE5s2+0i2NETv9bhPjJB0RR+U47PEgx9vKf4EnvL9MAfWyPbGwzR6HdXXDEE/I
c3GNaIOY7YWBgXEuX5LnZbON5hQhbFADY/BRhP1S0d7Wzff6sYgtJhbtaTQFSX2p c3GNaIOY7YWBgXEuX5LnZbON5hQhbFADY/BRhP1S0d7Wzff6sYgtJhbtaTQFSX2p
j2+pTA3D+tI2h9VvKnZw3n1t8Jc9apP81KNFCURpNpdR8Jh8KQ0aSEcYWTusjah9 j2+pTA3D+tI2h9VvKnZw3n1t8Jc9apP81KNFCURpNpdR8Jh8KQ0aSEcYWTusjah9
QOX8RmsnFnvWKTN+gU6tffcSbu/r76gmXyUCF47mWvn89ETVA8azp/66zfLTTTvO QOX8RmsnFnvWKTN+gU6tffcSbu/r76gmXyUCF47mWvn89ETVA8azp/66zfLTTTvO
CmFVx8+2X1TK04SIKa+MQcpAuS5cTHH6bw7N8u1YfX6O8mbHX/ZH7NJi/Bhxmube CmFVx8+2X1TK04SIKa+MQcpAuS5cTHH6bw7N8u1YfX6O8mbHX/ZH7NJi/Bhxmube
Cau4DtdZ8mX4yz0EjUF62skJoaYYUl3UBrkGXl5A4NXK75ZHlBHT9Cn4YQYIPP1b Cau4DtdZ8mX4yz0EjUF62skJoaYYUl3UBrkGXl5A4NXK75ZHlBHT9Cn4YQYIPP1b
5MAnTsy6UtsGVBZPf6O/kvkA2gAQNjtOjQ2nB1FF6fjqEFFopzmLnAgGvW7lWkeo 5MAnTsy6UtsGVBZPf6O/kvkA2gAQNjtOjQ2nB1FF6fjqEFFopzmLnAgGvW7lWkeo
lTbrylmv6SrrvX/0wN5Dsayni2iRb7pisEAFs7JAythm463PDrzaRmLoPBNBmJz9 lTbrylmv6SrrvX/0wN5Dsayni2iRb7pisEAFs7JAythm463PDrzaRmLoPBNBmJz9
l88QlYWDQaet4QbJ1AnEaOu5K03coEy6CTzJYqgkTWdLuFC4tUyKsD3P/1EANonS l88QlYWDQaet4QbJ1AnEaOu5K03coEy6CTzJYqgkTWdLuFC4tUyKsD3P/1EANonS
XgG1y8ifC6F27sgwQribg28RPRvwoiRSGszAXCAeIwo834NQLIvswid5C4VCvPje XgG1y8ifC6F27sgwQribg28RPRvwoiRSGszAXCAeIwo834NQLIvswid5C4VCvPje
XG4X8m9pipP+BoXF8UuX7naRFnIGfXBOVH9N+1+SoTeZtXRX4GIWUGcRtk4nrJQ= XG4X8m9pipP+BoXF8UuX7naRFnIGfXBOVH9N+1+SoTeZtXRX4GIWUGcRtk4nrJQ=
=FQZ1 =FQZ1
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2024-05-26T00:53:53Z" - created_at: "2024-05-26T00:53:53Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMA4EEKdYEzV0pAQ/+MLPIERHeZTiyNPEUc6YnWYcfW3Zgnsnc7EzfFn7NJla7 hQIMA4EEKdYEzV0pAQ/+MLPIERHeZTiyNPEUc6YnWYcfW3Zgnsnc7EzfFn7NJla7
HpD82Y14w1gpQrUiPu7wdjzh7xeOQ3fnk2819g4wEXU32M5rCUay9XUWqWFnzpMZ HpD82Y14w1gpQrUiPu7wdjzh7xeOQ3fnk2819g4wEXU32M5rCUay9XUWqWFnzpMZ
/Gy0tdwE9TgwrSQ6GDNd6JO93hLNByq1QqhsIkKEL640Wv6doLVfQW07O59hDrPd /Gy0tdwE9TgwrSQ6GDNd6JO93hLNByq1QqhsIkKEL640Wv6doLVfQW07O59hDrPd
AQ3UxWnohbNbD333yXa3kjfYcNugjtERM2wZ6qqZoXp58SG2RE0A2wMV77H0jOQj AQ3UxWnohbNbD333yXa3kjfYcNugjtERM2wZ6qqZoXp58SG2RE0A2wMV77H0jOQj
Rx0arENCNBS5XZlIJW6v+I1Ak1wYnW5vAlVRMcUXo8vJNu93WaZ906EnmVCQ0cYn Rx0arENCNBS5XZlIJW6v+I1Ak1wYnW5vAlVRMcUXo8vJNu93WaZ906EnmVCQ0cYn
LeNVH2ajcuOud/uiVntwdYKMr85rMBl9eOlsPP3dHqbhsrXn/+Oqagh7YUwEvJ8g LeNVH2ajcuOud/uiVntwdYKMr85rMBl9eOlsPP3dHqbhsrXn/+Oqagh7YUwEvJ8g
LK1krKc4Jlj9a5J6dPl0lCsEAv6vGaVCICJkNnd0JikTViu7DhajImfGrSLrA6y+ LK1krKc4Jlj9a5J6dPl0lCsEAv6vGaVCICJkNnd0JikTViu7DhajImfGrSLrA6y+
81hx/TTKqisAL1xBwOOu+LbwlhFZrkrTQaKnueswKzwrS3utxSX7OIepui7Ib7JK 81hx/TTKqisAL1xBwOOu+LbwlhFZrkrTQaKnueswKzwrS3utxSX7OIepui7Ib7JK
h5R5VDq1bTCbRvo/rRpCaOt1KI6g4ZX+o5TI/60TUcGvzLRRAv7jZZ05PKhcfRuJ h5R5VDq1bTCbRvo/rRpCaOt1KI6g4ZX+o5TI/60TUcGvzLRRAv7jZZ05PKhcfRuJ
4ZrKoRu2qKVxA6+kcOfy4Gi5MgkI4Keue4tgJsYJ+LCP8tV7+Jntxf4XXVMLoFCH 4ZrKoRu2qKVxA6+kcOfy4Gi5MgkI4Keue4tgJsYJ+LCP8tV7+Jntxf4XXVMLoFCH
jQDe3vIHOxNKqlPUEnLlVmv+g3K9Y7N5uBLuk3xkVYrxWRhBmY6e0WtTVEF/lWjS jQDe3vIHOxNKqlPUEnLlVmv+g3K9Y7N5uBLuk3xkVYrxWRhBmY6e0WtTVEF/lWjS
XgFWqfLHx/JAJgIU2tiO9oLkJWcdHuXAHNYDvTKP+a8WLcJDZdS8X1feqOpWYbaH XgFWqfLHx/JAJgIU2tiO9oLkJWcdHuXAHNYDvTKP+a8WLcJDZdS8X1feqOpWYbaH
zVbYkg4MGJqO7K9f3jlCtyszh3Kpu5CFbfXA0MZ3M2eRoJTv91iWViIWY7UP3VI= zVbYkg4MGJqO7K9f3jlCtyszh3Kpu5CFbfXA0MZ3M2eRoJTv91iWViIWY7UP3VI=
=vsm4 =vsm4
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
- created_at: "2024-05-26T00:53:53Z" - created_at: "2024-05-26T00:53:53Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdANu3CeUuv/SDkBQG+aROPeiWBauWaQBDUm6UdXAhEBXUw hF4DQrf1tCqiJxoSAQdANu3CeUuv/SDkBQG+aROPeiWBauWaQBDUm6UdXAhEBXUw
Tuj49QiBBCQ440R3SBkHOzOOUUTMPkWo/wESnJm+EPla800tb9B8rOvUj7PnkbiY Tuj49QiBBCQ440R3SBkHOzOOUUTMPkWo/wESnJm+EPla800tb9B8rOvUj7PnkbiY
0l4Boe0q5XPHSysz9eIQ7zRwSKoClgd+zi/GOtcsvxkLWlISoBzAVOVEvk55OeKb 0l4Boe0q5XPHSysz9eIQ7zRwSKoClgd+zi/GOtcsvxkLWlISoBzAVOVEvk55OeKb
7J70fuIMl5rZPPFBzbF9gjnCHxAtfSyze5774nPfFI/zoQo3WaDfL/9viRhP7Eqb 7J70fuIMl5rZPPFBzbF9gjnCHxAtfSyze5774nPfFI/zoQo3WaDfL/9viRhP7Eqb
=i8o+ =i8o+
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2024-05-26T00:53:53Z" - created_at: "2024-05-26T00:53:53Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
hQIMAzdAjw8ldn6CAQ/+N5yVnEm3ejyw10aDPkLjJoUIoxZl0Nof6pGZxdWYgiF5 hQIMAzdAjw8ldn6CAQ/+N5yVnEm3ejyw10aDPkLjJoUIoxZl0Nof6pGZxdWYgiF5
VrEsLv9vYQD8Wp7/nXuI2HW7OoA+vTG9KBZt2Tw9R0iPIMXpEf0fewPSBZ2n10lk VrEsLv9vYQD8Wp7/nXuI2HW7OoA+vTG9KBZt2Tw9R0iPIMXpEf0fewPSBZ2n10lk
KJPvkMP4w2OV1AfGT+PrRPLaX8/2E4p6dE8BPviWEh9HptYKodhs9lRlcq2C3Kjh KJPvkMP4w2OV1AfGT+PrRPLaX8/2E4p6dE8BPviWEh9HptYKodhs9lRlcq2C3Kjh
sE88eJOSA+fQpASVZLNHKYn1UrXXENRTHE4tw3+OIpE2KSxHvIv7sI8LuXZb8Jxy sE88eJOSA+fQpASVZLNHKYn1UrXXENRTHE4tw3+OIpE2KSxHvIv7sI8LuXZb8Jxy
OpmUP+v9fmhsPJYIlP7SAvITMgZdMHceH7SDgOZn0kVU0inr7MJ+FCcNQkQOl7aP OpmUP+v9fmhsPJYIlP7SAvITMgZdMHceH7SDgOZn0kVU0inr7MJ+FCcNQkQOl7aP
jMp2B7qSXOdC2NHUmdYvzeUx6B8O9Bn19VM5LGte9n1RBnknw6TQfQO+fkQTjUyl jMp2B7qSXOdC2NHUmdYvzeUx6B8O9Bn19VM5LGte9n1RBnknw6TQfQO+fkQTjUyl
3FhVqQAxrutOBjud5xn7H0Grj+7oqRI51LLUjLQdOzpEi4hul9Of3FfGnKxjOxUf 3FhVqQAxrutOBjud5xn7H0Grj+7oqRI51LLUjLQdOzpEi4hul9Of3FfGnKxjOxUf
yVBHqZzFco5rcN2fzMgWytjuSED0AE8UPS/tcd01oXXEsTj4YBSKWox0gZuyn9B1 yVBHqZzFco5rcN2fzMgWytjuSED0AE8UPS/tcd01oXXEsTj4YBSKWox0gZuyn9B1
mspU7vr9I39igceGVE6LJQ4EBnpR8xC7v5CDFpEbCr1qt4VlaH4nUgfN2tEGtOGW mspU7vr9I39igceGVE6LJQ4EBnpR8xC7v5CDFpEbCr1qt4VlaH4nUgfN2tEGtOGW
2mmrX2nGC1r1VRm0K+ACRW4htDsOsBzSxQttVJ/5IWkP5fqegcwIajjo18VXz8IH 2mmrX2nGC1r1VRm0K+ACRW4htDsOsBzSxQttVJ/5IWkP5fqegcwIajjo18VXz8IH
BtZdJKzXuhQLG0B+sXndOAgACWkVQw4F2hD5CYRpiFtungAqUbtSDbeb43x7ICjS BtZdJKzXuhQLG0B+sXndOAgACWkVQw4F2hD5CYRpiFtungAqUbtSDbeb43x7ICjS
XgFrmwLxkGfZYKOPehbp8L9glbHpfHYE4CopRHPtUkhLTNWTqzEyE7YQYYVu9Cui XgFrmwLxkGfZYKOPehbp8L9glbHpfHYE4CopRHPtUkhLTNWTqzEyE7YQYYVu9Cui
E9Q3v2/+2swn6nKOQtB1Adu8ItCqu8Om+d3IJQvKVS24k4+fKPWa7/ccmkXz7OU= E9Q3v2/+2swn6nKOQtB1Adu8ItCqu8Om+d3IJQvKVS24k4+fKPWa7/ccmkXz7OU=
=w7hs =w7hs
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.8.1


@ -1,10 +1,10 @@
{ ... }: { ... }:
{ {
networking = { networking = {
hostName = "mqtt"; hostName = "mqtt";
domain = "z9.ccchh.net"; domain = "z9.ccchh.net";
}; };
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }


@ -1,9 +1,9 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
imports = [ imports = [
./configuration.nix ./configuration.nix
./networking.nix ./networking.nix
./mosquitto.nix ./mosquitto.nix
]; ];
} }


@ -5,30 +5,29 @@
{ ... }: { ... }:
{ {
services.mosquitto = { services.mosquitto = {
enable = true; enable = true;
persistence = true; persistence = true;
# set config for all listeners # set config for all listeners
listeners = [{ listeners = [ {
settings.allow_anonymous = true; settings.allow_anonymous = true;
omitPasswordAuth = true; omitPasswordAuth = true;
acl = [ "topic readwrite #" ]; acl = ["topic readwrite #"];
}]; } ];
bridges.winkekatz = { bridges.winkekatz = {
addresses = [ addresses = [
{ address = "mqtt.winkekatze24.de"; } { address = "mqtt.winkekatze24.de"; }
]; ];
topics = [ topics = [
"winkekatze/allcats/eye/set in 2" "winkekatze/allcats/eye/set in 2"
"winkekatze/allcats in 2" "winkekatze/allcats in 2"
"+/command in 2 winkekatze/ \"\"" "+/status out 2 winkekatze/ \"\""
"+/status out 2 winkekatze/ \"\"" "+/connected out 2 winkekatze/ \"\""
"+/connected out 2 winkekatze/ \"\"" ];
]; };
}; };
};
networking.firewall.allowedTCPPorts = [ 1883 ]; networking.firewall.allowedTCPPorts = [ 1883 ];
} }
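Review bot: The listener keeps `settings.allow_anonymous = true` together with `acl = ["topic readwrite #"]`, and `networking.firewall.allowedTCPPorts = [ 1883 ]` opens the plaintext port, so every host that can reach this machine may publish and subscribe on all topics without authentication. Locally published `+/status` and `+/connected` messages are also forwarded by the `winkekatz` bridge to `mqtt.winkekatze24.de`. Which networks can reach the host is not visible in this file, so this may be intended. If it is, I would record the decision next to the listener, e.g. `# Intentionally open broker: anonymous read/write, no TLS; reachable from the local network only.`, and otherwise narrow the anonymous ACL, e.g. `acl = [ "topic read #" ];`.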


@ -0,0 +1,7 @@
{ config, pkgs, ... }:
{
networking.hostName = "netbox";
system.stateVersion = "23.05";
}


@ -0,0 +1,12 @@
{ config, pkgs, ... }:
{
imports = [
./configuration.nix
./netbox.nix
./networking.nix
./nginx.nix
./postgresql.nix
./sops.nix
];
}


@ -0,0 +1,42 @@
# Sources for this configuration:
# - https://docs.netbox.dev/en/stable/configuration/
# - https://colmena.cli.rs/unstable/features/keys.html
# - https://colmena.cli.rs/unstable/reference/deployment.html
# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/secrets.nix
{ config, pkgs, ... }:
{
services.netbox = {
enable = true;
package = pkgs.netbox;
secretKeyFile = "/run/secrets/netbox_secret_key";
keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
settings = {
ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ];
SESSION_COOKIE_SECURE = true;
# CCCHH ID (Keycloak) integration.
# https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7
# https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html
REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2";
SOCIAL_AUTH_KEYCLOAK_KEY = "netbox";
# SOCIAL_AUTH_KEYCLOAK_SECRET set via keycloakClientSecret option.
SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
};
};
sops.secrets."netbox_secret_key" = {
mode = "0440";
owner = "netbox";
group = "netbox";
restartUnits = [ "netbox.service" "netbox-rq.service" ];
};
sops.secrets."netbox_keycloak_secret" = {
mode = "0440";
owner = "netbox";
group = "netbox";
restartUnits = [ "netbox.service" "netbox-rq.service" ];
};
}
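Review bot: `secretKeyFile` and `keycloakClientSecret` repeat the secret locations as string literals (`/run/secrets/netbox_secret_key`, `/run/secrets/netbox_keycloak_secret`) instead of referring to the `sops.secrets` entries declared lower in the same file. Writing `secretKeyFile = config.sops.secrets."netbox_secret_key".path;` and `keycloakClientSecret = config.sops.secrets."netbox_keycloak_secret".path;` makes a renamed or relocated secret fail at evaluation instead of at service start. Separately, `SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY` is pinned inline with no note on its origin. A comment such as `# Presumably the signing key of the ccchh realm on id.hamburg.ccc.de; update when the realm key is rotated.` would help, once confirmed.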


@ -0,0 +1,22 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.149";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "62:ED:44:20:7C:C1";
linkConfig.Name = "net0";
};
}


@ -0,0 +1,67 @@
# Sources for this configuration:
# - https://nixos.org/manual/nixos/stable/#module-security-acme
# - https://git.grzb.de/yuri/nix-infra/-/blob/33f2d9e324c2e3a8b1b41c20bce239001bcce9fc/hosts/netbox/nginx.nix
# - https://docs.netbox.dev/en/stable/installation/5-http-server/
# - https://github.com/netbox-community/netbox/blob/v3.5.9/contrib/nginx.conf
{ config, pkgs, ... }:
{
services.nginx = {
enable = true;
# So nginx can access the Netbox static files.
user = "netbox";
virtualHosts."acme-netbox.hamburg.ccc.de" = {
default = true;
enableACME = true;
serverName = "netbox.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
virtualHosts."netbox.hamburg.ccc.de" = {
default = true;
forceSSL = true;
useACMEHost = "netbox.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/static/" = {
alias = "${config.services.netbox.dataDir}/static/";
};
locations."/" = {
proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
client_max_body_size 25m;
'';
};
};
networking.firewall.allowedTCPPorts = [ 8443 31820 ];
networking.firewall.allowedUDPPorts = [ 8443 ];
}
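Review bot: `user = "netbox";` runs the internet-facing nginx workers under the application's own account, which also owns the sops secrets `netbox_secret_key` and `netbox_keycloak_secret` (mode `0440`, owner and group `netbox`, declared elsewhere on this page). The web server can therefore read the Django secret key and the Keycloak client secret, although it only needs the static files. I would keep nginx's default user and grant access through the group, `users.users.nginx.extraGroups = [ "netbox" ];`, with the two secrets tightened to `mode = "0400";`; whether the static directory is group-readable needs checking. Also, `networking.firewall.allowedUDPPorts = [ 8443 ];` opens UDP 8443 while both `listen` entries here are TCP and no QUIC/HTTP3 listener is configured in this file. That line can be dropped unless something outside this file uses the port.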


@ -0,0 +1,7 @@
{ pkgs, config, ... }:
{
services.postgresql = {
package = pkgs.postgresql_15;
};
}


@ -0,0 +1,234 @@
netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str]
netbox_keycloak_secret: ENC[AES256_GCM,data:WLPCwl6KmHhyGwpqchZUmTr0XwA1T9asAEXNOSQMfGU=,iv:fsO+Ho18Uz6+y2iohbve1bUKhCR/c2zNrbODR2Jrh3Q=,tag:MWeh7GhdyUJnSzrndA3l3Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTJ5OEJPeGVPTHp5V2tX
c0xYcWtKNG00d3lCQ1JZRERkUFZsaXpyMERJClQwdDFnTVdCRjB0S3hEYkVmclE5
dGRUQThYSWhpK2dCQWxSVjhuNEY4TUEKLS0tIC9RS3hSdFZCbTd4eFNNSTgyaXdU
V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw
a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-08T23:54:23Z"
mac: ENC[AES256_GCM,data:6KwBwJ1uTuOaCTcBs9sgvX+E/bV37ylJmDqYupa3545ba5Y3VMuF2Hx72zzRYPmh5/DmwzDxc/f7TZUheO5jwwwMGGNCYuX2c+nkzLgtovT/yCXTo8vPHNf03fQRHlOq28ztQIG8Ug1s/t4XkA+iuqPdbvyNKLbsJfJBqg4SF44=,iv:SUXPFtW3/pSTBnjAh77G6pJTucHy4VEhUVkELiMJ4JU=,tag:SfLCwPpJuvL7RrIRmN5PGg==,type:str]
pgp:
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=ES/O
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=zG3F
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=PqbF
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=o7cj
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=4agQ
-----END PGP MESSAGE-----
fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=x1QX
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=FXTF
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=7WGw
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=pFkW
-----END PGP MESSAGE-----
fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdAeCb2j6cmTulJV2huSow62xTILgzf8/OOo5lED9+T5VQw
kBqubSVgy3jiW7lfjAK8U5Wh0ITb+6AR9kDLRE0WCxNbrOaeGado1VEalTw00Q58
0l4B+PeAZBg82rPUegAvU7UnnUIC3nGVzN4CEdPRpPcrG99V6VvXOks+s4DLky16
5FOihlYbf5nCD7OFbc3yys3MbUVuHda8x8H0BkuxDR81Wf4Q+HXCg8OUhncB57zN
=Lvnj
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=WqHP
-----END PGP MESSAGE-----
fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,7 @@
{ config, pkgs, ... }:
{
networking.hostName = "nix-box-june";
system.stateVersion = "23.11";
}


@ -0,0 +1,10 @@
{ config, pkgs, ... }:
{
imports = [
./configuration.nix
./emulated-systems.nix
./networking.nix
./users.nix
];
}


@ -0,0 +1,5 @@
{ config, pkgs, ... }:
{
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
}


@ -0,0 +1,22 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.158";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:6A:33:5F";
linkConfig.Name = "net0";
};
}


@ -0,0 +1,59 @@
{ lib, ... }:
{
users.users = {
chaos.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
colmena-deploy.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
djerun = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWXk9N9GoDyvaB0mnX448IvzKKsMv0eFZKvjqmsJ3In djerun@chaos.ferrum.local"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQsu6WSAXsF45wGmw2spQUWopsgioUuFI8hKLBW/WVk djerun@chaos-noc.ferrum.local"
];
};
june = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
};
jtbx = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBQgnQAq6FUSDK8bxtYPjx3oRCAKG+xy9J3Gas2ztJk jannik@Magrathea.local" ];
};
dario = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZtJwNPEIfNsAxBfWgxAeoKX1ajORPvs6L5S+qipJ7J dario@ccchh" ];
};
yuri = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
];
};
max = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHNGDzZqmiFUH75oq1npZTyxV0B7eSJES/29UJxTXBc max@iridium" ];
};
haegar = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhWTkvLI/rp6eyTemuFZRbt2xxRtal7fu668nnb/ekU haegar@aurora" ];
};
stb = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgVuX9phyXImxqvof+49UXhiSQ+VGizeU4LrPcZY1Hy stb@lassitu.de 20230418" ];
};
hansenerd = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxujzHK49IBtYKPgnTCDQEiIxgzzlQ846tmU+6TcMIi hansenerd" ];
};
echtnurich = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWWxkGFje1CJbZTB2Kv8hxZpvRR8qyw2IarRIHnQj3+ echtnurich" ];
};
c6ristian = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgfWcCrsVSXvYEssbfMOy2DnfkGSx+ZRnPLtjVNSxbf c6ristian" ];
};
};
}
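Review bot: The two `lib.mkForce` lines at the top of `users.users` replace the `chaos` and `colmena-deploy` key lists with one personal key, and that same key is also the only key for `june`, so a single key controls the deploy account, the shared account and a personal login on this host. If that is intended for a personal box, say so next to the override, e.g. `# nix-box-june: deploy and chaos access restricted to june on purpose; overrides the shared key list`. The remaining per-user keys are written inline in this file, so a rotated or revoked key has to be removed here as well as wherever else it is listed; a short comment naming the source of truth for these keys would help.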


@ -14,6 +14,7 @@
}, },
"contact": { "contact": {
"phone": "+49 40 23830150", "phone": "+49 40 23830150",
"irc": "ircs://irc.hackint.org:6697/#ccchh",
"mastodon": "@ccchh@chaos.social", "mastodon": "@ccchh@chaos.social",
"email": "mail@hamburg.ccc.de", "email": "mail@hamburg.ccc.de",
"ml": "talk@hamburg.ccc.de", "ml": "talk@hamburg.ccc.de",


@ -1,19 +1,10 @@
{ pkgs, ... }: { pkgs, ... }:
let {
domain = "c3cat.de";
dataDir = "/var/www/${domain}";
deployUser = "c3cat-website-deploy";
in {
security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"acme-${domain}" = { "acme-c3cat.de" = {
enableACME = true; enableACME = true;
serverName = "${domain}"; serverName = "c3cat.de";
serverAliases = [
"www.${domain}"
];
listen = [ listen = [
{ {
@ -23,9 +14,9 @@ in {
]; ];
}; };
"$www.${domain}" = { "c3cat.de" = {
forceSSL = true; forceSSL = true;
useACMEHost = "${domain}"; useACMEHost = "c3cat.de";
listen = [ listen = [
{ {
@ -37,42 +28,7 @@ in {
]; ];
locations."/" = { locations."/" = {
return = "302 https://c3cat.de$request_uri"; return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
};
locations."/manuals/eh22-rgb-ears" = {
return = "307 https://www.c3cat.de/rgb-ears.html";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
locations."/manuals/eh22-rgb-ears" = {
return = "307 https://c3cat.de/rgb-ears.html";
}; };
extraConfig = '' extraConfig = ''
@ -87,17 +43,4 @@ in {
''; '';
}; };
}; };
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
];
};
users.groups."${deployUser}" = { };
} }
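Review bot: The new side spells the domain out four times (`"acme-c3cat.de"`, `serverName = "c3cat.de"`, the `"c3cat.de"` vhost and `useACMEHost = "c3cat.de"`), while the sibling vhost files on this page bind it once with `let domain = "…"; in`. Since `useACMEHost` has to name the certificate that the `acme-…` vhost requests, a single `domain = "c3cat.de";` binding would keep those strings from drifting apart. The hunks show only parts of the file, so other occurrences may exist outside them.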


@ -1,97 +0,0 @@
{ ... }:
let
domain = "cryptoparty-hamburg.de";
dataDir = "/var/www/${domain}";
deployUser = "cryptoparty-website-deploy";
in
{
security.acme.certs."${domain}".extraDomainNames = [
"cryptoparty.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"cryptoparty.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/".return = "302 https://${domain}$request_uri";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
port_in_redirect off;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICz+Lxi9scblM/SKJq4nl64UwvVn8SuF2xmzOuyQrzR+ deploy key for cryptoparty-hamburg.de"
];
};
users.groups."${deployUser}" = { };
}


@ -4,15 +4,11 @@
imports = [ imports = [
./branding-resources.hamburg.ccc.de.nix ./branding-resources.hamburg.ccc.de.nix
./c3cat.de.nix ./c3cat.de.nix
./cryptoparty-hamburg.de.nix
./element-admin.hamburg.ccc.de.nix
./element.hamburg.ccc.de.nix ./element.hamburg.ccc.de.nix
./hacker.tours.nix ./hacker.tours.nix
./hackertours.hamburg.ccc.de.nix ./hackertours.hamburg.ccc.de.nix
./hamburg.ccc.de.nix ./hamburg.ccc.de.nix
./spaceapi.hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix
./staging.c3cat.de.nix
./staging.cryptoparty-hamburg.de.nix
./staging.hacker.tours.nix ./staging.hacker.tours.nix
./staging.hackertours.hamburg.ccc.de.nix ./staging.hackertours.hamburg.ccc.de.nix
./staging.hamburg.ccc.de.nix ./staging.hamburg.ccc.de.nix


@ -1,115 +0,0 @@
{ config, pkgs, ... }:
let
elementAdminVersion = "0.1.4";
elementAdmin = pkgs.stdenv.mkDerivation (finalAttrs: {
pname = "element-admin";
version = elementAdminVersion;
src = pkgs.fetchzip {
url = "https://github.com/element-hq/element-admin/archive/refs/tags/v${elementAdminVersion}.zip";
sha256 = "sha256-dTHE0rg7W0k4e12s3v8yD/rBOYpIEqNN1VV4P3KtpQs=";
};
nativeBuildInputs = [
pkgs.nodejs
pkgs.pnpm.configHook
];
pnpmDeps = pkgs.pnpm.fetchDeps {
inherit (finalAttrs) pname version src;
fetcherVersion = 2;
hash = "sha256-YBSZIHNffS3Um0imYNmX9c1q193rphr+8lQ4tp7AcXw=";
};
buildPhase = ''
pnpm build
'';
installPhase = ''
cp -a dist $out
'';
});
in
{
services.nginx = {
enable = true;
virtualHosts."acme-element-admin.hamburg.ccc.de" = {
enableACME = true;
serverName = "element-admin.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
virtualHosts."element-admin.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "element-admin.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = elementAdmin;
locations."/assets" = {
extraConfig = ''
expires 1y;
add_header Cache-Control "public, max-age=31536000, immutable";
# Security headers.
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
'';
};
locations."/" = {
index = "/index.html";
tryFiles = "$uri $uri/ /";
extraConfig = ''
# Security headers.
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
'';
};
extraConfig = ''
# Security headers.
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
networking.firewall.allowedTCPPorts = [ 8443 31820 ];
}


@ -1,10 +1,10 @@
{ pkgs, ... }: { pkgs, ... }:
let let
elementWebVersion = "1.12.0"; elementWebVersion = "1.11.84";
element-web = pkgs.fetchzip { element-web = pkgs.fetchzip {
url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
sha256 = "sha256-2kXQFUhLYyEKuXYw+n94JGlTN2VJHRpjmu78u8gdaro="; sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4=";
}; };
elementSecurityHeaders = '' elementSecurityHeaders = ''
# Configuration best practices # Configuration best practices


@ -4,8 +4,7 @@ let
domain = "hacker.tours"; domain = "hacker.tours";
dataDir = "/var/www/${domain}"; dataDir = "/var/www/${domain}";
deployUser = "hackertours-website-deploy"; deployUser = "hackertours-website-deploy";
in in {
{
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"acme-${domain}" = { "acme-${domain}" = {
enableACME = true; enableACME = true;


@ -4,8 +4,7 @@ let
domain = "hackertours.hamburg.ccc.de"; domain = "hackertours.hamburg.ccc.de";
dataDir = "/var/www/${domain}"; dataDir = "/var/www/${domain}";
deployUser = "ht-ccchh-website-deploy"; deployUser = "ht-ccchh-website-deploy";
in in {
{
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"acme-${domain}" = { "acme-${domain}" = {
enableACME = true; enableACME = true;


@ -83,11 +83,6 @@
return = "302 https://$host/blog/index.xml"; return = "302 https://$host/blog/index.xml";
}; };
# Redirect /calendar to the Nextcloud calendar, as this location apparently gets used in several locations.
locations."/calendar" = {
return = "302 https://cloud.hamburg.ccc.de/apps/calendar/embed/QJAdExziSnNJEz5g";
};
extraConfig = '' extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy


@ -1,4 +1,4 @@
{ ... }: {...}:
{ {
imports = [ imports = [


@ -1,60 +0,0 @@
{ pkgs, ... }:
let
domain = "staging.c3cat.de";
dataDir = "/var/www/${domain}";
deployUser = "c3cat-website-deploy";
in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
# c3cat deploy user already defined in c3cat.de.nix.
}


@ -1,94 +0,0 @@
{ ... }:
let
domain = "staging.cryptoparty-hamburg.de";
dataDir = "/var/www/${domain}";
deployUser = "cryptoparty-website-deploy";
in
{
security.acme.certs."${domain}".extraDomainNames = [
"staging.cryptoparty.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"staging.cryptoparty.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/".return = "302 https://${domain}$request_uri";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
port_in_redirect off;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
# Cryptoparty website deploy user already defined in cryptoparty-hamburg.de.nix.
}


@ -4,8 +4,7 @@ let
domain = "staging.hacker.tours"; domain = "staging.hacker.tours";
dataDir = "/var/www/${domain}"; dataDir = "/var/www/${domain}";
deployUser = "hackertours-website-deploy"; deployUser = "hackertours-website-deploy";
in in {
{
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"acme-${domain}" = { "acme-${domain}" = {
enableACME = true; enableACME = true;


@ -4,8 +4,7 @@ let
domain = "staging.hackertours.hamburg.ccc.de"; domain = "staging.hackertours.hamburg.ccc.de";
dataDir = "/var/www/${domain}"; dataDir = "/var/www/${domain}";
deployUser = "ht-ccchh-website-deploy"; deployUser = "ht-ccchh-website-deploy";
in in {
{
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"acme-${domain}" = { "acme-${domain}" = {
enableACME = true; enableACME = true;


@ -11,14 +11,14 @@
]; ];
ipv6.addresses = [ ipv6.addresses = [
{ {
address = "2a07:c481:1:ce::a"; address = "2a07:c480:0:1ce::f";
prefixLength = 64; prefixLength = 64;
} }
]; ];
}; };
defaultGateway = "10.31.206.1"; defaultGateway = "10.31.206.1";
defaultGateway6 = "2a07:c481:1:ce::1"; defaultGateway6 = "2a07:c480:0:1ce::1";
nameservers = [ "10.31.206.1" "2a07:c481:1:ce::1" ]; nameservers = [ "10.31.206.1" "2a07:c480:0:1ce::1" ];
search = [ "z9.ccchh.net" ]; search = [ "z9.ccchh.net" ];
}; };


@ -3,12 +3,13 @@
# - https://woodpecker-ci.org/docs/administration/agent-config # - https://woodpecker-ci.org/docs/administration/agent-config
# - https://woodpecker-ci.org/docs/administration/backends/docker # - https://woodpecker-ci.org/docs/administration/backends/docker
{ config, pkgs, ... }: { config, pkgs, pkgs-unstable, ... }:
{ {
services.woodpecker-agents.agents."docker" = { services.woodpecker-agents.agents."docker" = {
enable = true; enable = true;
package = pkgs.woodpecker-agent; # Since we use woodpecker-server from unstable, use the agent from unstable as well.
package = pkgs-unstable.woodpecker-agent;
extraGroups = [ "docker" ]; extraGroups = [ "docker" ];
environment = { environment = {
WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}"; WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}";


@ -5,12 +5,14 @@
# - https://woodpecker-ci.org/docs/administration/forges/forgejo # - https://woodpecker-ci.org/docs/administration/forges/forgejo
# - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING # - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
{ config, pkgs, ... }: { config, pkgs, pkgs-unstable, ... }:
{ {
services.woodpecker-server = { services.woodpecker-server = {
enable = true; enable = true;
package = pkgs.woodpecker-server; # Use package from unstable to get at least version 2.6.0 for native Forgejo support.
# https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0
package = pkgs-unstable.woodpecker-server;
environment = { environment = {
WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de"; WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de";
WOODPECKER_SERVER_ADDR = ":8001"; WOODPECKER_SERVER_ADDR = ":8001";
@ -22,7 +24,6 @@
WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql"; WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
WOODPECKER_FORGEJO = "true"; WOODPECKER_FORGEJO = "true";
WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de"; WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB
# Set via enviornmentFile: # Set via enviornmentFile:
# WOODPECKER_FORGEJO_CLIENT # WOODPECKER_FORGEJO_CLIENT
# WOODPECKER_FORGEJO_SECRET # WOODPECKER_FORGEJO_SECRET


@ -1,4 +1,4 @@
{ ... }: { config, pkgs, ... }:
{ {
networking = { networking = {


@ -1,10 +1,10 @@
{ ... }: { config, pkgs, ... }:
{ {
imports = [ imports = [
./configuration.nix ./configuration.nix
./networking.nix ./networking.nix
./yate.nix ./yate.nix
./sops.nix ./service.nix
]; ];
} }


@ -1,233 +0,0 @@
git_clone_key: ENC[AES256_GCM,data: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,iv:tCo4f5u/y/ZrAfT1N+eUNLy5pKAg/U0xa3cNQmzUgFs=,tag:03HK65hWjYnVzz+7C+HmsA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4Rmg0UXBXcWcyRTV6ZGlP
TDY1RFBVaTlVQnJVV3NnU1ZTeEJzb2xsZXdJCnVFSGF0UjQ1OUpxcVNVb2F4K3Uw
KzZRYWtTaTJFd29zcmJENTRLMmZsUVkKLS0tIEdGaHRaOWFyeTMzSit4WFh1UGVS
bkRxanFoekdaQzZnSkFjNmhwNE1EdkUK5scD+5qe0QJvsgPHTrGQ4KrQLC8EHex1
xpImRJ0Y0R3e6p/WLwYbF236Ju2Z4f2Zg2Zw9/ErdM1McBJ8ll6yrw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-08T18:35:07Z"
mac: ENC[AES256_GCM,data:tyrfhBaTKnp1lqSPfkErk1UFoI7v/1az+zl9g3XoZ5Apo3CRixdLUldM9sYXqQT5WNrgO2NyZHqvyQOnFZiJuNhlYFSQbgwFFm3gz45BV8Do7QAhAG7+Q6q/Gz9VAqePQJlmzbfeL5iqJC2jhrcGIutO2cI22QULLkBzVVDg1/w=,iv:ayLonGC1F3vp6bh4pcAps6BvMzrG/yT2rPGAcUQ1Geg=,tag:1fIaRIFrzDTSP+oIUHABgQ==,type:str]
pgp:
- created_at: "2024-08-05T20:33:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=u7aP
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2024-08-05T20:33:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=advR
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2024-08-05T20:33:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=vqhH
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2024-08-05T20:33:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=hGXq
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2024-08-05T20:33:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA4HMJd/cQYrVARAAwAzM+dgsD/WBFbCFIXhDdsLmmWZMeVLD1AlLTmu/GfGg
YvHhW4giEaqEzUsQOuxmyND7eQd3fBKf1GcwFLXE9xrR6YD5yh7s898mnCpBi2Xi
LBPMz7nN/j7mfetPklsTazbbaoSB9hVx8AK7jzS7zvzgEGIm8Yeilx/v8OqbT1xQ
+07soWjVvqM526a24KSdRBTgvXPJvqIPt0IEZzFWtAppectcRBiZJHX4huU5wOuG
SEk0vgwCwrt3cades+dbh59cSqUc65qGhDti0tnygnSKgepOkQsFOqoZ/WvgE+io
5fNEI4g2/D+gmSelCCcQE0MFe+Uzc1FpsWwZiHnbGfnA55GO0dvoOUAsJQtwCLSq
1Lw8bpywgfIfU4QMYmZAaYsHDly4VTwluFe1WnExzf/nMxRQQmqIlg2pTmNZ6tJ1
1A9Rc6mg83//2fNWRw+JBtOJUCePw5nyJ0jTOQZd7Dl0ZzwlsgH8g/Y/Flg1kFll
CXGcJ1TMjTjzD4+Fl3UE+BqpzBjwQodzHqX3LEJ9uJ2guw0zbWzuMs10aTEoW/1U
pVGexkrcaduykd5TQmMO8yG6rW2KEKJlh68lxZslUAiG0ASTuSpY5A8leS5OZZgF
EQjs903r1epwJgBwnQGhijpTrmqiThvdE0BJ9r1jmxUy75KzWh/SZDmpCwDfsELS
XAEceOrsLsaYRqisM5D1zvNneEoGKv3GoS4cs4iuqHPyy2ZueHWK24HmAmrghRQ7
uLCmS0SmU5CY5gmVRkrKhY/0wtKWqJ10cK17Z/dQtRz6g3qmFM4JBfMy4BL9
=vZLC
-----END PGP MESSAGE-----
fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- created_at: "2024-08-05T20:33:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fARAApzEcBIVknhmysQc02ufbjFzKweB4jsCvGoPXSooMzs4x
p4keH/xaVXF1/nn+bzMHJt1/LV1/5LlyHtQNcZ30hUrziOy4LCnyfNgb5WP3VMP3
XW6ZcBiEIcUHZ1Ikl/cUNCpKazVRD6o6oKmFCwXKgE9a/l5XX/j3vizQ22vwfgfa
oziQPhMadfne8hXAJIB7fOn45ZLFNgLqYWW4Jh4L1DJflziNR8kx3NQJLWDmSqqB
SpuFBkm7DaLCkj/TpvAQs5xSI69kLlDfcaEPI4noAdhJh+jwGVLNmKyekKsYfrDS
5cQUVD3Hmn4WnpR2jLJAlwcFaEZt0muiLIxZmAxfSzJhld8G4GOcoAllfG9ze+QG
oJ3G6jWtJeoCZR5zbdk+lNcQ+iHD6bzrkN+54menxu2XGHkFKQ1es/g+cU0AI3yZ
XXgnlwNtC75TzZHwSA0kjmqcgr5XVcoLOr5XJWasQOyIXpjcHbfonnMV4NE5A/Jo
IEMLUdjLBWmjW1xeWo1CJ8hELbpfNaQf8YBzEuo5Yqvs7s0fKl8ea18jwtwYP9qc
2CbD+7GpxuK/06gMTt7LExcqt39PVGmeFAtZHNtNBMnZ6Ek5cbWqhjPOCy2MFVaa
XTH3UxD1YISZC+NZtSYLDWrTwzY3EYCttAxHzg1iFC8STaM/OR6beD0OPcPj+QLS
XAH6NdHQcUSsFJ0KR4dfOrOnuLDzX2xLsgXJvDhRVbpYwSdeG40j5oGiNpam+z8/
fDboI4SNzB7Mb4j196kSHWK90sKFsxGkoDGZM/QZh4QA2v0yke1sqkUwkK4I
=SLD4
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2024-08-05T20:33:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=MQ9C
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2024-08-05T20:33:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=uyf4
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2024-08-05T20:33:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=7R+0
-----END PGP MESSAGE-----
fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
- created_at: "2024-08-05T20:33:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdA4XhPBK5WnPVo84ZrCUe92HZSEKtH88GLktniZCmAczcw
cO5WYiy9D4z/aieGuMTBGg5xRk7eAMZVTbMDV+KXKLVlDwoxKybKSbT+fvhNGJ13
0lwBd0RFKYGq4YO+/nUxHZo3hG6qmv3/K06fta/D4p/C5wYefNZVcAj5VqatP3Zi
I/ktqdDszkc98/bf4fHoQmSxP25Wp65jJBEYeMZgX75M/wguGeIBfEgZB5bgww==
=0G+m
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2024-08-05T20:33:02Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=ZgbM
-----END PGP MESSAGE-----
fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
unencrypted_suffix: _unencrypted
version: 3.9.0


@ -0,0 +1,21 @@
{ config, pkgs, ... }:
{
systemd.services.yate = {
enable = true;
description = "Yate telehony engine";
unitConfig = {
Type = "simple";
After="network.target";
};
serviceConfig = {
ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do";
Type="simple";
Restart="always";
# ...
};
wantedBy = [ "default.target" ];
requiredBy = [ "network.target" ];
# ...
};
}
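Review bot: `serviceConfig` in this unit sets no `User` or `Group`, so unless one is added behind the `# ...` placeholder the telephony daemon runs as root with its configuration read from `/yate`; a dedicated account (`User = "yate";` plus a matching `users.users.yate` entry) would limit what a bug in the daemon can reach. `Type = "simple"` under `unitConfig` is a `[Service]` setting and is already set in `serviceConfig`, so that line can go, and `After` reads more naturally as the module option `after = [ "network.target" ];`. `requiredBy = [ "network.target" ]` makes `network.target` depend on yate, which is probably the reverse of what is meant; dropping it and keeping `wantedBy` looks sufficient. The description also has a typo: `telehony` should be `telephony`.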


@ -1,4 +1,4 @@
{ pkgs, ... }: { config, pkgs, ... }:
{ {
environment.systemPackages = [ environment.systemPackages = [
@ -10,69 +10,4 @@
# Just disable it for now. # Just disable it for now.
networking.firewall.enable = false; networking.firewall.enable = false;
users = {
users.yate = {
description = "yate service user";
group = "yate-config";
isNormalUser = true;
};
groups.yate-config = {
members = [ "colmema-deploy" "chaos" "root" "yate"];
};
};
environment.etc.yate = {
user = "yate";
group = "yate-config";
mode = "symlink";
source = "/var/lib/yate";
};
sops.secrets."git_clone_key" = {
mode = "0600";
owner = "yate";
group = "yate-config";
restartUnits = [ "yate.service" ];
};
systemd.services.yate = {
enable = true;
description = "Yate telehony engine";
unitConfig = {
After= "network-online.target";
};
serviceConfig = {
ExecStart = "${pkgs.yate}/bin/yate -c /etc/yate -e /etc/yate/share";
Type="simple";
Restart="always";
User="yate";
Group="yate-config";
StateDirectory = "yate";
StateDirectoryMode = "0775";
};
wantedBy = [ "default.target" ];
requires = [ "network-online.target" ];
preStart = ''
echo "\n" >> /run/secrets/git_clone_key
sleep 5
id
echo "$(stat -c '%U' /var/lib/yate/.git) owns /var/lib/yate/.git"
SSH_SUCCESS=1
${pkgs.openssh}/bin/ssh -q -i /run/secrets/git_clone_key forgejo@git.hamburg.ccc.de 2> /var/lib/yate/SSH_CHECK_LOG || SSH_SUCCESS=0
if [[ $SSH_SUCCESS = 1 && $(stat -c '%U' /var/lib/yate/.git) == *yate* ]]; then
rm -rf /var/lib/yate/*
rm -rf /var/lib/yate/.*
env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git clone forgejo@git.hamburg.ccc.de:CCCHH/yate-config.git /var/lib/yate
${pkgs.git}/bin/git -C /var/lib/yate config --add safe.directory "/var/lib/yate"
fi
'';
reload= ''
id
${pkgs.git}/bin/git config --global --add safe.directory /var/lib/yate
/usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate fetch --all
/usr/bin/env GIT_SSH_COMMAND="${pkgs.openssh}/bin/ssh -i /run/secrets/git_clone_key" ${pkgs.git}/bin/git -C /var/lib/yate reset --hard origin/master
'';
};
} }


@ -3,6 +3,9 @@
"targetUser": "colmena-deploy" "targetUser": "colmena-deploy"
}, },
"hosts": { "hosts": {
"netbox": {
"targetHostname": "netbox-intern.hamburg.ccc.de"
},
"matrix": { "matrix": {
"targetHostname": "matrix-intern.hamburg.ccc.de" "targetHostname": "matrix-intern.hamburg.ccc.de"
}, },
@ -15,6 +18,12 @@
"forgejo-actions-runner": { "forgejo-actions-runner": {
"targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de" "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de"
}, },
"eh22-wiki": {
"targetHostname": "eh22-wiki-intern.hamburg.ccc.de"
},
"nix-box-june": {
"targetHostname": "nix-box-june-intern.hamburg.ccc.de"
},
"mjolnir": { "mjolnir": {
"targetHostname": "mjolnir-intern.hamburg.ccc.de" "targetHostname": "mjolnir-intern.hamburg.ccc.de"
}, },

81
flake.lock generated

@ -1,26 +1,12 @@
{ {
"nodes": { "nodes": {
"authorizedKeysRepo": {
"flake": false,
"locked": {
"lastModified": 1745870473,
"narHash": "sha256-GMU6gfG1+3OjTuoiIYQg9yefzrz+RVVesqXa8jmOuCE=",
"rev": "fc95460e9e6ae759b2b08c93b10a8e010e9e14e6",
"type": "tarball",
"url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz"
}
},
"nixlib": { "nixlib": {
"locked": { "locked": {
"lastModified": 1736643958, "lastModified": 1729386149,
"narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -32,14 +18,16 @@
"nixos-generators": { "nixos-generators": {
"inputs": { "inputs": {
"nixlib": "nixlib", "nixlib": "nixlib",
"nixpkgs": "nixpkgs" "nixpkgs": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1751903740, "lastModified": 1729472750,
"narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "032decf9db65efed428afd2fa39d80f7089085eb", "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -50,41 +38,57 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1736657626, "lastModified": 1731133565,
"narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=", "narHash": "sha256-tCErjTdCUWK06LzkcvwUM+3pyrrmdf8e0VDBBTgqznE=",
"owner": "NixOS", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e", "rev": "11f65b4b0405cff5b54c813626bddcf5435d7ad2",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "nixos",
"ref": "nixpkgs-unstable", "ref": "nixos-24.05-small",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1759580034, "lastModified": 1730602179,
"narHash": "sha256-YWo57PL7mGZU7D4WeKFMiW4ex/O6ZolUS6UNBHTZfkI=", "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1731265036,
"narHash": "sha256-e5I+glVZwQvLT6WIeMFi0Mk+N/jkYauZ31ir2NRZcf8=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3bcc93c5f7a4b30335d31f21e2f1281cba68c318", "rev": "8aed22ecd71e5b67e5299efae8b9dc580dec711c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-25.05", "ref": "nixos-unstable-small",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"root": { "root": {
"inputs": { "inputs": {
"authorizedKeysRepo": "authorizedKeysRepo",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
}, },
@ -92,14 +96,15 @@
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ],
"nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1759635238, "lastModified": 1731213149,
"narHash": "sha256-UvzKi02LMFP74csFfwLPAZ0mrE7k6EiYaKecplyX9Qk=", "narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "6e5a38e08a2c31ae687504196a230ae00ea95133", "rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7",
"type": "github" "type": "github"
}, },
"original": { "original": {

219
flake.nix

@ -1,17 +1,22 @@
{ {
description = "CCCHH Nix Infrastructure"; description = "CCCHH Nix Infrastructure";
nixConfig = {
allow-import-from-derivation = true;
};
inputs = { inputs = {
# Use the NixOS small channels for nixpkgs. # Use the NixOS small channels for nixpkgs.
# https://nixos.org/manual/nixos/stable/#sec-upgrading # https://nixos.org/manual/nixos/stable/#sec-upgrading
# https://github.com/NixOS/nixpkgs # https://github.com/NixOS/nixpkgs
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
# Add nixos-generators as an input. # Add nixos-generators as an input.
# See here: https://github.com/nix-community/nixos-generators#using-in-a-flake # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
nixos-generators = { nixos-generators = {
url = "github:nix-community/nixos-generators"; url = "github:nix-community/nixos-generators";
#inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
# Add sops-nix as an input for secret management. # Add sops-nix as an input for secret management.
@ -20,208 +25,214 @@
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
authorizedKeysRepo = {
url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/fc95460e9e6ae759b2b08c93b10a8e010e9e14e6.tar.gz";
flake = false;
};
}; };
outputs = { self, nixpkgs, nixos-generators, sops-nix, authorizedKeysRepo, ... }: outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
let let
specialArgs = {
inherit authorizedKeysRepo;
};
system = "x86_64-linux"; system = "x86_64-linux";
shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: {
shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
# See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
});
};
pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";
in in
{ {
nixosModules = {
common = ./config/common;
proxmox-vm = ./config/proxmox-vm;
prometheus-exporter = ./config/extra/prometheus-exporter.nix;
};
overlays = {
librespotFixOverlay = final: prev: {
librespot = (prev.librespot.override { withAvahi = true; }).overrideAttrs (finalAttrs: prevAttr: rec {
# Build dev branch.
name = "${prevAttr.pname}-${version}";
version = "dev";
src = prev.fetchFromGitHub {
owner = "librespot-org";
repo = "librespot";
rev = "dev";
sha256 = "sha256-s9JpIbqXiVXMlhEuIuKio+rD1rM3kc7bAT0+8+5s35w=";
};
cargoDeps = final.rustPlatform.fetchCargoVendor {
inherit src;
hash = "sha256-Lujz2revTAok9B0hzdl8NVQ5XMRY9ACJzoQHIkIgKMg=";
};
# Fix librespot failing with "Unable to load audio item: Error { kind: Unavailable, error: StatusCode(500) }".
patches = (prevAttr.patches or []) ++ [
./patches/librespot_PR1528_conflicts_resolved.patch
];
});
};
};
nixosConfigurations = { nixosConfigurations = {
audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
{ nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; }
./config/hosts/audio-hauptraum-kueche ./config/hosts/audio-hauptraum-kueche
]; ];
}; };
audio-hauptraum-tafel = nixpkgs.lib.nixosSystem { audio-hauptraum-tafel = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
{ nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; }
./config/hosts/audio-hauptraum-tafel ./config/hosts/audio-hauptraum-tafel
{ nixpkgs.overlays = [ self.overlays.librespotFixOverlay ]; }
]; ];
}; };
esphome = nixpkgs.lib.nixosSystem { esphome = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
./config/hosts/esphome ./config/hosts/esphome
]; ];
}; };
public-reverse-proxy = nixpkgs.lib.nixosSystem { public-reverse-proxy = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
./config/hosts/public-reverse-proxy ./config/hosts/public-reverse-proxy
]; ];
}; };
matrix = nixpkgs.lib.nixosSystem { netbox = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
self.nixosModules.prometheus-exporter ./config/extra/prometheus-exporter.nix
./config/hosts/netbox
];
};
matrix = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
./config/common
./config/proxmox-vm
sops-nix.nixosModules.sops
./config/extra/prometheus-exporter.nix
./config/hosts/matrix ./config/hosts/matrix
]; ];
}; };
public-web-static = nixpkgs.lib.nixosSystem { public-web-static = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
self.nixosModules.prometheus-exporter ./config/extra/prometheus-exporter.nix
./config/hosts/public-web-static ./config/hosts/public-web-static
]; ];
}; };
git = nixpkgs.lib.nixosSystem { git = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
self.nixosModules.prometheus-exporter ./config/extra/prometheus-exporter.nix
./config/hosts/git ./config/hosts/git
]; ];
}; };
forgejo-actions-runner = nixpkgs.lib.nixosSystem { forgejo-actions-runner = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
self.nixosModules.prometheus-exporter ./config/extra/prometheus-exporter.nix
./config/hosts/forgejo-actions-runner ./config/hosts/forgejo-actions-runner
]; ];
}; };
ptouch-print-server = nixpkgs.lib.nixosSystem { ptouch-print-server = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
./config/hosts/ptouch-print-server ./config/hosts/ptouch-print-server
]; ];
}; };
yate = nixpkgs.lib.nixosSystem { eh22-wiki = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
sops-nix.nixosModules.sops ./config/extra/prometheus-exporter.nix
./config/hosts/eh22-wiki
];
};
nix-box-june = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
./config/common
./config/proxmox-vm
./config/extra/prometheus-exporter.nix
./config/hosts/nix-box-june
];
};
yate = nixpkgs.lib.nixosSystem {
inherit system;
modules = [
./config/common
./config/proxmox-vm
./config/hosts/yate ./config/hosts/yate
]; ];
}; };
mqtt = nixpkgs.lib.nixosSystem { mqtt = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
./config/hosts/mqtt ./config/hosts/mqtt
]; ];
}; };
mjolnir = nixpkgs.lib.nixosSystem { mjolnir = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
self.nixosModules.prometheus-exporter ./config/extra/prometheus-exporter.nix
./config/hosts/mjolnir ./config/hosts/mjolnir
]; ];
}; };
woodpecker = nixpkgs.lib.nixosSystem { woodpecker = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
self.nixosModules.prometheus-exporter ./config/extra/prometheus-exporter.nix
./config/hosts/woodpecker ./config/hosts/woodpecker
]; ];
specialArgs = {
inherit pkgs-unstable;
};
}; };
status = nixpkgs.lib.nixosSystem { status = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./config/hosts/status ./config/hosts/status
]; ];
}; };
penpot = nixpkgs.lib.nixosSystem { penpot = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
self.nixosModules.prometheus-exporter ./config/extra/prometheus-exporter.nix
./config/hosts/penpot ./config/hosts/penpot
]; ];
}; };
hydra = nixpkgs.lib.nixosSystem { hydra = nixpkgs.lib.nixosSystem {
inherit system specialArgs; inherit system;
modules = [ modules = [
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
self.nixosModules.prometheus-exporter ./config/extra/prometheus-exporter.nix
./config/hosts/hydra ./config/hosts/hydra
]; ];
}; };
@ -229,24 +240,22 @@
packages.x86_64-linux = { packages.x86_64-linux = {
proxmox-nixos-template = nixos-generators.nixosGenerate { proxmox-nixos-template = nixos-generators.nixosGenerate {
inherit specialArgs;
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./config/nixos-generators/proxmox.nix ./config/nixos-generators/proxmox.nix
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
]; ];
format = "proxmox"; format = "proxmox";
}; };
proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate { proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate {
inherit specialArgs;
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./config/nixos-generators/proxmox-chaosknoten.nix ./config/nixos-generators/proxmox-chaosknoten.nix
./config/proxmox-chaosknoten-additional-initial-config.nix ./config/proxmox-chaosknoten-additional-initial-config.nix
self.nixosModules.common ./config/common
self.nixosModules.proxmox-vm ./config/proxmox-vm
]; ];
format = "proxmox"; format = "proxmox";
}; };
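Review bot: The `nixConfig` block added at the top of flake.nix sets `allow-import-from-derivation = true` without saying which output or consumer needs it, so a later reader cannot tell when it is safe to drop. Import-from-derivation lets evaluation of the flake trigger builds, and settings under `nixConfig` only take effect for users who accept flake-provided configuration, so the block deserves a comment along the lines of `# IFD is required by <consumer>; flake nixConfig is applied only when the user accepts it (accept-flake-config)`, with the placeholder filled in by someone who knows the consumer. As a smaller style point, `pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux";` repeats the literal even though every `nixosSystem` call on the new side inherits `system`; `nixpkgs-unstable.legacyPackages.${system}` would keep the two from drifting apart.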


@ -19,11 +19,11 @@ in
enable = true; enable = true;
description = "Spotify Connect Receiver Using librespot"; description = "Spotify Connect Receiver Using librespot";
unitConfig = { unitConfig = {
Requires = [ "network-online.target" "pipewire.service" "avahi-daemon.service" ]; Requires = [ "network-online.target" "pipewire.service" ];
After = [ "network-online.target" "pipewire.service" "avahi-daemon.service" ]; After = [ "network-online.target" "pipewire.service" ];
}; };
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache --zeroconf-backend avahi"; ExecStart = "${pkgs.librespot}/bin/librespot --name '${config.ccchh.services.audio.name}' --device-type speaker --bitrate 320 --enable-volume-normalisation --disable-audio-cache --disable-credential-cache";
User = "librespot"; User = "librespot";
Group = "librespot"; Group = "librespot";
}; };
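Review bot: The `ExecStart` line on the new side still places `config.ccchh.services.audio.name` between hand-written single quotes, so a name containing `'` or `%` would be re-interpreted by systemd's command-line and specifier parsing instead of reaching librespot as one argument. The value is module configuration rather than external input, so this is a robustness point and not an exposure. Building the command from a list with `utils.escapeSystemdExecArgs` would remove the hand quoting, assuming `utils` is among this module's arguments, which the hunk does not show. The module starts and ends outside the hunk.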


@ -17,7 +17,6 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.shairport-sync = { services.shairport-sync = {
enable = true; enable = true;
package = pkgs.shairport-sync-airplay2;
arguments = "-o pw -v"; arguments = "-o pw -v";
}; };


@ -1,223 +0,0 @@
From c4c968e594edcfce231682db5563f7186da7c6f0 Mon Sep 17 00:00:00 2001
From: Timon de Groot <tdegroot96@gmail.com>
Date: Thu, 7 Aug 2025 12:22:56 +0200
Subject: [PATCH 1/5] spclient: Specify base url for metadata requests
This fixes #1527
---
core/src/spclient.rs | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/core/src/spclient.rs b/core/src/spclient.rs
index 87a6098..56c4287 100644
--- a/core/src/spclient.rs
+++ b/core/src/spclient.rs
@@ -55,6 +55,7 @@ const CONNECTION_ID: HeaderName = HeaderName::from_static("x-spotify-connection-
const NO_METRICS_AND_SALT: RequestOptions = RequestOptions {
metrics: false,
salt: false,
+ base_url: None,
};
#[derive(Debug, Error)]
@@ -86,6 +87,7 @@ impl Default for RequestStrategy {
pub struct RequestOptions {
metrics: bool,
salt: bool,
+ base_url: Option<String>,
}
impl Default for RequestOptions {
@@ -93,6 +95,7 @@ impl Default for RequestOptions {
Self {
metrics: true,
salt: true,
+ base_url: None,
}
}
}
@@ -449,7 +452,10 @@ impl SpClient {
// Reconnection logic: retrieve the endpoint every iteration, so we can try
// another access point when we are experiencing network issues (see below).
- let mut url = self.base_url().await?;
+ let mut url = match &options.base_url {
+ Some(base_url) => base_url.clone(),
+ None => self.base_url().await?,
+ };
url.push_str(endpoint);
// Add metrics. There is also an optional `partner` key with a value like
@@ -566,7 +572,12 @@ impl SpClient {
pub async fn get_metadata(&self, scope: &str, id: &SpotifyId) -> SpClientResult {
let endpoint = format!("/metadata/4/{}/{}", scope, id.to_base16()?);
- self.request(&Method::GET, &endpoint, None, None).await
+ let options = RequestOptions {
+ base_url: Some(String::from("https://spclient.wg.spotify.com")),
+ ..Default::default()
+ };
+ self.request_with_options(&Method::GET, &endpoint, None, None, &options)
+ .await
}
pub async fn get_track_metadata(&self, track_id: &SpotifyId) -> SpClientResult {
--
2.49.0
From 2b72f3fbdf6519321feeaaecc1ea6e1bb042074e Mon Sep 17 00:00:00 2001
From: Timon de Groot <tdegroot96@gmail.com>
Date: Thu, 7 Aug 2025 13:51:55 +0200
Subject: [PATCH 2/5] spclient: Change RequestOptions to &str
This will allocate less strings and makes it possible to have const
request option values.
Also document why the metadata base url workaround is needed.
---
core/src/spclient.rs | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/core/src/spclient.rs b/core/src/spclient.rs
index 56c4287..11bcef4 100644
--- a/core/src/spclient.rs
+++ b/core/src/spclient.rs
@@ -87,7 +87,7 @@ impl Default for RequestStrategy {
pub struct RequestOptions {
metrics: bool,
salt: bool,
- base_url: Option<String>,
+ base_url: Option<&'static str>,
}
impl Default for RequestOptions {
@@ -453,7 +453,7 @@ impl SpClient {
// Reconnection logic: retrieve the endpoint every iteration, so we can try
// another access point when we are experiencing network issues (see below).
let mut url = match &options.base_url {
- Some(base_url) => base_url.clone(),
+ Some(base_url) => base_url.to_owned().to_string(),
None => self.base_url().await?,
};
url.push_str(endpoint);
@@ -572,8 +572,11 @@ impl SpClient {
pub async fn get_metadata(&self, scope: &str, id: &SpotifyId) -> SpClientResult {
let endpoint = format!("/metadata/4/{}/{}", scope, id.to_base16()?);
+ // For unknown reasons, metadata requests must now be sent through spclient.wg.spotify.com.
+ // Otherwise, the API will respond with 500 Internal Server Error responses.
+ // Context: https://github.com/librespot-org/librespot/issues/1527
let options = RequestOptions {
- base_url: Some(String::from("https://spclient.wg.spotify.com")),
+ base_url: Some("https://spclient.wg.spotify.com"),
..Default::default()
};
self.request_with_options(&Method::GET, &endpoint, None, None, &options)
--
2.49.0
From 73ed5c50849bb660834cd0d7aaa7110c01397055 Mon Sep 17 00:00:00 2001
From: Timon de Groot <tdegroot96@gmail.com>
Date: Sat, 9 Aug 2025 09:28:51 +0200
Subject: [PATCH 3/5] spclient: Make const request options for get_metadata
---
core/src/spclient.rs | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/core/src/spclient.rs b/core/src/spclient.rs
index 11bcef4..cbcf092 100644
--- a/core/src/spclient.rs
+++ b/core/src/spclient.rs
@@ -58,6 +58,12 @@ const NO_METRICS_AND_SALT: RequestOptions = RequestOptions {
base_url: None,
};
+const SPCLIENT_FALLBACK_ENDPOINT: RequestOptions = RequestOptions {
+ metrics: true,
+ salt: true,
+ base_url: Some("https://spclient.wg.spotify.com"),
+};
+
#[derive(Debug, Error)]
pub enum SpClientError {
#[error("missing attribute {0}")]
@@ -575,12 +581,14 @@ impl SpClient {
// For unknown reasons, metadata requests must now be sent through spclient.wg.spotify.com.
// Otherwise, the API will respond with 500 Internal Server Error responses.
// Context: https://github.com/librespot-org/librespot/issues/1527
- let options = RequestOptions {
- base_url: Some("https://spclient.wg.spotify.com"),
- ..Default::default()
- };
- self.request_with_options(&Method::GET, &endpoint, None, None, &options)
- .await
+ self.request_with_options(
+ &Method::GET,
+ &endpoint,
+ None,
+ None,
+ &SPCLIENT_FALLBACK_ENDPOINT,
+ )
+ .await
}
pub async fn get_track_metadata(&self, track_id: &SpotifyId) -> SpClientResult {
--
2.49.0
From 6adca21fdf64bd8026a2d6df04c42dd2b1239358 Mon Sep 17 00:00:00 2001
From: Timon de Groot <tdegroot96@gmail.com>
Date: Sat, 9 Aug 2025 09:40:20 +0200
Subject: [PATCH 4/5] spclient: Simplify base url init
---
core/src/spclient.rs | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/src/spclient.rs b/core/src/spclient.rs
index cbcf092..272975d 100644
--- a/core/src/spclient.rs
+++ b/core/src/spclient.rs
@@ -458,8 +458,8 @@ impl SpClient {
// Reconnection logic: retrieve the endpoint every iteration, so we can try
// another access point when we are experiencing network issues (see below).
- let mut url = match &options.base_url {
- Some(base_url) => base_url.to_owned().to_string(),
+ let mut url = match options.base_url {
+ Some(base_url) => base_url.to_string(),
None => self.base_url().await?,
};
url.push_str(endpoint);
--
2.49.0
From 0b5b1eb6c73a9291057b3856939f416113fdd8bb Mon Sep 17 00:00:00 2001
From: Timon de Groot <tdegroot96@gmail.com>
Date: Sat, 9 Aug 2025 10:14:02 +0200
Subject: [PATCH 5/5] Update CHANGELOG.md
---
CHANGELOG.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 560de2b..b62e9f8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -51,6 +51,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- [connect] Correctly apply playing/paused state when transferring playback
- [player] Saturate invalid seek positions to track duration
- [audio] Fall back to other URLs in case of a failure when downloading from CDN
+- [core] Metadata requests failing with 500 Internal Server Error
### Deprecated
--
2.49.0