Compare commits

..

1 commit

Author SHA1 Message Date
June fd240b0bc9
WIP: ptouch-print-server 2024-03-29 14:47:39 +01:00
128 changed files with 368 additions and 5021 deletions

View file

@ -1,23 +0,0 @@
root = true
[*]
end_of_line = lf
insert_final_newline = true
indent_style = space
charset = utf-8
[*.nix]
indent_size = 2
trim_trailing_whitespace = true
[*.md]
indent_size = 2
trim_trailing_whitespace = false
[*.json]
indent_size = 2
trim_trailing_whitespace = true
[*.yaml]
indent_size = 2
trim_trailing_whitespace = true

View file

@ -1,165 +0,0 @@
keys:
- &admin_gpg_djerun EF643F59E008414882232C78FFA8331EEB7D6B70
- &admin_gpg_stb F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- &admin_gpg_jtbx 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- &admin_gpg_yuri 87AB00D45D37C9E9167B5A5A333448678B60E505
- &admin_gpg_june 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- &admin_gpg_haegar F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- &admin_gpg_dario 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- &admin_gpg_echtnurich 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- &admin_gpg_max 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
- &admin_gpg_c6ristian B71138A6A8964A3C3B8899857B4F70C356765BAB
- &admin_gpg_dante 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
- &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
- &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
- &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
- &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
- &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
- &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
- &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
- &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
creation_rules:
- path_regex: config/hosts/git/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_git
- path_regex: config/hosts/forgejo-actions-runner/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_forgejo_actions_runner
- path_regex: config/hosts/matrix/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_matrix
- path_regex: config/hosts/netbox/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_netbox
- path_regex: config/hosts/public-web-static/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_public_web_static
- path_regex: config/hosts/mjolnir/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_mjolnir
- path_regex: config/hosts/woodpecker/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_woodpecker
- path_regex: config/hosts/penpot/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_penpot
- key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
stores:
yaml:
indent: 2

View file

@ -1,64 +0,0 @@
# nix-infra
nix infrastructure configuration for CCCHH.
For deployment we're using [infra-rebuild](https://git.hamburg.ccc.de/CCCHH/infra-rebuild). \
To easily get a shell with `infra-rebuild` going, use the following command:
```
nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild
```
After that you can simply run the following to deploy e.g. the git and matrix hosts:
```
infra-rebuild switch git matrix
```
By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment.
However to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used.
This is exactly what we're doing to set the default deployment user to `colmena-deploy` and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.
## Setting up secrets with sops-nix for a host
1. Convert the hosts SSH host public key to an age public key.
This can be done by connecting to the host and running:
```
cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
```
2. Add the resulting age public key to the `.sops.yaml` as a YAML anchor in keys.
It should be named something like: `host_age_hostname`
3. Add a new creation rule for the hosts config directory.
It should probably have all admin keys and the hosts age key. \
You can use existing creation rules as a reference.
4. Create a file containing the relevant secrets in the hosts config directory.
This can be accomplished with a command similar to this:
```
sops config/hosts/hostname/secrets.yaml
```
Note: Nested keys don't seem to be compatible with sops-nix.
5. Add the following entry to the modules of the hosts `nixosConfiguration`:
```nix
sops-nix.nixosModules.sops
```
6. Create a `sops.nix` in the hosts config directory containing the following content to include the `secrets.yaml`:
```nix
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}
```
7. Make sure the `sops.nix` gets imported. For example in the `default.nix`.
8. To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following:
```nix
sops.secrets."forgejo_git_smtp_password" = {
mode = "0440";
owner = "forgejo";
group = "forgejo";
restartUnits = [ "forgejo.service" ];
};
```
This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.

View file

@ -1,22 +0,0 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
vim
joe
nano
htop
btop
ripgrep
fd
tmux
git
curl
rsync
ssh-to-age
usbutils
nix-tree
# For kitty terminfo.
kitty
];
}

View file

@ -13,5 +13,5 @@
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = lib.mkDefault "24.05";
system.stateVersion = lib.mkDefault "23.05";
}

View file

@ -3,7 +3,6 @@
{
imports = [
./acme.nix
./admin-environment.nix
./default-host-platform.nix
./default-state-version.nix
./localization.nix

View file

@ -9,10 +9,10 @@
{ config, pkgs, lib, ... }:
let
authorizedKeysRepo = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
rev = "b6a29dc7af0a45a8c0b4904290c7cb0c5bc51413";
hash = "sha256-c0aH0wQeJtfXJG5wAbS6aO8yILLI1NNkFAHAeOm8RXA=";
authorizedKeysRepo = builtins.fetchGit {
url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git";
ref = "trunk";
rev = "0db6df46b68c07edbefe2a5f9ce4002fb6462980";
};
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
in

View file

@ -1,8 +0,0 @@
{ ... }:
{
services.prometheus.exporters.node = {
enable = true;
openFirewall = true;
};
}

View file

@ -8,7 +8,6 @@
enable = true;
name = "Audio Hauptraum Küche";
};
services.mpd.musicDirectory = "smb://beamer:beamer@beamer.z9.ccchh.net/music";
users.users.chaos.extraGroups = [ "pipewire" ];
}

View file

@ -2,7 +2,6 @@
{
networking = {
hostName = "audio-hauptraum-kueche";
domain = "z9.ccchh.net";
};
system.stateVersion = "23.05";

View file

@ -1,4 +1,4 @@
{ ... }:
{ config, pkgs, ... }:
{
networking = {
@ -11,9 +11,10 @@
];
};
defaultGateway = "10.31.210.1";
nameservers = [ "10.31.210.1" ];
nameservers = [
"10.31.210.1"
];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "1E:EF:2D:92:81:DA";
linkConfig.Name = "net0";

View file

@ -8,7 +8,6 @@
enable = true;
name = "Audio Hauptraum Tafel";
};
services.mpd.musicDirectory = "smb://beamer:beamer@beamer.z9.ccchh.net/music";
users.users.chaos.extraGroups = [ "pipewire" ];
}

View file

@ -2,7 +2,6 @@
{
networking = {
hostName = "audio-hauptraum-tafel";
domain = "z9.ccchh.net";
};
system.stateVersion = "23.05";

View file

@ -1,4 +1,4 @@
{ ... }:
{ config, pkgs, ... }:
{
networking = {
@ -11,9 +11,10 @@
];
};
defaultGateway = "10.31.210.1";
nameservers = [ "10.31.210.1" ];
nameservers = [
"10.31.210.1"
];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "D2:10:33:B1:72:C3";
linkConfig.Name = "net0";

View file

@ -1,7 +0,0 @@
{ ... }:
{
networking.hostName = "eh22-wiki";
system.stateVersion = "23.11";
}

View file

@ -1,9 +0,0 @@
{ config, pkgs, ... }:
{
imports = [
./configuration.nix
./dokuwiki.nix
./networking.nix
];
}

View file

@ -1,165 +0,0 @@
# Sources for this configuration:
# - https://www.dokuwiki.org/dokuwiki
# - https://www.dokuwiki.org/install
# - https://www.dokuwiki.org/requirements
# - https://www.dokuwiki.org/install:php
# - https://www.dokuwiki.org/security
# - https://www.dokuwiki.org/config:xsendfile
# - https://www.dokuwiki.org/install:nginx
# - https://www.dokuwiki.org/faq:uploadsize
# - https://nixos.wiki/wiki/Phpfpm
# - https://wiki.archlinux.org/title/Nginx#FastCGI
# - https://github.com/NixOS/nixpkgs/blob/84c0cb1471eee15e77ed97e7ae1e8cdae8835c61/nixos/modules/services/web-apps/dokuwiki.nix
# - https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/81c8bfe16b311d5bf4635947fa02dfb65aea7f91/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf
# - https://www.php.net/manual/en/install.fpm.php
# - https://www.php.net/manual/en/install.fpm.configuration.php
{ config, pkgs, ... }:
let
# This is also used for user and group names.
app = "dokuwiki";
domain = "eh22.easterhegg.eu";
dataDir = "/srv/www/${domain}";
in {
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${app} ${app}"
];
services.phpfpm.pools."${app}" = {
user = "${app}";
group = "${app}";
phpOptions = ''
short_open_tag = Off
open_basedir =
output_buffering = Off
output_handler =
zlib.output_compression = Off
implicit_flush = Off
allow_call_time_pass_reference = Off
max_execution_time = 30
max_input_time = 60
max_input_vars = 10000
memory_limit = 128M
error_reporting = E_ALL & ~E_NOTICE
display_errors = Off
display_startup_errors = Off
log_errors = On
; error_log should be handled by NixOS.
variables_order = "EGPCS"
register_argc_argv = Off
file_uploads = On
upload_max_filesize = 20M
post_max_size = 20M
session.use_cookies = 1
; Checked the default NixOS PHP extensions and the only one missing from
; DokuWikis list of PHP extensions was bz2, so add that.
; Checked with NixOS 23.11 on 2024-05-02.
extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so
'';
settings = {
"listen.owner" = "${config.services.nginx.user}";
"listen.group" = "${config.services.nginx.group}";
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
};
services.nginx = {
enable = true;
virtualHosts."acme-${domain}" = {
default = true;
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
virtualHosts."${domain}" = {
default = true;
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
locations = {
"~ /(conf|bin|inc|vendor)/" = {
extraConfig = "deny all;";
};
"~ /install.php" = {
extraConfig = "deny all;";
};
"~ ^/data/" = {
extraConfig = "internal;";
};
"~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = {
extraConfig = "expires 31d;";
};
"/" = {
index = "doku.php";
extraConfig = "try_files $uri $uri/ @dokuwiki;";
};
"@dokuwiki" = {
extraConfig = ''
# Rewrites "doku.php/" out of the URLs if the userwrite setting is
# set to .htaccess in the DokuWiki config page.
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1&$args last;
'';
};
"~ \\.php$" = {
extraConfig = ''
try_files $uri $uri/ /doku.php;
include ${config.services.nginx.package}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_pass unix:${config.services.phpfpm.pools."${app}".socket};
'';
};
};
extraConfig = ''
# Set maximum file upload size to 20MB (same as upload_max_filesize and
# post_max_size in the phpOptions).
client_max_body_size 20M;
client_body_buffer_size 128k;
'';
};
};
networking.firewall.allowedTCPPorts = [ 8443 31820 ];
networking.firewall.allowedUDPPorts = [ 8443 ];
users.users."${app}" = {
isSystemUser = true;
group = "${app}";
};
users.groups."${app}" = { };
}

View file

@ -1,22 +0,0 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.159";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:37:F0:AB";
linkConfig.Name = "net0";
};
}

View file

@ -2,7 +2,6 @@
{
networking = {
hostName = "esphome";
domain = "z9.ccchh.net";
};
system.stateVersion = "23.05";

View file

@ -3,7 +3,6 @@
imports = [
./configuration.nix
./esphome.nix
./networking.nix
./nginx.nix
];
}

View file

@ -1,29 +0,0 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "10.31.208.24";
prefixLength = 23;
}
];
ipv6.addresses = [
{
address = "2a07:c480:0:1d0::66";
prefixLength = 64;
}
];
};
defaultGateway = "10.31.208.1";
defaultGateway6 = "2a07:c480:0:1d0::1";
nameservers = [ "10.31.208.1" "2a07:c480:0:1d0::1" ];
search = [ "z9.ccchh.net" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "7E:3C:F0:77:8A:F4";
linkConfig.Name = "net0";
};
}

View file

@ -1,34 +1,35 @@
{ config, ... }:
{
services.nginx = {
enable = true;
virtualHosts = {
"esphome.ccchh.net" = {
forceSSL = true;
"acme-esphome.ccchh.net" = {
enableACME = true;
serverName = "esphome.ccchh.net";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"esphome.ccchh.net" = {
forceSSL = true;
useACMEHost = "esphome.ccchh.net";
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "[::]";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::]";
port = 443;
ssl = true;
}
];
locations."/" = {
@ -36,38 +37,9 @@
proxyWebsockets = true;
};
};
"esphome.z9.ccchh.net" = {
forceSSL = true;
useACMEHost = "esphome.ccchh.net";
serverName = "esphome.z9.ccchh.net";
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "[::]";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::]";
port = 443;
ssl = true;
}
];
globalRedirect = "esphome.ccchh.net";
redirectCode = 307;
};
};
};
security.acme.certs."esphome.ccchh.net".extraDomainNames = [ "esphome.z9.ccchh.net" ];
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedTCPPorts = [ 80 443 31820 ];
}

View file

@ -6,6 +6,5 @@
./docker.nix
./forgejo-actions-runner.nix
./networking.nix
./sops.nix
];
}

View file

@ -12,15 +12,19 @@
enable = true;
name = "Global Docker Forgejo Actions Runner";
url = "https://git.hamburg.ccc.de/";
tokenFile = "/run/secrets/forgejo_actions_runner_registration_token";
tokenFile = "/secrets/registration-token.secret";
labels = [ "docker:docker://node:current-bookworm" ];
};
};
sops.secrets."forgejo_actions_runner_registration_token" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "gitea-runner-ccchh\\x2dforgejo\\x2dglobal\\x2ddocker.service" ];
deployment.keys = {
"registration-token.secret" = {
keyCommand = [ "pass" "noc/services/forgejo-actions-runner/registration_token" ];
destDir = "/secrets";
user = "gitea-runner";
group = "gitea-runner";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}

View file

@ -1,19 +1,17 @@
{ ... }:
{ config, pkgs, ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.155";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
networking.interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.155";
prefixLength = 25;
}
];
};
networking.defaultGateway = "172.31.17.129";
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "1E:E0:4E:D0:DA:BE";

View file

@ -1,233 +0,0 @@
forgejo_actions_runner_registration_token: ENC[AES256_GCM,data:gAR2ffrffeuuaOwO6mWcif2e6csKIVoLqrux19iBlrTkFHgo/IlHVL0eSUGqnw==,iv:i12yx/quwT9kj6fPECszo/iG9cVhKX+7dAA6/N09URc=,tag:eO+mWhumgvWzQxYqiRUXbA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKZEFkeThaUkhoVlVXV1V0
eXBja2hueWJzZm5RNVdaNTdKNGp6OC9mVmt3Cit6S2tBQjNGb0N0RkdDdWtpR1Vv
REd5WjJrTnJYR0lGRkFGU2RXTjZkdncKLS0tIHJoV3I0YTNkcHdZQWZySVNyVm4y
TGR6Sm9uZ0ZQeEFNK1lJRE82eUluclUKL4mGDJkQ3mQu+7Xc2KflVqLUjbr/5a16
VlYUplTqUCYXtkzq/3RKZV/pM4RVYBDHvuSzVr4hXBSxW5j93dhezA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-26T00:29:52Z"
mac: ENC[AES256_GCM,data:c0261ungapxYViyviTpNsSJZs6OMQ8fyHNqBpvTBp9jEEbbvJBSbqJtwJvVDg8Kv3xrZjC0jZSQOWkvYJlb2PFuW2/GXy5YpLCo7k3ZhXhUbotsDFPe30bvfVxZWhMpaS2rEXlxCqHeVmqoslL34jpLuFx04FmoBh91yjDMoiTw=,iv:njo4Bu4FzAbU6t7CSbqw7hcJ960oqsIKuV/qUGF8c1I=,tag:dzFxW8vyZsDFkd/ARkt5jw==,type:str]
pgp:
- created_at: "2024-05-26T00:28:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtARAAoDySYGJ2Xf27El8y/UTYOUaM51stw95ZfnU7JtKfPNyM
Ct+xymnyxAwR2OJ7oDluxwEItdPufp/Mr96zkw+TfrqI5lowTiH4YGtDsbioiScN
qxiZgHN4qVZcRHwzgmLcDa6GSIg6rEcDcBygakprmoI4Qeqp3Bioii0/OMuLeleN
igauRUzroFLIlS0QCgI5PaUSIPtSMxgKiEc5yM91EBh6w93RaoQmG0k9TWpfLmgo
ZVB164SYCCW45vts6T7WQ8cE7Pxkkti+rrOrjaDfB4ape1u4gS6xKc4dFJ+nWcE8
5l6MXoDLRd69VWRN6P+G5YGQzB5QRicNnuwk6H2q7CwIqZyi7ZqaCIZfcpvuUzCJ
OGJQInCFFVSdLj/3WFyXk+wemmZPna5xFxFb6WVwfSU1ikM/umrZ5yBly+mvDGzs
l+8YGcsZ9D//qjVIsWbiRwhGgeA3eU6f7SwdZdX/zOFy8bP85xwDcbwdOSkhifAA
l3Ud3rswmAnzSYAw5wK9tcSxS+G4JeCPU1iKABifugLohgME09Z31ljvyqWPBRe/
Rct5zvcQV2yjMbToudXafvRUb9nU+uJuWUEUe8xFSrAC1ijA3mBYfIrGNvD2eVCY
MTYK1ugKA9X7Sgls3vQ0A7fLHeR6C3+zhl7SzGHUZC3bh5+oXTq6cuXD8DjCwV/U
ZgEJAhAkZc7MICSMkACItUHxyyEMbBYNpIJ6P7GQA6ErhLcV1VpKWo6abJVVES36
j97RpaD1tL3OyGPfiivMkk650MkPrgpMKR0hasl770B8jkjVPyDV9mSn+sc7N+tK
D7IbDW18mA==
=EhAw
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2024-05-26T00:28:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6EyPtWBEI+2ARAArCPbAnHJrNpP4B755wKuDEzwVMsqCR+gumSX/XcuQJMI
O3/34FJOI+++S/+z94y4O+A7XPsG4xr+UpDIGdGFAsOQBrbxyqD7c0BIToJgq6iG
22j7y6N6OZFo0g8hGkUVSMeAZXCkg/t70e2POeHeEwnlsNX3cRuFWC54KxfVwr4w
UjlQmjV26+r1uZd3DKj/+eMi5E63XTsgUhAlJqixpHt3PEKZ5UNtnCAbYXqF2FOF
qqNyB5X1M2ncee+RGzLqnXaQTSEdKmlEwteVlXWtsqBs4gICOz+6ehfA+gk6r+si
Hv5dW5W7OjHsZfRfLxaF05vBUqQ+M5FdYl0hBFZzco3zuNQ+c9om+c/3Fd+B0tZC
0pUs4JiNa/chjuSCiJ0ZJE8kh7xCmmjIrFqsvWi4ZiTk2GWPEeuPq91TC/azfQea
ZV/Ozh09wAMGnGYUY0OqH7BIGsV6mEFKy/oEpwvoPuI1sNLiMig3ZAMHcIdqYzta
S16/JVmVirTnOTCL7p0CZLtiQuQH158gn9F2T7WCfX/XA8ifVSAyjWnYL3+rJUr1
zuhndbJTXD+5K9RKVM+FXC+G5VRzmWKNN9riijtLFhPKuOqDwPDst81XGsO23gGn
QIFGGEfQ8vuC9lmF8jDPHZfgUWy3kMVaLW+ti7y5IWhWEJASYVXF2JknKeOw2zjS
XAE4hG6ck97ZiT9V5bKC/fk/Ep/GWPnQTMdISinbak9hZigPPQ3KCyf4WZoJ1+sE
r+rk9v7NO1N5rnVQokL+kO/sBCV/t9XrHuFDx16cZrSHpHubQUi9daxc6EQ1
=7d/s
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2024-05-26T00:28:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJAQ//QF80EGvpode+J0kDjrrFKdSXREPhfCtFU+EpmE+f+aGO
mMPZ0SEuBX4g+5K8u0IdeWR2weqYqY0O9Ar2m18YlpniSWFBZqzmW+/yk7vmDzqr
l9pV/SdRomGrKyXk9JehkLm5vwUrj/xlPAU0DQEKIPLZ/MMRh7bIfL5Fdujc9cLD
nybCqSXccYy59SDqVku5Q6A9FTTzLL8uFf5D3mthp/FgWpxIEQIau8G16PZm0aSJ
cBu2eZ3XDjmgIQLG+TMrW77lp/2AhFe23RtK4y5aZjzGhzO+Ax3Cn7pZI9zTGW6X
iF/ePoR+AQeXMWfwIujGR5Zy4NvdNKSfniFrjgXpsWSMjCp8pKTOlhkknL3gE+HU
etQDmPPCYvaVUwITpmrEAswTNPw0xekXGUe1HgETfhWAGw8zAEYRlOqw3Jt9mMX2
QczfXc2sA5Z4TcylESIUcpTAFQVMVMB9bZM762tZu3bM9qg6qybNVJBk9UPpi0RW
ZFbXA6lkOnJLG5/m/Ie4UDoxXxtOOqkFzjV57GEBy/HtYuC15LeyOuAgDp0Ta57L
0f/ufET/T3z5qBE8GN2zSTO7gGnFAEQ+028ZB0vGVR9C0JdCwVBMlGglC6NiaKqP
xPDLPdBqrCczUQyIJ4f7JJaFCfndLszuchb7IzCy95I7nMmATREpP06uRbnuRU3S
XAHno1TtKtfy/+T536cmGhke9gNLZXBjSg+W9ndHPo7r115Ytap5nlQqhM84qOyE
bhKZlipM9hkhfeT/6X2NzYL48/hsxJ7nh2sbmJQ0d/2DtmXT2gRGkbYq/f9+
=tuO+
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2024-05-26T00:28:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1AQ/+IK+UPsLOltPFjdvN21ICHY4De1c6qqMrrDAskqeDWZet
9eoal403d0fY6E03o1Acq3XlTzR4srWLp9qo+soAhruZ3+W5M/6zBaq/f2XF4fu2
U+bjVplM5U/pHTtGb05nHJ+UN7dgq2OJkURAe7aLSwLLScxTH9cggHAo6wpsaUTQ
Uujbo508P5/Vt0efbnyNbk54M/UMH0s93YmWSuxu4XvyUPaVFcjXkh61Tfc8vY+v
l5P1qDEjQrRjSE11/xzqAmZ5x58cMK1Q9yB+cy5Lw6K+rFT+5r1jdJem5NBsIRFP
eJjmTj/rzehujAciA1EOCF16ZsVIG6HFb3SLcNoRRL3DDgQIHgjHT38qbKrobjGr
Ww2Trekg17t2C48+qa/fGZO8dSz+/97gfAMMA2DdWHPlZxVCraucZMG0p9CkNxcO
kEtpD5hYJE456MqJQJoF2x2m+/SylJntfeKstKDhD5MZevTkNhD3MRE/8XPW/abE
byO8hxz7g76l2OKSjJdOUkYTDsjr23qKAuYq3/tENOMC+Z0eTKjQbzyLdSitQkM4
eOxRMm1qJZM7Y27kYLZcLadkewuBgmXqpDePcH6lHuLZp6S9o9LmrzvAsG79RjGs
wWiITzj4oG7ROT1Np9h9iCrfKiQ3fM/5/4zJvFvGm62DaeqNSwVT9NSLodrpj/XS
XAF3ozQWD5ib0d/yUKcwZZcbbJyn7HyaCn/95zxOMu+C4K0qhJLZeMyOYQOj2pfb
T7EnwyXB5vdL3JJlhVmnFCTMFv/RjhNOJX4qbDnV1sqTj5fFMgcbA067BLEQ
=TU7Q
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2024-05-26T00:28:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA4HMJd/cQYrVAQ/8C0go1iw89B1ibjbrJTxnmYD6iep01wAwZjHNm9/cC3BV
yFRj/D7d84gO2YX2hZxnjlnFQYRsNez7HpsjZvUmp6FN9LpJNDp2NvukebtS5v86
hrcqODTdHNa+/ffHIhUoXVSjw5kwpQNT0JI6PR3EyV7kjCGkFAFMzHbaNRbdup5O
vC5cD6Ty+aihB/E0st7/KUw2PH7bMiJ+lAlx53Z4v7xZYSxS0vFXRDAJRYd6Bt2t
LvHO68aRMF7czDB0JoV8BOSohSvv+ZXBqe2zCZwl8kUZoW3n9eym8iF7yZ+itT2M
OdLTOg6SIhhtxcm7qFRHsOsBMjmT+MuzQVNGKDQ6Gga6NiiboyuURso64L7F0SbA
3MnHeYoTm39hUs50xqWXdFfi8G3d/SfYcxYghJJx+SwlTd1ZhdSDxQ1uJtUi7ccK
8pHwIVCdkOF1hvko3w0/B9kHmnlWKBUF1wN8QHTmlViCOo4vIpepowzN4fLlpTug
VtyW08lbdMWqq17OcTUK3O7Z6hDDUaIKV8vGvjxrJ7wJp3kok5cI7jXOYEPjxfSr
ZjJpcdrAuJTZjSIsFFopGXFbUkI8bqRpo75lDuK2fA6x38WQqedwNo6YTXvtMn0V
bhYLeEt5VeRSohGWNsdGvpjB6BtPhKoD6hK+aQAeOhhxyuF2cH4o0/lFZSkDo0/S
XAFiYzGNuu1nJulLjaAGGeoiom42N+MEmQvlIfG7AR/XgMSXs5d0JH/COJkL3V6W
zyhAGxTzEmDYmddbhelxXn38obOnsAJU92GXwLg+PXT7ZkFHrCfg9jEvgwmT
=98Lv
-----END PGP MESSAGE-----
fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- created_at: "2024-05-26T00:28:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ/+M0Y24jgYhl4VEAT8ymoiCiNIsqGuk4yIXO6LrTIsNGlc
6YwkJu9Gj52AH8XKdvLuBGtWstjVoVrBOFyTtS2vzW01Eh+sFKfm3tF8CywjSMZ+
Xg/v+rtbj7s0EZ2JeE0DOk2X1zg26HsNd4X0HkIqTAm89gNVSTMWGGhDbTBSxtFx
ain5e14rUMM5qeIZg4IEMlY0mEbpGC7AqV1LKclN8pp2e0/6AS4fxamoMtPOhwld
/feF4/9AwZ04HIwF0ucbrDDkoZrW7YaYZPapxBTCMU0alkX4c+WTBMKTWICC1DkZ
lVF1zmLm2rhxebM0AaIw+eT2MymaecTcVrEHdhbtCGbfIL0sram2Qw0ZfeYDxIas
5W2z0a+qSQtlaCZfq/kc3UBQpRgv0Vrc0CBoZJhFmhfsH0F7uPE5rThqeT1w6TMd
bc6Y09Yorfyio+ZhbB8BJ5fzlolEo8opSZLm1K3YAik5Tw7toIvZqeXZoS6DfZhk
o7K/uUJTDKHuscxRLAfFKqBoZOBuf7d+ski5arMcjMqOYvmGKCn2pzs0TuO0ZaDG
gKbvSz2a6KyUSU822W0l2HSfM36HxxH7bDdJ12iqbBtWPcob+KcKrLowpbzzHpMT
o23ct/g5qpKpEvH+AkXQ9nOO9VKXx7voQyFM0gS0LXZGJcXeeeVbttcD28Td7WvS
XAFWumenh3Yc2VUSF4PUICL4g7o/4sLPjHhctlNHQ4+iaF6beZljWD/lwFkKxbqt
oHFjNx+ajtTxQpzpBQgqO6twKwLjND4lQ1yRlXp3mGm3U0BI7QUCRp+D+RcK
=N//k
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2024-05-26T00:28:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoARAAtsPz8vCvZ84eAoI3bZwP69V1coDW0SgSVqAi0XDfsRbo
LJIU//nkp4pKjUMoBgc++TdLa94/mqeFVhXozAW2T7nFhYOOK2HoVl+JqvgvTGVy
ZhGEWTud++inzjSAKAEll6x89dYE07DLtbLNaLs8w3X/cSDF9fZekmTvyaks9AwQ
oI+RXPK1ao3Nvgw0pkvRzFze7HJansA25+Ojcr3wnhP3qtKqfHjbXRs5Qu46fB3b
mz3SPNcN/JihodKBhZ0suCk+HZx69EXbBV8i9EDBOX+2Azxn3aCGh0jlDAyCMMNp
CWiDuYduzYFV0mF5vAGQC8ifrQZDOjvJR1qqJ2115c2bB9cP0asTS7ZoJEEqfkz1
mGLHsOhhuP/DkHhX2B61nDl0LQ+eoc1ZdZEcDV0hrKptiFlxmPySlOXD1LpOU+uk
JFBot/Sc9GEZzaInyNSmSvd2Y6SiNOl9t7QAwIPwmGYGY3iNDPD6RRl/CQb7raLG
rfNH04BYltboG7HQeEqiEEijn7xctTSNp1O3EKrcdEpg/sAlQzarCOmEUvLXWeBj
YhPRH6Z3+PMyn7m2Jb8VFO3hAX4zfb7eJcXhsKHBhfYIXViyuuzJNBoXYnorqSRK
n5OobCGQAhxeLHOrG2J059HbfUgGtfD/4MJNiGxuCGmXJc5oSJVRhy3d11ttGIzS
XAGuD/Vw5GUqWVZKNp/k2Kfuxauqu6jDPI534dLf35qaROkvbWz2bbfwPx4hxtkE
dZCVWILFq/BbXXiCVEMeJf6FrXcB2rJETBgknQWtxRP18Q7Rb4a2jybv5TDk
=ATJq
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2024-05-26T00:28:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqAQ//WVgNIjTv+F0kaoyM5stNqV7lDHPNF3jKVLOZBV1d8wbL
NhHnNRiadls8SwazCHgds/ahoaUTv+4IF9hvmyLvksN6iEN5/YnyHa1nFDBC8kow
pzA97WD6/bo5SjCk5oqLHjbR7ApKAYHOnI/XDum3QyWUV3KzO5wQQBAVki736l6q
ccUVeYLgjcnlTSlz42TcNnPw5DbudAizU4DRu4KyqQX1hBJEYA9lLDvFxvjrSidb
TzGWzyY0ERkrgrW73K9il9xqGsnyDZLvHPZ3f+nwEuNjM+ITxliZrsfxmqbWZ29f
sid5Z8Z9lZ88jIC2VR4+XW1q3LAe4WPhp3MjvhELfKLUWTRp3zRN6kabxuBtJcuC
0s212dm2ctKbkTaDbn7Q0NyJ2CLX+5IMjWs/i1NoLAyjre6hFmie2Ldx0RGwxrJp
wCA7EiZ02UJcLQw4QT3o/2Pxg8Spi+eGmqxSmMV/PDJ1gSdUv85gPobdDcotky6n
ng3I3G1o2XRUKnfDwv//4mFbDHXsCPXs7fMLwsSYZi5Cp49NhfbCbQHeusCdchLY
dA0Eik9ckUDH6ihyEN8DyVcZyspxoIFONFqly21rNECcKy1i2HxTsq5SbkZmmUS5
XiNQTGoLsx0CKI78oAXNfgY3wdpi02Xykkctjga4U2L/u8Wg7dVRgUFmq64rJfDS
XAGHB1X4194RVvPcpYP6tScEDnmQCs55wsiEuWPUyvclwb/aO8y5K1o6Uz5IW7/o
8lfAj6gHs775Z5xZE3FD8O1NkXVOyLmzkH2bJbkZAQ+JVfQS2UKshMtnQgz7
=dG/+
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2024-05-26T00:28:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA4EEKdYEzV0pAQ/9He59UueuO4GXg4uBxLASQiaGKS/F1pPfTU9W4E1f+C4k
Dw8hwiLIZWRDsj0huYd+klyg2VJnjmPf0tB8qj5nrHo0bTKH0oJpiDpX8Bi/8j7d
WBNyS8LmUrSub3TdM3Ob1muUt/nHvgGQmWKt3dH+Jkc/um0B/+Og3Yka/JcKRF0Q
IAYkzVFlPdh95IhPEJ0Lo7zyN1FU0UwlyMasjB8Xae7VoyDhtgwur60gTktNIuyU
tAvLPKSSyu//Uz9olGW8RKw5//5A/EYNlP8WrVV0crDNBGegTlX68EsZlZQp1uXc
GK0ZB0OtphMUJiF9dUXNfzbGz02l3voLs5DUIpE+EAyEDu7hZEDgU8e9oTJRv05f
TumOjDlgSrhALyewO1ig92fU407JxxwW9aNl8gFv2Ph9lEbSaQWpo/VAHA178x/p
j5caXUUh5qUFGYhtOoHB9KtxL9X+F7Z5FjHmHxFQBtLrxP/olmQ/5jjbiz5sgf8A
iW7bRu2tBmiT5TrMcDxFSf3d+v5o0kOngwPl+8e9NC681uXuddI9g4s76f7KrpuE
bb483XW0CZUdpt8eFXAvk6CJ97gi9H9iZBrqhMKjGnWbE6e0683PE8WNTwCafoYz
mCelVHHjX1Qsk8Zg/vI0EBEHkeigCiev9O85dUVbCxHVniBkvIF4ZNo9n7NRnAbS
XAHQ23ARYRtF676DYWSH50sHJ5v98BTKn+Ca1QWMRCb2kyqUSfn+XzgyP9Sv2nqx
dT8DO2oTOraOaFS2+j9N3wRjbocVRuTV2EPwdgPVPg9IakNaO3qBUwEnNM+b
=EzwG
-----END PGP MESSAGE-----
fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
- created_at: "2024-05-26T00:28:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdAy+TLSybMtug+TfJVBd4WJP4q5V6Qf0yPtgj4YUF4YCsw
rUctAxIueheQq5uqoPm3bTeLUYeticEVf090hr0613uh+l5DZcD/vqoHUK5dx7Zs
0lwBTi6sRElMIJiXplIvCMyYAOne/QZG3WaLx+LqqaNlNKPz8OVPhbokC++VNpwz
l5GE8Cv1ZoEDxbjLWurS772NiIumo+lAnjQMAxhHo4lVPXTxZZCqx3/98agyKQ==
=oiZp
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2024-05-26T00:28:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAzdAjw8ldn6CARAAvnyyMeBLfWLFU6dBK2lNAzJy/gHb674YQbCe4W/w9Cjl
2pbiw1Hhpe0P7d7MGy2mB3Hi7cLygklFZADkHnrOoRIaJ8KqJELsNSHjapIE4+jW
8NWIcRSyZzOQFeKGFPNCJgyYd68clNmiLNlIAI/Xuxf4xSb3BLkBDRx1cIoug5gZ
pn7RrWYDPgrUyn9YfAJDr5OJsBcJD70sdi1TmCK6X6UCGZpNUI22yqS40LX6aCvj
WzZ6gd+nyjLlHXBBSG8R2lywPdoEVo4Y0pWvd5oK85Xl80gtlXSpFBfEg+EWbLCa
EkiAXthSAWwgBfjV0UCM+Qd5aiwNb8Q9j90AqPhIAawnsGWRrSL40finvJOdf4lW
f8R8Xk38RovBlHii1u0iw9O3Efur0UJ+aEntIEjaoND6K+32oJI56CWev0ARgR9N
ECROL+57Z1121S4QfDGp3LuClgAJDPB/LTL9ly39jOVaPZ7Ym+8qe45C0nkO3SDI
nyIkv+GA/gz9EuClfShc4N3T+XPjSe+wz7gt9hACpSai+Muea+2ruUpa9Kn8hasi
1zq7qR+3+ueJc5+8P6xIyCKxBTneBM2VNlh2e0GZlCxqCrx5Vt0spr4fijM/JvEo
+/2oIRv75NtF9zAwk7foSbyw8WQCReW61hLr9rVnYMoCkhYhlEIEGBZiq/94SHzS
XAEUZMZIyLdgzXVIoP8GVEqCErVYT5qCpo8Ett/v8efm27ucV797SrRibqiFEwIo
SsEKMoULNyHXQfnuKviNnuG1ril/azjsAtiucJvTdol7pY2nRWeYXIVecX0G
=Dlro
-----END PGP MESSAGE-----
fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -1,7 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

View file

@ -8,6 +8,5 @@
./nginx.nix
./opensearch.nix
./redis.nix
./sops.nix
];
}

View file

@ -12,8 +12,9 @@
{
services.forgejo = {
enable = true;
package = pkgs-unstable.forgejo;
database.type = "postgres";
mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
mailerPasswordFile = "/secrets/forgejo-git-smtp-password.secret";
settings = {
DEFAULT = {
@ -76,10 +77,14 @@
};
};
sops.secrets."forgejo_git_smtp_password" = {
mode = "0440";
owner = "forgejo";
group = "forgejo";
restartUnits = [ "forgejo.service" ];
deployment.keys = {
"forgejo-git-smtp-password.secret" = {
keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/git/smtp_password" ];
destDir = "/secrets";
user = "forgejo";
group = "forgejo";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}

View file

@ -4,30 +4,27 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "212.12.51.136";
prefixLength = 28;
}
{
address = "172.31.17.154";
prefixLength = 25;
}
];
ipv6.addresses = [
{
address = "2a00:14b0:f000:23:51:136::1";
prefixLength = 64;
}
];
};
defaultGateway = "212.12.51.129";
defaultGateway6 = "2a00:14b0:f000:23::1";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
networking.interfaces.net0 = {
ipv4.addresses = [
{
address = "212.12.51.136";
prefixLength = 28;
}
];
};
networking.defaultGateway = "212.12.51.129";
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
networking.search = [ "hamburg.ccc.de" ];
networking.interfaces.net0 = {
ipv6.addresses = [
{
address = "2a00:14b0:f000:23:51:136::1";
prefixLength = 64;
}
];
};
networking.defaultGateway6 = "2a00:14b0:f000:23::1";
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "92:7B:E6:12:A4:FA";

View file

@ -34,10 +34,6 @@
return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\"";
};
};
# Disable checking of client request body size to make container registry
# image uploads work.
clientMaxBodySize = "0";
};
networking.firewall.allowedTCPPorts = [ 80 443 ];

View file

@ -1,233 +0,0 @@
forgejo_git_smtp_password: ENC[AES256_GCM,data:ZRj5GpQKRlTxdu5CfbJirRGAKPCLAIG1F0V5USz5m5D49V3lu5uLomxHapmEwb0yYoE7e7ZLYK4VQUoQgpUnSw==,iv:K7+9E2gi8cdYu0lX/HgWitLxnxARywIwh5glEL0uOsM=,tag:s9UC8e+E5E3vM6cTKW7Vqw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ZFhrMlF1YnV6bHlJZFp1
SExjNXk0aTE3U2pBd0lHODlkZW9La1M2cHhjCjd1VTdKWkE2ZWxoMWFjREsvLzdS
K3lSSkRMZ3lLZ0tSaDZMRkt4MXBMeXcKLS0tIDFlVjNXcktpbHdJc2hraGNrNGJh
UHlJWFN4NW1tNWFCU2EyNjkveXZML3cKrKk1w3IBAgdmicuFyGOaU26fwpULAcy9
eZPlcbRPUPHoRhy9GhNTAcXXDQzimKL39XZGAd0U29Kt9AvWAf8Qpg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-25T14:17:29Z"
mac: ENC[AES256_GCM,data:JeqYsVtogbB4oMWNEpLsF6zxsgUoAt7UzRUL2JzxDUtXDUndW/AxJxVxQaipYvblA3q2MzRyQN+j9khavlL02DR/ANtZFLQmH3OREV7M9eHmeeCa4Lm5D7gFYmqWkULJ7yEJsKz5AaiJTWlWgCcBITB901H3Z12dsz2a1+4WrUc=,iv:5Xm5Rjw8PS7hkTcRD1kj5XS5uiOgsPwXYeaMqUReB7E=,tag:2Y5R1/Why1TQd+ZYTF0qDA==,type:str]
pgp:
- created_at: "2024-05-25T14:42:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtAQ/+Pw0v8i3ZGw4QNjAu9NX6ZJ5hvBHJgtcOWch3ZHlIAuxs
rNoPYhuKaYZL6QJcPTjP8AHVkFIEp+mVbXnsS3PCNUxPnwBS3DfAk+b9OmIJ5U8i
H0VYv4FpdAblyq59GPYx5cBaKUxAagATqlYmMh8b530DYBGcoAHPtzhCaZj+aJI9
ybakmmNfSqtdhJoWwRaRekqhbZ++wmS7axeefawuicXpdlNxhypEMKBUpGA847cH
lI4hw1/+KvyN/BT1q66vQanYpM8NNFLyyamT6HeBxQ1lP6gfb/T0a805qnaCXaZY
z2Ui6XJL/lbUWzG/0xnSJIFiQc7hIqMGIz+EHyYep5NBu/hiIUK1RpIFL4ClEOh3
kfVlWC16ys3fGHlFOTTBc3yJPGtyPjd5lGGfFmawwnegPH2wdNIt5tjrA7+vwKRE
f+RFNzvfc11o8rhGnbGd4ZGNgexuhxVaRGDSNqO0aixprSurcOa21Z1U76tvnJGq
IoeFtZf5KutqqLIyLoK0JM0YkSb92S/BHkIKpUO9fsKLRdQdnvm++8NRLJ/jXLVz
lZZnLxMC7QvKMyxE7J8GKye7nQa6S6CkEcqUsgXSMaxB3GMe9MiGWS9nqh16tHDX
p9YR9FVj8BUKWsTbIPKkomIaoxhRJvW6cakVcM7RG0rySVjGxrc2oAvYgjpVmmDU
aAEJAhAxPM/qlV+JghqnmnjP9Kn6KTIvGV2NGvX5YbY4k/NgL/sZ7VLsGZldemiu
1ogKtLzjRnvtruPhXBXPv3Ivw+a4ie7YBPsyyyh4RFfnZq7abAwBVDZDVXPA2GUS
9JOUdkYe2Q1T
=1km6
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2024-05-25T14:42:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6EyPtWBEI+2ARAAiyKB1LVhFUxkC/bKs7TmtXGbA+2xWwrtt9gUACD+GNlT
P0jQJ4N7x0xpvgo+ELNx4Owq4EXFYH8bI27zUxW9FmJu672uFVIpud4nZX+2AfFs
+Iy7VBp95kfS77Mc9VClJTJEaLMZOvciqlY58p1FB6C4pNwOuEhMvZ7athLVLlEz
hOrKkJAAtnjWXOFLBkq7BKCBVsxSLOUXMBgmK1Fr4dTJPifiXIIbO2BdNXanzMpv
8ANtENZ4JpqBHDW/DGoACkAh/hqu8p4B4TBC3L7szvFktsxy93w3i59CDXUroKXO
cG//41R5OH/EguctfO84qUWCe+eqA2D2ZuWIqSD6Aa4izQE+aTl+WDx/oxKuQcJB
UgKiLm/HXI7w1Zp7v2oRUt4BFr2EXHicsEkV+ztCGDMMPw0zBA3EE4fMFDmM9BXh
Y6bOT1cV/TQ1IgWvH6gMe4qdJscqYEfNMJNl6kZzylUSLBxK0YAfqxSnvV6lZ2D7
82KLl0TRZOiCWO0EMcRuN2L8AasrO4PaBGI/kbU2dCr8q4ku3qTjW7b77d6pVW29
Gh2eV+goXcdnk9tJt4hPcmz3vYIFJL8Pbmy5mSO0BetFdFVFnIhBuQzrXwe+Iq7z
nQ2L1eeDT0WI4PMEIz+YM0QVCMM52d0fK+JeiVz8H/bO7NcPCYTylcK68BA6QaLS
XgEP7Vp6aB2qQPbLYI1CfNrjiHLyCHXBJwyWGR3sSFB6LmvHsfx3tsHWdKxyrz3E
9AM9WvP+taIpK0F7OjDBcadaMo3Bzl74WVEtznaEmu9Vex7HxNXIMXXBHMj5RAU=
=CbYz
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2024-05-25T14:42:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJAQ//RSjkwW/PxItmHjB0luZ8pP6sMP5iTrgvwie04F3y1gu6
mIdAvh8QgCn/5Q/IqKZo7zdUzTQhyuq03DNUzuKyB/Sel6klohnW0QXes8Jt3vUe
W9bFFmIaFTk4mDc/tD5Vleph0ruNMXHlQRO4ia5wcYpVw0LtT3pKM5XApNl/9UKT
UFZ9/Fvad2a/p277Ai/N5dPUwM535s8H3Kkz473BvoS4Az7cjVnyxKHhguNQH9pw
n6hgXEjvyzDrzWvJwrX1T84KvCsPh0idAA9W5YfMU/4loL4RJUqvjkUvn2ErsPrl
gNoPTRY+BiivW2HV2uWRkiOyKTwVLdgs/oawZX7LB4aIaI9b5y8rcmHV4fKP8OEh
3q7LB5HU1peGmd6agwu1/ejbIc3+4WytVfoqHDI7MJ7jPE3iyfAxaZm1x5PFbVhA
7zmYs6tXs891l3ZJps84I/S1uSHjxJbMuGh954RHMmPHCrnLosS8yeNLEO2AHpQi
m2FFxbXCRFx7Xd8SvW2lAaKfeU+x36yUYCf7APaQeb59QLTnustIle6i4XQl070m
7GK/Hj2uanq6TEhAKWJlyVAucw4gruCfrjC7extPyY4pC4yXVUpM0jqJO37yCw+F
k64syU8yhR6whTmOPA/c2JsYoGKbV22NYRj6WIK9cIyiL34ellZVO9Ccsz6QGgHS
XgHve1EpLmsR1h1OKCKyUJNnNjvOnehZwyjCFwqT/DrIS1NUgoOaFr7As50YMfhU
ymMhQyDGYjjMHdmGoqmgPMOrJf/MJIECdzx/K/0e+eKM1RsC5XpwZnwKme+cVJc=
=5GW+
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2024-05-25T14:42:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1AQ//djObFBa/PnDRF/Q9ngtQy6VmuyUfErLqj9x1OOojB0g6
yMCvqH9zrN4JT82rb2xqvjbqEtZGq/35B2GccMXBifJy5JQj3SHOyTEPuoVr+yVK
4fzZ9k6vEUYl7FicEZABud8uasfoIGC/jn7EpYgP4v49RtXsESF0aTCnrcwqg03E
/cVJW4ovtIQM6UiE/BQPIdbUNPgVrwbDSxilNQrShvJvu3jVfCkdXuyOqlhF/lnH
weR/P1dNRhtNzZKLFYHNJRiJA3RuS+h2BFxG1pKhBfMfI/s46g74GkP/R+SEX3o1
l83P18t0br2pqqEE/qGHeLQ8PvEsTVHzxAzX8Qgx6qJQQfCDm2jDb6FlsxX6HT0y
TC3leI5q0u1A7Oj6nEl7p70/NjW2+W+cXWw4hmwMMnV0xNXsOBBDqk3sA9rJ8Mwx
oO6CuLqsWMsO0jGWptLebIzGnwMvaSWMGTMRgweW4gKNzcmiOXUrv5OT4ImJxgwt
7rFFPGcrVWUzBdGtTquLryAN1Gf1Co59ndG2SS0LKxVnY1sYspwd1FINpJA6x+99
kX4zJlK5qA8wcqkgj5WhTTXIQGLKD+R58pGjizEJzDt4aMB536uZa86ntP4bd1/5
Q4zjzwF0aIMWX9FdaCilFMjWjT+iMOl6m2dI3EBcUuTzqL8JTKbBxQ9z+Hc+yELS
XgHe79QN5IUbyoH/Fi7jNA7XEUwI6WIrhZ8TWF4nS3HgZkVfsZ/oK1DFBdVcZ5Zd
/rJaKqgeQLCxoRFroI1vZYsBRKInRs+7yziK8YtbFhmX0azW5G0NiUtsYXBOguU=
=YSsr
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2024-05-25T14:42:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA4HMJd/cQYrVAQ//byQSYLjXciKE2ryqYXiz3/OgDd0pIVr9HZLlxwUFJFMR
DLuxWPK+SxUj6F81mi4A9xq9CmTa3jMEVkGgblvjGoWjtEKKgJrdllMCvo5Q/Gcu
CLbMPXGfs/eDEjqEbX1rAdzR31TcFl9FI6bGUIXxGE21DeLIDCgInl5gNzVL+Ser
M5OAxpQCqe23wUMPya16XTzpaxug+mertfyOxC3XUk2A23y/8gey0pjAnaDTPIhD
q35ni2gA1eigiitJv2IWxIfbZ7rFuwmb9qi+vpBeqMTNLBBbhKgbSg4PUl6usFeC
65uRvNJOeMeXfwpPgMlphtz7pABg4ihW7tusVe//Utrph7QJs8bsiokXA/RYtTQO
uMK8oYdre9c4FboINGL4hznzUi02ZRiMh2Hf+V4cf4VK+YoBKsRYfO79lHytFHPF
6XCv9hh6qLuzTCHlUrAfOYbXbduS5mMLcfX6OYay4lYTEpx3dKBZz34wtg3TtMpP
eDuafUXNOfpx/E+4ZtB5X8Y99ax+3resPv9IQMTNOHQJ/vPa4JT8Avkrv/q4wIsJ
yMOixzR2bIPjetZbY4ykOwJxL2b0F/Bm5yu0rVHQp9+lYqrypjAzt5vhbdAMkDZD
CPxhEU/Kq7DC4fSE6ysTGEBBW+s4i7lwqvfds6RqHbQXL/0jginU4zSxZuZ26xvS
XgFinTWqnia1WkhfAZsH+UobDK92lKDiQRtM/xhWkNCB/WZQB4Q4EpJJeXIidTse
xQpG0tREIIuS75dJ6nD+Kh2CkOnalSVVvb3VVN8Ft9PEPLf76mE+x9Zk4Mu0vOc=
=BDOC
-----END PGP MESSAGE-----
fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- created_at: "2024-05-25T14:42:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ/+P1WAWxpVnCVQpoHmEFNnK8x1ZeDN9IyYvFFpFRbRJ4f5
naL0ROxP/E19LGtD/bGbdBfVU4nNXdiXbGYtAlvAybAky9/8a8AJ97n2KVULR3xX
JnsXIjavi57MB3ty+Nop4Fgmv4p4AAsPOzDQtc07Uj5xzxrK9ARtv7w7UyJooOiG
Sp692SFChyskAjTVHWU9WKomqsqZY7XvbHJPQT6Y+wUbAjx9iAhpv0CEJcxX/irF
D3SkUD1tCJ0NHlzCZ0ORLdhDos+FNCASbhYZiCyUJn1mBfW6PcHmNevzaqSQQaoM
hd3vOxx5MFO81K3GtE/r1RA0waY/7knBHk0cBuscBOLhs6MC6i6mMfY711WoiOTj
Y9xCjAIYdOeK22fceg0Wk/FMtivFbgddpk+jOrAR6Wh6n2qJZDJFdxFpcaSF2fHj
dBZuJ/q5vRedjdLYFnL2uTejAKkQLthqL3F4m2Fzyr5wk80eGRYqQHDtSlwagVLD
ZoTLCtGp8qnSLF6Z+nnS9lmsf+X0286wAmRtxHsrTTGm2CDhBmvQjNeq086Bdhp4
z6S3WlgX5oMbTS3hD0BIr4euKIUT3CZcbyXzicuS4iwYOq1iaQEMGvXJ2TKkaOsI
9W2CPSySkIzp/z5Cpet4Z2JFBcO4QwgCvScm3yK53ZXkRoSwkUWBiWUO8GihgWzS
XgEGOQGCaBNxYr/B1ePYUTxZG7gz3qe3QzzrYebHUmYlEFcC1BkyD0CfWZy59oM6
mHL30p7LuuoQbO0VocvsnxR8ObQhXsncc+EyZx03zyeDSIbOFqs1sSQ/w+K1708=
=dnme
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2024-05-25T14:42:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoAQ/+IDsMHXF8Xpm7Mz8EuZ6OjINDfe1aVJqkq6dislIuniSn
z62K3gIlYKVCkPC4uQ5KAQBC6mCv/IYmy82OFmexeaHO1uYhLiM5z+5efxkbChK6
jxKYudsVe0l0vd7JpJVCO+GSw/jelALUhwtrr/A5URNQ+fQZrTAd5SE9bFEFf0P7
exTBlw6Cus5671R+s7G7OGbKgx47Kf4CDzMizYruRBvjwDPkKOAPAGnoNApjl598
m2uR4PmlqUJ0z/aFcBtcs1au05vGmVvckSMz8BiqpGsmlbZEVIQRiXqsZ5A7X88B
D6Nx0nb0t4WM1EV1UUbSLPFwwcVkOSHHfs8SGk3gaStCNWunkrPGQStUFBmU1TpL
2exHEKopll2gQ+XKfvE+mPF0cqd8dq2SfZpLZgp80pKieuHXN/DJhEHoBSELixDe
zRXB5/s6Gr2Hlgd3lfp910UndiycP5ROJZbEwJ6O0x8QRxeIqbpk4eXiIK/4lxiK
ENepdeFSk8/DS/yEMc4M1kWxxm0rkQO/dxn3SvYV49eNFvkRMWkWimMrSbaIUKNM
k8KSLYr6JuoKP0v3NZHGcBZUGd8KuDi8R0A9KZtqz0pHyRIh/Ox+to+Gmlw7EP0r
ARPQOBQBUjcxqW6BRJ31onE24AxZN0b3pAAPMt7Z7KXmveHGGqolU1peZfeATKrS
XgHJDBQkCm1SOX89yw0O0DVZ43z0b9UqyP157R4JgdyEleNsMbPl+KDPCPx6vAnm
iGrsjpWeKMwA3s2biSYUb8T00KD48vH1nidc+XEjfQ/fBDJIsR8Ku7YMZtzKmNY=
=xEYv
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2024-05-25T14:42:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqARAAkAuIMiq8rw37IFlLlVv1tzQbGMmWjNhQndBAlwA/dAaf
zk8dNuKA8wlmAFv6uwbmfOzvdiwunoYq8cgIRdaP7ieNPRppHIm+pbojWKOvXoZZ
6b2+ILacE6JBHpk5o+KbrILrnn1ciyfhGq6CX9gCi9+vvQkZk3+WexgaHEOfFL6x
zCp5jVEIbVeDMZIxVbDDVHMiXBy2qmpYrSDMnky05/szu9BBJodcsqZFAqgumVf2
kBFFvnzdhJgKWBfJ2H2CfVOWx3CUhLXidqJyFgzs338aGhSNO4jGKvOn1Yx/PLlg
LSRphptnmzM83BS4ev9/ejvYiWbxorKSBTPZBqehpKFtPdNNUqbWMpq/lmAn3yLu
S+yAVAklCHSDtKEdS9YHAFqycgxvj1VNxLx1DI2mNPyUBoOgzfdD1NiUDQp2s3j4
EX8EsH1+b1eKk93751yLKMaSfLjU6lnd2d/h++WIt5tDx71XvIJ91yV3NJVr2wIo
MVIUJFh16+zQOWvc6rKCQh8U5cu3AVcB8EfoRrn5fCNh6tu7Aw/fHxz/l/U0vzId
cWFZCYFrg4i3T5w3U+ZV5kgoMQaRDh6T8yVXZQTzKSi5qAQW/qeGn6h2zHWARznC
J3IJ6M9pX6zibz1ao9oc0ePhU3Vy2vNFdFcpGgLe3gl10BM7GbU7rrmAlHFgG4nS
XgHhWFZtUAcYwEuhuOVDfmN4J/QNWlzl20RML92pf0UNCx1VHrStAbA64MqyvE4V
Dgallu5Dr+u5SHLgAaNj9HfgAGuDLPCXGrCoYK8KLUR8fIYwkuO13FN2A0YnHOY=
=IKCU
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2024-05-25T14:42:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA4EEKdYEzV0pARAAomxJSaPmNrFFIiqfWzwdemWBUK4oujqRSvfRmnK3fg7s
p+Q/eV8/jYqxPk1q/P9thQSu9gq3OXLkgT2TlMwcsFBG1+xnksu3Xcqr47ON7N9H
J5K6a0KPX07O9fuP6VZtn4cDatLq6ag7RYLp2D7v68eRMi1Kyc3W3mZyz2AlbrUO
7T/tOqQzD1Zb/vwIy0Vfn8w2KMCPBi3TxlfSdohPsZWehrIAAKZHDRp2931iKPXQ
0gDwjTd0sEdXwi+sfXxq00988R4uXIjJhBd+ZFOxIHg9yEcXSW02eUauVwETuLzv
2ohAB/LOKQx59mVyE9gFxtMM7oo3vb5zWcnX9pHG+N0UE/RU2C+aR8a3KCOtysk9
cHwBLT6Iv3zijeJCeKG7IvSgsp/WW71rqDZCMphs5cFZdzEola+lRXNPIpz6YJ/t
qyTFbu4BG76LZyRRTg+i35NhS/GiQCUMyZoUxW0mLgjDsbYS55FQdFP3xaH5BaPg
81UrfF3hV1Vrwe6DHbSEYe3qutk3p4NMruHvIIJJLwimIe3i6+MP3/N+ACLV1wBl
caNH/e7H4KStDwuNFb3BjXEXHBLPgnnbdkTSTHZFtmEA0o2avrM/EzVDvvVxTCT2
e9pbfNCAoXCNo6nstaWRPKjwP8u5HN7RCxjufpZnySt0H/5Ux4qy2v/01i7OARrS
XgE58F0/szyLPmsigEpWhFPIunfIF6esq+4u9OVyqBicYFZHfUddyqTLl64swDHk
r7vxwxH/A8QMGj2GSmQez25MDU/NBTBTotEzRSyxvqZFTxn7IOxKDblSYPhEfCY=
=Tf91
-----END PGP MESSAGE-----
fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
- created_at: "2024-05-25T14:42:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdAhuqKLIrt0ortv8L+5ex4c8h3ZbiIDTLSGhML7jbMAUww
ntvI7quM3pEBFfdBT4BuPCrgka9gA9KRKGRwxYX3uSe5jPtgnH8GI1+gImeyWIu5
0l4BEMzlg3LOwADrDONa9xStlwAIlxgH53bqmCVQ2t6zHkxAcSGeHLn2y+aCh6wI
9oicvnC69DuQLkMwBFMEMUNiQwwGH8EMfQRacoFAEtH5YqiwBT1qxsnOC8ALfZ+9
=1uoR
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2024-05-25T14:42:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAzdAjw8ldn6CAQ/7BfqXXAGvvQVGeGJDi3+XhvZ0wKQvfS4UmjP7FFa4gm26
4W1eS5hM007yxpjOH7NAsVbWpej8jYA6dDfeuo7P34owws61F7LQLa0X61mC1qOZ
IXx4n4kdYSV/CyqJa8HrDe56B0dpou01vjbVZ383Pbf8+VzxaKeJ2X2y3ioRijZJ
+T+rCkDHx4neOrrUkutOTJhiezQaeOnFWPEAbNRVfdLAM9jFuuG0uKtnd7hkXf0W
8sv7z1xEYN8VF3bE70IGuyZtiTeXwhbTD0gq5kze8LldMLwBIxsrTd/xrH/Oc5Od
nY8vvdiLMlAwBrI4z+JI12Hi+b1nglldk3Hu34KaV7jG8DjgBGBy8yolqvKo0cT/
9T4aAe9eLANvyHpYfA1CkcFW4CHWOBRS79rC2HcHM1tQ8+coq+jxrzlYEBRwQcpE
2jBcP7mnIGPm1csIhB6u/UUKVMqlnZ57MdKHwwXja1vzxfnRNBqFdzq5uZEyU+OQ
dDJmURqxK4zCdhk+De7Nm/wR8J7xtIJLUszu2lDJ6SWQEsut2cNUVUvmd5XV1BWV
kZaIFKADZI9qcbivci6fpCEH1/qoU5jIZJ+zvOEOZLsIJXBw1M1/fgfSZ8Aosl2t
RpikITTF0S1HL2QLbWoogdgBp6X+6xjpoWIhHVi5lqm5CX8HTRwqrJL+hPi0GW3S
XgGQv0OqaxGfD6lwyVjokWvCSEoEfK0e7se+ZyJifwAlarGaLvG0PU/iW5cVUolV
QT3TwrxD94ZB412nL2+4/QPCT/ZtOXcO+9dhLiSLneHrNrSReByIAOE1s1ZU8MM=
=XvKN
-----END PGP MESSAGE-----
fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -1,7 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

View file

@ -1,9 +0,0 @@
{ ... }:
{
networking = {
hostName = "hydra";
};
system.stateVersion = "24.05";
}

View file

@ -1,11 +0,0 @@
{ ... }:
{
imports = [
./configuration.nix
./hydra.nix
./networking.nix
./nginx.nix
./nix.nix
];
}

View file

@ -1,15 +0,0 @@
{ ... }:
{
services.hydra = {
enable = true;
listenHost = "localhost";
port = 3000;
hydraURL = "https://hydra.hamburg.ccc.de/";
# E-Mail configuration requires some work/investigation still.
notificationSender = "no-reply@hydra.hamburg.ccc.de";
useSubstitutes = true;
minimumDiskFree = 8;
minimumDiskFreeEvaluator = 2;
};
}

View file

@ -1,22 +0,0 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.163";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:45:7C:D6";
linkConfig.Name = "net0";
};
}

View file

@ -1,58 +0,0 @@
{ config, pkgs, ... }:
let
domain = "hydra.hamburg.ccc.de";
in
{
services.nginx = {
enable = true;
virtualHosts = {
"acme-${domain}" = {
default = true;
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
default = true;
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://${config.services.hydra.listenHost}:${builtins.toString config.services.hydra.port}";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 8443 31820 ];
networking.firewall.allowedUDPPorts = [ 8443 ];
}

View file

@ -1,10 +0,0 @@
{ ... }:
{
# Allow Hydra to fetch flake inputs.
nix.settings.allowed-uris = [
"github:"
"https://github.com/"
"https://git.hamburg.ccc.de/"
];
}

View file

@ -7,6 +7,5 @@
./postgresql.nix
./matrix-synapse.nix
./nginx.nix
./sops.nix
];
}

View file

@ -44,16 +44,20 @@
};
extraConfigFiles = [
"/run/secrets/matrix_registration_shared_secret"
"/secrets/matrix-registration-shared-secret.secret"
];
};
systemd.services.matrix-synapse.serviceConfig.ReadWritePaths = [ config.services.matrix-synapse.settings.media_store_path ];
sops.secrets."matrix_registration_shared_secret" = {
mode = "0440";
owner = "matrix-synapse";
group = "matrix-synapse";
restartUnits = [ "matrix-synapse.service" ];
deployment.keys = {
"matrix-registration-shared-secret.secret" = {
keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/matrix/registration-shared-secret" ];
destDir = "/secrets";
user = "matrix-synapse";
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}

View file

@ -1,19 +1,17 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.150";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
networking.interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.150";
prefixLength = 25;
}
];
};
networking.defaultGateway = "172.31.17.129";
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "2A:A5:80:C3:8E:32";

View file

@ -1,233 +0,0 @@
matrix_registration_shared_secret: ENC[AES256_GCM,data:5fKfTqwoUreSIPbua5t1lYZFRnQQjNzFvrIBVIBfKWu20kH4BhlDboL/zYnhWLELq/KykX/EUvijoZxxTnUiN7T8H3L6fKOCQKacZkIwKfg/JjqLVnXIaY0JOwg=,iv:Cazhdo7YR0zSgiyQoHLsk2e4dWGSoSfEtOuMA1LEJcg=,tag:KsbnGvEyRbzbIXuAayQk5A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZzNVUm1keldaNExycVNM
OEV5SUZQNC9uSW8zMVNZOHQrMUQrNm01Tmg0ClF4Wm9uSzRTL055ZnlHUlplUHFO
QmhXQU5yMFJDMytyMjFiaWFXa1RuR3cKLS0tIDM2d014TTRySXVtOEJieVRxdlVp
NG95TjFjUjZFMXh2STIyakxqbUJnRlUKQ64ahDiNJ4nPUQ5pLH4Jb5yidNrK11dT
YSg9QNr++FTdYaQ/TXmYTg0d4kF3yb/xyG1vZMcpZP6+omwN73DSfg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-26T00:55:05Z"
mac: ENC[AES256_GCM,data:ix01bcc6i1dTxoYkXbnEbLgMC1bcplI/hZhyO1mFzPAyjfn8h2d4AHUS9CG8UnIDYGky8Wx3BqrC6MmWMtt829m8bS6t83JTPxOEm1pFEa41sUkW9NYuNPL4LQ8X2BzwteQaI8nfscIuwOZ0nK5CmArZneuUookQEszAGX2R0Mw=,iv:mZlEG2pPfKLgZ+6k9iN+NexRzlibYi1HzqBzbrVFj3w=,tag:PIXA+vyOSaZdU0CaI+03/A==,type:str]
pgp:
- created_at: "2024-05-26T00:53:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtAQ//Zi8QfQ8Ahr8WyEeaJIvXBRGUzmyg84aboRweI9D/MeJ2
CnVm91xr74HylD6sAXbGcTnwTtWChrrgSJ7vGBj5t2UOuW9zpKFl/pgs7o4jzwoc
C2Kmgug7S/chaQJsfKTkAs0t/MTHO+DZru+O/pT90zgdQEig/19i1smnrseBuAiU
zow7lc9mwBTIEsTlkYoIr1+Ihoiizv/q9oeMvfaZr8hKV4wYTp1Cx9xCgXxVcv+X
SpzIqqTT/lm87znJcSWCQY9fTRrhAQu4RdhXzEIxTODljmFhQcx/Nug82EAc1Xjh
B7qMIsblbabJyrBUk5BypvDHJiso8qLd/6/i/rRztzK1q3vtT37XPKk8KIJz84cy
ZDqAGDWj8jWDctwac0xTAFKVr/5oF4TGIf1Ydwv7+GMOeXvn2ZInmiMGUKxdGhwW
vg2azqqatmRQxI+kHUHz+FBiQSTgKIkVplg8daCIhQVK4r4CkOU5dPvDjw7FLahV
LN7XVNVCZw7p9yACd5KkjWX2E7bfpHr/EADOr5epc/EZwOmblFmGPzFPNR/IfF+E
QJrw2bTDuMGZRzvn+6CozZOnOFpSrYtzbUHTvdt+iskHS1jD237NOvPe4j2Od401
c2LjekRPo9BpkrufIlDQrgjflH6RGHOLdgqPE9j2zIOfmKjdIYiQlIIjNlh/xeDU
aAEJAhCoQ0WS+mj/YL0Y7lu2/GEf5FxjkOwa0o6SOd7iR17zrTwRkBdSfsSUAiu1
pw4vkDFzgvwR+80vYfZcnYyCGOQKMYcn0PLtmnQfy/LUUGW+B1/kxqSHZDDhCuWr
o287s9GBxBoQ
=BImL
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2024-05-26T00:53:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6EyPtWBEI+2AQ//VYKib9HvGAxzknrRfI15qFSHdvRxWDiR0M8Jo7JWTOCJ
e0BGytT/dkYAKXeZvLX4W/65jQ4GhBMi20NSnyfqsWt/ENoLc3v9mXX3JleBRceX
8Gyz7tlqjg+pVW7lUtotz4vM6TeKBJUT6tHm5K0OiQBeAtjitphIkmakw4wrS0+Y
+3Y7dOpktefQDSWVDPtbDOImcMFS6EYn5JCPG9xOhsX7XoK7/wCmZuSF3p/q6/CV
3NgTK0W2L68CiUye+ajrtn4545f3jnQXiu+JkZGcHdKsHaexW6dzpTsSgsSc1S+t
NlhEty6Q7kXXylG3OAtoEhsA3PP2Av2o0oaIpn1Syd5czHvmV7M+QT1M9HU6U96l
Nwio5cSX7faMrlGfaBNY681kVtOiOSFDMvDes8oPEqrqKEDkIiIQwMnh68iCTXzX
jRj+dpCLLfrHdo1+oB1JI151eB3ofUPbvTSdz/pASJ9gkFJBgGCl89atxZ7BDNQZ
oCbk0NxorDG4RBA2mliITnctqAe8ZcpBrOJoGO8oJ6u4fH2SNNuoc5A+7tMEHCqb
2E06TYmUASROR87g0yZdtffK6+ZlLZzzNI4riTUGaGUu3wXDh1ZbXB1CwF5LJ67d
4P3gJApHJ+ZDrJGnWr/4Tx0NlvPJgJ9bKNT6F45ZZcQzq6bt+RUh6RC1Axvdns7S
XgE7EN6IttIGME/AAeNdGh6O/1XnE2CEiqwqTePb9kgwIufoJWLarnz19qcbnMp6
mfHNrJlF5FSVuipVtgCYgfWDos7ft1qDqvgRSD1awmdFIk/2ct3wjXKxyB52Vxg=
=5zOY
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2024-05-26T00:53:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJAQ//cBAsMfpoC02vbVtRPf02VS4NIVu2lM1JdB/IcPo0BHSF
PHNaVh3bl2a3cqbfMvNG9nquFVpDgtAXcSaIvozlsWgMuBIukfYKgeoFNh4fhyy1
Wgcl26wZj15Tpu4rYHK27CmXBHVusQUyTZVx2CUZwoSdtI2zveWqs7+Qvfhdjb6r
Yt1bDr+Zkrd+AxUuU5Njlp2eGOcuxINGLln2lh8jrdSytOzKll+G/nI8yBdk1Vql
P7iTQ4hHlCzs6HBsgeA7mpkJMP/h0Ts18DQ9sOYCi1SB8JR1eOqZWUu/1nSAk/hV
ntHk3+FnOta4wx7VqYNjRi2JROpvi935JBu0UqwGkVVMdqQNB33/qnJdzcdcfoa1
3o5UtsQNuFZW/SgJ3uiPYshIZZGujH3j05aKZV2yULyBRfP7j4KrIq+3dQLlW4J6
TihPL1Y3aqVvlU0rGOjjKeBL/nTEbEQtbkyCcIrW6WjdWvUYtTeIGnBJt+ExkyH2
cmuoch5XjiwMrXDnIFzOqeKbLsIZIAatFOzP0jsy66w2VAeNY9AyXCJI4cTqE6py
RVc1QK6+ynhrQ/zJ5XKJD4ATequVJidshC8ci900KBW/1R3XLm7zGQtw3gj5QQ6M
lMfA3bPS3H/DzFHq9NWbQ7Lfkm8N5W8ZSQwBKum9o1uWJC/79lFkyfgf4JqDjDzS
XgFfOjk/KKVSrS7P/3V6YHfQscFuq+Tiepr3LCNt8o+0IbNJbsr1Zg+sutuMFhrq
2lblr+MKkvUpYBhUYYen/PULpr8c6QZYiVX14xJQqFzYk4U/4WoFZm/8dXuAQ8s=
=z9Gs
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2024-05-26T00:53:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1AQ/+JcEj7POTdpKoqBO0W8sxpvNafGlxWBmGF9nVMKsCe6r0
+z2iyj0TF2ffRe822djXoG0Kod4Gf1Ihg+u/EKGgoL41CRt3DhszervSesm/pHJU
9+IMJYj7Wz64GekkIVkYgcLkJr7AeIYM47W9kr5XGWCI4ogQLHJEVgrwFMWVsynV
meIBjn8ntS1aI9xZQC0EePlBekD6zvwQHOyEkar1MD4NaMqLKf+9x7IAErY0msXz
czBfBVZY74q0Aq27YqfUcl2QkksxfLsti3WrB4Nb2YIqzGJ6bED9TsqRhy9CQRBf
TSN+jh9Snit8NgLMAD2eyBgGUcQbwvyW2OHEYWpDXqsMbGmXQ21wygBAN0vfSCyx
v9m2+DSJ0jG9icBj31JqZcztI5fRsaForxIRmuT6EwGHc0YfuJwk8LWW1YOTRhYq
KbOMzGZnB1aNI9i7jVYHgraU1vB6u6R3hU2hOJq0zzqP7w/XuSitzb4+EzwuFkw8
zVRNJ406ZYJvMhZp8NQ878WkJRqsV3C++LevnLkHLNfMOfDcD+nltmctVXf99Fc6
ebc7FQj6jOsUlbNQMxnqOZ/6fV9WesjPgCsUMJFxC7/5/5th8CU5VJHYOwwMUEMS
+zbwM41MxUeknII7dc22MHUXxMocVkhlmGPYNc+jRv85nuDwbYqMa9Ht4JychK7S
XgEZyWSvHupNW3XMwspeyYZMS3pSDO+2YExopgpP6c9Uq1TgvkHo2L66SXj/E4EA
RaUR/bY7EoEdNTrqWlHpuLyRihgqHLHzlRsdJZYBinaIfwmKzvINRiQbGjqhKLs=
=mbJg
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2024-05-26T00:53:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA4HMJd/cQYrVAQ//Vo1ZEeqpfN2gJUEKHZs6L3dXmRSd5RedwTxivQSDUZaw
CS5CQgBHd6H8ly5Phc2+QrXSjn6sJubDPaCAVmWKOf4WTMOATgdbp7eNEKlX06iT
igr5UuptY04tM6AauuXNLatD9F/2p545VkLUYVNQriVMgXjrSd2MWo7/J3P7G7lA
xupGHMQ/L3gwU2A50sJUtAc1/SW6h9RMNwHjx6FVRvQtdWUdAoRYCT+r2fICKs1m
MKYOUzOA4CW3uURM2NZEFrVdmES0izv0vNAQqx0lVxAL/qhqwsGqTAZkXryef39J
WkIpqwQWWutvwmpVu07yBllfWU5XzoxaH+ye64p7+3SyrRwdrZc7IVW8NM9NSAru
+2lio54b/dp1Sh7GGV2Y3hNMmGuPOym/PEOLVG99mkfZaPDG+Ui6enV1Ol+dFRaJ
9VqSa1zIo5N1QdW4iy/Rke7oMlTINcJDCA/KgYeLXK5IRz/iv6q1QyzhR+dNH/pu
JzxDSru/ZSTP+oMXZ1AgGf9UDUy258A7oDRt/ECN2c3oggj+Oh/HfnPXfD+9Mlzq
c/FGIRDQE7lLQoHqBaEgp9pejepAAocCci3UMgAO3ZTgIlXwJyE7fWZKrbATIqEX
GYr/tLNIyb1df4Cg2Pp+kS0i5+KnPqcbPkN+IhJq1BA3qG0rzFJiQtIR5Yn7BxXS
XgEVc+mwjUlUnQuVxFzfyZSlVh8tipwLZck6aG3IrLn/9WSHMY22GDOprsy3bMta
OOy9KLyPgZIdPr1v4BmX77x+2Z5EeijAEswFgfPvSPEuWKSiqkXvaVDy9w+U8kM=
=0phM
-----END PGP MESSAGE-----
fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- created_at: "2024-05-26T00:53:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fARAAleXLoRXh1RP5u4Hk4zsVpSbbhKKW8dypXDBVMa4trCi/
Xq5Z7XM/Nip1iBCUHoLRaJdi2MlM2aDfVFo+PEx4JagpjxFjzqW21WUa5vqct9Fy
UVgdsssSVq8hNrMvlxDJwYVYfyQIOUqKyzDMbXOGh6AaOHaZsNsWtOBDJRqHMSXy
ULXMH9xxHmheDDV/ZnlOl4fOBJT+qC/F02Yo92Q7rMHWMcNs5NITGN3DDYrQqs6i
uHopbwuTpRMggnHldaMM2l2n4eCBiKxxz0dGit7FlpFL0kgsZROGBkQUyAZdkkwQ
LKnaqgodCv9t/6VZNATp8+iJP7ji5IvXeW6WQOztb8+h8JV3j8pHdadNzgXxH4av
LVnqAABQMhay9jEGlPzgQFT7zDbaAiUd3bSLz1i02Dyi/FYCIylHFEmBErr5RBsn
lqbG/vAxJPKOkiDL31nkjugd09UeFYNp2WqO1DpeoYQoMltFD26TvUnbOAQo+v/y
xxl7hhCTzbd6kF1VxSCNtv0LhDdirq0+eiFN89E+5ijLjhmpg23S2E90etuRgjuF
b050aoEJyXosRqgXVl0qkOEnXgQDbAXrEobbbRixrIQRHmNN1NjRCudzJjxs+p39
tucfUPZJO5np8ITgE7XCt82IYxW7b3HO2kejJAluIfUxOkdBgORKuc79vEaP+rrS
XgGAqi7CdzN/lfoLononCBOhce9XgdgpbpQRohO+jLp+abqmbnEzI1ZnzxpWXo8Z
taWKvUIySWbN8bWhmiIky9TyUXEfRVKe9I0MUC3Q94NAnlnj+dNXXr3mS/AxNcQ=
=ZYXj
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2024-05-26T00:53:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoARAAsBC/uAbTVpBWv3dmzvVglih0Zlnumbz6wcDbeDTVP3r+
XiUyiDFE/Hdnm5J0be2jSj7s5RIXj8Gb5BkXPoytAkGF6NMtHjZJLmeo7NciQ6Bo
wDf5IXCmv/PbyuydqkHJEztsSMWoCQbGQo+dMeWoAY+WKt+dQGyGmoB8BbeUjuH+
lgKlUk3W1INTV74Qz6avuEQpwc+6hvb1w3Vb5kdzgRjplLUB4w45wP+79HE8Ub3V
7PhhEQMza/CIyYqHEGQ8fKzd+tuX/naYXnbfTCu64eyKCz2fQZOMdqKNA49aMWGC
vo8K38Nd8haQ+tcJvT9Vuis3n5X0Qdzpk/8u+M2XM4UQLHSaKSQRnJLpslumLJGK
fI2ErQJoD/TR+vvwrKXmCOEeiFjs0GC8zQEVP6Qa1JE7Fr8iKIEtYYXmGK0Q5Sku
5eUkrzJC9Lh4rBvGXLX1PZefBVxnnlBMNk0Cae7vGnKKKuARE4aYgRkIhzIp0GuG
pdwSir1iTVMKtfrkpJ7BqPANKxApbLzYHBi9rFWJboA7HAXe/E73HD4Ov0tIs1La
9rwRiJ0LYUixsngf6YvtGuj0ZiuTe0t+VhYzg9sYOcBWW8z/AAuZ3FQoBWLdOFPA
GBVI2KV+vr5h4dy7+yCqPxpqhkKe5ObCdwksBrl9tiaPVoQuN6Zv63kLlCtkP7jS
XgFYwBL4tKcCPfG+9J61T3LqItNLmzrT56LMN6LIz3pvRtASRbSRRnqKuuPgAL9g
IeFHe8lblLErRwKz+iNre6wwQCEfwbVf5NPF+rLh3nfEIZzCf/CF3qrxBpdYzwQ=
=P+bx
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2024-05-26T00:53:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqARAAtl2tC6rlB5O8+4t+b7ZEo4GU578OHN06nJKxxFQHG5zn
mkcANcm5gVDSRAOecM2FyZe4ns18rH4OCvp+uegEQyMVN/XNUEj4/+bGzgXX0NZf
AazE5s2+0i2NETv9bhPjJB0RR+U47PEgx9vKf4EnvL9MAfWyPbGwzR6HdXXDEE/I
c3GNaIOY7YWBgXEuX5LnZbON5hQhbFADY/BRhP1S0d7Wzff6sYgtJhbtaTQFSX2p
j2+pTA3D+tI2h9VvKnZw3n1t8Jc9apP81KNFCURpNpdR8Jh8KQ0aSEcYWTusjah9
QOX8RmsnFnvWKTN+gU6tffcSbu/r76gmXyUCF47mWvn89ETVA8azp/66zfLTTTvO
CmFVx8+2X1TK04SIKa+MQcpAuS5cTHH6bw7N8u1YfX6O8mbHX/ZH7NJi/Bhxmube
Cau4DtdZ8mX4yz0EjUF62skJoaYYUl3UBrkGXl5A4NXK75ZHlBHT9Cn4YQYIPP1b
5MAnTsy6UtsGVBZPf6O/kvkA2gAQNjtOjQ2nB1FF6fjqEFFopzmLnAgGvW7lWkeo
lTbrylmv6SrrvX/0wN5Dsayni2iRb7pisEAFs7JAythm463PDrzaRmLoPBNBmJz9
l88QlYWDQaet4QbJ1AnEaOu5K03coEy6CTzJYqgkTWdLuFC4tUyKsD3P/1EANonS
XgG1y8ifC6F27sgwQribg28RPRvwoiRSGszAXCAeIwo834NQLIvswid5C4VCvPje
XG4X8m9pipP+BoXF8UuX7naRFnIGfXBOVH9N+1+SoTeZtXRX4GIWUGcRtk4nrJQ=
=FQZ1
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2024-05-26T00:53:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA4EEKdYEzV0pAQ/+MLPIERHeZTiyNPEUc6YnWYcfW3Zgnsnc7EzfFn7NJla7
HpD82Y14w1gpQrUiPu7wdjzh7xeOQ3fnk2819g4wEXU32M5rCUay9XUWqWFnzpMZ
/Gy0tdwE9TgwrSQ6GDNd6JO93hLNByq1QqhsIkKEL640Wv6doLVfQW07O59hDrPd
AQ3UxWnohbNbD333yXa3kjfYcNugjtERM2wZ6qqZoXp58SG2RE0A2wMV77H0jOQj
Rx0arENCNBS5XZlIJW6v+I1Ak1wYnW5vAlVRMcUXo8vJNu93WaZ906EnmVCQ0cYn
LeNVH2ajcuOud/uiVntwdYKMr85rMBl9eOlsPP3dHqbhsrXn/+Oqagh7YUwEvJ8g
LK1krKc4Jlj9a5J6dPl0lCsEAv6vGaVCICJkNnd0JikTViu7DhajImfGrSLrA6y+
81hx/TTKqisAL1xBwOOu+LbwlhFZrkrTQaKnueswKzwrS3utxSX7OIepui7Ib7JK
h5R5VDq1bTCbRvo/rRpCaOt1KI6g4ZX+o5TI/60TUcGvzLRRAv7jZZ05PKhcfRuJ
4ZrKoRu2qKVxA6+kcOfy4Gi5MgkI4Keue4tgJsYJ+LCP8tV7+Jntxf4XXVMLoFCH
jQDe3vIHOxNKqlPUEnLlVmv+g3K9Y7N5uBLuk3xkVYrxWRhBmY6e0WtTVEF/lWjS
XgFWqfLHx/JAJgIU2tiO9oLkJWcdHuXAHNYDvTKP+a8WLcJDZdS8X1feqOpWYbaH
zVbYkg4MGJqO7K9f3jlCtyszh3Kpu5CFbfXA0MZ3M2eRoJTv91iWViIWY7UP3VI=
=vsm4
-----END PGP MESSAGE-----
fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
- created_at: "2024-05-26T00:53:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdANu3CeUuv/SDkBQG+aROPeiWBauWaQBDUm6UdXAhEBXUw
Tuj49QiBBCQ440R3SBkHOzOOUUTMPkWo/wESnJm+EPla800tb9B8rOvUj7PnkbiY
0l4Boe0q5XPHSysz9eIQ7zRwSKoClgd+zi/GOtcsvxkLWlISoBzAVOVEvk55OeKb
7J70fuIMl5rZPPFBzbF9gjnCHxAtfSyze5774nPfFI/zoQo3WaDfL/9viRhP7Eqb
=i8o+
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2024-05-26T00:53:53Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAzdAjw8ldn6CAQ/+N5yVnEm3ejyw10aDPkLjJoUIoxZl0Nof6pGZxdWYgiF5
VrEsLv9vYQD8Wp7/nXuI2HW7OoA+vTG9KBZt2Tw9R0iPIMXpEf0fewPSBZ2n10lk
KJPvkMP4w2OV1AfGT+PrRPLaX8/2E4p6dE8BPviWEh9HptYKodhs9lRlcq2C3Kjh
sE88eJOSA+fQpASVZLNHKYn1UrXXENRTHE4tw3+OIpE2KSxHvIv7sI8LuXZb8Jxy
OpmUP+v9fmhsPJYIlP7SAvITMgZdMHceH7SDgOZn0kVU0inr7MJ+FCcNQkQOl7aP
jMp2B7qSXOdC2NHUmdYvzeUx6B8O9Bn19VM5LGte9n1RBnknw6TQfQO+fkQTjUyl
3FhVqQAxrutOBjud5xn7H0Grj+7oqRI51LLUjLQdOzpEi4hul9Of3FfGnKxjOxUf
yVBHqZzFco5rcN2fzMgWytjuSED0AE8UPS/tcd01oXXEsTj4YBSKWox0gZuyn9B1
mspU7vr9I39igceGVE6LJQ4EBnpR8xC7v5CDFpEbCr1qt4VlaH4nUgfN2tEGtOGW
2mmrX2nGC1r1VRm0K+ACRW4htDsOsBzSxQttVJ/5IWkP5fqegcwIajjo18VXz8IH
BtZdJKzXuhQLG0B+sXndOAgACWkVQw4F2hD5CYRpiFtungAqUbtSDbeb43x7ICjS
XgFrmwLxkGfZYKOPehbp8L9glbHpfHYE4CopRHPtUkhLTNWTqzEyE7YQYYVu9Cui
E9Q3v2/+2swn6nKOQtB1Adu8ItCqu8Om+d3IJQvKVS24k4+fKPWa7/ccmkXz7OU=
=w7hs
-----END PGP MESSAGE-----
fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -1,7 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

View file

@ -1,9 +0,0 @@
{ ... }:
{
networking = {
hostName = "mjolnir";
};
system.stateVersion = "24.05";
}

View file

@ -1,10 +0,0 @@
{ ... }:
{
imports = [
./configuration.nix
./mjolnir.nix
./networking.nix
./sops.nix
];
}

View file

@ -1,36 +0,0 @@
# Sources for this configuration:
# - https://github.com/matrix-org/mjolnir/blob/main/docs/setup.md
# - https://github.com/matrix-org/mjolnir/blob/main/config/default.yaml
{ ... }:
{
# Allow deprecated, apparently somewhat insecure libolm to be able to update
# the moderation bot.
# The security issues aren't real world exploitable apparently:
# https://matrix.org/blog/2024/08/libolm-deprecation/
nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
services.mjolnir = {
enable = true;
homeserverUrl = "https://matrix.hamburg.ccc.de";
managementRoom = "#moderation-management:hamburg.ccc.de";
settings = {
verboseLogging = false;
};
pantalaimon = {
enable = true;
username = "moderation";
passwordFile = "/run/secrets/matrix_moderation_user_password";
options = {
ssl = true;
};
};
};
sops.secrets."matrix_moderation_user_password" = {
mode = "0440";
owner = "mjolnir";
group = "mjolnir";
restartUnits = [ "mjolnir.service" ];
};
}

View file

@ -1,22 +0,0 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.161";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:C9:F8:C5";
linkConfig.Name = "net0";
};
}

View file

@ -1,233 +0,0 @@
matrix_moderation_user_password: ENC[AES256_GCM,data:NXJrbRh0A+NQh6Jy9iVAfYhsGR1BSOSuk1LjmArSiVF6jnuJAP9f750cRP7bu7Ai8xgxTlhjAtv9ck6SqlJ6Vw==,iv:IN/siIPCFKE+Nfl/aogYRYAHVgEGhMtTbmEZKZWQYgM=,tag:xxlnl5GU+uusSeh1OvoU1g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTEhUMThoY3Nuc253NnBX
ZkplNmRzOGZFNWlQNDVpL08yRk5VTHZDUkZNCnIxMUJoUHJBYlJpbUViMW9GUmhR
V1F6SWh2NjRGWk9RWjMycGZYZXFZbkkKLS0tIE5MNk0xekwxY0NYYm9mc1ZGZFlH
NDN2dUpuQWFFMTZQRzFIS0ZieTRzQm8KUDRpPJwcWwePKMp6KQMnQLhqqyvuhgQh
rXpKW5fjxyT0Sh2u3FM2ET/9U0TUfpBVYBJojAJBFs1ntI8kFmqSYg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-20T20:02:16Z"
mac: ENC[AES256_GCM,data:5BhSo3YpF3QNqgGnx6YnymaEQB6pchMhokaJqk4rHg22xhbUAzOhWg4BQepT7vrCQlfOZIq4o//dGO+NQxqliiyyywrSYm3CBWD4xfZ9cdfinHC7Pc9lj6Dd4uPNxRjgTRNFuMyC+ATIABI2mHKpg+T2bxSalroIlvNr4vXWZo4=,iv:yPHJZ5PvI5zJlQIMRdbJ6eKGe1xN+teKF5GluD2pyK8=,tag:s4hO9RCdkHDsQ1W+KfXq7A==,type:str]
pgp:
- created_at: "2024-06-20T20:01:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtAQ//Y/GVthqtuK7bY8Ne5CNfn/CD1RUTdX1+KwX1zy3YsgUC
CGxhoFFy1UoXR3QB4Hxnk8R/vaFVHezCWKWY45MAuPtwM1VGwjVsuknrJnSs8k7/
jrzVO9xXgTd26H6DLmPVfH1hKB0/lh84hwVgF5rlPS/P7l92LL0hDIIwZz3dB0kU
d6jLa1Fajqd4MSdLWbZRBPcioC5v1Ip/SXYAJp7IGLDgXm5MN+MnAdybAFsl1K5p
dCUmGqK5IjyPVP564TqL0ZEIXMxSSwex47in3cTYPaOO0L8P3kbKDNWxZQLaqZkn
4RZC4/aBqlfD2STxMez/ksi6kCcPuC7UPRzuq4oH3kOcJHxwIN8Df+DZYA4PJKsl
T9QDL1EylHBhsPIZCoxpmnGl3j+hVmONj2V1awlCaOagbgDlClEUEMyw7QCVVbtK
CW4DOgVnnTxcUaLHep8BgHxKkYjIDIbDMmg315h2ekT86gGgZavL8IiFTWSLzSrK
XChIjUdjpKZhanmSWpj4w8ZpdGOOjernL2EBWtSC23AibBZmQe9OB/QzMpLTdCvV
9t9mMoSayP61oJylBtOKhDnEW0Xib0U7tqzwpaow2V+CU2dr27qie1jh5GqMaoJR
qpu1KT3Z9eqpF3Dl8aI3dEovbmvDMVXErU3pmFu2zRJtm6TOXp4NNOYWCetUfxPU
aAEJAhCFerTI/ow/LWkCQ78cCMFjgKrYabA3lHu11Mr/PiHirwJ/vCmsUMiOhdRw
49lsyqJlO3IA79yW4exG5tYXvPgeJMTdz36fseUEKsewfrPEqMUa2T4onet2+GN6
GALPdepytjg+
=v+qv
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2024-06-20T20:01:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQILA6EyPtWBEI+2AQ/2L7fbbhBH3BfgD7IbgtVn+nEhNJw5tWR2+0z1k72TIr9j
rPAvV6NQY8oVV2+uNLa4fMl+ueqYTFd3/E4IsRXkmexjx+vos27LjDNSu6w0OPJU
BSq5TFqZWYIPiWaivQz4+rt+vbxvpv4Lh3FAXlV9YubprJ4GRrlwyheve/l3F0BN
3vCDLsfXijZjxaptb9nf7WiT9vvWrY0sD4g71ARZdWi7Lb+TgCxzbQMue+4VC0Zu
y/AWIymVo13BD+apoYltVYYvkn7yz3REzsx3NN4bkJyoCAevr6UeO2fGvlT7b7eG
F7CN/TusFlOqWV9M0VbiOGLfL7Q9tGAG3xDAyFh+yMQNadp0M3m9UiYUlHps5DRT
CVsIPnPUr3V/oycRm3s+UeVyBg3rpdzWyNtETOjNY/AqVmRQ0toqZOm//ZOg609U
6+EX1Oc/GosfNoHWJuFmfKJRhPpy2gXZX2rQuLWaVJUXzzKM5sbLnycCV03S24PU
Fi7Z5lIu334QTLG8PV6agO5UprZb946qPmW+b/QnUol23XXcgh1GIgMV+lEK8+83
UPT0aUkdtOTaKbWUg5xokx+0Ni9syJ4Nl7naQq57qOGiecMnBbeE3TYxaNOcjTBh
CY0/hdcrZYH6VPeDye4yghSDF9WCaNUvzZNePGzdqKK3F9O/NmBSiYd/cToyDdJe
AZMZCKxSw0/HyBqTRd3wC/VhC9uO2I4HWE3LuqBPUXYFWc4W1buJs+P8pFjqT5rZ
puHPH8IxIeIiVNO5SFhdL8ecSu/nawakvih65aMGSa102e6B2HfP6tD4SmarmA==
=tr5G
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2024-06-20T20:01:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJARAA02rGmKxyQkvxoXM1i2dLOiH6Gw/pUcdDxYSwKfdkNU3X
zc0He4FNG8CAURVq5jARD066VecamkBmlr+rwFJlaeqDPEiITfkz7DEGO8pPxKG0
GBnFVA9r/+OU351yLjHYB+72jvw1ey0PPHvKg6/sKjovssYvQLipUcktH33kPqVQ
yJzuQWFMWA7Jn/wTa/TP/53o0e//Kw9df69J3BSmnw9F6rKHGsIXLBmyR9HpQsLR
KAuClMzjPqHszCICND7vUDEzUvCcOVyizZAcRzWfDi/llwKGUanvEGUVXvyDXw/E
Q/FyR+VJXCzRlhsFTTuavjy6nhDsRf/N8N0Vsd9euDXOPQ4wuPAgpvdi58CPBmzP
8jU3xpFSXStYBIMt5u7t+UJT4IwdbjnClyIrSuyaV/7N5UQdYTv0fBy1mRrYLBAj
VhlRDa1y79n22Kg8mvDqJ16rC3VypkkQ6DaPvyDwlrG8iRLG/xi3Zz8HHnXxAGAm
SzliIolwEDHJZHI9ZE3YzpFJkB6UyOpXS1zMsDycupFvQ4jd2fQ0C7w5OaJHCkeQ
3zTKgtufjJGo7R2Nf0bTWTfi85GU3jpMsOHCEcChgBVXcO32ZZ/zzmqtXa/u3m5v
sjUstyBXEmG9eyIaiEtRAMAblwRsJPMszLaCUuBpzQw+mm9uTCsIaf5Xdud7GFzS
XgH+whlmbv/UeUC7bo65uxrG8SgTVAaPZpcQ2dP3rXYs45zYmYGKJaZuW+Hrl+nZ
pd6zT6rb6R8TMmXkNA1TjhvZ/A+ONlza1fH0dmsh7U9oqINXNFJU7Qm2r7imFvg=
=ZIDr
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2024-06-20T20:01:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1AQ//f51KkC9oViW/0EA0TLdWgXa76ZXMeu4b3UhWaQvYDT9+
8wuWE+slGEWsRnFZ+pgWZoV3HIv2p+xisX2lmBvepOufaRh6cyNpQaZNl0kFtpBo
ShQ66SmkorunYyM+OIh3ceI4PC7ca4KsRKB8nWkA935NWssFN9zMlkVW6GjqzTft
2JVJFL8GRlhIRMhJwSzp8zZ3XiYD0sB/2y+ffCMAOSCnDVcDjANyiSds6MPxfPy0
/kaNTXuUI7H50tHQP6vzJ3q1mRpAhUTIxubnmBTdvAQz/kaD0qPt55z+Q0xSXsLa
yfb+Zd2g/2o+IFiCrwqcki5yX49Ol89l69JRyIWe1T2VtqBSUVIiiYreX5OnmWPQ
OjJ1mAn9tpIlVSHzlaONtmJEmAJ+n55rP0itBMs1CrIBiQleLaCbSWqp6q3RfaJr
gpXnfHQpsU7cKEDQeyvxmH8qgrSR9AVh/knyGOJy8LnJQ93aQpr3xr/2MiFPYiKz
dcSrxHesrfx2Zl7bNB5OZ7VZTWFSunZQUnOn3F3+7yaaT9ePsvWsyTKBOSGUiA7s
VMxT5+P8QM6UOC8KxJj/q1eAVrWvN7vYbCA25+SzbdTtr1RweOVHzNgqZH5/Q2ZY
fguwHlCGg5Q7UKYKBk4QJFg6oClDgzBYCFL76K4aymtR7rxKl4sJxWoug84oP6DS
XgEZvNS3xsY8Pxm0bAmor93Q08Mii1svnNZ74Eqmbo9GxBjHReIGKDDZ08SaPhbc
NJxAP2C2sRUda2R4GvsNYmXHzGYfFTrfe+AXqEV42ZSD9vHDJMCiX9JrY/r4uSM=
=+F4l
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2024-06-20T20:01:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA4HMJd/cQYrVARAAq/cP9y/7kxSXDFOD/xhI/3RjGzIN5dyHlfrmEQWJ8J7z
ov0VfBCJp6gFht37dGWuLtWi1qqWRgN+9hiBnkj2zONoph0SRGP9uNfadBSzYSD4
wvlOFrWeM9cswnk4i0q8Go+qdCC6U0g1szjirdifF7I9KdqKpOFwXzjnzsPTF42o
9oFCP32esOYv++DfTBgrSv8/STublJYABcs+lzjvURqBsFvdz7PBphH66++yxt7v
bTTmu8O9WHC8/5QTfUzOBAfgyu4CwF3YLRZd81ERtzO/udNYgGO3bifofCfpv+nY
MMyCbGxoiAfBWcAHhka+8nMnBj0as+ln220O99N6zH1rTmqqDxRQkEiYek1MqEU1
f319u3KqB6STWmZvjlwQ5AhwSLCLT2VpIJX4CpMClWlLb3E2rpZ+B1uBRMQQ3fMe
jSynatL2vXn3rKWzxIEIxA/BkVKQ8zXgOT9JyqyCZdHTvjEmWuQitILi7wKWJb7/
qhTGEBoQbjIKP2Bpso286RKhS3erE0wqLeXXFb7e6bkEEHXa/jVHCZk8/qDcAAIB
3eIb5SNnLxQwo07JlWdDPzCvqeC4fx5AWxXmHsKWI+91PA0jdNjcEPt2sxwAEQYq
LWBW6BL22Hqo/VOBXhM1T5mFKomqySLSrxTYeWXtJLZwh0aHbm6RyGGMjHpCiU3S
XgE8EQeKefLHoTixb1Rl/amIvtOUUcTtdqlyat9hhIdMl/7ZMesmNuD1ZsEzdCJd
20/DgHzFE7WvZKrjt73GDETUjwLHZSl5fydQMgcNFgzU2mdV6nYNhF18gE/af74=
=UA8K
-----END PGP MESSAGE-----
fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- created_at: "2024-06-20T20:01:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ//RVzQX4Ua5XZHTIe7ffYiqMxy/KoJdbCxpgjbdD0sx2ou
zCB13t13UkLjLo5GkTE7kRGtyKOdhQ/7NUA7tOZ+rwWOq3NehOTLfU0wMkgT7tOh
byWwNHrY9VHz3ndFnya5nNcnrqILA1rEn32PnioNyWcU6832jyUWvtRqwF+JRrKr
yRJMvz4T8vmLwrxqarB1uqU0OVHXy8bq8d9/pVrAmk6+C/H5FINFlApD0dKYftd2
phoTSA5WG8j1e0v5p4+r9cRHlYXFMinMMkpzD/JMyNB1WVZ9aGQxU7WiuYzuv1bh
PKN/LEgfh3ypI8W960NHv/OMRjVs/VxA+G3ml3Lw6acRnaLr++MhF2G7ZBTx8rgi
fjyF6m4XtacwIKYZ7SNt9eQewGI8VU30o8np33qb9KeOt7v8PrMH1G3X+bTLnJGw
VjxjvaBaePmPplYYS7xaPuUnzFNabDXTE8XCQpdJMy26ef77gaWr6TQwXbRlZXrx
S60EecMLwUj+daR0PkVBkCDxXkW8+0uPkt6EEn5rmPdMXoh4DUw+4A14t7yyUU50
j3M9tv6DuYs/KhgZYfLe+6hVD7fY4lAs5Ge6QGLA/TljAatE3zpSZQK+b7C4HKJS
3eRpcAt6CJFhXaCBwl4+gigrg3voX1ykh62oqY/4ecKbAiiVXLIrcflv9kx2Ht7S
XgEDhoIRIvXoOUy6j/qjp/OFxwu5y6MpBX4vHxlpL36daL2yShMkCYyY3ajea4eX
9k7B9fpRu3sjbDTNr1heffI+5n/HKc8j9a52hzu5eF0e+v+vKY32uk1jlUhZdj4=
=R/pX
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2024-06-20T20:01:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoAQ/+OHZshi2zBfbVQ91WKLqei7bT4CZGiPxQsl7aogv8JkyL
D8p+VgIReMvq4F5QFaIsA8yqMSnjxfIi5bFd9SKjuhOKvuQjyh1rSsFb0t8ESuYi
fHBnVw4tDNfTEGQa9YhNJPTq60TwR4P2xYFEgc//AQqfs9XH0cTbvkFS9dkug092
u4yJfB2aZEJa0Eh0AenUYzP13bFH0sJwL1hQop1v9gF44JeKHpRNd0Yixlp0Yucs
Ccww+WaNFVQ4+zvyW7MnI8/D27/SQGRXXqQE6sOQlsg5SUzF2vIpYbIeuu1NR5WK
v1ZB0DlWVuOshIB7M9WUCZcAS5cMAWKc1vvZ/K0l+6tNskZvGE4p/lv1bmZ5zfc3
gT/2L6ENuoKW7RoF071SsG9Xn7VJync+iNTtg0m7Je7HRAZAGGc8vfIkrTXAmoIE
QkGuog0R+EZxq9L1WMbppV/bnbBxiutFxwWOGTxzsn+DksVrVLvyI/EbHJvcEwzN
hISPFmAiCEKzGAGfaO24F5Xcs+U6AgumS5V5kwY6zA/kZpJEdQm38rcC12ZpXR9C
oHGs9ACtgf+g8H3/Ks5DL48FTbYuZADamVA5+pV97B7xCS8TxYChuFNPLwU2s52G
liiZV9NevlFlbsXFZS/EWgR8b0aH9Nhjl5TAPOajBOu0Nm/83XEP9nbbbjJjGRHS
XgHop/OMkJRuZZ35JQjUS6dIBzSivqplpr51wHbyilxbvOHdvuu6w9kqGY9VhuVt
nCszg+IQ0SM8YFuu1M5UPO4txYQTHx8zO5SD/d8kh5HEu9fmTNyJXblRcyAzYZc=
=TxDz
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2024-06-20T20:01:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqAQ//co7jg6v5QUB7eHXJPMLxsgtbC/VYp7C7QqXQda5qhohW
t0F9lysBybhIGoYuvfZGzNMYqqkVpFxzlOO2vFlcYFsQhjCpJrHBWYT4XOmIBR64
6Az/iKqNLS+cG+rFIIuc8BqRk3r4lrM32dCqz0a+3qRkdmbff4yKuzg8FTPlv1RI
O9SzRqfptcKDXItnQF+8CAziqcGyy4jL2wnl1Q2I2Pksr+Zw1eZVbFfHmCpG7A5C
TVihozz51jeXlggDp9/NPJOQDsmV+KdpvNx2Eqj6PQ6aGWtyYv5YZG3X/eRKW90+
qUOJxwpW5KGcROnuvQt1AggcXquOTLHFyJ85M8tpJcl+JYVZsIeNDo+LO8sbrCTA
cjp/YSLOms+GullbGAwrJh4TYtwJE9sEKr9OAFUvd+AxVFWj08BqMe1eN5YBbwwB
vNurVdvjE8jaTCmZgPPOIP5KXSrsG8bA02YlZ4MnzodYidIhTudJ8VB4NYCtNgOL
G/x7h/KA5KYgDWEtr21z2oy0QkGijtrcNa02GpslirjufZ6TPGCbJjAeEsPbYBm7
mDXm5+PzZpb1pbcSVNlVG5Ry73JrZxBpYCPGnxLs5yAmWOlNa/xcgDHBU+iXyVg0
Wm8pHRAVNfbvL7NB8yeaxSDoTSE7/BsisL6tUHoV+bdlpVsTF26bQZBc/zhxiZrS
XgGJ8ChRZbpi2qUzP4nA2jPkYtQ4cquA+ftDx4i+ZqVNtAhVSnTiBZoYu/21+BUB
oxDa5m2vD0s0t0fGfmmIvpLZKZIF7NcwnCdNVQve/D3qNNa4T3YnXb8JTGH0PYc=
=mu1s
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2024-06-20T20:01:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA4EEKdYEzV0pAQ/8D4mAcC6vsHLkSryz1yIYoBqqtJnG62pITFEbafhVLR6V
nWAw/zP9DqNj15MsrM67xaQxlMVgkVM7QTchgp0CjXsyZ/gWPgDl0NaC92Uj93Ov
Gi2OpkfHQFaAW6JsAFl5NrF0ZBw/flx8X0l2klIxBV+ztpkLADEtXWsoGsmz5L4m
n41icEp9+nb9nwy7p+Je0s4jZCBB0sVlbkX9i4IpMOgEhA0HcWemc940VJp3UyRg
LkOs5C0J4Y4qjS12248y16gV/IhNaJ4PCPgVwSj1Xzz6VXauQosmWhnUbnqJbi3F
KWEV0IJJO+dlj5VShzFDnkN2bM1GeyQx1S+FkNp+Mmm6JNrUK+CZL8fUYka06O0V
DD/sg1Pyq8VawNG5RxwAWA5F1F1SIrJzF0T4HyIN1UFRCjWC466sdrBTQLtx472k
NdBCvabHS/bx5miPKF5iglJYzz4biUdevc3EU7q4hwgMYM2oep3m2EsaTbKWzjnY
PLB4d0bCsRlya0YfHaFX5f3xSNb/FzBcUlTHzX2asyB2DolMug1VqS3jCEkWGbk/
vfNfR5yRuwkwNlJRqHbGIfH7fYEgwSTW+VW2iUdY7Dra7xjgTzqZgLi5W8QwKJqq
1V5H4KlRQNYwloVJzQZCwoPcY+tBfTZ4LsDKtjyJzFY9vdTGGGqb9lAG7YBUdubS
XgE72UuZvbPQZuI7uVKMEORGVssQjwZFhs4InR/Ixe03a7hb8fdRHfu/ueS/3KQx
mRXVino/iVQ6M936mtibfeH9TpBpjqH8sBKNHv2hgnoap9QpkrVn1yWqrOcpht8=
=+sXL
-----END PGP MESSAGE-----
fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
- created_at: "2024-06-20T20:01:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdA/tIZCvQv0E4dHN5jBHsAGclKEeLFhyf4lIQx+xa+uwQw
/VGCdNT8U13EawRC66KLXRrRgsNPpwUg15wAoTzQ8gW/tLpgvL5nsEYPfaowYwBD
0l4BmNV4o4J+NHF7Tk1af2kx0pp6kF9eJynn6irr336tGzY004lZfZlqwgeOk+qN
93XcSfdAOlIktfex1q1oTPrSpGIv32zsLPoRNVa50dO+IKu1tmYAxi9N9sQgbWa4
=rnF9
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2024-06-20T20:01:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAzdAjw8ldn6CAQ/9HNG41mTgq8VavF9DBX7+upnsmoDtwblck18l3rurJ1mo
k2ki7tWwIxRyLLHtsUxJ9S55cmXuhhPJK8Kzc32SnY5irDkqK/4JZnDvofg+z68B
8pQOunN1BQp50k8vd4Mha43re8s24iqrM+fj59uHM2YYsQYt9TCR/NvUopOdi6l2
8OnKI2KdRvYhtzzCY3wmQKhG7p0hc8y8pP/0DmPW5IGQ6OP4zO+Qnc4EbVnA9Uhr
tZ4sTNn0o80kfvILKANkAm81v86KdSRXdd3+1IpH1c7rTqm9o+DEm8nKnwWOF63O
P0klsYLlfqiZyQ0AyS67RHPTw/y57mAyWVFbABDLtXQQHWcIkADMLKTJLpnhKkRn
Cp94EXBBBwViAUBUzzskE4lgKXncl1h5ogLum8btU+cLky0qa8Hzie5QqszlErf8
fci0AEHV8u+Kf5EARf1FiY6K2aVnFOJchdeL98qllwRu6f8zz7+bfLq1UXcGBlQS
JnbAlXiL4vEBxQyW5awYYzpaMUTW1ejjujZUitdaUeIQJdv/IJvHe9y6/F0uukdt
AMrDI7E+JKa6hLPe4g6H1hUzh6GcaHuNU9z2NSDfzxcOHkqALsCDLVDxsjPhahCc
UZkSn8ebyqv7/jpTgWnsls0Fx8XqvKKJNoqXfK81oIvWlJsEwqSaBczkq9HQbO7S
XgH2N8XPOJWmqDc+xS26eERNJ8ZlhYaODWwatgqt2si6EdBpVRZL4PXsOrOlI8Xi
Uaag1/Uljqbk5mN18+CtSfSt0ded79d44B9zAbc70hgvkRrpcotDBnO8YQ9MxB0=
=O0Sg
-----END PGP MESSAGE-----
fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -1,7 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

View file

@ -1,10 +0,0 @@
{ ... }:
{
networking = {
hostName = "mqtt";
domain = "z9.ccchh.net";
};
system.stateVersion = "23.11";
}

View file

@ -1,9 +0,0 @@
{ pkgs, ... }:
{
imports = [
./configuration.nix
./networking.nix
./mosquitto.nix
];
}

View file

@ -1,33 +0,0 @@
# Sources for this configuration:
# - https://search.nixos.org/options?sort=relevance&type=packages&query=services.mosquitto
# - https://mosquitto.org/man/mosquitto-conf-5.html
# - https://winkekatze24.de
{ ... }:
{
services.mosquitto = {
enable = true;
persistence = true;
# set config for all listeners
listeners = [ {
settings.allow_anonymous = true;
omitPasswordAuth = true;
acl = ["topic readwrite #"];
} ];
bridges.winkekatz = {
addresses = [
{ address = "mqtt.winkekatze24.de"; }
];
topics = [
"winkekatze/allcats/eye/set in 2"
"winkekatze/allcats in 2"
"+/status out 2 winkekatze/ \"\""
"+/connected out 2 winkekatze/ \"\""
];
};
};
networking.firewall.allowedTCPPorts = [ 1883 ];
}

View file

@ -1,21 +0,0 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "10.31.208.14";
prefixLength = 23;
}
];
};
defaultGateway = "10.31.208.1";
nameservers = [ "10.31.210.1" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:48:85:73";
linkConfig.Name = "net0";
};
}

View file

@ -7,6 +7,5 @@
./networking.nix
./nginx.nix
./postgresql.nix
./sops.nix
];
}

View file

@ -10,33 +10,21 @@
services.netbox = {
enable = true;
package = pkgs.netbox;
secretKeyFile = "/run/secrets/netbox_secret_key";
keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
secretKeyFile = "/secrets/netbox-secret-key.secret";
settings = {
ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ];
SESSION_COOKIE_SECURE = true;
# CCCHH ID (Keycloak) integration.
# https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7
# https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html
REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2";
SOCIAL_AUTH_KEYCLOAK_KEY = "netbox";
# SOCIAL_AUTH_KEYCLOAK_SECRET set via keycloakClientSecret option.
SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
};
};
sops.secrets."netbox_secret_key" = {
mode = "0440";
owner = "netbox";
deployment.keys."netbox-secret-key.secret" = {
keyCommand = [ "env" "pass" "noc/vm-secrets/z9/netbox/netbox_secret_key" ];
destDir = "/secrets";
user = "netbox";
group = "netbox";
restartUnits = [ "netbox.service" "netbox-rq.service" ];
};
sops.secrets."netbox_keycloak_secret" = {
mode = "0440";
owner = "netbox";
group = "netbox";
restartUnits = [ "netbox.service" "netbox-rq.service" ];
permissions = "0440";
uploadAt = "pre-activation";
};
}

View file

@ -1,19 +1,23 @@
{ ... }:
# Networking configuration for the host.
# Sources for this configuration:
# - https://nixos.org/manual/nixos/stable/#sec-networking
# - https://nixos.wiki/wiki/Systemd-networkd
# - https://wiki.archlinux.org/title/Systemd-networkd
{ config, pkgs, ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.149";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
networking.interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.149";
prefixLength = 25;
}
];
};
networking.defaultGateway = "172.31.17.129";
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "62:ED:44:20:7C:C1";

View file

@ -1,234 +0,0 @@
netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str]
netbox_keycloak_secret: ENC[AES256_GCM,data:WLPCwl6KmHhyGwpqchZUmTr0XwA1T9asAEXNOSQMfGU=,iv:fsO+Ho18Uz6+y2iohbve1bUKhCR/c2zNrbODR2Jrh3Q=,tag:MWeh7GhdyUJnSzrndA3l3Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKaTJ5OEJPeGVPTHp5V2tX
c0xYcWtKNG00d3lCQ1JZRERkUFZsaXpyMERJClQwdDFnTVdCRjB0S3hEYkVmclE5
dGRUQThYSWhpK2dCQWxSVjhuNEY4TUEKLS0tIC9RS3hSdFZCbTd4eFNNSTgyaXdU
V1lQK3YzTWI5ZGdyeGtFQ0E3QXQ3YnMK8sBStC8xBKwpeWkF/HrryWi0hZA69nuw
a73HiZuED8KEp5OPME3yC6Ode71uEEaE/av2zp7WUYbCqVpWnwcjSg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-08T23:54:23Z"
mac: ENC[AES256_GCM,data:6KwBwJ1uTuOaCTcBs9sgvX+E/bV37ylJmDqYupa3545ba5Y3VMuF2Hx72zzRYPmh5/DmwzDxc/f7TZUheO5jwwwMGGNCYuX2c+nkzLgtovT/yCXTo8vPHNf03fQRHlOq28ztQIG8Ug1s/t4XkA+iuqPdbvyNKLbsJfJBqg4SF44=,iv:SUXPFtW3/pSTBnjAh77G6pJTucHy4VEhUVkELiMJ4JU=,tag:SfLCwPpJuvL7RrIRmN5PGg==,type:str]
pgp:
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtARAAgiNMTfquNZeRDR0p1DQbGPVx/tCxKng4aQ+6A8x7H3Ul
UFSjn+85rFBqTRswDnFM4gSfokBHLW1Ltztqw4aKuYoNLs0vUGJWrkf5dHsJv2Mb
YJaHm1iqSwIrgmyI1PWvrZ+cUjgUWBriJOTNlYi2iHWBWqDSQ7O7TUqpeCxiHAp9
e6UydzIxsLjl+7gaDW2M/FRJNVKxtq8UBEdg33xLi/eE6O5/fNyo8qBjUUWnG4xb
fiuKWgn83n7vsVsmvNJPlsOUrrZoYJAOSm5nymkXlAEQv1LPrSXXYHz8WoOTPDs8
29YAX8gvIwK+lc7xFFZAsjQ8JzqcVMyFHsT9N8zWSdaOyGcFcsDwBEICOvVSabb9
g3yrI8PKoEkQigeLnzKrkLZX+1vqVkSO7MBWn5xAMMhTTZvH0+MknlYO0pU3ziME
Yp6EbvU4OeRbcB6gMt21KQDhiEkPNdwcyxoOtFIWw8tCK57Leyyyb1YU2W7T96M4
2fcoAzr5x3xapdvOEgUr7OFzTrc2DRrpx7FKoJFBIy4HEvtJKJvKxcq4aUqznSPG
ILpbnH3CEQuWmcGu5fTZ3ggQZW7bM523cz+cwOJjUokhW49D+h7wZjffUuSK1AWS
7FwncFVVkNcLAs77p1DFn4A3mUjdh3jl+VAXudgQfOGtLeLDY4+qlMMQSGPoj4fU
aAEJAhB0l1X5jqjGE7o/PRwgoaeFl/zwiX8n0k26++hPw2+Vt/b3sT3Ce0zNr30p
Yc7h4H8UoN9j6zD96R9MAATHikz7a5EprAshqzV6uy7VNI6bcKVKilLoxVa47Y1p
6PA24RxtGxVm
=ES/O
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6EyPtWBEI+2AQ/+OBSrAP5xkjanku4jcpbYrYDMTWRxVfEgNesvuTyQsxVr
kKK9THm7MUHbVBkx1xirvpv6XLcLtCwdMnYlBkSCVaztGmb1aowmCn5tWZiVDyE+
UPCF0bTXmxjLM+Cav8aweylfD3vAQsPvFLS3XvCBHKWqZ7dNkro+5VTxKmQ+XiZ6
t67M5DtltUm8IWOE2DScAgGiBQlCSY23O/zy4U5Sj3Ii+eRHxC1B7NB0Crj01pi7
2v6J7yNZnw4vfH3UiRO5Vg9q0QLPp3XR6Xb1J/TJJS6vCUarSbL1/oBjujHkF4hK
MEZ+Q3qGnv+dGOzUch4xkEkuWyfIcMTY6JOa3TpkhfkbQwXsph/sD/SaHpRD70Ra
PX0vBzSdbtEMea8/pVTOxfFEjPGQIFI1+pdNmCfzhWNbrH6EqjrSOyZXSr6+U3dI
Xhpyv2wKuNho0c9jWYqPzY4vhSGRjc9416nfV/o7Ebv659ypBKHtMDcL5kebkCB4
W0OwscSRPUXUz2S9XfSa3J80Aakv5S5xvlXo6R/8TDaMWJtZP2vtF4y0elNGOfZM
Vn/zlv1htaezQDNznJK+E8bHEF3p92hiuSjO8yMZByIFrAV1AyqY4kiMmW68scA6
NBOlxah9xCV7XnD8B1ZCR9FruuYYj9cpwES0lLvISBXJvh1viyHN8Js0uApePInS
XgGzDhaZWWyt5TK+Uv2fu8wh6hbX8hmzT9vBLfPz0Gx6Z78RnwflsTqF8svtjSuB
zv4z9d/zrysfHY93Gd8kdKkG955f1THz9dELEpYLIwyLoTx1vHlymVP87TuPqxc=
=zG3F
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJARAAjT7YVbq2/QthKii2fmj1EZgsDm7ZkcAKJ7Bo0jm7Vgxm
wGeBULB0bBoYEiFFO7Kc420Yk6IK+uUG8S8X3bJHUbMzvY/K/kG0eVpXwDJwJPf8
o46blkjpmhIiTvvQ4K74AJgsT9W0yXRrPxGz5HIuOG8P8CAqOabZ79ORfd3KFebJ
yOvBSyor//XoMB60a7uqQoaWw/+UwRKpz2yncLafD23nyuS5uXsoHNuySHLsI4va
y6Nhp4LdpYjjx/DIuzrl/3SCeLgisHL5u5kJ1QaGsfd2z7Tjxk+GoVgs/Wb51uHs
vPk0diKrv/kouW7rN20a2ywQETenik7/z2JcEFyZiOPH9KhHk3QGoXdlVVqESz5O
OMV5d/ijFW92Z7yuis1jSewGKDDp1FqyR3gIMONl2vK7Pzl1A8v8yQBbY5/fObuM
xTs/qwwoqYimokqM3WrjjKgx8oFFstWWzKBT24aCQTajA8vl83v1jfjR7EjBrrAu
+J+wBFNpnJiXgECPmJgOtQB+4IA023X1cdgDm2GlR+sPKKSBP+AySMOOp4zMoS4J
9xd30ltQp1ncNvU7KaTV0VXRaGb7CEJnlhiN2naYcpcsX+G8bfcrCuZwxtBFiZvY
9Ey47LLHP5SPPOWxhnsrPOYidNJd056+uyvnnbUYArjb6s5JUh6KQgjELKCEOIXS
XgEUryr5jMrBHLQi7wYHEqWkouH8cFsPAu5O/KOIYvZVIoOzB3DDPtJ4CknNfAMa
CTvlOJHJSuweQ4Mq0c+247aWu12V9ZMcTQT4e3g5DYq5TWm58Uidbd/g3FDwLgg=
=PqbF
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1AQ//baYynNo2MfmuqEKles0xnZpfPemIyQUnPmRKEtZUl6T6
eweGXKF3Ms32ErPhZaT8RNYAk2XX+RRlpJvTcMvLv/rxVTf2QcCAz6vxukmh5una
5CJe1H1tcDmXrQ7zkGffktkGcT90/OpRbhMJtp7MKcEzfpdgcw5yCeDpYCRn2r9E
/0Eaf72R60ecnr6CaOSIdbpy1QiDMydgmg/QCONBT97RQMJaGN+qAuPz1Fpb/Z+N
E/bmtqS39ADYZoB36sy+LCzp+oMLI0DpCHz2ngfFnKbeYeNU9gMXCAda9/ZyMbaI
aFjvwlTBsvAklWN36pvG/YxoO1XkN/Mj1N1QBvxP2LYg28X7uBnVUZAyvvQPL6xN
U110qThvDvLxgHC1DAfoMygKCDig2oSg3njf8LS1y5XkTag/B1JJT3NcgFI+MMvT
5NMaw6HRAgOwWcJ1pJokFZ6zIpLlIbToutJu/Ep4tisyg/G3ybbthqaywg5jkbCT
vbhzXpsbqkE+jyx2dWziBbQR9lOoTycRwIs6um+pKuPF7TzfD1GRyqTwtU9TN58D
Yl1GN3oz8ZFeGkdy1dXBxMP4EXR1BTdLk14vFGFPbjQ0bAAohOgTSgtGm+iZ73Q/
PFNf/3gGt8/Gk0cMl20PFzk3FMyUDOLFl5dOre0THGQelpVbN7fvZuaXOSZjuYXS
XgHGFmChf+zsmbKnT0tQfzGtFQb0cHHvkenxC5MCCCPibxwVeHEwcJTtPvvF1QqF
9kR3XEpuVFMNFrxsQd/31c5RUTC+sr7W+PRIVgIhdU6RtikIMsmekrunnPeB99U=
=o7cj
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA4HMJd/cQYrVAQ/6A6ealIO6x8Xq3xzjIvZt1R4TvbnF+LmKpW2iG1nO3aVY
QOEGUCVdEveWbQBOexKXl1TgfhxIOrPVixJ2KgIZnNxobhgABfF/H/EqXsxUI6n6
2mZt8r0ibknzoPn7MmC7ceJt0t8UVFgPlPuT7zb5T2nDrm61WD50tbubJTYTuWmY
NE5qhd051/Ohqf1RGB7MEfesDNj0S+J3E0TAjOsAcFoAUwSohUtxONcCSwjiygqM
vCC9Z51tMe6pC9n/2MNgb47xd5eqFs9rzfKXxPlnhhRmS1jOmE5fVfmOg9KOkGCu
PskiO+hgyQK3q2a+/e/MGuKv3ChCrTloTUBarQW5oRoQnWdoiZh7rVwyNVasGfHW
FLEhZuBlyV8w9JqOQTiOx3FN8IhVL2lJIa72Ng+O+AMYuvuSCxv5r+1D88IUlF9B
n01qAMC7fUfOpkUPM0yXQ9GTIWt02Mp/7z15t49Uk3izYCGluxVNhLNFxvAZOZh8
nfT2Hpf5mkJHMvUD9F9rWFVWPyCD0ORN8k770ziOVEYMadSJ7/HpCHxg5m+TqNnM
TNQXID/f7AyoO10zcS8TD0IgDLEjTaPMTPZ1EZ0MvgLQ7MgzPdjdvXOGc0g8L6oa
ac9a/NDWeZGDNfj5T88pZStoLJKnTvuuwxk0haabClxCAOysifxINqJ7U6AfkpnS
XgHR1vDF871X9kwm/c2zrbJca2sH5pNU/HiLf3IMRTAnmIewYxQAvn3JH+0jUUKH
fEt+fZuW9dgfvDzaw4C3FbGxFViRXXFrjqSDGN9JT6VprCmX3Or0RdIjHwdvvhY=
=4agQ
-----END PGP MESSAGE-----
fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ//R+9lFm16WjGtRkq3zcPbva2SpijBjVBfuL2veFyeDq5G
H09EL0+A9IJ5rPI4Y6HJ2LhnqUWg7NRHbmM48bHla5NDtCNB+YsU1rNc4oGIf/TJ
JRob3u660+BxRiEO/Agc925BeQS7xoPSIQTTkzMKEGih2aUj3Im0JHBd6p3UWnsn
ZTUy4rkZHhUot1vHSOh1RTRDQHdDMTFpzPA66nH2y9tyz79jhqEFUCZIVIB5dGWv
blFqZgoVf9Piw/7ic9FHuNRy/5tia7SGN6xIu3OlR3TU+z7fvjUAHG9Afm0FINfm
fS7SRg+y/6wUWVGL8NSQWQLdnMnUt7E2DSu5IY6S6ToZTDxpNM9Waw89GQbUe+Jg
APzUtmXt2VNZ7faIE+tE0LJs2x5OGNxALKgj+K9ZFl6oIL8E7PB4ncxDlTsCRiz/
H15LzKYMWcYAntMVuVbyyzKUh/3KdZWfs31PV+JIQuazVUQgO9R3myn1Y9SnvZdQ
dIwvfYBOmwhC6oCkJB3Pj4yOoE6gtacZBeeUZwScDxH6h+D3MFrF/1bgiKZs26m+
VfuTS2vxUAln9werKIGAbQWZmtCOkRdyVIJyeo31zO3hy/xdfzlZdBijcOqZDeho
FP+WDUAySkSahqV1pr+jIMsaejRglJo/GfCGPdtBYAuB872VpdiQ8g3i0CW7eSfS
XgH5YBfA4EgJSxRdCpBO25i0SyxlNK2WJ9INQbu4xyfBfsZYyhKo1RbmD+60t/xw
Lxeg8plFAuBPvQCRCGvda1y9uw66Hmxt0QKtScd3MXwOk2Q2u04cIPDZ/KAtC4g=
=x1QX
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoAQ/6AgZkGRrZDbtTDEkksKQ84CsGyRBMioOrYfHDSyRb7URZ
RDVLfqr25Iz48kYR1n2nMo+O7QyayjTwaEAwFLFSTIpRKN6/9fT2ZVJxUfgLUWhH
I1OYMmRr9f/30OUMw8uTlCMqznkdoSjBmm0CX2Mu3YyRDUokzZa+ixRHX9TRBrKz
GSfJvHm77HTamvJLZcHnrVi9YH0KL7cQ8ileNHbUbCqmG+rrhiwz+gRp9aJ7pbnw
Qp7TaafrQKFh0Zsbmwuzcv030TJvuZboWpMIuGoeOWqv6tzSFhUV8eUu6UnM/2fg
arflryayYFRDUkysHONGoHviygefHr3+dIkneVO7tJ4ePYnFYhLvUsps4KASoHMF
dHMOwaPQDnBYo/ADiar1fgagYD/1Yns2SpsA1eqWwTE+hp+jwQi0mzYMLM3xl9YA
cMuqIOnXvpnuXYIRmooFtf/JkoJkYDV+8gbowZU52FJbB15QsPUgN47aixkWzJxj
6iV34LoF783DGQTnoMzgV9bDXa3RE1UgxjdFV6TNsPQvmWQJe+NNhqdkhH3MwLTG
jMGAwUNsPnmvCg4xPZlZMiuGhi3vxC4Fj6MWUw8uJbxCv83FPYwmpHCGVNwpDhFC
rRLk9vo1Dsm0oMHHLDxS9gTlg7FCrEyXinHBEq/11wigACM217oyg28nWxd6iA/S
XgHgxWlTQiYOWBRdJuJrPwXpNIHlsNDuE5YantoGFx6ykGT5H42HFlll7xGq6xVq
pssSfJK++lqWpvX076vh9tfwa40N2neO/vQ+8jBXr3dP6Vj/FUA8IUDVjc9xxAc=
=FXTF
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqARAAlG+nZhDVZX/+nHA+dPdw2RSGeXrIaxe0gjkGShZOVhmq
/iOfY7IgRzfp03BCJxRZwTYZu9hcg25jmW1havkmv5NPMDrmhgg9nX1AgyJaOgTo
FCPlXAvBSyWPGv+xgi63ttakHhobOympBj4hSzXdLg3RhkZ7KHci4Qz7XVfOpJ+j
wl/HKkNmkLiPiA7kYk8SOwJMFO89dMphHQBc81cZAptwfz9snTP7v6iBVvQDvF8h
3y5QPpfKEJZy0+GlqbMvRASHNx+w2GXIk6F/ldMt9rq9IJvR0od0p15aXCcO6TzC
Yzo7lIyyxqp9NQyN0S/DwzH0Uqj2CFMYdoKeFTNXG4a9fkVorj8+4rmJPewDxc4a
6Pc1hrQc6qoN+7o0Fj4xYkSO615gmVwZprWLQqgdkSMSPklecMX1d7WmkmIHNBk8
wkFUT0yBoedBiOTIHXRXhnQ8/4fkbRw7HYA3R4CqT7njtvqC0VWfwLISubuQ38tf
wbGKg5Bzzt+T176VoOfjau4aDoy3S1aGQcVKD19egj4l/eO+SvHl3UVZNUipkB3C
7MUqORS2kOh+IIqdSjYKvn7+MuAM5UP5GdzIoHaPPSCTUPdUjOLFPb+bjonTReQM
N4slvyssD3pgy9cwNofVtsmgVrc4Cv9mTo6rygeAq7wWxkl5hvVcmkhRN6zXD4TS
XgHV1a+C7ZWICtKI1u19NVYkjDkRrbQx96UdAkKquofpaQjxxXsz4SDi94BB2dCS
z+S2ZjOtweynhey1QPOLLmNUvZLE+SGsKmwkrMCBdtSyTbRXHSqPHt0Lc77tUhE=
=7WGw
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA4EEKdYEzV0pAQ/9Ek8xSUknHMyj7pFgR6oME3Q/az5CykwxpkKFZgafhxWQ
nA2Ge4y3Px+rSoPPPtxtb32lw4PcWV+P1Y4EdtpinsuW9xlSWJvE8Yp6C0BBFceu
3k3O2sPHlF0yeJgjS+rhpqPppRn5nlvmD+E9ZiJGQNOEUxmrdgoNLonazlLqcgjO
07CQdgHp9AuBthhlEU+UgdVdfHMV83KhhyOIf+mhEUU4cQWL3X/J2Sm6jtAowA92
fiAA7U8UXEt4lFEXle6Xj/1LtBI5zI8YHrE3xX6kN0Byf+ydtAM1eqjGb0dL7u6W
24CavCODfgWepuK97Jo++umTfN8wkLlfpbaNro2EpAdD5Q9CeGSzXk1PjFmsZgAb
QVOxo8kiTULEgMTI55pqg4GT4pglbofsQRMuk2IZPj1a9ScJjOxZIm0VUXG9AAZi
BogAuiObch3orMm2KGeSX1s6HyHrvQjuXDNPHoC2yFJ2oBu1QIHy/hAFLnOcNW/U
3JfhWHLpMHQgu9lFzkTlobg+4Lg1MHlXtSApwdmMIcrAJcm/l/7+x1J/TVVRQAdP
zyzWLA9AGjRv0Vud6lhCnL2FjsUVUWA+S8G+OYqxpkp70Ku1a5z3e7P8CoAtzDoe
RZLRwjawjgfyKpEvbN+s2UvWqtgvRPqiudG4cAZs5GecLxO8ItahyklRZ47G8JnS
XgEdyiiO06vx5LMszt/tFXtoIKlaWnbB0oLyIwm8un55VnJija5OVrFfdQYhp4fQ
yvRQ9uAM32WVjQ+gKVVQ3pAHgF2Lu67E7HtZtdmdLkWafybEWUsqGZyDzDvchZs=
=pFkW
-----END PGP MESSAGE-----
fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdAeCb2j6cmTulJV2huSow62xTILgzf8/OOo5lED9+T5VQw
kBqubSVgy3jiW7lfjAK8U5Wh0ITb+6AR9kDLRE0WCxNbrOaeGado1VEalTw00Q58
0l4B+PeAZBg82rPUegAvU7UnnUIC3nGVzN4CEdPRpPcrG99V6VvXOks+s4DLky16
5FOihlYbf5nCD7OFbc3yys3MbUVuHda8x8H0BkuxDR81Wf4Q+HXCg8OUhncB57zN
=Lvnj
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2024-05-26T01:07:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAzdAjw8ldn6CAQ//UFokgDfUkScPVlJ+YnFw+W8eLk6y2YVI+nTCCZO9fhPB
77aDFY+yJG/BfEzjZNwQbISBjt+OuxVSSam52B+4FQkolr3KRhkfkuS16Fe9PwOg
XLMRoDba416ZtwAKz9HznFnPAzyPOwAn8yuF9RMp0KFP3ko+NSRAvOgja+jjPOl7
4BNkH6w5SAoE8u5jyQKIV9OB4W8RCVX30bYo2XzxjOcK1L+9EygoR+1CVOkbx8p/
T2i3mBdy3EtQ+86nSMPjGrSqURaUaKbCN/ygrSMhN/Pl/FvLiEEHamj2dVXPdHRV
k4bR51ZjO+U056PAB2Z5yK1Mpp0d0xpi5+QdOdi3eEqnGCXFq4Xz7NHUrmdy8Zug
QPnlMqibC3Wqdee4uhPbCHe0veF/VLaNAlyGkBHw7q66Ln2MY8coKPoiR8K4CD8o
9dtsV/qDvdFhziqsWCBjTwtFct2x/qEcRnzm1kvpyKwe2zV15lHA9WLafZVQ8eNk
U8yxBDETa8Bwd9voJ9NqYTcnyQLRJ3sZcvfkWQ7D5NOvmdHD5vF+gm5zJzR4EGN2
kSiqwZvztVuQCm6EOe0pJqp774KZXWW9eHc6CaNwkT5cmWjWu1wdHYhRk32HdhxX
1FQF3MxxACwDg9kj/s7gpWLlsofN4NM/QtHoGRh1wDQJGm8IZyH2qxpsgcXX9YHS
XgGX4oCWpHLRyRuHPb0xvjAdVX20WQKLzAtXvJkRMUd+Xt348nkZ4ZCqqfQ4eKPU
02FoWeCVqWTUyoaaHC87HFXUNJ4Gc+9AsWlbB9yA8nAm1z4wWHHFqZS2duu28ow=
=WqHP
-----END PGP MESSAGE-----
fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -1,7 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

View file

@ -1,7 +0,0 @@
{ config, pkgs, ... }:
{
networking.hostName = "nix-box-june";
system.stateVersion = "23.11";
}

View file

@ -1,10 +0,0 @@
{ config, pkgs, ... }:
{
imports = [
./configuration.nix
./emulated-systems.nix
./networking.nix
./users.nix
];
}

View file

@ -1,5 +0,0 @@
{ config, pkgs, ... }:
{
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
}

View file

@ -1,22 +0,0 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.158";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:6A:33:5F";
linkConfig.Name = "net0";
};
}

View file

@ -1,59 +0,0 @@
{ lib, ... }:
{
users.users = {
chaos.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
colmena-deploy.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
djerun = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWXk9N9GoDyvaB0mnX448IvzKKsMv0eFZKvjqmsJ3In djerun@chaos.ferrum.local"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQsu6WSAXsF45wGmw2spQUWopsgioUuFI8hKLBW/WVk djerun@chaos-noc.ferrum.local"
];
};
june = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
};
jtbx = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBQgnQAq6FUSDK8bxtYPjx3oRCAKG+xy9J3Gas2ztJk jannik@Magrathea.local" ];
};
dario = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZtJwNPEIfNsAxBfWgxAeoKX1ajORPvs6L5S+qipJ7J dario@ccchh" ];
};
yuri = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
];
};
max = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHNGDzZqmiFUH75oq1npZTyxV0B7eSJES/29UJxTXBc max@iridium" ];
};
haegar = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhWTkvLI/rp6eyTemuFZRbt2xxRtal7fu668nnb/ekU haegar@aurora" ];
};
stb = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgVuX9phyXImxqvof+49UXhiSQ+VGizeU4LrPcZY1Hy stb@lassitu.de 20230418" ];
};
hansenerd = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxujzHK49IBtYKPgnTCDQEiIxgzzlQ846tmU+6TcMIi hansenerd" ];
};
echtnurich = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWWxkGFje1CJbZTB2Kv8hxZpvRR8qyw2IarRIHnQj3+ echtnurich" ];
};
c6ristian = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgfWcCrsVSXvYEssbfMOy2DnfkGSx+ZRnPLtjVNSxbf c6ristian" ];
};
};
}

View file

@ -1,7 +0,0 @@
{ config, pkgs, ... }:
{
networking.hostName = "penpot";
system.stateVersion = "24.05";
}

View file

@ -1,11 +0,0 @@
{ config, pkgs, ... }:
{
imports = [
./configuration.nix
./networking.nix
./nginx.nix
./penpot.nix
./sops.nix
];
}

View file

@ -1,20 +0,0 @@
{ ... }:
{
networking.interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.162";
prefixLength = 25;
}
];
};
networking.defaultGateway = "172.31.17.129";
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:26:1C:8A";
linkConfig.Name = "net0";
};
}

View file

@ -1,63 +0,0 @@
{ config, pkgs, ... }:
let
domain = "design.hamburg.ccc.de";
in
{
services.nginx = {
enable = true;
virtualHosts = {
"acme-${domain}" = {
default = true;
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
default = true;
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://127.0.0.1:9001";
};
locations."/ws/notifications" = {
proxyPass = "http://127.0.0.1:9001";
proxyWebsockets = true;
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 8443 31820 ];
networking.firewall.allowedUDPPorts = [ 8443 ];
}

View file

@ -1,198 +0,0 @@
# Sources used for this configuration:
# - https://github.com/penpot/penpot/blob/2.1.0/docker/images/docker-compose.yaml
# - https://raw.githubusercontent.com/penpot/penpot/2.1.0/docker/images/docker-compose.yaml
# - https://help.penpot.app/technical-guide/configuration/
# - https://medium.com/@social.iodols/managing-docker-containers-in-nixos-fbda0f666dd1
# - https://madison-technologies.com/take-your-nixos-container-config-and-shove-it/
{ config, pkgs, ... }:
let
# Flags for both frontend and backend.
# https://help.penpot.app/technical-guide/configuration/#common
# https://github.com/penpot/penpot/commit/ea7ad2aaa096f8d190d740f693f22f3ed1f05088
commonPenpotFlags = "disable-registration enable-oidc-registration disable-login-with-password enable-login-with-oidc";
penpotVersion = "2.1.3";
in
{
virtualisation.docker.enable = true;
virtualisation.oci-containers = {
backend = "docker";
containers = {
"penpot-frontend" = {
autoStart = true;
image = "docker.io/penpotapp/frontend:${penpotVersion}";
extraOptions = [ "--network=penpot" ];
ports = [ "9001:80" ];
volumes = [ "penpot_assets:/opt/data/assets" ];
dependsOn = [
"penpot-backend"
"penpot-exporter"
];
environment = {
# https://help.penpot.app/technical-guide/configuration/#frontend
# https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L78
PENPOT_FLAGS = "${commonPenpotFlags} disable-onboarding";
};
};
"penpot-backend" = {
autoStart = true;
image = "docker.io/penpotapp/backend:${penpotVersion}";
extraOptions = [ "--network=penpot" ];
volumes = [ "penpot_assets:/opt/data/assets" ];
dependsOn = [
"penpot-postgres"
"penpot-redis"
];
environment = {
# https://help.penpot.app/technical-guide/configuration/#backend
# https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L112
PENPOT_FLAGS = "${commonPenpotFlags} enable-smtp";
# PENPOT_SECRET_KEY st via environmentFile.
PENPOT_TELEMETRY_ENABLED = "false";
# OpenID Connect configuration.
# https://help.penpot.app/technical-guide/configuration/#openid-connect
PENPOT_OIDC_CLIENT_ID = "penpot";
PENPOT_OIDC_BASE_URI = "https://id.hamburg.ccc.de/realms/ccchh/";
# PENPOT_OIDC_CLIENT_SECRET set via environmentFile.
PENPOT_OIDC_ROLES = "user";
PENPOT_OIDC_ROLES_ATTR = "roles";
# Database configuration.
# https://help.penpot.app/technical-guide/configuration/#database
PENPOT_DATABASE_USERNAME = "penpot";
# PENPOT_DATABASE_PASSWORD set via environmentFile.
PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot";
# Email configuration.
# https://help.penpot.app/technical-guide/configuration/#email-(smtp)
PENPOT_SMTP_HOST = "cow.hamburg.ccc.de";
PENPOT_SMTP_PORT = "465";
PENPOT_SMTP_USERNAME = "no-reply@design.hamburg.ccc.de";
# PENPOT_SMTP_PASSWORD set via environmentFile.
PENPOT_SMTP_SSL = "true";
PENPOT_SMTP_DEFAULT_REPLY_TO = "Penpot <no-reply@design.hamburg.ccc.de>";
PENPOT_SMTP_DEFAULT_FROM = "Penpot <no-reply@design.hamburg.ccc.de>";
# Storage
# https://help.penpot.app/technical-guide/configuration/#storage
PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs";
PENPOT_STORAGE_ASSETS_FS_DIRECTORY = "/opt/data/assets";
# Redis
# https://help.penpot.app/technical-guide/configuration/#redis
PENPOT_REDIS_URI = "redis://penpot-redis/0";
PENPOT_PUBLIC_URI = "https://design.hamburg.ccc.de";
};
environmentFiles = [ "/run/secrets/penpot_backend_environment_file" ];
};
"penpot-exporter" = {
autoStart = true;
image = "docker.io/penpotapp/exporter:${penpotVersion}";
extraOptions = [ "--network=penpot" ];
environment = {
# https://help.penpot.app/technical-guide/configuration/#exporter
# https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L221
PENPOT_PUBLIC_URI = "http://penpot-frontend";
PENPOT_REDIS_URI = "redis://penpot-redis/0";
};
};
"penpot-postgres" = {
autoStart = true;
image = "docker.io/library/postgres:15";
extraOptions = [ "--stop-signal=SIGINT" "--network=penpot" ];
volumes = [ "penpot_postgres_v15:/var/lib/postgresql/data" ];
environment = {
# https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L240
POSTGRES_INITDB_ARGS = "--data-checksums";
POSTGRES_DB = "penpot";
POSTGRES_USER = "penpot";
# POSTGRES_PASSWORD set via environmentFile.
};
environmentFiles = [ "/run/secrets/penpot_postgres_environment_file" ];
};
"penpot-redis" = {
autoStart = true;
image = "docker.io/library/redis:7";
extraOptions = [ "--network=penpot" ];
};
};
};
# Docker networks.
systemd.services."docker-network-penpot" = {
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "${pkgs.docker}/bin/docker network rm -f penpot";
};
script = "${pkgs.docker}/bin/docker network inspect penpot || ${pkgs.docker}/bin/docker network create penpot";
requiredBy = [
"docker-penpot-frontend.service"
"docker-penpot-backend.service"
"docker-penpot-exporter.service"
"docker-penpot-postgres.service"
"docker-penpot-redis.service"
];
before = [
"docker-penpot-frontend.service"
"docker-penpot-backend.service"
"docker-penpot-exporter.service"
"docker-penpot-postgres.service"
"docker-penpot-redis.service"
];
};
# Pull docker images prior to starting container services, so that a container
# service isn't considered up, if it actually is still just pulling the
# relevant image.
systemd.services."docker-images-penpot" = {
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-frontend".image}
${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-backend".image}
${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-exporter".image}
${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-postgres".image}
${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-redis".image}
'';
requiredBy = [
"docker-penpot-frontend.service"
"docker-penpot-backend.service"
"docker-penpot-exporter.service"
"docker-penpot-postgres.service"
"docker-penpot-redis.service"
];
before = [
"docker-penpot-frontend.service"
"docker-penpot-backend.service"
"docker-penpot-exporter.service"
"docker-penpot-postgres.service"
"docker-penpot-redis.service"
];
};
sops.secrets."penpot_backend_environment_file" = {
mode = "0440";
owner = "root";
group = "root";
};
sops.secrets."penpot_postgres_environment_file" = {
mode = "0440";
owner = "root";
group = "root";
};
}

View file

@ -1,234 +0,0 @@
penpot_backend_environment_file: ENC[AES256_GCM,data:+MJbbAjzslBIYlQ9xe0VzM8ON2U5dktJGGHmoUu0HW0mvU4pRYrQXlWdW85RXAyYU9yOiL6TNAHOWUQyqOdo23whuer2jL/Qe17DEhapE4b9W9JqBX7H0VZZKHS70AgGZdWmbj/bWAROg/qGPVKjZLhgKxoVTVbvAIJEXUDAbGfvHlY3BP67yUTXvbmtd/Rdhn6i1HafY7YHFNAW8SkikglW6wR5igEZMFAefMOMgq7aYmNXOr1bImjCPEko0DvumJZM4YMjmb3Wc97wL7OMP9G/V0k9fRclhOj9+lNpeeCKL+VL3Bgo8vqgrB+WIi4a0EwerT8srx351txrU+ITxoHciRQtOpeXVHWL1snW9o7xCoOcil0NS93D9GhW+Hd75Is/xHN08UHmahF1r71nbDK4CmSiUzZzFLl1oWkSTU/31zBUnllHOt5nDMKT42xiniAJcQ==,iv:vtIlNGIh9+e9W+OebTac+UUQp9glBIolC6KQwQMzDn4=,tag:kBBTu7LVp+3xJ/MstLyomw==,type:str]
penpot_postgres_environment_file: ENC[AES256_GCM,data:VT36kHkRH8ghnU1oyPpAQZW2LR8GNmG1cQXVjU4f+rGy9hViTivd7qxzMusisy7IcWfVaQuXFvUCT+pCMD/fhSAQZOY/1Rs8LBXJtsuPButOG9Q=,iv:pUjAkvvHjsnzn0xRRmdZXatOgLm9dx8Ggt7lEfiQllQ=,tag:FZRqlcxQWu/FgnJfoukIcA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZVA5WE9JcDBOQVdPbGkz
SnNkWEJvaUtGaWVOajd6SzJ6aGNxSXZQaVhnCmgwT01kNFRZa09Gd1o2ZURyZUJQ
N0dwK21vUmk1N1duOVNtV2wrVmlyNDQKLS0tIEJtUENHdXhGcXhRRjM5VkhpdEVG
Z3UzOGFFUDhwUndoQWtCdHlMenZETW8KI0FjoFG4E1fhOxYiCIxY2BnLOmGcpoyK
EbDdNFQEMngwppEm9r1KzG/1cGMoIij2qpmK4Jz1Hzgk/6dZwvGxzw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-10T15:40:27Z"
mac: ENC[AES256_GCM,data:hxVxH/BBwYcvbtOH4aOUnI9NnbCfAGnnwE3VQBJBJliOWo9WHm/hx4Eol4vaS+AA2t6AUU7UmzjofX2wSTbqQliDCFCSgbpMofDXP7tmlat+M9Du91fQmfOibzCd84tkqS+TRTFCFX83LmQ7/Bb2mHl77uGVAFYyHX9+IPPEUMw=,iv:w2Rdl2+o7bZRQsOogU6U5DK1UuHn+bL4Ouh3XbByYHA=,tag:6sqJal6+kzk0stP6vK6oOw==,type:str]
pgp:
- created_at: "2024-08-09T01:28:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtAQ/+JKe4fsuAKMJr6kuDt5vjv+hrXamWEwRLBfYPHHZHEUeK
AQBs9fG9Ni7Qpelv8RIbxWyophgt2TCEqP2d+7EcGTgDZkdLxx5s2LJuCh+tEZwT
bm0sPt+8eYY077MxA1ZtlBgkslMugvdnJaDckGc8xRPldUa7gRp0j3yaLULRxjA6
T0nyALAqAaDa2uHgB7mTB3pXJYk4GxZpYbVc+wxAWXEDRLR/bpT18ywAcA6iSerd
KGDzWKjgOr1TTJqUxsguqDjnVp1c+xRPirC9uENGqW8mxI7h1+4B//dJvuXV/cYh
LKi0aDUTnma78mo2v9faUSJl23LkIehWZwbVG/+Mpkk3yxscLV124Vbwj56IFCzI
AiJ7m2QVxY5eXoVLodw6Po2S62gkwg7H5Aw3J4pppNuIAIr/8mJBpJoBy6poTsG3
QhbQdEdsF5ikoLu/OV/H7mp86zJt42Q+74xGjKYx/qvLq6SDmDA03kqk9N71URyu
FRTEDysEkeAzreFFkxn3Q+K/cXvtv/2Knte1lmDTfpmhg4cFwsLPLPH37A2veaxJ
JTyWDLHgrJ8NFgii3gLrwj+XLOZOwmCY0puJKtdAnPaaQiLfyqYfeLVlt7Se4MMJ
8XaFWcaQHBxL9nRZnx7WkE9LfHIG0e+414hT0F/aER+8iKboIbt6rdEHpEMGDWnU
aAEJAhD/TpW7E+yYjFVi/xSQ3kCAruHcm6x4BDTE7by0VeTLiRFW+culxiInOYiD
kdp+dATm5f7IrQp/qemL02/Me5yqURZlZrDHra7AiCI+MVBJiCRIY/x6xZSew7PX
HC+p9sB+PBFL
=1qbt
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2024-08-09T01:28:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6EyPtWBEI+2AQ/+Ijn18W+K2je/hpolpY6HmQMTTRpQJZ8YtJ5G35o5WoVP
hH+znQMrBBAtnTWeFBeIuIzk4CHjPS0yfnsE4/rP7/lSa177A2xaeiCb74F6k/Es
MtDE/TApSlNdPFruN5nkd2I8jAWh1k37nS+/NUhszReR39NNmgA+aCSc2OK04aAz
dpPXmaJ+d3zMr7eFoL2NyhNI3A/ZdVP3UmZCp12juckDRl8oeei4PBlw2T6ODJP4
tY08I9EyK/5K4auhYJyvayl1RWwRuShFV732ZjztkawLw152W0Rrg75Qoukhs9mr
TdyF0zcnVxAcOV4e5wRe13dDV6Ue7zeWFc9bb577thGzUm2Oue0u+oisty16qt9K
0vw0tVSDtT/suodG8HpvSwGQ+/xcV7w8XCH8Yx28N9iO49VZCB1ZYXQBxTHVDl2b
J/8AivaK4OOFvPWNr4u6oLaO9nz1aaX6Qsap5zn0Qa2Ls2SSBwWk2Fp/f1dq3KOy
/jGR89ocuEuImVacr2G6zxPnbukfa4S8q/FUUDbswQUqmWMcDDq3dOQ1fFPRd7vy
5a9u3P8LFW+ZPPHop3kgozgZ9pBGDOlw3nkjGjFl39lE33E+049gLE6I6+1+umG0
EWkNI9y8X+HmHMthVuYapq23Ix09H6Wa452hZmEUxNgp33M8Zx+l3s6D7o7jfrjS
XgElPJuUWyGKPoUY9mFaINyVqjOJGEtEOYRP7jvCpFWDq/xQ8jbJvvv7qBy8+i0b
cpqRrMJrvMB2PSLeD6cNWymrNhKilLLFOcG9yaIEudDhiuv3L4/ub08QMroDmo8=
=80AM
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2024-08-09T01:28:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJAQ//Vv7IVqc9ReeFgo8RWbYpl1W5atAHerZuUh0oYc4otGpb
UseJ2JInyykcUeQWlOGvTK+eauBVNET0E/6jylCoWb8lzffhSMJ4FFpvpsoYjPG9
Q8s3r8soOCYB0xscfhinZwJg5to+I2MSd8mppWIp4UCQhxv7MqQpbqEzNTfVP7YO
QEUZ/lesVovLvxMzKc2YVWyZFSW2G6HK3LTaJIg8gy5ym/crlUB+awd2ZDePGk6F
Y7DcKwL1EpCL+hoPWGF9PclYKrOBIZVznYQuwHAqG+Bxr9Ln/NmS/OoCrJDMN6gG
2YMZ3Q7GQ82zZESxYA7g+ef9/lGCm7DIkt80or72x7eS6/OP7c1bjGFgKLQNyHFU
Th6cOy/TzK8Sq2g1mWB2zyV3xk6mb9C0ETAFD5vvPGVC3Sb4549Y+epe1T3ZLFTA
t09nUIpTC05PEdGsWs5Z5MDp8ZCsPZpipbVrWENesNOfaFYG+p7aM0LjgTqZcadD
B/Foejayc3XYI0T/NoP43mAZ2nEOw2Bz9lBpwz0PeTfzyrhz9XlJ7Dw462XTFA3i
voTHA5+DzGNPf6zC1fH9GcESmpC2nqXit8ZV+Y7Zb9/cAsx3E05S8ayxdBZUrOtJ
JSWGOAfPuzGXgL6Ht3iKcmCxQ/pSi1aH0h+bYqlrxTvP9IMyNCrxmP6+YsXCv8XS
XgE0NjzRMClq4/HhQ5X0ANGHWxbZJLAbm8yfgK5rnnmvi53RNJhRUHDnNca93brF
n27gnVLKM+2FdwRjwNIznkbZV/iNM6zIfRWwmJs9gHRuX/J/XWzD1KjDsn2rmiQ=
=bAYZ
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2024-08-09T01:28:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1ARAAkdXjf9h4iyYtKPwR9V8hgIfpt3s3zMduuJN3u76ZHdfE
87t5K8eL2yIVN2DeOqtXRG28Broy3LLwMlLOJhxVxS5LAOEjT4ScZyb9H7MLnDsp
boW210SLkeQ5vTW9hgjAU9V6wbemxoiNPYTcBUsuirI8a+jpnALLY0jeOILBEmHQ
c+wbeo+VnlTQkTKCFI7TwlG1JnRnv3DMATVkOjC2PXmXPNkhr04Ivvf0+yBELY/1
hLirTfk/W6vFodPaoaRaeWjGJOo+FbqKLxr2xYzVu6SkF+i4CvDPb1x0t/laTpPA
qC6KJ1wyVwG4k7ZBLgRcf5Scn1zgGFzZexUAhdIYp0tKPycphUQxEMOI8/OeBP1V
68gBcilvv42zs+ed2RUK4j1e9YklxazZgaUhPfdrBrw/HiDJ8ILaq6LQQZSNrxZx
koAV/qw8ylU7vkciyA8bGLOiWc/Ub9vkRSuEi5TMOhmT7bVZ+W/26bWgDcAMmCpa
13H1uLXLuHnfDavdesh+RAxRgEavPTMz+HFbqhvkv8sy0RPCodyJv69J7dsS7a2C
71Ub7jyZIQyRtTGGZH5EjMQVStBMccE2KrJRzZCKbCmQDofKb4M67caaHBnVrs7D
vyx8V7JQGkNOWIgWFb23dtCtRiMzFaRk31mihFmFF2tSgg6XMqNmTp0pc3zQBarS
XgFZKRlYE7H1tMUCDwyKB7G3r1jsxBlUSbH1J6XjUBWKkTD4iMHI/4YStvghLjm2
0qqgKH/Njd9xBXc3x4Ut7kh8tFMMa07xF7/V0Pgwq+7J7EgckEfKHKA5vcQt17Q=
=23io
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2024-08-09T01:28:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA4HMJd/cQYrVAQ//RH/jOrYE9MD9IjkUfsQZ79rjEwDdtmsXs+gS/XUr0MpI
f/aDyw/vfvD7ZgY86yqp68x0OQLIyRIx9O05FNB3giVN4YFvZpFblLotpMzCFa2d
5xKLIQ1oviDSnE0kKpNM+QKITKjCxyke7MgW/laXvF0zMaVdPj0qo3Zn07MUKULs
btxZgPhzwWLjveZGn+72QiBGTF0ce49TWoh6y/l7PDsXhojau2KP556hI3rp/nC0
PunbLVRntpz+bOoyOk+xvKen+8b/Vwp+GYA2NBDbZSEY9H3YF5ugZBR/jUc8da7D
9EBA35udmQVKtD2XZrIyfhETC1eqLXORo0JKld5oC03JPkqvV+QpMF+8JBjXe1Cy
qI4pBmdhTJYFoJHpvMH7eC4CWgZZRMD5mB2nk1hYd9oIiYUPABfdeGxKiFnC8zHH
cEY3jgGzetZTxnpk2mxZvFMMwFqyOJA2PnwMTv3IraARkFrLxGzUIG4uOjo+l2fp
igOKsw9p46RR1gkuKF4u3yB3/1RloDyqGCU1/n4BCWy5/UkjSQpWKShZt3qMd2G2
A6si2zgSHIQ+ubR7MPB3Q3U/Rnw7pSbTbdDc73pZ2SPZfUuJplPSDUvXICGlj8cO
jO8s926qp4X9C4mi5um6EX5nLG+pfuKowIBdB2HWmxu2idwyrmNdlIgAcWcteazS
XgF9W6THXau4lEmrBqWEiC0K/9NA0cDJqRdvj6wqZ/OIAo86q3yRlm8yY8U7D00j
wNS8WSHq+EX0K9LpwQiHAJoxNXABEx/DbRqVeuLn2FaCocZigbvu3k/pePuOsK0=
=ZLl2
-----END PGP MESSAGE-----
fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- created_at: "2024-08-09T01:28:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ//dCKpiens8kqp+I9HtwP2CQOVMLLAle1VYB7pJ5pfcyzI
/3tAmwcxBmg+jhkFiqheBQYV2yNmBMHc5ulx+MxSDKd9mzCTavlGlE+intPjON8k
sis68RnU5OFsnGVXSmJji1vN37cCY4jHkf2vYzz6HJ6FLPrda/W3ZfXI+ZnOCao5
wGYrqPcYUj+7gnN1S42HM492oqeCNLcENDvegf8AxtBEgfp7UQ0V3ZC0wZEYhz0V
p9bdivFoEZ3Zo0sJTWKj3Df3IA5T6c4dbSPj8r7IZ5iNDguKAjvegXujco7pow51
fNNJB02hnYHLMRAbeRqaWyJ7qUQSWbQEgb8NuonspnXnajKc/OddgoTN91gTRgMb
op2T3HOFv3lKZPA/xIeDZpIm6GqOW6eJLjqiLP39VGvvNRYg+zxhNg/ZBVkFuSAf
U5uDPUyIAr10zdm7NqJKL8wKRbQzBg5OYovrXqSl96+KNenJqbMNv1N7kfSF6FuF
x8joEDXIaBSwINE4oXD5SN7Z5L2SuuMJ2nvuXFmmXKerRlrBiGsBzUVMt1bGqKEU
KoAAwbInZ9SprSxqJ1EkSVXpNGnFFNlbBB1j2u9BoGygOkVM4ZxIS19DBDLG0Tls
Fq6GI5d3axcf7t024UmwcU9yaP1BzrV0bDvDg3X+Azuo5JqpT3pSUvqv+Sy1C3nS
XgHK1C7XTOfcvmcxJ1f++xELwRkgNo1OqSG3cIZ8i1tKZFKTyYCiNHa/ajSr+wER
4phM7Tdr6ubjLkqvDkMeXvtiGyUoAvbtLC0wqSaE8sEZ28eFGEAaECV/uOW81X0=
=0jv9
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2024-08-09T01:28:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoAQ/9GTEI65w8icqppqTuvQD50vaR+lCY1NjWT0HekgvNuCLV
4gL1cYv7tJ5UU6jOnREoScamWnUTYf/sLINIfa+FgvH+apswQeQCFrdCb8/61/Xc
3hsJ8gwmguP1zJabKFI6/Yo3vPPa+kpj0Am6M7dUUxEKw4Lqy6Hc32O6ULNJOvdo
56oqr6KoemrpU0TzqkKTpgAZaQjFfVzPWfC8moUL1pvxrHm7rqDPiYcl7fZP3JFD
gQMZokH205u1elxiFxuQGtW8jbeBqCZUm1UorEgD2EJYEPfyphIaHaQnCpW8zXkI
gt9QT3cqJpGJAobCPbh6vKPtbGPEqZOzOaCMFl07pkOSGPAVGMVfV+FdsfszPYY6
Rqsk7zlCFv/iNFWKpkdfI66JLvhmgNwXRv+rkYzH3QrQikjLmAeTzyL69SPujgDK
qXBRZiAPwEDScr2Qcum36jDVrT3jRfC1opzwpRxM2ompJ0F6caBPNVjY10BScl7Y
RWVmkFrPL9MdEelFLscG17K+y5S/50sLcU+sGbMkmPsmizA0boK5XBXJz3cTadYy
Asr2b4aWTqBS5iW1vbWIGJVrUUk3U1S4fFaSvsL3I6O0E+sOB3eEEpQZqpF9Genr
hCE8GVE5yQWb3YYK0ZA7j4u+dwA+QfRIuQuMWFoRKp8oqEitjjix3je2R3u8/ILS
XgFcAp8Jh+VbnQg/pq92u3dX6afGv6nENpMVPn73yob+sfE5xUFEfEzE1E1WCWdR
HiLZVOgpVOYmo2s8/UW60hLNBULpqyf6ZTQsr7IqaGw4g+Ew116cwDawywRSJMg=
=T0nI
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2024-08-09T01:28:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqARAApsnPRzTCIkbKT6jaVHixgP6wyCjfVmvgb0NnMrN2Ygup
pafb6GNWoFq9WdiSqwFIJPZlZxJFiIgSxplDI63Wj1MgfvQBEnKUQvnvR+UtnB22
bGr9mIrq/wKgslhPLFB0qT81RK/GqJKvRNpI3trGmB1pBnDdb5jiFeDHStv41XrP
hezAvmDGBKlM74fehu0pKOanIspyvFAjs31NULSHGJGzBxyM6OGcg/XLt9ea6bI5
jHwu3+M/7nixjtaIdCtEFPv/Mdimq9p64+c6AvbEVikUH/omRebRFIRrJCotYENT
ak6/2F+Fze2cof6pJPaq1KTF7LQHi1ZaQ/N+YNDsMJIYYuX3lVg/ClEjeo5k1HJ4
Jc+ul2KF/dAh8UsJPIdhJDlxIPdnof7xBLax1xmOQTHpqsfhZe5BP/0KMeeXzG6s
TlozMaCY0ok4JiQmiJcs+TjHX+uiiih6Wi756v7qwpCk5u3/BM+veHB/slD5Xezn
KmuHzwcbaP1n5JlOtv1PLAPfqX9EDsAVr2xhYTBISZiIKXyfagUWzPNX6toYtBfV
cQ/m9nfc5/STna7XGucnKkYFG5U2a+olIqCcbbNkN4NcW5ly0M5g1VW3oh02NO8r
A/4aU8ECj+79XXx0XCuVojnkGdTT3SQex7bkV2stBpuc5xfESbuOMWXgK0qZrYrS
XgEfX0ySVVrCxhtJgsQvZl0zrOwIttomV6hlQgo+n23HNPwjEf4nf1p2sje0uPvb
bPC7u5y1eDdy5E0XyWkAg4hxPLg7yOj7ET84Bg9S3NE8cE0nM50qL0N6aCAb4II=
=Is94
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2024-08-09T01:28:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA4EEKdYEzV0pAQ/7Bx/s7WlB9TE30vyqVWw6H4DoZS8s03Z21tDAtrUEK+k5
QtMPvAIE0SG4lXersM3L6VMmhvPQlwZf+zSzBnO0J5vacvMG8dch4/ZH7YTM0VX6
T0Ix9ScamEI8J5Fr1LAeBoqtTa8n1/3N2ILBVPRTTX5Wu4lSUw/voeePXAYxSSMv
9vzrxJNcRgzbd/8Fbo3i2vzn4GvrP1JzsprLrUMVFaek5khD0hRDJMM0IhBWFRRh
L241zX/IBZDQVz0x1QVUBFmkoUjyNn94CTezTmGvqCXfkLRmcKzTZXd0dhORBPFa
LygVSLdor0v5ru70rMds6YN5WvqbmG7KUY8M3gcVXutvID58vw6ZE83T8ZAYj9S5
r9hXegeb2e03tCvSrHmQFf37+298/E8/kBrBQgoevnHmm3p0yN3ZbrWLIRhbx2iF
NzL5s17PnGzmuSigoZERsN2Flx2fzUbtwVDP3AyLVpQ7NoqTZkJTcGQuvkYawnEa
3RxUQySR+a7bED38wJ6zEpVg10ye7c8mVkzQnda1Qp3lnPZxz+1qg1n25I9hjNO6
X1E8gtXx2EcwaoWcPO0W/sNBwE09SCM68KWSykwOLvZb5tq/HnhrwSisps5sAg9V
Z1c0OCwgJvYoTY46rqk7scN9YkE16LDCtAzgppZerli179E/f/7O3d59CA1mCEXS
XgHbdM2nxaBPCPgXXNRVq13R8JXiOokuxUZofwl6FaG8A6yc9z5F4Ygr/KKDeT0i
YMBezxQtQ5uKY0jIx5g2r6aSdly3QPNKiFS/rxDCrmtaBqw+OvhvLrnCn6IaRVY=
=XAoN
-----END PGP MESSAGE-----
fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
- created_at: "2024-08-09T01:28:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdAFvRDMKG3Vjs98kRqcs4ep+bYoUcBHbMA7WgzI7CcaGQw
FjdmSwvWaHJZQGEbGk4uDHKPHqXRD3HnD9d75Azu2HXnCA29aU2c0zn0PziIi7Aa
0l4BbcavPKNBkZpJNgW0uII7xMYJWJ/9vStTxXG/WzNia6nk/Cv7PMJW7EwIeUga
+PWB4yGfPXgqJGnJj0H1EdCVPrM/+f19GcFxNKKzkGaKTyVTW9NxntlsFl1vbmRx
=YRc6
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2024-08-09T01:28:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAzdAjw8ldn6CAQ/5ARLA8sAZHMwNhHJycVof+ZergR58hXCBjbIy5zgyAwYU
IJ5OwhTpWqniZjt0b9pvlzU4JO1k73B1WrF7mAYEOKET32GPVatrQ64yInQbORSZ
zNQgX3aQ8tEtyBsKAWqwqRjOaP6Plee6G0RCksJBAkjIZik0diTOBwi+ZhgYSRLE
G1NAETqMKkLleYQbUWCFNveJOd/7pfhE4xhAEaSxL3dgXNPV2TOngvjCqMXvz0K2
hEz6OYC8idpmAJv+S+HOaZbKV+giCopsPyFnbeu8jf1UpbsBRbHPnLOO6lLby2gf
2P9MhwSeMjjCZFX/ys8vHQ2jUwXK8jfW3xfVie4hVJgh6vO+uHcomjnk2b+34SRk
7ttoozLbMFxwrcP9trV0TgT2uzjFCe4fHccpY1VLTCX/O0eYtlhDhur0Wojp1z9v
h5mcqySEtJfHXJbTXkgMA2+QSyUaTTfvZ6oJqX3yAoq5eIzC0CcF+IMa6NS1XkY0
TNd3FEhwe7TvKGCy/3bJx6jMUnhT71r6KW/w7RVIHgdp1hfUS9JBhxVB+agQVyRv
+HBmvWHqUdwnFzotGRzLU1g6soWa+fRVQQ80qAi1U8e+u9IX3EG0KoIXLjpkvXxK
y520NcOdN4wR0xILPP/+47QDN+kM6lunm/EMgrff4YDE8J83qMhH2IP5s/tV023S
XgH1hiB0U4SYt0Rp6OGDV+CjBCFaCkPPlync/SVuXddfLC1owGlY9L3jwu7j2PR7
jy2jPPTWrOvT0wZKEh4k501LRb0n6LGqW6gDTgOnZKNg2iQ6jybv2HeyyExYllg=
=1o5H
-----END PGP MESSAGE-----
fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -1,7 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

View file

@ -1,10 +1,7 @@
{ ... }:
{
networking = {
hostName = "ptouch-print-server";
domain = "z9.ccchh.net";
};
networking.hostName = "ptouch-print-server";
system.stateVersion = "23.11";
}

View file

@ -11,7 +11,9 @@
];
};
defaultGateway = "10.31.208.1";
nameservers = [ "10.31.208.1" ];
nameservers = [
"10.31.208.1"
];
};
systemd.network.links."10-net0" = {

View file

@ -90,7 +90,9 @@ in
# pam_deny.so # deny (order 12400)" for pam.d/sshd, so enable
# PasswordAuthentication to have it not do that.
services.openssh.settings.PasswordAuthentication = lib.mkForce true;
security.pam.services.sshd.allowNullPassword = true;
# The following doesn't need to be set in order for empty passwords to work
# apparently:
# security.pam.services.sshd.allowNullPassword = true;
services.openssh.extraConfig = ''
Match User print
PubkeyAuthentication no

View file

@ -1,10 +1,7 @@
{ config, pkgs, ... }:
{
networking = {
hostName = "public-reverse-proxy";
domain = "z9.ccchh.net";
};
networking.hostName = "public-reverse-proxy";
system.stateVersion = "23.05";
}

View file

@ -9,7 +9,6 @@
services.nginx.streamConfig = ''
map $ssl_preread_server_name $address {
status.ccchh.net 10.31.206.15:8443;
status.hamburg.ccc.de 10.31.206.15:8443;
}
# Listen on port 443 as a reverse proxy and use PROXY Protocol for the

View file

@ -6,7 +6,6 @@
./networking.nix
./nginx.nix
./virtualHosts
./sops.nix
./spaceapid.nix
];
}

View file

@ -1,19 +1,17 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.151";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
networking.interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.151";
prefixLength = 25;
}
];
};
networking.defaultGateway = "172.31.17.129";
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "86:72:08:F6:C0:D6";

View file

@ -1,233 +0,0 @@
spaceapid_config_ccchh_credentials: ENC[AES256_GCM,data:5IClrKKMO/AztQuGabrnoRFItYNeEmVWGeafomVO94pL1RKzL1sCxBxnmzvJFPb/8Y+6FXMh+Mim4DP8B2RaJMLpmqCv+76N/5+527SZ6gn9i2Klg6q0kD9RzJv40qHq/NYLCa24tpcZDt7eB0EOgqLsKUmtX2LrQjjnN3NzjAevJGKQ5ypnb7xygjft2KrpvlR1hMnZ0XpSLDTNR1AmImxE24JtDaJKzwXbptr2IZvm1UFkNslxdqHPjN+N8+MSSLhqHy/FdcY2ADvsTX1jtjnjkb+9E30QOeCiFPKSmWtSGiQ9sPcQna1yr717Vk0EiNSAWDQ2fMZyJUgBXG6w3wiZbxfJmxvshLPs5KguF9NHER+Seps1QiE0p16c0IS/0Y24UYrK2GyUIcSReGufjxUFGTJHFSsNANac34H/RTs7BkoZ,iv:8WzTRaXVeH5GKmigMVTLVBnhy6nXZnTZHLAYHcqDs2s=,tag:jTdgz0gmruMWWDBQ3h70vw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByclhsVmM1TTVCY1ljcmxz
TkNMQnhUMGsvWlQyTkZtQ1RDTjhoYVBhOWlFCk9ERUdvaTNBQ1QwamtleTJPbUo4
dkpYYjVSR1J0UkJML3RtUlRXNEsvTFUKLS0tIHNTdEFGL01vYStRaVVmWFZySWZM
MzEvb2IvZUZwSTgrL282VU9WUVpGNEUKFg1INcr/YbkmV6/F/4hWbTXj3PCscAMY
dlr4Pii9Tbhn39yOXyzt3DF+XivkdMsG7fQTHSYdvzMAnvEJ1CLOtA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-26T01:21:16Z"
mac: ENC[AES256_GCM,data:ENLJIlcUXLEt+vXp/F2YATUZrc9ZjaE4AWwvG280etdsufEw/vGAWBhG2KT+CkcZLaJ4ctVvNlJEqU/pRzae+m/43SV3GNAG+jjT2VmNm0NyNYN27bpsj4tq11D27LPn7CkfBUB0gnmGJXVKalxhFkHBf+eq3ted8dPIv9YNRt8=,iv:Yfz7scjN3qDY9lV1SYOqrejiEwf4dVSPJhiFRJyFPio=,tag:SOw4Nhx6wwYIisRJl0SSRA==,type:str]
pgp:
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxK/JaB2/SdtARAAkz8cMmtau9sLQQFafUnjIkuq8UWKn9TFcAfjAWDjnLTx
WAP4RQE56FXzVCo3DXWvucOjOlVNR9Y86x99eXaMLgYLtJfOTZOCbn2nSIDxQI1S
XNHAPEXEH/UXEoQ2lffIjR+VfSOpJlwD6acfVEu13NZMvxlO9/51EOvAAo+qKa0L
EwMczgDh8QsYohBV13UIxC3Et1Hsj0Guawrx4M6pzL4OvXGUKkpDfw4NCx9to0XK
3L4k+DHur3KhpZJg4QhrM1O1XJeb8RdlkCBMCrcteXkzKMQotVeee6Avr7kfti9s
R0hYuVswmiRJP+dxkQx1n84nnFkakY85LOxXIv7Mo3CT5xV/n/teUgZhyU+97aK0
Soq68sBMBqo8v3Izrfi1wp5iF7nnjbkMBzkDVFsRkA7bqYlEpTqZenzTzdEhm/Kt
e+A1mY+hcWI5Gr3kkz8+LGOXgBHHjXjVslK5+KmOxzcpm77IBIQCXaTViUwTJPbW
kmrDT9MSiS+bpTHS6NPLgRz21FltbCL4d0QD7bCiMnLjdeYwfRzT+if/yR6YIGMb
1I2odrB2Qf42CXHZooB/fV5OO5ziUXBpos3HZLxIvCUjOHyCYnoL1s4M3A6Zjf3v
0rZvSOy0UNwYwSbxRe5G9Z2xfFddFCTE5dp0cPV2RUEVMVlNU/kgpsMtxCFwIN/U
ZgEJAhDOqBVfz4bsqSMs4t2I4Vys7oeOfYJveNT88qc/PNPqjXgEoWSWp2DZdSvV
dNHaoVQHHRyZbRxfIwe0q+xoNjv6H5NafDIMnRk0gWl0gCSJQpCIQ9j1IQrXUoPq
cArG8aqHSA==
=rUJB
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA6EyPtWBEI+2AQ/+PCUJ7JMkGZ37gSURfBI/fM9Ow1oRp1MH8mHiflICRsio
RJhrcuThlqWHYYSFE1OlQhha8Uu+s6oaps153LKS7ZH1dzomqr5H8LfuKsaO6GDg
QyuiSGGAfudtyQ5ILN1CHjO8ifh/4469J7P/SyKkQ2AhZGQePbGkrR4kqGhj5axn
fY3Ar8HreWssm30k797x6zSs0z3BDS5vUd8JZjpt2E1nmbVTX5dLcDud06UwE3ae
B6lC+T/lxwp4LptskgsaBiikPTYspPAL8M1yG5XxKvvQlU8a9Lta7jOoXWnJ0kYE
mLoSRFBxsQsrpir4msR3oEXS7H30gkCT5j8bLdON+vbbK3d6nE5v3SXkOZhJKm8P
Zhk70lkj1HWe1uh5XRRAjn5YDelnipuml6dQMUJdxw8YrUmnVXjL+AGT0p0gcf3S
kMU6FZfELOmdR1zqCt1HicVQDmQJA2wct2+2hXRRQ91M/FAxCILOA/mqq6jZNrw1
uz1Sa43IlI5lz/ts9bIhR8rZj/Iuq18tRgmKdLhxtuJyZKcN1v1CDiIgNOvlc67x
ydVbVHygWVs95WZyya/PjF1+K5Tuq+VkfHMIJz3cW5xDy4PwYS8GsTqG6r8gEYbx
Qn2NC3h2gtrJ76/Qo8xs+8KCbQAUgST/uSJRK8peyhvqJXSrbhFBvq7ewvJbroHS
XAHl1yNdyWNwC9t2G9twEd9c2FjLuyXGhrincAcQ0gdH1jhKHY7/LoBiVIRMBJDe
kDD+RjcCB9jXRGln/l4teKs5TeCKzpaJiONEcecl2tSqjSaOzNE8rJh0kihH
=Edso
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJARAAzGzj3TJVDsnArDe7GziE2avL5WHkHFUJNoQcEBqNhfTU
PNu8RKSpKelWeOFEFzgr3Q1imapoR1+UXzTC1dP0QL+6sEWiqImxrbHygpm9tPSp
HvLMIvAvS0zPjX9q7HFgsw2fm489To0tuEK0oTFcayatAAijpWBl63KyslFbk5f+
tHSnaYTeRZq9QkRZlNGI3uJgMXyrHnmoyUUIb5wdKKQ2tpt1nR5okh307kU6fwqb
vT5ylRSTEZ0eWDyQbb0hThJkQS2j8QnsBN/xabDN8QGTFORrPDDobW3iro22SKJv
iVyh1yAm7QiA9yTdqcB8J1QuYvnP4RzSoCSNCAK0gZ+DklPUGC9DIEK4VTdmUaWs
cJM/dZw861D8Jnavf2RToEa4binehYHvi/+TNv7vBE+2xe9cp2Y3UZq891gHKbmr
OdlaIUv5yvU6dJfV/aib33PoGxcim1jGmRnDDu+aYv215WqoUxfNniib/HcNFb9M
JT70R4Ixo6Hnp9DyvSh+wGKPGg2WRuwrspbAjFucwMdBuY4a3XoBE4QE8QhFjLWc
2JTegdfx4yKovY9raJ1U5LxYWkErpfdvPgYOpn2xIvhHBy9Y9F8RgnI5CIyQ2haO
KL82cNunEeljvluG+vH5bhbWNOjWKcRXfy474+KOBGSu8UJsZJr3s8n6RSAjmN7S
XAE8nvvN86y/RxvwxG0qUX3tEjVZwvipqrzxeAcY2lEX1zFpW8HyHzqWlnpN2LlG
pfqdqn6A6wocTpuaKhCWNc34Ws4uJ+XJd59nrNP6j/4Wl6SenxcJef7bgqru
=X/V9
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1ARAApyVhDae44C6aOlE8j+oAmoPWBiTc0j6VGAwo7y6OzRVx
p6W/l/ALDRd2eVfttzTtS/J3EZ85gQEt1RTOVTR/vTTL1j+XzNF6adPuC2+uJBAb
FFhiReuD9YGyT7aW84qmfI797kKFfdkjIUiUr62iGr+kJ/urC9JK2mNSnhKJVTct
lP0HA0vrUlEHzU1LACUWw2FylyOpO+248Nxx+SXgP8ol3kQk0hAGtEq3+p7ViQdl
K9fYMM5bxlNGmMav6WVaR8ipyjf7Q6jrwOrtNymVlxKoWfzuQy8o0ACsn2PADeG9
QZsKAmbp33S1hVYdTeXajTlPwtHhNewkxIQdahP2Ni1netzV6I8kp3HHoGO1XN0i
TtHlqZnd9/aJb5Uvuqsz4Ei+nHL0WGS7UJYKphWfw58MaYGkJ9xwEZVxoEWY9+ZQ
prQrXbIwbt6XJnuDnlgO/XZQs76/h/SAK9JQoXV13mC00SwcNqB9iav7S9+d5U3H
QOerfUDzEOjE9AehSmeruaNIdqr/V54dY9eQFGQ5hrM30JTycWdhxl0TZkAYsT+d
qd79FKXceBSodL00kg4OUS1pGwI7w6pe7RsQZ0hl9O8X8JXsRebe8Ardyh5oGe+W
yiKKGj0xi63MdzVm8r6FH4HoWPnmfTq5gcI8urUB/157aU8jlJen3TM4i4bwydzS
XAEldvNa4/1McnNpPAWGDNPGObSg71kAIR/opGGkS8atywKgkNSCUJ6wAJhyksqd
FVdrCl5Mt3GSgk5uVWeYfDuuIxM/aZ8WMjxjtxQMyOnkXQYmQD+D6dgkqiTb
=q5Tx
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA4HMJd/cQYrVAQ/8Dc0JtpbZLDLway7kk2YWhLvjTmBRzIZCAaa9WSEuDVWg
u1koIDIaeAi1Y7xNUbDeEACMo1gT23mRG7Dy6QSqi+6DUY4f4v7/UCwqyJdwAb0V
ig6ENedYzYoCKZ3t/kqeeZmKnQehj2hzmIci1avzQjUmsI+u1YGJOZGDCPK9W1CA
nkZ69BlsI7ZWwkaO7J9KKd8wLp1/XVcSnRjYxvowOHmUyDd1Mlm/I+umcqWZU9De
hXc9/4cPkUk+h5c4M9XeFFqxorOozMK0dyEBjFw7Dd7BMyPfyh5OnxPazp/aqgz3
T6SxedaTv0kH8U8dNkPkGc5NYv+D8gfZb7kLdzDglGvcHwL3HTwq7JUCFVvzCD9y
PN5XvFYIzwd1cxAbozhzX54almMFgvd8d1v+03ioEjxOJbAqMXRTgd8C5xUbFvH8
SJ8v4YsN5XksT6AME3MyZAZgWgbDqdQDAtUvP2cWlBFFJz4+43+71sec4AK9bqph
mG/aTXDHAQ+JjLUGH+hul87F+mIa5WspbSYJ0hky1Sz7JBr1153X1xutFMiIqafL
GwfUzkDqIY2AKZPocqyRthLUkSaf2axLdWMi3VfErzD8fu9XhpM7xY/sI1S7sCBs
HGfjBTF2zTvyNo4cS5SPW1QXGrGoAy6cpxJDkuOQMq/YvW2kIeO4Wv+as3TUtLzS
XAFxzoYXYbes+SGlxaRYY62CONNdFpvF66q8IgDN1/QNC0j8g0gE0bNc14KOamxr
Qg43kRmxOVlB+zbpY5lYI4YL7XbFusFGM9dKJVg9g390nRgDnD4yBZXfqkq/
=rthq
-----END PGP MESSAGE-----
fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ/5AXvpR4o2fsfev/U/qdJ5Zz8jKwGpZ+xAhEEL8E64+f/P
Y542Oqig04emeGgvZat+jnc3ihKa+Z6k1ysSd4cod/yDUAy4NVtYzTsTziDekmaF
A1nEkbZoBrwXHQVGnO0PtFttqa0JEr5LcFlYgF8NIQRTQSQQgKp8p3llUFZYx+Pb
vuhOtWbZMFtl+yq0p03nDP3mrj32nPyyLIngvj82jMRQmw0em+Zw1JAwIIg3svWq
bp6F9a++PP2Pboc/piEGT3BIq/41gjKoIwz9m+p0NoSIcDRgmIIxflS9vzG/APC9
E4lVM/U/px0OmLcrmlBTjQ7HwHhVEVEYjZiByeHCm5UjSYWF6yHcmyLp9etD3GsR
pPwFsmc2PWFiEWrM0aV+3EPGkSV1Kwkvd7v34sRqAsGkb8HO5KxtfIQMccMqwMRG
kwBUgLcVuft9H6k2N+MHY6yidr4LLopGfd2FZ8BkQGNy9kIVNdZw9v+6R5HkVpoD
cY0NpzwvX21M9CPuMoXzjwXLnoKHHt9sWoxL7L0XIjyTkvKmETFqvKIY7cPFU837
4uxnsPhVESL3UfXrIk3maCgIZfFFL60eglVHdSLUy9XvAIXkLrLzqZLTW0LVYsuY
ZAlqUkkqZ4jjrF9OlmHsjgn5znOiMlW35bcKppC+MonrNXCJHjCdGmpj1v0cc4nS
XAE0EBSF6XDG2rxXETyWzKJurkfveD1njjcRwYeBiBRZEXKKqWuICLIgR5h/WBQI
KPv2k2RhxjH6Zk6FWgc6EWhIWUM/6+zN24m5VnAgMg+DRp8d1mO6t4ZaS+WU
=p4B8
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoAQ//Z0+gyWwynvznK8WbrU9aP583JpI53BilDDl+dJ34P28f
Kd2wr/l/Aw6QZ43kp0JGA3ZMB9SbWKy56L6MXPcDXHM42ojRCN1Z3am6NZEx4M+K
cstyV9qHZp/bUQjlUna3eZBlehHgRM0tRCKn/83Gi08nNK15wRlfZR5tg0aNbdXT
4ymxyUfA3+n8k4K/rZlBxJ59UESUcuUJCb/oPiUCrS7lXJwA8f85F5/M9t7D1xwO
2AfkoYl5b2NU48JrICY7SQp+xYg0jwEB2nAC/Gpmk9FGxCMIeFIT4MfpGmMah0t6
+2qDWQFQ86TEoAHVTqcW77Qmw7WLjNm8oLh0FWYb8VxaRo2B2jnbTtC0cosLWyl2
TrOwSYfzOOclQQchbmoK1JQb5+dUV+qUN4BO4MuI0mSXk85QFys3CY9a9X2pRXSh
SW7uMCj3SQ784uoYDBNprIYv4qsfzTEgCxrG9Ev/h35JyuNUr/oKGVsVfsLETJC/
Leepo2FjQIzr9qe52AVcUe9JH++jrPOgUM6JQEHHz+jp+N9arsuTGakxu/5saNjT
+E7WtWdBM5mtr82DDoTKsKLEUJKsMKFpQovFjvz5tgCAsoMhFP5oem2gbfOVi2+A
uQjQH+xJow4OMjb58Qx7fILcky6XYDTNWn9hlf2zrXmtEnhkSwf6U/Gyo71qCtDS
XAHIEr8bpFS9ndb1tchTO8mcDANnKLWttuqs/UdN/W0nl895hIP7C6esi7vLF1gM
OfYLVy+X8FyS5hpjd9rcEd5jj7XBMJ4kHaW7QLMGWHYS2zLjGOhYHS4rt7nk
=hag6
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqARAAi01+TuUHgBT2UH75pacaptBmEYedNUkzqhUn98AA1yr5
PtYV1NGNP/rq7LDXP367yXhCslrwr+1BO7qnfAsEsEFr6InAyhOyZmAs18u5ilwc
RxW5EXrANm8SQLODBPH3/gxltpW7vzfayxdTOTNyCUH0x22eKfYknawOfpaMevAm
95nhILE05Unqd4FSoQId+Zw6djuMdSdQ6iAANKmvRpgs1Y8RNb9P/JG1TmbVvqQm
dbx5hfoLuNnLR4q0r64tGej0iVeBljSjUDrxusjMkhwgiinFTTz8oNoLoOuPjPMm
MymkjV1m6HzdwB9JMU7kMcHDEsqhXiKcxZ5mPDQJIXSG7TTuIZndRsln2ske9ibm
uZusIC7y1868R409UWhjGXjxsoFzqOKpOCo8tFoZSdE250E6o7U8PKOgSUxRAQlb
va7LUhP10ODZof5jM9xUDorrcamT1kbnmz4SlYDIOSliR0ofsmX0ObyxZmL3CZhN
/iC5BVv9D14U7iU0PsKZl0XUOP+urJwSZSCid0zq8rjUXdqy0YH81eBG9Y360ZHB
AlfhfeaYindnJYkPpZe1XWyI0yaKOjrKgdz8/vuDTZWyNseKAcofA7cgjUHtIUvu
uMPhFk+RHd0xZnk3yrlTnEOht8MiAZxVFPk3NK/P7W3D3r0li5D5f7+2ph8RsI/S
XAFXDSRXTIDsHCWPjvTAftTKbS8dq4A28yFHJg8+Ber+RxBbOWH7NpBIgmO2SNAJ
9CkU9neCROJuNBY9h0Xl4Yp7g6XNOeFeWdgxqJgZWhoKYSR0W8ILzQD45PXj
=ALYc
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA4EEKdYEzV0pAQ/+L9uVnDe2jK1unhCFjKv0YhHobPNSQAhXaYoIiw2qTJ/q
ntduHgPFvLjQdeGT6EsfS+vxGcsLtS2FlG8woiLzX0iyc9sB0AmcwwKdG2FwyemY
+ZPE8BfjVKrGq0oiYASIceYxTfdp1kNX2aTIpuBzm36ccHQb/RSzUhEeZjyN4xtO
c6j8HJ6TANoh4eBG+X4LDVGFQPMToozqw/2hX5HPn+EDqP6Egprf/6hAetX4VcCk
csbP2AB2wl75U8Q8xSmlNUj/CTz4wpOpNj5tjsADP/ZlkH6EUcGIPk3+BC6ovy54
zoydEnTi6uy+gMAZDLP2bRdSgjW887TIh3qPsZiyG0SEygC3B+Fb1EY/NIL7Yh5R
mJDdMbrAb9rBSXYS1ptLvq2QSjbyIpVK2n+PLtycySsaktsAEopotlwxlbf/QSBv
FCRgws0djwZ4+qtXJ/D1pMNSHD4sdRxGANPdqNJem7S4fHmegtlVWNphDP8V2bUa
krGYBc0pn/cTusEJgkccp898ghJQ7bjKxD41qtIkfceB8FnaKgdxBrNfIrucaMjb
xv0NLk5NLTCbv/ES5R6Pb4MDKEBpInUp6gygcbaDybyn5lu/jT+6pYFp8Sq0F81B
+Vk7+iz9MsV8Yz9dHJnqIiypZREF1KRPWpenNAK9XGdy5SxezfBS7Zz1VShYgoPS
XAGKmeK4A1VarYym4wSb/AXhT6HXLBM6VWB6OFvz3sXR02sAUI7GXuZOjY2raezt
Usn+dhqFnRUHgUqgtLYGXlgyXiSjUTGQnh4c18n/mkbApUKcTdX2VigoivLo
=Xjqf
-----END PGP MESSAGE-----
fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdAEZMgepQuERqKK4S8uiXmIYIRdeN5swy6S4hmzdL3yj8w
E45ScSNMVsvKD3pQq8EqxTFPb5pQ+2LfpP8gbbhYoDomGDm4tcbr8pyH3AXXoFwl
0lwBFFDJa1GSmHSgnJqrIaqmOZJgBE5t3IEIiDQksVjV7KTwPMwoU+wx42AAU/dS
hjxQwPAfpwO9mH6FN4JC8OTVSU1VfWLCO4e8HroG44c2gOxFfnflaMjaXuIsDA==
=kkiD
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAzdAjw8ldn6CAQ//Z5yRTQUt73bYUIrnaBPwQCLB4lmlutSICdQvdlQFcqDZ
Tw0kBNBS+4dEhxlYuEmCJgM6H+2KEH+6/M5IdFErlTz8Ly0R73adlSMu0R+os/6i
clLQQAwWIyFVuRaaNxSDdJ06sl4+hZyGZlbpo9kYBjslTUpJC4urvc+6xlRnlIuf
gae9+Zmh1K9+BpUH5svExyTERwWQI1HzvcqSc+tsEYugNvJitBHTyfpFN8xjtbns
h1aDXgKo4riFHzlZHftWfaLdot8++0jgluc7fCNXfnNVYf+nREIP49A/bkDFH4Re
Lwhq1iQte48KE0JKiaXDsAwLSanNYOfEZo5LSAFYAaEGJ6gUwnyoRgH+2T9FiWoJ
Z3myWbrm0SUr8Za2k1AA1FGz8tmGppxGZp3llyqaY/hbP84myfnfpvis6IUAzyfl
xMZOGs0Q3VlOJRAYXOWS64oM6cvCg9rJiOsPMr75P+9nWhz+Ur/X8hPTPr4ku/D1
ewUhDd406/a7aAGe7m6RyRnVCK2mybuKKYt3BGu0usYvKcPIMUYq+g2zqt6/fQ5r
gS2c+uuvMqM6o9dxkRxZWt99o8E29cGH51yl9IdrXsr7F/EyymjBENQxbDApp9mG
DHokBg9QdRvwRyyC2YBttgob8QrkZTI4xE7oRFaq9wuZqhjv6VGZXO0jauIRYV7S
XAFidvRJ2EMZlPeVpDkosbXLsux2q4v0ECXy1ciRRYJn50vLN8Fqk2fKg4aKkqeV
riCQgu8aliCMtTRTa+/NQoTpXbqD9XaPz8hf9betygs+6y3zVyBn7k7WQqmj
=yfan
-----END PGP MESSAGE-----
fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -1,7 +0,0 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

View file

@ -2,6 +2,26 @@
"dynamic": {
"sensors": {
"temperature": [
{
"sensor_data": {
"unit": "°C",
"location": "Hauptraum",
"description": "Sensor im Hauptraum"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "°C",
"location": "Loetschlauch",
"description": "Sensor im Lötschlauch (Teil der Werkstatt)"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "°C",
@ -14,6 +34,26 @@
}
],
"humidity": [
{
"sensor_data": {
"unit": "%",
"location": "Hauptraum",
"description": "Sensor im Hauptraum"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "%",
"location": "Loetschlauch",
"description": "Sensor im Lötschlauch (Teil der Werkstatt)"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "%",
@ -25,13 +65,12 @@
]
}
],
"ext_3d_printer_busy_state": [
"CO2": [
{
"sensor_data": {
"unit": "bool",
"location": "Loetschlauch",
"name": "mk4",
"description": "Prusa mk4 busy state"
"unit": "ppm",
"location": "Hauptraum",
"description": "Sensor im Hauptraum (Typ: SCD41)"
},
"allowed_credentials": [
"club-assistant"
@ -39,34 +78,9 @@
},
{
"sensor_data": {
"unit": "bool",
"unit": "ppm",
"location": "Loetschlauch",
"name": "mk3.5",
"description": "Prusa mk3.5 busy state"
},
"allowed_credentials": [
"club-assistant"
]
}
],
"ext_3d_printer_minutes_remaining": [
{
"sensor_data": {
"unit": "minutes_remaining",
"location": "Loetschlauch",
"name": "mk4",
"description": "Prusa mk4 minutes remaining"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "minutes_remaining",
"location": "Loetschlauch",
"name": "mk3.5",
"description": "Prusa mk3.5 minutes remaining"
"description": "Sensor im Lötschlauch (Teil der Werkstatt, Typ: SCD41)"
},
"allowed_credentials": [
"club-assistant"

View file

@ -4,7 +4,7 @@
"14"
],
"space": "CCCHH",
"logo": "https://hamburg.ccc.de/images/logo.svg",
"logo": "https://next.hamburg.ccc.de/images/logo.svg",
"ext_ccc": "erfa",
"url": "https://hamburg.ccc.de/",
"location": {

View file

@ -1,20 +1,19 @@
{ pkgs, ... }:
let
version = "v0.1.0";
spaceapidSrc = pkgs.fetchgit {
spaceapidSrc = builtins.fetchGit {
url = "https://git.hamburg.ccc.de/CCCHH/spaceapid.git";
rev = version;
hash = "sha256-2SDhliltzyydPPZdNn/htDydiK/SHQcYyG/dQ0EyFrY=";
ref = "main";
rev = "bbeb0d0e2b4538faed275b9891fb55149bc3a2f8";
};
spaceapid = pkgs.buildGoModule rec {
pname = "spaceapid";
inherit version;
version = "main";
src = spaceapidSrc;
ldflags = [
"-X main.version=${version}"
"-X main.version=${version}-${spaceapidSrc.rev}"
];
# Since spaceapid doesn't have any dependencies, we can set this to null and
@ -39,7 +38,7 @@ in
After = [ "network.target" "network-online.target" ];
};
serviceConfig = {
ExecStart = "${spaceapid}/bin/spaceapid -c ${spaceapidConfigResponse},${spaceapidConfigDynamic},/run/secrets/spaceapid_config_ccchh_credentials";
ExecStart = "${spaceapid}/bin/spaceapid -c ${spaceapidConfigResponse},${spaceapidConfigDynamic},/secrets/spaceapid-config-ccchh-credentials.secret";
User = "spaceapi";
Group = "spaceapi";
Restart = "on-failure";
@ -48,10 +47,14 @@ in
wantedBy = [ "multi-user.target" ];
};
sops.secrets."spaceapid_config_ccchh_credentials" = {
mode = "0440";
owner = "spaceapi";
group = "spaceapi";
restartUnits = [ "spaceapid.service" ];
deployment.keys = {
"spaceapid-config-ccchh-credentials.secret" = {
keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/public-web-static/spaceapid-config-ccchh-credentials" ];
destDir = "/secrets";
user = "spaceapi";
group = "spaceapi";
permissions = "0640";
uploadAt = "pre-activation";
};
};
}

View file

@ -5,14 +5,9 @@
./branding-resources.hamburg.ccc.de.nix
./c3cat.de.nix
./element.hamburg.ccc.de.nix
./hacker.tours.nix
./hackertours.hamburg.ccc.de.nix
./hamburg.ccc.de.nix
./spaceapi.hamburg.ccc.de.nix
./staging.hacker.tours.nix
./staging.hackertours.hamburg.ccc.de.nix
./staging.hamburg.ccc.de.nix
./www.hamburg.ccc.de.nix
./historic-easterhegg
];
}

View file

@ -1,10 +1,10 @@
{ pkgs, ... }:
let
elementWebVersion = "1.11.80";
elementWebVersion = "1.11.59";
element-web = pkgs.fetchzip {
url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
sha256 = "sha256-sudWmNehxGsbZTNirTkoWQ/Bln1DC1CI30wocw9VoH8=";
sha256 = "sha256-iVTd5zWUJh9wkbKMh+5hq0ucQaLLY29w1xCLxDIdQ18=";
};
elementSecurityHeaders = ''
# Configuration best practices

View file

@ -1,63 +0,0 @@
{ pkgs, ... }:
let
domain = "hacker.tours";
dataDir = "/var/www/${domain}";
deployUser = "hackertours-website-deploy";
in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrDTANfPMkcf+V7zkypzaeX2fxkfStPHmZKqC29xyqy deploy key for hacker.tours"
];
};
users.groups."${deployUser}" = { };
}

View file

@ -1,68 +0,0 @@
{ pkgs, ... }:
let
domain = "hackertours.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "ht-ccchh-website-deploy";
in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
port_in_redirect off;
rewrite ^/(de|en)/tours$ /$1/37c3 redirect;
rewrite ^/(de|en)/tours/(.*)$ /$1/37c3/$2 redirect;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxMnllgRD6W85IQ0WrVJSwr7dKM8PLNK4pmGaJRu0OR deploy key for hackertours.hamburg.ccc.de"
];
};
users.groups."${deployUser}" = { };
}

View file

@ -94,8 +94,6 @@
real_ip_header proxy_protocol;
error_page 404 /404.html;
port_in_redirect off;
'';
};
};

View file

@ -1,12 +0,0 @@
{...}:
{
imports = [
./eh03.nix
./eh05.nix
./eh07.nix
./eh09.nix
./eh11.nix
./eh20.nix
];
}

View file

@ -1,101 +0,0 @@
{ pkgs, ... }:
let
eh03 = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2003-website.git";
rev = "74977c56486cd060566bf06678a936e801952f9e";
hash = "sha256-ded/NO+Jex2Sa4yWAIRpqANsv8i0vKmJSkM5r9KxaVk=";
};
in
{
security.acme.certs."eh03.easterhegg.eu".extraDomainNames = [
"eh2003.hamburg.ccc.de"
"www.eh2003.hamburg.ccc.de"
"easterhegg2003.hamburg.ccc.de"
"www.easterhegg2003.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-eh03.easterhegg.eu" = {
enableACME = true;
serverName = "eh03.easterhegg.eu";
serverAliases = [
"eh2003.hamburg.ccc.de"
"www.eh2003.hamburg.ccc.de"
"easterhegg2003.hamburg.ccc.de"
"www.easterhegg2003.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2003.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "eh03.easterhegg.eu";
serverAliases = [
"eh2003.hamburg.ccc.de"
"www.eh2003.hamburg.ccc.de"
"www.easterhegg2003.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh03.easterhegg.eu";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"eh03.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh03.easterhegg.eu";
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.html";
root = eh03;
extraConfig = ''
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;
'';
};
extraConfig = ''
set $chosen_lang "de";
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
# Enable SSI
ssi on;
'';
};
};
}

View file

@ -1,100 +0,0 @@
{ pkgs, ... }:
let
eh05 = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2005-website.git";
rev = "f1455aee35b6462ab5c46f3d52c47e0b200c1315";
hash = "sha256-lA4fxO05K39nosSYNfKUtSCrK+dja1yWKILqRklSNy8=";
};
in
{
security.acme.certs."eh05.easterhegg.eu".extraDomainNames = [
"eh2005.hamburg.ccc.de"
"www.eh2005.hamburg.ccc.de"
"easterhegg2005.hamburg.ccc.de"
"www.easterhegg2005.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-eh05.easterhegg.eu" = {
enableACME = true;
serverName = "eh05.easterhegg.eu";
serverAliases = [
"eh2005.hamburg.ccc.de"
"www.eh2005.hamburg.ccc.de"
"easterhegg2005.hamburg.ccc.de"
"www.easterhegg2005.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2005.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "eh05.easterhegg.eu";
serverAliases = [
"eh2005.hamburg.ccc.de"
"www.eh2005.hamburg.ccc.de"
"www.easterhegg2005.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh05.easterhegg.eu";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"eh05.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh05.easterhegg.eu";
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.shtml";
root = eh05;
extraConfig = ''
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;
'';
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
# Enable SSI
ssi on;
'';
};
};
}

View file

@ -1,106 +0,0 @@
{ pkgs, ... }:
let
eh07 = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2007-website.git";
rev = "0bb06fd2654814ddda28469a1bf9e50a9814dd9a";
hash = "sha256-jMpDxgxbL3ipG3HLJo0ISTdWfYYrd2EfwpmoiWV0qCM=";
};
in
{
security.acme.certs."eh07.easterhegg.eu".extraDomainNames = [
"eh2007.hamburg.ccc.de"
"www.eh2007.hamburg.ccc.de"
"eh07.hamburg.ccc.de"
"www.eh07.hamburg.ccc.de"
"easterhegg2007.hamburg.ccc.de"
"www.easterhegg2007.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-eh07.easterhegg.eu" = {
enableACME = true;
serverName = "eh07.easterhegg.eu";
serverAliases = [
"eh2007.hamburg.ccc.de"
"www.eh2007.hamburg.ccc.de"
"eh07.hamburg.ccc.de"
"www.eh07.hamburg.ccc.de"
"easterhegg2007.hamburg.ccc.de"
"www.easterhegg2007.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2007.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "eh07.easterhegg.eu";
serverAliases = [
"eh2007.hamburg.ccc.de"
"www.eh2007.hamburg.ccc.de"
"eh07.hamburg.ccc.de"
"www.eh07.hamburg.ccc.de"
"www.easterhegg2007.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh07.easterhegg.eu";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"eh07.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh07.easterhegg.eu";
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.shtml";
root = eh07;
extraConfig = ''
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;
'';
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
# Enable SSI
ssi on;
'';
};
};
}

View file

@ -1,105 +0,0 @@
{ pkgs, ... }:
let
eh09 = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2009-website.git";
rev = "6d4a50c5ab23870072f0b33dd0171b0c56d6cab5";
hash = "sha256-kPJOrKseJD/scRxhYFa249DT1cYmeCjnK50Bt0IJZK8=";
};
in
{
security.acme.certs."eh09.easterhegg.eu".extraDomainNames = [
"eh2009.hamburg.ccc.de"
"www.eh2009.hamburg.ccc.de"
"eh09.hamburg.ccc.de"
"www.eh09.hamburg.ccc.de"
"easterhegg2009.hamburg.ccc.de"
"www.easterhegg2009.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-eh09.easterhegg.eu" = {
enableACME = true;
serverName = "eh09.easterhegg.eu";
serverAliases = [
"eh2009.hamburg.ccc.de"
"www.eh2009.hamburg.ccc.de"
"eh09.hamburg.ccc.de"
"www.eh09.hamburg.ccc.de"
"easterhegg2009.hamburg.ccc.de"
"www.easterhegg2009.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2009.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "eh09.easterhegg.eu";
serverAliases = [
"eh2009.hamburg.ccc.de"
"www.eh2009.hamburg.ccc.de"
"eh09.hamburg.ccc.de"
"www.eh09.hamburg.ccc.de"
"www.easterhegg2009.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh09.easterhegg.eu";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"eh09.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh09.easterhegg.eu";
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.shtml";
root = eh09;
extraConfig = ''
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;
'';
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
# Enable SSI
ssi on;
'';
};
};
}

View file

@ -1,106 +0,0 @@
{ pkgs, ... }:
let
eh11 = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2011-website.git";
rev = "c20540af71d4a0bd1fa12f49962b92d04293415b";
hash = "sha256-9hhtfU8fp2HOThcyQ4R7kuGQBjZktqMtiiYQhOas2QA=";
};
in
{
security.acme.certs."eh11.easterhegg.eu".extraDomainNames = [
"eh2011.hamburg.ccc.de"
"www.eh2011.hamburg.ccc.de"
"eh11.hamburg.ccc.de"
"www.eh11.hamburg.ccc.de"
"easterhegg2011.hamburg.ccc.de"
"www.easterhegg2011.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-eh11.easterhegg.eu" = {
enableACME = true;
serverName = "eh11.easterhegg.eu";
serverAliases = [
"eh2011.hamburg.ccc.de"
"www.eh2011.hamburg.ccc.de"
"eh11.hamburg.ccc.de"
"www.eh11.hamburg.ccc.de"
"easterhegg2011.hamburg.ccc.de"
"www.easterhegg2011.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2011.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "eh11.easterhegg.eu";
serverAliases = [
"eh2011.hamburg.ccc.de"
"www.eh2011.hamburg.ccc.de"
"eh11.hamburg.ccc.de"
"www.eh11.hamburg.ccc.de"
"www.easterhegg2011.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh11.easterhegg.eu";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"eh11.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh11.easterhegg.eu";
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.shtml";
root = eh11;
extraConfig = ''
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;
'';
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
# Enable SSI
ssi on;
'';
};
};
}

View file

@ -1,91 +0,0 @@
{ pkgs, ... }:
let
eh20 = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-eh20-website.git";
rev = "026932ef2f1fb85c99269e0fb547589a25d3687c";
hash = "sha256-YYxHhPYIioJgyHXNieoX6ibasHcNw/AFk+qCNSOxke4=";
};
in
{
security.acme.certs."eh20.easterhegg.eu".extraDomainNames = [
"www.eh20.easterhegg.eu"
"eh20.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-eh20.easterhegg.eu" = {
enableACME = true;
serverName = "eh20.easterhegg.eu";
serverAliases = [
"www.eh20.easterhegg.eu"
"eh20.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"www.eh20.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh20.easterhegg.eu";
serverAliases = [
"eh20.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh20.easterhegg.eu";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"eh20.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh20.easterhegg.eu";
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "start.html";
root = "${eh20}/wiki_siteexport";
};
# redirect doku.php?id=$pagename to /$pagename.html
locations."/doku.php" = {
return = "301 $scheme://$host/$arg_id.html";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
}

View file

@ -1,60 +0,0 @@
{ pkgs, ... }:
let
domain = "staging.hacker.tours";
dataDir = "/var/www/${domain}";
deployUser = "hackertours-website-deploy";
in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
# Hackertours deploy user already defined in hacker.tours.nix.
}

View file

@ -1,62 +0,0 @@
{ pkgs, ... }:
let
domain = "staging.hackertours.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "ht-ccchh-website-deploy";
in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
# Hackertours CCCHH deploy user already defined in hackertours.hamburg.ccc.de.nix.
}

View file

@ -44,8 +44,6 @@
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
port_in_redirect off;
'';
};
};

View file

@ -1,10 +0,0 @@
{ ... }:
{
networking = {
hostName = "status";
domain = "z9.ccchh.net";
};
system.stateVersion = "24.05";
}

View file

@ -1,10 +0,0 @@
{ ... }:
{
imports = [
./configuration.nix
./networking.nix
./nginx.nix
./uptime-kuma.nix
];
}

Some files were not shown because too many files have changed in this diff Show more