


christian c78c278627
Set WOODPECKER_LIMIT_MEM to 6 GB for woodpecker
so pipelines don't get killed by OOM.
2024-11-17 22:43:51 +01:00
jopejoe1 e3c677ea9b
fix: use tar file 2024-11-17 21:15:05 +01:00
christian ecd9fe4adf
fix: use http clone url from forgejo 2024-11-17 21:06:27 +01:00
jopejoe1 2003367108
move authorized keys to flake input 2024-11-17 20:33:38 +01:00
christian 53e33a6641
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565' (2024-10-21)
  → 'github:nix-community/nixos-generators/06ffce1a8d95e95c06a4bcfa117dd960b14a7101' (2024-11-14)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/cce4521b6df014e79a7b7afc58c703ed683c916e' (2024-10-20)
  → 'github:nix-community/nixpkgs.lib/e04234d263750db01c78a412690363dc2226e68a' (2024-11-10)
• Updated input 'nixos-generators/nixpkgs':
    follows 'nixpkgs'
  → 'github:NixOS/nixpkgs/aebe249544837ce42588aa4b2e7972222ba12e8f' (2024-11-10)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/11f65b4b0405cff5b54c813626bddcf5435d7ad2' (2024-11-09)
  → 'github:nixos/nixpkgs/bf6132dc791dbdff8b6894c3a85eb27ad8255682' (2024-11-17)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/f1675e3b0e1e663a4af49be67ecbc9e749f85eb7' (2024-11-10)
  → 'github:Mic92/sops-nix/472741cf3fee089241ac9ea705bb2b9e0bfa2978' (2024-11-17)
• Removed input 'sops-nix/nixpkgs-stable'
2024-11-17 20:25:16 +01:00
jopejoe1 e404d4740f
remove nixpkgs-unstable
the current version of woodpecker-server in stable now has the features this was originally used for, and no other usages of unstable are left in tree, so removing it.
2024-11-17 19:33:00 +01:00
jopejoe1 f7ebe660fe
format files with nix fmt 2024-11-17 19:33:00 +01:00
jopejoe1 6c85b91efb
make use of nixosModules output 2024-11-17 19:33:00 +01:00
jopejoe1 7d58a3db4a
move overlay to overlays output 2024-11-17 19:32:59 +01:00
christian c25d6c6326
revert: useing pkgs.fetchGit for authorized keys
reverts the changes from ec64eebfd6
it breaks some of the flake processes we use,
setting 'allow-import-from-derivation' doesn't seem like a good fix to me and doesn't work in all cases.
I couldn't find any other solution to fix it for now,
so we will revert it for now, until we have a better solution.
2024-11-17 19:24:25 +01:00
June d98aa099e1
license this repo under the MIT license
All previous contributors are asked to sign off on licensing this repo
under the MIT license in PR 12
(#12). Once all
contributors signed-off, this commit will be merged into the main
branch and this repo will be licensed under the MIT license.

Don't track copyright years in the license, as that is cumbersome and
also not done in other projects anymore:
https://daniel.haxx.se/blog/2023/01/08/copyright-without-years/
https://github.com/rails/rails/pull/47467

MIT License:
https://opensource.org/license/MIT
https://choosealicense.com/licenses/mit/
2024-11-14 22:56:50 +01:00
June cf46da9df7
public-web-static: make c3cat.de and www work as well as staging 2024-11-12 23:06:01 +01:00
26 changed files with 357 additions and 221 deletions

21
LICENSE Normal file

@ -0,0 +1,21 @@
MIT License
Copyright (c) CCCHH
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


@ -73,3 +73,7 @@ Build a new NixOS Proxmox VE Template for the chaosknoten:
```shell ```shell
nix build .#proxmox-chaosknoten-nixos-template nix build .#proxmox-chaosknoten-nixos-template
``` ```
## License
This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).


@ -6,14 +6,9 @@
# - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix # - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix
# - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings # - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings
{ config, pkgs, lib, ... }: { config, pkgs, lib, authorizedKeysRepo, ... }:
let let
authorizedKeysRepo = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
rev = "686a6af22f6696f0c0595c56f463c078550049fc";
hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=";
};
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys")); authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
in in
{ {
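Review bot: The `authorizedKeys` line now reads from an `authorizedKeysRepo` module argument with nothing in this file saying where it comes from or how it is pinned — the removed `fetchgit` block carried the rev and hash in plain sight, and that context is gone. Suggest a comment above it: `# authorizedKeysRepo is the non-flake input declared in flake.nix (passed in via specialArgs); its revision and narHash are pinned in flake.lock, so rotating keys means bumping that input and re-locking.` Note also that the filter only drops empty lines, so comment lines or keys carrying options in that repository's `authorized_keys` pass through verbatim; the consumer of `authorizedKeys` is outside the hunk, so I cannot tell from here whether that matters.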


@ -21,7 +21,8 @@ let
app = "dokuwiki"; app = "dokuwiki";
domain = "eh22.easterhegg.eu"; domain = "eh22.easterhegg.eu";
dataDir = "/srv/www/${domain}"; dataDir = "/srv/www/${domain}";
in { in
{
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${app} ${app}" "d ${dataDir} 0755 ${app} ${app}"
]; ];
@ -76,7 +77,7 @@ in {
default = true; default = true;
enableACME = true; enableACME = true;
serverName = "${domain}"; serverName = "${domain}";
listen = [ listen = [
{ {
addr = "0.0.0.0"; addr = "0.0.0.0";


@ -1,10 +1,10 @@
{ ... }: { ... }:
{ {
networking = { networking = {
hostName = "mqtt"; hostName = "mqtt";
domain = "z9.ccchh.net"; domain = "z9.ccchh.net";
}; };
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }


@ -1,9 +1,9 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
imports = [ imports = [
./configuration.nix ./configuration.nix
./networking.nix ./networking.nix
./mosquitto.nix ./mosquitto.nix
]; ];
} }


@ -5,29 +5,29 @@
{ ... }: { ... }:
{ {
services.mosquitto = { services.mosquitto = {
enable = true; enable = true;
persistence = true; persistence = true;
# set config for all listeners # set config for all listeners
listeners = [ { listeners = [{
settings.allow_anonymous = true; settings.allow_anonymous = true;
omitPasswordAuth = true; omitPasswordAuth = true;
acl = ["topic readwrite #"]; acl = [ "topic readwrite #" ];
} ]; }];
bridges.winkekatz = { bridges.winkekatz = {
addresses = [ addresses = [
{ address = "mqtt.winkekatze24.de"; } { address = "mqtt.winkekatze24.de"; }
]; ];
topics = [ topics = [
"winkekatze/allcats/eye/set in 2" "winkekatze/allcats/eye/set in 2"
"winkekatze/allcats in 2" "winkekatze/allcats in 2"
"+/status out 2 winkekatze/ \"\"" "+/status out 2 winkekatze/ \"\""
"+/connected out 2 winkekatze/ \"\"" "+/connected out 2 winkekatze/ \"\""
]; ];
};
}; };
};
networking.firewall.allowedTCPPorts = [ 1883 ]; networking.firewall.allowedTCPPorts = [ 1883 ];
} }


@ -26,7 +26,7 @@
}; };
yuri = { yuri = {
isNormalUser = true; isNormalUser = true;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
]; ];


@ -1,10 +1,19 @@
{ pkgs, ... }: { pkgs, ... }:
{ let
domain = "c3cat.de";
dataDir = "/var/www/${domain}";
deployUser = "c3cat-website-deploy";
in {
security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"acme-c3cat.de" = { "acme-${domain}" = {
enableACME = true; enableACME = true;
serverName = "c3cat.de"; serverName = "${domain}";
serverAliases = [
"www.${domain}"
];
listen = [ listen = [
{ {
@ -14,9 +23,9 @@
]; ];
}; };
"c3cat.de" = { "$www.${domain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = "c3cat.de"; useACMEHost = "${domain}";
listen = [ listen = [
{ {
@ -28,7 +37,7 @@
]; ];
locations."/" = { locations."/" = {
return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start"; return = "302 https://c3cat.de$request_uri";
}; };
extraConfig = '' extraConfig = ''
@ -42,5 +51,45 @@
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
}; };
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
];
};
users.groups."${deployUser}" = { };
} }
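Review bot: The www virtual host on the line `"$www.${domain}" = {` has a stray `$`: Nix only interpolates `${…}`, so the attribute name becomes the literal `$www.c3cat.de`, and since NixOS derives the default `serverName` from the attribute name, requests for www.c3cat.de would presumably not match this vhost and fall through to whatever server nginx treats as default on that port. The fix is `"www.${domain}" = {`. For the same reason the redirect target `302 https://c3cat.de$request_uri` could use `${domain}` so the host is spelled in one place. Separately, the new deploy account at `users.users."${deployUser}"` is created with `isNormalUser = true` plus an SSH key, i.e. a full login shell; if that key only needs to upload into `${dataDir}`, consider restricting it (OpenSSH `restrict`/`command=` key options, or a non-login shell) and record the intended access in a comment.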


@ -9,6 +9,7 @@
./hackertours.hamburg.ccc.de.nix ./hackertours.hamburg.ccc.de.nix
./hamburg.ccc.de.nix ./hamburg.ccc.de.nix
./spaceapi.hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix
./staging.c3cat.de.nix
./staging.hacker.tours.nix ./staging.hacker.tours.nix
./staging.hackertours.hamburg.ccc.de.nix ./staging.hackertours.hamburg.ccc.de.nix
./staging.hamburg.ccc.de.nix ./staging.hamburg.ccc.de.nix


@ -4,7 +4,8 @@ let
domain = "hacker.tours"; domain = "hacker.tours";
dataDir = "/var/www/${domain}"; dataDir = "/var/www/${domain}";
deployUser = "hackertours-website-deploy"; deployUser = "hackertours-website-deploy";
in { in
{
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"acme-${domain}" = { "acme-${domain}" = {
enableACME = true; enableACME = true;


@ -4,7 +4,8 @@ let
domain = "hackertours.hamburg.ccc.de"; domain = "hackertours.hamburg.ccc.de";
dataDir = "/var/www/${domain}"; dataDir = "/var/www/${domain}";
deployUser = "ht-ccchh-website-deploy"; deployUser = "ht-ccchh-website-deploy";
in { in
{
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"acme-${domain}" = { "acme-${domain}" = {
enableACME = true; enableACME = true;


@ -1,4 +1,4 @@
{...}: { ... }:
{ {
imports = [ imports = [
@ -9,4 +9,4 @@
./eh11.nix ./eh11.nix
./eh20.nix ./eh20.nix
]; ];
} }


@ -6,7 +6,7 @@ let
rev = "74977c56486cd060566bf06678a936e801952f9e"; rev = "74977c56486cd060566bf06678a936e801952f9e";
hash = "sha256-ded/NO+Jex2Sa4yWAIRpqANsv8i0vKmJSkM5r9KxaVk="; hash = "sha256-ded/NO+Jex2Sa4yWAIRpqANsv8i0vKmJSkM5r9KxaVk=";
}; };
in in
{ {
security.acme.certs."eh03.easterhegg.eu".extraDomainNames = [ security.acme.certs."eh03.easterhegg.eu".extraDomainNames = [
"eh2003.hamburg.ccc.de" "eh2003.hamburg.ccc.de"
@ -48,7 +48,7 @@ in
}]; }];
locations."/".return = "302 https://eh03.easterhegg.eu"; locations."/".return = "302 https://eh03.easterhegg.eu";
extraConfig = '' extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy


@ -48,7 +48,7 @@ in
}]; }];
locations."/".return = "302 https://eh05.easterhegg.eu"; locations."/".return = "302 https://eh05.easterhegg.eu";
extraConfig = '' extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
@ -60,7 +60,7 @@ in
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };
"eh05.easterhegg.eu" = { "eh05.easterhegg.eu" = {
forceSSL = true; forceSSL = true;
useACMEHost = "eh05.easterhegg.eu"; useACMEHost = "eh05.easterhegg.eu";
@ -71,7 +71,7 @@ in
ssl = true; ssl = true;
proxyProtocol = true; proxyProtocol = true;
}]; }];
locations."/" = { locations."/" = {
index = "index.shtml"; index = "index.shtml";
root = eh05; root = eh05;
@ -80,7 +80,7 @@ in
default_type text/html; default_type text/html;
# Enable SSI # Enable SSI
ssi on; ssi on;
''; '';
}; };
extraConfig = '' extraConfig = ''


@ -54,7 +54,7 @@ in
}]; }];
locations."/".return = "302 https://eh07.easterhegg.eu"; locations."/".return = "302 https://eh07.easterhegg.eu";
extraConfig = '' extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
@ -86,7 +86,7 @@ in
default_type text/html; default_type text/html;
# Enable SSI # Enable SSI
ssi on; ssi on;
''; '';
}; };
extraConfig = '' extraConfig = ''


@ -54,7 +54,7 @@ in
}]; }];
locations."/".return = "302 https://eh09.easterhegg.eu"; locations."/".return = "302 https://eh09.easterhegg.eu";
extraConfig = '' extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
@ -86,7 +86,7 @@ in
default_type text/html; default_type text/html;
# Enable SSI # Enable SSI
ssi on; ssi on;
''; '';
}; };
extraConfig = '' extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and


@ -54,7 +54,7 @@ in
}]; }];
locations."/".return = "302 https://eh11.easterhegg.eu"; locations."/".return = "302 https://eh11.easterhegg.eu";
extraConfig = '' extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and # Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy # $remote_port to the client address and client port, when using proxy
@ -86,7 +86,7 @@ in
default_type text/html; default_type text/html;
# Enable SSI # Enable SSI
ssi on; ssi on;
''; '';
}; };
extraConfig = '' extraConfig = ''


@ -0,0 +1,60 @@
{ pkgs, ... }:
let
domain = "staging.c3cat.de";
dataDir = "/var/www/${domain}";
deployUser = "c3cat-website-deploy";
in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
# c3cat deploy user already defined in c3cat.de.nix.
}
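Review bot: The robots.txt body on the `return = "200 \"User-agent: *\\nDisallow: *\\n\""` line blocks crawling via `Disallow: *`, but a robots.txt disallow rule is a path beginning with `/`; a bare `*` relies on wildcard handling that not every crawler implements, so the unambiguous form is `return = "200 \"User-agent: *\\nDisallow: /\\n\"";` with the comment above it changed to `# Disallow everything, since this is staging and doesn't need to be in any search results.` The tmpfiles rule `"d ${dataDir} 0755 ${deployUser} ${deployUser}"` relies on a user this file does not define; the trailing comment points at c3cat.de.nix, so if this module is ever imported without that one the rule would name a missing user — worth stating explicitly in that comment (`# Depends on c3cat.de.nix being imported alongside: the deploy user is defined there.`).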


@ -4,7 +4,8 @@ let
domain = "staging.hacker.tours"; domain = "staging.hacker.tours";
dataDir = "/var/www/${domain}"; dataDir = "/var/www/${domain}";
deployUser = "hackertours-website-deploy"; deployUser = "hackertours-website-deploy";
in { in
{
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"acme-${domain}" = { "acme-${domain}" = {
enableACME = true; enableACME = true;


@ -4,7 +4,8 @@ let
domain = "staging.hackertours.hamburg.ccc.de"; domain = "staging.hackertours.hamburg.ccc.de";
dataDir = "/var/www/${domain}"; dataDir = "/var/www/${domain}";
deployUser = "ht-ccchh-website-deploy"; deployUser = "ht-ccchh-website-deploy";
in { in
{
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"acme-${domain}" = { "acme-${domain}" = {
enableACME = true; enableACME = true;


@ -3,13 +3,12 @@
# - https://woodpecker-ci.org/docs/administration/agent-config # - https://woodpecker-ci.org/docs/administration/agent-config
# - https://woodpecker-ci.org/docs/administration/backends/docker # - https://woodpecker-ci.org/docs/administration/backends/docker
{ config, pkgs, pkgs-unstable, ... }: { config, pkgs, ... }:
{ {
services.woodpecker-agents.agents."docker" = { services.woodpecker-agents.agents."docker" = {
enable = true; enable = true;
# Since we use woodpecker-server from unstable, use the agent from unstable as well. package = pkgs.woodpecker-agent;
package = pkgs-unstable.woodpecker-agent;
extraGroups = [ "docker" ]; extraGroups = [ "docker" ];
environment = { environment = {
WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}"; WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}";


@ -5,14 +5,12 @@
# - https://woodpecker-ci.org/docs/administration/forges/forgejo # - https://woodpecker-ci.org/docs/administration/forges/forgejo
# - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING # - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
{ config, pkgs, pkgs-unstable, ... }: { config, pkgs, ... }:
{ {
services.woodpecker-server = { services.woodpecker-server = {
enable = true; enable = true;
# Use package from unstable to get at least version 2.6.0 for native Forgejo support. package = pkgs.woodpecker-server;
# https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0
package = pkgs-unstable.woodpecker-server;
environment = { environment = {
WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de"; WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de";
WOODPECKER_SERVER_ADDR = ":8001"; WOODPECKER_SERVER_ADDR = ":8001";
@ -24,6 +22,7 @@
WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql"; WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
WOODPECKER_FORGEJO = "true"; WOODPECKER_FORGEJO = "true";
WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de"; WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB
# Set via enviornmentFile: # Set via enviornmentFile:
# WOODPECKER_FORGEJO_CLIENT # WOODPECKER_FORGEJO_CLIENT
# WOODPECKER_FORGEJO_SECRET # WOODPECKER_FORGEJO_SECRET
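Review bot: The new `WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB` line hardcodes a byte count whose comment understates the unit — the value is 6 × 1024³, i.e. 6 GiB — so a reader cannot verify it at a glance. Writing it as `WOODPECKER_LIMIT_MEM = toString (6 * 1024 * 1024 * 1024); # 6 GiB per pipeline container, in bytes` makes the intent checkable. As far as I recall Woodpecker documents this as the per-container memory cap with no limit by default, which sits oddly with a commit message about avoiding OOM kills; if the kills came from elsewhere (host or Docker side), it would help to record in the comment what the 6 GiB was sized against (host RAM, expected concurrent steps), since this cap is also the upper bound on what a single CI step can consume.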


@ -6,16 +6,16 @@
description = "Yate telehony engine"; description = "Yate telehony engine";
unitConfig = { unitConfig = {
Type = "simple"; Type = "simple";
After="network.target"; After = "network.target";
}; };
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do"; ExecStart = "${pkgs.yate}/bin/yate -c /yate -e /yate/share -Do";
Type="simple"; Type = "simple";
Restart="always"; Restart = "always";
# ... # ...
}; };
wantedBy = [ "default.target" ]; wantedBy = [ "default.target" ];
requiredBy = [ "network.target" ]; requiredBy = [ "network.target" ];
# ... # ...
}; };
} }


@ -1,12 +1,26 @@
{ {
"nodes": { "nodes": {
"authorizedKeysRepo": {
"flake": false,
"locked": {
"lastModified": 1731276342,
"narHash": "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=",
"rev": "686a6af22f6696f0c0595c56f463c078550049fc",
"type": "tarball",
"url": "https://git.hamburg.ccc.de/api/v1/repos/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz?rev=686a6af22f6696f0c0595c56f463c078550049fc"
},
"original": {
"type": "tarball",
"url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz"
}
},
"nixlib": { "nixlib": {
"locked": { "locked": {
"lastModified": 1729386149, "lastModified": 1731200463,
"narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=", "narHash": "sha256-qDaAweJjdFbVExqs8aG27urUgcgKufkIngHW3Rzustg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "cce4521b6df014e79a7b7afc58c703ed683c916e", "rev": "e04234d263750db01c78a412690363dc2226e68a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -18,16 +32,14 @@
"nixos-generators": { "nixos-generators": {
"inputs": { "inputs": {
"nixlib": "nixlib", "nixlib": "nixlib",
"nixpkgs": [ "nixpkgs": "nixpkgs"
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1729472750, "lastModified": 1731546190,
"narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=", "narHash": "sha256-kJix8nLyFIJ3EC7VtoXK/85C4ZN2dC5oWoS8+ErehqI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565", "rev": "06ffce1a8d95e95c06a4bcfa117dd960b14a7101",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -38,11 +50,27 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1731133565, "lastModified": 1731245184,
"narHash": "sha256-tCErjTdCUWK06LzkcvwUM+3pyrrmdf8e0VDBBTgqznE=", "narHash": "sha256-vmLS8+x+gHRv1yzj3n+GTAEObwmhxmkkukB2DwtJRdU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "aebe249544837ce42588aa4b2e7972222ba12e8f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1731842749,
"narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "11f65b4b0405cff5b54c813626bddcf5435d7ad2", "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -52,43 +80,11 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-stable": {
"locked": {
"lastModified": 1730602179,
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1731265036,
"narHash": "sha256-e5I+glVZwQvLT6WIeMFi0Mk+N/jkYauZ31ir2NRZcf8=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "8aed22ecd71e5b67e5299efae8b9dc580dec711c",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"authorizedKeysRepo": "authorizedKeysRepo",
"nixos-generators": "nixos-generators", "nixos-generators": "nixos-generators",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
}, },
@ -96,15 +92,14 @@
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ]
"nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1731213149, "lastModified": 1731862312,
"narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=", "narHash": "sha256-NVUTFxKrJp/hjehlF1IvkPnlRYg/O9HFVutbxOM8zNM=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7", "rev": "472741cf3fee089241ac9ea705bb2b9e0bfa2978",
"type": "github" "type": "github"
}, },
"original": { "original": {

192
flake.nix

@ -1,22 +1,17 @@
{ {
description = "CCCHH Nix Infrastructure"; description = "CCCHH Nix Infrastructure";
nixConfig = {
allow-import-from-derivation = true;
};
inputs = { inputs = {
# Use the NixOS small channels for nixpkgs. # Use the NixOS small channels for nixpkgs.
# https://nixos.org/manual/nixos/stable/#sec-upgrading # https://nixos.org/manual/nixos/stable/#sec-upgrading
# https://github.com/NixOS/nixpkgs # https://github.com/NixOS/nixpkgs
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small"; nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05-small";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
# Add nixos-generators as an input. # Add nixos-generators as an input.
# See here: https://github.com/nix-community/nixos-generators#using-in-a-flake # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake
nixos-generators = { nixos-generators = {
url = "github:nix-community/nixos-generators"; url = "github:nix-community/nixos-generators";
inputs.nixpkgs.follows = "nixpkgs"; #inputs.nixpkgs.follows = "nixpkgs";
}; };
# Add sops-nix as an input for secret management. # Add sops-nix as an input for secret management.
@ -25,214 +20,225 @@
url = "github:Mic92/sops-nix"; url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
authorizedKeysRepo = {
url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/archive/686a6af22f6696f0c0595c56f463c078550049fc.tar.gz";
flake = false;
};
}; };
outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }: outputs = { self, nixpkgs, nixos-generators, sops-nix, authorizedKeysRepo, ... }:
let let
system = "x86_64-linux"; specialArgs = {
shairportSync431ExtendedNixpkgsUnstableOverlay = final: prev: { inherit authorizedKeysRepo;
shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
# See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
});
}; };
pkgs-unstable = nixpkgs-unstable.legacyPackages."x86_64-linux"; system = "x86_64-linux";
in in
{ {
overlays = {
shairportSyncAirplay2 = final: prev: {
shairport-sync = (prev.shairport-sync.override { enableMetadata = true; enableAirplay2 = true; }).overrideAttrs (finalAttr: previousAttr: {
# See: https://github.com/mikebrady/shairport-sync/blob/e78a88b64adfe7b5f88fd6faedf55c57445bb240/CONFIGURATION%20FLAGS.md
configureFlags = previousAttr.configureFlags ++ [ "--with-mqtt-client" ];
buildInputs = previousAttr.buildInputs ++ [ final.mosquitto ];
});
};
};
nixosModules = {
common = ./config/common;
proxmox-vm = ./config/proxmox-vm;
prometheus-exporter = ./config/extra/prometheus-exporter.nix;
};
nixosConfigurations = { nixosConfigurations = {
audio-hauptraum-kueche = nixpkgs.lib.nixosSystem { audio-hauptraum-kueche = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
{ nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; } { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
./config/hosts/audio-hauptraum-kueche ./config/hosts/audio-hauptraum-kueche
]; ];
}; };
audio-hauptraum-tafel = nixpkgs.lib.nixosSystem { audio-hauptraum-tafel = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
{ nixpkgs.overlays = [ shairportSync431ExtendedNixpkgsUnstableOverlay ]; } { nixpkgs.overlays = [ self.overlays.shairportSyncAirplay2 ]; }
./config/hosts/audio-hauptraum-tafel ./config/hosts/audio-hauptraum-tafel
]; ];
}; };
esphome = nixpkgs.lib.nixosSystem { esphome = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
./config/hosts/esphome ./config/hosts/esphome
]; ];
}; };
public-reverse-proxy = nixpkgs.lib.nixosSystem { public-reverse-proxy = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
./config/hosts/public-reverse-proxy ./config/hosts/public-reverse-proxy
]; ];
}; };
netbox = nixpkgs.lib.nixosSystem { netbox = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./config/extra/prometheus-exporter.nix self.nixosModules.prometheus-exporter
./config/hosts/netbox ./config/hosts/netbox
]; ];
}; };
matrix = nixpkgs.lib.nixosSystem { matrix = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./config/extra/prometheus-exporter.nix self.nixosModules.prometheus-exporter
./config/hosts/matrix ./config/hosts/matrix
]; ];
}; };
public-web-static = nixpkgs.lib.nixosSystem { public-web-static = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./config/extra/prometheus-exporter.nix self.nixosModules.prometheus-exporter
./config/hosts/public-web-static ./config/hosts/public-web-static
]; ];
}; };
git = nixpkgs.lib.nixosSystem { git = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./config/extra/prometheus-exporter.nix self.nixosModules.prometheus-exporter
./config/hosts/git ./config/hosts/git
]; ];
}; };
forgejo-actions-runner = nixpkgs.lib.nixosSystem { forgejo-actions-runner = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./config/extra/prometheus-exporter.nix self.nixosModules.prometheus-exporter
./config/hosts/forgejo-actions-runner ./config/hosts/forgejo-actions-runner
]; ];
}; };
ptouch-print-server = nixpkgs.lib.nixosSystem { ptouch-print-server = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
./config/hosts/ptouch-print-server ./config/hosts/ptouch-print-server
]; ];
}; };
eh22-wiki = nixpkgs.lib.nixosSystem { eh22-wiki = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
./config/extra/prometheus-exporter.nix self.nixosModules.prometheus-exporter
./config/hosts/eh22-wiki ./config/hosts/eh22-wiki
]; ];
}; };
nix-box-june = nixpkgs.lib.nixosSystem { nix-box-june = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
./config/extra/prometheus-exporter.nix self.nixosModules.prometheus-exporter
./config/hosts/nix-box-june ./config/hosts/nix-box-june
]; ];
}; };
yate = nixpkgs.lib.nixosSystem { yate = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
./config/hosts/yate ./config/hosts/yate
]; ];
}; };
mqtt = nixpkgs.lib.nixosSystem { mqtt = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
./config/hosts/mqtt ./config/hosts/mqtt
]; ];
}; };
mjolnir = nixpkgs.lib.nixosSystem { mjolnir = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./config/extra/prometheus-exporter.nix self.nixosModules.prometheus-exporter
./config/hosts/mjolnir ./config/hosts/mjolnir
]; ];
}; };
woodpecker = nixpkgs.lib.nixosSystem { woodpecker = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./config/extra/prometheus-exporter.nix self.nixosModules.prometheus-exporter
./config/hosts/woodpecker ./config/hosts/woodpecker
]; ];
specialArgs = {
inherit pkgs-unstable;
};
}; };
status = nixpkgs.lib.nixosSystem { status = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./config/hosts/status ./config/hosts/status
]; ];
}; };
penpot = nixpkgs.lib.nixosSystem { penpot = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
./config/extra/prometheus-exporter.nix self.nixosModules.prometheus-exporter
./config/hosts/penpot ./config/hosts/penpot
]; ];
}; };
hydra = nixpkgs.lib.nixosSystem { hydra = nixpkgs.lib.nixosSystem {
inherit system; inherit system specialArgs;
modules = [ modules = [
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
./config/extra/prometheus-exporter.nix self.nixosModules.prometheus-exporter
./config/hosts/hydra ./config/hosts/hydra
]; ];
}; };
@ -240,22 +246,24 @@
packages.x86_64-linux = { packages.x86_64-linux = {
proxmox-nixos-template = nixos-generators.nixosGenerate { proxmox-nixos-template = nixos-generators.nixosGenerate {
inherit specialArgs;
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./config/nixos-generators/proxmox.nix ./config/nixos-generators/proxmox.nix
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
]; ];
format = "proxmox"; format = "proxmox";
}; };
proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate { proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate {
inherit specialArgs;
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./config/nixos-generators/proxmox-chaosknoten.nix ./config/nixos-generators/proxmox-chaosknoten.nix
./config/proxmox-chaosknoten-additional-initial-config.nix ./config/proxmox-chaosknoten-additional-initial-config.nix
./config/common self.nixosModules.common
./config/proxmox-vm self.nixosModules.proxmox-vm
]; ];
format = "proxmox"; format = "proxmox";
}; };