diff --git a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
index 24e1472..376fde6 100644
--- a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
+++ b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
@@ -3,11 +3,11 @@
 # - https://forgejo.org/docs/latest/user/actions/
 # - https://docs.gitea.com/next/usage/actions/act-runner
-{ config, pkgs-unstable, ... }:
+{ config, pkgs, ... }:
 {
 services.gitea-actions-runner = {
- package = pkgs-unstable.forgejo-actions-runner;
+ package = pkgs.forgejo-runner;
 instances.ccchh-forgejo-global-docker = {
 enable = true;
 name = "Global Docker Forgejo Actions Runner";
diff --git a/config/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix
deleted file mode 100644
index a4c612e..0000000
--- a/config/hosts/hydra/configuration.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ ... }:
-
-{
- networking = {
- hostName = "hydra";
- };
-
- system.stateVersion = "24.05";
-}
diff --git a/config/hosts/hydra/default.nix b/config/hosts/hydra/default.nix
deleted file mode 100644
index f621711..0000000
--- a/config/hosts/hydra/default.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ ... }:
-
-{
- imports = [
- ./configuration.nix
- ./hydra.nix
- ./networking.nix
- ./nginx.nix
- ./nix.nix
- ];
-}
diff --git a/config/hosts/hydra/hydra.nix b/config/hosts/hydra/hydra.nix
deleted file mode 100644
index f315710..0000000
--- a/config/hosts/hydra/hydra.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ ... }:
-
-{
- services.hydra = {
- enable = true;
- listenHost = "localhost";
- port = 3000;
- hydraURL = "https://hydra.hamburg.ccc.de/";
- # E-Mail configuration requires some work/investigation still.
- notificationSender = "no-reply@hydra.hamburg.ccc.de";
- useSubstitutes = true;
- minimumDiskFree = 8;
- minimumDiskFreeEvaluator = 2;
- };
-}
diff --git a/config/hosts/hydra/networking.nix b/config/hosts/hydra/networking.nix
deleted file mode 100644
index 82cec55..0000000
--- a/config/hosts/hydra/networking.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ ... }:
-
-{
- networking = {
- interfaces.net0 = {
- ipv4.addresses = [
- {
- address = "172.31.17.163";
- prefixLength = 25;
- }
- ];
- };
- defaultGateway = "172.31.17.129";
- nameservers = [ "212.12.50.158" "192.76.134.90" ];
- search = [ "hamburg.ccc.de" ];
- };
-
- systemd.network.links."10-net0" = {
- matchConfig.MACAddress = "BC:24:11:45:7C:D6";
- linkConfig.Name = "net0";
- };
-}
diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix
deleted file mode 100644
index 49ca2e1..0000000
--- a/config/hosts/hydra/nginx.nix
+++ /dev/null
@@ -1,58 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- domain = "hydra.hamburg.ccc.de";
-in
-{
- services.nginx = {
- enable = true;
-
- virtualHosts = {
- "acme-${domain}" = {
- default = true;
- enableACME = true;
- serverName = "${domain}";
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 31820;
- }
- ];
- };
-
- "${domain}" = {
- default = true;
- forceSSL = true;
- useACMEHost = "${domain}";
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }
- ];
-
- locations."/" = {
- proxyPass = "http://${config.services.hydra.listenHost}:${builtins.toString config.services.hydra.port}";
- };
-
- extraConfig = ''
- # Make use of the ngx_http_realip_module to set the $remote_addr and
- # $remote_port to the client address and client port, when using proxy
- # protocol.
- # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
- # Then tell the realip_module to get the addreses from the proxy protocol
- # header.
- real_ip_header proxy_protocol;
- '';
- };
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 8443 31820 ];
- networking.firewall.allowedUDPPorts = [ 8443 ];
-}
diff --git a/config/hosts/hydra/nix.nix b/config/hosts/hydra/nix.nix
deleted file mode 100644
index b95e469..0000000
--- a/config/hosts/hydra/nix.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ ... }:
-
-{
- # Allow Hydra to fetch flake inputs.
- nix.settings.allowed-uris = [
- "github:"
- "https://github.com/"
- "https://git.hamburg.ccc.de/"
- ];
-}
diff --git a/config/hosts/mjolnir/networking.nix b/config/hosts/mjolnir/networking.nix
index a441814..4d4693d 100644
--- a/config/hosts/mjolnir/networking.nix
+++ b/config/hosts/mjolnir/networking.nix
@@ -1,18 +1,24 @@
 { ... }:
 {
- networking = {
- interfaces.net0 = {
- ipv4.addresses = [
- {
- address = "172.31.17.161";
- prefixLength = 25;
- }
+ networking.useDHCP = false;
+
+ services.cloud-init = {
+ enable = true;
+ network.enable = true;
+
+ # Version without ssh of:
+ # https://github.com/NixOS/nixpkgs/blob/3c9db02515ef1d9b6b709fc60ba9a540957f661c/nixos/modules/services/system/cloud-init.nix#L145
+ # So we don't get ssh hostkey regenerations.
+ settings.cloud_config_modules = [
+ "disk_setup"
+ "mounts"
+ "ssh-import-id"
+ "set-passwords"
+ "timezone"
+ "disable-ec2-metadata"
+ "runcmd"
 ];
- };
- defaultGateway = "172.31.17.129";
- nameservers = [ "212.12.50.158" "192.76.134.90" ];
- search = [ "hamburg.ccc.de" ];
 };
 systemd.network.links."10-net0" = {
diff --git a/config/hosts/public-reverse-proxy/nginx.nix b/config/hosts/public-reverse-proxy/nginx.nix
index 507b71a..68c30c2 100644
--- a/config/hosts/public-reverse-proxy/nginx.nix
+++ b/config/hosts/public-reverse-proxy/nginx.nix
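Review bot: The trimmed `settings.cloud_config_modules` list in mjolnir/networking.nix still contains `set-passwords`, `ssh-import-id` and `runcmd`, so whatever datasource serves this VM's cloud-init metadata can still set account passwords, import public keys and execute commands (cloud-init runs its modules as root) on every boot, not only configure the network. If the purpose of this block is just network configuration and avoiding host-key regeneration, as the comment states, consider dropping those three entries, or record why they are needed with a comment such as `# set-passwords/ssh-import-id/runcmd kept on purpose: <placeholder: reason>`. The unchanged `systemd.network.links."10-net0"` block below still pins the interface name by MAC address; the cloud-init network config presumably has to refer to `net0`, which is worth confirming on the new host. The enclosing attribute set continues outside the hunk.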
@@ -6,22 +6,6 @@
 { config, pkgs, ... }:
 {
- services.nginx.streamConfig = ''
- map $ssl_preread_server_name $address {
- status.ccchh.net 10.31.206.15:8443;
- status.hamburg.ccc.de 10.31.206.15:8443;
- }
-
- # Listen on port 443 as a reverse proxy and use PROXY Protocol for the
- # upstreams.
- server {
- listen 0.0.0.0:443;
- proxy_pass $address;
- ssl_preread on;
- proxy_protocol on;
- }
- '';
-
 services.nginx.appendHttpConfig = ''
 map $host $upstream_acme_challenge_host {
 club-assistant.ccchh.net 10.31.208.10;
@@ -35,7 +19,6 @@
 zigbee2mqtt.ccchh.net 10.31.208.25:31820;
 esphome.ccchh.net 10.31.208.24:31820;
 proxmox-backup-server.ccchh.net 10.31.208.28;
- status.ccchh.net 10.31.206.15:31820;
 default "";
 }
 '';
diff --git a/config/hosts/public-web-static/nginx.nix b/config/hosts/public-web-static/nginx.nix
index 9d0e173..b69e60b 100644
--- a/config/hosts/public-web-static/nginx.nix
+++ b/config/hosts/public-web-static/nginx.nix
@@ -1,7 +1,12 @@
 { ... }:
 {
- services.nginx.enable = true;
+ services.nginx = {
+ enable = true;
+ appendHttpConfig = ''
+ access_log off;
+ '';
+ };
 networking.firewall.allowedTCPPorts = [ 8443 31820 ];
 networking.firewall.allowedUDPPorts = [ 8443 ];
diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
index ff59fab..95f9b59 100644
--- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
@@ -23,7 +23,7 @@ in {
 ];
 };
- "$www.${domain}" = {
+ "www.${domain}" = {
 forceSSL = true;
 useACMEHost = "${domain}";
diff --git a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix
new file mode 100644
index 0000000..d2e779a
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix
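Review bot: `access_log off;` in the new `appendHttpConfig` of public-web-static/nginx.nix sits at the http level, so it silences request logging for every virtual host on this server, including the new deploy-user-managed cpu.ccc.de site, and removes the main evidence available when investigating abuse, defacement or a misbehaving upstream. If the intent is privacy or log volume, a comment saying so, e.g. `# No access logs on purpose (privacy); error_log stays enabled.`, or a reduced `log_format` without client addresses would make the trade-off explicit. I cannot see from this diff whether the public reverse proxy in front keeps its own request logs; if it does not, this host becomes effectively unobservable.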
@@ -0,0 +1,118 @@
+{ ... }:
+
+let
+ domain = "cpu.ccc.de";
+ dataDir = "/var/www/${domain}";
+ deployUser = "cpuccc-website-deploy";
+in
+{
+ security.acme.certs."cpu.ccc.de".extraDomainNames = [
+ "lokal.ccc.de"
+ "local.ccc.de"
+ ];
+
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ # https://git.hamburg.ccc.de/CCCHH/cpu.ccc.de/src/branch/main/nginx.conf
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ extraConfig = ''
+ index index.html;
+ default_type text/plain;
+
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ port_in_redirect off;
+ '';
+
+ locations."/" = {
+ tryFiles = "$uri $uri/ =404";
+
+ extraConfig = ''
+ location /feed/ {
+ default_type application/rss+xml;
+ types {
+ text/xml application/rss+xml;
+ }
+ }
+
+ location /rss {
+ default_type application/rss+xml;
+ }
+ '';
+ };
+ };
+
+ "lokal.ccc.de" = {
+ forceSSL = true;
+ useACMEHost = "cpu.ccc.de";
+ serverAliases = [
+ "local.ccc.de"
+ ];
+
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }];
+
+ locations."/".return = "302 https://cpu.ccc.de";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ users.users."${deployUser}" = {
+ isNormalUser = true;
+ group = "${deployUser}";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOnO7g/7mVVKnvkszto8m3nPljO/6qQc/34aEbrhKOvn deploy key for cpu.ccc.de"
+ ];
+ };
+ users.groups."${deployUser}" = { };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index 793829a..3532c25 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ./branding-resources.hamburg.ccc.de.nix
 ./c3cat.de.nix
+ ./cpu.ccc.de.nix
 ./cryptoparty-hamburg.de.nix
 ./element-admin.hamburg.ccc.de.nix
 ./element.hamburg.ccc.de.nix
diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
index 8277b5f..1c967c9 100644
--- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
@@ -17,6 +17,7 @@
 "hamburg.ccc.de" = {
 forceSSL = true;
 useACMEHost = "hamburg.ccc.de";
+ default = true;
 listen = [
 {
diff --git a/config/hosts/status/configuration.nix b/config/hosts/status/configuration.nix
deleted file mode 100644
index c36dc63..0000000
--- a/config/hosts/status/configuration.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ ... }:
-
-{
- networking = {
- hostName = "status";
- domain = "z9.ccchh.net";
- };
-
- system.stateVersion = "24.05";
-}
diff --git a/config/hosts/status/default.nix b/config/hosts/status/default.nix
deleted file mode 100644
index d8644c5..0000000
--- a/config/hosts/status/default.nix
+++ /dev/null
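Review bot: The deploy account in cpu.ccc.de.nix is created with `isNormalUser = true` and an unrestricted authorized key, so whoever holds that key gets a full interactive shell on the public web host rather than only the ability to update `/var/www/cpu.ccc.de`. Consider pinning the key to its deploy purpose with OpenSSH key options, e.g. `restrict,command="<placeholder: deploy command, e.g. a restricted rsync wrapper>" ssh-ed25519 AAAA… deploy key for cpu.ccc.de`, or giving the user a non-interactive shell. Separately, the `acme-${domain}` vhost only carries `serverName = "${domain}"` while the certificate declares `lokal.ccc.de` and `local.ccc.de` as extra names, so HTTP-01 challenges for those names arriving on port 31820 are served by whichever vhost is the default there; adding `serverAliases = [ "lokal.ccc.de" "local.ccc.de" ];` to the acme vhost makes that explicit. The literal `"cpu.ccc.de"` in the `security.acme.certs` key and in the lokal vhost's `useACMEHost` could also use `${domain}` for consistency with the rest of the file.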
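Review bot: `default = true;` on the `hamburg.ccc.de` vhost in hamburg.ccc.de.nix makes it the `default_server` for its listen sockets, so TLS connections without SNI, or for names no longer routed here (for example the status.* names dropped from the reverse proxy in this same commit), are answered with hamburg.ccc.de's certificate and content; a short comment such as `# Catch-all for unknown or missing SNI on this socket.` would record that this is intended. nginx refuses to start if another vhost on this host already declares `default = true` for the same address and port, which cannot be verified from the hunk. The vhost's `listen` list continues outside the hunk.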
@@ -1,10 +0,0 @@
-{ ... }:
-
-{
- imports = [
- ./configuration.nix
- ./networking.nix
- ./nginx.nix
- ./uptime-kuma.nix
- ];
-}
diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix
deleted file mode 100644
index 0bff4b5..0000000
--- a/config/hosts/status/networking.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ ... }:
-
-{
- networking = {
- interfaces.net0 = {
- ipv4.addresses = [
- {
- address = "10.31.206.15";
- prefixLength = 23;
- }
- ];
- ipv6.addresses = [
- {
- address = "2a07:c481:1:ce::a";
- prefixLength = 64;
- }
- ];
- };
- defaultGateway = "10.31.206.1";
- defaultGateway6 = "2a07:c481:1:ce::1";
- nameservers = [ "10.31.206.1" "2a07:c481:1:ce::1" ];
- search = [ "z9.ccchh.net" ];
- };
-
- systemd.network.links."10-net0" = {
- matchConfig.MACAddress = "BC:24:11:79:D3:E1";
- linkConfig.Name = "net0";
- };
-}
diff --git a/config/hosts/status/nginx.nix b/config/hosts/status/nginx.nix
deleted file mode 100644
index 8eff61c..0000000
--- a/config/hosts/status/nginx.nix
+++ /dev/null
@@ -1,149 +0,0 @@
-# Sources for this configuration:
-# - https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy
-
-{ config, ... }:
-
-{
- services.nginx = {
- enable = true;
-
- virtualHosts = {
- "status.hamburg.ccc.de" = {
- forceSSL = true;
- enableACME = true;
- serverName = "status.hamburg.ccc.de";
-
- listen = [
- {
- addr = "[::]";
- port = 80;
- }
- {
- addr = "[::]";
- port = 443;
- ssl = true;
- }
- ];
-
- locations."/" = {
- proxyPass = "http://localhost:3001";
- proxyWebsockets = true;
- };
- };
- "status-proxyprotocol.hamburg.ccc.de" = {
- forceSSL = true;
- useACMEHost = "status.hamburg.ccc.de";
- serverName = "status.hamburg.ccc.de";
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }
- ];
-
- locations."/" = {
- proxyPass = "http://localhost:3001";
- proxyWebsockets = true;
- };
-
- extraConfig = ''
- # Make use of the ngx_http_realip_module to set the $remote_addr and
- # $remote_port to the client address and client port, when using proxy
- # protocol.
- # First set our proxy protocol proxy as trusted.
- set_real_ip_from 10.31.206.11;
- # Then tell the realip_module to get the addreses from the proxy protocol
- # header.
- real_ip_header proxy_protocol;
- '';
- };
- "status.ccchh.net" = {
- forceSSL = true;
- useACMEHost = "status.hamburg.ccc.de";
- serverName = "status.ccchh.net";
-
- listen = [
- {
- addr = "[::]";
- port = 80;
- }
- {
- addr = "[::]";
- port = 443;
- ssl = true;
- }
- ];
-
- globalRedirect = "status.hamburg.ccc.de";
- redirectCode = 307;
- };
- "status-proxyprotocol.ccchh.net" = {
- forceSSL = true;
- useACMEHost = "status.hamburg.ccc.de";
- serverName = "status.ccchh.net";
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 8443;
- ssl = true;
- proxyProtocol = true;
- }
- ];
-
- globalRedirect = "status.hamburg.ccc.de";
- redirectCode = 307;
-
- extraConfig = ''
- # Make use of the ngx_http_realip_module to set the $remote_addr and
- # $remote_port to the client address and client port, when using proxy
- # protocol.
- # First set our proxy protocol proxy as trusted.
- set_real_ip_from 10.31.206.11;
- # Then tell the realip_module to get the addreses from the proxy protocol
- # header.
- real_ip_header proxy_protocol;
- '';
- };
- "status.z9.ccchh.net" = {
- forceSSL = true;
- useACMEHost = "status.hamburg.ccc.de";
- serverName = "status.z9.ccchh.net";
-
- listen = [
- {
- addr = "0.0.0.0";
- port = 80;
- }
- {
- addr = "[::]";
- port = 80;
- }
- {
- addr = "0.0.0.0";
- port = 443;
- ssl = true;
- }
- {
- addr = "[::]";
- port = 443;
- ssl = true;
- }
- ];
-
- globalRedirect = "status.hamburg.ccc.de";
- redirectCode = 307;
- };
- };
- };
-
- security.acme.certs."status.hamburg.ccc.de".extraDomainNames = [
- "status.ccchh.net"
- "status.z9.ccchh.net"
- ];
-
- networking.firewall.allowedTCPPorts = [ 80 443 8443 ];
-}
diff --git a/config/hosts/status/uptime-kuma.nix b/config/hosts/status/uptime-kuma.nix
deleted file mode 100644
index 02411f2..0000000
--- a/config/hosts/status/uptime-kuma.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-
-{
- services.uptime-kuma = {
- enable = true;
- };
-}
diff --git a/deployment_configuration.json b/deployment_configuration.json
index 9c2f99a..1bb46e7 100644
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@@ -16,16 +16,13 @@
 "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de"
 },
 "mjolnir": {
- "targetHostname": "mjolnir-intern.hamburg.ccc.de"
+ "targetHostname": "mjolnir.hosts.hamburg.ccc.de"
 },
 "woodpecker": {
 "targetHostname": "woodpecker-intern.hamburg.ccc.de"
 },
 "penpot": {
 "targetHostname": "penpot-intern.hamburg.ccc.de"
- },
- "hydra": {
- "targetHostname": "hydra-intern.hamburg.ccc.de"
 }
 }
 }
diff --git a/flake.lock b/flake.lock
index 76a3fc3..3230d75 100644
--- a/flake.lock
+++ b/flake.lock
@@ -19,27 +19,27 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1761173472,
- "narHash": "sha256-m9W0dYXflzeGgKNravKJvTMR4Qqa2MVD11AwlGMufeE=",
+ "lastModified": 1768621446,
+ "narHash": "sha256-6YwHV1cjv6arXdF/PQc365h1j+Qje3Pydk501Rm4Q+4=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "c8aa8cc00a5cb57fada0851a038d35c08a36a2bb",
+ "rev": "72ac591e737060deab2b86d6952babd1f896d7c5",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixos-25.05",
+ "ref": "nixos-25.11",
 "repo": "nixpkgs",
 "type": "github"
 }
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1761349956,
- "narHash": "sha256-tH3wHnOJms+U4k/rK2Nn1RfBrhffX92jLP/2VndSn0w=",
+ "lastModified": 1768661221,
+ "narHash": "sha256-MJwOjrIISfOpdI9x4C+5WFQXvHtOuj5mqLZ4TMEtk1M=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "02f2cb8e0feb4596d20cc52fda73ccee960e3538",
+ "rev": "3327b113f2ef698d380df83fbccefad7e83d7769",
 "type": "github"
 },
 "original": {
@@ -64,11 +64,11 @@
 ]
 },
 "locked": {
- "lastModified": 1760998189,
- "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=",
+ "lastModified": 1768709255,
+ "narHash": "sha256-aigyBfxI20FRtqajVMYXHtj5gHXENY2gLAXEhfJ8/WM=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3",
+ "rev": "5e8fae80726b66e9fec023d21cd3b3e638597aa9",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index be9e8fb..e976c25 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,7 +5,7 @@
 # Use the NixOS small channels for nixpkgs.
 # https://nixos.org/manual/nixos/stable/#sec-upgrading
 # https://github.com/NixOS/nixpkgs
- nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
 nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable"; # # Add nixos-generators as an input.
@@ -147,7 +147,6 @@
 ];
 specialArgs = {
 inherit authorizedKeysRepo;
- inherit pkgs-unstable;
 };
 };
@@ -201,16 +200,6 @@
 ];
 };
- status = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
- modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
- sops-nix.nixosModules.sops
- ./config/hosts/status
- ];
- };
-
 penpot = nixpkgs.lib.nixosSystem {
 inherit system specialArgs;
 modules = [
@@ -221,16 +210,6 @@
 ./config/hosts/penpot
 ];
 };
-
- hydra = nixpkgs.lib.nixosSystem {
- inherit system specialArgs;
- modules = [
- self.nixosModules.common
- self.nixosModules.proxmox-vm
- self.nixosModules.prometheus-exporter
- ./config/hosts/hydra
- ];
- };
 };
 # packages.x86_64-linux = {
@@ -259,10 +238,5 @@
 # };
 formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
-
- hydraJobs = {
- inherit (self) packages;
- nixosConfigurations = builtins.mapAttrs (name: value: value.config.system.build.toplevel) self.nixosConfigurations;
- };
 };
 }
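Review bot: `inherit pkgs-unstable;` is removed from `specialArgs` in flake.nix while the `nixpkgs-unstable` input (and its flake.lock entry, bumped in this same commit) is kept; if nothing else in the flake still consumes `pkgs-unstable`, the input is now dead weight that is still fetched and locked, and if something does, it no longer evaluates for the configurations that used this `specialArgs`. Either remove the input or note its remaining consumer at the `nixpkgs-unstable.url` line, e.g. `# Still used by: <placeholder: consumer>`. The comment above `nixpkgs.url` still says the flake uses the NixOS small channels, while the bumped ref is `nixos-25.11` rather than a `-small` channel; either the comment or the ref should be aligned. The `outputs` function these hunks belong to begins outside the shown hunks.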