Compare commits

125 commits
main ... main

Author SHA1 Message Date
christian c78c278627
Set WOODPECKER_LIMIT_MEM to 6 GB for woodpecker
so pipelines don't get killed by OOM.
2024-11-17 22:43:51 +01:00
jopejoe1 e3c677ea9b
fix: use tar file 2024-11-17 21:15:05 +01:00
christian ecd9fe4adf
fix: use http clone url from forgejo 2024-11-17 21:06:27 +01:00
jopejoe1 2003367108
move authorized keys to flake input 2024-11-17 20:33:38 +01:00
christian 53e33a6641
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565' (2024-10-21)
  → 'github:nix-community/nixos-generators/06ffce1a8d95e95c06a4bcfa117dd960b14a7101' (2024-11-14)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/cce4521b6df014e79a7b7afc58c703ed683c916e' (2024-10-20)
  → 'github:nix-community/nixpkgs.lib/e04234d263750db01c78a412690363dc2226e68a' (2024-11-10)
• Updated input 'nixos-generators/nixpkgs':
    follows 'nixpkgs'
  → 'github:NixOS/nixpkgs/aebe249544837ce42588aa4b2e7972222ba12e8f' (2024-11-10)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/11f65b4b0405cff5b54c813626bddcf5435d7ad2' (2024-11-09)
  → 'github:nixos/nixpkgs/bf6132dc791dbdff8b6894c3a85eb27ad8255682' (2024-11-17)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/f1675e3b0e1e663a4af49be67ecbc9e749f85eb7' (2024-11-10)
  → 'github:Mic92/sops-nix/472741cf3fee089241ac9ea705bb2b9e0bfa2978' (2024-11-17)
• Removed input 'sops-nix/nixpkgs-stable'
2024-11-17 20:25:16 +01:00
jopejoe1 e404d4740f
remove nixpkgs-unstable
the current version of woodpecker-server in stable now has the features this was originally used for, and no other usages of unstable are left in tree, so removing it.
2024-11-17 19:33:00 +01:00
jopejoe1 f7ebe660fe
format files with nix fmt 2024-11-17 19:33:00 +01:00
jopejoe1 6c85b91efb
make use of nixosModules output 2024-11-17 19:33:00 +01:00
jopejoe1 7d58a3db4a
move overlay to overlays output 2024-11-17 19:32:59 +01:00
christian c25d6c6326
revert: using pkgs.fetchGit for authorized keys
reverts the changes from ec64eebfd6
it breaks some of the flake processes we use,
setting 'allow-import-from-derivation' doesn't seem like a good fix to me and doesn't work in all cases.
I couldn't find any other solution to fix it for now,
so we will revert it for now, until we have a better solution.
2024-11-17 19:24:25 +01:00
June d98aa099e1
license this repo under the MIT license
All previous contributors are asked to sign off on licensing this repo
under the MIT license in PR 12
(CCCHH/nix-infra#12). Once all
contributors have signed off, this commit will be merged into the main
branch and this repo will be licensed under the MIT license.

Don't track copyright years in the license, as that is cumbersome and
also not done in other projects anymore:
https://daniel.haxx.se/blog/2023/01/08/copyright-without-years/
https://github.com/rails/rails/pull/47467

MIT License:
https://opensource.org/license/MIT
https://choosealicense.com/licenses/mit/
2024-11-14 22:56:50 +01:00
June cf46da9df7
public-web-static: make c3cat.de and www work as well as staging 2024-11-12 23:06:01 +01:00
fi c84d9e7d0a
Update element to 1.11.84 2024-11-11 02:43:08 +01:00
christian 33b2cbf5d0
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/38edd08881ce4dc24056eec173b43587a93c990f' (2024-11-01)
  → 'github:nixos/nixpkgs/11f65b4b0405cff5b54c813626bddcf5435d7ad2' (2024-11-09)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/ab464abbeb3a2833288c6e907488c49c2e599f88' (2024-11-01)
  → 'github:nixos/nixpkgs/8aed22ecd71e5b67e5299efae8b9dc580dec711c' (2024-11-10)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/1666d16426abe79af5c47b7c0efa82fd31bf4c56' (2024-10-27)
  → 'github:Mic92/sops-nix/f1675e3b0e1e663a4af49be67ecbc9e749f85eb7' (2024-11-10)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/cd3e8833d70618c4eea8df06f95b364b016d4950' (2024-10-26)
  → 'github:NixOS/nixpkgs/3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c' (2024-11-03)
2024-11-10 23:14:58 +01:00
christian afb4fc71ce
Update infrastructure-authorized-keys rev 2024-11-10 23:10:50 +01:00
christian 1fcd8c6421
fix typo and writing improvement 2024-11-10 20:18:59 +01:00
christian ff1a12846a
Add how to generate the NixOS Proxmox VE templates 2024-11-10 20:18:59 +01:00
June 2ba371f8cd
git: disable making org users auto watch new repos on creation
Also explicitly disable making users auto watch repos after their first
commit to it.
2024-11-10 19:38:05 +01:00
June c8e7bd1ccf
git: enable sending of e-mails to watchers of repositories 2024-11-10 19:26:26 +01:00
jopejoe1 4fc8e31df0
Remove version lock for shairport-sync
The current version in nixpkgs is newer than the one we are currently locking, the nqptp fix was also already in nixpkgs.

Co-authored-by: c6ristian <c6ristian@christian.moe>
2024-11-04 23:35:22 +01:00
djerun 9d9b8ede02
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/e8c1cd886cc17e31e424f915efd32e84d8af0ce9?narHash=sha256-t/%2Bz1Tf7hSaStU1pBYkY7i0/GkG%2BYIPSmfeRrK8eYUw%3D' (2024-09-23)
  → 'github:nix-community/nixos-generators/7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565?narHash=sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg%3D' (2024-10-21)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/575704ff85d3a41dc5bfef7b55380cbc7b87f3c2?narHash=sha256-25ByioeOBFcnitO5lM/Mufnv/u7YtHEHEM8QFuiS40k%3D' (2024-09-22)
  → 'github:nix-community/nixpkgs.lib/cce4521b6df014e79a7b7afc58c703ed683c916e?narHash=sha256-hUP9oxmnOmNnKcDOf5Y55HQ%2BNnoT0%2BbLWHLQWLLw9Ks%3D' (2024-10-20)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/7ca0f93c530406c1610defff0b9bf643333cf992?narHash=sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I%3D' (2024-09-23)
  → 'github:nixos/nixpkgs/38edd08881ce4dc24056eec173b43587a93c990f?narHash=sha256-fLLUd2dO/Vnf96UDr8YPzerYi%2Bn99l3S5yIUDnmcPBE%3D' (2024-11-01)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/d266adc5a77ec8c10ed941c7251b2673004dbd62?narHash=sha256-m6kgjR4zAwyMe1Pn4RGXLCzArtoBp1qzhb2AUlPeVh4%3D' (2024-09-23)
  → 'github:nixos/nixpkgs/ab464abbeb3a2833288c6e907488c49c2e599f88?narHash=sha256-Hlv3rTPxnO%2BDpKRXw9yjzERLdk05h7%2BfEbZxWM2taCw%3D' (2024-11-01)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/e2d404a7ea599a013189aa42947f66cede0645c8?narHash=sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4%3D' (2024-09-16)
  → 'github:Mic92/sops-nix/1666d16426abe79af5c47b7c0efa82fd31bf4c56?narHash=sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN%2BompyW4GIJruLuw%3D' (2024-10-27)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/dc454045f5b5d814e5862a6d057e7bb5c29edc05?narHash=sha256-vNv%2BaJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8%3D' (2024-09-08)
  → 'github:NixOS/nixpkgs/cd3e8833d70618c4eea8df06f95b364b016d4950?narHash=sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk%3D' (2024-10-26)
2024-11-02 00:12:24 +01:00
June 4f789adb21
hydra: configure hydra host 2024-10-30 01:44:12 +01:00
June ec64eebfd6
common: use pkgs.fetchgit and git commit hash for authorized keys repo
Do this to be in line with other places, where resources get fetched
using git and to hopefully avoid errors such as:
Cannot find Git revision 'da9d3ead9d97ce0fef7538638326264957e2f1b4' in ref 'trunk' of repository 'ssh://forgejo@git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git'! Please make sure that the rev exists on the ref you've specified or add allRefs = true; to fetchGit.
This issue was discovered while trying to make the new hydra work.
2024-10-29 23:17:31 +01:00
June fefff391b7
add hydraJobs for packages and nixosConfigurations 2024-10-29 21:30:16 +01:00
dequis 9d1521c485
spaceapid: adjustments to 3d printer state sensors
- Prefix sensor names with ext_ as the spec says we should use that for
  extensions (this also improves attribute access for tools that don't
  like fields starting with a number)
- Rename printer state to printer busy state, to make it clearer.
- Add ext_3d_printer_minutes_remaining sensors
2024-10-24 16:25:40 +02:00
June accd31173b
public-web-static: turn off ports to prevent broken redirects to 8443 2024-10-21 21:35:10 +02:00
June 8165d22159
public-web-static: prevent staging ht ccchh from search machine indexing 2024-10-21 21:30:36 +02:00
June ecdaa2d5f6
public-web-static: redirect EH20 doku.php?id=$pagename to new format
See:
CCCHH/easterhegg-eh20-website#2 (comment)
2024-10-13 22:09:20 +02:00
Stefan Bethke de2390c78d
public-web-static: redirect old hackertours 37C3 urls to proper url 2024-10-13 20:59:04 +02:00
June 2fe65b0513
public-web-static: add staging for hackertours.hamburg.ccc.de 2024-10-12 22:14:42 +02:00
June 804094aaeb
public-web-static: add hackertours.hamburg.ccc.de static web host
It can be deployed using a corresponding deploy key in the same manner
hacker.tours and hamburg.ccc.de can be deployed.
2024-10-12 20:03:04 +02:00
christian da8e2bbbf4
Update element to 1.11.80 2024-10-10 20:50:20 +02:00
June 05b96b8fae
netbox: integrate with CCCHH ID (Keycloak) 2024-10-09 02:18:46 +02:00
June c54b655b0e
all: setup prometheus node exporter for all hosts on Chaosknoten
Do that so we can have monitoring for them via prometheus, alertmanager
and grafana.
Also add a local ip for the git host for PVE firewalling.
2024-10-03 16:09:42 +02:00
June 68f11ad955
mjolnir: allow use of deprecated, somewhat insecure libolm
Do this to be able to update the moderation bot and because the security
issues apparently aren't real world exploitable:
https://matrix.org/blog/2024/08/libolm-deprecation/
2024-09-30 23:20:06 +02:00
June 445bf05842
public-web-static: host Easterhegg 20 website static export 2024-09-28 05:00:31 +02:00
djerun cd8108fc9b
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/8e337ce40421c4f33e7535aeb988d8e30fe067eb?narHash=sha256-LI%2BgI4qeVTQaS0vW6tn49RG%2Bf8cH1KBALaligCeHLog%3D' (2024-09-02)
  → 'github:nix-community/nixos-generators/e8c1cd886cc17e31e424f915efd32e84d8af0ce9?narHash=sha256-t/%2Bz1Tf7hSaStU1pBYkY7i0/GkG%2BYIPSmfeRrK8eYUw%3D' (2024-09-23)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/7f0b9e4fbd91826cb9ce6babbc11c87903191051?narHash=sha256-Tm344cnFM9f2YZsgWtJduvhIrvLr3Bi8J4Xc%2BUZDKYE%3D' (2024-09-01)
  → 'github:nix-community/nixpkgs.lib/575704ff85d3a41dc5bfef7b55380cbc7b87f3c2?narHash=sha256-25ByioeOBFcnitO5lM/Mufnv/u7YtHEHEM8QFuiS40k%3D' (2024-09-22)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/3524b030c839db4ea4ba16737789c6fb8a1769c6?narHash=sha256-w3sjCEbnc242ByJ18uebzgjFZY3QU7dZhmLwPsJIZJs%3D' (2024-09-01)
  → 'github:nixos/nixpkgs/7ca0f93c530406c1610defff0b9bf643333cf992?narHash=sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I%3D' (2024-09-23)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/2830c7c930311397d94c0b86a359c865c081c875?narHash=sha256-/HTUg%2BkMaqBPGrcQBYboAMsQHIWIkuKRDldss/035Hc%3D' (2024-09-03)
  → 'github:nixos/nixpkgs/d266adc5a77ec8c10ed941c7251b2673004dbd62?narHash=sha256-m6kgjR4zAwyMe1Pn4RGXLCzArtoBp1qzhb2AUlPeVh4%3D' (2024-09-23)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/5db5921e40ae382d6716dce591ea23b0a39d96f7?narHash=sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07%2BQpERnzTS4%3D' (2024-09-01)
  → 'github:Mic92/sops-nix/e2d404a7ea599a013189aa42947f66cede0645c8?narHash=sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4%3D' (2024-09-16)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/556533a23879fc7e5f98dd2e0b31a6911a213171?narHash=sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0%3D' (2024-07-21)
  → 'github:NixOS/nixpkgs/dc454045f5b5d814e5862a6d057e7bb5c29edc05?narHash=sha256-vNv%2BaJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8%3D' (2024-09-08)
2024-09-23 22:09:01 +02:00
June 1b755b4eab
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/5fd22603892e4ec5ac6085058ed658243143aacd?narHash=sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y%3D' (2024-08-19)
  → 'github:nix-community/nixos-generators/8e337ce40421c4f33e7535aeb988d8e30fe067eb?narHash=sha256-LI%2BgI4qeVTQaS0vW6tn49RG%2Bf8cH1KBALaligCeHLog%3D' (2024-09-02)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251?narHash=sha256-QdSArN0xKESEOTcv%2B3kE6yu4B4WX9lupZ4%2BHtx3RXGg%3D' (2024-08-18)
  → 'github:nix-community/nixpkgs.lib/7f0b9e4fbd91826cb9ce6babbc11c87903191051?narHash=sha256-Tm344cnFM9f2YZsgWtJduvhIrvLr3Bi8J4Xc%2BUZDKYE%3D' (2024-09-01)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/3f38e71a8e23a27569acbbfee0e83b76c86fa569?narHash=sha256-vAq%2BI0IWsIDq5RUc01t25iL46LLxdsmlTJ96A30bMEY%3D' (2024-08-18)
  → 'github:nixos/nixpkgs/3524b030c839db4ea4ba16737789c6fb8a1769c6?narHash=sha256-w3sjCEbnc242ByJ18uebzgjFZY3QU7dZhmLwPsJIZJs%3D' (2024-09-01)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/ed434d7889eddb68002d81bc25212f26ff8f2862?narHash=sha256-tGRPGJKwczrM7793zaR74KnuYLMHArJvYXmGu8Wo9oI%3D' (2024-08-19)
  → 'github:nixos/nixpkgs/2830c7c930311397d94c0b86a359c865c081c875?narHash=sha256-/HTUg%2BkMaqBPGrcQBYboAMsQHIWIkuKRDldss/035Hc%3D' (2024-09-03)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/be0eec2d27563590194a9206f551a6f73d52fa34?narHash=sha256-N9IcHgj/p1%2B2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE%3D' (2024-08-12)
  → 'github:Mic92/sops-nix/5db5921e40ae382d6716dce591ea23b0a39d96f7?narHash=sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07%2BQpERnzTS4%3D' (2024-09-01)
2024-09-03 15:38:18 +02:00
June b26320f999
penpot: switch to stock penpot image and version 2.1.3
Do that since it now has all the fixes applied we need.
2024-08-27 00:00:55 +02:00
June 0395484ea9
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/d6c5d29f58acc10ea82afff1de2b28f038f572bd?narHash=sha256-HSxOQEKNZXiJe9aWnckTTCThOhcRCabwHa32IduDKLk%3D' (2024-08-08)
  → 'github:nix-community/nixos-generators/5fd22603892e4ec5ac6085058ed658243143aacd?narHash=sha256-U11ZiQPrpIBdv7oS23bNdX9GCxe/hPf/ARr64P2Wj1Y%3D' (2024-08-19)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/8bebd4c74f368aacb047f0141db09ec6b339733c?narHash=sha256-do2Mfm3T6SR7a5A804RhjQ%2BJTsF5hk4JTPGjCTRM/m8%3D' (2024-08-04)
  → 'github:nix-community/nixpkgs.lib/531a2e8416a6d8200a53eddfbdb8f2c8dc4a1251?narHash=sha256-QdSArN0xKESEOTcv%2B3kE6yu4B4WX9lupZ4%2BHtx3RXGg%3D' (2024-08-18)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c306d09c1dc6492442ae4af0d1ba575869c41fc3?narHash=sha256-aA1JNhFh97BHPTXoJvcvgG4VSyjx0U1wT2EivxMp77o%3D' (2024-08-10)
  → 'github:nixos/nixpkgs/3f38e71a8e23a27569acbbfee0e83b76c86fa569?narHash=sha256-vAq%2BI0IWsIDq5RUc01t25iL46LLxdsmlTJ96A30bMEY%3D' (2024-08-18)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/bef98989a27429e1cb9e3d9c25701ba2da742af2?narHash=sha256-2B9qh8QBvw3kV/8cHc7ZJcrbVsRwP8wKjkwPXTSz76Y%3D' (2024-08-10)
  → 'github:nixos/nixpkgs/ed434d7889eddb68002d81bc25212f26ff8f2862?narHash=sha256-tGRPGJKwczrM7793zaR74KnuYLMHArJvYXmGu8Wo9oI%3D' (2024-08-19)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9?narHash=sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb%2BN4Ap4%3D' (2024-08-05)
  → 'github:Mic92/sops-nix/be0eec2d27563590194a9206f551a6f73d52fa34?narHash=sha256-N9IcHgj/p1%2B2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE%3D' (2024-08-12)
2024-08-19 19:17:40 +02:00
dequis 9b751fa1ed
spaceapid: add 3d printer state sensors (bool)
The schema only allows numeric values so I'm leaving the time to finish
field out of this for now.
2024-08-17 00:15:27 +02:00
djerun 5bbc8aa03e
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/076ea5b672bb1ea535ee84cfdabd0c2f0b7f20c7?narHash=sha256-i8BiZj5faQS6gsupE0S9xtiyZmWinGpVLwxXWV342aQ%3D' (2024-07-13)
  → 'github:nix-community/nixos-generators/d6c5d29f58acc10ea82afff1de2b28f038f572bd?narHash=sha256-HSxOQEKNZXiJe9aWnckTTCThOhcRCabwHa32IduDKLk%3D' (2024-08-08)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6?narHash=sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY%3D' (2024-06-30)
  → 'github:nix-community/nixpkgs.lib/8bebd4c74f368aacb047f0141db09ec6b339733c?narHash=sha256-do2Mfm3T6SR7a5A804RhjQ%2BJTsF5hk4JTPGjCTRM/m8%3D' (2024-08-04)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/556533a23879fc7e5f98dd2e0b31a6911a213171?narHash=sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0%3D' (2024-07-21)
  → 'github:nixos/nixpkgs/c306d09c1dc6492442ae4af0d1ba575869c41fc3?narHash=sha256-aA1JNhFh97BHPTXoJvcvgG4VSyjx0U1wT2EivxMp77o%3D' (2024-08-10)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/4cc8b29327bed3d52b40041f810f49734298af46?narHash=sha256-jfF4gpRUpTBY2OxDB0FRySsgNGOiuDckEtu7YDQom3Y%3D' (2024-07-21)
  → 'github:nixos/nixpkgs/bef98989a27429e1cb9e3d9c25701ba2da742af2?narHash=sha256-2B9qh8QBvw3kV/8cHc7ZJcrbVsRwP8wKjkwPXTSz76Y%3D' (2024-08-10)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/909e8cfb60d83321d85c8d17209d733658a21c95?narHash=sha256-AsvPw7T0tBLb53xZGcUC3YPqlIpdxoSx56u8vPCr6gU%3D' (2024-07-21)
  → 'github:Mic92/sops-nix/8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9?narHash=sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb%2BN4Ap4%3D' (2024-08-05)
2024-08-11 19:46:53 +02:00
June 178777007f
penpot: configure penpot host using oci-containers 2024-08-10 22:38:05 +02:00
June faffcb7d54
spaceapi: remove inside sensors for privacy reasons 2024-08-04 21:05:43 +02:00
June 1ffc959ce3
Update spaceapid to v0.1.0 2024-08-04 21:03:29 +02:00
June 028b5dc9e8
Configure Uptime-Kuma host 2024-08-04 02:19:26 +02:00
June 35e5fbc8a2
Add .editorconfig for ensuring some consistency 2024-07-30 01:35:13 +02:00
June b30015fee1
Clean up networking configs by making them all use the same layout
Also use the v6 gateway as a nameserver as well for the esphome host.
2024-07-30 01:17:05 +02:00
June e88982d7c7
Give esphome a static v6 and get cert directly via chal. served over v6
Give the host a static v4 as well.
Also let the nginx redirect from the host's FQDN to the service domain.
2024-07-27 22:24:54 +02:00
June a2102b064f
Fix container registry image uploads for git server
Do this by disabling checking of client request body size.
2024-07-27 21:05:58 +02:00
christian 59b540c9e3
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/74348da2f3a312ee25cea09b98cdba4cb9fa5d5d?narHash=sha256-6vuViC56%2BKSr%2B945bCV8akHK%2B7J5k6n/epYg/W3I5eQ%3D' (2024-07-14)
  → 'github:nixos/nixpkgs/556533a23879fc7e5f98dd2e0b31a6911a213171?narHash=sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0%3D' (2024-07-21)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/0af9d835c27984b3265145f8e3cbc6c153479196?narHash=sha256-if0qaFmAe8X01NsVRK5e9Asg9mEWVkHrA9WuqM5jB70%3D' (2024-07-14)
  → 'github:nixos/nixpkgs/4cc8b29327bed3d52b40041f810f49734298af46?narHash=sha256-jfF4gpRUpTBY2OxDB0FRySsgNGOiuDckEtu7YDQom3Y%3D' (2024-07-21)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/0703ba03fd9c1665f8ab68cc3487302475164617?narHash=sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY%3D' (2024-07-14)
  → 'github:Mic92/sops-nix/909e8cfb60d83321d85c8d17209d733658a21c95?narHash=sha256-AsvPw7T0tBLb53xZGcUC3YPqlIpdxoSx56u8vPCr6gU%3D' (2024-07-21)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/74348da2f3a312ee25cea09b98cdba4cb9fa5d5d?narHash=sha256-6vuViC56%2BKSr%2B945bCV8akHK%2B7J5k6n/epYg/W3I5eQ%3D' (2024-07-14)
  → 'github:NixOS/nixpkgs/556533a23879fc7e5f98dd2e0b31a6911a213171?narHash=sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0%3D' (2024-07-21)
2024-07-21 23:03:44 +02:00
June a271fddff8
Switch from deprecated extraConfig to settings for phpfpm.pools.dokuwiki 2024-07-15 02:44:37 +02:00
June 1185f9bb41
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/f7a029d41e49ff0747888105e1ed4314dca8436f?narHash=sha256-8lsuMR3rnX4yUPPjz04opgb30Z47sCgZu4TIszWBW9A%3D' (2024-07-01)
  → 'github:nix-community/nixos-generators/076ea5b672bb1ea535ee84cfdabd0c2f0b7f20c7?narHash=sha256-i8BiZj5faQS6gsupE0S9xtiyZmWinGpVLwxXWV342aQ%3D' (2024-07-13)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/10c832d0548e9e3a6df7eb51e68c2783212a303e?narHash=sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw%3D' (2024-07-01)
  → 'github:nixos/nixpkgs/74348da2f3a312ee25cea09b98cdba4cb9fa5d5d?narHash=sha256-6vuViC56%2BKSr%2B945bCV8akHK%2B7J5k6n/epYg/W3I5eQ%3D' (2024-07-14)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/7f993cdf26ccef564eabf31fdb40d140821e12bc?narHash=sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t%2BJe1zc%3D' (2024-07-01)
  → 'github:nixos/nixpkgs/0af9d835c27984b3265145f8e3cbc6c153479196?narHash=sha256-if0qaFmAe8X01NsVRK5e9Asg9mEWVkHrA9WuqM5jB70%3D' (2024-07-14)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/b5974d4331fb6c893e808977a2e1a6d34b3162d6?narHash=sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8%2BawNMyqs%3D' (2024-06-30)
  → 'github:Mic92/sops-nix/0703ba03fd9c1665f8ab68cc3487302475164617?narHash=sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY%3D' (2024-07-14)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/4a1e673523344f6ccc84b37f4413ad74ea19a119?narHash=sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo%3D' (2024-06-29)
  → 'github:NixOS/nixpkgs/74348da2f3a312ee25cea09b98cdba4cb9fa5d5d?narHash=sha256-6vuViC56%2BKSr%2B945bCV8akHK%2B7J5k6n/epYg/W3I5eQ%3D' (2024-07-14)
2024-07-15 02:15:32 +02:00
June 9f56692222
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/35c20ba421dfa5059e20e0ef2343c875372bdcf3?narHash=sha256-WZ1gdKq/9u1Ns/oXuNsDm%2BW0salonVA0VY1amw8urJ4%3D' (2024-06-10)
  → 'github:nix-community/nixos-generators/f7a029d41e49ff0747888105e1ed4314dca8436f?narHash=sha256-8lsuMR3rnX4yUPPjz04opgb30Z47sCgZu4TIszWBW9A%3D' (2024-07-01)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/3c62b6a12571c9a7f65ab037173ee153d539905f?narHash=sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw%3D' (2024-04-07)
  → 'github:nix-community/nixpkgs.lib/1bba8a624b3b9d4f68db94fb63aaeb46039ce9e6?narHash=sha256-XFNKtyirrGNdehpg7lMNm1skEcBApjqGhaHc/OI95HY%3D' (2024-06-30)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/201ed88e66f7f34d5c74e46d2e4399cc4bea1501?narHash=sha256-3vNXv4zrblZFobrxz1P3RwLpHl6X3/GzfArdTxq0%2BnI%3D' (2024-06-21)
  → 'github:nixos/nixpkgs/10c832d0548e9e3a6df7eb51e68c2783212a303e?narHash=sha256-2ASBatUTQWNIiTeBZRuxROu27MyOavVnzeCv7h40QNw%3D' (2024-07-01)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/1c0bec249943cd3e03f876554b8af7d1e32a09e1?narHash=sha256-uIZlOpCIi/GZ3xrkA87CAHqbTvsTbVQV1JjnP33slxs%3D' (2024-06-21)
  → 'github:nixos/nixpkgs/7f993cdf26ccef564eabf31fdb40d140821e12bc?narHash=sha256-pY0wosAgcr9W4vmGML0T3BVhQiGuKoozCbs2t%2BJe1zc%3D' (2024-07-01)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/797ce4c1f45a85df6dd3d9abdc53f2691bea9251?narHash=sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg%3D' (2024-06-16)
  → 'github:Mic92/sops-nix/b5974d4331fb6c893e808977a2e1a6d34b3162d6?narHash=sha256-KA9gy2Wkv76s4A8eLnOcdKVTygewbw3xsB8%2BawNMyqs%3D' (2024-06-30)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/c884223af91820615a6146af1ae1fea25c107005?narHash=sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs%3D' (2024-06-15)
  → 'github:NixOS/nixpkgs/4a1e673523344f6ccc84b37f4413ad74ea19a119?narHash=sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo%3D' (2024-06-29)
2024-07-01 15:31:10 +02:00
June 7058ec3582
Make passwordless ssh for ptouch-print-server work again
Now (with NixOS 24.05) pam.services.sshd.allowNullPassword needs to be
set to true for passwordless ssh to work apparently.
2024-06-30 21:12:28 +02:00
June 026e47d055
Last commit didn't do, switching to Docker instead of podman does 2024-06-22 18:06:39 +02:00
June be7f6e4917
Fix clone step failing, because git.hamburg.ccc.de could not be resolved 2024-06-22 17:11:11 +02:00
June f5432bd682
Use an agent token for Woodpecker agent to stop it from re-registering
With the shared system token, every time the Woodpecker host would
restart, a new Woodpecker agent registration would be created, because
the agent receives a unique ID on first connection using the system
token, which it couldn't store however, because it doesn't have a
writable config file in NixOS.
Use an agent token now, which doesn't require the agent to store a
unique ID in a writable config, therefore not making it re-register.

Also see:
https://woodpecker-ci.org/docs/administration/agent-config#agent-registration
2024-06-22 16:26:58 +02:00
June 1aff46745a
Disable mjolnir's verbose logging to have it not spam the management room 2024-06-22 16:07:01 +02:00
June df17b25009
Add woodpecker host running a woodpecker-server and -agent for CI 2024-06-22 04:20:38 +02:00
June dfcb961fd3
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/d14b286322c7f4f897ca4b1726ce38cb68596c94?narHash=sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J%2Bve1w%3D' (2024-05-20)
  → 'github:nix-community/nixos-generators/35c20ba421dfa5059e20e0ef2343c875372bdcf3?narHash=sha256-WZ1gdKq/9u1Ns/oXuNsDm%2BW0salonVA0VY1amw8urJ4%3D' (2024-06-10)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/de0ae76b011bf0000d58ab71821199ce310128b2?narHash=sha256-/VAxV/4lvtOtq4Zxq0MrqTGj7g8aSR/eJQDXB37ozvs%3D' (2024-06-16)
  → 'github:nixos/nixpkgs/201ed88e66f7f34d5c74e46d2e4399cc4bea1501?narHash=sha256-3vNXv4zrblZFobrxz1P3RwLpHl6X3/GzfArdTxq0%2BnI%3D' (2024-06-21)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/2ee89d5a0167a8aa0f2a5615d2b8aefb1f299cd4?narHash=sha256-2eh7rYxQOntkUjFXtlPH7lBuUDd4isu/YHRjNJW7u1Q%3D' (2024-05-23)
  → 'github:nixos/nixpkgs/1c0bec249943cd3e03f876554b8af7d1e32a09e1?narHash=sha256-uIZlOpCIi/GZ3xrkA87CAHqbTvsTbVQV1JjnP33slxs%3D' (2024-06-21)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/b549832718b8946e875c016a4785d204fcfc2e53?narHash=sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb%2BcyGsqOKa4c%3D' (2024-05-22)
  → 'github:Mic92/sops-nix/797ce4c1f45a85df6dd3d9abdc53f2691bea9251?narHash=sha256-Pm9I/BMQHbsucdWf6y9G3xBZh3TMlThGo4KBbeoeczg%3D' (2024-06-16)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/e7cc61784ddf51c81487637b3031a6dd2d6673a2?narHash=sha256-H0eCta7ahEgloGIwE/ihkyGstOGu%2BkQwAiHvwVoXaA0%3D' (2024-05-18)
  → 'github:NixOS/nixpkgs/c884223af91820615a6146af1ae1fea25c107005?narHash=sha256-v43N1gZLcGkhg3PdcrKUNIZ1L0FBzB2JqhIYEyKAHEs%3D' (2024-06-15)
2024-06-22 02:55:54 +02:00
June 3059843e1a
Add mjolnir host running mjolnir for Matrix moderation
Also see:
https://wiki.hamburg.ccc.de/infrastructure:services:mjolnir
2024-06-20 23:45:44 +02:00
June f3f5d5a611
Use forgejo package from stable (24.05) instead of from unstable 2024-06-20 04:12:42 +02:00
June 33599951ef
Upgrade to NixOS 24.05
Also bump the default state version to 24.05.

See the release notes of the 24.05 release for more information:
https://nixos.org/manual/nixos/stable/release-notes#sec-release-24.05
2024-06-17 20:59:03 +02:00
June 6411ae8b80
Add hacker.tours and a staging env. similar to the CCCHH website one 2024-06-13 22:53:06 +02:00
christian b30952a049
Add mqtt server (mosquitto)
The config was based on the existing mosquitto setup.
2024-06-11 23:03:57 +02:00
fi 8a2d406d4e
Bump element-web to 1.11.68 2024-06-09 22:51:42 +02:00
June bb2f1e1252
Mark nix code blocks as containing nix code for syntax highlighting 2024-06-09 21:24:42 +02:00
June d08007fd1c
Document where a secret is then actually available on the host 2024-06-09 21:15:14 +02:00
echtnurich 22eff92488
add yate service for autostart 2024-06-09 21:13:14 +02:00
June bc98327cda
Add ssh-to-age to the admin tooling 2024-06-09 21:10:19 +02:00
June 06e52eed74
Document how to use sops and sops-nix 2024-06-09 21:10:19 +02:00
christian 579b63fe89
Update authorizedKeysRepo rev in common/users.nix
to add echtnurich secondary device key
2024-06-08 21:39:24 +02:00
June ef1710b09f
Configure basic yate host 2024-06-08 20:18:59 +02:00
June 46e43e51aa
Add deployment_configuration to make deployment using infra-rebuild work
Also document usage of infra-rebuild and its configuration file.
2024-06-08 19:57:40 +02:00
June 9d7f9d0ec8
Emulate aarch64-linux on nix-box-june to be able to build aarch64 pkgs 2024-06-06 20:17:00 +02:00
June 41f04732c2
Switch from colmena to standard nixosConfigurations
Those can then be deployed using for example nixos-rebuild or bij.
Also ensure all hosts have an fqdn, where possible, in order for bij to
be able to work with them more easily. Though not really, since for actual
deployment one still needs to set the target manually to set usage of
the colmena-deploy user.

https://git.clerie.de/clerie/bij
2024-05-27 01:43:53 +02:00
June a7541eefa8
Add tools and other stuff for a more comf. admin environ. on the hosts 2024-05-26 18:32:55 +02:00
June 58ec317b02
Use IP address for eh22-wiki, which isn't already in use 2024-05-26 18:00:20 +02:00
June 7c7da0db05
Add a nix box managed by June
Every admin can log in as their own user with the keys listed here:
https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys/src/branch/trunk/authorized_keys
2024-05-26 14:39:28 +02:00
June 3aae597752
Switch the public-web-static host's secret mngmt from colmena to sops-nix 2024-05-26 03:49:43 +02:00
June dc439abefe
Switch the netbox host's secret management from colmena to sops-nix 2024-05-26 03:14:31 +02:00
June 154edc1972
Switch the matrix host's secret management from colmena to sops-nix 2024-05-26 03:01:34 +02:00
June 361ccac69f
Switch the forgejo-actions-runners secret mngmt from colmena to sops-nix 2024-05-26 02:50:08 +02:00
June 88e3da11a6
Introduce sops and sops-nix for secret management
Use the GPG keys used for the password-store noc directory for the admin
keys.
Switch the git host's secret management from colmena to sops-nix.

https://github.com/getsops/sops
https://github.com/Mic92/sops-nix
2024-05-25 16:47:34 +02:00
June eab3523033
Make MPD be put into pause mode instead of start. playback after startup 2024-05-23 22:25:32 +02:00
June ca816ba50b
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/722b512eb7e6915882f39fff0e4c9dd44f42b77e?narHash=sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE%2B9ytRWxsA5aWtmyI%3D' (2024-04-22)
  → 'github:nix-community/nixos-generators/d14b286322c7f4f897ca4b1726ce38cb68596c94?narHash=sha256-iqQa3omRcHGpWb1ds75jS9ruA5R39FTmAkeR3J%2Bve1w%3D' (2024-05-20)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/8a4282c38b6cbea9f0989c0eafc6ce1837a26442?narHash=sha256-t1t39%2B9F0NSrUQQsvrQ0Ym/BfnOtjgXnJVn8daI3968%3D' (2024-05-13)
  → 'github:nixos/nixpkgs/dff68ababdd2c2616d03f26546ba632f5f09d3c6?narHash=sha256-e4pjcLqe1Dexz7enk/%2Bui0aVdcoSiWnrTGjk7KLtAPw%3D' (2024-05-22)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/7ed944be63682d0c5bc37e66f3c997390d0bbd8e?narHash=sha256-ncgLV/zSzXGx8XXEM8QlovDftzzcV11MnLeRUL63Szw%3D' (2024-05-13)
  → 'github:nixos/nixpkgs/2ee89d5a0167a8aa0f2a5615d2b8aefb1f299cd4?narHash=sha256-2eh7rYxQOntkUjFXtlPH7lBuUDd4isu/YHRjNJW7u1Q%3D' (2024-05-23)
2024-05-23 21:25:22 +02:00
June 475ab8cc66
Configure EH22 Wiki 2024-05-17 20:42:48 +02:00
June 320f4afb4a
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/d4df7c26d03e94dbdabbd350cb89c9565cae07bb?narHash=sha256-TFRzgAjRgwXpDucaPZfVz9mRyH2wGM6oYABe1q/20iI%3D' (2024-04-22)
  → 'github:nixos/nixpkgs/8a4282c38b6cbea9f0989c0eafc6ce1837a26442?narHash=sha256-t1t39%2B9F0NSrUQQsvrQ0Ym/BfnOtjgXnJVn8daI3968%3D' (2024-05-13)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/de52a47e961d45f6a8c7f9f086c60ff89ecdddaf?narHash=sha256-HLpr4EgxIRB1UJCpupvF%2BAi8pFa93BJh8anPJ68FwOI%3D' (2024-04-22)
  → 'github:nixos/nixpkgs/7ed944be63682d0c5bc37e66f3c997390d0bbd8e?narHash=sha256-ncgLV/zSzXGx8XXEM8QlovDftzzcV11MnLeRUL63Szw%3D' (2024-05-13)
2024-05-14 03:46:01 +02:00
June c378fc64c6
Deploy shairport-sync with more verbosity for easier debugging 2024-04-28 19:51:45 +02:00
June c96486aa91
Let MPD mix the audio itself to work around PW/WP restore bug
jtbx discovered that MPD is using the Pipewire stream volume for volume
control, but that when Pipewire/Wireplumber restores the stream volumes
on restart, it wrongly assigns the MPD stream volume to the Shairport
Sync stream as well.
Work around that bug by making MPD mix itself and not through
Pipewire/Wireplumber.
2024-04-27 23:28:31 +02:00
June 14bbdea9dc
Add MPD to audio service module 2024-04-23 19:12:16 +02:00
June 856c4ac696
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/d942db8df8ee860556a38754f15b8d03bf7e6933?narHash=sha256-yYlxv1sg/TNl6hghjAe0ct%2B/p5PwXiT1mpuaExjhR88%3D' (2024-04-08)
  → 'github:nix-community/nixos-generators/722b512eb7e6915882f39fff0e4c9dd44f42b77e?narHash=sha256-3yh0nqI1avYUmmtqqTW3EVfwaLE%2B9ytRWxsA5aWtmyI%3D' (2024-04-22)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/6ec8515bc79f396159a67b2ed8012b2e988d9dc6?narHash=sha256-x4RVSeo0qq099PEdCOGHrJ/mpUKIhTCJDTy4hI1U%2BGs%3D' (2024-04-14)
  → 'github:nixos/nixpkgs/d4df7c26d03e94dbdabbd350cb89c9565cae07bb?narHash=sha256-TFRzgAjRgwXpDucaPZfVz9mRyH2wGM6oYABe1q/20iI%3D' (2024-04-22)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/bc59f72803cf40fb50f05cb73068d85b5ce21297?narHash=sha256-goBKZ4CKodTfkKaEGhpYOz545gnXmLfmn8gjiq7PLpU%3D' (2024-04-14)
  → 'github:nixos/nixpkgs/de52a47e961d45f6a8c7f9f086c60ff89ecdddaf?narHash=sha256-HLpr4EgxIRB1UJCpupvF%2BAi8pFa93BJh8anPJ68FwOI%3D' (2024-04-22)
2024-04-22 21:13:11 +02:00
June bc6af32a36
Update spaceapid to latest commit and use correct logo URL 2024-04-15 17:07:50 +02:00
June b229494eac
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/bef32a05496d9480b02be586fa7827748b9e597b?narHash=sha256-803UIoB8%2BvGkm/VK/g55aBAAOf/ncTGvxXyjTF4ydm0%3D' (2024-03-08)
  → 'github:nix-community/nixos-generators/d942db8df8ee860556a38754f15b8d03bf7e6933?narHash=sha256-yYlxv1sg/TNl6hghjAe0ct%2B/p5PwXiT1mpuaExjhR88%3D' (2024-04-08)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c?narHash=sha256-jLBZmwXf0WYHzLkmEMq33bqhX55YtT5edvluFr0RcSA%3D' (2024-03-03)
  → 'github:nix-community/nixpkgs.lib/3c62b6a12571c9a7f65ab037173ee153d539905f?narHash=sha256-K6IkdtMtq9xktmYPj0uaYc8NsIqHuaAoRBaMgu9Fvrw%3D' (2024-04-07)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/fcaa81ed3c273237217330cf342ef1873b77c80a?narHash=sha256-LW84B4vM1cn7E6cDNQn2LndT9iJXI1dRE5fwbNFbQa8%3D' (2024-03-09)
  → 'github:nixos/nixpkgs/6ec8515bc79f396159a67b2ed8012b2e988d9dc6?narHash=sha256-x4RVSeo0qq099PEdCOGHrJ/mpUKIhTCJDTy4hI1U%2BGs%3D' (2024-04-14)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/e389a1133d14925b942e0ad76ce75f32637db20d?narHash=sha256-W3KoCToX0gnwpZARkRteYd8Ns0Kie3C4u057YepUP5I%3D' (2024-03-09)
  → 'github:nixos/nixpkgs/bc59f72803cf40fb50f05cb73068d85b5ce21297?narHash=sha256-goBKZ4CKodTfkKaEGhpYOz545gnXmLfmn8gjiq7PLpU%3D' (2024-04-14)
2024-04-14 18:50:13 +02:00
June c97f169b77
Add print server for label printer to have it easily usable via SSH
Add and configure a print server for the Brother P-touch QL 500 label
printer, so that it can be easily used via SSH.

Do the following to make that work:
- Configure the print server host.
- Package printer-driver-ptouch to have a working driver for the label
  printer.
- Configure CUPS.
- Add a script "forcecommand-lpr-wrapper", which works together with the
  ForceCommand sshd_config option and wraps lpr to provide an easy
  interface to use the Brother QL 500 label printer via SSH.
- Add a print user and configure SSH to have the
  "forcecommand-lpr-wrapper" script accessible without a password using
  the print user via SSH.
2024-04-14 18:46:51 +02:00
christian 6a0218c132
Serve old easterhegg pages from public-web-static.
The old easterhegg pages from 2003, 2005, 2007, 2009, 2011 are served on the
easterhegg.eu domain and all old subdomains under hamburg.ccc.de
redirect to the corresponding pages under easterhegg.eu
2024-03-29 16:16:13 +01:00
June fc5b5bb9b7
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/f4631dee1a0fd56c0db89860e83e3588a28c7631' (2024-02-22)
  → 'github:nix-community/nixos-generators/bef32a05496d9480b02be586fa7827748b9e597b' (2024-03-08)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/e623008d8a46517470e6365505f1a3ce171fa46a' (2024-02-18)
  → 'github:nix-community/nixpkgs.lib/7873d84a89ae6e4841528ff7f5697ddcb5bdfe6c' (2024-03-03)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/79032939bc8d409bcc16121c4ad694ca862895e4' (2024-02-24)
  → 'github:nixos/nixpkgs/fcaa81ed3c273237217330cf342ef1873b77c80a' (2024-03-09)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/5ab08ad057499977d489f1b378e79d166a684e6c' (2024-02-24)
  → 'github:nixos/nixpkgs/e389a1133d14925b942e0ad76ce75f32637db20d' (2024-03-09)
2024-03-10 03:58:41 +01:00
June 1ad6ac9dc0
Run "nix fmt" to format this entire flake 2024-03-06 22:50:32 +01:00
June 71e1684f76
Add a formatter, which can be used by running "nix fmt"
Use nixpkgs-fmt because what it does closely aligns to this repo's
already established conventions and it doesn't do weird stuff.

Also see:
https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-fmt.html
https://github.com/nix-community/nixpkgs-fmt
2024-03-06 22:50:26 +01:00
fi a5a994f87f
Bump element-web to 1.11.59 2024-03-02 17:22:15 +01:00
June 7ab1563c88
Add entry to public-reverse-proxy for acme challenge for light-werkstatt 2024-03-02 15:40:55 +01:00
June c0142ad1a5
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/896f6589db5b25023b812bbb6c1f5d3a499b1132' (2024-01-24)
  → 'github:nix-community/nixos-generators/f4631dee1a0fd56c0db89860e83e3588a28c7631' (2024-02-22)
• Updated input 'nixos-generators/nixlib':
    'github:nix-community/nixpkgs.lib/f5af57d3ef9947a70ac86e42695231ac1ad00c25' (2023-09-03)
  → 'github:nix-community/nixpkgs.lib/e623008d8a46517470e6365505f1a3ce171fa46a' (2024-02-18)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/ac0524b807cb04a3e792c0bcc9e853e9a1547aa1' (2024-02-02)
  → 'github:nixos/nixpkgs/79032939bc8d409bcc16121c4ad694ca862895e4' (2024-02-24)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/4f301350dacb4eb0a93578ef3b07c8a996c777e7' (2024-02-03)
  → 'github:nixos/nixpkgs/5ab08ad057499977d489f1b378e79d166a684e6c' (2024-02-24)
2024-02-24 15:51:03 +01:00
June 85951e2e59
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/ed8ab00e8d92076a7cac1b428881b4d5304bb771' (2024-01-22)
  → 'github:nix-community/nixos-generators/896f6589db5b25023b812bbb6c1f5d3a499b1132' (2024-01-24)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/a1aa4980b64eb5fbfa652da57ed4de92e92be630' (2024-01-21)
  → 'github:nixos/nixpkgs/ac0524b807cb04a3e792c0bcc9e853e9a1547aa1' (2024-02-02)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/8cccce637e19577815de54c5ecc3132dff965aee' (2024-01-22)
  → 'github:nixos/nixpkgs/4f301350dacb4eb0a93578ef3b07c8a996c777e7' (2024-02-03)
2024-02-04 00:21:47 +01:00
fi d8d0236870
Fix indentation 2024-01-28 22:03:15 +01:00
fi 2ae1ad3604
Configure matrix server .well-known delegation 2024-01-28 21:59:08 +01:00
fi 4c0decea4a
Update element-web to 1.11.55 2024-01-28 05:05:53 +01:00
June e18b840d20
Enable offline mode for Forgejo to disable use of CDN and Gravatar 2024-01-24 20:17:59 +01:00
June a0e92ff92a
Give Git an IPv6 2024-01-23 23:24:20 +01:00
June 7ce5c934df
Redirect old feed location to new one for CCCHH website 2024-01-23 19:57:20 +01:00
June c83f1faaa7
Use custom 404 page for hamburg.ccc.de 2024-01-22 23:32:00 +01:00
June 6bb4577a33
flake.lock: Update
Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/246219bc21b943c6f6812bb7744218ba0df08600' (2023-12-04)
  → 'github:nix-community/nixos-generators/ed8ab00e8d92076a7cac1b428881b4d5304bb771' (2024-01-22)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/76fc2dd7efd18cb4251db2f35ab6655ee746e961' (2024-01-12)
  → 'github:nixos/nixpkgs/a1aa4980b64eb5fbfa652da57ed4de92e92be630' (2024-01-21)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/391d29cb04fe2ca9a4744c10d6b8a7783f6b0f6d' (2024-01-12)
  → 'github:nixos/nixpkgs/8cccce637e19577815de54c5ecc3132dff965aee' (2024-01-22)
2024-01-22 23:15:57 +01:00
June 1dd8651bda
Update wiki links to point to wiki.hamburg.ccc.de 2024-01-22 23:15:03 +01:00
June 394f4fe562
Deploy new website under hamburg.ccc.de
Make next.hamburg.ccc.de hamburg.ccc.de and add redirects to handle URLs
of the old website deployment properly.
Also redirect the old spaceapi endpoint to the new one.

Add staging.hamburg.ccc.de for hosting upcoming changes (PRs).
Also give it a robots.txt, since its contents don't need to show up in
search engines.

Add www.hamburg.ccc.de and let it redirect to hamburg.ccc.de.
2024-01-22 23:08:38 +01:00
June 485ed0fec2
Use opensearch for code and issue search 2024-01-22 17:59:01 +01:00
June 12c38aac8b
Add CO2 sensors to spaceapid response 2024-01-22 02:05:48 +01:00
June 7fd115ca22
Use new infrastructure-authorized-keys url and latest commit 2024-01-21 04:55:57 +01:00
June aa25b300e3
Fix temperature unit in spaceapid response
See:
https://github.com/SpaceApi/directory/pull/247#pullrequestreview-1825757336
CCCHH/spaceapid#26
https://spaceapi.io/docs/#schema-key-sensors-temperature-unit
2024-01-21 03:54:01 +01:00
June 598e110641
Don't keep artifacts for so long
Keep them for 30 days instead of the default 90.
2024-01-20 21:39:22 +01:00
June f6567bffb2
Use Forgejo 1.21 from NixOS unstable to make Actions work properly
1.21 has scheduled Actions for example, which we need.
2024-01-20 21:34:09 +01:00
June 85c059c75c
Configure new forgejo-actions-runner host
Configure it to host a forgejo-actions-runner capable of handling CI
workloads running on Docker.
2024-01-18 05:03:21 +01:00
June 4970f59052
Enable Forgejo Actions for our Forgejo 2024-01-18 05:02:47 +01:00
June 8faf83158f
Disable HTTP Basic authentication and set default repo units for Forgejo 2024-01-16 20:35:56 +01:00
Bendodroid 7cef911b61
Set -ldflags for spaceapid to set version string
Co-authored-by: June <june@jsts.xyz>
2024-01-16 02:46:09 +01:00
June b5ec5fd763
Update spaceapid 2024-01-16 02:33:13 +01:00
142 changed files with 5814 additions and 424 deletions

23
.editorconfig Normal file

@ -0,0 +1,23 @@
root = true
[*]
end_of_line = lf
insert_final_newline = true
indent_style = space
charset = utf-8
[*.nix]
indent_size = 2
trim_trailing_whitespace = true
[*.md]
indent_size = 2
trim_trailing_whitespace = false
[*.json]
indent_size = 2
trim_trailing_whitespace = true
[*.yaml]
indent_size = 2
trim_trailing_whitespace = true

165
.sops.yaml Normal file

@ -0,0 +1,165 @@
keys:
- &admin_gpg_djerun EF643F59E008414882232C78FFA8331EEB7D6B70
- &admin_gpg_stb F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- &admin_gpg_jtbx 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- &admin_gpg_yuri 87AB00D45D37C9E9167B5A5A333448678B60E505
- &admin_gpg_june 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- &admin_gpg_haegar F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- &admin_gpg_dario 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- &admin_gpg_echtnurich 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- &admin_gpg_max 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
- &admin_gpg_c6ristian B71138A6A8964A3C3B8899857B4F70C356765BAB
- &admin_gpg_dante 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
- &host_age_git age18zaq9xg9nhqyl8g7mvrqhsx4qstay5l9cekq2g80vx4920pswdfqpeafd7
- &host_age_forgejo_actions_runner age10xz2l7ghul7023awcydf4q3wurmszy2tafnadlarj0tvm7kl033sjw5f8t
- &host_age_matrix age1f7ams0n2zy994pzt0u30h8tex6xdcernj59t4d70z4kjsyzrr3wsy87xzk
- &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
- &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
- &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
- &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
- &host_age_penpot age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
creation_rules:
- path_regex: config/hosts/git/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_git
- path_regex: config/hosts/forgejo-actions-runner/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_forgejo_actions_runner
- path_regex: config/hosts/matrix/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_matrix
- path_regex: config/hosts/netbox/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_netbox
- path_regex: config/hosts/public-web-static/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_public_web_static
- path_regex: config/hosts/mjolnir/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_mjolnir
- path_regex: config/hosts/woodpecker/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_woodpecker
- path_regex: config/hosts/penpot/.*
key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
age:
- *host_age_penpot
- key_groups:
- pgp:
- *admin_gpg_djerun
- *admin_gpg_stb
- *admin_gpg_jtbx
- *admin_gpg_yuri
- *admin_gpg_june
- *admin_gpg_haegar
- *admin_gpg_dario
- *admin_gpg_echtnurich
- *admin_gpg_max
- *admin_gpg_c6ristian
- *admin_gpg_dante
stores:
yaml:
indent: 2
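Review bot: the eleven-entry admin PGP list is copied verbatim into all nine creation rules, so a key added or revoked in one rule can silently be missed in another; declare it once with a YAML anchor (for example `- pgp: &admin_pgp` on the first rule's list and `- pgp: *admin_pgp` in the others) so every host rule references the same list. A comment in the file should also state that creation rules are only consulted when a file is first encrypted: after changing a rule, every matching `secrets.yaml` has to be re-encrypted with `sops updatekeys` before the new recipient set applies. The trailing rule without a `path_regex` is a sensible catch-all (admin keys only, no host key), but a one-line comment saying it is intentional would help the next reader.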

21
LICENSE Normal file

@ -0,0 +1,21 @@
MIT License
Copyright (c) CCCHH
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

79
README.md Normal file

@ -0,0 +1,79 @@
# nix-infra
nix infrastructure configuration for CCCHH.
For deployment we're using [infra-rebuild](https://git.hamburg.ccc.de/CCCHH/infra-rebuild). \
To easily get a shell with `infra-rebuild` going, use the following command:
```
nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild
```
After that you can simply run the following to deploy e.g. the git and matrix hosts:
```
infra-rebuild switch git matrix
```
By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment.
However to override individual parts of the deployment target, a [`deployment_configuration.json`](./deployment_configuration.json) can be used.
This is exactly what we're doing to set the default deployment user to `colmena-deploy` and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.
## Setting up secrets with sops-nix for a host
1. Convert the hosts SSH host public key to an age public key.
This can be done by connecting to the host and running:
```
cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age
```
2. Add the resulting age public key to the `.sops.yaml` as a YAML anchor in keys.
It should be named something like: `host_age_hostname`
3. Add a new creation rule for the hosts config directory.
It should probably have all admin keys and the hosts age key. \
You can use existing creation rules as a reference.
4. Create a file containing the relevant secrets in the hosts config directory.
This can be accomplished with a command similar to this:
```
sops config/hosts/hostname/secrets.yaml
```
Note: Nested keys don't seem to be compatible with sops-nix.
5. Add the following entry to the modules of the hosts `nixosConfiguration`:
```nix
sops-nix.nixosModules.sops
```
6. Create a `sops.nix` in the hosts config directory containing the following content to include the `secrets.yaml`:
```nix
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}
```
7. Make sure the `sops.nix` gets imported. For example in the `default.nix`.
8. To use a secret stored under e.g. `forgejo_git_smtp_password`, you can then do something like the following:
```nix
sops.secrets."forgejo_git_smtp_password" = {
mode = "0440";
owner = "forgejo";
group = "forgejo";
restartUnits = [ "forgejo.service" ];
};
```
This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.
## Build NixOS Proxmox VE Template
Build a new NixOS Proxmox VE Template for the thinkcccore's:
```shell
nix build .#proxmox-nixos-template
```
Build a new NixOS Proxmox VE Template for the chaosknoten:
```shell
nix build .#proxmox-chaosknoten-nixos-template
```
## License
This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
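Review bot: step 6 works only because sops-nix decrypts with the host's own SSH host key by default (`sops.age.sshKeyPaths` defaults to the ed25519 keys listed in `services.openssh.hostKeys`), which is exactly why step 1 converts `/etc/ssh/ssh_host_ed25519_key.pub`; the README should say so, because reinstalling a host or regenerating its SSH host key breaks decryption until the new age key is put into `.sops.yaml` and `sops updatekeys` is run on that host's `secrets.yaml`. The remark in step 4 that nested keys are not compatible is worth re-checking before it is documented as a limitation: sops-nix documents addressing nested YAML keys with a slash, as in `sops.secrets."forgejo/smtp_password"`. Minor: `cat … | ssh-to-age` can be `ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub`, and "the hosts SSH host public key" / "the hosts config directory" should read "host's".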


@ -0,0 +1,22 @@
{ config, pkgs, ... }:
{
environment.systemPackages = with pkgs; [
vim
joe
nano
htop
btop
ripgrep
fd
tmux
git
curl
rsync
ssh-to-age
usbutils
nix-tree
# For kitty terminfo.
kitty
];
}


@ -13,5 +13,5 @@
# this value at the release version of the first install of this system. # this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = lib.mkDefault "23.05"; system.stateVersion = lib.mkDefault "24.05";
} }
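Review bot: bumping the `mkDefault` for `system.stateVersion` from 23.05 to 24.05 is only safe for hosts that set their own value, because stateVersion selects stateful defaults (for example which PostgreSQL major version a service gets) and is not meant to change for an installed system. The host configurations elsewhere on this page pin `system.stateVersion = "23.05";` explicitly; check that every existing host does, since a host relying on this default would silently move to 24.05 on its next deploy.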


@ -3,6 +3,7 @@
{ {
imports = [ imports = [
./acme.nix ./acme.nix
./admin-environment.nix
./default-host-platform.nix ./default-host-platform.nix
./default-state-version.nix ./default-state-version.nix
./localization.nix ./localization.nix


@ -6,34 +6,29 @@
# - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix # - https://git.grzb.de/yuri/nix-infra/-/blob/342a2f732da042d04e579d98e9f834418b7ebf25/users/colmena-deploy/default.nix
# - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings # - https://nixos.org/manual/nix/stable/command-ref/conf-file.html?highlight=nix.conf#available-settings
{ config, pkgs, lib, ... }: { config, pkgs, lib, authorizedKeysRepo, ... }:
let let
authorizedKeysRepo = builtins.fetchGit {
url = "ssh://git@gitlab.hamburg.ccc.de:4242/ccchh/infrastructure-authorized-keys.git";
ref = "trunk";
rev = "6dbf11113603a4f6c12f781c2dc7a8980e65a131";
};
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys")); authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
in in
{ {
users.mutableUsers = false; users.mutableUsers = false;
users.users.chaos = { users.users.chaos = {
isNormalUser = true; isNormalUser = true;
description = "Chaos"; description = "Chaos";
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = authorizedKeys; openssh.authorizedKeys.keys = authorizedKeys;
}; };
users.users.colmena-deploy = { users.users.colmena-deploy = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = authorizedKeys; openssh.authorizedKeys.keys = authorizedKeys;
}; };
nix.settings.trusted-users = [ "colmena-deploy" ]; nix.settings.trusted-users = [ "colmena-deploy" ];
# Since our user doesn't have a password, allow passwordless sudo for wheel. # Since our user doesn't have a password, allow passwordless sudo for wheel.
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
} }
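Review bot: the `authorized_keys` file read from the `authorizedKeysRepo` flake input is the root trust anchor for every host: both `chaos` and `colmena-deploy` are in `wheel` with `security.sudo.wheelNeedsPassword = false`, and `colmena-deploy` is a Nix trusted user, so whoever can add a line to that repository gets passwordless root on all machines. Moving the pin from the inline `rev` into a flake input is an improvement (it is now locked in `flake.lock` with a content hash), but a `flake.lock: Update` that touches this input deserves a key-by-key review of the diff rather than the routine treatment given to nixpkgs bumps; a comment above `authorizedKeys` stating this would help.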


@ -0,0 +1,8 @@
{ ... }:
{
services.prometheus.exporters.node = {
enable = true;
openFirewall = true;
};
}
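Review bot: `openFirewall = true` opens the node exporter's port (9100 by default) on every interface to any source, which exposes host metrics (kernel version, mounted filesystems, interface names, load) to anyone who can reach the host. Unless Prometheus scrapes from arbitrary addresses, keep `openFirewall` off and allow the port only for the scraping host or network (for example via `networking.firewall.interfaces.<name>.allowedTCPPorts` on the internal interface, or `networking.firewall.extraCommands` with a source restriction), or set `listenAddress` to an internal address.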


@ -8,6 +8,7 @@
enable = true; enable = true;
name = "Audio Hauptraum Küche"; name = "Audio Hauptraum Küche";
}; };
services.mpd.musicDirectory = "smb://beamer:beamer@beamer.z9.ccchh.net/music";
users.users.chaos.extraGroups = [ "pipewire" ]; users.users.chaos.extraGroups = [ "pipewire" ];
} }
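Review bot: `smb://beamer:beamer@beamer.z9.ccchh.net/music` puts an SMB username and password into the NixOS configuration, and therefore into the world-readable Nix store of the host and into this repository's history. Even if the share is intentionally low-value, this should not become the template for other hosts: prefer a guest-readable share with no credentials in the URL, or mount the share with a sops-managed credentials file and point `services.mpd.musicDirectory` at the local mount path.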


@ -2,6 +2,7 @@
{ {
networking = { networking = {
hostName = "audio-hauptraum-kueche"; hostName = "audio-hauptraum-kueche";
domain = "z9.ccchh.net";
}; };
system.stateVersion = "23.05"; system.stateVersion = "23.05";


@ -1,4 +1,4 @@
{ config, pkgs, ... }: { ... }:
{ {
networking = { networking = {
@ -11,10 +11,9 @@
]; ];
}; };
defaultGateway = "10.31.210.1"; defaultGateway = "10.31.210.1";
nameservers = [ nameservers = [ "10.31.210.1" ];
"10.31.210.1"
];
}; };
systemd.network.links."10-net0" = { systemd.network.links."10-net0" = {
matchConfig.MACAddress = "1E:EF:2D:92:81:DA"; matchConfig.MACAddress = "1E:EF:2D:92:81:DA";
linkConfig.Name = "net0"; linkConfig.Name = "net0";


@ -8,6 +8,7 @@
enable = true; enable = true;
name = "Audio Hauptraum Tafel"; name = "Audio Hauptraum Tafel";
}; };
services.mpd.musicDirectory = "smb://beamer:beamer@beamer.z9.ccchh.net/music";
users.users.chaos.extraGroups = [ "pipewire" ]; users.users.chaos.extraGroups = [ "pipewire" ];
} }
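Review bot: the `services.mpd.musicDirectory` value embeds the SMB credentials `beamer:beamer` in the URL, which lands in the world-readable Nix store and in this repository's history. If the share is meant to be open, use a guest-readable share without credentials in the URL; otherwise mount it with a sops-managed credentials file and have MPD read a local mount path, so the secret never enters the configuration.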


@ -2,6 +2,7 @@
{ {
networking = { networking = {
hostName = "audio-hauptraum-tafel"; hostName = "audio-hauptraum-tafel";
domain = "z9.ccchh.net";
}; };
system.stateVersion = "23.05"; system.stateVersion = "23.05";


@ -1,4 +1,4 @@
{ config, pkgs, ... }: { ... }:
{ {
networking = { networking = {
@ -11,10 +11,9 @@
]; ];
}; };
defaultGateway = "10.31.210.1"; defaultGateway = "10.31.210.1";
nameservers = [ nameservers = [ "10.31.210.1" ];
"10.31.210.1"
];
}; };
systemd.network.links."10-net0" = { systemd.network.links."10-net0" = {
matchConfig.MACAddress = "D2:10:33:B1:72:C3"; matchConfig.MACAddress = "D2:10:33:B1:72:C3";
linkConfig.Name = "net0"; linkConfig.Name = "net0";


@ -0,0 +1,7 @@
{ ... }:
{
networking.hostName = "eh22-wiki";
system.stateVersion = "23.11";
}


@ -0,0 +1,9 @@
{ config, pkgs, ... }:
{
imports = [
./configuration.nix
./dokuwiki.nix
./networking.nix
];
}


@ -0,0 +1,166 @@
# Sources for this configuration:
# - https://www.dokuwiki.org/dokuwiki
# - https://www.dokuwiki.org/install
# - https://www.dokuwiki.org/requirements
# - https://www.dokuwiki.org/install:php
# - https://www.dokuwiki.org/security
# - https://www.dokuwiki.org/config:xsendfile
# - https://www.dokuwiki.org/install:nginx
# - https://www.dokuwiki.org/faq:uploadsize
# - https://nixos.wiki/wiki/Phpfpm
# - https://wiki.archlinux.org/title/Nginx#FastCGI
# - https://github.com/NixOS/nixpkgs/blob/84c0cb1471eee15e77ed97e7ae1e8cdae8835c61/nixos/modules/services/web-apps/dokuwiki.nix
# - https://git.hamburg.ccc.de/CCCHH/ansible-infra/src/commit/81c8bfe16b311d5bf4635947fa02dfb65aea7f91/playbooks/files/chaosknoten/configs/wiki/nginx/wiki.hamburg.ccc.de.conf
# - https://www.php.net/manual/en/install.fpm.php
# - https://www.php.net/manual/en/install.fpm.configuration.php
{ config, pkgs, ... }:
let
# This is also used for user and group names.
app = "dokuwiki";
domain = "eh22.easterhegg.eu";
dataDir = "/srv/www/${domain}";
in
{
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${app} ${app}"
];
services.phpfpm.pools."${app}" = {
user = "${app}";
group = "${app}";
phpOptions = ''
short_open_tag = Off
open_basedir =
output_buffering = Off
output_handler =
zlib.output_compression = Off
implicit_flush = Off
allow_call_time_pass_reference = Off
max_execution_time = 30
max_input_time = 60
max_input_vars = 10000
memory_limit = 128M
error_reporting = E_ALL & ~E_NOTICE
display_errors = Off
display_startup_errors = Off
log_errors = On
; error_log should be handled by NixOS.
variables_order = "EGPCS"
register_argc_argv = Off
file_uploads = On
upload_max_filesize = 20M
post_max_size = 20M
session.use_cookies = 1
; Checked the default NixOS PHP extensions and the only one missing from
; DokuWikis list of PHP extensions was bz2, so add that.
; Checked with NixOS 23.11 on 2024-05-02.
extension = ${pkgs.phpExtensions.bz2}/lib/php/extensions/bz2.so
'';
settings = {
"listen.owner" = "${config.services.nginx.user}";
"listen.group" = "${config.services.nginx.group}";
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
};
services.nginx = {
enable = true;
virtualHosts."acme-${domain}" = {
default = true;
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
virtualHosts."${domain}" = {
default = true;
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
locations = {
"~ /(conf|bin|inc|vendor)/" = {
extraConfig = "deny all;";
};
"~ /install.php" = {
extraConfig = "deny all;";
};
"~ ^/data/" = {
extraConfig = "internal;";
};
"~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$" = {
extraConfig = "expires 31d;";
};
"/" = {
index = "doku.php";
extraConfig = "try_files $uri $uri/ @dokuwiki;";
};
"@dokuwiki" = {
extraConfig = ''
# Rewrites "doku.php/" out of the URLs if the userwrite setting is
# set to .htaccess in the DokuWiki config page.
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1&$args last;
'';
};
"~ \\.php$" = {
extraConfig = ''
try_files $uri $uri/ /doku.php;
include ${config.services.nginx.package}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_pass unix:${config.services.phpfpm.pools."${app}".socket};
'';
};
};
extraConfig = ''
# Set maximum file upload size to 20MB (same as upload_max_filesize and
# post_max_size in the phpOptions).
client_max_body_size 20M;
client_body_buffer_size 128k;
'';
};
};
networking.firewall.allowedTCPPorts = [ 8443 31820 ];
networking.firewall.allowedUDPPorts = [ 8443 ];
users.users."${app}" = {
isSystemUser = true;
group = "${app}";
};
users.groups."${app}" = { };
}
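Review bot: three points in the nginx block. First, the NixOS module emits `locations` sorted by attribute name (with `priority` as the tiebreaker), not in the order written here, and nginx tries regex locations in emitted order; alphabetically `"~ \\.php$"` sorts before `"~ ^/data/"`, so a request for `/data/…/something.php` can reach `fastcgi_pass` instead of being answered with `internal`. Give the deny and `internal` locations a lower `priority` value than the PHP location (and confirm in the generated `nginx.conf`) so they are matched first. Second, `"~ ^/lib.*\.(js|css|gif|png|ico|jpg|jpeg)$"` is a Nix double-quoted string in which `\.` evaluates to a plain `.`, so nginx sees `^/lib.*.(js|…)$`; the PHP location correctly writes `\\.` and this one should too. Third, `networking.firewall.allowedUDPPorts = [ 8443 ]` opens a UDP port nothing listens on (no HTTP/3 is configured); drop it.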


@ -0,0 +1,22 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.159";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:37:F0:AB";
linkConfig.Name = "net0";
};
}


@ -2,6 +2,7 @@
{ {
networking = { networking = {
hostName = "esphome"; hostName = "esphome";
domain = "z9.ccchh.net";
}; };
system.stateVersion = "23.05"; system.stateVersion = "23.05";


@ -3,6 +3,7 @@
imports = [ imports = [
./configuration.nix ./configuration.nix
./esphome.nix ./esphome.nix
./networking.nix
./nginx.nix ./nginx.nix
]; ];
} }


@ -0,0 +1,29 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "10.31.208.24";
prefixLength = 23;
}
];
ipv6.addresses = [
{
address = "2a07:c480:0:1d0::66";
prefixLength = 64;
}
];
};
defaultGateway = "10.31.208.1";
defaultGateway6 = "2a07:c480:0:1d0::1";
nameservers = [ "10.31.208.1" "2a07:c480:0:1d0::1" ];
search = [ "z9.ccchh.net" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "7E:3C:F0:77:8A:F4";
linkConfig.Name = "net0";
};
}


@ -1,35 +1,34 @@
{ config, ... }: { config, ... }:
{ {
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
"acme-esphome.ccchh.net" = {
enableACME = true;
serverName = "esphome.ccchh.net";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"esphome.ccchh.net" = { "esphome.ccchh.net" = {
forceSSL = true; forceSSL = true;
useACMEHost = "esphome.ccchh.net"; enableACME = true;
serverName = "esphome.ccchh.net";
listen = [ listen = [
{ {
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 80; port = 80;
} }
{
addr = "[::]";
port = 80;
}
{ {
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 443; port = 443;
ssl = true; ssl = true;
} }
{
addr = "[::]";
port = 443;
ssl = true;
}
]; ];
locations."/" = { locations."/" = {
@ -37,9 +36,38 @@
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
"esphome.z9.ccchh.net" = {
forceSSL = true;
useACMEHost = "esphome.ccchh.net";
serverName = "esphome.z9.ccchh.net";
listen = [
{
addr = "0.0.0.0";
port = 80;
}
{
addr = "[::]";
port = 80;
}
{
addr = "0.0.0.0";
port = 443;
ssl = true;
}
{
addr = "[::]";
port = 443;
ssl = true;
}
];
globalRedirect = "esphome.ccchh.net";
redirectCode = 307;
};
}; };
}; };
security.acme.certs."esphome.ccchh.net".extraDomainNames = [ "esphome.z9.ccchh.net" ];
networking.firewall.allowedTCPPorts = [ 80 443 31820 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
} }
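Review bot: `security.acme.certs."esphome.ccchh.net".extraDomainNames = [ "esphome.z9.ccchh.net" ]` makes the z9 name a SAN of the same certificate, so issuance and every renewal of the main certificate now also depend on `esphome.z9.ccchh.net` resolving in public DNS and reaching this host's port 80 for the HTTP-01 challenge; the z9 hosts elsewhere on this page sit on 10.31.208.0/23, so if that name is only resolvable internally the whole certificate will fail to renew. Either verify the name is publicly reachable, or issue it separately so the two cannot fail together. Dropping the 31820 listener and closing the port in the firewall is good; `redirectCode = 307` is fine for a temporary hop, but if the z9 name is being retired permanently, 308 lets clients cache the redirect.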


@ -0,0 +1,7 @@
{ config, pkgs, ... }:
{
networking.hostName = "forgejo-actions-runner";
system.stateVersion = "23.11";
}


@ -0,0 +1,11 @@
{ ... }:
{
imports = [
./configuration.nix
./docker.nix
./forgejo-actions-runner.nix
./networking.nix
./sops.nix
];
}


@ -0,0 +1,13 @@
# Sources for this configuration:
# - https://nixos.wiki/wiki/Docker
{ config, pkgs, ... }:
{
virtualisation.docker = {
enable = true;
autoPrune = {
enable = true;
dates = "weekly";
};
};
}


@ -0,0 +1,26 @@
# Sources for this configuration:
# - https://forgejo.org/docs/latest/admin/actions/
# - https://forgejo.org/docs/latest/user/actions/
# - https://docs.gitea.com/next/usage/actions/act-runner
{ config, pkgs, ... }:
{
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.ccchh-forgejo-global-docker = {
enable = true;
name = "Global Docker Forgejo Actions Runner";
url = "https://git.hamburg.ccc.de/";
tokenFile = "/run/secrets/forgejo_actions_runner_registration_token";
labels = [ "docker:docker://node:current-bookworm" ];
};
};
sops.secrets."forgejo_actions_runner_registration_token" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "gitea-runner-ccchh\\x2dforgejo\\x2dglobal\\x2ddocker.service" ];
};
}
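Review bot: `labels = [ "docker:docker://node:current-bookworm" ]` pins a floating image tag, so the job environment changes silently whenever the tag moves; pin a fixed version or digest if reproducible CI matters. Two things to verify in `restartUnits`: the nixpkgs `gitea-actions-runner` module documents `tokenFile` as an environment file (`TOKEN=<token>`), so the sops value must be stored in that form and not as the bare token, and the escaped unit name `gitea-runner-ccchh\\x2dforgejo\\x2dglobal\\x2ddocker.service` must match the unit the module actually generates for instance `ccchh-forgejo-global-docker`, otherwise a token rotation will not restart the runner and the mismatch fails silently. Since this is a global runner with the `docker:` label, workflows from any repository on the instance get to run against this host's Docker daemon; a comment stating that trust decision (and who may create repositories there) would help the next reader.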

@ -0,0 +1,22 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.155";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "1E:E0:4E:D0:DA:BE";
linkConfig.Name = "net0";
};
}

@ -0,0 +1,233 @@
forgejo_actions_runner_registration_token: ENC[AES256_GCM,data:gAR2ffrffeuuaOwO6mWcif2e6csKIVoLqrux19iBlrTkFHgo/IlHVL0eSUGqnw==,iv:i12yx/quwT9kj6fPECszo/iG9cVhKX+7dAA6/N09URc=,tag:eO+mWhumgvWzQxYqiRUXbA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
unencrypted_suffix: _unencrypted
version: 3.8.1

@ -0,0 +1,7 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

@ -6,6 +6,8 @@
./forgejo.nix ./forgejo.nix
./networking.nix ./networking.nix
./nginx.nix ./nginx.nix
./opensearch.nix
./redis.nix ./redis.nix
./sops.nix
]; ];
} }

@ -7,13 +7,13 @@
# - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md # - https://codeberg.org/forgejo/forgejo/src/branch/forgejo/docs/content/administration/reverse-proxies.en-us.md
# - https://forgejo.org/docs/latest/admin/email-setup/ # - https://forgejo.org/docs/latest/admin/email-setup/
{ ... }: { pkgs-unstable, ... }:
{ {
services.forgejo = { services.forgejo = {
enable = true; enable = true;
database.type = "postgres"; database.type = "postgres";
mailerPasswordFile = "/secrets/forgejo-git-smtp-password.secret"; mailerPasswordFile = "/run/secrets/forgejo_git_smtp_password";
settings = { settings = {
DEFAULT = { DEFAULT = {
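Review bot: `pkgs-unstable` is added to the module arguments, but nothing in the visible hunks of this file uses it; `{ pkgs-unstable, ... }:` also makes the module fail evaluation on any flake that does not pass that specialArg, so drop it unless a later hunk needs it. The `mailerPasswordFile` move to `/run/secrets/forgejo_git_smtp_password` is consistent with the `sops.secrets."forgejo_git_smtp_password"` declaration added further down.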
@ -27,6 +27,7 @@
ROOT_URL = "https://git.hamburg.ccc.de/"; ROOT_URL = "https://git.hamburg.ccc.de/";
# LOCAL_ROOT_URL is apparently what Forgejo uses to access itself. # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself.
# Doesn't need to be set. # Doesn't need to be set.
OFFLINE_MODE = true;
}; };
admin = { admin = {
DISABLE_REGULAR_ORG_CREATION = false; DISABLE_REGULAR_ORG_CREATION = false;
@ -43,6 +44,17 @@
ALLOW_ONLY_EXTERNAL_REGISTRATION = true; ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
DEFAULT_USER_VISIBILITY = "limited"; DEFAULT_USER_VISIBILITY = "limited";
DEFAULT_KEEP_EMAIL_PRIVATE = true; DEFAULT_KEEP_EMAIL_PRIVATE = true;
ENABLE_BASIC_AUTHENTICATION = false;
ENABLE_NOTIFY_MAIL = true;
AUTO_WATCH_NEW_REPOS = false;
AUTO_WATCH_ON_CHANGES = false;
};
repo = {
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
};
actions = {
ENABLED = true;
ARTIFACT_RETENTION_DAYS = 30;
}; };
mailer = { mailer = {
ENABLED = true; ENABLED = true;
@ -57,17 +69,20 @@
ADAPTER = "redis"; ADAPTER = "redis";
HOST = "redis+socket:///run/redis-forgejo/redis.sock"; HOST = "redis+socket:///run/redis-forgejo/redis.sock";
}; };
indexer = {
ISSUE_INDEXER_TYPE = "elasticsearch";
ISSUE_INDEXER_CONN_STR = "http://127.0.0.1:9200";
REPO_INDEXER_ENABLED = true;
REPO_INDEXER_TYPE = "elasticsearch";
REPO_INDEXER_CONN_STR = "http://127.0.0.1:9200";
};
}; };
}; };
deployment.keys = { sops.secrets."forgejo_git_smtp_password" = {
"forgejo-git-smtp-password.secret" = { mode = "0440";
keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/git/smtp_password" ]; owner = "forgejo";
destDir = "/secrets"; group = "forgejo";
user = "forgejo"; restartUnits = [ "forgejo.service" ];
group = "forgejo";
permissions = "0640";
uploadAt = "pre-activation";
};
}; };
} }
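Review bot: the new `indexer` block talks to `http://127.0.0.1:9200` without credentials or TLS, so the issue and code indexes are only as protected as OpenSearch's bind address; nothing in this diff sets that explicitly, so pin it in opensearch.nix rather than relying on the module default. The sops secret replacing the `deployment.keys` entry is correct for its consumer: `owner = "forgejo"`, `mode = "0440"` and `restartUnits = [ "forgejo.service" ]` mean Forgejo can read it and is restarted on rotation.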

@ -1,17 +1,33 @@
# Sources for this configuration:
# - https://nixos.wiki/wiki/Networking
{ ... }: { ... }:
{ {
networking.interfaces.net0 = { networking = {
ipv4.addresses = [ interfaces.net0 = {
{ ipv4.addresses = [
address = "212.12.51.136"; {
prefixLength = 28; address = "212.12.51.136";
} prefixLength = 28;
]; }
{
address = "172.31.17.154";
prefixLength = 25;
}
];
ipv6.addresses = [
{
address = "2a00:14b0:f000:23:51:136::1";
prefixLength = 64;
}
];
};
defaultGateway = "212.12.51.129";
defaultGateway6 = "2a00:14b0:f000:23::1";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
}; };
networking.defaultGateway = "212.12.51.129";
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = { systemd.network.links."10-net0" = {
matchConfig.MACAddress = "92:7B:E6:12:A4:FA"; matchConfig.MACAddress = "92:7B:E6:12:A4:FA";

@ -34,6 +34,10 @@
return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\""; return = "200 \"User-agent: *\\nDisallow: /*/*/archive/\\n\"";
}; };
}; };
# Disable checking of client request body size to make container registry
# image uploads work.
clientMaxBodySize = "0";
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
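Review bot: `clientMaxBodySize = "0"` is set at the `services.nginx` level, so the request-body limit is disabled for every vhost and location served by this nginx, not only the container registry upload path; an unauthenticated client can then stream arbitrarily large bodies at any endpoint. Scope it to the registry location instead (for Forgejo's registry that is `/v2/`, e.g. `locations."/v2/".extraConfig = "client_max_body_size 0;"`) and keep a bounded default elsewhere.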

@ -0,0 +1,12 @@
{ ... }:
{
services.opensearch = {
enable = true;
};
systemd.services.forgejo = {
after = [ "opensearch.service" ];
requires = [ "opensearch.service" ];
};
}
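Review bot: `services.opensearch.enable = true` with no `settings` leaves bind address, heap size and plugin configuration at module defaults, and forgejo.nix reaches it unauthenticated on `127.0.0.1:9200`; set `settings."network.host" = "127.0.0.1"` explicitly so a future default change cannot expose the index on the public `212.12.51.136` interface this host also carries. The `after`/`requires` ordering on `forgejo.service` is right, so an OpenSearch failure stops Forgejo rather than leaving it half-working.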

@ -0,0 +1,233 @@
forgejo_git_smtp_password: ENC[AES256_GCM,data:ZRj5GpQKRlTxdu5CfbJirRGAKPCLAIG1F0V5USz5m5D49V3lu5uLomxHapmEwb0yYoE7e7ZLYK4VQUoQgpUnSw==,iv:K7+9E2gi8cdYu0lX/HgWitLxnxARywIwh5glEL0uOsM=,tag:s9UC8e+E5E3vM6cTKW7Vqw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
unencrypted_suffix: _unencrypted
version: 3.8.1

@ -0,0 +1,7 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

@ -0,0 +1,9 @@
{ ... }:
{
networking = {
hostName = "hydra";
};
system.stateVersion = "24.05";
}

@ -0,0 +1,11 @@
{ ... }:
{
imports = [
./configuration.nix
./hydra.nix
./networking.nix
./nginx.nix
./nix.nix
];
}

@ -0,0 +1,15 @@
{ ... }:
{
services.hydra = {
enable = true;
listenHost = "localhost";
port = 3000;
hydraURL = "https://hydra.hamburg.ccc.de/";
# E-Mail configuration requires some work/investigation still.
notificationSender = "no-reply@hydra.hamburg.ccc.de";
useSubstitutes = true;
minimumDiskFree = 8;
minimumDiskFreeEvaluator = 2;
};
}

@ -0,0 +1,22 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.163";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:45:7C:D6";
linkConfig.Name = "net0";
};
}

@ -0,0 +1,58 @@
{ config, pkgs, ... }:
let
domain = "hydra.hamburg.ccc.de";
in
{
services.nginx = {
enable = true;
virtualHosts = {
"acme-${domain}" = {
default = true;
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
default = true;
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://${config.services.hydra.listenHost}:${builtins.toString config.services.hydra.port}";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 8443 31820 ];
networking.firewall.allowedUDPPorts = [ 8443 ];
}
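Review bot: `networking.firewall.allowedUDPPorts = [ 8443 ]` opens a UDP port nothing listens on (the 8443 listener is TCP with `proxyProtocol = true`; no `quic` or HTTP/3 is configured), so drop it. Both vhosts set `default = true`, which only works because they sit on different ports (31820 and 8443); a one-line comment would save the next reader a check. The `set_real_ip_from 172.31.17.140` plus `real_ip_header proxy_protocol` pairing is correct: only PROXY headers arriving from that address rewrite `$remote_addr`, so a client connecting to 8443 directly cannot spoof its source. Typo in the `extraConfig` comment: "addreses".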

@ -0,0 +1,10 @@
{ ... }:
{
# Allow Hydra to fetch flake inputs.
nix.settings.allowed-uris = [
"github:"
"https://github.com/"
"https://git.hamburg.ccc.de/"
];
}

@ -7,5 +7,6 @@
./postgresql.nix ./postgresql.nix
./matrix-synapse.nix ./matrix-synapse.nix
./nginx.nix ./nginx.nix
./sops.nix
]; ];
} }

@ -44,20 +44,16 @@
}; };
extraConfigFiles = [ extraConfigFiles = [
"/secrets/matrix-registration-shared-secret.secret" "/run/secrets/matrix_registration_shared_secret"
]; ];
}; };
systemd.services.matrix-synapse.serviceConfig.ReadWritePaths = [ config.services.matrix-synapse.settings.media_store_path ]; systemd.services.matrix-synapse.serviceConfig.ReadWritePaths = [ config.services.matrix-synapse.settings.media_store_path ];
deployment.keys = { sops.secrets."matrix_registration_shared_secret" = {
"matrix-registration-shared-secret.secret" = { mode = "0440";
keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/matrix/registration-shared-secret" ]; owner = "matrix-synapse";
destDir = "/secrets"; group = "matrix-synapse";
user = "matrix-synapse"; restartUnits = [ "matrix-synapse.service" ];
group = "matrix-synapse";
permissions = "0640";
uploadAt = "pre-activation";
};
}; };
} }

@ -1,17 +1,19 @@
{ ... }: { ... }:
{ {
networking.interfaces.net0 = { networking = {
ipv4.addresses = [ interfaces.net0 = {
{ ipv4.addresses = [
address = "172.31.17.150"; {
prefixLength = 25; address = "172.31.17.150";
} prefixLength = 25;
]; }
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
}; };
networking.defaultGateway = "172.31.17.129";
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = { systemd.network.links."10-net0" = {
matchConfig.MACAddress = "2A:A5:80:C3:8E:32"; matchConfig.MACAddress = "2A:A5:80:C3:8E:32";

@ -0,0 +1,233 @@
matrix_registration_shared_secret: ENC[AES256_GCM,data:5fKfTqwoUreSIPbua5t1lYZFRnQQjNzFvrIBVIBfKWu20kH4BhlDboL/zYnhWLELq/KykX/EUvijoZxxTnUiN7T8H3L6fKOCQKacZkIwKfg/JjqLVnXIaY0JOwg=,iv:Cazhdo7YR0zSgiyQoHLsk2e4dWGSoSfEtOuMA1LEJcg=,tag:KsbnGvEyRbzbIXuAayQk5A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
unencrypted_suffix: _unencrypted
version: 3.8.1

@ -0,0 +1,7 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

@ -0,0 +1,9 @@
{ ... }:
{
networking = {
hostName = "mjolnir";
};
system.stateVersion = "24.05";
}

@ -0,0 +1,10 @@
{ ... }:
{
imports = [
./configuration.nix
./mjolnir.nix
./networking.nix
./sops.nix
];
}

@ -0,0 +1,36 @@
# Sources for this configuration:
# - https://github.com/matrix-org/mjolnir/blob/main/docs/setup.md
# - https://github.com/matrix-org/mjolnir/blob/main/config/default.yaml
{ ... }:
{
# Allow deprecated, apparently somewhat insecure libolm to be able to update
# the moderation bot.
# The security issues aren't real world exploitable apparently:
# https://matrix.org/blog/2024/08/libolm-deprecation/
nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
services.mjolnir = {
enable = true;
homeserverUrl = "https://matrix.hamburg.ccc.de";
managementRoom = "#moderation-management:hamburg.ccc.de";
settings = {
verboseLogging = false;
};
pantalaimon = {
enable = true;
username = "moderation";
passwordFile = "/run/secrets/matrix_moderation_user_password";
options = {
ssl = true;
};
};
};
sops.secrets."matrix_moderation_user_password" = {
mode = "0440";
owner = "mjolnir";
group = "mjolnir";
restartUnits = [ "mjolnir.service" ];
};
}
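Review bot: `nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ]` allowlists a library its upstream has retired for cryptographic reasons (the linked deprecation post); the pin is exact, so the next olm version bump will fail evaluation and force a revisit, which is the right behaviour. Add a TODO naming the dependency that pulls it in (the pantalaimon e2ee path) and the condition for removing the exception, so it does not quietly become permanent. The rest is sound: `pantalaimon.options.ssl = true`, and the password secret is `owner = "mjolnir"`, `mode = "0440"` with `restartUnits = [ "mjolnir.service" ]`.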

@ -0,0 +1,22 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.161";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:C9:F8:C5";
linkConfig.Name = "net0";
};
}

@ -0,0 +1,233 @@
matrix_moderation_user_password: ENC[AES256_GCM,data:NXJrbRh0A+NQh6Jy9iVAfYhsGR1BSOSuk1LjmArSiVF6jnuJAP9f750cRP7bu7Ai8xgxTlhjAtv9ck6SqlJ6Vw==,iv:IN/siIPCFKE+Nfl/aogYRYAHVgEGhMtTbmEZKZWQYgM=,tag:xxlnl5GU+uusSeh1OvoU1g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
unencrypted_suffix: _unencrypted
version: 3.8.1

@ -0,0 +1,7 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

@ -0,0 +1,10 @@
{ ... }:
{
networking = {
hostName = "mqtt";
domain = "z9.ccchh.net";
};
system.stateVersion = "23.11";
}

@ -0,0 +1,9 @@
{ pkgs, ... }:
{
imports = [
./configuration.nix
./networking.nix
./mosquitto.nix
];
}

View file

@ -0,0 +1,33 @@
# Sources for this configuration:
# - https://search.nixos.org/options?sort=relevance&type=packages&query=services.mosquitto
# - https://mosquitto.org/man/mosquitto-conf-5.html
# - https://winkekatze24.de
{ ... }:
{
services.mosquitto = {
enable = true;
persistence = true;
# set config for all listeners
listeners = [{
settings.allow_anonymous = true;
omitPasswordAuth = true;
acl = [ "topic readwrite #" ];
}];
bridges.winkekatz = {
addresses = [
{ address = "mqtt.winkekatze24.de"; }
];
topics = [
"winkekatze/allcats/eye/set in 2"
"winkekatze/allcats in 2"
"+/status out 2 winkekatze/ \"\""
"+/connected out 2 winkekatze/ \"\""
];
};
};
networking.firewall.allowedTCPPorts = [ 1883 ];
}
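Review bot: the only listener is fully open (`settings.allow_anonymous = true`, `omitPasswordAuth = true`, `acl = [ "topic readwrite #" ]`) and port 1883 is opened in the firewall, so every host that can reach this machine can publish to and subscribe on every topic, including the `winkekatze/...` topics that the bridge relays out to mqtt.winkekatze24.de. If an anonymous broker is the intent for this network, say so in the comment above `listeners` (currently it only says "set config for all listeners"); otherwise restrict the listener (`address`), or add `users` with credentials and a narrower ACL. Nit: the bridge is named `winkekatz` while every topic uses the `winkekatze` prefix.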

View file

@ -0,0 +1,21 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "10.31.208.14";
prefixLength = 23;
}
];
};
defaultGateway = "10.31.208.1";
nameservers = [ "10.31.210.1" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:48:85:73";
linkConfig.Name = "net0";
};
}

View file

@ -7,5 +7,6 @@
./networking.nix ./networking.nix
./nginx.nix ./nginx.nix
./postgresql.nix ./postgresql.nix
./sops.nix
]; ];
} }

View file

@ -10,21 +10,33 @@
services.netbox = { services.netbox = {
enable = true; enable = true;
package = pkgs.netbox; package = pkgs.netbox;
secretKeyFile = "/secrets/netbox-secret-key.secret"; secretKeyFile = "/run/secrets/netbox_secret_key";
keycloakClientSecret = "/run/secrets/netbox_keycloak_secret";
settings = { settings = {
ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ]; ALLOWED_HOSTS = [ "netbox.hamburg.ccc.de" ];
SESSION_COOKIE_SECURE = true; SESSION_COOKIE_SECURE = true;
# CCCHH ID (Keycloak) integration.
# https://github.com/python-social-auth/social-core/blob/0925304a9e437f8b729862687d3a808c7fb88a95/social_core/backends/keycloak.py#L7
# https://python-social-auth.readthedocs.io/en/latest/backends/keycloak.html
REMOTE_AUTH_BACKEND = "social_core.backends.keycloak.KeycloakOAuth2";
SOCIAL_AUTH_KEYCLOAK_KEY = "netbox";
# SOCIAL_AUTH_KEYCLOAK_SECRET set via keycloakClientSecret option.
SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi/Shi+b2OyYNGVFPsa6qf9SesEpRl5U5rpwgmt8H7NawMvwpPUYVW9o46QW0ulYcDmysT3BzpP3tagO/SFNoOjZdYe0D9nJ7vEp8KHbzR09KCfkyQIi0wLssKnDotVHL5JeUY+iKk+gjiwF9FSFSHPBqsST7hXVAut9LkOvs2aDod9AzbTH/uYbt4wfUm5l/1Ii8D+K7YcsFGUIqxv4XS/ylKqObqN4M2dac69iIwapoh6reaBQEm66vrOzJ+3yi4DZuPrkShJqi2hddtoyZihyCkF+eJJKEI5LrBf1KZB3Ec2YUrqk93ZGUGs/XY6R87QSfR3hJ82B1wnF+c2pw+QIDAQAB";
SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/auth";
SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = "https://id.hamburg.ccc.de/realms/ccchh/protocol/openid-connect/token";
}; };
}; };
deployment.keys."netbox-secret-key.secret" = { sops.secrets."netbox_secret_key" = {
keyCommand = [ "env" "pass" "noc/vm-secrets/z9/netbox/netbox_secret_key" ]; mode = "0440";
owner = "netbox";
destDir = "/secrets";
user = "netbox";
group = "netbox"; group = "netbox";
permissions = "0440"; restartUnits = [ "netbox.service" "netbox-rq.service" ];
};
uploadAt = "pre-activation"; sops.secrets."netbox_keycloak_secret" = {
mode = "0440";
owner = "netbox";
group = "netbox";
restartUnits = [ "netbox.service" "netbox-rq.service" ];
}; };
} }
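Review bot: `SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY` is pinned inline with no note on where the value came from or that logins break as soon as the realm's signing key is rotated; add that next to it, since the two links above document the backend but not the key. The split between `settings` and the file-based options is right and worth stating in the commit message: everything in `settings` is rendered into a world-readable file in the Nix store, so the NetBox secret key and the Keycloak client secret must stay in `secretKeyFile` / `keycloakClientSecret` as done here, with `restartUnits` covering both `netbox.service` and `netbox-rq.service`.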

View file

@ -1,23 +1,19 @@
# Networking configuration for the host. { ... }:
# Sources for this configuration:
# - https://nixos.org/manual/nixos/stable/#sec-networking
# - https://nixos.wiki/wiki/Systemd-networkd
# - https://wiki.archlinux.org/title/Systemd-networkd
{ config, pkgs, ... }:
{ {
networking.interfaces.net0 = { networking = {
ipv4.addresses = [ interfaces.net0 = {
{ ipv4.addresses = [
address = "172.31.17.149"; {
prefixLength = 25; address = "172.31.17.149";
} prefixLength = 25;
]; }
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
}; };
networking.defaultGateway = "172.31.17.129";
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = { systemd.network.links."10-net0" = {
matchConfig.MACAddress = "62:ED:44:20:7C:C1"; matchConfig.MACAddress = "62:ED:44:20:7C:C1";
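Review bot: this hunk is a pure restructuring (the four `networking.*` attributes folded into one `networking = { ... }` set, unchanged addresses), but it also deletes the header comment and the three source links to the NixOS networking manual, the NixOS wiki and the Arch wiki page on systemd-networkd. If the intent is formatting only, keep those comment lines; if dropping them is deliberate, the commit message should say so.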

View file

@ -0,0 +1,234 @@
netbox_secret_key: ENC[AES256_GCM,data:7cVGSlrCo3MEjeLjfeZrL0VZi3+yZqsC3qI+rx+xadic78H0egWCCNaYEHIgtilgFjw=,iv:gnearzPduWcrVLU/FuzS05eNPZ5srX0hqZyElq+19ek=,tag:9MKgFb4eVYE6a5ncx9sgpw==,type:str]
netbox_keycloak_secret: ENC[AES256_GCM,data:WLPCwl6KmHhyGwpqchZUmTr0XwA1T9asAEXNOSQMfGU=,iv:fsO+Ho18Uz6+y2iohbve1bUKhCR/c2zNrbODR2Jrh3Q=,tag:MWeh7GhdyUJnSzrndA3l3Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
lastmodified: "2024-10-08T23:54:23Z"
mac: ENC[AES256_GCM,data:6KwBwJ1uTuOaCTcBs9sgvX+E/bV37ylJmDqYupa3545ba5Y3VMuF2Hx72zzRYPmh5/DmwzDxc/f7TZUheO5jwwwMGGNCYuX2c+nkzLgtovT/yCXTo8vPHNf03fQRHlOq28ztQIG8Ug1s/t4XkA+iuqPdbvyNKLbsJfJBqg4SF44=,iv:SUXPFtW3/pSTBnjAh77G6pJTucHy4VEhUVkELiMJ4JU=,tag:SfLCwPpJuvL7RrIRmN5PGg==,type:str]
pgp:
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -0,0 +1,7 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

View file

@ -0,0 +1,7 @@
{ config, pkgs, ... }:
{
networking.hostName = "nix-box-june";
system.stateVersion = "23.11";
}
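Review bot: `config` and `pkgs` are bound but unused here; the other new hosts in this range use `{ ... }:` for the same kind of file. The same unused-argument pattern recurs in this host's `default.nix` and `emulated-systems.nix` and in penpot's `configuration.nix` and `default.nix`.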

View file

@ -0,0 +1,10 @@
{ config, pkgs, ... }:
{
imports = [
./configuration.nix
./emulated-systems.nix
./networking.nix
./users.nix
];
}

View file

@ -0,0 +1,5 @@
{ config, pkgs, ... }:
{
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
}

View file

@ -0,0 +1,22 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.158";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:6A:33:5F";
linkConfig.Name = "net0";
};
}

View file

@ -0,0 +1,59 @@
{ lib, ... }:
{
users.users = {
chaos.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
colmena-deploy.openssh.authorizedKeys.keys = lib.mkForce [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
djerun = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWXk9N9GoDyvaB0mnX448IvzKKsMv0eFZKvjqmsJ3In djerun@chaos.ferrum.local"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQsu6WSAXsF45wGmw2spQUWopsgioUuFI8hKLBW/WVk djerun@chaos-noc.ferrum.local"
];
};
june = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqCxniUEAZAYqL5zbisFfYcQx+7iDRrMo4Pz4uWXq5b julian@01_id_ed25519" ];
};
jtbx = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBQgnQAq6FUSDK8bxtYPjx3oRCAKG+xy9J3Gas2ztJk jannik@Magrathea.local" ];
};
dario = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZtJwNPEIfNsAxBfWgxAeoKX1ajORPvs6L5S+qipJ7J dario@ccchh" ];
};
yuri = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
];
};
max = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINHNGDzZqmiFUH75oq1npZTyxV0B7eSJES/29UJxTXBc max@iridium" ];
};
haegar = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhWTkvLI/rp6eyTemuFZRbt2xxRtal7fu668nnb/ekU haegar@aurora" ];
};
stb = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgVuX9phyXImxqvof+49UXhiSQ+VGizeU4LrPcZY1Hy stb@lassitu.de 20230418" ];
};
hansenerd = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBxujzHK49IBtYKPgnTCDQEiIxgzzlQ846tmU+6TcMIi hansenerd" ];
};
echtnurich = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWWxkGFje1CJbZTB2Kv8hxZpvRR8qyw2IarRIHnQj3+ echtnurich" ];
};
c6ristian = {
isNormalUser = true;
openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOgfWcCrsVSXvYEssbfMOy2DnfkGSx+ZRnPLtjVNSxbf c6ristian" ];
};
};
}
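Review bot: the `lib.mkForce` on `chaos.openssh.authorizedKeys.keys` and `colmena-deploy.openssh.authorizedKeys.keys` discards any key list defined for those two accounts elsewhere in the tree, which means whoever can normally deploy to the other hosts cannot reach this one; that looks intentional for a personal build box, but it needs a comment saying so. The same ed25519 key (`julian@01_id_ed25519`) is pasted three times (`chaos`, `colmena-deploy`, `june`); bind it once in a `let` so the three stay in sync. On the positive side, none of the accounts gets `extraGroups`, so nobody lands in `wheel` by accident.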

View file

@ -0,0 +1,7 @@
{ config, pkgs, ... }:
{
networking.hostName = "penpot";
system.stateVersion = "24.05";
}

View file

@ -0,0 +1,11 @@
{ config, pkgs, ... }:
{
imports = [
./configuration.nix
./networking.nix
./nginx.nix
./penpot.nix
./sops.nix
];
}

View file

@ -0,0 +1,20 @@
{ ... }:
{
networking.interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.162";
prefixLength = 25;
}
];
};
networking.defaultGateway = "172.31.17.129";
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:26:1C:8A";
linkConfig.Name = "net0";
};
}
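Review bot: this file uses the flat form (`networking.defaultGateway = ...`, `networking.nameservers = ...`, `networking.search = ...`) that the netbox `networking.nix` hunk in this same range rewrites into a single `networking = { ... }` attrset; pick one style for the new hosts.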

View file

@ -0,0 +1,63 @@
{ config, pkgs, ... }:
let
domain = "design.hamburg.ccc.de";
in
{
services.nginx = {
enable = true;
virtualHosts = {
"acme-${domain}" = {
default = true;
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
default = true;
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://127.0.0.1:9001";
};
locations."/ws/notifications" = {
proxyPass = "http://127.0.0.1:9001";
proxyWebsockets = true;
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
};
networking.firewall.allowedTCPPorts = [ 8443 31820 ];
networking.firewall.allowedUDPPorts = [ 8443 ];
}
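Review bot: `networking.firewall.allowedUDPPorts = [ 8443 ];` opens a UDP port nothing listens on: the `listen` entry for `${domain}` is TCP-only (no `quic`/`http3`), so drop that line. The two `default = true` vhosts are fine because they sit on different ports (31820 and 8443). Nit: `serverName = "${domain}";` and `useACMEHost = "${domain}";` interpolate a string into an identical string; plain `domain` reads better.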

View file

@ -0,0 +1,198 @@
# Sources used for this configuration:
# - https://github.com/penpot/penpot/blob/2.1.0/docker/images/docker-compose.yaml
# - https://raw.githubusercontent.com/penpot/penpot/2.1.0/docker/images/docker-compose.yaml
# - https://help.penpot.app/technical-guide/configuration/
# - https://medium.com/@social.iodols/managing-docker-containers-in-nixos-fbda0f666dd1
# - https://madison-technologies.com/take-your-nixos-container-config-and-shove-it/
{ config, pkgs, ... }:
let
# Flags for both frontend and backend.
# https://help.penpot.app/technical-guide/configuration/#common
# https://github.com/penpot/penpot/commit/ea7ad2aaa096f8d190d740f693f22f3ed1f05088
commonPenpotFlags = "disable-registration enable-oidc-registration disable-login-with-password enable-login-with-oidc";
penpotVersion = "2.1.3";
in
{
virtualisation.docker.enable = true;
virtualisation.oci-containers = {
backend = "docker";
containers = {
"penpot-frontend" = {
autoStart = true;
image = "docker.io/penpotapp/frontend:${penpotVersion}";
extraOptions = [ "--network=penpot" ];
ports = [ "9001:80" ];
volumes = [ "penpot_assets:/opt/data/assets" ];
dependsOn = [
"penpot-backend"
"penpot-exporter"
];
environment = {
# https://help.penpot.app/technical-guide/configuration/#frontend
# https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L78
PENPOT_FLAGS = "${commonPenpotFlags} disable-onboarding";
};
};
"penpot-backend" = {
autoStart = true;
image = "docker.io/penpotapp/backend:${penpotVersion}";
extraOptions = [ "--network=penpot" ];
volumes = [ "penpot_assets:/opt/data/assets" ];
dependsOn = [
"penpot-postgres"
"penpot-redis"
];
environment = {
# https://help.penpot.app/technical-guide/configuration/#backend
# https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L112
PENPOT_FLAGS = "${commonPenpotFlags} enable-smtp";
# PENPOT_SECRET_KEY st via environmentFile.
PENPOT_TELEMETRY_ENABLED = "false";
# OpenID Connect configuration.
# https://help.penpot.app/technical-guide/configuration/#openid-connect
PENPOT_OIDC_CLIENT_ID = "penpot";
PENPOT_OIDC_BASE_URI = "https://id.hamburg.ccc.de/realms/ccchh/";
# PENPOT_OIDC_CLIENT_SECRET set via environmentFile.
PENPOT_OIDC_ROLES = "user";
PENPOT_OIDC_ROLES_ATTR = "roles";
# Database configuration.
# https://help.penpot.app/technical-guide/configuration/#database
PENPOT_DATABASE_USERNAME = "penpot";
# PENPOT_DATABASE_PASSWORD set via environmentFile.
PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot";
# Email configuration.
# https://help.penpot.app/technical-guide/configuration/#email-(smtp)
PENPOT_SMTP_HOST = "cow.hamburg.ccc.de";
PENPOT_SMTP_PORT = "465";
PENPOT_SMTP_USERNAME = "no-reply@design.hamburg.ccc.de";
# PENPOT_SMTP_PASSWORD set via environmentFile.
PENPOT_SMTP_SSL = "true";
PENPOT_SMTP_DEFAULT_REPLY_TO = "Penpot <no-reply@design.hamburg.ccc.de>";
PENPOT_SMTP_DEFAULT_FROM = "Penpot <no-reply@design.hamburg.ccc.de>";
# Storage
# https://help.penpot.app/technical-guide/configuration/#storage
PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs";
PENPOT_STORAGE_ASSETS_FS_DIRECTORY = "/opt/data/assets";
# Redis
# https://help.penpot.app/technical-guide/configuration/#redis
PENPOT_REDIS_URI = "redis://penpot-redis/0";
PENPOT_PUBLIC_URI = "https://design.hamburg.ccc.de";
};
environmentFiles = [ "/run/secrets/penpot_backend_environment_file" ];
};
"penpot-exporter" = {
autoStart = true;
image = "docker.io/penpotapp/exporter:${penpotVersion}";
extraOptions = [ "--network=penpot" ];
environment = {
# https://help.penpot.app/technical-guide/configuration/#exporter
# https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L221
PENPOT_PUBLIC_URI = "http://penpot-frontend";
PENPOT_REDIS_URI = "redis://penpot-redis/0";
};
};
"penpot-postgres" = {
autoStart = true;
image = "docker.io/library/postgres:15";
extraOptions = [ "--stop-signal=SIGINT" "--network=penpot" ];
volumes = [ "penpot_postgres_v15:/var/lib/postgresql/data" ];
environment = {
# https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L240
POSTGRES_INITDB_ARGS = "--data-checksums";
POSTGRES_DB = "penpot";
POSTGRES_USER = "penpot";
# POSTGRES_PASSWORD set via environmentFile.
};
environmentFiles = [ "/run/secrets/penpot_postgres_environment_file" ];
};
"penpot-redis" = {
autoStart = true;
image = "docker.io/library/redis:7";
extraOptions = [ "--network=penpot" ];
};
};
};
# Docker networks.
systemd.services."docker-network-penpot" = {
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStop = "${pkgs.docker}/bin/docker network rm -f penpot";
};
script = "${pkgs.docker}/bin/docker network inspect penpot || ${pkgs.docker}/bin/docker network create penpot";
requiredBy = [
"docker-penpot-frontend.service"
"docker-penpot-backend.service"
"docker-penpot-exporter.service"
"docker-penpot-postgres.service"
"docker-penpot-redis.service"
];
before = [
"docker-penpot-frontend.service"
"docker-penpot-backend.service"
"docker-penpot-exporter.service"
"docker-penpot-postgres.service"
"docker-penpot-redis.service"
];
};
# Pull docker images prior to starting container services, so that a container
# service isn't considered up, if it actually is still just pulling the
# relevant image.
systemd.services."docker-images-penpot" = {
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-frontend".image}
${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-backend".image}
${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-exporter".image}
${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-postgres".image}
${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-redis".image}
'';
requiredBy = [
"docker-penpot-frontend.service"
"docker-penpot-backend.service"
"docker-penpot-exporter.service"
"docker-penpot-postgres.service"
"docker-penpot-redis.service"
];
before = [
"docker-penpot-frontend.service"
"docker-penpot-backend.service"
"docker-penpot-exporter.service"
"docker-penpot-postgres.service"
"docker-penpot-redis.service"
];
};
sops.secrets."penpot_backend_environment_file" = {
mode = "0440";
owner = "root";
group = "root";
};
sops.secrets."penpot_postgres_environment_file" = {
mode = "0440";
owner = "root";
group = "root";
};
}
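Review bot: `ports = [ "9001:80" ];` on `penpot-frontend` publishes the port on every interface, and Docker installs its own iptables rules for published ports, so `networking.firewall` does not gate it; the frontend is therefore reachable on :9001 from the network directly, bypassing the TLS-terminating nginx that proxies to `127.0.0.1:9001`. Use `"127.0.0.1:9001:80"` instead. Secondary: `docker.io/library/postgres:15` and `docker.io/library/redis:7` are floating tags, and the penpot images are pinned to `2.1.3` by tag only; for reproducible pulls pin all of them with `@sha256:` digests. Nit: `# PENPOT_SECRET_KEY st via environmentFile.` should read `set via`.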

View file

@ -0,0 +1,234 @@
penpot_backend_environment_file: ENC[AES256_GCM,data:+MJbbAjzslBIYlQ9xe0VzM8ON2U5dktJGGHmoUu0HW0mvU4pRYrQXlWdW85RXAyYU9yOiL6TNAHOWUQyqOdo23whuer2jL/Qe17DEhapE4b9W9JqBX7H0VZZKHS70AgGZdWmbj/bWAROg/qGPVKjZLhgKxoVTVbvAIJEXUDAbGfvHlY3BP67yUTXvbmtd/Rdhn6i1HafY7YHFNAW8SkikglW6wR5igEZMFAefMOMgq7aYmNXOr1bImjCPEko0DvumJZM4YMjmb3Wc97wL7OMP9G/V0k9fRclhOj9+lNpeeCKL+VL3Bgo8vqgrB+WIi4a0EwerT8srx351txrU+ITxoHciRQtOpeXVHWL1snW9o7xCoOcil0NS93D9GhW+Hd75Is/xHN08UHmahF1r71nbDK4CmSiUzZzFLl1oWkSTU/31zBUnllHOt5nDMKT42xiniAJcQ==,iv:vtIlNGIh9+e9W+OebTac+UUQp9glBIolC6KQwQMzDn4=,tag:kBBTu7LVp+3xJ/MstLyomw==,type:str]
penpot_postgres_environment_file: ENC[AES256_GCM,data:VT36kHkRH8ghnU1oyPpAQZW2LR8GNmG1cQXVjU4f+rGy9hViTivd7qxzMusisy7IcWfVaQuXFvUCT+pCMD/fhSAQZOY/1Rs8LBXJtsuPButOG9Q=,iv:pUjAkvvHjsnzn0xRRmdZXatOgLm9dx8Ggt7lEfiQllQ=,tag:FZRqlcxQWu/FgnJfoukIcA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age10ku5rphtsf2lcxg78za7f2dad5cx5x9urgkce0d7tyqwq2enva9sqf7g8r
lastmodified: "2024-08-10T15:40:27Z"
mac: ENC[AES256_GCM,data:hxVxH/BBwYcvbtOH4aOUnI9NnbCfAGnnwE3VQBJBJliOWo9WHm/hx4Eol4vaS+AA2t6AUU7UmzjofX2wSTbqQliDCFCSgbpMofDXP7tmlat+M9Du91fQmfOibzCd84tkqS+TRTFCFX83LmQ7/Bb2mHl77uGVAFYyHX9+IPPEUMw=,iv:w2Rdl2+o7bZRQsOogU6U5DK1UuHn+bL4Ouh3XbByYHA=,tag:6sqJal6+kzk0stP6vK6oOw==,type:str]
pgp:
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -0,0 +1,7 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

View file

@ -0,0 +1,10 @@
{ ... }:
{
networking = {
hostName = "ptouch-print-server";
domain = "z9.ccchh.net";
};
system.stateVersion = "23.11";
}

View file

@ -0,0 +1,9 @@
{ ... }:
{
imports = [
./configuration.nix
./networking.nix
./printing.nix
];
}

View file

@ -0,0 +1,84 @@
#!/usr/bin/env python3
# A script for usage with the ForceCommand sshd_config option.
# It calls lpr with some standard arguments, but also parses
# SSH_ORIGINAL_COMMAND to potentially provide a different set of arguments to
# lpr.
#
# This wrapper is written for interacting with the Brother QL 500 label printer.
#
# The following options can be provided as an SSH command and this script will
# then pass them to the lpr call: <MediaType> <PageSize>
# - MediaType can be one of:
# - Labels
# - Tape (this is the default)
# - PageSize can be one of:
# - 12mm
# - 12mm-circular
# - 17x54mm
# - 17x87mm
# - 23x23mm
# - 24mm-circular
# - 29mm
# - 29x90mm
# - 38mm
# - 38x90mm
# - 50mm
# - 54mm
# - 58mm-circular
# - 62mm
# - 62x29mm
# - 62x100mm
# - Custom.WIDTHxHEIGHT (with WIDTH and HEIGHT needing to be either one to
# three digits)
# - label-wide (this being a convenience alias for Custom.62x35mm and it also
# being the default)
# - label-item (this being a convenience alias for 38x90mm)
#
# So using these options in a complete setup would look like this for example:
# cat label-item.pdf | ssh print@ptouch-print-server.z9.ccchh.net labels label-item
# This being equivalent to:
# cat label-item.pdf | ssh print@ptouch-print-server.z9.ccchh.net Labels 38x90mm
#
# The options are case-insensitive.
#
# The options are derived from: lpoptions -p Brother-QL-500 -l
import os, re, subprocess
mediaType = "Tape"
pageSize = "Custom.62x35mm"
def parseGivenOptions():
givenOptionsString = os.environ["SSH_ORIGINAL_COMMAND"]
givenOptionsIterator = iter(givenOptionsString.split(" "))
givenMediaType = next(givenOptionsIterator, "")
givenPageSize = next(givenOptionsIterator, "")
global mediaType
if givenMediaType.lower() == "labels":
mediaType = "Labels"
elif givenMediaType.lower() == "tape":
mediaType = "Tape"
global pageSize
pageSizeRegex = re.compile(r"^((12mm(-circular)?)|(24mm-circular)|(58mm-circular)|(((17x(54|87))|(23x23)|((29|38)(x90)?)|(62x(29|100))|50|54|62)mm))$", re.ASCII | re.IGNORECASE)
pageSizeMatch = pageSizeRegex.match(givenPageSize)
pageSizeCustomRegex = re.compile(r"^custom\.(\d{1,3})x(\d{1,3})$", re.ASCII | re.IGNORECASE)
pageSizeCustomMatch = pageSizeCustomRegex.match(givenPageSize)
if givenPageSize.lower() == "label-wide":
pageSize = "Custom.62x35mm"
elif givenPageSize.lower() == "label-item":
pageSize = "38x90mm"
elif pageSizeMatch:
pageSize = givenPageSize.lower()
elif pageSizeCustomMatch:
width = pageSizeCustomMatch.group(1)
height = pageSizeCustomMatch.group(2)
pageSize = "Custom.{}x{}".format(width, height)
if "SSH_ORIGINAL_COMMAND" in os.environ:
parseGivenOptions()
subprocess.run(["lpr", "-P", "Brother-QL-500", "-o", "MediaType={}".format(mediaType), "-o", "PageSize={}".format(pageSize)])
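Review bot: the custom-size branch builds `"Custom.{}x{}".format(width, height)` without a unit, while the defaults and the `label-wide` alias use `Custom.62x35mm`; CUPS reads unit-less `Custom.WIDTHxHEIGHT` dimensions as points, so `custom.62x35` yields a 62x35 pt label rather than the 62x35 mm the header comment implies. Either append `mm` or let `pageSizeCustomRegex` accept an explicit unit. Two smaller points: `subprocess.run([...])` ignores the exit status, so the ssh client always sees success even when `lpr` fails (`sys.exit(subprocess.run(...).returncode)` fixes that), and `givenOptionsString.split(" ")` turns a double space into an empty token, where `split()` would not. The allow-list approach itself (aliases plus anchored regexes, no shell) is the right shape for a `ForceCommand` wrapper.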

View file

@ -0,0 +1,7 @@
from distutils.core import setup
setup(
name = "forcecommand-lpr-wrapper",
version = "0.0.1",
scripts = ["./forcecommand-lpr-wrapper.py"]
)
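Review bot: `from distutils.core import setup` depends on a module that was removed from the standard library in Python 3.12, so this breaks as soon as `pkgs.python3` moves to 3.12 unless setuptools' distutils shim happens to be on the path; `from setuptools import setup` is what `buildPythonApplication` provides anyway.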

View file

@ -0,0 +1,21 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "10.31.208.13";
prefixLength = 25;
}
];
};
defaultGateway = "10.31.208.1";
nameservers = [ "10.31.208.1" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:F2:CF:8F";
linkConfig.Name = "net0";
};
}
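Review bot: `prefixLength = 25;` for `10.31.208.13` disagrees with mqtt's `networking.nix` in this same range, which puts `10.31.208.14` in the same network with `prefixLength = 23;`. One of the two is wrong; with /25 this host sends traffic for anything above 10.31.208.127 (and all of 10.31.209.0/24) via the gateway instead of directly.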

View file

@ -0,0 +1,102 @@
# Sources for this configuration:
# - https://nixos.wiki/wiki/Printing
{ pkgs, lib, ... }:
let
# https://github.com/philpem/printer-driver-ptouch
printer-driver-ptouch = pkgs.stdenv.mkDerivation rec {
pname = "printer-driver-ptouch";
version = "1.7";
src = pkgs.fetchgit {
url = "https://github.com/philpem/printer-driver-ptouch";
rev = "v${version}";
hash = "sha256-3ZotSHn7lERp53hAzx47Ct/k565rEoensCcltwX/Xls=";
};
nativeBuildInputs = [
pkgs.autoreconfHook
pkgs.perl
];
buildInputs = [
pkgs.cups
pkgs.libpng
pkgs.perlPackages.XMLLibXML
pkgs.foomatic-db-engine
];
patches = [
# Add this patch to have the package actually build sucessfully.
# https://github.com/philpem/printer-driver-ptouch/pull/35
(pkgs.fetchpatch {
name = "fix-brother-ql-600.xml.patch";
url = "https://patch-diff.githubusercontent.com/raw/philpem/printer-driver-ptouch/pull/35.patch";
hash = "sha256-y5bHKFeRXx8Wdl1++l4QNGgiY41LY5uzrRdOlaZyF9I=";
})
];
# Used the following as a reference on how to generate the ppd files.
# https://salsa.debian.org/printing-team/ptouch-driver/-/blob/4ba5d2c490ea1230374aa4b0bf711bf77f1ab0c7/debian/rules#L34
postInstall = ''
mkdir -p $out/share/cups
FOOMATICDB=$out/share/foomatic ${pkgs.foomatic-db-engine}/bin/foomatic-compiledb -t ppd -d $out/share/cups/model
rm -r $out/share/foomatic
'';
postPatch = ''
patchShebangs --build foomaticalize
'';
};
forcecommand-lpr-wrapper = pkgs.python3Packages.buildPythonApplication {
name = "forcecommand-lpr-wrapper";
src = ./forcecommand-lpr-wrapper;
propagatedBuildInputs = [
pkgs.cups
];
};
in
{
services.printing = {
enable = true;
drivers = [ printer-driver-ptouch ];
stateless = true;
};
hardware.printers = {
ensurePrinters = [
{
name = "Brother-QL-500";
location = "Z9";
deviceUri = "usb://Brother/QL-500?serial=J8Z249208";
model = "Brother-QL-500-ptouch-ql.ppd";
ppdOptions = {
PageSize = "Custom.62x35mm";
};
}
];
ensureDefaultPrinter = "Brother-QL-500";
};
users.users.print = {
isNormalUser = true;
description = "User for printing via SSH.";
password = "";
};
# PasswordAuthentication being set to false just puts "auth required
# pam_deny.so # deny (order 12400)" for pam.d/sshd, so enable
# PasswordAuthentication to have it not do that.
services.openssh.settings.PasswordAuthentication = lib.mkForce true;
security.pam.services.sshd.allowNullPassword = true;
services.openssh.extraConfig = ''
Match User print
PubkeyAuthentication no
AuthenticationMethods none
PermitEmptyPasswords yes
ForceCommand ${forcecommand-lpr-wrapper}/bin/forcecommand-lpr-wrapper.py
Match User *
'';
}
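Review bot: the `Match User print` block only constrains the command; because that account logs in with `AuthenticationMethods none`, add `AllowTcpForwarding no`, `AllowAgentForwarding no`, `PermitTunnel no`, `X11Forwarding no` and `PermitTTY no` to the same block, otherwise an unauthenticated session can still ask sshd for port forwarding through this host. Separately, `services.openssh.settings.PasswordAuthentication = lib.mkForce true` turns password authentication back on for every account on the machine, not just `print`; the comment explains the PAM reason for keeping the global value, so restore the intended state with `PasswordAuthentication yes` inside `Match User print` and `PasswordAuthentication no` in the trailing `Match User *` block.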


@ -1,7 +1,10 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
networking.hostName = "public-reverse-proxy"; networking = {
hostName = "public-reverse-proxy";
domain = "z9.ccchh.net";
};
system.stateVersion = "23.05"; system.stateVersion = "23.05";
} }


@ -9,6 +9,7 @@
services.nginx.streamConfig = '' services.nginx.streamConfig = ''
map $ssl_preread_server_name $address { map $ssl_preread_server_name $address {
status.ccchh.net 10.31.206.15:8443; status.ccchh.net 10.31.206.15:8443;
status.hamburg.ccc.de 10.31.206.15:8443;
} }
# Listen on port 443 as a reverse proxy and use PROXY Protocol for the # Listen on port 443 as a reverse proxy and use PROXY Protocol for the
@ -26,6 +27,7 @@
club-assistant.ccchh.net 10.31.208.10; club-assistant.ccchh.net 10.31.208.10;
netbox.ccchh.net 10.31.208.29:31820; netbox.ccchh.net 10.31.208.29:31820;
light.ccchh.net 10.31.208.23; light.ccchh.net 10.31.208.23;
light-werkstatt.ccchh.net 10.31.208.23;
thinkcccore0.ccchh.net 10.31.242.3; thinkcccore0.ccchh.net 10.31.242.3;
thinkcccore1.ccchh.net 10.31.242.4; thinkcccore1.ccchh.net 10.31.242.4;
thinkcccore2.ccchh.net 10.31.242.5; thinkcccore2.ccchh.net 10.31.242.5;


@ -6,6 +6,7 @@
./networking.nix ./networking.nix
./nginx.nix ./nginx.nix
./virtualHosts ./virtualHosts
./sops.nix
./spaceapid.nix ./spaceapid.nix
]; ];
} }


@ -1,17 +1,19 @@
{ ... }: { ... }:
{ {
networking.interfaces.net0 = { networking = {
ipv4.addresses = [ interfaces.net0 = {
{ ipv4.addresses = [
address = "172.31.17.151"; {
prefixLength = 25; address = "172.31.17.151";
} prefixLength = 25;
]; }
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
}; };
networking.defaultGateway = "172.31.17.129";
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
networking.search = [ "hamburg.ccc.de" ];
systemd.network.links."10-net0" = { systemd.network.links."10-net0" = {
matchConfig.MACAddress = "86:72:08:F6:C0:D6"; matchConfig.MACAddress = "86:72:08:F6:C0:D6";


@ -0,0 +1,233 @@
spaceapid_config_ccchh_credentials: ENC[AES256_GCM,data:5IClrKKMO/AztQuGabrnoRFItYNeEmVWGeafomVO94pL1RKzL1sCxBxnmzvJFPb/8Y+6FXMh+Mim4DP8B2RaJMLpmqCv+76N/5+527SZ6gn9i2Klg6q0kD9RzJv40qHq/NYLCa24tpcZDt7eB0EOgqLsKUmtX2LrQjjnN3NzjAevJGKQ5ypnb7xygjft2KrpvlR1hMnZ0XpSLDTNR1AmImxE24JtDaJKzwXbptr2IZvm1UFkNslxdqHPjN+N8+MSSLhqHy/FdcY2ADvsTX1jtjnjkb+9E30QOeCiFPKSmWtSGiQ9sPcQna1yr717Vk0EiNSAWDQ2fMZyJUgBXG6w3wiZbxfJmxvshLPs5KguF9NHER+Seps1QiE0p16c0IS/0Y24UYrK2GyUIcSReGufjxUFGTJHFSsNANac34H/RTs7BkoZ,iv:8WzTRaXVeH5GKmigMVTLVBnhy6nXZnTZHLAYHcqDs2s=,tag:jTdgz0gmruMWWDBQ3h70vw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByclhsVmM1TTVCY1ljcmxz
TkNMQnhUMGsvWlQyTkZtQ1RDTjhoYVBhOWlFCk9ERUdvaTNBQ1QwamtleTJPbUo4
dkpYYjVSR1J0UkJML3RtUlRXNEsvTFUKLS0tIHNTdEFGL01vYStRaVVmWFZySWZM
MzEvb2IvZUZwSTgrL282VU9WUVpGNEUKFg1INcr/YbkmV6/F/4hWbTXj3PCscAMY
dlr4Pii9Tbhn39yOXyzt3DF+XivkdMsG7fQTHSYdvzMAnvEJ1CLOtA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-26T01:21:16Z"
mac: ENC[AES256_GCM,data:ENLJIlcUXLEt+vXp/F2YATUZrc9ZjaE4AWwvG280etdsufEw/vGAWBhG2KT+CkcZLaJ4ctVvNlJEqU/pRzae+m/43SV3GNAG+jjT2VmNm0NyNYN27bpsj4tq11D27LPn7CkfBUB0gnmGJXVKalxhFkHBf+eq3ted8dPIv9YNRt8=,iv:Yfz7scjN3qDY9lV1SYOqrejiEwf4dVSPJhiFRJyFPio=,tag:SOw4Nhx6wwYIisRJl0SSRA==,type:str]
pgp:
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=rUJB
-----END PGP MESSAGE-----
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=Edso
-----END PGP MESSAGE-----
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=X/V9
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=q5Tx
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=rthq
-----END PGP MESSAGE-----
fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=p4B8
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=hag6
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=ALYc
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=Xjqf
-----END PGP MESSAGE-----
fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdAEZMgepQuERqKK4S8uiXmIYIRdeN5swy6S4hmzdL3yj8w
E45ScSNMVsvKD3pQq8EqxTFPb5pQ+2LfpP8gbbhYoDomGDm4tcbr8pyH3AXXoFwl
0lwBFFDJa1GSmHSgnJqrIaqmOZJgBE5t3IEIiDQksVjV7KTwPMwoU+wx42AAU/dS
hjxQwPAfpwO9mH6FN4JC8OTVSU1VfWLCO4e8HroG44c2gOxFfnflaMjaXuIsDA==
=kkiD
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
- created_at: "2024-05-26T01:20:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=yfan
-----END PGP MESSAGE-----
fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
unencrypted_suffix: _unencrypted
version: 3.8.1
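Review bot: `spaceapid_config_ccchh_credentials` is encrypted to one `age` recipient and eleven PGP keys (the `fp:` entries), and every one of those keys can decrypt the credentials; confirm the list matches the intended creation rule for this host and run `sops updatekeys` when a key is retired, since the MAC in `mac:` only protects integrity, not who can read the file.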


@ -0,0 +1,7 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}
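Review bot: only `defaultSopsFile = ./secrets.yaml;` is set, with no `sops.age.keyFile` or `sops.age.sshKeyPaths`, so sops-nix falls back to the host's ed25519 SSH host key for decryption; make sure the single `age` recipient in `secrets.yaml` was derived from that host key, otherwise activation fails when it cannot decrypt the spaceapid secret.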


@ -4,27 +4,7 @@
"temperature": [ "temperature": [
{ {
"sensor_data": { "sensor_data": {
"unit": "C", "unit": "°C",
"location": "Hauptraum",
"description": "Sensor im Hauptraum"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "C",
"location": "Loetschlauch",
"description": "Sensor im Lötschlauch (Teil der Werkstatt)"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "C",
"location": "Innenhof", "location": "Innenhof",
"description": "Sensor im Innenhof (erreichbar durch das Flurfenster)" "description": "Sensor im Innenhof (erreichbar durch das Flurfenster)"
}, },
@ -34,26 +14,6 @@
} }
], ],
"humidity": [ "humidity": [
{
"sensor_data": {
"unit": "%",
"location": "Hauptraum",
"description": "Sensor im Hauptraum"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "%",
"location": "Loetschlauch",
"description": "Sensor im Lötschlauch (Teil der Werkstatt)"
},
"allowed_credentials": [
"club-assistant"
]
},
{ {
"sensor_data": { "sensor_data": {
"unit": "%", "unit": "%",
@ -64,6 +24,54 @@
"club-assistant" "club-assistant"
] ]
} }
],
"ext_3d_printer_busy_state": [
{
"sensor_data": {
"unit": "bool",
"location": "Loetschlauch",
"name": "mk4",
"description": "Prusa mk4 busy state"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "bool",
"location": "Loetschlauch",
"name": "mk3.5",
"description": "Prusa mk3.5 busy state"
},
"allowed_credentials": [
"club-assistant"
]
}
],
"ext_3d_printer_minutes_remaining": [
{
"sensor_data": {
"unit": "minutes_remaining",
"location": "Loetschlauch",
"name": "mk4",
"description": "Prusa mk4 minutes remaining"
},
"allowed_credentials": [
"club-assistant"
]
},
{
"sensor_data": {
"unit": "minutes_remaining",
"location": "Loetschlauch",
"name": "mk3.5",
"description": "Prusa mk3.5 minutes remaining"
},
"allowed_credentials": [
"club-assistant"
]
}
] ]
}, },
"state": { "state": {


@ -4,7 +4,7 @@
"14" "14"
], ],
"space": "CCCHH", "space": "CCCHH",
"logo": "https://next.hamburg.ccc.de/images/logo.svg", "logo": "https://hamburg.ccc.de/images/logo.svg",
"ext_ccc": "erfa", "ext_ccc": "erfa",
"url": "https://hamburg.ccc.de/", "url": "https://hamburg.ccc.de/",
"location": { "location": {
@ -33,7 +33,7 @@
"links": [ "links": [
{ {
"name": "Wiki", "name": "Wiki",
"url": "https://wiki.ccchh.net" "url": "https://wiki.hamburg.ccc.de"
}, },
{ {
"name": "Git (Forgejo)", "name": "Git (Forgejo)",


@ -1,17 +1,22 @@
{ pkgs, ... }: { pkgs, ... }:
let let
spaceapidSrc = builtins.fetchGit { version = "v0.1.0";
spaceapidSrc = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/spaceapid.git"; url = "https://git.hamburg.ccc.de/CCCHH/spaceapid.git";
ref = "main"; rev = version;
rev = "cf9678d7126e1951f9e4aabaa30d7350eb76973b"; hash = "sha256-2SDhliltzyydPPZdNn/htDydiK/SHQcYyG/dQ0EyFrY=";
}; };
spaceapid = pkgs.buildGoModule { spaceapid = pkgs.buildGoModule rec {
pname = "spaceapid"; pname = "spaceapid";
version = "main"; inherit version;
src = spaceapidSrc; src = spaceapidSrc;
ldflags = [
"-X main.version=${version}"
];
# Since spaceapid doesn't have any dependencies, we can set this to null and # Since spaceapid doesn't have any dependencies, we can set this to null and
# use the nonexistend vendored dependencies. # use the nonexistend vendored dependencies.
vendorHash = null; vendorHash = null;
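Review bot: the comment kept at `# use the nonexistend vendored dependencies.` still carries the typo; make it `nonexistent` while this block is being touched. `rec` on `pkgs.buildGoModule rec {` is also redundant now that `version` comes from the `let` binding and is only `inherit`ed.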
@ -34,7 +39,7 @@ in
After = [ "network.target" "network-online.target" ]; After = [ "network.target" "network-online.target" ];
}; };
serviceConfig = { serviceConfig = {
ExecStart = "${spaceapid}/bin/spaceapid -c ${spaceapidConfigResponse},${spaceapidConfigDynamic},/secrets/spaceapid-config-ccchh-credentials.secret"; ExecStart = "${spaceapid}/bin/spaceapid -c ${spaceapidConfigResponse},${spaceapidConfigDynamic},/run/secrets/spaceapid_config_ccchh_credentials";
User = "spaceapi"; User = "spaceapi";
Group = "spaceapi"; Group = "spaceapi";
Restart = "on-failure"; Restart = "on-failure";
@ -43,14 +48,10 @@ in
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
}; };
deployment.keys = { sops.secrets."spaceapid_config_ccchh_credentials" = {
"spaceapid-config-ccchh-credentials.secret" = { mode = "0440";
keyCommand = [ "pass" "noc/vm-secrets/chaosknoten/public-web-static/spaceapid-config-ccchh-credentials" ]; owner = "spaceapi";
destDir = "/secrets"; group = "spaceapi";
user = "spaceapi"; restartUnits = [ "spaceapid.service" ];
group = "spaceapi";
permissions = "0640";
uploadAt = "pre-activation";
};
}; };
} }


@ -1,10 +1,19 @@
{ pkgs, ... }: { pkgs, ... }:
{ let
domain = "c3cat.de";
dataDir = "/var/www/${domain}";
deployUser = "c3cat-website-deploy";
in {
security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"acme-c3cat.de" = { "acme-${domain}" = {
enableACME = true; enableACME = true;
serverName = "c3cat.de"; serverName = "${domain}";
serverAliases = [
"www.${domain}"
];
listen = [ listen = [
{ {
@ -14,9 +23,9 @@
]; ];
}; };
"c3cat.de" = { "$www.${domain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = "c3cat.de"; useACMEHost = "${domain}";
listen = [ listen = [
{ {
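Review bot: `"$www.${domain}" = {` has a stray `$`: Nix only interpolates `${...}`, so the attribute, and with it the nginx `server_name`, becomes the literal `$www.c3cat.de` and requests for `www.c3cat.de` never reach this redirect host. It should read `"www.${domain}" = {`.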
@ -28,7 +37,7 @@
]; ];
locations."/" = { locations."/" = {
return = "302 https://wiki.ccchh.net/club:c3cat:start"; return = "302 https://c3cat.de$request_uri";
}; };
extraConfig = '' extraConfig = ''
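Review bot: `return = "302 https://c3cat.de$request_uri";` hardcodes the domain that the rest of this file takes from `domain`; use `"302 https://${domain}$request_uri"` so the www redirect cannot drift from the main host. If the www-to-apex redirect is meant to be permanent, `301` also lets clients cache it.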
@ -42,5 +51,45 @@
real_ip_header proxy_protocol; real_ip_header proxy_protocol;
''; '';
}; };
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
}; };
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
];
};
users.groups."${deployUser}" = { };
} }


@ -5,7 +5,15 @@
./branding-resources.hamburg.ccc.de.nix ./branding-resources.hamburg.ccc.de.nix
./c3cat.de.nix ./c3cat.de.nix
./element.hamburg.ccc.de.nix ./element.hamburg.ccc.de.nix
./next.hamburg.ccc.de.nix ./hacker.tours.nix
./hackertours.hamburg.ccc.de.nix
./hamburg.ccc.de.nix
./spaceapi.hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix
./staging.c3cat.de.nix
./staging.hacker.tours.nix
./staging.hackertours.hamburg.ccc.de.nix
./staging.hamburg.ccc.de.nix
./www.hamburg.ccc.de.nix
./historic-easterhegg
]; ];
} }


@ -49,7 +49,7 @@
"auth_header_logo_url": "https://branding-resources.hamburg.ccc.de/logo/ccchh-logo-no-background.png", "auth_header_logo_url": "https://branding-resources.hamburg.ccc.de/logo/ccchh-logo-no-background.png",
"auth_footer_links": [ "auth_footer_links": [
{ "text": "Website", "url": "https://hamburg.ccc.de/" }, { "text": "Website", "url": "https://hamburg.ccc.de/" },
{ "text": "Wiki", "url": "https://wiki.ccchh.net/" }, { "text": "Wiki", "url": "https://wiki.hamburg.ccc.de/" },
{ "text": "Status", "url": "https://status.ccchh.net/status/main" } { "text": "Status", "url": "https://status.ccchh.net/status/main" }
] ]
} }


@ -1,9 +1,10 @@
{ pkgs, ... }: { pkgs, ... }:
let let
elementWebVersion = "1.11.84";
element-web = pkgs.fetchzip { element-web = pkgs.fetchzip {
url = "https://github.com/vector-im/element-web/releases/download/v1.11.45/element-v1.11.45.tar.gz"; url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
sha256 = "sha256-nwRsBIF9vcHZkyVsLA2sU2cmuzALEIIOcWQRGfd+5xs="; sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4=";
}; };
elementSecurityHeaders = '' elementSecurityHeaders = ''
# Configuration best practices # Configuration best practices


@ -0,0 +1,64 @@
{ pkgs, ... }:
let
domain = "hacker.tours";
dataDir = "/var/www/${domain}";
deployUser = "hackertours-website-deploy";
in
{
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrDTANfPMkcf+V7zkypzaeX2fxkfStPHmZKqC29xyqy deploy key for hacker.tours"
];
};
users.groups."${deployUser}" = { };
}
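Review bot: `users.users."${deployUser}"` gets a full interactive login through the key in `openssh.authorizedKeys.keys`, although the account only needs to write to `${dataDir}`; prefix the key with `restrict,command="..."` (for example rsync's `rrsync` helper limited to the data directory) so a leaked deploy key cannot be used for anything else on this host. Minor: `{ pkgs, ... }:` is unused in this file and `root = "${dataDir}";` can be `root = dataDir;`.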


@ -0,0 +1,69 @@
{ pkgs, ... }:
let
domain = "hackertours.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "ht-ccchh-website-deploy";
in
{
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
port_in_redirect off;
rewrite ^/(de|en)/tours$ /$1/37c3 redirect;
rewrite ^/(de|en)/tours/(.*)$ /$1/37c3/$2 redirect;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxMnllgRD6W85IQ0WrVJSwr7dKM8PLNK4pmGaJRu0OR deploy key for hackertours.hamburg.ccc.de"
];
};
users.groups."${deployUser}" = { };
}
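Review bot: `rewrite ^/(de|en)/tours$ /$1/37c3 redirect;` and the line after it issue temporary (302) redirects; if the move of `/tours` to `/37c3` is permanent, `permanent` (301) lets clients and crawlers cache it. As in the sibling file, `{ pkgs, ... }:` is unused here.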


@ -0,0 +1,111 @@
{ pkgs, ... }:
{
services.nginx.virtualHosts = {
"acme-hamburg.ccc.de" = {
enableACME = true;
serverName = "hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "/var/www/hamburg.ccc.de/";
# Redirect the old spaceapi endpoint to the new one.
locations."/dooris/status.json" = {
return = "302 https://spaceapi.hamburg.ccc.de/";
};
# Add .well-known/matrix stuff for Matrix to work.
locations."/.well-known/matrix/server" = {
return = "200 '{\"m.server\": \"matrix.hamburg.ccc.de:443\"}'";
extraConfig = ''
add_header Content-Type application/json;
'';
};
locations."/.well-known/matrix/client" = {
return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.hamburg.ccc.de\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}}'";
extraConfig = ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
'';
};
# Redirect pages starting with 4 digits for redirecting the old blog
# article URLs.
# We want to redirect /yyyy/mm/dd/slug to /blog/yyyy/mm/dd/slug, but we
# just match the first 4 digits for simplicity.
locations."~ \"^/[\\d]{4}\"" = {
return = "302 https://$host/blog$request_uri";
};
# Redirect pages, which previously lived on the old website, to their
# successors in the wiki.
locations."/club/satzung" = {
return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:satzung";
};
locations."/club/hausordnung" = {
return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:hausordnung";
};
locations."/club/vertrauenspersonen" = {
return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:vertrauenspersonen";
};
locations."/club/beitragsordnung" = {
return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:beitragsordnung";
};
locations."/club/mitgliedschaft" = {
return = "302 https://wiki.hamburg.ccc.de/verein:offizielles:foemi-formular";
};
locations."/club/geschichte" = {
return = "302 https://wiki.hamburg.ccc.de/club:geschichte";
};
# Redirect old feed location.
locations."/feed.xml" = {
return = "302 https://$host/blog/index.xml";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
port_in_redirect off;
'';
};
};
users.users.ccchh-website-deploy = {
isNormalUser = true;
group = "ccchh-website-deploy";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb ccchh website deployment key"
];
};
users.groups.ccchh-website-deploy = { };
}
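Review bot: in `locations."/.well-known/matrix/server"` the `add_header Content-Type application/json;` appends a second Content-Type header next to the one nginx derives from `default_type` for a `return 200 '...'` response; use `default_type application/json;` as the `/.well-known/matrix/client` location already does. Also, unlike the other virtual host files, nothing here creates `/var/www/hamburg.ccc.de/` for `ccchh-website-deploy`; add a matching `systemd.tmpfiles.rules` entry so the deploy user can actually write the site.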


@ -0,0 +1,12 @@
{ ... }:
{
imports = [
./eh03.nix
./eh05.nix
./eh07.nix
./eh09.nix
./eh11.nix
./eh20.nix
];
}


@ -0,0 +1,101 @@
{ pkgs, ... }:
let
eh03 = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2003-website.git";
rev = "74977c56486cd060566bf06678a936e801952f9e";
hash = "sha256-ded/NO+Jex2Sa4yWAIRpqANsv8i0vKmJSkM5r9KxaVk=";
};
in
{
security.acme.certs."eh03.easterhegg.eu".extraDomainNames = [
"eh2003.hamburg.ccc.de"
"www.eh2003.hamburg.ccc.de"
"easterhegg2003.hamburg.ccc.de"
"www.easterhegg2003.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-eh03.easterhegg.eu" = {
enableACME = true;
serverName = "eh03.easterhegg.eu";
serverAliases = [
"eh2003.hamburg.ccc.de"
"www.eh2003.hamburg.ccc.de"
"easterhegg2003.hamburg.ccc.de"
"www.easterhegg2003.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2003.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "eh03.easterhegg.eu";
serverAliases = [
"eh2003.hamburg.ccc.de"
"www.eh2003.hamburg.ccc.de"
"www.easterhegg2003.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh03.easterhegg.eu";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"eh03.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh03.easterhegg.eu";
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.html";
root = eh03;
extraConfig = ''
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;
'';
};
extraConfig = ''
set $chosen_lang "de";
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
# Enable SSI
ssi on;
'';
};
};
}
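Review bot: `ssi on;` is set both in `locations."/"` and in the server-level `extraConfig`; one is enough. Because `root = eh03` points at a pinned revision in the Nix store, nothing can modify the served files at runtime, which is what makes enabling SSI on an archived site acceptable; a comment saying so next to `ssi on` would spare the next reader that check.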


@ -0,0 +1,100 @@
{ pkgs, ... }:
let
eh05 = pkgs.fetchgit {
url = "https://git.hamburg.ccc.de/CCCHH/easterhegg-2005-website.git";
rev = "f1455aee35b6462ab5c46f3d52c47e0b200c1315";
hash = "sha256-lA4fxO05K39nosSYNfKUtSCrK+dja1yWKILqRklSNy8=";
};
in
{
security.acme.certs."eh05.easterhegg.eu".extraDomainNames = [
"eh2005.hamburg.ccc.de"
"www.eh2005.hamburg.ccc.de"
"easterhegg2005.hamburg.ccc.de"
"www.easterhegg2005.hamburg.ccc.de"
];
services.nginx.virtualHosts = {
"acme-eh05.easterhegg.eu" = {
enableACME = true;
serverName = "eh05.easterhegg.eu";
serverAliases = [
"eh2005.hamburg.ccc.de"
"www.eh2005.hamburg.ccc.de"
"easterhegg2005.hamburg.ccc.de"
"www.easterhegg2005.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2005.hamburg.ccc.de" = {
forceSSL = true;
useACMEHost = "eh05.easterhegg.eu";
serverAliases = [
"eh2005.hamburg.ccc.de"
"www.eh2005.hamburg.ccc.de"
"www.easterhegg2005.hamburg.ccc.de"
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh05.easterhegg.eu";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
"eh05.easterhegg.eu" = {
forceSSL = true;
useACMEHost = "eh05.easterhegg.eu";
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.shtml";
root = eh05;
extraConfig = ''
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;
'';
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
# Enable SSI
ssi on;
'';
};
};
}
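Review bot: `locations."/".return = "302 https://eh05.easterhegg.eu";` drops the requested path, so old deep links on `easterhegg2005.hamburg.ccc.de` all land on the front page; append `$request_uri` if those links should keep working (the same applies to the eh03 file).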

Some files were not shown because too many files have changed in this diff.