Merge pull request 'style: check formatting using nixpkgs standard and fail early in CI to enforce it' (#183) from ci/check-formatting into main

Reviewed-on: pub-solar/infra#183
Reviewed-by: b12f <b12f@noreply.git.pub.solar>
teutat3s 2024-05-08 21:00:50 +00:00
commit 599e69fcaf
Signed by: pub.solar gitea
GPG key ID: F0332B04B7054873
76 changed files with 974 additions and 1319 deletions


@ -46,6 +46,10 @@ jobs:
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
useDaemon: false useDaemon: false
- name: Check formatting
run: |
nix --accept-flake-config --access-tokens '' develop --command treefmt --fail-on-change
- name: Run flake checks - name: Run flake checks
run: | run: |
# Prevent cache garbage collection by creating GC roots # Prevent cache garbage collection by creating GC roots
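Review bot: The new `Check formatting` step runs `nix --accept-flake-config ... develop --command treefmt --fail-on-change`, and `--accept-flake-config` applies whatever `nixConfig` (extra substituters, trusted public keys) the checked-out flake declares without prompting; if this workflow is also triggered by pull requests from untrusted forks, a PR can change that config and have the job fetch from a substituter the PR author controls. The surrounding steps are outside this hunk, so if they already pass the same flag this step does not widen the exposure, but the formatting check only needs the dev shell and could run without it, or the job could be restricted to trusted branches. `--access-tokens ''` does correctly keep any configured tokens out of this invocation. A one-line comment above the step would also help future readers: `# Fails the job if treefmt would rewrite any file; run \`treefmt\` locally before pushing`.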


@ -1,9 +1,12 @@
# Process for handling a deletion request # Process for handling a deletion request
### Keycloak ### Keycloak
Required: Required:
- auth.pub.solar ops user credentials - auth.pub.solar ops user credentials
- SSH access to host nachtigall - SSH access to host nachtigall
``` ```
ssh barkeeper@nachtigall.pub.solar ssh barkeeper@nachtigall.pub.solar
@ -20,8 +23,8 @@ sudo --user keycloak kcadm.sh update --config /tmp/kcadm.config users/2ec6f173-3
Docs: https://www.keycloak.org/docs/latest/server_admin/index.html#updating-a-user Docs: https://www.keycloak.org/docs/latest/server_admin/index.html#updating-a-user
### Nextcloud ### Nextcloud
``` ```
ssh barkeeper@nachtigall.pub.solar ssh barkeeper@nachtigall.pub.solar
nextcloud-occ user:delete <username> nextcloud-occ user:delete <username>
@ -29,8 +32,8 @@ nextcloud-occ user:delete <username>
Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#user-commands-label Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#user-commands-label
### Mastodon ### Mastodon
``` ```
ssh barkeeper@nachtigall.pub.solar ssh barkeeper@nachtigall.pub.solar
sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address> sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
@ -38,8 +41,8 @@ sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete
### Forgejo ### Forgejo
``` ```
ssh barkeeper@nachtigall.pub.solar ssh barkeeper@nachtigall.pub.solar
sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.ini --purge --email <mail-address> sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.ini --purge --email <mail-address>
@ -47,8 +50,8 @@ sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.
Docs: https://forgejo.org/docs/latest/admin/command-line/#delete Docs: https://forgejo.org/docs/latest/admin/command-line/#delete
### Matrix ### Matrix
``` ```
ssh bartender@matrix.pub.solar -p 2020 ssh bartender@matrix.pub.solar -p 2020
curl --header "Authorization: Bearer <admin-access-token>" --request POST http://172.18.0.3:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}' curl --header "Authorization: Bearer <admin-access-token>" --request POST http://172.18.0.3:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}'
@ -56,6 +59,6 @@ curl --header "Authorization: Bearer <admin-access-token>" --request POST http:/
Docs: https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#deactivate-account Docs: https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#deactivate-account
### OpenBikeSensor ### OpenBikeSensor
Not implemented, see: https://github.com/openbikesensor/portal/issues/95 Not implemented, see: https://github.com/openbikesensor/portal/issues/95


@ -8,11 +8,13 @@ To deploy, make sure you have a [working development shell](./development-shell.
Then, run `deploy-rs` with the hostname of the server you want to deploy: Then, run `deploy-rs` with the hostname of the server you want to deploy:
For nachtigall.pub.solar: For nachtigall.pub.solar:
``` ```
deploy --targets '.#nachtigall' --magic-rollback false --auto-rollback false deploy --targets '.#nachtigall' --magic-rollback false --auto-rollback false
``` ```
For flora-6.pub.solar: For flora-6.pub.solar:
``` ```
deploy --targets '.#flora-6' --magic-rollback false --auto-rollback false deploy --targets '.#flora-6' --magic-rollback false --auto-rollback false
``` ```
@ -29,4 +31,5 @@ to enable switching to the new config quickly at a later moment.
You'll need to have SSH Access to the boxes to be able to run `deploy`. You'll need to have SSH Access to the boxes to be able to run `deploy`.
### Getting SSH access ### Getting SSH access
See [administrative-access.md](./administrative-access.md). See [administrative-access.md](./administrative-access.md).


@ -15,12 +15,15 @@ Please follow https://docs.greenbaum.cloud/en/devops/triton-cli.html for the det
You will need to setup the following [namecheap API credentials](https://www.namecheap.com/support/api/intro), You will need to setup the following [namecheap API credentials](https://www.namecheap.com/support/api/intro),
look for "namecheap API key" in the pub.solar Keepass database. look for "namecheap API key" in the pub.solar Keepass database.
``` ```
NAMECHEAP_API_KEY NAMECHEAP_API_KEY
NAMECHEAP_API_USER NAMECHEAP_API_USER
NAMECHEAP_USER_NAME NAMECHEAP_USER_NAME
``` ```
You will probably also need to add your external IP to the [API allow list](https://ap.www.namecheap.com/settings/tools/apiaccess/whitelisted-ips). You will probably also need to add your external IP to the [API allow list](https://ap.www.namecheap.com/settings/tools/apiaccess/whitelisted-ips).
``` ```
dig -4 ip @dns.toys dig -4 ip @dns.toys
``` ```
@ -35,16 +38,19 @@ terraform init
``` ```
Make your changes, e.g. in `dns.tf`. Make your changes, e.g. in `dns.tf`.
``` ```
$EDITOR dns.tf $EDITOR dns.tf
``` ```
Plan your changes using: Plan your changes using:
``` ```
terraform plan -out pub-solar-infra.plan terraform plan -out pub-solar-infra.plan
``` ```
After verification, apply your changes with: After verification, apply your changes with:
``` ```
terraform apply "pub-solar-infra.plan" terraform apply "pub-solar-infra.plan"
``` ```
@ -52,7 +58,9 @@ terraform apply "pub-solar-infra.plan"
### Useful links ### Useful links
We use the Manta remote backend to save the terraform state for collaboration. We use the Manta remote backend to save the terraform state for collaboration.
- https://www.terraform.io/language/v1.2.x/settings/backends/manta - https://www.terraform.io/language/v1.2.x/settings/backends/manta
Namecheap Terraform provider docs: Namecheap Terraform provider docs:
- https://registry.terraform.io/providers/namecheap/namecheap/latest/docs - https://registry.terraform.io/providers/namecheap/namecheap/latest/docs


@ -1,9 +1,12 @@
# Process for getting a list of email addresses of all keycloak users # Process for getting a list of email addresses of all keycloak users
### Keycloak ### Keycloak
Required: Required:
- auth.pub.solar ops user credentials - auth.pub.solar ops user credentials
- SSH access to host nachtigall - SSH access to host nachtigall
``` ```
ssh barkeeper@nachtigall.pub.solar ssh barkeeper@nachtigall.pub.solar


@ -1,9 +1,12 @@
# Process for resetting keycloak user passwords # Process for resetting keycloak user passwords
### Keycloak ### Keycloak
Required: Required:
- auth.pub.solar ops user credentials - auth.pub.solar ops user credentials
- SSH access to host nachtigall - SSH access to host nachtigall
``` ```
ssh barkeeper@nachtigall.pub.solar ssh barkeeper@nachtigall.pub.solar


@ -1,9 +1,12 @@
# Process for updating a keycloak realm via CLI # Process for updating a keycloak realm via CLI
### Keycloak ### Keycloak
Required: Required:
- auth.pub.solar ops user credentials - auth.pub.solar ops user credentials
- SSH access to host nachtigall - SSH access to host nachtigall
``` ```
ssh barkeeper@nachtigall.pub.solar ssh barkeeper@nachtigall.pub.solar


@ -24,6 +24,7 @@ deploy --targets '.#nachtigall'
``` ```
Then, finalize the update by running the database migration script: Then, finalize the update by running the database migration script:
``` ```
ssh barkeeper@nachtigall.pub.solar ssh barkeeper@nachtigall.pub.solar
docker exec -it mediawiki bash docker exec -it mediawiki bash


@ -1,10 +1,10 @@
# OpenBikeSensor Portal # OpenBikeSensor Portal
## Docker Containers ## Docker Containers
* portal
* worker
* db
- portal
- worker
- db
## Run database migrations ## Run database migrations


@ -1,3 +1 @@
# Reverting to an old version # Reverting to an old version


@ -40,9 +40,13 @@
element-stickers.inputs.nixpkgs.follows = "nixpkgs"; element-stickers.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = inputs@{ self, ... }: outputs =
inputs@{ self, ... }:
inputs.flake-parts.lib.mkFlake { inherit inputs; } { inputs.flake-parts.lib.mkFlake { inherit inputs; } {
systems = [ "x86_64-linux" "aarch64-linux" ]; systems = [
"x86_64-linux"
"aarch64-linux"
];
imports = [ imports = [
inputs.nixos-flake.flakeModule inputs.nixos-flake.flakeModule
@ -52,14 +56,19 @@
./hosts ./hosts
]; ];
perSystem = { system, pkgs, config, ... }: { perSystem =
{
system,
pkgs,
config,
...
}:
{
_module.args = { _module.args = {
inherit inputs; inherit inputs;
pkgs = import inputs.nixpkgs { pkgs = import inputs.nixpkgs {
inherit system; inherit system;
overlays = [ overlays = [ inputs.agenix.overlays.default ];
inputs.agenix.overlays.default
];
}; };
unstable = import inputs.unstable { inherit system; }; unstable = import inputs.unstable { inherit system; };
master = import inputs.master { inherit system; }; master = import inputs.master { inherit system; };
@ -92,19 +101,15 @@
inherit username; inherit username;
nixosModules = builtins.listToAttrs ( nixosModules = builtins.listToAttrs (
map map (x: {
(x: {
name = x; name = x;
value = import (./modules + "/${x}"); value = import (./modules + "/${x}");
}) }) (builtins.attrNames (builtins.readDir ./modules))
(builtins.attrNames (builtins.readDir ./modules))
); );
checks = builtins.mapAttrs checks = builtins.mapAttrs (
(
system: deployLib: deployLib.deployChecks self.deploy system: deployLib: deployLib.deployChecks self.deploy
) ) inputs.deploy-rs.lib;
inputs.deploy-rs.lib;
formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style; formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style;


@ -1,8 +1,9 @@
{ config {
, lib config,
, pkgs lib,
, flake pkgs,
, ... flake,
...
}: }:
let let
psCfg = config.pub-solar; psCfg = config.pub-solar;


@ -1,8 +1,7 @@
{ ... }: { ... }:
{ {
imports = imports = [
[
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./configuration.nix ./configuration.nix


@ -1,15 +1,23 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config {
, lib config,
, pkgs lib,
, modulesPath pkgs,
, ... modulesPath,
}: { ...
}:
{
imports = [ ]; imports = [ ];
boot.initrd.availableKernelModules = [ "ahci" "virtio_pci" "xhci_pci" "sr_mod" "virtio_blk" ]; boot.initrd.availableKernelModules = [
"ahci"
"virtio_pci"
"xhci_pci"
"sr_mod"
"virtio_blk"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];


@ -1,7 +1,5 @@
{ pkgs { pkgs, flake, ... }:
, flake {
, ...
}: {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
flake.inputs.triton-vmtools.packages.${pkgs.system}.default flake.inputs.triton-vmtools.packages.${pkgs.system}.default
]; ];


@ -2,7 +2,8 @@
config, config,
pkgs, pkgs,
flake, flake,
... }: ...
}:
{ {
networking.firewall.allowedUDPPorts = [ 51820 ]; networking.firewall.allowedUDPPorts = [ 51820 ];
@ -18,10 +19,14 @@
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [ peers = flake.self.logins.admins.wireguardDevices ++ [
{ # nachtigall.pub.solar {
# nachtigall.pub.solar
endpoint = "138.201.80.102:51820"; endpoint = "138.201.80.102:51820";
publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk="; publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
allowedIPs = [ "10.7.6.1/32" "fd00:fae:fae:fae:fae:1::/96" ]; allowedIPs = [
"10.7.6.1/32"
"fd00:fae:fae:fae:fae:1::/96"
];
} }
]; ];
}; };


@ -1,4 +1,5 @@
{ flake, ... }: { { flake, ... }:
{
age.secrets."restic-repo-droppie" = { age.secrets."restic-repo-droppie" = {
file = "${flake.self}/secrets/restic-repo-droppie.age"; file = "${flake.self}/secrets/restic-repo-droppie.age";
mode = "400"; mode = "400";


@ -1,8 +1,10 @@
{ flake {
, config flake,
, pkgs config,
, ... pkgs,
}: { ...
}:
{
# Use GRUB2 as the boot loader. # Use GRUB2 as the boot loader.
# We don't use systemd-boot because Hetzner uses BIOS legacy boot. # We don't use systemd-boot because Hetzner uses BIOS legacy boot.
boot.loader.systemd-boot.enable = false; boot.loader.systemd-boot.enable = false;
@ -11,15 +13,11 @@
efiSupport = false; efiSupport = false;
mirroredBoots = [ mirroredBoots = [
{ {
devices = [ devices = [ "/dev/disk/by-id/nvme-SAMSUNG_MZVL21T0HCLR-00B00_S676NF0R517371" ];
"/dev/disk/by-id/nvme-SAMSUNG_MZVL21T0HCLR-00B00_S676NF0R517371"
];
path = "/boot1"; path = "/boot1";
} }
{ {
devices = [ devices = [ "/dev/disk/by-id/nvme-KXG60ZNV1T02_TOSHIBA_Z9NF704ZF9ZL" ];
"/dev/disk/by-id/nvme-KXG60ZNV1T02_TOSHIBA_Z9NF704ZF9ZL"
];
path = "/boot2"; path = "/boot2";
} }
]; ];


@ -1,8 +1,7 @@
{ flake, ... }: { flake, ... }:
{ {
imports = imports = [
[
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./configuration.nix ./configuration.nix
@ -10,6 +9,5 @@
./networking.nix ./networking.nix
./wireguard.nix ./wireguard.nix
./backups.nix ./backups.nix
]; ];
} }


@ -1,51 +1,51 @@
# Do not modify this file! It was generated by nixos-generate-config # Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: {
config,
lib,
pkgs,
modulesPath,
...
}:
{ {
imports = imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ahci" "nvme" ]; boot.initrd.availableKernelModules = [
"ahci"
"nvme"
];
boot.initrd.kernelModules = [ ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" = {
{
device = "root_pool/root"; device = "root_pool/root";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var/lib" = fileSystems."/var/lib" = {
{
device = "root_pool/data"; device = "root_pool/data";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var/lib/postgresql" = fileSystems."/var/lib/postgresql" = {
{
device = "root_pool/data/postgresql"; device = "root_pool/data/postgresql";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var/lib/docker" = fileSystems."/var/lib/docker" = {
{
device = "root_pool/data/docker"; device = "root_pool/data/docker";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/boot1" = fileSystems."/boot1" = {
{
device = "/dev/disk/by-uuid/5493-EFF5"; device = "/dev/disk/by-uuid/5493-EFF5";
fsType = "vfat"; fsType = "vfat";
}; };
fileSystems."/boot2" = fileSystems."/boot2" = {
{
device = "/dev/disk/by-uuid/5494-BA1E"; device = "/dev/disk/by-uuid/5494-BA1E";
fsType = "vfat"; fsType = "vfat";
}; };


@ -2,7 +2,8 @@
config, config,
pkgs, pkgs,
flake, flake,
... }: ...
}:
{ {
networking.hostName = "nachtigall"; networking.hostName = "nachtigall";
@ -24,5 +25,8 @@
} }
]; ];
networking.defaultGateway = "138.201.80.65"; networking.defaultGateway = "138.201.80.65";
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; }; networking.defaultGateway6 = {
address = "fe80::1";
interface = "enp35s0";
};
} }


@ -2,7 +2,8 @@
config, config,
pkgs, pkgs,
flake, flake,
... }: ...
}:
{ {
networking.firewall.allowedUDPPorts = [ 51820 ]; networking.firewall.allowedUDPPorts = [ 51820 ];
@ -18,10 +19,14 @@
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [ peers = flake.self.logins.admins.wireguardDevices ++ [
{ # flora-6.pub.solar {
# flora-6.pub.solar
endpoint = "80.71.153.210:51820"; endpoint = "80.71.153.210:51820";
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ]; allowedIPs = [
"10.7.6.2/32"
"fd00:fae:fae:fae:fae:2::/96"
];
} }
]; ];
}; };


@ -1,16 +1,16 @@
let let
lock = builtins.fromJSON (builtins.readFile builtins.path { lock = builtins.fromJSON (
builtins.readFile builtins.path {
path = ../../flake.lock; path = ../../flake.lock;
name = "lockPath"; name = "lockPath";
}); }
);
flake = flake =
import import
( (fetchTarball {
fetchTarball {
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz"; url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash; sha256 = lock.nodes.flake-compat.locked.narHash;
} })
)
{ {
src = builtins.path { src = builtins.path {
path = ../../.; path = ../../.;


@ -1,4 +1,10 @@
{ self, lib, inputs, ... }: { {
self,
lib,
inputs,
...
}:
{
# Configuration common to all Linux systems # Configuration common to all Linux systems
flake = { flake = {
lib = lib =


@ -1,8 +1,8 @@
/* /*
* The contents of this file are adapted from digga The contents of this file are adapted from digga
* https://github.com/divnix/digga https://github.com/divnix/digga
*
* Licensed under the MIT license Licensed under the MIT license
*/ */
{ lib, inputs }: { lib, inputs }:
@ -14,21 +14,26 @@ let
inherit system; inherit system;
overlays = [ overlays = [
inputs.deploy-rs.overlay inputs.deploy-rs.overlay
(self: super: { deploy-rs = { inherit (pkgs) deploy-rs; lib = super.deploy-rs.lib; }; }) (self: super: {
deploy-rs = {
inherit (pkgs) deploy-rs;
lib = super.deploy-rs.lib;
};
})
]; ];
}; };
getFqdn = c: getFqdn =
c:
let let
net = c.config.networking; net = c.config.networking;
fqdn = fqdn =
if (net ? domain) && (net.domain != null) if (net ? domain) && (net.domain != null) then "${net.hostName}.${net.domain}" else net.hostName;
then "${net.hostName}.${net.domain}"
else net.hostName;
in in
fqdn; fqdn;
in in
{ {
mkDeployNodes = systemConfigurations: extraConfig: mkDeployNodes =
systemConfigurations: extraConfig:
/* /*
* *
Synopsis: mkNodes _systemConfigurations_ _extraConfig_ Synopsis: mkNodes _systemConfigurations_ _extraConfig_
@ -59,17 +64,11 @@ in
``` ```
* *
*/ */
lib.recursiveUpdate lib.recursiveUpdate (lib.mapAttrs (_: c: {
(lib.mapAttrs
(
_: c: {
hostname = getFqdn c; hostname = getFqdn c;
profiles.system = { profiles.system = {
user = "root"; user = "root";
path = deployPkgs.deploy-rs.lib.activate.nixos c; path = deployPkgs.deploy-rs.lib.activate.nixos c;
}; };
} }) systemConfigurations) extraConfig;
)
systemConfigurations)
extraConfig;
} }


@ -10,7 +10,10 @@
{ {
# tuxnix # tuxnix
publicKey = "fTvULvdsc92binFaBV+uWwFi33bi8InShcaPnoxUZEA="; publicKey = "fTvULvdsc92binFaBV+uWwFi33bi8InShcaPnoxUZEA=";
allowedIPs = [ "10.7.6.203/32" "fd00:fae:fae:fae:fae:203::/96" ]; allowedIPs = [
"10.7.6.203/32"
"fd00:fae:fae:fae:fae:203::/96"
];
} }
]; ];
}; };
@ -27,9 +30,13 @@
} // sshPubKeys; } // sshPubKeys;
wireguardDevices = [ wireguardDevices = [
{ # stroopwafel {
# stroopwafel
publicKey = "NNb7T8Jmn+V2dTZ8T6Fcq7hGomHGDckKoV3kK2oAhSE="; publicKey = "NNb7T8Jmn+V2dTZ8T6Fcq7hGomHGDckKoV3kK2oAhSE=";
allowedIPs = [ "10.7.6.200/32" "fd00:fae:fae:fae:fae:200::/96" ]; allowedIPs = [
"10.7.6.200/32"
"fd00:fae:fae:fae:fae:200::/96"
];
} }
]; ];
}; };
@ -42,9 +49,13 @@
secretEncryptionKeys = sshPubKeys; secretEncryptionKeys = sshPubKeys;
wireguardDevices = [ wireguardDevices = [
{ # judy {
# judy
publicKey = "I+gN7v1VXkAGoSir6L8aebtLbguvy5nAx1QVDTzdckk="; publicKey = "I+gN7v1VXkAGoSir6L8aebtLbguvy5nAx1QVDTzdckk=";
allowedIPs = [ "10.7.6.202/32" "fd00:fae:fae:fae:fae:202::/96" ]; allowedIPs = [
"10.7.6.202/32"
"fd00:fae:fae:fae:fae:202::/96"
];
} }
]; ];
}; };
@ -59,13 +70,21 @@
}; };
wireguardDevices = [ wireguardDevices = [
{ # dumpyourvms {
# dumpyourvms
publicKey = "3UrVLQrwXnPAVXPiTAd7eM3fZYxnFSYgKAGpNMUwnUk="; publicKey = "3UrVLQrwXnPAVXPiTAd7eM3fZYxnFSYgKAGpNMUwnUk=";
allowedIPs = [ "10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96" ]; allowedIPs = [
"10.7.6.201/32"
"fd00:fae:fae:fae:fae:201::/96"
];
} }
{ # ryzensun {
# ryzensun
publicKey = "oVF2/s7eIxyVjtG0MhKPx5SZ1JllZg+ZFVF2eVYtPGo="; publicKey = "oVF2/s7eIxyVjtG0MhKPx5SZ1JllZg+ZFVF2eVYtPGo=";
allowedIPs = [ "10.7.6.204/32" "fd00:fae:fae:fae:fae:204::/96" ]; allowedIPs = [
"10.7.6.204/32"
"fd00:fae:fae:fae:fae:204::/96"
];
} }
]; ];
}; };


@ -1,13 +1,24 @@
{ lib, ... }: let { lib, ... }:
let
admins = import ./admins.nix; admins = import ./admins.nix;
robots = import ./robots.nix; robots = import ./robots.nix;
in { in
{
flake = { flake = {
logins = { logins = {
admins = lib.lists.foldl (logins: adminConfig: { admins =
lib.lists.foldl
(logins: adminConfig: {
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys); sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
wireguardDevices = logins.wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else []); wireguardDevices =
}) { sshPubKeys = []; wireguardDevices = []; } (lib.attrsets.attrValues admins); logins.wireguardDevices
++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
})
{
sshPubKeys = [ ];
wireguardDevices = [ ];
}
(lib.attrsets.attrValues admins);
robots.sshPubKeys = lib.attrsets.attrValues robots; robots.sshPubKeys = lib.attrsets.attrValues robots;
}; };
}; };


@ -1,8 +1,9 @@
{ config {
, lib config,
, pkgs lib,
, flake pkgs,
, ... flake,
...
}: }:
{ {
services.caddy = { services.caddy = {
@ -14,5 +15,8 @@
grace_period 60s grace_period 60s
''; '';
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [
80
443
];
} }


@ -1,9 +1,11 @@
{ config {
, lib config,
, pkgs lib,
, self pkgs,
, ... self,
}: { ...
}:
{
services.nginx.virtualHosts."collabora.${config.pub-solar-os.networking.domain}" = { services.nginx.virtualHosts."collabora.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -24,9 +26,7 @@
containers."collabora" = { containers."collabora" = {
image = "collabora/code"; image = "collabora/code";
autoStart = true; autoStart = true;
ports = [ ports = [ "127.0.0.1:9980:9980" ];
"127.0.0.1:9980:9980"
];
extraOptions = [ extraOptions = [
"--cap-add=MKNOD" "--cap-add=MKNOD"
"--pull=always" "--pull=always"


@ -1,4 +1,11 @@
{ pkgs, config, flake, lib, ... }: { {
pkgs,
config,
flake,
lib,
...
}:
{
imports = [ imports = [
./nix.nix ./nix.nix
./networking.nix ./networking.nix
@ -29,7 +36,11 @@
config = { config = {
environment = { environment = {
# Just a couple of global packages to make our lives easier # Just a couple of global packages to make our lives easier
systemPackages = with pkgs; [ git vim wget ]; systemPackages = with pkgs; [
git
vim
wget
];
}; };
# Select internationalization properties # Select internationalization properties


@ -3,7 +3,8 @@
lib, lib,
config, config,
... ...
}: { }:
{
options.pub-solar-os.networking = with lib; { options.pub-solar-os.networking = with lib; {
domain = mkOption { domain = mkOption {
description = "domain on which all services should run. This defaults to pub.solar"; description = "domain on which all services should run. This defaults to pub.solar";


@ -1,11 +1,12 @@
{ config {
, pkgs config,
, lib pkgs,
, flake lib,
, ... flake,
}: { ...
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ }:
]; {
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ ];
nix = { nix = {
# Use default version alias for nix package # Use default version alias for nix package
@ -25,7 +26,10 @@
# Prevents impurities in builds # Prevents impurities in builds
sandbox = true; sandbox = true;
# Give root and @wheel special privileges with nix # Give root and @wheel special privileges with nix
trusted-users = [ "root" "@wheel" ]; trusted-users = [
"root"
"@wheel"
];
# Allow only group wheel to connect to the nix daemon # Allow only group wheel to connect to the nix daemon
allowed-users = [ "@wheel" ]; allowed-users = [ "@wheel" ];
}; };


@ -1,4 +1,5 @@
{ flake, config, ... }: { { flake, config, ... }:
{
home-manager.users.${config.pub-solar-os.authentication.username} = { home-manager.users.${config.pub-solar-os.authentication.username} = {
programs.git.enable = true; programs.git.enable = true;
programs.starship.enable = true; programs.starship.enable = true;


@ -4,7 +4,8 @@
lib, lib,
config, config,
... ...
}: { }:
{
options.pub-solar-os.authentication = with lib; { options.pub-solar-os.authentication = with lib; {
username = mkOption { username = mkOption {
description = "Username for the adminstrative user"; description = "Username for the adminstrative user";
@ -41,7 +42,10 @@
users.users.${config.pub-solar-os.authentication.username} = { users.users.${config.pub-solar-os.authentication.username} = {
name = config.pub-solar-os.authentication.username; name = config.pub-solar-os.authentication.username;
group = config.pub-solar-os.authentication.username; group = config.pub-solar-os.authentication.username;
extraGroups = [ "wheel" "docker" ]; extraGroups = [
"wheel"
"docker"
];
isNormalUser = true; isNormalUser = true;
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys; openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
}; };
@ -63,7 +67,8 @@
users.groups.${config.pub-solar-os.authentication.robot.username} = { }; users.groups.${config.pub-solar-os.authentication.robot.username} = { };
users.users.root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword; users.users.root.initialHashedPassword =
config.pub-solar-os.authentication.root.initialHashedPassword;
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
}; };


@ -1,4 +1,9 @@
{ flake, config, lib, ... }: {
flake,
config,
lib,
...
}:
{ {
age.secrets."coturn-static-auth-secret" = { age.secrets."coturn-static-auth-secret" = {
file = "${flake.self}/secrets/coturn-static-auth-secret.age"; file = "${flake.self}/secrets/coturn-static-auth-secret.age";
@ -19,8 +24,12 @@
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = extraConfig =
let let
externalIPv4s = lib.strings.concatMapStringsSep "\n" ({ address, ... }: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv4.addresses; externalIPv4s = lib.strings.concatMapStringsSep "\n" (
externalIPv6s = lib.strings.concatMapStringsSep "\n" ({ address, ... }: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv6.addresses; { address, ... }: "external-ip=${address}"
) config.networking.interfaces.enp35s0.ipv4.addresses;
externalIPv6s = lib.strings.concatMapStringsSep "\n" (
{ address, ... }: "external-ip=${address}"
) config.networking.interfaces.enp35s0.ipv6.addresses;
in in
'' ''
${externalIPv4s} ${externalIPv4s}
@ -61,28 +70,35 @@
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
''; '';
}; };
networking.firewall = { networking.firewall = {
interfaces.enp35s0 = interfaces.enp35s0 =
let let
range = with config.services.coturn; [{ range = with config.services.coturn; [
{
from = min-port; from = min-port;
to = max-port; to = max-port;
}]; }
];
in in
{ {
allowedUDPPortRanges = range; allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 5349 ]; allowedUDPPorts = [
3478
5349
];
allowedTCPPortRanges = [ ]; allowedTCPPortRanges = [ ];
allowedTCPPorts = [ 3478 5349 ]; allowedTCPPorts = [
3478
5349
];
}; };
}; };
# get a certificate # get a certificate
security.acme.certs.${config.services.coturn.realm} = { security.acme.certs.${config.services.coturn.realm} = {
/* insert here the right configuration to obtain a certificate */ # insert here the right configuration to obtain a certificate
postRun = "systemctl restart coturn.service"; postRun = "systemctl restart coturn.service";
group = "turnserver"; group = "turnserver";
}; };


@ -1,4 +1,5 @@
{ pkgs, ... }: { { pkgs, ... }:
{
virtualisation.docker = { virtualisation.docker = {
enable = true; enable = true;
extraOptions = '' extraOptions = ''


@ -1,9 +1,11 @@
{ config {
, lib config,
, pkgs lib,
, flake pkgs,
, ... flake,
}: { ...
}:
{
age.secrets.drone-secrets = { age.secrets.drone-secrets = {
file = "${flake.self}/secrets/drone-secrets.age"; file = "${flake.self}/secrets/drone-secrets.age";
mode = "600"; mode = "600";
@ -26,9 +28,7 @@
users.groups.drone = { }; users.groups.drone = { };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [ "d '/var/lib/drone-db' 0750 drone drone - -" ];
"d '/var/lib/drone-db' 0750 drone drone - -"
];
services.caddy.virtualHosts."ci.${config.pub-solar-os.networking.domain}" = { services.caddy.virtualHosts."ci.${config.pub-solar-os.networking.domain}" = {
logFormat = lib.mkForce '' logFormat = lib.mkForce ''
@ -66,23 +66,15 @@
image = "postgres:14"; image = "postgres:14";
autoStart = true; autoStart = true;
user = "994"; user = "994";
volumes = [ volumes = [ "/var/lib/drone-db:/var/lib/postgresql/data" ];
"/var/lib/drone-db:/var/lib/postgresql/data" extraOptions = [ "--network=drone-net" ];
]; environmentFiles = [ config.age.secrets.drone-db-secrets.path ];
extraOptions = [
"--network=drone-net"
];
environmentFiles = [
config.age.secrets.drone-db-secrets.path
];
}; };
containers."drone-server" = { containers."drone-server" = {
image = "drone/drone:2"; image = "drone/drone:2";
autoStart = true; autoStart = true;
user = "994"; user = "994";
ports = [ ports = [ "127.0.0.1:4000:80" ];
"127.0.0.1:4000:80"
];
dependsOn = [ "drone-db" ]; dependsOn = [ "drone-db" ];
extraOptions = [ extraOptions = [
"--network=drone-net" "--network=drone-net"
@ -95,18 +87,14 @@
DRONE_SERVER_PROTO = "https"; DRONE_SERVER_PROTO = "https";
DRONE_DATABASE_DRIVER = "postgres"; DRONE_DATABASE_DRIVER = "postgres";
}; };
environmentFiles = [ environmentFiles = [ config.age.secrets.drone-secrets.path ];
config.age.secrets.drone-secrets.path
];
}; };
containers."drone-docker-runner" = { containers."drone-docker-runner" = {
image = "drone/drone-runner-docker:1"; image = "drone/drone-runner-docker:1";
autoStart = true; autoStart = true;
# needs to run as root # needs to run as root
#user = "994"; #user = "994";
volumes = [ volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
"/var/run/docker.sock:/var/run/docker.sock"
];
dependsOn = [ "drone-db" ]; dependsOn = [ "drone-db" ];
extraOptions = [ extraOptions = [
"--network=drone-net" "--network=drone-net"
@ -119,9 +107,7 @@
DRONE_RUNNER_CAPACITY = "2"; DRONE_RUNNER_CAPACITY = "2";
DRONE_RUNNER_NAME = "flora-6-docker-runner"; DRONE_RUNNER_NAME = "flora-6-docker-runner";
}; };
environmentFiles = [ environmentFiles = [ config.age.secrets.drone-secrets.path ];
config.age.secrets.drone-secrets.path
];
}; };
}; };
}; };


@ -1,9 +1,11 @@
{ config {
, lib config,
, pkgs lib,
, flake pkgs,
, ... flake,
}: { ...
}:
{
age.secrets.forgejo-actions-runner-token = { age.secrets.forgejo-actions-runner-token = {
file = "${flake.self}/secrets/forgejo-actions-runner-token.age"; file = "${flake.self}/secrets/forgejo-actions-runner-token.age";
mode = "644"; mode = "644";


@ -1,9 +1,11 @@
{ config {
, lib config,
, pkgs lib,
, flake pkgs,
, ... flake,
}: { ...
}:
{
age.secrets.forgejo-database-password = { age.secrets.forgejo-database-password = {
file = "${flake.self}/secrets/forgejo-database-password.age"; file = "${flake.self}/secrets/forgejo-database-password.age";
mode = "600"; mode = "600";


@ -1,9 +1,11 @@
{ config {
, lib config,
, pkgs lib,
, flake pkgs,
, ... flake,
}: { ...
}:
{
age.secrets.grafana-admin-password = { age.secrets.grafana-admin-password = {
file = "${flake.self}/secrets/grafana-admin-password.age"; file = "${flake.self}/secrets/grafana-admin-password.age";
mode = "644"; mode = "644";


@ -70,9 +70,7 @@
"icon": "external link", "icon": "external link",
"includeVars": true, "includeVars": true,
"keepTime": true, "keepTime": true,
"tags": [ "tags": ["matrix"],
"matrix"
],
"title": "Dashboards", "title": "Dashboards",
"type": "dashboards" "type": "dashboards"
} }
@ -4313,9 +4311,7 @@
"id": "byNames", "id": "byNames",
"options": { "options": {
"mode": "exclude", "mode": "exclude",
"names": [ "names": ["libera.chat "],
"libera.chat "
],
"prefix": "All except:", "prefix": "All except:",
"readOnly": true "readOnly": true
} }
@ -4435,9 +4431,7 @@
"id": "byNames", "id": "byNames",
"options": { "options": {
"mode": "exclude", "mode": "exclude",
"names": [ "names": ["libera.chat"],
"libera.chat"
],
"prefix": "All except:", "prefix": "All except:",
"readOnly": true "readOnly": true
} }
@ -13266,9 +13260,7 @@
"refresh": false, "refresh": false,
"schemaVersion": 37, "schemaVersion": 37,
"style": "dark", "style": "dark",
"tags": [ "tags": ["matrix"],
"matrix"
],
"templating": { "templating": {
"list": [ "list": [
{ {
@ -13453,17 +13445,7 @@
"2h", "2h",
"1d" "1d"
], ],
"time_options": [ "time_options": ["5m", "15m", "1h", "6h", "12h", "24h", "2d", "7d", "30d"]
"5m",
"15m",
"1h",
"6h",
"12h",
"24h",
"2d",
"7d",
"30d"
]
}, },
"timezone": "", "timezone": "",
"title": "Synapse", "title": "Synapse",


@ -1,9 +1,11 @@
{ flake {
, config flake,
, lib config,
, pkgs lib,
, ... pkgs,
}: { ...
}:
{
options.pub-solar-os.auth = with lib; { options.pub-solar-os.auth = with lib; {
enable = mkEnableOption "Enable keycloak to run on the node"; enable = mkEnableOption "Enable keycloak to run on the node";
@ -53,14 +55,13 @@
features = "declarative-user-profile"; features = "declarative-user-profile";
}; };
themes = { themes = {
"pub.solar" = flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar; "pub.solar" =
flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
}; };
}; };
services.restic.backups.keycloak-droppie = { services.restic.backups.keycloak-droppie = {
paths = [ paths = [ "/tmp/keycloak-backup.sql" ];
"/tmp/keycloak-backup.sql"
];
timerConfig = { timerConfig = {
OnCalendar = "*-*-* 02:00:00 Etc/UTC"; OnCalendar = "*-*-* 02:00:00 Etc/UTC";
# droppie will be offline if nachtigall misses the timer # droppie will be offline if nachtigall misses the timer
@ -83,9 +84,7 @@
}; };
services.restic.backups.keycloak-storagebox = { services.restic.backups.keycloak-storagebox = {
paths = [ paths = [ "/tmp/keycloak-backup.sql" ];
"/tmp/keycloak-backup.sql"
];
timerConfig = { timerConfig = {
OnCalendar = "*-*-* 04:10:00 Etc/UTC"; OnCalendar = "*-*-* 04:10:00 Etc/UTC";
}; };


@ -1,9 +1,11 @@
{ config {
, lib config,
, pkgs lib,
, flake pkgs,
, ... flake,
}: { ...
}:
{
services.caddy.virtualHosts = { services.caddy.virtualHosts = {
"flora-6.${config.pub-solar-os.networking.domain}" = { "flora-6.${config.pub-solar-os.networking.domain}" = {
logFormat = lib.mkForce '' logFormat = lib.mkForce ''
@ -51,7 +53,8 @@
retention_delete_worker_count = 150; retention_delete_worker_count = 150;
}; };
schema_config = { schema_config = {
configs = [{ configs = [
{
from = "2020-05-15"; from = "2020-05-15";
store = "boltdb-shipper"; store = "boltdb-shipper";
object_store = "filesystem"; object_store = "filesystem";
@ -60,7 +63,8 @@
prefix = "index_"; prefix = "index_";
period = "24h"; period = "24h";
}; };
}]; }
];
}; };
}; };
}; };
@ -75,10 +79,13 @@
positions = { positions = {
filename = "/tmp/positions.yaml"; filename = "/tmp/positions.yaml";
}; };
clients = [{ clients = [
{
url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
}]; }
scrape_configs = [{ ];
scrape_configs = [
{
job_name = "journal"; job_name = "journal";
journal = { journal = {
max_age = "24h"; max_age = "24h";
@ -87,11 +94,14 @@
host = "flora-6"; host = "flora-6";
}; };
}; };
relabel_configs = [{ relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ]; source_labels = [ "__journal__systemd_unit" ];
target_label = "unit"; target_label = "unit";
}]; }
}]; ];
}
];
}; };
}; };
} }


@ -1,8 +1,9 @@
{ flake {
, config flake,
, lib config,
, pkgs lib,
, ... pkgs,
...
}: }:
{ {
networking.firewall.allowedTCPPorts = [ 25 ]; networking.firewall.allowedTCPPorts = [ 25 ];


@ -1,4 +1,10 @@
{ config, pkgs, flake, inputs, ... }: {
config,
pkgs,
flake,
inputs,
...
}:
{ {
age.secrets."mastodon-secret-key-base" = { age.secrets."mastodon-secret-key-base" = {
@ -64,9 +70,7 @@
mediaAutoRemove = { mediaAutoRemove = {
olderThanDays = 7; olderThanDays = 7;
}; };
extraEnvFiles = [ extraEnvFiles = [ "/run/agenix/mastodon-extra-env-secrets" ];
"/run/agenix/mastodon-extra-env-secrets"
];
extraConfig = { extraConfig = {
WEB_DOMAIN = "mastodon.${config.pub-solar-os.networking.domain}"; WEB_DOMAIN = "mastodon.${config.pub-solar-os.networking.domain}";
# Defined in ./opensearch.nix # Defined in ./opensearch.nix
@ -97,9 +101,7 @@
}; };
services.restic.backups.mastodon-droppie = { services.restic.backups.mastodon-droppie = {
paths = [ paths = [ "/tmp/mastodon-backup.sql" ];
"/tmp/mastodon-backup.sql"
];
timerConfig = { timerConfig = {
OnCalendar = "*-*-* 02:00:00 Etc/UTC"; OnCalendar = "*-*-* 02:00:00 Etc/UTC";
# droppie will be offline if nachtigall misses the timer # droppie will be offline if nachtigall misses the timer
@ -122,9 +124,7 @@
}; };
services.restic.backups.mastodon-storagebox = { services.restic.backups.mastodon-storagebox = {
paths = [ paths = [ "/tmp/mastodon-backup.sql" ];
"/tmp/mastodon-backup.sql"
];
timerConfig = { timerConfig = {
OnCalendar = "*-*-* 04:05:00 Etc/UTC"; OnCalendar = "*-*-* 04:05:00 Etc/UTC";
}; };


@ -1,15 +1,18 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
# Find element in list config.services.matrix-synapse.settings.listeners.*.resources # Find element in list config.services.matrix-synapse.settings.listeners.*.resources
# that sets names = "client" # that sets names = "client"
nameHasClient = name: name == "client"; nameHasClient = name: name == "client";
resourceHasClient = resource: builtins.any nameHasClient resource.names; resourceHasClient = resource: builtins.any nameHasClient resource.names;
listenerWithClient = lib.findFirst listenerWithClient =
(listener: lib.findFirst (listener: builtins.any resourceHasClient listener.resources)
builtins.any resourceHasClient listener.resources)
(throw "Found no matrix-synapse.settings.listeners.*.resources.*.names containing string client") (throw "Found no matrix-synapse.settings.listeners.*.resources.*.names containing string client")
config.services.matrix-synapse.settings.listeners config.services.matrix-synapse.settings.listeners;
;
synapseClientPort = "${toString listenerWithClient.port}"; synapseClientPort = "${toString listenerWithClient.port}";
in in
{ {
@ -46,7 +49,11 @@ in
}; };
metrics = { metrics = {
enabled = true; enabled = true;
remoteUserAgeBuckets = [ "1h" "1d" "1w" ]; remoteUserAgeBuckets = [
"1h"
"1d"
"1w"
];
}; };
provisioning = { provisioning = {
enabled = false; enabled = false;
@ -122,4 +129,3 @@ in
}; };
}; };
} }


@ -1,4 +1,10 @@
{ flake, lib, config, pkgs, ... }: {
flake,
lib,
config,
pkgs,
...
}:
{ {
age.secrets."matrix-mautrix-telegram-env-file" = { age.secrets."matrix-mautrix-telegram-env-file" = {
file = "${flake.self}/secrets/matrix-mautrix-telegram-env-file.age"; file = "${flake.self}/secrets/matrix-mautrix-telegram-env-file.age";


@ -1,4 +1,9 @@
{ flake, config, pkgs, ... }: {
flake,
config,
pkgs,
...
}:
let let
publicDomain = "matrix.${config.pub-solar-os.networking.domain}"; publicDomain = "matrix.${config.pub-solar-os.networking.domain}";
serverDomain = "${config.pub-solar-os.networking.domain}"; serverDomain = "${config.pub-solar-os.networking.domain}";
@ -40,22 +45,16 @@ in
}; };
listeners = [ listeners = [
{ {
bind_addresses = [ bind_addresses = [ "127.0.0.1" ];
"127.0.0.1"
];
port = 8008; port = 8008;
resources = [ resources = [
{ {
compress = true; compress = true;
names = [ names = [ "client" ];
"client"
];
} }
{ {
compress = false; compress = false;
names = [ names = [ "federation" ];
"federation"
];
} }
]; ];
tls = false; tls = false;
@ -63,29 +62,23 @@ in
x_forwarded = true; x_forwarded = true;
} }
{ {
bind_addresses = [ bind_addresses = [ "127.0.0.1" ];
"127.0.0.1"
];
port = 8012; port = 8012;
resources = [ resources = [ { names = [ "metrics" ]; } ];
{
names = [
"metrics"
];
}
];
tls = false; tls = false;
type = "metrics"; type = "metrics";
} }
]; ];
account_threepid_delegates.msisdn = ""; account_threepid_delegates.msisdn = "";
alias_creation_rules = [{ alias_creation_rules = [
{
action = "allow"; action = "allow";
alias = "*"; alias = "*";
room_id = "*"; room_id = "*";
user_id = "*"; user_id = "*";
}]; }
];
allow_guest_access = false; allow_guest_access = false;
allow_public_rooms_over_federation = true; allow_public_rooms_over_federation = true;
allow_public_rooms_without_auth = false; allow_public_rooms_without_auth = false;
@ -152,7 +145,7 @@ in
}; };
per_user = { per_user = {
burst_count = 5; burst_count = 5;
per_second = 0.003; per_second = 3.0e-3;
}; };
}; };
rc_joins = { rc_joins = {
@ -162,7 +155,7 @@ in
}; };
remote = { remote = {
burst_count = 10; burst_count = 10;
per_second = 0.01; per_second = 1.0e-2;
}; };
}; };
rc_login = { rc_login = {
@ -194,12 +187,14 @@ in
registrations_require_3pid = [ "email" ]; registrations_require_3pid = [ "email" ];
report_stats = false; report_stats = false;
require_auth_for_profile_requests = false; require_auth_for_profile_requests = false;
room_list_publication_rules = [{ room_list_publication_rules = [
{
action = "allow"; action = "allow";
alias = "*"; alias = "*";
room_id = "*"; room_id = "*";
user_id = "*"; user_id = "*";
}]; }
];
signing_key_path = "/run/agenix/matrix-synapse-signing-key"; signing_key_path = "/run/agenix/matrix-synapse-signing-key";
@ -276,9 +271,7 @@ in
"redis" "redis"
]; ];
plugins = [ plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ];
config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth
];
sliding-sync = { sliding-sync = {
enable = true; enable = true;


@ -2,7 +2,7 @@ version: 1
formatters: formatters:
precise: precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s' format: "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s"
filters: filters:
context: context:


@ -1,8 +1,9 @@
{ flake {
, config flake,
, lib config,
, pkgs lib,
, ... pkgs,
...
}: }:
let let
localSettingsPHP = pkgs.writeScript "LocalSettings.php" '' localSettingsPHP = pkgs.writeScript "LocalSettings.php" ''
@ -201,7 +202,9 @@ in
group = "mediawiki"; group = "mediawiki";
inherit uid; inherit uid;
}; };
users.groups.mediawiki = { inherit gid; }; users.groups.mediawiki = {
inherit gid;
};
virtualisation = { virtualisation = {
oci-containers = { oci-containers = {
@ -212,9 +215,7 @@ in
user = "1000:${builtins.toString gid}"; user = "1000:${builtins.toString gid}";
autoStart = true; autoStart = true;
ports = [ ports = [ "127.0.0.1:8293:80" ];
"127.0.0.1:8293:80"
];
extraOptions = [ extraOptions = [
"--add-host=host.docker.internal:host-gateway" "--add-host=host.docker.internal:host-gateway"


@ -1,7 +1,8 @@
{ config {
, pkgs config,
, flake pkgs,
, ... flake,
...
}: }:
{ {
age.secrets."nextcloud-secrets" = { age.secrets."nextcloud-secrets" = {


@ -1,7 +1,4 @@
{ { config, ... }:
config,
...
}:
let let
objStorHost = "link.tardigradeshare.io"; objStorHost = "link.tardigradeshare.io";


@ -30,7 +30,12 @@ in
}; };
locations."@proxy" = { locations."@proxy" = {
proxyPass = (if cfg.enableUnixSocket then "http://unix:/run/mastodon-web/web.socket" else "http://127.0.0.1:${toString(cfg.webPort)}"); proxyPass = (
if cfg.enableUnixSocket then
"http://unix:/run/mastodon-web/web.socket"
else
"http://127.0.0.1:${toString (cfg.webPort)}"
);
proxyWebsockets = true; proxyWebsockets = true;
}; };
@ -45,13 +50,12 @@ in
extraConfig = '' extraConfig = ''
least_conn; least_conn;
''; '';
servers = builtins.listToAttrs servers = builtins.listToAttrs (
(map map (i: {
(i: {
name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket"; name = "unix:/run/mastodon-streaming/streaming-${toString i}.socket";
value = { }; value = { };
}) }) (lib.range 1 cfg.streamingProcesses)
(lib.range 1 cfg.streamingProcesses)); );
}; };
}; };
} }


@ -1,4 +1,9 @@
{ lib, pkgs, config, ... }: {
lib,
pkgs,
config,
...
}:
let let
commonHeaders = '' commonHeaders = ''
add_header Permissions-Policy interest-cohort=() always; add_header Permissions-Policy interest-cohort=() always;
@ -71,9 +76,7 @@ in
"chat.${config.pub-solar-os.networking.domain}" = { "chat.${config.pub-solar-os.networking.domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
root = pkgs.element-web.override { root = pkgs.element-web.override { conf = clientConfig; };
conf = clientConfig;
};
}; };
"stickers.chat.${config.pub-solar-os.networking.domain}" = { "stickers.chat.${config.pub-solar-os.networking.domain}" = {
@ -126,7 +129,8 @@ in
serverName = "matrix.${config.pub-solar-os.networking.domain}"; serverName = "matrix.${config.pub-solar-os.networking.domain}";
forceSSL = lib.mkDefault true; forceSSL = lib.mkDefault true;
enableACME = lib.mkDefault true; enableACME = lib.mkDefault true;
listen = [{ listen = [
{
port = 8448; port = 8448;
addr = "0.0.0.0"; addr = "0.0.0.0";
ssl = true; ssl = true;
@ -135,7 +139,8 @@ in
port = 8448; port = 8448;
addr = "[::]"; addr = "[::]";
ssl = true; ssl = true;
}]; }
];
root = "/dev/null"; root = "/dev/null";
extraConfig = '' extraConfig = ''
server_tokens off; server_tokens off;
@ -159,4 +164,3 @@ in
}; };
networking.firewall.allowedTCPPorts = [ 8448 ]; networking.firewall.allowedTCPPorts = [ 8448 ];
} }


@ -1,4 +1,5 @@
{ pkgs, lib, ... }: { { pkgs, lib, ... }:
{
default_server_config = { default_server_config = {
"m.homeserver" = { "m.homeserver" = {
base_url = "https://matrix.pub.solar"; base_url = "https://matrix.pub.solar";
@ -35,10 +36,12 @@
homeUrl = ""; homeUrl = "";
}; };
branding = { branding = {
auth_footer_links = [{ auth_footer_links = [
{
text = "Privacy"; text = "Privacy";
url = "https://pub.solar/privacy"; url = "https://pub.solar/privacy";
}]; }
];
# FUTUREWORK: Replace with pub.solar logo # FUTUREWORK: Replace with pub.solar logo
auth_header_logo_url = "themes/element/img/logos/element-logo.svg"; auth_header_logo_url = "themes/element/img/logos/element-logo.svg";
}; };


@ -1,13 +1,16 @@
{ config, flake, lib, ... }: {
config,
flake,
lib,
...
}:
let let
# Find element in list config.services.matrix-synapse.settings.listeners # Find element in list config.services.matrix-synapse.settings.listeners
# that sets type = "metrics" # that sets type = "metrics"
listenerWithMetrics = lib.findFirst listenerWithMetrics =
(listener: lib.findFirst (listener: listener.type == "metrics")
listener.type == "metrics")
(throw "Found no matrix-synapse.settings.listeners.*.type containing string metrics") (throw "Found no matrix-synapse.settings.listeners.*.type containing string metrics")
config.services.matrix-synapse.settings.listeners config.services.matrix-synapse.settings.listeners;
;
synapseMetricsPort = "${toString listenerWithMetrics.port}"; synapseMetricsPort = "${toString listenerWithMetrics.port}";
in in
{ {


@ -1,9 +1,7 @@
{ ... }: { ... }:
{ {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [ "d '/srv/www/miom.space' 0750 hakkonaut hakkonaut - -" ];
"d '/srv/www/miom.space' 0750 hakkonaut hakkonaut - -"
];
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"www.miom.space" = { "www.miom.space" = {


@ -1,5 +1,5 @@
{ lib, config, ... }:
{ {
lib, config, ... }: {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '/srv/www/${config.pub-solar-os.networking.domain}' 0750 hakkonaut hakkonaut - -" "d '/srv/www/${config.pub-solar-os.networking.domain}' 0750 hakkonaut hakkonaut - -"
]; ];
@ -54,7 +54,8 @@
}; };
# Responsible disclosure information https://securitytxt.org/ # Responsible disclosure information https://securitytxt.org/
"/.well-known/security.txt" = let "/.well-known/security.txt" =
let
securityTXT = lib.lists.foldr (a: b: a + "\n" + b) "" [ securityTXT = lib.lists.foldr (a: b: a + "\n" + b) "" [
"Contact: mailto:admins@pub.solar" "Contact: mailto:admins@pub.solar"
"Expires: 2025-01-04T23:00:00.000Z" "Expires: 2025-01-04T23:00:00.000Z"
@ -62,7 +63,8 @@
"Preferred-Languages: en,de" "Preferred-Languages: en,de"
"Canonical: https://${config.pub-solar-os.networking.domain}/.well-known/security.txt" "Canonical: https://${config.pub-solar-os.networking.domain}/.well-known/security.txt"
]; ];
in { in
{
extraConfig = '' extraConfig = ''
add_header Content-Type text/plain; add_header Content-Type text/plain;
return 200 '${securityTXT}'; return 200 '${securityTXT}';


@ -1,8 +1,9 @@
{ config {
, lib config,
, pkgs lib,
, self pkgs,
, ... self,
...
}: }:
let let
acmeEmailAddress = config.pub-solar-os.adminEmail; acmeEmailAddress = config.pub-solar-os.adminEmail;
@ -38,5 +39,8 @@ in
defaults.email = acmeEmailAddress; defaults.email = acmeEmailAddress;
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [
80
443
];
} }


@ -1,10 +1,12 @@
{ config {
, lib config,
, pkgs lib,
, self pkgs,
, flake self,
, ... flake,
}: let ...
}:
let
configPy = pkgs.writeText "obs-portal-config.py" '' configPy = pkgs.writeText "obs-portal-config.py" ''
DEBUG = False DEBUG = False
VERBOSE = DEBUG VERBOSE = DEBUG
@ -41,7 +43,8 @@ ADDITIONAL_CORS_ORIGINS = None
OBS_DATA_DIR = "/data"; OBS_DATA_DIR = "/data";
OBS_PROXIES_COUNT = "1"; OBS_PROXIES_COUNT = "1";
}; };
in { in
{
age.secrets.obs-portal-env = { age.secrets.obs-portal-env = {
file = "${flake.self}/secrets/obs-portal-env.age"; file = "${flake.self}/secrets/obs-portal-env.age";
mode = "600"; mode = "600";
@ -59,8 +62,16 @@ in {
in in
{ {
serviceConfig.Type = "oneshot"; serviceConfig.Type = "oneshot";
before = [ "docker-obs-portal.service" "docker-obs-portal-db.service" "docker-obs-portal-worker.service" ]; before = [
requiredBy = [ "docker-obs-portal.service" "docker-obs-portal-db.service" "docker-obs-portal-worker.service" ]; "docker-obs-portal.service"
"docker-obs-portal-db.service"
"docker-obs-portal-worker.service"
];
requiredBy = [
"docker-obs-portal.service"
"docker-obs-portal-db.service"
"docker-obs-portal-worker.service"
];
script = '' script = ''
${dockerBin} network inspect obs-portal-net >/dev/null 2>&1 || ${dockerBin} network create obs-portal-net --subnet 172.20.0.0/24 ${dockerBin} network inspect obs-portal-net >/dev/null 2>&1 || ${dockerBin} network create obs-portal-net --subnet 172.20.0.0/24
''; '';
@ -101,16 +112,17 @@ in {
"/var/lib/obs-portal/pbf/:/pbf" "/var/lib/obs-portal/pbf/:/pbf"
]; ];
extraOptions = [ extraOptions = [ "--network=obs-portal-net" ];
"--network=obs-portal-net"
];
}; };
containers."obs-portal-worker" = { containers."obs-portal-worker" = {
image = "git.pub.solar/pub-solar/obs-portal:latest"; image = "git.pub.solar/pub-solar/obs-portal:latest";
autoStart = true; autoStart = true;
cmd = [ "python" "tools/process_track.py" ]; cmd = [
"python"
"tools/process_track.py"
];
environment = env; environment = env;
environmentFiles = [ config.age.secrets.obs-portal-env.path ]; environmentFiles = [ config.age.secrets.obs-portal-env.path ];
@ -120,9 +132,7 @@ in {
"/var/lib/obs-portal${env.OBS_DATA_DIR}:${env.OBS_DATA_DIR}" "/var/lib/obs-portal${env.OBS_DATA_DIR}:${env.OBS_DATA_DIR}"
]; ];
extraOptions = [ extraOptions = [ "--network=obs-portal-net" ];
"--network=obs-portal-net"
];
}; };
containers."obs-portal-db" = { containers."obs-portal-db" = {
@ -131,13 +141,9 @@ in {
environmentFiles = [ config.age.secrets.obs-portal-database-env.path ]; environmentFiles = [ config.age.secrets.obs-portal-database-env.path ];
volumes = [ volumes = [ "/var/lib/postgres-obs-portal/data:/var/lib/postgresql/data" ];
"/var/lib/postgres-obs-portal/data:/var/lib/postgresql/data"
];
extraOptions = [ extraOptions = [ "--network=obs-portal-net" ];
"--network=obs-portal-net"
];
}; };
}; };
}; };


@ -1,9 +1,11 @@
{ flake {
, config flake,
, lib config,
, pkgs lib,
, ... pkgs,
}: { ...
}:
{
services.nginx.virtualHosts."stream.${config.pub-solar-os.networking.domain}" = { services.nginx.virtualHosts."stream.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;


@ -7,11 +7,7 @@
}; };
systemd.services.postgresql = { systemd.services.postgresql = {
after = [ after = [ "var-lib-postgresql.mount" ];
"var-lib-postgresql.mount" requisite = [ "var-lib-postgresql.mount" ];
];
requisite = [
"var-lib-postgresql.mount"
];
}; };
} }


@ -1,6 +1,5 @@
{ config { config, ... }:
, ... {
}: {
services.prometheus = { services.prometheus = {
exporters = { exporters = {
node = { node = {


@ -1,9 +1,11 @@
{ config {
, lib config,
, pkgs lib,
, flake pkgs,
, ... flake,
}: { ...
}:
{
age.secrets.nachtigall-metrics-prometheus-basic-auth-password = { age.secrets.nachtigall-metrics-prometheus-basic-auth-password = {
file = "${flake.self}/secrets/nachtigall-metrics-prometheus-basic-auth-password.age"; file = "${flake.self}/secrets/nachtigall-metrics-prometheus-basic-auth-password.age";
mode = "600"; mode = "600";
@ -27,12 +29,14 @@
scrapeConfigs = [ scrapeConfigs = [
{ {
job_name = "node-exporter-http"; job_name = "node-exporter-http";
static_configs = [{ static_configs = [
{
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
labels = { labels = {
instance = "flora-6"; instance = "flora-6";
}; };
}]; }
];
} }
{ {
job_name = "node-exporter-https"; job_name = "node-exporter-https";
@ -42,12 +46,14 @@
username = "hakkonaut"; username = "hakkonaut";
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}"; password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
}; };
static_configs = [{ static_configs = [
{
targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ]; targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ];
labels = { labels = {
instance = "nachtigall"; instance = "nachtigall";
}; };
}]; }
];
} }
{ {
job_name = "matrix-synapse"; job_name = "matrix-synapse";
@ -57,12 +63,14 @@
username = "hakkonaut"; username = "hakkonaut";
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}"; password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
}; };
static_configs = [{ static_configs = [
{
targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ]; targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ];
labels = { labels = {
instance = "nachtigall"; instance = "nachtigall";
}; };
}]; }
];
} }
]; ];
}; };


@ -1,9 +1,11 @@
{ config {
, lib config,
, pkgs lib,
, flake pkgs,
, ... flake,
}: { ...
}:
{
age.secrets.nachtigall-metrics-prometheus-basic-auth-password = { age.secrets.nachtigall-metrics-prometheus-basic-auth-password = {
file = "${flake.self}/secrets/nachtigall-metrics-prometheus-basic-auth-password.age"; file = "${flake.self}/secrets/nachtigall-metrics-prometheus-basic-auth-password.age";
mode = "600"; mode = "600";
@ -20,14 +22,17 @@
positions = { positions = {
filename = "/tmp/positions.yaml"; filename = "/tmp/positions.yaml";
}; };
clients = [{ clients = [
{
url = "https://flora-6.${config.pub-solar-os.networking.domain}/loki/api/v1/push"; url = "https://flora-6.${config.pub-solar-os.networking.domain}/loki/api/v1/push";
basic_auth = { basic_auth = {
username = "hakkonaut"; username = "hakkonaut";
password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}"; password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
}; };
}]; }
scrape_configs = [{ ];
scrape_configs = [
{
job_name = "journal"; job_name = "journal";
journal = { journal = {
max_age = "24h"; max_age = "24h";
@ -36,11 +41,14 @@
host = "nachtigall"; host = "nachtigall";
}; };
}; };
relabel_configs = [{ relabel_configs = [
{
source_labels = [ "__journal__systemd_unit" ]; source_labels = [ "__journal__systemd_unit" ];
target_label = "unit"; target_label = "unit";
}]; }
}]; ];
}
];
}; };
}; };
} }


@ -1,8 +1,9 @@
{ flake {
, config flake,
, lib config,
, pkgs lib,
, ... pkgs,
...
}: }:
{ {
age.secrets.searx-environment = { age.secrets.searx-environment = {
@ -64,9 +65,18 @@
}; };
engine = [ engine = [
{ engine = "startpage"; disabled = false; } {
{ engine = "yahoo"; disabled = false; } engine = "startpage";
{ engine = "tagesschau"; disabled = false; } disabled = false;
}
{
engine = "yahoo";
disabled = false;
}
{
engine = "tagesschau";
disabled = false;
}
]; ];
ui = { ui = {


@ -1,4 +1,5 @@
{ flake, config, ... }: { { flake, config, ... }:
{
# From https://nixos.wiki/wiki/ZFS#Unlock_encrypted_zfs_via_ssh_on_boot # From https://nixos.wiki/wiki/ZFS#Unlock_encrypted_zfs_via_ssh_on_boot
boot.initrd.network = { boot.initrd.network = {
enable = true; enable = true;


@ -1,24 +1,27 @@
{ self { self, inputs, ... }:
, inputs {
, ...
}: {
flake = { flake = {
nixosModules = rec { nixosModules = rec {
overlays = ({ ... }: { overlays = (
{ ... }:
{
nixpkgs.overlays = [ nixpkgs.overlays = [
(final: prev: (
final: prev:
let let
unstable = import inputs.unstable { unstable = import inputs.unstable { system = prev.system; };
system = prev.system;
};
in in
{ {
forgejo-runner = unstable.forgejo-runner; forgejo-runner = unstable.forgejo-runner;
element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; }; element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; };
element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker { inherit (inputs) element-stickers maunium-stickerpicker; }; element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker {
}) inherit (inputs) element-stickers maunium-stickerpicker;
};
}
)
]; ];
}); }
);
}; };
}; };
} }


@ -1,4 +1,8 @@
{ stdenvNoCC, element-stickers, maunium-stickerpicker }: {
stdenvNoCC,
element-stickers,
maunium-stickerpicker,
}:
stdenvNoCC.mkDerivation { stdenvNoCC.mkDerivation {
src = maunium-stickerpicker; src = maunium-stickerpicker;
name = "element-stickers"; name = "element-stickers";


@ -1,4 +1,8 @@
{ stdenvNoCC, jq, element-themes }: {
stdenvNoCC,
jq,
element-themes,
}:
stdenvNoCC.mkDerivation { stdenvNoCC.mkDerivation {
src = element-themes; src = element-themes;
name = "element-themes"; name = "element-themes";


@ -4,15 +4,13 @@ let
nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall"; nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall";
flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6"; flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6";
adminKeys = builtins.foldl' (keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)) [] (builtins.attrValues admins); adminKeys = builtins.foldl' (
keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)
) [ ] (builtins.attrValues admins);
nachtigallKeys = [ nachtigallKeys = [ nachtigall-host ];
nachtigall-host
];
flora6Keys = [ flora6Keys = [ flora-6-host ];
flora-6-host
];
in in
{ {
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall
@ -63,7 +61,8 @@ in
"grafana-smtp-password.age".publicKeys = flora6Keys ++ adminKeys; "grafana-smtp-password.age".publicKeys = flora6Keys ++ adminKeys;
"nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ adminKeys; "nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ adminKeys;
"nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ adminKeys; "nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys =
flora6Keys ++ nachtigallKeys ++ adminKeys;
"obs-portal-env.age".publicKeys = nachtigallKeys ++ adminKeys; "obs-portal-env.age".publicKeys = nachtigallKeys ++ adminKeys;
"obs-portal-database-env.age".publicKeys = nachtigallKeys ++ adminKeys; "obs-portal-database-env.age".publicKeys = nachtigallKeys ++ adminKeys;


@ -4,7 +4,8 @@
lib, lib,
config, config,
... ...
}: { }:
{
name = "website"; name = "website";
nodes.nachtigall-test = self.nixosConfigurations.nachtigall-test; nodes.nachtigall-test = self.nixosConfigurations.nachtigall-test;

24
treefmt.toml Normal file

@ -0,0 +1,24 @@
[formatter.nix]
command = "nix"
options = ["fmt"]
includes = ["*.nix"]
excludes = []
[formatter.prettier]
command = "prettier"
options = ["--write"]
includes = [
"*.json",
"*.yaml",
"*.md",
]
[formatter.shell]
command = "shfmt"
options = [
"-s",
"-w",
"-i",
"2",
]
includes = ["*.sh"]
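Review bot: Nothing in `[formatter.prettier]` excludes generated files, so the exported Grafana dashboard JSON reformatted earlier in this commit (the `tags` and `time_options` arrays collapsed onto one line) will be rewritten on every `treefmt` run and will churn again on the next export from Grafana; either list that dashboard path under `excludes = [...]` (its path is not visible in this chunk) or add a comment stating that dashboard exports must be passed through `treefmt` before committing. The `[formatter.nix]` entry shells out to `nix fmt`, which runs whatever the flake's `formatter` output is — if that output is itself treefmt the two recurse, so confirm `flake.nix` (not in view) points at a plain formatter such as nixfmt. `[formatter.shell]` only matches `*.sh`, so any extension-less shell script in the repo escapes the `--fail-on-change` gate; widen `includes` or document the convention. A short header comment such as `# Local: nix develop --command treefmt; CI enforces with --fail-on-change` would tell contributors how this file is used.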