1 commit
main
...
feat/matri
Author | SHA1 | Date | |
---|---|---|---|
5b4b60542c |
48 changed files with 320 additions and 1096 deletions
|
@ -10,7 +10,7 @@ jobs:
|
|||
- name: Check out repository code
|
||||
uses: https://code.forgejo.org/actions/checkout@v4
|
||||
|
||||
- uses: https://github.com/nixbuild/nix-quick-install-action@v27
|
||||
- uses: https://github.com/nixbuild/nix-quick-install-action@v26
|
||||
with:
|
||||
load_nixConfig: false
|
||||
nix_conf: |
|
||||
|
@ -24,7 +24,7 @@ jobs:
|
|||
echo "hash=$(md5sum flake.lock | awk '{print $1}')" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Restore and cache Nix store
|
||||
uses: https://github.com/nix-community/cache-nix-action@v4.0.3
|
||||
uses: https://github.com/nix-community/cache-nix-action@v4
|
||||
id: nix-store-cache
|
||||
with:
|
||||
key: cache-${{ runner.os }}-nix-store-${{ steps.flake-lock-hash.outputs.hash }}
|
||||
|
@ -35,37 +35,16 @@ jobs:
|
|||
gc-max-store-size-linux: 10000000000
|
||||
|
||||
purge-caches: true
|
||||
purge-key: cache-${{ runner.os }}-nix-store-
|
||||
purge-keys: cache-${{ runner.os }}-nix-store-
|
||||
purge-created: true
|
||||
purge-created-max-age: 42
|
||||
|
||||
- name: Prepare cachix
|
||||
uses: https://github.com/cachix/cachix-action@v14
|
||||
uses: https://github.com/cachix/cachix-action@v12
|
||||
with:
|
||||
name: pub-solar
|
||||
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
|
||||
useDaemon: false
|
||||
|
||||
- name: Run flake checks
|
||||
run: |
|
||||
# Prevent cache garbage collection by creating GC roots
|
||||
for target in $(nix flake show --json --all-systems | jq '
|
||||
.["nixosConfigurations"] |
|
||||
to_entries[] |
|
||||
.key
|
||||
' | tr -d '"'
|
||||
); do
|
||||
nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
|
||||
build --out-link ./result-$target ".#nixosConfigurations.${target}.config.system.build.toplevel"
|
||||
done
|
||||
|
||||
nix --print-build-logs --verbose --accept-flake-config --access-tokens '' flake check
|
||||
|
||||
# Add GC roots for flake inputs, too
|
||||
# https://github.com/NixOS/nix/issues/4250#issuecomment-1146878407
|
||||
mkdir --parents "$NIX_USER_PROFILE_DIR"
|
||||
gc_root_prefix="$NIX_USER_PROFILE_DIR"/infra-flake-
|
||||
echo "Adding gcroots flake inputs with prefix $gc_root_prefix ..."
|
||||
nix flake archive --json 2>/dev/null | jq --raw-output '.inputs | to_entries[] | "ln --force --symbolic --no-target-directory "+.value.path+" \"'"$gc_root_prefix"'"+.key+"\""' | while read -r line; do
|
||||
eval "$line"
|
||||
done
|
||||
|
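Review bot: The cache step's action reference changes from the exact tag `@v4.0.3` to the floating major tag `@v4` (the pair under `- name: Restore and cache Nix store` in the second hunk; which line of each pair is the new side is inferred from print order), and the `nix-quick-install-action` and `cachix-action` references are likewise floating tags now pointing at older releases. A floating tag can be moved upstream at any time, so what the runner executes is no longer fixed by this commit; pinning each `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: https://github.com/nix-community/cache-nix-action@<commit-sha> # v4.0.3`, keeps the CI supply chain reproducible. The third hunk's counts (37 old, 16 new) also mean the `purge-created`/`purge-created-max-age` settings and the whole GC-root block that piped `nix flake archive` output through `eval "$line"` are gone on the new side; dropping that `eval` is an improvement, but nothing on this page states the intent, so a one-line comment on the cache step explaining the chosen versions would help the next reader. The `jobs:` mapping these hunks belong to starts before the first hunk.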
|
|
@ -1,37 +0,0 @@
|
|||
# Adminstrative access
|
||||
|
||||
People with admin access to the infrastructure are added to [`logins/admins.nix`](../logins/admins.nix). This is a attrset with the following structure:
|
||||
|
||||
```
|
||||
{
|
||||
<username> = {
|
||||
sshPubKeys = {
|
||||
<name> = <pubkey-string>;
|
||||
};
|
||||
|
||||
wireguardDevices = [
|
||||
{
|
||||
publicKey = <pubkey-string>;
|
||||
allowedIPs = [ "10.7.6.<ip-address>/32" "fd00:fae:fae:fae:fae:<ip-address>::/96" ];
|
||||
}
|
||||
}];
|
||||
|
||||
secretEncryptionKeys = {
|
||||
<name> = <encryption-key-string>;
|
||||
};
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
# SSH Access
|
||||
|
||||
SSH is not reachable from the open internet. Instead, SSH Port 22 is protected by a wireguard VPN network. Thus, to get root access on the servers, at least two pieces of information have to be added to the admins config:
|
||||
|
||||
1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`.
|
||||
2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).
|
||||
|
||||
# Secret encryption
|
||||
|
||||
Deployment secrets are added to the repository in encrypted files. To be able to work with these encrypted files, your public key(s) will have to be added to your user attrset under `secretEncryptionKeys`.
|
||||
|
||||
See also the docs on [working with secrets](./secrets.md).
|
|
@ -1,32 +1,20 @@
|
|||
# Deploying new versions
|
||||
|
||||
We use [deploy-rs](https://github.com/serokell/deploy-rs) to deploy changes.
|
||||
Currently this process is not automated, so configuration changes will have to
|
||||
be manually deployed.
|
||||
We use [deploy-rs](https://github.com/serokell/deploy-rs) to deploy changes. Currently this process is not automated, so configuration changes will have to be manually deployed.
|
||||
|
||||
To deploy, make sure you have a [working development shell](./development-shell.md).
|
||||
Then, run `deploy-rs` with the hostname of the server you want to deploy:
|
||||
To deploy, make sure you have a [working development shell](./development-shell.md). Then, run `deploy-rs` with the hostname of the server you want to deploy:
|
||||
|
||||
For nachtigall.pub.solar:
|
||||
```
|
||||
deploy --targets '.#nachtigall' --magic-rollback false --auto-rollback false
|
||||
deploy '.#nachtigall'
|
||||
```
|
||||
|
||||
For flora-6.pub.solar:
|
||||
```
|
||||
deploy --targets '.#flora-6' --magic-rollback false --auto-rollback false
|
||||
deploy '.#flora-6'
|
||||
```
|
||||
|
||||
Usually we skip all rollback functionality, but if you want to deploy a change
|
||||
that might lock you out, e.g. to SSH, it might make sense to set these to `true`.
|
||||
You'll need to have SSH Access to the boxes to be able to do this.
|
||||
|
||||
To skip flake checks, e.g. because you already ran them manually before
|
||||
deployment, add the flag `--skip-checks` at the end of the command.
|
||||
|
||||
`--dry-activate` can be used to only put all files in place without switching,
|
||||
to enable switching to the new config quickly at a later moment.
|
||||
|
||||
You'll need to have SSH Access to the boxes to be able to run `deploy`.
|
||||
|
||||
### Getting SSH access
|
||||
See [administrative-access.md](./administrative-access.md).
|
||||
### SSH access
|
||||
Ensure your SSH public key is in place [here](./public-keys/admins.nix) and was deployed by someone with access.
|
||||
|
|
|
@ -1,5 +1 @@
|
|||
# Working with secrets
|
||||
|
||||
Secrets are handled with [agenix](https://github.com/ryantm/agenix). To be able to view secrets, your public key will have to be added to the admins config. See [Administrative Access](./administrative-access.md) on how to do this.
|
||||
|
||||
For a comprehensive tutorial, see [the agenix repository](https://github.com/ryantm/agenix?tab=readme-ov-file#tutorial).
|
||||
|
|
3
docs/ssh.md
Normal file
3
docs/ssh.md
Normal file
|
@ -0,0 +1,3 @@
|
|||
# SSH Access
|
||||
|
||||
SSH Access is granted by adding a public key to [`public-keys/admins.nix`](../public-keys/admins.nix). This change will then have to be deployed to all hosts by an existing key. The keys will also grant access to the initrd SSH Server to enable remote unlock.
|
108
flake.lock
generated
108
flake.lock
generated
|
@ -14,11 +14,11 @@
|
|||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1712079060,
|
||||
"narHash": "sha256-/JdiT9t+zzjChc5qQiF+jhrVhRt8figYH29rZO7pFe4=",
|
||||
"lastModified": 1703433843,
|
||||
"narHash": "sha256-nmtA4KqFboWxxoOAA6Y1okHbZh+HsXaMPFkYHsoDRDw=",
|
||||
"owner": "ryantm",
|
||||
"repo": "agenix",
|
||||
"rev": "1381a759b205dff7a6818733118d02253340fd5e",
|
||||
"rev": "417caa847f9383e111d1397039c9d4337d024bf0",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -36,11 +36,11 @@
|
|||
"utils": "utils"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1711973905,
|
||||
"narHash": "sha256-UFKME/N1pbUtn+2Aqnk+agUt8CekbpuqwzljivfIme8=",
|
||||
"lastModified": 1704875591,
|
||||
"narHash": "sha256-eWRLbqRcrILgztU/m/k7CYLzETKNbv0OsT2GjkaNm8A=",
|
||||
"owner": "serokell",
|
||||
"repo": "deploy-rs",
|
||||
"rev": "88b3059b020da69cbe16526b8d639bd5e0b51c8b",
|
||||
"rev": "1776009f1f3fb2b5d236b84d9815f2edee463a9b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -51,18 +51,18 @@
|
|||
},
|
||||
"devshell": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": [
|
||||
"keycloak-theme-pub-solar",
|
||||
"nixpkgs"
|
||||
]
|
||||
],
|
||||
"systems": "systems_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1705332421,
|
||||
"narHash": "sha256-USpGLPme1IuqG78JNqSaRabilwkCyHmVWY0M9vYyqEA=",
|
||||
"lastModified": 1688380630,
|
||||
"narHash": "sha256-8ilApWVb1mAi4439zS3iFeIT0ODlbrifm/fegWwgHjA=",
|
||||
"owner": "numtide",
|
||||
"repo": "devshell",
|
||||
"rev": "83cb93d6d063ad290beee669f4badf9914cc16ec",
|
||||
"rev": "f9238ec3d75cefbb2b42a44948c4e8fb1ae9a205",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -74,11 +74,11 @@
|
|||
"element-themes": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1707755689,
|
||||
"narHash": "sha256-pMwrpZwLp7tw0nBbz/ENVJ2LoN9jIxEfjcq7OXoiKEw=",
|
||||
"lastModified": 1705202375,
|
||||
"narHash": "sha256-YizGYCik8MYKqsBWCBhFBofSpIsML1ryEdRxOVEjFUw=",
|
||||
"owner": "aaronraimist",
|
||||
"repo": "element-themes",
|
||||
"rev": "2368b58c16d2c4aabb82a245f036d228cbb6e5f5",
|
||||
"rev": "fec249ddecfacfbbe6cfaf6a48261d00270b6abe",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -109,11 +109,11 @@
|
|||
"nixpkgs-lib": "nixpkgs-lib"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1712014858,
|
||||
"narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
|
||||
"lastModified": 1704982712,
|
||||
"narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
|
||||
"rev": "07f6395285469419cf9d078f59b5b49993198c00",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -124,14 +124,14 @@
|
|||
},
|
||||
"flake-utils": {
|
||||
"inputs": {
|
||||
"systems": "systems_3"
|
||||
"systems": "systems_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1701680307,
|
||||
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
|
||||
"lastModified": 1689068808,
|
||||
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
|
||||
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -141,24 +141,6 @@
|
|||
}
|
||||
},
|
||||
"flake-utils_2": {
|
||||
"inputs": {
|
||||
"systems": "systems_4"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1705309234,
|
||||
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-utils_3": {
|
||||
"locked": {
|
||||
"lastModified": 1653893745,
|
||||
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
|
||||
|
@ -180,11 +162,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1714043624,
|
||||
"narHash": "sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM=",
|
||||
"lastModified": 1705659542,
|
||||
"narHash": "sha256-WA3xVfAk1AYmFdwghT7mt/erYpsU6JPu9mdTEP/e9HQ=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "86853e31dc1b62c6eeed11c667e8cdd0285d4411",
|
||||
"rev": "10cd9c53115061aa6a0a90aad0b0dde6a999cdb9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -197,17 +179,17 @@
|
|||
"keycloak-theme-pub-solar": {
|
||||
"inputs": {
|
||||
"devshell": "devshell",
|
||||
"flake-utils": "flake-utils_2",
|
||||
"flake-utils": "flake-utils",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1707424749,
|
||||
"narHash": "sha256-eTvts5E3zmD4/DoAI9KedQjRwica0cg36wwIVp1NWbM=",
|
||||
"lastModified": 1705006945,
|
||||
"narHash": "sha256-KCcB84g+xhDIWEODrxGSJU/Z8n3ONF3x3WzjswQLpEk=",
|
||||
"ref": "main",
|
||||
"rev": "1202a23c205b3c07a5feb5caf6813f21b3c69307",
|
||||
"revCount": 30,
|
||||
"rev": "73f1ae5ca6ff8886960cd0eb89d46a9f4af86cb4",
|
||||
"revCount": 27,
|
||||
"type": "git",
|
||||
"url": "https://git.pub.solar/pub-solar/keycloak-theme"
|
||||
},
|
||||
|
@ -224,11 +206,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1713946171,
|
||||
"narHash": "sha256-lc75rgRQLdp4Dzogv5cfqOg6qYc5Rp83oedF2t0kDp8=",
|
||||
"lastModified": 1706497381,
|
||||
"narHash": "sha256-VzzLBvm4ejehe42yKlCUjG3op3NLXq78MKS8u/W3NLQ=",
|
||||
"owner": "lnl7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "230a197063de9287128e2c68a7a4b0cd7d0b50a7",
|
||||
"rev": "00538eecf2d1a8f98a53a71c9c84f913003ec5e8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -240,11 +222,11 @@
|
|||
},
|
||||
"nixos-flake": {
|
||||
"locked": {
|
||||
"lastModified": 1711376798,
|
||||
"narHash": "sha256-37wawZGSX/dD1rn7TwFJhUdpozC2VPEQXetpfpK/D+w=",
|
||||
"lastModified": 1705990839,
|
||||
"narHash": "sha256-Gb0bvp7BiHBn2PkssT4CiBhD7lVWqSHEBfiai/RFfSQ=",
|
||||
"owner": "srid",
|
||||
"repo": "nixos-flake",
|
||||
"rev": "7b19503e7f8c7cc0884fc2fbd669c0cc2e05aef5",
|
||||
"rev": "244072b1f9088833627046d703d7973b90fe7843",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -255,11 +237,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1713995372,
|
||||
"narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=",
|
||||
"lastModified": 1706373441,
|
||||
"narHash": "sha256-S1hbgNbVYhuY2L05OANWqmRzj4cElcbLuIkXTb69xkk=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "dd37924974b9202f8226ed5d74a252a9785aedf8",
|
||||
"rev": "56911ef3403a9318b7621ce745f5452fb9ef6867",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -288,11 +270,11 @@
|
|||
"nixpkgs-lib": {
|
||||
"locked": {
|
||||
"dir": "lib",
|
||||
"lastModified": 1711703276,
|
||||
"narHash": "sha256-iMUFArF0WCatKK6RzfUJknjem0H9m4KgorO/p3Dopkk=",
|
||||
"lastModified": 1703961334,
|
||||
"narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "d8fe5e6c92d0d190646fb9f1056741a229980089",
|
||||
"rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -381,7 +363,7 @@
|
|||
},
|
||||
"triton-vmtools": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils_3",
|
||||
"flake-utils": "flake-utils_2",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
]
|
||||
|
@ -405,11 +387,11 @@
|
|||
},
|
||||
"unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1713895582,
|
||||
"narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=",
|
||||
"lastModified": 1706191920,
|
||||
"narHash": "sha256-eLihrZAPZX0R6RyM5fYAWeKVNuQPYjAkCUBr+JNvtdE=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "572af610f6151fd41c212f897c71f7056e3fb518",
|
||||
"rev": "ae5c332cbb5827f6b1f02572496b141021de335f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -39,7 +39,7 @@
|
|||
|
||||
imports = [
|
||||
inputs.nixos-flake.flakeModule
|
||||
./logins
|
||||
./public-keys
|
||||
./lib
|
||||
./overlays
|
||||
./modules
|
||||
|
@ -63,7 +63,6 @@
|
|||
deploy-rs
|
||||
nixpkgs-fmt
|
||||
agenix
|
||||
age-plugin-yubikey
|
||||
cachix
|
||||
editorconfig-checker
|
||||
nodePackages.prettier
|
||||
|
@ -89,12 +88,14 @@
|
|||
|
||||
deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
|
||||
nachtigall = {
|
||||
hostname = "10.7.6.1";
|
||||
# hostname is set in hosts/nachtigall/networking.nix
|
||||
sshUser = username;
|
||||
};
|
||||
flora-6 = {
|
||||
hostname = "10.7.6.2";
|
||||
hostname = "flora-6.pub.solar";
|
||||
sshUser = username;
|
||||
# Example
|
||||
#sshOpts = [ "-p" "19999" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
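Review bot: The flora-6 deploy target switches from the VPN-internal address `10.7.6.2` to the public name `flora-6.pub.solar` in the third hunk (assuming the second line of each pair is the new side), while elsewhere in this compare `hosts/flora-6/wireguard.nix`, which restricted `services.openssh.listenAddresses` to the tunnel addresses, is deleted outright. If deploy-rs therefore reaches sshd over the public interface, each target's host key should be pinned in the deploying user's `known_hosts` before the first run, and a short comment next to the hostname (`# reached directly over the public interface, not via WireGuard`) would spare readers the cross-file inference. The nachtigall entry now defers to `hosts/nachtigall/networking.nix` for its hostname, so a `# keep in sync with hosts/nachtigall/networking.nix` note on that line would make the coupling visible. The `# Example` / `#sshOpts` lines are commented-out config and could simply be dropped.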
|
|
@ -1,260 +0,0 @@
|
|||
{ lib }:
|
||||
|
||||
let
|
||||
# docker's filesystems disappear quickly, leading to false positives
|
||||
deviceFilter = ''path!~"^(/var/lib/docker|/nix/store).*"'';
|
||||
in
|
||||
lib.mapAttrsToList
|
||||
(name: opts: {
|
||||
alert = name;
|
||||
expr = opts.condition;
|
||||
for = opts.time or "2m";
|
||||
labels = { };
|
||||
annotations.description = opts.description;
|
||||
})
|
||||
({
|
||||
|
||||
# prometheus_too_many_restarts = {
|
||||
# condition = ''changes(process_start_time_seconds{job=~"prometheus|alertmanager"}[15m]) > 2'';
|
||||
# description = "Prometheus has restarted more than twice in the last 15 minutes. It might be crashlooping.";
|
||||
# };
|
||||
|
||||
# alert_manager_config_not_synced = {
|
||||
# condition = ''count(count_values("config_hash", alertmanager_config_hash)) > 1'';
|
||||
# description = "Configurations of AlertManager cluster instances are out of sync.";
|
||||
# };
|
||||
|
||||
#alert_manager_e2e_dead_man_switch = {
|
||||
# condition = "vector(1)";
|
||||
# description = "Prometheus DeadManSwitch is an always-firing alert. It's used as an end-to-end test of Prometheus through the Alertmanager.";
|
||||
#};
|
||||
|
||||
# prometheus_not_connected_to_alertmanager = {
|
||||
# condition = "prometheus_notifications_alertmanagers_discovered < 1";
|
||||
# description = "Prometheus cannot connect the alertmanager\n VALUE = {{ $value }}\n LABELS = {{ $labels }}";
|
||||
# };
|
||||
|
||||
# prometheus_rule_evaluation_failures = {
|
||||
# condition = "increase(prometheus_rule_evaluation_failures_total[3m]) > 0";
|
||||
# description = "Prometheus encountered {{ $value }} rule evaluation failures, leading to potentially ignored alerts.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}";
|
||||
# };
|
||||
|
||||
# prometheus_template_expansion_failures = {
|
||||
# condition = "increase(prometheus_template_text_expansion_failures_total[3m]) > 0";
|
||||
# time = "0m";
|
||||
# description = "Prometheus encountered {{ $value }} template text expansion failures\n VALUE = {{ $value }}\n LABELS = {{ $labels }}";
|
||||
# };
|
||||
|
||||
# promtail_file_lagging = {
|
||||
# condition = ''abs(promtail_file_bytes_total - promtail_read_bytes_total) > 1e6'';
|
||||
# time = "15m";
|
||||
# description = ''{{ $labels.instance }} {{ $labels.job }} {{ $labels.path }} has been lagging by more than 1MB for more than 15m.'';
|
||||
# };
|
||||
|
||||
filesystem_full_80percent = {
|
||||
condition = ''
|
||||
100 - ((node_filesystem_avail_bytes{fstype!="rootfs",mountpoint="/"} * 100) / node_filesystem_size_bytes{fstype!="rootfs",mountpoint="/"}) > 80'';
|
||||
time = "10m";
|
||||
description =
|
||||
"{{$labels.instance}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 20% space left on its filesystem.";
|
||||
};
|
||||
|
||||
# filesystem_inodes_full = {
|
||||
# condition = ''disk_inodes_free / disk_inodes_total < 0.10'';
|
||||
# time = "10m";
|
||||
# description = "{{$labels.instance}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 10% inodes left on its filesystem.";
|
||||
# };
|
||||
|
||||
# daily_task_not_run = {
|
||||
# # give 6 hours grace period
|
||||
# condition = ''time() - task_last_run{state="ok",frequency="daily"} > (24 + 6) * 60 * 60'';
|
||||
# description = "{{$labels.instance}}: {{$labels.name}} was not run in the last 24h";
|
||||
# };
|
||||
|
||||
# daily_task_failed = {
|
||||
# condition = ''task_last_run{state="fail"}'';
|
||||
# description = "{{$labels.instance}}: {{$labels.name}} failed to run";
|
||||
# };
|
||||
# } // (lib.genAttrs [
|
||||
# "borgbackup-turingmachine"
|
||||
# "borgbackup-eve"
|
||||
# "borgbackup-datastore"
|
||||
# ]
|
||||
# (name: {
|
||||
# condition = ''absent_over_time(task_last_run{name="${name}"}[1d])'';
|
||||
# description = "status of ${name} is unknown: no data for a day";
|
||||
# }))
|
||||
# // {
|
||||
|
||||
# borgbackup_matchbox_not_run = {
|
||||
# # give 6 hours grace period
|
||||
# condition = ''time() - task_last_run{state="ok",frequency="daily",name="borgbackup-matchbox"} > 7 * 24 * 60 * 60'';
|
||||
# description = "{{$labels.instance}}: {{$labels.name}} was not run in the last week";
|
||||
# };
|
||||
|
||||
# borgbackup_matchbox = {
|
||||
# condition = ''absent_over_time(task_last_run{name="borgbackup-matchbox"}[7d])'';
|
||||
# description = "status of borgbackup-matchbox is unknown: no data for a week";
|
||||
# };
|
||||
|
||||
# homeassistant = {
|
||||
# condition = ''
|
||||
# homeassistant_entity_available{domain="persistent_notification", entity!="persistent_notification.http_login"} >= 0'';
|
||||
# description =
|
||||
# "homeassistant notification {{$labels.entity}} ({{$labels.friendly_name}}): {{$value}}";
|
||||
# };
|
||||
|
||||
swap_using_20percent = {
|
||||
condition =
|
||||
"node_memory_SwapTotal_bytes - (node_memory_SwapCached_bytes + node_memory_SwapFree_bytes) > node_memory_SwapTotal_bytes * 0.2";
|
||||
time = "30m";
|
||||
description =
|
||||
"{{$labels.instance}} is using 20% of its swap space for at least 30 minutes.";
|
||||
};
|
||||
|
||||
systemd_service_failed = {
|
||||
condition = ''node_systemd_unit_state{state="failed"} == 1'';
|
||||
description =
|
||||
"{{$labels.instance}} failed to (re)start service {{$labels.name}}.";
|
||||
};
|
||||
|
||||
restic_backup_too_old = {
|
||||
condition = ''(time() - restic_snapshots_latest_time)/(60*60) > 24'';
|
||||
description = "{{$labels.instance}} not backed up for more than 24 hours. ({{$value}})";
|
||||
};
|
||||
|
||||
host_down = {
|
||||
condition = ''up{job="node-stats", instance!~"ahorn.wireguard:9100|kartoffel.wireguard:9100|mega.wireguard:9100"} == 0'';
|
||||
description = "{{$labels.instance}} is down!";
|
||||
};
|
||||
|
||||
# service_not_running = {
|
||||
# condition = ''systemd_units_active_code{name=~"teamspeak3-server.service|tt-rss.service", sub!="running"}'';
|
||||
# description = "{{$labels.instance}} should have a running {{$labels.name}}.";
|
||||
# };
|
||||
|
||||
ram_using_90percent = {
|
||||
condition =
|
||||
"node_memory_Buffers_bytes + node_memory_MemFree_bytes + node_memory_Cached_bytes < node_memory_MemTotal_bytes * 0.1";
|
||||
time = "1h";
|
||||
description =
|
||||
"{{$labels.instance}} is using at least 90% of its RAM for at least 1 hour.";
|
||||
};
|
||||
|
||||
cpu_using_90percent = {
|
||||
condition = ''
|
||||
100 - (avg by (instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) >= 90'';
|
||||
time = "10m";
|
||||
description =
|
||||
"{{$labels.instance}} is running with cpu usage > 90% for at least 10 minutes: {{$value}}";
|
||||
};
|
||||
|
||||
reboot = {
|
||||
condition = "node_boot_time_seconds < 300";
|
||||
description = "{{$labels.instance}} just rebooted.";
|
||||
};
|
||||
|
||||
uptime = {
|
||||
condition = "(time() - node_boot_time_seconds ) / (60*60*24) > 30";
|
||||
description =
|
||||
"Uptime monster: {{$labels.instance}} has been up for more than 30 days.";
|
||||
};
|
||||
|
||||
flake_nixpkgs_outdated = {
|
||||
condition = ''
|
||||
(time() - flake_input_last_modified{input="nixpkgs"}) / (60*60*24) > 30'';
|
||||
description =
|
||||
"Nixpkgs outdated: Nixpkgs on {{$labels.instance}} has not been updated in 30 days";
|
||||
};
|
||||
|
||||
/* ping = {
|
||||
condition = "ping_result_code{type!='mobile'} != 0";
|
||||
description = "{{$labels.url}}: ping from {{$labels.instance}} has failed!";
|
||||
};
|
||||
|
||||
ping_high_latency = {
|
||||
condition = "ping_average_response_ms{type!='mobile'} > 5000";
|
||||
description = "{{$labels.instance}}: ping probe from {{$labels.source}} is encountering high latency!";
|
||||
};
|
||||
*/
|
||||
http_status = {
|
||||
condition = ''
|
||||
probe_http_status_code{instance!~"https://megaclan3000.de"} != 200'';
|
||||
description =
|
||||
"http request failed from {{$labels.instance}}: {{$labels.result}}!";
|
||||
};
|
||||
/* http_match_failed = {
|
||||
condition = "http_response_response_string_match == 0";
|
||||
description = "{{$labels.server}} : http body not as expected; status code: {{$labels.status_code}}!";
|
||||
};
|
||||
dns_query = {
|
||||
condition = "dns_query_result_code != 0";
|
||||
description = "{{$labels.domain}} : could retrieve A record {{$labels.instance}} from server {{$labels.server}}: {{$labels.result}}!";
|
||||
};
|
||||
secure_dns_query = {
|
||||
condition = "secure_dns_state != 0";
|
||||
description = "{{$labels.domain}} : could retrieve A record {{$labels.instance}} from server {{$labels.server}}: {{$labels.result}} for protocol {{$labels.protocol}}!";
|
||||
};
|
||||
connection_failed = {
|
||||
condition = "net_response_result_code != 0";
|
||||
description = "{{$labels.server}}: connection to {{$labels.port}}({{$labels.protocol}}) failed from {{$labels.instance}}";
|
||||
};
|
||||
healthchecks = {
|
||||
condition = "hc_check_up == 0";
|
||||
description = "{{$labels.instance}}: healtcheck {{$labels.job}} fails!";
|
||||
};
|
||||
*/
|
||||
cert_expiry = {
|
||||
condition = "(probe_ssl_earliest_cert_expiry - time())/(3600*24) < 30";
|
||||
description =
|
||||
"{{$labels.instance}}: The TLS certificate will expire in less than 30 days: {{$value}}s";
|
||||
};
|
||||
|
||||
# ignore devices that disabled S.M.A.R.T (example if attached via USB)
|
||||
|
||||
# smart_errors = {
|
||||
# condition = ''smart_device_health_ok{enabled!="Disabled"} != 1'';
|
||||
# description =
|
||||
# "{{$labels.instance}}: S.M.A.R.T reports: {{$labels.device}} ({{$labels.model}}) has errors.";
|
||||
# };
|
||||
|
||||
oom_kills = {
|
||||
condition = "increase(node_vmstat_oom_kill[5m]) > 0";
|
||||
description = "{{$labels.instance}}: OOM kill detected";
|
||||
};
|
||||
|
||||
/* unusual_disk_read_latency = {
|
||||
condition =
|
||||
"rate(diskio_read_time[1m]) / rate(diskio_reads[1m]) > 0.1 and rate(diskio_reads[1m]) > 0";
|
||||
description = ''
|
||||
{{$labels.instance}}: Disk latency is growing (read operations > 100ms)
|
||||
'';
|
||||
};
|
||||
|
||||
unusual_disk_write_latency = {
|
||||
condition =
|
||||
"rate(diskio_write_time[1m]) / rate(diskio_write[1m]) > 0.1 and rate(diskio_write[1m]) > 0";
|
||||
description = ''
|
||||
{{$labels.instance}}: Disk latency is growing (write operations > 100ms)
|
||||
'';
|
||||
};
|
||||
*/
|
||||
|
||||
host_memory_under_memory_pressure = {
|
||||
condition = "rate(node_vmstat_pgmajfault[1m]) > 1000";
|
||||
description =
|
||||
"{{$labels.instance}}: The node is under heavy memory pressure. High rate of major page faults: {{$value}}";
|
||||
};
|
||||
|
||||
# ext4_errors = {
|
||||
# condition = "ext4_errors_value > 0";
|
||||
# description =
|
||||
# "{{$labels.instance}}: ext4 has reported {{$value}} I/O errors: check /sys/fs/ext4/*/errors_count";
|
||||
# };
|
||||
|
||||
# alerts_silences_changed = {
|
||||
# condition = ''abs(delta(alertmanager_silences{state="active"}[1h])) >= 1'';
|
||||
# description =
|
||||
# "alertmanager: number of active silences has changed: {{$value}}";
|
||||
# };
|
||||
})
|
|
@ -37,14 +37,6 @@
|
|||
reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port}
|
||||
'';
|
||||
};
|
||||
"alerts.pub.solar" = {
|
||||
logFormat = lib.mkForce ''
|
||||
output discard
|
||||
'';
|
||||
extraConfig = ''
|
||||
reverse_proxy 10.7.6.2:${toString config.services.prometheus.alertmanager.port}
|
||||
'';
|
||||
};
|
||||
"grafana.pub.solar" = {
|
||||
logFormat = lib.mkForce ''
|
||||
output discard
|
||||
|
|
|
@ -72,13 +72,12 @@
|
|||
autoStart = true;
|
||||
user = "994";
|
||||
ports = [
|
||||
"127.0.0.1:4000:80"
|
||||
"4000:80"
|
||||
];
|
||||
dependsOn = [ "drone-db" ];
|
||||
extraOptions = [
|
||||
"--network=drone-net"
|
||||
"--pull=always"
|
||||
"--add-host=nachtigall.pub.solar:10.7.6.1"
|
||||
];
|
||||
environment = {
|
||||
DRONE_GITEA_SERVER = "https://git.pub.solar";
|
||||
|
@ -102,7 +101,6 @@
|
|||
extraOptions = [
|
||||
"--network=drone-net"
|
||||
"--pull=always"
|
||||
"--add-host=nachtigall.pub.solar:10.7.6.1"
|
||||
];
|
||||
environment = {
|
||||
DRONE_RPC_HOST = "ci.pub.solar";
|
||||
|
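Review bot: The Drone container's port mapping changes from `"127.0.0.1:4000:80"` to `"4000:80"` in the first hunk under `ports = [` (the hunk counts fix that one of the pair is removed and one added; which is the new side is inferred from print order). Without the loopback prefix the container runtime publishes port 4000 on every host interface, so the service becomes reachable directly, bypassing whatever reverse proxy sits in front of it, unless the host firewall filters that port. Keeping `"127.0.0.1:4000:80"` preserves the loopback-only binding; if wider exposure is intended, a comment on that line saying where the port is filtered would help. Both hunks also drop `"--add-host=nachtigall.pub.solar:10.7.6.1"`, consistent with the VPN-internal addressing being removed elsewhere in this compare, and both container definitions begin before and continue after their hunks.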
|
|
@ -13,43 +13,16 @@
|
|||
# Needed for the docker runner to communicate with the act_runner cache
|
||||
networking.firewall.trustedInterfaces = [ "br-+" ];
|
||||
|
||||
users.users.gitea-runner = {
|
||||
home = "/var/lib/gitea-runner/flora-6";
|
||||
useDefaultShell = true;
|
||||
group = "gitea-runner";
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
users.groups.gitea-runner = {};
|
||||
|
||||
systemd.services."gitea-runner-flora\\x2d6".serviceConfig = {
|
||||
DynamicUser = lib.mkForce false;
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '/data/gitea-actions-runner' 0750 gitea-runner gitea-runner - -"
|
||||
"d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -"
|
||||
];
|
||||
|
||||
# forgejo actions runner
|
||||
# https://forgejo.org/docs/latest/admin/actions/
|
||||
# https://docs.gitea.com/usage/actions/quickstart
|
||||
services.gitea-actions-runner = {
|
||||
package = pkgs.forgejo-runner;
|
||||
package = pkgs.forgejo-actions-runner;
|
||||
instances."flora-6" = {
|
||||
enable = true;
|
||||
name = config.networking.hostName;
|
||||
url = "https://git.pub.solar";
|
||||
tokenFile = config.age.secrets.forgejo-actions-runner-token.path;
|
||||
settings = {
|
||||
cache = {
|
||||
enabled = true;
|
||||
dir = "/data/gitea-actions-runner/actcache";
|
||||
host = "";
|
||||
port = 0;
|
||||
external_server = "";
|
||||
};
|
||||
};
|
||||
labels = [
|
||||
# provide a debian 12 bookworm base with Node.js for actions
|
||||
"debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
|
||||
|
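Review bot: `networking.firewall.trustedInterfaces = [ "br-+" ]` stays (context line at the top of the hunk) together with the comment that it is needed for the runner's cache, yet the hunk counts (43 old, 16 new, a single addition) mean the whole `settings.cache` block — `enabled = true` and `dir = "/data/gitea-actions-runner/actcache"` included — is removed on the new side along with the tmpfiles rules that created that directory. Trusting every interface matching `br-*` accepts all traffic arriving on any Docker bridge network without firewall filtering, so once the cache it was justifying is gone the exemption should either be removed or its comment updated to name the remaining reason. The static `gitea-runner` user, group and the `DynamicUser = lib.mkForce false` override are also dropped, so the unit presumably runs under the module's default dynamic user; a comment on `instances."flora-6"` stating which user owns the runner state would make that explicit. The `services.gitea-actions-runner` set continues past the end of the hunk.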
|
|
@ -65,50 +65,5 @@
|
|||
}];
|
||||
}
|
||||
];
|
||||
|
||||
ruleFiles = [
|
||||
(pkgs.writeText "prometheus-rules.yml" (builtins.toJSON {
|
||||
groups = [{
|
||||
name = "alerting-rules";
|
||||
rules = import ./alert-rules.nix { inherit lib; };
|
||||
}];
|
||||
}))
|
||||
];
|
||||
|
||||
alertmanagers = [{ static_configs = [{ targets = [ "localhost:9093" ]; }]; }];
|
||||
|
||||
alertmanager = {
|
||||
enable = true;
|
||||
# port = 9093; # Default
|
||||
webExternalUrl = "https://alerts.pub.solar"; # TODO use a proper url?
|
||||
# environmentFile = "${config.age.secrets.nachtigall-alertmanager-envfile.path}";
|
||||
configuration = {
|
||||
|
||||
route = {
|
||||
receiver = "all";
|
||||
group_by = [ "instance" ];
|
||||
group_wait = "30s";
|
||||
group_interval = "2m";
|
||||
repeat_interval = "24h";
|
||||
};
|
||||
|
||||
receivers = [{
|
||||
name = "all";
|
||||
# Email config documentation: https://prometheus.io/docs/alerting/latest/configuration/#email_config
|
||||
email_configs = [{
|
||||
send_resolved = true;
|
||||
to = "TODO";
|
||||
from = "alerts@pub.solar";
|
||||
smarthost = "TODO";
|
||||
auth_username = "TODO";
|
||||
auth_password_file = "${config.age.secrets.nachtigall-alertmanager-smtp-password.path}";
|
||||
require_tls = true;
|
||||
}];
|
||||
# TODO:
|
||||
# For matrix notifications, look into: https://github.com/pinpox/matrix-hook and add a webhook
|
||||
# webhook_configs = [ { url = "http://127.0.0.1:11000/alert"; } ];
|
||||
}];
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -35,7 +35,6 @@ in
|
|||
#systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
|
||||
systemd.network.wait-online.ignoredInterfaces = [
|
||||
"docker0"
|
||||
"wg-ssh"
|
||||
];
|
||||
|
||||
# List services that you want to enable:
|
||||
|
|
|
@ -7,7 +7,6 @@
|
|||
./hardware-configuration.nix
|
||||
./configuration.nix
|
||||
./triton-vmtools.nix
|
||||
./wireguard.nix
|
||||
|
||||
./apps/caddy.nix
|
||||
|
||||
|
|
|
@ -1,40 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
flake,
|
||||
... }:
|
||||
{
|
||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||
|
||||
age.secrets.wg-private-key.file = "${flake.self}/secrets/flora6-wg-private-key.age";
|
||||
|
||||
networking.wireguard.interfaces = {
|
||||
wg-ssh = {
|
||||
listenPort = 51820;
|
||||
mtu = 1300;
|
||||
ips = [
|
||||
"10.7.6.2/32"
|
||||
"fd00:fae:fae:fae:fae:2::/96"
|
||||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
{ # nachtigall.pub.solar
|
||||
endpoint = "138.201.80.102:51820";
|
||||
publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
|
||||
allowedIPs = [ "10.7.6.1/32" "fd00:fae:fae:fae:fae:1::/96" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh.listenAddresses = [
|
||||
{
|
||||
addr = "10.7.6.2";
|
||||
port = 22;
|
||||
}
|
||||
{
|
||||
addr = "[fd00:fae:fae:fae:fae:2::]";
|
||||
port = 22;
|
||||
}
|
||||
];
|
||||
}
|
|
@ -16,19 +16,6 @@
|
|||
owner = "gitea";
|
||||
};
|
||||
|
||||
age.secrets.forgejo-ssh-private-key = {
|
||||
file = "${flake.self}/secrets/forgejo-ssh-private-key.age";
|
||||
mode = "600";
|
||||
owner = "gitea";
|
||||
path = "/etc/forgejo/ssh/id_forgejo";
|
||||
};
|
||||
|
||||
environment.etc."forgejo/ssh/id_forgejo.pub" = {
|
||||
text = "ssh-rsa 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";
|
||||
mode = "600";
|
||||
user = "gitea";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."git.pub.solar" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
@ -45,46 +32,23 @@
|
|||
};
|
||||
};
|
||||
|
||||
users.users.gitea = {
|
||||
home = "/var/lib/forgejo";
|
||||
useDefaultShell = true;
|
||||
group = "gitea";
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
users.groups.gitea = {};
|
||||
|
||||
# Expose SSH port only for forgejo SSH
|
||||
networking.firewall.interfaces.enp35s0.allowedTCPPorts = [ 2223 ];
|
||||
networking.firewall.extraCommands = ''
|
||||
iptables -t nat -i enp35s0 -I PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 2223
|
||||
ip6tables -t nat -i enp35s0 -I PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 2223
|
||||
'';
|
||||
|
||||
services.forgejo = {
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
user = "gitea";
|
||||
group = "gitea";
|
||||
package = pkgs.forgejo;
|
||||
appName = "pub.solar git server";
|
||||
database = {
|
||||
type = "postgres";
|
||||
passwordFile = config.age.secrets.forgejo-database-password.path;
|
||||
name = "gitea";
|
||||
user = "gitea";
|
||||
};
|
||||
stateDir = "/var/lib/forgejo";
|
||||
lfs.enable = true;
|
||||
mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
|
||||
settings = {
|
||||
DEFAULT.APP_NAME = "pub.solar git server";
|
||||
|
||||
server = {
|
||||
ROOT_URL = "https://git.pub.solar";
|
||||
DOMAIN = "git.pub.solar";
|
||||
HTTP_ADDR = "127.0.0.1";
|
||||
HTTP_PORT = 3000;
|
||||
START_SSH_SERVER = true;
|
||||
SSH_LISTEN_PORT = 2223;
|
||||
SSH_SERVER_HOST_KEYS = "${config.age.secrets."forgejo-ssh-private-key".path}";
|
||||
};
|
||||
|
||||
log.LEVEL = "Warn";
|
||||
|
@ -133,19 +97,6 @@
|
|||
# the value of DEFAULT_ACTIONS_URL is prepended to it.
|
||||
DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
|
||||
};
|
||||
|
||||
# https://forgejo.org/docs/next/admin/recommendations/#securitylogin_remember_days
|
||||
security = {
|
||||
LOGIN_REMEMBER_DAYS = 365;
|
||||
};
|
||||
|
||||
# https://forgejo.org/docs/next/admin/config-cheat-sheet/#indexer-indexer
|
||||
indexer = {
|
||||
REPO_INDEXER_ENABLED = true;
|
||||
REPO_INDEXER_PATH = "indexers/repos.bleve";
|
||||
MAX_FILE_SIZE = 1048576;
|
||||
REPO_INDEXER_EXCLUDE = "resources/bin/**";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -190,11 +141,6 @@
|
|||
backupCleanupCommand = ''
|
||||
rm /tmp/forgejo-backup.sql
|
||||
'';
|
||||
pruneOpts = [
|
||||
"--keep-daily 7"
|
||||
"--keep-weekly 4"
|
||||
"--keep-monthly 3"
|
||||
];
|
||||
};
|
||||
|
||||
services.restic.backups.forgejo-storagebox = {
|
||||
|
@ -214,10 +160,5 @@
|
|||
backupCleanupCommand = ''
|
||||
rm /tmp/forgejo-backup.sql
|
||||
'';
|
||||
pruneOpts = [
|
||||
"--keep-daily 7"
|
||||
"--keep-weekly 4"
|
||||
"--keep-monthly 3"
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -64,11 +64,6 @@
|
|||
backupCleanupCommand = ''
|
||||
rm /tmp/keycloak-backup.sql
|
||||
'';
|
||||
pruneOpts = [
|
||||
"--keep-daily 7"
|
||||
"--keep-weekly 4"
|
||||
"--keep-monthly 3"
|
||||
];
|
||||
};
|
||||
|
||||
services.restic.backups.keycloak-storagebox = {
|
||||
|
@ -87,10 +82,5 @@
|
|||
backupCleanupCommand = ''
|
||||
rm /tmp/keycloak-backup.sql
|
||||
'';
|
||||
pruneOpts = [
|
||||
"--keep-daily 7"
|
||||
"--keep-weekly 4"
|
||||
"--keep-monthly 3"
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -94,11 +94,6 @@
|
|||
initialize = true;
|
||||
passwordFile = config.age.secrets."restic-repo-droppie".path;
|
||||
repository = "sftp:yule@droppie.b12f.io:/media/internal/pub.solar";
|
||||
pruneOpts = [
|
||||
"--keep-daily 7"
|
||||
"--keep-weekly 4"
|
||||
"--keep-monthly 3"
|
||||
];
|
||||
};
|
||||
|
||||
services.restic.backups.mailman-storagebox = {
|
||||
|
@ -114,10 +109,5 @@
|
|||
initialize = true;
|
||||
passwordFile = config.age.secrets."restic-repo-storagebox".path;
|
||||
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
|
||||
pruneOpts = [
|
||||
"--keep-daily 7"
|
||||
"--keep-weekly 4"
|
||||
"--keep-monthly 3"
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -61,9 +61,6 @@
|
|||
passwordFile = "/run/agenix/mastodon-smtp-password";
|
||||
fromAddress = "mastodon-notifications@pub.solar";
|
||||
};
|
||||
mediaAutoRemove = {
|
||||
olderThanDays = 7;
|
||||
};
|
||||
extraEnvFiles = [
|
||||
"/run/agenix/mastodon-extra-env-secrets"
|
||||
];
|
||||
|
@ -114,11 +111,6 @@
|
|||
backupCleanupCommand = ''
|
||||
rm /tmp/mastodon-backup.sql
|
||||
'';
|
||||
pruneOpts = [
|
||||
"--keep-daily 7"
|
||||
"--keep-weekly 4"
|
||||
"--keep-monthly 3"
|
||||
];
|
||||
};
|
||||
|
||||
services.restic.backups.mastodon-storagebox = {
|
||||
|
@ -137,10 +129,5 @@
|
|||
backupCleanupCommand = ''
|
||||
rm /tmp/mastodon-backup.sql
|
||||
'';
|
||||
pruneOpts = [
|
||||
"--keep-daily 7"
|
||||
"--keep-weekly 4"
|
||||
"--keep-monthly 3"
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -13,6 +13,11 @@ let
|
|||
synapseClientPort = "${toString listenerWithClient.port}";
|
||||
in
|
||||
{
|
||||
systemd.services.matrix-appservice-irc.serviceConfig.SystemCallFilter = lib.mkForce [
|
||||
"@system-service @pkey"
|
||||
"~@privileged @resources"
|
||||
"@chown"
|
||||
];
|
||||
services.matrix-appservice-irc = {
|
||||
enable = true;
|
||||
localpart = "irc_bot";
|
||||
|
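Review bot: `lib.mkForce` on `systemd.services.matrix-appservice-irc.serviceConfig.SystemCallFilter` replaces whatever seccomp filter the upstream module sets instead of extending it, and the trailing `"@chown"` re-allows a syscall group that `~@privileged` on the line before excludes, so the reason for the override should be on record. Add a comment above it, e.g. `# Replaces the module's SystemCallFilter: the bridge needs the chown family (excluded by ~@privileged) for <path — TODO confirm>; everything else stays at the @system-service baseline`. If the intent is only to add entries to the module's list, `lib.mkAfter [ "@chown" ]` would do that without discarding the upstream filter. The module's argument list (`lib` must be in it) is outside this hunk.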
|
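--- /dev/null
+++ b/hosts/nachtigall/apps/matrix/mjolnir.nix
@@ -0,0 +1,47 @@
+{ lib, flake, ... }:
+{
+  age.secrets."matrix-mjolnir-password" = {
+    file = "${flake.self}/secrets/matrix-mjolnir-password.age";
+    mode = "640";
+    owner = "root";
+    group = "mjolnir";
+  };
+
+  # Adopted from:
+  # https://github.com/NixOS/nixos-org-configurations/blob/42ab3d94c0b5995f2ea05eb0b20b4759192c01ff/non-critical-infra/modules/mjolnir.nix
+  #
+  # pantalaimon takes ages to start up, so mjolnir could hit the systemd burst
+  # limit and then just be down forever. We don't want mjolnir to ever go down,
+  # so disable rate-limiting and allow it to flap until pantalaimon is alive.
+  systemd.services.mjolnir.serviceConfig.Restart = lib.mkForce "always";
+  systemd.services.mjolnir.serviceConfig.RestartSec = 3;
+  systemd.services.mjolnir.unitConfig.StartLimitIntervalSec = 0;
+
+  services.pantalaimon-headless.instances.mjolnir.listenAddress = "127.0.0.1";
+
+  services.mjolnir = {
+    enable = true;
+    homeserverUrl = "https://matrix.pub.solar:443";
+
+    pantalaimon = {
+      enable = true;
+      username = "mjolnir";
+      passwordFile = "/run/agenix/matrix-mjolnir-password";
+      options = {
+        listenAddress = "127.0.0.1";
+      };
+    };
+
+    managementRoom = "#moderators:pub.solar";
+
+    # https://github.com/matrix-org/mjolnir/blob/master/config/default.yaml
+    settings = {
+      noop = false;
+      protectAllJoinedRooms = true;
+      fasterMembershipChecks = true;
+
+      # too noisy
+      verboseLogging = false;
+    };
+  };
+}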
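Review bot: `passwordFile = "/run/agenix/matrix-mjolnir-password";` hard-codes the agenix mount path of a secret that the `age.secrets."matrix-mjolnir-password"` block in the same file already declares, so the two can silently drift if a `path` or a different secrets mount is ever configured. Add `config` to the module arguments and reference the declaration instead: `passwordFile = config.age.secrets."matrix-mjolnir-password".path;`. The `mode = "640"` / `group = "mjolnir"` pairing presumably exists so the pantalaimon instance, running under that group, can read the bot password; a one-line comment such as `# group-readable so the mjolnir pantalaimon instance can log the bot in` would record that intent next to the permissions.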
@ -188,7 +188,6 @@ in
|
|||
per_second = 0.17;
|
||||
};
|
||||
redaction_retention_period = "7d";
|
||||
forgotten_room_retention_period = "7d";
|
||||
redis.enabled = false;
|
||||
registration_requires_token = false;
|
||||
registrations_require_3pid = [ "email" ];
|
||||
|
@ -255,6 +254,31 @@ in
|
|||
# "/matrix-mautrix-signal-registration.yaml"
|
||||
# "/matrix-mautrix-telegram-registration.yaml"
|
||||
];
|
||||
|
||||
modules = [
|
||||
{
|
||||
module = "mjolnir.Module";
|
||||
config = {
|
||||
# Prevent servers/users in the ban lists from inviting users on this
|
||||
# server to rooms. Default true.
|
||||
block_invites = true;
|
||||
# Flag messages sent by servers/users in the ban lists as spam. Currently
|
||||
# this means that spammy messages will appear as empty to users. Default
|
||||
# false.
|
||||
block_messages = false;
|
||||
# Remove users from the user directory search by filtering matrix IDs and
|
||||
# display names by the entries in the user ban list. Default false.
|
||||
block_usernames = false;
|
||||
# The room IDs of the ban lists to honour. Unlike other parts of Mjolnir,
|
||||
# this list cannot be room aliases or permalinks. This server is expected
|
||||
# to already be joined to the room - Mjolnir will not automatically join
|
||||
# these rooms.
|
||||
ban_lists = [
|
||||
"!roomid:example.org"
|
||||
];
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
withJemalloc = true;
|
||||
|
@ -276,8 +300,9 @@ in
|
|||
"redis"
|
||||
];
|
||||
|
||||
plugins = [
|
||||
config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth
|
||||
plugins = with config.services.matrix-synapse.package.plugins; [
|
||||
matrix-synapse-shared-secret-auth
|
||||
matrix-synapse-mjolnir-antispam
|
||||
];
|
||||
|
||||
sliding-sync = {
|
||||
|
@ -312,10 +337,5 @@ in
|
|||
backupCleanupCommand = ''
|
||||
rm /tmp/matrix-synapse-backup.sql
|
||||
'';
|
||||
pruneOpts = [
|
||||
"--keep-daily 7"
|
||||
"--keep-weekly 4"
|
||||
"--keep-monthly 3"
|
||||
];
|
||||
};
|
||||
}
|
||||
|
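Review bot: `ban_lists = [ "!roomid:example.org" ];` in the `mjolnir.Module` config of the second hunk is a placeholder, so the antispam module is enabled with `block_invites = true` against a ban-list room that does not exist; the comment directly above it states that the server must already be joined to the listed rooms and that aliases are not accepted. Either fill in the real ban-list room ID (a room ID, not an alias such as the `#moderators:pub.solar` used for the bot's management room) before merging, or leave the `modules` entry out until one exists. The `settings` block that encloses `modules` starts outside this hunk.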
|
|
@ -208,7 +208,7 @@ in
|
|||
backend = "docker";
|
||||
|
||||
containers."mediawiki" = {
|
||||
image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.41.1";
|
||||
image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.41.0";
|
||||
user = "1000:${builtins.toString gid}";
|
||||
autoStart = true;
|
||||
|
||||
|
|
|
@ -97,7 +97,6 @@
|
|||
integrity.check.disabled = false;
|
||||
updater.release.channel = "stable";
|
||||
loglevel = 0;
|
||||
maintenance_window_start = "1";
|
||||
# maintenance = false;
|
||||
app_install_overwrite = [
|
||||
"pdfdraw"
|
||||
|
@ -150,11 +149,6 @@
|
|||
backupCleanupCommand = ''
|
||||
rm /tmp/nextcloud-backup.sql
|
||||
'';
|
||||
pruneOpts = [
|
||||
"--keep-daily 7"
|
||||
"--keep-weekly 4"
|
||||
"--keep-monthly 3"
|
||||
];
|
||||
};
|
||||
|
||||
services.restic.backups.nextcloud-storagebox = {
|
||||
|
@ -174,10 +168,5 @@
|
|||
backupCleanupCommand = ''
|
||||
rm /tmp/nextcloud-backup.sql
|
||||
'';
|
||||
pruneOpts = [
|
||||
"--keep-daily 7"
|
||||
"--keep-weekly 4"
|
||||
"--keep-monthly 3"
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,43 +0,0 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '/srv/www/miom.space' 0750 hakkonaut hakkonaut - -"
|
||||
];
|
||||
|
||||
services.nginx.virtualHosts = {
|
||||
"www.miom.space" = {
|
||||
enableACME = true;
|
||||
addSSL = true;
|
||||
|
||||
extraConfig = ''
|
||||
error_log /dev/null;
|
||||
access_log /dev/null;
|
||||
'';
|
||||
|
||||
locations."/" = {
|
||||
extraConfig = ''
|
||||
return 301 https://miom.space$request_uri;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
"miom.space" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
extraConfig = ''
|
||||
error_log /dev/null;
|
||||
access_log /dev/null;
|
||||
'';
|
||||
|
||||
locations = {
|
||||
"/" = {
|
||||
root = "/srv/www/miom.space";
|
||||
index = "index.html";
|
||||
tryFiles = "$uri $uri/ =404";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,4 +1,6 @@
|
|||
{ lib, ... }: {
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '/srv/www/pub.solar' 0750 hakkonaut hakkonaut - -"
|
||||
];
|
||||
|
@ -7,12 +9,6 @@
|
|||
"www.pub.solar" = {
|
||||
enableACME = true;
|
||||
addSSL = true;
|
||||
|
||||
extraConfig = ''
|
||||
error_log /dev/null;
|
||||
access_log /dev/null;
|
||||
'';
|
||||
|
||||
locations."/" = {
|
||||
extraConfig = ''
|
||||
return 301 https://pub.solar$request_uri;
|
||||
|
@ -25,11 +21,6 @@
|
|||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
extraConfig = ''
|
||||
error_log /dev/null;
|
||||
access_log /dev/null;
|
||||
'';
|
||||
|
||||
locations = {
|
||||
# serve base domain pub.solar for mastodon.pub.solar
|
||||
# https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/
|
||||
|
@ -52,22 +43,6 @@
|
|||
'';
|
||||
};
|
||||
|
||||
# Responsible disclosure information https://securitytxt.org/
|
||||
"/.well-known/security.txt" = let
|
||||
securityTXT = lib.lists.foldr (a: b: a + "\n" + b) "" [
|
||||
"Contact: mailto:admins@pub.solar"
|
||||
"Expires: 2025-01-04T23:00:00.000Z"
|
||||
"Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/8A8987ADE3736C8CA2EB315A9B809EBBDD62BAE3"
|
||||
"Preferred-Languages: en,de"
|
||||
"Canonical: https://pub.solar/.well-known/security.txt"
|
||||
];
|
||||
in {
|
||||
extraConfig = ''
|
||||
add_header Content-Type text/plain;
|
||||
return 200 '${securityTXT}';
|
||||
'';
|
||||
};
|
||||
|
||||
"/satzung" = {
|
||||
extraConfig = ''
|
||||
return 302 https://cloud.pub.solar/s/iaKqiW25QJpHPYs;
|
||||
|
|
|
@ -24,13 +24,6 @@ in
|
|||
# https://my.f5.com/manage/s/article/K51798430
|
||||
proxy_headers_hash_bucket_size 128;
|
||||
'';
|
||||
appendConfig = ''
|
||||
# Number of CPU cores
|
||||
worker_processes 8;
|
||||
'';
|
||||
eventsConfig = ''
|
||||
worker_connections 1024;
|
||||
'';
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
|
|
|
@ -1,9 +0,0 @@
|
|||
{ ... }:
|
||||
{
|
||||
services.tmate-ssh-server = {
|
||||
enable = true;
|
||||
port = 2222;
|
||||
openFirewall = true;
|
||||
host = "tmate.pub.solar";
|
||||
};
|
||||
}
|
|
@ -8,7 +8,6 @@
|
|||
./configuration.nix
|
||||
|
||||
./networking.nix
|
||||
./wireguard.nix
|
||||
./backups.nix
|
||||
./apps/nginx.nix
|
||||
|
||||
|
@ -24,14 +23,12 @@
|
|||
./apps/nginx-mastodon-files.nix
|
||||
./apps/nginx-prometheus-exporters.nix
|
||||
./apps/nginx-website.nix
|
||||
./apps/nginx-website-miom.nix
|
||||
./apps/opensearch.nix
|
||||
./apps/owncast.nix
|
||||
./apps/postgresql.nix
|
||||
./apps/prometheus-exporters.nix
|
||||
./apps/promtail.nix
|
||||
./apps/searx.nix
|
||||
./apps/tmate.nix
|
||||
|
||||
./apps/matrix/irc.nix
|
||||
./apps/matrix/mautrix-telegram.nix
|
||||
|
|
|
@ -1,8 +1,4 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
flake,
|
||||
... }:
|
||||
{ config, pkgs, ... }:
|
||||
{
|
||||
|
||||
networking.hostName = "nachtigall";
|
||||
|
|
|
@ -1,40 +0,0 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
flake,
|
||||
... }:
|
||||
{
|
||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||
|
||||
age.secrets.wg-private-key.file = "${flake.self}/secrets/nachtigall-wg-private-key.age";
|
||||
|
||||
networking.wireguard.interfaces = {
|
||||
wg-ssh = {
|
||||
listenPort = 51820;
|
||||
mtu = 1300;
|
||||
ips = [
|
||||
"10.7.6.1/32"
|
||||
"fd00:fae:fae:fae:fae:1::/96"
|
||||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
{ # flora-6.pub.solar
|
||||
endpoint = "80.71.153.210:51820";
|
||||
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
|
||||
allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh.listenAddresses = [
|
||||
{
|
||||
addr = "10.7.6.1";
|
||||
port = 22;
|
||||
}
|
||||
{
|
||||
addr = "[fd00:fae:fae:fae:fae:1::]";
|
||||
port = 22;
|
||||
}
|
||||
];
|
||||
}
|
|
@ -1,72 +0,0 @@
|
|||
{
|
||||
axeman = rec {
|
||||
sshPubKeys = {
|
||||
axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix";
|
||||
};
|
||||
|
||||
secretEncryptionKeys = sshPubKeys;
|
||||
|
||||
wireguardDevices = [
|
||||
{
|
||||
# tuxnix
|
||||
publicKey = "fTvULvdsc92binFaBV+uWwFi33bi8InShcaPnoxUZEA=";
|
||||
allowedIPs = [ "10.7.6.203/32" "fd00:fae:fae:fae:fae:203::/96" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
b12f = rec {
|
||||
sshPubKeys = {
|
||||
b12f-gpg = "ssh-rsa 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 yubi-gpg";
|
||||
};
|
||||
|
||||
secretEncryptionKeys = {
|
||||
bbcom = "ssh-rsa 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 hello@benjaminbaedorf.com";
|
||||
yubi485 = "age1yubikey1qgxuu2x3uzw7k5pg5sp2dv43edhwdz3xuhj7kjqrnw0p8t0l67c5yz9nm6q";
|
||||
yubi464 = "age1yubikey1qd7szmr9ux2znl4x4hzykkwaru60nr4ufu6kdd88sm7657gjz4x5w0jy4y7";
|
||||
} // sshPubKeys;
|
||||
|
||||
wireguardDevices = [
|
||||
{ # stroopwafel
|
||||
publicKey = "NNb7T8Jmn+V2dTZ8T6Fcq7hGomHGDckKoV3kK2oAhSE=";
|
||||
allowedIPs = [ "10.7.6.200/32" "fd00:fae:fae:fae:fae:200::/96" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
hensoko = rec {
|
||||
sshPubKeys = {
|
||||
hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb";
|
||||
hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy";
|
||||
};
|
||||
|
||||
secretEncryptionKeys = sshPubKeys;
|
||||
wireguardDevices = [
|
||||
{ # judy
|
||||
publicKey = "I+gN7v1VXkAGoSir6L8aebtLbguvy5nAx1QVDTzdckk=";
|
||||
allowedIPs = [ "10.7.6.202/32" "fd00:fae:fae:fae:fae:202::/96" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
teutat3s = {
|
||||
sshPubKeys = {
|
||||
teutat3s-1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a";
|
||||
};
|
||||
|
||||
secretEncryptionKeys = {
|
||||
teutat3s-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
|
||||
};
|
||||
|
||||
wireguardDevices = [
|
||||
{ # dumpyourvms
|
||||
publicKey = "3UrVLQrwXnPAVXPiTAd7eM3fZYxnFSYgKAGpNMUwnUk=";
|
||||
allowedIPs = [ "10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96" ];
|
||||
}
|
||||
{ # ryzensun
|
||||
publicKey = "oVF2/s7eIxyVjtG0MhKPx5SZ1JllZg+ZFVF2eVYtPGo=";
|
||||
allowedIPs = [ "10.7.6.204/32" "fd00:fae:fae:fae:fae:204::/96" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
|
@ -1,14 +0,0 @@
|
|||
{ lib, ... }: let
|
||||
admins = import ./admins.nix;
|
||||
robots = import ./robots.nix;
|
||||
in {
|
||||
flake = {
|
||||
logins = {
|
||||
admins = lib.lists.foldl (logins: adminConfig: {
|
||||
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
|
||||
wireguardDevices = logins.wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else []);
|
||||
}) { sshPubKeys = []; wireguardDevices = []; } (lib.attrsets.attrValues admins);
|
||||
robots.sshPubKeys = lib.attrsets.attrValues robots;
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,15 +1,6 @@
|
|||
{ pkgs, lib, ... }: {
|
||||
# Don't expose SSH via public interfaces
|
||||
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
|
||||
|
||||
networking.hosts = {
|
||||
"10.7.6.1" = ["nachtigall.pub.solar"];
|
||||
"10.7.6.2" = ["flora-6.pub.solar"];
|
||||
};
|
||||
|
||||
{ pkgs, ... }: {
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
openFirewall = lib.mkDefault false;
|
||||
settings = {
|
||||
PermitRootLogin = "prohibit-password";
|
||||
PasswordAuthentication = false;
|
||||
|
@ -36,11 +27,14 @@
|
|||
|
||||
services.resolved = {
|
||||
enable = true;
|
||||
# DNSSEC=false because of random SERVFAIL responses with Greenbaum DNS
|
||||
# when using allow-downgrade, see https://github.com/systemd/systemd/issues/10579
|
||||
extraConfig = ''
|
||||
DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu 2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
|
||||
FallbackDNS=5.1.66.255#dot.ffmuc.net 185.150.99.255#dot.ffmuc.net 2001:678:e68:f000::#dot.ffmuc.net 2001:678:ed0:f000::#dot.ffmuc.net
|
||||
Domains=~.
|
||||
DNSOverTLS=yes
|
||||
DNSSEC=false
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
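Review bot: On the new side of the first hunk (`{ pkgs, ... }: {`) the `openFirewall = lib.mkDefault false;` line and the `networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];` entry appear to be dropped, as far as the 15 → 6 line counts allow to tell; `services.openssh.openFirewall` defaults to true, so sshd would then be opened on every interface rather than only over the WireGuard link, which is what the removed `# Don't expose SSH via public interfaces` comment was guarding. If exposing port 22 publicly is intended now that the WireGuard configuration is gone, say so in place of the removed comment, e.g. `# SSH is reachable on all interfaces; the wg-ssh-only restriction went away with the WireGuard setup`; otherwise keep `openFirewall = lib.mkDefault false;` (which needs `lib` back in the argument set). The `services.openssh` block continues past this hunk.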
|
|
@ -10,7 +10,7 @@
|
|||
|
||||
# Please create this manually the first time.
|
||||
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
|
||||
authorizedKeys = flake.self.logins.admins.sshPubKeys;
|
||||
authorizedKeys = flake.self.publicKeys.admins;
|
||||
};
|
||||
# this will automatically load the zfs password prompt on login
|
||||
# and kill the other prompt so boot can continue
|
||||
|
|
|
@ -4,12 +4,12 @@
|
|||
group = flake.self.username;
|
||||
extraGroups = [ "wheel" "docker" ];
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys;
|
||||
openssh.authorizedKeys.keys = flake.self.publicKeys.admins;
|
||||
};
|
||||
users.groups.${flake.self.username} = { };
|
||||
|
||||
# TODO: Remove when we stop locking ourselves out.
|
||||
users.users.root.openssh.authorizedKeys.keys = flake.self.logins.admins.sshPubKeys;
|
||||
users.users.root.openssh.authorizedKeys.keys = flake.self.publicKeys.admins;
|
||||
|
||||
users.users.hakkonaut = {
|
||||
description = "CI and automation user";
|
||||
|
@ -19,7 +19,7 @@
|
|||
uid = 998;
|
||||
group = "hakkonaut";
|
||||
isSystemUser = true;
|
||||
openssh.authorizedKeys.keys = flake.self.logins.robots.sshPubKeys;
|
||||
openssh.authorizedKeys.keys = flake.self.publicKeys.robots;
|
||||
};
|
||||
|
||||
users.groups.hakkonaut = { };
|
||||
|
|
|
@ -13,8 +13,16 @@
|
|||
};
|
||||
in
|
||||
{
|
||||
forgejo-runner = unstable.forgejo-runner;
|
||||
element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; };
|
||||
mastodon = prev.mastodon.override {
|
||||
version = "4.2.5";
|
||||
patches = [
|
||||
(final.fetchpatch {
|
||||
url = "https://github.com/mastodon/mastodon/compare/v4.2.4...v4.2.5.patch";
|
||||
hash = "sha256-CtzYV1i34s33lV/1jeNcr9p/x4Es1zRaf4l1sNWVKYk=";
|
||||
})
|
||||
];
|
||||
};
|
||||
})
|
||||
];
|
||||
});
|
||||
|
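Review bot: The `prev.mastodon.override { version = "4.2.5"; patches = [ ... ]; }` block pins a point-release backport without recording why it exists or when it can be removed, and the `fetchpatch` of a GitHub `compare/v4.2.4...v4.2.5.patch` URL will stop applying cleanly once the nixpkgs input ships a mastodon at or above 4.2.5 (the base it patches is presumably 4.2.4). Add a comment such as `# Backport of the 4.2.5 point release on top of nixpkgs' mastodon; drop once prev.mastodon.version >= 4.2.5`, and consider guarding the override with `final.lib.versionOlder prev.mastodon.version "4.2.5"` so the overlay becomes a no-op after the input bump. The overlay's argument list starts outside this hunk.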
|
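--- /dev/null
+++ b/public-keys/admins.nix
@@ -0,0 +1,9 @@
+{
+  axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix";
+  b12f-1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg= @b12f Yubi Main";
+  b12f-2 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup";
+  hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb";
+  hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy";
+  teutat3s-1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a";
+
+}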
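Review bot: This file is an attribute set, while its consumers elsewhere in this compare (`openssh.authorizedKeys.keys = flake.self.publicKeys.admins;` and the initrd `authorizedKeys`) require a list of strings, so whatever defines `flake.self.publicKeys.admins` must apply `builtins.attrValues` to it; that glue is not in this view and is worth confirming. A header comment would make the contract explicit, e.g. `# Admin SSH public keys for host login, exposed as a list via flake.self.publicKeys.admins. The ECDSA YubiKey keys cannot serve as age recipients; secrets/secrets.nix keeps its own ed25519/rsa list.`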
@ -1 +0,0 @@
|
|||
AGE-PLUGIN-YUBIKEY-1HZCCGQVZH5WV7DCL6V837
|
|
@ -1 +0,0 @@
|
|||
AGE-PLUGIN-YUBIKEY-1EKCCGQVZE64TLZCKYUCW7
|
|
@ -1,42 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 Y0ZZaw FvsdIE/inJoLVSosWXATnFbAAVjVuf7jlEC3nSUF6Ug
|
||||
gX84OKgWdfkGBN+NFy11BxIb4WX1z9UkPA4u2Q1uV+g
|
||||
-> ssh-ed25519 uYcDNw z5Veza0uVwqCqGCGYzGmXPcyaV9HztEN39cWFbSG7yg
|
||||
UWZQcDP1vMsYoWwMQlr4YmzWYw2EKm/s5zJVHNf2M0U
|
||||
-> ssh-rsa f5THog
|
||||
v1kqiU+cx65mvTNeuAhK65eBEk1vmkABRYgcmFIrdr4eY3pru+FaQTfMhTI9HjcO
|
||||
OTU0YPxxSadbUCaN6Z3QnTv5qowwOQlEsWK+RMsOZgnyRQHa2SIrhfHz7v+n8BTF
|
||||
8BYB4UBJpD3aLqM7VED6dYls178HUbiq34ohrG2vY5PHE72xTU60amv9NcJhSJPR
|
||||
twZPiSp3I14MlJU4bboS1YBaEmgxvbXru0DwuoQLw3OUrH7xOggVoSJxm8lVyjR2
|
||||
oFYS5wdnrhAIEsJ0lTsO5fvq9Dmie7qoL60rbBbue9lPk1nD1NlUe3akd4IIo36R
|
||||
kDbthUYluVSJON3o/wenSvJDOw3N3t8bu2+/XfWAd2NL9SPBijMQJtqjK8EAtmz9
|
||||
OjBMjJGQzVdBxRP9U3CWYIwaqYQfWhXXY4AXTwIMsfmeV8ZHZsId3Y156p0NaKg6
|
||||
NGb7eX/AWmcdNTp8ZCqlb4QexICrVd7XDkNbPHkYPUOdUhaMyS+T7YU8Qs3YWroP
|
||||
Bw63QMWbvo1l4HO/3HeIKlzIXTjLEi6PjTiWb7vM4GuoCwjdDg5djMEj4nsvDyea
|
||||
B9EBTEcoP2oj47wgsX0nfV5bKAQ4y8AN4ZNWb00vjN9ybBbLK3q//1DrEWmddieF
|
||||
t6FyZXvZH0Gf6y5OO56yRp/vmxvKFcvxqUA3P8bPAnw
|
||||
-> ssh-rsa kFDS0A
|
||||
c+0wRUbjzdJiBhdKAVlE8yxt1O3t4oQ438F5HjMPohEXSFLiNFi4Y0JQsw6qn3GP
|
||||
hySsyIoj9G+cI9FDPjTFPmE7O1SHrd2LqBZGukyswDXX8CpwmZ7vfqfK2lCgKfos
|
||||
SSPiGaYk+HlQF2QfX/xdgQ2PbFXHnDy8LZ9AfZP04PrnK9wqdiEXwmkWZ/Lu1P+V
|
||||
Wb/28BYxcfkseAprFr/KSJLoNuD9UphRhQwRklmjADnf0lep3vHccxz1Oo5flu5M
|
||||
AD47r+0bLGM+w3epCF1GyR4L2lEBaD8pkVOt3/zIdjn8nFZVNJwjshToazvnVEd3
|
||||
Vd9Uas58AyxcT7Dk/QaVO7c5KJDdfSuxnT1zElkM2ZQM4lEueTJYDBJGyfubb30y
|
||||
Z7re/MsLOh0jNJbb0r1KOkzwpcdm9iyvi26eaGsX7Q1Gb2pzOYFxD1vSUUC6A6Hp
|
||||
W5X6fKsiBPreYLf5MV6p9r2YJPdX4SJiq4XztQi1PL+ndq1h8wskxk3Pyvk9fhle
|
||||
iC5owZ8/FikfC/1oEa2KayeLyYB001BUuktevzfH2GmbqLkR9wBGw5vUJzOO4vOW
|
||||
o8SVCSUxSrG8S+HQksOSXFWywkdBDhqc8eyRUtb+6iqqMA2Q4GDqktSCB1KeBYD6
|
||||
OalH6bo4H1ddV8LPMOKcFtjmTPuum43C7bNge2rxhgg
|
||||
-> piv-p256 vRzPNw A/utfOjPG1zs1Lf2FOWDHhJIJW1PIHmKFqFvBZZycHPn
|
||||
EfGFh9R0PDgskQg00z6thQ1YozT5ZiBhzNN9iTXWDe4
|
||||
-> piv-p256 zqq/iw A0RjdOkfYmTlYCwM3aFLdXfBimXMGzVh21A5QxZ217xW
|
||||
7J9cRYpr1uhQPE0VjvLAwyS7jNSK0+qjA9xUMeRwYos
|
||||
-> ssh-ed25519 YFSOsg w8ljrS1oRdB9RT8Odi5UOPjEtFL3WBlQUAH9Y7gp3WM
|
||||
xcrbEm66K6mNrJ9+877YEgWUdxW85YyS1z8CGMyYxeE
|
||||
-> ssh-ed25519 iHV63A O0bMGpauAYAuiAtbITj+lQOS0LuFl/BDVxIUTly8tQM
|
||||
0Kiu4sNN0joX5D4eB42oQ/iRSntsJI5JNKOmkQeyLGE
|
||||
-> ssh-ed25519 BVsyTA k/0Rtr9qbFH7V6DyCRtyqdAHU1b7D7DNGV8pPPJmrnk
|
||||
dJ29gcfSxaVQ46XbW021PxPotZ8ZG2zjostJme9GUZQ
|
||||
--- 1V0sJP5JIa9GZ0F0hf1GAFX3LNkPSNsxNhqM9cH7Rgc
|
||||
|¿‘#ø©mÌæR„Ö5wäÎQòÅÐf1Ü
ÑÁZ·MUüèOÃfãÜ:GÓ^<5E>ì•!<21>
|
||||
gÐG29wíƒÙ_B‘ìdêÿ
|
25
secrets/matrix-mjolnir-password.age
Normal file
25
secrets/matrix-mjolnir-password.age
Normal file
|
@ -0,0 +1,25 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 iDKjwg k0qY4jLPEdz8HDYS8Ubh5sUp+BidUJ9j3nPYqxwYwX0
|
||||
ZWqonJ8wEFkt7iC4I6RzoVMcRRaK5yjFORz2ysTzrp4
|
||||
-> ssh-ed25519 uYcDNw 4GC7Rc2iDtDKNObkZGzt6TLhY49SkYNSz4JbZtKva04
|
||||
Z4q6od9qzaN28tizJhoO/lm1U2ymnu1hbUWoAMtNM+8
|
||||
-> ssh-rsa kFDS0A
|
||||
KNQhAEi5o9kk+EljFMRXjNoWa3xY+QEq3OaCkqkuEpr65wPmtrjVq/eMxAX31SgU
|
||||
EwIjUlBf3XsdAZkYmrItBuPgwxKBClDhnOHZQS6GowYPOW+CDNlRzcp947kfCcdG
|
||||
ZrbrMZb/zwqDNijOgjh1zn6kdaX2clp3wA5GdLP1pSRRBQWh7ZkGQkgiyQSLIHWu
|
||||
nfo/liBJ6qMAGtVwlAHcYhQDiYsYoquRvQ7TsgdQtu9NPmKhwjWbpEaJSt7AMC2y
|
||||
e9B8Lp46oPZHCptPqMBpvi5SPxg9X0wvj9Vg+3OG+dn0zvQmyTtEHq15I9MKSPCB
|
||||
oNVgvrgEcgaKxMdJCqFdbCj5I+eyZZc9tHTggSzSLAYHzoY3TbYx6TOpeHbub3lc
|
||||
cBCnbNTRwQCNQoBLXAKIkhcIv968D3RvtY5lPdQdU7MoW5GFHy67vmERMDBVCiYI
|
||||
29HSxdLGTLUKOgzLdR0pxQnRPSdxEBw06gHRP3q6MDXH066Of5e/RRqvYzJX1VlH
|
||||
cMhJjGTVZNnqP3RIVg1FMLfz6uooki8J9w42JOa9VVB3Zf5ics8vf7m3EObcHXL9
|
||||
B/Wh6oy9L+q6vZHs8ix5cHmIQA3GLsSsdQ2NimVG+YO9zwUPq9MNqPpoZfXH+wa6
|
||||
gUpANLeJjYzuo0Ob0gDMHSaFBfuyn1MxPipbccgnXG4
|
||||
-> ssh-ed25519 YFSOsg AiVh32W3+y52eDKrMBU0qjertV661tD8jqb8q4ZAyy8
|
||||
zIN8hgZ4ynWAt/HOcY4zzYHZUmeBNyk0TgtmztkGXi4
|
||||
-> ssh-ed25519 iHV63A EfbQmp++H8mgZzmYpsrZNRo2tfRurA66Z7fk4NQuzxM
|
||||
e6pH0+P/rtCPNcsuIZKop2RTd9eSv3hPcReNaZ/GkTs
|
||||
-> ssh-ed25519 BVsyTA ngQM3zUSkkt855E1MI25RuEWRYqaMVstY338Tq/n8yM
|
||||
wWtAV3MI0jQ9rlgeIO5DbPv0INH2KgV5Ic9NbXyNPDk
|
||||
--- JAi1rNmpk8X4L+TLJfqZ5r+AyFVd/rkUHBA/Mjjde3I
|
||||
ŸDO)SöÿøþxÞ±ªyµö|—3¨~ý`2æ*ʆ• Ôëý<C3AB>îè¶ÀÝ£Ðû¶Ë£'aAâfXFçÈÉÝðáäQXv[ï&a!úL©Í ª
|
|
@ -1,41 +0,0 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-ed25519 iDKjwg 1m2Nkhw2R1InZFZrOkzQCoQy4s/kduXyM44yWifllXc
|
||||
cxz6EWfaIJUjEkXEExFGKPrrl4iXnchkFfMiCpDgnZ8
|
||||
-> ssh-ed25519 uYcDNw nVtsI77gUtZKmvu6o/jkvh/Ab8KDgRuL7V6MDuFtBnk
|
||||
P7xVJA1a1ioe2tROajY1uvS1kLGrJW+YrXVf2Z2K2a4
|
||||
-> ssh-rsa f5THog
|
||||
rr17rPe7lJ2Zc0nsHhEch7mG7D27lnaMbAJ2Zsn4oHDXFn4cnSw4L/Zf+aZVIpNY
|
||||
ew2u24yBE5ButBh8t0wm2Di2SBir4cAQob7160Py5ZpqOHBGxACgxhfZm7f/FzLZ
|
||||
Ue0CUKebJI8KAqkjyayLLzESMECT5buhoJ4+K8U/B6O8NgGPrjS1Xjx1zCAs8tsG
|
||||
kQz2KsBFnIEH20qmj2ezmijJdkUJbyX2389jCIzZ95wOG0RcUH1+s0aMcuvvLptS
|
||||
05nSlmOlnwv7M8Jkwg+BC6l6xpoG3zpQDReEBTT3DYMRL3sNPV9eIHcPrWIXlANk
|
||||
7vqLPxNlu/gHhQSijcPICH0YiDZ3MIJdXtqVHxCFWmXlPAzfkSMwg2k3WT8fMSJ9
|
||||
ajEM0i6AIjaNAeY6cY87kGmfSjwRTSEbDSkC0B5VV1h2CZJDot7+9eZQ1HcwnP3j
|
||||
iLTijtB+dMAzpnQ8kA9bGnuOurTB3Jy+JxwejO21J1/rxBA+P0nATufnk5olhTKS
|
||||
vqkor0rxkV379SMpHLpbg4IbwdIjp+77GDJkofcAxZI8tmU2IF19dC1UsDfz15N/
|
||||
b984i7PpJ115U2oSbwBZ8WThx1i8I47/mabTU32IXvhfdsp9QmBoBIqUqdgHsU43
|
||||
LSBHRHiMy+3BfNA0M52oWEThtScOeqzwo3oSBCTM3xI
|
||||
-> ssh-rsa kFDS0A
|
||||
fgw9rO7pT7MLo1nNvZ05Ry+Gyjb27Trc5kZ7KYYya1BpCKjLnYwOaaoLtoHkGnuz
|
||||
bPJ4ouyMsWUiPpT/SZ5/uNHlSDS9dNF0RTzCAqSi31CwY5KFTfStzsOKeUvxCcGp
|
||||
Z9uyOEr1sOl1+gORWphrHmllSrXFAHHgOorLrtACkrQMxn678Wko13CFvDhtkl+l
|
||||
sqi+l+B5ffeJsaHmCLmrROGzWrCnT/1zwJV5KMF0HjBSOi+Fl+HxA9s6UCEHxTy/
|
||||
H8GvOooDGczgjg06yI2Puzo+DvhE/XOeFOoM/cLdGPnq/R8Mo4r4BDeBnQqbbBCI
|
||||
4LV0Ybz0jVpAHHCu5kAxIzc68d1mwmxYPW4pxMVDGaZKGoBnA9jkHA0DD0TKe62D
|
||||
ZBWtKAZb3gD4yDZfcbZABuXFszmFzKRmoE8YLmZDw0GwLu/It+ZtL9cxUZ+YmknP
|
||||
ZhBcy1NTlPhXlJdZBWImK8KKluf03BjBIAFm+ZGT1FiCnZft5SZFDf7PGq+PvRwT
|
||||
wk6UMeBiVbJvpVtjthHbur5FxXG+ly9wa9Y5bP3K2VnJkVcVt6NhkJ6Hg+g2FIZ4
|
||||
gzq+5azkX+7nSNr0dSR1Phk4j+6aahRc2Gb7SiMqo6nwKuWBL6SQRDuKwP1PaPvm
|
||||
aGfsduWhKZQM5ZeXBYkdgQqLgx4oAgbI2SujRaJlykE
|
||||
-> piv-p256 vRzPNw A77uRo1hsdtaU8Fze62NI3AocU7srSmd5A7y1PbUVEyQ
|
||||
LgD5sj6ZGGYiDausGO5lxERV71MFkZltzP3W4JIK59M
|
||||
-> piv-p256 zqq/iw A7rWVvgXoLOrF3w8wyR27/fGAPxeknuBMVF1yeNceSkN
|
||||
qAe7DwmCiFz72fy0Ica3SWZYNyvlsE1M/Odma5FKlyI
|
||||
-> ssh-ed25519 YFSOsg Hld4L4nxmssu+4vwIEE4Q13Xapfn38R42+MdT3c5Jyg
|
||||
gW3YzRgpc8SKyTp6o4BqmqFurr+lak+hKvYLFGdm2s8
|
||||
-> ssh-ed25519 iHV63A ODXmcURhm3oMgB5t4kigz1LoXMl0IqG7zUUog0FXRDw
|
||||
pa37B1B4FFTrh4UHDh2O4VBSQyxlaozHDNR8PCQ+gis
|
||||
-> ssh-ed25519 BVsyTA 1dkpnnRlhnqueC91EW7xn/q4MUUvleN23KyiTJM1ZlI
|
||||
QvpM4QaFx4ey3EZ8TNnbJjdeIgR5Nfbugw3X2Xv27wY
|
||||
--- dHSohj4s4bp6X8I2em011HuWwNNIDis6h4e/44CnTIU
|
||||
€Ð·^Pvî
^4YYpµä'äå}Xób½q5°½âW¦ ˜nv‹îß°B=í÷³¿ƒÐ÷*Å%Ñþ‹<C3BE>Ù¡nãÕi˜ÖÔT²]
|
|
@ -1,10 +1,21 @@
|
|||
let
|
||||
admins = import ../logins/admins.nix;
|
||||
# set ssh public keys here for your system and user
|
||||
axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix";
|
||||
b12f-bbcom = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmXpOU6vzQiVSSYCoxHYv7wDxC63Qg3dxlAMR6AOzwIABCU5PFFNcO0NWYms/YR7MOViorl+19LCLRABar9JgHU1n+uqxKV6eGph3OPeMp5sN8LAh7C9N+TZj8iJzBxQ3ch+Z/LdmLRwYNJ7KSUI+gwGK6xRS3+z1022Y4P0G0sx7IeCBl4lealQEIIF10ZOfjUdBcLQar7XTc5AxyGKnHCerXHRtccCoadLQujk0AvPXbv3Ma4JwX9X++AnCWRWakqS5UInu2tGuZ/6Hrjd2a9AKWjTaBVDcbYqCvY4XVuMj2/A2bCceFBaoi41apybSk26FSFTU4qiEUNQ6lxeOwG4+1NCXyHe2bGI4VyoxinDYa8vLLzXIRfTRA0qoGfCweXNeWPf0jMqASkUKaSOH5Ot7O5ps34r0j9pWzavDid8QeKJPyhxKuF1a5G4iBEZ0O9vuti60dPSjJPci9oTxbune2/jb7Sa0yO06DtLFJ2ncr5f70s/BDxKk4XIwQLy+KsvzlQEGdY8yA6xv28bOGxL3sQ0HE2pDTsvIbAisVOKzdJeolStL9MM5W8Hg0r/KkGj2bg0TfoRp1xHV9hjKkvJrsQ6okaPvNFeZq0HXzPhWMOVQ+/46z80uaQ1ByRLr3FTwuWJ7F/73ndfxiq6bDE4z2Ji0vOjeWJm6HCxTdGw== hello@benjaminbaedorf.com";
|
||||
hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb";
|
||||
hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy";
|
||||
teutat3s-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
|
||||
|
||||
nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall";
|
||||
flora-6-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@flora-6";
|
||||
|
||||
adminKeys = builtins.foldl' (keys: login: keys ++ (builtins.attrValues login.secretEncryptionKeys)) [] (builtins.attrValues admins);
|
||||
baseKeys = [
|
||||
axeman-1
|
||||
b12f-bbcom
|
||||
hensoko-1
|
||||
hensoko-2
|
||||
teutat3s-1
|
||||
];
|
||||
|
||||
nachtigallKeys = [
|
||||
nachtigall-host
|
||||
|
@ -16,52 +27,49 @@ let
|
|||
in
|
||||
{
|
||||
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall
|
||||
"nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
|
||||
"nachtigall-wg-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"flora6-wg-private-key.age".publicKeys = flora6Keys ++ adminKeys;
|
||||
"mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"mastodon-vapid-private-key.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"mastodon-vapid-public-key.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"mastodon-smtp-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"mastodon-extra-env-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
|
||||
"mastodon-secret-key-base.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"mastodon-otp-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"mastodon-vapid-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"mastodon-vapid-public-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"mastodon-smtp-password.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"mastodon-extra-env-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"keycloak-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
|
||||
"keycloak-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ baseKeys;
|
||||
"forgejo-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
|
||||
"forgejo-actions-runner-token.age".publicKeys = flora6Keys ++ adminKeys;
|
||||
"forgejo-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"matrix-mjolnir-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
|
||||
"matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
|
||||
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"searx-environment.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
|
||||
"searx-environment.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"restic-repo-droppie.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
|
||||
"restic-repo-droppie.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"drone-db-secrets.age".publicKeys = flora6Keys ++ baseKeys;
|
||||
"drone-secrets.age".publicKeys = flora6Keys ++ baseKeys;
|
||||
|
||||
"drone-db-secrets.age".publicKeys = flora6Keys ++ adminKeys;
|
||||
"drone-secrets.age".publicKeys = flora6Keys ++ adminKeys;
|
||||
"mediawiki-database-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
|
||||
"mediawiki-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"mediawiki-admin-password.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
|
||||
"coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"grafana-admin-password.age".publicKeys = flora6Keys ++ baseKeys;
|
||||
"grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ baseKeys;
|
||||
"grafana-smtp-password.age".publicKeys = flora6Keys ++ baseKeys;
|
||||
|
||||
"grafana-admin-password.age".publicKeys = flora6Keys ++ adminKeys;
|
||||
"grafana-keycloak-client-secret.age".publicKeys = flora6Keys ++ adminKeys;
|
||||
"grafana-smtp-password.age".publicKeys = flora6Keys ++ adminKeys;
|
||||
|
||||
"nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ adminKeys;
|
||||
"nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ adminKeys;
|
||||
"nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ baseKeys;
|
||||
"nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ baseKeys;
|
||||
}
|
||||
|
|
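Review bot: The recipient set for every secret in this file is now a hard-coded `baseKeys` list of five personal SSH keys instead of `adminKeys`, which the other side derives from `secretEncryptionKeys` in `../logins/admins.nix` (the hunk headers' line counts put `baseKeys` on the new side; the render itself does not mark sides). That leaves two places that decide who can decrypt the host secrets, so removing or rotating an admin in `logins/admins.nix` no longer removes their key here until someone edits this file by hand and re-keys the `.age` files. If the hard-coded list is intended, a comment above `baseKeys = [` should say why it is not derived from `admins.nix` and what must follow a change, e.g. `# Recipients are listed here by hand; after editing, re-key every secret so removed keys lose access.` Separately, the comment `# ssh-ed25519 AAAAC3…nF5e root@nachtigall` above `"nachtigall-root-ssh-key.age"` does not match the `nachtigall-host` key defined in the `let` block, so it should be corrected or dropped rather than left to suggest a different recipient.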
153
terraform/dns.tf
153
terraform/dns.tf
|
@ -1,186 +1,171 @@
|
|||
# https://registry.terraform.io/providers/namecheap/namecheap/latest/docs
|
||||
resource "namecheap_domain_records" "pub-solar" {
|
||||
domain = "pub.solar"
|
||||
mode = "OVERWRITE"
|
||||
domain = "pub.solar"
|
||||
mode = "OVERWRITE"
|
||||
email_type = "MX"
|
||||
|
||||
record {
|
||||
hostname = "flora-6"
|
||||
type = "A"
|
||||
address = "80.71.153.210"
|
||||
type = "A"
|
||||
address = "80.71.153.210"
|
||||
}
|
||||
record {
|
||||
hostname = "auth"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "ci"
|
||||
type = "A"
|
||||
address = "80.71.153.210"
|
||||
}
|
||||
record {
|
||||
hostname = "alerts"
|
||||
type = "CNAME"
|
||||
address = "flora-6.pub.solar."
|
||||
type = "A"
|
||||
address = "80.71.153.210"
|
||||
}
|
||||
record {
|
||||
hostname = "git"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "stream"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "list"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "obs-portal"
|
||||
type = "A"
|
||||
address = "80.71.153.210"
|
||||
type = "A"
|
||||
address = "80.71.153.210"
|
||||
}
|
||||
record {
|
||||
hostname = "vpn"
|
||||
type = "A"
|
||||
address = "80.71.153.210"
|
||||
type = "A"
|
||||
address = "80.71.153.210"
|
||||
}
|
||||
record {
|
||||
hostname = "cache"
|
||||
type = "A"
|
||||
address = "95.217.225.160"
|
||||
type = "A"
|
||||
address = "95.217.225.160"
|
||||
}
|
||||
record {
|
||||
hostname = "factorio"
|
||||
type = "A"
|
||||
address = "80.244.242.2"
|
||||
type = "A"
|
||||
address = "80.244.242.2"
|
||||
}
|
||||
record {
|
||||
hostname = "collabora"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "@"
|
||||
type = "ALIAS"
|
||||
address = "nachtigall.pub.solar."
|
||||
ttl = 300
|
||||
type = "ALIAS"
|
||||
address = "nachtigall.pub.solar."
|
||||
ttl = 300
|
||||
}
|
||||
record {
|
||||
hostname = "chat"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "cloud"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "turn"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "grafana"
|
||||
type = "A"
|
||||
address = "80.71.153.210"
|
||||
type = "A"
|
||||
address = "80.71.153.210"
|
||||
}
|
||||
record {
|
||||
hostname = "hpb"
|
||||
type = "A"
|
||||
address = "80.71.153.239"
|
||||
type = "A"
|
||||
address = "80.71.153.239"
|
||||
}
|
||||
record {
|
||||
hostname = "files"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "search"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "wiki"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "mastodon"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "matrix"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "tmate"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "www"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
record {
|
||||
hostname = "@"
|
||||
type = "TXT"
|
||||
address = "v=spf1 include:spf.greenbaum.zone a:list.pub.solar ~all"
|
||||
type = "TXT"
|
||||
address = "v=spf1 include:spf.greenbaum.zone a:list.pub.solar ~all"
|
||||
}
|
||||
record {
|
||||
hostname = "list"
|
||||
type = "TXT"
|
||||
address = "v=spf1 a:list.pub.solar ?all"
|
||||
type = "TXT"
|
||||
address = "v=spf1 a:list.pub.solar ?all"
|
||||
}
|
||||
record {
|
||||
hostname = "_dmarc"
|
||||
type = "TXT"
|
||||
address = "v=DMARC1; p=reject;"
|
||||
type = "TXT"
|
||||
address = "v=DMARC1; p=reject;"
|
||||
}
|
||||
record {
|
||||
hostname = "_dmarc.list"
|
||||
type = "TXT"
|
||||
address = "v=DMARC1; p=reject;"
|
||||
}
|
||||
record {
|
||||
hostname = "modoboa._domainkey"
|
||||
type = "TXT"
|
||||
address = "v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx/EqLMpk0MyL1aQ0JVG44ypTRbZBVA13MFjEntxAvowaWtq1smRbnEwTTKgqUOrUyaM4dVmli1dedne4mk/ncqRAm02KuhtTY+5wXfhTKK53EhqehbKwH+Qvzb12983Qwdau/QTHiFHwXHufMaSsCvd9CRWCp9q68Q7noQqndJeLHT6L0eECd2Zk3ZxJuh+Fxdb7+Kw68Tf6z13Rs+MU01qLM7x0jmSQHa4cv2pk+7NTGMBRp6fVskfbqev5nFkZWJ7rhXEbP9Eukd/L3ro/ubs1quWJotG02gPRKE8fgkm1Ytlws1/pnqpuvKXQS1HzBEP1X2ExezJMzQ1SnZCigQIDAQAB"
|
||||
type = "TXT"
|
||||
address = "v=DMARC1; p=reject;"
|
||||
}
|
||||
record {
|
||||
hostname = "@"
|
||||
type = "MX"
|
||||
address = "mail.greenbaum.zone."
|
||||
mx_pref = "0"
|
||||
type = "MX"
|
||||
address = "mail.greenbaum.zone."
|
||||
mx_pref = "0"
|
||||
}
|
||||
record {
|
||||
hostname = "list"
|
||||
type = "MX"
|
||||
address = "list.pub.solar."
|
||||
mx_pref = "0"
|
||||
type = "MX"
|
||||
address = "list.pub.solar."
|
||||
mx_pref = "0"
|
||||
}
|
||||
record {
|
||||
hostname = "nachtigall"
|
||||
type = "A"
|
||||
address = "138.201.80.102"
|
||||
type = "A"
|
||||
address = "138.201.80.102"
|
||||
}
|
||||
record {
|
||||
hostname = "nachtigall"
|
||||
type = "AAAA"
|
||||
address = "2a01:4f8:172:1c25::1"
|
||||
type = "AAAA"
|
||||
address = "2a01:4f8:172:1c25::1"
|
||||
}
|
||||
record {
|
||||
hostname = "matrix.test"
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
type = "CNAME"
|
||||
address = "nachtigall.pub.solar."
|
||||
}
|
||||
# SRV records can only be changed via NameCheap Web UI
|
||||
# add comment
|
||||
|
|
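Review bot: The `modoboa._domainkey` record near the end of the hunk pairs the DKIM selector hostname with `address = "v=DMARC1; p=reject;"` on one side and the `v=DKIM1;k=rsa;p=…` public key on the other; whichever side carries the DMARC string (the hunk's line counts suggest it is the new side) publishes a DMARC policy under the DKIM selector, so signatures made with selector `modoboa` cannot be verified and, with `_dmarc` at `p=reject`, aligned mail then depends on SPF alone. The new side should keep the `v=DKIM1;k=rsa;p=…` value already present in the hunk for that record. The `# add comment` line above the closing brace says nothing; either name the SRV records that are managed outside Terraform or drop it, since `# SRV records can only be changed via NameCheap Web UI` already carries the point. The closing brace of `resource "namecheap_domain_records" "pub-solar"` lies outside the hunk.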