style: run treefmt

This commit is contained in:
teutat3s 2024-05-08 22:57:07 +02:00
parent affdc02afe
commit 2ca0bd7c3e
Signed by: teutat3s
GPG key ID: 4FA1D3FA524F22C1
74 changed files with 946 additions and 1319 deletions


@ -1,9 +1,12 @@
# Process for handling a deletion request
### Keycloak
Required:
- auth.pub.solar ops user credentials
- SSH access to host nachtigall
```
ssh barkeeper@nachtigall.pub.solar
@ -20,8 +23,8 @@ sudo --user keycloak kcadm.sh update --config /tmp/kcadm.config users/2ec6f173-3
Docs: https://www.keycloak.org/docs/latest/server_admin/index.html#updating-a-user
### Nextcloud
```
ssh barkeeper@nachtigall.pub.solar
nextcloud-occ user:delete <username>
@ -29,8 +32,8 @@ nextcloud-occ user:delete <username>
Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#user-commands-label
### Mastodon
```
ssh barkeeper@nachtigall.pub.solar
sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
@ -38,8 +41,8 @@ sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete
### Forgejo
```
ssh barkeeper@nachtigall.pub.solar
sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.ini --purge --email <mail-address>
@ -47,8 +50,8 @@ sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.
Docs: https://forgejo.org/docs/latest/admin/command-line/#delete
### Matrix
```
ssh bartender@matrix.pub.solar -p 2020
curl --header "Authorization: Bearer <admin-access-token>" --request POST http://172.18.0.3:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}'
@ -56,6 +59,6 @@ curl --header "Authorization: Bearer <admin-access-token>" --request POST http:/
Docs: https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#deactivate-account
### OpenBikeSensor
Not implemented, see: https://github.com/openbikesensor/portal/issues/95


@ -8,11 +8,13 @@ To deploy, make sure you have a [working development shell](./development-shell.
Then, run `deploy-rs` with the hostname of the server you want to deploy:
For nachtigall.pub.solar:
```
deploy --targets '.#nachtigall' --magic-rollback false --auto-rollback false
```
For flora-6.pub.solar:
```
deploy --targets '.#flora-6' --magic-rollback false --auto-rollback false
```
@ -29,4 +31,5 @@ to enable switching to the new config quickly at a later moment.
You'll need to have SSH Access to the boxes to be able to run `deploy`.
### Getting SSH access
See [administrative-access.md](./administrative-access.md).


@ -15,12 +15,15 @@ Please follow https://docs.greenbaum.cloud/en/devops/triton-cli.html for the det
You will need to setup the following [namecheap API credentials](https://www.namecheap.com/support/api/intro),
look for "namecheap API key" in the pub.solar Keepass database.
```
NAMECHEAP_API_KEY
NAMECHEAP_API_USER
NAMECHEAP_USER_NAME
```
You will probably also need to add your external IP to the [API allow list](https://ap.www.namecheap.com/settings/tools/apiaccess/whitelisted-ips).
```
dig -4 ip @dns.toys
```
@ -35,16 +38,19 @@ terraform init
```
Make your changes, e.g. in `dns.tf`.
```
$EDITOR dns.tf
```
Plan your changes using:
```
terraform plan -out pub-solar-infra.plan
```
After verification, apply your changes with:
```
terraform apply "pub-solar-infra.plan"
```
@ -52,7 +58,9 @@ terraform apply "pub-solar-infra.plan"
### Useful links
We use the Manta remote backend to save the terraform state for collaboration.
- https://www.terraform.io/language/v1.2.x/settings/backends/manta
Namecheap Terraform provider docs:
- https://registry.terraform.io/providers/namecheap/namecheap/latest/docs


@ -1,9 +1,12 @@
# Process for getting a list of email addresses of all keycloak users
### Keycloak
Required:
- auth.pub.solar ops user credentials
- SSH access to host nachtigall
```
ssh barkeeper@nachtigall.pub.solar


@ -1,9 +1,12 @@
# Process for resetting keycloak user passwords
### Keycloak
Required:
- auth.pub.solar ops user credentials
- SSH access to host nachtigall
```
ssh barkeeper@nachtigall.pub.solar


@ -1,9 +1,12 @@
# Process for updating a keycloak realm via CLI
### Keycloak
Required:
- auth.pub.solar ops user credentials
- SSH access to host nachtigall
```
ssh barkeeper@nachtigall.pub.solar


@ -24,6 +24,7 @@ deploy --targets '.#nachtigall'
```
Then, finalize the update by running the database migration script:
```
ssh barkeeper@nachtigall.pub.solar
docker exec -it mediawiki bash


@ -1,10 +1,10 @@
# OpenBikeSensor Portal
## Docker Containers
* portal
* worker
* db
- portal
- worker
- db
## Run database migrations


@ -1,3 +1 @@
# Reverting to an old version


@ -6,4 +6,4 @@ After a boot, the encrypted root partition will have to be unlocked. This is don
ssh root@nachtigall.pub.solar -p2222
```
After connecting, paste the crypt passphrase you can find in the shared keepass. This will disconnect the SSH session right away and the server will keep booting into stage 2.
After connecting, paste the crypt passphrase you can find in the shared keepass. This will disconnect the SSH session right away and the server will keep booting into stage 2.


@ -40,9 +40,13 @@
element-stickers.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = inputs@{ self, ... }:
outputs =
inputs@{ self, ... }:
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
systems = [ "x86_64-linux" "aarch64-linux" ];
systems = [
"x86_64-linux"
"aarch64-linux"
];
imports = [
inputs.nixos-flake.flakeModule
@ -52,37 +56,42 @@
./hosts
];
perSystem = { system, pkgs, config, ... }: {
_module.args = {
inherit inputs;
pkgs = import inputs.nixpkgs {
inherit system;
overlays = [
inputs.agenix.overlays.default
perSystem =
{
system,
pkgs,
config,
...
}:
{
_module.args = {
inherit inputs;
pkgs = import inputs.nixpkgs {
inherit system;
overlays = [ inputs.agenix.overlays.default ];
};
unstable = import inputs.unstable { inherit system; };
master = import inputs.master { inherit system; };
};
devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [
deploy-rs
nixpkgs-fmt
agenix
age-plugin-yubikey
cachix
editorconfig-checker
nodePackages.prettier
nvfetcher
shellcheck
shfmt
treefmt
nixos-generators
inputs.nixpkgs-2205.legacyPackages.${system}.terraform
jq
];
};
unstable = import inputs.unstable { inherit system; };
master = import inputs.master { inherit system; };
};
devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [
deploy-rs
nixpkgs-fmt
agenix
age-plugin-yubikey
cachix
editorconfig-checker
nodePackages.prettier
nvfetcher
shellcheck
shfmt
treefmt
nixos-generators
inputs.nixpkgs-2205.legacyPackages.${system}.terraform
jq
];
};
};
flake =
let
@ -92,19 +101,15 @@
inherit username;
nixosModules = builtins.listToAttrs (
map
(x: {
name = x;
value = import (./modules + "/${x}");
})
(builtins.attrNames (builtins.readDir ./modules))
map (x: {
name = x;
value = import (./modules + "/${x}");
}) (builtins.attrNames (builtins.readDir ./modules))
);
checks = builtins.mapAttrs
(
system: deployLib: deployLib.deployChecks self.deploy
)
inputs.deploy-rs.lib;
checks = builtins.mapAttrs (
system: deployLib: deployLib.deployChecks self.deploy
) inputs.deploy-rs.lib;
formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style;


@ -1,8 +1,9 @@
{ config
, lib
, pkgs
, flake
, ...
{
config,
lib,
pkgs,
flake,
...
}:
let
psCfg = config.pub-solar;


@ -1,12 +1,11 @@
{ ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./configuration.nix
./triton-vmtools.nix
./wireguard.nix
];
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./configuration.nix
./triton-vmtools.nix
./wireguard.nix
];
}


@ -1,15 +1,23 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config
, lib
, pkgs
, modulesPath
, ...
}: {
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ahci" "virtio_pci" "xhci_pci" "sr_mod" "virtio_blk" ];
boot.initrd.availableKernelModules = [
"ahci"
"virtio_pci"
"xhci_pci"
"sr_mod"
"virtio_blk"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];


@ -1,7 +1,5 @@
{ pkgs
, flake
, ...
}: {
{ pkgs, flake, ... }:
{
environment.systemPackages = with pkgs; [
flake.inputs.triton-vmtools.packages.${pkgs.system}.default
];


@ -2,7 +2,8 @@
config,
pkgs,
flake,
... }:
...
}:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
@ -18,16 +19,20 @@
];
privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [
{ # nachtigall.pub.solar
{
# nachtigall.pub.solar
endpoint = "138.201.80.102:51820";
publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
allowedIPs = [ "10.7.6.1/32" "fd00:fae:fae:fae:fae:1::/96" ];
allowedIPs = [
"10.7.6.1/32"
"fd00:fae:fae:fae:fae:1::/96"
];
}
];
};
};
services.openssh.listenAddresses = [
services.openssh.listenAddresses = [
{
addr = "10.7.6.2";
port = 22;


@ -1,4 +1,5 @@
{ flake, ... }: {
{ flake, ... }:
{
age.secrets."restic-repo-droppie" = {
file = "${flake.self}/secrets/restic-repo-droppie.age";
mode = "400";


@ -1,8 +1,10 @@
{ flake
, config
, pkgs
, ...
}: {
{
flake,
config,
pkgs,
...
}:
{
# Use GRUB2 as the boot loader.
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
boot.loader.systemd-boot.enable = false;
@ -11,15 +13,11 @@
efiSupport = false;
mirroredBoots = [
{
devices = [
"/dev/disk/by-id/nvme-SAMSUNG_MZVL21T0HCLR-00B00_S676NF0R517371"
];
devices = [ "/dev/disk/by-id/nvme-SAMSUNG_MZVL21T0HCLR-00B00_S676NF0R517371" ];
path = "/boot1";
}
{
devices = [
"/dev/disk/by-id/nvme-KXG60ZNV1T02_TOSHIBA_Z9NF704ZF9ZL"
];
devices = [ "/dev/disk/by-id/nvme-KXG60ZNV1T02_TOSHIBA_Z9NF704ZF9ZL" ];
path = "/boot2";
}
];


@ -1,15 +1,13 @@
{ flake, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./configuration.nix
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./configuration.nix
./networking.nix
./wireguard.nix
./backups.nix
];
./networking.nix
./wireguard.nix
./backups.nix
];
}


@ -1,54 +1,54 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [ "ahci" "nvme" ];
boot.initrd.availableKernelModules = [
"ahci"
"nvme"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{
device = "root_pool/root";
fsType = "zfs";
};
fileSystems."/" = {
device = "root_pool/root";
fsType = "zfs";
};
fileSystems."/var/lib" =
{
device = "root_pool/data";
fsType = "zfs";
};
fileSystems."/var/lib" = {
device = "root_pool/data";
fsType = "zfs";
};
fileSystems."/var/lib/postgresql" =
{
device = "root_pool/data/postgresql";
fsType = "zfs";
};
fileSystems."/var/lib/postgresql" = {
device = "root_pool/data/postgresql";
fsType = "zfs";
};
fileSystems."/var/lib/docker" =
{
device = "root_pool/data/docker";
fsType = "zfs";
};
fileSystems."/var/lib/docker" = {
device = "root_pool/data/docker";
fsType = "zfs";
};
fileSystems."/boot1" =
{
device = "/dev/disk/by-uuid/5493-EFF5";
fsType = "vfat";
};
fileSystems."/boot1" = {
device = "/dev/disk/by-uuid/5493-EFF5";
fsType = "vfat";
};
fileSystems."/boot2" =
{
device = "/dev/disk/by-uuid/5494-BA1E";
fsType = "vfat";
};
fileSystems."/boot2" = {
device = "/dev/disk/by-uuid/5494-BA1E";
fsType = "vfat";
};
swapDevices = [ ];


@ -2,7 +2,8 @@
config,
pkgs,
flake,
... }:
...
}:
{
networking.hostName = "nachtigall";
@ -24,5 +25,8 @@
}
];
networking.defaultGateway = "138.201.80.65";
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
networking.defaultGateway6 = {
address = "fe80::1";
interface = "enp35s0";
};
}


@ -2,7 +2,8 @@
config,
pkgs,
flake,
... }:
...
}:
{
networking.firewall.allowedUDPPorts = [ 51820 ];
@ -18,16 +19,20 @@
];
privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.admins.wireguardDevices ++ [
{ # flora-6.pub.solar
{
# flora-6.pub.solar
endpoint = "80.71.153.210:51820";
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ];
allowedIPs = [
"10.7.6.2/32"
"fd00:fae:fae:fae:fae:2::/96"
];
}
];
};
};
services.openssh.listenAddresses = [
services.openssh.listenAddresses = [
{
addr = "10.7.6.1";
port = 22;


@ -1,16 +1,16 @@
let
lock = builtins.fromJSON (builtins.readFile builtins.path {
path = ../../flake.lock;
name = "lockPath";
});
lock = builtins.fromJSON (
builtins.readFile builtins.path {
path = ../../flake.lock;
name = "lockPath";
}
);
flake =
import
(
fetchTarball {
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash;
}
)
(fetchTarball {
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash;
})
{
src = builtins.path {
path = ../../.;


@ -1,4 +1,10 @@
{ self, lib, inputs, ... }: {
{
self,
lib,
inputs,
...
}:
{
# Configuration common to all Linux systems
flake = {
lib =


@ -1,9 +1,9 @@
/*
* The contents of this file are adapted from digga
* https://github.com/divnix/digga
*
* Licensed under the MIT license
*/
The contents of this file are adapted from digga
https://github.com/divnix/digga
Licensed under the MIT license
*/
{ lib, inputs }:
let
@ -14,62 +14,61 @@ let
inherit system;
overlays = [
inputs.deploy-rs.overlay
(self: super: { deploy-rs = { inherit (pkgs) deploy-rs; lib = super.deploy-rs.lib; }; })
(self: super: {
deploy-rs = {
inherit (pkgs) deploy-rs;
lib = super.deploy-rs.lib;
};
})
];
};
getFqdn = c:
getFqdn =
c:
let
net = c.config.networking;
fqdn =
if (net ? domain) && (net.domain != null)
then "${net.hostName}.${net.domain}"
else net.hostName;
if (net ? domain) && (net.domain != null) then "${net.hostName}.${net.domain}" else net.hostName;
in
fqdn;
in
{
mkDeployNodes = systemConfigurations: extraConfig:
mkDeployNodes =
systemConfigurations: extraConfig:
/*
*
Synopsis: mkNodes _systemConfigurations_ _extraConfig_
*
Synopsis: mkNodes _systemConfigurations_ _extraConfig_
Generate the `nodes` attribute expected by deploy-rs
where _systemConfigurations_ are `nodes`.
Generate the `nodes` attribute expected by deploy-rs
where _systemConfigurations_ are `nodes`.
_systemConfigurations_ should take the form of a flake's
_nixosConfigurations_. Note that deploy-rs does not currently support
deploying to darwin hosts.
_systemConfigurations_ should take the form of a flake's
_nixosConfigurations_. Note that deploy-rs does not currently support
deploying to darwin hosts.
_extraConfig_, if specified, will be merged into each of the
nodes' configurations.
_extraConfig_, if specified, will be merged into each of the
nodes' configurations.
Example _systemConfigurations_ input:
Example _systemConfigurations_ input:
```
{
hostname-1 = {
fastConnection = true;
sshOpts = [ "-p" "25" ];
};
hostname-2 = {
sshOpts = [ "-p" "19999" ];
sshUser = "root";
};
}
```
*
*/
lib.recursiveUpdate
(lib.mapAttrs
(
_: c: {
hostname = getFqdn c;
profiles.system = {
user = "root";
path = deployPkgs.deploy-rs.lib.activate.nixos c;
};
}
)
systemConfigurations)
extraConfig;
```
{
hostname-1 = {
fastConnection = true;
sshOpts = [ "-p" "25" ];
};
hostname-2 = {
sshOpts = [ "-p" "19999" ];
sshUser = "root";
};
}
```
*
*/
lib.recursiveUpdate (lib.mapAttrs (_: c: {
hostname = getFqdn c;
profiles.system = {
user = "root";
path = deployPkgs.deploy-rs.lib.activate.nixos c;
};
}) systemConfigurations) extraConfig;
}


@ -10,7 +10,10 @@
{
# tuxnix
publicKey = "fTvULvdsc92binFaBV+uWwFi33bi8InShcaPnoxUZEA=";
allowedIPs = [ "10.7.6.203/32" "fd00:fae:fae:fae:fae:203::/96" ];
allowedIPs = [
"10.7.6.203/32"
"fd00:fae:fae:fae:fae:203::/96"
];
}
];
};
@ -27,9 +30,13 @@
} // sshPubKeys;
wireguardDevices = [
{ # stroopwafel
{
# stroopwafel
publicKey = "NNb7T8Jmn+V2dTZ8T6Fcq7hGomHGDckKoV3kK2oAhSE=";
allowedIPs = [ "10.7.6.200/32" "fd00:fae:fae:fae:fae:200::/96" ];
allowedIPs = [
"10.7.6.200/32"
"fd00:fae:fae:fae:fae:200::/96"
];
}
];
};
@ -42,9 +49,13 @@
secretEncryptionKeys = sshPubKeys;
wireguardDevices = [
{ # judy
{
# judy
publicKey = "I+gN7v1VXkAGoSir6L8aebtLbguvy5nAx1QVDTzdckk=";
allowedIPs = [ "10.7.6.202/32" "fd00:fae:fae:fae:fae:202::/96" ];
allowedIPs = [
"10.7.6.202/32"
"fd00:fae:fae:fae:fae:202::/96"
];
}
];
};
@ -59,13 +70,21 @@
};
wireguardDevices = [
{ # dumpyourvms
{
# dumpyourvms
publicKey = "3UrVLQrwXnPAVXPiTAd7eM3fZYxnFSYgKAGpNMUwnUk=";
allowedIPs = [ "10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96" ];
allowedIPs = [
"10.7.6.201/32"
"fd00:fae:fae:fae:fae:201::/96"
];
}
{ # ryzensun
{
# ryzensun
publicKey = "oVF2/s7eIxyVjtG0MhKPx5SZ1JllZg+ZFVF2eVYtPGo=";
allowedIPs = [ "10.7.6.204/32" "fd00:fae:fae:fae:fae:204::/96" ];
allowedIPs = [
"10.7.6.204/32"
"fd00:fae:fae:fae:fae:204::/96"
];
}
];
};


@ -1,13 +1,24 @@
{ lib, ... }: let
{ lib, ... }:
let
admins = import ./admins.nix;
robots = import ./robots.nix;
in {
in
{
flake = {
logins = {
admins = lib.lists.foldl (logins: adminConfig: {
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
wireguardDevices = logins.wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else []);
}) { sshPubKeys = []; wireguardDevices = []; } (lib.attrsets.attrValues admins);
admins =
lib.lists.foldl
(logins: adminConfig: {
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
wireguardDevices =
logins.wireguardDevices
++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
})
{
sshPubKeys = [ ];
wireguardDevices = [ ];
}
(lib.attrsets.attrValues admins);
robots.sshPubKeys = lib.attrsets.attrValues robots;
};
};


@ -1,11 +1,12 @@
{ config
, lib
, pkgs
, flake
, ...
{
config,
lib,
pkgs,
flake,
...
}:
{
services.caddy = {
services.caddy = {
enable = lib.mkForce true;
group = config.pub-solar-os.authentication.robot.username;
email = config.pub-solar-os.adminEmail;
@ -14,5 +15,8 @@
grace_period 60s
'';
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedTCPPorts = [
80
443
];
}


@ -1,9 +1,11 @@
{ config
, lib
, pkgs
, self
, ...
}: {
{
config,
lib,
pkgs,
self,
...
}:
{
services.nginx.virtualHosts."collabora.${config.pub-solar-os.networking.domain}" = {
enableACME = true;
forceSSL = true;
@ -24,9 +26,7 @@
containers."collabora" = {
image = "collabora/code";
autoStart = true;
ports = [
"127.0.0.1:9980:9980"
];
ports = [ "127.0.0.1:9980:9980" ];
extraOptions = [
"--cap-add=MKNOD"
"--pull=always"


@ -1,4 +1,11 @@
{ pkgs, config, flake, lib, ... }: {
{
pkgs,
config,
flake,
lib,
...
}:
{
imports = [
./nix.nix
./networking.nix
@ -29,7 +36,11 @@
config = {
environment = {
# Just a couple of global packages to make our lives easier
systemPackages = with pkgs; [ git vim wget ];
systemPackages = with pkgs; [
git
vim
wget
];
};
# Select internationalization properties


@ -3,7 +3,8 @@
lib,
config,
...
}: {
}:
{
options.pub-solar-os.networking = with lib; {
domain = mkOption {
description = "domain on which all services should run. This defaults to pub.solar";
@ -23,8 +24,8 @@
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
networking.hosts = {
"10.7.6.1" = ["nachtigall.${config.pub-solar-os.networking.domain}"];
"10.7.6.2" = ["flora-6.${config.pub-solar-os.networking.domain}"];
"10.7.6.1" = [ "nachtigall.${config.pub-solar-os.networking.domain}" ];
"10.7.6.2" = [ "flora-6.${config.pub-solar-os.networking.domain}" ];
};
services.openssh = {


@ -1,11 +1,12 @@
{ config
, pkgs
, lib
, flake
, ...
}: {
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
];
{
config,
pkgs,
lib,
flake,
...
}:
{
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ ];
nix = {
# Use default version alias for nix package
@ -25,7 +26,10 @@
# Prevents impurities in builds
sandbox = true;
# Give root and @wheel special privileges with nix
trusted-users = [ "root" "@wheel" ];
trusted-users = [
"root"
"@wheel"
];
# Allow only group wheel to connect to the nix daemon
allowed-users = [ "@wheel" ];
};


@ -1,4 +1,5 @@
{ flake, config, ... }: {
{ flake, config, ... }:
{
home-manager.users.${config.pub-solar-os.authentication.username} = {
programs.git.enable = true;
programs.starship.enable = true;


@ -4,7 +4,8 @@
lib,
config,
...
}: {
}:
{
options.pub-solar-os.authentication = with lib; {
username = mkOption {
description = "Username for the adminstrative user";
@ -41,7 +42,10 @@
users.users.${config.pub-solar-os.authentication.username} = {
name = config.pub-solar-os.authentication.username;
group = config.pub-solar-os.authentication.username;
extraGroups = [ "wheel" "docker" ];
extraGroups = [
"wheel"
"docker"
];
isNormalUser = true;
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
};
@ -63,7 +67,8 @@
users.groups.${config.pub-solar-os.authentication.robot.username} = { };
users.users.root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
users.users.root.initialHashedPassword =
config.pub-solar-os.authentication.root.initialHashedPassword;
security.sudo.wheelNeedsPassword = false;
};


@ -1,4 +1,9 @@
{ flake, config, lib, ... }:
{
flake,
config,
lib,
...
}:
{
age.secrets."coturn-static-auth-secret" = {
file = "${flake.self}/secrets/coturn-static-auth-secret.age";
@ -19,8 +24,12 @@
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig =
let
externalIPv4s = lib.strings.concatMapStringsSep "\n" ({ address, ... }: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv4.addresses;
externalIPv6s = lib.strings.concatMapStringsSep "\n" ({ address, ... }: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv6.addresses;
externalIPv4s = lib.strings.concatMapStringsSep "\n" (
{ address, ... }: "external-ip=${address}"
) config.networking.interfaces.enp35s0.ipv4.addresses;
externalIPv6s = lib.strings.concatMapStringsSep "\n" (
{ address, ... }: "external-ip=${address}"
) config.networking.interfaces.enp35s0.ipv6.addresses;
in
''
${externalIPv4s}
@ -61,28 +70,35 @@
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
networking.firewall = {
interfaces.enp35s0 =
let
range = with config.services.coturn; [{
from = min-port;
to = max-port;
}];
range = with config.services.coturn; [
{
from = min-port;
to = max-port;
}
];
in
{
allowedUDPPortRanges = range;
allowedUDPPorts = [ 3478 5349 ];
allowedUDPPorts = [
3478
5349
];
allowedTCPPortRanges = [ ];
allowedTCPPorts = [ 3478 5349 ];
allowedTCPPorts = [
3478
5349
];
};
};
# get a certificate
security.acme.certs.${config.services.coturn.realm} = {
/* insert here the right configuration to obtain a certificate */
# insert here the right configuration to obtain a certificate
postRun = "systemctl restart coturn.service";
group = "turnserver";
};


@ -1,4 +1,5 @@
{ pkgs, ... }: {
{ pkgs, ... }:
{
virtualisation.docker = {
enable = true;
extraOptions = ''


@ -1,9 +1,11 @@
{ config
, lib
, pkgs
, flake
, ...
}: {
{
config,
lib,
pkgs,
flake,
...
}:
{
age.secrets.drone-secrets = {
file = "${flake.self}/secrets/drone-secrets.age";
mode = "600";
@ -26,9 +28,7 @@
users.groups.drone = { };
systemd.tmpfiles.rules = [
"d '/var/lib/drone-db' 0750 drone drone - -"
];
systemd.tmpfiles.rules = [ "d '/var/lib/drone-db' 0750 drone drone - -" ];
services.caddy.virtualHosts."ci.${config.pub-solar-os.networking.domain}" = {
logFormat = lib.mkForce ''
@ -66