style: run treefmt
This commit is contained in:
parent
affdc02afe
commit
2ca0bd7c3e
|
@ -1,9 +1,12 @@
|
|||
# Process for handling a deletion request
|
||||
|
||||
### Keycloak
|
||||
|
||||
Required:
|
||||
|
||||
- auth.pub.solar ops user credentials
|
||||
- SSH access to host nachtigall
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
|
||||
|
@ -20,8 +23,8 @@ sudo --user keycloak kcadm.sh update --config /tmp/kcadm.config users/2ec6f173-3
|
|||
|
||||
Docs: https://www.keycloak.org/docs/latest/server_admin/index.html#updating-a-user
|
||||
|
||||
|
||||
### Nextcloud
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
nextcloud-occ user:delete <username>
|
||||
|
@ -29,8 +32,8 @@ nextcloud-occ user:delete <username>
|
|||
|
||||
Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html#user-commands-label
|
||||
|
||||
|
||||
### Mastodon
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
|
||||
|
@ -38,8 +41,8 @@ sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
|
|||
|
||||
Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete
|
||||
|
||||
|
||||
### Forgejo
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.ini --purge --email <mail-address>
|
||||
|
@ -47,8 +50,8 @@ sudo -u gitea gitea admin user delete --config /var/lib/forgejo/custom/conf/app.
|
|||
|
||||
Docs: https://forgejo.org/docs/latest/admin/command-line/#delete
|
||||
|
||||
|
||||
### Matrix
|
||||
|
||||
```
|
||||
ssh bartender@matrix.pub.solar -p 2020
|
||||
curl --header "Authorization: Bearer <admin-access-token>" --request POST http://172.18.0.3:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}'
|
||||
|
@ -56,6 +59,6 @@ curl --header "Authorization: Bearer <admin-access-token>" --request POST http:/
|
|||
|
||||
Docs: https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#deactivate-account
|
||||
|
||||
|
||||
### OpenBikeSensor
|
||||
|
||||
Not implemented, see: https://github.com/openbikesensor/portal/issues/95
|
||||
|
|
|
@ -8,11 +8,13 @@ To deploy, make sure you have a [working development shell](./development-shell.
|
|||
Then, run `deploy-rs` with the hostname of the server you want to deploy:
|
||||
|
||||
For nachtigall.pub.solar:
|
||||
|
||||
```
|
||||
deploy --targets '.#nachtigall' --magic-rollback false --auto-rollback false
|
||||
```
|
||||
|
||||
For flora-6.pub.solar:
|
||||
|
||||
```
|
||||
deploy --targets '.#flora-6' --magic-rollback false --auto-rollback false
|
||||
```
|
||||
|
@ -29,4 +31,5 @@ to enable switching to the new config quickly at a later moment.
|
|||
You'll need to have SSH Access to the boxes to be able to run `deploy`.
|
||||
|
||||
### Getting SSH access
|
||||
|
||||
See [administrative-access.md](./administrative-access.md).
|
||||
|
|
|
@ -15,12 +15,15 @@ Please follow https://docs.greenbaum.cloud/en/devops/triton-cli.html for the det
|
|||
|
||||
You will need to setup the following [namecheap API credentials](https://www.namecheap.com/support/api/intro),
|
||||
look for "namecheap API key" in the pub.solar Keepass database.
|
||||
|
||||
```
|
||||
NAMECHEAP_API_KEY
|
||||
NAMECHEAP_API_USER
|
||||
NAMECHEAP_USER_NAME
|
||||
```
|
||||
|
||||
You will probably also need to add your external IP to the [API allow list](https://ap.www.namecheap.com/settings/tools/apiaccess/whitelisted-ips).
|
||||
|
||||
```
|
||||
dig -4 ip @dns.toys
|
||||
```
|
||||
|
@ -35,16 +38,19 @@ terraform init
|
|||
```
|
||||
|
||||
Make your changes, e.g. in `dns.tf`.
|
||||
|
||||
```
|
||||
$EDITOR dns.tf
|
||||
```
|
||||
|
||||
Plan your changes using:
|
||||
|
||||
```
|
||||
terraform plan -out pub-solar-infra.plan
|
||||
```
|
||||
|
||||
After verification, apply your changes with:
|
||||
|
||||
```
|
||||
terraform apply "pub-solar-infra.plan"
|
||||
```
|
||||
|
@ -52,7 +58,9 @@ terraform apply "pub-solar-infra.plan"
|
|||
### Useful links
|
||||
|
||||
We use the Manta remote backend to save the terraform state for collaboration.
|
||||
|
||||
- https://www.terraform.io/language/v1.2.x/settings/backends/manta
|
||||
|
||||
Namecheap Terraform provider docs:
|
||||
|
||||
- https://registry.terraform.io/providers/namecheap/namecheap/latest/docs
|
||||
|
|
|
@ -1,9 +1,12 @@
|
|||
# Process for getting a list of email addresses of all keycloak users
|
||||
|
||||
### Keycloak
|
||||
|
||||
Required:
|
||||
|
||||
- auth.pub.solar ops user credentials
|
||||
- SSH access to host nachtigall
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
|
||||
|
|
|
@ -1,9 +1,12 @@
|
|||
# Process for resetting keycloak user passwords
|
||||
|
||||
### Keycloak
|
||||
|
||||
Required:
|
||||
|
||||
- auth.pub.solar ops user credentials
|
||||
- SSH access to host nachtigall
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
|
||||
|
|
|
@ -1,9 +1,12 @@
|
|||
# Process for updating a keycloak realm via CLI
|
||||
|
||||
### Keycloak
|
||||
|
||||
Required:
|
||||
|
||||
- auth.pub.solar ops user credentials
|
||||
- SSH access to host nachtigall
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
|
||||
|
|
|
@ -24,6 +24,7 @@ deploy --targets '.#nachtigall'
|
|||
```
|
||||
|
||||
Then, finalize the update by running the database migration script:
|
||||
|
||||
```
|
||||
ssh barkeeper@nachtigall.pub.solar
|
||||
docker exec -it mediawiki bash
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
# OpenBikeSensor Portal
|
||||
|
||||
## Docker Containers
|
||||
* portal
|
||||
* worker
|
||||
* db
|
||||
|
||||
- portal
|
||||
- worker
|
||||
- db
|
||||
|
||||
## Run database migrations
|
||||
|
||||
|
|
|
@ -1,3 +1 @@
|
|||
# Reverting to an old version
|
||||
|
||||
|
||||
|
|
|
@ -6,4 +6,4 @@ After a boot, the encrypted root partition will have to be unlocked. This is don
|
|||
ssh root@nachtigall.pub.solar -p2222
|
||||
```
|
||||
|
||||
After connecting, paste the crypt passphrase you can find in the shared keepass. This will disconnect the SSH session right away and the server will keep booting into stage 2.
|
||||
After connecting, paste the crypt passphrase you can find in the shared keepass. This will disconnect the SSH session right away and the server will keep booting into stage 2.
|
||||
|
|
87
flake.nix
87
flake.nix
|
@ -40,9 +40,13 @@
|
|||
element-stickers.inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
|
||||
outputs = inputs@{ self, ... }:
|
||||
outputs =
|
||||
inputs@{ self, ... }:
|
||||
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
|
||||
systems = [ "x86_64-linux" "aarch64-linux" ];
|
||||
systems = [
|
||||
"x86_64-linux"
|
||||
"aarch64-linux"
|
||||
];
|
||||
|
||||
imports = [
|
||||
inputs.nixos-flake.flakeModule
|
||||
|
@ -52,37 +56,42 @@
|
|||
./hosts
|
||||
];
|
||||
|
||||
perSystem = { system, pkgs, config, ... }: {
|
||||
_module.args = {
|
||||
inherit inputs;
|
||||
pkgs = import inputs.nixpkgs {
|
||||
inherit system;
|
||||
overlays = [
|
||||
inputs.agenix.overlays.default
|
||||
perSystem =
|
||||
{
|
||||
system,
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
}:
|
||||
{
|
||||
_module.args = {
|
||||
inherit inputs;
|
||||
pkgs = import inputs.nixpkgs {
|
||||
inherit system;
|
||||
overlays = [ inputs.agenix.overlays.default ];
|
||||
};
|
||||
unstable = import inputs.unstable { inherit system; };
|
||||
master = import inputs.master { inherit system; };
|
||||
};
|
||||
devShells.default = pkgs.mkShell {
|
||||
buildInputs = with pkgs; [
|
||||
deploy-rs
|
||||
nixpkgs-fmt
|
||||
agenix
|
||||
age-plugin-yubikey
|
||||
cachix
|
||||
editorconfig-checker
|
||||
nodePackages.prettier
|
||||
nvfetcher
|
||||
shellcheck
|
||||
shfmt
|
||||
treefmt
|
||||
nixos-generators
|
||||
inputs.nixpkgs-2205.legacyPackages.${system}.terraform
|
||||
jq
|
||||
];
|
||||
};
|
||||
unstable = import inputs.unstable { inherit system; };
|
||||
master = import inputs.master { inherit system; };
|
||||
};
|
||||
devShells.default = pkgs.mkShell {
|
||||
buildInputs = with pkgs; [
|
||||
deploy-rs
|
||||
nixpkgs-fmt
|
||||
agenix
|
||||
age-plugin-yubikey
|
||||
cachix
|
||||
editorconfig-checker
|
||||
nodePackages.prettier
|
||||
nvfetcher
|
||||
shellcheck
|
||||
shfmt
|
||||
treefmt
|
||||
nixos-generators
|
||||
inputs.nixpkgs-2205.legacyPackages.${system}.terraform
|
||||
jq
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
flake =
|
||||
let
|
||||
|
@ -92,19 +101,15 @@
|
|||
inherit username;
|
||||
|
||||
nixosModules = builtins.listToAttrs (
|
||||
map
|
||||
(x: {
|
||||
name = x;
|
||||
value = import (./modules + "/${x}");
|
||||
})
|
||||
(builtins.attrNames (builtins.readDir ./modules))
|
||||
map (x: {
|
||||
name = x;
|
||||
value = import (./modules + "/${x}");
|
||||
}) (builtins.attrNames (builtins.readDir ./modules))
|
||||
);
|
||||
|
||||
checks = builtins.mapAttrs
|
||||
(
|
||||
system: deployLib: deployLib.deployChecks self.deploy
|
||||
)
|
||||
inputs.deploy-rs.lib;
|
||||
checks = builtins.mapAttrs (
|
||||
system: deployLib: deployLib.deployChecks self.deploy
|
||||
) inputs.deploy-rs.lib;
|
||||
|
||||
formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style;
|
||||
|
||||
|
|
|
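Review bot: The reformatted `devShells.default` in the `perSystem` block still lists `nixpkgs-fmt` in `buildInputs` but not `nixfmt-rfc-style`, which is what the flake now declares as its formatter in the `formatter."x86_64-linux"` line further down and what this commit's output style matches. If treefmt is configured to call nixfmt, contributors running `treefmt` from `nix develop` will hit a missing binary, and anyone invoking `nixpkgs-fmt` will re-format the files back into the old style; I cannot see treefmt.toml from here, so the exact wiring is inferred. Suggest replacing the `nixpkgs-fmt` entry with `inputs.unstable.legacyPackages.${system}.nixfmt-rfc-style` so the devShell and the `formatter` attribute agree.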
@ -1,8 +1,9 @@
|
|||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, flake
|
||||
, ...
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
flake,
|
||||
...
|
||||
}:
|
||||
let
|
||||
psCfg = config.pub-solar;
|
||||
|
|
|
@ -1,12 +1,11 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./configuration.nix
|
||||
./triton-vmtools.nix
|
||||
./wireguard.nix
|
||||
];
|
||||
imports = [
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./configuration.nix
|
||||
./triton-vmtools.nix
|
||||
./wireguard.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -1,15 +1,23 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, modulesPath
|
||||
, ...
|
||||
}: {
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
{
|
||||
imports = [ ];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ahci" "virtio_pci" "xhci_pci" "sr_mod" "virtio_blk" ];
|
||||
boot.initrd.availableKernelModules = [
|
||||
"ahci"
|
||||
"virtio_pci"
|
||||
"xhci_pci"
|
||||
"sr_mod"
|
||||
"virtio_blk"
|
||||
];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
|
|
@ -1,7 +1,5 @@
|
|||
{ pkgs
|
||||
, flake
|
||||
, ...
|
||||
}: {
|
||||
{ pkgs, flake, ... }:
|
||||
{
|
||||
environment.systemPackages = with pkgs; [
|
||||
flake.inputs.triton-vmtools.packages.${pkgs.system}.default
|
||||
];
|
||||
|
|
|
@ -2,7 +2,8 @@
|
|||
config,
|
||||
pkgs,
|
||||
flake,
|
||||
... }:
|
||||
...
|
||||
}:
|
||||
{
|
||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||
|
||||
|
@ -18,16 +19,20 @@
|
|||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
{ # nachtigall.pub.solar
|
||||
{
|
||||
# nachtigall.pub.solar
|
||||
endpoint = "138.201.80.102:51820";
|
||||
publicKey = "qzNywKY9RvqTnDO8eLik75/SHveaSk9OObilDzv+xkk=";
|
||||
allowedIPs = [ "10.7.6.1/32" "fd00:fae:fae:fae:fae:1::/96" ];
|
||||
allowedIPs = [
|
||||
"10.7.6.1/32"
|
||||
"fd00:fae:fae:fae:fae:1::/96"
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh.listenAddresses = [
|
||||
services.openssh.listenAddresses = [
|
||||
{
|
||||
addr = "10.7.6.2";
|
||||
port = 22;
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
{ flake, ... }: {
|
||||
{ flake, ... }:
|
||||
{
|
||||
age.secrets."restic-repo-droppie" = {
|
||||
file = "${flake.self}/secrets/restic-repo-droppie.age";
|
||||
mode = "400";
|
||||
|
|
|
@ -1,8 +1,10 @@
|
|||
{ flake
|
||||
, config
|
||||
, pkgs
|
||||
, ...
|
||||
}: {
|
||||
{
|
||||
flake,
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
# Use GRUB2 as the boot loader.
|
||||
# We don't use systemd-boot because Hetzner uses BIOS legacy boot.
|
||||
boot.loader.systemd-boot.enable = false;
|
||||
|
@ -11,15 +13,11 @@
|
|||
efiSupport = false;
|
||||
mirroredBoots = [
|
||||
{
|
||||
devices = [
|
||||
"/dev/disk/by-id/nvme-SAMSUNG_MZVL21T0HCLR-00B00_S676NF0R517371"
|
||||
];
|
||||
devices = [ "/dev/disk/by-id/nvme-SAMSUNG_MZVL21T0HCLR-00B00_S676NF0R517371" ];
|
||||
path = "/boot1";
|
||||
}
|
||||
{
|
||||
devices = [
|
||||
"/dev/disk/by-id/nvme-KXG60ZNV1T02_TOSHIBA_Z9NF704ZF9ZL"
|
||||
];
|
||||
devices = [ "/dev/disk/by-id/nvme-KXG60ZNV1T02_TOSHIBA_Z9NF704ZF9ZL" ];
|
||||
path = "/boot2";
|
||||
}
|
||||
];
|
||||
|
|
|
@ -1,15 +1,13 @@
|
|||
{ flake, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./configuration.nix
|
||||
imports = [
|
||||
# Include the results of the hardware scan.
|
||||
./hardware-configuration.nix
|
||||
./configuration.nix
|
||||
|
||||
./networking.nix
|
||||
./wireguard.nix
|
||||
./backups.nix
|
||||
|
||||
];
|
||||
./networking.nix
|
||||
./wireguard.nix
|
||||
./backups.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -1,54 +1,54 @@
|
|||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||
# and may be overwritten by future invocations. Please make changes
|
||||
# to /etc/nixos/configuration.nix instead.
|
||||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
modulesPath,
|
||||
...
|
||||
}:
|
||||
|
||||
{
|
||||
imports =
|
||||
[
|
||||
(modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "ahci" "nvme" ];
|
||||
boot.initrd.availableKernelModules = [
|
||||
"ahci"
|
||||
"nvme"
|
||||
];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{
|
||||
device = "root_pool/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
fileSystems."/" = {
|
||||
device = "root_pool/root";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib" =
|
||||
{
|
||||
device = "root_pool/data";
|
||||
fsType = "zfs";
|
||||
};
|
||||
fileSystems."/var/lib" = {
|
||||
device = "root_pool/data";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/postgresql" =
|
||||
{
|
||||
device = "root_pool/data/postgresql";
|
||||
fsType = "zfs";
|
||||
};
|
||||
fileSystems."/var/lib/postgresql" = {
|
||||
device = "root_pool/data/postgresql";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/docker" =
|
||||
{
|
||||
device = "root_pool/data/docker";
|
||||
fsType = "zfs";
|
||||
};
|
||||
fileSystems."/var/lib/docker" = {
|
||||
device = "root_pool/data/docker";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/boot1" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/5493-EFF5";
|
||||
fsType = "vfat";
|
||||
};
|
||||
fileSystems."/boot1" = {
|
||||
device = "/dev/disk/by-uuid/5493-EFF5";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
fileSystems."/boot2" =
|
||||
{
|
||||
device = "/dev/disk/by-uuid/5494-BA1E";
|
||||
fsType = "vfat";
|
||||
};
|
||||
fileSystems."/boot2" = {
|
||||
device = "/dev/disk/by-uuid/5494-BA1E";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
|
|
|
@ -2,7 +2,8 @@
|
|||
config,
|
||||
pkgs,
|
||||
flake,
|
||||
... }:
|
||||
...
|
||||
}:
|
||||
{
|
||||
|
||||
networking.hostName = "nachtigall";
|
||||
|
@ -24,5 +25,8 @@
|
|||
}
|
||||
];
|
||||
networking.defaultGateway = "138.201.80.65";
|
||||
networking.defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
|
||||
networking.defaultGateway6 = {
|
||||
address = "fe80::1";
|
||||
interface = "enp35s0";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -2,7 +2,8 @@
|
|||
config,
|
||||
pkgs,
|
||||
flake,
|
||||
... }:
|
||||
...
|
||||
}:
|
||||
{
|
||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||
|
||||
|
@ -18,16 +19,20 @@
|
|||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
{ # flora-6.pub.solar
|
||||
{
|
||||
# flora-6.pub.solar
|
||||
endpoint = "80.71.153.210:51820";
|
||||
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
|
||||
allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ];
|
||||
allowedIPs = [
|
||||
"10.7.6.2/32"
|
||||
"fd00:fae:fae:fae:fae:2::/96"
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh.listenAddresses = [
|
||||
services.openssh.listenAddresses = [
|
||||
{
|
||||
addr = "10.7.6.1";
|
||||
port = 22;
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
let
|
||||
lock = builtins.fromJSON (builtins.readFile builtins.path {
|
||||
path = ../../flake.lock;
|
||||
name = "lockPath";
|
||||
});
|
||||
lock = builtins.fromJSON (
|
||||
builtins.readFile builtins.path {
|
||||
path = ../../flake.lock;
|
||||
name = "lockPath";
|
||||
}
|
||||
);
|
||||
flake =
|
||||
import
|
||||
(
|
||||
fetchTarball {
|
||||
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
|
||||
sha256 = lock.nodes.flake-compat.locked.narHash;
|
||||
}
|
||||
)
|
||||
(fetchTarball {
|
||||
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
|
||||
sha256 = lock.nodes.flake-compat.locked.narHash;
|
||||
})
|
||||
{
|
||||
src = builtins.path {
|
||||
path = ../../.;
|
||||
|
|
|
@ -1,4 +1,10 @@
|
|||
{ self, lib, inputs, ... }: {
|
||||
{
|
||||
self,
|
||||
lib,
|
||||
inputs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
# Configuration common to all Linux systems
|
||||
flake = {
|
||||
lib =
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
/*
|
||||
* The contents of this file are adapted from digga
|
||||
* https://github.com/divnix/digga
|
||||
*
|
||||
* Licensed under the MIT license
|
||||
*/
|
||||
The contents of this file are adapted from digga
|
||||
https://github.com/divnix/digga
|
||||
|
||||
Licensed under the MIT license
|
||||
*/
|
||||
|
||||
{ lib, inputs }:
|
||||
let
|
||||
|
@ -14,62 +14,61 @@ let
|
|||
inherit system;
|
||||
overlays = [
|
||||
inputs.deploy-rs.overlay
|
||||
(self: super: { deploy-rs = { inherit (pkgs) deploy-rs; lib = super.deploy-rs.lib; }; })
|
||||
(self: super: {
|
||||
deploy-rs = {
|
||||
inherit (pkgs) deploy-rs;
|
||||
lib = super.deploy-rs.lib;
|
||||
};
|
||||
})
|
||||
];
|
||||
};
|
||||
getFqdn = c:
|
||||
getFqdn =
|
||||
c:
|
||||
let
|
||||
net = c.config.networking;
|
||||
fqdn =
|
||||
if (net ? domain) && (net.domain != null)
|
||||
then "${net.hostName}.${net.domain}"
|
||||
else net.hostName;
|
||||
if (net ? domain) && (net.domain != null) then "${net.hostName}.${net.domain}" else net.hostName;
|
||||
in
|
||||
fqdn;
|
||||
in
|
||||
{
|
||||
mkDeployNodes = systemConfigurations: extraConfig:
|
||||
mkDeployNodes =
|
||||
systemConfigurations: extraConfig:
|
||||
/*
|
||||
*
|
||||
Synopsis: mkNodes _systemConfigurations_ _extraConfig_
|
||||
*
|
||||
Synopsis: mkNodes _systemConfigurations_ _extraConfig_
|
||||
|
||||
Generate the `nodes` attribute expected by deploy-rs
|
||||
where _systemConfigurations_ are `nodes`.
|
||||
Generate the `nodes` attribute expected by deploy-rs
|
||||
where _systemConfigurations_ are `nodes`.
|
||||
|
||||
_systemConfigurations_ should take the form of a flake's
|
||||
_nixosConfigurations_. Note that deploy-rs does not currently support
|
||||
deploying to darwin hosts.
|
||||
_systemConfigurations_ should take the form of a flake's
|
||||
_nixosConfigurations_. Note that deploy-rs does not currently support
|
||||
deploying to darwin hosts.
|
||||
|
||||
_extraConfig_, if specified, will be merged into each of the
|
||||
nodes' configurations.
|
||||
_extraConfig_, if specified, will be merged into each of the
|
||||
nodes' configurations.
|
||||
|
||||
Example _systemConfigurations_ input:
|
||||
Example _systemConfigurations_ input:
|
||||
|
||||
```
|
||||
{
|
||||
hostname-1 = {
|
||||
fastConnection = true;
|
||||
sshOpts = [ "-p" "25" ];
|
||||
};
|
||||
hostname-2 = {
|
||||
sshOpts = [ "-p" "19999" ];
|
||||
sshUser = "root";
|
||||
};
|
||||
}
|
||||
```
|
||||
*
|
||||
*/
|
||||
lib.recursiveUpdate
|
||||
(lib.mapAttrs
|
||||
(
|
||||
_: c: {
|
||||
hostname = getFqdn c;
|
||||
profiles.system = {
|
||||
user = "root";
|
||||
path = deployPkgs.deploy-rs.lib.activate.nixos c;
|
||||
};
|
||||
}
|
||||
)
|
||||
systemConfigurations)
|
||||
extraConfig;
|
||||
```
|
||||
{
|
||||
hostname-1 = {
|
||||
fastConnection = true;
|
||||
sshOpts = [ "-p" "25" ];
|
||||
};
|
||||
hostname-2 = {
|
||||
sshOpts = [ "-p" "19999" ];
|
||||
sshUser = "root";
|
||||
};
|
||||
}
|
||||
```
|
||||
*
|
||||
*/
|
||||
lib.recursiveUpdate (lib.mapAttrs (_: c: {
|
||||
hostname = getFqdn c;
|
||||
profiles.system = {
|
||||
user = "root";
|
||||
path = deployPkgs.deploy-rs.lib.activate.nixos c;
|
||||
};
|
||||
}) systemConfigurations) extraConfig;
|
||||
}
|
||||
|
|
|
@ -10,7 +10,10 @@
|
|||
{
|
||||
# tuxnix
|
||||
publicKey = "fTvULvdsc92binFaBV+uWwFi33bi8InShcaPnoxUZEA=";
|
||||
allowedIPs = [ "10.7.6.203/32" "fd00:fae:fae:fae:fae:203::/96" ];
|
||||
allowedIPs = [
|
||||
"10.7.6.203/32"
|
||||
"fd00:fae:fae:fae:fae:203::/96"
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
@ -27,9 +30,13 @@
|
|||
} // sshPubKeys;
|
||||
|
||||
wireguardDevices = [
|
||||
{ # stroopwafel
|
||||
{
|
||||
# stroopwafel
|
||||
publicKey = "NNb7T8Jmn+V2dTZ8T6Fcq7hGomHGDckKoV3kK2oAhSE=";
|
||||
allowedIPs = [ "10.7.6.200/32" "fd00:fae:fae:fae:fae:200::/96" ];
|
||||
allowedIPs = [
|
||||
"10.7.6.200/32"
|
||||
"fd00:fae:fae:fae:fae:200::/96"
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
@ -42,9 +49,13 @@
|
|||
|
||||
secretEncryptionKeys = sshPubKeys;
|
||||
wireguardDevices = [
|
||||
{ # judy
|
||||
{
|
||||
# judy
|
||||
publicKey = "I+gN7v1VXkAGoSir6L8aebtLbguvy5nAx1QVDTzdckk=";
|
||||
allowedIPs = [ "10.7.6.202/32" "fd00:fae:fae:fae:fae:202::/96" ];
|
||||
allowedIPs = [
|
||||
"10.7.6.202/32"
|
||||
"fd00:fae:fae:fae:fae:202::/96"
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
@ -59,13 +70,21 @@
|
|||
};
|
||||
|
||||
wireguardDevices = [
|
||||
{ # dumpyourvms
|
||||
{
|
||||
# dumpyourvms
|
||||
publicKey = "3UrVLQrwXnPAVXPiTAd7eM3fZYxnFSYgKAGpNMUwnUk=";
|
||||
allowedIPs = [ "10.7.6.201/32" "fd00:fae:fae:fae:fae:201::/96" ];
|
||||
allowedIPs = [
|
||||
"10.7.6.201/32"
|
||||
"fd00:fae:fae:fae:fae:201::/96"
|
||||
];
|
||||
}
|
||||
{ # ryzensun
|
||||
{
|
||||
# ryzensun
|
||||
publicKey = "oVF2/s7eIxyVjtG0MhKPx5SZ1JllZg+ZFVF2eVYtPGo=";
|
||||
allowedIPs = [ "10.7.6.204/32" "fd00:fae:fae:fae:fae:204::/96" ];
|
||||
allowedIPs = [
|
||||
"10.7.6.204/32"
|
||||
"fd00:fae:fae:fae:fae:204::/96"
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
|
|
@ -1,13 +1,24 @@
|
|||
{ lib, ... }: let
|
||||
{ lib, ... }:
|
||||
let
|
||||
admins = import ./admins.nix;
|
||||
robots = import ./robots.nix;
|
||||
in {
|
||||
in
|
||||
{
|
||||
flake = {
|
||||
logins = {
|
||||
admins = lib.lists.foldl (logins: adminConfig: {
|
||||
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
|
||||
wireguardDevices = logins.wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else []);
|
||||
}) { sshPubKeys = []; wireguardDevices = []; } (lib.attrsets.attrValues admins);
|
||||
admins =
|
||||
lib.lists.foldl
|
||||
(logins: adminConfig: {
|
||||
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
|
||||
wireguardDevices =
|
||||
logins.wireguardDevices
|
||||
++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
|
||||
})
|
||||
{
|
||||
sshPubKeys = [ ];
|
||||
wireguardDevices = [ ];
|
||||
}
|
||||
(lib.attrsets.attrValues admins);
|
||||
robots.sshPubKeys = lib.attrsets.attrValues robots;
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,11 +1,12 @@
|
|||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, flake
|
||||
, ...
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
flake,
|
||||
...
|
||||
}:
|
||||
{
|
||||
services.caddy = {
|
||||
services.caddy = {
|
||||
enable = lib.mkForce true;
|
||||
group = config.pub-solar-os.authentication.robot.username;
|
||||
email = config.pub-solar-os.adminEmail;
|
||||
|
@ -14,5 +15,8 @@
|
|||
grace_period 60s
|
||||
'';
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
}
|
||||
|
|
|
@ -1,9 +1,11 @@
|
|||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, self
|
||||
, ...
|
||||
}: {
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
self,
|
||||
...
|
||||
}:
|
||||
{
|
||||
services.nginx.virtualHosts."collabora.${config.pub-solar-os.networking.domain}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
@ -24,9 +26,7 @@
|
|||
containers."collabora" = {
|
||||
image = "collabora/code";
|
||||
autoStart = true;
|
||||
ports = [
|
||||
"127.0.0.1:9980:9980"
|
||||
];
|
||||
ports = [ "127.0.0.1:9980:9980" ];
|
||||
extraOptions = [
|
||||
"--cap-add=MKNOD"
|
||||
"--pull=always"
|
||||
|
|
|
@ -1,4 +1,11 @@
|
|||
{ pkgs, config, flake, lib, ... }: {
|
||||
{
|
||||
pkgs,
|
||||
config,
|
||||
flake,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
imports = [
|
||||
./nix.nix
|
||||
./networking.nix
|
||||
|
@ -29,7 +36,11 @@
|
|||
config = {
|
||||
environment = {
|
||||
# Just a couple of global packages to make our lives easier
|
||||
systemPackages = with pkgs; [ git vim wget ];
|
||||
systemPackages = with pkgs; [
|
||||
git
|
||||
vim
|
||||
wget
|
||||
];
|
||||
};
|
||||
|
||||
# Select internationalization properties
|
||||
|
|
|
@ -3,7 +3,8 @@
|
|||
lib,
|
||||
config,
|
||||
...
|
||||
}: {
|
||||
}:
|
||||
{
|
||||
options.pub-solar-os.networking = with lib; {
|
||||
domain = mkOption {
|
||||
description = "domain on which all services should run. This defaults to pub.solar";
|
||||
|
@ -23,8 +24,8 @@
|
|||
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 22 ];
|
||||
|
||||
networking.hosts = {
|
||||
"10.7.6.1" = ["nachtigall.${config.pub-solar-os.networking.domain}"];
|
||||
"10.7.6.2" = ["flora-6.${config.pub-solar-os.networking.domain}"];
|
||||
"10.7.6.1" = [ "nachtigall.${config.pub-solar-os.networking.domain}" ];
|
||||
"10.7.6.2" = [ "flora-6.${config.pub-solar-os.networking.domain}" ];
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
|
|
|
@ -1,11 +1,12 @@
|
|||
{ config
|
||||
, pkgs
|
||||
, lib
|
||||
, flake
|
||||
, ...
|
||||
}: {
|
||||
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
|
||||
];
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
flake,
|
||||
...
|
||||
}:
|
||||
{
|
||||
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ ];
|
||||
|
||||
nix = {
|
||||
# Use default version alias for nix package
|
||||
|
@ -25,7 +26,10 @@
|
|||
# Prevents impurities in builds
|
||||
sandbox = true;
|
||||
# Give root and @wheel special privileges with nix
|
||||
trusted-users = [ "root" "@wheel" ];
|
||||
trusted-users = [
|
||||
"root"
|
||||
"@wheel"
|
||||
];
|
||||
# Allow only group wheel to connect to the nix daemon
|
||||
allowed-users = [ "@wheel" ];
|
||||
};
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
{ flake, config, ... }: {
|
||||
{ flake, config, ... }:
|
||||
{
|
||||
home-manager.users.${config.pub-solar-os.authentication.username} = {
|
||||
programs.git.enable = true;
|
||||
programs.starship.enable = true;
|
||||
|
|
|
@ -4,7 +4,8 @@
|
|||
lib,
|
||||
config,
|
||||
...
|
||||
}: {
|
||||
}:
|
||||
{
|
||||
options.pub-solar-os.authentication = with lib; {
|
||||
username = mkOption {
|
||||
description = "Username for the adminstrative user";
|
||||
|
@ -41,7 +42,10 @@
|
|||
users.users.${config.pub-solar-os.authentication.username} = {
|
||||
name = config.pub-solar-os.authentication.username;
|
||||
group = config.pub-solar-os.authentication.username;
|
||||
extraGroups = [ "wheel" "docker" ];
|
||||
extraGroups = [
|
||||
"wheel"
|
||||
"docker"
|
||||
];
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
|
||||
};
|
||||
|
@ -63,7 +67,8 @@
|
|||
|
||||
users.groups.${config.pub-solar-os.authentication.robot.username} = { };
|
||||
|
||||
users.users.root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
|
||||
users.users.root.initialHashedPassword =
|
||||
config.pub-solar-os.authentication.root.initialHashedPassword;
|
||||
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
};
|
||||
|
|
|
@ -1,4 +1,9 @@
|
|||
{ flake, config, lib, ... }:
|
||||
{
|
||||
flake,
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}:
|
||||
{
|
||||
age.secrets."coturn-static-auth-secret" = {
|
||||
file = "${flake.self}/secrets/coturn-static-auth-secret.age";
|
||||
|
@ -19,8 +24,12 @@
|
|||
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
|
||||
extraConfig =
|
||||
let
|
||||
externalIPv4s = lib.strings.concatMapStringsSep "\n" ({ address, ... }: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv4.addresses;
|
||||
externalIPv6s = lib.strings.concatMapStringsSep "\n" ({ address, ... }: "external-ip=${address}") config.networking.interfaces.enp35s0.ipv6.addresses;
|
||||
externalIPv4s = lib.strings.concatMapStringsSep "\n" (
|
||||
{ address, ... }: "external-ip=${address}"
|
||||
) config.networking.interfaces.enp35s0.ipv4.addresses;
|
||||
externalIPv6s = lib.strings.concatMapStringsSep "\n" (
|
||||
{ address, ... }: "external-ip=${address}"
|
||||
) config.networking.interfaces.enp35s0.ipv6.addresses;
|
||||
in
|
||||
''
|
||||
${externalIPv4s}
|
||||
|
@ -61,28 +70,35 @@
|
|||
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
|
||||
'';
|
||||
|
||||
};
|
||||
|
||||
networking.firewall = {
|
||||
interfaces.enp35s0 =
|
||||
let
|
||||
range = with config.services.coturn; [{
|
||||
from = min-port;
|
||||
to = max-port;
|
||||
}];
|
||||
range = with config.services.coturn; [
|
||||
{
|
||||
from = min-port;
|
||||
to = max-port;
|
||||
}
|
||||
];
|
||||
in
|
||||
{
|
||||
allowedUDPPortRanges = range;
|
||||
allowedUDPPorts = [ 3478 5349 ];
|
||||
allowedUDPPorts = [
|
||||
3478
|
||||
5349
|
||||
];
|
||||
allowedTCPPortRanges = [ ];
|
||||
allowedTCPPorts = [ 3478 5349 ];
|
||||
allowedTCPPorts = [
|
||||
3478
|
||||
5349
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
# get a certificate
|
||||
security.acme.certs.${config.services.coturn.realm} = {
|
||||
/* insert here the right configuration to obtain a certificate */
|
||||
# insert here the right configuration to obtain a certificate
|
||||
postRun = "systemctl restart coturn.service";
|
||||
group = "turnserver";
|
||||
};
|
||||
|
|
|
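Review bot: The comment rewritten as `# insert here the right configuration to obtain a certificate` is the placeholder from the upstream coturn example and no longer describes this block, which only sets `postRun` and `group` on `security.acme.certs.${config.services.coturn.realm}`. A reader cannot tell from it whether the certificate request itself is deliberately configured elsewhere or was forgotten. Suggest replacing it with a comment stating what the entry actually does, e.g. `# ACME cert for the coturn realm is requested elsewhere (TODO confirm); this entry only restarts coturn on renewal and sets group ownership so the turnserver group can read key.pem`. The enclosing module starts before and continues after this hunk.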
@ -1,4 +1,5 @@
|
|||
{ pkgs, ... }: {
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
virtualisation.docker = {
|
||||
enable = true;
|
||||
extraOptions = ''
|
||||
|
|
|
@ -1,9 +1,11 @@
|
|||
{ config
|
||||
, lib
|
||||
, pkgs
|
||||
, flake
|
||||
, ...
|
||||
}: {
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
flake,
|
||||
...
|
||||
}:
|
||||
{
|
||||
age.secrets.drone-secrets = {
|
||||
file = "${flake.self}/secrets/drone-secrets.age";
|
||||
mode = "600";
|
||||
|
@ -26,9 +28,7 @@
|
|||
|
||||
users.groups.drone = { };
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '/var/lib/drone-db' 0750 drone drone - -"
|
||||
];
|
||||
systemd.tmpfiles.rules = [ "d '/var/lib/drone-db' 0750 drone drone - -" ];
|
||||
|
||||
services.caddy.virtualHosts."ci.${config.pub-solar-os.networking.domain}" = {
|
||||
logFormat = lib.mkForce ''
|
||||
|
@ -66 |