auth: use all sshPubKeys for disk unlock, fix tests, fix hm config

hosts: use correct wireguardDevices option
style: run nix fmt
2024-11-20 16:49:39 +01:00 · 2024-11-20 16:49:39 +01:00 · 2024-11-20 16:49:39 +01:00 · 2024-11-20 16:49:38 +01:00 · 2024-11-19 16:10:57 +00:00 · 2024-11-19 16:30:13 +01:00
27 changed files with 150 additions and 233 deletions
--- a/flake.lock
+++ b/flake.lock
@ -94,11 +94,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1729712798,
-        "narHash": "sha256-a+Aakkb+amHw4biOZ0iMo8xYl37uUL48YEXIC5PYJ/8=",
+        "lastModified": 1731895210,
+        "narHash": "sha256-z76Q/OXLxO/RxMII3fIt/TG665DANiE2lVvnolK2lXk=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "09a776702b004fdf9c41a024e1299d575ee18a7d",
+        "rev": "639d1520df9417ca2761536c3072688569e83c80",
        "type": "github"
      },
      "original": {
@ -185,11 +185,11 @@
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1727826117,
-        "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
        "type": "github"
      },
      "original": {
@ -280,11 +280,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1730041422,
-        "narHash": "sha256-aEz5/yUJN/PSEXwPBuKMs2FbAmz68fDIQ9B0tVRVmTo=",
+        "lastModified": 1731518114,
+        "narHash": "sha256-h9Wb3VjmXBZwTO3prRweUKwp2H9hZHCQKrkbU+2WPQs=",
        "ref": "main",
-        "rev": "09f7b1ed16c99f5fb5c5f9a2a73ccc9ff0645b35",
-        "revCount": 32,
+        "rev": "060ecccc5f8c92a0705ab91ff047811efd559468",
+        "revCount": 36,
        "type": "git",
        "url": "https://git.pub.solar/pub-solar/keycloak-theme"
      },
@ -320,11 +320,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1729757100,
-        "narHash": "sha256-x+8uGaX66V5+fUBHY23Q/OQyibQ38nISzxgj7A7Jqds=",
+        "lastModified": 1732016537,
+        "narHash": "sha256-XwXUK+meYnlhdQz2TVE4Wv+tsx1CkdGbDPt1tRzCNH4=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "04193f188e4144d7047f83ad1de81d6034d175cd",
+        "rev": "61cee20168a3ebb71a9efd70a55adebaadfbe4d4",
        "type": "github"
      },
      "original": {
@ -336,11 +336,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1729449015,
-        "narHash": "sha256-Gf04dXB0n4q0A9G5nTGH3zuMGr6jtJppqdeljxua1fo=",
+        "lastModified": 1731797254,
+        "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "89172919243df199fe237ba0f776c3e3e3d72367",
+        "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
        "type": "github"
      },
      "original": {
@ -352,14 +352,14 @@
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1727825735,
-        "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
+        "lastModified": 1730504152,
+        "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
      },
      "original": {
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
      }
    },
    "root": {
@ -484,11 +484,11 @@
    },
    "unstable": {
      "locked": {
-        "lastModified": 1729665710,
-        "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=",
+        "lastModified": 1731676054,
+        "narHash": "sha256-OZiZ3m8SCMfh3B6bfGC/Bm4x3qc1m2SVEAlkV6iY7Yg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d",
+        "rev": "5e4fbfb6b3de1aa2872b76d49fafc942626e2add",
        "type": "github"
      },
      "original": {
--- a/hosts/blue-shell/wireguard.nix
+++ b/hosts/blue-shell/wireguard.nix
@ -22,7 +22,7 @@ in
        "${wireguardIPv6}/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
        {
          # trinkgenossin.pub.solar
          publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
--- a/hosts/delite/wireguard.nix
+++ b/hosts/delite/wireguard.nix
@ -22,7 +22,7 @@ in
        "${wireguardIPv6}/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
        {
          # trinkgenossin.pub.solar
          publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
--- a/hosts/metronom/wireguard.nix
+++ b/hosts/metronom/wireguard.nix
@ -18,7 +18,7 @@
        "fd00:fae:fae:fae:fae:3::/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
        {
          # nachtigall.pub.solar
          endpoint = "138.201.80.102:51820";
--- a/hosts/nachtigall/wireguard.nix
+++ b/hosts/nachtigall/wireguard.nix
@ -18,7 +18,7 @@
        "fd00:fae:fae:fae:fae:1::/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
        {
          # tankstelle.pub.solar
          endpoint = "80.244.242.5:51820";
--- a/hosts/tankstelle/wireguard.nix
+++ b/hosts/tankstelle/wireguard.nix
@ -18,7 +18,7 @@
        "fd00:fae:fae:fae:fae:4::/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
        {
          # nachtigall.pub.solar
          endpoint = "138.201.80.102:51820";
--- a/hosts/trinkgenossin/wireguard.nix
+++ b/hosts/trinkgenossin/wireguard.nix
@ -22,7 +22,7 @@ in
        "${wireguardIPv6}/96"
      ];
      privateKeyFile = config.age.secrets.wg-private-key.path;
-      peers = flake.self.logins.admins.wireguardDevices ++ [
+      peers = flake.self.logins.wireguardDevices ++ [
        {
          # nachtigall.pub.solar
          endpoint = "138.201.80.102:51820";
--- a/logins/default.nix
+++ b/logins/default.nix
@ -6,19 +6,16 @@ in
 {
  flake = {
    logins = {
-      admins =
-        lib.lists.foldl
-          (logins: adminConfig: {
-            sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
-            wireguardDevices =
-              logins.wireguardDevices
-              ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
-          })
-          {
-            sshPubKeys = [ ];
-            wireguardDevices = [ ];
-          }
-          (lib.attrsets.attrValues admins);
+      admins = admins;
+      wireguardDevices = lib.lists.foldl (
+        wireguardDevices: adminConfig:
+        wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ])
+      ) [ ] (lib.attrsets.attrValues admins);
+      sshPubKeys = lib.lists.foldl (
+        sshPubKeys: adminConfig:
+        sshPubKeys
+        ++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ])
+      ) [ ] (lib.attrsets.attrValues admins);
      robots.sshPubKeys = lib.attrsets.attrValues robots;
    };
  };
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@ -54,9 +54,5 @@
    };

    time.timeZone = "Etc/UTC";
-
-    home-manager.users.${config.pub-solar-os.authentication.username} = {
-      home.stateVersion = "23.05";
-    };
  };
 }
--- a/modules/core/nix.nix
+++ b/modules/core/nix.nix
@ -11,6 +11,17 @@
    permittedInsecurePackages = [ "olm-3.2.16" ];
  };

+  system.activationScripts.diff-closures = {
+    text = ''
+      if [[ -e /run/current-system ]]; then
+        ${config.nix.package}/bin/nix store diff-closures \
+          /run/current-system "$systemConfig" \
+          --extra-experimental-features nix-command
+      fi
+    '';
+    supportsDryActivation = true;
+  };
+
  nix = {
    # Use default version alias for nix package
    package = pkgs.nix;
--- a/modules/core/terminal-tooling.nix
+++ b/modules/core/terminal-tooling.nix
@ -1,19 +1,27 @@
-{ flake, config, ... }:
+{ flake, lib, ... }:
 {
-  home-manager.users.${config.pub-solar-os.authentication.username} = {
-    programs.git.enable = true;
-    programs.starship.enable = true;
-    programs.bash.enable = true;
-    programs.neovim = {
-      enable = true;
-      vimAlias = true;
-      viAlias = true;
-      defaultEditor = true;
-      # configure = {
-      #   packages.myVimPackages = with pkgs.vimPlugins; {
-      #     start = [vim-nix vim-surrund rainbow];
-      #   };
-      # };
-    };
-  };
+  home-manager.users = (
+    lib.attrsets.foldlAttrs (
+      acc: name: value:
+      acc
+      // {
+        ${name} = {
+          programs.git.enable = true;
+          programs.starship.enable = true;
+          programs.bash.enable = true;
+          programs.neovim = {
+            enable = true;
+            vimAlias = true;
+            viAlias = true;
+            defaultEditor = true;
+            # configure = {
+            #   packages.myVimPackages = with pkgs.vimPlugins; {
+            #     start = [vim-nix vim-surrund rainbow];
+            #   };
+            # };
+          };
+        };
+      }
+    ) { } flake.self.logins.admins
+  );
 }
--- a/modules/core/users.nix
+++ b/modules/core/users.nix
@ -11,18 +11,6 @@
      inherit (lib) mkOption types;
    in
    {
-      username = mkOption {
-        description = "Username for the adminstrative user";
-        type = types.str;
-        default = flake.self.username;
-      };
-
-      sshPubKeys = mkOption {
-        description = "SSH Keys that should have administrative root access";
-        type = types.listOf types.str;
-        default = flake.self.logins.admins.sshPubKeys;
-      };
-
      root.initialHashedPassword = mkOption {
        description = "Hashed password of the root account";
        type = types.str;
@ -43,36 +31,60 @@
    };

  config = {
-    users.users.${config.pub-solar-os.authentication.username} = {
-      name = config.pub-solar-os.authentication.username;
-      group = config.pub-solar-os.authentication.username;
-      extraGroups = [
-        "wheel"
-        "docker"
-      ];
-      isNormalUser = true;
-      openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
-    };
-    users.groups.${config.pub-solar-os.authentication.username} = { };
+    users.users =
+      (lib.attrsets.foldlAttrs (
+        acc: name: value:
+        acc
+        // {
+          ${name} = {
+            name = name;
+            group = name;
+            extraGroups = [
+              "wheel"
+              "docker"
+            ];
+            isNormalUser = true;
+            openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
+          };
+        }
+      ) { } flake.self.logins.admins)
+      // {
+        # TODO: Remove when we stop locking ourselves out.
+        root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;
+        root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;

-    # TODO: Remove when we stop locking ourselves out.
-    users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
+        ${config.pub-solar-os.authentication.robot.username} = {
+          description = "CI and automation user";
+          home = "/home/${config.pub-solar-os.authentication.robot.username}";
+          createHome = true;
+          useDefaultShell = true;
+          uid = 998;
+          group = "${config.pub-solar-os.authentication.robot.username}";
+          isSystemUser = true;
+          openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
+        };
+      };

-    users.users.${config.pub-solar-os.authentication.robot.username} = {
-      description = "CI and automation user";
-      home = "/home/${config.pub-solar-os.authentication.robot.username}";
-      createHome = true;
-      useDefaultShell = true;
-      uid = 998;
-      group = "${config.pub-solar-os.authentication.robot.username}";
-      isSystemUser = true;
-      openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
-    };
+    home-manager.users = (
+      lib.attrsets.foldlAttrs (
+        acc: name: value:
+        acc
+        // {
+          ${name} = {
+            home.stateVersion = "23.05";
+          };
+        }
+      ) { } flake.self.logins.admins
+    );

-    users.groups.${config.pub-solar-os.authentication.robot.username} = { };
-
-    users.users.root.initialHashedPassword =
-      config.pub-solar-os.authentication.root.initialHashedPassword;
+    users.groups =
+      (lib.attrsets.foldlAttrs (
+        acc: name: value:
+        acc // { "${name}" = { }; }
+      ) { } flake.self.logins.admins)
+      // {
+        ${config.pub-solar-os.authentication.robot.username} = { };
+      };

    security.sudo.wheelNeedsPassword = false;
  };
--- a/modules/coturn/default.nix
+++ b/modules/coturn/default.nix
@ -5,9 +5,8 @@
  ...
 }:
 {
-  age.secrets."nachtigall-coturn-static-auth-secret" = {
-    file = "${flake.self}/secrets/nachtigall-coturn-static-auth-secret.age";
-    path = "/run/agenix/coturn-static-auth-secret";
+  age.secrets."coturn-static-auth-secret" = {
+    file = "${flake.self}/secrets/coturn-static-auth-secret.age";
    mode = "400";
    owner = "turnserver";
  };
@ -19,7 +18,7 @@
    min-port = 49000;
    max-port = 50000;
    use-auth-secret = true;
-    static-auth-secret-file = config.age.secrets."nachtigall-coturn-static-auth-secret".path;
+    static-auth-secret-file = config.age.secrets."coturn-static-auth-secret".path;
    realm = "turn.${config.pub-solar-os.networking.domain}";
    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
--- a/modules/forgejo/default.nix
+++ b/modules/forgejo/default.nix
@ -141,6 +141,12 @@
        LOGIN_REMEMBER_DAYS = 365;
      };

+      # See https://docs.gitea.com/administration/config-cheat-sheet#migrations-migrations
+      migrations = {
+        # This allows migrations from the same forgejo instance
+        ALLOW_LOCALNETWORKS = true;
+      };
+
      # https://forgejo.org/docs/next/admin/config-cheat-sheet/#indexer-indexer
      indexer = {
        REPO_INDEXER_ENABLED = true;
--- a/modules/matrix-irc/default.nix
+++ b/modules/matrix-irc/default.nix
@ -35,7 +35,8 @@ in
          port = 1113;
        };
        logging = {
-          level = "debug";
+          # set to debug for debugging
+          level = "warn";
          maxFiles = 5;
          toCosole = true;
        };
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@ -283,7 +283,9 @@ in
      createDatabase = true;
      extraConfigFiles = config.pub-solar-os.matrix.matrix-authentication-service.extra-config-files;

+      # https://element-hq.github.io/matrix-authentication-service/reference/configuration.html
      settings = {
+        account.email_change_allowed = false;
        http.public_base = "https://mas.${config.pub-solar-os.networking.domain}";
        http.issuer = "https://mas.${config.pub-solar-os.networking.domain}";
        http.listeners = [
--- a/modules/prometheus/alert-rules.nix
+++ b/modules/prometheus/alert-rules.nix
@ -142,8 +142,8 @@ lib.mapAttrsToList

    cpu_using_90percent = {
      condition = ''100 - (avg by (instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) >= 90'';
-      time = "10m";
-      description = "{{$labels.instance}} is running with cpu usage > 90% for at least 10 minutes: {{$value}}";
+      time = "20m";
+      description = "{{$labels.instance}} is running with cpu usage > 90% for at least 20 minutes: {{$value}}";
    };

    reboot = {
@ -234,10 +234,10 @@ lib.mapAttrsToList
      };
    */

-    host_memory_under_memory_pressure = {
-      condition = "rate(node_vmstat_pgmajfault[1m]) > 1000";
-      description = "{{$labels.instance}}: The node is under heavy memory pressure. High rate of major page faults: {{$value}}";
-    };
+    #host_memory_under_memory_pressure = {
+    #  condition = "rate(node_vmstat_pgmajfault[1m]) > 1000";
+    #  description = "{{$labels.instance}}: The node is under heavy memory pressure. High rate of major page faults: {{$value}}";
+    #};

    # ext4_errors = {
    #   condition = "ext4_errors_value > 0";
--- a/modules/unlock-luks-on-boot/default.nix
+++ b/modules/unlock-luks-on-boot/default.nix
@ -10,7 +10,7 @@

      # Please create this manually the first time.
      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
-      authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
+      authorizedKeys = flake.self.logins.sshPubKeys;
    };
    postCommands = ''
      # Automatically ask for the password on SSH login
--- a/modules/unlock-zfs-on-boot/default.nix
+++ b/modules/unlock-zfs-on-boot/default.nix
@ -11,7 +11,7 @@

      # Please create this manually the first time.
      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
-      authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
+      authorizedKeys = flake.self.logins.sshPubKeys;
    };
    # this will automatically load the zfs password prompt on login
    # and kill the other prompt so boot can continue
--- a/secrets/nachtigall-coturn-static-auth-secret.age
+++ b/secrets/nachtigall-coturn-static-auth-secret.age
--- a/secrets/drone-db-secrets.age
+++ b/secrets/drone-db-secrets.age
@ -1,43 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 Y0ZZaw 5slOxDM4xGALMpYxFm1WBX4Sds7itgPBMIiY97d7Egk
-mZNzn4I6obUHAdox6eVR4H82EZagZ1IrCcq0CDtK44Y
-> ssh-ed25519 uYcDNw w5lzhmA8wIMXihKF25d5jx4/Cc5BFE3Lw6ad60b0wBg
-v9z03cpts6oVlcTQ48hMw8rjWHp1JUOov2qCUjFN4bs
-> ssh-rsa f5THog
-A93Usdjf6yJFLFqDiy6UUIJ4faBgQXIvk0pZlABlj9M5n7fSf9uzR6sSih4HNCvm
-sMkZ4wKyQHJnUB4Uc2jGrdcWqpmP5MLYHhj74Rxsi6heZuCRf94KH7sE/03A958w
-jAV4v9z4EqmkvWLNQi/hxMVMs5A61Vs63WIX/TA6vhL8Yrn0FeIKlRZYUVIeMu42
-pbEuLWeIzbUioAuEA1ZKV5VDx+6ack8TS/Dj5bTNEnzFWpjnHjO0/GeQU+aaQZTe
-Zy325TcRosT0V7PIh0tDQZKKRpOH/e9LnDkd8NIjyfEsGdDYaP1EVOYVxPCqUDAh
-A0kV1kkTiBzaXDkuakc+HDCIxtYXLWthsmbD+vI3D7FlTl0CY4fOP0wwO/0rS5Yp
-KDuxjz89II1H4+ZvlcPUihyW7OEj4d+NwFQy+7Qq0Y9Ii0NONXNsnx17FKXJwOMo
-NKyLo097FvHV7k8F9wv9mmZboRulDAoRyDngeO0+SJA90uJass04DuiZvK+g3Hry
-xVzbkk59j9EQqUogopW/oSeSbUP0pvcKOahGcSIW8vmadDTgnN7zzqf3fq+dJ2TM
-QD2IXAwvoTFBE+9DnPOtptk1X1D2umZuAWTzGAseXOImrPFZ+bEr5MV3qLGlg7sL
-yA7Mvbp4diVdH5aePzeBefhxrYphz+yfCbELFTYam9g
-> ssh-rsa kFDS0A
-Ng0FhTDjASWJkrlNh+UZxU/dU/wfmoV1/fwTv6Xg69k/2qU9lk0oR6e5xAimvX6u
-h7rKAYt3zSRIFveGczPCflC1nycG9wLSpaoJghav+q+muoDQ/fbSKSgHFXITC7Me
-f/wblyWvJsUQbjxSW3g6/8EGz6FvpTnycPtD2vbRj+Ctq72GPA2ZWg/OC4jAUlDs
-r6X0Ql2jwWzy3Y12v0mPknlBezN8cIfjBmoNOWokUeGJIBjujlS7loA1yif09BLg
-PTSLCY1YH3QYcm6lCXK0HaNcMjSSk/ZK9D0wROriF9PBbkpWgg5NlIrqGaeqPN9z
-QwRR2DvhuCa1br57F36Y2LKGphYjmhWAtzCyQ0h9YQ+AzEy9uFCbK0IFyyeVl/fN
-+HBGgxacJBcEGsNV3mbJvh6dn1348eex0GgaQEf1B/lu/y66WHbmSqVyUDfWkqEz
-IytAC43VT2rKgg+B5u0d/JhLDLwXTp7iVDy52ul1n7keJHk8t1GDaufAXbWqalQ4
-vuyxs6ghSIXUi27IZrYblg/OEPFTBfcoMXkmCgyx5a+eK+DhnBazWjy5j+vgp2so
-ZQRQurbG02qpZasTwBM3iy4ZklX/uFjsKnk0c/YcmK4YcMviHcQQjdjKruEE93u+
-Za1KE+qZGLkhFCd9O3ZPMtEjRjpN10XIs5ylKQ9MKU4
-> piv-p256 vRzPNw AiNjNIR0OGHBu5Qn+bvn+Lk5VnpI2BQ3eJ3+2/FTJfZC
-elT3acRVdmtBl0qC5YbvfntxkJrsZwEJqlF6aN5hhWw
-> piv-p256 zqq/iw AjIzSibkqG+YcP894QekM61Wsty6MaKBghlWapHfU0Jn
-HyXBp8DxtnNsfuzZq13bwgma5CzLTf3UB5Eht6XUwe8
-> ssh-ed25519 YFSOsg WRBQZZYM+X26hfoH4zvNWQulZvVWP/Ha5OgkUmGK/Q4
-5Hw4ZDNawn5YRC673Op/sbpexOKeL3gez2B7oZxUKhA
-> ssh-ed25519 iHV63A wyr8R4DlqLAu0XypddVoFimK2ZMncWaa+KWV7vMEQm8
-puV3g1t5AbnEgC0S1U4ft1evB7KuNppEi1g/AtxHgWE
-> ssh-ed25519 BVsyTA 0N3iyyGqTCRAHHcK7QfN5xRttorc2E2GL0RDTIVIBU4
-Bph0OujqmXzi9IswduX9Mbh+yRdPKOwCf3fBv2zUzqI
-> ssh-ed25519 +3V2lQ 0p90VtsxWyGFaeeoTISIxQRyeKVk0HoGGq71tjpIPjg
-sRf73Tp3BJ0DsTnJO2xVGyCKjaX7C7oydXj+39dKMUg
--- +/HCG0s/x+c03NG5qrgliJ+5EXXI6UnuJz5XDv2aphY
-ÞšÂ<>™Ý@»=£L¬“7*®„ÐFq<46>UÒ*ûUê¿‰»È$e=þLgJ|*1Ï½BÚE ZG—_Ü5ê²ð—²ŽíÂ,òöÛi<C39B>_'¸d7
Ý3Ú“Nä3ãç¡*»ðªê<C2AA>£ŽáŽòqýŸ‰Oy#¶([l³†pÄf¼õ¾¥ö
--- a/secrets/drone-secrets.age
+++ b/secrets/drone-secrets.age
--- a/secrets/forgejo-actions-runner-token.age
+++ b/secrets/forgejo-actions-runner-token.age
@ -1,43 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 Y0ZZaw tm4AmC8yXPgR82lgsQR4VZn4xfGiK8o6fIn8pKPY6XQ
-IDnsYVD8noh2HdPNvjY/M5G+meR5rwvVI5SVN/cHEVM
-> ssh-ed25519 uYcDNw ZB7GyOvD8S8XLqE1AeMXWTPcJnvEntWbZ7TGg8CJVxc
-Bfb/+P2DEiKI9ZWH105rLAYQXTUwWftWtudUGnVtjSU
-> ssh-rsa f5THog
-Q3Hqks6BMGmP8TXnUkbblO8btrVdls7AUdxDW8e/w5biis/4awZVBHuZCLpiasM7
-7RWXcUep2VVyfCMb+8tedaf5a1MpGPDkZvdbxhfDVWZakh7vsEnth+gK2QsV0h8e
-eIgfDMA9J6DHXNCr4EYSf22PxY12KPqGqsMpVBhOZQuXoJwJy0ob3jbJEOYfPlu6
-V+TLYQNGQ2UQ+A7zjpUrGz1L+u7rUejY4Rv1BmCakg1bLEs8oSDmIVmsuVmFPqOI
-wqQJvnYlRAdioVQZwYCiqJech2QJ0ZhtC/ZeVp4c6TgFwB1ottxiAI8l7Bz1nFzW
-/E85qU3Jkh1tcNcLsVHj8+tnxwn1SSQ3xQxcOT9l1Po98sNapK7mwd/xx3pJ1hH8
-5YUQAtG80e5YmOBxkabVI4s612wACfK9JrIdL+uyIIzGeNHgoimjx7GuOCQ2ut6L
-gj/+Rcv3e0ERkNaXTXGkcdrsMTt45lGmyxUgxz6lbHgtqq+r+BHogiQ9cdPKwXuK
-wom4AvaMOBKCxtB4qVsuNHRd0I8OaA9Ab9SUvHCRvzCkJRHP4qc0zRJif7Rk4qRl
-rAGYwVxq3DRk2HHCQCYC26VqLU6B5LuAAqOipVhOeTfbgaSGD6Wfrt+XBBPmWB7o
-i9zDrk5GKehsPeDKgjh9uVd1y+IBHcWoYBxR5WPTYnA
-> ssh-rsa kFDS0A
-HS3y8/5wAej0jv0sQqhdGwWd79vUwkrLkoKKPmqo9HlJaO70Cr1bnAIdyA8PBphs
-NIRjIcdClbUBuelZudzuhHuEzH8/JMAVwgHoIiUxviEIr6JpJVBagtvSHp1nfDdn
-x/hkpt2isSYb6fVzYgewqkdD3tv9XEm/WR2JmzlfaNTV9N9x/HNJYy5iYoTWRxKr
-e8R7txdmgRaDDxpbkJdWBcoV9HVgytTMtvBkqGViWzaFDopb9nDlfN/C7/BkCp6H
-9b65JqznpIChoJV7+sK5SEw8VcFj7ikIHzREWscEn8XBb7Kth2iVukaEPM+BgGZz
-Irk0IdkSb/XmQFwsOLnQViwUjkFXGXwHyMdHIcU2qEzZ4PN0PgEengILt9vqWJs0
-qHxrA7sKiC1D8S0i1+Dn+DiI//1s5Bbmp1jk626tH6fNKqSOlpwM47IGArTxCAFd
-NMinIBnR47DUCXWheirsWF6yP7kwX7vOW1dR4UVJJnVPKkgjklwCZvJiNAo0Soo+
-95zuugaeobsJ+qz2Pv+l8BGYriOFpRIAu7YTy9yY7mqHwC5MoeY0G8eNg5UmEzFz
-JsEbKPsZcsMg4WdywzLU2aufK4M/Cd7lVPGZzuZ8hJHBF/EvTFov7L/HK5VnhZar
-CYtILdyiVvmMZ7dhEARG1GG988W9wMendikmKpM4dTA
-> piv-p256 vRzPNw AuCJRxHGmvv25VTHpnbfMLyLIj8K+daFD97wwHvFAqHl
-m4lPR+5h3+xmdL0OBfmNoxSM/O5Ca+2lVRLwITUtVmQ
-> piv-p256 zqq/iw ApNbp/6seWw6gCj/QWKLYlmuHaqdaSKVI+Hup1fKAO2O
-xpNXgDXMVFe15eS+L9lGaI0Ip2F13SuhjCTQLDtBIr0
-> ssh-ed25519 YFSOsg v9BtvUZh5HIvN7nsnErVrHbWTwRhWpj/SlHoiiJSIR0
-ol9z9juHfOCuZsSpuRl/zGFuJg5RzpKK1YnX+VDLDTA
-> ssh-ed25519 iHV63A yfa9P22C7+wCMqtRRSyiOhcFnLWPI50jMWxWpLarMT8
-VpU+Uv/20JJGkTWTATiF5JImMsDKwyHMj+Wp0mMC/MQ
-> ssh-ed25519 BVsyTA dUj/mHSyOm61h2ETa4tSX7Cyf+KRN8AMXCVKwMbJTE0
-E1EEPqVQSqlxSAi7DaMlaS1Az1D5XsasrPrIdwylSAE
-> ssh-ed25519 +3V2lQ AWBlXeuJq76UgQR0xQVPMN0NUq/mqa2iDlIDBBp/Wjo
-XiliN4FB5YQ7qmTyV3AIbvoCY8UoGS6Vi5LpVWrH9kg
--- V4Tp84/WJUM+/l+eEjlypE4Lx47BtkGFpEnNIdIB35E
-ô¡qzîL¡çzYNŽv×0[¿AöKN<ÛÀ<C39B>ö¦÷:,D<>¢S¹:!$`Õw©^‡àŽhi†O'(ž7!=ÿC(ÿï>´ûDÐ¾ÙFÐ=J
--- a/secrets/restic-password-droppie.age
+++ b/secrets/restic-password-droppie.age
@ -1,29 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 iDKjwg tSrbeVPpTxjeuCg6JiOdeIcaGWq/PUOyXrt+ZNIWmzI
-fz4B2nMu36G1DYPyNiu30Txx4cOLGyUreuBLqktORhY
-> ssh-ed25519 uYcDNw zySKp8qUnCKOCbIP17bWYvJ/TsKxLl/v/AEsfVQpHTc
-SYqaUEXJ7mSA2wY6I3i/hirEiqvXVnWH1NYtXbaMzbw
-> ssh-rsa kFDS0A
-MiyJjq7nn9B+PF9Lf6vD496FZUnUy5zI9H2kunJLhmYnr+7ZJaPGI+MW0cuPjsmM
-1XhmUC72zA9WTiuReGijl9GhIyU0D6vPx+ezQrx18dUGRJEqnvk5C75SCUuPGtUi
-DamPxJc781mnDSyW91MgRrqlBVwhfJ9Zmws3+/j8LODWb0T9Jvy0ywmFX4ilapr9
-6dqbNmwBZkfh2CKB9LtMG/DuSNicgHscpt4Mt7EogJRdgBrGIcA1u8BXUOwf+R8G
-Ya8VzoQV0iVhGtbff3g/6/0+UX9KEZBQc/aiT2ItrgUmgMyjAZo13Dj3pD2wPdfa
-t346symp7bcYxRea/U0hfmPdnixIKgBLTUZkzrMFza26QOvnSwiMxWY+//Vmbp3z
-0YCsyOQTQJVB+Q0pYE0+9EVI9bInP0LxHhM7mIdJroscRtY1YphjZUlFmcUXk0iC
-5g3/wdLr8KdT4aZ93m4WVgkBUzg8chhfMHb9uFvpHT9xeZHrV3u30TuJpmmuqMXK
-JD3+9xRzNVHwvfZuhD8B3vkK2tYO7pTxJytkJtdolx/uSju8SCm9F4lwt5y8rQd4
-7676QS0IWS1WItcpLrsgk9nWZUNzy78gBc39jtJUOsFDqJSdAWACq/jgYpnx6Bja
-5aZonRAp3fyCEavUpS4AQUJZGVx9EFp9LqXeUiIkCJU
-> ssh-ed25519 YFSOsg vJ7xw4zDSKBFuv8FT6ZnB83uGwHDnDsEwsvQ6urZkEk
-gOkuwjOX8U/qmPuGrPPb+FYy6PuJjrgCNFYrukkaIPA
-> ssh-ed25519 iHV63A FzZRHQB39iDTLm4y1QLWtfDi3jZn6i59nuSlf0d5mww
-5kiyKN7KFTv8pJgRAZTUMgR2+TInByFotDhAw307P6g
-> ssh-ed25519 BVsyTA rTjBaEI6AwwmpK9Q8elVJaSN60deXOMEmZPrsH9O1nY
-HikNbHzx3BEJ3hn4YPFr2p/cnSu3qr9cvgdKCxN6xY8
-> h|2u%UF\-grease Gcp2NG
-y6OjgzrOYEVgrY2+fv8a1xrVuoHQIPncGuGeLI0zHh4xf1qbzD2vKYp+W1fRBE8d
-/yPEGUe/T/ZjO+F4oF266HUR23wancFeFoGpfJgWQVS2oc0Z4aMuNebf/+Kw087W
-
--- GJBLNxBoH7vI1mkcCmfbm9UiG4xuwIOWS7IaJKuO6cc
-C<EFBFBD>3=¼,¦{-TçÄéÈµ	™-ˆ]äÌ·»æq=‡“û
Òú–=~}Î1®˜ lß„¿fúì_[žU_å›A€G.ÒdŽêÖrëa`×åUyÉPt+Ì½òö‡¯!<
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -92,7 +92,7 @@ in
  "mediawiki-oidc-client-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
  "mediawiki-secret-key.age".publicKeys = nachtigallKeys ++ adminKeys;

-  "nachtigall-coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
+  "coturn-static-auth-secret.age".publicKeys = nachtigallKeys ++ adminKeys;

  "grafana-admin-password.age".publicKeys = trinkgenossinKeys ++ adminKeys;
  "grafana-keycloak-client-secret.age".publicKeys = trinkgenossinKeys ++ adminKeys;
--- a/tests/keycloak.nix
+++ b/tests/keycloak.nix
@ -66,7 +66,7 @@ in
  testScript =
    { nodes, ... }:
    let
-      user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username};
+      user = nodes.client.users.users.b12f;
      #uid = toString user.uid;
      bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
      gdbus = "${bus} gdbus";
--- a/tests/support/client.nix
+++ b/tests/support/client.nix
@ -11,7 +11,7 @@
  services.xserver.displayManager.gdm.enable = true;
  services.xserver.desktopManager.gnome.enable = true;
  services.xserver.displayManager.autoLogin.enable = true;
-  services.xserver.displayManager.autoLogin.user = config.pub-solar-os.authentication.username;
+  services.xserver.displayManager.autoLogin.user = "b12f";

  systemd.user.services = {
    "org.gnome.Shell@wayland" = {
Author	SHA1	Message	Date
b12f	eb63779bb6	auth: use all sshPubKeys for disk unlock, fix tests, fix hm config All checks were successful Flake checks / Check (pull_request) Successful in 28m11s Details	2024-11-20 16:49:39 +01:00
b12f	acc537decd	hosts: use correct wireguardDevices option	2024-11-20 16:49:39 +01:00
b12f	2b72d9a5a8	style: run nix fmt	2024-11-20 16:49:39 +01:00
b12f	5366d07d44	auth: add user for each administrator After this has been tested successfully, root SSH login can be disabled. The advantages of having a user for each adminstrator: * Better security analysis: who issued executed what command, who touched which file, who used sudo at which time. * Possibility of granular access, e.g. person X is only allowed to manage service Y	2024-11-20 16:49:38 +01:00
teutat3s	10f71b1959	Merge pull request 'maintenance: update element-web, forgejo, nextcloud, matrix-synapse and others' (#269 ) from flake-updates into main Reviewed-on: #269 Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>	2024-11-19 16:10:57 +00:00
teutat3s	8b8833e9c9	flake.lock: Update Some checks failed Flake checks / Check (pull_request) Has been cancelled Details Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc' (2024-11-10) → 'github:nix-community/disko/639d1520df9417ca2761536c3072688569e83c80' (2024-11-18) • Updated input 'nix-darwin': 'github:lnl7/nix-darwin/5c74ab862c8070cbf6400128a1b56abb213656da' (2024-11-09) → 'github:lnl7/nix-darwin/61cee20168a3ebb71a9efd70a55adebaadfbe4d4' (2024-11-19) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/9256f7c71a195ebe7a218043d9f93390d49e6884' (2024-11-10) → 'github:nixos/nixpkgs/e8c38b73aeb218e27163376a2d617e61a2ad9b59' (2024-11-16) • Updated input 'unstable': 'github:nixos/nixpkgs/76612b17c0ce71689921ca12d9ffdc9c23ce40b2' (2024-11-09) → 'github:nixos/nixpkgs/5e4fbfb6b3de1aa2872b76d49fafc942626e2add' (2024-11-15)	2024-11-19 16:30:13 +01:00
teutat3s	280dc37aa0	Merge pull request 'matrix-authentication-service: disable changing mail address' (#271 ) from matrix-mas-disable-email-change into main Reviewed-on: #271 Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>	2024-11-19 15:29:15 +00:00
teutat3s	3d8fe3cef2	Merge pull request 'prometheus: disable daily e2e notification again' (#270 ) from alert-disable-e2e into main Reviewed-on: #270 Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>	2024-11-19 15:29:04 +00:00
teutat3s	213c06ca87	matrix-authentication-service: disable changing mail All checks were successful Flake checks / Check (pull_request) Successful in 22m45s Details address. This should be done via auth.pub.solar	2024-11-19 13:57:23 +01:00
teutat3s	a491680165	prometheus: disable daily e2e notification again All checks were successful Flake checks / Check (pull_request) Successful in 27m35s Details	2024-11-19 13:56:42 +01:00
b12f	1ae1f68ce2	Merge pull request 'modules/forgejo: allow migrations from local networks' (#262 ) from forgejo/allow-local-migrations into main Reviewed-on: #262 Reviewed-by: teutat3s <teutat3s@noreply.git.pub.solar>	2024-11-14 11:10:44 +00:00
b12f	87f9bc92df	modules/forgejo: allow migrations from local networks	2024-11-14 11:10:44 +00:00
teutat3s	3b29b847b0	Merge pull request 'coturn: fix secret path' (#265 ) from fix-coturn-secret into main Reviewed-on: #265 Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>	2024-11-13 20:39:47 +00:00
teutat3s	4923f033f5	coturn: fix secret path Some checks are pending Flake checks / Check (pull_request) Waiting to run Details this is fallout that was overlooked in #250	2024-11-13 21:25:12 +01:00
teutat3s	2424a3ec8b	Merge pull request 'keycloak: fix registration with pub.solar theme' (#264 ) from fix-keycloak-theme-for-registration into main Reviewed-on: #264 Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>	2024-11-13 19:48:15 +00:00
teutat3s	b41edf0cfb	Merge pull request 'core: add activationScript to show closure diff' (#260 ) from closure-diffs into main Reviewed-on: #260 Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>	2024-11-13 19:47:17 +00:00
teutat3s	0d6da8d678	Merge pull request 'maintenance: updates for element-web, forgejo, matrix-synapse and others' (#259 ) from flake-updates into main Reviewed-on: #259 Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>	2024-11-13 19:47:05 +00:00
teutat3s	b87670d07d	keycloak: fix registration with pub.solar theme Some checks failed Flake checks / Check (pull_request) Failing after 56m37s Details This pulls in changes from * pub-solar/keycloak-theme#3 * pub-solar/keycloak-theme#4	2024-11-13 20:34:38 +01:00
teutat3s	73333537a5	Merge pull request 'alertmanager: alert on high load only after 20m' (#255 ) from alerts-tweak-load into main Reviewed-on: #255 Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>	2024-11-12 14:47:53 +00:00
teutat3s	45d3b939bf	Merge pull request 'matrix-appservice-irc: reduce logging level to warn' (#256 ) from irc-reduce-logging into main Reviewed-on: #256 Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>	2024-11-12 14:47:44 +00:00
teutat3s	904c7ed1e4	Merge pull request 'secrets: remove leftover secret files' (#257 ) from secrets-cleanup into main Reviewed-on: #257 Reviewed-by: hensoko <hensoko@noreply.git.pub.solar>	2024-11-12 14:47:35 +00:00
teutat3s	ab85ba751a	alertmanager: enable e2e_dead_man_switch All checks were successful Flake checks / Check (pull_request) Successful in 23m13s Details	2024-11-12 13:41:42 +01:00
teutat3s	a9c5edfeb3	alertmanager: don't alert on high memory page faults This alert is non actionable, we still monitor high memory usage.	2024-11-12 13:40:46 +01:00
teutat3s	7067d93ee2	flake.lock: Update All checks were successful Flake checks / Check (pull_request) Successful in 40m40s Details Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/09a776702b004fdf9c41a024e1299d575ee18a7d' (2024-10-23) → 'github:nix-community/disko/486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc' (2024-11-10) • Updated input 'flake-parts': 'github:hercules-ci/flake-parts/3d04084d54bedc3d6b8b736c70ef449225c361b1' (2024-10-01) → 'github:hercules-ci/flake-parts/506278e768c2a08bec68eb62932193e341f55c90' (2024-11-01) • Updated input 'flake-parts/nixpkgs-lib': '`fb192fec7c`.tar.gz?narHash=sha256-0xHYkMkeLVQAMa7gvkddbPqpxph%2BhDzdu1XdGPJR%2BOs%3D' (2024-10-01) → '`cc2f280002`.tar.gz?narHash=sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s%3D' (2024-11-01) • Updated input 'nix-darwin': 'github:lnl7/nix-darwin/04193f188e4144d7047f83ad1de81d6034d175cd' (2024-10-24) → 'github:lnl7/nix-darwin/5c74ab862c8070cbf6400128a1b56abb213656da' (2024-11-09) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/89172919243df199fe237ba0f776c3e3e3d72367' (2024-10-20) → 'github:nixos/nixpkgs/9256f7c71a195ebe7a218043d9f93390d49e6884' (2024-11-10) • Updated input 'unstable': 'github:nixos/nixpkgs/2768c7d042a37de65bb1b5b3268fc987e534c49d' (2024-10-23) → 'github:nixos/nixpkgs/76612b17c0ce71689921ca12d9ffdc9c23ce40b2' (2024-11-09)	2024-11-11 20:05:12 +01:00
teutat3s	e48fe612e2	core: add activationScript to show closure diff All checks were successful Flake checks / Check (pull_request) Successful in 23m35s Details This is useful when updating a host, by doing a dry-run with deploy-rs we get a list of changed package versions.	2024-11-11 18:02:47 +01:00
teutat3s	34ce43a5e0	secrets: remove leftover secret files Some checks failed Flake checks / Check (pull_request) Has been cancelled Details After cleanup: ❯ find ./secrets -type f -name "*.age" \| wc -l 64 ❯ rg publicKeys secrets/secrets.nix \| wc -l 64	2024-11-07 12:22:27 +01:00
teutat3s	43b0c8d489	matrix-appservice-irc: reduce logging level to warn All checks were successful Flake checks / Check (pull_request) Successful in 22m38s Details	2024-11-06 21:29:27 +01:00
teutat3s	afe52ca6af	alertmanager: alert on high load only after 20m All checks were successful Flake checks / Check (pull_request) Successful in 2m8s Details	2024-11-06 21:28:28 +01:00