pub-solar/infra
6
1
Fork 3
Code Issues 27 Pull requests 11 Projects 1 Releases Packages Wiki Activity Actions

Compare commits

base: pub-solar:main
Branches Tags
pub-solar:main
pub-solar:hensoko-docs-nixos-anywhere
pub-solar:nextcloud-add-comment
pub-solar:forgejo-fix-mailer-password
pub-solar:nextcloud-skeleton
pub-solar:feat/automated-account-deletion
pub-solar:keycloak-temp-file-del
pub-solar:feat/automated-account-deletion-24.11
pub-solar:matrix-rendezvous-server
pub-solar:ssl-cert-warning
pub-solar:feat/matrix-moderation-draupnir
pub-solar:nginx-maintenance
pub-solar:feat/matrix-moderation
pub-solar:fix/use-nix-firewall-nat-feature-for-forgejo-redirect
pub-solar:feat/loomio
pub-solar:feat/matrix-hookshot
pub-solar:feat/libreddit
pub-solar:feat/invidious
..
compare: pub-solar:feat/matrix-moderation-draupnir
Branches Tags
pub-solar:hensoko-docs-nixos-anywhere
pub-solar:nextcloud-add-comment
pub-solar:main
pub-solar:forgejo-fix-mailer-password
pub-solar:nextcloud-skeleton
pub-solar:feat/automated-account-deletion
pub-solar:keycloak-temp-file-del
pub-solar:feat/automated-account-deletion-24.11
pub-solar:matrix-rendezvous-server
pub-solar:ssl-cert-warning
pub-solar:feat/matrix-moderation-draupnir
pub-solar:nginx-maintenance
pub-solar:feat/matrix-moderation
pub-solar:fix/use-nix-firewall-nat-feature-for-forgejo-redirect
pub-solar:feat/loomio
pub-solar:feat/matrix-hookshot
pub-solar:feat/libreddit
pub-solar:feat/invidious

1 commit
main ... feat/matri

Author SHA1 Message Date
teutat3s
7ca53774ce
wip: matrix moderation with draupnir
All checks were successful
Flake checks / Check (pull_request) Successful in 5m38s
Details
2024-07-04 13:08:20 +02:00
185 changed files with 2374 additions and 6435 deletions
Show stats Expand all files Collapse all files

37
.editorconfig
View file

@ -20,8 +20,41 @@ indent_style = unset
indent_size = unset indent_size = unset
[{.*,secrets}/**] [{.*,secrets}/**]
end_of_line = false end_of_line = unset
insert_final_newline = false insert_final_newline = unset
trim_trailing_whitespace = unset
charset = unset
indent_style = unset
indent_size = unset
[*.rom]
end_of_line = unset
insert_final_newline = unset
trim_trailing_whitespace = unset
charset = unset
indent_style = unset
indent_size = unset
[*.py]
indent_size = 4
[*.md]
max_line_length = off
trim_trailing_whitespace = false
# Ignore diffs/patches
[*.{diff,patch}]
end_of_line = unset
insert_final_newline = unset
trim_trailing_whitespace = unset
indent_size = unset
charset = unset
indent_style = unset
indent_size = unset
[{.*,secrets}/**]
end_of_line = unset
insert_final_newline = unset
trim_trailing_whitespace = unset trim_trailing_whitespace = unset
charset = unset charset = unset
indent_style = unset indent_style = unset

17
.forgejo/workflows/check.yml
View file

@ -10,7 +10,7 @@ jobs:
- name: Check formatting - name: Check formatting
run: | run: |
nix --accept-flake-config --access-tokens '' develop --command treefmt --ci nix --accept-flake-config --access-tokens '' develop --command treefmt --fail-on-change
- name: Run flake checks - name: Run flake checks
run: | run: |
@ -18,7 +18,14 @@ jobs:
# Prevent cache garbage collection by creating GC roots # Prevent cache garbage collection by creating GC roots
mkdir -p /var/lib/gitea-runner/tankstelle/.local/state/nix/results mkdir -p /var/lib/gitea-runner/tankstelle/.local/state/nix/results
sed -i 's/virtualisation.cores .*/virtualisation.cores = 16;/' tests/keycloak.nix for target in $(nix flake show --json --all-systems | jq '
sed -i 's/virtualisation.memorySize .*/virtualisation.memorySize = 16384;/' tests/keycloak.nix .["nixosConfigurations"] |
# 1 eval-worker needs about 13GB of memory to_entries[] |
nix --accept-flake-config --access-tokens '' develop --command nix-fast-build --no-nom --skip-cached --systems "x86_64-linux" --max-jobs 10 --eval-workers 2 --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/nix-fast-build .key
' | tr -d '"'
); do
nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
build --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/"$target" ".#nixosConfigurations.${target}.config.system.build.toplevel"
done
nix --print-build-logs --verbose --accept-flake-config --access-tokens '' flake check

45
docs/administrative-access.md
View file

@ -28,18 +28,18 @@ People with admin access to the infrastructure are added to [`logins/admins.nix`
SSH is not reachable from the open internet. Instead, SSH Port 22 is protected by a wireguard VPN network. Thus, to get root access on the servers, at least two pieces of information have to be added to the admins config: SSH is not reachable from the open internet. Instead, SSH Port 22 is protected by a wireguard VPN network. Thus, to get root access on the servers, at least two pieces of information have to be added to the admins config:
1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`. 1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`.
2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network uses the subnets `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair). 2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).
One can access our hosts using this domain scheme: One can access our hosts using this domain scheme:
``` ```
ssh <unix-username>@<hostname>.wg.pub.solar ssh barkeeper@<hostname>.wg.pub.solar
``` ```
So, for example for `nachtigall`: So, for example for `nachtigall`:
``` ```
ssh teutat3s@nachtigall.wg.pub.solar ssh barkeeper@nachtigall.wg.pub.solar
``` ```
Example NixOS snippet for WireGuard client config Example NixOS snippet for WireGuard client config
@ -63,6 +63,12 @@ Example NixOS snippet for WireGuard client config
#endpoint = "138.201.80.102:51820"; #endpoint = "138.201.80.102:51820";
persistentKeepalive = 15; persistentKeepalive = 15;
} }
{ # flora-6.pub.solar
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [ "10.7.6.2/32" "fd00:fae:fae:fae:fae:2::/96" ];
endpoint = "80.71.153.210:51820";
persistentKeepalive = 15;
}
{ # metronom.pub.solar { # metronom.pub.solar
publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo="; publicKey = "zOSYGO7MfnOOUnzaTcWiKRQM0qqxR3JQrwx/gtEtHmo=";
allowedIPs = [ "10.7.6.3/32" "fd00:fae:fae:fae:fae:3::/96" ]; allowedIPs = [ "10.7.6.3/32" "fd00:fae:fae:fae:fae:3::/96" ];
@ -79,39 +85,6 @@ Example NixOS snippet for WireGuard client config
#endpoint = "80.244.242.5:51820"; #endpoint = "80.244.242.5:51820";
persistentKeepalive = 15; persistentKeepalive = 15;
} }
{
# trinkgenossin.pub.solar
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
allowedIPs = [
"10.7.6.5/32"
"fd00:fae:fae:fae:fae:5::/96"
];
#endpoint = "85.215.152.22:51820";
endpoint = "[2a01:239:35d:f500::1]:51820";
persistentKeepalive = 15;
}
{
# delite.pub.solar
publicKey = "ZT2qGWgMPwHRUOZmTQHWCRX4m14YwOsiszjsA5bpc2k=";
allowedIPs = [
"10.7.6.6/32"
"fd00:fae:fae:fae:fae:6::/96"
];
#endpoint = "5.255.119.132:51820";
endpoint = "[2a04:52c0:124:9d8c::2]:51820";
persistentKeepalive = 15;
}
{
# blue-shell.pub.solar
publicKey = "bcrIpWrKc1M+Hq4ds3aN1lTaKE26f2rvXhd+93QrzR8=";
allowedIPs = [
"10.7.6.7/32"
"fd00:fae:fae:fae:fae:7::/96"
];
#endpoint = "194.13.83.205:51820";
endpoint = "[2a03:4000:43:24e::1]:51820";
persistentKeepalive = 15;
}
]; ];
}; };
}; };

36
docs/backups.md
View file

@ -1,36 +0,0 @@
# Backups
We use [Restic](https://restic.readthedocs.io/en/stable/) to create backups and push them to two repositories.
Check `./modules/backups.nix` and `./hosts/nachtigall/backups.nix` for working examples.
### Hetzner Storagebox
- Uses SFTP for transfer of backups
Adding a new host SSH public key to the storagebox:
First, [SSH to nachtigall](./administrative-access.md#ssh-access), then become root and add the new SSH public key
```
sudo -i
echo '<ssh-public-key>' | ssh -p23 u377325@u377325.your-storagebox.de install-ssh-key
```
[Link to Hetzner storagebox docs](https://docs.hetzner.com/robot/storage-box/backup-space-ssh-keys).
### Garage S3 buckets
- Uses S3 for transfer of backups
- One bucket per host, e.g. `nachtigall-backups`, `metronom-backups`
To start transfering backups from a new hosts, this is how to create a new bucket:
First, [SSH to trinkgenossin](./administrative-access.md#ssh-access), then use the `garage` CLI to create a new key and bucket:
```
export GARAGE_RPC_SECRET=<secret-in-keepass>
garage bucket create <hostname>-backups
garage key create <hostname>-backups-key
garage bucket allow <hostname>-backups --read --write --key <hostname>-backups-key
```

55
docs/cachix.md
View file

@ -1,55 +0,0 @@
# Cachix usage
URL: https://pub-solar.cachix.org
Requirements:
- [Install cachix](https://docs.cachix.org/installation)
- Optional: To push to the cache, you need to set `CACHIX_AUTH_TOKEN` in your environment. To generate one for you, follow the [Getting Started](https://docs.cachix.org/getting-started#authenticating) docs and login with your GitHub account.
- Add our binary cache [to your nix config](https://docs.cachix.org/faq#cachix-use-effects). To add the pub-solar cache, run:
```
cachix use pub-solar
```
Example to build and push a custom package of a host in this flake (e.g. after creating an overlay):
```
nix build --json -f . '.#nixosConfigurations.nachtigall.pkgs.keycloak^*' \
| jq -r '.[].outputs | to_entries[].value' \
| cachix push pub-solar
```
Example to build and push a package in the `nixpkgs` repo:
```
cd nixpkgs
nix build --json -f . 'pkgs.lix^*' \
| jq -r '.[].outputs | to_entries[].value' \
| cachix push pub-solar
```
Checking if a package has been correctly pushed to the cache:
```
nix build --json '/nix/store/f76xi83z4xk9sn6pbh38rh97yvqhb5m0-noto-fonts-color-emoji-png-2.042.drv^*' | jq -r '.[].outputs | to_entries[].value' | cachix push pub-solar
Pushing 1 paths (0 are already present) using zstd to cache pub-solar ⏳
✓ /nix/store/xpgpi84765dxqja3gd5pldj49xx2v0xl-noto-fonts-color-emoji-png-2.042 (10.30 MiB)
All done.
curl -I https://pub-solar.cachix.org/xpgpi84765dxqja3gd5pldj49xx2v0xl.narinfo
HTTP/2 200
date: Mon, 26 Aug 2024 09:31:10 GMT
content-type: text/x-nix-narinfo
traceparent: 00-b99db37cc9c2581b8d226cdf81e54507-794fc49193659c03-01
tracestate:
cache-control: public, max-age=14400
last-modified: Mon, 26 Aug 2024 09:31:10 GMT
cf-cache-status: EXPIRED
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A67KGsCIsYjoFdvndxJ0rkmb7BZ5ztIpm8WUJKAiUPRVWvbYeXU9gU27P7zryiUtArbwrLzHhhMija0yyXk0kwNa3suz8gNzKK6z1CX1FWDZiiP07rnq7zAg8nZbSBiEU%2FZrU9nSrR6mhuL9ihbmW1Hf"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 8b92ceab0d19c80e-DUS
```

8
docs/deletion-request.md
View file

@ -34,13 +34,7 @@ Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server
### Mastodon ### Mastodon
``` ```
mkdir /tmp/tootctl
sudo chown mastodon /tmp/tootctl
cd /tmp/tootctl
sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address> sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
rm -r /tmp/tootctl
``` ```
Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete
@ -56,7 +50,7 @@ Docs: https://forgejo.org/docs/latest/admin/command-line/#delete
### Matrix ### Matrix
``` ```
curl --header "Authorization: Bearer <admin-access-token>" --request POST http://127.0.0.1:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}' curl --header "Authorization: Bearer <admin-access-token>" --request POST http://172.18.0.3:8008/_synapse/admin/v1/deactivate/@<username>:pub.solar --data '{"erase": true}'
``` ```
Docs: https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#deactivate-account Docs: https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#deactivate-account

18
docs/deploying.md
View file

@ -7,29 +7,22 @@ be manually deployed.
To deploy, make sure you have a [working development shell](./development-shell.md). To deploy, make sure you have a [working development shell](./development-shell.md).
Then, run `deploy-rs` with the hostname of the server you want to deploy: Then, run `deploy-rs` with the hostname of the server you want to deploy:
### Dry-run
Use `--dry-activate` to show a diff of updated packages and all services that
would be restarted by the update. This will also put all files in place without
switching to the new generation, enabling a quick switch to the new config at a
later moment.
For nachtigall.pub.solar: For nachtigall.pub.solar:
``` ```
deploy --targets '.#nachtigall' --ssh-user <unix-username> --magic-rollback false --auto-rollback false --keep-result --result-path ./results --dry-activate deploy --targets '.#nachtigall' --magic-rollback false --auto-rollback false --keep-result --result-path ./results
``` ```
After reviewing the changes, apply the update with: For flora-6.pub.solar:
``` ```
deploy --targets '.#nachtigall' --ssh-user <unix-username> --magic-rollback false --auto-rollback false --keep-result --result-path ./results deploy --targets '.#flora-6' --magic-rollback false --auto-rollback false --keep-result --result-path ./results
``` ```
For metronom.pub.solar (aarch64-linux): For metronom.pub.solar (aarch64-linux):
``` ```
deploy --targets '.#metronom' --ssh-user <unix-username> --magic-rollback false --auto-rollback false --keep-result --result-path ./results --remote-build deploy --targets '.#metronom' --magic-rollback false --auto-rollback false --keep-result --result-path ./results --remote-build
``` ```
Usually we skip all rollback functionality, but if you want to deploy a change Usually we skip all rollback functionality, but if you want to deploy a change
@ -38,6 +31,9 @@ that might lock you out, e.g. to SSH, it might make sense to set these to `true`
To skip flake checks, e.g. because you already ran them manually before To skip flake checks, e.g. because you already ran them manually before
deployment, add the flag `--skip-checks` at the end of the command. deployment, add the flag `--skip-checks` at the end of the command.
`--dry-activate` can be used to only put all files in place without switching,
to enable switching to the new config quickly at a later moment.
We use `--keep-result --result-path ./results` to keep the last `result` We use `--keep-result --result-path ./results` to keep the last `result`
symlink of each `deploy` from being garbage collected. That way, we keep builds symlink of each `deploy` from being garbage collected. That way, we keep builds
cached in the Nix store. This is optional and both flags can be removed if disk cached in the Nix store. This is optional and both flags can be removed if disk

27
docs/dns.md
View file

@ -1,10 +1,18 @@
# Changing DNS entries # Changing DNS entries
Our current DNS provider is [namecheap](https://www.namecheap.com/). Our current DNS provider is [namecheap](https://www.namecheap.com/).
We use [OpenTofu](https://opentofu.org) to declaratively manage our pub.solar DNS records. We use [Terraform](https://www.terraform.io) to declaratively manage our pub.solar DNS records.
### Initial setup ### Initial setup
Skip this step if you already have a `triton` profile setup.
```
triton profile create
```
Please follow https://docs.greenbaum.cloud/en/devops/triton-cli.html for the details.
You will need to setup the following [namecheap API credentials](https://www.namecheap.com/support/api/intro), You will need to setup the following [namecheap API credentials](https://www.namecheap.com/support/api/intro),
look for "namecheap API key" in the pub.solar Keepass database. look for "namecheap API key" in the pub.solar Keepass database.
@ -20,15 +28,13 @@ You will probably also need to add your external IP to the [API allow list](http
dig -4 ip @dns.toys dig -4 ip @dns.toys
``` ```
Now, change into the terraform directory and initialize the terraform providers. To decrypt existing state, Now, change into the terraform directory and initialize the terraform providers.
search for "terraform state passphrase" in the pub.solar Keepass database.
``` ```
cd terraform cd terraform
export TF_VAR_state_passphrase=$(secret-tool lookup pub.solar terraform-state-passphrase-dns) export TRITON_KEY_ID=$(cat ~/.config/triton/profiles.d/lev-1-pub_solar.json | jq --raw-output .keyId)
alias tofu="terraform-backend-git --access-logs --tf tofu git terraform" terraform init
tofu init
``` ```
Make your changes, e.g. in `dns.tf`. Make your changes, e.g. in `dns.tf`.
@ -40,21 +46,20 @@ $EDITOR dns.tf
Plan your changes using: Plan your changes using:
``` ```
tofu plan -out pub-solar-infra.plan terraform plan -out pub-solar-infra.plan
``` ```
After verification, apply your changes with: After verification, apply your changes with:
``` ```
tofu apply "pub-solar-infra.plan" terraform apply "pub-solar-infra.plan"
``` ```
### Useful links ### Useful links
We use terraform-backend-git remote backend with opentofu state encryption for collaboration. We use the Manta remote backend to save the terraform state for collaboration.
- https://github.com/plumber-cd/terraform-backend-git - https://www.terraform.io/language/v1.2.x/settings/backends/manta
- https://opentofu.org/docs/language/state/encryption
Namecheap Terraform provider docs: Namecheap Terraform provider docs:

19
docs/drone-ci.md Normal file
View file

@ -0,0 +1,19 @@
# Drone CI
We currently use two CI systems, [drone CI](https://drone.io), reachable via
https://ci.pub.solar and [Forgejo Actions](https://forgejo.org/docs/latest/user/actions/),
which UI is integrated into https://git.pub.solar, for example
https://git.pub.solar/pub-solar/infra/actions.
### Signing the `.drone.yml` file
Login to https://ci.pub.solar by clicking on the user icon in the bottom left.
After logging in, you can view your personal API token by clicking on the same
icon. If you're using the nix [development-shell](./development-shell.md), the
`drone` command will already be installed.
```
export DRONE_TOKEN=<your-drone-api-token>
drone --token $DRONE_TOKEN sign --save pub-solar/os
```

84
docs/garage.md
View file

@ -1,84 +0,0 @@
# Garage
### How-To create a new bucket + keys
Requirements:
- `garage` RPC credentials, in the shared keepass, search for 'garage rpc secret'.
- [Setup WireGuard](./administrative-access.md#ssh-access) for hosts: `trinkgenossin`, optionally: `delite`, `blue-shell`
```
ssh <unix-username>@trinkgenossin.wg.pub.solar
```
```
# Add a few spaces to avoid leaking the secret to the shell history
export GARAGE_RPC_SECRET=<secret-in-keepass>
```
Now, you can run the following command to check the cluster status:
```
garage status
```
Command to list all existing buckets:
```
garage bucket list
```
Creating a new bucket and access keys:
```
garage bucket create <bucket-name>
garage key create <bucket-name>-key
garage bucket allow <bucket-name> --read --write --key <bucket-name>-key
```
Full example for `mastodon` bucket:
```
garage bucket create mastodon
garage key create mastodon-key
garage bucket allow mastodon --read --write --key mastodon-key
```
Then [setup your favourite S3 client](https://garagehq.deuxfleurs.fr/documentation/connect/cli/)
or use the bucket with any [S3 compatible software](https://garagehq.deuxfleurs.fr/documentation/connect/).
Further reading:
- https://garagehq.deuxfleurs.fr/documentation/quick-start/
- https://garagehq.deuxfleurs.fr/documentation/connect/
- https://garagehq.deuxfleurs.fr/documentation/connect/apps/#mastodon
### Notes on manual setup steps
```
ssh <unix-username>@trinkgenossin.wg.pub.solar
# Add a few spaces to avoid leaking the secret to the shell history
export GARAGE_RPC_SECRET=<secret-in-keepass>
# Uses the default config /etc/garage.toml
garage node id
garage node connect <node-id2>
garage node connect <node-id3>
garage status
#Zones
#DE-1 DE-2 NL-1
garage layout assign fdaa -z DE-1 -c 800G -t trinkgenossin
garage layout assign 8835 -z DE-2 -c 800G -t blue-shell
garage layout assign 73da -z NL-1 -c 800G -t delite
garage layout show
garage layout apply --version 1
```
Source: https://garagehq.deuxfleurs.fr/documentation/cookbook/real-world/#creating-a-cluster-layout

20
docs/keycloak/delete-unverified-accounts.md
View file

@ -12,7 +12,7 @@ Run following after SSH'ing to `nachtigall`.
Credentials for the following command are in keepass. Create a keycloak Credentials for the following command are in keepass. Create a keycloak
config/credentials file at `/tmp/kcadm.config`: config/credentials file at `/tmp/kcadm.config`:
```bash ```
sudo --user keycloak kcadm.sh config credentials \ sudo --user keycloak kcadm.sh config credentials \
--config /tmp/kcadm.config \ --config /tmp/kcadm.config \
--server https://auth.pub.solar \ --server https://auth.pub.solar \
@ -22,7 +22,7 @@ sudo --user keycloak kcadm.sh config credentials \
Get list of accounts without a verified email address: Get list of accounts without a verified email address:
```bash ```
sudo --user keycloak kcadm.sh get \ sudo --user keycloak kcadm.sh get \
--config /tmp/kcadm.config \ --config /tmp/kcadm.config \
users \ users \
@ -35,7 +35,7 @@ Review list of accounts, especially check `createdTimestamp` if any accounts
were created in the past 2 days. If so, delete those from the were created in the past 2 days. If so, delete those from the
`/tmp/keycloak-unverified-accounts` file. `/tmp/keycloak-unverified-accounts` file.
```bash ```
createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) ) createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) )
# timestamps are in nanoseconds since epoch, so we need to strip the last three digits # timestamps are in nanoseconds since epoch, so we need to strip the last three digits
@ -46,17 +46,17 @@ vim /tmp/keycloak-unverified-accounts
Check how many accounts are going to be deleted: Check how many accounts are going to be deleted:
```bash ```
jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l
``` ```
```bash ```
jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids
``` ```
Final check before deletion (dry-run): Final check before deletion (dry-run):
```bash ```
for id in $(cat /tmp/keycloak-unverified-account-ids) for id in $(cat /tmp/keycloak-unverified-account-ids)
do do
echo sudo --user keycloak kcadm.sh delete \ echo sudo --user keycloak kcadm.sh delete \
@ -68,7 +68,7 @@ for id in $(cat /tmp/keycloak-unverified-account-ids)
THIS WILL DELETE ACCOUNTS: THIS WILL DELETE ACCOUNTS:
```bash ```
for id in $(cat /tmp/keycloak-unverified-account-ids) for id in $(cat /tmp/keycloak-unverified-account-ids)
do do
sudo --user keycloak kcadm.sh delete \ sudo --user keycloak kcadm.sh delete \
@ -77,9 +77,3 @@ for id in $(cat /tmp/keycloak-unverified-account-ids)
--realm pub.solar --realm pub.solar
done done
``` ```
Delete the temp files:
```bash
sudo rm /tmp/kcadm.config /tmp/keycloak-unverified-accounts /tmp/keycloak-unverified-account-ids
```

27
docs/matrix-suspend-account.md
View file

@ -1,27 +0,0 @@
# Matrix account suspension
> Unlike [account locking](https://spec.matrix.org/v1.12/client-server-api/#account-locking),
> [suspension](https://github.com/matrix-org/matrix-spec-proposals/blob/main/proposals/3823-code-for-account-suspension.md)
> allows the user to have a (largely) readonly view of their account.
> Homeserver administrators and moderators may use this functionality to
> temporarily deactivate an account, or place conditions on the account's
> experience. Critically, like locking, account suspension is reversible, unlike
> the deactivation mechanism currently available in Matrix - a destructive,
> irreversible, action.
Required:
- `matrix-synapse admin token`
- [SSH access to host `nachtigall`](./administrative-access.md#ssh-access)
## Suspending an account
```bash
curl --header "Authorization: Bearer <admin-access-token>" --request PUT http://127.0.0.1:8008/_synapse/admin/v1/suspend/@<username>:pub.solar --data '{"suspend": true}'
```
## Unsuspending an account
```bash
curl --header "Authorization: Bearer <admin-access-token>" --request PUT http://127.0.0.1:8008/_synapse/admin/v1/suspend/@<username>:pub.solar --data '{"suspend": false}'
```

4
docs/mediawiki-updates.md
View file

@ -4,7 +4,7 @@ See the [mediawiki-oidc-docker repository](https://git.pub.solar/pub-solar/media
for instructions on updating our customized mediawiki docker image. for instructions on updating our customized mediawiki docker image.
To deploy a new docker image to `nachtigall`, first bump the mediawiki version To deploy a new docker image to `nachtigall`, first bump the mediawiki version
of the docker image tag in `modules/mediawiki/default.nix` (search for of the docker image tag in `hosts/nachtigall/apps/mediawiki.nix` (search for
`image`). `image`).
Next, push your changes to https://git.pub.solar and get them reviewed and Next, push your changes to https://git.pub.solar and get them reviewed and
@ -19,7 +19,7 @@ exit
``` ```
``` ```
deploy --targets '.#nachtigall' --magic-rollback false --auto-rollback false --keep-result --result-path ./results deploy --targets '.#nachtigall'
``` ```
Then, finalize the update by running the database migration script (in a [SSH](./administrative-access.md#ssh-access) shell on `nachtigall`): Then, finalize the update by running the database migration script (in a [SSH](./administrative-access.md#ssh-access) shell on `nachtigall`):

19
docs/nextcloud.md
View file

@ -1,19 +0,0 @@
# Nextcloud debugging
Set loglevel to `0` for debug logs:
```nix
services.nextcloud.settings.loglevel = 0;
```
Then, logs appear in the `phpfpm-nextcloud.service` logs:
```bash
sudo journalctl -fu phpfpm-nextcloud
```
Make sure to set the loglevel back to the default `2` warning after debugging:
```nix
services.nextcloud.settings.loglevel = 2;
```

4
docs/nix-flake-updates.md
View file

@ -41,7 +41,3 @@ wrapped-ruby-mastodon-gems: 4.2.1 → 4.2.3
zfs-kernel: 2.2.1-6.1.64 → 2.2.2-6.1.66 zfs-kernel: 2.2.1-6.1.64 → 2.2.2-6.1.66
zfs-user: 2.2.1 → 2.2.2 zfs-user: 2.2.1 → 2.2.2
``` ```
### Deploying updates
See [deploying.md](./deploying.md).

13
docs/nixos-anywhere.md
View file

@ -1,13 +0,0 @@
```
curl -L https://github.com/nix-community/nixos-images/releases/download/nixos-unstable/nixos-kexec-installer-noninteractive-x86_64-linux.tar.gz | tar -xzf- -C /root
/root/kexec/run
```
```
mkdir -p /etc/secrets/initrd
ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519_key
```
```
nix run github:nix-community/nixos-anywhere -- --flake .#blue-shell root@194.13.83.205
```

228
flake.lock generated
View file

@ -14,11 +14,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1736955230, "lastModified": 1718371084,
"narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", "narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", "rev": "3a56735779db467538fb2e577eda28a9daacaca6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -52,11 +52,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1727447169, "lastModified": 1718194053,
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=", "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76", "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -87,26 +87,6 @@
"type": "github" "type": "github"
} }
}, },
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1739634831,
"narHash": "sha256-xFnU+uUl48Icas2wPQ+ZzlL2O3n8f6J2LrzNK9f2nng=",
"owner": "nix-community",
"repo": "disko",
"rev": "fa5746ecea1772cf59b3f34c5816ab3531478142",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"element-stickers": { "element-stickers": {
"inputs": { "inputs": {
"maunium-stickerpicker": [ "maunium-stickerpicker": [
@ -185,11 +165,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1738453229, "lastModified": 1717285511,
"narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -234,19 +214,18 @@
"type": "github" "type": "github"
} }
}, },
"fork": { "flake-utils_3": {
"locked": { "locked": {
"lastModified": 1738846146, "lastModified": 1653893745,
"narHash": "sha256-cIPiBEspPXQxju2AUZK9kjh6oqea+HkPFqmGv7yUztM=", "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "teutat3s", "owner": "numtide",
"repo": "nixpkgs", "repo": "flake-utils",
"rev": "e370f40b129e47b08562524ab4f053a172a94273", "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "teutat3s", "owner": "numtide",
"ref": "init-matrix-authentication-service-module-0.13.0", "repo": "flake-utils",
"repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
@ -257,16 +236,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1739570999, "lastModified": 1718530513,
"narHash": "sha256-eCc0/Q4bPpe4/AS+uzIrHLJcR6BxPQ69q2kD0/Qe6rU=", "narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "254d47082e23dbf72fdeca1da6fe1da420f478d8", "rev": "a1fddf0967c33754271761d91a3d921772b30d0e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-24.11", "ref": "release-24.05",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
@ -280,11 +259,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1738012343, "lastModified": 1707424749,
"narHash": "sha256-agMgWwVxXII+RtCqok8ROjzpKJung/5N5f2BVDmMC5Q=", "narHash": "sha256-eTvts5E3zmD4/DoAI9KedQjRwica0cg36wwIVp1NWbM=",
"ref": "main", "ref": "main",
"rev": "4ffd7bc8ea032991756c5e8e8a37b039789045bc", "rev": "1202a23c205b3c07a5feb5caf6813f21b3c69307",
"revCount": 38, "revCount": 30,
"type": "git", "type": "git",
"url": "https://git.pub.solar/pub-solar/keycloak-theme" "url": "https://git.pub.solar/pub-solar/keycloak-theme"
}, },
@ -298,11 +277,11 @@
"flake": false, "flake": false,
"locked": { "locked": {
"dir": "web", "dir": "web",
"lastModified": 1733177811, "lastModified": 1718796561,
"narHash": "sha256-1n7bPSCRw7keTCIu4tJGnUlkoId6H1+dPsTPzKo3Rrk=", "narHash": "sha256-RKAAHve17lrJokgAPkM2k/E+f9djencwwg3Xcd70Yfw=",
"owner": "maunium", "owner": "maunium",
"repo": "stickerpicker", "repo": "stickerpicker",
"rev": "89d3aece041c85ebe5a1ad4e620388af5227cbb0", "rev": "333567f481e60443360aa7199d481e1a45b3a523",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -320,11 +299,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1739548217, "lastModified": 1719128254,
"narHash": "sha256-rlv64erpr36xdmMDPgf9rhRXBYZ0BZb5nrw2ZPSk1sQ=", "narHash": "sha256-I7jMpq0CAOZA/i70+HDQO/ulLttyQu/K70cSESiMX7A=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "678b22642abde2ee77ae2218ab41d802f010e5b0", "rev": "50581970f37f06a4719001735828519925ef8310",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -334,49 +313,98 @@
"type": "github" "type": "github"
} }
}, },
"nixos-flake": {
"locked": {
"lastModified": 1719437091,
"narHash": "sha256-UIZasVC36DS5dli1VimK0VgL6JKuxDG9cMxKq1I6OQ0=",
"owner": "srid",
"repo": "nixos-flake",
"rev": "8cefa1e7af06d366f5d3fd7c97e9edbf4d38c476",
"type": "github"
},
"original": {
"owner": "srid",
"repo": "nixos-flake",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1739484910, "lastModified": 1719426051,
"narHash": "sha256-wjWLzdM7PIq4ZAe7k3vyjtgVJn6b0UeodtRFlM/6W5U=", "narHash": "sha256-yJL9VYQhaRM7xs0M867ZFxwaONB9T2Q4LnGo1WovuR4=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "0b73e36b1962620a8ac551a37229dd8662dac5c8", "rev": "89c49874fb15f4124bf71ca5f42a04f2ee5825fd",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-24.11", "ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-2205": {
"locked": {
"lastModified": 1685573264,
"narHash": "sha256-Zffu01pONhs/pqH07cjlF10NnMDLok8ix5Uk4rhOnZQ=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "380be19fbd2d9079f677978361792cb25e8a3635",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-draupnir": {
"locked": {
"lastModified": 1720089221,
"narHash": "sha256-8abrPKFI9eqopZ/ewSeSPen4X9bs6xoyvFsfirvbJmk=",
"owner": "teutat3s",
"repo": "nixpkgs",
"rev": "078583b84242644a668ee29e995bce02192dbd16",
"type": "github"
},
"original": {
"owner": "teutat3s",
"ref": "draupnir-pr",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1738452942, "lastModified": 1717284937,
"narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", "narHash": "sha256-lIbdfCsf8LMFloheeE6N31+BMIeixqyQWbSr2vk79EQ=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/eb9ceca17df2ea50a250b6b27f7bf6ab0186f198.tar.gz"
} }
}, },
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
"disko": "disko",
"element-stickers": "element-stickers", "element-stickers": "element-stickers",
"element-themes": "element-themes", "element-themes": "element-themes",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"fork": "fork",
"home-manager": "home-manager", "home-manager": "home-manager",
"keycloak-theme-pub-solar": "keycloak-theme-pub-solar", "keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
"maunium-stickerpicker": "maunium-stickerpicker", "maunium-stickerpicker": "maunium-stickerpicker",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nixos-flake": "nixos-flake",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-2205": "nixpkgs-2205",
"nixpkgs-draupnir": "nixpkgs-draupnir",
"simple-nixos-mailserver": "simple-nixos-mailserver", "simple-nixos-mailserver": "simple-nixos-mailserver",
"triton-vmtools": "triton-vmtools",
"unstable": "unstable" "unstable": "unstable"
} }
}, },
@ -387,21 +415,22 @@
"nixpkgs": [ "nixpkgs": [
"unstable" "unstable"
], ],
"nixpkgs-24_11": [ "nixpkgs-24_05": [
"nixpkgs" "nixpkgs"
] ],
"utils": "utils_2"
}, },
"locked": { "locked": {
"lastModified": 1734884447, "lastModified": 1718084203,
"narHash": "sha256-HA9fAmGNGf0cOYrhgoa+B6BxNVqGAYXfLyx8zIS0ZBY=", "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"rev": "63209b1def2c9fc891ad271f474a3464a5833294", "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"ref": "nixos-24.11", "ref": "nixos-24.05",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"type": "gitlab" "type": "gitlab"
} }
@ -466,13 +495,52 @@
"type": "github" "type": "github"
} }
}, },
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"triton-vmtools": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"dir": "vmtools",
"lastModified": 1698443513,
"narHash": "sha256-wX2JIJ3JmJn6MAurdyjwZU+FZjLCwBArMrVSeeCb/ZU=",
"ref": "main",
"rev": "0d039dcf06afb8cbddd7ac54bae4d0d185f3e88e",
"revCount": 85,
"type": "git",
"url": "https://git.pub.solar/pub-solar/infra-vintage?dir=vmtools"
},
"original": {
"dir": "vmtools",
"ref": "main",
"type": "git",
"url": "https://git.pub.solar/pub-solar/infra-vintage?dir=vmtools"
}
},
"unstable": { "unstable": {
"locked": { "locked": {
"lastModified": 1739446958, "lastModified": 1719254875,
"narHash": "sha256-+/bYK3DbPxMIvSL4zArkMX0LQvS7rzBKXnDXLfKyRVc=", "narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2ff53fe64443980e139eaa286017f53f88336dd0", "rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -499,6 +567,24 @@
"repo": "flake-utils", "repo": "flake-utils",
"type": "github" "type": "github"
} }
},
"utils_2": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1709126324,
"narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "d465f4819400de7c8d874d50b982301f28a84605",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

100
flake.nix
View file

@ -1,24 +1,24 @@
{ {
inputs = { inputs = {
# Track channels with commits tested and built by hydra # Track channels with commits tested and built by hydra
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
unstable.url = "github:nixos/nixpkgs/nixos-unstable"; unstable.url = "github:nixos/nixpkgs/nixos-unstable";
fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module-0.13.0";
nixpkgs-2205.url = "github:nixos/nixpkgs/nixos-22.05";
nixpkgs-draupnir.url = "github:teutat3s/nixpkgs/draupnir-pr";
nix-darwin.url = "github:lnl7/nix-darwin/master"; nix-darwin.url = "github:lnl7/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager/release-24.11"; home-manager.url = "github:nix-community/home-manager/release-24.05";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
nixos-flake.url = "github:srid/nixos-flake";
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs";
agenix.url = "github:ryantm/agenix"; agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs"; agenix.inputs.nixpkgs.follows = "nixpkgs";
agenix.inputs.darwin.follows = "nix-darwin"; agenix.inputs.darwin.follows = "nix-darwin";
@ -27,6 +27,9 @@
keycloak-theme-pub-solar.url = "git+https://git.pub.solar/pub-solar/keycloak-theme?ref=main"; keycloak-theme-pub-solar.url = "git+https://git.pub.solar/pub-solar/keycloak-theme?ref=main";
keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixpkgs"; keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixpkgs";
triton-vmtools.url = "git+https://git.pub.solar/pub-solar/infra-vintage?ref=main&dir=vmtools";
triton-vmtools.inputs.nixpkgs.follows = "nixpkgs";
element-themes.url = "github:aaronraimist/element-themes/master"; element-themes.url = "github:aaronraimist/element-themes/master";
element-themes.flake = false; element-themes.flake = false;
@ -37,8 +40,8 @@
element-stickers.inputs.maunium-stickerpicker.follows = "maunium-stickerpicker"; element-stickers.inputs.maunium-stickerpicker.follows = "maunium-stickerpicker";
element-stickers.inputs.nixpkgs.follows = "nixpkgs"; element-stickers.inputs.nixpkgs.follows = "nixpkgs";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11"; simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
simple-nixos-mailserver.inputs.nixpkgs-24_11.follows = "nixpkgs"; simple-nixos-mailserver.inputs.nixpkgs-24_05.follows = "nixpkgs";
simple-nixos-mailserver.inputs.nixpkgs.follows = "unstable"; simple-nixos-mailserver.inputs.nixpkgs.follows = "unstable";
}; };
@ -51,6 +54,7 @@
]; ];
imports = [ imports = [
inputs.nixos-flake.flakeModule
./logins ./logins
./lib ./lib
./overlays ./overlays
@ -62,7 +66,6 @@
system, system,
pkgs, pkgs,
config, config,
lib,
... ...
}: }:
{ {
@ -73,51 +76,12 @@
overlays = [ inputs.agenix.overlays.default ]; overlays = [ inputs.agenix.overlays.default ];
}; };
unstable = import inputs.unstable { inherit system; }; unstable = import inputs.unstable { inherit system; };
master = import inputs.master { inherit system; };
}; };
checks =
let
machinesPerSystem = {
aarch64-linux = [
"metronom"
];
x86_64-linux = [
"blue-shell"
"delite"
"nachtigall"
"tankstelle"
"trinkgenossin"
"underground"
];
};
nixosMachines = inputs.nixpkgs.lib.mapAttrs' (n: inputs.nixpkgs.lib.nameValuePair "nixos-${n}") (
inputs.nixpkgs.lib.genAttrs (machinesPerSystem.${system} or [ ]) (
name: self.nixosConfigurations.${name}.config.system.build.toplevel
)
);
nixos-lib = import (inputs.nixpkgs + "/nixos/lib") { };
testDir = builtins.attrNames (builtins.readDir ./tests);
testFiles = builtins.filter (n: builtins.match "^.*.nix$" n != null) testDir;
in
builtins.listToAttrs (
map (x: {
name = "test-${lib.strings.removeSuffix ".nix" x}";
value = nixos-lib.runTest (
import (./tests + "/${x}") {
inherit self;
inherit pkgs;
inherit lib;
inherit config;
}
);
}) testFiles
)
// nixosMachines;
devShells.default = pkgs.mkShell { devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [ buildInputs = with pkgs; [
deploy-rs deploy-rs
nix-fast-build nixpkgs-fmt
agenix agenix
age-plugin-yubikey age-plugin-yubikey
cachix cachix
@ -126,19 +90,22 @@
nvfetcher nvfetcher
shellcheck shellcheck
shfmt shfmt
treefmt2 treefmt
nixos-generators nixos-generators
opentofu inputs.nixpkgs-2205.legacyPackages.${system}.terraform
terraform-backend-git
terraform-ls
jq jq
]; ];
}; };
devShells.ci = pkgs.mkShell { buildInputs = with pkgs; [ nodejs ]; }; devShells.ci = pkgs.mkShell { buildInputs = with pkgs; [ nodejs ]; };
}; };
flake = { flake =
let
username = "barkeeper";
in
{
inherit username;
nixosModules = builtins.listToAttrs ( nixosModules = builtins.listToAttrs (
map (x: { map (x: {
name = x; name = x;
@ -150,29 +117,24 @@
system: deployLib: deployLib.deployChecks self.deploy system: deployLib: deployLib.deployChecks self.deploy
) inputs.deploy-rs.lib; ) inputs.deploy-rs.lib;
formatter."x86_64-linux" = inputs.nixpkgs.legacyPackages."x86_64-linux".nixfmt-rfc-style; formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style;
deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations { deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
nachtigall = { nachtigall = {
hostname = "nachtigall.wg.pub.solar"; hostname = "nachtigall.wg.pub.solar";
sshUser = username;
};
flora-6 = {
hostname = "flora-6.wg.pub.solar";
sshUser = username;
}; };
metronom = { metronom = {
hostname = "metronom.wg.pub.solar"; hostname = "metronom.wg.pub.solar";
sshUser = username;
}; };
tankstelle = { tankstelle = {
hostname = "tankstelle.wg.pub.solar"; hostname = "tankstelle.wg.pub.solar";
}; sshUser = username;
underground = {
hostname = "80.244.242.3";
};
trinkgenossin = {
hostname = "trinkgenossin.wg.pub.solar";
};
delite = {
hostname = "delite.wg.pub.solar";
};
blue-shell = {
hostname = "blue-shell.wg.pub.solar";
}; };
}; };
}; };

33
hosts/blue-shell/configuration.nix
View file

@ -1,33 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
boot.loader.grub.enable = true;
boot.kernelParams = [
"boot.shell_on_fail=1"
"ip=dhcp"
];
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.05"; # Did you read the comment?
}

101
hosts/blue-shell/disk-config.nix
View file

@ -1,101 +0,0 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/vdb";
content = {
type = "gpt";
partitions = {
bios = {
size = "1M";
type = "EF02"; # for grub MBR
};
boot = {
size = "1G";
type = "8300";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
extraOpenArgs = [ ];
# if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key`
passwordFile = "/tmp/luks-password";
content = {
type = "lvm_pv";
vg = "vg0";
};
};
};
};
};
};
data = {
type = "disk";
device = "/dev/vdc";
content = {
type = "gpt";
partitions = {
luks = {
size = "100%";
content = {
type = "luks";
name = "cryptdata";
extraOpenArgs = [ ];
# if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key`
passwordFile = "/tmp/luks-password";
content = {
type = "filesystem";
format = "xfs";
mountpoint = "/var/lib/garage/data";
mountOptions = [ "defaults" ];
};
};
};
};
};
};
};
lvm_vg = {
vg0 = {
type = "lvm_vg";
lvs = {
root = {
size = "100G";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
mountOptions = [ "defaults" ];
};
};
swap = {
size = "16G";
content = {
type = "swap";
};
};
metadata = {
size = "50G";
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/var/lib/garage/meta";
mountOptions = [ "defaults" ];
};
};
};
};
};
};
}

27
hosts/blue-shell/hardware-configuration.nix
View file

@ -1,27 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"sr_mod"
"virtio_blk"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

26
hosts/blue-shell/networking.nix
View file

@ -1,26 +0,0 @@
{
config,
pkgs,
flake,
...
}:
{
services.garage.settings.rpc_public_addr = "[2a03:4000:43:24e::1]:3901";
networking.hostName = "blue-shell";
networking.hostId = "00000005";
networking.useDHCP = false;
systemd.network.enable = true;
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens3";
address = [
"194.13.83.205/22"
"2a03:4000:43:24e::1/64"
];
gateway = [
"194.13.80.1"
"fe80::1"
];
};
}

51
hosts/blue-shell/wireguard.nix
View file

@ -1,51 +0,0 @@
{
config,
pkgs,
flake,
...
}:
let
wireguardIPv4 = "10.7.6.7";
wireguardIPv6 = "fd00:fae:fae:fae:fae:7::";
in
{
networking.firewall.allowedUDPPorts = [ 51820 ];
age.secrets.wg-private-key.file = "${flake.self}/secrets/blue-shell-wg-private-key.age";
networking.wireguard.interfaces = {
wg-ssh = {
listenPort = 51820;
mtu = 1300;
ips = [
"${wireguardIPv4}/32"
"${wireguardIPv6}/96"
];
privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.wireguardDevices ++ [
{
# trinkgenossin.pub.solar
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
allowedIPs = [
"10.7.6.5/32"
"fd00:fae:fae:fae:fae:5::/96"
];
#endpoint = "85.215.152.22:51820";
endpoint = "[2a01:239:35d:f500::1]:51820";
persistentKeepalive = 15;
}
];
};
};
services.openssh.listenAddresses = [
{
addr = wireguardIPv4;
port = 22;
}
{
addr = "[${wireguardIPv6}]";
port = 22;
}
];
}

165
hosts/default.nix
View file

@ -1,35 +1,9 @@
{ { self, ... }:
self,
inputs,
config,
...
}:
{ {
flake = { flake = {
nixosModules = {
home-manager = {
imports = [
inputs.home-manager.nixosModules.home-manager
{
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.extraSpecialArgs = {
flake = {
inherit self inputs config;
};
};
}
];
};
};
nixosConfigurations = { nixosConfigurations = {
nachtigall = self.inputs.nixpkgs.lib.nixosSystem { nachtigall = self.nixos-flake.lib.mkLinuxSystem {
specialArgs = { imports = [
flake = {
inherit self inputs config;
};
};
modules = [
self.inputs.agenix.nixosModules.default self.inputs.agenix.nixosModules.default
self.nixosModules.home-manager self.nixosModules.home-manager
./nachtigall ./nachtigall
@ -37,7 +11,6 @@
self.nixosModules.unlock-zfs-on-boot self.nixosModules.unlock-zfs-on-boot
self.nixosModules.core self.nixosModules.core
self.nixosModules.docker self.nixosModules.docker
self.nixosModules.backups
self.nixosModules.nginx self.nixosModules.nginx
self.nixosModules.collabora self.nixosModules.collabora
@ -60,29 +33,41 @@
self.nixosModules.promtail self.nixosModules.promtail
self.nixosModules.searx self.nixosModules.searx
self.nixosModules.tmate self.nixosModules.tmate
self.nixosModules.tt-rss
self.nixosModules.obs-portal self.nixosModules.obs-portal
self.nixosModules.matrix self.nixosModules.matrix
self.nixosModules.matrix-draupnir
self.nixosModules.matrix-irc self.nixosModules.matrix-irc
self.nixosModules.matrix-telegram self.nixosModules.matrix-telegram
self.nixosModules.nginx-matrix self.nixosModules.nginx-matrix
]; ];
}; };
metronom = self.inputs.nixpkgs.lib.nixosSystem { flora-6 = self.nixos-flake.lib.mkLinuxSystem {
specialArgs = { imports = [
flake = { self.inputs.agenix.nixosModules.default
inherit self inputs config; self.nixosModules.home-manager
./flora-6
self.nixosModules.overlays
self.nixosModules.core
self.nixosModules.keycloak
self.nixosModules.caddy
self.nixosModules.drone
self.nixosModules.forgejo-actions-runner
self.nixosModules.grafana
self.nixosModules.prometheus
self.nixosModules.loki
];
}; };
};
modules = [ metronom = self.nixos-flake.lib.mkLinuxSystem {
imports = [
self.inputs.agenix.nixosModules.default self.inputs.agenix.nixosModules.default
self.nixosModules.home-manager self.nixosModules.home-manager
./metronom ./metronom
self.nixosModules.overlays self.nixosModules.overlays
self.nixosModules.unlock-zfs-on-boot self.nixosModules.unlock-zfs-on-boot
self.nixosModules.core self.nixosModules.core
self.nixosModules.backups
self.nixosModules.mail self.nixosModules.mail
self.nixosModules.prometheus-exporters self.nixosModules.prometheus-exporters
self.nixosModules.promtail self.nixosModules.promtail
@ -91,117 +76,17 @@
]; ];
}; };
tankstelle = self.inputs.nixpkgs.lib.nixosSystem { tankstelle = self.nixos-flake.lib.mkLinuxSystem {
specialArgs = { imports = [
flake = {
inherit self inputs config;
};
};
modules = [
self.inputs.agenix.nixosModules.default self.inputs.agenix.nixosModules.default
self.nixosModules.home-manager self.nixosModules.home-manager
./tankstelle ./tankstelle
self.nixosModules.overlays self.nixosModules.overlays
self.nixosModules.core self.nixosModules.core
self.nixosModules.backups
self.nixosModules.prometheus-exporters self.nixosModules.prometheus-exporters
self.nixosModules.promtail self.nixosModules.promtail
]; ];
}; };
trinkgenossin = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
self.inputs.agenix.nixosModules.default
self.nixosModules.home-manager
./trinkgenossin
self.nixosModules.backups
self.nixosModules.overlays
self.nixosModules.unlock-luks-on-boot
self.nixosModules.core
self.nixosModules.garage
self.nixosModules.nginx
# This module is already using options, and those options are used by the grafana module
self.nixosModules.keycloak
self.nixosModules.grafana
self.nixosModules.prometheus
self.nixosModules.loki
];
};
delite = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
self.inputs.agenix.nixosModules.default
self.inputs.disko.nixosModules.disko
self.nixosModules.home-manager
./delite
self.nixosModules.overlays
self.nixosModules.unlock-luks-on-boot
self.nixosModules.core
self.nixosModules.prometheus-exporters
self.nixosModules.promtail
self.nixosModules.garage
self.nixosModules.nginx
];
};
blue-shell = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
self.inputs.agenix.nixosModules.default
self.inputs.disko.nixosModules.disko
self.nixosModules.home-manager
./blue-shell
self.nixosModules.overlays
self.nixosModules.unlock-luks-on-boot
self.nixosModules.core
self.nixosModules.prometheus-exporters
self.nixosModules.promtail
self.nixosModules.garage
self.nixosModules.nginx
];
};
underground = self.inputs.nixpkgs.lib.nixosSystem {
specialArgs = {
flake = {
inherit self inputs config;
};
};
modules = [
self.inputs.agenix.nixosModules.default
self.nixosModules.home-manager
./underground
self.nixosModules.overlays
self.nixosModules.unlock-luks-on-boot
self.nixosModules.core
self.nixosModules.backups
self.nixosModules.keycloak
self.nixosModules.postgresql
self.nixosModules.matrix
self.nixosModules.matrix-irc
self.nixosModules.nginx
self.nixosModules.nginx-matrix
];
};
}; };
}; };
} }

33
hosts/delite/configuration.nix
View file

@ -1,33 +0,0 @@
{
flake,
config,
pkgs,
...
}:
{
boot.loader.grub.enable = true;
boot.kernelParams = [
"boot.shell_on_fail=1"
"ip=5.255.119.132::5.255.119.1:255.255.255.0:delite::off"
];
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.05"; # Did you read the comment?
}

13
hosts/delite/default.nix
View file

@ -1,13 +0,0 @@
{ flake, ... }:
{
imports = [
./hardware-configuration.nix
./configuration.nix
./disk-config.nix
./networking.nix
./wireguard.nix
#./backups.nix
];
}

84
hosts/delite/disk-config.nix
View file

@ -1,84 +0,0 @@
{
disko.devices = {
disk = {
main = {
type = "disk";
device = "/dev/vda";
content = {
type = "gpt";
partitions = {
bios = {
size = "1M";
type = "EF02"; # for grub MBR
};
boot = {
size = "1G";
type = "8300";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
luks = {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
extraOpenArgs = [ ];
# if you want to use the key for interactive login be sure there is no trailing newline
# for example use `echo -n "password" > /tmp/secret.key`
passwordFile = "/tmp/luks-password";
content = {
type = "lvm_pv";
vg = "vg0";
};
};
};
};
};
};
};
lvm_vg = {
vg0 = {
type = "lvm_vg";
lvs = {
root = {
size = "40G";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
mountOptions = [ "defaults" ];
};
};
swap = {
size = "8G";
content = {
type = "swap";
};
};
data = {
size = "800G";
content = {
type = "filesystem";
format = "xfs";
mountpoint = "/var/lib/garage/data";
mountOptions = [ "defaults" ];
};
};
metadata = {
size = "50G";
content = {
type = "filesystem";
format = "btrfs";
mountpoint = "/var/lib/garage/meta";
mountOptions = [ "defaults" ];
};
};
};
};
};
};
}

26
hosts/delite/hardware-configuration.nix
View file

@ -1,26 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules = [
"ata_piix"
"uhci_hcd"
"virtio_pci"
"virtio_blk"
];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

26
hosts/delite/networking.nix
View file

@ -1,26 +0,0 @@
{
config,
pkgs,
flake,
...
}:
{
services.garage.settings.rpc_public_addr = "[2a04:52c0:124:9d8c::2]:3901";
networking.hostName = "delite";
networking.hostId = "00000004";
networking.useDHCP = false;
systemd.network.enable = true;
systemd.network.networks."10-wan" = {
matchConfig.Name = "ens3";
address = [
"5.255.119.132/24"
"2a04:52c0:124:9d8c::2/48"
];
gateway = [
"5.255.119.1"
"2a04:52c0:124::1"
];
};
}

51
hosts/delite/wireguard.nix
View file

@ -1,51 +0,0 @@
{
config,
pkgs,
flake,
...
}:
let
wireguardIPv4 = "10.7.6.6";
wireguardIPv6 = "fd00:fae:fae:fae:fae:6::";
in
{
networking.firewall.allowedUDPPorts = [ 51820 ];
age.secrets.wg-private-key.file = "${flake.self}/secrets/delite-wg-private-key.age";
networking.wireguard.interfaces = {
wg-ssh = {
listenPort = 51820;
mtu = 1300;
ips = [
"${wireguardIPv4}/32"
"${wireguardIPv6}/96"
];
privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.wireguardDevices ++ [
{
# trinkgenossin.pub.solar
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
allowedIPs = [
"10.7.6.5/32"
"fd00:fae:fae:fae:fae:5::/96"
];
#endpoint = "85.215.152.22:51820";
endpoint = "[2a01:239:35d:f500::1]:51820";
persistentKeepalive = 15;
}
];
};
};
services.openssh.listenAddresses = [
{
addr = wireguardIPv4;
port = 22;
}
{
addr = "[${wireguardIPv6}]";
port = 22;
}
];
}

72
hosts/flora-6/configuration.nix Normal file
View file

@ -0,0 +1,72 @@
{
config,
lib,
pkgs,
flake,
...
}:
let
psCfg = config.pub-solar;
in
{
config = {
# Override nix.conf for more agressive garbage collection
nix.extraOptions = lib.mkForce ''
experimental-features = flakes nix-command
min-free = 536870912
keep-outputs = false
keep-derivations = false
fallback = true
'';
# # #
# # # Triton host specific options
# # # DO NOT ALTER below this line, changes might render system unbootable
# # #
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Force getting the hostname from cloud-init
networking.hostName = lib.mkDefault "";
# We use cloud-init to configure networking, this option should fix
# systemd-networkd-wait-online timeouts
#systemd.services."systemd-networkd".environment.SYSTEMD_LOG_LEVEL = "debug";
systemd.network.wait-online.ignoredInterfaces = [
"docker0"
"wg-ssh"
];
# List services that you want to enable:
services.cloud-init.enable = true;
services.cloud-init.ext4.enable = true;
services.cloud-init.network.enable = true;
# use the default NixOS cloud-init config, but add some SmartOS customization to it
environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
datasource_list: [ SmartOS ]
# Do not create the centos/ubuntu/debian user
users: [ ]
# mount second disk with label ephemeral0, gets formated by cloud-init
# this will fail to get added to /etc/fstab as it's read-only, but should
# mount at boot anyway
mounts:
- [ vdb, /data, auto, "defaults,nofail" ]
'';
# We manage the firewall with nix, too
# altough triton can also manage firewall rules via the triton fwrule subcommand
networking.firewall.enable = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
};
}

8
hosts/blue-shell/default.nix → hosts/flora-6/default.nix
View file

@ -1,13 +1,11 @@
{ flake, ... }: { ... }:
{ {
imports = [ imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
./configuration.nix ./configuration.nix
./disk-config.nix ./triton-vmtools.nix
./networking.nix
./wireguard.nix ./wireguard.nix
#./backups.nix
]; ];
} }

38
hosts/trinkgenossin/hardware-configuration.nix → hosts/flora-6/hardware-configuration.nix
View file

@ -8,47 +8,45 @@
modulesPath, modulesPath,
... ...
}: }:
{ {
imports = [ ]; imports = [ ];
boot.initrd.availableKernelModules = [ boot.initrd.availableKernelModules = [
"ata_piix" "ahci"
"uhci_hcd"
"virtio_pci" "virtio_pci"
"xhci_pci"
"sr_mod" "sr_mod"
"virtio_blk" "virtio_blk"
"virtio_net"
]; ];
boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ]; boot.kernelModules = [ ];
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-uuid/52a1fd17-63d7-4d0a-b7ff-74aceaf6085a";
};
fileSystems."/" = { fileSystems."/" = {
device = "/dev/disk/by-label/nixos"; device = "/dev/disk/by-label/nixos";
autoResize = true;
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = { fileSystems."/boot" = {
device = "/dev/disk/by-label/boot"; device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
fileSystems."/data" = {
device = "/dev/disk/by-label/ephemeral0";
fsType = "ext4"; fsType = "ext4";
options = [
"defaults"
"nofail"
];
}; };
fileSystems."/var/lib/garage/data" = { swapDevices = [ ];
device = "/dev/disk/by-label/data";
fsType = "xfs";
};
fileSystems."/var/lib/garage/meta" = { networking.useDHCP = lib.mkDefault false;
device = "/dev/disk/by-label/metadata"; networking.networkmanager.enable = lib.mkForce false;
fsType = "btrfs";
};
swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
} }

6
hosts/flora-6/triton-vmtools.nix Normal file
View file

@ -0,0 +1,6 @@
{ pkgs, flake, ... }:
{
environment.systemPackages = with pkgs; [
flake.inputs.triton-vmtools.packages.${pkgs.system}.default
];
}

34
hosts/trinkgenossin/wireguard.nix → hosts/flora-6/wireguard.nix
View file

@ -4,25 +4,21 @@
flake, flake,
... ...
}: }:
let
wireguardIPv4 = "10.7.6.5";
wireguardIPv6 = "fd00:fae:fae:fae:fae:5::";
in
{ {
networking.firewall.allowedUDPPorts = [ 51820 ]; networking.firewall.allowedUDPPorts = [ 51820 ];
age.secrets.wg-private-key.file = "${flake.self}/secrets/trinkgenossin-wg-private-key.age"; age.secrets.wg-private-key.file = "${flake.self}/secrets/flora6-wg-private-key.age";
networking.wireguard.interfaces = { networking.wireguard.interfaces = {
wg-ssh = { wg-ssh = {
listenPort = 51820; listenPort = 51820;
mtu = 1300; mtu = 1300;
ips = [ ips = [
"${wireguardIPv4}/32" "10.7.6.2/32"
"${wireguardIPv6}/96" "fd00:fae:fae:fae:fae:2::/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.wireguardDevices ++ [ peers = flake.self.logins.admins.wireguardDevices ++ [
{ {
# nachtigall.pub.solar # nachtigall.pub.solar
endpoint = "138.201.80.102:51820"; endpoint = "138.201.80.102:51820";
@ -51,35 +47,17 @@ in
"fd00:fae:fae:fae:fae:4::/96" "fd00:fae:fae:fae:fae:4::/96"
]; ];
} }
{
# delite.pub.solar
endpoint = "5.255.119.132:51820";
publicKey = "ZT2qGWgMPwHRUOZmTQHWCRX4m14YwOsiszjsA5bpc2k=";
allowedIPs = [
"10.7.6.6/32"
"fd00:fae:fae:fae:fae:6::/96"
];
}
{
# blue-shell.pub.solar
endpoint = "194.13.83.205:51820";
publicKey = "bcrIpWrKc1M+Hq4ds3aN1lTaKE26f2rvXhd+93QrzR8=";
allowedIPs = [
"10.7.6.7/32"
"fd00:fae:fae:fae:fae:7::/96"
];
}
]; ];
}; };
}; };
services.openssh.listenAddresses = [ services.openssh.listenAddresses = [
{ {
addr = wireguardIPv4; addr = "10.7.6.2";
port = 22; port = 22;
} }
{ {
addr = "[${wireguardIPv6}]"; addr = "[fd00:fae:fae:fae:fae:2::]";
port = 22; port = 22;
} }
]; ];

26
hosts/metronom/backups.nix
View file

@ -1,29 +1,13 @@
{ config, flake, ... }: { flake, ... }:
{ {
age.secrets."restic-repo-storagebox-metronom" = { age.secrets."restic-repo-droppie" = {
file = "${flake.self}/secrets/restic-repo-storagebox-metronom.age"; file = "${flake.self}/secrets/restic-repo-droppie.age";
mode = "400"; mode = "400";
owner = "root"; owner = "root";
}; };
age.secrets.restic-repo-garage-metronom = { age.secrets."restic-repo-storagebox" = {
file = "${flake.self}/secrets/restic-repo-garage-metronom.age"; file = "${flake.self}/secrets/restic-repo-storagebox.age";
mode = "400"; mode = "400";
owner = "root"; owner = "root";
}; };
age.secrets.restic-repo-garage-metronom-env = {
file = "${flake.self}/secrets/restic-repo-garage-metronom-env.age";
mode = "400";
owner = "root";
};
pub-solar-os.backups.repos.storagebox = {
passwordFile = config.age.secrets."restic-repo-storagebox-metronom".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/metronom-backups";
};
pub-solar-os.backups.repos.garage = {
passwordFile = config.age.secrets."restic-repo-garage-metronom".path;
environmentFile = config.age.secrets."restic-repo-garage-metronom-env".path;
repository = "s3:https://buckets.pub.solar/metronom-backups";
};
} }

8
hosts/metronom/configuration.nix
View file

@ -23,14 +23,6 @@
pools = [ "root_pool" ]; pools = [ "root_pool" ];
}; };
# Declarative SSH private key
age.secrets."metronom-root-ssh-key" = {
file = "${flake.self}/secrets/metronom-root-ssh-key.age";
path = "/root/.ssh/id_ed25519";
mode = "400";
owner = "root";
};
# Declarative SSH private key # Declarative SSH private key
#age.secrets."metronom-root-ssh-key" = { #age.secrets."metronom-root-ssh-key" = {
# file = "${flake.self}/secrets/metronom-root-ssh-key.age"; # file = "${flake.self}/secrets/metronom-root-ssh-key.age";

2
hosts/metronom/default.nix
View file

@ -7,6 +7,6 @@
./networking.nix ./networking.nix
./wireguard.nix ./wireguard.nix
./backups.nix #./backups.nix
]; ];
} }

22
hosts/metronom/wireguard.nix
View file

@ -18,7 +18,16 @@
"fd00:fae:fae:fae:fae:3::/96" "fd00:fae:fae:fae:fae:3::/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.wireguardDevices ++ [ peers = flake.self.logins.admins.wireguardDevices ++ [
{
# flora-6.pub.solar
endpoint = "80.71.153.210:51820";
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [
"10.7.6.2/32"
"fd00:fae:fae:fae:fae:2::/96"
];
}
{ {
# nachtigall.pub.solar # nachtigall.pub.solar
endpoint = "138.201.80.102:51820"; endpoint = "138.201.80.102:51820";
@ -28,17 +37,6 @@
"fd00:fae:fae:fae:fae:1::/96" "fd00:fae:fae:fae:fae:1::/96"
]; ];
} }
{
# trinkgenossin.pub.solar
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
allowedIPs = [
"10.7.6.5/32"
"fd00:fae:fae:fae:fae:5::/96"
];
#endpoint = "85.215.152.22:51820";
endpoint = "[2a01:239:35d:f500::1]:51820";
persistentKeepalive = 15;
}
]; ];
}; };
}; };

27
hosts/nachtigall/backups.nix
View file

@ -1,34 +1,13 @@
{ config, flake, ... }: { flake, ... }:
{ {
age.secrets."restic-repo-droppie" = { age.secrets."restic-repo-droppie" = {
file = "${flake.self}/secrets/restic-repo-droppie.age"; file = "${flake.self}/secrets/restic-repo-droppie.age";
mode = "400"; mode = "400";
owner = "root"; owner = "root";
}; };
age.secrets."restic-repo-storagebox-nachtigall" = { age.secrets."restic-repo-storagebox" = {
file = "${flake.self}/secrets/restic-repo-storagebox-nachtigall.age"; file = "${flake.self}/secrets/restic-repo-storagebox.age";
mode = "400"; mode = "400";
owner = "root"; owner = "root";
}; };
age.secrets.restic-repo-garage-nachtigall = {
file = "${flake.self}/secrets/restic-repo-garage-nachtigall.age";
mode = "400";
owner = "root";
};
age.secrets.restic-repo-garage-nachtigall-env = {
file = "${flake.self}/secrets/restic-repo-garage-nachtigall-env.age";
mode = "400";
owner = "root";
};
pub-solar-os.backups.repos.storagebox = {
passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
};
pub-solar-os.backups.repos.garage = {
passwordFile = config.age.secrets."restic-repo-garage-nachtigall".path;
environmentFile = config.age.secrets."restic-repo-garage-nachtigall-env".path;
repository = "s3:https://buckets.pub.solar/nachtigall-backups";
};
} }

74
hosts/nachtigall/configuration.nix
View file

@ -48,79 +48,9 @@
owner = "root"; owner = "root";
}; };
# keycloak pub-solar-os.auth.enable = true;
age.secrets.keycloak-database-password = {
file = "${flake.self}/secrets/keycloak-database-password.age";
mode = "600";
#owner = "keycloak";
};
pub-solar-os.auth = { nixpkgs.config.permittedInsecurePackages = [ "keycloak-23.0.6" ];
enable = true;
database-password-file = config.age.secrets.keycloak-database-password.path;
};
# matrix-synapse
age.secrets."matrix-synapse-signing-key" = {
file = "${flake.self}/secrets/matrix-synapse-signing-key.age";
mode = "400";
owner = "matrix-synapse";
};
age.secrets."matrix-synapse-secret-config.yaml" = {
file = "${flake.self}/secrets/matrix-synapse-secret-config.yaml.age";
mode = "400";
owner = "matrix-synapse";
};
age.secrets."matrix-authentication-service-secret-config.yml" = {
file = "${flake.self}/secrets/matrix-authentication-service-secret-config.yml.age";
mode = "400";
owner = "matrix-authentication-service";
};
# matrix-appservice-irc
age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = {
file = "${flake.self}/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age";
mode = "400";
owner = "matrix-appservice-irc";
};
pub-solar-os.matrix = {
enable = true;
appservice-irc.mediaproxy.signingKeyPath =
config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path;
synapse = {
signing_key_path = config.age.secrets."matrix-synapse-signing-key".path;
extra-config-files = [
config.age.secrets."matrix-synapse-secret-config.yaml".path
# The registration file is automatically generated after starting the
# appservice for the first time.
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \
# /var/lib/matrix-synapse/
# chown matrix-synapse:matrix-synapse \
# /var/lib/matrix-synapse/telegram-registration.yaml
"/var/lib/matrix-synapse/telegram-registration.yaml"
];
app-service-config-files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-appservice-irc/registration.yml"
# "/matrix-appservice-slack-registration.yaml"
# "/hookshot-registration.yml"
# "/matrix-mautrix-signal-registration.yaml"
# "/matrix-mautrix-telegram-registration.yaml"
];
};
matrix-authentication-service.extra-config-files = [
config.age.secrets."matrix-authentication-service-secret-config.yml".path
];
};
systemd.services.postgresql = {
after = [ "var-lib-postgresql.mount" ];
requisite = [ "var-lib-postgresql.mount" ];
};
# This value determines the NixOS release with which your system is to be # This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database # compatible, in order to avoid breaking some software such as database

5
hosts/nachtigall/default.nix
View file

@ -9,10 +9,5 @@
./networking.nix ./networking.nix
./wireguard.nix ./wireguard.nix
./backups.nix ./backups.nix
"${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix"
];
disabledModules = [
"services/matrix/matrix-authentication-service.nix"
]; ];
} }

22
hosts/nachtigall/wireguard.nix
View file

@ -18,7 +18,16 @@
"fd00:fae:fae:fae:fae:1::/96" "fd00:fae:fae:fae:fae:1::/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.wireguardDevices ++ [ peers = flake.self.logins.admins.wireguardDevices ++ [
{
# flora-6.pub.solar
endpoint = "80.71.153.210:51820";
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [
"10.7.6.2/32"
"fd00:fae:fae:fae:fae:2::/96"
];
}
{ {
# tankstelle.pub.solar # tankstelle.pub.solar
endpoint = "80.244.242.5:51820"; endpoint = "80.244.242.5:51820";
@ -28,17 +37,6 @@
"fd00:fae:fae:fae:fae:4::/96" "fd00:fae:fae:fae:fae:4::/96"
]; ];
} }
{
# trinkgenossin.pub.solar
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
allowedIPs = [
"10.7.6.5/32"
"fd00:fae:fae:fae:fae:5::/96"
];
#endpoint = "85.215.152.22:51820";
endpoint = "[2a01:239:35d:f500::1]:51820";
persistentKeepalive = 15;
}
]; ];
}; };
}; };

4
hosts/tankstelle/backups.nix
View file

@ -5,8 +5,8 @@
mode = "400"; mode = "400";
owner = "root"; owner = "root";
}; };
age.secrets."restic-repo-storagebox-tankstelle" = { age.secrets."restic-repo-storagebox" = {
file = "${flake.self}/secrets/restic-repo-storagebox-tankstelle.age"; file = "${flake.self}/secrets/restic-repo-storagebox.age";
mode = "400"; mode = "400";
owner = "root"; owner = "root";
}; };

3
hosts/tankstelle/configuration.nix
View file

@ -10,9 +10,6 @@
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
# kernel same-page merging
hardware.ksm.enable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
system.stateVersion = "23.11"; system.stateVersion = "23.11";

14
hosts/tankstelle/wireguard.nix
View file

@ -18,7 +18,7 @@
"fd00:fae:fae:fae:fae:4::/96" "fd00:fae:fae:fae:fae:4::/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.wireguardDevices ++ [ peers = flake.self.logins.admins.wireguardDevices ++ [
{ {
# nachtigall.pub.solar # nachtigall.pub.solar
endpoint = "138.201.80.102:51820"; endpoint = "138.201.80.102:51820";
@ -29,15 +29,13 @@
]; ];
} }
{ {
# trinkgenossin.pub.solar # flora-6.pub.solar
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4="; endpoint = "80.71.153.210:51820";
publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU=";
allowedIPs = [ allowedIPs = [
"10.7.6.5/32" "10.7.6.2/32"
"fd00:fae:fae:fae:fae:5::/96" "fd00:fae:fae:fae:fae:2::/96"
]; ];
#endpoint = "85.215.152.22:51820";
endpoint = "[2a01:239:35d:f500::1]:51820";
persistentKeepalive = 15;
} }
]; ];
}; };

35
hosts/trinkgenossin/configuration.nix
View file

@ -1,35 +0,0 @@
{
flake,
config,
lib,
pkgs,
...
}:
{
boot.loader.grub.enable = true;
boot.loader.grub.devices = [ "/dev/vda" ];
boot.kernelParams = [
"boot.shell_on_fail=1"
"ip=dhcp"
];
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.05"; # Did you read the comment?
}

13
hosts/trinkgenossin/default.nix
View file

@ -1,13 +0,0 @@
{ flake, ... }:
{
imports = [
./hardware-configuration.nix
./configuration.nix
./networking.nix
./wireguard.nix
./forgejo-actions-runner.nix
#./backups.nix
];
}

15
hosts/trinkgenossin/networking.nix
View file

@ -1,15 +0,0 @@
{
config,
pkgs,
flake,
...
}:
{
services.garage.settings.rpc_public_addr = "[2a01:239:35d:f500::1]:3901";
networking.hostName = "trinkgenossin";
networking.hostId = "00000003";
networking.enableIPv6 = true;
networking.useDHCP = true;
}

81
hosts/underground/configuration.nix
View file

@ -1,81 +0,0 @@
{
flake,
config,
pkgs,
...
}:
{
# Use GRUB2 as the boot loader.
boot.loader.grub = {
enable = true;
devices = [ "/dev/vda" ];
};
pub-solar-os.networking.domain = "test.pub.solar";
systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ];
# keycloak
pub-solar-os.auth = {
enable = true;
database-password-file = "/tmp/dbf";
};
services.keycloak.database.createLocally = true;
# matrix-synapse
# test.pub.solar /.well-known is required for federation
services.nginx.virtualHosts."${config.pub-solar-os.networking.domain}" = {
default = true;
enableACME = true;
forceSSL = true;
};
age.secrets."staging-matrix-synapse-secret-config.yaml" = {
file = "${flake.self}/secrets/staging-matrix-synapse-secret-config.yaml.age";
mode = "400";
owner = "matrix-synapse";
};
age.secrets."staging-matrix-authentication-service-secret-config.yml" = {
file = "${flake.self}/secrets/staging-matrix-authentication-service-secret-config.yml.age";
mode = "400";
owner = "matrix-authentication-service";
};
# matrix-appservice-irc
age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = {
file = "${flake.self}/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age";
mode = "400";
owner = "matrix-appservice-irc";
};
pub-solar-os.matrix = {
enable = true;
appservice-irc.mediaproxy.signingKeyPath =
config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path;
synapse = {
extra-config-files = [
config.age.secrets."staging-matrix-synapse-secret-config.yaml".path
# The registration file is automatically generated after starting the
# appservice for the first time.
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \
# /var/lib/matrix-synapse/
# chown matrix-synapse:matrix-synapse \
# /var/lib/matrix-synapse/telegram-registration.yaml
#"/var/lib/matrix-synapse/telegram-registration.yaml"
];
app-service-config-files = [
"/var/lib/matrix-appservice-irc/registration.yml"
#"/var/lib/matrix-synapse/telegram-registration.yaml"
];
};
matrix-authentication-service.extra-config-files = [
config.age.secrets."staging-matrix-authentication-service-secret-config.yml".path
];
};
services.openssh.openFirewall = true;
system.stateVersion = "24.05";
}

16
hosts/underground/default.nix
View file

@ -1,16 +0,0 @@
{ flake, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./configuration.nix
./networking.nix
"${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix"
];
disabledModules = [
"services/matrix/matrix-authentication-service.nix"
];
}

47
hosts/underground/hardware-configuration.nix
View file

@ -1,47 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [
"ahci"
"xhci_pci"
"virtio_pci"
"virtio_scsi"
"sd_mod"
"sr_mod"
];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptroot" = {
device = "/dev/disk/by-label/cryptroot";
};
fileSystems."/" = {
device = "/dev/disk/by-label/root";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "ext4";
};
swapDevices = [
{ device = "/dev/disk/by-label/swap"; }
];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

30
hosts/underground/networking.nix
View file

@ -1,30 +0,0 @@
{
config,
pkgs,
flake,
...
}:
{
networking.hostName = "underground";
networking = {
defaultGateway = {
address = "80.244.242.1";
interface = "enp1s0";
};
nameservers = [
"95.129.51.51"
"80.244.244.244"
];
interfaces.enp1s0 = {
useDHCP = false;
ipv4.addresses = [
{
address = "80.244.242.3";
prefixLength = 29;
}
];
};
};
}

17
logins/admins.nix
View file

@ -38,22 +38,6 @@
"fd00:fae:fae:fae:fae:200::/96" "fd00:fae:fae:fae:fae:200::/96"
]; ];
} }
{
# chocolatebar
publicKey = "AS9w0zDUFLcH6IiF6T1vsyZPWPJ3p5fKsjIsM2AoZz8=";
allowedIPs = [
"10.7.6.205/32"
"fd00:fae:fae:fae:fae:205::/96"
];
}
{
# biolimo
publicKey = "gnLq6KikFVVGxLxPW+3ZnreokEKLDoso+cUepPOZsBA=";
allowedIPs = [
"10.7.6.206/32"
"fd00:fae:fae:fae:fae:206::/96"
];
}
]; ];
}; };
@ -79,7 +63,6 @@
teutat3s = { teutat3s = {
sshPubKeys = { sshPubKeys = {
teutat3s-1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a"; teutat3s-1 = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a";
teutat3s-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
}; };
secretEncryptionKeys = { secretEncryptionKeys = {

23
logins/default.nix
View file

@ -6,16 +6,19 @@ in
{ {
flake = { flake = {
logins = { logins = {
admins = admins; admins =
wireguardDevices = lib.lists.foldl ( lib.lists.foldl
wireguardDevices: adminConfig: (logins: adminConfig: {
wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]) sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
) [ ] (lib.attrsets.attrValues admins); wireguardDevices =
sshPubKeys = lib.lists.foldl ( logins.wireguardDevices
sshPubKeys: adminConfig: ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
sshPubKeys })
++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ]) {
) [ ] (lib.attrsets.attrValues admins); sshPubKeys = [ ];
wireguardDevices = [ ];
}
(lib.attrsets.attrValues admins);
robots.sshPubKeys = lib.attrsets.attrValues robots; robots.sshPubKeys = lib.attrsets.attrValues robots;
}; };
}; };

7
logins/robots.nix
View file

@ -1,8 +1,7 @@
{ {
# Used for restic backups to droppie, a server run by @b12f # Used for restic backups to droppie, a server run by @b12f
"root@droppie" = "root@droppie" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie";
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie";
"hakkonaut" = # robot user on flora-6
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut"; "hakkonaut@flora-6" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6";
} }

292
modules/backups/default.nix
View file

@ -1,292 +0,0 @@
{
flake,
config,
lib,
pkgs,
...
}:
let
utils = import "${flake.inputs.nixpkgs}/nixos/lib/utils.nix" {
inherit lib;
inherit config;
inherit pkgs;
};
# Type for a valid systemd unit option. Needed for correctly passing "timerConfig" to "systemd.timers"
inherit (utils.systemdUtils.unitOptions) unitOption;
inherit (lib)
literalExpression
mkOption
mkPackageOption
types
;
in
{
options.pub-solar-os.backups = {
repos = mkOption {
description = ''
Configuration of Restic repositories.
'';
type = types.attrsOf (
types.submodule (
{ name, ... }:
{
options = {
passwordFile = mkOption {
type = types.str;
description = ''
Read the repository password from a file.
'';
example = "/etc/nixos/restic-password";
};
environmentFile = mkOption {
type = with types; nullOr str;
default = null;
description = ''
Read repository secrets as environment variables from a file.
'';
example = "/etc/nixos/restic-env";
};
repository = mkOption {
type = with types; nullOr str;
default = null;
description = ''
repository to backup to.
'';
example = "sftp:backup@192.168.1.100:/backups/${name}";
};
};
}
)
);
default = { };
example = {
remotebackup = {
repository = "sftp:backup@host:/backups/home";
passwordFile = "/etc/nixos/secrets/restic-password";
environmentFile = "/etc/nixos/secrets/restic-env";
};
};
};
restic = mkOption {
description = ''
Periodic backups to create with Restic.
'';
type = types.attrsOf (
types.submodule (
{ name, ... }:
{
options = {
paths = mkOption {
# This is nullable for legacy reasons only. We should consider making it a pure listOf
# after some time has passed since this comment was added.
type = types.nullOr (types.listOf types.str);
default = [ ];
description = ''
Which paths to backup, in addition to ones specified via
`dynamicFilesFrom`. If null or an empty array and
`dynamicFilesFrom` is also null, no backup command will be run.
This can be used to create a prune-only job.
'';
example = [
"/var/lib/postgresql"
"/home/user/backup"
];
};
exclude = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Patterns to exclude when backing up. See
https://restic.readthedocs.io/en/latest/040_backup.html#excluding-files for
details on syntax.
'';
example = [
"/var/cache"
"/home/*/.cache"
".git"
];
};
timerConfig = mkOption {
type = types.nullOr (types.attrsOf unitOption);
default = {
OnCalendar = "daily";
Persistent = true;
};
description = ''
When to run the backup. See {manpage}`systemd.timer(5)` for
details. If null no timer is created and the backup will only
run when explicitly started.
'';
example = {
OnCalendar = "00:05";
RandomizedDelaySec = "5h";
Persistent = true;
};
};
user = mkOption {
type = types.str;
default = "root";
description = ''
As which user the backup should run.
'';
example = "postgresql";
};
extraBackupArgs = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Extra arguments passed to restic backup.
'';
example = [ "--exclude-file=/etc/nixos/restic-ignore" ];
};
extraOptions = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
Extra extended options to be passed to the restic --option flag.
'';
example = [ "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'" ];
};
initialize = mkOption {
type = types.bool;
default = false;
description = ''
Create the repository if it doesn't exist.
'';
};
pruneOpts = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
A list of options (--keep-\* et al.) for 'restic forget
--prune', to automatically prune old snapshots. The
'forget' command is run *after* the 'backup' command, so
keep that in mind when constructing the --keep-\* options.
'';
example = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
"--keep-yearly 75"
];
};
runCheck = mkOption {
type = types.bool;
default = (builtins.length config.pub-solar-os.backups.restic.${name}.checkOpts > 0);
defaultText = literalExpression ''builtins.length config.services.backups.${name}.checkOpts > 0'';
description = "Whether to run the `check` command with the provided `checkOpts` options.";
example = true;
};
checkOpts = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
A list of options for 'restic check'.
'';
example = [ "--with-cache" ];
};
dynamicFilesFrom = mkOption {
type = with types; nullOr str;
default = null;
description = ''
A script that produces a list of files to back up. The
results of this command are given to the '--files-from'
option. The result is merged with paths specified via `paths`.
'';
example = "find /home/matt/git -type d -name .git";
};
backupPrepareCommand = mkOption {
type = with types; nullOr str;
default = null;
description = ''
A script that must run before starting the backup process.
'';
};
backupCleanupCommand = mkOption {
type = with types; nullOr str;
default = null;
description = ''
A script that must run after finishing the backup process.
'';
};
package = mkPackageOption pkgs "restic" { };
createWrapper = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether to generate and add a script to the system path, that has the same environment variables set
as the systemd service. This can be used to e.g. mount snapshots or perform other opterations, without
having to manually specify most options.
'';
};
};
}
)
);
default = { };
example = {
localbackup = {
paths = [ "/home" ];
exclude = [ "/home/*/.cache" ];
initialize = true;
};
remotebackup = {
paths = [ "/home" ];
extraOptions = [
"sftp.command='ssh backup@host -i /etc/nixos/secrets/backup-private-key -s sftp'"
];
timerConfig = {
OnCalendar = "00:05";
RandomizedDelaySec = "5h";
};
};
};
};
};
config = {
services.restic.backups =
let
repos = config.pub-solar-os.backups.repos;
restic = config.pub-solar-os.backups.restic;
repoNames = builtins.attrNames repos;
backupNames = builtins.attrNames restic;
createBackups =
backupName:
map (repoName: {
name = "${backupName}-${repoName}";
value = repos."${repoName}" // restic."${backupName}";
}) repoNames;
in
builtins.listToAttrs (lib.lists.flatten (map createBackups backupNames));
# Used for pub-solar-os.backups.repos.storagebox
programs.ssh.knownHosts = {
"u377325.your-storagebox.de".publicKey =
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
"[u377325.your-storagebox.de]:23".publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
};
};
}

4
modules/core/default.nix
View file

@ -54,5 +54,9 @@
}; };
time.timeZone = "Etc/UTC"; time.timeZone = "Etc/UTC";
home-manager.users.${config.pub-solar-os.authentication.username} = {
home.stateVersion = "23.05";
};
}; };
} }

8
modules/core/networking.nix
View file

@ -31,17 +31,13 @@
networking.hosts = { networking.hosts = {
"10.7.6.1" = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ]; "10.7.6.1" = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ];
"10.7.6.2" = [ "flora-6.wg.${config.pub-solar-os.networking.domain}" ];
"10.7.6.3" = [ "metronom.wg.${config.pub-solar-os.networking.domain}" ]; "10.7.6.3" = [ "metronom.wg.${config.pub-solar-os.networking.domain}" ];
"10.7.6.4" = [ "tankstelle.wg.${config.pub-solar-os.networking.domain}" ]; "10.7.6.4" = [ "tankstelle.wg.${config.pub-solar-os.networking.domain}" ];
"10.7.6.5" = [ "trinkgenossin.wg.${config.pub-solar-os.networking.domain}" ];
"10.7.6.6" = [ "delite.wg.${config.pub-solar-os.networking.domain}" ];
"10.7.6.7" = [ "blue-shell.wg.${config.pub-solar-os.networking.domain}" ];
"fd00:fae:fae:fae:fae:1::" = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ]; "fd00:fae:fae:fae:fae:1::" = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ];
"fd00:fae:fae:fae:fae:2::" = [ "flora-6.wg.${config.pub-solar-os.networking.domain}" ];
"fd00:fae:fae:fae:fae:3::" = [ "metronom.wg.${config.pub-solar-os.networking.domain}" ]; "fd00:fae:fae:fae:fae:3::" = [ "metronom.wg.${config.pub-solar-os.networking.domain}" ];
"fd00:fae:fae:fae:fae:4::" = [ "tankstelle.wg.${config.pub-solar-os.networking.domain}" ]; "fd00:fae:fae:fae:fae:4::" = [ "tankstelle.wg.${config.pub-solar-os.networking.domain}" ];
"fd00:fae:fae:fae:fae:5::" = [ "trinkgenossin.wg.${config.pub-solar-os.networking.domain}" ];
"fd00:fae:fae:fae:fae:6::" = [ "delite.wg.${config.pub-solar-os.networking.domain}" ];
"fd00:fae:fae:fae:fae:7::" = [ "blue-shell.wg.${config.pub-solar-os.networking.domain}" ];
}; };
services.openssh = { services.openssh = {

16
modules/core/nix.nix
View file

@ -6,21 +6,7 @@
... ...
}: }:
{ {
nixpkgs.config = lib.mkDefault { nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ ];
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ ];
permittedInsecurePackages = [ "olm-3.2.16" ];
};
system.activationScripts.diff-closures = {
text = ''
if [[ -e /run/current-system ]]; then
${config.nix.package}/bin/nix store diff-closures \
/run/current-system "$systemConfig" \
--extra-experimental-features nix-command
fi
'';
supportsDryActivation = true;
};
nix = { nix = {
# Use default version alias for nix package # Use default version alias for nix package

20
modules/core/terminal-tooling.nix
View file

@ -1,20 +1,9 @@
{ flake, lib, ... }: { flake, config, ... }:
{ {
home-manager.users = ( home-manager.users.${config.pub-solar-os.authentication.username} = {
lib.attrsets.foldlAttrs (
acc: name: value:
acc
// {
${name} = {
programs.git.enable = true; programs.git.enable = true;
programs.starship.enable = true; programs.starship.enable = true;
programs.bash = { programs.bash.enable = true;
enable = true;
historyControl = [
"ignoredups"
"ignorespace"
];
};
programs.neovim = { programs.neovim = {
enable = true; enable = true;
vimAlias = true; vimAlias = true;
@ -27,7 +16,4 @@
# }; # };
}; };
}; };
}
) { } flake.self.logins.admins
);
} }

60
modules/core/users.nix
View file

@ -11,6 +11,18 @@
inherit (lib) mkOption types; inherit (lib) mkOption types;
in in
{ {
username = mkOption {
description = "Username for the adminstrative user";
type = types.str;
default = flake.self.username;
};
sshPubKeys = mkOption {
description = "SSH Keys that should have administrative root access";
type = types.listOf types.str;
default = flake.self.logins.admins.sshPubKeys;
};
root.initialHashedPassword = mkOption { root.initialHashedPassword = mkOption {
description = "Hashed password of the root account"; description = "Hashed password of the root account";
type = types.str; type = types.str;
@ -31,29 +43,22 @@
}; };
config = { config = {
users.users = users.users.${config.pub-solar-os.authentication.username} = {
(lib.attrsets.foldlAttrs ( name = config.pub-solar-os.authentication.username;
acc: name: value: group = config.pub-solar-os.authentication.username;
acc
// {
${name} = {
name = name;
group = name;
extraGroups = [ extraGroups = [
"wheel" "wheel"
"docker" "docker"
]; ];
isNormalUser = true; isNormalUser = true;
openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys; openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
}; };
} users.groups.${config.pub-solar-os.authentication.username} = { };
) { } flake.self.logins.admins)
// {
# TODO: Remove when we stop locking ourselves out.
root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;
root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
${config.pub-solar-os.authentication.robot.username} = { # TODO: Remove when we stop locking ourselves out.
users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
users.users.${config.pub-solar-os.authentication.robot.username} = {
description = "CI and automation user"; description = "CI and automation user";
home = "/home/${config.pub-solar-os.authentication.robot.username}"; home = "/home/${config.pub-solar-os.authentication.robot.username}";
createHome = true; createHome = true;
@ -63,28 +68,11 @@
isSystemUser = true; isSystemUser = true;
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys; openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
}; };
};
home-manager.users = ( users.groups.${config.pub-solar-os.authentication.robot.username} = { };
lib.attrsets.foldlAttrs (
acc: name: value:
acc
// {
${name} = {
home.stateVersion = "23.05";
};
}
) { } flake.self.logins.admins
);
users.groups = users.users.root.initialHashedPassword =
(lib.attrsets.foldlAttrs ( config.pub-solar-os.authentication.root.initialHashedPassword;
acc: name: value:
acc // { "${name}" = { }; }
) { } flake.self.logins.admins)
// {
${config.pub-solar-os.authentication.robot.username} = { };
};
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
}; };

2
modules/coturn/default.nix
View file

@ -18,7 +18,7 @@
min-port = 49000; min-port = 49000;
max-port = 50000; max-port = 50000;
use-auth-secret = true; use-auth-secret = true;
static-auth-secret-file = config.age.secrets."coturn-static-auth-secret".path; static-auth-secret-file = "/run/agenix/coturn-static-auth-secret";
realm = "turn.${config.pub-solar-os.networking.domain}"; realm = "turn.${config.pub-solar-os.networking.domain}";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";

114
modules/drone/default.nix Normal file
View file

@ -0,0 +1,114 @@
{
config,
lib,
pkgs,
flake,
...
}:
{
age.secrets.drone-secrets = {
file = "${flake.self}/secrets/drone-secrets.age";
mode = "600";
owner = "drone";
};
age.secrets.drone-db-secrets = {
file = "${flake.self}/secrets/drone-db-secrets.age";
mode = "600";
owner = "drone";
};
users.users.drone = {
description = "Drone Service";
home = "/var/lib/drone";
useDefaultShell = true;
uid = 994;
group = "drone";
isSystemUser = true;
};
users.groups.drone = { };
systemd.tmpfiles.rules = [ "d '/var/lib/drone-db' 0750 drone drone - -" ];
services.caddy.virtualHosts."ci.${config.pub-solar-os.networking.domain}" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy :4000
'';
};
systemd.services."docker-network-drone" =
let
docker = config.virtualisation.oci-containers.backend;
dockerBin = "${pkgs.${docker}}/bin/${docker}";
in
{
serviceConfig.Type = "oneshot";
before = [ "docker-drone-server.service" ];
script = ''
${dockerBin} network inspect drone-net >/dev/null 2>&1 || ${dockerBin} network create drone-net --subnet 172.20.0.0/24
'';
};
virtualisation = {
docker = {
enable = true; # sadly podman is not supported rightnow
extraOptions = ''
--data-root /data/docker
'';
};
oci-containers = {
backend = "docker";
containers."drone-db" = {
image = "postgres:14";
autoStart = true;
user = "994";
volumes = [ "/var/lib/drone-db:/var/lib/postgresql/data" ];
extraOptions = [ "--network=drone-net" ];
environmentFiles = [ config.age.secrets.drone-db-secrets.path ];
};
containers."drone-server" = {
image = "drone/drone:2";
autoStart = true;
user = "994";
ports = [ "127.0.0.1:4000:80" ];
dependsOn = [ "drone-db" ];
extraOptions = [
"--network=drone-net"
"--pull=always"
"--add-host=nachtigall.${config.pub-solar-os.networking.domain}:10.7.6.1"
];
environment = {
DRONE_GITEA_SERVER = "https://git.${config.pub-solar-os.networking.domain}";
DRONE_SERVER_HOST = "ci.${config.pub-solar-os.networking.domain}";
DRONE_SERVER_PROTO = "https";
DRONE_DATABASE_DRIVER = "postgres";
};
environmentFiles = [ config.age.secrets.drone-secrets.path ];
};
containers."drone-docker-runner" = {
image = "drone/drone-runner-docker:1";
autoStart = true;
# needs to run as root
#user = "994";
volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
dependsOn = [ "drone-db" ];
extraOptions = [
"--network=drone-net"
"--pull=always"
"--add-host=nachtigall.${config.pub-solar-os.networking.domain}:10.7.6.1"
];
environment = {
DRONE_RPC_HOST = "ci.${config.pub-solar-os.networking.domain}";
DRONE_RPC_PROTO = "https";
DRONE_RUNNER_CAPACITY = "2";
DRONE_RUNNER_NAME = "flora-6-docker-runner";
};
environmentFiles = [ config.age.secrets.drone-secrets.path ];
};
};
};
}

45
hosts/trinkgenossin/forgejo-actions-runner.nix → modules/forgejo-actions-runner/default.nix
View file

@ -1,54 +1,57 @@
{ {
config, config,
pkgs,
lib, lib,
pkgs,
flake, flake,
... ...
}: }:
let
hostname = config.networking.hostName;
in
{ {
age.secrets."forgejo-actions-runner-token.age" = { age.secrets.forgejo-actions-runner-token = {
file = "${flake.self}/secrets/trinkgenossin-forgejo-actions-runner-token.age"; file = "${flake.self}/secrets/forgejo-actions-runner-token.age";
owner = "gitea-runner";
mode = "440"; mode = "440";
}; };
# Label configuration on gitea-actions-runner instance requires either docker or podman
virtualisation.docker.enable = true;
# Trust docker bridge interface traffic # Trust docker bridge interface traffic
# Needed for the docker runner to communicate with the act_runner cache # Needed for the docker runner to communicate with the act_runner cache
networking.firewall.trustedInterfaces = [ "br-+" ]; networking.firewall.trustedInterfaces = [ "br-+" ];
users.users.gitea-runner = { users.users.gitea-runner = {
home = "/var/lib/gitea-runner/${hostname}"; home = "/var/lib/gitea-runner/flora-6";
useDefaultShell = true; useDefaultShell = true;
group = "gitea-runner"; group = "gitea-runner";
# Required to interact with nix daemon
extraGroups = [ "wheel" ];
isSystemUser = true; isSystemUser = true;
}; };
users.groups.gitea-runner = { }; users.groups.gitea-runner = { };
systemd.tmpfiles.rules = [ "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -" ]; systemd.services."gitea-runner-flora\\x2d6".serviceConfig = {
DynamicUser = lib.mkForce false;
systemd.services."gitea-runner-${hostname}" = {
serviceConfig.DynamicUser = lib.mkForce false;
}; };
systemd.tmpfiles.rules = [
"d '/data/gitea-actions-runner' 0750 gitea-runner gitea-runner - -"
"d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -"
];
# forgejo actions runner # forgejo actions runner
# https://forgejo.org/docs/latest/admin/actions/ # https://forgejo.org/docs/latest/admin/actions/
# https://docs.gitea.com/usage/actions/quickstart # https://docs.gitea.com/usage/actions/quickstart
services.gitea-actions-runner = { services.gitea-actions-runner = {
package = pkgs.forgejo-runner; package = pkgs.forgejo-runner;
instances."${hostname}" = { instances."flora-6" = {
enable = true; enable = true;
name = hostname; name = config.networking.hostName;
url = "https://git.pub.solar"; url = "https://git.pub.solar";
tokenFile = config.age.secrets."forgejo-actions-runner-token.age".path; tokenFile = config.age.secrets.forgejo-actions-runner-token.path;
settings = {
cache = {
enabled = true;
dir = "/data/gitea-actions-runner/actcache";
host = "";
port = 0;
external_server = "";
};
};
labels = [ labels = [
# provide a debian 12 bookworm base with Node.js for actions # provide a debian 12 bookworm base with Node.js for actions
"debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm" "debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
@ -56,6 +59,8 @@ in
"ubuntu-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm" "ubuntu-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
# alpine with Node.js # alpine with Node.js
"alpine-latest:docker://node:20-alpine" "alpine-latest:docker://node:20-alpine"
# nix flakes enabled image with Node.js
"nix-flakes:docker://git.pub.solar/pub-solar/nix-flakes-node:latest"
]; ];
}; };
}; };

11
modules/forgejo/default.nix
View file

@ -65,7 +65,6 @@
services.forgejo = { services.forgejo = {
enable = true; enable = true;
package = pkgs.forgejo;
user = "gitea"; user = "gitea";
group = "gitea"; group = "gitea";
database = { database = {
@ -76,7 +75,7 @@
}; };
stateDir = "/var/lib/forgejo"; stateDir = "/var/lib/forgejo";
lfs.enable = true; lfs.enable = true;
secrets.mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path; mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
settings = { settings = {
DEFAULT.APP_NAME = "pub.solar git server"; DEFAULT.APP_NAME = "pub.solar git server";
@ -142,12 +141,6 @@
LOGIN_REMEMBER_DAYS = 365; LOGIN_REMEMBER_DAYS = 365;
}; };
# See https://docs.gitea.com/administration/config-cheat-sheet#migrations-migrations
migrations = {
# This allows migrations from the same forgejo instance
ALLOW_LOCALNETWORKS = true;
};
# https://forgejo.org/docs/next/admin/config-cheat-sheet/#indexer-indexer # https://forgejo.org/docs/next/admin/config-cheat-sheet/#indexer-indexer
indexer = { indexer = {
REPO_INDEXER_ENABLED = true; REPO_INDEXER_ENABLED = true;
@ -189,7 +182,7 @@
OnCalendar = "*-*-* 00:00:00 Etc/UTC"; OnCalendar = "*-*-* 00:00:00 Etc/UTC";
}; };
initialize = true; initialize = true;
passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path; passwordFile = config.age.secrets."restic-repo-storagebox".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
backupPrepareCommand = '' backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d gitea > /tmp/forgejo-backup.sql ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d gitea > /tmp/forgejo-backup.sql

142
modules/garage/default.nix
View file

@ -1,142 +0,0 @@
{
config,
lib,
pkgs,
flake,
...
}:
{
age.secrets."garage-rpc-secret" = {
file = "${flake.self}/secrets/garage-rpc-secret.age";
mode = "400";
};
age.secrets."garage-admin-token" = {
file = "${flake.self}/secrets/garage-admin-token.age";
mode = "400";
};
age.secrets."acme-namecheap-env" = {
file = "${flake.self}/secrets/acme-namecheap-env.age";
mode = "400";
};
networking.firewall.allowedTCPPorts = [
3900
3901
3902
];
networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 3903 ];
security.acme = {
defaults = {
# LEGO_DISABLE_CNAME_SUPPORT=true set here to fix issues with CNAME
# detection, as we use wildcard DNS for garage
environmentFile = config.age.secrets.acme-namecheap-env.path;
};
certs = {
# Wildcard certificate gets created automatically
"buckets.${config.pub-solar-os.networking.domain}" = {
# disable http challenge
webroot = null;
# enable dns challenge
dnsProvider = "namecheap";
};
# Wildcard certificate gets created automatically
"web.${config.pub-solar-os.networking.domain}" = {
# disable http challenge
webroot = null;
# enable dns challenge
dnsProvider = "namecheap";
};
};
};
services.nginx = {
upstreams.s3_backend.servers = {
"[::1]:3900" = { };
};
upstreams.web_backend.servers = {
"[::1]:3902" = { };
};
virtualHosts."buckets.${config.pub-solar-os.networking.domain}" = {
serverAliases = [ "*.buckets.${config.pub-solar-os.networking.domain}" ];
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://s3_backend";
extraConfig = ''
client_max_body_size 64m;
proxy_max_temp_file_size 0;
'';
};
};
virtualHosts."web.${config.pub-solar-os.networking.domain}" = {
serverAliases = [ "*.web.${config.pub-solar-os.networking.domain}" ];
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://web_backend";
};
};
};
services.garage = {
enable = true;
package = pkgs.garage_1_0_1;
settings = {
data_dir = "/var/lib/garage/data";
metadata_dir = "/var/lib/garage/meta";
db_engine = "lmdb";
replication_factor = 3;
compression_level = 2;
rpc_bind_addr = "[::]:3901";
s3_api = {
s3_region = "eu-central";
api_bind_addr = "[::]:3900";
root_domain = ".buckets.${config.pub-solar-os.networking.domain}";
};
s3_web = {
bind_addr = "[::]:3902";
root_domain = ".web.${config.pub-solar-os.networking.domain}";
index = "index.html";
};
admin = {
api_bind_addr = "[::]:3903";
};
};
};
users.users.garage = {
isSystemUser = true;
home = "/var/lib/garage";
group = "garage";
};
users.groups.garage = { };
# Adapted from https://git.clan.lol/clan/clan-core/src/commit/23a9e35c665ff531fe1193dcc47056432fbbeacf/clanModules/garage/default.nix
# Disabled DynamicUser https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/web-servers/garage.nix
# for mounts + permissions to work
systemd.services.garage = {
serviceConfig = {
user = "garage";
group = "garage";
DynamicUser = false;
LoadCredential = [
"rpc_secret_path:${config.age.secrets.garage-rpc-secret.path}"
"admin_token_path:${config.age.secrets.garage-admin-token.path}"
];
Environment = [
"GARAGE_ALLOW_WORLD_READABLE_SECRETS=true"
"GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path"
"GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path"
];
};
};
}

19
modules/grafana/default.nix
View file

@ -33,18 +33,15 @@
group = "grafana"; group = "grafana";
user = "grafana"; user = "grafana";
}; };
"grafana-dashboards/grafana-garage-dashboard-prometheus.json" = {
source = ./grafana-dashboards/grafana-garage-dashboard-prometheus.json;
group = "grafana";
user = "grafana";
};
}; };
services.nginx.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = { services.caddy.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = {
enableACME = true; logFormat = lib.mkForce ''
forceSSL = true; output discard
locations."/".proxyPass = '';
"http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}"; extraConfig = ''
reverse_proxy :${toString config.services.grafana.settings.server.http_port}
'';
}; };
services.grafana = { services.grafana = {
@ -67,7 +64,7 @@
password = "\$__file{${config.age.secrets.grafana-smtp-password.path}}"; password = "\$__file{${config.age.secrets.grafana-smtp-password.path}}";
from_address = "no-reply@pub.solar"; from_address = "no-reply@pub.solar";
from_name = "grafana.pub.solar"; from_name = "grafana.pub.solar";
ehlo_identity = "grafana.pub.solar"; ehlo_identity = "flora-6.pub.solar";
}; };
security = { security = {
admin_email = "crew@pub.solar"; admin_email = "crew@pub.solar";

1048
modules/grafana/grafana-dashboards/grafana-garage-dashboard-prometheus.json
View file

File diff suppressed because it is too large Load diff

28
modules/keycloak/default.nix
View file

@ -6,22 +6,23 @@
... ...
}: }:
{ {
options.pub-solar-os.auth = with lib; { options.pub-solar-os.auth = {
enable = mkEnableOption "Enable keycloak to run on the node"; enable = lib.mkEnableOption "Enable keycloak to run on the node";
realm = mkOption { realm = lib.mkOption {
description = "Name of the realm"; description = "Name of the realm";
type = types.str; type = lib.types.str;
default = config.pub-solar-os.networking.domain; default = config.pub-solar-os.networking.domain;
}; };
database-password-file = mkOption {
description = "Database password file path";
type = types.str;
};
}; };
config = lib.mkIf config.pub-solar-os.auth.enable { config = lib.mkIf config.pub-solar-os.auth.enable {
age.secrets.keycloak-database-password = {
file = "${flake.self}/secrets/keycloak-database-password.age";
mode = "600";
#owner = "keycloak";
};
services.nginx.virtualHosts."auth.${config.pub-solar-os.networking.domain}" = { services.nginx.virtualHosts."auth.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
@ -45,13 +46,12 @@
# keycloak # keycloak
services.keycloak = { services.keycloak = {
enable = true; enable = true;
database.passwordFile = config.pub-solar-os.auth.database-password-file; database.passwordFile = config.age.secrets.keycloak-database-password.path;
settings = { settings = {
hostname = "auth.${config.pub-solar-os.networking.domain}"; hostname = "auth.${config.pub-solar-os.networking.domain}";
http-host = "127.0.0.1"; http-host = "127.0.0.1";
http-port = 8080; http-port = 8080;
proxy-headers = "xforwarded"; proxy = "edge";
http-enabled = true;
}; };
themes = { themes = {
"pub.solar" = "pub.solar" =
@ -59,12 +59,14 @@
}; };
}; };
pub-solar-os.backups.restic.keycloak = { services.restic.backups.keycloak-storagebox = {
paths = [ "/tmp/keycloak-backup.sql" ]; paths = [ "/tmp/keycloak-backup.sql" ];
timerConfig = { timerConfig = {
OnCalendar = "*-*-* 03:00:00 Etc/UTC"; OnCalendar = "*-*-* 03:00:00 Etc/UTC";
}; };
initialize = true; initialize = true;
passwordFile = config.age.secrets."restic-repo-storagebox".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
backupPrepareCommand = '' backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
''; '';

4
modules/loki/default.nix
View file

@ -108,7 +108,7 @@
}; };
clients = [ clients = [
{ {
url = "http://trinkgenossin.wg.pub.solar:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; url = "http://flora-6.wg.pub.solar:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
} }
]; ];
scrape_configs = [ scrape_configs = [
@ -118,7 +118,7 @@
max_age = "24h"; max_age = "24h";
labels = { labels = {
job = "systemd-journal"; job = "systemd-journal";
host = "trinkgenossin"; host = "flora-6";
}; };
}; };
relabel_configs = [ relabel_configs = [

16
modules/mail/default.nix
View file

@ -67,20 +67,4 @@
}; };
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.defaults.email = "security@pub.solar"; security.acme.defaults.email = "security@pub.solar";
pub-solar-os.backups.restic.mail = {
paths = [
"/var/vmail"
"/var/dkim"
];
timerConfig = {
OnCalendar = "*-*-* 02:00:00 Etc/UTC";
};
initialize = true;
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
} }

2
modules/mailman/default.nix
View file

@ -91,7 +91,7 @@
OnCalendar = "*-*-* 02:00:00 Etc/UTC"; OnCalendar = "*-*-* 02:00:00 Etc/UTC";
}; };
initialize = true; initialize = true;
passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path; passwordFile = config.age.secrets."restic-repo-storagebox".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
pruneOpts = [ pruneOpts = [
"--keep-daily 7" "--keep-daily 7"

30
modules/mastodon/default.nix
View file

@ -7,21 +7,6 @@
}: }:
{ {
age.secrets."mastodon-active-record-encryption-deterministic-key" = {
file = "${flake.self}/secrets//mastodon-active-record-encryption-deterministic-key.age";
mode = "400";
owner = config.services.mastodon.user;
};
age.secrets."mastodon-active-record-encryption-key-derivation-salt" = {
file = "${flake.self}/secrets//mastodon-active-record-encryption-key-derivation-salt.age";
mode = "400";
owner = config.services.mastodon.user;
};
age.secrets."mastodon-active-record-encryption-primary-key" = {
file = "${flake.self}/secrets//mastodon-active-record-encryption-primary-key.age";
mode = "400";
owner = config.services.mastodon.user;
};
age.secrets."mastodon-secret-key-base" = { age.secrets."mastodon-secret-key-base" = {
file = "${flake.self}/secrets/mastodon-secret-key-base.age"; file = "${flake.self}/secrets/mastodon-secret-key-base.age";
mode = "400"; mode = "400";
@ -69,9 +54,6 @@
webProcesses = 2; webProcesses = 2;
# Threads per process used by the mastodon-web service # Threads per process used by the mastodon-web service
webThreads = 5; webThreads = 5;
activeRecordEncryptionDeterministicKeyFile = "/run/agenix/mastodon-active-record-encryption-deterministic-key";
activeRecordEncryptionKeyDerivationSaltFile = "/run/agenix/mastodon-active-record-encryption-key-derivation-salt";
activeRecordEncryptionPrimaryKeyFile = "/run/agenix/mastodon-active-record-encryption-primary-key";
secretKeyBaseFile = "/run/agenix/mastodon-secret-key-base"; secretKeyBaseFile = "/run/agenix/mastodon-secret-key-base";
otpSecretFile = "/run/agenix/mastodon-otp-secret"; otpSecretFile = "/run/agenix/mastodon-otp-secret";
vapidPrivateKeyFile = "/run/agenix/mastodon-vapid-private-key"; vapidPrivateKeyFile = "/run/agenix/mastodon-vapid-private-key";
@ -85,20 +67,20 @@
passwordFile = "/run/agenix/mastodon-smtp-password"; passwordFile = "/run/agenix/mastodon-smtp-password";
fromAddress = "mastodon-notifications@pub.solar"; fromAddress = "mastodon-notifications@pub.solar";
}; };
# Defined in ./opensearch.nix
elasticsearch.host = "127.0.0.1";
mediaAutoRemove = { mediaAutoRemove = {
olderThanDays = 7; olderThanDays = 7;
}; };
extraEnvFiles = [ "/run/agenix/mastodon-extra-env-secrets" ]; extraEnvFiles = [ "/run/agenix/mastodon-extra-env-secrets" ];
extraConfig = { extraConfig = {
WEB_DOMAIN = "mastodon.${config.pub-solar-os.networking.domain}"; WEB_DOMAIN = "mastodon.${config.pub-solar-os.networking.domain}";
# Defined in ./opensearch.nix
ES_HOST = "127.0.0.1";
# S3 File storage (optional) # S3 File storage (optional)
# ----------------------- # -----------------------
S3_ENABLED = "true"; S3_ENABLED = "true";
S3_BUCKET = "mastodon"; S3_BUCKET = "pub-solar-mastodon";
S3_REGION = "eu-central"; S3_REGION = "europe-west-1";
S3_ENDPOINT = "https://buckets.pub.solar"; S3_ENDPOINT = "https://gateway.tardigradeshare.io";
S3_ALIAS_HOST = "files.${config.pub-solar-os.networking.domain}"; S3_ALIAS_HOST = "files.${config.pub-solar-os.networking.domain}";
# Translation (optional) # Translation (optional)
# ----------------------- # -----------------------
@ -124,7 +106,7 @@
OnCalendar = "*-*-* 04:00:00 Etc/UTC"; OnCalendar = "*-*-* 04:00:00 Etc/UTC";
}; };
initialize = true; initialize = true;
passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path; passwordFile = config.age.secrets."restic-repo-storagebox".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
backupPrepareCommand = '' backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d mastodon > /tmp/mastodon-backup.sql ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d mastodon > /tmp/mastodon-backup.sql

24
modules/matrix-draupnir/default.nix Normal file
View file

@ -0,0 +1,24 @@
{ config, flake, ... }:
{
imports = [ "${flake.inputs.nixpkgs-draupnir}/nixos/modules/services/matrix/draupnir.nix" ];
disabledModules = [ "services/matrix/draupnir.nix" ];
age.secrets."matrix-draupnir-access-token" = {
file = "${flake.self}/secrets/matrix-draupnir-access-token.age";
mode = "640";
owner = "root";
group = "draupnir";
};
services.draupnir = {
enable = true;
accessTokenFile = config.age.secrets.matrix-draupnir-access-token.path;
# https://github.com/the-draupnir-project/Draupnir/blob/main/config/default.yaml
settings = {
homeserverUrl = "http://localhost:8008";
managementRoom = "#moderators:pub.solar";
protectAllJoinedRooms = true;
};
};
}

27
modules/matrix-irc/default.nix
View file

@ -16,16 +16,11 @@ let
synapseClientPort = "${toString listenerWithClient.port}"; synapseClientPort = "${toString listenerWithClient.port}";
in in
{ {
options.pub-solar-os = { systemd.services.matrix-appservice-irc.serviceConfig.SystemCallFilter = lib.mkForce [
matrix.appservice-irc.mediaproxy = { "@system-service @pkey"
signingKeyPath = lib.mkOption { "~@privileged @resources"
description = "Path to file containing the IRC appservice mediaproxy signing key"; "@chown"
type = lib.types.str; ];
default = "/var/lib/matrix-appservice-irc/media-signingkey.jwk";
};
};
};
config = {
services.matrix-appservice-irc = { services.matrix-appservice-irc = {
enable = true; enable = true;
localpart = "irc_bot"; localpart = "irc_bot";
@ -35,6 +30,7 @@ in
homeserver = { homeserver = {
domain = "${config.pub-solar-os.networking.domain}"; domain = "${config.pub-solar-os.networking.domain}";
url = "http://127.0.0.1:${synapseClientPort}"; url = "http://127.0.0.1:${synapseClientPort}";
media_url = "https://matrix.${config.pub-solar-os.networking.domain}";
enablePresence = false; enablePresence = false;
}; };
ircService = { ircService = {
@ -44,21 +40,13 @@ in
port = 1113; port = 1113;
}; };
logging = { logging = {
# set to debug for debugging level = "debug";
level = "warn";
maxFiles = 5; maxFiles = 5;
toCosole = true; toCosole = true;
}; };
matrixHandler = { matrixHandler = {
eventCacheSize = 4096; eventCacheSize = 4096;
}; };
mediaProxy = {
signingKeyPath = config.pub-solar-os.matrix.appservice-irc.mediaproxy.signingKeyPath;
# keep media for 2 weeks
ttlSeconds = 1209600;
bindPort = 11111;
publicUrl = "https:///matrix.${config.pub-solar-os.networking.domain}/media";
};
metrics = { metrics = {
enabled = true; enabled = true;
remoteUserAgeBuckets = [ remoteUserAgeBuckets = [
@ -140,5 +128,4 @@ in
}; };
}; };
}; };
};
} }

164
modules/matrix/default.nix
View file

@ -1,7 +1,6 @@
{ {
flake, flake,
config, config,
lib,
pkgs, pkgs,
... ...
}: }:
@ -10,41 +9,24 @@ let
serverDomain = "${config.pub-solar-os.networking.domain}"; serverDomain = "${config.pub-solar-os.networking.domain}";
in in
{ {
options.pub-solar-os = { age.secrets."matrix-synapse-signing-key" = {
matrix = { file = "${flake.self}/secrets/matrix-synapse-signing-key.age";
enable = lib.mkEnableOption "Enable matrix-synapse and matrix-authentication-service to run on the node"; mode = "400";
owner = "matrix-synapse";
synapse = {
app-service-config-files = lib.mkOption {
description = "List of app service config files";
type = lib.types.listOf lib.types.str;
default = [ ];
}; };
extra-config-files = lib.mkOption { age.secrets."matrix-synapse-secret-config.yaml" = {
description = "List of extra synapse config files"; file = "${flake.self}/secrets/matrix-synapse-secret-config.yaml.age";
type = lib.types.listOf lib.types.str; mode = "400";
default = [ ]; owner = "matrix-synapse";
}; };
signing_key_path = lib.mkOption { age.secrets."matrix-synapse-sliding-sync-secret" = {
description = "Path to file containing the signing key"; file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age";
type = lib.types.str; mode = "400";
default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key"; owner = "matrix-synapse";
};
}; };
matrix-authentication-service = {
extra-config-files = lib.mkOption {
description = "List of extra mas config files";
type = lib.types.listOf lib.types.str;
default = [ ];
};
};
};
};
config = lib.mkIf config.pub-solar-os.matrix.enable {
services.matrix-synapse = { services.matrix-synapse = {
enable = true; enable = true;
settings = { settings = {
@ -119,17 +101,6 @@ in
enable_room_list_search = true; enable_room_list_search = true;
encryption_enabled_by_default_for_room_type = "off"; encryption_enabled_by_default_for_room_type = "off";
event_cache_size = "100K"; event_cache_size = "100K";
# https://github.com/element-hq/synapse/issues/11203
# No YAML deep-merge, so this needs to be in secret extraConfigFiles
# together with msc3861
#experimental_features = {
# # Room summary API
# msc3266_enabled = true;
# # Rendezvous server for QR Code generation
# msc4108_enabled = true;
#};
federation_rr_transactions_per_room_per_second = 50; federation_rr_transactions_per_room_per_second = 50;
federation_client_minimum_tls_version = "1.2"; federation_client_minimum_tls_version = "1.2";
forget_rooms_on_leave = true; forget_rooms_on_leave = true;
@ -223,7 +194,7 @@ in
} }
]; ];
signing_key_path = config.pub-solar-os.matrix.synapse.signing_key_path; signing_key_path = "/run/agenix/matrix-synapse-signing-key";
stream_writers = { }; stream_writers = { };
trusted_key_servers = [ { server_name = "matrix.org"; } ]; trusted_key_servers = [ { server_name = "matrix.org"; } ];
@ -269,90 +240,94 @@ in
}; };
user_ips_max_age = "28d"; user_ips_max_age = "28d";
app_service_config_files = config.pub-solar-os.matrix.synapse.app-service-config-files; app_service_config_files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
"/var/lib/matrix-appservice-irc/registration.yml"
# "/matrix-appservice-slack-registration.yaml"
# "/hookshot-registration.yml"
# "/matrix-mautrix-signal-registration.yaml"
# "/matrix-mautrix-telegram-registration.yaml"
];
modules = [
{
module = "mjolnir.Module";
config = {
# Prevent servers/users in the ban lists from inviting users on this
# server to rooms. Default true.
block_invites = true;
# Flag messages sent by servers/users in the ban lists as spam. Currently
# this means that spammy messages will appear as empty to users. Default
# false.
block_messages = false;
# Remove users from the user directory search by filtering matrix IDs and
# display names by the entries in the user ban list. Default false.
block_usernames = false;
# The room IDs of the ban lists to honour. Unlike other parts of Mjolnir,
# this list cannot be room aliases or permalinks. This server is expected
# to already be joined to the room - Mjolnir will not automatically join
# these rooms.
ban_lists = [ "!roomid:example.org" ];
};
}
];
}; };
withJemalloc = true; withJemalloc = true;
extraConfigFiles = config.pub-solar-os.matrix.synapse.extra-config-files; extraConfigFiles = [
"/run/agenix/matrix-synapse-secret-config.yaml"
# The registration file is automatically generated after starting the
# appservice for the first time.
# cp /var/lib/mautrix-telegram/telegram-registration.yaml \
# /var/lib/matrix-synapse/
# chown matrix-synapse:matrix-synapse \
# /var/lib/matrix-synapse/telegram-registration.yaml
"/var/lib/matrix-synapse/telegram-registration.yaml"
];
extras = [ extras = [
"oidc" "oidc"
"redis" "redis"
]; ];
plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ]; plugins = with config.services.matrix-synapse.package.plugins; [
matrix-synapse-shared-secret-auth
matrix-synapse-mjolnir-antispam
];
}; };
services.matrix-authentication-service = { services.matrix-sliding-sync = {
enable = true; enable = true;
createDatabase = true;
extraConfigFiles = config.pub-solar-os.matrix.matrix-authentication-service.extra-config-files;
# https://element-hq.github.io/matrix-authentication-service/reference/configuration.html
settings = { settings = {
account.email_change_allowed = false; SYNCV3_SERVER = "https://${publicDomain}";
http.public_base = "https://mas.${config.pub-solar-os.networking.domain}"; SYNCV3_BINDADDR = "127.0.0.1:8011";
http.issuer = "https://mas.${config.pub-solar-os.networking.domain}"; # The bind addr for Prometheus metrics, which will be accessible at
http.listeners = [ # /metrics at this address
{ SYNCV3_PROM = "127.0.0.1:9100";
name = "web";
resources = [
{ name = "discovery"; }
{ name = "human"; }
{ name = "oauth"; }
{ name = "compat"; }
{ name = "graphql"; }
{
name = "assets";
path = "${config.services.matrix-authentication-service.package}/share/matrix-authentication-service/assets";
}
];
binds = [
{
host = "0.0.0.0";
port = 8090;
}
];
proxy_protocol = false;
}
{
name = "internal";
resources = [
{ name = "health"; }
];
binds = [
{
host = "0.0.0.0";
port = 8081;
}
];
proxy_protocol = false;
}
];
passwords.enabled = false;
}; };
environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
}; };
pub-solar-os.backups.restic.matrix-synapse = { services.restic.backups.matrix-synapse-storagebox = {
paths = [ paths = [
"/var/lib/matrix-synapse" "/var/lib/matrix-synapse"
"/var/lib/matrix-appservice-irc" "/var/lib/matrix-appservice-irc"
"/var/lib/mautrix-telegram" "/var/lib/mautrix-telegram"
"/tmp/matrix-synapse-backup.sql" "/tmp/matrix-synapse-backup.sql"
"/tmp/matrix-authentication-service-backup.sql"
]; ];
timerConfig = { timerConfig = {
OnCalendar = "*-*-* 05:00:00 Etc/UTC"; OnCalendar = "*-*-* 05:00:00 Etc/UTC";
}; };
initialize = true; initialize = true;
passwordFile = config.age.secrets."restic-repo-storagebox".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
backupPrepareCommand = '' backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix-authentication-service > /tmp/matrix-authentication-service-backup.sql
''; '';
backupCleanupCommand = '' backupCleanupCommand = ''
rm /tmp/matrix-synapse-backup.sql rm /tmp/matrix-synapse-backup.sql
rm /tmp/matrix-authentication-service-backup.sql
''; '';
pruneOpts = [ pruneOpts = [
"--keep-daily 7" "--keep-daily 7"
@ -360,5 +335,4 @@ in
"--keep-monthly 3" "--keep-monthly 3"
]; ];
}; };
};
} }

29
modules/mediawiki/default.nix
View file

@ -139,10 +139,6 @@ let
// https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration
$wgPluggableAuth_EnableAutoLogin = false; $wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID'; $wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID';
// Avoid getting logged out after 30 minutes
// https://www.mediawiki.org/wiki/Topic:W4be4h6t63vf3y8p
// https://www.mediawiki.org/wiki/Manual:$wgRememberMe
$wgRememberMe = 'always';
// https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak // https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak
$wgPluggableAuth_Config[] = [ $wgPluggableAuth_Config[] = [
@ -215,7 +211,7 @@ in
backend = "docker"; backend = "docker";
containers."mediawiki" = { containers."mediawiki" = {
image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.43.0"; image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.41.1";
user = "1000:${builtins.toString gid}"; user = "1000:${builtins.toString gid}";
autoStart = true; autoStart = true;
@ -236,27 +232,4 @@ in
}; };
}; };
}; };
pub-solar-os.backups.restic.mediawiki = {
paths = [
"/var/lib/mediawiki/images"
"/var/lib/mediawiki/uploads"
"/tmp/mediawiki-backup.sql"
];
timerConfig = {
OnCalendar = "*-*-* 00:30:00 Etc/UTC";
};
initialize = true;
backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d mediawiki > /tmp/mediawiki-backup.sql
'';
backupCleanupCommand = ''
rm /tmp/mediawiki-backup.sql
'';
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
} }

125
modules/nextcloud/default.nix
View file

@ -2,7 +2,6 @@
config, config,
pkgs, pkgs,
flake, flake,
lib,
... ...
}: }:
{ {
@ -23,32 +22,12 @@
forceSSL = true; forceSSL = true;
}; };
services.nextcloud = services.nextcloud = {
let
exiftool_1270 = pkgs.perlPackages.buildPerlPackage rec {
# NOTE nextcloud-memories needs this specific version of exiftool
pname = "Image-ExifTool";
version = "12.70";
src = pkgs.fetchFromGitHub {
owner = "exiftool";
repo = "exiftool";
rev = version;
hash = "sha256-YMWYPI2SDi3s4KCpSNwovemS5MDj5W9ai0sOkvMa8Zg=";
};
nativeBuildInputs = lib.optional pkgs.stdenv.hostPlatform.isDarwin pkgs.shortenPerlShebang;
postInstall = lib.optionalString pkgs.stdenv.hostPlatform.isDarwin ''
shortenPerlShebang $out/bin/exiftool
'';
};
in
{
hostName = "cloud.${config.pub-solar-os.networking.domain}"; hostName = "cloud.${config.pub-solar-os.networking.domain}";
home = "/var/lib/nextcloud"; home = "/var/lib/nextcloud";
enable = true; enable = true;
# When updating package, remember to update nextcloud30Packages in package = pkgs.nextcloud29;
# services.nextcloud.extraApps
package = pkgs.nextcloud30;
https = true; https = true;
secretFile = config.age.secrets."nextcloud-secrets".path; # secret secretFile = config.age.secrets."nextcloud-secrets".path; # secret
maxUploadSize = "1G"; maxUploadSize = "1G";
@ -66,6 +45,7 @@
dbuser = "nextcloud"; dbuser = "nextcloud";
dbtype = "pgsql"; dbtype = "pgsql";
dbname = "nextcloud"; dbname = "nextcloud";
dbtableprefix = "oc_";
}; };
settings = { settings = {
@ -93,39 +73,21 @@
allow_local_remote_servers = true; allow_local_remote_servers = true;
enable_previews = true; enable_previews = true;
jpeg_quality = 60;
enabledPreviewProviders = [ enabledPreviewProviders = [
"OC\\Preview\\PNG" "OC\\Preview\\PNG"
"OC\\Preview\\JPEG" "OC\\Preview\\JPEG"
"OC\\Preview\\GIF" "OC\\Preview\\GIF"
"OC\\Preview\\BMP" "OC\\Preview\\BMP"
"OC\\Preview\\HEIC"
"OC\\Preview\\TIFF"
"OC\\Preview\\XBitmap" "OC\\Preview\\XBitmap"
"OC\\Preview\\SVG"
"OC\\Preview\\WebP"
"OC\\Preview\\Font"
"OC\\Preview\\Movie" "OC\\Preview\\Movie"
"OC\\Preview\\ImaginaryPDF" "OC\\Preview\\PDF"
"OC\\Preview\\MP3" "OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\Krita"
"OC\\Preview\\TXT" "OC\\Preview\\TXT"
"OC\\Preview\\MarkDown" "OC\\Preview\\MarkDown"
"OC\\Preview\\Imaginary"
]; ];
preview_imaginary_url = "http://127.0.0.1:${toString config.services.imaginary.port}/"; preview_max_x = "1024";
preview_max_filesize_image = 128; # MB preview_max_y = "768";
preview_max_memory = 512; # MB preview_max_scale_factor = "1";
preview_max_x = 2048; # px
preview_max_y = 2048; # px
preview_max_scale_factor = 1;
"preview_ffmpeg_path" = lib.getExe pkgs.ffmpeg-headless;
"memories.exiftool_no_local" = false;
"memories.exiftool" = "${exiftool_1270}/bin/exiftool";
"memories.vod.ffmpeg" = lib.getExe pkgs.ffmpeg;
"memories.vod.ffprobe" = lib.getExe' pkgs.ffmpeg-headless "ffprobe";
auth.bruteforce.protection.enabled = true; auth.bruteforce.protection.enabled = true;
trashbin_retention_obligation = "auto,7"; trashbin_retention_obligation = "auto,7";
@ -170,81 +132,10 @@
}; };
caching.redis = true; caching.redis = true;
appstoreEnable = true;
autoUpdateApps.enable = true; autoUpdateApps.enable = true;
extraApps = {
inherit (pkgs.nextcloud30Packages.apps) memories previewgenerator recognize;
};
database.createLocally = true; database.createLocally = true;
}; };
# https://docs.nextcloud.com/server/30/admin_manual/installation/server_tuning.html#previews
services.imaginary = {
enable = true;
address = "127.0.0.1";
settings.return-size = true;
};
systemd = {
services =
let
occ = "/run/current-system/sw/bin/nextcloud-occ";
in
{
nextcloud-cron-preview-generator = {
environment.NEXTCLOUD_CONFIG_DIR = "${config.services.nextcloud.home}/config";
serviceConfig = {
ExecStart = "${occ} preview:pre-generate";
Type = "oneshot";
User = "nextcloud";
};
};
nextcloud-preview-generator-setup = {
wantedBy = [ "multi-user.target" ];
requires = [ "phpfpm-nextcloud.service" ];
after = [ "phpfpm-nextcloud.service" ];
environment.NEXTCLOUD_CONFIG_DIR = "${config.services.nextcloud.home}/config";
script = # bash
''
# check with:
# for size in squareSizes widthSizes heightSizes; do echo -n "$size: "; nextcloud-occ config:app:get previewgenerator $size; done
# extra commands run for preview generator:
# 32 icon file list
# 64 icon file list android app, photos app
# 96 nextcloud client VFS windows file preview
# 256 file app grid view, many requests
# 512 photos app tags
${occ} config:app:set --value="32 64 96 256 512" previewgenerator squareSizes
# 341 hover in maps app
# 1920 files/photos app when viewing picture
${occ} config:app:set --value="341 1920" previewgenerator widthSizes
# 256 hover in maps app
# 1080 files/photos app when viewing picture
${occ} config:app:set --value="256 1080" previewgenerator heightSizes
'';
serviceConfig = {
Type = "oneshot";
User = "nextcloud";
};
};
};
timers.nextcloud-cron-preview-generator = {
after = [ "nextcloud-setup.service" ];
timerConfig = {
OnCalendar = "*:0/10";
OnUnitActiveSec = "9m";
Persistent = true;
RandomizedDelaySec = 60;
Unit = "nextcloud-cron-preview-generator.service";
};
wantedBy = [ "timers.target" ];
};
};
services.restic.backups.nextcloud-storagebox = { services.restic.backups.nextcloud-storagebox = {
paths = [ paths = [
"/var/lib/nextcloud/data" "/var/lib/nextcloud/data"
@ -254,7 +145,7 @@
OnCalendar = "*-*-* 01:00:00 Etc/UTC"; OnCalendar = "*-*-* 01:00:00 Etc/UTC";
}; };
initialize = true; initialize = true;
passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path; passwordFile = config.age.secrets."restic-repo-storagebox".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
backupPrepareCommand = '' backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d nextcloud > /tmp/nextcloud-backup.sql ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d nextcloud > /tmp/nextcloud-backup.sql

12
modules/nginx-mastodon-files/default.nix
View file

@ -1,7 +1,8 @@
{ config, ... }: { config, ... }:
let let
objStorHost = "mastodon.web.pub.solar"; objStorHost = "link.tardigradeshare.io";
objStorBucket = "s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon";
in in
{ {
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
@ -9,12 +10,6 @@ in
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
# Use variable to force nginx to perform a DNS resolution on its value,
# the IP of the object storage provider may not always remain the same.
extraConfig = ''
set $s3_backend 'https://${objStorHost}';
'';
locations = { locations = {
"= /" = { "= /" = {
index = "index.html"; index = "index.html";
@ -30,6 +25,7 @@ in
deny all; deny all;
} }
resolver 8.8.8.8;
proxy_set_header Host ${objStorHost}; proxy_set_header Host ${objStorHost};
proxy_set_header Connection \'\'; proxy_set_header Connection \'\';
proxy_set_header Authorization \'\'; proxy_set_header Authorization \'\';
@ -44,7 +40,7 @@ in
proxy_hide_header x-amz-bucket-region; proxy_hide_header x-amz-bucket-region;
proxy_hide_header x-amzn-requestid; proxy_hide_header x-amzn-requestid;
proxy_ignore_headers Set-Cookie; proxy_ignore_headers Set-Cookie;
proxy_pass $s3_backend$request_uri; proxy_pass https://${objStorHost}/${objStorBucket}$request_uri?download;
proxy_intercept_errors off; proxy_intercept_errors off;
proxy_ssl_protocols TLSv1.2 TLSv1.3; proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_server_name on; proxy_ssl_server_name on;

68
modules/nginx-matrix/default.nix
View file

@ -10,20 +10,25 @@ let
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-XSS-Protection "1; mode=block"; add_header X-XSS-Protection "1; mode=block";
''; '';
clientConfig = import ./element-client-config.nix { inherit config lib pkgs; }; clientConfig = import ./element-client-config.nix { inherit lib pkgs; };
wellKnownClient = domain: { wellKnownClient = domain: {
"m.homeserver".base_url = "https://matrix.${domain}"; "m.homeserver".base_url = "https://matrix.${domain}";
"m.identity_server".base_url = "https://matrix.${domain}"; "m.identity_server".base_url = "https://matrix.${domain}";
"org.matrix.msc2965.authentication" = { "org.matrix.msc3575.proxy".url = "https://matrix.${domain}";
issuer = "https://mas.${domain}/";
account = "https://mas.${domain}/account";
};
"im.vector.riot.e2ee".default = true; "im.vector.riot.e2ee".default = true;
"io.element.e2ee" = { "io.element.e2ee" = {
default = true; default = true;
secure_backup_required = false; secure_backup_required = false;
secure_backup_setup_methods = [ ]; secure_backup_setup_methods = [ ];
}; };
"m.integrations" = {
managers = [
{
api_url = "https://dimension.${domain}/api/v1/scalar";
ui_url = "https://dimension.${domain}/element";
}
];
};
}; };
wellKnownServer = domain: { "m.server" = "matrix.${domain}:8448"; }; wellKnownServer = domain: { "m.server" = "matrix.${domain}:8448"; };
wellKnownSupport = { wellKnownSupport = {
@ -80,27 +85,6 @@ in
root = pkgs.element-stickerpicker; root = pkgs.element-stickerpicker;
}; };
"mas.${config.pub-solar-os.networking.domain}" = {
root = "/dev/null";
forceSSL = lib.mkDefault true;
enableACME = lib.mkDefault true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:8090";
extraConfig = ''
${commonHeaders}
proxy_http_version 1.1;
# Forward the client IP address
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
};
};
"matrix.${config.pub-solar-os.networking.domain}" = { "matrix.${config.pub-solar-os.networking.domain}" = {
root = "/dev/null"; root = "/dev/null";
@ -115,48 +99,28 @@ in
locations = { locations = {
# For telegram # For telegram
"/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = { "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = {
priority = 100;
proxyPass = "http://127.0.0.1:8009"; proxyPass = "http://127.0.0.1:8009";
extraConfig = commonHeaders; extraConfig = commonHeaders;
}; };
# For IRC appservice media proxy # sliding-sync
"/media" = { "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
priority = 100; proxyPass = "http://127.0.0.1:8011";
proxyPass = "http://127.0.0.1:${toString (config.services.matrix-appservice-irc.settings.ircService.mediaProxy.bindPort)}";
extraConfig = commonHeaders; extraConfig = commonHeaders;
}; };
# Forward to the auth service "~* ^(/_matrix|/_synapse/client|/_synapse/oidc)" = {
"~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
priority = 100;
proxyPass = "http://127.0.0.1:8090";
extraConfig = ''
${commonHeaders}
proxy_http_version 1.1;
# Forward the client IP address
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
# Forward to Synapse
# as per https://element-hq.github.io/synapse/latest/reverse_proxy.html#nginx
"~ ^(/_matrix|/_synapse/client)" = {
priority = 200;
proxyPass = "http://127.0.0.1:8008"; proxyPass = "http://127.0.0.1:8008";
extraConfig = '' extraConfig = ''
${commonHeaders} ${commonHeaders}
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
client_body_buffer_size 25M; client_body_buffer_size 25M;
client_max_body_size 50M; client_max_body_size 50M;
proxy_max_temp_file_size 0; proxy_max_temp_file_size 0;
proxy_http_version 1.1;
''; '';
}; };
}; };

22
modules/nginx-matrix/element-client-config.nix
View file

@ -1,14 +1,9 @@
{ { pkgs, lib, ... }:
config,
pkgs,
lib,
...
}:
{ {
default_server_config = { default_server_config = {
"m.homeserver" = { "m.homeserver" = {
base_url = "https://matrix.${config.pub-solar-os.networking.domain}"; base_url = "https://matrix.pub.solar";
server_name = "${config.pub-solar-os.networking.domain}"; server_name = "pub.solar";
}; };
"m.identity_server" = { "m.identity_server" = {
base_url = ""; base_url = "";
@ -50,15 +45,4 @@
# FUTUREWORK: Replace with pub.solar logo # FUTUREWORK: Replace with pub.solar logo
auth_header_logo_url = "themes/element/img/logos/element-logo.svg"; auth_header_logo_url = "themes/element/img/logos/element-logo.svg";
}; };
# Enable Element Call Beta
features = {
feature_video_rooms = true;
feature_group_calls = true;
feature_element_call_video_rooms = true;
};
element_call = {
url = "https://call.element.io";
participant_limit = 50;
brand = "Element Call";
};
} }

2
modules/nginx-website/default.nix
View file

@ -7,7 +7,7 @@
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"www.${config.pub-solar-os.networking.domain}" = { "www.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; addSSL = true;
extraConfig = '' extraConfig = ''
error_log /dev/null; error_log /dev/null;

10
modules/nginx/default.nix
View file

@ -10,10 +10,9 @@ let
webserverGroup = "hakkonaut"; webserverGroup = "hakkonaut";
in in
{ {
users.users.nginx.extraGroups = [ webserverGroup ];
services.nginx = { services.nginx = {
enable = true; enable = true;
group = webserverGroup;
enableReload = true; enableReload = true;
proxyCachePath.cache = { proxyCachePath.cache = {
enable = true; enable = true;
@ -22,13 +21,6 @@ in
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
resolver.addresses = [
# quad9.net
"9.9.9.9"
"149.112.112.112"
"[2620:fe::fe]"
"[2620:fe::9]"
];
appendHttpConfig = '' appendHttpConfig = ''
# https://my.f5.com/manage/s/article/K51798430 # https://my.f5.com/manage/s/article/K51798430
proxy_headers_hash_bucket_size 128; proxy_headers_hash_bucket_size 128;

22
modules/obs-portal/default.nix
View file

@ -147,26 +147,4 @@ in
}; };
}; };
}; };
pub-solar-os.backups.restic.obs-portal = {
paths = [
"/var/lib/obs-portal/data"
"/tmp/obs-portal-backup.sql"
];
timerConfig = {
OnCalendar = "*-*-* 01:30:00 Etc/UTC";
};
initialize = true;
backupPrepareCommand = ''
${pkgs.docker}/bin/docker exec -i --user postgres obs-portal-db pg_dump obs > /tmp/obs-portal-backup.sql
'';
backupCleanupCommand = ''
rm /tmp/obs-portal-backup.sql
'';
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
} }

5
modules/postgresql/default.nix
View file

@ -25,4 +25,9 @@
full_page_writes = false; full_page_writes = false;
}; };
}; };
systemd.services.postgresql = {
after = [ "var-lib-postgresql.mount" ];
requisite = [ "var-lib-postgresql.mount" ];
};
} }

18
modules/prometheus/alert-rules.nix
View file

@ -142,8 +142,8 @@ lib.mapAttrsToList
cpu_using_90percent = { cpu_using_90percent = {
condition = ''100 - (avg by (instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) >= 90''; condition = ''100 - (avg by (instance) (irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100) >= 90'';
time = "20m"; time = "10m";
description = "{{$labels.instance}} is running with cpu usage > 90% for at least 20 minutes: {{$value}}"; description = "{{$labels.instance}} is running with cpu usage > 90% for at least 10 minutes: {{$value}}";
}; };
reboot = { reboot = {
@ -234,10 +234,10 @@ lib.mapAttrsToList
}; };
*/ */
#host_memory_under_memory_pressure = { host_memory_under_memory_pressure = {
# condition = "rate(node_vmstat_pgmajfault[1m]) > 1000"; condition = "rate(node_vmstat_pgmajfault[1m]) > 1000";
# description = "{{$labels.instance}}: The node is under heavy memory pressure. High rate of major page faults: {{$value}}"; description = "{{$labels.instance}}: The node is under heavy memory pressure. High rate of major page faults: {{$value}}";
#}; };
# ext4_errors = { # ext4_errors = {
# condition = "ext4_errors_value > 0"; # condition = "ext4_errors_value > 0";
@ -250,10 +250,4 @@ lib.mapAttrsToList
# description = # description =
# "alertmanager: number of active silences has changed: {{$value}}"; # "alertmanager: number of active silences has changed: {{$value}}";
# }; # };
garage_cluster_healthy = {
condition = "cluster_healthy == 0";
time = "15m";
description = "garage cluster on {{$labels.instance}} is not healthy: {{$labels.result}}!";
};
}) })

83
modules/prometheus/default.nix
View file

@ -12,27 +12,15 @@
owner = "alertmanager"; owner = "alertmanager";
}; };
security.acme.certs = { services.caddy.virtualHosts."alerts.${config.pub-solar-os.networking.domain}" = {
"alerts.${config.pub-solar-os.networking.domain}" = { logFormat = lib.mkForce ''
# disable http challenge output discard
webroot = null; '';
# enable dns challenge extraConfig = ''
dnsProvider = "namecheap"; bind 10.7.6.2 fd00:fae:fae:fae:fae:2::
}; tls internal
}; reverse_proxy :${toString config.services.prometheus.alertmanager.port}
'';
services.nginx.virtualHosts."alerts.${config.pub-solar-os.networking.domain}" = {
enableACME = true;
forceSSL = true;
listenAddresses = [
"10.7.6.5"
"[fd00:fae:fae:fae:fae:5::]"
];
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.prometheus.alertmanager.port}";
};
}; };
services.prometheus = { services.prometheus = {
@ -53,6 +41,12 @@
{ {
job_name = "node-exporter"; job_name = "node-exporter";
static_configs = [ static_configs = [
{
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
labels = {
instance = "flora-6";
};
}
{ {
targets = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ]; targets = [ "nachtigall.wg.${config.pub-solar-os.networking.domain}" ];
labels = { labels = {
@ -75,30 +69,6 @@
instance = "tankstelle"; instance = "tankstelle";
}; };
} }
{
targets = [
"trinkgenossin.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}"
];
labels = {
instance = "trinkgenossin";
};
}
{
targets = [
"delite.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}"
];
labels = {
instance = "delite";
};
}
{
targets = [
"blue-shell.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}"
];
labels = {
instance = "blue-shell";
};
}
]; ];
} }
{ {
@ -113,29 +83,6 @@
} }
]; ];
} }
{
job_name = "garage";
static_configs = [
{
targets = [ "trinkgenossin.wg.${config.pub-solar-os.networking.domain}:3903" ];
labels = {
instance = "trinkgenossin";
};
}
{
targets = [ "delite.wg.${config.pub-solar-os.networking.domain}:3903" ];
labels = {
instance = "delite";
};
}
{
targets = [ "blue-shell.wg.${config.pub-solar-os.networking.domain}:3903" ];
labels = {
instance = "blue-shell";
};
}
];
}
]; ];
ruleFiles = [ ruleFiles = [

2
modules/promtail/default.nix
View file

@ -18,7 +18,7 @@
}; };
clients = [ clients = [
{ {
url = "http://trinkgenossin.wg.pub.solar:${toString flake.self.nixosConfigurations.trinkgenossin.config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; url = "http://flora-6.wg.pub.solar:${toString flake.self.nixosConfigurations.flora-6.config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
} }
]; ];
scrape_configs = [ scrape_configs = [

82
modules/tt-rss/default.nix
View file

@ -1,82 +0,0 @@
{
flake,
config,
pkgs,
...
}:
let
ttrss-auth-oidc = pkgs.stdenv.mkDerivation {
name = "ttrss-auth-oidc";
version = "7ebfbc91e92bb133beb907c6bde79279ee5156df";
src = pkgs.fetchgit {
url = "https://git.tt-rss.org/fox/ttrss-auth-oidc.git";
rev = "7ebfbc91e92bb133beb907c6bde79279ee5156df";
hash = "sha256-G6vZBvSWms6s6nHZWsxJjMGuubt/imiBvbp6ykwrZbg=";
};
installPhase = ''
mkdir -p $out/auth_oidc
cp -r * $out/auth_oidc
'';
};
in
{
age.secrets.tt-rss-database-password = {
file = "${flake.self}/secrets/tt-rss-database-password.age";
owner = "tt_rss";
mode = "600";
};
age.secrets.tt-rss-keycloak-client-secret = {
file = "${flake.self}/secrets/tt-rss-keycloak-client-secret.age";
owner = "tt_rss";
mode = "600";
};
age.secrets.tt-rss-smtp-password = {
file = "${flake.self}/secrets/tt-rss-smtp-password.age";
owner = "tt_rss";
mode = "600";
};
age.secrets.tt-rss-feed-crypt-key = {
file = "${flake.self}/secrets/tt-rss-feed-crypt-key.age";
owner = "tt_rss";
mode = "600";
};
services.nginx.virtualHosts."rss.${config.pub-solar-os.networking.domain}" = {
enableACME = true;
forceSSL = true;
};
services.tt-rss = {
enable = true;
virtualHost = "rss.${config.pub-solar-os.networking.domain}";
selfUrlPath = "https://rss.${config.pub-solar-os.networking.domain}";
root = "/var/lib/tt-rss";
logDestination = "";
plugins = [
"auth_internal"
"note"
"auth_oidc"
];
pluginPackages = [ ttrss-auth-oidc ];
email = {
server = "mail.pub.solar";
security = "tls";
login = "admins@pub.solar";
fromName = "pub.solar RSS server";
fromAddress = "rss@pub.solar";
digestSubject = "[RSS] New headlines for last 24 hours";
};
database = {
passwordFile = config.age.secrets.tt-rss-database-password.path;
createLocally = true;
};
extraConfig = ''
putenv('TTRSS_SMTP_PASSWORD=' . file_get_contents('${config.age.secrets.tt-rss-smtp-password.path}'));
putenv('TTRSS_AUTH_OIDC_NAME=pub.solar ID');
putenv('TTRSS_AUTH_OIDC_URL=https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/');
putenv('TTRSS_AUTH_OIDC_CLIENT_ID=tt-rss');
putenv('TTRSS_AUTH_OIDC_CLIENT_SECRET=' . file_get_contents('${config.age.secrets.tt-rss-keycloak-client-secret.path}'));
putenv('TTRSS_FEED_CRYPT_KEY=' . file_get_contents('${config.age.secrets.tt-rss-feed-crypt-key.path}'));
'';
};
}

20
modules/unlock-luks-on-boot/default.nix
View file

@ -1,20 +0,0 @@
{ flake, config, ... }:
{
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
# To prevent ssh clients from freaking out because a different host key is used,
# a different port for ssh is useful (assuming the same host has also a regular sshd running)
port = 2222;
# Please create this manually the first time.
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = flake.self.logins.sshPubKeys;
};
postCommands = ''
# Automatically ask for the password on SSH login
echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
'';
};
}

2
modules/unlock-zfs-on-boot/default.nix
View file

@ -11,7 +11,7 @@
# Please create this manually the first time. # Please create this manually the first time.
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = flake.self.logins.sshPubKeys; authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
}; };
# this will automatically load the zfs password prompt on login # this will automatically load the zfs password prompt on login
# and kill the other prompt so boot can continue # and kill the other prompt so boot can continue

7
overlays/default.nix
View file

@ -1,7 +1,7 @@
{ inputs, ... }: { self, inputs, ... }:
{ {
flake = { flake = {
nixosModules = { nixosModules = rec {
overlays = ( overlays = (
{ ... }: { ... }:
{ {
@ -10,9 +10,10 @@
final: prev: final: prev:
let let
unstable = import inputs.unstable { system = prev.system; }; unstable = import inputs.unstable { system = prev.system; };
nixpkgs-draupnir = import inputs.nixpkgs-draupnir { system = prev.system; };
in in
{ {
matrix-authentication-service = unstable.matrix-authentication-service; draupnir = nixpkgs-draupnir.draupnir;
element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; }; element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; };
element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker { element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker {
inherit (inputs) element-stickers maunium-stickerpicker; inherit (inputs) element-stickers maunium-stickerpicker;

48
secrets/acme-namecheap-env.age
View file

@ -1,48 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 NID4eA WtfgDmnK5l9s9DMhWgmk+tel+/uqPx8SHBd0qfWY3jk
ZS3Qu4v3pnA+lYzJ3kad7T3LhcY7oE8fPsGQ1uQH1AA
-> ssh-ed25519 9RQHxg SpHG3ijNizTi1YXvZCJS79Uwt4oGkYzqIme+eqQi9AQ
GqVhyfaTF6tLwuo0vIby0vBv3JufHz59IdNX9ifWtSA
-> ssh-ed25519 eP5MMw 9uU7tlyOzOxlsW/bfUmzjgicU3i2J5uCGWEVIljnHiM
tDJdTB1rBJTXVaGFOOmtG5n2Ae0XOCsi41S0EagRmeM
-> ssh-ed25519 uYcDNw ge+lEVE8+pS/S+eO+6sPqo/czym30CJbQnhTp11NsW4
jxL7Xhn/7JRylJ/JbeGkmhMMeJ8G2KPEKVVq1icQXKU
-> ssh-rsa f5THog
Ybod3f7gvCiBUcNyLV6AXoBchtRGspQah9JwygSGCtBKmWPOUSw3/DVva9nPVwHB
q4t05bEHINMZIoWy4l3VQ1jw+GTxW+6OeWDHrxHOG2hlu1/OT0tZnsQIjWwT/6Sg
fzy6X04yD2ADkwHH6VJYjC2Lxa7kEOeCeKOACyyab7rlXk+HauytUDlcF3Nl3nOc
JQZzfwIORU0XWVy+gDocwVqDaRJXZxhMW8oDjlU8BKgf/DpvExLfuZ9AHHJBU0Y9
HefbTbGO1s5J0T+HEkuIDce9iPQEe8ufaSVO6tKyHpgguIAiLIkjqrdLNRmXv/y8
9W653Xqar7fimd/sykb4K/PpdwvQcB9Ogy23t6s3Qxz5yPtC2m8IC3lgR+N+/nJO
n29QuXFBNUZu/QBXnWMS2QF09MGE2aav/CiwFuNiTf5D4UGGN3Y7XhX/KVOFJTZX
r1GLtch6rvD9RtfyKxAdbtCqbBEQJmoiut9ia5EzG4TvdPAE4XK3QNTn2BSmfjvI
3aXiXOFSbdJqkxyI6ZU2mUMMor3OWrXxWizDDYef6iHZxGlWFqA/kVXyZgdwTK9n
8Re6SYR8roH7T35eILzP4sskElN32UO/A+JyGfP1lOclGTlOrtp4HYTfY0NhhRJT
L7YIB0pNbaRxMBsxsxwU47j3qMkaO1uzP+DgpUacWJY
-> ssh-rsa kFDS0A
GJjiIApapBS6F8pmh6lblCHG3FlVWL+WKN1Gi2u/6Pa1YbkiBCgYFTQBwm5GsBMR
4tQwRJcQQDGgGddIH4/QcMAl1fTYLm3N1w8rueywgAbOwaWktKnJFYTj7lS6PSNr
bZyqyiGvgi0oYYSVjRnm7MmCrycuKmhcGHv1ijj5J8yOxe6qFsomsn9QZm1DmR/m
EZmc5DIYXjhuauzGgqtPVmjHi6hXTN8NX7Fg81aegko79yA12hmyHmaBj4P96Kqv
RyWZ9Moc3ccyxq74jNzp0eFuPNhUJuNBqrKozCc2Lo3KQAmoqI27THkF/HA8ECGP
BJDK7JdHBXyHhf/Fc5O5xOxHieIU8tHR0LLJn7VEvQyqTlKmWkZ5J53AqE8UDmm9
0gY6zFh7h3SjyBwqktzGJ9zXn3bp4fpg0M1+SaYp9Qf6hkJ9k79Zth4s4ggxgvOl
veib2sg3PCmL1OCMPMtyW3JkKsq0J+PtJdlAC9cmVvfvAMHKy2+aADsLt0H8Cpt2
cNOxbnU29eLWgG9uzcCXfqqNtmSia6LUMu71GahAuteZUV8RnDOZdCNW4U2Ohnq/
9znMqERVo0d3LgjaB0P3HXCCqhVFYTTDWg31R6N2RzSh7mb02CFgt7N+vHleQqAo
G/6Pb+kKYSEbU884z95+o56eQrvPunCN9Vu1CjEBfG4
-> piv-p256 vRzPNw A2dcPImS0ih5CjePQP5oPrPfwns6zAMP0J72P7fyzD/A
p46umKyZjbc1MjOQGnJIRu6V99O+/PmVXQvryX/9XW4
-> piv-p256 zqq/iw A5nBHU2O+bxsFqplf2GV6pK5wQ+hJ9l7tyFIe57QVKzw
Ik6aUY3t4geZ3yiWPqBGlBem9xNU83x7t3UA7pYB55I
-> ssh-ed25519 YFSOsg OhynWXlurzqU3ohq1ecH018Ja4wyWazDLv6isajeBUE
Xnjo8yS9IkMwCGNeLi6BABYxjXDLbpuTrVfwAxjDWdQ
-> ssh-ed25519 iHV63A 5CVIOtSwima5gIvwoAYExcy1tfOo8942RQ+SsflPbAM
4HV21GcuyddIjonOZZFgjgpR5smjce7OlMN3DCy0/sU
-> ssh-ed25519 BVsyTA mkLu2Vpr16bAZWimh6sViq5HlB1+lNOc2WPCxzgfqAg
cIDgWit139jipd7XmZcT8mTRDKK8rJV9xIxIaPVL9pM
-> ssh-ed25519 +3V2lQ eqfktAyV2Pia7T7XEfcYiHN9Jd4zivMzJk3in4XOTx0
gZzO+MTyBOJR1EgGn4Mhh4rnIyr3N9gmlFty83ou+GU
--- yJrzTzStOkRCNRu3Y+knfqTqHrwW0S0Bsko7oG/s86o
®,Bgm°þ÷€fåT¾èä`1†&1³%7Q˜(¯•¸Ÿ:?ßÝ
êÎø—æ‡ðj£ùÄO_rqwÃÏi£O®´D·)@0•ZK'óô+apU§<Ö`ºõµœctª. þ¡<C3BE>ÌXÇNæ+íŒÂh†Ù=‰'‡VÑn^HHöv±5aa²nKÝþ×

80
secrets/alertmanager-envfile.age
View file

@ -1,43 +1,43 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 NID4eA jIwfpP0rFLANj63MsJAse0R+TQbGf7mUStdusSLkkCg -> ssh-ed25519 Y0ZZaw TsTaRLA+9WtN9+FJWpXeP12Af5EXMbo+ANTaLC9YlC8
RHyxZqWGYMvhQYfZUc89GPly42u7MR9gSpR8aFWH6LI Yols084RY1C9gfOrDMwJcFRuGZ/5dgGuJey7RXqm7g0
-> ssh-ed25519 uYcDNw JGsVrWwxwA8ftUM+Fo1jFigWfpvNUwoNkK5zKIu582Y -> ssh-ed25519 uYcDNw ZLAINtv10PGMtK5TL5Tf0NyK/r1iww+vTC09ElMGoX0
BzM82Iqmta2Dtb8xey2nkoil7mDipn1iZtGMPKwPcPI EgBB3aiHHdaDue9+Zdxg6mTV2VHeLoDN9wT+hlAzVMk
-> ssh-rsa f5THog -> ssh-rsa f5THog
LkPMatwkNWAElm+RQiCHtHH2QPgVsAAd5b4qF0R0O6r+0CYzEF2OAOZ0LDsytTB8 aiJqMs3/u06tzs8lx2ISlQm87TDatqEn47v3LB3HehPanRpZx9O1HUIRTeiWkMU9
7oHAHxA6kAga/pqKUaJl28xw7ujVIb1CunZFvVSxtOTYRrEy1Rxe3AKUOm+ZmfPL XroGe27HQCCPd63QunBHUH7WStA10IS4rHVpMcULB5IM4jwcbOhSYSiGyY2sbv8+
66Ef58HWMCHzK9sc/ojo7Us4okfRhJBklB9lnORkSfdkvEHLeq0R0FfDtDCnynRD Nn/04ZOwrfzTabC7moV1DqAw6hnlDqKWp/q5N6xMb780w5vn6Poni3OJfuLaBWaT
SKqlx3VbdWe9k6UOJidA+dY8Wx0w2TQM1c21nDr4vXsXpZf6ttT4HvrqbSrS9V1c r6WhE5evVt3F4jyYI64fB2hFw4AR2N/zIMOMvBncLFwJf9lbIFdbsENZf94cYceF
nGofWP+72WinOpFRDQdLvdKvaNbLPwhigqL1VqaIcsnye5zZjQDNn+SYf55byBkS Tj150xdMPuErBsSJQOlfDYSmyioNN3UJUWiYsDeM3nbPEVPHhfTk6b2/lMhSQkcY
CMXj238UqvdDxB4E3mBEgpFxOnyi6kLQXcPEBF/xQ5fER0RS5MkWkuH4Up+BCQ+/ KcuMj/mN/7w7i4HSxW6mUcK2sUMV1BcSSGYRH9ZFf7kq++KpyiP7vB8vaZkcKbfJ
CppqZrw85OOa9jAyWxil3yLQNAnLGi/P+mesPxSI+i2Not9wbUTALr4COG+1qvfF qqrIcXTuXhR+/bWZWqf/GQOVwRwe1TnqN5MoZHipg3a/UCe0gMM617VwZcfhBzjA
2MbHiqREoajnQUJjhGhXaAA332X7hNuOF/DjmBr7i81oWVmKs6TjCDVL7Yo9xu3j eW6VUdjSewwA8YHEuDrAeoQ4CMs7y56EaIlr2IlQy6uzJPX9eeO0auO9RZ5AR40a
BcFqMlaOgr8gObwnyJ9BbtW4sBtnOeD5onPxWluV1+Ql8Idjmu/BKeuqIyGX6wFl 7un0FrlTJX9uorpCD/zi3tvd22W5qVoMGZ8vXJShZmT9he9K3Bv6XbzG4DJQ9/nv
606lbprSTRVjLZWvg3gWaIMlXdcnat9PmHeRk/yzTrHke2aFSkvUKLymnRCHETae xZ676HUYhWeyYZFBvt6DnEBneiDJFeaV2AeuQY+juHBOfBrbYmlE0S4Pd8uRSJ7w
Rh8ILeQTq36Ul9r7qklBNu4M7/f+jeX7gYPH/yDUCXc u5UJTT+RV5TkZhpCqqYm7DphYocnrv7Ic+QKmvKE4ls
-> ssh-rsa kFDS0A -> ssh-rsa kFDS0A
X1vrBlpHkWOVyhBokgO0yNDQk57S92xADIi88w2UU+nTYFgo/RsyTCCFAFMaDvR3 HhilpvIiUps80SXYUXg5vqNmcy8SACvxpC5dTVBU2n+4OVXQY/35Il5ZOrUX3U7a
kQdtorCowxQpKLnTzER8i2ABZAgAmUzGQuRPDKcqZuZH9oypNkBs6qeVI3TA5GKu arfVp/KaQF7Oncu3x8F6Tp1ibUwmoyAV6OYqqs128nEPwkNbJvwrLY3aEBm+NIzm
V/IfKLeR57K3cpZT+TcOzKUqm/AAZO+rwdnrfW9qVAb7vlo3TWawfBHb+Fl7y9JL gMlLRjj6EP84TVWgOsenQCS4l957f0QoNVxQ3f+GWdOiZZJFsv//ndsflng8zPlF
pEjhDMhnA7na67Ktz1MFm80XRneMTW+0NGtcTd1iQfjfHe0WfFuYU4H6aZ8ZpZYw bGZy8c1TxDZfOD0/kW3Nx05c9X0EHKOEoDUc0p4qntrWlflxcvLONCgv1gZuPMF+
2rLa+EmFqUpv0ELwdGViqmjUNwJunsJ6rhJZlMn43v5/XPLpapQr0zwtXzzfzZHd jMsPFP81eu3rkEUxefJ1qbvvGuW0cbzfwiStv7iGQ+Skh/vcoM0qw6p+csNKyHVO
HnI6/X97zPYUFDsUeI6x2CiVKHVWMGjJ9VPAexpJepZSkgI6On2/mfs4++XnDWLv 8nYFcs9kD8067zMnyuqiUHASfZ4rPqTji0iiPC5kZn6N0YSgz2bybkXcoqmy3m6y
qsvsJqVzM075eH0LUyXq4WGu7oJc4OdfMm1CrEBKAaqdKRl0HnBZGSER3C/qAhLK qs0S+RD99o2vCLhW46hZyKAgUyTU1DW42EmnZkPrLoqV7uin8fAwPO/98Q/b3Rkr
Ihbk+kti5C7GTzRyUlzkwINVFV0pePClLP7AC5vdKMhXysGQlxNJsTeUTdAOhrAm zBRtyTEbooHvOCL8limiRtDl+5LMcjRFNWk8AN+9vHMsYurXPNOCnd8n2Z4MbT2U
UeWnd0Xp+K8OBsUgyGktKBMofNAJ+MilSKt3x7tJk3QuQIGjqHCshpkMf0ckixrh AhpoAD/+8HXp0InBJ/sclITVAc6tPb2CbJW6mrFezH8Ri+/6u+zSF84JDd9ZrCOz
aDN9Rj+s0A8C3hrVv8z602jBrM5tfYOZv+q1/yFQo+ieic6Y9WEzzrTMJEHxFSzX oIshiGZmhP5mIuspVrxgKlm78a56vQrygpqzvuSSYk3zIJxmhEkZhw09/ga+rhyB
KadqfZii8HCGQODcXh8VRpWDVjzt/pDVR/zu/0YCP+0 pkKn7GRyZTfKjwt5nnvW5/bmQndTa13j+7RhkRgBSvU
-> piv-p256 vRzPNw A4KCXAKoTYy8euaKXot9+c5N21WG9/9uLPomiiI6rZ5W -> piv-p256 vRzPNw Awpc8paUfKnP6r0bYsaoeDE9GVSnads4/a3jCVScgS4V
vbTcLpDNM1qVdTBCUPMrlX2GpyeMUsKaKLFl5GVVdYY YydKOS09kyZDYN843SHIsYUimtSQKvGhIuycPWOFojc
-> piv-p256 zqq/iw ArX1s306JaaWVPiTA7XyzyTKcsBDHjeIiSoOg+5PhsBj -> piv-p256 zqq/iw A54xbcufPkLpTD+N47AiIe/xZ/0vA5kDJ4p3rIZw0a4A
zzmU1T5q5ff6TzIXhWqiVM0Oxxo/ln3uExBXBlLFcME 1WFP2K3tfUxtdKDBEmT3cx/u1i5nCzFR7cK4kN3WjC4
-> ssh-ed25519 YFSOsg tgHAr/emB3i+9Hd+q9oYCjkPO+RuXv22kimdXz06Zys -> ssh-ed25519 YFSOsg L0lPSkoPVRKGlJ9MzkJx+cQvnZw/5m/j/JO4aRzd52Q
p8sYz3j5I95ZBJroWxUSzWljcj8E3Ic9uwwyrUWm1+E o/N7zQkvbGGoadiJSvL6lfuP63uqzxEIxDtIg4tgKIo
-> ssh-ed25519 iHV63A 9UXBAcuwIfuoTHcWYhLVa9qtJ7UsLsIQsH2Bn0T/Wy8 -> ssh-ed25519 iHV63A qfLWZhbDisCSJ4vFFTR+XpRUR0WViuAqarf56M0ekT4
OvfX4cOKJYv9pwaQp3yD/QPZdDnGSC6f1qemtKENtpE ZSWW34pFRr0M2jFhnphIPJ5ch37ASM6OgTzyHSo0KAs
-> ssh-ed25519 BVsyTA nC+YMVK5YyCM79iNijTaBgIZDPi7Bvlunuzl2s9SrRw -> ssh-ed25519 BVsyTA JcFezSIfTF+AP8LYfFqz+wIpUrE0aoc1usiLtWxAPQE
xVUpZwdIcszqsRdZw74fJrSduzxqrO25EMfuypipys0 F9uhFyCPK46kIy+ud4V5/ESacQgc9R0JV+JTEZO6nBI
-> ssh-ed25519 +3V2lQ 4n/lkQ1nwcXD7mNc3DzIfC5xGF2mn27AoO36Chei8AA -> ssh-ed25519 +3V2lQ G4yT1e7B5O2Gy6tusRMxuWOFScynWfFY5AjrJvxMK1o
vDe0RU8Xm3L+/nFM0lKK3jv6hqiUE/YxZUFyHUsqAfI n1OVFRqzijWlc+B93cBNdFPz+8CBYOsI5hpF1wz7xr0
--- D4n9aVPWABXpzO9DI20yHf11MRJ5ACWVhT16bDls5pA --- 61u55uUc7z59iHF1IeyBLmcR6u7STUhpOPb/ODf75Vc
iR ÅÏÿ%µÙØY^Ï Ýñý’µ¶{“²°Ý”#®Z0´P6 šÿ+ÛÄR!iJ-\ul°9!å¬`Z÷¿Nh² <$kxpû´Ú H:}ò*ä/Tâ®Ñ$ÕbÀJ \F*ðòWîzÉ6 Ý ± Âì<î̹>e?ñ¼<C3B1>Ÿ6ÚµÌ~Ô!

43
secrets/blue-shell-wg-private-key.age
View file

@ -1,43 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 eP5MMw 3H1XEr/Vt2TOQUvGu3K54CxbigkVpaC6hofMOfFR60U
hqFTOoMhyhb/Fsywzu4nYXmEACOunenO/4NwPaVdrZs
-> ssh-ed25519 uYcDNw raghSMdCaiQrfGviMlc9Pwh8cx33IWh+mnsxL8jgTQM
aOMrh/746UulH7hkOV6XRiwEszgJtrI33mmzY5S2Ipg
-> ssh-rsa f5THog
Hm/2fpGDwqKG9K6zLYXuSDwOppDtDfw665ppaVzRvnNppizkilCohBzCrwXTMyeH
KKZKqaEt+n35wrurfMfqQf1AkamEimjlXCMmr9IwrBHbJeIJuHn6vGSOssQ0Sq4R
dr002QrKsGDzlL8dCLmaKU6VPTXcSbCOgDnBW/AyU7bvN51jtgm+jOIey7jH9Bm4
0nU0UNcPiShgSbXLPp0V6O/1zQBOVeFGyGenblAKlqLILPvc04f4703alqSbKwXF
q6GoS0Dipzr4N8X4Thzgc8H/YQ6cBVGQTebVGHqFEngLQ2C0yZWlDfJsKnKOGUce
xSxSskfzEv2s9VHDrXeiTAzSYaLoZI0JEDHOSICmZT2wqT1voFokIQV8twORGpOo
RAlNX0BULPEg5Mi2k3V4ZBcG5EwUjEcHAg+0cQ82D0f4OJEqMVIa3dse/lBbrFzC
/Gkr8+LPWVv7f+mRr3sdKtZ1nBwz1uTP5qIA9m92UeLVdVjmp20hixmlgftAbTBm
MtIH2xqkitpb6bhImGIbnxpg7U8IqQZNfavvOM9yqj0uud/Nh8ruUuwxci4RS7yP
YlIcompHudeirCLPvYx1T6nYRB2GB1tpTcyQN60pb6YC7lH9w/tLhZf8GFcMdIY8
eLx7FoWfNj2dIp8EpBrRUEaQlea6Eb1r2DYTjmNunnI
-> ssh-rsa kFDS0A
SPaIIABa0Wja26CIyeUvrlt+LWJY+Iw2+OouRZkMfi5YxDflb6SATesWh3zMD5+A
SOiA/oUiRfGRVMmqiEznd2BLyUO7FQDv8tIT38R3m8Nj2Lb/kWtuhPKqrk0PPvr+
kYR3iyM4klqccCzwOYwWfpO4ZkFACBApTOFYbU4WX50WDRQRco7M8funj10BAIsL
H7hOKtigx2RJaJDcU3MPHV4beECpKbeH9scICEDmi098UP3850g1lN5AR7NjWvLi
zr3Z8Up4UjEwH2mvuNnAbvA+0HOu5geIae+VUqy3EN7XFC5HnMHB6eK12Q1VAmF5
MbgkppMeoqLnxIdLT9xxRNhD50B3QR8MNHgaNWuBqfl86XPfXjxYP5kRaCAraego
nbE1gItlgIPESpf0ocfIEyXb0tSup8c+99ezgxBMrzNP6UtVGRhZvwLTpBZmrLoc
5P/hTr0WQE7d/6lmY9VyDsXasPU758tUhM/cJxmmUyZcCOhjAiJdWSYHe7AUjSQy
rUSKUSYwqM/epFNqdnanj4pmmRkSk/0AiEKikvb5DvWpHrnsL/EuQqtT382IGv6P
VA6ORv3BmL8IjNnTppZsG8k91WWHLEqxoDKUHg6WHfJ5XqnEM4maFsRZs53QLqLB
vjAxAeJHjFg13wkfJmo9mZNbw/0WXS/K+xmeOTYuH/8
-> piv-p256 vRzPNw AwPYD0NiFDZ3/0L0+BEUS0hm7RddL3sPXUshz7XtIQVi
7rzoQuAQQHxkuYFx5TrLEXZbGsERg78mAXcgQySwHGw
-> piv-p256 zqq/iw A0Ec624/7FOTPVAbZDjhsBy0i5L1Tw9LwYfH/7DeKHi9
djfKQINL2LVAAueovp/V1IGyhuy5LGQtOws5Dtih9sw
-> ssh-ed25519 YFSOsg 6EeEfNtlQ7/a5Rc5iShfSa2ZjIoN6QcLDI0hJgpF8AY
Tcp4iqFjBTTzSUAZrxRWe8QkvuEoPWVagNL4EiZLMIA
-> ssh-ed25519 iHV63A P8IDXAspyflmLqtPOqPWE+J9s9e3OccKc5+8s/Wi9H8
iRZba5723Ux5oo8YA2TDyiaWyGzHlAcvEiD7I99vq4o
-> ssh-ed25519 BVsyTA LB7gg2/eozH+f9BNC4Q1m6Pl7b6znkO5rPVgvKSjen4
AjNzM/44dMy7JyUcAT7c4pAFTtOuapiGtiqLdBPGrKA
-> ssh-ed25519 +3V2lQ NHbovTrC4cTSsqb3AfmVOJ/pL0QQbK9GpMUpQMAW7w8
iwAoDSQnucAzQPOgZZtl2bnJQ1mU19aoruItkQqJuZ8
--- itqKtiBSCvkVJ5boq7PeY3uRMemElImzWvSeTwbz3y4
×ZP38†¶0¿Òe¯8WjŽ÷[ªø#;ñHjÀëÏwïYÂœp¨µ“6W`ôhŒ²ªs§õvbÈ·èÓWu·ÔœxZ5f5½

81
secrets/coturn-static-auth-secret.age
View file

@ -1,43 +1,44 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 iDKjwg vLO2012STCeqJACpBNg5uKyWx/u0Yfvwxek3S+0Q1C4 -> ssh-ed25519 iDKjwg ZUEOvf7JnWeFNohEAhloJ0+YL2SwHujjm2YG85NLHyU
6vPjunf0CQeWTwznZXPc5iVL/eiF7SrPqGeuvgcfizM HwrrqLMlNmfSlZVt/lCkIwqmCYLARbDOBhIm+AYmDEM
-> ssh-ed25519 uYcDNw QwGWHxl6dTO1HEfw7pEtdvb2ne0RiNMb8SkWRIrRJQg -> ssh-ed25519 uYcDNw Lrek6ru/vb2JIZyALem40oNZCf3ia/U6sb5hRyDaakA
ffdyTEltr6wlrnA9isU17orFvSRmicPvX+w2t0QBJIY N34LLq2+qJOlbyaYXUtNP17fDPjF+evgZ6kOs7mVhYI
-> ssh-rsa f5THog -> ssh-rsa f5THog
XjKRMzLPZlrTQEDJzgCwBbjZwIy6fMYGLuBR8TS15SAIbttLoikF/AV5zqJDaE9j jmwJ+hV1/50cWemVUhPTkTFgnd7iJ0YLtjU4fEKXghWIlie/OR3AK++1f2UJxKT4
RaRJIIQV6LYCm1fHOsoua0XGxicvJkdithrDC4zsEEJ5n2luNj+sQd7h9ruOdkO5 Z/32ALRBnmb7FlAPyYbxIns3IUJP+Z/Il5SCeDrtwaUxmtluwXwwO07WlztqZJlO
l+Og+MphPM9naul+MJ/DluzS863DewkCNENEWe5H5MkHujOoqEsRsGdrRPXUbAPW bvZ0ifDazxOFZO6QfXQE2SaPDOqcH2AAiiL50eXMgbdY5lARYW2Qbai/2a4t/PuT
oNIr6h7FHCTFTkxfj1aAqDHdK8R4Yqo2K0vnHHfNS3PeN+CQJOrGNzokYybMRxqK Qn8WAwjyXOIdOnaYb/MZWyp0GQYsa3nEhYyOWvTSjSROEfR5qBtGNYkUBBTYF+YO
RXoJD0QKAUCV8cdXGr0XuS/ljv0lFODKhupy5ObYU71052nxo8j7KTq2NpZXqjul DGOYStbPSkIhnYYQmNajlcy9wMW5fH36ujGdnMH7C6DgcSCY2iTDTdE3cyCxAuaJ
PWyetcPtH5nLCs2L31XoBk7cEE8g/eSjPky3gSMdjGjdB7qskmuPcAHlHEwQzecG bRThKyXYsvhMKgrFzbhlgt68taESb4KcKcNO5r7lqqID/I0b/fVltsKpkXrSCB53
D6J1LjrPa8OMVD4AdR0KAXSnSvzt/RhyymiZWtBeKg52rm4KK3PVbJqq05m+PEYA Th/aXLXPUrYEkbdP6nqDBbUjeA8RDid1raIF1O29Ok72oU48q50QXqP8GF+honkg
a8wFT6fJOqmNr4gj4peIUHca0gYWhfzhLpXsj4/MKTPxzdUem/wbbMJrM7oQpwma HSdXmhPtlZyArlJNWogDaU9FkWp81E0JS8G0OnoNilCmiu7sF717GG4pkA6GTnaB
svN0vvqCUc2wfw2Apr3WwoAnNTIohZOngNkKNWNweXtPOee2qgZO3ko2wpFa+Yh+ hlJSiVWBPhmhVURIOKkRl5bIWLUvJESPLVVog/vsW7OJETOb2u+AlwvaBNY8w1wE
IMonHHVhtdchTidx4RttgDIaW/+i//XGfqPdmanO5wUmm+SwgqkkQkRHzmtbmgsq An+m/qNO/H9Nksw0B4C9nLfasE/nDvbOT/Igc7k6jP0sw6/PAWnosJY5vDyIpR8k
KlrAmjL5biH9f9sBItYMdKafgyQppMAQ3hXt5wgAgj8 7q3rBPnsZRXUr213ue8xs0G7SsbLheYNu3/D4YdB1tg
-> ssh-rsa kFDS0A -> ssh-rsa kFDS0A
XAY8GSsx8B5q039L14C/t4cGK2sAm9eqO33r//YgpI5nkvw+pZrbJegdCItfHXHd BwaozSAR0Lcn3ZOHhC/OuOYRZqW0ayV4kL7CSLgaw6x9WqA7NLcsE+HDr7aDx/lP
9BwBGOowTe5Qmj6RVfz4rwsj57HJbt6ivoIrU3vH+GLsNs4JIg5lwz1/WCsotw6W K7TmFGYMrOiIk3siZ4Qc/JwZXPiayxGITcwoY82L+FrJKJmQd6c/3exggsHlc7B9
8jQXiiZbA4nvzQzyZjJVKavTCfvbRXdzc+CUZiWgQDXsSFejp3ODeOvUds8YKWiz 1ijXoQgjnorlopI70Cyt3QLQyMCPFb7tuZFEKR0NqBzcFTi5fKVYcMrfa1WVxzMO
jYILyzUzyAf05HDC2SIUhfA/UoXokfpo6uZuryWXjRBgaRENa9csDnktc8V+61W7 0Ic+mhwMIAst6SQqOkqaVbtUYxATupQx+9FwThk+9NDety1vacb+lQ7hvCnImpTd
gUnu6yt/rN6oiBesnUZQK4sPd5YE6EcOT2gtLp1qKxtRuF9TEX25oLHi52kPBu8j uENry/G68I7zWhNuCeE6wj8lCplFkW7dvrJyoxUVokWheFnUKjziA3ZybfMyAmI9
TNGbCU2ImGW3Z6TkAj+/XQzwEIrbLgb7APMkI3DtWyIIxZn5QJdDOOCseKMKt2Lu vJZnTvTc/7UxJCnuk/pB89q3ttm8LFT6AFAwZ1PY2ndWBMRlnOaB0JXSBKXZCYYV
VH1RF9C26mqcx7+WGCJKylARX8sbT1/ZsCWSUnmenYuGNQQppMwcQGSICs0YmFkH bmJ/NSNdzyO9Q4MrKwYO+O8SOkVWM9EqKYv+FMO5CksU/N9EOUkpZeLpMYh1WXPX
XnV19+pt93i5rVFs9IUxFCqFKKjElCiPgIHe0QlGuxifeiMXYuNi8g4ObN5X6GEL BMKmXzRWp3YEsFH0g74ZBjFpTo+FK0bbRfYfTj7wtS9LpOFPr51qRDwv0zocM9cQ
MPm0+sr19dheOZicyxqJ/jSlEOP8bHgN/VDHjKtsMWQD9r3NfLH7btNjA8HTITDI MkpNtuSqpXboCLGytJE34pAsDY1BHJpdAOwlwavwK8N/yxlF89ktIAtHpOaV5QNF
YvLLVCP6OR3ZlMz2HUXDpbaPYSSZvrEtwkqCIe3ij6066Y5cTsYHWEwOvXaKYh9P r8oW2DLERj/s2yunrjZ5kQXaxbn2GBeml5gFyYWPnKVIa5x0PA6LgT2OMYd2x4vA
OJtPgLQDV9VfU9hK60E+C5qGQAvHhBgPUfXS8JMJkyw r7UGlMktJLosJGjJEUVLUHXarKkTz8Xwrw4vtaaLIyc
-> piv-p256 vRzPNw A2vUnNzWtQNNOU//b3muMZeM1qdO3GyREn73VgdxMX4Q -> piv-p256 vRzPNw ApWXG3ayudUSrW8zw38cU6hYVeCVZhIQm/ZbjKpZqgnb
6AzSUdoPB4zMbFsf0fr6sxbCsg+5/qmBtkCo3ry88Gc NqaQ7bjTAuMei08uNpVaK23uVmspjlkGyleF8phudVM
-> piv-p256 zqq/iw AwVuYkScYFB1OzvBz9255ebDwPO4o8szD79gPnzgK/t9 -> piv-p256 zqq/iw AxdOZ9zfYgKZJY9HhQokUHwSKbfKl7i7X+FPO30EADcr
UCm3jzlAPdfGvxO2VrE2DBvcGlaJpMTINJl2qcq+4oA qsniaELyEVrTeSaJG/lp3sCPCmbTUA7CWdMxA9tsBXc
-> ssh-ed25519 YFSOsg wUzSRyoZOde45Uv+KaN/ARAxIRt1bPAqN30P6nM9b1o -> ssh-ed25519 YFSOsg 64fhQVd3dvwHCBXa0QiK6E8rYA1jScm0UiBvJVuL6Eo
pmufkyRBD4BoL4a+dbS321KSdjPRrB09MssNU6N0dtE YAvXqNw6kQkTzBpDIboqa9gOoTgHE8hcaIMTg6UkODs
-> ssh-ed25519 iHV63A qyqt+LHR4YGE+P2D2mq7qOS959vLZ9K2yalLvGg3riw -> ssh-ed25519 iHV63A BlO/mSeyxTFBIa77g0Ce2CcaVf9SAiw9/OzkgnaHEV0
1oDuGVg7Jn+8MIlsHb8KCDImManVGnlIMoqFt9w9Wjg sjmnXCpwe5KTgIJ1ZaM8j1U4fYi2Y5/WpwpUfAe8Dbk
-> ssh-ed25519 BVsyTA skF/Np1FrFUSWJgCw5PN9uSy+bMezPHV7lH4jm67TCc -> ssh-ed25519 BVsyTA gt6iV6mhL2G957w7IbJVzNFV8QMHOzP5uOkgSp5QgzM
QrtBW86S8cB6GLsw6LVGK5jhFQS56MvATcPspGJwmAE Vvz1jjLKA9qbqAE1g0UyHySrrnG16ENdz9TxwyoML+g
-> ssh-ed25519 +3V2lQ DPCBFzgin6QTJx0QZ0+52qW+6xXmGA4M+hFEIFAvpC4 -> ssh-ed25519 +3V2lQ g453jshh1sgCdUyhg3jlU0A0X+byL5jobpu2toWTYRU
QuuoukU5PC4BW2ieS52rkGcPRPuvrROE37gZpd7cudw S2k6Nk+UBv8gcJZoIdZUc2Kd+Rv4jzzcEyGm+eb+KUg
--- fVPm/8JI93qQmr6bEdb8JEtRpKtsBHnK88A1tptYLIs --- 8ahetWGfwjnJYRnkeSS15sLjDBBtN28biMlYCPSvObQ
|9Á:\ÙŒèHÐ(„•a-[çf„-Bpýu[€,¤bz¿ö'jA¸á yp`4üð“ï<E2809C>lÆ•|—Nj3ç ;”˜¾¾)“±ëGȾb÷ÿ¦&ÓWãF/ý±yõ¹ icü'ióë4Aî6$}ß!IÚ3ó¨ÍÄ™ Ù3yŒ<79>ç¶;¶ƒ
O<EFBFBD>.<2E>œ[„Íf%jTà4ŸG¶÷ãÙ¸W#iÐzuä`'Á*zmû‡òèE‡6ÓضÑúéª[ê€

43
secrets/delite-wg-private-key.age
View file

@ -1,43 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 9RQHxg dVdaiC3H/M+tA/xIW3NdwQax68lkydLDLm6OxTx1lSc
HRLezYbdAPHNbQm/2WXT16wVX+ZC7GKlVp48aIECsdw
-> ssh-ed25519 uYcDNw SqHkg361mGpjrcynYld45CU/jfnPp55bt75apCWlADE
Z55QoOPVt2u1d5Q/96PHfA0MFAaO4y3CWuJNBnVy2IU
-> ssh-rsa f5THog
yKfwc4z4mIVfDJW5aEk7O9ddRL0YKOZFV+xKE6OyMGv6luJ+yM3QcPxu9yppCfMA
AIreVH2/4Tn+WhYv0dQuVeTR7SLqfn+TynkfK6ZZ8NbjSZXnakPqNLtOWi6C8VIH
MAfTTg1NGOG7E3TGmMqFrQnxYdpIvtfeGaBfiMhGLoWnCzJOzVkZSf1Qx+ibor1T
ZtJGsAVoAqGlFoWNDNrlemx9/5qxARe/GSSUyKtEb8VtbvN2hgJeg3YAKBANYkUS
C2Py72R662WBKPSd8vZRaQEJzP78b+LjBPmF98E8EZcHD/L6I6QRirpD8E89nN8b
/vp/Ze2q5R+9ot2TIO4Q9TJKLs8uMYUNUImrWQM9eBG444dmuTNDDfBFeI0Xwwug
FrHxS5pE8QzRdla/fIt/Py02F/734pb1LRCBPaLr5F7gFTBtIXe1TCvwfigiYrZ8
3zD4mpasIz1a7MlOIBIUuNAvAvJIwemenzxoCPTJUIPR9Ja06JUJe0qe/qOOaUAE
iio/a7XLYAUnTqHQ8efufS7RF8HB61Q5/CEtjE4NnpaiZkG+KQ57xjTwrfKSALxK
FN5ydIMY2aNg6Hh+n0MlCfpV2N8XYqOF4YWWRKY39516i8QCvvL21k+lt3P0Lpad
E5fn9FWoLqJw+evJsF/PyTrLT68tQbcY90mIGC6n/Ww
-> ssh-rsa kFDS0A
dTkAwE1+eD5KvpKvI0Wja9vV3wgKogv9ADKyf/u6meetXQ0isUnqxhqBbQZKhVqU
StNE4dSwg9gBwsPmNXJ2Avc9LMIBuhDomPOp8bqdO/r0IyDvJ+TngnJsroK7dfL5
foIDtakdAOVZM12ytm5hZlUNfXppAJUF1T9w5LIBWAMQQYJs39u+RrLfHoIvXTor
OvTikrdYfGiWdX3XIGQAfoPct3ZEKmD76ypH8ESw8kKF7ZfRQNDDP3LMbakoFs8K
Jrh5S9e3b5hdiDsv0DFtMISm8l6ec2mhhkVhSPgJ0mZYimMUg2QW1b61aTbE+LEI
K9O27ci1UKhxvLnxA3UWrYcm9SX3dvFgH8c+hJDdydHRGtMA3OU6Ut2HuGKaLfys
P7F7gffBTEeW2na2I00k3/oq9CCT4AP1d/CKlGd8ZtRvv5Axv6ThehCFZ/FLYGCg
kLBTHCX9qfvltdkKHIZwgxQ7JSGvNf/4bBzUz47o4gBhtnADaPondeLkqRS8sMwF
gq4UtG13Y2NfVYLtydrZCpUSMXekibZ8Rj2ER1uy1PD32clevgmgbTSyniSbJDa9
NFAeQS8KiyfvnxtLNNoMflR5yL2O4bX8Eo5ooaxILxga4M7ckcuKz2SMjDjpSBbK
ndwen9EsZuQwK9Av09h3gZeRy/t1ne6MtZrsTY5W7+Q
-> piv-p256 vRzPNw AyZQpsc9MqXbooqG+eK5gQQbfe4ka6pG7uixb8ONVGQz
FWuy/qAQidT6C8YMb3674epUzZw0Rb2NMCK5t9wdnT0
-> piv-p256 zqq/iw ApTqG55jHkxwd3cT2Hvw84V2DcoHo1M+q9eP2eLxSE2t
+27Dzy6pzGpOwTqUG17QaDC93O3PSJIfy/d4eBnuLw0
-> ssh-ed25519 YFSOsg mRmdt4AzDKbzKvMPOEHg+jQSRs2RF7f7ev/jzP7SuFE
VmNGaudQF6R8xDWBz6bFfmk2J8twCUEzcXj2AG5teKI
-> ssh-ed25519 iHV63A pXrKk8kpTBDxhiio5ZY7krRJIDkxYJZOMqCaW9Q7OGQ
9/xgfjzsd2JT6FQ2YWELl9jqph3+HTF8jChvbiHceJo
-> ssh-ed25519 BVsyTA z8nXuz2JOAn8t8OW+AzFRAXb5ulAuderatBFDrb6klY
Z+7S5aGCCV7f9WwHWr5LrsKW7rnpidImwoiP2dXcxew
-> ssh-ed25519 +3V2lQ p99nuu5l75p1y3Ea1yRdFBQSxvYRVRJzX1undANyFVk
QHzKD4WvtnRI0wgiaIYKWwXrG5Qg0vQ+V6eTJUk+A8k
--- od3JqYVYOFEDzaNHY5oDbfOjhUBsiQFd9pNGSkAw8Dk
øFJÒMmáž—>¿|ÉÏü‹µ ï¾ê0½µ:+‡¬¥U^ØÑÚYؼ÷æ/‰ŠwÊ X+8gtRNPÍ^\€N}«ü£

43
secrets/drone-db-secrets.age Normal file
View file

@ -0,0 +1,43 @@
age-encryption.org/v1
-> ssh-ed25519 Y0ZZaw 5slOxDM4xGALMpYxFm1WBX4Sds7itgPBMIiY97d7Egk
mZNzn4I6obUHAdox6eVR4H82EZagZ1IrCcq0CDtK44Y
-> ssh-ed25519 uYcDNw w5lzhmA8wIMXihKF25d5jx4/Cc5BFE3Lw6ad60b0wBg
v9z03cpts6oVlcTQ48hMw8rjWHp1JUOov2qCUjFN4bs
-> ssh-rsa f5THog
A93Usdjf6yJFLFqDiy6UUIJ4faBgQXIvk0pZlABlj9M5n7fSf9uzR6sSih4HNCvm
sMkZ4wKyQHJnUB4Uc2jGrdcWqpmP5MLYHhj74Rxsi6heZuCRf94KH7sE/03A958w
jAV4v9z4EqmkvWLNQi/hxMVMs5A61Vs63WIX/TA6vhL8Yrn0FeIKlRZYUVIeMu42
pbEuLWeIzbUioAuEA1ZKV5VDx+6ack8TS/Dj5bTNEnzFWpjnHjO0/GeQU+aaQZTe
Zy325TcRosT0V7PIh0tDQZKKRpOH/e9LnDkd8NIjyfEsGdDYaP1EVOYVxPCqUDAh
A0kV1kkTiBzaXDkuakc+HDCIxtYXLWthsmbD+vI3D7FlTl0CY4fOP0wwO/0rS5Yp
KDuxjz89II1H4+ZvlcPUihyW7OEj4d+NwFQy+7Qq0Y9Ii0NONXNsnx17FKXJwOMo
NKyLo097FvHV7k8F9wv9mmZboRulDAoRyDngeO0+SJA90uJass04DuiZvK+g3Hry
xVzbkk59j9EQqUogopW/oSeSbUP0pvcKOahGcSIW8vmadDTgnN7zzqf3fq+dJ2TM
QD2IXAwvoTFBE+9DnPOtptk1X1D2umZuAWTzGAseXOImrPFZ+bEr5MV3qLGlg7sL
yA7Mvbp4diVdH5aePzeBefhxrYphz+yfCbELFTYam9g
-> ssh-rsa kFDS0A
Ng0FhTDjASWJkrlNh+UZxU/dU/wfmoV1/fwTv6Xg69k/2qU9lk0oR6e5xAimvX6u
h7rKAYt3zSRIFveGczPCflC1nycG9wLSpaoJghav+q+muoDQ/fbSKSgHFXITC7Me
f/wblyWvJsUQbjxSW3g6/8EGz6FvpTnycPtD2vbRj+Ctq72GPA2ZWg/OC4jAUlDs
r6X0Ql2jwWzy3Y12v0mPknlBezN8cIfjBmoNOWokUeGJIBjujlS7loA1yif09BLg
PTSLCY1YH3QYcm6lCXK0HaNcMjSSk/ZK9D0wROriF9PBbkpWgg5NlIrqGaeqPN9z
QwRR2DvhuCa1br57F36Y2LKGphYjmhWAtzCyQ0h9YQ+AzEy9uFCbK0IFyyeVl/fN
+HBGgxacJBcEGsNV3mbJvh6dn1348eex0GgaQEf1B/lu/y66WHbmSqVyUDfWkqEz
IytAC43VT2rKgg+B5u0d/JhLDLwXTp7iVDy52ul1n7keJHk8t1GDaufAXbWqalQ4
vuyxs6ghSIXUi27IZrYblg/OEPFTBfcoMXkmCgyx5a+eK+DhnBazWjy5j+vgp2so
ZQRQurbG02qpZasTwBM3iy4ZklX/uFjsKnk0c/YcmK4YcMviHcQQjdjKruEE93u+
Za1KE+qZGLkhFCd9O3ZPMtEjRjpN10XIs5ylKQ9MKU4
-> piv-p256 vRzPNw AiNjNIR0OGHBu5Qn+bvn+Lk5VnpI2BQ3eJ3+2/FTJfZC
elT3acRVdmtBl0qC5YbvfntxkJrsZwEJqlF6aN5hhWw
-> piv-p256 zqq/iw AjIzSibkqG+YcP894QekM61Wsty6MaKBghlWapHfU0Jn
HyXBp8DxtnNsfuzZq13bwgma5CzLTf3UB5Eht6XUwe8
-> ssh-ed25519 YFSOsg WRBQZZYM+X26hfoH4zvNWQulZvVWP/Ha5OgkUmGK/Q4
5Hw4ZDNawn5YRC673Op/sbpexOKeL3gez2B7oZxUKhA
-> ssh-ed25519 iHV63A wyr8R4DlqLAu0XypddVoFimK2ZMncWaa+KWV7vMEQm8
puV3g1t5AbnEgC0S1U4ft1evB7KuNppEi1g/AtxHgWE
-> ssh-ed25519 BVsyTA 0N3iyyGqTCRAHHcK7QfN5xRttorc2E2GL0RDTIVIBU4
Bph0OujqmXzi9IswduX9Mbh+yRdPKOwCf3fBv2zUzqI
-> ssh-ed25519 +3V2lQ 0p90VtsxWyGFaeeoTISIxQRyeKVk0HoGGq71tjpIPjg
sRf73Tp3BJ0DsTnJO2xVGyCKjaX7C7oydXj+39dKMUg
--- +/HCG0s/x+c03NG5qrgliJ+5EXXI6UnuJz5XDv2aphY
ÞšÂ<>™Ý@»=£L¬“7*®„ÐFq<46>UÒ*ûU꿉»È$e=þLgJ|*1ϽE ZG—_Ü5ê²ð—²ŽíÂ,òöÛi<C39B>_'¸d7 Ý3Ú“Nä3ãç¡*»ðªê<C2AA>£ŽáŽòqýŸ‰Oy#¶([l³†pÄf¼õ¾¥ö

BIN
secrets/drone-secrets.age Normal file
View file

Binary file not shown.

Some files were not shown because too many files have changed in this diff Show more