Compare commits
2 commits
main
...
matrix-ren
Author | SHA1 | Date | |
---|---|---|---|
teutat3s | a59e57c532 | ||
Akshay Mankar | 56f987e424 |
|
@ -28,18 +28,18 @@ People with admin access to the infrastructure are added to [`logins/admins.nix`
|
|||
SSH is not reachable from the open internet. Instead, SSH Port 22 is protected by a wireguard VPN network. Thus, to get root access on the servers, at least two pieces of information have to be added to the admins config:
|
||||
|
||||
1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`.
|
||||
2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network uses the subnets `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).
|
||||
2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).
|
||||
|
||||
One can access our hosts using this domain scheme:
|
||||
|
||||
```
|
||||
ssh <unix-username>@<hostname>.wg.pub.solar
|
||||
ssh barkeeper@<hostname>.wg.pub.solar
|
||||
```
|
||||
|
||||
So, for example for `nachtigall`:
|
||||
|
||||
```
|
||||
ssh teutat3s@nachtigall.wg.pub.solar
|
||||
ssh barkeeper@nachtigall.wg.pub.solar
|
||||
```
|
||||
|
||||
Example NixOS snippet for WireGuard client config
|
||||
|
|
|
@ -7,29 +7,16 @@ be manually deployed.
|
|||
To deploy, make sure you have a [working development shell](./development-shell.md).
|
||||
Then, run `deploy-rs` with the hostname of the server you want to deploy:
|
||||
|
||||
### Dry-run
|
||||
|
||||
Use `--dry-activate` to show a diff of updated packages and all services that
|
||||
would be restarted by the update. This will also put all files in place without
|
||||
switching to the new generation, enabling a quick switch to the new config at a
|
||||
later moment.
|
||||
|
||||
For nachtigall.pub.solar:
|
||||
|
||||
```
|
||||
deploy --targets '.#nachtigall' --ssh-user <unix-username> --magic-rollback false --auto-rollback false --keep-result --result-path ./results --dry-activate
|
||||
```
|
||||
|
||||
After reviewing the changes, apply the update with:
|
||||
|
||||
```
|
||||
deploy --targets '.#nachtigall' --ssh-user <unix-username> --magic-rollback false --auto-rollback false --keep-result --result-path ./results
|
||||
deploy --targets '.#nachtigall' --magic-rollback false --auto-rollback false --keep-result --result-path ./results
|
||||
```
|
||||
|
||||
For metronom.pub.solar (aarch64-linux):
|
||||
|
||||
```
|
||||
deploy --targets '.#metronom' --ssh-user <unix-username> --magic-rollback false --auto-rollback false --keep-result --result-path ./results --remote-build
|
||||
deploy --targets '.#metronom' --magic-rollback false --auto-rollback false --keep-result --result-path ./results --remote-build
|
||||
```
|
||||
|
||||
Usually we skip all rollback functionality, but if you want to deploy a change
|
||||
|
@ -38,6 +25,9 @@ that might lock you out, e.g. to SSH, it might make sense to set these to `true`
|
|||
To skip flake checks, e.g. because you already ran them manually before
|
||||
deployment, add the flag `--skip-checks` at the end of the command.
|
||||
|
||||
`--dry-activate` can be used to only put all files in place without switching,
|
||||
to enable switching to the new config quickly at a later moment.
|
||||
|
||||
We use `--keep-result --result-path ./results` to keep the last `result`
|
||||
symlink of each `deploy` from being garbage collected. That way, we keep builds
|
||||
cached in the Nix store. This is optional and both flags can be removed if disk
|
||||
|
|
|
@ -8,7 +8,7 @@ Requirements:
|
|||
- [Setup WireGuard](./administrative-access.md#ssh-access) for hosts: `trinkgenossin`, optionally: `delite`, `blue-shell`
|
||||
|
||||
```
|
||||
ssh <unix-username>@trinkgenossin.wg.pub.solar
|
||||
ssh barkeeper@trinkgenossin.wg.pub.solar
|
||||
```
|
||||
|
||||
```
|
||||
|
@ -58,7 +58,7 @@ Further reading:
|
|||
### Notes on manual setup steps
|
||||
|
||||
```
|
||||
ssh <unix-username>@trinkgenossin.wg.pub.solar
|
||||
ssh barkeeper@trinkgenossin.wg.pub.solar
|
||||
|
||||
# Add a few spaces to avoid leaking the secret to the shell history
|
||||
export GARAGE_RPC_SECRET=<secret-in-keepass>
|
||||
|
|
|
@ -41,7 +41,3 @@ wrapped-ruby-mastodon-gems: 4.2.1 → 4.2.3
|
|||
zfs-kernel: 2.2.1-6.1.64 → 2.2.2-6.1.66
|
||||
zfs-user: 2.2.1 → 2.2.2
|
||||
```
|
||||
|
||||
### Deploying updates
|
||||
|
||||
See [deploying.md](./deploying.md).
|
||||
|
|
44
flake.lock
44
flake.lock
|
@ -94,11 +94,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1734343412,
|
||||
"narHash": "sha256-b7G8oFp0Nj01BYUJ6ENC9Qf/HsYAIZvN9k/p0Kg/PFU=",
|
||||
"lastModified": 1731895210,
|
||||
"narHash": "sha256-z76Q/OXLxO/RxMII3fIt/TG665DANiE2lVvnolK2lXk=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "a08bfe06b39e94eec98dd089a2c1b18af01fef19",
|
||||
"rev": "639d1520df9417ca2761536c3072688569e83c80",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -185,11 +185,11 @@
|
|||
"nixpkgs-lib": "nixpkgs-lib"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1733312601,
|
||||
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
|
||||
"lastModified": 1730504689,
|
||||
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
|
||||
"owner": "hercules-ci",
|
||||
"repo": "flake-parts",
|
||||
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
|
||||
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -298,11 +298,11 @@
|
|||
"flake": false,
|
||||
"locked": {
|
||||
"dir": "web",
|
||||
"lastModified": 1733177811,
|
||||
"narHash": "sha256-1n7bPSCRw7keTCIu4tJGnUlkoId6H1+dPsTPzKo3Rrk=",
|
||||
"lastModified": 1718796561,
|
||||
"narHash": "sha256-RKAAHve17lrJokgAPkM2k/E+f9djencwwg3Xcd70Yfw=",
|
||||
"owner": "maunium",
|
||||
"repo": "stickerpicker",
|
||||
"rev": "89d3aece041c85ebe5a1ad4e620388af5227cbb0",
|
||||
"rev": "333567f481e60443360aa7199d481e1a45b3a523",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -320,11 +320,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1733570843,
|
||||
"narHash": "sha256-sQJAxY1TYWD1UyibN/FnN97paTFuwBw3Vp3DNCyKsMk=",
|
||||
"lastModified": 1732016537,
|
||||
"narHash": "sha256-XwXUK+meYnlhdQz2TVE4Wv+tsx1CkdGbDPt1tRzCNH4=",
|
||||
"owner": "lnl7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "a35b08d09efda83625bef267eb24347b446c80b8",
|
||||
"rev": "61cee20168a3ebb71a9efd70a55adebaadfbe4d4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -336,11 +336,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1734202038,
|
||||
"narHash": "sha256-LwcGIkORU8zfQ/8jAgptgPY8Zf9lGKB0vtNdQyEkaN8=",
|
||||
"lastModified": 1731797254,
|
||||
"narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "bcba2fbf6963bf6bed3a749f9f4cf5bff4adb96d",
|
||||
"rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -352,14 +352,14 @@
|
|||
},
|
||||
"nixpkgs-lib": {
|
||||
"locked": {
|
||||
"lastModified": 1733096140,
|
||||
"narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=",
|
||||
"lastModified": 1730504152,
|
||||
"narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||
},
|
||||
"original": {
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
|
@ -484,11 +484,11 @@
|
|||
},
|
||||
"unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1734119587,
|
||||
"narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=",
|
||||
"lastModified": 1731676054,
|
||||
"narHash": "sha256-OZiZ3m8SCMfh3B6bfGC/Bm4x3qc1m2SVEAlkV6iY7Yg=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "3566ab7246670a43abd2ffa913cc62dad9cdf7d5",
|
||||
"rev": "5e4fbfb6b3de1aa2872b76d49fafc942626e2add",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
79
flake.nix
79
flake.nix
|
@ -120,43 +120,56 @@
|
|||
devShells.ci = pkgs.mkShell { buildInputs = with pkgs; [ nodejs ]; };
|
||||
};
|
||||
|
||||
flake = {
|
||||
nixosModules = builtins.listToAttrs (
|
||||
map (x: {
|
||||
name = x;
|
||||
value = import (./modules + "/${x}");
|
||||
}) (builtins.attrNames (builtins.readDir ./modules))
|
||||
);
|
||||
flake =
|
||||
let
|
||||
username = "barkeeper";
|
||||
in
|
||||
{
|
||||
inherit username;
|
||||
|
||||
checks = builtins.mapAttrs (
|
||||
system: deployLib: deployLib.deployChecks self.deploy
|
||||
) inputs.deploy-rs.lib;
|
||||
nixosModules = builtins.listToAttrs (
|
||||
map (x: {
|
||||
name = x;
|
||||
value = import (./modules + "/${x}");
|
||||
}) (builtins.attrNames (builtins.readDir ./modules))
|
||||
);
|
||||
|
||||
formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style;
|
||||
checks = builtins.mapAttrs (
|
||||
system: deployLib: deployLib.deployChecks self.deploy
|
||||
) inputs.deploy-rs.lib;
|
||||
|
||||
deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
|
||||
nachtigall = {
|
||||
hostname = "nachtigall.wg.pub.solar";
|
||||
};
|
||||
metronom = {
|
||||
hostname = "metronom.wg.pub.solar";
|
||||
};
|
||||
tankstelle = {
|
||||
hostname = "tankstelle.wg.pub.solar";
|
||||
};
|
||||
underground = {
|
||||
hostname = "80.244.242.3";
|
||||
};
|
||||
trinkgenossin = {
|
||||
hostname = "trinkgenossin.wg.pub.solar";
|
||||
};
|
||||
delite = {
|
||||
hostname = "delite.wg.pub.solar";
|
||||
};
|
||||
blue-shell = {
|
||||
hostname = "blue-shell.wg.pub.solar";
|
||||
formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style;
|
||||
|
||||
deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
|
||||
nachtigall = {
|
||||
hostname = "nachtigall.wg.pub.solar";
|
||||
sshUser = username;
|
||||
};
|
||||
metronom = {
|
||||
hostname = "metronom.wg.pub.solar";
|
||||
sshUser = username;
|
||||
};
|
||||
tankstelle = {
|
||||
hostname = "tankstelle.wg.pub.solar";
|
||||
sshUser = username;
|
||||
};
|
||||
underground = {
|
||||
hostname = "80.244.242.3";
|
||||
sshUser = username;
|
||||
};
|
||||
trinkgenossin = {
|
||||
hostname = "trinkgenossin.wg.pub.solar";
|
||||
sshUser = username;
|
||||
};
|
||||
delite = {
|
||||
hostname = "delite.wg.pub.solar";
|
||||
sshUser = username;
|
||||
};
|
||||
blue-shell = {
|
||||
hostname = "blue-shell.wg.pub.solar";
|
||||
sshUser = username;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -22,7 +22,7 @@ in
|
|||
"${wireguardIPv6}/96"
|
||||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.wireguardDevices ++ [
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
{
|
||||
# trinkgenossin.pub.solar
|
||||
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
|
||||
|
|
|
@ -22,7 +22,7 @@ in
|
|||
"${wireguardIPv6}/96"
|
||||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.wireguardDevices ++ [
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
{
|
||||
# trinkgenossin.pub.solar
|
||||
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
"fd00:fae:fae:fae:fae:3::/96"
|
||||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.wireguardDevices ++ [
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
{
|
||||
# nachtigall.pub.solar
|
||||
endpoint = "138.201.80.102:51820";
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
"fd00:fae:fae:fae:fae:1::/96"
|
||||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.wireguardDevices ++ [
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
{
|
||||
# tankstelle.pub.solar
|
||||
endpoint = "80.244.242.5:51820";
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
"fd00:fae:fae:fae:fae:4::/96"
|
||||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.wireguardDevices ++ [
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
{
|
||||
# nachtigall.pub.solar
|
||||
endpoint = "138.201.80.102:51820";
|
||||
|
|
|
@ -22,7 +22,7 @@ in
|
|||
"${wireguardIPv6}/96"
|
||||
];
|
||||
privateKeyFile = config.age.secrets.wg-private-key.path;
|
||||
peers = flake.self.logins.wireguardDevices ++ [
|
||||
peers = flake.self.logins.admins.wireguardDevices ++ [
|
||||
{
|
||||
# nachtigall.pub.solar
|
||||
endpoint = "138.201.80.102:51820";
|
||||
|
|
|
@ -38,14 +38,6 @@
|
|||
"fd00:fae:fae:fae:fae:200::/96"
|
||||
];
|
||||
}
|
||||
{
|
||||
# chocolatebar
|
||||
publicKey = "AS9w0zDUFLcH6IiF6T1vsyZPWPJ3p5fKsjIsM2AoZz8=";
|
||||
allowedIPs = [
|
||||
"10.7.6.205/32"
|
||||
"fd00:fae:fae:fae:fae:205::/96"
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
|
|
|
@ -6,16 +6,19 @@ in
|
|||
{
|
||||
flake = {
|
||||
logins = {
|
||||
admins = admins;
|
||||
wireguardDevices = lib.lists.foldl (
|
||||
wireguardDevices: adminConfig:
|
||||
wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ])
|
||||
) [ ] (lib.attrsets.attrValues admins);
|
||||
sshPubKeys = lib.lists.foldl (
|
||||
sshPubKeys: adminConfig:
|
||||
sshPubKeys
|
||||
++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ])
|
||||
) [ ] (lib.attrsets.attrValues admins);
|
||||
admins =
|
||||
lib.lists.foldl
|
||||
(logins: adminConfig: {
|
||||
sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
|
||||
wireguardDevices =
|
||||
logins.wireguardDevices
|
||||
++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
|
||||
})
|
||||
{
|
||||
sshPubKeys = [ ];
|
||||
wireguardDevices = [ ];
|
||||
}
|
||||
(lib.attrsets.attrValues admins);
|
||||
robots.sshPubKeys = lib.attrsets.attrValues robots;
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
{
|
||||
# Used for restic backups to droppie, a server run by @b12f
|
||||
"root@droppie" =
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie";
|
||||
"root@droppie" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie";
|
||||
|
||||
"hakkonaut" =
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut";
|
||||
"hakkonaut" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut";
|
||||
}
|
||||
|
|
|
@ -283,10 +283,8 @@ in
|
|||
|
||||
# Used for pub-solar-os.backups.repos.storagebox
|
||||
programs.ssh.knownHosts = {
|
||||
"u377325.your-storagebox.de".publicKey =
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
|
||||
"[u377325.your-storagebox.de]:23".publicKey =
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
|
||||
"u377325.your-storagebox.de".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
|
||||
"[u377325.your-storagebox.de]:23".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -54,5 +54,9 @@
|
|||
};
|
||||
|
||||
time.timeZone = "Etc/UTC";
|
||||
|
||||
home-manager.users.${config.pub-solar-os.authentication.username} = {
|
||||
home.stateVersion = "23.05";
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,33 +1,19 @@
|
|||
{ flake, lib, ... }:
|
||||
{ flake, config, ... }:
|
||||
{
|
||||
home-manager.users = (
|
||||
lib.attrsets.foldlAttrs (
|
||||
acc: name: value:
|
||||
acc
|
||||
// {
|
||||
${name} = {
|
||||
programs.git.enable = true;
|
||||
programs.starship.enable = true;
|
||||
programs.bash = {
|
||||
enable = true;
|
||||
historyControl = [
|
||||
"ignoredups"
|
||||
"ignorespace"
|
||||
];
|
||||
};
|
||||
programs.neovim = {
|
||||
enable = true;
|
||||
vimAlias = true;
|
||||
viAlias = true;
|
||||
defaultEditor = true;
|
||||
# configure = {
|
||||
# packages.myVimPackages = with pkgs.vimPlugins; {
|
||||
# start = [vim-nix vim-surrund rainbow];
|
||||
# };
|
||||
# };
|
||||
};
|
||||
};
|
||||
}
|
||||
) { } flake.self.logins.admins
|
||||
);
|
||||
home-manager.users.${config.pub-solar-os.authentication.username} = {
|
||||
programs.git.enable = true;
|
||||
programs.starship.enable = true;
|
||||
programs.bash.enable = true;
|
||||
programs.neovim = {
|
||||
enable = true;
|
||||
vimAlias = true;
|
||||
viAlias = true;
|
||||
defaultEditor = true;
|
||||
# configure = {
|
||||
# packages.myVimPackages = with pkgs.vimPlugins; {
|
||||
# start = [vim-nix vim-surrund rainbow];
|
||||
# };
|
||||
# };
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -11,6 +11,18 @@
|
|||
inherit (lib) mkOption types;
|
||||
in
|
||||
{
|
||||
username = mkOption {
|
||||
description = "Username for the adminstrative user";
|
||||
type = types.str;
|
||||
default = flake.self.username;
|
||||
};
|
||||
|
||||
sshPubKeys = mkOption {
|
||||
description = "SSH Keys that should have administrative root access";
|
||||
type = types.listOf types.str;
|
||||
default = flake.self.logins.admins.sshPubKeys;
|
||||
};
|
||||
|
||||
root.initialHashedPassword = mkOption {
|
||||
description = "Hashed password of the root account";
|
||||
type = types.str;
|
||||
|
@ -31,60 +43,36 @@
|
|||
};
|
||||
|
||||
config = {
|
||||
users.users =
|
||||
(lib.attrsets.foldlAttrs (
|
||||
acc: name: value:
|
||||
acc
|
||||
// {
|
||||
${name} = {
|
||||
name = name;
|
||||
group = name;
|
||||
extraGroups = [
|
||||
"wheel"
|
||||
"docker"
|
||||
];
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys;
|
||||
};
|
||||
}
|
||||
) { } flake.self.logins.admins)
|
||||
// {
|
||||
# TODO: Remove when we stop locking ourselves out.
|
||||
root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;
|
||||
root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
|
||||
users.users.${config.pub-solar-os.authentication.username} = {
|
||||
name = config.pub-solar-os.authentication.username;
|
||||
group = config.pub-solar-os.authentication.username;
|
||||
extraGroups = [
|
||||
"wheel"
|
||||
"docker"
|
||||
];
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
|
||||
};
|
||||
users.groups.${config.pub-solar-os.authentication.username} = { };
|
||||
|
||||
${config.pub-solar-os.authentication.robot.username} = {
|
||||
description = "CI and automation user";
|
||||
home = "/home/${config.pub-solar-os.authentication.robot.username}";
|
||||
createHome = true;
|
||||
useDefaultShell = true;
|
||||
uid = 998;
|
||||
group = "${config.pub-solar-os.authentication.robot.username}";
|
||||
isSystemUser = true;
|
||||
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
|
||||
};
|
||||
};
|
||||
# TODO: Remove when we stop locking ourselves out.
|
||||
users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
|
||||
|
||||
home-manager.users = (
|
||||
lib.attrsets.foldlAttrs (
|
||||
acc: name: value:
|
||||
acc
|
||||
// {
|
||||
${name} = {
|
||||
home.stateVersion = "23.05";
|
||||
};
|
||||
}
|
||||
) { } flake.self.logins.admins
|
||||
);
|
||||
users.users.${config.pub-solar-os.authentication.robot.username} = {
|
||||
description = "CI and automation user";
|
||||
home = "/home/${config.pub-solar-os.authentication.robot.username}";
|
||||
createHome = true;
|
||||
useDefaultShell = true;
|
||||
uid = 998;
|
||||
group = "${config.pub-solar-os.authentication.robot.username}";
|
||||
isSystemUser = true;
|
||||
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
|
||||
};
|
||||
|
||||
users.groups =
|
||||
(lib.attrsets.foldlAttrs (
|
||||
acc: name: value:
|
||||
acc // { "${name}" = { }; }
|
||||
) { } flake.self.logins.admins)
|
||||
// {
|
||||
${config.pub-solar-os.authentication.robot.username} = { };
|
||||
};
|
||||
users.groups.${config.pub-solar-os.authentication.robot.username} = { };
|
||||
|
||||
users.users.root.initialHashedPassword =
|
||||
config.pub-solar-os.authentication.root.initialHashedPassword;
|
||||
|
||||
security.sudo.wheelNeedsPassword = false;
|
||||
};
|
||||
|
|
|
@ -43,8 +43,7 @@
|
|||
services.nginx.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass =
|
||||
"http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
|
||||
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
|
||||
};
|
||||
|
||||
services.grafana = {
|
||||
|
|
|
@ -124,17 +124,6 @@ in
|
|||
enable_room_list_search = true;
|
||||
encryption_enabled_by_default_for_room_type = "off";
|
||||
event_cache_size = "100K";
|
||||
|
||||
# https://github.com/element-hq/synapse/issues/11203
|
||||
# No YAML deep-merge, so this needs to be in secret extraConfigFiles
|
||||
# together with msc3861
|
||||
#experimental_features = {
|
||||
# # Room summary API
|
||||
# msc3266_enabled = true;
|
||||
# # Rendezvous server for QR Code generation
|
||||
# msc4108_enabled = true;
|
||||
#};
|
||||
|
||||
federation_rr_transactions_per_room_per_second = 50;
|
||||
federation_client_minimum_tls_version = "1.2";
|
||||
forget_rooms_on_leave = true;
|
||||
|
@ -275,6 +264,19 @@ in
|
|||
user_ips_max_age = "28d";
|
||||
|
||||
app_service_config_files = config.pub-solar-os.matrix.synapse.app-service-config-files;
|
||||
|
||||
modules = [
|
||||
{
|
||||
module = "matrix_http_rendezvous_synapse.SynapseRendezvousModule";
|
||||
config = {
|
||||
prefix = "/_synapse/client/org.matrix.msc3886/rendezvous";
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
experimental_features = {
|
||||
msc3886_endpoint = "/_synapse/client/org.matrix.msc3886/rendezvous";
|
||||
};
|
||||
};
|
||||
|
||||
withJemalloc = true;
|
||||
|
@ -286,9 +288,14 @@ in
|
|||
"redis"
|
||||
];
|
||||
|
||||
plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ];
|
||||
plugins = with config.services.matrix-synapse.package.plugins; [
|
||||
matrix-synapse-shared-secret-auth
|
||||
matrix-http-rendezvous-synapse
|
||||
];
|
||||
};
|
||||
|
||||
systemd.services.matrix-synapse.environment.SYNAPSE_ASYNC_IO_REACTOR = "1";
|
||||
|
||||
services.matrix-authentication-service = {
|
||||
enable = true;
|
||||
createDatabase = true;
|
||||
|
|
|
@ -24,6 +24,14 @@ let
|
|||
secure_backup_required = false;
|
||||
secure_backup_setup_methods = [ ];
|
||||
};
|
||||
"m.integrations" = {
|
||||
managers = [
|
||||
{
|
||||
api_url = "https://dimension.${domain}/api/v1/scalar";
|
||||
ui_url = "https://dimension.${domain}/element";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
wellKnownServer = domain: { "m.server" = "matrix.${domain}:8448"; };
|
||||
wellKnownSupport = {
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
|
||||
# Please create this manually the first time.
|
||||
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
|
||||
authorizedKeys = flake.self.logins.sshPubKeys;
|
||||
authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
|
||||
};
|
||||
postCommands = ''
|
||||
# Automatically ask for the password on SSH login
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
|
||||
# Please create this manually the first time.
|
||||
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
|
||||
authorizedKeys = flake.self.logins.sshPubKeys;
|
||||
authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
|
||||
};
|
||||
# this will automatically load the zfs password prompt on login
|
||||
# and kill the other prompt so boot can continue
|
||||
|
|
Binary file not shown.
Binary file not shown.
|
@ -66,7 +66,7 @@ in
|
|||
testScript =
|
||||
{ nodes, ... }:
|
||||
let
|
||||
user = nodes.client.users.users.b12f;
|
||||
user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username};
|
||||
#uid = toString user.uid;
|
||||
bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
|
||||
gdbus = "${bus} gdbus";
|
||||
|
@ -81,8 +81,6 @@ in
|
|||
nachtigall.succeed("ping 127.0.0.1 -c 2")
|
||||
nachtigall.wait_for_unit("nginx.service")
|
||||
nachtigall.wait_for_unit("keycloak.service")
|
||||
nachtigall.wait_for_open_port(8080)
|
||||
nachtigall.wait_for_open_port(443)
|
||||
nachtigall.wait_until_succeeds("curl http://127.0.0.1:8080/")
|
||||
nachtigall.wait_until_succeeds("curl https://auth.test.pub.solar/")
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
services.xserver.displayManager.gdm.enable = true;
|
||||
services.xserver.desktopManager.gnome.enable = true;
|
||||
services.xserver.displayManager.autoLogin.enable = true;
|
||||
services.xserver.displayManager.autoLogin.user = "b12f";
|
||||
services.xserver.displayManager.autoLogin.user = config.pub-solar-os.authentication.username;
|
||||
|
||||
systemd.user.services = {
|
||||
"org.gnome.Shell@wayland" = {
|
||||
|
|
|
@ -48,14 +48,12 @@
|
|||
acme_server.wait_for_unit("system.slice")
|
||||
acme_server.wait_for_unit("step-ca.service")
|
||||
acme_server.succeed("ping ca.test.pub.solar -c 2")
|
||||
acme_server.wait_for_open_port(443)
|
||||
acme_server.wait_until_succeeds("curl 127.0.0.1:443")
|
||||
|
||||
nachtigall.wait_for_unit("system.slice")
|
||||
nachtigall.succeed("ping test.pub.solar -c 2")
|
||||
nachtigall.succeed("ping ca.test.pub.solar -c 2")
|
||||
nachtigall.wait_for_unit("nginx.service")
|
||||
nachtigall.wait_for_open_port(443)
|
||||
nachtigall.wait_until_succeeds("curl https://test.pub.solar/")
|
||||
'';
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue