


a59e57c532
style: format using nixfmt-rfc-style
2024-11-20 15:49:31 +01:00
56f987e424
matrix: Enable rendezvous server
This will allow sign-in and device verification using QR codes
2024-11-20 17:15:41 +05:30
49 changed files with 571 additions and 717 deletions


@ -18,7 +18,20 @@ jobs:
# Prevent cache garbage collection by creating GC roots # Prevent cache garbage collection by creating GC roots
mkdir -p /var/lib/gitea-runner/tankstelle/.local/state/nix/results mkdir -p /var/lib/gitea-runner/tankstelle/.local/state/nix/results
sed -i 's/virtualisation.cores .*/virtualisation.cores = 16;/' tests/keycloak.nix for target in $(nix flake show --json --all-systems | jq --raw-output '
sed -i 's/virtualisation.memorySize .*/virtualisation.memorySize = 16384;/' tests/keycloak.nix .["nixosConfigurations"] |
# 1 eval-worker needs about 13GB of memory to_entries[] |
nix --accept-flake-config --access-tokens '' develop --command nix-fast-build --no-nom --skip-cached --systems "x86_64-linux" --max-jobs 10 --eval-workers 2 --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/nix-fast-build .key'
); do
nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
build --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/"$target" ".#nixosConfigurations.${target}.config.system.build.toplevel"
done
for check in $(nix flake show --json --all-systems | jq --raw-output '
.checks."x86_64-linux" |
to_entries[] |
.key'
); do
nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
build --out-link /var/lib/gitea-runner/tankstelle/.local/state/nix/results/"$check" ".#checks.x86_64-linux.${check}"
done
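Review bot: A failure of the `nix flake show --json | jq …` substitution on lines 26–29 and 34–37 is not fatal: the `for` list simply becomes empty, the loop body runs zero times and the step exits 0, so the check can go green without having built a single configuration or test (bash does not abort on a failed command substitution in a `for` word list even under `set -e`). Collect the list first and fail on an empty result, e.g. `targets=$(nix flake show --json --all-systems | jq --raw-output '.nixosConfigurations | to_entries[] | .key')` followed by `[ -n "$targets" ] || { echo "no nixosConfigurations found" >&2; exit 1; }`, and the same for `checks`. Separately, this step runs on `pull_request` with `--accept-flake-config`, which lets the flake under test supply its own `nixConfig` (extra substituters, trusted public keys); if the runner accepts PRs from forks, confirm that is intended for this trust boundary.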


@ -28,18 +28,18 @@ People with admin access to the infrastructure are added to [`logins/admins.nix`
SSH is not reachable from the open internet. Instead, SSH Port 22 is protected by a wireguard VPN network. Thus, to get root access on the servers, at least two pieces of information have to be added to the admins config: SSH is not reachable from the open internet. Instead, SSH Port 22 is protected by a wireguard VPN network. Thus, to get root access on the servers, at least two pieces of information have to be added to the admins config:
1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`. 1. **SSH Public key**: self-explanatory. Add your public key to your user attrset under `sshPubKeys`.
2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network uses the subnets `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair). 2. **Wireguard device**: each wireguard device has two parts: the public key and the IP addresses it should have in the wireguard network. The pub.solar wireguard network is spaced under `10.7.6.0/24` and `fd00:fae:fae:fae:fae::/80`. To add your device, it's best to choose a free number between 200 and 255 and use that in both the ipv4 and ipv6 ranges: `10.7.6.<ip-address>/32` `fd00:fae:fae:fae:fae:<ip-address>::/96`. For more information on how to generate keypairs, see [the NixOS Wireguard docs](https://nixos.wiki/wiki/WireGuard#Generate_keypair).
One can access our hosts using this domain scheme: One can access our hosts using this domain scheme:
``` ```
ssh <unix-username>@<hostname>.wg.pub.solar ssh barkeeper@<hostname>.wg.pub.solar
``` ```
So, for example for `nachtigall`: So, for example for `nachtigall`:
``` ```
ssh teutat3s@nachtigall.wg.pub.solar ssh barkeeper@nachtigall.wg.pub.solar
``` ```
Example NixOS snippet for WireGuard client config Example NixOS snippet for WireGuard client config


@ -34,13 +34,7 @@ Docs: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server
### Mastodon ### Mastodon
``` ```
mkdir /tmp/tootctl
sudo chown mastodon /tmp/tootctl
cd /tmp/tootctl
sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address> sudo -u mastodon mastodon-tootctl accounts delete --email <mail-address>
rm -r /tmp/tootctl
``` ```
Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete Docs: https://docs.joinmastodon.org/admin/tootctl/#accounts-delete


@ -7,29 +7,16 @@ be manually deployed.
To deploy, make sure you have a [working development shell](./development-shell.md). To deploy, make sure you have a [working development shell](./development-shell.md).
Then, run `deploy-rs` with the hostname of the server you want to deploy: Then, run `deploy-rs` with the hostname of the server you want to deploy:
### Dry-run
Use `--dry-activate` to show a diff of updated packages and all services that
would be restarted by the update. This will also put all files in place without
switching to the new generation, enabling a quick switch to the new config at a
later moment.
For nachtigall.pub.solar: For nachtigall.pub.solar:
``` ```
deploy --targets '.#nachtigall' --ssh-user <unix-username> --magic-rollback false --auto-rollback false --keep-result --result-path ./results --dry-activate deploy --targets '.#nachtigall' --magic-rollback false --auto-rollback false --keep-result --result-path ./results
```
After reviewing the changes, apply the update with:
```
deploy --targets '.#nachtigall' --ssh-user <unix-username> --magic-rollback false --auto-rollback false --keep-result --result-path ./results
``` ```
For metronom.pub.solar (aarch64-linux): For metronom.pub.solar (aarch64-linux):
``` ```
deploy --targets '.#metronom' --ssh-user <unix-username> --magic-rollback false --auto-rollback false --keep-result --result-path ./results --remote-build deploy --targets '.#metronom' --magic-rollback false --auto-rollback false --keep-result --result-path ./results --remote-build
``` ```
Usually we skip all rollback functionality, but if you want to deploy a change Usually we skip all rollback functionality, but if you want to deploy a change
@ -38,6 +25,9 @@ that might lock you out, e.g. to SSH, it might make sense to set these to `true`
To skip flake checks, e.g. because you already ran them manually before To skip flake checks, e.g. because you already ran them manually before
deployment, add the flag `--skip-checks` at the end of the command. deployment, add the flag `--skip-checks` at the end of the command.
`--dry-activate` can be used to only put all files in place without switching,
to enable switching to the new config quickly at a later moment.
We use `--keep-result --result-path ./results` to keep the last `result` We use `--keep-result --result-path ./results` to keep the last `result`
symlink of each `deploy` from being garbage collected. That way, we keep builds symlink of each `deploy` from being garbage collected. That way, we keep builds
cached in the Nix store. This is optional and both flags can be removed if disk cached in the Nix store. This is optional and both flags can be removed if disk


@ -8,7 +8,7 @@ Requirements:
- [Setup WireGuard](./administrative-access.md#ssh-access) for hosts: `trinkgenossin`, optionally: `delite`, `blue-shell` - [Setup WireGuard](./administrative-access.md#ssh-access) for hosts: `trinkgenossin`, optionally: `delite`, `blue-shell`
``` ```
ssh <unix-username>@trinkgenossin.wg.pub.solar ssh barkeeper@trinkgenossin.wg.pub.solar
``` ```
``` ```
@ -58,7 +58,7 @@ Further reading:
### Notes on manual setup steps ### Notes on manual setup steps
``` ```
ssh <unix-username>@trinkgenossin.wg.pub.solar ssh barkeeper@trinkgenossin.wg.pub.solar
# Add a few spaces to avoid leaking the secret to the shell history # Add a few spaces to avoid leaking the secret to the shell history
export GARAGE_RPC_SECRET=<secret-in-keepass> export GARAGE_RPC_SECRET=<secret-in-keepass>


@ -12,7 +12,7 @@ Run following after SSH'ing to `nachtigall`.
Credentials for the following command are in keepass. Create a keycloak Credentials for the following command are in keepass. Create a keycloak
config/credentials file at `/tmp/kcadm.config`: config/credentials file at `/tmp/kcadm.config`:
```bash ```
sudo --user keycloak kcadm.sh config credentials \ sudo --user keycloak kcadm.sh config credentials \
--config /tmp/kcadm.config \ --config /tmp/kcadm.config \
--server https://auth.pub.solar \ --server https://auth.pub.solar \
@ -22,7 +22,7 @@ sudo --user keycloak kcadm.sh config credentials \
Get list of accounts without a verified email address: Get list of accounts without a verified email address:
```bash ```
sudo --user keycloak kcadm.sh get \ sudo --user keycloak kcadm.sh get \
--config /tmp/kcadm.config \ --config /tmp/kcadm.config \
users \ users \
@ -35,7 +35,7 @@ Review list of accounts, especially check `createdTimestamp` if any accounts
were created in the past 2 days. If so, delete those from the were created in the past 2 days. If so, delete those from the
`/tmp/keycloak-unverified-accounts` file. `/tmp/keycloak-unverified-accounts` file.
```bash ```
createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) ) createdTimestamps=( $( nix run nixpkgs#jq -- -r '.[].createdTimestamp' < /tmp/keycloak-unverified-accounts ) )
# timestamps are in nanoseconds since epoch, so we need to strip the last three digits # timestamps are in nanoseconds since epoch, so we need to strip the last three digits
@ -46,17 +46,17 @@ vim /tmp/keycloak-unverified-accounts
Check how many accounts are going to be deleted: Check how many accounts are going to be deleted:
```bash ```
jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l jq -r '.[].id' < /tmp/keycloak-unverified-accounts | wc -l
``` ```
```bash ```
jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids jq -r '.[].id' < /tmp/keycloak-unverified-accounts > /tmp/keycloak-unverified-account-ids
``` ```
Final check before deletion (dry-run): Final check before deletion (dry-run):
```bash ```
for id in $(cat /tmp/keycloak-unverified-account-ids) for id in $(cat /tmp/keycloak-unverified-account-ids)
do do
echo sudo --user keycloak kcadm.sh delete \ echo sudo --user keycloak kcadm.sh delete \
@ -68,7 +68,7 @@ for id in $(cat /tmp/keycloak-unverified-account-ids)
THIS WILL DELETE ACCOUNTS: THIS WILL DELETE ACCOUNTS:
```bash ```
for id in $(cat /tmp/keycloak-unverified-account-ids) for id in $(cat /tmp/keycloak-unverified-account-ids)
do do
sudo --user keycloak kcadm.sh delete \ sudo --user keycloak kcadm.sh delete \
@ -77,9 +77,3 @@ for id in $(cat /tmp/keycloak-unverified-account-ids)
--realm pub.solar --realm pub.solar
done done
``` ```
Delete the temp files:
```bash
sudo rm /tmp/kcadm.config /tmp/keycloak-unverified-accounts /tmp/keycloak-unverified-account-ids
```


@ -1,27 +0,0 @@
# Matrix account suspension
> Unlike [account locking](https://spec.matrix.org/v1.12/client-server-api/#account-locking),
> [suspension](https://github.com/matrix-org/matrix-spec-proposals/blob/main/proposals/3823-code-for-account-suspension.md)
> allows the user to have a (largely) readonly view of their account.
> Homeserver administrators and moderators may use this functionality to
> temporarily deactivate an account, or place conditions on the account's
> experience. Critically, like locking, account suspension is reversible, unlike
> the deactivation mechanism currently available in Matrix - a destructive,
> irreversible, action.
Required:
- `matrix-synapse admin token`
- [SSH access to host `nachtigall`](./administrative-access.md#ssh-access)
## Suspending an account
```bash
curl --header "Authorization: Bearer <admin-access-token>" --request PUT http://127.0.0.1:8008/_synapse/admin/v1/suspend/@<username>:pub.solar --data '{"suspend": true}'
```
## Unsuspending an account
```bash
curl --header "Authorization: Bearer <admin-access-token>" --request PUT http://127.0.0.1:8008/_synapse/admin/v1/suspend/@<username>:pub.solar --data '{"suspend": false}'
```


@ -41,7 +41,3 @@ wrapped-ruby-mastodon-gems: 4.2.1 → 4.2.3
zfs-kernel: 2.2.1-6.1.64 → 2.2.2-6.1.66 zfs-kernel: 2.2.1-6.1.64 → 2.2.2-6.1.66
zfs-user: 2.2.1 → 2.2.2 zfs-user: 2.2.1 → 2.2.2
``` ```
### Deploying updates
See [deploying.md](./deploying.md).

flake.lock generated

@ -14,11 +14,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1736955230, "lastModified": 1723293904,
"narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -94,11 +94,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1738765162, "lastModified": 1731895210,
"narHash": "sha256-3Z40qHaFScWUCVQrGc4Y+RdoPsh1R/wIh+AN4cTXP0I=", "narHash": "sha256-z76Q/OXLxO/RxMII3fIt/TG665DANiE2lVvnolK2lXk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "ff3568858c54bd306e9e1f2886f0f781df307dff", "rev": "639d1520df9417ca2761536c3072688569e83c80",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -185,11 +185,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1738453229, "lastModified": 1730504689,
"narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", "rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -236,16 +236,16 @@
}, },
"fork": { "fork": {
"locked": { "locked": {
"lastModified": 1738846146, "lastModified": 1729963002,
"narHash": "sha256-cIPiBEspPXQxju2AUZK9kjh6oqea+HkPFqmGv7yUztM=", "narHash": "sha256-2zrYfd/qdfExU5zVwvH80uJnKc/dMeK6zp3O1UtW2Mo=",
"owner": "teutat3s", "owner": "teutat3s",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e370f40b129e47b08562524ab4f053a172a94273", "rev": "005faaacbeede0296dec5c844f508027ab8a3ff6",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "teutat3s", "owner": "teutat3s",
"ref": "init-matrix-authentication-service-module-0.13.0", "ref": "init-matrix-authentication-service-module",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -257,16 +257,16 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1736373539, "lastModified": 1726989464,
"narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "bd65bc3cde04c16755955630b344bc9e35272c56", "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-24.11", "ref": "release-24.05",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
@ -280,11 +280,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1738012343, "lastModified": 1731518114,
"narHash": "sha256-agMgWwVxXII+RtCqok8ROjzpKJung/5N5f2BVDmMC5Q=", "narHash": "sha256-h9Wb3VjmXBZwTO3prRweUKwp2H9hZHCQKrkbU+2WPQs=",
"ref": "main", "ref": "main",
"rev": "4ffd7bc8ea032991756c5e8e8a37b039789045bc", "rev": "060ecccc5f8c92a0705ab91ff047811efd559468",
"revCount": 38, "revCount": 36,
"type": "git", "type": "git",
"url": "https://git.pub.solar/pub-solar/keycloak-theme" "url": "https://git.pub.solar/pub-solar/keycloak-theme"
}, },
@ -298,11 +298,11 @@
"flake": false, "flake": false,
"locked": { "locked": {
"dir": "web", "dir": "web",
"lastModified": 1733177811, "lastModified": 1718796561,
"narHash": "sha256-1n7bPSCRw7keTCIu4tJGnUlkoId6H1+dPsTPzKo3Rrk=", "narHash": "sha256-RKAAHve17lrJokgAPkM2k/E+f9djencwwg3Xcd70Yfw=",
"owner": "maunium", "owner": "maunium",
"repo": "stickerpicker", "repo": "stickerpicker",
"rev": "89d3aece041c85ebe5a1ad4e620388af5227cbb0", "rev": "333567f481e60443360aa7199d481e1a45b3a523",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -320,11 +320,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1739034224, "lastModified": 1732016537,
"narHash": "sha256-Mj/8jDzh1KNmUhWqEeVlW3hO9MZkxqioJGnmR7rivaE=", "narHash": "sha256-XwXUK+meYnlhdQz2TVE4Wv+tsx1CkdGbDPt1tRzCNH4=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "0b6f96a6b9efcfa8d3cc8023008bcbcd1b9bc1a4", "rev": "61cee20168a3ebb71a9efd70a55adebaadfbe4d4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -336,30 +336,30 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1739055578, "lastModified": 1731797254,
"narHash": "sha256-2MhC2Bgd06uI1A0vkdNUyDYsMD0SLNGKtD8600mZ69A=", "narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a45fa362d887f4d4a7157d95c28ca9ce2899b70e", "rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-24.11", "ref": "nixos-24.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1738452942, "lastModified": 1730504152,
"narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
} }
}, },
"root": { "root": {
@ -387,21 +387,22 @@
"nixpkgs": [ "nixpkgs": [
"unstable" "unstable"
], ],
"nixpkgs-24_11": [ "nixpkgs-24_05": [
"nixpkgs" "nixpkgs"
] ],
"utils": "utils_2"
}, },
"locked": { "locked": {
"lastModified": 1734884447, "lastModified": 1718084203,
"narHash": "sha256-HA9fAmGNGf0cOYrhgoa+B6BxNVqGAYXfLyx8zIS0ZBY=", "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"rev": "63209b1def2c9fc891ad271f474a3464a5833294", "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"ref": "nixos-24.11", "ref": "nixos-24.05",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"type": "gitlab" "type": "gitlab"
} }
@ -466,13 +467,28 @@
"type": "github" "type": "github"
} }
}, },
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"unstable": { "unstable": {
"locked": { "locked": {
"lastModified": 1739020877, "lastModified": 1731676054,
"narHash": "sha256-mIvECo/NNdJJ/bXjNqIh8yeoSjVLAuDuTUzAo7dzs8Y=", "narHash": "sha256-OZiZ3m8SCMfh3B6bfGC/Bm4x3qc1m2SVEAlkV6iY7Yg=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a79cfe0ebd24952b580b1cf08cd906354996d547", "rev": "5e4fbfb6b3de1aa2872b76d49fafc942626e2add",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -499,6 +515,24 @@
"repo": "flake-utils", "repo": "flake-utils",
"type": "github" "type": "github"
} }
},
"utils_2": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1709126324,
"narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "d465f4819400de7c8d874d50b982301f28a84605",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",


@ -1,14 +1,14 @@
{ {
inputs = { inputs = {
# Track channels with commits tested and built by hydra # Track channels with commits tested and built by hydra
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
unstable.url = "github:nixos/nixpkgs/nixos-unstable"; unstable.url = "github:nixos/nixpkgs/nixos-unstable";
fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module-0.13.0"; fork.url = "github:teutat3s/nixpkgs/init-matrix-authentication-service-module";
nix-darwin.url = "github:lnl7/nix-darwin/master"; nix-darwin.url = "github:lnl7/nix-darwin/master";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
home-manager.url = "github:nix-community/home-manager/release-24.11"; home-manager.url = "github:nix-community/home-manager/release-24.05";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
flake-parts.url = "github:hercules-ci/flake-parts"; flake-parts.url = "github:hercules-ci/flake-parts";
@ -37,8 +37,8 @@
element-stickers.inputs.maunium-stickerpicker.follows = "maunium-stickerpicker"; element-stickers.inputs.maunium-stickerpicker.follows = "maunium-stickerpicker";
element-stickers.inputs.nixpkgs.follows = "nixpkgs"; element-stickers.inputs.nixpkgs.follows = "nixpkgs";
simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.11"; simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
simple-nixos-mailserver.inputs.nixpkgs-24_11.follows = "nixpkgs"; simple-nixos-mailserver.inputs.nixpkgs-24_05.follows = "nixpkgs";
simple-nixos-mailserver.inputs.nixpkgs.follows = "unstable"; simple-nixos-mailserver.inputs.nixpkgs.follows = "unstable";
}; };
@ -73,28 +73,11 @@
overlays = [ inputs.agenix.overlays.default ]; overlays = [ inputs.agenix.overlays.default ];
}; };
unstable = import inputs.unstable { inherit system; }; unstable = import inputs.unstable { inherit system; };
master = import inputs.master { inherit system; };
}; };
checks = checks =
let let
machinesPerSystem = {
aarch64-linux = [
"metronom"
];
x86_64-linux = [
"blue-shell"
"delite"
"nachtigall"
"tankstelle"
"trinkgenossin"
"underground"
];
};
nixosMachines = inputs.nixpkgs.lib.mapAttrs' (n: inputs.nixpkgs.lib.nameValuePair "nixos-${n}") (
inputs.nixpkgs.lib.genAttrs (machinesPerSystem.${system} or [ ]) (
name: self.nixosConfigurations.${name}.config.system.build.toplevel
)
);
nixos-lib = import (inputs.nixpkgs + "/nixos/lib") { }; nixos-lib = import (inputs.nixpkgs + "/nixos/lib") { };
testDir = builtins.attrNames (builtins.readDir ./tests); testDir = builtins.attrNames (builtins.readDir ./tests);
testFiles = builtins.filter (n: builtins.match "^.*.nix$" n != null) testDir; testFiles = builtins.filter (n: builtins.match "^.*.nix$" n != null) testDir;
@ -111,13 +94,12 @@
} }
); );
}) testFiles }) testFiles
) );
// nixosMachines;
devShells.default = pkgs.mkShell { devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [ buildInputs = with pkgs; [
deploy-rs deploy-rs
nix-fast-build nixpkgs-fmt
agenix agenix
age-plugin-yubikey age-plugin-yubikey
cachix cachix
@ -126,9 +108,9 @@
nvfetcher nvfetcher
shellcheck shellcheck
shfmt shfmt
treefmt2 inputs.unstable.legacyPackages.${system}.treefmt2
nixos-generators nixos-generators
opentofu inputs.unstable.legacyPackages.${system}.opentofu
terraform-backend-git terraform-backend-git
terraform-ls terraform-ls
jq jq
@ -138,7 +120,13 @@
devShells.ci = pkgs.mkShell { buildInputs = with pkgs; [ nodejs ]; }; devShells.ci = pkgs.mkShell { buildInputs = with pkgs; [ nodejs ]; };
}; };
flake = { flake =
let
username = "barkeeper";
in
{
inherit username;
nixosModules = builtins.listToAttrs ( nixosModules = builtins.listToAttrs (
map (x: { map (x: {
name = x; name = x;
@ -150,29 +138,36 @@
system: deployLib: deployLib.deployChecks self.deploy system: deployLib: deployLib.deployChecks self.deploy
) inputs.deploy-rs.lib; ) inputs.deploy-rs.lib;
formatter."x86_64-linux" = inputs.nixpkgs.legacyPackages."x86_64-linux".nixfmt-rfc-style; formatter."x86_64-linux" = inputs.unstable.legacyPackages."x86_64-linux".nixfmt-rfc-style;
deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations { deploy.nodes = self.lib.deploy.mkDeployNodes self.nixosConfigurations {
nachtigall = { nachtigall = {
hostname = "nachtigall.wg.pub.solar"; hostname = "nachtigall.wg.pub.solar";
sshUser = username;
}; };
metronom = { metronom = {
hostname = "metronom.wg.pub.solar"; hostname = "metronom.wg.pub.solar";
sshUser = username;
}; };
tankstelle = { tankstelle = {
hostname = "tankstelle.wg.pub.solar"; hostname = "tankstelle.wg.pub.solar";
sshUser = username;
}; };
underground = { underground = {
hostname = "80.244.242.3"; hostname = "80.244.242.3";
sshUser = username;
}; };
trinkgenossin = { trinkgenossin = {
hostname = "trinkgenossin.wg.pub.solar"; hostname = "trinkgenossin.wg.pub.solar";
sshUser = username;
}; };
delite = { delite = {
hostname = "delite.wg.pub.solar"; hostname = "delite.wg.pub.solar";
sshUser = username;
}; };
blue-shell = { blue-shell = {
hostname = "blue-shell.wg.pub.solar"; hostname = "blue-shell.wg.pub.solar";
sshUser = username;
}; };
}; };
}; };
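Review bot: Every deploy node on lines 509–538 now sets `sshUser = username` with `username = "barkeeper"`, a single shared account for all admins, which removes per-person attribution from the hosts' SSH and sudo logs and means revoking one admin requires editing a shared `authorized_keys` set rather than removing one user. The `admins` attrset in `logins/admins.nix` is keyed per admin, so the per-user scheme the other side used (`ssh <unix-username>@host`, `--ssh-user` on the command line) is still available to this flake; if the shared account is deliberate, please record the reason in a comment next to `username = "barkeeper";` and make sure the hosts keep a per-admin audit trail some other way. Note also that `inherit username;` on line 501 publishes the value as a top-level flake output; if it is only needed for `deploy.nodes`, keep it in the `let`. If I read deploy-rs correctly, `--ssh-user` on the command line overrides `sshUser` per invocation, which would at least let admins keep using their own accounts; worth confirming and documenting.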


@ -22,7 +22,7 @@ in
"${wireguardIPv6}/96" "${wireguardIPv6}/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.wireguardDevices ++ [ peers = flake.self.logins.admins.wireguardDevices ++ [
{ {
# trinkgenossin.pub.solar # trinkgenossin.pub.solar
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4="; publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";


@ -22,7 +22,7 @@ in
"${wireguardIPv6}/96" "${wireguardIPv6}/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.wireguardDevices ++ [ peers = flake.self.logins.admins.wireguardDevices ++ [
{ {
# trinkgenossin.pub.solar # trinkgenossin.pub.solar
publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4="; publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4=";


@ -18,7 +18,7 @@
"fd00:fae:fae:fae:fae:3::/96" "fd00:fae:fae:fae:fae:3::/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.wireguardDevices ++ [ peers = flake.self.logins.admins.wireguardDevices ++ [
{ {
# nachtigall.pub.solar # nachtigall.pub.solar
endpoint = "138.201.80.102:51820"; endpoint = "138.201.80.102:51820";


@ -73,24 +73,22 @@
owner = "matrix-synapse"; owner = "matrix-synapse";
}; };
age.secrets."matrix-synapse-sliding-sync-secret" = {
file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age";
mode = "400";
owner = "matrix-synapse";
};
age.secrets."matrix-authentication-service-secret-config.yml" = { age.secrets."matrix-authentication-service-secret-config.yml" = {
file = "${flake.self}/secrets/matrix-authentication-service-secret-config.yml.age"; file = "${flake.self}/secrets/matrix-authentication-service-secret-config.yml.age";
mode = "400"; mode = "400";
owner = "matrix-authentication-service"; owner = "matrix-authentication-service";
}; };
# matrix-appservice-irc
age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = {
file = "${flake.self}/secrets/matrix-appservice-irc-mediaproxy-signing-key.jwk.age";
mode = "400";
owner = "matrix-appservice-irc";
};
pub-solar-os.matrix = { pub-solar-os.matrix = {
enable = true; enable = true;
appservice-irc.mediaproxy.signingKeyPath =
config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path;
synapse = { synapse = {
sliding-sync.enable = false;
signing_key_path = config.age.secrets."matrix-synapse-signing-key".path; signing_key_path = config.age.secrets."matrix-synapse-signing-key".path;
extra-config-files = [ extra-config-files = [
config.age.secrets."matrix-synapse-secret-config.yaml".path config.age.secrets."matrix-synapse-secret-config.yaml".path


@ -9,10 +9,12 @@
./networking.nix ./networking.nix
./wireguard.nix ./wireguard.nix
./backups.nix ./backups.nix
"${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix" "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
"${flake.inputs.unstable}/nixos/modules/services/web-apps/mastodon.nix"
]; ];
disabledModules = [ disabledModules = [
"services/matrix/matrix-authentication-service.nix " "services/matrix/matrix-authentication-service.nix "
"services/web-apps/mastodon.nix"
]; ];
} }
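Review bot: The new import on line 612 takes `services/web-apps/mastodon.nix` from `flake.inputs.unstable` while the host's `pkgs` still come from the 24.05 `nixpkgs` input, so unless `services.mastodon.package` (or an overlay) is pinned to the unstable package the module was written against, the module's options and the package it wraps can drift apart; please add a comment stating which package the module is expected to drive, e.g. `# module from unstable; keep services.mastodon.package on the matching unstable mastodon`. The path on line 611 contains a doubled separator (`services//matrix/`); it resolves the same but is easy to misread and should be `services/matrix/`. Unrelated to this change but in the same list, the `disabledModules` entry on line 615 carries a trailing space inside the string (`"…matrix-authentication-service.nix "`), which would make it match no module path and turn the disable into a no-op if the stable tree ever gains that module; confirm and drop the space.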


@ -18,7 +18,7 @@
"fd00:fae:fae:fae:fae:1::/96" "fd00:fae:fae:fae:fae:1::/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.wireguardDevices ++ [ peers = flake.self.logins.admins.wireguardDevices ++ [
{ {
# tankstelle.pub.solar # tankstelle.pub.solar
endpoint = "80.244.242.5:51820"; endpoint = "80.244.242.5:51820";


@ -10,9 +10,6 @@
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
# kernel same-page merging
hardware.ksm.enable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
system.stateVersion = "23.11"; system.stateVersion = "23.11";


@ -18,7 +18,7 @@
"fd00:fae:fae:fae:fae:4::/96" "fd00:fae:fae:fae:fae:4::/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.wireguardDevices ++ [ peers = flake.self.logins.admins.wireguardDevices ++ [
{ {
# nachtigall.pub.solar # nachtigall.pub.solar
endpoint = "138.201.80.102:51820"; endpoint = "138.201.80.102:51820";


@ -22,7 +22,7 @@ in
"${wireguardIPv6}/96" "${wireguardIPv6}/96"
]; ];
privateKeyFile = config.age.secrets.wg-private-key.path; privateKeyFile = config.age.secrets.wg-private-key.path;
peers = flake.self.logins.wireguardDevices ++ [ peers = flake.self.logins.admins.wireguardDevices ++ [
{ {
# nachtigall.pub.solar # nachtigall.pub.solar
endpoint = "138.201.80.102:51820"; endpoint = "138.201.80.102:51820";


@ -42,17 +42,8 @@
owner = "matrix-authentication-service"; owner = "matrix-authentication-service";
}; };
# matrix-appservice-irc
age.secrets."matrix-appservice-irc-mediaproxy-signing-key" = {
file = "${flake.self}/secrets/staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age";
mode = "400";
owner = "matrix-appservice-irc";
};
pub-solar-os.matrix = { pub-solar-os.matrix = {
enable = true; enable = true;
appservice-irc.mediaproxy.signingKeyPath =
config.age.secrets."matrix-appservice-irc-mediaproxy-signing-key".path;
synapse = { synapse = {
extra-config-files = [ extra-config-files = [
config.age.secrets."staging-matrix-synapse-secret-config.yaml".path config.age.secrets."staging-matrix-synapse-secret-config.yaml".path


@ -7,7 +7,7 @@
./configuration.nix ./configuration.nix
./networking.nix ./networking.nix
"${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix" "${flake.inputs.fork}/nixos/modules/services//matrix/matrix-authentication-service.nix"
]; ];
disabledModules = [ disabledModules = [
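Review bot: The new side of the `imports` entry has a doubled slash, `services//matrix/matrix-authentication-service.nix`. The path still resolves on Linux, but it reads as an accidental edit and differs from the single-slash spelling on the other side; suggest `"${flake.inputs.fork}/nixos/modules/services/matrix/matrix-authentication-service.nix"`.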


@ -38,22 +38,6 @@
"fd00:fae:fae:fae:fae:200::/96" "fd00:fae:fae:fae:fae:200::/96"
]; ];
} }
{
# chocolatebar
publicKey = "AS9w0zDUFLcH6IiF6T1vsyZPWPJ3p5fKsjIsM2AoZz8=";
allowedIPs = [
"10.7.6.205/32"
"fd00:fae:fae:fae:fae:205::/96"
];
}
{
# biolimo
publicKey = "gnLq6KikFVVGxLxPW+3ZnreokEKLDoso+cUepPOZsBA=";
allowedIPs = [
"10.7.6.206/32"
"fd00:fae:fae:fae:fae:206::/96"
];
}
]; ];
}; };


@ -6,16 +6,19 @@ in
{ {
flake = { flake = {
logins = { logins = {
admins = admins; admins =
wireguardDevices = lib.lists.foldl ( lib.lists.foldl
wireguardDevices: adminConfig: (logins: adminConfig: {
wireguardDevices ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]) sshPubKeys = logins.sshPubKeys ++ (lib.attrsets.attrValues adminConfig.sshPubKeys);
) [ ] (lib.attrsets.attrValues admins); wireguardDevices =
sshPubKeys = lib.lists.foldl ( logins.wireguardDevices
sshPubKeys: adminConfig: ++ (if adminConfig ? "wireguardDevices" then adminConfig.wireguardDevices else [ ]);
sshPubKeys })
++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ]) {
) [ ] (lib.attrsets.attrValues admins); sshPubKeys = [ ];
wireguardDevices = [ ];
}
(lib.attrsets.attrValues admins);
robots.sshPubKeys = lib.attrsets.attrValues robots; robots.sshPubKeys = lib.attrsets.attrValues robots;
}; };
}; };
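Review bot: In the new `lib.lists.foldl` accumulator, `adminConfig.sshPubKeys` is read unguarded while `wireguardDevices` is checked with `?`, so one admin entry without an `sshPubKeys` attribute aborts evaluation of every host that reads `flake.self.logins.admins`. Suggest `sshPubKeys = logins.sshPubKeys ++ (if adminConfig ? "sshPubKeys" then lib.attrsets.attrValues adminConfig.sshPubKeys else [ ]);`. A short comment above `admins =` saying the value is now the aggregated key/device list rather than the per-admin map would also help, since the name no longer matches the shape. The `let` binding that defines the inner `admins` starts outside the hunk.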


@ -1,8 +1,6 @@
{ {
# Used for restic backups to droppie, a server run by @b12f # Used for restic backups to droppie, a server run by @b12f
"root@droppie" = "root@droppie" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie";
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie";
"hakkonaut" = "hakkonaut" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut";
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut";
} }


@ -283,10 +283,8 @@ in
# Used for pub-solar-os.backups.repos.storagebox # Used for pub-solar-os.backups.repos.storagebox
programs.ssh.knownHosts = { programs.ssh.knownHosts = {
"u377325.your-storagebox.de".publicKey = "u377325.your-storagebox.de".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw=="; "[u377325.your-storagebox.de]:23".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
"[u377325.your-storagebox.de]:23".publicKey =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
}; };
}; };
} }


@ -54,5 +54,9 @@
}; };
time.timeZone = "Etc/UTC"; time.timeZone = "Etc/UTC";
home-manager.users.${config.pub-solar-os.authentication.username} = {
home.stateVersion = "23.05";
};
}; };
} }


@ -1,20 +1,9 @@
{ flake, lib, ... }: { flake, config, ... }:
{ {
home-manager.users = ( home-manager.users.${config.pub-solar-os.authentication.username} = {
lib.attrsets.foldlAttrs (
acc: name: value:
acc
// {
${name} = {
programs.git.enable = true; programs.git.enable = true;
programs.starship.enable = true; programs.starship.enable = true;
programs.bash = { programs.bash.enable = true;
enable = true;
historyControl = [
"ignoredups"
"ignorespace"
];
};
programs.neovim = { programs.neovim = {
enable = true; enable = true;
vimAlias = true; vimAlias = true;
@ -28,6 +17,3 @@
}; };
}; };
} }
) { } flake.self.logins.admins
);
}
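Review bot: The new `programs.bash.enable = true;` line drops the `historyControl = [ "ignoredups" "ignorespace" ];` setting that the other side keeps, and nothing in the hunk indicates the drop is intended. `ignorespace` is what lets an operator keep a command containing a token or password out of `~/.bash_history` by prefixing it with a space, so losing it on the shared admin account is a small but real regression. Suggest keeping `programs.bash = { enable = true; historyControl = [ "ignoredups" "ignorespace" ]; };`.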


@ -11,6 +11,18 @@
inherit (lib) mkOption types; inherit (lib) mkOption types;
in in
{ {
username = mkOption {
description = "Username for the adminstrative user";
type = types.str;
default = flake.self.username;
};
sshPubKeys = mkOption {
description = "SSH Keys that should have administrative root access";
type = types.listOf types.str;
default = flake.self.logins.admins.sshPubKeys;
};
root.initialHashedPassword = mkOption { root.initialHashedPassword = mkOption {
description = "Hashed password of the root account"; description = "Hashed password of the root account";
type = types.str; type = types.str;
@ -31,29 +43,22 @@
}; };
config = { config = {
users.users = users.users.${config.pub-solar-os.authentication.username} = {
(lib.attrsets.foldlAttrs ( name = config.pub-solar-os.authentication.username;
acc: name: value: group = config.pub-solar-os.authentication.username;
acc
// {
${name} = {
name = name;
group = name;
extraGroups = [ extraGroups = [
"wheel" "wheel"
"docker" "docker"
]; ];
isNormalUser = true; isNormalUser = true;
openssh.authorizedKeys.keys = lib.attrsets.attrValues value.sshPubKeys; openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
}; };
} users.groups.${config.pub-solar-os.authentication.username} = { };
) { } flake.self.logins.admins)
// {
# TODO: Remove when we stop locking ourselves out.
root.openssh.authorizedKeys.keys = flake.self.logins.sshPubKeys;
root.initialHashedPassword = config.pub-solar-os.authentication.root.initialHashedPassword;
${config.pub-solar-os.authentication.robot.username} = { # TODO: Remove when we stop locking ourselves out.
users.users.root.openssh.authorizedKeys.keys = config.pub-solar-os.authentication.sshPubKeys;
users.users.${config.pub-solar-os.authentication.robot.username} = {
description = "CI and automation user"; description = "CI and automation user";
home = "/home/${config.pub-solar-os.authentication.robot.username}"; home = "/home/${config.pub-solar-os.authentication.robot.username}";
createHome = true; createHome = true;
@ -63,28 +68,11 @@
isSystemUser = true; isSystemUser = true;
openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys; openssh.authorizedKeys.keys = config.pub-solar-os.authentication.robot.sshPubKeys;
}; };
};
home-manager.users = ( users.groups.${config.pub-solar-os.authentication.robot.username} = { };
lib.attrsets.foldlAttrs (
acc: name: value:
acc
// {
${name} = {
home.stateVersion = "23.05";
};
}
) { } flake.self.logins.admins
);
users.groups = users.users.root.initialHashedPassword =
(lib.attrsets.foldlAttrs ( config.pub-solar-os.authentication.root.initialHashedPassword;
acc: name: value:
acc // { "${name}" = { }; }
) { } flake.self.logins.admins)
// {
${config.pub-solar-os.authentication.robot.username} = { };
};
security.sudo.wheelNeedsPassword = false; security.sudo.wheelNeedsPassword = false;
}; };
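Review bot: The new side replaces the per-admin `users.users` entries with one shared account, `users.users.${config.pub-solar-os.authentication.username}`, whose `openssh.authorizedKeys.keys` is the whole `config.pub-solar-os.authentication.sshPubKeys` list. Every admin then logs in as the same Unix user, so sshd, sudo and journal entries no longer show which person acted, and that account sits in `wheel` with `security.sudo.wheelNeedsPassword = false` and in `docker`, both root-equivalent; if the trade-off is intended it deserves a comment next to the `username` option, otherwise the `foldlAttrs` form on the other side keeps attribution. The option description on the new side reads "Username for the adminstrative user" (typo: administrative), and the `TODO: Remove when we stop locking ourselves out.` comment now sits above `users.users.root.openssh.authorizedKeys.keys` being set to the same list as the admin account, which the comment should say explicitly. The `config = {` block continues past the hunk.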


@ -65,7 +65,6 @@
services.forgejo = { services.forgejo = {
enable = true; enable = true;
package = pkgs.forgejo;
user = "gitea"; user = "gitea";
group = "gitea"; group = "gitea";
database = { database = {
@ -76,7 +75,7 @@
}; };
stateDir = "/var/lib/forgejo"; stateDir = "/var/lib/forgejo";
lfs.enable = true; lfs.enable = true;
secrets.mailer.PASSWD = config.age.secrets.forgejo-mailer-password.path; mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
settings = { settings = {
DEFAULT.APP_NAME = "pub.solar git server"; DEFAULT.APP_NAME = "pub.solar git server";
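Review bot: `mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;` uses what I recall as the pre-rename spelling of this option; recent nixpkgs moved it to `secrets.mailer.PASSWD` (the form on the other side), so on a newer pin this line either trips the rename shim or fails evaluation — please confirm against the pinned nixpkgs. The hunk also drops `package = pkgs.forgejo;`, leaving the module default to pick the package; if that default is the LTS variant on your pin, the server silently changes release train and security-update cadence, so pinning the package explicitly is safer.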


@ -43,8 +43,7 @@
services.nginx.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = { services.nginx.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = locations."/".proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
"http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
}; };
services.grafana = { services.grafana = {


@ -50,8 +50,7 @@
hostname = "auth.${config.pub-solar-os.networking.domain}"; hostname = "auth.${config.pub-solar-os.networking.domain}";
http-host = "127.0.0.1"; http-host = "127.0.0.1";
http-port = 8080; http-port = 8080;
proxy-headers = "xforwarded"; proxy = "edge";
http-enabled = true;
}; };
themes = { themes = {
"pub.solar" = "pub.solar" =
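Review bot: `proxy = "edge";` is the older Keycloak proxy switch; recent Keycloak releases deprecated it in favour of `proxy-headers` plus `http-enabled`, which is exactly what the other side sets, so check the Keycloak version on the pinned nixpkgs before keeping this line. Security-wise both forms make Keycloak trust `X-Forwarded-*` headers, which is acceptable only because `http-host = "127.0.0.1"` keeps the HTTP listener off the network; a one-line comment such as `# trusts forwarded headers: only reachable through the local nginx` next to the proxy setting would record that assumption.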


@ -16,16 +16,6 @@ let
synapseClientPort = "${toString listenerWithClient.port}"; synapseClientPort = "${toString listenerWithClient.port}";
in in
{ {
options.pub-solar-os = {
matrix.appservice-irc.mediaproxy = {
signingKeyPath = lib.mkOption {
description = "Path to file containing the IRC appservice mediaproxy signing key";
type = lib.types.str;
default = "/var/lib/matrix-appservice-irc/media-signingkey.jwk";
};
};
};
config = {
services.matrix-appservice-irc = { services.matrix-appservice-irc = {
enable = true; enable = true;
localpart = "irc_bot"; localpart = "irc_bot";
@ -35,6 +25,7 @@ in
homeserver = { homeserver = {
domain = "${config.pub-solar-os.networking.domain}"; domain = "${config.pub-solar-os.networking.domain}";
url = "http://127.0.0.1:${synapseClientPort}"; url = "http://127.0.0.1:${synapseClientPort}";
media_url = "https://matrix.${config.pub-solar-os.networking.domain}";
enablePresence = false; enablePresence = false;
}; };
ircService = { ircService = {
@ -52,13 +43,6 @@ in
matrixHandler = { matrixHandler = {
eventCacheSize = 4096; eventCacheSize = 4096;
}; };
mediaProxy = {
signingKeyPath = config.pub-solar-os.matrix.appservice-irc.mediaproxy.signingKeyPath;
# keep media for 2 weeks
ttlSeconds = 1209600;
bindPort = 11111;
publicUrl = "https:///matrix.${config.pub-solar-os.networking.domain}/media";
};
metrics = { metrics = {
enabled = true; enabled = true;
remoteUserAgeBuckets = [ remoteUserAgeBuckets = [
@ -140,5 +124,4 @@ in
}; };
}; };
}; };
};
} }


@ -32,6 +32,11 @@ in
type = lib.types.str; type = lib.types.str;
default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key"; default = "${config.services.matrix-synapse.dataDir}/homeserver.signing.key";
}; };
sliding-sync.enable = lib.mkEnableOption {
description = "Whether to enable a sliding-sync proxy, no longer needed with synapse version 1.114+";
default = false;
};
}; };
matrix-authentication-service = { matrix-authentication-service = {
@ -119,17 +124,6 @@ in
enable_room_list_search = true; enable_room_list_search = true;
encryption_enabled_by_default_for_room_type = "off"; encryption_enabled_by_default_for_room_type = "off";
event_cache_size = "100K"; event_cache_size = "100K";
# https://github.com/element-hq/synapse/issues/11203
# No YAML deep-merge, so this needs to be in secret extraConfigFiles
# together with msc3861
#experimental_features = {
# # Room summary API
# msc3266_enabled = true;
# # Rendezvous server for QR Code generation
# msc4108_enabled = true;
#};
federation_rr_transactions_per_room_per_second = 50; federation_rr_transactions_per_room_per_second = 50;
federation_client_minimum_tls_version = "1.2"; federation_client_minimum_tls_version = "1.2";
forget_rooms_on_leave = true; forget_rooms_on_leave = true;
@ -270,6 +264,19 @@ in
user_ips_max_age = "28d"; user_ips_max_age = "28d";
app_service_config_files = config.pub-solar-os.matrix.synapse.app-service-config-files; app_service_config_files = config.pub-solar-os.matrix.synapse.app-service-config-files;
modules = [
{
module = "matrix_http_rendezvous_synapse.SynapseRendezvousModule";
config = {
prefix = "/_synapse/client/org.matrix.msc3886/rendezvous";
};
}
];
experimental_features = {
msc3886_endpoint = "/_synapse/client/org.matrix.msc3886/rendezvous";
};
}; };
withJemalloc = true; withJemalloc = true;
@ -281,9 +288,14 @@ in
"redis" "redis"
]; ];
plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ]; plugins = with config.services.matrix-synapse.package.plugins; [
matrix-synapse-shared-secret-auth
matrix-http-rendezvous-synapse
];
}; };
systemd.services.matrix-synapse.environment.SYNAPSE_ASYNC_IO_REACTOR = "1";
services.matrix-authentication-service = { services.matrix-authentication-service = {
enable = true; enable = true;
createDatabase = true; createDatabase = true;
@ -334,13 +346,24 @@ in
}; };
}; };
services.matrix-sliding-sync = {
enable = config.pub-solar-os.matrix.synapse.sliding-sync.enable;
settings = {
SYNCV3_SERVER = "https://${publicDomain}";
SYNCV3_BINDADDR = "127.0.0.1:8011";
# The bind addr for Prometheus metrics, which will be accessible at
# /metrics at this address
SYNCV3_PROM = "127.0.0.1:9100";
};
environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
};
pub-solar-os.backups.restic.matrix-synapse = { pub-solar-os.backups.restic.matrix-synapse = {
paths = [ paths = [
"/var/lib/matrix-synapse" "/var/lib/matrix-synapse"
"/var/lib/matrix-appservice-irc" "/var/lib/matrix-appservice-irc"
"/var/lib/mautrix-telegram" "/var/lib/mautrix-telegram"
"/tmp/matrix-synapse-backup.sql" "/tmp/matrix-synapse-backup.sql"
"/tmp/matrix-authentication-service-backup.sql"
]; ];
timerConfig = { timerConfig = {
OnCalendar = "*-*-* 05:00:00 Etc/UTC"; OnCalendar = "*-*-* 05:00:00 Etc/UTC";
@ -348,11 +371,9 @@ in
initialize = true; initialize = true;
backupPrepareCommand = '' backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix-authentication-service > /tmp/matrix-authentication-service-backup.sql
''; '';
backupCleanupCommand = '' backupCleanupCommand = ''
rm /tmp/matrix-synapse-backup.sql rm /tmp/matrix-synapse-backup.sql
rm /tmp/matrix-authentication-service-backup.sql
''; '';
pruneOpts = [ pruneOpts = [
"--keep-daily 7" "--keep-daily 7"
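Review bot: `sliding-sync.enable = lib.mkEnableOption { description = ...; default = false; };` passes an attrset where `mkEnableOption` expects the option's name as a string; it builds its own description by interpolating that argument, so evaluating the option's description fails with a coercion error and the `description`/`default` written here are never used. Use `lib.mkEnableOption "the sliding-sync proxy (no longer needed with synapse 1.114+)"` or a plain `lib.mkOption { type = lib.types.bool; default = false; description = "..."; }`. Separately, the new side enables `services.matrix-authentication-service` with `createDatabase = true`, but the restic `paths`, `backupPrepareCommand` and `backupCleanupCommand` only dump the `matrix` database, so the MAS database that now holds the login state is not backed up; the other side's extra `pg_dump -d matrix-authentication-service` line and the matching path cover this. The `/tmp` dump pattern also leaves the SQL file readable under the unit's default umask until cleanup; unless the backup wrapper already tightens it, a `umask 077` at the top of `backupPrepareCommand` would close that.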


@ -139,10 +139,6 @@ let
// https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration // https://www.mediawiki.org/wiki/Extension:PluggableAuth#Configuration
$wgPluggableAuth_EnableAutoLogin = false; $wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID'; $wgPluggableAuth_ButtonLabel = 'Login with pub.solar ID';
// Avoid getting logged out after 30 minutes
// https://www.mediawiki.org/wiki/Topic:W4be4h6t63vf3y8p
// https://www.mediawiki.org/wiki/Manual:$wgRememberMe
$wgRememberMe = 'always';
// https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak // https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Keycloak
$wgPluggableAuth_Config[] = [ $wgPluggableAuth_Config[] = [
@ -215,7 +211,7 @@ in
backend = "docker"; backend = "docker";
containers."mediawiki" = { containers."mediawiki" = {
image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.43.0"; image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.42.1";
user = "1000:${builtins.toString gid}"; user = "1000:${builtins.toString gid}";
autoStart = true; autoStart = true;
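Review bot: The new side pins `image = "git.pub.solar/pub-solar/mediawiki-oidc-docker:1.42.1";` while the other side is at `1.43.0`, so merging this as-is moves the wiki back to an older MediaWiki series that will not carry the later release's fixes; confirm the downgrade is intended rather than a stale branch base. Dropping `$wgRememberMe = 'always';` goes the other way (shorter sessions) and is fine on its own, but a comment recording why persistent login is not wanted would spare the next reader a trip through the MediaWiki thread the other side links.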


@ -2,7 +2,6 @@
config, config,
pkgs, pkgs,
flake, flake,
lib,
... ...
}: }:
{ {
@ -23,32 +22,12 @@
forceSSL = true; forceSSL = true;
}; };
services.nextcloud = services.nextcloud = {
let
exiftool_1270 = pkgs.perlPackages.buildPerlPackage rec {
# NOTE nextcloud-memories needs this specific version of exiftool
pname = "Image-ExifTool";
version = "12.70";
src = pkgs.fetchFromGitHub {
owner = "exiftool";
repo = "exiftool";
rev = version;
hash = "sha256-YMWYPI2SDi3s4KCpSNwovemS5MDj5W9ai0sOkvMa8Zg=";
};
nativeBuildInputs = lib.optional pkgs.stdenv.hostPlatform.isDarwin pkgs.shortenPerlShebang;
postInstall = lib.optionalString pkgs.stdenv.hostPlatform.isDarwin ''
shortenPerlShebang $out/bin/exiftool
'';
};
in
{
hostName = "cloud.${config.pub-solar-os.networking.domain}"; hostName = "cloud.${config.pub-solar-os.networking.domain}";
home = "/var/lib/nextcloud"; home = "/var/lib/nextcloud";
enable = true; enable = true;
# When updating package, remember to update nextcloud30Packages in package = pkgs.nextcloud29;
# services.nextcloud.extraApps
package = pkgs.nextcloud30;
https = true; https = true;
secretFile = config.age.secrets."nextcloud-secrets".path; # secret secretFile = config.age.secrets."nextcloud-secrets".path; # secret
maxUploadSize = "1G"; maxUploadSize = "1G";
@ -66,6 +45,7 @@
dbuser = "nextcloud"; dbuser = "nextcloud";
dbtype = "pgsql"; dbtype = "pgsql";
dbname = "nextcloud"; dbname = "nextcloud";
dbtableprefix = "oc_";
}; };
settings = { settings = {
@ -93,39 +73,21 @@
allow_local_remote_servers = true; allow_local_remote_servers = true;
enable_previews = true; enable_previews = true;
jpeg_quality = 60;
enabledPreviewProviders = [ enabledPreviewProviders = [
"OC\\Preview\\PNG" "OC\\Preview\\PNG"
"OC\\Preview\\JPEG" "OC\\Preview\\JPEG"
"OC\\Preview\\GIF" "OC\\Preview\\GIF"
"OC\\Preview\\BMP" "OC\\Preview\\BMP"
"OC\\Preview\\HEIC"
"OC\\Preview\\TIFF"
"OC\\Preview\\XBitmap" "OC\\Preview\\XBitmap"
"OC\\Preview\\SVG"
"OC\\Preview\\WebP"
"OC\\Preview\\Font"
"OC\\Preview\\Movie" "OC\\Preview\\Movie"
"OC\\Preview\\ImaginaryPDF" "OC\\Preview\\PDF"
"OC\\Preview\\MP3" "OC\\Preview\\MP3"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\Krita"
"OC\\Preview\\TXT" "OC\\Preview\\TXT"
"OC\\Preview\\MarkDown" "OC\\Preview\\MarkDown"
"OC\\Preview\\Imaginary"
]; ];
preview_imaginary_url = "http://127.0.0.1:${toString config.services.imaginary.port}/"; preview_max_x = "1024";
preview_max_filesize_image = 128; # MB preview_max_y = "768";
preview_max_memory = 512; # MB preview_max_scale_factor = "1";
preview_max_x = 2048; # px
preview_max_y = 2048; # px
preview_max_scale_factor = 1;
"preview_ffmpeg_path" = lib.getExe pkgs.ffmpeg-headless;
"memories.exiftool_no_local" = false;
"memories.exiftool" = "${exiftool_1270}/bin/exiftool";
"memories.vod.ffmpeg" = lib.getExe pkgs.ffmpeg;
"memories.vod.ffprobe" = lib.getExe' pkgs.ffmpeg-headless "ffprobe";
auth.bruteforce.protection.enabled = true; auth.bruteforce.protection.enabled = true;
trashbin_retention_obligation = "auto,7"; trashbin_retention_obligation = "auto,7";
@ -170,81 +132,10 @@
}; };
caching.redis = true; caching.redis = true;
appstoreEnable = true;
autoUpdateApps.enable = true; autoUpdateApps.enable = true;
extraApps = {
inherit (pkgs.nextcloud30Packages.apps) memories previewgenerator recognize;
};
database.createLocally = true; database.createLocally = true;
}; };
# https://docs.nextcloud.com/server/30/admin_manual/installation/server_tuning.html#previews
services.imaginary = {
enable = true;
address = "127.0.0.1";
settings.return-size = true;
};
systemd = {
services =
let
occ = "/run/current-system/sw/bin/nextcloud-occ";
in
{
nextcloud-cron-preview-generator = {
environment.NEXTCLOUD_CONFIG_DIR = "${config.services.nextcloud.home}/config";
serviceConfig = {
ExecStart = "${occ} preview:pre-generate";
Type = "oneshot";
User = "nextcloud";
};
};
nextcloud-preview-generator-setup = {
wantedBy = [ "multi-user.target" ];
requires = [ "phpfpm-nextcloud.service" ];
after = [ "phpfpm-nextcloud.service" ];
environment.NEXTCLOUD_CONFIG_DIR = "${config.services.nextcloud.home}/config";
script = # bash
''
# check with:
# for size in squareSizes widthSizes heightSizes; do echo -n "$size: "; nextcloud-occ config:app:get previewgenerator $size; done
# extra commands run for preview generator:
# 32 icon file list
# 64 icon file list android app, photos app
# 96 nextcloud client VFS windows file preview
# 256 file app grid view, many requests
# 512 photos app tags
${occ} config:app:set --value="32 64 96 256 512" previewgenerator squareSizes
# 341 hover in maps app
# 1920 files/photos app when viewing picture
${occ} config:app:set --value="341 1920" previewgenerator widthSizes
# 256 hover in maps app
# 1080 files/photos app when viewing picture
${occ} config:app:set --value="256 1080" previewgenerator heightSizes
'';
serviceConfig = {
Type = "oneshot";
User = "nextcloud";
};
};
};
timers.nextcloud-cron-preview-generator = {
after = [ "nextcloud-setup.service" ];
timerConfig = {
OnCalendar = "*:0/10";
OnUnitActiveSec = "9m";
Persistent = true;
RandomizedDelaySec = 60;
Unit = "nextcloud-cron-preview-generator.service";
};
wantedBy = [ "timers.target" ];
};
};
services.restic.backups.nextcloud-storagebox = { services.restic.backups.nextcloud-storagebox = {
paths = [ paths = [
"/var/lib/nextcloud/data" "/var/lib/nextcloud/data"
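Review bot: `package = pkgs.nextcloud29;` on the new side is one major release behind `pkgs.nextcloud30` on the other side, and Nextcloud refuses to run against a data directory written by a newer major, so landing this on top of a 30 deployment would be a downgrade the installer rejects; confirm the branch base before merging. `preview_max_x = "1024";`, `preview_max_y = "768";` and `preview_max_scale_factor = "1";` are strings where the other side passes integers and Nextcloud's config expects ints, so prefer `preview_max_x = 1024;` and friends. The added `"OC\\Preview\\PDF"` provider hands uploaded PDFs to ImageMagick/Ghostscript, which as far as I recall is why Nextcloud leaves it off by default; if it stays, a comment stating that this was considered belongs next to it. The `services.nextcloud` attrset continues past the hunk.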


@ -24,6 +24,14 @@ let
secure_backup_required = false; secure_backup_required = false;
secure_backup_setup_methods = [ ]; secure_backup_setup_methods = [ ];
}; };
"m.integrations" = {
managers = [
{
api_url = "https://dimension.${domain}/api/v1/scalar";
ui_url = "https://dimension.${domain}/element";
}
];
};
}; };
wellKnownServer = domain: { "m.server" = "matrix.${domain}:8448"; }; wellKnownServer = domain: { "m.server" = "matrix.${domain}:8448"; };
wellKnownSupport = { wellKnownSupport = {
@ -120,13 +128,6 @@ in
extraConfig = commonHeaders; extraConfig = commonHeaders;
}; };
# For IRC appservice media proxy
"/media" = {
priority = 100;
proxyPass = "http://127.0.0.1:${toString (config.services.matrix-appservice-irc.settings.ircService.mediaProxy.bindPort)}";
extraConfig = commonHeaders;
};
# Forward to the auth service # Forward to the auth service
"~ ^/_matrix/client/(.*)/(login|logout|refresh)" = { "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = {
priority = 100; priority = 100;
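Review bot: The new `"m.integrations"` block in the client well-known advertises `https://dimension.${domain}` as the integration manager, but nothing in this hunk shows that host being served or where its TLS and auth configuration live. Clients hand the integration manager an OpenID token for the user, so the advertised host must be one this deployment actually operates; if it is not, the entry should be dropped, and if it is, a comment such as `# integration manager, served by <module/host>` pointing at the defining module would help. The `let` block these attrsets sit in starts outside the hunk.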


@ -50,15 +50,4 @@
# FUTUREWORK: Replace with pub.solar logo # FUTUREWORK: Replace with pub.solar logo
auth_header_logo_url = "themes/element/img/logos/element-logo.svg"; auth_header_logo_url = "themes/element/img/logos/element-logo.svg";
}; };
# Enable Element Call Beta
features = {
feature_video_rooms = true;
feature_group_calls = true;
feature_element_call_video_rooms = true;
};
element_call = {
url = "https://call.element.io";
participant_limit = 50;
brand = "Element Call";
};
} }


@ -10,7 +10,7 @@
# Please create this manually the first time. # Please create this manually the first time.
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = flake.self.logins.sshPubKeys; authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
}; };
postCommands = '' postCommands = ''
# Automatically ask for the password on SSH login # Automatically ask for the password on SSH login


@ -11,7 +11,7 @@
# Please create this manually the first time. # Please create this manually the first time.
hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
authorizedKeys = flake.self.logins.sshPubKeys; authorizedKeys = config.pub-solar-os.authentication.sshPubKeys;
}; };
# this will automatically load the zfs password prompt on login # this will automatically load the zfs password prompt on login
# and kill the other prompt so boot can continue # and kill the other prompt so boot can continue


@ -1,7 +1,7 @@
{ inputs, ... }: { self, inputs, ... }:
{ {
flake = { flake = {
nixosModules = { nixosModules = rec {
overlays = ( overlays = (
{ ... }: { ... }:
{ {
@ -12,11 +12,12 @@
unstable = import inputs.unstable { system = prev.system; }; unstable = import inputs.unstable { system = prev.system; };
in in
{ {
matrix-authentication-service = unstable.matrix-authentication-service;
element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; }; element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; };
element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker { element-stickerpicker = prev.callPackage ./pkgs/element-stickerpicker {
inherit (inputs) element-stickers maunium-stickerpicker; inherit (inputs) element-stickers maunium-stickerpicker;
}; };
mastodon = unstable.mastodon;
matrix-authentication-service = unstable.matrix-authentication-service;
} }
) )
]; ];
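Review bot: `nixosModules = rec {` and the new `self` in `{ self, inputs, ... }:` are not referenced in either hunk; if they are also unused in the rest of the file, drop both, since `rec` in particular turns every attribute into a potential recursive reference and is easy to misread. `mastodon = unstable.mastodon;` is a fine overlay entry, but the reason for taking mastodon from `inputs.unstable` rather than the main nixpkgs deserves a short comment like `# mastodon: follow unstable for a newer release`, matching how matrix-authentication-service is handled right below it.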


@ -0,0 +1,45 @@
age-encryption.org/v1
-> ssh-ed25519 iDKjwg GPTqfaZZC6ze7BUkT1uF4VslvE29BFKm0+AlJk+DKQQ
GxI7erqw8p3GrCArh5vZOiTmYh40DVisCphNyFhNTqM
-> ssh-ed25519 uYcDNw oo52Nh9BCO5NNF0YyzracKfvMifSiREsxyQqiRZ6WTs
JvqwRX5yOMtEYgWyc7dIQs85wDghMRHQCIi6t5QxIwo
-> ssh-rsa f5THog
w+B5hc0E9u1fFWNNPaTtPmJfPJWUBbRwHYK/T69g2ORNfaBYynl0LL4vSUs8o9Gw
rwBY+cLpth6e4tS819H5C7HtvT47KR3KF8JLxVjA2mbVO83+BnWFjThjYB452CdI
KZvQQPhkSH/43YF6pjxnQjNWB/wroScyjGVtUamcij7YHxt71z0AAnyqE5PgWEc6
6/ao5gLfTKhcWpxkTTz8LHn05s9IppXywDrvpwtJaU8LKgJT2H6Epsaci348lG+I
tAZYODhQqP+yKl92DZbuQQCjxH5CJfhdBs2ZR63hQPj9OrIFRjLg4V+1gdcxzAuz
9FwwIeLq3uxWXPdwTRR8RUsHEGhKMcVty4PkW0vlt+VwZrZBhdz3k+ApVG7Jvclz
MPZYLzKC0DiODqPuA23ye6suFRCHXYfq3ZyCIIN6wOci0X0crSr9ZXW4M8R7aWaZ
XDeZRaUgvd54WI0HZhVWBvJQyswgUXf+/RkS4aI8IgnNV801x12h+mTdWX9BC/cD
YRIWBnGkfTX4WM4OEE2VEgqSDuKl/90o2LFIquIIJULVd2Vs5C2S8FhJcsT7+HmL
TFWnLeIfGbw7RDUeH0c/Bbg9NK11SZF0/VdRZcBQ/zIXBMBlL1EZsH1HfIfhKISN
PyHFB5kfmuVIBhDXgtDdgjKfDmQL9/9Aq1U4ZMBcUKA
-> ssh-rsa kFDS0A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-> piv-p256 vRzPNw A7FwWUuml/VyHcOmha3R/DOg1RvnRXcwjaJJH/sgmsBR
+CP1/qY8sHbR7nkFl1T5HPsjYLRPDCSR01DEJaim96o
-> piv-p256 zqq/iw AgYhaJWqe+QbVCHkXsU7AQhWhte/fjwVbOgmHVRPHsEE
7jNmDI62i/9RakJhbo3MP0qMgXYGlhAW9BKo8HLWQYc
-> ssh-ed25519 YFSOsg cGPMyhqcd20TDBeMkSDJ8hQ/vE9cuDgVi1hfcwAKVjw
U9GRSr607w5oUGr0rC6XqdWMD65JidY/Ri3Ex1dmGXI
-> ssh-ed25519 iHV63A cW7bblsvL1TwI6lp8KjPfUwB5EzWilLhc6Z2geE3SQw
PzBdZ/LXA7iGI7ZjErredqC7ehHsr5MCY3qENv0nZI8
-> ssh-ed25519 BVsyTA AGDqp6Rrp2vStBU9+eJMGf5O4SZQIASE63n8vbf8PEs
SFakjoivQrFkSUBGZ9sISKVhAxNOpc2RxugiBTSK9/k
-> ssh-ed25519 +3V2lQ MmMv45CQFAdgkV/B7InOY22iXzvIU8TY41SV5Jxx7RQ
vNIRE5wSXVzy4miZLV90T1TEOhOjYQT12GWtZpsTxJ8
--- EBBXvYr1OpETpgXOsUfJn6h1e4rXF+olz6DbhDUWCcw
.Œ
ösÊ~¦—åHͯk 2 ¦À9<C380> ¶§ Bz¤¨?°3ëþTÇJ`§gº¦P°çioÙÜr<C39C>Š€" ØÝöwÒs-K€6©òšfÝ
ß0XÎŒvùXª&£8 š¶gÐ=ÄzrH¥jh>


@ -67,14 +67,12 @@ in
"matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-mautrix-telegram-env-file.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-signing-key.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-synapse-secret-config.yaml.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-synapse-sliding-sync-secret.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-authentication-service-secret-config.yml.age".publicKeys = nachtigallKeys ++ adminKeys; "matrix-authentication-service-secret-config.yml.age".publicKeys = nachtigallKeys ++ adminKeys;
"matrix-appservice-irc-mediaproxy-signing-key.jwk.age".publicKeys = nachtigallKeys ++ adminKeys;
"staging-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys; "staging-matrix-synapse-secret-config.yaml.age".publicKeys = undergroundKeys ++ adminKeys;
"staging-matrix-authentication-service-secret-config.yml.age".publicKeys = "staging-matrix-authentication-service-secret-config.yml.age".publicKeys =
undergroundKeys ++ adminKeys; undergroundKeys ++ adminKeys;
"staging-matrix-appservice-irc-mediaproxy-signing-key.jwk.age".publicKeys =
undergroundKeys ++ adminKeys;
"nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys; "nextcloud-secrets.age".publicKeys = nachtigallKeys ++ adminKeys;
"nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys; "nextcloud-admin-pass.age".publicKeys = nachtigallKeys ++ adminKeys;


@ -46,7 +46,6 @@ in
systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ]; systemd.tmpfiles.rules = [ "f /tmp/dbf 1777 root root 10d password" ];
virtualisation.cores = 1;
virtualisation.memorySize = 4096; virtualisation.memorySize = 4096;
pub-solar-os.auth = { pub-solar-os.auth = {
@ -67,7 +66,7 @@ in
testScript = testScript =
{ nodes, ... }: { nodes, ... }:
let let
user = nodes.client.users.users.b12f; user = nodes.client.users.users.${nodes.client.pub-solar-os.authentication.username};
#uid = toString user.uid; #uid = toString user.uid;
bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus"; bus = "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u ${user.name})/bus";
gdbus = "${bus} gdbus"; gdbus = "${bus} gdbus";
@ -82,8 +81,6 @@ in
nachtigall.succeed("ping 127.0.0.1 -c 2") nachtigall.succeed("ping 127.0.0.1 -c 2")
nachtigall.wait_for_unit("nginx.service") nachtigall.wait_for_unit("nginx.service")
nachtigall.wait_for_unit("keycloak.service") nachtigall.wait_for_unit("keycloak.service")
nachtigall.wait_for_open_port(8080)
nachtigall.wait_for_open_port(443)
nachtigall.wait_until_succeeds("curl http://127.0.0.1:8080/") nachtigall.wait_until_succeeds("curl http://127.0.0.1:8080/")
nachtigall.wait_until_succeeds("curl https://auth.test.pub.solar/") nachtigall.wait_until_succeeds("curl https://auth.test.pub.solar/")


@ -11,7 +11,7 @@
services.xserver.displayManager.gdm.enable = true; services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true; services.xserver.desktopManager.gnome.enable = true;
services.xserver.displayManager.autoLogin.enable = true; services.xserver.displayManager.autoLogin.enable = true;
services.xserver.displayManager.autoLogin.user = "b12f"; services.xserver.displayManager.autoLogin.user = config.pub-solar-os.authentication.username;
systemd.user.services = { systemd.user.services = {
"org.gnome.Shell@wayland" = { "org.gnome.Shell@wayland" = {


@ -31,7 +31,6 @@
./support/global.nix ./support/global.nix
]; ];
virtualisation.cores = 1;
virtualisation.memorySize = 4096; virtualisation.memorySize = 4096;
networking.interfaces.eth0.ipv4.addresses = [ networking.interfaces.eth0.ipv4.addresses = [
@ -49,14 +48,12 @@
acme_server.wait_for_unit("system.slice") acme_server.wait_for_unit("system.slice")
acme_server.wait_for_unit("step-ca.service") acme_server.wait_for_unit("step-ca.service")
acme_server.succeed("ping ca.test.pub.solar -c 2") acme_server.succeed("ping ca.test.pub.solar -c 2")
acme_server.wait_for_open_port(443)
acme_server.wait_until_succeeds("curl 127.0.0.1:443") acme_server.wait_until_succeeds("curl 127.0.0.1:443")
nachtigall.wait_for_unit("system.slice") nachtigall.wait_for_unit("system.slice")
nachtigall.succeed("ping test.pub.solar -c 2") nachtigall.succeed("ping test.pub.solar -c 2")
nachtigall.succeed("ping ca.test.pub.solar -c 2") nachtigall.succeed("ping ca.test.pub.solar -c 2")
nachtigall.wait_for_unit("nginx.service") nachtigall.wait_for_unit("nginx.service")
nachtigall.wait_for_open_port(443, "test.pub.solar")
nachtigall.wait_until_succeeds("curl https://test.pub.solar/") nachtigall.wait_until_succeeds("curl https://test.pub.solar/")
''; '';
} }