Compare commits


135 commits
main ... infra

Author SHA1 Message Date
hensoko d5670ac8d2
Merge pull request 'chore: add Mastodon maintenance page' (#259) from chore/mastodon-maintenance into infra
Reviewed-on: #259
Reviewed-by: hensoko <hensoko@gssws.de>
2023-10-27 23:12:47 +02:00
Benjamin Bädorf dd9af147c7
chore: add Mastodon maintenance page
Depends on pub-solar/pub.solar#15 being
merged and deployed.
2023-10-27 22:54:39 +02:00
b12f b97fd41b92
Merge pull request 'infra: fix deploy-rs + collabora container' (#256) from infra-fix-deploy-collabora into infra
Reviewed-on: #256
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-10-13 11:26:43 +02:00
teutat3s 2579cc5284
Add some more docs to flora-6 README
Document how to deploy to flora-6

Document how to get SSH access
2023-10-08 14:35:47 +02:00
teutat3s c6675e75a6
Fix: always pull new docker images 2023-09-15 12:16:23 +02:00
teutat3s b0596b9f44
Fix collabora docker container 2023-09-15 12:15:57 +02:00
teutat3s 7715a89401
Fix deploy-rs, use flake binary again
Can be reverted once deploy-rs nixpkgs binary is up-to-date
See: https://github.com/serokell/deploy-rs/issues/232
2023-09-15 12:13:47 +02:00
b12f df50f9ff2d
Merge pull request 'chore: merge main into infra' (#255) from chore/infra-merge-main into infra
Reviewed-on: #255
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-09-13 13:29:18 +02:00
teutat3s 12307872d6
Merge branch 'main' into chore/infra-merge-main 2023-09-13 13:17:11 +02:00
b12f e260839584
Merge pull request 'Fix git ref git.b12f.io -> git.pub.solar' (#253) from infra-fix-git-ref-vm-tools into infra
Reviewed-on: #253
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-09-13 12:36:48 +02:00
teutat3s 9685baa34b
Fix formatting 2023-09-13 12:19:16 +02:00
teutat3s 93ccb899ba
Fix git ref git.b12f.io -> git.pub.solar 2023-09-13 12:06:28 +02:00
b12f 6691801d0f
Merge pull request 'feat: add collabora' (#252) from infra-collabora into infra
Reviewed-on: #252
Reviewed-by: teutat3s <teutates@mailbox.org>
2023-09-13 11:11:15 +02:00
Benjamin Bädorf c5f0dca0d5
feat: add collabora 2023-09-13 10:25:23 +02:00
teutat3s 0691f3b4c7
Merge pull request 'keycloak: enable feature declarative-user-profile' (#248) from flora-6/keycloak-enable-custom-user-profile into infra
Reviewed-on: #248
2023-07-20 20:14:31 +02:00
teutat3s f4a29822fb
keycloak: enable feature declarative-user-profile
This is useful for setting required attributes, e.g. to exclude
firstName and lastName from the required attributes in the user profile
2023-07-20 20:10:02 +02:00
teutat3s 6af5bcf09f
Merge pull request 'keycloak: several fixes for the pub.solar keycloak theme' (#247) from flora-6/fix-keycloak-theme into infra
Reviewed-on: #247
2023-07-20 19:57:03 +02:00
teutat3s 75b97bb6c1
keycloak: several fixes for the pub.solar keycloak theme
See:
pub-solar/keycloak-theme#1
2023-07-20 19:53:46 +02:00
teutat3s 077241a9d9
Merge pull request 'chore/update-infra-07-23' (#236) from chore/update-infra-07-23 into infra
Reviewed-on: #236
Reviewed-by: teutat3s <teutates@mailbox.org>
2023-07-15 03:17:39 +02:00
teutat3s 17c76ec7b1
caddy: use module from latest to enable gracefully
reloading upon config change instead of restarting
2023-07-13 21:16:12 +02:00
teutat3s bce484f55b
Bump flake inputs nixos + latest in lockfile
• Updated input 'latest':
    'github:nixos/nixpkgs/645ff62e09d294a30de823cb568e9c6d68e92606' (2023-07-01)
  → 'github:nixos/nixpkgs/2de8efefb6ce7f5e4e75bdf57376a96555986841' (2023-07-12)
• Updated input 'nixos':
    'github:nixos/nixpkgs/b72aa95f7f096382bff3aea5f8fde645bca07422' (2023-06-30)
  → 'github:nixos/nixpkgs/fcc147b1e9358a8386b2c4368bd928e1f63a7df2' (2023-07-13)
2023-07-13 21:15:57 +02:00
Benjamin Bädorf d909f093b2
Merge branch 'main' into chore/update-infra-07-23 2023-07-13 18:16:02 +02:00
b12f a25d399575
Merge pull request 'flora-6: add back openssh MACs that got removed' (#233) from infra-openssh-mac-defaults into infra
Reviewed-on: #233
Reviewed-by: Akshay Mankar <axeman@noreply.git.pub.solar>
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-07-07 14:43:51 +02:00
teutat3s 6fd2903516
flora-6: add back openssh MACs that got removed
from defaults

NixOS default openssh MACs have changed to use "encrypt-then-mac" only.
This breaks compatibility with clients that do not offer these MACs. For
compatibility reasons, we add back the old defaults.
See: https://github.com/NixOS/nixpkgs/pull/231165

https://blog.stribik.technology/2015/01/04/secure-secure-shell.html
https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
2023-07-07 12:13:57 +02:00
b12f e834cc685c
Merge pull request 'flora-6: use renamed options in gitea.settings.server and openssh.settings' (#232) from infra-gitea-module-settings into infra
Reviewed-on: #232
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-07-03 14:38:57 +02:00
teutat3s c36a22c556
flake: fix broken deploy-rs usage
Still doesn't use deploy-rs from nixpkgs because of usage in digga:
https://github.com/divnix/digga/blob/main/src/generators.nix#L77
2023-07-02 17:56:17 +02:00
teutat3s 9dbfb4eaaa
flora-6: use renamed openssh settings
trace: warning: The option `services.openssh.permitRootLogin' defined in `/nix/store/ha98lp4l8ccspyfn5liq0k9ds3cs20zl-source/hosts/flora-6/flora-6.nix' has been renamed to `services.openssh.settings.PermitRootLogin'.
trace: warning: The option `services.openssh.passwordAuthentication' defined in `/nix/store/ha98lp4l8ccspyfn5liq0k9ds3cs20zl-source/hosts/flora-6/flora-6.nix' has been renamed to `services.openssh.settings.PasswordAuthentication'.
2023-07-02 17:55:58 +02:00
teutat3s fc0768d353
gitea: use renamed options in gitea.settings.server
trace: warning: The option `services.gitea.rootUrl' defined in `hosts/flora-6/gitea.nix' has been renamed to `services.gitea.settings.server.ROOT_URL'.
trace: warning: The option `services.gitea.httpPort' defined in `hosts/flora-6/gitea.nix' has been renamed to `services.gitea.settings.server.HTTP_PORT'.
trace: warning: The option `services.gitea.httpAddress' defined in `hosts/flora-6/gitea.nix' has been renamed to `services.gitea.settings.server.HTTP_ADDR'.
trace: warning: The option `services.gitea.domain' defined in `hosts/flora-6/gitea.nix' has been renamed to `services.gitea.settings.server.DOMAIN'.
2023-07-02 17:55:58 +02:00
teutat3s b38c378003
Merge pull request 'infra: update to nixos-23.05' (#230) from infra-23.05 into infra
Reviewed-on: #230
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-07-02 14:59:04 +02:00
teutat3s 35ddf5d798
flake: update lock file
• Updated input 'darwin':
    'github:LnL7/nix-darwin/252541bd05a7f55f3704a3d014ad1badc1e3360d' (2023-05-10)
  → 'github:LnL7/nix-darwin/43587cdb726f73b962f12028055520dbd1d7233f' (2023-06-30)
• Updated input 'deploy':
    'github:serokell/deploy-rs/c80189917086e43d49eece2bd86f56813500a0eb' (2023-05-11)
  → 'github:serokell/deploy-rs/724463b5a94daa810abfc64a4f87faef4e00f984' (2023-06-14)
• Updated input 'home':
    'github:nix-community/home-manager/f9edbedaf015013eb35f8caacbe0c9666bbc16af' (2023-04-10)
  → 'github:nix-community/home-manager/07c347bb50994691d7b0095f45ebd8838cf6bc38' (2023-06-27)
• Removed input 'home/utils'
• Updated input 'latest':
    'github:nixos/nixpkgs/897876e4c484f1e8f92009fd11b7d988a121a4e7' (2023-05-06)
  → 'github:nixos/nixpkgs/645ff62e09d294a30de823cb568e9c6d68e92606' (2023-07-01)
• Updated input 'nixos':
    'github:nixos/nixpkgs/9656e85a15a0fe67847ee8cdb99a20d8df499962' (2023-05-12)
  → 'github:nixos/nixpkgs/b72aa95f7f096382bff3aea5f8fde645bca07422' (2023-06-30)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/81cd886719e10d4822b2a6caa96e95d56cc915ef' (2023-05-13)
  → 'github:nixos/nixos-hardware/429f232fe1dc398c5afea19a51aad6931ee0fb89' (2023-06-15)
• Added input 'nvfetcher':
    'github:berberman/nvfetcher/44196458acc2c28c32e456c50277d6148e71e708' (2023-06-22)
• Added input 'nvfetcher/flake-compat':
    follows 'flake-compat'
• Added input 'nvfetcher/flake-utils':
    'github:numtide/flake-utils/abfb11bd1aec8ced1c9bb9adfe68018230f4fb3c' (2023-06-19)
• Added input 'nvfetcher/flake-utils/systems':
    'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09)
• Added input 'nvfetcher/nixpkgs':
    follows 'nixos'
2023-07-02 13:29:39 +02:00
teutat3s 91a89f172d
flake: fix leftover merge conflict 2023-07-02 13:27:04 +02:00
teutat3s 38ebdcf0dc
Merge branch 'main' into infra 2023-07-02 13:26:12 +02:00
teutat3s 9bd45f0a10
Merge pull request 'Use forgejo instead of gitea, bump flake inputs' (#226) from infra-gitea-to-forgejo-bump-flakes into infra
Reviewed-on: #226
Reviewed-by: hensoko <hensoko@gssws.de>
2023-05-14 15:14:28 +02:00
teutat3s a63d3390e1
Merge pull request 'flora-6: init owncast' (#225) from infra-init-owncast into infra
Reviewed-on: #225
Reviewed-by: hensoko <hensoko@gssws.de>
2023-05-14 15:14:15 +02:00
teutat3s 7cbe86ff11
flora-6: use forgejo instead of gitea, bump flake
inputs:

• Updated input 'agenix':
    'github:ryantm/agenix/e64961977f60388dd0b49572bb0fc453b871f896' (2023-03-31)
  → 'github:ryantm/agenix/2994d002dcff5353ca1ac48ec584c7f6589fe447' (2023-04-21)
• Updated input 'darwin':
    'github:LnL7/nix-darwin/025912529dd0b31dead95519e944ea05f1ad56f2' (2023-04-10)
  → 'github:LnL7/nix-darwin/252541bd05a7f55f3704a3d014ad1badc1e3360d' (2023-05-10)
• Updated input 'deploy':
    'github:serokell/deploy-rs/8c9ea9605eed20528bf60fae35a2b613b901fd77' (2023-01-19)
  → 'github:serokell/deploy-rs/c80189917086e43d49eece2bd86f56813500a0eb' (2023-05-11)
• Updated input 'latest':
    'github:nixos/nixpkgs/db24d86dd8a4769c50d6b7295e81aa280cd93f35' (2023-04-10)
  → 'github:nixos/nixpkgs/897876e4c484f1e8f92009fd11b7d988a121a4e7' (2023-05-06)
• Updated input 'nixos':
    'github:nixos/nixpkgs/ea96b4af6148114421fda90df33cf236ff5ecf1d' (2023-04-10)
  → 'github:nixos/nixpkgs/9656e85a15a0fe67847ee8cdb99a20d8df499962' (2023-05-12)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/3006d2860a6ed5e01b0c3e7ffb730e9b293116e2' (2023-04-07)
  → 'github:nixos/nixos-hardware/81cd886719e10d4822b2a6caa96e95d56cc915ef' (2023-05-13)
2023-05-13 17:16:35 +02:00
teutat3s dd62bf1752
flora-6: init owncast 2023-05-13 16:50:58 +02:00
b12f ad5e0e74d5
Merge pull request 'flora-6: pub.solar webfinger should redirect to mastodon, too' (#222) from infra-fix-mastodon-webfinger into infra
Reviewed-on: #222
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-04-24 12:53:19 +02:00
b12f 22cd6bd627
Merge pull request 'infra: merge main branch' (#218) from infra-merge-main into infra
Reviewed-on: #218
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-04-24 12:53:13 +02:00
teutat3s a6970708ad
flora-6: pub.solar webfinger should redirect to
mastodon, if the query parameter matches resource

See: https://docs.joinmastodon.org/spec/webfinger/
and: https://docs.joinmastodon.org/admin/config/#web_domain
2023-04-22 03:22:05 +02:00
teutat3s e02a5b0e50
Merge branch 'main' into infra-merge-main 2023-04-17 14:44:01 +02:00
teutat3s af9b528cb9
Merge pull request 'infra: merge main and bump inputs in flake.lock' (#216) from infra-merge-main-bump-flake-lock into infra
Reviewed-on: #216
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-04-11 19:26:45 +02:00
teutat3s 141f950607
Disable unused test on infra branch 2023-04-11 19:19:28 +02:00
teutat3s 694f925804
Bump flake.lock inputs
• Updated input 'agenix':
    'github:ryantm/agenix/03b51fe8e459a946c4b88dcfb6446e45efb2c24e' (2023-03-04)
  → 'github:ryantm/agenix/e64961977f60388dd0b49572bb0fc453b871f896' (2023-03-31)
• Updated input 'darwin':
    'github:LnL7/nix-darwin/87b9d090ad39b25b2400029c64825fc2a8868943' (2023-01-09)
  → 'github:LnL7/nix-darwin/025912529dd0b31dead95519e944ea05f1ad56f2' (2023-04-10)
• Updated input 'home':
    'github:nix-community/home-manager/86bb69b0b1e10d99a30c4352f230f03106dd0f8a' (2023-03-02)
  → 'github:nix-community/home-manager/f9edbedaf015013eb35f8caacbe0c9666bbc16af' (2023-04-10)
• Updated input 'latest':
    'github:nixos/nixpkgs/3c5319ad3aa51551182ac82ea17ab1c6b0f0df89' (2023-03-04)
  → 'github:nixos/nixpkgs/db24d86dd8a4769c50d6b7295e81aa280cd93f35' (2023-04-10)
• Updated input 'nixos':
    'github:nixos/nixpkgs/96e18717904dfedcd884541e5a92bf9ff632cf39' (2023-03-02)
  → 'github:nixos/nixpkgs/ea96b4af6148114421fda90df33cf236ff5ecf1d' (2023-04-10)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/d63e86cbed3d399c4162594943bd8c1d8392e550' (2023-03-04)
  → 'github:nixos/nixos-hardware/3006d2860a6ed5e01b0c3e7ffb730e9b293116e2' (2023-04-07)
2023-04-11 19:00:18 +02:00
teutat3s ae2439a93a
Merge branch 'main' into infra-merge-main-bump-flake-lock 2023-04-11 18:59:36 +02:00
b12f a4e6dcdf16
Merge pull request 'flora-6: enable gitea mail notifications' (#215) from infra-gitea-enable-mail-notifications into infra
Reviewed-on: #215
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-04-11 18:42:13 +02:00
teutat3s 894c30c0d6
flora-6: enable gitea mail notifications, update
gitea mailer config section, see:

https://docs.gitea.io/en-us/config-cheat-sheet/#mailer-mailer
2023-04-11 18:35:57 +02:00
teutat3s d888af018c
Merge pull request 'flora-6: merge main branch' (#178) from flora-6/merge-main into infra
Reviewed-on: #178
2023-03-08 18:32:28 +01:00
teutat3s ff8733ce1c
Merge pull request 'flora-6: configure more aggressive garbage collection' (#177) from flora-6/more-agressive-garbage-collection into infra
Reviewed-on: #177
2023-03-08 18:32:00 +01:00
teutat3s f9e70e18dc
flora-6: move ISO images to /data
There is a second, bigger disk attached to flora-6, let's use it
2023-03-05 23:54:56 +01:00
teutat3s 3e46501f41
Merge branch 'main' into flora-6/merge-main 2023-03-05 18:40:56 +01:00
teutat3s 80c1a7927a
flora-6: configure more aggressive garbage
collection

Reason: it has already happened a few times, that flora-6 ran out of
disk space. With this fix, hopefully the garbage collection should
kick in earlier and prevent this from happening
2023-03-05 18:38:42 +01:00
teutat3s 9fdfc83cc7
Merge pull request 'gitea: re-enable GPG signing' (#176) from fix/gitea-gitconfig into infra
Reviewed-on: #176
2023-03-05 16:56:52 +01:00
teutat3s f0caf9b5a1
gitea: re-enable serverside GPG signing 2023-03-05 16:55:14 +01:00
teutat3s cc57376e7f
Merge pull request 'infra: pull in gitea GPG fix from nixos-unstable' (#175) from bump/infra-flake-lock into infra
Reviewed-on: #175
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-03-05 15:30:07 +01:00
teutat3s df79b8a3c9
caddy: fix formatting 2023-03-05 15:22:57 +01:00
teutat3s d1175e82b4
Add Tailscale custom OIDC webfinger
See: https://tailscale.com/kb/1240/sso-custom-oidc/#webfinger-setup
2023-03-05 15:13:25 +01:00
teutat3s eaea884351
Bump flake.lock 2023-03-05 15:13:21 +01:00
hensoko 0b03bbe76b
Merge pull request 'Add link for satzung in caddy' (#172) from feature/add-caddy-satzung-link into infra
Reviewed-on: #172
Reviewed-by: teutat3s <teutates@mailbox.org>
2023-03-02 14:10:33 +01:00
Hendrik Sokolowski 354fd593bb
make link for satzung temporary 2023-03-01 22:16:49 +01:00
Hendrik Sokolowski 831c44fceb
Add link for satzung in caddy 2023-02-27 23:12:05 +01:00
b12f 359a82a28e
Merge pull request 'Mailman nixos module' (#167) from feature/mailman-nixos-module into infra
Reviewed-on: #167
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-02-26 14:44:30 +01:00
teutat3s 20b70c2481
ci: fix drone.yml signature 2023-02-26 00:24:02 +01:00
teutat3s 648a50c47e
Merge branch 'main' into feature/mailman-nixos-module 2023-02-25 18:37:06 +01:00
teutat3s 078441af96
Bump flake.lock 2023-02-25 18:23:39 +01:00
teutat3s a1cb071773
mailman: trigger postfix reload when caddy renews
TLS Let's Encrypt certificates
2023-02-25 18:21:53 +01:00
teutat3s 94cc00572e
drone: ensure docker starts before trying to
create docker network drone-net with systemd dependencies
2023-02-25 17:58:48 +01:00
teutat3s 1199820574
postfix: use caddy's certs for STARTTLS on port 25 2023-02-25 16:28:10 +01:00
teutat3s 5e5fb64dde
flora-6: postfix should use list.pub.solar as
hostname

- Send postmaster and root mails to admins@pub.solar
- Add TODO comment about django-keycloak
2023-02-25 15:55:44 +01:00
teutat3s 008e14482f
flora-6: clean up unneeded postfix config file 2023-02-25 15:55:44 +01:00
teutat3s bea032ad99
flora-6: init mailman with NixOS module
Docker containers were too complicated to setup
2023-02-25 15:55:44 +01:00
teutat3s 8f948f70c7
mailman wip 2023-02-25 15:55:43 +01:00
b12f b1d2bfef98
Merge pull request 'Update flake inputs in infra branch' (#169) from update/flora-6-flake-inputs into infra
Reviewed-on: #169
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-02-24 21:38:11 +01:00
teutat3s 6582d3142d
Bump flake.lock 2023-02-24 21:01:50 +01:00
b12f 1772e20e2e
Merge pull request 'mailman: fix directory permissions' (#164) from fix/infra-mailman-dir-permissions into infra
Reviewed-on: #164
Reviewed-by: b12f <hello@benjaminbaedorf.eu>
2023-02-01 13:42:56 +01:00
teutat3s 93b5eab0ea
mailman: fix directory permissions 2023-02-01 13:38:10 +01:00
teutat3s f05a1191b9
Merge pull request 'flora-6: move docker data-root to /data' (#163) from fix/infra-move-docker-root into infra
Reviewed-on: #163
2023-02-01 13:30:00 +01:00
teutat3s c1dcea11fa
flora-6: move docker data-root to /data 2023-02-01 13:28:49 +01:00
teutat3s 34c59a3010
Merge pull request 'feature/mailman' (#160) from feature/mailman into infra
Reviewed-on: #160
Reviewed-by: teutat3s <teutates@mailbox.org>
2023-02-01 13:23:03 +01:00
teutat3s 3c422fee62
mailman: fix postfix main.cf path 2023-02-01 13:17:04 +01:00
teutat3s b6ebd71c61
keycloak: use version 20.0.3 from nixos-22.11
It's the same version as on nixos-unstable
2023-02-01 13:15:30 +01:00
teutat3s 8fb6ba33b2
ci: check build of flora-6 in infra branch 2023-02-01 12:27:05 +01:00
teutat3s f00a009115
Merge branch 'main' into feature/mailman 2023-02-01 12:26:18 +01:00
teutat3s 9f0dcb8ed8
Use nix version from 22.11, prevent nvfetcher from
rebuilding so much: it has nix as a dependency and won't find its hash
in the binary cache if we override our nix version with the one from
nixos-unstable. 22.11 has 2.11.1 which should be recent enough for us.
2023-02-01 11:15:58 +01:00
teutat3s f49bc2b4b2
Bump flake.lock, fix agenix overlay
agenix now uses overlays.default to export its overlay
2023-02-01 11:14:50 +01:00
teutat3s 2a756869e3
Merge branch 'main' into feature/mailman 2023-02-01 10:10:28 +01:00
Benjamin Bädorf a8279af631
Merge branch 'feature/mailman' of git.pub.solar:pub-solar/os into feature/mailman 2023-01-31 22:44:12 +01:00
Benjamin Bädorf 61afca41e5
Add postfix to flora-6 2023-01-31 22:43:59 +01:00
teutat3s db7f5c5254
secrets: rekey for b12f-bbcom 2023-01-31 21:35:29 +01:00
Benjamin Bädorf 5ade1c028f
Build works 2023-01-31 21:32:16 +01:00
Benjamin Bädorf 8f0cde4c3d
Remove broken semicolon 2023-01-31 21:30:43 +01:00
Benjamin Bädorf 6c736b8684
Remove broken semicolon 2023-01-31 21:29:02 +01:00
Benjamin Bädorf 26318bcafc
feat/mailman: Add flora-6 config for mailman 2023-01-31 21:25:45 +01:00
Benjamin Bädorf a7d684e1f8
Add b12fs keys to infra secrets 2023-01-29 20:00:40 +01:00
teutat3s 997561f817
caddy: add to hakkonaut group
Add public SSH key to hakkonaut user
2023-01-29 17:39:34 +01:00
teutat3s 0e3b602809
drone: fix path for ISO upload on flora-6 2023-01-29 17:38:00 +01:00
teutat3s 440b38f896
Merge branch 'infra' of git.pub.solar:pub-solar/os into infra 2023-01-29 00:03:42 +01:00
teutat3s 8051531d77
base-user: userVariables -> variables 2023-01-29 00:00:56 +01:00
teutat3s 54ea93ced4
drone: fix docker runner env vars 2023-01-29 00:00:21 +01:00
teutat3s 9732e4edf1
Apply treefmt 2023-01-28 23:51:33 +01:00
teutat3s 7a7ff7b1df
flora-6: init drone docker runner 2023-01-28 23:50:31 +01:00
teutat3s 90b182e499
Merge branch 'main' into infra 2023-01-28 23:27:21 +01:00
b12f 72c84bb1e6
Merge pull request 'users/barkeeper: Add @axeman's ssh key' (#157) from add-akshay into infra
Reviewed-on: #157
2023-01-28 23:16:37 +01:00
Akshay Mankar 7454d5fc5f
users/barkeeper: Add @axeman's ssh key 2023-01-28 23:14:39 +01:00
teutat3s f375843f43
flora-6: init drone ci 2023-01-28 21:26:13 +01:00
teutat3s 291edb6b52
flora-6: update gitea config
change to new responsible MX
disable signing commits etc.
2023-01-28 15:15:46 +01:00
teutat3s cda684ae32
barkeeper: update password 2023-01-28 15:15:34 +01:00
teutat3s 6a6abc79c2
flora-6: ensure to disable NetworkManager 2023-01-28 15:15:17 +01:00
teutat3s de8dcbe9a2
networking: don't wait for network-online
It failed upon deployment with deploy-rs and caused it to rollback
2023-01-28 15:13:47 +01:00
teutat3s e9819fdec7
Bump flake.lock 2023-01-28 15:13:13 +01:00
teutat3s 645b10f2b9
flora-6: update Caddyfile, add missing pub.solar
config for www and mastodon well-known redirect
2023-01-21 23:22:50 +01:00
teutat3s f2c5739c97
Update flake.lock, remove fork flake input
gitea gpg PR got merged into nixos-unstable in
https://github.com/NixOS/nixpkgs/pull/203183
2023-01-21 23:21:16 +01:00
Benjamin Bädorf b1710c4013
flora6: fix caddy file_server directive name typo 2023-01-07 21:31:51 +01:00
Benjamin Bädorf f12f42827f
flora-6: Serve pub.solar website
Originally authored by @axeman
2023-01-07 21:26:14 +01:00
Benjamin Bädorf 8453b8c584
Add extra hensoko key 2023-01-07 21:23:49 +01:00
teutat3s 9ca8387d12
flora-6: redirect gitea login to keycloak 2022-11-29 00:55:18 +01:00
teutat3s 492b8695a3
Merge remote-tracking branch 'origin/nixos-22-11-racoon' into infra-22.11 2022-11-28 21:53:32 +01:00
teutat3s 9fb726b2d7
flora-6: add obs-portal to caddy
auth: redirect / to pub.solar ID management page
2022-11-28 15:32:21 +01:00
Benjamin Bädorf 161acca3a7
Update keycloak theme 2022-11-28 15:31:29 +01:00
Benjamin Bädorf 86cb6522ed
Update keycloak theme 2022-11-28 15:17:51 +01:00
Benjamin Bädorf 2b03c98cf2
Refactor flora-6 services a bit 2022-11-27 23:31:08 +01:00
teutat3s 756845c187
Bump flake.lock 2022-11-27 22:01:36 +01:00
teutat3s 7655260456
Pull in upstream commits from https://github.com/divnix/digga/pull/490
Improved flake-compat

Get the rev from the flake.lock file. Shouldn't be an issue for
first time users as the guide instructs users to generate a lock
file. `builtins.file` was used in accordance with nix.dev
recommendations.

https://nix.dev/anti-patterns/language#reproducibility-referencing-top-level-directory-with

Rm tempfix
2022-11-27 22:01:21 +01:00
Hendrik Sokolowski b3f4727354
Update drone-config 2022-11-27 22:01:21 +01:00
teutat3s c345cb8af4
zsh: fetch plugins using nvfetcher 2022-11-27 22:01:21 +01:00
teutat3s 8fb95ce9dc
neovim: use nvfetcher for custom plugins 2022-11-27 22:01:21 +01:00
Hendrik Sokolowski cb829d0972
Make resume_offset optional 2022-11-27 22:01:21 +01:00
teutat3s ca22046f75
drone: use our custom drone-scp image 2022-11-27 22:01:20 +01:00
teutat3s 24c699698f
Bump flake.lock 2022-11-27 22:01:18 +01:00
teutat3s 1f2ba895a0
Clean some sessionVariables from global scope
Especially some XDG_* env vars polluted other users' environment when set

globally
2022-11-27 21:57:34 +01:00
teutat3s a795bf4429
Rename flora6 -> flora-6 2022-11-27 21:56:40 +01:00
Benjamin Bädorf 1f2d56e0c9
Rename flora6 to flora-6
This aligns with the coming changes in hostnames in the terraform
infrastructure.
2022-11-26 02:40:51 +01:00
teutat3s 90bca8d0ba
Merge branch 'main' into infra 2022-10-05 14:45:12 +02:00
teutat3s 97d88096e8
core: disable SSH passwordAuthentication by default 2022-10-05 12:03:46 +02:00
teutat3s f0c12e38ee
Change user.publicKeys to a SSH keys string list 2022-10-05 12:03:42 +02:00
teutat3s 0e6df4e33b
flora6: init host 2022-10-05 12:02:28 +02:00
29 changed files with 1192 additions and 53 deletions


@ -17,7 +17,7 @@ steps:
- nix $$NIX_FLAGS develop --command nix flake show
- nix $$NIX_FLAGS develop --command treefmt --fail-on-change
- nix $$NIX_FLAGS develop --command editorconfig-checker
- nix $$NIX_FLAGS build ".#nixosConfigurations.PubSolarOS.config.system.build.toplevel"
- nix $$NIX_FLAGS build ".#nixosConfigurations.flora-6.config.system.build.toplevel"
---
kind: pipeline
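Review bot: the flora-6 build replaces the PubSolarOS build instead of being added next to it, so CI on this branch no longer checks `.#nixosConfigurations.PubSolarOS`, which flake.nix below still defines. Keep both lines: add `- nix $$NIX_FLAGS build ".#nixosConfigurations.flora-6.config.system.build.toplevel"` after the existing PubSolarOS line rather than swapping them.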
@ -44,7 +44,7 @@ steps:
from_secret: private_ssh_key
MANTA_USER: pub_solar
MANTA_URL: https://eu-central.manta.greenbaum.cloud
MANTA_KEY_ID: "5d:5f:3d:22:8d:37:1f:e6:d6:ab:06:18:d9:a2:04:67"
MANTA_KEY_ID: "59:9f:5a:6f:c4:e2:3b:32:7f:13:1f:de:b7:59:80:85"
commands:
- export TARGET_DIR="ci/$${DRONE_REPO}/$${DRONE_BUILD_NUMBER}"
- echo env var TARGET_DIR is set to $$TARGET_DIR
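Review bot: `MANTA_KEY_ID` is the fingerprint of the SSH key Manta authenticates with, so the `private_ssh_key` Drone secret on the same lines must be rotated to the key matching `59:9f:5a:6f:...` in the same change, and the old key (`5d:5f:3d:22:...`) should be removed from the `pub_solar` Manta account once the pipeline is green; otherwise the pipeline either fails to authenticate or the retired key stays valid.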
@ -149,6 +149,6 @@ volumes:
---
kind: signature
hmac: a116f78a0b22188052893bdb46aa40f8de66438826c10ced362ea183d7644d67
hmac: 17811add241edae457584ba78389886df02b5e51820d826ef5fb2d97de2430e2
...
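Review bot: the `hmac` signature has to be regenerated against the final `.drone.yml` (`drone sign <repo> --save`) by someone holding the repository secret; commit 20b70c2481 ("ci: fix drone.yml signature") shows this was missed once before, so verify the signature was produced after the last edit to the `steps:` blocks above, or Drone will block or hold the pipeline for approval.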


@ -30,11 +30,11 @@
]
},
"locked": {
"lastModified": 1696360011,
"narHash": "sha256-HpPv27qMuPou4acXcZ8Klm7Zt0Elv9dgDvSJaomWb9Y=",
"lastModified": 1694497842,
"narHash": "sha256-z03v/m0OwcLBok97KcUgMl8ZFw5Xwsi2z+n6nL7JdXY=",
"owner": "LnL7",
"repo": "nix-darwin",
"rev": "8b6ea26d5d2e8359d06278364f41fbc4b903b28a",
"rev": "4496ab26628c5f43d2a5c577a06683c753e32fe2",
"type": "github"
},
"original": {
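Review bot: the infra side pins an older nix-darwin revision than main (`lastModified` goes from 1696360011 down to 1694497842), and the deploy-rs, home-manager, `latest`, `nixos` and nixos-hardware hunks below move backwards in the same way. Merge main into infra, or re-run `nix flake update` on the infra branch, before merging so the lock file does not regress to older nixpkgs.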
@ -54,11 +54,11 @@
"utils": "utils"
},
"locked": {
"lastModified": 1695052866,
"narHash": "sha256-agn7F9Oww4oU6nPiw+YiYI9Xb4vOOE73w8PAoBRP4AA=",
"lastModified": 1694513707,
"narHash": "sha256-wE5kHco3+FQjc+MwTPwLVqYz4hM7uno2CgXDXUFMCpc=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "e3f41832680801d0ee9e2ed33eb63af398b090e9",
"rev": "31c32fb2959103a796e07bbe47e0a5e287c343a8",
"type": "github"
},
"original": {
@ -89,6 +89,28 @@
"type": "github"
}
},
"devshell_2": {
"inputs": {
"nixpkgs": [
"keycloak-theme-pub-solar",
"nixpkgs"
],
"systems": "systems"
},
"locked": {
"lastModified": 1688380630,
"narHash": "sha256-8ilApWVb1mAi4439zS3iFeIT0ODlbrifm/fegWwgHjA=",
"owner": "numtide",
"repo": "devshell",
"rev": "f9238ec3d75cefbb2b42a44948c4e8fb1ae9a205",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"digga": {
"inputs": {
"darwin": [
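Review bot: `devshell_2` is a second copy of the devshell input, pulled in transitively by `keycloak-theme-pub-solar`. Add `keycloak-theme-pub-solar.inputs.devshell.follows = "devshell";` in flake.nix (assuming the top-level input is named `devshell`, which the `_2` suffix implies) so only one pinned revision of devshell has to be tracked and updated.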
@ -197,6 +219,39 @@
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1689068808,
"narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"fork": {
"locked": {
"lastModified": 1692960587,
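Review bot: `flake-utils_4` is pinned to rev `1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1` with `lastModified` 1653893745 (mid-2022), pulled in via `triton-vmtools`, and `flake-utils_3` is another copy via the keycloak theme. Point both at the top-level input with `triton-vmtools.inputs.flake-utils.follows` and `keycloak-theme-pub-solar.inputs.flake-utils.follows` in flake.nix; stale transitive pins are the part of the lock nobody reviews.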
@ -220,11 +275,11 @@
]
},
"locked": {
"lastModified": 1695108154,
"narHash": "sha256-gSg7UTVtls2yO9lKtP0yb66XBHT1Fx5qZSZbGMpSn2c=",
"lastModified": 1694465129,
"narHash": "sha256-8BQiuobMrCfCbGM7w6Snx+OBYdtTIm0+cGVaKwQ5BFg=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "07682fff75d41f18327a871088d20af2710d4744",
"rev": "9787dffff5d315c9593d3f9fb0f9bf2097e1b57b",
"type": "github"
},
"original": {
@ -234,13 +289,36 @@
"type": "github"
}
},
"keycloak-theme-pub-solar": {
"inputs": {
"devshell": "devshell_2",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixos"
]
},
"locked": {
"lastModified": 1689875310,
"narHash": "sha256-gJxh8fVX24nZXBxstZcrzZhMRFG9jyOnQEfkgoRr39I=",
"ref": "main",
"rev": "c2c86bbf9855f16a231a596b75b443232a7b9395",
"revCount": 24,
"type": "git",
"url": "https://git.pub.solar/pub-solar/keycloak-theme"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://git.pub.solar/pub-solar/keycloak-theme"
}
},
"latest": {
"locked": {
"lastModified": 1696604326,
"narHash": "sha256-YXUNI0kLEcI5g8lqGMb0nh67fY9f2YoJsILafh6zlMo=",
"lastModified": 1694422566,
"narHash": "sha256-lHJ+A9esOz9vln/3CJG23FV6Wd2OoOFbDeEs4cMGMqc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "87828a0e03d1418e848d3dd3f3014a632e4a4f64",
"rev": "3a2786eea085f040a66ecde1bc3ddc7099f6dbeb",
"type": "github"
},
"original": {
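Review bot: `keycloak-theme-pub-solar` is a `git` input tracking `ref: main` on git.pub.solar; the lock pins `rev: c2c86bbf9855f16a231a596b75b443232a7b9395`, so builds stay reproducible, but every `nix flake update` will take whatever `main` points at. Since this theme ships into the Keycloak login pages, a compromised or mistaken push to that branch lands in the authentication flow on the next input bump; prefer a tag or explicit rev in the input URL, and review the theme diff when bumping.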
@ -252,11 +330,11 @@
},
"nixos": {
"locked": {
"lastModified": 1696697597,
"narHash": "sha256-q26Qv4DQ+h6IeozF2o1secyQG0jt2VUT3V0K58jr3pg=",
"lastModified": 1694499547,
"narHash": "sha256-R7xMz1Iia6JthWRHDn36s/E248WB1/je62ovC/dUVKI=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5a237aecb57296f67276ac9ab296a41c23981f56",
"rev": "e5f018cf150e29aac26c61dac0790ea023c46b24",
"type": "github"
},
"original": {
@ -268,11 +346,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1696614066,
"narHash": "sha256-nAyYhO7TCr1tikacP37O9FnGr2USOsVBD3IgvndUYjM=",
"lastModified": 1694591211,
"narHash": "sha256-NPP7XGZH+Q5ey7nE2zGLrBrzKmLYPhj8YgsTSdhH0D4=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "bb2db418b616fea536b1be7f6ee72fb45c11afe0",
"rev": "3ccd87fcdae4732fe33773cefa4375c641a057e7",
"type": "github"
},
"original": {
@ -306,9 +384,65 @@
"flake-compat": "flake-compat",
"fork": "fork",
"home": "home",
"keycloak-theme-pub-solar": "keycloak-theme-pub-solar",
"latest": "latest",
"nixos": "nixos",
"nixos-hardware": "nixos-hardware"
"nixos-hardware": "nixos-hardware",
"triton-vmtools": "triton-vmtools"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"triton-vmtools": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixpkgs": [
"nixos"
]
},
"locked": {
"dir": "vmtools",
"lastModified": 1694596254,
"narHash": "sha256-aqGmoQXVG0Q1SeZuIWws8dbn1JRnjOGxtDVs2SBzNR0=",
"ref": "main",
"rev": "463d525addaf05beaf4a632fd85e2a2b25ddf8ee",
"revCount": 69,
"type": "git",
"url": "https://git.pub.solar/pub-solar/infra?dir=vmtools"
},
"original": {
"dir": "vmtools",
"ref": "main",
"type": "git",
"url": "https://git.pub.solar/pub-solar/infra?dir=vmtools"
}
},
"utils": {
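Review bot: `systems` and `systems_2` are byte-identical pins of `nix-systems/default` and could be deduplicated with `follows` like the other duplicated inputs; `triton-vmtools` has the same `type: git`, `ref: main` shape as the keycloak theme (pinned to `463d525addaf05beaf4a632fd85e2a2b25ddf8ee` here), so the same caveat about bumping a branch-tracking input applies.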


@ -36,6 +36,12 @@
agenix.inputs.darwin.follows = "darwin";
nixos-hardware.url = "github:nixos/nixos-hardware";
triton-vmtools.url = "git+https://git.pub.solar/pub-solar/infra?ref=main&dir=vmtools";
triton-vmtools.inputs.nixpkgs.follows = "nixos";
keycloak-theme-pub-solar.url = "git+https://git.pub.solar/pub-solar/keycloak-theme?ref=main";
keycloak-theme-pub-solar.inputs.nixpkgs.follows = "nixos";
};
outputs = {
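Review bot: both new inputs use `ref=main` in their URL, so `nix flake update` follows a moving branch; the lock pins a rev today, but consider a tag or `rev=` in the URL for the theme that ends up in the Keycloak login page. The `inputs.nixpkgs.follows = "nixos"` lines are good; add `.inputs.flake-utils.follows` and `.inputs.devshell.follows` as well so these inputs do not bring their own copies of flake-utils and devshell into the lock.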
@ -46,6 +52,8 @@
nixos-hardware,
agenix,
deploy,
triton-vmtools,
keycloak-theme-pub-solar,
...
} @ inputs:
digga.lib.mkFlake
@ -61,14 +69,6 @@
channels = {
nixos = {
imports = [(digga.lib.importOverlays ./overlays)];
overlays = [
(self: super: {
deploy-rs = {
inherit (inputs.nixos.legacyPackages.x86_64-linux) deploy-rs;
lib = inputs.deploy.lib.x86_64-linux;
};
})
];
};
latest = {};
fork = {};
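Review bot: dropping this overlay means `deploy-rs` is no longer the nixpkgs package but is built from the `deploy` flake input, which commit 7715a89401 says is a temporary workaround for https://github.com/serokell/deploy-rs/issues/232. Leave a short comment at this spot referencing that issue so the overlay can be put back once the nixpkgs package is current; otherwise nobody will remember why the build got slower.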
@ -114,12 +114,14 @@
];
};
PubSolarOS = {
tests = [
#(import ./tests/first-test.nix {
# Broken since https://github.com/NixOS/nixpkgs/commit/5bcef4224928fe45312f0ee321ddf0f0e8feeb7b
# Needs a fix in https://github.com/divnix/digga/blob/main/src/tests.nix#L12-L21
#tests = [
# (import ./tests/first-test.nix {
# pkgs = nixos.legacyPackages.x86_64-linux;
# lib = nixos.lib;
#})
];
# })
#];
};
};
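Review bot: commenting the test out leaves PubSolarOS with no NixOS VM test at all; the inline reason (nixpkgs commit 5bcef422 and the digga `tests.nix` lines) is good, but the comment should also say what needs to happen to re-enable it or point at a tracking issue, so the disabled test does not silently become permanent.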
importables = rec {
@ -150,6 +152,11 @@
pub-solar = {suites, ...}: {
imports = suites.base;
home.stateVersion = "21.03";
};
barkeeper = {suites, ...}: {
imports = suites.base;
home.stateVersion = "21.03";
};
}; # digga.lib.importers.rakeLeaves ./users/hm;
@ -160,6 +167,16 @@
homeConfigurations = digga.lib.mkHomeConfigurations self.nixosConfigurations;
deploy.nodes = digga.lib.mkDeployNodes self.nixosConfigurations {
flora-6 = {
sshUser = "barkeeper";
hostname = "flora-6.pub.solar";
fastConnect = true;
profilesOrder = ["system" "direnv"];
profiles.direnv = {
user = "barkeeper";
path = deploy.lib.x86_64-linux.activate.home-manager self.homeConfigurationsPortable.x86_64-linux.barkeeper;
};
};
#example = {
# hostname = "example.com:22";
# sshUser = "bartender";
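Review bot: please double-check the `fastConnect = true;` key against the deploy-rs node options; the option I know of is `fastConnection`, and a key deploy-rs does not recognise either has no effect or fails the flake check, which the `deploy --skip-checks` invocation in the README would hide. Separately, the profile named `direnv` activates the whole barkeeper home-manager configuration (`activate.home-manager self.homeConfigurationsPortable.x86_64-linux.barkeeper`), not only direnv, so a name like `home` or a comment would make `profilesOrder = ["system" "direnv"]` easier to read.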

hosts/flora-6/README.md Normal file

@ -0,0 +1,50 @@
# Deploy infra branch to flora-6
Use this command after updating flake inputs to update services on `flora-6`.
```
deploy --skip-checks --confirm-timeout 300 --targets '.#flora-6'
An alternative, if deployment always fails and rolls back.
```
deploy --skip-checks --magic-rollback false --auto-rollback false --targets '.#flora-6'
```
# SSH access to flora-6
Ensure your SSH public key is in place [here](./users/barkeeper/default.nix) and
was deployed by someone with access.
```
ssh barkeeper@flora-6.pub.solar
```
# Mailman on NixOS docs
- add reverse DNS record for IP
Manual setup done for mailman, adapted from https://nixos.wiki/wiki/Mailman:
```
# Add DNS records in infra repo using terraform:
# https://git.pub.solar/pub-solar/infra/commit/db234cdb5b55758a3d74387ada0760e06e166b9d
# Generate initial postfix_domains.db and postfix_lmtp.db databases for Postfix
sudo -u mailman mailman aliases
# Create a django superuser account
sudo -u mailman-web mailman-web createsuperuser
# Followed outlined steps in web UI
```
```
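Review bot: the code fences in this README are unbalanced: the block opened before `deploy --skip-checks --confirm-timeout 300 --targets '.#flora-6'` is not closed before the sentence "An alternative, if deployment always fails and rolls back.", so that sentence renders inside the code block and the second `deploy` command renders as plain text, and the lone closing fence at the end of the Mailman section is stray. Two smaller points: the bullet `- add reverse DNS record for IP` sits above the sentence that introduces the Mailman steps and reads as orphaned, and a sentence on why `--skip-checks` is needed would help readers judge the `--magic-rollback false --auto-rollback false` variant, since disabling both removes the safety net for a deploy that breaks SSH access. Also verify that the relative link `./users/barkeeper/default.nix` resolves from `hosts/flora-6/`, where this README lives.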

hosts/flora-6/caddy.nix Normal file

@ -0,0 +1,168 @@
{
config,
lib,
pkgs,
self,
...
}: let
maintenanceMode = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
root * /srv/www/pub.solar
error * "Scheduled Maintenance" 503
handle_errors {
root * /srv/www/pub.solar
rewrite * /maintenance/index.html
file_server
}
'';
};
in {
systemd.tmpfiles.rules = [
"d '/data/srv/www/os/download/' 0750 hakkonaut hakkonaut - -"
];
services.caddy = {
enable = lib.mkForce true;
group = "hakkonaut";
email = "admins@pub.solar";
enableReload = true;
globalConfig = lib.mkForce ''
grace_period 60s
'';
virtualHosts = {
"pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
# Named matcher, used below for Mastodon webfinger
@query query resource=*
# PubSolarOS images
handle /os/download/* {
root * /data/srv/www
file_server /os/download/* browse
}
# serve base domain pub.solar for mastodon.pub.solar
# https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/
handle /.well-known/host-meta {
redir https://mastodon.pub.solar{uri}
}
# Tailscale OIDC webfinger requirement plus Mastodon webfinger redirect
handle /.well-known/webfinger {
# Redirect requests that match /.well-known/webfinger?resource=* to Mastodon
handle @query {
redir https://mastodon.pub.solar{uri}
}
respond 200 {
body `{
"subject": "acct:admins@pub.solar",
"links": [
{
"rel": "http://openid.net/specs/connect/1.0/issuer",
"href": "https://auth.pub.solar/realms/pub.solar"
}
]
}`
}
}
# redirect to statutes
redir /satzung https://cloud.pub.solar/s/2tRCP9aZFCiWxQy temporary
# pub.solar website
handle {
root * /srv/www/pub.solar
try_files {path}.html {path}
file_server
}
# minimal error handling, respond with status code and text
handle_errors {
respond "{http.error.status_code} {http.error.status_text}"
}
'';
};
"www.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
redir https://pub.solar{uri}
'';
};
"mastodon.pub.solar" = maintenanceMode;
"auth.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
redir / /realms/pub.solar/account temporary
reverse_proxy :8080
'';
};
"git.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
redir /user/login /user/oauth2/keycloak temporary
reverse_proxy :3000
'';
};
"ci.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy :4000
'';
};
"stream.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy :5000
'';
};
"list.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
handle_path /static/* {
root * /var/lib/mailman-web-static
file_server
}
reverse_proxy :18507
'';
};
"collabora.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy :9980
'';
};
"obs-portal.pub.solar" = {
logFormat = lib.mkForce ''
output discard
'';
extraConfig = ''
reverse_proxy obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone:3000
'';
};
};
};
networking.firewall.allowedTCPPorts = [80 443];
}
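Review bot: every virtual host sets `logFormat = lib.mkForce ''output discard''`, so the identity provider (`auth.pub.solar`), the git server (`git.pub.solar`) and the list server produce no access logs at all; if an account is abused or a token leaks there is nothing to reconstruct the access from. Consider keeping logs at least for `auth.pub.solar` and `git.pub.solar`, for example `output file /var/log/caddy/auth.log { roll_keep 7 }` with the `filter` log format dropping cookie and other header fields if privacy is the concern, and leave `discard` for the static hosts. Minor: the tmpfiles rule creates `/data/srv/www/os/download/` as 0750 `hakkonaut:hakkonaut` and the Caddy service is put in the `hakkonaut` group to read it; a comment next to `group = "hakkonaut";` saying so would explain the otherwise surprising group choice.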


@ -0,0 +1,38 @@
{
config,
lib,
pkgs,
self,
...
}: {
virtualisation = {
docker = {
enable = true; # sadly podman is not supported rightnow
extraOptions = ''
--data-root /data/docker
'';
};
oci-containers = {
backend = "docker";
containers."collabora" = {
image = "collabora/code";
autoStart = true;
ports = [
"9980:9980"
];
extraOptions = [
"--cap-add=MKNOD"
"--pull=always"
];
environment = {
server_name = "collabora.pub.solar";
aliasgroup1 = "https://cloud.pub.solar:443";
DONT_GEN_SSL_CERT = "1";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
SLEEPFORDEBUGGER = "0";
};
};
};
};
}
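Review bot: `ports = ["9980:9980"]` publishes the container port on all interfaces, and Docker-published ports are handled by Docker's own iptables chains rather than by the NixOS `networking.firewall` INPUT rules, so Collabora's plain-HTTP listener (`--o:ssl.enable=false`) becomes reachable from outside even though caddy.nix only opens 80 and 443; binding to the loopback address that Caddy proxies to, `"127.0.0.1:9980:9980"`, closes that. Also, `image = "collabora/code"` carries no tag and is combined with `--pull=always`, so every restart runs whatever `latest` currently is; pinning a tag (or a digest) keeps the deployed version reviewable.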


@ -0,0 +1,5 @@
{...}: {
imports = [
./flora-6.nix
];
}

hosts/flora-6/drone.nix Normal file

@ -0,0 +1,116 @@
{
config,
lib,
pkgs,
self,
...
}: {
age.secrets.drone-secrets = {
file = "${self}/secrets/drone-secrets.age";
mode = "600";
owner = "drone";
};
age.secrets.drone-db-secrets = {
file = "${self}/secrets/drone-db-secrets.age";
mode = "600";
owner = "drone";
};
users.users.drone = {
description = "Drone Service";
home = "/var/lib/drone";
useDefaultShell = true;
uid = 994;
group = "drone";
isSystemUser = true;
};
users.groups.drone = {};
systemd.tmpfiles.rules = [
"d '/var/lib/drone-db' 0750 drone drone - -"
];
systemd.services."docker-network-drone" = let
docker = config.virtualisation.oci-containers.backend;
dockerBin = "${pkgs.${docker}}/bin/${docker}";
in {
serviceConfig.Type = "oneshot";
before = ["docker-drone-server.service"];
script = ''
${dockerBin} network inspect drone-net >/dev/null 2>&1 || ${dockerBin} network create drone-net --subnet 172.20.0.0/24
'';
};
virtualisation = {
docker = {
enable = true; # sadly podman is not supported rightnow
extraOptions = ''
--data-root /data/docker
'';
};
oci-containers = {
backend = "docker";
containers."drone-db" = {
image = "postgres:14";
autoStart = true;
user = "994";
volumes = [
"/var/lib/drone-db:/var/lib/postgresql/data"
];
extraOptions = [
"--network=drone-net"
];
environmentFiles = [
config.age.secrets.drone-db-secrets.path
];
};
containers."drone-server" = {
image = "drone/drone:2";
autoStart = true;
user = "994";
ports = [
"4000:80"
];
dependsOn = ["drone-db"];
extraOptions = [
"--network=drone-net"
"--pull=always"
];
environment = {
DRONE_GITEA_SERVER = "https://git.pub.solar";
DRONE_SERVER_HOST = "ci.pub.solar";
DRONE_SERVER_PROTO = "https";
DRONE_DATABASE_DRIVER = "postgres";
};
environmentFiles = [
config.age.secrets.drone-secrets.path
];
};
containers."drone-docker-runner" = {
image = "drone/drone-runner-docker:1";
autoStart = true;
# needs to run as root
#user = "994";
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
];
dependsOn = ["drone-db"];
extraOptions = [
"--network=drone-net"
"--pull=always"
];
environment = {
DRONE_RPC_HOST = "ci.pub.solar";
DRONE_RPC_PROTO = "https";
DRONE_RUNNER_CAPACITY = "2";
DRONE_RUNNER_NAME = "flora-6-docker-runner";
};
environmentFiles = [
config.age.secrets.drone-secrets.path
];
};
};
};
}
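Review bot: `systemd.services."docker-network-drone"` has `before = ["docker-drone-server.service"]` but no `wantedBy` or `requiredBy`, so nothing pulls it in at boot, and `before` is ordering only and omits the `drone-db` and `drone-docker-runner` units anyway; on a fresh host `docker-drone-db.service` can start with `--network=drone-net` before the network exists. Give the unit `wantedBy = ["multi-user.target"]` and list all three container units in `before`, or add `after`/`requires` on each container service. Same interface issue as in collabora.nix: `"4000:80"` publishes the Drone UI and API on every interface outside the NixOS firewall, and `"127.0.0.1:4000:80"` is enough for the Caddy proxy on `ci.pub.solar`. The runner's `/var/run/docker.sock` mount is root-equivalent on the host, which is inherent to the Docker runner; a sentence next to `# needs to run as root` stating that would make the trust placed in CI jobs explicit.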

hosts/flora-6/flora-6.nix Normal file

@ -0,0 +1,168 @@
{
config,
latestModulesPath,
lib,
inputs,
pkgs,
profiles,
self,
...
}: let
psCfg = config.pub-solar;
in {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./triton-vmtools.nix
./caddy.nix
./drone.nix
./keycloak.nix
./gitea.nix
./mailman.nix
./owncast.nix
./collabora.nix
profiles.base-user
profiles.users.root # make sure to configure ssh keys
profiles.users.barkeeper
"${latestModulesPath}/services/misc/gitea.nix"
"${latestModulesPath}/services/web-servers/caddy/default.nix"
];
disabledModules = [
"services/misc/gitea.nix"
"services/web-servers/caddy/default.nix"
];
config = {
# # #
# # # pub.solar options
# # #
pub-solar.core = {
disk-encryption-active = false;
iso-options.enable = true;
lite = true;
};
# Allow sudo without a password for the barkeeper user
security.sudo.extraRules = [
{
users = ["${psCfg.user.name}"];
commands = [
{
command = "ALL";
options = ["NOPASSWD"];
}
];
}
];
# Override nix.conf for more agressive garbage collection
nix.extraOptions = lib.mkForce ''
min-free = 536870912
keep-outputs = false
keep-derivations = false
fallback = true
'';
# Machine user for CI pipelines
users.users.hakkonaut = {
description = "CI and automation user";
home = "/var/nix/iso-cache";
useDefaultShell = true;
uid = 998;
group = "hakkonaut";
isSystemUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
];
};
users.groups.hakkonaut = {};
# # #
# # # Triton host specific options
# # # DO NOT ALTER below this line, changes might render system unbootable
# # #
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Force getting the hostname from cloud-init
networking.hostName = lib.mkDefault "";
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Select internationalisation properties.
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
git
vim
wget
];
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
services.cloud-init.enable = true;
services.cloud-init.ext4.enable = true;
services.cloud-init.network.enable = true;
# use the default NixOS cloud-init config, but add some SmartOS customization to it
environment.etc."cloud/cloud.cfg.d/90_smartos.cfg".text = ''
datasource_list: [ SmartOS ]
# Do not create the centos/ubuntu/debian user
users: [ ]
# mount second disk with label ephemeral0, gets formated by cloud-init
# this will fail to get added to /etc/fstab as it's read-only, but should
# mount at boot anyway
mounts:
- [ vdb, /data, auto, "defaults,nofail" ]
'';
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
};
};
# We manage the firewall with nix, too
# altough triton can also manage firewall rules via the triton fwrule subcommand
networking.firewall.enable = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
};
}
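Review bot: the `Macs` list extends the NixOS default (the three `-etm@openssh.com` entries) with the encrypt-and-MAC variants `hmac-sha2-512`, `hmac-sha2-256` and `umac-128@openssh.com`; if these were added for a specific client that cannot negotiate the ETM variants, a comment naming it would let the list be trimmed once that client is gone, and otherwise the extra three can be dropped. Related: the `NOPASSWD` `ALL` rule for `${psCfg.user.name}` makes every key authorized for barkeeper root-equivalent on this host, which is expected for a deploy user but worth stating in the comment above `security.sudo.extraRules`.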

hosts/flora-6/gitea.nix Normal file

@ -0,0 +1,82 @@
{
config,
lib,
pkgs,
self,
...
}: {
age.secrets.gitea-database-password = {
file = "${self}/secrets/gitea-database-password.age";
mode = "600";
owner = "gitea";
};
age.secrets.gitea-mailer-password = {
file = "${self}/secrets/gitea-mailer-password.age";
mode = "600";
owner = "gitea";
};
# gitea
services.gitea = {
enable = true;
package = pkgs.forgejo;
appName = "pub.solar git server";
database = {
type = "postgres";
passwordFile = config.age.secrets.gitea-database-password.path;
};
lfs.enable = true;
mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
settings = {
server = {
ROOT_URL = "https://git.pub.solar";
DOMAIN = "git.pub.solar";
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3000;
};
mailer = {
ENABLED = true;
PROTOCOL = "smtps";
SMTP_ADDR = "mx2.greenbaum.cloud";
SMTP_PORT = 465;
FROM = ''"pub.solar git server" <gitea@pub.solar>'';
USER = "admins@pub.solar";
};
"repository.signing" = {
SIGNING_KEY = "default";
MERGES = "always";
};
openid = {
ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = true;
};
# uncomment after initial deployment, first user is admin user
# required to setup SSO (oauth openid-connect, keycloak auth provider)
service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
service.ENABLE_NOTIFY_MAIL = true;
session.COOKIE_SECURE = lib.mkForce true;
};
};
# See: https://docs.gitea.io/en-us/signing/#installing-and-generating-a-gpg-key-for-gitea
# Required for gitea server side gpg signatures
# configured/setup manually in:
# /var/lib/gitea/data/home/.gitconfig
# /var/lib/gitea/data/home/.gnupg/
# sudo su gitea
# export GNUPGHOME=/var/lib/gitea/data/home/.gnupg
# gpg --quick-gen-key 'pub.solar gitea <gitea@pub.solar>' ed25519
# TODO: implement declarative GPG key generation and
# gitea gitconfig
programs.gnupg.agent = {
enable = true;
pinentryFlavor = "curses";
};
# Required to make gpg work without a graphical environment?
# otherwise generating a new gpg key fails with this error:
# gpg: agent_genkey failed: No pinentry
# see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
environment.variables = {
GPG_TTY = "$(tty)";
};
}
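Review bot: the comment `# uncomment after initial deployment, first user is admin user` no longer matches the lines under it, which are active (`service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;`); reword it to the current procedure, e.g. "comment out `ALLOW_ONLY_EXTERNAL_REGISTRATION` for the initial deployment so the first (admin) user can register locally, then re-enable it". The `# TODO: implement declarative GPG key generation` block documents a manual step on the host; linking the exact commands that were run (they are already listed) from the README would keep that procedure discoverable.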


@ -0,0 +1,44 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [];
boot.initrd.availableKernelModules = ["ahci" "virtio_pci" "xhci_pci" "sr_mod" "virtio_blk"];
boot.initrd.kernelModules = [];
boot.kernelModules = [];
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
autoResize = true;
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
fileSystems."/data" = {
device = "/dev/disk/by-label/ephemeral0";
fsType = "ext4";
options = [
"defaults"
"nofail"
];
};
swapDevices = [];
networking.useDHCP = lib.mkDefault false;
networking.networkmanager.enable = lib.mkForce false;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@ -0,0 +1,30 @@
{
config,
lib,
inputs,
pkgs,
self,
...
}: {
age.secrets.keycloak-database-password = {
file = "${self}/secrets/keycloak-database-password.age";
mode = "700";
#owner = "keycloak";
};
# keycloak
services.keycloak = {
enable = true;
database.passwordFile = config.age.secrets.keycloak-database-password.path;
settings = {
hostname = "auth.pub.solar";
http-host = "127.0.0.1";
http-port = 8080;
proxy = "edge";
features = "declarative-user-profile";
};
themes = {
"pub.solar" = inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
};
};
}
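Review bot: `mode = "700"` on `age.secrets.keycloak-database-password` sets the execute bit on a secret file; `"600"`, as used for the other secrets in this change, is sufficient. Since `owner` is commented out the file stays root-owned, which only works if the Keycloak module reads the password file as root (for example via systemd credentials) rather than as the service user; a one-line comment saying which is the case would save the next reader from "fixing" it.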

hosts/flora-6/mailman.nix Normal file

@ -0,0 +1,102 @@
{
config,
lib,
pkgs,
self,
...
}: let
# Source: https://github.com/NixOS/nixpkgs/blob/nixos-22.11/nixos/modules/services/mail/mailman.nix#L9C10-L10
# webEnv is required by the mailman-uwsgi systemd service
inherit (pkgs.mailmanPackages.buildEnvs {}) webEnv;
in {
networking.firewall.allowedTCPPorts = [25];
services.postfix = {
enable = true;
relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
# get TLS certs for list.pub.solar from caddy
# TODO: when caddy renews certs, postfix doesn't know about it
# implement custom built caddy with events exec handler or systemd-reload
# hook so postfix reloads, too
sslCert = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/list.pub.solar/list.pub.solar.crt";
sslKey = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/list.pub.solar/list.pub.solar.key";
config = {
transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
};
rootAlias = "admins@pub.solar";
postmasterAlias = "admins@pub.solar";
hostname = "list.pub.solar";
};
systemd.paths.watcher-caddy-ssl-file = {
description = "Watches for changes in caddy's TLS cert file (after renewals) to reload postfix";
documentation = ["systemd.path(5)"];
partOf = ["postfix-reload.service"];
pathConfig = {
PathChanged = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/list.pub.solar/list.pub.solar.crt";
Unit = "postfix-reload.service";
};
wantedBy = ["multi-user.target"];
};
systemd.services."postfix-reload" = {
description = "Reloads postfix config, e.g. after TLS certs change, notified by watcher-caddy-ssl-file.path";
documentation = ["systemd.path(5)"];
requires = ["postfix.service"];
after = ["postfix.service"];
startLimitIntervalSec = 10;
startLimitBurst = 5;
serviceConfig.Type = "oneshot";
script = ''
${pkgs.systemd}/bin/systemctl reload postfix
'';
wantedBy = ["multi-user.target"];
};
services.mailman = {
enable = true;
# We use caddy instead of nginx
#serve.enable = true;
hyperkitty.enable = true;
webHosts = ["list.pub.solar"];
siteOwner = "admins@pub.solar";
};
# TODO add django-keycloak as auth provider
# https://django-keycloak.readthedocs.io/en/latest/
## Extend settings.py directly since this can't be done via JSON
## settings (services.mailman.webSettings)
#environment.etc."mailman3/settings.py".text = ''
# INSTALLED_APPS.extend([
# "allauth.socialaccount.providers.github",
# "allauth.socialaccount.providers.gitlab"
# ])
#'';
systemd.services.mailman-uwsgi = let
uwsgiConfig.uwsgi = {
type = "normal";
plugins = ["python3"];
home = webEnv;
manage-script-name = true;
mount = "/=mailman_web.wsgi:application";
http = "127.0.0.1:18507";
};
uwsgiConfigFile = pkgs.writeText "uwsgi-mailman.json" (builtins.toJSON uwsgiConfig);
in {
wantedBy = ["multi-user.target"];
after = ["postgresql.service"];
requires = ["mailman-web-setup.service" "postgresql.service"];
restartTriggers = [config.environment.etc."mailman3/settings.py".source];
serviceConfig = {
# Since the mailman-web settings.py obstinately creates a logs
# dir in the cwd, change to the (writable) runtime directory before
# starting uwsgi.
ExecStart = "${pkgs.coreutils}/bin/env -C $RUNTIME_DIRECTORY ${pkgs.uwsgi.override {plugins = ["python3"];}}/bin/uwsgi --json ${uwsgiConfigFile}";
User = "mailman-web";
Group = "mailman";
RuntimeDirectory = "mailman-uwsgi";
};
};
}
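Review bot: the `# TODO: when caddy renews certs, postfix doesn't know about it` comment above `sslCert`/`sslKey` is now stale, because `systemd.paths.watcher-caddy-ssl-file` together with `postfix-reload.service` implements exactly that reload; drop the TODO or turn it into a pointer to the path unit. Note that `PathChanged` only watches the `.crt` file, so a renewal that rewrites the key after the certificate could reload Postfix with a mismatched pair; watching the `list.pub.solar/` directory or adding the `.key` path to `PathChanged` avoids that.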

hosts/flora-6/owncast.nix Normal file

@ -0,0 +1,24 @@
{
config,
lib,
pkgs,
self,
...
}: {
# owncast
services.owncast = {
enable = true;
user = "owncast";
group = "owncast";
# The directory where owncast stores its data files.
dataDir = "/var/lib/owncast";
# Open the appropriate ports in the firewall for owncast.
openFirewall = true;
# The IP address to bind the owncast web server to.
listen = "127.0.0.1";
# TCP port where owncast rtmp service listens.
rtmp-port = 1935;
# TCP port where owncast web-gui listens.
port = 5000;
};
}
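Review bot: `openFirewall = true` opens `rtmp-port` (1935) and, if the module also opens `port` for a non-localhost `listen` value (check whether `127.0.0.1` counts as localhost there), 5000 as well; the web UI is bound to `listen = "127.0.0.1"` and served through Caddy on `stream.pub.solar`, so only the RTMP ingest port needs to be reachable. `networking.firewall.allowedTCPPorts = [1935];` with `openFirewall = false` is the narrower choice; the ingest port remains internet-facing either way.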


@ -0,0 +1,9 @@
{
pkgs,
inputs,
...
}: {
environment.systemPackages = with pkgs; [
inputs.triton-vmtools.packages.${pkgs.system}.default
];
}


@ -25,6 +25,11 @@ in {
programs.command-not-found.enable = false;
environment.systemPackages = with pkgs; [
ack
bat
exa
fd
neovim
screen
];


@ -3,17 +3,17 @@
{
blesh-nvfetcher = {
pname = "blesh-nvfetcher";
version = "9d84b424daf31b192891c06275fff316fa5ddd35";
version = "4089c4e1cb411121472180189953664b978d8972";
src = fetchFromGitHub {
owner = "akinomyoga";
repo = "ble.sh";
rev = "9d84b424daf31b192891c06275fff316fa5ddd35";
rev = "4089c4e1cb411121472180189953664b978d8972";
fetchSubmodules = true;
deepClone = false;
leaveDotGit = true;
sha256 = "sha256-7aX5UtDB9pUHHeOi9n+qWsM2KGenHVL6O18vG9W8tmQ=";
sha256 = "sha256-ZLkiBm3vsRe42crLffM9Z8F5yzKvNRV2/AqK9RkuU+8=";
};
date = "2023-10-02";
date = "2023-07-18";
};
instant-nvim-nvfetcher = {
pname = "instant-nvim-nvfetcher";
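Review bot: relative to `main`, this hunk pins `blesh-nvfetcher` to an older revision, moving from `9d84b424…` dated 2023-10-02 to `4089c4e1…` dated 2023-07-18 (the `sha256` changes accordingly). If pinning an older ble.sh is not the intent of the branch, this looks like a merge artefact and `nvfetcher` should be re-run on `infra` so sources.nix matches `main` again.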


@ -7,6 +7,13 @@
psCfg = config.pub-solar;
wlroots = psCfg.graphical.wayland;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
globalVariables = {
EDITOR = "/run/current-system/sw/bin/nvim";
VISUAL = "/run/current-system/sw/bin/nvim";
# Make sure virsh runs without root
LIBVIRT_DEFAULT_URI = "qemu:///system";
};
variables = {
XDG_CONFIG_HOME = xdg.configHome;
XDG_CACHE_HOME = xdg.cacheHome;
@ -25,11 +32,8 @@
then "pixman"
else "gles2";
EDITOR = "/etc/profiles/per-user/${psCfg.user.name}/bin/nvim";
VISUAL = "/etc/profiles/per-user/${psCfg.user.name}/bin/nvim";
# fix "xdg-open fork-bomb" your preferred browser from here
BROWSER = "${pkgs.firefox-wayland}/bin/firefox";
BROWSER = "firefox";
# node
NODE_REPL_HISTORY = "${xdg.dataHome}/node_repl_history";
@ -41,9 +45,6 @@
NPM_CONFIG_CACHE = "${xdg.configHome}/npm";
# TODO: used to be XDG_RUNTIME_DIR NPM_CONFIG_TMP = "/tmp/npm";
# Make sure virsh runs without root
LIBVIRT_DEFAULT_URI = "qemu:///system";
# wine
WINEPREFIX = "${xdg.dataHome}/wineprefixes/default";
@ -120,5 +121,5 @@ in {
systemd.user.sessionVariables = variablesWithMeta;
};
environment.variables = variablesWithMeta;
environment.variables = globalVariables;
}


secrets/drone-secrets.age Normal file







@ -1,8 +1,26 @@
let
# set ssh public keys here for your system and user
system = "";
user = "";
allKeys = [system user];
b12f-bbcom = "ssh-rsa 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";
teutat3s-dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
flora-6 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP1InpTBN4AlF/4V8HHumAMLJzeO8DpzjUv9Co/+J09 root@pub-solar-infra-vm-1";
allKeys = [
flora-6
teutat3s-dumpyourvms
b12f-bbcom
];
deployKeys = [
flora-6
teutat3s-dumpyourvms
b12f-bbcom
];
in {
"secret.age".publicKeys = allKeys;
"gitea-database-password.age".publicKeys = deployKeys;
"gitea-mailer-password.age".publicKeys = deployKeys;
"keycloak-database-password.age".publicKeys = deployKeys;
"drone-secrets.age".publicKeys = deployKeys;
"drone-db-secrets.age".publicKeys = deployKeys;
"mailman-core-secrets.age".publicKeys = deployKeys;
"mailman-web-secrets.age".publicKeys = deployKeys;
"mailman-db-secrets.age".publicKeys = deployKeys;
}
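Review bot: `allKeys` and `deployKeys` contain the identical three keys, so the distinction carries no information; either collapse them into one list or document the intended split (for example `deployKeys` = the host key plus the admins who deploy, `allKeys` = everyone who may read `secret.age`). The leading comment `# set ssh public keys here for your system and user` is left over from the template and no longer describes the file. For the record: the `flora-6` host key is a recipient of every service secret, which is what lets the host decrypt them at activation time but also means root on flora-6 can read all of them; that is the normal agenix model, and a comment saying so would pre-empt the question.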


@ -59,6 +59,6 @@ in {
]
++ lib.optionals (pkgs.stdenv.hostPlatform.isLinux && !pkgs.stdenv.buildPlatform.isDarwin) [
(devos nixos-generators)
(devos deploy-rs.deploy-rs)
(devos inputs.deploy.packages.${pkgs.system}.deploy-rs)
];
}


@ -0,0 +1,42 @@
{
config,
hmUsers,
pkgs,
lib,
...
}: let
psCfg = config.pub-solar;
in {
config = {
home-manager.users = {inherit (hmUsers) barkeeper;};
pub-solar = {
# These are your personal settings
# The only required settings are `name` and `password`,
# The rest is used for programs like git
user = {
name = "barkeeper";
description = "pub.solar infra user";
password = "$6$MCJ28kLwfNl9SNDq$Oh9eT6Sn6z4xGrQsLlIBI7cvJzX3P5As59OSZ.hoeBWc79Un2YdwH/hRIC.4ZDOuwQp0lHI82dNn/xeTaCn631";
fullName = "pub.solar infra barkeeper";
email = "admins@pub.solar";
gpgKeyId = "";
publicKeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHx4A8rLYmFgTOp1fDGbbONN8SOT0l5wWrUSYFUcVzMPTyfdT23ZVIdVD5yZCySgi/7PSh5mVmyLIZVIXlNrZJg= @b12f Yubi Main"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFro/k4Mgqyh8yV/7Zwjc0dv60ZM7bROBU9JNd99P/4co6fxPt1pJiU/pEz2Dax/HODxgcO+jFZfvPEuLMCeAl0= YubiKey #10593996 PIV Slot 9a @teutat3s"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135 @hensoko"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb @hensoko"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKa5elEXgBc2luVBOHVWZisJgt0epFQOercPi0tZzPU root@cloud.pub.solar"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix"
];
};
};
};
}
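Review bot: `password` is a SHA-512 crypt hash (`$6$…`) committed to the repository; anyone with read access to the repo can attack it offline, so prefer supplying it through an age secret (for example NixOS's `users.users.<name>.hashedPasswordFile` pointing at `config.age.secrets.<name>.path`, if the `pub-solar.user` module can be taught to pass that through) or, since SSH to flora-6 is key-only and sudo is `NOPASSWD` for this user, consider whether the account needs a password at all. The authorized key list mixes personal keys with `root@cloud.pub.solar`, a machine key; a short comment on what that host uses barkeeper access for would help with key review later.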