From 65ec0779b7474d2668a38f181230808c4bd6e8a6 Mon Sep 17 00:00:00 2001 From: schweby Date: Sat, 9 Jul 2022 19:36:24 +0200 Subject: [PATCH 01/23] init basic untested config --- hosts/parsons/configuration.nix | 1 + services/gitea.nix | 108 ++++++++++++++++++++++++++++++++ 2 files changed, 109 insertions(+) create mode 100644 services/gitea.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index 937ea4a..c8aef57 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -17,6 +17,7 @@ ../../services/mail.nix ../../services/syncthing.nix ../../services/gitlab.nix + ../../services/gitea.nix ../../services/nginx-pages.nix ../../services/gitlab-runner.nix ../../services/lantifa.nix diff --git a/services/gitea.nix b/services/gitea.nix new file mode 100644 index 0000000..5db2d08 --- /dev/null +++ b/services/gitea.nix 
@@ -0,0 +1,108 @@ +{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }: + +{ + containers.gitea = { + privateNetwork = true; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.10"; + autoStart = true; + bindMounts = { + "/persist" = { + hostPath = "/persist/containers/gitea"; + isReadOnly = false; + }; + }; + path = (evalConfig { + hosts = { }; + groups = { }; + } ({ config, lib, pkgs, profiles, modules, sources, ... }: { + boot.isContainer = true; + networking.useDHCP = false; + users.users.root.hashedPassword = ""; + + imports = [ ((import sources.nix-hexchen) { }).profiles.nopersist ]; + + nixpkgs.config.allowUnfree = true; + networking.firewall.enable = false; + networking.defaultGateway = { + address = "192.168.100.1"; + interface = "eth0"; + }; + services.coredns = { + enable = true; + config = '' + .:53 { + forward . 1.1.1.1 + } + ''; + }; + services.gitea = { + enable = true; + appName = "0x0: git for all creatures"; + rootUrl = "https://git.infra4future.de/"; + httpAddress = "0.0.0.0"; + httpPort = 3000; + lfs.enable = true; + disableRegistration = true; + database.type = "postgres"; + cookieSecure = true; + log.level = "Info"; + # mailerPasswordFile = + # "/var/lib/secrets/noreply"; # see below for access permissions + # settings = { + # mailer = { + # ENABLED = true; + # HOST = "0x0.rip:465"; + # FROM = "noreply@0x0.rip"; + # ENVELOPE_FROM = "noreply@0x0.rip"; + # USER = "noreply@0x0.rip"; + + # }; + repository = { + DEFAULT_PRIVATE = "public"; + PREFERRED_LICENSES = "Unlicense"; + DEFAULT_BRANCH = "main"; + }; + "repository.pull-requests" = { + DEFAULT_MERGE_STYLE = "merge"; + DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true; + }; + "repository.upload".FILE_MAX_SIZE = 1024; + server = { + LANDING_PAGE = "explore"; + OFFLINE = true; + }; + security = { INSTALL_LOCK = true; }; + other = { + SHOW_FOOTER_VERSION = false; + SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; + }; + cron = { + ENABLED = true; + NOTICE_ON_SUCCESS = true; + }; + 
"cron.update_mirrors" = { + SCHEDULE = "@every 12h"; + PULL_LIMIT = "-1"; + PUSH_LIMIT = "-1"; + }; + "cron.git_gc_repos".ENABLED = true; + "cron.delete_old_actions".ENABLED = true; + }; + services.postgresqlBackup = { + enable = true; + databases = [ "gitea" ]; + startAt = "*-*-* 23:45:00"; + location = "/persist/backups/postgres"; + }; + })).config.system.build.toplevel; + }; + + services.nginx.virtualHosts."git.infra4future.de" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${config.containers.gitea.localAddress}:3000"; + }; + }; +} From db5865fff22f3ddb59cb9148e9c9e4e5a30c657c Mon Sep 17 00:00:00 2001 From: schweby Date: Sat, 9 Jul 2022 19:39:40 +0200 Subject: [PATCH 02/23] !fixup add missing settings section --- services/gitea.nix | 75 +++++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 37 deletions(-) diff --git a/services/gitea.nix b/services/gitea.nix index 5db2d08..2b35352 100644 --- a/services/gitea.nix +++ b/services/gitea.nix 
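Review bot: `users.users.root.hashedPassword = ""` leaves the container's root account with an empty password hash, which NixOS's default PAM configuration treats as password-less login; together with `networking.firewall.enable = false` and Gitea listening on `httpAddress = "0.0.0.0"`, the container has no defence of its own and relies entirely on the host's NAT and nginx layer. Root on this container is only needed through `nixos-container root-login`, which does not go through password authentication, so lock the account instead: `users.users.root.hashedPassword = "!";`. Keeping the container firewall on and opening only what the host proxy needs is cheap: `networking.firewall.allowedTCPPorts = [ 3000 ];`. This matters more once a later patch in this series adds an sshd inside the same container.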
@@ -49,45 +49,46 @@ log.level = "Info"; # mailerPasswordFile = # "/var/lib/secrets/noreply"; # see below for access permissions - # settings = { - # mailer = { - # ENABLED = true; - # HOST = "0x0.rip:465"; - # FROM = "noreply@0x0.rip"; - # ENVELOPE_FROM = "noreply@0x0.rip"; - # USER = "noreply@0x0.rip"; + settings = { + # mailer = { + # ENABLED = true; + # HOST = "0x0.rip:465"; + # FROM = "noreply@0x0.rip"; + # ENVELOPE_FROM = "noreply@0x0.rip"; + # USER = "noreply@0x0.rip"; - # }; - repository = { - DEFAULT_PRIVATE = "public"; - PREFERRED_LICENSES = "Unlicense"; - DEFAULT_BRANCH = "main"; + # }; + repository = { + DEFAULT_PRIVATE = "public"; + PREFERRED_LICENSES = "Unlicense"; + DEFAULT_BRANCH = "main"; + }; + "repository.pull-requests" = { + DEFAULT_MERGE_STYLE = "merge"; + DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true; + }; + "repository.upload".FILE_MAX_SIZE = 1024; + server = { + LANDING_PAGE = "explore"; + OFFLINE = true; + }; + security = { INSTALL_LOCK = true; }; + other = { + SHOW_FOOTER_VERSION = false; + SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; + }; + cron = { + ENABLED = true; + NOTICE_ON_SUCCESS = true; + }; + "cron.update_mirrors" = { + SCHEDULE = "@every 12h"; + PULL_LIMIT = "-1"; + PUSH_LIMIT = "-1"; + }; + "cron.git_gc_repos".ENABLED = true; + "cron.delete_old_actions".ENABLED = true; }; - "repository.pull-requests" = { - DEFAULT_MERGE_STYLE = "merge"; - DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true; - }; - "repository.upload".FILE_MAX_SIZE = 1024; - server = { - LANDING_PAGE = "explore"; - OFFLINE = true; - }; - security = { INSTALL_LOCK = true; }; - other = { - SHOW_FOOTER_VERSION = false; - SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; - }; - cron = { - ENABLED = true; - NOTICE_ON_SUCCESS = true; - }; - "cron.update_mirrors" = { - SCHEDULE = "@every 12h"; - PULL_LIMIT = "-1"; - PUSH_LIMIT = "-1"; - }; - "cron.git_gc_repos".ENABLED = true; - "cron.delete_old_actions".ENABLED = true; }; services.postgresqlBackup = { enable = true; 
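Review bot: `repository.DEFAULT_PRIVATE = "public"` makes every newly created repository world-readable unless the creator opts out, and nothing in the file records that this is intentional for a public forge; a one-line comment such as `# new repos are public unless the creator chooses otherwise (valid values: last, private, public)` would stop a later maintainer from "fixing" it. The re-indented block also keeps the commented `mailerPasswordFile = "/var/lib/secrets/noreply"` with a note "see below for access permissions" that points at nothing in this file; either drop the stale pointer or state where that secret is provisioned so it does not end up committed next to the config.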
From f9f1eee6fde9f2eb2c2d6ec7c7be93ec63a9942f Mon Sep 17 00:00:00 2001 From: stuebinm Date: Tue, 19 Jul 2022 17:32:00 +0200 Subject: [PATCH 03/23] update lantifa source urls & hashes --- services/lantifa.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/lantifa.nix b/services/lantifa.nix index 3b7c04d..e1649d2 100644 --- a/services/lantifa.nix +++ b/services/lantifa.nix @@ -40,7 +40,7 @@ extraConfig = let wikidb = pkgs.fetchzip { url = "https://www.kennel17.co.uk/uploads/testwiki/e/e9/WikiDB.zip"; - sha256 = "0pns9fk1ws54m7rgbfsrxqh6ayab16mmnvzba8m4malljgrbil8b"; + sha256 = "sha256-8pMNQwmGEsbIoSV1s4RL5Xqq4+f+GNOaCB8VlVnbweY="; }; in '' // Configure short URLs @@ -77,8 +77,8 @@ sha256 = "1k0z44jfqsxzwy6jjz3yfibiq8wi845d5iwwh8j3yijn2854fj0i"; }; intersection = pkgs.fetchzip { # This is the DynamicPageList extension - url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_36-4a70dbd.tar.gz"; - sha256 = "0s70fqkf5ylpsxy1h3hljic8708j6099mz12b6k03hgwc582yywi"; + url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_36-82eb087.tar.gz"; + sha256 = "sha256-TD58DvJ4CFASP4rIc94jeB4SN4zktLe33xZtz/Qg2dk="; }; PageForms = pkgs.fetchzip { url = "https://github.com/wikimedia/mediawiki-extensions-PageForms/archive/5.0.1.zip"; From b5a68e09fd46640e2c3820a83f51e3d14d827f25 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Wed, 20 Jul 2022 18:30:47 +0200 Subject: [PATCH 04/23] gitea: fix uffd login (note that this actually has to patch uffd) --- pkgs/uffd/default.nix | 5 ++--- pkgs/uffd/gitea-magic.patch | 32 ++++++++++++++++++++++++++++++++ services/gitea.nix | 6 ++++++ 3 files changed, 40 insertions(+), 3 deletions(-) create mode 100644 pkgs/uffd/gitea-magic.patch diff --git a/pkgs/uffd/default.nix b/pkgs/uffd/default.nix index 9e23c8b..761ff6a 100644 --- a/pkgs/uffd/default.nix +++ b/pkgs/uffd/default.nix 
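Review bot: The WikiDB source keeps the same unversioned URL (`https://www.kennel17.co.uk/uploads/testwiki/e/e9/WikiDB.zip`) while its hash changes, so either the archive's contents changed upstream or the hash was merely rewritten in SRI form — the commit message ("update ... hashes") does not say which, and only the first case needs review. A fixed-output hash pins what was fetched once, not what was audited: if the contents did change, the diff of the extracted extension should be looked at before it goes into a MediaWiki deployment, and the commit should name the snapshot taken. The `intersection` bump to `REL1_36-82eb087` is traceable by commit id and is fine; give WikiDB the same traceability with a comment like `# WikiDB snapshot fetched 2022-07-19; upstream URL is unversioned`.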
@@ -5,12 +5,11 @@ python3Packages.buildPythonPackage rec {
 version = "2.0.1";
 src = fetchzip {
- url =
- "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz";
+ url = "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz";
 hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4=";
 };
- patches = [ ./fix-setuppy.patch ./fix-userinfo.patch ];
+ patches = [ ./gitea-magic.patch ./fix-setuppy.patch ./fix-userinfo.patch ];
 propagatedBuildInputs = with python3Packages; [
 flask
diff --git a/pkgs/uffd/gitea-magic.patch b/pkgs/uffd/gitea-magic.patch
new file mode 100644
index 0000000..a2b3430
--- /dev/null
+++ b/pkgs/uffd/gitea-magic.patch
@@ -0,0 +1,32 @@
+From e3c0995160a653ef6cd8784b255036585b273b82 Mon Sep 17 00:00:00 2001
+From: stuebinm
+Date: Wed, 20 Jul 2022 18:02:15 +0200
+Subject: [PATCH] magic gitea patch
+
+---
+ uffd/oauth2/views.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/uffd/oauth2/views.py b/uffd/oauth2/views.py
+index d13fd42..94352be 100644
+--- a/uffd/oauth2/views.py
++++ b/uffd/oauth2/views.py
+@@ -230,6 +230,15 @@ def oauth_required(*scopes):
+ @oauth_required('profile')
+ def userinfo():
+ user = request.oauth.user
++ client = request.oauth.client_id
++ if client == "gitea":
++ return jsonify(
++ id=user.unix_uid,
++ full_name=user.displayname,
++ login=user.loginname,
++ email=user.mail,
++ groups=[group.name for group in user.groups]
++ )
+ return jsonify(
+ id=user.unix_uid,
+ name=user.displayname,
+--
+2.36.0
+
diff --git a/services/gitea.nix b/services/gitea.nix
index 2b35352..ec370e7 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -22,6 +22,8 @@
 imports = [ ((import sources.nix-hexchen) { }).profiles.nopersist ];
+ environment.systemPackages = [ pkgs.gitea ];
+
 nixpkgs.config.allowUnfree = true;
 networking.firewall.enable = false;
 networking.defaultGateway = {
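Review bot: The added branch in `userinfo()` hands out `email` and the complete `groups` list to whichever client presents `client_id == "gitea"`, gated only by the `profile` scope that already protected the view, and nothing records whether `user.mail` is a verified address — Gitea's automatic account linking (configured later in this series) keys on exactly that claim, so an unverified e-mail here becomes an account-takeover path on the Gitea side. The string comparison also couples uffd to the client name registered for Gitea with no comment explaining it; a header such as `# Gitea expects the claim names full_name/login/email/groups; the id must match the OAuth2 client registered for git.infra4future.de` would make the patch self-explaining. The default `jsonify(...)` call of `userinfo()` continues past the end of this hunk, so the claims returned to other clients are not visible here.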
@@ -63,6 +65,10 @@
 PREFERRED_LICENSES = "Unlicense";
 DEFAULT_BRANCH = "main";
 };
+ oauth2_client = {
+ ACCOUNT_LINKING = "auto";
+ ENABLE_AUTO_REGISTRATION = true;
+ };
 "repository.pull-requests" = {
 DEFAULT_MERGE_STYLE = "merge";
 DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true;
From c854e10980d5ad6b4fb2d8b1efc654b7b2ed1c9f Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Fri, 22 Jul 2022 18:50:00 +0200
Subject: [PATCH 05/23] gitea: enable offline mode
---
 services/gitea.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/gitea.nix b/services/gitea.nix
index ec370e7..a270512 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -76,7 +76,7 @@
 "repository.upload".FILE_MAX_SIZE = 1024;
 server = {
 LANDING_PAGE = "explore";
- OFFLINE = true;
+ OFFLINE_MODE = true;
 };
 security = { INSTALL_LOCK = true; };
 other = {
From a1c5832a5125c590799f1719e676a1dec19167c4 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Mon, 1 Aug 2022 18:39:46 +0200
Subject: [PATCH 06/23] gitea: save state under /persist
---
 services/gitea.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/services/gitea.nix b/services/gitea.nix
index a270512..a84e505 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -24,6 +24,8 @@
 environment.systemPackages = [ pkgs.gitea ];
+ hexchen.bindmounts."/var/lib/gitea" = "/persist/gitea";
+
 nixpkgs.config.allowUnfree = true;
 networking.firewall.enable = false;
 networking.defaultGateway = {
From e246563f5723c234a64e6ea196f6d573695d0b0b Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Mon, 1 Aug 2022 20:54:17 +0200
Subject: [PATCH 07/23] git ssh: switch to gitea (instead of gitlab)
---
 services/gitea.nix | 13 +++++++++++++
 services/gitlab.nix | 10 +++++-----
 2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/services/gitea.nix b/services/gitea.nix
index a84e505..e24bcc6 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
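Review bot: `ACCOUNT_LINKING = "auto"` tells Gitea to attach an OAuth login to any existing local account that shares its e-mail address, and `ENABLE_AUTO_REGISTRATION = true` creates accounts for unknown users, so the `disableRegistration = true` earlier in this file no longer bounds who can obtain an account — anyone the configured OAuth provider authenticates can. That is presumably the intent with uffd as the single identity source, but it makes the provider's e-mail claim the account-takeover boundary, and nothing next to these lines says so; add `# uffd is the only login source; auto-linking trusts its e-mail claim, so never add a provider that allows unverified addresses`. If pre-existing local password accounts are not meant to be merged silently, `ACCOUNT_LINKING = "login"` (link only after the user proves they own the local account) is the more conservative setting and costs nothing here.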
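Review bot: Persisting `/var/lib/gitea` also persists the secrets the NixOS Gitea module keeps under the state dir's `custom/conf/` by default (secret key, internal token, JWT secrets), so host path `/persist/containers/gitea/gitea` now holds material that authenticates every session and internal API call and sits next to the `backups/postgres` dumps under the same host directory; anything that copies one of those trees off-site should treat the other as secret-bearing too. Nothing in this series bind-mounts the PostgreSQL data directory: if the `nopersist` profile discards `/var/lib` on reboot (not visible here), the live database would come back empty while only the 23:45 dump survives, so either add `hexchen.bindmounts."/var/lib/postgresql" = "/persist/postgresql";` or note why it is not needed.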
@@ -104,6 +104,14 @@
 startAt = "*-*-* 23:45:00";
 location = "/persist/backups/postgres";
 };
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ listenAddresses = [ {
+ addr = "192.168.100.10";
+ port = 22;
+ } ];
+ };
 })).config.system.build.toplevel;
 };
@@ -114,4 +122,9 @@
 proxyPass = "http://${config.containers.gitea.localAddress}:3000";
 };
 };
+ hexchen.nftables.nat.forwardPorts = [{
+ ports = [ 22 ];
+ destination = "${config.containers.gitea.localAddress}:22";
+ proto = "tcp";
+ }];
 }
diff --git a/services/gitlab.nix b/services/gitlab.nix
index 5de66be..8a2c708 100644
--- a/services/gitlab.nix
+++ b/services/gitlab.nix
@@ -133,11 +133,11 @@
 })).config.system.build.toplevel;
 };
- hexchen.nftables.nat.forwardPorts = [{
- ports = [ 22 ];
- destination = "${config.containers.gitlab.localAddress}:22";
- proto = "tcp";
- }];
+ # hexchen.nftables.nat.forwardPorts = [{
+ # ports = [ 22 ];
+ # destination = "${config.containers.gitlab.localAddress}:22";
+ # proto = "tcp";
+ # }];
 services.nginx.virtualHosts."gitlab.infra4future.de" = {
 locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80";
From 45ceeef189f95616ecb38a75dfe1828e591c7cb8 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Wed, 3 Aug 2022 11:26:05 +0200
Subject: [PATCH 08/23] gitea: git protocol v2 over ssh cf. https://docs.gitea.io/en-us/config-cheat-sheet/#git-git, entry for option ENABLE_AUTO_GIT_WIRE_PROTOCOL
---
 services/gitea.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/services/gitea.nix b/services/gitea.nix
index e24bcc6..19d5455 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -111,6 +111,9 @@
 addr = "192.168.100.10";
 port = 22;
 } ];
+ extraConfig = ''
+ AcceptEnv GIT_PROTOCOL
+ '';
 };
 })).config.system.build.toplevel;
 };
From f53cb24d2e55b5e083e4004e37ab1e47b632fe68 Mon Sep 17 00:00:00 2001
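Review bot: The container's sshd becomes reachable on the public port 22 through the NAT rule, yet nothing restricts which accounts may log in: root carries an empty `hashedPassword` earlier in this file, so `passwordAuthentication = false` is doing all the work, and keyboard-interactive (PAM) authentication stays at its default. The only legitimate SSH principal here is presumably Gitea's own `gitea` user serving `git` over `gitea serv`, so pin that down: `permitRootLogin = "no";` plus `kbdInteractiveAuthentication = false;` (option name varies by NixOS release) and `extraConfig = "AllowUsers gitea";`, into which the later `AcceptEnv GIT_PROTOCOL` line can also go. Commenting out the GitLab forward rather than deleting it leaves GitLab SSH pushes silently broken; if that is the intended cut-over, say so in the commit and drop the dead block.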
From: stuebinm Date: Wed, 7 Sep 2022 22:06:16 +0200 Subject: [PATCH 09/23] update infra4future.de index website --- websites/infra4future.de/index.md | 26 +++++++------------------- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/websites/infra4future.de/index.md b/websites/infra4future.de/index.md index 6c6d375..eabf560 100644 --- a/websites/infra4future.de/index.md +++ b/websites/infra4future.de/index.md 
@@ -23,34 +23,22 @@ Die Nutzung ist für alle offen! Einfach bei dem Login-Screen auf Registrieren k {% include a-name.html name="services" %} # Dienste -Bisher haben wir auf diesem Server schon einige Dienste installiert, darunter: +Sobald ihr einen Account für infra4future habt, könnt ihr euch mit diesem zu allen diesen Diensten einloggen ohne euch für jeden nochmal extra registrieren zu müssen. Eine vollständige Liste an für euch nutzbaren Diensten findet ihr unter [login.infra4future.de](https://login.infra4future.de). Dort könnt ihr außerdem euren Account verwalten und z.B. das Passwort, Mailadresse, oder Anzeigenamen ändern. + +Aktuell betreiben wir: - [Nextcloud](https://cloud.infra4future.de), mit dem ihr Dateien mit eurer Gruppe oder allen Teilen könnt, sowie einige Erweiterungen: - *Deck* und *Tasks* zum Verwalten (und Überblick-Behalten) über all die Projekte, die mensch so startet - ein Kalender - - Collabora — erlaubt euch, übliche Office-Dokumente direkt online zu bearbeiten - - ein Kochbuch, denn Essen ist wichtig für den Widerstand! 🍲 + - Onlyoffice — erlaubt euch, übliche Office-Dokumente direkt online zu bearbeiten - [Mattermost](https://mattermost.infra4future.de), eine Plattform zur Echtzeitkommunikation, ähnlich zu Slack. - - [Discourse](https://discuss.infra4future.de), ein Forum für asynchrone Kommunikation - - [Mumble](https://mumble.hacc.space), für Telefonkonferenzen. - - [LimeSurvey](https://survey.infra4future.de), ein Tool zum Erstellen und Durchführen von Umfragen - - [GitLab](https://gitlab.infra4future.de) und [GitLab Pages](https://gitlab.infra4future.de/help/user/project/pages/index.md), eine Hostingplattform für git-Repositories, zum gemeinschaftlichen auf-Software-einhacken (und Webseiten hosten). 
- - [hacc.media](https://hacc.media), unsere Videoplattform für Vorträge und ähnliches mit Klimabezug (schreibt uns eine Mail, falls ihr eure Aufnahmen dort auch sehen wollt) - -Sobald ihr einen Account für infra4future habt, könnt ihr euch mit diesem zu allen diesen Diensten einloggen ohne euch für jeden nochmal extra registrieren zu müssen. + - [Mumble](https://mumble.hacc.space), für Audiokonferenzen. + - [Hedgedoc](https://pad.infra4future.de), für schnelle, kollaborative Notizen. + - [Gitea](https://git.infra4future.de), eine Hostingplattform für git-Repositories, zum gemeinschaftlichen auf-Software-einhacken. Falls das eure Bedürfnisse noch nicht abdeckt oder ihr andere coole Software haben die ihr gerne benutzen würdet, meldet euch bei uns — wir können nichts versprechen, aber wenn möglich fügen wir gerne auch noch weitere Dienste dazu. -{% include banner.html quote="It is our predicament that we live in a finite world, and yet we behave as if it were infinite." author="Naomi Klein" %} -{% include a-name.html name="faq" %} -# Frequently Asked Questions - - -{% include faq.html question="Wo kann ich meinen Account bearbeiten?" answer="Deine persönlichen Details kannst du global auf https://auth.infra4future.de/auth/realms/forfuture/account" %} -{% include faq.html question="Ich suche einen Dienst für Videotelefonie" answer="Wir haben unseren Jitsi Dienst aufgrund des hohen Wartungsaufwands eingestellt. Wir können aber [meet.ffmuc.net](https://meet.ffmuc.net/) oder [senfcall.de](https://www.senfcall.de/) empfehlen!" %} - - From 3ea537459bbfd65c126ae0af04fd56b7d4c6e036 Mon Sep 17 00:00:00 2001 From: moira Date: Mon, 12 Sep 2022 19:05:32 +0200 Subject: [PATCH 10/23] change name --- common/users.nix | 4 ++-- services/mail.nix | 14 +++++++------- services/syncthing.nix | 8 ++------ websites/muc.hacc.earth/index.html | 2 +- 4 files changed, 12 insertions(+), 16 deletions(-) diff --git a/common/users.nix b/common/users.nix index 7c4cbb9..22002ca 100644 
--- a/common/users.nix +++ b/common/users.nix @@ -48,13 +48,13 @@ packages = with pkgs; [ ffmpeg ]; }; - schweby = { + moira = { uid = 1004; shell = pkgs.fish; isNormalUser = true; extraGroups = [ "wheel" "cdrom" ]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqj9RRfthjBl4+y4YH7aWetx5qs2KOE2B0oOw3pjRrQ schweby 2022-05-22" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrcJRF71+XM5YZj+SaSiGcdVZ0IDxGBXIWssDtHiTtr moira_2022_06" ]; hashedPassword = "$6$zkAsaVdmIduqZxez$GY9aBlYeP41F0it/VbbZzLLLRQhHAbDdFsa3e/1GS9McTuSimMHODg6HqNVEH1zSqD3afhK/0UHfqbtF5qpi90"; }; diff --git a/services/mail.nix b/services/mail.nix index 518f973..211a2e1 100644 --- a/services/mail.nix +++ b/services/mail.nix @@ -42,7 +42,7 @@ "raphael@hacc.space".hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/"; - "schweby@hacc.space".hashedPassword = + "moira@hacc.space".hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1"; "zauberberg@hacc.space".hashedPassword = @@ -81,7 +81,7 @@ "hexchen@hacc.space" "octycs@hacc.space" "raphael@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "zauberberg@hacc.space" "stuebinm@hacc.space" "lenny@hacc.space" @@ -89,12 +89,12 @@ # admin: current people with access to the mail server and knowledge on how to use it™ "admin@hacc.space" = - [ "hexchen@hacc.space" "schweby@hacc.space" "zauberberg@hacc.space" ]; + [ "hexchen@hacc.space" "moira@hacc.space" "zauberberg@hacc.space" ]; # voc: hacc video operation center, various streaming-related things "voc@hacc.space" = [ "hexchen@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "octycs@hacc.space" "stuebinm@hacc.space" "zauberberg@hacc.space" 
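Review bot: The rename keeps `uid = 1004`, the `wheel` (sudo) membership and the identical `hashedPassword` while swapping the SSH key, so the sha512-crypt hash of a privileged account remains checked into the configuration repository and survives the rename unchanged in history; anyone with read access to the repo can feed it to an offline cracker. A rename that already replaces the key is the natural moment to rotate the password as well and to move the hash out of git, e.g. `passwordFile = "/persist/secrets/moira.hash";` (`hashedPasswordFile` on newer releases) with the file provisioned out of band. The old key `...pjRrQ schweby 2022-05-22` disappears from this file, but if it was also authorized elsewhere (other hosts, Gitea/GitLab key lists) this commit does not revoke it.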
@@ -105,13 +105,13 @@ # -- Regional: Germany -- # board of hacc e.V. "vorstand@hacc.space" = - [ "raphael@hacc.space" "schweby@hacc.space" "zauberberg@hacc.space" ]; + [ "raphael@hacc.space" "moira@hacc.space" "zauberberg@hacc.space" ]; # members of hacc e.V. "mitglieder@hacc.space" = [ "hexchen@hacc.space" "raphael@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "zauberberg@hacc.space" "lenny@hacc.space" "octycs@hacc.space" @@ -123,7 +123,7 @@ "hexchen@hacc.space" "octycs@hacc.space" "raphael@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "zauberberg@hacc.space" "stuebinm@hacc.space" "lenny@hacc.space" diff --git a/services/syncthing.nix b/services/syncthing.nix index 3eff7a7..40bab1c 100644 --- a/services/syncthing.nix +++ b/services/syncthing.nix @@ -7,10 +7,6 @@ configDir = "/persist/var/lib/syncthing/"; dataDir = "/persist/data/syncthing/"; devices = { - schweby = { - addresses = []; # empty = dynamic - id = "YF7DNNS-B63GERK-YFQ7G7Q-2DG7557-VIWFOTK-R3JOS63-T76POBQ-F6MO6AH"; - }; raphael-laptop = { addresses = []; # empty = dynamic id = "72B3T74-NOMJV3X-EVJXTJF-5GGAEZB-ZDKBHXQ-VQNRYEU-YCPA2JP-L6NGAAG"; @@ -25,7 +21,7 @@ folders = { "/persist/data/syncthing/hacc/" = { id = "qt2ly-xvvvs"; - devices = [ "schweby" "conway" "raphael-laptop"]; + devices = [ "conway" "raphael-laptop"]; type = "receiveonly"; versioning = { type = "simple"; @@ -34,7 +30,7 @@ }; "/persist/data/syncthing/hacc_eV_vorstand/" = { id = "twwt7-fxrsr"; - devices = [ "schweby" "conway" "raphael-laptop"]; + devices = [ "conway" "raphael-laptop"]; # type = "receiveencrypted"; # no yet implemented }; }; diff --git a/websites/muc.hacc.earth/index.html b/websites/muc.hacc.earth/index.html index fbc0bb4..e386de9 100644 --- a/websites/muc.hacc.earth/index.html +++ b/websites/muc.hacc.earth/index.html @@ -402,7 +402,7 @@ registered at the local court Munich VR 208921
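Review bot: Dropping the `schweby` device from `devices` and from both folder shares stops future syncing, but it does nothing to the copies of `hacc` and `hacc_eV_vorstand` already present on that device, and the commented `# type = "receiveencrypted"` shows the board folder was shared in the clear; confirm the device has been wiped or re-paired under the new identity rather than assuming the config change revokes access. No replacement device for `moira` is added, so the board folder is now shared only with `conway` and `raphael-laptop` — fine if intended, but a comment on the folder (`# schweby's device removed 2022-09; re-add under the new device id once re-paired`) would record it.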
  • raphael or rw
  • zauberberg
  • -
  • schweby
  • +
  • moira
  • Satzung (statutes)
  • From 856cd79c374ba7b3556222abe680388613fc43fc Mon Sep 17 00:00:00 2001 From: schweby Date: Sat, 9 Jul 2022 19:36:24 +0200 Subject: [PATCH 11/23] init basic untested config --- hosts/parsons/configuration.nix | 1 + services/gitea.nix | 108 ++++++++++++++++++++++++++++++++ 2 files changed, 109 insertions(+) create mode 100644 services/gitea.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index 937ea4a..c8aef57 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -17,6 +17,7 @@ ../../services/mail.nix ../../services/syncthing.nix ../../services/gitlab.nix + ../../services/gitea.nix ../../services/nginx-pages.nix ../../services/gitlab-runner.nix ../../services/lantifa.nix diff --git a/services/gitea.nix b/services/gitea.nix new file mode 100644 index 0000000..5db2d08 --- /dev/null +++ b/services/gitea.nix 
@@ -0,0 +1,108 @@ +{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }: + +{ + containers.gitea = { + privateNetwork = true; + hostAddress = "192.168.100.1"; + localAddress = "192.168.100.10"; + autoStart = true; + bindMounts = { + "/persist" = { + hostPath = "/persist/containers/gitea"; + isReadOnly = false; + }; + }; + path = (evalConfig { + hosts = { }; + groups = { }; + } ({ config, lib, pkgs, profiles, modules, sources, ... }: { + boot.isContainer = true; + networking.useDHCP = false; + users.users.root.hashedPassword = ""; + + imports = [ ((import sources.nix-hexchen) { }).profiles.nopersist ]; + + nixpkgs.config.allowUnfree = true; + networking.firewall.enable = false; + networking.defaultGateway = { + address = "192.168.100.1"; + interface = "eth0"; + }; + services.coredns = { + enable = true; + config = '' + .:53 { + forward . 1.1.1.1 + } + ''; + }; + services.gitea = { + enable = true; + appName = "0x0: git for all creatures"; + rootUrl = "https://git.infra4future.de/"; + httpAddress = "0.0.0.0"; + httpPort = 3000; + lfs.enable = true; + disableRegistration = true; + database.type = "postgres"; + cookieSecure = true; + log.level = "Info"; + # mailerPasswordFile = + # "/var/lib/secrets/noreply"; # see below for access permissions + # settings = { + # mailer = { + # ENABLED = true; + # HOST = "0x0.rip:465"; + # FROM = "noreply@0x0.rip"; + # ENVELOPE_FROM = "noreply@0x0.rip"; + # USER = "noreply@0x0.rip"; + + # }; + repository = { + DEFAULT_PRIVATE = "public"; + PREFERRED_LICENSES = "Unlicense"; + DEFAULT_BRANCH = "main"; + }; + "repository.pull-requests" = { + DEFAULT_MERGE_STYLE = "merge"; + DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true; + }; + "repository.upload".FILE_MAX_SIZE = 1024; + server = { + LANDING_PAGE = "explore"; + OFFLINE = true; + }; + security = { INSTALL_LOCK = true; }; + other = { + SHOW_FOOTER_VERSION = false; + SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; + }; + cron = { + ENABLED = true; + NOTICE_ON_SUCCESS = true; + }; + 
"cron.update_mirrors" = { + SCHEDULE = "@every 12h"; + PULL_LIMIT = "-1"; + PUSH_LIMIT = "-1"; + }; + "cron.git_gc_repos".ENABLED = true; + "cron.delete_old_actions".ENABLED = true; + }; + services.postgresqlBackup = { + enable = true; + databases = [ "gitea" ]; + startAt = "*-*-* 23:45:00"; + location = "/persist/backups/postgres"; + }; + })).config.system.build.toplevel; + }; + + services.nginx.virtualHosts."git.infra4future.de" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${config.containers.gitea.localAddress}:3000"; + }; + }; +} From 7db9dbb4c2bb39ca3d4c03617a7d53865bc31273 Mon Sep 17 00:00:00 2001 From: schweby Date: Sat, 9 Jul 2022 19:39:40 +0200 Subject: [PATCH 12/23] !fixup add missing settings section --- services/gitea.nix | 75 +++++++++++++++++++++++----------------------- 1 file changed, 38 insertions(+), 37 deletions(-) diff --git a/services/gitea.nix b/services/gitea.nix index 5db2d08..2b35352 100644 --- a/services/gitea.nix +++ b/services/gitea.nix 
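Review bot: Patches 11–19 re-send 01–09 byte for byte — same author dates, same blob ids (`5db2d08` for this hunk, `2b35352` for the next), same `create mode 100644 services/gitea.nix` — so applying the series with `git am` fails on the second `new file` for a path that already exists; this looks like a rebase/format-patch artifact and the duplicate half should be dropped. On the content, the nginx vhost at the end of this hunk proxies to the container with no forwarding headers visible, and Gitea only honours `X-Forwarded-For` from addresses listed in `[security] REVERSE_PROXY_TRUSTED_PROXIES` (loopback by default); from inside the container nginx is `192.168.100.1`, so every request will be logged with that address and any IP-based abuse detection is blind. Unless `services.nginx.recommendedProxySettings` is enabled elsewhere, turn it on, and add `security.REVERSE_PROXY_TRUSTED_PROXIES = "192.168.100.1";` to `settings` so the real client address reaches Gitea's logs.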
@@ -49,45 +49,46 @@ log.level = "Info"; # mailerPasswordFile = # "/var/lib/secrets/noreply"; # see below for access permissions - # settings = { - # mailer = { - # ENABLED = true; - # HOST = "0x0.rip:465"; - # FROM = "noreply@0x0.rip"; - # ENVELOPE_FROM = "noreply@0x0.rip"; - # USER = "noreply@0x0.rip"; + settings = { + # mailer = { + # ENABLED = true; + # HOST = "0x0.rip:465"; + # FROM = "noreply@0x0.rip"; + # ENVELOPE_FROM = "noreply@0x0.rip"; + # USER = "noreply@0x0.rip"; - # }; - repository = { - DEFAULT_PRIVATE = "public"; - PREFERRED_LICENSES = "Unlicense"; - DEFAULT_BRANCH = "main"; + # }; + repository = { + DEFAULT_PRIVATE = "public"; + PREFERRED_LICENSES = "Unlicense"; + DEFAULT_BRANCH = "main"; + }; + "repository.pull-requests" = { + DEFAULT_MERGE_STYLE = "merge"; + DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true; + }; + "repository.upload".FILE_MAX_SIZE = 1024; + server = { + LANDING_PAGE = "explore"; + OFFLINE = true; + }; + security = { INSTALL_LOCK = true; }; + other = { + SHOW_FOOTER_VERSION = false; + SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; + }; + cron = { + ENABLED = true; + NOTICE_ON_SUCCESS = true; + }; + "cron.update_mirrors" = { + SCHEDULE = "@every 12h"; + PULL_LIMIT = "-1"; + PUSH_LIMIT = "-1"; + }; + "cron.git_gc_repos".ENABLED = true; + "cron.delete_old_actions".ENABLED = true; }; - "repository.pull-requests" = { - DEFAULT_MERGE_STYLE = "merge"; - DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true; - }; - "repository.upload".FILE_MAX_SIZE = 1024; - server = { - LANDING_PAGE = "explore"; - OFFLINE = true; - }; - security = { INSTALL_LOCK = true; }; - other = { - SHOW_FOOTER_VERSION = false; - SHOW_FOOTER_TEMPLATE_LOAD_TIME = false; - }; - cron = { - ENABLED = true; - NOTICE_ON_SUCCESS = true; - }; - "cron.update_mirrors" = { - SCHEDULE = "@every 12h"; - PULL_LIMIT = "-1"; - PUSH_LIMIT = "-1"; - }; - "cron.git_gc_repos".ENABLED = true; - "cron.delete_old_actions".ENABLED = true; }; services.postgresqlBackup = { enable = true; 
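Review bot: `cron.update_mirrors` with `PULL_LIMIT = "-1"` and `PUSH_LIMIT = "-1"` lets every mirror repository be fetched and pushed without cap every 12 hours, and a mirror is a server-side fetch of a user-supplied URL from inside a container whose own firewall is disabled; the only thing keeping those fetches away from `192.168.100.1` and other internal addresses is Gitea's `[migrations] ALLOW_LOCALNETWORKS` default of `false`, which this file neither sets nor mentions. Make that reliance explicit, e.g. `migrations = { ALLOW_LOCALNETWORKS = false; };` with a comment on the cron block, so a future "allow local mirrors" tweak is recognised as widening server-side request reach into the host network.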
From 639410011e678ef62e3c25d70612a69ca04bef63 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Tue, 19 Jul 2022 17:32:00 +0200 Subject: [PATCH 13/23] update lantifa source urls & hashes --- services/lantifa.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/lantifa.nix b/services/lantifa.nix index 3b7c04d..e1649d2 100644 --- a/services/lantifa.nix +++ b/services/lantifa.nix @@ -40,7 +40,7 @@ extraConfig = let wikidb = pkgs.fetchzip { url = "https://www.kennel17.co.uk/uploads/testwiki/e/e9/WikiDB.zip"; - sha256 = "0pns9fk1ws54m7rgbfsrxqh6ayab16mmnvzba8m4malljgrbil8b"; + sha256 = "sha256-8pMNQwmGEsbIoSV1s4RL5Xqq4+f+GNOaCB8VlVnbweY="; }; in '' // Configure short URLs @@ -77,8 +77,8 @@ sha256 = "1k0z44jfqsxzwy6jjz3yfibiq8wi845d5iwwh8j3yijn2854fj0i"; }; intersection = pkgs.fetchzip { # This is the DynamicPageList extension - url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_36-4a70dbd.tar.gz"; - sha256 = "0s70fqkf5ylpsxy1h3hljic8708j6099mz12b6k03hgwc582yywi"; + url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_36-82eb087.tar.gz"; + sha256 = "sha256-TD58DvJ4CFASP4rIc94jeB4SN4zktLe33xZtz/Qg2dk="; }; PageForms = pkgs.fetchzip { url = "https://github.com/wikimedia/mediawiki-extensions-PageForms/archive/5.0.1.zip"; From 6aa06aed18c93678668905e83428996042cbe353 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Wed, 20 Jul 2022 18:30:47 +0200 Subject: [PATCH 14/23] gitea: fix uffd login (note that this actually has to patch uffd) --- pkgs/uffd/default.nix | 5 ++--- pkgs/uffd/gitea-magic.patch | 32 ++++++++++++++++++++++++++++++++ services/gitea.nix | 6 ++++++ 3 files changed, 40 insertions(+), 3 deletions(-) create mode 100644 pkgs/uffd/gitea-magic.patch diff --git a/pkgs/uffd/default.nix b/pkgs/uffd/default.nix index 9e23c8b..761ff6a 100644 --- a/pkgs/uffd/default.nix +++ b/pkgs/uffd/default.nix 
@@ -5,12 +5,11 @@ python3Packages.buildPythonPackage rec { version = "2.0.1"; src = fetchzip { - url = - "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz"; + url = "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz"; hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4="; }; - patches = [ ./fix-setuppy.patch ./fix-userinfo.patch ]; + patches = [ ./gitea-magic.patch ./fix-setuppy.patch ./fix-userinfo.patch ]; propagatedBuildInputs = with python3Packages; [ flask diff --git a/pkgs/uffd/gitea-magic.patch b/pkgs/uffd/gitea-magic.patch new file mode 100644 index 0000000..a2b3430 --- /dev/null +++ b/pkgs/uffd/gitea-magic.patch @@ -0,0 +1,32 @@ +From e3c0995160a653ef6cd8784b255036585b273b82 Mon Sep 17 00:00:00 2001 +From: stuebinm +Date: Wed, 20 Jul 2022 18:02:15 +0200 +Subject: [PATCH] magic gitea patch + +--- + uffd/oauth2/views.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/uffd/oauth2/views.py b/uffd/oauth2/views.py +index d13fd42..94352be 100644 +--- a/uffd/oauth2/views.py ++++ b/uffd/oauth2/views.py +@@ -230,6 +230,15 @@ def oauth_required(*scopes): + @oauth_required('profile') + def userinfo(): + user = request.oauth.user ++ client = request.oauth.client_id ++ if client == "gitea": ++ return jsonify( ++ id=user.unix_uid, ++ full_name=user.displayname, ++ login=user.loginname, ++ email=user.mail, ++ groups=[group.name for group in user.groups] ++ ) + return jsonify( + id=user.unix_uid, + name=user.displayname, +-- +2.36.0 + diff --git a/services/gitea.nix b/services/gitea.nix index 2b35352..ec370e7 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -22,6 +22,8 @@ imports = [ ((import sources.nix-hexchen) { }).profiles.nopersist ]; + environment.systemPackages = [ pkgs.gitea ]; + nixpkgs.config.allowUnfree = true; networking.firewall.enable = false; networking.defaultGateway = { 
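Review bot: `gitea-magic.patch` is prepended to a patch list that already contains `fix-userinfo.patch`, and both names suggest they touch the same `userinfo()` view, so the patches are order-sensitive and will need re-basing together on the next `version` bump; nothing in `default.nix` says what the new patch does or why it is local rather than upstream. A short comment above the list, such as `# gitea-magic: branch userinfo() on the gitea client id to emit Gitea's claim names; applied first, re-check against fix-userinfo on upgrade`, would save the next person from having to read the patch to understand the coupling.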
@@ -63,6 +65,10 @@ PREFERRED_LICENSES = "Unlicense"; DEFAULT_BRANCH = "main"; }; + oauth2_client = { + ACCOUNT_LINKING = "auto"; + ENABLE_AUTO_REGISTRATION = true; + }; "repository.pull-requests" = { DEFAULT_MERGE_STYLE = "merge"; DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true; From 97459d817776dfebb62736a7758df1363c61f61d Mon Sep 17 00:00:00 2001 From: stuebinm Date: Fri, 22 Jul 2022 18:50:00 +0200 Subject: [PATCH 15/23] gitea: enable offline mode --- services/gitea.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/gitea.nix b/services/gitea.nix index ec370e7..a270512 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -76,7 +76,7 @@ "repository.upload".FILE_MAX_SIZE = 1024; server = { LANDING_PAGE = "explore"; - OFFLINE = true; + OFFLINE_MODE = true; }; security = { INSTALL_LOCK = true; }; other = { From 83cda0f44a6b25eab30638efd7991785b120a06e Mon Sep 17 00:00:00 2001 From: stuebinm Date: Mon, 1 Aug 2022 18:39:46 +0200 Subject: [PATCH 16/23] gitea: save state under /persist --- services/gitea.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/services/gitea.nix b/services/gitea.nix index a270512..a84e505 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -24,6 +24,8 @@ environment.systemPackages = [ pkgs.gitea ]; + hexchen.bindmounts."/var/lib/gitea" = "/persist/gitea"; + nixpkgs.config.allowUnfree = true; networking.firewall.enable = false; networking.defaultGateway = { From 9bf75b9c3ddd1a2f7ca31679208f5d194a997a71 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Mon, 1 Aug 2022 20:54:17 +0200 Subject: [PATCH 17/23] git ssh: switch to gitea (instead of gitlab) --- services/gitea.nix | 13 +++++++++++++ services/gitlab.nix | 10 +++++----- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/services/gitea.nix b/services/gitea.nix index a84e505..e24bcc6 100644 --- a/services/gitea.nix +++ b/services/gitea.nix 
@@ -104,6 +104,14 @@
 startAt = "*-*-* 23:45:00";
 location = "/persist/backups/postgres";
 };
+ services.openssh = {
+ enable = true;
+ passwordAuthentication = false;
+ listenAddresses = [ {
+ addr = "192.168.100.10";
+ port = 22;
+ } ];
+ };
 })).config.system.build.toplevel;
 };
@@ -114,4 +122,9 @@
 proxyPass = "http://${config.containers.gitea.localAddress}:3000";
 };
 };
+ hexchen.nftables.nat.forwardPorts = [{
+ ports = [ 22 ];
+ destination = "${config.containers.gitea.localAddress}:22";
+ proto = "tcp";
+ }];
 }
diff --git a/services/gitlab.nix b/services/gitlab.nix
index 5de66be..8a2c708 100644
--- a/services/gitlab.nix
+++ b/services/gitlab.nix
@@ -133,11 +133,11 @@
 })).config.system.build.toplevel;
 };
- hexchen.nftables.nat.forwardPorts = [{
- ports = [ 22 ];
- destination = "${config.containers.gitlab.localAddress}:22";
- proto = "tcp";
- }];
+ # hexchen.nftables.nat.forwardPorts = [{
+ # ports = [ 22 ];
+ # destination = "${config.containers.gitlab.localAddress}:22";
+ # proto = "tcp";
+ # }];
 services.nginx.virtualHosts."gitlab.infra4future.de" = {
 locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80";
From 6bba15faae1c81fc4724b31949e3c10dd8afea42 Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Wed, 3 Aug 2022 11:26:05 +0200
Subject: [PATCH 18/23] gitea: git protocol v2 over ssh
cf. https://docs.gitea.io/en-us/config-cheat-sheet/#git-git, entry for option ENABLE_AUTO_GIT_WIRE_PROTOCOL
---
 services/gitea.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/services/gitea.nix b/services/gitea.nix
index e24bcc6..19d5455 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -111,6 +111,9 @@
 addr = "192.168.100.10";
 port = 22;
 } ];
+ extraConfig = ''
+ AcceptEnv GIT_PROTOCOL
+ '';
 };
 })).config.system.build.toplevel;
 };
From 82e70e0151c5ff5715f05236877237226356befb Mon Sep 17 00:00:00 2001
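Review bot: The container's sshd becomes reachable from outside through the `forwardPorts` entry in the second gitea.nix hunk, but the new `services.openssh` block only turns off `passwordAuthentication`; NixOS keeps keyboard-interactive (PAM) authentication and its default `permitRootLogin` unless they are set explicitly. Since this sshd exists only for Gitea's git-over-ssh, tighten the block with `permitRootLogin = "no";` and, where the container's NixOS release has the option, `kbdInteractiveAuthentication = false;` (`challengeResponseAuthentication` on older releases), and consider restricting logins to the Gitea service user via `AllowUsers` in `extraConfig` once that user name is confirmed. A comment noting that host port 22 is now owned by this container would also help, because the gitlab.nix hunk only comments out the previous forward instead of deleting it. The enclosing container definition starts outside the hunk.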
From: moira Date: Mon, 12 Sep 2022 19:05:32 +0200 Subject: [PATCH 19/23] change name --- common/users.nix | 4 ++-- services/mail.nix | 14 +++++++------- services/syncthing.nix | 8 ++------ websites/muc.hacc.earth/index.html | 2 +- 4 files changed, 12 insertions(+), 16 deletions(-) diff --git a/common/users.nix b/common/users.nix index 7c4cbb9..22002ca 100644 --- a/common/users.nix +++ b/common/users.nix @@ -48,13 +48,13 @@ packages = with pkgs; [ ffmpeg ]; }; - schweby = { + moira = { uid = 1004; shell = pkgs.fish; isNormalUser = true; extraGroups = [ "wheel" "cdrom" ]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqj9RRfthjBl4+y4YH7aWetx5qs2KOE2B0oOw3pjRrQ schweby 2022-05-22" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrcJRF71+XM5YZj+SaSiGcdVZ0IDxGBXIWssDtHiTtr moira_2022_06" ]; hashedPassword = "$6$zkAsaVdmIduqZxez$GY9aBlYeP41F0it/VbbZzLLLRQhHAbDdFsa3e/1GS9McTuSimMHODg6HqNVEH1zSqD3afhK/0UHfqbtF5qpi90"; }; diff --git a/services/mail.nix b/services/mail.nix index 518f973..211a2e1 100644 --- a/services/mail.nix +++ b/services/mail.nix @@ -42,7 +42,7 @@ "raphael@hacc.space".hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/"; - "schweby@hacc.space".hashedPassword = + "moira@hacc.space".hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1"; "zauberberg@hacc.space".hashedPassword = @@ -81,7 +81,7 @@ "hexchen@hacc.space" "octycs@hacc.space" "raphael@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "zauberberg@hacc.space" "stuebinm@hacc.space" "lenny@hacc.space" 
@@ -89,12 +89,12 @@ # admin: current people with access to the mail server and knowledge on how to use it™ "admin@hacc.space" = - [ "hexchen@hacc.space" "schweby@hacc.space" "zauberberg@hacc.space" ]; + [ "hexchen@hacc.space" "moira@hacc.space" "zauberberg@hacc.space" ]; # voc: hacc video operation center, various streaming-related things "voc@hacc.space" = [ "hexchen@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "octycs@hacc.space" "stuebinm@hacc.space" "zauberberg@hacc.space" @@ -105,13 +105,13 @@ # -- Regional: Germany -- # board of hacc e.V. "vorstand@hacc.space" = - [ "raphael@hacc.space" "schweby@hacc.space" "zauberberg@hacc.space" ]; + [ "raphael@hacc.space" "moira@hacc.space" "zauberberg@hacc.space" ]; # members of hacc e.V. "mitglieder@hacc.space" = [ "hexchen@hacc.space" "raphael@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "zauberberg@hacc.space" "lenny@hacc.space" "octycs@hacc.space" @@ -123,7 +123,7 @@ "hexchen@hacc.space" "octycs@hacc.space" "raphael@hacc.space" - "schweby@hacc.space" + "moira@hacc.space" "zauberberg@hacc.space" "stuebinm@hacc.space" "lenny@hacc.space" diff --git a/services/syncthing.nix b/services/syncthing.nix index 3eff7a7..40bab1c 100644 --- a/services/syncthing.nix +++ b/services/syncthing.nix @@ -7,10 +7,6 @@ configDir = "/persist/var/lib/syncthing/"; dataDir = "/persist/data/syncthing/"; devices = { - schweby = { - addresses = []; # empty = dynamic - id = "YF7DNNS-B63GERK-YFQ7G7Q-2DG7557-VIWFOTK-R3JOS63-T76POBQ-F6MO6AH"; - }; raphael-laptop = { addresses = []; # empty = dynamic id = "72B3T74-NOMJV3X-EVJXTJF-5GGAEZB-ZDKBHXQ-VQNRYEU-YCPA2JP-L6NGAAG"; @@ -25,7 +21,7 @@ folders = { "/persist/data/syncthing/hacc/" = { id = "qt2ly-xvvvs"; - devices = [ "schweby" "conway" "raphael-laptop"]; + devices = [ "conway" "raphael-laptop"]; type = "receiveonly"; versioning = { type = "simple"; 
@@ -34,7 +30,7 @@ }; "/persist/data/syncthing/hacc_eV_vorstand/" = { id = "twwt7-fxrsr"; - devices = [ "schweby" "conway" "raphael-laptop"]; + devices = [ "conway" "raphael-laptop"]; # type = "receiveencrypted"; # no yet implemented }; }; diff --git a/websites/muc.hacc.earth/index.html b/websites/muc.hacc.earth/index.html index fbc0bb4..e386de9 100644 --- a/websites/muc.hacc.earth/index.html +++ b/websites/muc.hacc.earth/index.html @@ -402,7 +402,7 @@ registered at the local court Munich VR 208921
    • raphael or rw
    • zauberberg
    • -
    • schweby
    • +
    • moira
  • Satzung (statutes)
  • From 04272968d0b9c9e5621428e2b71310cd43e071b9 Mon Sep 17 00:00:00 2001 From: hexchen Date: Sat, 24 Sep 2022 14:41:34 +0000 Subject: [PATCH 20/23] update and fix mattermost --- modules/mattermost.nix | 6 +----- nix/sources.json | 14 +++++++------- nix/sources.nix | 22 +++++++++++++++++++++- 3 files changed, 29 insertions(+), 13 deletions(-) diff --git a/modules/mattermost.nix b/modules/mattermost.nix index c2a7509..122abce 100644 --- a/modules/mattermost.nix +++ b/modules/mattermost.nix @@ -6,13 +6,9 @@ let cfg = config.services.mattermost-patched; - defaultConfig = builtins.fromJSON (builtins.replaceStrings [ "\\u0026" ] [ "&" ] - (readFile "${pkgs.mattermost}/config/config.json") - ); - database = "postgres://${cfg.localDatabaseUser}:${cfg.localDatabasePassword}@localhost:5432/${cfg.localDatabaseName}?sslmode=disable&connect_timeout=10"; - mattermostConf = foldl recursiveUpdate defaultConfig + mattermostConf = foldl recursiveUpdate {} [ { ServiceSettings.SiteURL = cfg.siteUrl; ServiceSettings.ListenAddress = cfg.listenAddress; TeamSettings.SiteName = cfg.siteName; diff --git a/nix/sources.json b/nix/sources.json index 0ed84d7..cbc976c 100644 --- a/nix/sources.json +++ b/nix/sources.json @@ -23,7 +23,7 @@ "homepage": "https://mattermost.com", "owner": "mattermost", "repo": "mattermost-server", - "rev": "90c635041053fc53905be5735b0399bfe135080e", + "rev": "2ea14ef395fad8919b2f4137642a7f50b370ffba", "sha256": "1k5zqnc4yqnad2cw1wpqk22mjra08jz9gf4v692kbrgx3x4d13kh", "type": "tarball", "url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v6.7.2.tar.gz", 
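Review bot: Using `{}` instead of `defaultConfig` as the base of `foldl recursiveUpdate` means `mattermostConf` no longer carries any setting that Mattermost's shipped `config.json` used to supply, so whatever consumes `mattermostConf` further down (outside the hunk) now only sees keys this module sets explicitly; the commit message does not say whether Mattermost fills in defaults for the rest or whether the package simply stopped shipping the file. A comment above the new line would record that, e.g. `# start from an empty config; Mattermost supplies defaults for unset keys — TODO confirm for this package version`. Separately, the unchanged `database` line interpolates `cfg.localDatabasePassword` into a Nix string, which lands in the world-readable store if that option is set to a literal; a file-based secret would avoid that. The `let` block continues outside the hunk.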
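Review bot: Only `rev` changes for the `mattermost` entry while `url` (still the `v6.7.2` tag tarball) and `sha256` are unchanged, so for a niv source of `"type": "tarball"` — which is fetched by `url` and verified by `sha256` — this hunk does not change what is actually built. If a newer Mattermost was intended, the entry needs a matching `url`/`sha256` pair (normally produced by `niv update mattermost`); if the tag is the intended pin, the `rev` edit is misleading and could be dropped. The `nixpkgs` entries further down are bumped consistently (rev, sha256 and url together), which is the shape this entry should follow.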
@@ -75,10 +75,10 @@ "homepage": "", "owner": "nixos", "repo": "nixpkgs", - "rev": "4dbec24ea806d348dd8f8e8e80051bbda708726a", - "sha256": "0jjg6cr6jg16fy368p49vpq4al86084jhls135jqqvnf778q43cf", + "rev": "eabc38219184cc3e04a974fe31857d8e0eac098d", + "sha256": "04ffwp2gzq0hhz7siskw6qh9ys8ragp7285vi1zh8xjksxn1msc5", "type": "tarball", - "url": "https://github.com/nixos/nixpkgs/archive/4dbec24ea806d348dd8f8e8e80051bbda708726a.tar.gz", + "url": "https://github.com/nixos/nixpkgs/archive/eabc38219184cc3e04a974fe31857d8e0eac098d.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "nixpkgs-unstable": { @@ -87,10 +87,10 @@ "homepage": "", "owner": "nixos", "repo": "nixpkgs", - "rev": "e0169d7a9d324afebf5679551407756c77af8930", - "sha256": "1nr7ih856ca2vl0blim4bz2yxz6cg7jfsx4z096hg0qa5i04zg95", + "rev": "ae1dc133ea5f1538d035af41e5ddbc2ebcb67b90", + "sha256": "0dq22dagzk76x2ws4dz88w018i6byamd6rnzqizx68bzimg6g7xn", "type": "tarball", - "url": "https://github.com/nixos/nixpkgs/archive/e0169d7a9d324afebf5679551407756c77af8930.tar.gz", + "url": "https://github.com/nixos/nixpkgs/archive/ae1dc133ea5f1538d035af41e5ddbc2ebcb67b90.tar.gz", "url_template": "https://github.com///archive/.tar.gz" }, "workadventure": { diff --git a/nix/sources.nix b/nix/sources.nix index 1938409..9a01c8a 100644 --- a/nix/sources.nix +++ b/nix/sources.nix 
@@ -31,8 +31,28 @@ let if spec ? branch then "refs/heads/${spec.branch}" else if spec ? tag then "refs/tags/${spec.tag}" else abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + submodules = if spec ? submodules then spec.submodules else false; + submoduleArg = + let + nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0; + emptyArgWithWarning = + if submodules == true + then + builtins.trace + ( + "The niv input \"${name}\" uses submodules " + + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " + + "does not support them" + ) + {} + else {}; + in + if nixSupportsSubmodules + then { inherit submodules; } + else emptyArgWithWarning; in - builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; }; + builtins.fetchGit + ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg); fetch_local = spec: spec.path; From 77d76253155ef0c2db4e6d32bec264e40433da6d Mon Sep 17 00:00:00 2001 From: moira Date: Sat, 24 Sep 2022 17:29:42 +0200 Subject: [PATCH 21/23] remove gitlab --- hosts/parsons/configuration.nix | 2 - services/gitlab-runner.nix | 64 ------------- services/gitlab.nix | 165 -------------------------------- 3 files changed, 231 deletions(-) delete mode 100644 services/gitlab-runner.nix delete mode 100644 services/gitlab.nix diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix index c8aef57..738b83d 100644 --- a/hosts/parsons/configuration.nix +++ b/hosts/parsons/configuration.nix @@ -16,10 +16,8 @@ ../../services/hedgedoc-i4f.nix ../../services/mail.nix ../../services/syncthing.nix - ../../services/gitlab.nix ../../services/gitea.nix ../../services/nginx-pages.nix - ../../services/gitlab-runner.nix ../../services/lantifa.nix ../../services/vaultwarden.nix ../../services/uffd.nix diff --git a/services/gitlab-runner.nix b/services/gitlab-runner.nix deleted file mode 100644 index 6a467d6..0000000 --- a/services/gitlab-runner.nix +++ /dev/null 
@@ -1,64 +0,0 @@ -{config, pkgs, lib, ...}: - -{ - services.gitlab-runner = { - enable = true; - concurrent = 4; - services = { - infra4future = { - buildsDir = "/persist/var/lib/gitlab-runner/builds"; - dockerImage = "nixos/nix"; - executor = "docker"; - registrationConfigFile = "/persist/var/lib/gitlab-runner/gitlab-runner.env"; - }; - nix = { - limit = 1; # don't run multiple jobs - registrationConfigFile = "/persist/var/lib/gitlab-runner/gitlab-runner.env"; - dockerImage = "alpine"; - dockerVolumes = [ - "/nix/store:/nix/store:ro" - "/nix/var/nix/db:/nix/var/nix/db:ro" - "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro" - ]; - dockerDisableCache = true; - preBuildScript = pkgs.writeScript "setup-container" '' - mkdir -p -m 0755 /nix/var/log/nix/drvs - mkdir -p -m 0755 /nix/var/nix/gcroots - mkdir -p -m 0755 /nix/var/nix/profiles - mkdir -p -m 0755 /nix/var/nix/temproots - mkdir -p -m 0755 /nix/var/nix/userpool - mkdir -p -m 1777 /nix/var/nix/gcroots/per-user - mkdir -p -m 1777 /nix/var/nix/profiles/per-user - mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root - mkdir -p -m 0700 "$HOME/.nix-defexpr" - . 
${pkgs.nix}/etc/profile.d/nix.sh - ${pkgs.nix}/bin/nix-env -i ${lib.concatStringsSep " " (with pkgs; [ nix cacert git openssh ])} - ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable - ${pkgs.nix}/bin/nix-channel --update nixpkgs - ''; - environmentVariables = { - ENV = "/etc/profile"; - USER = "root"; - NIX_REMOTE = "daemon"; - PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin"; - NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"; - }; - tagList = [ "nix" ]; - }; - }; - }; - - systemd.services.gitlab-runner.serviceConfig = { - DynamicUser = lib.mkForce false; - User = "gitlab-runner"; - }; - - users.users.gitlab-runner = { - home = "/persist/var/lib/gitlab-runner"; - extraGroups = [ "docker" ]; - isSystemUser = true; - group = "nogroup"; - }; - - virtualisation.docker.storageDriver = "zfs"; -} diff --git a/services/gitlab.nix b/services/gitlab.nix deleted file mode 100644 index 8a2c708..0000000 --- a/services/gitlab.nix +++ /dev/null 
@@ -1,165 +0,0 @@ -{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}: - -{ - containers.gitlab = { - autoStart = true; - privateNetwork = true; - hostAddress = "192.168.100.1"; - localAddress = "192.168.100.7"; - - bindMounts = { - "/persist" = { - hostPath = "/persist/containers/gitlab"; - isReadOnly = false; - }; - }; - - path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: { - boot.isContainer = true; - networking.useDHCP = false; - users.users.root.hashedPassword = ""; - - imports = [ - ../modules/mattermost.nix - ((import sources.nix-hexchen) {}).profiles.nopersist - ]; - - nixpkgs.config.allowUnfree = true; - networking.firewall.enable = false; - networking.defaultGateway = { - address = "192.168.100.1"; - interface = "eth0"; - }; - - services.gitlab = { - enable = true; - - databaseCreateLocally = true; - - host = "gitlab.infra4future.de"; - https = true; - port = 443; - - statePath = "/persist/gitlab"; - user = "git"; - databaseUsername = "git"; - - initialRootPasswordFile = "/persist/secrets/gitlab-root"; - secrets.secretFile = "/persist/secrets/gitlab-secret"; - secrets.dbFile = "/persist/secrets/gitlab-db"; - secrets.otpFile = "/persist/secrets/gitlab-otp"; - secrets.jwsFile = "/persist/secrets/gitlab-jws"; - - smtp = { - enable = true; - address = "mail.hacc.space"; - port = 587; - authentication = "plain"; - domain = "gitlab.infra4future.de"; - enableStartTLSAuto = true; - username = "noreply@infra4future.de"; - passwordFile = "/persist/secrets/noreply-pass"; - }; - - pagesExtraArgs = [ "-listen-proxy" "0.0.0.0:8090" ]; - extraConfig = { - pages = { - enabled = true; - host = "4future.dev"; - port = 443; - https = true; - }; - omniauth = { - enabled = true; - auto_sign_in_with_provider = "oauth2_generic"; - allow_single_sign_on = ["oauth2_generic"]; - block_auto_created_users = false; - providers = [ - { - name = "oauth2_generic"; - label = "infra4future Login"; - app_id = "gitlab"; - 
app_secret = { _secret = "/persist/secrets/oidc-clientsecret"; }; - args = { - client_options = { - site = "https://login.infra4future.de"; - user_info_url = "/oauth2/userinfo"; - authorize_url = "/oauth2/authorize"; - token_url = "/oauth2/token"; - }; - strategy_class ="OmniAuth::Strategies::OAuth2Generic"; - }; - } - ]; - }; - }; - }; - - services.redis.enable = true; - services.postgresql.package = pkgs.postgresql_13; - - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - virtualHosts."gitlab.infra4future.de" = { - default = true; - locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; - locations."/".extraConfig = '' - proxy_redirect off; - ''; - }; - }; - - services.openssh.enable = true; - services.openssh.passwordAuthentication = false; - - users.users.git = { - isSystemUser = true; - group = "gitlab"; - home = "/persist/gitlab/home"; - uid = 165; - }; - - services.coredns = { - enable = true; - config = '' - .:53 { - forward . 
1.1.1.1 - } - ''; - }; - })).config.system.build.toplevel; - }; - - # hexchen.nftables.nat.forwardPorts = [{ - # ports = [ 22 ]; - # destination = "${config.containers.gitlab.localAddress}:22"; - # proto = "tcp"; - # }]; - - services.nginx.virtualHosts."gitlab.infra4future.de" = { - locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80"; - locations."/".extraConfig = '' - proxy_set_header X-Nginx-Proxy true; - proxy_redirect off; - ''; - enableACME = true; - forceSSL = true; - }; - - services.nginx.virtualHosts."4future.dev" = { - locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090"; - serverName = "~^((.*)\.)?4future\.dev$"; - useACMEHost = "4future.dev"; - forceSSL = true; - }; - - security.acme.certs."4future.dev" = { - dnsProvider = "cloudflare"; - credentialsFile = "/var/lib/acme/cloudflare.pass"; - extraDomainNames = [ "*.4future.dev" ]; - group = config.services.nginx.group; - }; -} From f2c90e5601e6e9068f9ff7779b68b5acdb01dc68 Mon Sep 17 00:00:00 2001 From: stuebinm Date: Sat, 24 Sep 2022 17:46:48 +0200 Subject: [PATCH 22/23] websites: remove mentions of gitlab.infra4future.de (one remains for now, will do that later once anyone from students for future says what to do in that case) --- websites/hacc.earth/index.html | 6 +++--- websites/hacc.earth/index_de.html | 3 +-- websites/infra4future.de/nutzungsbedingungen.md | 2 +- websites/muc.hacc.earth/index.html | 17 +++++++---------- 4 files changed, 12 insertions(+), 16 deletions(-) diff --git a/websites/hacc.earth/index.html b/websites/hacc.earth/index.html index 01ee6dc..8abfd94 100644 --- a/websites/hacc.earth/index.html +++ b/websites/hacc.earth/index.html @@ -349,7 +349,7 @@
  • Regular meetings of the hacc e.V., usually every 1st and 3rd Wednesday 7:30 p.m. at muCCC. At the moment we meet online on mumble.hacc.space.
  • Meetings of Klimanotstandbündnis in Siegen. See hacc group page.
  • - Propose changes to the hacc e.V. infrastructure. You can open an issue on our meta discussion repository or (if you are familiar with Nix) open a merge request on the nixfiles which control a growing part of our infrastructure. Or just ask us via one of hacc e.V. channels above. + Propose changes to the hacc e.V. infrastructure. You can open an issue or open a merge request on the nixfiles which control a growing part of our infrastructure. Or just ask us via one of hacc e.V. channels above.
  • Add you or your project to the hacc directory @@ -438,7 +438,7 @@ Unfortunately conflicts led to a split between the local chapter Munich and CHT

    About this page

    The hacc e.V. runs this page (hacc.earth) but not necessarily the linked projects. You can find more about our activities and involvements on our own page.
    -Also the source of the page can be found here. As with the hacc e.V. infrastructure in general you are invited to make change requests or just contact us to ask for changes. +Also the source of the page can be found here. As with the hacc e.V. infrastructure in general you are invited to make change requests or just contact us to ask for changes.

    The hacc logo was designed by Creatives for Future. @@ -451,7 +451,7 @@ The hacc logo was designed by Creatives

    diff --git a/websites/hacc.earth/index_de.html b/websites/hacc.earth/index_de.html index dc55ada..0f9b8d9 100644 --- a/websites/hacc.earth/index_de.html +++ b/websites/hacc.earth/index_de.html @@ -317,8 +317,7 @@
  • Regelmäßige Treffen von hacc in München, normalerweise jeden ersten und dritten Mittwoch im Monat um 19:00 Uhr beim muCCC. Im Moment treffen wir uns Online auf mumble.hacc.space.
  • Regelmäßige Treffen des Klimanotstandbündnis in Siegen. Jeden zweiten Sonntag, siehe hacc-Seite.
  • - Wenn du Vorschläge für Änderungen an unserer Infrastruktur hast, leg bitte einen Issue in unserem Meta-Diskussions-Repo an, - oder (falls du Nix kennst) erstelle einen Merge Request auf die nixfiles, über die wir einen (größer werdenden) Teil unserer Server verwalten. + Wenn du Vorschläge für Änderungen an unserer Infrastruktur hast, leg bitte einen Issue oder erstelle einen Merge Request auf die nixfiles, über die wir einen (größer werdenden) Teil unserer Server verwalten.
  • diff --git a/websites/infra4future.de/nutzungsbedingungen.md b/websites/infra4future.de/nutzungsbedingungen.md index ac1d214..cf0934f 100644 --- a/websites/infra4future.de/nutzungsbedingungen.md +++ b/websites/infra4future.de/nutzungsbedingungen.md @@ -16,7 +16,7 @@ title: Infra4future 1. Geltungsbereich der Nutzungsbedingungen - (1) Diese Nutzungsbedingungen gelten für das Online-Angebot Infra4future, das im Internet unter cloud.infra4future.de, talk.infra4future.de, mattermost.infra4future.de, auth.infra4future.de, social.infra4future.de, gitlab.infra4future.de, survey.infra4future.de, live.infra4future.de, 4future.dev und discuss.infra4future.de abrufbar ist. Hierbei handelt es sich um eine Plattform, auf der Nutzer Profile anlegen können. + (1) Diese Nutzungsbedingungen gelten für das Online-Angebot Infra4future, das im Internet unter cloud.infra4future.de, talk.infra4future.de, mattermost.infra4future.de, login.infra4future.de, git.infra4future.de, 4future.dev und discuss.infra4future.de abrufbar ist. Hierbei handelt es sich um eine Plattform, auf der Nutzer Profile anlegen können. (2) Sie können die derzeit gültigen Nutzungsbedingungen unter infra4future.de/nutzungsbedingungen.html abrufen und ausdrucken. diff --git a/websites/muc.hacc.earth/index.html b/websites/muc.hacc.earth/index.html index e386de9..a9aa0ba 100644 --- a/websites/muc.hacc.earth/index.html +++ b/websites/muc.hacc.earth/index.html @@ -300,14 +300,11 @@ Of course we also did and do support multiple events and groups in Munich and Ge
    • Regular meetings of the hacc e.V., usually every 1st and 3rd Wednesday 7:30 p.m. at muCCC. At the moment we meet online on mumble.hacc.space.
    • Regular matinanence of the hacc e.V. infrastrucutre, usually the Wednesday after the regular meeting sometime in the evening. Normally coordinated on mumble.hacc.space.
    • -
    • Help us running the hacc e.V. infrastructure like infra4future.de. You can open an issue on our meta discussion repository or (if you are familiar with Nix) open a merge request on the nixfiles which control a growing part of our infrastructure. Or just ask us via one of hacc e.V. channels above. +
    • Help us running the hacc e.V. infrastructure like infra4future.de. You can open an issue or create a merge request on the nixfiles which control a growing part of our infrastructure. Or just ask us via one of hacc e.V. channels above.
    • Interested in streaming and recording? Get in contact with hacc-voc
    • -
    • - The hacc blog can always use input. It's based on zola. The source of our blog is here. -
    • Use the wiki and add your project!
    • @@ -403,11 +400,11 @@ registered at the local court Munich VR 208921
    • raphael or rw
    • zauberberg
    • moira
    • -
  • -
  • Satzung (statutes)
  • -
  • Mitgliedsantrag (membership application)
  • -
  • Vereinfachter Spendennachweis (simplified proof of donation)
  • +
  • Satzung (statutes)
  • +
  • Mitgliedsantrag (membership application)
  • +
  • Vereinfachter Spendennachweis (simplified proof of donation)
  • @@ -430,7 +427,7 @@ Germany

    About this page

    -The source of the page can be found here. As with the hacc e.V. infrastructure in general you are invited to make change requests or just contact us to ask for changes. +The source of the page can be found here. As with the hacc e.V. infrastructure in general you are invited to make change requests or just contact us to ask for changes.

    The hacc logo was designed by Creatives for Future. @@ -443,7 +440,7 @@ The hacc logo was designed by Creatives