Compare commits
2 commits
main
...
feature/pl
Author | SHA1 | Date | |
---|---|---|---|
78845777ad | |||
a00e28d85a |
313 changed files with 4434 additions and 19007 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -2,4 +2,3 @@ result
|
|||
ecdsa_host
|
||||
secrets/
|
||||
.*.swp
|
||||
.deploy-gc/*
|
||||
|
|
16
.gitlab-ci.yml
Normal file
16
.gitlab-ci.yml
Normal file
|
@ -0,0 +1,16 @@
|
|||
stages:
|
||||
- build
|
||||
|
||||
build-parsons:
|
||||
tags:
|
||||
- nix
|
||||
stage: build
|
||||
script:
|
||||
- nix-build -A deploy.parsons
|
||||
|
||||
build-nixda:
|
||||
tags:
|
||||
- nix
|
||||
stage: build
|
||||
script:
|
||||
- nix-build -A deploy.nixda
|
|
@ -1 +0,0 @@
|
|||
websites/*
|
23
.sops.yaml
23
.sops.yaml
|
@ -1,23 +0,0 @@
|
|||
keys:
|
||||
- &parsons age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
|
||||
- &hexchen-backup age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
|
||||
- &stuebinm-ilex age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
|
||||
- &stuebinm-surltesh-echer age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
|
||||
- &stuebinm-abbenay age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
|
||||
- &octycs-m age1fm3e99tdyrsvztdchxxllt9nat35xzvd68d09y8scu9jfc7kvvuquhr49c
|
||||
- &zauberberg-conway age16fk0m26n0fr2vmuxm2mjsmrawclde2mlyj6wg3ee9jvzmu5ru3ustgs5jq
|
||||
- &moira-2022-06 age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
|
||||
- &moira-openpgp age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
|
||||
creation_rules:
|
||||
- path_regex: secrets.yaml
|
||||
key_groups:
|
||||
- age:
|
||||
- *parsons
|
||||
- *hexchen-backup
|
||||
- *stuebinm-ilex
|
||||
- *stuebinm-surltesh-echer
|
||||
- *stuebinm-abbenay
|
||||
- *octycs-m
|
||||
- *zauberberg-conway
|
||||
- *moira-2022-06
|
||||
- *moira-openpgp
|
24
LICENSE
24
LICENSE
|
@ -1,24 +0,0 @@
|
|||
This is free and unencumbered software released into the public domain.
|
||||
|
||||
Anyone is free to copy, modify, publish, use, compile, sell, or
|
||||
distribute this software, either in source code form or as a compiled
|
||||
binary, for any purpose, commercial or non-commercial, and by any
|
||||
means.
|
||||
|
||||
In jurisdictions that recognize copyright laws, the author or authors
|
||||
of this software dedicate any and all copyright interest in the
|
||||
software to the public domain. We make this dedication for the benefit
|
||||
of the public at large and to the detriment of our heirs and
|
||||
successors. We intend this dedication to be an overt act of
|
||||
relinquishment in perpetuity of all present and future rights to this
|
||||
software under copyright law.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||
IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
|
||||
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
|
||||
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
|
||||
OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
For more information, please refer to <http://unlicense.org/>
|
87
README.md
87
README.md
|
@ -1,81 +1,32 @@
|
|||
# hacc nixfiles
|
||||
|
||||
Welcome to the hacc nixfiles (haccfiles). This is how we configure (most of)
|
||||
our infrastructure.
|
||||
welcome to hacc nixfiles (haccfiles). this is the code describing our nix-based infrastructure.
|
||||
|
||||
## General layout
|
||||
## structure
|
||||
|
||||
- `flake.nix`: Entrypoint & dependencies
|
||||
- `default.nix`: Entrypoint to the config
|
||||
- `common/`: configuration common to all hosts
|
||||
- `desktop/`: desktop-relevant communication
|
||||
- `modules/`: home-grown modules for hacc-specific services
|
||||
- `pkgs/`: packages we need which aren't in nixpkgs
|
||||
- `websites/`: static websites hosted by us
|
||||
- `common/`: meta-level config, reusable across machines
|
||||
- `parsons/`: our sole server, its config & the services it runs
|
||||
- `nix/`: sources files, managed with niv
|
||||
- `pkgs/`: packages we built and don't want to upstream
|
||||
|
||||
Right now, we only have a single host. We might add more again in the future.
|
||||
## working with the haccfiles
|
||||
|
||||
## Working with this repo
|
||||
|
||||
You will need a flake-enabled nix installation, and have your ssh config set up
|
||||
so that `ssh parsons` will connect to `parsons.hacc.space`.
|
||||
|
||||
### Deploying remotely
|
||||
|
||||
It's recommended to use [deploy_rs](https://github.com/serokell/deploy-rs):
|
||||
~~~shell
|
||||
deploy .#parsons -k [--dry-activate]
|
||||
~~~
|
||||
|
||||
Alternatively, using just `nixos-rebuild`:
|
||||
~~~shell
|
||||
nixos-rebuild --flake .#parsons --target-host parsons \
|
||||
--use-remote-sudo --use-substitutes [test|switch|dry-activate]
|
||||
~~~
|
||||
|
||||
### Re-deploying on parsons itself
|
||||
|
||||
Simply do:
|
||||
~~~shell
|
||||
nixos-rebuild --flake .#parsons [test|switch|dry-activate]
|
||||
~~~
|
||||
|
||||
## Working on websites
|
||||
|
||||
Websites are exposed as flake outputs: if you're working on a website & want to
|
||||
check it in a browser, do e.g.
|
||||
|
||||
~~~shell
|
||||
nix run .#\"muc.hacc.earth\"
|
||||
~~~
|
||||
|
||||
to start a local http server (note that some of our websites need a directory
|
||||
to be built in; these use `/tmp/hacc-website`).
|
||||
|
||||
To add a new website, add a new subdirectory to `websites`; nix will generate a
|
||||
vhost config based on that directory's name. Add a `default.nix` in your directory
|
||||
describing how to build the website, and give its derivation a `watch` attribute
|
||||
to make the `nix run` setup work.
|
||||
|
||||
## I don't want to build this long dependency / want a cached version!
|
||||
|
||||
If it's still available on parsons from a previous deploy, do:
|
||||
```shell
|
||||
nix copy --from ssh://parsons /nix/store/...
|
||||
deploy:
|
||||
``` shell
|
||||
nix build -f . deploy.$hostname && ./result switch
|
||||
```
|
||||
|
||||
Note: don't just copy the .drv file (which Nix complains about if it can't
|
||||
build something), that's just the description of how to build it! If you
|
||||
don't know the actual outpath, look in the .drv file (should start with
|
||||
`Derive([("out","[the path you want]"...`)
|
||||
`$hostname` can be replaced with any hostname or group
|
||||
|
||||
## committing to haccfiles
|
||||
- Things on `main` should always reflect the config that's actually deployed on
|
||||
parsons, except during testing / debugging sessions
|
||||
- Golden Rule: DO NOT COMMIT TO MAIN
|
||||
- exceptions apply, if you are not sure where to commit, don't commit to main
|
||||
- split up commits, every commit is one atomic change
|
||||
- follow the commit format: "place: $change"
|
||||
- place: e.g. `modules/$module`, `services/$service` ...
|
||||
- change: describe your change. Please wrap your lines sensibly (or configure
|
||||
your editor to do this for you)
|
||||
- e.g. no big "did some changes" but instead "updated service x", "updated service y", "update service z"
|
||||
- follow the commit format: "$prefix$place: $change"
|
||||
- prefix: one of fixup, nothing
|
||||
- place: one of "modules/$module", "$hostname/service", "common/($place)", "pkgs/$pkgs" or "sources"
|
||||
- change: describe your change, don't go over the character limit where git starts hiding/wrapping
|
||||
- Exception: autogenerated messages (merge commits, reverts, etc)
|
||||
- don't overuse merge commits, try to rebase things if possible with reasonable
|
||||
effort
|
||||
|
|
|
@ -1,9 +1,13 @@
|
|||
{ config, lib, pkgs, modules, sources, ... }:
|
||||
{ config, lib, pkgs, modules, ... }:
|
||||
|
||||
{
|
||||
let
|
||||
sources = import ../nix/sources.nix;
|
||||
in {
|
||||
imports = [
|
||||
../modules
|
||||
./users.nix
|
||||
(sources.home-manager + "/nixos")
|
||||
modules.network.nftables
|
||||
];
|
||||
|
||||
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
|
||||
|
@ -15,31 +19,24 @@
|
|||
SystemMaxUse=512M
|
||||
MaxRetentionSec=48h
|
||||
'';
|
||||
nix.package = pkgs.lix;
|
||||
nix.gc.automatic = lib.mkDefault true;
|
||||
nix.gc.options = lib.mkDefault "--delete-older-than 7d";
|
||||
nix.settings.trusted-users = [ "root" "@wheel" ];
|
||||
nix.extraOptions = ''
|
||||
experimental-features = nix-command flakes
|
||||
'';
|
||||
nix.gc.options = lib.mkDefault "--delete-older-than 1w";
|
||||
nix.trustedUsers = [ "root" "@wheel" ];
|
||||
environment.variables.EDITOR = "vim";
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
ports = lib.mkDefault [ 62954 ];
|
||||
settings = {
|
||||
X11Forwarding = true;
|
||||
PermitRootLogin = "prohibit-password";
|
||||
PasswordAuthentication = false;
|
||||
KbdInteractiveAuthentication = false;
|
||||
StreamLocalBindUnlink = true;
|
||||
passwordAuthentication = false;
|
||||
challengeResponseAuthentication = false;
|
||||
permitRootLogin = lib.mkDefault "prohibit-password";
|
||||
extraConfig = "StreamLocalBindUnlink yes";
|
||||
forwardX11 = true;
|
||||
};
|
||||
};
|
||||
programs.mosh.enable = true;
|
||||
programs.fish.enable = true;
|
||||
security.sudo.wheelNeedsPassword = lib.mkDefault false;
|
||||
|
||||
i18n.defaultLocale = "en_IE.UTF-8";
|
||||
time.timeZone = "UTC";
|
||||
console = {
|
||||
font = "Lat2-Terminus16";
|
||||
keyMap = "de";
|
||||
|
@ -48,8 +45,8 @@
|
|||
|
||||
environment.systemPackages = with pkgs; [
|
||||
smartmontools lm_sensors htop tcpdump nload iftop
|
||||
bottom
|
||||
ripgrep vgrep
|
||||
# bottom
|
||||
ripgrep
|
||||
git wget
|
||||
kitty.terminfo
|
||||
rsync pv progress
|
||||
|
@ -61,11 +58,11 @@
|
|||
whois
|
||||
iperf
|
||||
fd
|
||||
eza
|
||||
exa
|
||||
socat
|
||||
tmux
|
||||
gnupg
|
||||
vim neovim
|
||||
vim
|
||||
patchelf
|
||||
binutils
|
||||
dnsutils
|
||||
|
@ -73,13 +70,9 @@
|
|||
nmap
|
||||
s-tui stress
|
||||
ffmpeg-full
|
||||
bat
|
||||
niv
|
||||
sqlite-interactive
|
||||
hacc-scripts
|
||||
];
|
||||
|
||||
security.acme.defaults.email = "info+acme@hacc.space";
|
||||
security.acme.email = "info+acme@hacc.space";
|
||||
security.acme.acceptTerms = true;
|
||||
|
||||
services.nginx.appendHttpConfig = ''
|
||||
|
|
9
common/hexchen.nix
Normal file
9
common/hexchen.nix
Normal file
|
@ -0,0 +1,9 @@
|
|||
{config, lib, pkgs, ...}:
|
||||
|
||||
let
|
||||
sources = import ../nix/sources.nix;
|
||||
in {
|
||||
imports = [
|
||||
(import sources.nix-hexchen {}).users.hexchen.base
|
||||
];
|
||||
}
|
|
@ -1,6 +1,11 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./hexchen.nix
|
||||
];
|
||||
|
||||
home-manager.useGlobalPkgs = true;
|
||||
|
||||
users.users = {
|
||||
root = {
|
||||
|
@ -12,10 +17,14 @@
|
|||
uid = lib.mkForce 1000;
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
};
|
||||
|
||||
stuebinm = {
|
||||
uid = 1005;
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJ0tCxsEilAzV6LaNpUpcjzyEn4ptw8kFz3R+Z3YjEF hexchen@backup"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDI3T1eFS77URHZ/HVWkMOqx7W1U54zJtn9C7QWsHOtyH72i/4EVj8SxYqLllElh1kuKUXSUipPeEzVsipFVvfH0wEuTDgFffiSQ3a8lfUgdEBuoySwceEoPgc5deapkOmiDIDeeWlrRe3nqspLRrSWU1DirMxoFPbwqJXRvpl6qJPxRg+2IolDcXlZ6yxB4Vv48vzRfVzZNUz7Pjmy2ebU8PbDoFWL/S3m7yOzQpv3L7KYBz7+rkjuF3AU2vy6CAfIySkVpspZZLtkTGCIJF228ev0e8NvhuN6ZnjzXxVTQOy32HCdPdbBbicu0uHfZ5O7JX9DjGd8kk1r2dnZwwy/ hexchen@yubi5"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4CLJ+mFfq5XiBXROKewmN9WYmj+79bj/AoaR6Iud2pirulot3tkrrLe2cMjiNWFX8CGVqrsAELKUA8EyUTJfStlcTE0/QNESTRmdDaC+lZL41pWUO9KOiD6/0axAhHXrSJ0ScvbqtD0CtpnCKKxtuOflVPoUGZsH9cLKJNRKfEka0H0GgeKb5Tp618R/WNAQOwaCcXzg/nG4Bgv3gJW4Nm9IKy/MwRZqtILi8Mtd+2diTqpMwyNRmbenmRHCQ1vRw46joYkledVqrmSlfSMFgIHI1zRSBXb/JkG2IvIyB5TGbTkC4N2fqJNpH8wnCKuOvs46xmgdiRA26P48C2em3 hexchen@yubi5c"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQtJQ8fUfwsC9Q39sNpZ41RRbW91QXDLKltsYK+TLidQ5IJj2KsG/lkd433Tod6PzSvB2PcfIfnvUz7GQuS1UwXHMdLEy0/kqeYrSi6QlAxFyFBSTsUZ4d+HHwBBoXhu1Iaoch/FJNI0FhfBciIii05UyYuPj5zGgvWhnfD53Ll8HA6XVXhSK09+9GRGq57Mix5N9AkzfEF83aRUF9Qfl7Jl16rOjIgtS8hbL0kXIKUeCxZA2xi/lNHEQRriCiriPmPGOhiPcNXzbekw7IbFfE3If1CHnj7KA4KnafHAd+uHvQAce5Y4v2vMOPfGVh1cm84VTzdSPEW5V1hFjOlSnnuCQtAzkQLv8zed2NLj73GgFlcUrYKERcH84wydD0gEednNKsW8T2NzgO2eNCBf0LrcFp17qmWLv51A3jofEX5tQ3PZ7zbtR4DMUmrizrsBWDYiHJOMVeMs/9TnmIc3PL17qvVvFI7OcYxl+SPPpPtaBzxXZAMIvGFppzYxRylBcBhNvE+bXXgLFXh5cbUcwgXjvrX0y8Gv/5S4E55+i2rQMqC55+O48snoSeNlQDZV+B9setXoC93K9fBurmCX8ObnNRvvghcwUl9OBSW5K9TBdl6FF3+Z3gOCIxOMGQQKJUS5/g/eLFJ+13Y5qAPS49XJzaBiTmDrRi8x22p7sU1Q== stuebinm@in.tum.de"
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -24,7 +33,7 @@
|
|||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQqFXSlqW+D4ZtVdCiN9IT461iwyqy2taBRD3qkvXqn m@octycs.eu"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDobGLrA6YQAKdJkZMpAsqjlk744G/pCJEvAUNJDuT1Sr59BFKDchPT03exb0o39mjH4iqvw4JDI10RfylKbR1736Ji2yRLlbCzUdgv2CfZc28TAO0rscyT49RHJmzEEE5QD4Ge7MgvFBEmZKXAxntA8M8EbxxEVfzhWp3751BYkzrCbJiHMXcTb+BG9P6rmrraINmgUJxywym5PsMYt2sfHlVus3hSpWnCR/cu0nxmW9E6Tm6CzSkWOXOTdjVuc0Kgh5GXaKDROzJ9K7cJAhd5t8Yzqtpm2xfSU5FVVUH9i7PbXOo8FL82Xi6kWMgdFNLvKimxGqW+bCv3ROlyKWF4I+HQdfdL181KaOQ40jAvjmldrB/ZiEbuWYSBZ/XhxFkKrtBYPDFHq/a5lnH3OvcDm7+/LhwIKUnyZyQ2dXOLOTOEDsO/69xwNveCB8of9o/erDbOeb+d44cXUFpPMUTz4bHXEP6y+zz8TB8/aleGbLQCPUzRZfvazN95jGUDqkumi9B3Lf+W/KpjVUgu3NQsUuJn6khMYW9VefnJvHwzbWpqIzbzNePL4iZFECv4NHPQHO/katajnMbkCie9rfnLk1EjJnrSnZUInEygkW/7Eu4EQM2h7lU4HYfwP1c4ubCFdES0ELGqSuJRwd/ORDbgxbuKOQ7gZ3/lgHdr9KGqJQ== markus.amaseder@amaseder.de"
|
||||
];
|
||||
hashedPassword = "$6$qQEbD8Ejx/y$6/nkX8CmFBtAlUP/UbFKVMVlA.ZvVbjQZRABqXQjU11tKpY25ww.MCGGMEKFv.7I/UH/126/q0S3ROTqePUEc.";
|
||||
};
|
||||
|
@ -34,53 +43,20 @@
|
|||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" "cdrom" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfxXSy22k2EZwz1EtvIMwQKGWsswEBeLn5ClhuiI4Ma lukas@Conway.lan"
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt34ou3NYWoUayWrJa5ISzihAAhFiwolJPmm2fF9llPUUA8DP3BQRiKeqDlkDzhWLwztb+dNIUuregiFJdRN5Q2JZBKlM7Gqb1QtPhtK+xe2pyZPX2SWKIsKA6j3VAThhXsQdj3slXu3dG8FF7j+IFg/eTgpeQIFQQkMIc204ha8OP2ASYAJqgJVbXq8Xh3KkAc1HSrjYJLntryvK10wyU8p3ug370dMu3vRUn44FEyDzXFM9rfsgysQTzVgp+sXdRfMLeyvf+SUrE8hiPjzevF2nsUP0Xf/rIaK5VayChPLXJkulognINzvuVWAdwNPDLpgGwkjglF2681Ag88bLX allesmoeglicheundvielmehr@hotmail.de"
|
||||
];
|
||||
packages = with pkgs; [ ffmpeg ];
|
||||
};
|
||||
|
||||
moira = {
|
||||
schweby = {
|
||||
uid = 1004;
|
||||
shell = pkgs.fish;
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" "cdrom" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrcJRF71+XM5YZj+SaSiGcdVZ0IDxGBXIWssDtHiTtr moira_2022_06"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUa7NLrRqQ3j4KSGIw0vSvLMTO0gSZeCypQnJ/Viqm8 openpgp:0xBE0BE8A3"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6JWi0MBDz0Zy4zjauQv28xYmHyapb8D4zeesq91LLE schweby@txsbcct"
|
||||
];
|
||||
hashedPassword = "$6$zkAsaVdmIduqZxez$GY9aBlYeP41F0it/VbbZzLLLRQhHAbDdFsa3e/1GS9McTuSimMHODg6HqNVEH1zSqD3afhK/0UHfqbtF5qpi90";
|
||||
};
|
||||
|
||||
stuebinm = {
|
||||
uid = 1005;
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
shell = pkgs.fish;
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7J3peZGB4XGJKI1dV5PdpQS+TzmoJ7qL//ipCG7G5K stuebinm@surltesh-echer"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPB74xA2GBXnDwPEEaxWLONdQyBwjDoJHYagKRQXwO2 stuebinm@abbenay"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8e9WrHsknoFwBm/YaigOSz9VI8dXRRR5G9BX4kKt9/ stuebinm@ilex"
|
||||
];
|
||||
};
|
||||
|
||||
leah2 = {
|
||||
uid = 1006;
|
||||
shell = pkgs.fish;
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" "cdrom" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4o/ncaQUorp/BeZesPnVhzvfoqLJW3WZHtz+CWQvFU"
|
||||
];
|
||||
};
|
||||
|
||||
floppy = {
|
||||
uid = 1007;
|
||||
shell = pkgs.fish;
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" "cdrom" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyVQhFDcoMnoYivQu1h8NCTWa+2WriZ1m5BilkuUk4u"
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
11
default.nix
Normal file
11
default.nix
Normal file
|
@ -0,0 +1,11 @@
|
|||
rec {
|
||||
sources = import ./nix/sources.nix;
|
||||
pkgs = import ./pkgs {};
|
||||
inherit (pkgs) lib;
|
||||
inherit (import (sources.nix-hexchen + "/lib/hosts.nix") {
|
||||
inherit pkgs sources;
|
||||
inherit ((import sources.nix-hexchen) {}) modules;
|
||||
hostsDir = ./hosts; commonImports = [./common]; pkgsPath = ./pkgs;
|
||||
}) hosts groups;
|
||||
deploy = import (sources.nix-hexchen + "/lib/deploy.nix") { inherit pkgs hosts groups; };
|
||||
}
|
33
desktop/default.nix
Normal file
33
desktop/default.nix
Normal file
|
@ -0,0 +1,33 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
boot.plymouth.enable = true;
|
||||
nixpkgs.config = {
|
||||
mumble.speechdSupport = true;
|
||||
allowUnfree = true;
|
||||
};
|
||||
# boot.plymouth.splashBeforeUnlock = true;
|
||||
environment.systemPackages = with pkgs; [
|
||||
pulsemixer pavucontrol
|
||||
firefox git kitty j4-dmenu-desktop bemenu
|
||||
breeze-qt5 mako
|
||||
mpv youtube-dl
|
||||
wl-clipboard mumble
|
||||
xdg_utils
|
||||
slurp grim libnotify
|
||||
_1password-gui
|
||||
# gnome3.nautilus
|
||||
] ++ (with pkgs; [ alacritty picom feh copyq polybar cinnamon.nemo rofi arandr notepadqq nomacs bat ]);
|
||||
|
||||
sound.enable = true;
|
||||
hardware.pulseaudio = {
|
||||
enable = true;
|
||||
package = pkgs.pulseaudioFull;
|
||||
};
|
||||
networking.useDHCP = lib.mkDefault true;
|
||||
hardware.opengl.enable = true;
|
||||
services.xserver = {
|
||||
windowManager.bspwm.enable = true;
|
||||
layout = "de";
|
||||
};
|
||||
}
|
14
desktop/gnome.nix
Normal file
14
desktop/gnome.nix
Normal file
|
@ -0,0 +1,14 @@
|
|||
{config, lib, pkgs, ...}:
|
||||
|
||||
{
|
||||
services.xserver.displayManager.lightdm = {
|
||||
enable = true;
|
||||
};
|
||||
services.xserver = {
|
||||
enable = true;
|
||||
# videoDrivers = [ "nvidia" ];
|
||||
};
|
||||
# hardware.nvidia.modesetting.enable = true;
|
||||
|
||||
services.xserver.desktopManager.plasma5.enable = true;
|
||||
}
|
10
desktop/streaming.nix
Normal file
10
desktop/streaming.nix
Normal file
|
@ -0,0 +1,10 @@
|
|||
{ config, pkgs, ...}:
|
||||
|
||||
{
|
||||
boot = {
|
||||
extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
|
||||
kernelModules = [ "v4l2loopback" ];
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [ obs-studio ];
|
||||
}
|
|
@ -1,7 +0,0 @@
|
|||
+++
|
||||
title = "hacc infra documentation"
|
||||
page_template = "doc-page.html"
|
||||
sort_by="title"
|
||||
+++
|
||||
|
||||
|
10
docs/auth.md
10
docs/auth.md
|
@ -1,10 +0,0 @@
|
|||
+++
|
||||
title = "Authentication"
|
||||
categories = [ "services", "uffd" ]
|
||||
+++
|
||||
|
||||
We use [uffd](https://git.cccv.de/uffd/uffd) for our SSO, for better or worse.
|
||||
Mostly for worse.
|
||||
|
||||
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
+++
|
||||
title = "Domains"
|
||||
categories = [ "domains", "meta" ]
|
||||
+++
|
||||
|
||||
Perhaps too many of them.
|
||||
|
||||
## Domains
|
||||
|
||||
| domain | mc | status | date | reseller | owner | custody |
|
||||
| :------------------- | :-: | :-----: | :------: | :---------- | :--------- | :-----: |
|
||||
| 4future.dev | yes | | | | | hacc e.V. |
|
||||
| infra4future.de | yes | | | | | hacc e.V. |
|
||||
| hacc.space | yes | | | | | hacc e.V. |
|
||||
| hacc.earth | yes | | | | | hacc e.V. |
|
||||
| hacc.media | yes | | | | | hacc e.V. |
|
||||
| hacc.wiki | no | | | | | |
|
||||
|
||||
mc = managed by cloudflare
|
||||
status = (renewl | autorenewl | expires)
|
|
@ -1,16 +0,0 @@
|
|||
+++
|
||||
title = "Hostname schema"
|
||||
+++
|
||||
|
||||
[Badass Anarchist Women](https://listverse.com/2018/09/27/10-absolutely-badass-anarchist-women-who-challenged-the-system/)
|
||||
- keller
|
||||
- deCleyre
|
||||
- davidNeel
|
||||
- leGuin
|
||||
- [parsons](../parsons)
|
||||
- ohair
|
||||
- berneri
|
||||
- michel
|
||||
- sanger
|
||||
- goldman
|
||||
|
17
docs/lxc.md
17
docs/lxc.md
|
@ -1,17 +0,0 @@
|
|||
+++
|
||||
title = "LXC"
|
||||
categories = [ "lxc" ]
|
||||
+++
|
||||
|
||||
Some things don't easily run on NixOS. For these we have LXC containers running
|
||||
debian.
|
||||
|
||||
Right now, only onlyoffice is left.
|
||||
|
||||
## Useful commands
|
||||
- login to a container as root with a usable shell
|
||||
`lxc-attach -n <name> -- /usr/bin/sudo -i`
|
||||
- restarting the keycloak and ldap containers
|
||||
`lxc-stop -n <name> && lxc-start -n <name>`
|
||||
- restarting their network bridge:
|
||||
`systemctl restart lxcbr0-netdev.services`
|
|
@ -1,18 +0,0 @@
|
|||
+++
|
||||
title = "Rebooting Parsons"
|
||||
categories = [ "nix" ]
|
||||
+++
|
||||
|
||||
## Check integrity after unexpected shutdown
|
||||
These steps are only required if the server shut down unexpectedly or you suspect tampering.
|
||||
|
||||
TODO
|
||||
|
||||
## Unlock full disk encryption
|
||||
Connection to the server via the command listed in the shared password manager.
|
||||
Only the Vorstand has access to it!
|
||||
|
||||
Enter the passwords for dpool and zroot.
|
||||
|
||||
If both are correct, you will be disconnected and the server continues the boot sequence.
|
||||
The server should be up after about minute. Please check all services for availability.
|
|
@ -1,21 +0,0 @@
|
|||
+++
|
||||
title = "Secrets"
|
||||
categories = [ "services", "sops" ]
|
||||
+++
|
||||
|
||||
## Secret management
|
||||
|
||||
We use [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets which we'd
|
||||
like to have in Git but don't want to be public. Entries in `secrets.yaml` are
|
||||
encrypted for each of the age keys listed in `.sops.yaml`, which are themselves
|
||||
derived from ssh keys.
|
||||
|
||||
For the initial set up, please take a look at the sops-nix Readme file.
|
||||
|
||||
To edit the secrets file, run `sops secrets.yaml`, which will decrypt the
|
||||
file & open it in your $EDITOR, then re-encrypt it when you're done.
|
||||
|
||||
To add a new key, use `ssh-to-age` to convert your ssh key to age, and add it to
|
||||
`sops.yaml`. Then do `sops updatekeys secrets.yaml` to re-encrypt the file for
|
||||
the new set of keys.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
+++
|
||||
title = "Services"
|
||||
sort_by = "title"
|
||||
page_template = "doc-page.html"
|
||||
+++
|
|
@ -1,19 +0,0 @@
|
|||
+++
|
||||
title = "ACME / letsencrypt"
|
||||
categories = [ "domain", "https", "ssl", "tls", "Certificates" ]
|
||||
+++
|
||||
|
||||
|
||||
# Usage
|
||||
|
||||
We use the ACME module's nginx integration for basically everything. Beware of
|
||||
rate limits when redeploying lots of things at once! Let's Encrypt is a little
|
||||
picky about those.
|
||||
|
||||
|
||||
## Workarounds & peculiar configuration choices
|
||||
|
||||
Certs live under `/var/lib/acme/`
|
||||
|
||||
If you need to remove a cert for whatever reason, be aware that there is a
|
||||
hidden `.lego` folder, that contains state as well
|
|
@ -1,68 +0,0 @@
|
|||
+++
|
||||
title = "hedgedoc"
|
||||
taxonomies.categories = [ "services" ]
|
||||
+++
|
||||
|
||||
|
||||
hegedoc was once called codiMD, so container, config and users are still called codimd.
|
||||
|
||||
**Do NOT change this** unless you're sure what you're doing.
|
||||
|
||||
We have two instances:
|
||||
- `pad-hacc`/pad.hacc.space is connected to our SSO/uffd
|
||||
- `pad-i4f`/pad.infra4future.de is not connected to our SSO and meant to be more public
|
||||
|
||||
## Basic Troubleshooting
|
||||
|
||||
Usually if hedgedoc dies, it's because postgresql wasn't there yet. Just restart
|
||||
hedgedoc.
|
||||
|
||||
## More Troubles
|
||||
log into the container and take a look at the logs
|
||||
|
||||
~~~shell
|
||||
sudo nixos-container root-login codimd
|
||||
journalctl -e
|
||||
~~~
|
||||
|
||||
### fixing failed database upgrades
|
||||
|
||||
see https://docs.hedgedoc.org/guides/migration-troubleshooting/ (copied below
|
||||
for convenience?):
|
||||
|
||||
In some cases, HedgeDoc might apply migrations without correctly saving the
|
||||
progress. It will then refuse to start with "already exists"-errors like
|
||||
ERROR: type "enum_Notes_permission" already exists.
|
||||
|
||||
Get the name of the failing migration and append .js to it. For example, if
|
||||
you encounter this error:
|
||||
|
||||
~~~
|
||||
== 20180306150303-fix-enum: migrating =======
|
||||
|
||||
ERROR: type "enum_Notes_permission" already exists
|
||||
~~~
|
||||
|
||||
the name of the failed migration would be 20180306150303-fix-enum.js.
|
||||
|
||||
The SQL-statement may look like this:
|
||||
|
||||
~~~
|
||||
INSERT INTO "SequelizeMeta" (name) VALUES ('20180306150303-fix-enum.js');
|
||||
~~~
|
||||
|
||||
Make sure HedgeDoc does not run and insert the name into the SequelizeMeta table.
|
||||
Enter the container switch to the postgres user, open psql and commect to the
|
||||
codimd database:
|
||||
|
||||
~~~shell
|
||||
su postgres
|
||||
psql
|
||||
\l
|
||||
\c codimd
|
||||
UN adjusted SQL STAMEMENT from above ]
|
||||
\q
|
||||
~~~
|
||||
|
||||
Start HedgeDoc again and observe if it starts correctly. It may be necessary to
|
||||
repeat this process and insert multiple migrations into the SequelizeMeta table.
|
|
@ -1,65 +0,0 @@
|
|||
+++
|
||||
title = "mail"
|
||||
taxonomies.categories = [ "services" ]
|
||||
+++
|
||||
|
||||
Mail is not connected to our SSO!
|
||||
|
||||
## adding a mail account
|
||||
- We use `@hacc.space` for our mails
|
||||
- `@infra4future.de` is reserved for services, old user accounts will be
|
||||
forwarded & logins disabled
|
||||
- choose a name (no aliases or other names can be the same)
|
||||
- generate a sha-512 password hash ```mkpasswd -m sha-512``` - **never add an
|
||||
unhashed password!**
|
||||
- add your account to `loginAccounts =` in `//parsons/mail.nix`
|
||||
- build and redeploy parsons
|
||||
|
||||
**example:**
|
||||
```
|
||||
zwoelfontheshelf@hacc.space" = {
|
||||
hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUEdxrxdtgvzuGOkBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
|
||||
};
|
||||
```
|
||||
|
||||
## adding to a forward address
|
||||
- add the mail address to the corresponding `extraVirtualAliases =`
|
||||
- build and redeploy parsons
|
||||
|
||||
## adding a forward address
|
||||
- add the address to `extraVirtualAliases =`
|
||||
- add the addresses it should forward to
|
||||
- build and redeploy parsons
|
||||
|
||||
**example:**
|
||||
```
|
||||
"himmel@hacc.space" = [
|
||||
"hexchen@hacc.space"
|
||||
"zauberberg@hacc.space"
|
||||
];
|
||||
```
|
||||
|
||||
## sending & receiving mail
|
||||
|
||||
### as a user
|
||||
- Your mail client should auto configure correctly
|
||||
|
||||
~~~
|
||||
mailserver: mail.hacc.space (everywhere)
|
||||
username: $your_mail_address
|
||||
sending via smtp: port 587 or 465
|
||||
recieving
|
||||
imap: port 993
|
||||
TLS and STARTTLS are supported
|
||||
~~~
|
||||
|
||||
- You can send mail as you and any alias you receive mail from. Set a second Identity in your e-mail client
|
||||
|
||||
### as an application
|
||||
- mailserver: `mail.hacc.space`
|
||||
- Do **not** use port 25. It's for server to server communication only.
|
||||
- Use smtp ports `587` or `465`
|
||||
- enable TLS if possible
|
||||
- only send mail from `noreply@infra4future.de`
|
||||
- Password is somewhere (TODO!)
|
||||
|
|
@ -1,40 +0,0 @@
|
|||
+++
|
||||
title = "mumble"
|
||||
taxonomies.categories = [ "mumble" ]
|
||||
+++
|
||||
|
||||
|
||||
[offical Docmuentation](https://wiki.mumble.info/wiki/Main_Page)
|
||||
|
||||
Mumble's server is called murmur, but the naming is inconsistent. Sometimes
|
||||
it's also just called mumble server.
|
||||
|
||||
# Usage
|
||||
|
||||
## registration
|
||||
Users need to be registered to join any other channel than public.
|
||||
An already registered user has to register them with the server.
|
||||
1. right click on the username
|
||||
2. choose register in the menu. Done.
|
||||
|
||||
## restricted channels
|
||||
Every channel in the hacc category except for plenum can only be accessed by
|
||||
members of the hacc group.
|
||||
|
||||
## adding users to a group
|
||||
Only admins can edit groups, and only registered users can be added to groups.
|
||||
1. right click on the Root channel
|
||||
2. select Edit...
|
||||
2. In Groups select $groupname
|
||||
3. make the change you want to make
|
||||
4. click "OK"
|
||||
|
||||
# Config details
|
||||
- the server is not registered with mumble & not on the public server list
|
||||
- the bitrate is set to 128kb/s; otherwise the client would complain that the
|
||||
server bitrate is less then the configured (default) in its local settings
|
||||
|
||||
# Hacks
|
||||
- murmur needs a TLS cert, which we get via the ACME module
|
||||
- there's a funny group setup so that hopefully murmurd can read the cert
|
||||
- this seems to work fine now, but was some source of trouble in the past
|
|
@ -1,18 +0,0 @@
|
|||
+++
|
||||
title = "$Service Name"
|
||||
draft = true ## Remove this line to make file appear on website
|
||||
+++
|
||||
|
||||
<general information & pointers to official documentation>
|
||||
|
||||
# Usage
|
||||
<usage from an admin's perspective>
|
||||
|
||||
# Config Notes
|
||||
<what should one keep in mind when reading the nix file?>
|
||||
|
||||
## Updating
|
||||
<anything to keep in mind?>
|
||||
|
||||
# Hacks
|
||||
<ugly things which might break or cause general ???? states>
|
|
@ -1,24 +0,0 @@
|
|||
+++
|
||||
title = "Use ZFS snapshot"
|
||||
taxonomies.categories = [ "zfs", "snapshot", "filesystem", "backup", "update", "upgrade" ]
|
||||
+++
|
||||
|
||||
## Make a ZFS snapshot
|
||||
~~~shell
|
||||
sudo zfs snapshot zroot/safe/persist@<name>
|
||||
~~~
|
||||
|
||||
## Rollback
|
||||
|
||||
### single files
|
||||
The snapshots can be accessed under `<mountpoint>/.zfs/snapshot/...`
|
||||
|
||||
### fully
|
||||
~~~shell
|
||||
sudo zfs rollback zroot/safe/persist@<name>
|
||||
~~~
|
||||
|
||||
## Delete a ZFS snapshot
|
||||
~~~shell
|
||||
sudo zfs destroy zroot/safe/persist@<name>
|
||||
~~~
|
229
flake.lock
229
flake.lock
|
@ -1,229 +0,0 @@
|
|||
{
|
||||
"nodes": {
|
||||
"blobs": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1604995301,
|
||||
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "blobs",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"deploy-rs": {
|
||||
"inputs": {
|
||||
"flake-compat": "flake-compat",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"utils": "utils"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1727447169,
|
||||
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
|
||||
"owner": "serokell",
|
||||
"repo": "deploy-rs",
|
||||
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "serokell",
|
||||
"repo": "deploy-rs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"flake-compat": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1696426674,
|
||||
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "edolstra",
|
||||
"repo": "flake-compat",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixos-mailserver": {
|
||||
"inputs": {
|
||||
"blobs": "blobs",
|
||||
"flake-compat": [
|
||||
"deploy-rs",
|
||||
"flake-compat"
|
||||
],
|
||||
"nixpkgs": [
|
||||
"nixpkgs-unstable"
|
||||
],
|
||||
"nixpkgs-24_05": "nixpkgs-24_05"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1734370678,
|
||||
"narHash": "sha256-a8zkti1QM5Oxkdfnzr/NjrFlyqI36/kYV/X8G1jOmB4=",
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"repo": "nixos-mailserver",
|
||||
"rev": "c43d8c4a3ce84a7bebd110b06e69365484db6208",
|
||||
"type": "gitlab"
|
||||
},
|
||||
"original": {
|
||||
"owner": "simple-nixos-mailserver",
|
||||
"ref": "master",
|
||||
"repo": "nixos-mailserver",
|
||||
"type": "gitlab"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1734298236,
|
||||
"narHash": "sha256-aWhhqY44xBjMoO9r5fyPp5u8tqUNWRZ/m/P+abMSs5c=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "eb919d9300b6a18f8583f58aef16db458fbd7bec",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-24.11-small",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-24_05": {
|
||||
"locked": {
|
||||
"lastModified": 1731797254,
|
||||
"narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-24.05",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-oldstable": {
|
||||
"locked": {
|
||||
"lastModified": 1678761643,
|
||||
"narHash": "sha256-tapXZvg6Kg5Fm7Fm6i+7cRC5Exp2lX7cgMrqsfrGhuc=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c4aec3c021620d98861639946123214207e98344",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c4aec3c021620d98861639946123214207e98344",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1734318609,
|
||||
"narHash": "sha256-VPbVfHSvFs58T+kbseS7wa9WP6p2z7RJmjTnV4pAPQ0=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "66cdf593c0041cf1efc9b2889d80c9a5c497b284",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-unstable-small",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"deploy-rs": "deploy-rs",
|
||||
"nixos-mailserver": "nixos-mailserver",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-oldstable": "nixpkgs-oldstable",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
"sops-nix": "sops-nix",
|
||||
"tracktrain": "tracktrain"
|
||||
}
|
||||
},
|
||||
"sops-nix": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs-unstable"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1733965552,
|
||||
"narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"systems": {
|
||||
"locked": {
|
||||
"lastModified": 1681028828,
|
||||
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-systems",
|
||||
"repo": "default",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"tracktrain": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1720213096,
|
||||
"narHash": "sha256-GrSXD6WvyiXcHx1s+48PEZVn/MTtBJAXpgds+NdEL2g=",
|
||||
"ref": "main",
|
||||
"rev": "2943327863bfe5c6e793e5c40e473a2755d45642",
|
||||
"revCount": 126,
|
||||
"type": "git",
|
||||
"url": "https://stuebinm.eu/git/tracktrain"
|
||||
},
|
||||
"original": {
|
||||
"ref": "main",
|
||||
"type": "git",
|
||||
"url": "https://stuebinm.eu/git/tracktrain"
|
||||
}
|
||||
},
|
||||
"utils": {
|
||||
"inputs": {
|
||||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1701680307,
|
||||
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
"version": 7
|
||||
}
|
88
flake.nix
88
flake.nix
|
@ -1,88 +0,0 @@
|
|||
{
|
||||
description = "hacc infra stuff";
|
||||
|
||||
inputs = {
|
||||
nixpkgs.url = "nixpkgs/nixos-24.11-small";
|
||||
nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
|
||||
nixpkgs-oldstable.url = "github:/NixOS/nixpkgs?rev=c4aec3c021620d98861639946123214207e98344";
|
||||
|
||||
nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
|
||||
tracktrain.url = "git+https://stuebinm.eu/git/tracktrain?ref=main";
|
||||
tracktrain.flake = false;
|
||||
|
||||
deploy-rs.url = "github:serokell/deploy-rs";
|
||||
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
|
||||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";
|
||||
|
||||
# these exist mostly to make the flake.lock somewhat more human-friendly
|
||||
# note that in theory doing this might break things, but it seems fairly unlikely
|
||||
nixos-mailserver.inputs = {
|
||||
nixpkgs.follows = "nixpkgs-unstable";
|
||||
flake-compat.follows = "/deploy-rs/flake-compat";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, deploy-rs, sops-nix, ... }@inputs:
|
||||
let modules = {
|
||||
bindMounts = import ./modules/bindmounts.nix;
|
||||
nopersist = import ./modules/nopersist.nix;
|
||||
encboot = import ./modules/encboot.nix;
|
||||
};
|
||||
profiles = {
|
||||
container = import ./modules/container-profile.nix;
|
||||
};
|
||||
pkgs = import ./pkgs {
|
||||
sources = inputs;
|
||||
system = "x86_64-linux";
|
||||
config.allowUnfree = true;
|
||||
};
|
||||
in {
|
||||
nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
./parsons/configuration.nix
|
||||
./modules/buildinfo.nix
|
||||
./modules/containers.nix
|
||||
sops-nix.nixosModules.sops
|
||||
{ nixpkgs.pkgs = pkgs; }
|
||||
];
|
||||
specialArgs = {
|
||||
sources = inputs;
|
||||
inherit modules profiles;
|
||||
inherit (nixpkgs.lib) nixosSystem;
|
||||
};
|
||||
};
|
||||
|
||||
deploy.nodes.parsons = {
|
||||
hostname = "parsons";
|
||||
profiles.system = {
|
||||
user = "root";
|
||||
autoRollback = false;
|
||||
path = deploy-rs.lib.x86_64-linux.activate.nixos
|
||||
self.nixosConfigurations.parsons;
|
||||
};
|
||||
};
|
||||
|
||||
# This is highly advised, and will prevent many possible mistakes
|
||||
checks = builtins.mapAttrs
|
||||
(system: deployLib: deployLib.deployChecks self.deploy)
|
||||
deploy-rs.lib;
|
||||
|
||||
apps.x86_64-linux =
|
||||
let
|
||||
mkApp = pkg: {
|
||||
type = "app";
|
||||
program = pkgs.lib.getExe pkg;
|
||||
};
|
||||
websites = pkgs.lib.mapAttrs (name: mkApp)
|
||||
self.nixosConfigurations.parsons.config.hacc.websites.builders;
|
||||
in
|
||||
{ docs = websites."docs.hacc.space"; } // websites;
|
||||
|
||||
packages.x86_64-linux = {
|
||||
inherit (pkgs) mattermost hacc-scripts;
|
||||
};
|
||||
};
|
||||
|
||||
}
|
71
hosts/nixda/configuration.nix
Normal file
71
hosts/nixda/configuration.nix
Normal file
|
@ -0,0 +1,71 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
./hardware-config.nix
|
||||
../../common
|
||||
../../desktop
|
||||
../../desktop/streaming.nix
|
||||
../../desktop/gnome.nix
|
||||
];
|
||||
|
||||
boot.loader.grub ={
|
||||
enable = true;
|
||||
version = 2;
|
||||
efiSupport = true;
|
||||
device = "nodev";
|
||||
};
|
||||
boot.loader.efi = {
|
||||
canTouchEfiVariables = true;
|
||||
efiSysMountPoint = "/boot";
|
||||
};
|
||||
|
||||
hardware.decklink.enable = true;
|
||||
|
||||
networking.hostName = "nixda"; # Define your hostname.
|
||||
|
||||
environment.systemPackages = with pkgs; [ blackmagicDesktopVideo blender ];
|
||||
|
||||
networking.wg-quick.interfaces.cornbox = {
|
||||
privateKeyFile = "/etc/wireguard/cornbox.key";
|
||||
address = [ "195.39.247.67/28" "2a0f:4ac0:1337::12/64" ];
|
||||
postUp = "/run/wrappers/bin/ping -c5 195.39.247.65";
|
||||
peers = [
|
||||
{
|
||||
persistentKeepalive = 25;
|
||||
allowedIPs = [ "2a0f:4ac0:1337::/48" "195.39.247.64/27" ];
|
||||
publicKey = "8IWyiQL3wKP9CD/4UdS9b8mcbL67mkUyeSPORgEPvV0=";
|
||||
endpoint = "cornbox.hetzner.chaoswit.ch:51821";
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
services.xserver = {
|
||||
enable = true;
|
||||
videoDrivers = [ "nvidia" ];
|
||||
};
|
||||
hardware.nvidia.modesetting.enable = true;
|
||||
|
||||
boot.kernelPackages = pkgs.linuxPackages;
|
||||
boot.blacklistedKernelModules = [ "snd_blackmagic_io" ];
|
||||
|
||||
users.users.stream = {
|
||||
isNormalUser = true;
|
||||
password = "hacchacc";
|
||||
extraGroups = [ "audio" "video" ];
|
||||
};
|
||||
|
||||
services.pipewire.enable = true;
|
||||
services.pipewire.pulse.enable = true;
|
||||
hardware.pulseaudio.enable = lib.mkForce false;
|
||||
|
||||
# This value determines the NixOS release from which the default
|
||||
# settings for stateful data, like file locations and database versions
|
||||
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||
# this value at the release version of the first install of this system.
|
||||
# Before changing this value read the documentation for this option
|
||||
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||
system.stateVersion = "20.09"; # Did you read the comment?
|
||||
|
||||
}
|
31
hosts/nixda/hardware-config.nix
Normal file
31
hosts/nixda/hardware-config.nix
Normal file
|
@ -0,0 +1,31 @@
|
|||
{ config, lib, pkgs, modulesPath, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
[ (modulesPath + "/installer/scan/not-detected.nix")
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
|
||||
boot.initrd.kernelModules = [ ];
|
||||
boot.kernelModules = [ "kvm-amd" ];
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/dfbfee26-c2c0-4c0c-b145-6362c7650ac9";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=@nix" ];
|
||||
};
|
||||
|
||||
fileSystems."/home" =
|
||||
{ device = "/dev/disk/by-uuid/dfbfee26-c2c0-4c0c-b145-6362c7650ac9";
|
||||
fsType = "btrfs";
|
||||
options = [ "subvol=@home" ];
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/A358-97BC";
|
||||
fsType = "vfat";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
}
|
|
@ -2,46 +2,47 @@
|
|||
|
||||
{
|
||||
imports = [
|
||||
../common
|
||||
../../common
|
||||
./hardware.nix
|
||||
modules.encboot
|
||||
modules.nopersist
|
||||
./nftables.nix
|
||||
./nextcloud.nix
|
||||
./mattermost.nix
|
||||
./murmur.nix
|
||||
./hedgedoc-hacc.nix
|
||||
./hedgedoc-i4f.nix
|
||||
./mail.nix
|
||||
./forgejo.nix
|
||||
./nginx-pages.nix
|
||||
./vaultwarden.nix
|
||||
./tracktrain.nix
|
||||
./uffd.nix
|
||||
modules.network.nftables modules.nftnat
|
||||
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||
|
||||
../../services/nextcloud
|
||||
../../services/mattermost.nix
|
||||
../../services/thelounge.nix
|
||||
../../services/murmur.nix
|
||||
../../services/hedgedoc-hacc.nix
|
||||
../../services/hedgedoc-i4f.nix
|
||||
../../services/mail.nix
|
||||
../../services/syncthing.nix
|
||||
../../services/gitlab.nix
|
||||
../../services/nginx-pages.nix
|
||||
../../services/gitlab-runner.nix
|
||||
../../services/unifi.nix
|
||||
../../services/lantifa.nix
|
||||
../../services/pluto.nix
|
||||
|
||||
./lxc.nix
|
||||
./monit.nix
|
||||
];
|
||||
|
||||
hacc.bindToPersist = [ "/var/lib/acme" ];
|
||||
|
||||
hacc.encboot = {
|
||||
hexchen.encboot = {
|
||||
enable = true;
|
||||
dataset = "-a";
|
||||
networkDrivers = [ "igb" ];
|
||||
};
|
||||
|
||||
sops.defaultSopsFile = ../secrets.yaml;
|
||||
sops.age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
||||
networking.hostId = "b2867696";
|
||||
networking.useDHCP = true;
|
||||
networking.nftables.enable = true;
|
||||
|
||||
networking.hostName = "parsons";
|
||||
hexchen.nftables.nat.enable = true;
|
||||
networking.nat.internalInterfaces = ["ve-+"];
|
||||
networking.nat.externalInterface = "enp35s0";
|
||||
|
||||
networking.interfaces.enp35s0.ipv6.addresses = [{
|
||||
address = "2a01:4f9:3a:2ddb::1";
|
||||
|
@ -51,6 +52,13 @@
|
|||
address = "fe80::1";
|
||||
interface = "enp35s0";
|
||||
};
|
||||
boot = {
|
||||
kernelModules = [ "nf_nat_ftp" ];
|
||||
kernel.sysctl = {
|
||||
"net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true;
|
||||
"net.ipv4.conf.default.forwarding" = lib.mkOverride 90 true;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
@ -70,8 +78,8 @@
|
|||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
|
||||
services.restic.backups.tardis = {
|
||||
passwordFile = "/run/secrets/restic/system";
|
||||
environmentFile = "/run/secrets/restic/s3creds.env";
|
||||
passwordFile = "/persist/restic/system";
|
||||
s3CredentialsFile = "/persist/restic/system.s3creds";
|
||||
paths = [
|
||||
"/home"
|
||||
"/persist"
|
||||
|
@ -84,10 +92,5 @@
|
|||
repository = "b2:tardis-parsons:system";
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
"restic/system" = {};
|
||||
"restic/s3creds.env" = {};
|
||||
};
|
||||
|
||||
system.stateVersion = "21.05";
|
||||
}
|
|
@ -28,7 +28,6 @@
|
|||
fileSystems."/persist" =
|
||||
{ device = "zroot/safe/persist";
|
||||
fsType = "zfs";
|
||||
neededForBoot = true;
|
||||
};
|
||||
|
||||
fileSystems."/home" =
|
||||
|
@ -56,6 +55,11 @@
|
|||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/docker" =
|
||||
{ device = "zroot/local/docker";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
}
|
|
@ -8,6 +8,7 @@
|
|||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
networking.nat.internalInterfaces = [ "lxcbr0" ];
|
||||
|
||||
virtualisation.lxc.enable = true;
|
||||
virtualisation.lxc.systemConfig = ''
|
||||
|
@ -26,4 +27,10 @@
|
|||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."auth.infra4future.de" = {
|
||||
locations."/".proxyPass = "http://10.1.2.104:8080";
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
}
|
|
@ -1,28 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let cfg = config.hacc;
|
||||
|
||||
in {
|
||||
|
||||
options.hacc.bindMounts = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
default = { };
|
||||
example = { "/etc/asdf" = "/persist/asdf"; };
|
||||
};
|
||||
options.hacc.bindToPersist = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
example = [ "postgres" ];
|
||||
};
|
||||
|
||||
config.fileSystems = mapAttrs (_: device: {
|
||||
inherit device;
|
||||
options = [ "bind" ];
|
||||
}) cfg.bindMounts;
|
||||
|
||||
config.hacc.bindMounts = listToAttrs
|
||||
(map (name: { inherit name; value = "/persist${name}"; })
|
||||
cfg.bindToPersist);
|
||||
}
|
|
@ -1,29 +0,0 @@
|
|||
{ config, lib, pkgs, sources, ... }:
|
||||
|
||||
let
|
||||
self = sources.self;
|
||||
|
||||
formatDate = date: with lib.strings;
|
||||
let
|
||||
year = substring 0 4 date;
|
||||
month = substring 4 2 date;
|
||||
day = substring 6 2 date;
|
||||
hour = substring 8 2 date;
|
||||
minute = substring 10 2 date;
|
||||
second = substring 12 2 date;
|
||||
in
|
||||
"${year}-${month}-${day} ${hour}:${minute}:${second} UTC";
|
||||
in
|
||||
{
|
||||
system.nixos.label = "${config.system.nixos.release}-haccfiles-${self.shortRev or self.dirtyShortRev}";
|
||||
users.motd = ''
|
||||
Welcome to ${config.networking.hostName}, running NixOS ${config.system.nixos.release}!
|
||||
Built from haccfiles ${self.rev or self.dirtyRev}.
|
||||
Last commit was at ${formatDate self.lastModifiedDate}.
|
||||
${if self ? dirtyRev then "\nPlease remember to commit your changes.\n" else ""}
|
||||
'';
|
||||
|
||||
# used by monit
|
||||
environment.etc."haccfiles-commit".text = self.rev or self.dirtyRev;
|
||||
environment.etc."haccfiles-timestamp".text = builtins.toString self.lastModified;
|
||||
}
|
|
@ -1,18 +0,0 @@
|
|||
{ lib, ...}:
|
||||
|
||||
{
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
users.users.root.hashedPassword = "";
|
||||
networking.firewall.enable = false;
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
.:53 {
|
||||
forward . 1.1.1.1
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
system.stateVersion = lib.mkDefault "21.05";
|
||||
}
|
|
@ -1,95 +0,0 @@
|
|||
{ config, lib, pkgs, modules, profiles, sources, nixosSystem, ... }:
|
||||
|
||||
let
|
||||
mkIPv4 = index: local:
|
||||
"192.168.${if local then "100" else "101"}.${toString index}";
|
||||
mkIPv6 = index: local:
|
||||
"fd00::${if local then "100" else "101"}:${toString index}";
|
||||
|
||||
evalConfig = nixosConfig: (nixosSystem {
|
||||
inherit (config.nixpkgs) system;
|
||||
modules = [
|
||||
nixosConfig
|
||||
modules.nopersist
|
||||
profiles.container
|
||||
{ nixpkgs.pkgs = lib.mkForce pkgs; }
|
||||
];
|
||||
specialArgs = {
|
||||
inherit modules sources;
|
||||
};
|
||||
}).config.system.build.toplevel;
|
||||
|
||||
in {
|
||||
options.hacc.containers = with lib.options;
|
||||
mkOption {
|
||||
description = ''
|
||||
hacc-specific containers. These are a thin wrapper around "normal" nixos containers:
|
||||
- they automatically get an IPv4/IPv6 address assigned
|
||||
(note that these are not guaranteed to be stable across config changes,
|
||||
so please use {option}`containers.<name>.hostAddress` & friends to
|
||||
reference them elsewhere)
|
||||
- they set a couple default options (e.g. ephemeral, autoStart, privateNetwork)
|
||||
- they are evaluated with our own version of {nix}`evalConfig`, which includes a
|
||||
couple more modules by default, use our version of `nixpkgs`, and includes the
|
||||
{nix}`profiles.containers` profile setting sane defaults for containers.
|
||||
'';
|
||||
default = { };
|
||||
type = with lib.types;
|
||||
types.attrsOf (types.submodule {
|
||||
options = {
|
||||
bindToPersist = mkOption {
|
||||
default = true;
|
||||
type = types.bool;
|
||||
description =
|
||||
"Wether to mount /persist/containers/<name> at /persist into this container.";
|
||||
};
|
||||
|
||||
bindSecrets = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description =
|
||||
"Whether to mount /run/secrets/<name> at /secrets into this container.";
|
||||
};
|
||||
|
||||
config = mkOption {
|
||||
type = types.unspecified;
|
||||
description =
|
||||
"The container's config, to be evaluated with our own {nix}`evalConfig`.";
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
|
||||
# wrapped into imap1, which enumerates the containers; IP addresses are then
|
||||
# simply assigned based on the order the containers are in the list.
|
||||
config.containers = lib.mkMerge (lib.imap1
|
||||
(index: { name, value }: let container = value; in {
|
||||
${name} = {
|
||||
hostAddress = mkIPv4 index false;
|
||||
localAddress = mkIPv4 index true;
|
||||
hostAddress6 = mkIPv6 index false;
|
||||
localAddress6 = mkIPv6 index true;
|
||||
|
||||
privateNetwork = true;
|
||||
autoStart = true;
|
||||
ephemeral = true;
|
||||
|
||||
bindMounts = lib.mkMerge [
|
||||
(lib.mkIf container.bindToPersist {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/${name}";
|
||||
isReadOnly = false;
|
||||
};
|
||||
})
|
||||
(lib.mkIf container.bindSecrets {
|
||||
"/secrets" = {
|
||||
hostPath = "/run/secrets/${name}";
|
||||
isReadOnly = true;
|
||||
};
|
||||
})
|
||||
];
|
||||
|
||||
path = evalConfig container.config;
|
||||
};
|
||||
}) (lib.attrsToList config.hacc.containers));
|
||||
}
|
21
modules/decklink.nix
Normal file
21
modules/decklink.nix
Normal file
|
@ -0,0 +1,21 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.hardware.decklink;
|
||||
kernelPackages = config.boot.kernelPackages;
|
||||
in
|
||||
{
|
||||
options.hardware.decklink.enable = mkEnableOption "Enable hardware support for the Blackmagic Design Decklink audio/video interfaces.";
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
boot.kernelModules = [ "blackmagic" "blackmagic-io" "snd_blackmagic-io" ];
|
||||
boot.extraModulePackages = [ kernelPackages.decklink ];
|
||||
systemd.services."DecklinkVideoHelper" = {
|
||||
after = [ "syslog.target" "local-fs.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig.ExecStart = "${pkgs.blackmagicDesktopVideo}/bin/DesktopVideoHelper -n";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,7 +1,9 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
let
|
||||
sources = import ../nix/sources.nix;
|
||||
in {
|
||||
imports = [
|
||||
./websites.nix
|
||||
./nftnat
|
||||
./decklink.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -1,45 +0,0 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let cfg = config.hacc.encboot;
|
||||
|
||||
in {
|
||||
options = {
|
||||
hacc.encboot = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
networkDrivers = mkOption { type = with types; listOf str; };
|
||||
dataset = mkOption {
|
||||
type = types.str;
|
||||
default = "zroot";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
boot.initrd.kernelModules = cfg.networkDrivers;
|
||||
|
||||
boot.initrd.network = {
|
||||
enable = true;
|
||||
ssh = {
|
||||
enable = true;
|
||||
port = 2222;
|
||||
authorizedKeys = with lib;
|
||||
concatLists (mapAttrsToList (name: user:
|
||||
if elem "wheel" user.extraGroups then
|
||||
user.openssh.authorizedKeys.keys
|
||||
else
|
||||
[ ]) config.users.users);
|
||||
hostKeys = [ /etc/ssh/encboot_host ];
|
||||
};
|
||||
|
||||
postCommands = ''
|
||||
zpool import ${cfg.dataset}
|
||||
echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
255
modules/mattermost.nix
Normal file
255
modules/mattermost.nix
Normal file
|
@ -0,0 +1,255 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
cfg = config.services.mattermost-patched;
|
||||
|
||||
defaultConfig = builtins.fromJSON (builtins.replaceStrings [ "\\u0026" ] [ "&" ]
|
||||
(readFile "${pkgs.mattermost}/config/config.json")
|
||||
);
|
||||
|
||||
database = "postgres://${cfg.localDatabaseUser}:${cfg.localDatabasePassword}@localhost:5432/${cfg.localDatabaseName}?sslmode=disable&connect_timeout=10";
|
||||
|
||||
mattermostConf = foldl recursiveUpdate defaultConfig
|
||||
[ { ServiceSettings.SiteURL = cfg.siteUrl;
|
||||
ServiceSettings.ListenAddress = cfg.listenAddress;
|
||||
TeamSettings.SiteName = cfg.siteName;
|
||||
}
|
||||
cfg.extraConfig
|
||||
];
|
||||
|
||||
mattermostConfJSON = pkgs.writeText "mattermost-config-raw.json" (builtins.toJSON mattermostConf);
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
options = {
|
||||
services.mattermost-patched = {
|
||||
enable = mkEnableOption "Mattermost chat server";
|
||||
|
||||
statePath = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/mattermost";
|
||||
description = "Mattermost working directory";
|
||||
};
|
||||
|
||||
siteUrl = mkOption {
|
||||
type = types.str;
|
||||
example = "https://chat.example.com";
|
||||
description = ''
|
||||
URL this Mattermost instance is reachable under, without trailing slash.
|
||||
'';
|
||||
};
|
||||
|
||||
siteName = mkOption {
|
||||
type = types.str;
|
||||
default = "Mattermost";
|
||||
description = "Name of this Mattermost site.";
|
||||
};
|
||||
|
||||
listenAddress = mkOption {
|
||||
type = types.str;
|
||||
default = ":8065";
|
||||
example = "[::1]:8065";
|
||||
description = ''
|
||||
Address and port this Mattermost instance listens to.
|
||||
'';
|
||||
};
|
||||
|
||||
mutableConfig = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether the Mattermost config.json is writeable by Mattermost.
|
||||
|
||||
Most of the settings can be edited in the system console of
|
||||
Mattermost if this option is enabled. A template config using
|
||||
the options specified in services.mattermost will be generated
|
||||
but won't be overwritten on changes or rebuilds.
|
||||
|
||||
If this option is disabled, changes in the system console won't
|
||||
be possible (default). If an config.json is present, it will be
|
||||
overwritten!
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.attrs;
|
||||
default = { };
|
||||
description = ''
|
||||
Addtional configuration options as Nix attribute set in config.json schema.
|
||||
'';
|
||||
};
|
||||
|
||||
secretConfig = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Path to a json file containing secret config values, which should
|
||||
not be written into the Nix store. If it is not null (the default)
|
||||
and mutableConfig is set to false, then the mattermost service will
|
||||
join the file at this path into its config.
|
||||
|
||||
Note that this file cannot be used to overwrite values already
|
||||
specified by the other options of this module.
|
||||
'';
|
||||
};
|
||||
|
||||
localDatabaseCreate = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Create a local PostgreSQL database for Mattermost automatically.
|
||||
'';
|
||||
};
|
||||
|
||||
localDatabaseName = mkOption {
|
||||
type = types.str;
|
||||
default = "mattermost";
|
||||
description = ''
|
||||
Local Mattermost database name.
|
||||
'';
|
||||
};
|
||||
|
||||
localDatabaseUser = mkOption {
|
||||
type = types.str;
|
||||
default = "mattermost";
|
||||
description = ''
|
||||
Local Mattermost database username.
|
||||
'';
|
||||
};
|
||||
|
||||
localDatabasePassword = mkOption {
|
||||
type = types.str;
|
||||
default = "mmpgsecret";
|
||||
description = ''
|
||||
Password for local Mattermost database user.
|
||||
'';
|
||||
};
|
||||
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "mattermost";
|
||||
description = ''
|
||||
User which runs the Mattermost service.
|
||||
'';
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = "mattermost";
|
||||
description = ''
|
||||
Group which runs the Mattermost service.
|
||||
'';
|
||||
};
|
||||
|
||||
matterircd = {
|
||||
enable = mkEnableOption "Mattermost IRC bridge";
|
||||
parameters = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [ ];
|
||||
example = [ "-mmserver chat.example.com" "-bind [::]:6667" ];
|
||||
description = ''
|
||||
Set commandline parameters to pass to matterircd. See
|
||||
https://github.com/42wim/matterircd#usage for more information.
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkMerge [
|
||||
(mkIf cfg.enable {
|
||||
users.users = optionalAttrs (cfg.user == "mattermost") {
|
||||
mattermost = {
|
||||
group = cfg.group;
|
||||
uid = config.ids.uids.mattermost;
|
||||
home = cfg.statePath;
|
||||
};
|
||||
};
|
||||
|
||||
users.groups = optionalAttrs (cfg.group == "mattermost") {
|
||||
mattermost.gid = config.ids.gids.mattermost;
|
||||
};
|
||||
|
||||
services.postgresql.enable = cfg.localDatabaseCreate;
|
||||
|
||||
# The systemd service will fail to execute the preStart hook
|
||||
# if the WorkingDirectory does not exist
|
||||
system.activationScripts.mattermost = ''
|
||||
mkdir -p ${cfg.statePath}
|
||||
'';
|
||||
|
||||
systemd.services.mattermost = {
|
||||
description = "Mattermost chat service";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" "postgresql.service" ];
|
||||
|
||||
preStart = ''
|
||||
mkdir -p ${cfg.statePath}/{data,config,logs}
|
||||
ln -sf ${pkgs.mattermost}/{bin,fonts,i18n,templates,client} ${cfg.statePath}
|
||||
'' + lib.optionalString (!cfg.mutableConfig) ''
|
||||
rm -f ${cfg.statePath}/config/config.json
|
||||
'' + (if cfg.secretConfig == null
|
||||
then ''
|
||||
cp ${mattermostConfJSON} ${cfg.statePath}/config/config.json
|
||||
''
|
||||
else ''
|
||||
${pkgs.jq}/bin/jq -s ".[1] * .[0]" ${cfg.secretConfig} ${mattermostConfJSON} > ${cfg.statePath}/config/config.json
|
||||
'')
|
||||
+ ''
|
||||
${pkgs.mattermost}/bin/mattermost config migrate ${cfg.statePath}/config/config.json ${database}
|
||||
'' + lib.optionalString cfg.mutableConfig ''
|
||||
if ! test -e "${cfg.statePath}/config/.initial-created"; then
|
||||
rm -f ${cfg.statePath}/config/config.json
|
||||
cp ${mattermostConfJSON} ${cfg.statePath}/config/config.json
|
||||
touch ${cfg.statePath}/config/.initial-created
|
||||
fi
|
||||
'' + lib.optionalString cfg.localDatabaseCreate ''
|
||||
if ! test -e "${cfg.statePath}/.db-created"; then
|
||||
${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} \
|
||||
${config.services.postgresql.package}/bin/psql postgres -c \
|
||||
"CREATE ROLE ${cfg.localDatabaseUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${cfg.localDatabasePassword}'"
|
||||
${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} \
|
||||
${config.services.postgresql.package}/bin/createdb \
|
||||
--owner ${cfg.localDatabaseUser} ${cfg.localDatabaseName}
|
||||
touch ${cfg.statePath}/.db-created
|
||||
fi
|
||||
'' + ''
|
||||
chown ${cfg.user}:${cfg.group} -R ${cfg.statePath}
|
||||
chmod u+rw,g+r,o-rwx -R ${cfg.statePath}
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
PermissionsStartOnly = true;
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
ExecStart = "${pkgs.mattermost}/bin/mattermost" +
|
||||
(lib.optionalString (!cfg.mutableConfig) " -c ${database}");
|
||||
WorkingDirectory = "${cfg.statePath}";
|
||||
Restart = "always";
|
||||
RestartSec = "10";
|
||||
LimitNOFILE = "49152";
|
||||
};
|
||||
unitConfig.JoinsNamespaceOf = mkIf cfg.localDatabaseCreate "postgresql.service";
|
||||
};
|
||||
})
|
||||
(mkIf cfg.matterircd.enable {
|
||||
systemd.services.matterircd = {
|
||||
description = "Mattermost IRC bridge service";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
User = "nobody";
|
||||
Group = "nogroup";
|
||||
ExecStart = "${pkgs.matterircd}/bin/matterircd ${concatStringsSep " " cfg.matterircd.parameters}";
|
||||
WorkingDirectory = "/tmp";
|
||||
PrivateTmp = true;
|
||||
Restart = "always";
|
||||
RestartSec = "5";
|
||||
};
|
||||
};
|
||||
})
|
||||
];
|
||||
}
|
746
modules/nextcloud.nix
Normal file
746
modules/nextcloud.nix
Normal file
|
@ -0,0 +1,746 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.nextcloud-patched;
|
||||
fpm = config.services.phpfpm.pools.nextcloud;
|
||||
|
||||
phpPackage =
|
||||
let
|
||||
base = pkgs.php74;
|
||||
in
|
||||
base.buildEnv {
|
||||
extensions = { enabled, all }: with all;
|
||||
enabled ++ [
|
||||
apcu redis memcached imagick
|
||||
];
|
||||
extraConfig = phpOptionsStr;
|
||||
};
|
||||
|
||||
toKeyValue = generators.toKeyValue {
|
||||
mkKeyValue = generators.mkKeyValueDefault {} " = ";
|
||||
};
|
||||
|
||||
phpOptions = {
|
||||
upload_max_filesize = cfg.maxUploadSize;
|
||||
post_max_size = cfg.maxUploadSize;
|
||||
memory_limit = cfg.maxUploadSize;
|
||||
} // cfg.phpOptions
|
||||
// optionalAttrs cfg.caching.apcu {
|
||||
"apc.enable_cli" = "1";
|
||||
};
|
||||
phpOptionsStr = toKeyValue phpOptions;
|
||||
|
||||
occ = pkgs.writeScriptBin "nextcloud-occ" ''
|
||||
#! ${pkgs.runtimeShell}
|
||||
cd ${cfg.package}
|
||||
sudo=exec
|
||||
if [[ "$USER" != nextcloud ]]; then
|
||||
sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS'
|
||||
fi
|
||||
export NEXTCLOUD_CONFIG_DIR="${cfg.home}/config"
|
||||
$sudo \
|
||||
${phpPackage}/bin/php \
|
||||
occ $*
|
||||
'';
|
||||
|
||||
inherit (config.system) stateVersion;
|
||||
|
||||
in {
|
||||
|
||||
imports = [
|
||||
(mkRemovedOptionModule [ "services" "nextcloud-patched" "nginx" "enable" ] ''
|
||||
The nextcloud module supports `nginx` as reverse-proxy by default and doesn't
|
||||
support other reverse-proxies officially.
|
||||
|
||||
However it's possible to use an alternative reverse-proxy by
|
||||
|
||||
* disabling nginx
|
||||
* setting `listen.owner` & `listen.group` in the phpfpm-pool to a different value
|
||||
|
||||
Further details about this can be found in the `Nextcloud`-section of the NixOS-manual
|
||||
(which can be openend e.g. by running `nixos-help`).
|
||||
'')
|
||||
];
|
||||
|
||||
options.services.nextcloud-patched = {
|
||||
enable = mkEnableOption "nextcloud";
|
||||
hostName = mkOption {
|
||||
type = types.str;
|
||||
description = "FQDN for the nextcloud instance.";
|
||||
};
|
||||
home = mkOption {
|
||||
type = types.str;
|
||||
default = "/var/lib/nextcloud";
|
||||
description = "Storage path of nextcloud.";
|
||||
};
|
||||
logLevel = mkOption {
|
||||
type = types.ints.between 0 4;
|
||||
default = 2;
|
||||
description = "Log level value between 0 (DEBUG) and 4 (FATAL).";
|
||||
};
|
||||
https = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Use https for generated links.";
|
||||
};
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
description = "Which package to use for the Nextcloud instance.";
|
||||
relatedPackages = [ "nextcloud18" "nextcloud19" "nextcloud20" "nextcloud21" ];
|
||||
};
|
||||
|
||||
maxUploadSize = mkOption {
|
||||
default = "512M";
|
||||
type = types.str;
|
||||
description = ''
|
||||
Defines the upload limit for files. This changes the relevant options
|
||||
in php.ini and nginx if enabled.
|
||||
'';
|
||||
};
|
||||
|
||||
skeletonDirectory = mkOption {
|
||||
default = "";
|
||||
type = types.str;
|
||||
description = ''
|
||||
The directory where the skeleton files are located. These files will be
|
||||
copied to the data directory of new users. Leave empty to not copy any
|
||||
skeleton files.
|
||||
'';
|
||||
};
|
||||
|
||||
webfinger = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Enable this option if you plan on using the webfinger plugin.
|
||||
The appropriate nginx rewrite rules will be added to your configuration.
|
||||
'';
|
||||
};
|
||||
|
||||
phpOptions = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
default = {
|
||||
short_open_tag = "Off";
|
||||
expose_php = "Off";
|
||||
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
|
||||
display_errors = "stderr";
|
||||
"opcache.enable_cli" = "1";
|
||||
"opcache.interned_strings_buffer" = "8";
|
||||
"opcache.max_accelerated_files" = "10000";
|
||||
"opcache.memory_consumption" = "128";
|
||||
"opcache.revalidate_freq" = "1";
|
||||
"opcache.fast_shutdown" = "1";
|
||||
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
|
||||
catch_workers_output = "yes";
|
||||
};
|
||||
description = ''
|
||||
Options for PHP's php.ini file for nextcloud.
|
||||
'';
|
||||
};
|
||||
|
||||
poolSettings = mkOption {
|
||||
type = with types; attrsOf (oneOf [ str int bool ]);
|
||||
default = {
|
||||
"pm" = "dynamic";
|
||||
"pm.max_children" = "32";
|
||||
"pm.start_servers" = "2";
|
||||
"pm.min_spare_servers" = "2";
|
||||
"pm.max_spare_servers" = "4";
|
||||
"pm.max_requests" = "500";
|
||||
};
|
||||
description = ''
|
||||
Options for nextcloud's PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.
|
||||
'';
|
||||
};
|
||||
|
||||
poolConfig = mkOption {
|
||||
type = types.nullOr types.lines;
|
||||
default = null;
|
||||
description = ''
|
||||
Options for nextcloud's PHP pool. See the documentation on <literal>php-fpm.conf</literal> for details on configuration directives.
|
||||
'';
|
||||
};
|
||||
|
||||
config = {
|
||||
dbtype = mkOption {
|
||||
type = types.enum [ "sqlite" "pgsql" "mysql" ];
|
||||
default = "sqlite";
|
||||
description = "Database type.";
|
||||
};
|
||||
dbname = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = "nextcloud";
|
||||
description = "Database name.";
|
||||
};
|
||||
dbuser = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = "nextcloud";
|
||||
description = "Database user.";
|
||||
};
|
||||
dbpass = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Database password. Use <literal>dbpassFile</literal> to avoid this
|
||||
being world-readable in the <literal>/nix/store</literal>.
|
||||
'';
|
||||
};
|
||||
dbpassFile = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
The full path to a file that contains the database password.
|
||||
'';
|
||||
};
|
||||
dbhost = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = "localhost";
|
||||
description = ''
|
||||
Database host.
|
||||
|
||||
Note: for using Unix authentication with PostgreSQL, this should be
|
||||
set to <literal>/run/postgresql</literal>.
|
||||
'';
|
||||
};
|
||||
dbport = mkOption {
|
||||
type = with types; nullOr (either int str);
|
||||
default = null;
|
||||
description = "Database port.";
|
||||
};
|
||||
dbtableprefix = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = "Table prefix in Nextcloud database.";
|
||||
};
|
||||
adminuser = mkOption {
|
||||
type = types.str;
|
||||
default = "root";
|
||||
description = "Admin username.";
|
||||
};
|
||||
adminpass = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Admin password. Use <literal>adminpassFile</literal> to avoid this
|
||||
being world-readable in the <literal>/nix/store</literal>.
|
||||
'';
|
||||
};
|
||||
adminpassFile = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
The full path to a file that contains the admin's password. Must be
|
||||
readable by user <literal>nextcloud</literal>.
|
||||
'';
|
||||
};
|
||||
|
||||
extraTrustedDomains = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
Trusted domains, from which the nextcloud installation will be
|
||||
acessible. You don't need to add
|
||||
<literal>services.nextcloud.hostname</literal> here.
|
||||
'';
|
||||
};
|
||||
|
||||
trustedProxies = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = ''
|
||||
Trusted proxies, to provide if the nextcloud installation is being
|
||||
proxied to secure against e.g. spoofing.
|
||||
'';
|
||||
};
|
||||
|
||||
overwriteProtocol = mkOption {
|
||||
type = types.nullOr (types.enum [ "http" "https" ]);
|
||||
default = null;
|
||||
example = "https";
|
||||
|
||||
description = ''
|
||||
Force Nextcloud to always use HTTPS i.e. for link generation. Nextcloud
|
||||
uses the currently used protocol by default, but when behind a reverse-proxy,
|
||||
it may use <literal>http</literal> for everything although Nextcloud
|
||||
may be served via HTTPS.
|
||||
'';
|
||||
};
|
||||
|
||||
defaultPhoneRegion = mkOption {
|
||||
default = null;
|
||||
type = types.nullOr types.str;
|
||||
example = "DE";
|
||||
description = ''
|
||||
<warning>
|
||||
<para>This option exists since Nextcloud 21! If older versions are used,
|
||||
this will throw an eval-error!</para>
|
||||
</warning>
|
||||
|
||||
<link xlink:href="https://www.iso.org/iso-3166-country-codes.html">ISO 3611-1</link>
|
||||
country codes for automatic phone-number detection without a country code.
|
||||
|
||||
With e.g. <literal>DE</literal> set, the <literal>+49</literal> can be omitted for
|
||||
phone-numbers.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
caching = {
|
||||
apcu = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to load the APCu module into PHP.
|
||||
'';
|
||||
};
|
||||
redis = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to load the Redis module into PHP.
|
||||
You still need to enable Redis in your config.php.
|
||||
See https://docs.nextcloud.com/server/14/admin_manual/configuration_server/caching_configuration.html
|
||||
'';
|
||||
};
|
||||
memcached = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to load the Memcached module into PHP.
|
||||
You still need to enable Memcached in your config.php.
|
||||
See https://docs.nextcloud.com/server/14/admin_manual/configuration_server/caching_configuration.html
|
||||
'';
|
||||
};
|
||||
};
|
||||
autoUpdateApps = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Run regular auto update of all apps installed from the nextcloud app store.
|
||||
'';
|
||||
};
|
||||
startAt = mkOption {
|
||||
type = with types; either str (listOf str);
|
||||
default = "05:00:00";
|
||||
example = "Sun 14:00:00";
|
||||
description = ''
|
||||
When to run the update. See `systemd.services.<name>.startAt`.
|
||||
'';
|
||||
};
|
||||
};
|
||||
occ = mkOption {
|
||||
type = types.package;
|
||||
default = occ;
|
||||
internal = true;
|
||||
description = ''
|
||||
The nextcloud-occ program preconfigured to target this Nextcloud instance.
|
||||
'';
|
||||
};
|
||||
|
||||
extraOptions = mkOption {
|
||||
type = types.attrs;
|
||||
default = "";
|
||||
description = ''
|
||||
Extra options which should be appended to nextcloud's config.php file
|
||||
'';
|
||||
};
|
||||
|
||||
secretFile = mkOption {
|
||||
type = types.nullOr types.str;
|
||||
default = null;
|
||||
description = ''
|
||||
Secret options which will be appended to nextcloud's config.php file (written in JSON, in the same
|
||||
form as the `extraOptions` option).
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable (mkMerge [
|
||||
{ assertions = let acfg = cfg.config; in [
|
||||
{ assertion = !(acfg.dbpass != null && acfg.dbpassFile != null);
|
||||
message = "Please specify no more than one of dbpass or dbpassFile";
|
||||
}
|
||||
{ assertion = ((acfg.adminpass != null || acfg.adminpassFile != null)
|
||||
&& !(acfg.adminpass != null && acfg.adminpassFile != null));
|
||||
message = "Please specify exactly one of adminpass or adminpassFile";
|
||||
}
|
||||
{ assertion = versionOlder cfg.package.version "21" -> cfg.config.defaultPhoneRegion == null;
|
||||
message = "The `defaultPhoneRegion'-setting is only supported for Nextcloud >=21!";
|
||||
}
|
||||
];
|
||||
|
||||
warnings = []
|
||||
++ (optional (cfg.poolConfig != null) ''
|
||||
Using config.services.nextcloud.poolConfig is deprecated and will become unsupported in a future release.
|
||||
Please migrate your configuration to config.services.nextcloud.poolSettings.
|
||||
'')
|
||||
++ (optional (versionOlder cfg.package.version "18") ''
|
||||
A legacy Nextcloud install (from before NixOS 20.03) may be installed.
|
||||
|
||||
You're currently deploying an older version of Nextcloud. This may be needed
|
||||
since Nextcloud doesn't allow major version upgrades that skip multiple
|
||||
versions (i.e. an upgrade from 16 is possible to 17, but not 16 to 18).
|
||||
|
||||
It is assumed that Nextcloud will be upgraded from version 16 to 17.
|
||||
|
||||
* If this is a fresh install, there will be no upgrade to do now.
|
||||
|
||||
* If this server already had Nextcloud installed, first deploy this to your
|
||||
server, and wait until the upgrade to 17 is finished.
|
||||
|
||||
Then, set `services.nextcloud.package` to `pkgs.nextcloud18` to upgrade to
|
||||
Nextcloud version 18. Please note that Nextcloud 19 is already out and it's
|
||||
recommended to upgrade to nextcloud19 after that.
|
||||
'')
|
||||
++ (optional (versionOlder cfg.package.version "19") ''
|
||||
A legacy Nextcloud install (from before NixOS 20.09) may be installed.
|
||||
|
||||
If/After nextcloud18 is installed successfully, you can safely upgrade to
|
||||
nextcloud19. If not, please upgrade to nextcloud18 first since Nextcloud doesn't
|
||||
support upgrades that skip multiple versions (i.e. an upgrade from 17 to 19 isn't
|
||||
possible, but an upgrade from 18 to 19).
|
||||
'')
|
||||
++ (optional (versionOlder cfg.package.version "21") ''
|
||||
The latest Nextcloud release is v21 which can be installed by setting
|
||||
`services.nextcloud.package` to `pkgs.nextcloud21`. Please note that if you're
|
||||
on `pkgs.nextcloud19`, you'll have to install `pkgs.nextcloud20` first.
|
||||
'');
|
||||
|
||||
services.nextcloud-patched.package = with pkgs;
|
||||
mkDefault (
|
||||
if pkgs ? nextcloud
|
||||
then throw ''
|
||||
The `pkgs.nextcloud`-attribute has been removed. If it's supposed to be the default
|
||||
nextcloud defined in an overlay, please set `services.nextcloud.package` to
|
||||
`pkgs.nextcloud`.
|
||||
''
|
||||
else if versionOlder stateVersion "20.03" then nextcloud17
|
||||
else if versionOlder stateVersion "20.09" then nextcloud18
|
||||
else nextcloud19
|
||||
);
|
||||
}
|
||||
|
||||
{ systemd.timers.nextcloud-cron = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
timerConfig.OnBootSec = "5m";
|
||||
timerConfig.OnUnitActiveSec = "15m";
|
||||
timerConfig.Unit = "nextcloud-cron.service";
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
# When upgrading the Nextcloud package, Nextcloud can report errors such as
|
||||
# "The files of the app [all apps in /var/lib/nextcloud/apps] were not replaced correctly"
|
||||
# Restarting phpfpm on Nextcloud package update fixes these issues (but this is a workaround).
|
||||
phpfpm-nextcloud.restartTriggers = [ cfg.package ];
|
||||
|
||||
nextcloud-setup = let
|
||||
c = cfg.config;
|
||||
writePhpArrary = a: "[${concatMapStringsSep "," (val: ''"${toString val}"'') a}]";
|
||||
overrideConfig = pkgs.writeText "nextcloud-config.php" ''
|
||||
<?php
|
||||
${optionalString (c.dbpassFile != null) ''
|
||||
function nix_read_pwd() {
|
||||
$file = "${c.dbpassFile}";
|
||||
if (!file_exists($file)) {
|
||||
throw new \RuntimeException(sprintf(
|
||||
"Cannot start Nextcloud, dbpass file %s set by NixOS doesn't exist!",
|
||||
$file
|
||||
));
|
||||
}
|
||||
|
||||
return trim(file_get_contents($file));
|
||||
}
|
||||
''}
|
||||
${optionalString (cfg.secretFile != null) ''
|
||||
function nix_read_secrets() {
|
||||
$file = "${cfg.secretFile}";
|
||||
if (!file_exists($file)) {
|
||||
throw new \RuntimeException(sprintf(
|
||||
"Cannot start Nextcloud, secrets file %s set by NixOS doesn't exist!",
|
||||
$file
|
||||
));
|
||||
}
|
||||
|
||||
return json_decode(file_get_contents($file));
|
||||
}
|
||||
''}
|
||||
$CONFIG = [
|
||||
'apps_paths' => [
|
||||
[ 'path' => '${cfg.home}/apps', 'url' => '/apps', 'writable' => false ],
|
||||
[ 'path' => '${cfg.home}/store-apps', 'url' => '/store-apps', 'writable' => true ],
|
||||
],
|
||||
'datadirectory' => '${cfg.home}/data',
|
||||
'skeletondirectory' => '${cfg.skeletonDirectory}',
|
||||
${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"}
|
||||
'log_type' => 'syslog',
|
||||
'log_level' => '${builtins.toString cfg.logLevel}',
|
||||
${optionalString (c.overwriteProtocol != null) "'overwriteprotocol' => '${c.overwriteProtocol}',"}
|
||||
${optionalString (c.dbname != null) "'dbname' => '${c.dbname}',"}
|
||||
${optionalString (c.dbhost != null) "'dbhost' => '${c.dbhost}',"}
|
||||
${optionalString (c.dbport != null) "'dbport' => '${toString c.dbport}',"}
|
||||
${optionalString (c.dbuser != null) "'dbuser' => '${c.dbuser}',"}
|
||||
${optionalString (c.dbtableprefix != null) "'dbtableprefix' => '${toString c.dbtableprefix}',"}
|
||||
${optionalString (c.dbpass != null) "'dbpassword' => '${c.dbpass}',"}
|
||||
${optionalString (c.dbpassFile != null) "'dbpassword' => nix_read_pwd(),"}
|
||||
'dbtype' => '${c.dbtype}',
|
||||
'trusted_domains' => ${writePhpArrary ([ cfg.hostName ] ++ c.extraTrustedDomains)},
|
||||
'trusted_proxies' => ${writePhpArrary (c.trustedProxies)},
|
||||
${optionalString (c.defaultPhoneRegion != null) "'default_phone_region' => '${c.defaultPhoneRegion}',"}
|
||||
];
|
||||
|
||||
$EXTRACONFIG = json_decode('${builtins.toJSON cfg.extraOptions}', true);
|
||||
|
||||
array_push($CONFIG, $EXTRACONFIG);
|
||||
${optionalString (cfg.secretFile != null) "array_push($CONFIG, nix_read_secrets());"}
|
||||
'';
|
||||
occInstallCmd = let
|
||||
dbpass = if c.dbpassFile != null
|
||||
then ''"$(<"${toString c.dbpassFile}")"''
|
||||
else if c.dbpass != null
|
||||
then ''"${toString c.dbpass}"''
|
||||
else ''""'';
|
||||
adminpass = if c.adminpassFile != null
|
||||
then ''"$(<"${toString c.adminpassFile}")"''
|
||||
else ''"${toString c.adminpass}"'';
|
||||
installFlags = concatStringsSep " \\\n "
|
||||
(mapAttrsToList (k: v: "${k} ${toString v}") {
|
||||
"--database" = ''"${c.dbtype}"'';
|
||||
# The following attributes are optional depending on the type of
|
||||
# database. Those that evaluate to null on the left hand side
|
||||
# will be omitted.
|
||||
${if c.dbname != null then "--database-name" else null} = ''"${c.dbname}"'';
|
||||
${if c.dbhost != null then "--database-host" else null} = ''"${c.dbhost}"'';
|
||||
${if c.dbport != null then "--database-port" else null} = ''"${toString c.dbport}"'';
|
||||
${if c.dbuser != null then "--database-user" else null} = ''"${c.dbuser}"'';
|
||||
"--database-pass" = dbpass;
|
||||
${if c.dbtableprefix != null
|
||||
then "--database-table-prefix" else null} = ''"${toString c.dbtableprefix}"'';
|
||||
"--admin-user" = ''"${c.adminuser}"'';
|
||||
"--admin-pass" = adminpass;
|
||||
"--data-dir" = ''"${cfg.home}/data"'';
|
||||
});
|
||||
in ''
|
||||
${occ}/bin/nextcloud-occ maintenance:install \
|
||||
${installFlags}
|
||||
'';
|
||||
occSetTrustedDomainsCmd = concatStringsSep "\n" (imap0
|
||||
(i: v: ''
|
||||
${occ}/bin/nextcloud-occ config:system:set trusted_domains \
|
||||
${toString i} --value="${toString v}"
|
||||
'') ([ cfg.hostName ] ++ cfg.config.extraTrustedDomains));
|
||||
|
||||
in {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
before = [ "phpfpm-nextcloud.service" ];
|
||||
path = [ occ ];
|
||||
script = ''
|
||||
chmod og+x ${cfg.home}
|
||||
|
||||
${optionalString (c.dbpassFile != null) ''
|
||||
if [ ! -r "${c.dbpassFile}" ]; then
|
||||
echo "dbpassFile ${c.dbpassFile} is not readable by nextcloud:nextcloud! Aborting..."
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "$(<${c.dbpassFile})" ]; then
|
||||
echo "dbpassFile ${c.dbpassFile} is empty!"
|
||||
exit 1
|
||||
fi
|
||||
''}
|
||||
${optionalString (c.adminpassFile != null) ''
|
||||
if [ ! -r "${c.adminpassFile}" ]; then
|
||||
echo "adminpassFile ${c.adminpassFile} is not readable by nextcloud:nextcloud! Aborting..."
|
||||
exit 1
|
||||
fi
|
||||
if [ -z "$(<${c.adminpassFile})" ]; then
|
||||
echo "adminpassFile ${c.adminpassFile} is empty!"
|
||||
exit 1
|
||||
fi
|
||||
''}
|
||||
|
||||
ln -sf ${cfg.package}/apps ${cfg.home}/
|
||||
|
||||
# create nextcloud directories.
|
||||
# if the directories exist already with wrong permissions, we fix that
|
||||
for dir in ${cfg.home}/config ${cfg.home}/data ${cfg.home}/store-apps; do
|
||||
if [ ! -e $dir ]; then
|
||||
install -o nextcloud -g nextcloud -d $dir
|
||||
elif [ $(stat -c "%G" $dir) != "nextcloud" ]; then
|
||||
chgrp -R nextcloud $dir
|
||||
fi
|
||||
done
|
||||
|
||||
ln -sf ${overrideConfig} ${cfg.home}/config/override.config.php
|
||||
|
||||
# Do not install if already installed
|
||||
if [[ ! -e ${cfg.home}/config/config.php ]]; then
|
||||
${occInstallCmd}
|
||||
fi
|
||||
|
||||
${occ}/bin/nextcloud-occ upgrade
|
||||
|
||||
${occ}/bin/nextcloud-occ config:system:delete trusted_domains
|
||||
${occSetTrustedDomainsCmd}
|
||||
'';
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.User = "nextcloud";
|
||||
};
|
||||
nextcloud-cron = {
|
||||
environment.NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.User = "nextcloud";
|
||||
serviceConfig.ExecStart = "${phpPackage}/bin/php -f ${cfg.package}/cron.php";
|
||||
};
|
||||
nextcloud-update-plugins = mkIf cfg.autoUpdateApps.enable {
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.ExecStart = "${occ}/bin/nextcloud-occ app:update --all";
|
||||
serviceConfig.User = "nextcloud";
|
||||
startAt = cfg.autoUpdateApps.startAt;
|
||||
};
|
||||
};
|
||||
|
||||
services.phpfpm = {
|
||||
pools.nextcloud = {
|
||||
user = "nextcloud";
|
||||
group = "nextcloud";
|
||||
phpOptions = phpOptionsStr;
|
||||
phpPackage = phpPackage;
|
||||
phpEnv = {
|
||||
NEXTCLOUD_CONFIG_DIR = "${cfg.home}/config";
|
||||
PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin";
|
||||
};
|
||||
settings = mapAttrs (name: mkDefault) {
|
||||
"listen.owner" = config.services.nginx.user;
|
||||
"listen.group" = config.services.nginx.group;
|
||||
} // cfg.poolSettings;
|
||||
extraConfig = cfg.poolConfig;
|
||||
};
|
||||
};
|
||||
|
||||
users.users.nextcloud = {
|
||||
home = "${cfg.home}";
|
||||
group = "nextcloud";
|
||||
createHome = true;
|
||||
isSystemUser = true;
|
||||
};
|
||||
users.groups.nextcloud.members = [ "nextcloud" config.services.nginx.user ];
|
||||
|
||||
environment.systemPackages = [ occ ];
|
||||
|
||||
services.nginx.enable = mkDefault true;
|
||||
|
||||
services.nginx.virtualHosts.${cfg.hostName} = let
|
||||
major = toInt (versions.major cfg.package.version);
|
||||
in {
|
||||
root = cfg.package;
|
||||
locations = {
|
||||
"= /robots.txt" = {
|
||||
priority = 100;
|
||||
extraConfig = ''
|
||||
allow all;
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
'';
|
||||
};
|
||||
"= /" = {
|
||||
priority = 100;
|
||||
extraConfig = ''
|
||||
if ( $http_user_agent ~ ^DavClnt ) {
|
||||
return 302 /remote.php/webdav/$is_args$args;
|
||||
}
|
||||
'';
|
||||
};
|
||||
"/" = {
|
||||
priority = 900;
|
||||
extraConfig = "rewrite ^ /index.php;";
|
||||
};
|
||||
"~ ^/store-apps" = {
|
||||
priority = 201;
|
||||
extraConfig = "root ${cfg.home};";
|
||||
};
|
||||
"^~ /.well-known" = {
|
||||
priority = 210;
|
||||
extraConfig = ''
|
||||
absolute_redirect off;
|
||||
location = /.well-known/carddav {
|
||||
return 301 /remote.php/dav;
|
||||
}
|
||||
location = /.well-known/caldav {
|
||||
return 301 /remote.php/dav;
|
||||
}
|
||||
location ~ ^/\.well-known/(?!acme-challenge|pki-validation) {
|
||||
return 301 /index.php$request_uri;
|
||||
}
|
||||
try_files $uri $uri/ =404;
|
||||
'';
|
||||
};
|
||||
"~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig = ''
|
||||
return 404;
|
||||
'';
|
||||
"~ ^/(?:\\.(?!well-known)|autotest|occ|issue|indie|db_|console)".extraConfig = ''
|
||||
return 404;
|
||||
'';
|
||||
"~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|oc[ms]-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)" = {
|
||||
priority = 500;
|
||||
extraConfig = ''
|
||||
include ${config.services.nginx.package}/conf/fastcgi.conf;
|
||||
fastcgi_split_path_info ^(.+?\.php)(\\/.*)$;
|
||||
set $path_info $fastcgi_path_info;
|
||||
try_files $fastcgi_script_name =404;
|
||||
fastcgi_param PATH_INFO $path_info;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param HTTPS ${if cfg.https then "on" else "off"};
|
||||
fastcgi_param modHeadersAvailable true;
|
||||
fastcgi_param front_controller_active true;
|
||||
fastcgi_pass unix:${fpm.socket};
|
||||
fastcgi_intercept_errors on;
|
||||
fastcgi_request_buffering off;
|
||||
fastcgi_read_timeout 120s;
|
||||
'';
|
||||
};
|
||||
"~ \\.(?:css|js|woff2?|svg|gif|map)$".extraConfig = ''
|
||||
try_files $uri /index.php$request_uri;
|
||||
expires 6M;
|
||||
access_log off;
|
||||
'';
|
||||
"~ ^\\/(?:updater|ocs-provider|ocm-provider)(?:$|\\/)".extraConfig = ''
|
||||
try_files $uri/ =404;
|
||||
index index.php;
|
||||
'';
|
||||
"~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = ''
|
||||
try_files $uri /index.php$request_uri;
|
||||
access_log off;
|
||||
'';
|
||||
};
|
||||
extraConfig = ''
|
||||
index index.php index.html /index.php$request_uri;
|
||||
expires 1m;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-Robots-Tag none;
|
||||
add_header X-Download-Options noopen;
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
add_header X-Frame-Options sameorigin;
|
||||
add_header Referrer-Policy no-referrer;
|
||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||
client_max_body_size ${cfg.maxUploadSize};
|
||||
fastcgi_buffers 64 4K;
|
||||
fastcgi_hide_header X-Powered-By;
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_comp_level 4;
|
||||
gzip_min_length 256;
|
||||
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
||||
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
||||
|
||||
${optionalString cfg.webfinger ''
|
||||
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
|
||||
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
|
||||
''}
|
||||
'';
|
||||
};
|
||||
}
|
||||
]);
|
||||
}
|
60
modules/nftnat/default.nix
Normal file
60
modules/nftnat/default.nix
Normal file
|
@ -0,0 +1,60 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.hacc.nftables.nat;
|
||||
nats = config.networking.nat;
|
||||
in {
|
||||
options.hacc.nftables.nat = {
|
||||
enable = mkEnableOption "Wrap NAT into nftables.";
|
||||
forwardPorts = mkOption {
|
||||
type = with types; listOf (submodule {
|
||||
options = {
|
||||
ports = mkOption {
|
||||
type = types.listOf (types.either types.int (types.strMatching "[[:digit:]]+-[[:digit:]]+"));
|
||||
};
|
||||
destination = mkOption {
|
||||
type = types.str;
|
||||
example = "10.0.0.1";
|
||||
};
|
||||
proto = mkOption {
|
||||
type = types.str;
|
||||
default = "tcp";
|
||||
example = "udp";
|
||||
};
|
||||
};
|
||||
});
|
||||
default = [];
|
||||
example = [{ ports = [ 8080 "9100-9200" ]; destination = "192.168.100.2"; proto = "udp"; }];
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
networking.nat.enable = mkOverride 99 false;
|
||||
|
||||
boot = {
|
||||
kernelModules = [ "nf_nat_ftp" ];
|
||||
kernel.sysctl = {
|
||||
"net.ipv4.conf.all.forwarding" = mkOverride 90 true;
|
||||
"net.ipv4.conf.default.forwarding" = mkOverride 90 true;
|
||||
};
|
||||
};
|
||||
|
||||
networking.nftables = {
|
||||
extraConfig = ''
|
||||
table ip nat {
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority -100
|
||||
${concatMapStringsSep "\n" (rule: "iif ${nats.externalInterface} ${rule.proto} dport { ${concatStringsSep ", " (map (x: toString x) rule.ports)} } dnat ${rule.destination}") cfg.forwardPorts}
|
||||
}
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority 100
|
||||
${concatMapStringsSep "\n" (iface: "iifname ${replaceStrings ["+"] ["*"] iface} oifname ${nats.externalInterface} masquerade") nats.internalInterfaces}
|
||||
${concatMapStringsSep "\n" (addr: "ip saddr ${addr} oifname ${nats.externalInterface} masquerade") nats.internalIPs}
|
||||
}
|
||||
}
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,52 +0,0 @@
|
|||
{ config, lib, pkgs, modules, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
imports = [ modules.bindMounts ];
|
||||
|
||||
users.mutableUsers = false;
|
||||
|
||||
boot.initrd = mkIf (config.fileSystems."/".fsType or "notzfs" == "zfs") {
|
||||
network.ssh.hostKeys = mkIf config.hacc.encboot.enable
|
||||
(mkForce [ /persist/ssh/encboot_host ]);
|
||||
|
||||
postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable)
|
||||
(mkAfter ''
|
||||
zfs rollback -r ${config.fileSystems."/".device}@blank
|
||||
'');
|
||||
|
||||
systemd = mkIf config.boot.initrd.systemd.enable {
|
||||
storePaths = [ pkgs.zfs ];
|
||||
services.rollback = {
|
||||
description = "Rollback ZFS datasets to a pristine state";
|
||||
wantedBy = [ "initrd.target" ];
|
||||
after = [ "zfs-import-${head (splitString "/" config.fileSystems."/".device)}.service" ];
|
||||
before = [ "sysroot.mount" ];
|
||||
path = [ pkgs.zfs ];
|
||||
unitConfig.DefaultDependencies = "no";
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = ''
|
||||
zfs rollback -r ${config.fileSystems."/".device}@blank && echo "rollback complete"
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
hostKeys = [
|
||||
{
|
||||
path = "/persist/ssh/ssh_host_ed25519_key";
|
||||
type = "ed25519";
|
||||
}
|
||||
{
|
||||
path = "/persist/ssh/ssh_host_rsa_key";
|
||||
type = "rsa";
|
||||
bits = 4096;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
services.postgresql.dataDir =
|
||||
"/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
|
||||
}
|
|
@ -1,62 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.hacc.websites;
|
||||
in
|
||||
|
||||
{
|
||||
options.hacc.websites = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
directory = mkOption {
|
||||
type = types.path;
|
||||
description = "all subdirectories of the given path are expected to contain a (static) website";
|
||||
};
|
||||
ignore = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = "subdirectories that shouldn't be published";
|
||||
};
|
||||
builders = mkOption {
|
||||
type = types.lazyAttrsOf types.package;
|
||||
default = {};
|
||||
description = "exposes website builders, for use with nix run";
|
||||
};
|
||||
};
|
||||
|
||||
config = let
|
||||
subdirs =
|
||||
let dirAttrs = filterAttrs
|
||||
(n: v: v == "directory" || lists.elem n cfg.ignore)
|
||||
(builtins.readDir cfg.directory);
|
||||
in mapAttrsToList (n: v: n) dirAttrs;
|
||||
mkWebsiteDrv = subdir:
|
||||
pkgs.callPackage "${cfg.directory}/${subdir}" {};
|
||||
mkWebsiteVHost = subdir: {
|
||||
name = subdir;
|
||||
# the nginx virtualhost config (for all sites) goes in here
|
||||
value = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/".root =
|
||||
(mkWebsiteDrv subdir).outPath;
|
||||
};
|
||||
};
|
||||
in mkIf cfg.enable {
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts =
|
||||
listToAttrs (map mkWebsiteVHost subdirs);
|
||||
};
|
||||
hacc.websites.builders =
|
||||
listToAttrs (map (subdir: {
|
||||
name = subdir;
|
||||
value = if (mkWebsiteDrv subdir) ? watch then (mkWebsiteDrv subdir).watch else null;
|
||||
}) subdirs);
|
||||
};
|
||||
}
|
114
nix/sources.json
Normal file
114
nix/sources.json
Normal file
|
@ -0,0 +1,114 @@
|
|||
{
|
||||
"haccmap": {
|
||||
"branch": "master",
|
||||
"repo": "https://gitlab.infra4future.de/hacc/haccspace-rc3-map",
|
||||
"rev": "3b99ee7e5bb2f27044784d03572da77d39cb2427",
|
||||
"type": "git"
|
||||
},
|
||||
"home-manager": {
|
||||
"branch": "release-21.05",
|
||||
"description": "Manage a user environment using Nix [maintainer=@rycee] ",
|
||||
"homepage": "https://nix-community.github.io/home-manager/",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "b39647e52ed3c0b989e9d5c965e598ae4c38d7ef",
|
||||
"sha256": "0xw1vgwfdn75rgamcsi5j1iqfl0j06x8xp92k24wr9hayfr5m400",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/nix-community/home-manager/archive/b39647e52ed3c0b989e9d5c965e598ae4c38d7ef.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"mattermost-server": {
|
||||
"branch": "master",
|
||||
"description": "Open source Slack-alternative in Golang and React - Mattermost",
|
||||
"homepage": "https://mattermost.com",
|
||||
"owner": "mattermost",
|
||||
"repo": "mattermost-server",
|
||||
"rev": "868b8d91db6e8a0525a9e93c50a388625d426a4a",
|
||||
"sha256": "1vihpmy7253yl87arlz8y9rahk1q69blykwm3172dk1hxajr7c13",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v5.37.1.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/refs/tags/v<version>.tar.gz",
|
||||
"version": "5.37.1"
|
||||
},
|
||||
"mattermost-webapp": {
|
||||
"sha256": "00q1kcfda2z69ijpw71a6cbj76p5f57nj7pym44pp4cadi2wz180",
|
||||
"type": "tarball",
|
||||
"url": "https://releases.mattermost.com/5.37.1/mattermost-5.37.1-linux-amd64.tar.gz",
|
||||
"url_template": "https://releases.mattermost.com/<version>/mattermost-<version>-linux-amd64.tar.gz",
|
||||
"version": "5.37.1"
|
||||
},
|
||||
"mumble-website": {
|
||||
"branch": "master",
|
||||
"repo": "https://gitlab.infra4future.de/hacc/infra4future/mumble.infra4future.de.git",
|
||||
"rev": "3a70bf8aa1f4bb56524d36153b84cfb538c4f787",
|
||||
"type": "git"
|
||||
},
|
||||
"niv": {
|
||||
"branch": "master",
|
||||
"description": "Easy dependency management for Nix projects",
|
||||
"homepage": "https://github.com/nmattia/niv",
|
||||
"owner": "nmattia",
|
||||
"repo": "niv",
|
||||
"rev": "e0ca65c81a2d7a4d82a189f1e23a48d59ad42070",
|
||||
"sha256": "1pq9nh1d8nn3xvbdny8fafzw87mj7gsmp6pxkdl65w2g18rmcmzx",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/nmattia/niv/archive/e0ca65c81a2d7a4d82a189f1e23a48d59ad42070.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nix-hexchen": {
|
||||
"branch": "main",
|
||||
"ref": "main",
|
||||
"repo": "https://gitlab.com/hexchen/nixfiles",
|
||||
"rev": "ef358992030e9a6fa975a24bf4d9aa133bc72424",
|
||||
"sha256": "01hcdrpfc8g1bbc96h7gi04zmyxi9vd7392ncadwfkx5xfd2fp17",
|
||||
"type": "tarball",
|
||||
"url": "https://gitlab.com/hexchen/nixfiles/-/archive/ef358992030e9a6fa975a24bf4d9aa133bc72424.tar.gz",
|
||||
"url_template": "<repo>/-/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixos-mailserver": {
|
||||
"branch": "nixos-21.05",
|
||||
"ref": "nixos-21.05",
|
||||
"repo": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver",
|
||||
"rev": "5675b122a947b40e551438df6a623efad19fd2e7",
|
||||
"sha256": "1fwhb7a5v9c98nzhf3dyqf3a5ianqh7k50zizj8v5nmj3blxw4pi",
|
||||
"type": "tarball",
|
||||
"url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/5675b122a947b40e551438df6a623efad19fd2e7.tar.gz",
|
||||
"url_template": "<repo>/-/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixpkgs": {
|
||||
"branch": "nixos-21.05",
|
||||
"description": "Nix Packages collection",
|
||||
"homepage": "",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "2d6ab6c6b92f7aaf8bc53baba9754b9bfdce56f2",
|
||||
"sha256": "1aafqly1mcqxh0r15mrlsrs4znldhm7cizsmfp3d25lqssay6gjd",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/nixos/nixpkgs/archive/2d6ab6c6b92f7aaf8bc53baba9754b9bfdce56f2.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"branch": "nixos-unstable",
|
||||
"description": "Nix Packages collection",
|
||||
"homepage": "",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "fe01052444c1d66ed6ef76df2af798c9769e9e79",
|
||||
"sha256": "0z99hwxgrvlf0psicwd97kdqqcc3qngfzmcz7k68q6q868y8582y",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/nixos/nixpkgs/archive/fe01052444c1d66ed6ef76df2af798c9769e9e79.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
},
|
||||
"pbb-nixfiles": {
|
||||
"branch": "main",
|
||||
"repo": "https://git.petabyte.dev/petabyteboy/nixfiles.git",
|
||||
"rev": "ce2d8bbb9eaf1bbc9bd00cb60bf633ecbae86415",
|
||||
"type": "git"
|
||||
},
|
||||
"workadventure": {
|
||||
"branch": "master",
|
||||
"repo": "https://stuebinm.eu/git/workadventure-nix",
|
||||
"rev": "9adf5b9de18ebfbd5e688bb1b3f040cbc8602c6f",
|
||||
"type": "git"
|
||||
}
|
||||
}
|
174
nix/sources.nix
Normal file
174
nix/sources.nix
Normal file
|
@ -0,0 +1,174 @@
|
|||
# This file has been generated by Niv.
|
||||
|
||||
let
|
||||
|
||||
#
|
||||
# The fetchers. fetch_<type> fetches specs of type <type>.
|
||||
#
|
||||
|
||||
fetch_file = pkgs: name: spec:
|
||||
let
|
||||
name' = sanitizeName name + "-src";
|
||||
in
|
||||
if spec.builtin or true then
|
||||
builtins_fetchurl { inherit (spec) url sha256; name = name'; }
|
||||
else
|
||||
pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
|
||||
|
||||
fetch_tarball = pkgs: name: spec:
|
||||
let
|
||||
name' = sanitizeName name + "-src";
|
||||
in
|
||||
if spec.builtin or true then
|
||||
builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
|
||||
else
|
||||
pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
|
||||
|
||||
fetch_git = name: spec:
|
||||
let
|
||||
ref =
|
||||
if spec ? ref then spec.ref else
|
||||
if spec ? branch then "refs/heads/${spec.branch}" else
|
||||
if spec ? tag then "refs/tags/${spec.tag}" else
|
||||
abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
|
||||
in
|
||||
builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
|
||||
|
||||
fetch_local = spec: spec.path;
|
||||
|
||||
fetch_builtin-tarball = name: throw
|
||||
''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
|
||||
$ niv modify ${name} -a type=tarball -a builtin=true'';
|
||||
|
||||
fetch_builtin-url = name: throw
|
||||
''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
|
||||
$ niv modify ${name} -a type=file -a builtin=true'';
|
||||
|
||||
#
|
||||
# Various helpers
|
||||
#
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
|
||||
sanitizeName = name:
|
||||
(
|
||||
concatMapStrings (s: if builtins.isList s then "-" else s)
|
||||
(
|
||||
builtins.split "[^[:alnum:]+._?=-]+"
|
||||
((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
|
||||
)
|
||||
);
|
||||
|
||||
# The set of packages used when specs are fetched using non-builtins.
|
||||
mkPkgs = sources: system:
|
||||
let
|
||||
sourcesNixpkgs =
|
||||
import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
|
||||
hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
|
||||
hasThisAsNixpkgsPath = <nixpkgs> == ./.;
|
||||
in
|
||||
if builtins.hasAttr "nixpkgs" sources
|
||||
then sourcesNixpkgs
|
||||
else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
|
||||
import <nixpkgs> {}
|
||||
else
|
||||
abort
|
||||
''
|
||||
Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
|
||||
add a package called "nixpkgs" to your sources.json.
|
||||
'';
|
||||
|
||||
# The actual fetching function.
|
||||
fetch = pkgs: name: spec:
|
||||
|
||||
if ! builtins.hasAttr "type" spec then
|
||||
abort "ERROR: niv spec ${name} does not have a 'type' attribute"
|
||||
else if spec.type == "file" then fetch_file pkgs name spec
|
||||
else if spec.type == "tarball" then fetch_tarball pkgs name spec
|
||||
else if spec.type == "git" then fetch_git name spec
|
||||
else if spec.type == "local" then fetch_local spec
|
||||
else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
|
||||
else if spec.type == "builtin-url" then fetch_builtin-url name
|
||||
else
|
||||
abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
|
||||
|
||||
# If the environment variable NIV_OVERRIDE_${name} is set, then use
|
||||
# the path directly as opposed to the fetched source.
|
||||
replace = name: drv:
|
||||
let
|
||||
saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
|
||||
ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
|
||||
in
|
||||
if ersatz == "" then drv else
|
||||
# this turns the string into an actual Nix path (for both absolute and
|
||||
# relative paths)
|
||||
if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
|
||||
|
||||
# Ports of functions for older nix versions
|
||||
|
||||
# a Nix version of mapAttrs if the built-in doesn't exist
|
||||
mapAttrs = builtins.mapAttrs or (
|
||||
f: set: with builtins;
|
||||
listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
|
||||
);
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
|
||||
range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1);
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
|
||||
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
|
||||
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
|
||||
concatMapStrings = f: list: concatStrings (map f list);
|
||||
concatStrings = builtins.concatStringsSep "";
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
|
||||
optionalAttrs = cond: as: if cond then as else {};
|
||||
|
||||
# fetchTarball version that is compatible between all the versions of Nix
|
||||
builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
|
||||
let
|
||||
inherit (builtins) lessThan nixVersion fetchTarball;
|
||||
in
|
||||
if lessThan nixVersion "1.12" then
|
||||
fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
|
||||
else
|
||||
fetchTarball attrs;
|
||||
|
||||
# fetchurl version that is compatible between all the versions of Nix
|
||||
builtins_fetchurl = { url, name ? null, sha256 }@attrs:
|
||||
let
|
||||
inherit (builtins) lessThan nixVersion fetchurl;
|
||||
in
|
||||
if lessThan nixVersion "1.12" then
|
||||
fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
|
||||
else
|
||||
fetchurl attrs;
|
||||
|
||||
# Create the final "sources" from the config
|
||||
mkSources = config:
|
||||
mapAttrs (
|
||||
name: spec:
|
||||
if builtins.hasAttr "outPath" spec
|
||||
then abort
|
||||
"The values in sources.json should not have an 'outPath' attribute"
|
||||
else
|
||||
spec // { outPath = replace name (fetch config.pkgs name spec); }
|
||||
) config.sources;
|
||||
|
||||
# The "config" used by the fetchers
|
||||
mkConfig =
|
||||
{ sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
|
||||
, sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
|
||||
, system ? builtins.currentSystem
|
||||
, pkgs ? mkPkgs sources system
|
||||
}: rec {
|
||||
# The sources, i.e. the attribute set of spec name to spec
|
||||
inherit sources;
|
||||
|
||||
# The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
|
||||
inherit pkgs;
|
||||
};
|
||||
|
||||
in
|
||||
mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }
|
|
@ -1,86 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
hacc.containers.forgejo = {
|
||||
config = { lib, pkgs, ... }: {
|
||||
system.stateVersion = "21.11";
|
||||
|
||||
environment.systemPackages = [ pkgs.forgejo ];
|
||||
|
||||
hacc.bindMounts."/var/lib/forgejo" = "/persist/forgejo";
|
||||
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
package = pkgs.forgejo;
|
||||
lfs.enable = true;
|
||||
database.type = "postgres";
|
||||
settings = {
|
||||
repository = {
|
||||
DEFAULT_PRIVATE = "public";
|
||||
PREFERRED_LICENSES = "Unlicense";
|
||||
DEFAULT_BRANCH = "main";
|
||||
};
|
||||
oauth2_client = {
|
||||
ACCOUNT_LINKING = "auto";
|
||||
ENABLE_AUTO_REGISTRATION = true;
|
||||
};
|
||||
"repository.pull-requests" = {
|
||||
DEFAULT_MERGE_STYLE = "merge";
|
||||
DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true;
|
||||
};
|
||||
"repository.upload".FILE_MAX_SIZE = 1024;
|
||||
server = {
|
||||
LANDING_PAGE = "explore";
|
||||
OFFLINE_MODE = true;
|
||||
ROOT_URL = "https://git.infra4future.de";
|
||||
HTTP_PORT = 3000;
|
||||
HTTP_ADDR = "0.0.0.0";
|
||||
};
|
||||
security = { INSTALL_LOCK = true; };
|
||||
other = {
|
||||
SHOW_FOOTER_VERSION = false;
|
||||
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
|
||||
};
|
||||
cron = {
|
||||
ENABLED = true;
|
||||
NOTICE_ON_SUCCESS = true;
|
||||
};
|
||||
"cron.update_mirrors" = {
|
||||
SCHEDULE = "@every 12h";
|
||||
PULL_LIMIT = "-1";
|
||||
PUSH_LIMIT = "-1";
|
||||
};
|
||||
"cron.git_gc_repos".ENABLED = true;
|
||||
"cron.delete_old_actions".ENABLED = true;
|
||||
log.LEVEL = "Info";
|
||||
service.DISABLE_REGISTRATION = true;
|
||||
session.COOKIE_SECURE = true;
|
||||
default.APP_NAME = "0x0: git for all creatures";
|
||||
};
|
||||
};
|
||||
services.postgresql.package = pkgs.postgresql_15;
|
||||
|
||||
services.postgresqlBackup = {
|
||||
enable = true;
|
||||
databases = [ "forgejo" ];
|
||||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings = {
|
||||
PasswordAuthentication = false;
|
||||
AcceptEnv = "GIT_PROTOCOL";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."git.infra4future.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://${config.containers.forgejo.localAddress}:3000";
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,91 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
|
||||
sops.secrets = {
|
||||
"hedgedoc-hacc/env" = {};
|
||||
};
|
||||
|
||||
containers.pad-hacc.bindMounts = {
|
||||
"/secrets".hostPath = "/run/secrets/hedgedoc-hacc";
|
||||
};
|
||||
hacc.containers.pad-hacc = {
|
||||
config = { config, lib, ... }: {
|
||||
services.hedgedoc = {
|
||||
enable = true;
|
||||
settings = {
|
||||
allowAnonymous = true;
|
||||
allowFreeURL = true;
|
||||
allowGravatar = false;
|
||||
allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ];
|
||||
db = {
|
||||
host = "/run/postgresql";
|
||||
username = "codimd";
|
||||
dialect = "postgres";
|
||||
database = "codimd";
|
||||
};
|
||||
defaultPermission = "limited";
|
||||
domain = "pad.hacc.space";
|
||||
host = "0.0.0.0";
|
||||
protocolUseSSL = true;
|
||||
hsts.preload = false;
|
||||
email = false;
|
||||
oauth2 = {
|
||||
authorizationURL = "https://login.infra4future.de/oauth2/authorize";
|
||||
tokenURL = "https://login.infra4future.de/oauth2/token";
|
||||
clientID = "hedgedoc";
|
||||
# must be set to make the NixOS module happy, but env var takes precedence
|
||||
clientSecret = "lol nope";
|
||||
};
|
||||
};
|
||||
environmentFile = "/secrets/env";
|
||||
};
|
||||
systemd.services.hedgedoc.environment = {
|
||||
"CMD_LOGLEVEL" = "warn";
|
||||
"CMD_OAUTH2_USER_PROFILE_URL" = "https://login.infra4future.de/oauth2/userinfo";
|
||||
"CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "nickname";
|
||||
"CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "name";
|
||||
"CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
|
||||
"CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "codimd" ];
|
||||
ensureUsers = [{
|
||||
name = "codimd";
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
authentication = ''
|
||||
local all all trust
|
||||
host codimd codimd 127.0.0.1/32 trust
|
||||
'';
|
||||
package = pkgs.postgresql_15;
|
||||
};
|
||||
services.postgresqlBackup = {
|
||||
enable = true;
|
||||
databases = [ "codimd" ];
|
||||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."pad.hacc.earth" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
globalRedirect = "pad.hacc.space";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."pad.hacc.space" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://${config.containers.pad-hacc.localAddress}:3000";
|
||||
extraConfig = ''
|
||||
add_header Access-Control-Allow-Origin "*";
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
208
parsons/mail.nix
208
parsons/mail.nix
|
@ -1,208 +0,0 @@
|
|||
{ config, options, pkgs, lib, sources, ... }:
|
||||
|
||||
{
|
||||
imports = [ sources.nixos-mailserver.outPath ];
|
||||
|
||||
# reduce log spam
|
||||
systemd.services.rspamd.serviceConfig.LogLevelMax =
|
||||
3; # this is set to error because rspamd regularly complains about not enough learns
|
||||
systemd.services.dovecot2.serviceConfig.LogLevelMax = 5; # = notice
|
||||
|
||||
# stop postfix from dying if rspamd hiccups
|
||||
systemd.services.postfix.unitConfig = {
|
||||
Requires = lib.mkForce "dovecot2.service opendkim.service";
|
||||
};
|
||||
|
||||
mailserver = {
|
||||
mailDirectory = "/persist/mail";
|
||||
enable = true;
|
||||
fqdn = "mail.hacc.space";
|
||||
monitoring = {
|
||||
enable = true;
|
||||
alertAddress = "admin@hacc.space";
|
||||
};
|
||||
domains = [
|
||||
"hacc.space"
|
||||
"muc.hacc.space"
|
||||
"hacc.earth"
|
||||
"4future.dev"
|
||||
"4futu.re"
|
||||
"infra4future.de"
|
||||
];
|
||||
|
||||
loginAccounts = {
|
||||
"hexchen@hacc.space".hashedPassword =
|
||||
"$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/";
|
||||
|
||||
"octycs@hacc.space".hashedPassword =
|
||||
"$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg.";
|
||||
"octycs@hacc.space".aliases = [ "markus@hacc.space" ];
|
||||
|
||||
"raphael@hacc.space".hashedPassword =
|
||||
"$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/";
|
||||
|
||||
"moira@hacc.space".hashedPassword =
|
||||
"$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1";
|
||||
|
||||
"zauberberg@hacc.space".hashedPassword =
|
||||
"$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
|
||||
"zauberberg@hacc.space".aliases = [ "lukas@hacc.space" ];
|
||||
|
||||
"stuebinm@hacc.space".hashedPassword =
|
||||
"$6$mjrMQG5smqLRlm$WzmbiZnGlEXGT7hj/n2qz0nvVzGyZfMToCyLRi0wErfVEHI7y7jtWoHqIWnpcHAM29UocsIFFsUCb3XqQCwwB.";
|
||||
|
||||
"lenny@hacc.space".hashedPassword =
|
||||
"$6$EZpv9XImv5F3$p2NSoo5gLxh6NnB3/C6wF8knRTuMHqDXYF3BEscaQuk7qok2Z13xKT/6mFvvSKKBnFCuYptgnfGswmoqIzm/1/";
|
||||
"lenny@hacc.space".aliases = [ "rinderhacc@hacc.space" ];
|
||||
|
||||
"peter@hacc.space".hashedPassword =
|
||||
"$6$yvpfTC.7DDpqpsYy$7TrfmLvz/fRl.k5mSHhI67CNquJa3yEFbLuTJvpyJ8Dj7SaD2eoOHWqef.CNo.T08kYzaqMcM73whAxjXVEmc.";
|
||||
"peter@hacc.space".aliases = [ "linmob@hacc.space" ];
|
||||
|
||||
"finance@muc.hacc.space".hashedPassword =
|
||||
"$6$R3GRmvXwqnMM6q.R$Y9mrUAmMnCScsM6pKjxo2a2XPM7lHrV8FIgK0PzhYvZbxWczo7.O4dk1onYeV1mRx/nXZfkZNjqNCruCn0S2m.";
|
||||
|
||||
"noreply@hacc.space" = {
|
||||
hashedPassword =
|
||||
"$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
|
||||
};
|
||||
|
||||
"noreply@infra4future.de" = {
|
||||
hashedPassword =
|
||||
"$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
|
||||
};
|
||||
|
||||
"mattermost@hacc.space" = {
|
||||
hashedPassword =
|
||||
"$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
|
||||
};
|
||||
};
|
||||
|
||||
extraVirtualAliases = {
|
||||
# address = forward address;
|
||||
|
||||
# -- International --
|
||||
# info/contact: main entrypoint, anyone can read or reply to this.
|
||||
"info@hacc.space" = [
|
||||
"hexchen@hacc.space"
|
||||
"octycs@hacc.space"
|
||||
"raphael@hacc.space"
|
||||
"moira@hacc.space"
|
||||
"zauberberg@hacc.space"
|
||||
"stuebinm@hacc.space"
|
||||
"lenny@hacc.space"
|
||||
"peter@hacc.space"
|
||||
];
|
||||
|
||||
# admin: current people with access to the mail server and knowledge on how to use it™
|
||||
"admin@hacc.space" = [
|
||||
"hexchen@hacc.space"
|
||||
"moira@hacc.space"
|
||||
"zauberberg@hacc.space"
|
||||
"stuebinm@hacc.space"
|
||||
];
|
||||
|
||||
# voc: hacc video operation center, various streaming-related things
|
||||
"voc@hacc.space" = [
|
||||
"hexchen@hacc.space"
|
||||
"moira@hacc.space"
|
||||
"octycs@hacc.space"
|
||||
"stuebinm@hacc.space"
|
||||
"zauberberg@hacc.space"
|
||||
"lenny@hacc.space"
|
||||
"raphael@hacc.space"
|
||||
];
|
||||
|
||||
# -- Regional: Germany --
|
||||
# board of hacc e.V.
|
||||
"vorstand@hacc.space" =
|
||||
[ "raphael@hacc.space" "moira@hacc.space" "peter@hacc.space" ];
|
||||
|
||||
# members of hacc e.V.
|
||||
"mitglieder@hacc.space" = [
|
||||
"hexchen@hacc.space"
|
||||
"raphael@hacc.space"
|
||||
"moira@hacc.space"
|
||||
"zauberberg@hacc.space"
|
||||
"lenny@hacc.space"
|
||||
"octycs@hacc.space"
|
||||
"stuebinm@hacc.space"
|
||||
"peter@hacc.space"
|
||||
];
|
||||
|
||||
# -- Regional: Munich --
|
||||
"muc@hacc.space" = [
|
||||
"hexchen@hacc.space"
|
||||
"octycs@hacc.space"
|
||||
"raphael@hacc.space"
|
||||
"moira@hacc.space"
|
||||
"zauberberg@hacc.space"
|
||||
"stuebinm@hacc.space"
|
||||
"lenny@hacc.space"
|
||||
"peter@hacc.space"
|
||||
];
|
||||
};
|
||||
|
||||
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
|
||||
# down nginx and opens port 80.
|
||||
certificateScheme = "acme-nginx";
|
||||
|
||||
# Only allow implict TLS
|
||||
enableImap = false;
|
||||
enablePop3 = false;
|
||||
|
||||
# Enable the ManageSieve protocol
|
||||
enableManageSieve = true;
|
||||
|
||||
};
|
||||
|
||||
services.postfix.submissionOptions.smtpd_sender_restrictions =
|
||||
lib.mkForce "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
|
||||
services.postfix.submissionsOptions.smtpd_sender_restrictions =
|
||||
lib.mkForce "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
|
||||
|
||||
services.postfix.virtual = ''
|
||||
postmaster@hacc.space admin@hacc.space
|
||||
abuse@hacc.space admin@hacc.space
|
||||
contact@hacc.space info@hacc.space
|
||||
hello@hacc.space info@hacc.space
|
||||
haccvoc@hacc.space voc@hacc.space
|
||||
@4future.dev @hacc.space
|
||||
@4futu.re @hacc.space
|
||||
@hacc.earth @hacc.space
|
||||
@infra4future.de @hacc.space
|
||||
'';
|
||||
|
||||
services.alps = {
|
||||
enable = true;
|
||||
theme = "alps";
|
||||
smtps = {
|
||||
port = 465;
|
||||
host = "mail.hacc.space";
|
||||
};
|
||||
imaps = {
|
||||
port = 993;
|
||||
host = "mail.hacc.space";
|
||||
};
|
||||
bindIP = "[::1]";
|
||||
};
|
||||
|
||||
systemd.services.alps.after = [ "dovecot2.service" "postfix.service" ];
|
||||
systemd.services.alps.bindsTo = [ "dovecot2.service" "postfix.service" ];
|
||||
|
||||
services.nginx.virtualHosts."mail.hacc.space" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass = "http://[::1]:1323";
|
||||
};
|
||||
|
||||
hacc.bindToPersist = [
|
||||
"/var/lib/rspamd"
|
||||
"/var/lib/opendkim"
|
||||
"/var/lib/postfix"
|
||||
"/var/lib/dovecot"
|
||||
"/var/sieve"
|
||||
"/var/lib/redis-rspamd"
|
||||
"/var/dkim"
|
||||
];
|
||||
}
|
|
@ -1,64 +0,0 @@
|
|||
{ config, options, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
checkHash = pkgs.writeScriptBin "check-commit-hash" ''
|
||||
#!${lib.getExe pkgs.fish}
|
||||
set wanted (${lib.getExe pkgs.curl} -s https://git.infra4future.de/api/v1/repos/hacc/haccfiles/branches/main \
|
||||
-H 'accept: application/json' | jq -r .commit.id)
|
||||
|
||||
if test $status != 0
|
||||
echo "could not reach git.infra4future.de"
|
||||
exit 2
|
||||
end
|
||||
|
||||
set actual (cat /etc/haccfiles-commit)
|
||||
if test $status != 0
|
||||
echo "/etc/haccfiles-commit does not exist??"
|
||||
exit 2
|
||||
end
|
||||
|
||||
if test $actual != $wanted
|
||||
echo "parsons was built on $actual, but commit on main is $wanted"
|
||||
exit 1
|
||||
end
|
||||
'';
|
||||
|
||||
checkDeployAge = pkgs.writeScriptBin "check-deploy-age" ''
|
||||
#!${lib.getExe pkgs.fish}
|
||||
|
||||
set date (date +%s)
|
||||
# we do this indirection here so monit's config won't change on each deploy
|
||||
set deploytimestamp (cat /etc/haccfiles-timestamp)
|
||||
set age (expr $date - $deploytimestamp)
|
||||
|
||||
if test $age -ge (expr 3600 \* 24 \* 10)
|
||||
echo "${config.networking.hostName} has not been deployed since 10 days, perhaps someone should do updates?"
|
||||
exit 1
|
||||
end
|
||||
'';
|
||||
in
|
||||
{
|
||||
mailserver.monitoring = {
|
||||
enable = true;
|
||||
alertAddress = "admin@hacc.space";
|
||||
config = (lib.replaceStrings ["port 22"] ["port ${toString (lib.head config.services.openssh.ports)}"] options.mailserver.monitoring.config.default);
|
||||
};
|
||||
|
||||
services.monit.config = ''
|
||||
check host onlyoffice with address onlyoffice.infra4future.de
|
||||
start program "/run/current-system/sw/bin/lxc-start -n onlyoffice -f /persist/lxc/onlyoffice/config"
|
||||
stop program "/run/current-system/sw/bin/lxc-stop -n onlyoffice"
|
||||
if failed port 443 protocol https status = 302
|
||||
then restart
|
||||
|
||||
check program deployed-commit-on-main path ${lib.getExe checkHash}
|
||||
if status == 1 for 64 cycles then alert
|
||||
if status == 2 for 3 cycles then alert
|
||||
|
||||
check program is-system-running path ${pkgs.systemd}/bin/systemctl is-system-running
|
||||
if status != 0 then alert
|
||||
|
||||
check program check-deploy-age path ${lib.getExe checkDeployAge}
|
||||
if status == 1 then alert
|
||||
'';
|
||||
}
|
|
@ -1,30 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
services.murmur = {
|
||||
enable = true;
|
||||
logDays = -1;
|
||||
registerName = "hackers against climate change";
|
||||
welcometext = ''
|
||||
<br>Welcome to <b>mumble4future</b>!<br>Brought to you by <b style="color:red">infra4future</b>.<br>On <a href=https://mumble.hacc.space>mumble.hacc.space</a><br>Not confusing at all!
|
||||
'';
|
||||
sslKey = "/var/lib/acme/mumble.hacc.space/key.pem";
|
||||
sslCert = "/var/lib/acme/mumble.hacc.space/fullchain.pem";
|
||||
bandwidth = 128000;
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
|
||||
networking.firewall.allowedUDPPorts = [ config.services.murmur.port ];
|
||||
|
||||
# the mumble cert has its own group so that both nginx and murmur can read it
|
||||
users.groups.mumblecert = { };
|
||||
security.acme.certs."mumble.hacc.space" = {
|
||||
group = "mumblecert";
|
||||
extraDomainNames = [ "mumble.infra4future.de" ];
|
||||
reloadServices = [ "murmur" ];
|
||||
};
|
||||
users.users.nginx.extraGroups = [ "mumblecert" ];
|
||||
users.users.murmur.extraGroups = [ "mumblecert" ];
|
||||
|
||||
hacc.bindToPersist = [ "/var/lib/murmur" ];
|
||||
}
|
|
@ -1,89 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
containers.nextcloud.timeoutStartSec = "10 min";
|
||||
hacc.containers.nextcloud = {
|
||||
config = { config, lib, pkgs, ... }: {
|
||||
environment.systemPackages = [ pkgs.htop ];
|
||||
|
||||
services.nextcloud = {
|
||||
enable = true;
|
||||
|
||||
# must be set manually; may not be incremented by more than one at
|
||||
# a time, otherwise nextcloud WILL break
|
||||
package = pkgs.nextcloud30;
|
||||
|
||||
home = "/persist/nextcloud";
|
||||
https = true;
|
||||
|
||||
hostName = "cloud.infra4future.de";
|
||||
config = {
|
||||
dbtype = "pgsql";
|
||||
dbuser = "nextcloud";
|
||||
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
|
||||
dbname = "nextcloud";
|
||||
# socket auth does not needs this, but the module insists it does
|
||||
adminpassFile = "/persist/adminpassfile";
|
||||
adminuser = "root";
|
||||
};
|
||||
|
||||
# multiple pools may be doable using services.phpfpm.pools,
|
||||
# but i have not tried this yet. The nextcloud module defines a
|
||||
# pool "nextcloud"
|
||||
poolSettings = {
|
||||
pm = "dynamic";
|
||||
"pm.max_children" = "32";
|
||||
"pm.max_requests" = "500";
|
||||
"pm.max_spare_servers" = "4";
|
||||
"pm.min_spare_servers" = "2";
|
||||
"pm.start_servers" = "2";
|
||||
};
|
||||
|
||||
settings = {
|
||||
instanceid = "ocxlphb7fbju";
|
||||
datadirectory = "/persist/nextcloud/data";
|
||||
loglevel = 0;
|
||||
"overwrite.cli.url" = "https://cloud.infra4future.de";
|
||||
};
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql_15;
|
||||
ensureDatabases = [ "nextcloud" ];
|
||||
ensureUsers = [
|
||||
{ # by default, postgres has unix sockets enabled, and allows a
|
||||
# system user `nextcloud` to log in without other authentication
|
||||
name = "nextcloud";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
services.postgresqlBackup = {
|
||||
enable = true;
|
||||
databases = [ "nextcloud" ];
|
||||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
|
||||
# ensure that postgres is running *before* running the setup
|
||||
systemd.services."nextcloud-setup" = {
|
||||
requires = ["postgresql.service"];
|
||||
after = ["postgresql.service"];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."cloud.infra4future.de" = {
|
||||
locations."/".proxyPass = "http://${config.containers.nextcloud.localAddress}:80";
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
proxy_buffering off;
|
||||
client_max_body_size 0;
|
||||
add_header Cache-Control "no-store, no-cache, must-revalidate";
|
||||
'';
|
||||
};
|
||||
|
||||
}
|
|
@ -1,23 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
networking.firewall.enable = true;
|
||||
networking.firewall.logRefusedConnections = false;
|
||||
networking.nat.enable = true;
|
||||
|
||||
networking.nftables.enable = true;
|
||||
networking.nftables.tables.nat = {
|
||||
family = "ip";
|
||||
content = ''
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority -100
|
||||
iifname enp35s0 tcp dport { 22 } dnat ${config.containers.forgejo.localAddress}:22
|
||||
}
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority 100
|
||||
iifname lxcbr0 oifname enp35s0 masquerade
|
||||
iifname ve-* oifname enp35s0 masquerade
|
||||
}
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -1,16 +0,0 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
|
||||
{
|
||||
hacc.websites = {
|
||||
enable = true;
|
||||
directory = "${../.}/websites";
|
||||
};
|
||||
|
||||
|
||||
services.nginx.virtualHosts."parsons.hacc.space" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/~stuebinm/".root = "/persist/www/";
|
||||
};
|
||||
}
|
|
@ -1,137 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
sops.secrets = {
|
||||
"s4f-conference/env" = {};
|
||||
};
|
||||
|
||||
hacc.containers.s4f-conference = {
|
||||
bindSecrets = true;
|
||||
|
||||
config = { config, lib, pkgs, ... }: {
|
||||
systemd.services.mattermost.serviceConfig.EnvironmentFile =
|
||||
lib.mkForce "/secrets/env";
|
||||
|
||||
services.mattermost = {
|
||||
enable = true;
|
||||
siteUrl = "https://s4f-conference.infra4future.de";
|
||||
siteName = "Scientists for Future Chat";
|
||||
listenAddress = "0.0.0.0:3000";
|
||||
mutableConfig = false;
|
||||
|
||||
statePath = "/persist/mattermost";
|
||||
|
||||
extraConfig = {
|
||||
ServiceSettings = {
|
||||
TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
|
||||
EnableEmailInvitations = true;
|
||||
};
|
||||
TeamSettings = {
|
||||
EnableUserCreation = true;
|
||||
MaxUsersPerTeam = 2500;
|
||||
EnableUserDeactivation = true;
|
||||
EnableOpenServer = false;
|
||||
};
|
||||
PasswordSettings = {
|
||||
MinimumLength = 10;
|
||||
};
|
||||
FileSettings = {
|
||||
EnableFileAttachments = true;
|
||||
MaxFileSize = 52428800;
|
||||
DriverName = "local";
|
||||
Directory = "/persist/upload-storage";
|
||||
EnablePublicLink = true;
|
||||
PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
|
||||
};
|
||||
EmailSettings = {
|
||||
EnableSignUpWithEmail = true;
|
||||
EnableSignInWithEmail = true;
|
||||
EnableSignInWithUsername = true;
|
||||
SendEmailNotifications = true;
|
||||
FeedbackName = "mattermost";
|
||||
FeedbackEmail = "mattermost@infra4future.de";
|
||||
ReplyToAddress = "mattermost@infra4future.de";
|
||||
FeedbackOrganization = "∆infra4future.de";
|
||||
EnableSMTPAuth = true;
|
||||
SMTPUsername = "noreply@infra4future.de";
|
||||
SMTPServer = "mail.hacc.space";
|
||||
SMTPPort = "465";
|
||||
SMTPServerTimeout = 10;
|
||||
ConnectionSecurity = "TLS";
|
||||
};
|
||||
RateLimitSettings.Enable = false;
|
||||
PrivacySettings = {
|
||||
ShowEmailAddress = false;
|
||||
ShowFullName = true;
|
||||
};
|
||||
# to disable the extra landing page advertising the app
|
||||
NativeAppSettings = {
|
||||
AppDownloadLink = "";
|
||||
AndroidAppDownloadLink = "";
|
||||
IosAppDownloadLink = "";
|
||||
};
|
||||
LogSettings = {
|
||||
EnableConsole = true;
|
||||
ConsoleLevel = "ERROR";
|
||||
EnableDiagnostics = false;
|
||||
EnableWebhookDebugging = false;
|
||||
};
|
||||
SupportSettings = {
|
||||
TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
|
||||
PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
|
||||
AboutLink = "https://infra4future.de";
|
||||
SupportEmail = "info@infra4future.de";
|
||||
CustomTermsOfServiceEnabled = false;
|
||||
EnableAskCommunityLink = true;
|
||||
};
|
||||
AnnouncementSettings.EnableBanner = false;
|
||||
ComplianceSettings.Enable = false;
|
||||
ClusterSettings.Enable = false;
|
||||
MetricsSettings.Enable = false;
|
||||
GuestAccountsSettings.Enable = true;
|
||||
};
|
||||
|
||||
localDatabaseCreate = false;
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = lib.mkForce true; # mattermost sets this to false. wtf.
|
||||
package = pkgs.postgresql_15;
|
||||
ensureDatabases = [ "mattermost" ];
|
||||
ensureUsers = [ {
|
||||
name = "mattermost";
|
||||
ensureDBOwnership = true;
|
||||
} ];
|
||||
|
||||
authentication = lib.mkForce ''
|
||||
# Generated file; do not edit!
|
||||
local all all trust
|
||||
host mattermost mattermost ::1/128 trust
|
||||
'';
|
||||
};
|
||||
services.postgresqlBackup = {
|
||||
enable = true;
|
||||
databases = [ "mattermost" ];
|
||||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."s4f-conference.infra4future.de" = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://${config.containers.s4f-conference.localAddress}:3000";
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
# Mattermost CSR Patch
|
||||
proxy_hide_header Content-Security-Policy;
|
||||
proxy_hide_header X-Frame-Options;
|
||||
proxy_redirect off;
|
||||
|
||||
client_max_body_size 100M;
|
||||
'';
|
||||
};
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
}
|
|
@ -1,105 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
tracktrain-config = ''
|
||||
dbstring: "dbname=tracktrain"
|
||||
gtfs: /persist/gtfs.zip
|
||||
assets: ${pkgs.tracktrain}/assets
|
||||
|
||||
warp:
|
||||
port: 4000
|
||||
|
||||
login:
|
||||
enable: true
|
||||
url: https://login.infra4future.de
|
||||
clientName: tracktrain
|
||||
# clientSecret defined in env file
|
||||
|
||||
logging:
|
||||
ntfyTopic: ping.stuebinm.eu/monit
|
||||
name: ilztalbahn
|
||||
'';
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
"tracktrain/env" = {};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://${config.containers.tracktrain.localAddress}:4000";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
# note: this shadows the /metrics endpoint of tracktrain
|
||||
# in case you remove this, please consider putting something
|
||||
# else here to keep it from being publicly scrapable
|
||||
locations."/metrics/" = {
|
||||
proxyPass = "http://${config.containers.tracktrain.localAddress}:2342";
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
rewrite ^/metrics/(.*) /$1 break;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
hacc.containers.tracktrain = {
|
||||
bindSecrets = true;
|
||||
|
||||
config = { config, lib, pkgs, ... }: {
|
||||
|
||||
systemd.services.tracktrain = {
|
||||
enable = true;
|
||||
|
||||
description = "tracks trains, hopefully";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "network.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
EnvironmentFile = "/secrets/env";
|
||||
DynamicUser = true;
|
||||
};
|
||||
path = [ pkgs.wget pkgs.ntfy-sh ];
|
||||
script = ''
|
||||
cd /tmp
|
||||
ln -sf ${pkgs.writeText "tracktrain-config.yaml" tracktrain-config} config.yaml
|
||||
sleep 3
|
||||
${pkgs.tracktrain}/bin/tracktrain +RTS -T
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.postgresql.wantedBy = [ "tracktrain.service" ];
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql_15;
|
||||
ensureDatabases = [ "tracktrain" ];
|
||||
ensureUsers = [ {
|
||||
name = "tracktrain";
|
||||
ensureDBOwnership = true;
|
||||
} ];
|
||||
authentication = ''
|
||||
local all all trust
|
||||
'';
|
||||
};
|
||||
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
port = 9001;
|
||||
scrapeConfigs = [ {
|
||||
job_name = "tracktrain";
|
||||
static_configs = [{
|
||||
targets = [ "0.0.0.0:4000" ];
|
||||
}];
|
||||
} ];
|
||||
};
|
||||
|
||||
systemd.services.grafana.serviceConfig.EnvironmentFile =
|
||||
"/secrets/env";
|
||||
hacc.bindToPersist = [ "/var/lib/grafana" ];
|
||||
};
|
||||
};
|
||||
|
||||
}
|
|
@ -1,66 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
hacc.containers.uffd = {
|
||||
config = { config, lib, pkgs, ... }: {
|
||||
services.uwsgi = {
|
||||
enable = true;
|
||||
plugins = [ "python3" ];
|
||||
instance = {
|
||||
type = "normal";
|
||||
pythonPackages = _: [ pkgs.uffd ];
|
||||
module = "uffd:create_app()";
|
||||
# socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
|
||||
http = ":8080";
|
||||
env = [
|
||||
"CONFIG_PATH=/persist/uffd/uffd.conf"
|
||||
];
|
||||
hook-pre-app = "exec:FLASK_APP=${pkgs.uffd}/lib/python3.10/site-packages/uffd flask db upgrade";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."login.infra4future.de" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations = {
|
||||
"/".proxyPass = "http://${config.containers.uffd.localAddress}:8080";
|
||||
"/static".root = "${pkgs.uffd}/lib/python3.10/site-packages/uffd";
|
||||
"/static/hacc.png".return = "302 https://infra4future.de/assets/img/logo_vernetzung.png";
|
||||
"/static/infra4future.svg".return = "302 https://infra4future.de/assets/img/infra4future.svg";
|
||||
"/static/hedgedoc.svg".return = "302 https://infra4future.de/assets/img/icons/hedgedoc.svg";
|
||||
"/static/mattermost.svg".return = "302 https://infra4future.de/assets/img/icons/mattermost.svg";
|
||||
"/static/nextcloud.svg".return = "302 https://infra4future.de/assets/img/icons/nextcloud.svg";
|
||||
"/static/hot_shit.svg".return = "302 https://infra4future.de/assets/img/icons/hot_shit.svg";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.auamost = {
|
||||
enable = true;
|
||||
|
||||
description = "mattermost aua gruppensync";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig.Type = "simple";
|
||||
path = [ pkgs.fish pkgs.curl pkgs.jq ];
|
||||
script = "${pkgs.hacc-scripts}/bin/uffd-sync-mattermost-groups.fish";
|
||||
startAt = "*:0/15";
|
||||
};
|
||||
|
||||
systemd.services.uffd-account-expiry-notification = {
|
||||
enable = true;
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig.Type = "simple";
|
||||
path = [ pkgs.hacc-scripts pkgs.sqlite-interactive pkgs.postfix ];
|
||||
script = ''
|
||||
uffd-unused-accounts-notification.scm -v admin
|
||||
'';
|
||||
startAt = "weekly";
|
||||
restartIfChanged = false;
|
||||
};
|
||||
|
||||
sops.secrets."auamost/secrets.fish" = { };
|
||||
|
||||
environment.systemPackages = with pkgs; [ curl jq ];
|
||||
}
|
|
@ -1,55 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
sops.secrets = {
|
||||
"vaultwarden/env" = {};
|
||||
};
|
||||
|
||||
services.vaultwarden = {
|
||||
enable = true;
|
||||
config = {
|
||||
DATA_FOLDER="/persist/var/lib/vaultwarden/data";
|
||||
LOG_LEVEL="error";
|
||||
SIGNUPS_ALLOWED=false;
|
||||
SIGNUPS_VERIFY=true;
|
||||
SIGNUPS_DOMAINS_WHITELIST="hacc.space";
|
||||
ORG_CREATION_USERS="admin@hacc.space";
|
||||
INVITATIONS_ALLOWED=true;
|
||||
INVITATION_ORG_NAME="haccwarden";
|
||||
|
||||
TRASH_AUTO_DELETE_DAYS=90;
|
||||
|
||||
DOMAIN="https://pw.hacc.space";
|
||||
ROCKET_ADDRESS="127.0.0.1";
|
||||
ROCKET_PORT=5354;
|
||||
ROCKET_WORKERS=2;
|
||||
|
||||
SMTP_HOST="mail.hacc.space";
|
||||
SMTP_FROM="vaultwarden@hacc.space";
|
||||
SMTP_FROM_NAME="haccwarden";
|
||||
SMTP_PORT=587;
|
||||
SMTP_USERNAME="noreply@infra4future.de";
|
||||
|
||||
};
|
||||
environmentFile = "/run/secrets/vaultwarden/env";
|
||||
dbBackend = "sqlite";
|
||||
backupDir = "/persist/data/vaultwarden_backups/";
|
||||
};
|
||||
|
||||
#work around ProtectSystem=strict, cleanup
|
||||
systemd.services.vaultwarden.serviceConfig = {
|
||||
ReadWritePaths = [ "/persist/var/lib/vaultwarden" ];
|
||||
StateDirectory = lib.mkForce "";
|
||||
};
|
||||
systemd.services.backup-vaultwarden.environment.DATA_FOLDER =
|
||||
lib.mkForce "/persist/var/lib/vaultwarden/data";
|
||||
|
||||
services.nginx.virtualHosts."pw.hacc.space" = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:5354";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
}
|
25
pkgs/alps/default.nix
Normal file
25
pkgs/alps/default.nix
Normal file
|
@ -0,0 +1,25 @@
|
|||
{ lib, buildGoModule }:
|
||||
|
||||
buildGoModule rec {
|
||||
pname = "alps";
|
||||
version = "0.0.1";
|
||||
|
||||
src = fetchGit {
|
||||
url = "https://git.sr.ht/~migadu/alps";
|
||||
rev = "51498a2dc37987f55b022efb961b68a282be17ed";
|
||||
};
|
||||
|
||||
vendorSha256 = "0wc8fb03zlc1gl4nxlsh149gvpvrs3lc0smzrnam9smigg9gw4in";
|
||||
|
||||
subPackages = [ "cmd/alps" ];
|
||||
|
||||
postInstall = ''
|
||||
mkdir -p $out/share/alps
|
||||
cp -r $src/themes $out/share/alps/
|
||||
'';
|
||||
|
||||
meta = with lib; {
|
||||
description = "A simple and extensible webmail.";
|
||||
homepage = "https://git.sr.ht/~migadu/alps";
|
||||
};
|
||||
}
|
49
pkgs/blackmagic-desktop-video/default.nix
Normal file
49
pkgs/blackmagic-desktop-video/default.nix
Normal file
|
@ -0,0 +1,49 @@
|
|||
{ stdenv, requireFile, lib,
|
||||
libcxx, libcxxabi
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "blackmagic-desktop-video";
|
||||
version = "12.0";
|
||||
|
||||
buildInputs = [
|
||||
libcxx libcxxabi
|
||||
];
|
||||
|
||||
src = requireFile {
|
||||
name = "Blackmagic_Desktop_Video_Linux_12.1.tar.gz";
|
||||
url = "https://www.blackmagicdesign.com/support/download/d99c3a1740b546f094ffbb30ddf1f4c1";
|
||||
sha256 = "51febf247d22412beea2d637fcc34cc19b1a46df9a5bf0e157d95705bf7c7b73";
|
||||
};
|
||||
|
||||
setSourceRoot = ''
|
||||
tar xf Blackmagic_Desktop_Video_Linux_12.1/other/x86_64/desktopvideo-12.1a9-x86_64.tar.gz
|
||||
sourceRoot=$NIX_BUILD_TOP/desktopvideo-12.1a9-x86_64
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
runHook preInstall
|
||||
|
||||
mkdir -p $out/{bin,share/doc,lib}
|
||||
cp -r $sourceRoot/usr/share/doc/desktopvideo $out/share/doc
|
||||
cp $sourceRoot/usr/lib/*.so $out/lib
|
||||
ln -s ${libcxx}/lib/* ${libcxxabi}/lib/* $out/lib
|
||||
cp $sourceRoot/usr/lib/blackmagic/DesktopVideo/libgcc_s.so.1 $out/lib/
|
||||
cp $sourceRoot/usr/lib/blackmagic/DesktopVideo/DesktopVideoHelper $out/bin/
|
||||
runHook postInstall
|
||||
'';
|
||||
|
||||
postFixup = ''
|
||||
patchelf --set-interpreter ${stdenv.cc.bintools.dynamicLinker} \
|
||||
--set-rpath "$out/lib:${lib.makeLibraryPath [ libcxx libcxxabi ]}" \
|
||||
$out/bin/DesktopVideoHelper
|
||||
'';
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
homepage = "https://www.blackmagicdesign.com/support/family/capture-and-playback";
|
||||
maintainers = [ maintainers.hexchen ];
|
||||
license = licenses.unfree;
|
||||
description = "Supporting applications for Blackmagic Decklink. Doesn't include the desktop applications, only the helper required to make the driver work.";
|
||||
platforms = platforms.linux;
|
||||
};
|
||||
}
|
48
pkgs/decklink/default.nix
Normal file
48
pkgs/decklink/default.nix
Normal file
|
@ -0,0 +1,48 @@
|
|||
{ stdenv, requireFile, fetchpatch, kernel }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
pname = "decklink";
|
||||
version = "12.0";
|
||||
|
||||
src = requireFile {
|
||||
name = "Blackmagic_Desktop_Video_Linux_12.1.tar.gz";
|
||||
url = "https://www.blackmagicdesign.com/support/download/d99c3a1740b546f094ffbb30ddf1f4c1";
|
||||
sha256 = "51febf247d22412beea2d637fcc34cc19b1a46df9a5bf0e157d95705bf7c7b73";
|
||||
};
|
||||
|
||||
KERNELDIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
|
||||
INSTALL_MOD_PATH = placeholder "out";
|
||||
|
||||
nativeBuildInputs = kernel.moduleBuildDependencies;
|
||||
|
||||
setSourceRoot = ''
|
||||
tar xf Blackmagic_Desktop_Video_Linux_12.1/other/x86_64/desktopvideo-12.1a9-x86_64.tar.gz
|
||||
sourceRoot=$NIX_BUILD_TOP/desktopvideo-12.1a9-x86_64/usr/src
|
||||
'';
|
||||
|
||||
buildPhase = ''
|
||||
runHook preBuild
|
||||
|
||||
make -C $sourceRoot/blackmagic-12.1a9 -j$NIX_BUILD_CORES
|
||||
make -C $sourceRoot/blackmagic-io-12.1a9 -j$NIX_BUILD_CORES
|
||||
|
||||
runHook postBuild
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
runHook preInstall
|
||||
|
||||
make -C $KERNELDIR M=$sourceRoot/blackmagic-12.1a9 modules_install
|
||||
make -C $KERNELDIR M=$sourceRoot/blackmagic-io-12.1a9 modules_install
|
||||
|
||||
runHook postInstall
|
||||
'';
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
homepage = "https://www.blackmagicdesign.com/support/family/capture-and-playback";
|
||||
maintainers = [ maintainers.hexchen ];
|
||||
license = licenses.unfree;
|
||||
description = "Kernel module for the Blackmagic Design Decklink cards";
|
||||
platforms = platforms.linux;
|
||||
};
|
||||
}
|
|
@ -1,32 +1,63 @@
|
|||
{ sources, ... }@args:
|
||||
{ config ? {}, system ? builtins.currentSystem, ... }@args:
|
||||
|
||||
let
|
||||
sources = import ../nix/sources.nix;
|
||||
pkgs = import sources.nixpkgs args;
|
||||
oldstable = import sources.nixpkgs-oldstable args;
|
||||
unstable = import sources.nixpkgs-unstable args;
|
||||
|
||||
callPackage = pkgs.lib.callPackageWith (pkgs // newpkgs);
|
||||
|
||||
newpkgs = {
|
||||
alps = callPackage ./alps {};
|
||||
|
||||
mattermost = callPackage ./mattermost.nix {
|
||||
buildGoModule = unstable.buildGo122Module;
|
||||
docker = pkgs.docker.overrideAttrs (super: {
|
||||
moby = super.moby.overrideAttrs (super: {
|
||||
extraPath = super.extraPath + ":${pkgs.zfs}/bin";
|
||||
});
|
||||
});
|
||||
|
||||
linuxPackagesFor = kernel: (pkgs.linuxPackagesFor kernel).extend (_: ksuper: {
|
||||
decklink = callPackage ./decklink { kernel = ksuper.kernel; };
|
||||
});
|
||||
|
||||
blackmagicDesktopVideo = callPackage ./blackmagic-desktop-video { };
|
||||
|
||||
obs-studio = unstable.obs-studio.overrideAttrs (_: rec {
|
||||
wrapLibraries = with (pkgs // newpkgs); [
|
||||
xorg.libX11.out
|
||||
libvlc
|
||||
blackmagicDesktopVideo
|
||||
libcxx
|
||||
libcxxabi
|
||||
];
|
||||
postInstall = ''
|
||||
wrapProgram $out/bin/obs \
|
||||
--prefix "LD_LIBRARY_PATH" : "${pkgs.lib.makeLibraryPath wrapLibraries}"
|
||||
'';
|
||||
});
|
||||
|
||||
mattermost = callPackage ./mattermost {};
|
||||
|
||||
# a version of the lounge with some extra css that
|
||||
# hides things the hacc-voc doesn't need
|
||||
thelounge-hacked = pkgs.stdenv.mkDerivation {
|
||||
name = "thelounge-hacked";
|
||||
src = pkgs.thelounge;
|
||||
|
||||
phases = [ "buildPhase" "installPhase" ];
|
||||
buildPhase = ''
|
||||
cp $src/* -r .
|
||||
chmod 777 lib/node_modules/thelounge/public/css/style.css
|
||||
cat ${./thelounge/css-patch.css} >> lib/node_modules/thelounge/public/css/style.css
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out
|
||||
cp * -r $out
|
||||
'';
|
||||
};
|
||||
|
||||
morph = callPackage ./morph.nix {
|
||||
buildGoModule = unstable.buildGo122Module;
|
||||
};
|
||||
|
||||
tracktrain = import sources.tracktrain {
|
||||
nixpkgs = unstable;
|
||||
compiler = "default";
|
||||
};
|
||||
|
||||
uffd = oldstable.callPackage ./uffd { };
|
||||
|
||||
hacc-scripts = callPackage ./scripts {};
|
||||
|
||||
inherit (oldstable) uwsgi flask;
|
||||
inherit (unstable) bottom;
|
||||
};
|
||||
|
||||
in pkgs.extend(_: _: newpkgs)
|
||||
|
|
|
@ -1,85 +0,0 @@
|
|||
{ lib
|
||||
, buildGoModule
|
||||
, fetchFromGitHub
|
||||
, nix-update-script
|
||||
, fetchurl
|
||||
, nixosTests
|
||||
}:
|
||||
|
||||
buildGoModule rec {
|
||||
pname = "mattermost";
|
||||
# ESR releases only.
|
||||
# See https://docs.mattermost.com/upgrade/extended-support-release.html
|
||||
# When a new ESR version is available (e.g. 8.1.x -> 9.5.x), update
|
||||
# the version regex in passthru.updateScript as well.
|
||||
version = "9.11.5";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "mattermost";
|
||||
repo = "mattermost";
|
||||
rev = "v${version}";
|
||||
hash = "sha256-bLZFeG6kBVP0ws50wtBam/bO206sQnz6va8PATAoRAQ=";
|
||||
};
|
||||
|
||||
# Needed because buildGoModule does not support go workspaces yet.
|
||||
# We use go 1.22's workspace vendor command, which is not yet available
|
||||
# in the default version of go used in nixpkgs, nor is it used by upstream:
|
||||
# https://github.com/mattermost/mattermost/issues/26221#issuecomment-1945351597
|
||||
overrideModAttrs = (_: {
|
||||
buildPhase = ''
|
||||
make setup-go-work
|
||||
go work vendor -e
|
||||
'';
|
||||
});
|
||||
|
||||
webapp = fetchurl {
|
||||
url = "https://releases.mattermost.com/${version}/mattermost-${version}-linux-amd64.tar.gz";
|
||||
hash = "sha256-jyaJUN8wpuBivKNdm7f1mYwygO8xC+Zxy0SdkDovdsA=";
|
||||
};
|
||||
|
||||
vendorHash = "sha256-Gwv6clnq7ihoFC8ox8iEM5xp/us9jWUrcmqA9/XbxBE=";
|
||||
|
||||
modRoot = "./server";
|
||||
preBuild = ''
|
||||
make setup-go-work
|
||||
'';
|
||||
|
||||
subPackages = [ "cmd/mattermost" ];
|
||||
offlineCache = webapp;
|
||||
|
||||
tags = [ "production" ];
|
||||
|
||||
ldflags = [
|
||||
"-s"
|
||||
"-w"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.Version=${version}"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.BuildNumber=${version}-nixpkgs"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.BuildDate=1970-01-01"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.BuildHash=v${version}"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.BuildHashEnterprise=none"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.BuildEnterpriseReady=false"
|
||||
];
|
||||
|
||||
postInstall = ''
|
||||
tar --strip 1 --directory $out -xf $webapp \
|
||||
mattermost/{client,i18n,fonts,templates,config}
|
||||
|
||||
# For some reason a bunch of these files are executable
|
||||
find $out/{client,i18n,fonts,templates,config} -type f -exec chmod -x {} \;
|
||||
'';
|
||||
|
||||
passthru = {
|
||||
updateScript = nix-update-script {
|
||||
extraArgs = [ "--version-regex" "^v(9\.11\.([0-9.]+))" ];
|
||||
};
|
||||
tests.mattermost = nixosTests.mattermost;
|
||||
};
|
||||
|
||||
meta = with lib; {
|
||||
description = "Mattermost is an open source platform for secure collaboration across the entire software development lifecycle";
|
||||
homepage = "https://www.mattermost.org";
|
||||
license = with licenses; [ agpl3Only asl20 ];
|
||||
maintainers = with maintainers; [ ryantm numinit kranzes mgdelacroix ];
|
||||
mainProgram = "mattermost";
|
||||
};
|
||||
}
|
50
pkgs/mattermost/default.nix
Normal file
50
pkgs/mattermost/default.nix
Normal file
|
@ -0,0 +1,50 @@
|
|||
{ stdenv, fetchurl, fetchFromGitHub, buildGoPackage, buildEnv }:
|
||||
|
||||
let
|
||||
sources = import ../../nix/sources.nix;
|
||||
version = sources.mattermost-webapp.version;
|
||||
|
||||
mattermost-server = buildGoPackage rec {
|
||||
pname = "mattermost-server";
|
||||
inherit version;
|
||||
|
||||
src = sources.mattermost-server.outPath;
|
||||
|
||||
goPackagePath = "github.com/mattermost/mattermost-server";
|
||||
|
||||
buildFlagsArray = ''
|
||||
-ldflags=
|
||||
-X ${goPackagePath}/model.BuildNumber=nixpkgs-${version}
|
||||
'';
|
||||
|
||||
};
|
||||
|
||||
mattermost-webapp = stdenv.mkDerivation {
|
||||
pname = "mattermost-webapp";
|
||||
inherit version;
|
||||
|
||||
src = sources.mattermost-webapp;
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out
|
||||
cp -r client $out
|
||||
cp -r i18n $out
|
||||
cp -r fonts $out
|
||||
cp -r templates $out
|
||||
cp -r config $out
|
||||
'';
|
||||
};
|
||||
|
||||
in
|
||||
buildEnv {
|
||||
name = "mattermost-${version}";
|
||||
paths = [ mattermost-server mattermost-webapp ];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "Open-source, self-hosted Slack-alternative";
|
||||
homepage = "https://www.mattermost.org";
|
||||
license = with licenses; [ agpl3 asl20 ];
|
||||
maintainers = with maintainers; [ fpletz ryantm ];
|
||||
platforms = platforms.unix;
|
||||
};
|
||||
}
|
|
@ -1,33 +0,0 @@
|
|||
{ buildGoModule
|
||||
, fetchFromGitHub
|
||||
}:
|
||||
|
||||
buildGoModule rec {
|
||||
pname = "mattermost-morph";
|
||||
version = "1.1.0";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "mattermost";
|
||||
repo = "morph";
|
||||
rev = "v${version}";
|
||||
hash = "sha256-Orh/a9OlUVIlDdLXRpDAnHUmWRiM1N2oO+dijbuJzx8=";
|
||||
};
|
||||
|
||||
vendorHash = null;
|
||||
|
||||
subPackages = [ "cmd/morph" ];
|
||||
|
||||
tags = [ "production" ];
|
||||
|
||||
ldflags = [
|
||||
"-s"
|
||||
"-w"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.Version=${version}"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.BuildNumber=${version}-nixpkgs"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.BuildDate=1970-01-01"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.BuildHash=v${version}"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.BuildHashEnterprise=none"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.BuildEnterpriseReady=false"
|
||||
];
|
||||
|
||||
}
|
199
pkgs/pluto/Manifest.toml
Normal file
199
pkgs/pluto/Manifest.toml
Normal file
|
@ -0,0 +1,199 @@
|
|||
# This file is machine-generated - editing it directly is not advised
|
||||
|
||||
[[Artifacts]]
|
||||
deps = ["Pkg"]
|
||||
git-tree-sha1 = "c30985d8821e0cd73870b17b0ed0ce6dc44cb744"
|
||||
uuid = "56f22d72-fd6d-98f1-02f0-08ddc0907c33"
|
||||
version = "1.3.0"
|
||||
|
||||
[[Base64]]
|
||||
uuid = "2a0f44e3-6c83-55bd-87e4-b1978d98bd5f"
|
||||
|
||||
[[Configurations]]
|
||||
deps = ["Crayons", "ExproniconLite", "OrderedCollections", "TOML"]
|
||||
git-tree-sha1 = "b8486a417456d2fbbe2af13e24cef459c9f42429"
|
||||
uuid = "5218b696-f38b-4ac9-8b61-a12ec717816d"
|
||||
version = "0.15.4"
|
||||
|
||||
[[Crayons]]
|
||||
git-tree-sha1 = "3f71217b538d7aaee0b69ab47d9b7724ca8afa0d"
|
||||
uuid = "a8cc5b0e-0ffa-5ad4-8c14-923d3ee1735f"
|
||||
version = "4.0.4"
|
||||
|
||||
[[DataAPI]]
|
||||
git-tree-sha1 = "dfb3b7e89e395be1e25c2ad6d7690dc29cc53b1d"
|
||||
uuid = "9a962f9c-6df0-11e9-0e5d-c546b8b5ee8a"
|
||||
version = "1.6.0"
|
||||
|
||||
[[DataValueInterfaces]]
|
||||
git-tree-sha1 = "bfc1187b79289637fa0ef6d4436ebdfe6905cbd6"
|
||||
uuid = "e2d170a0-9d28-54be-80f0-106bbe20a464"
|
||||
version = "1.0.0"
|
||||
|
||||
[[Dates]]
|
||||
deps = ["Printf"]
|
||||
uuid = "ade2ca70-3891-5945-98fb-dc099432e06a"
|
||||
|
||||
[[Distributed]]
|
||||
deps = ["Random", "Serialization", "Sockets"]
|
||||
uuid = "8ba89e20-285c-5b6f-9357-94700520ee1b"
|
||||
|
||||
[[ExproniconLite]]
|
||||
git-tree-sha1 = "c97ce5069033ac15093dc44222e3ecb0d3af8966"
|
||||
uuid = "55351af7-c7e9-48d6-89ff-24e801d99491"
|
||||
version = "0.6.9"
|
||||
|
||||
[[FuzzyCompletions]]
|
||||
deps = ["REPL"]
|
||||
git-tree-sha1 = "9cde086faa37f32794be3d2df393ff064d43cd66"
|
||||
uuid = "fb4132e2-a121-4a70-b8a1-d5b831dcdcc2"
|
||||
version = "0.4.1"
|
||||
|
||||
[[HTTP]]
|
||||
deps = ["Base64", "Dates", "IniFile", "MbedTLS", "NetworkOptions", "Sockets", "URIs"]
|
||||
git-tree-sha1 = "b855bf8247d6e946c75bb30f593bfe7fe591058d"
|
||||
uuid = "cd3eb016-35fb-5094-929b-558a96fad6f3"
|
||||
version = "0.9.8"
|
||||
|
||||
[[IniFile]]
|
||||
deps = ["Test"]
|
||||
git-tree-sha1 = "098e4d2c533924c921f9f9847274f2ad89e018b8"
|
||||
uuid = "83e8ac13-25f8-5344-8a64-a9f2b223428f"
|
||||
version = "0.5.0"
|
||||
|
||||
[[InteractiveUtils]]
|
||||
deps = ["Markdown"]
|
||||
uuid = "b77e0a4c-d291-57a0-90e8-8db25a27a240"
|
||||
|
||||
[[IteratorInterfaceExtensions]]
|
||||
git-tree-sha1 = "a3f24677c21f5bbe9d2a714f95dcd58337fb2856"
|
||||
uuid = "82899510-4779-5014-852e-03e436cf321d"
|
||||
version = "1.0.0"
|
||||
|
||||
[[JLLWrappers]]
|
||||
deps = ["Preferences"]
|
||||
git-tree-sha1 = "642a199af8b68253517b80bd3bfd17eb4e84df6e"
|
||||
uuid = "692b3bcd-3c85-4b1f-b108-f13ce0eb3210"
|
||||
version = "1.3.0"
|
||||
|
||||
[[LibGit2]]
|
||||
deps = ["Printf"]
|
||||
uuid = "76f85450-5226-5b5a-8eaa-529ad045b433"
|
||||
|
||||
[[Libdl]]
|
||||
uuid = "8f399da3-3557-5675-b5ff-fb832c97cbdb"
|
||||
|
||||
[[LinearAlgebra]]
|
||||
deps = ["Libdl"]
|
||||
uuid = "37e2e46d-f89d-539d-b4ee-838fcccc9c8e"
|
||||
|
||||
[[Logging]]
|
||||
uuid = "56ddb016-857b-54e1-b83d-db4d58db5568"
|
||||
|
||||
[[Markdown]]
|
||||
deps = ["Base64"]
|
||||
uuid = "d6f4376e-aef5-505a-96c1-9c027394607a"
|
||||
|
||||
[[MbedTLS]]
|
||||
deps = ["Dates", "MbedTLS_jll", "Random", "Sockets"]
|
||||
git-tree-sha1 = "1c38e51c3d08ef2278062ebceade0e46cefc96fe"
|
||||
uuid = "739be429-bea8-5141-9913-cc70e7f3736d"
|
||||
version = "1.0.3"
|
||||
|
||||
[[MbedTLS_jll]]
|
||||
deps = ["Artifacts", "JLLWrappers", "Libdl", "Pkg"]
|
||||
git-tree-sha1 = "0eef589dd1c26a3ac9d753fe1a8bcad63f956fa6"
|
||||
uuid = "c8ffd9c3-330d-5841-b78e-0817d7145fa1"
|
||||
version = "2.16.8+1"
|
||||
|
||||
[[MsgPack]]
|
||||
deps = ["Serialization"]
|
||||
git-tree-sha1 = "a8cbf066b54d793b9a48c5daa5d586cf2b5bd43d"
|
||||
uuid = "99f44e22-a591-53d1-9472-aa23ef4bd671"
|
||||
version = "1.1.0"
|
||||
|
||||
[[NetworkOptions]]
|
||||
git-tree-sha1 = "ed3157f48a05543cce9b241e1f2815f7e843d96e"
|
||||
uuid = "ca575930-c2e3-43a9-ace4-1e988b2c1908"
|
||||
version = "1.2.0"
|
||||
|
||||
[[OrderedCollections]]
|
||||
git-tree-sha1 = "85f8e6578bf1f9ee0d11e7bb1b1456435479d47c"
|
||||
uuid = "bac558e1-5e72-5ebc-8fee-abe8a469f55d"
|
||||
version = "1.4.1"
|
||||
|
||||
[[Pkg]]
|
||||
deps = ["Dates", "LibGit2", "Libdl", "Logging", "Markdown", "Printf", "REPL", "Random", "SHA", "UUIDs"]
|
||||
uuid = "44cfe95a-1eb2-52ea-b672-e2afdf69b78f"
|
||||
|
||||
[[Pluto]]
|
||||
deps = ["Base64", "Configurations", "Dates", "Distributed", "FuzzyCompletions", "HTTP", "InteractiveUtils", "Logging", "Markdown", "MsgPack", "Pkg", "REPL", "Sockets", "TableIOInterface", "Tables", "UUIDs"]
|
||||
git-tree-sha1 = "85156b21dee3a4515ff479555eb958ad33c057aa"
|
||||
uuid = "c3e4b0f8-55cb-11ea-2926-15256bba5781"
|
||||
version = "0.14.5"
|
||||
|
||||
[[Preferences]]
|
||||
deps = ["TOML"]
|
||||
git-tree-sha1 = "00cfd92944ca9c760982747e9a1d0d5d86ab1e5a"
|
||||
uuid = "21216c6a-2e73-6563-6e65-726566657250"
|
||||
version = "1.2.2"
|
||||
|
||||
[[Printf]]
|
||||
deps = ["Unicode"]
|
||||
uuid = "de0858da-6303-5e67-8744-51eddeeeb8d7"
|
||||
|
||||
[[REPL]]
|
||||
deps = ["InteractiveUtils", "Markdown", "Sockets"]
|
||||
uuid = "3fa0cd96-eef1-5676-8a61-b3b8758bbffb"
|
||||
|
||||
[[Random]]
|
||||
deps = ["Serialization"]
|
||||
uuid = "9a3f8284-a2c9-5f02-9a11-845980a1fd5c"
|
||||
|
||||
[[SHA]]
|
||||
uuid = "ea8e919c-243c-51af-8825-aaa63cd721ce"
|
||||
|
||||
[[Serialization]]
|
||||
uuid = "9e88b42a-f829-5b0c-bbe9-9e923198166b"
|
||||
|
||||
[[Sockets]]
|
||||
uuid = "6462fe0b-24de-5631-8697-dd941f90decc"
|
||||
|
||||
[[TOML]]
|
||||
deps = ["Dates"]
|
||||
git-tree-sha1 = "44aaac2d2aec4a850302f9aa69127c74f0c3787e"
|
||||
uuid = "fa267f1f-6049-4f14-aa54-33bafae1ed76"
|
||||
version = "1.0.3"
|
||||
|
||||
[[TableIOInterface]]
|
||||
git-tree-sha1 = "9a0d3ab8afd14f33a35af7391491ff3104401a35"
|
||||
uuid = "d1efa939-5518-4425-949f-ab857e148477"
|
||||
version = "0.1.6"
|
||||
|
||||
[[TableTraits]]
|
||||
deps = ["IteratorInterfaceExtensions"]
|
||||
git-tree-sha1 = "c06b2f539df1c6efa794486abfb6ed2022561a39"
|
||||
uuid = "3783bdb8-4a98-5b6b-af9a-565f29a5fe9c"
|
||||
version = "1.0.1"
|
||||
|
||||
[[Tables]]
|
||||
deps = ["DataAPI", "DataValueInterfaces", "IteratorInterfaceExtensions", "LinearAlgebra", "TableTraits", "Test"]
|
||||
git-tree-sha1 = "c9d2d262e9a327be1f35844df25fe4561d258dc9"
|
||||
uuid = "bd369af6-aec1-5ad0-b16a-f7cc5008161c"
|
||||
version = "1.4.2"
|
||||
|
||||
[[Test]]
|
||||
deps = ["Distributed", "InteractiveUtils", "Logging", "Random"]
|
||||
uuid = "8dfed614-e22c-5e08-85e1-65c5234f0b40"
|
||||
|
||||
[[URIs]]
|
||||
git-tree-sha1 = "97bbe755a53fe859669cd907f2d96aee8d2c1355"
|
||||
uuid = "5c2747f8-b7ea-4ff2-ba2e-563bfd36b1d4"
|
||||
version = "1.3.0"
|
||||
|
||||
[[UUIDs]]
|
||||
deps = ["Random", "SHA"]
|
||||
uuid = "cf7118a7-6976-5b1a-9a39-7adc72f591a4"
|
||||
|
||||
[[Unicode]]
|
||||
uuid = "4ec0a83e-493e-50e2-b9ac-8f72acf5a8f5"
|
2
pkgs/pluto/Project.toml
Normal file
2
pkgs/pluto/Project.toml
Normal file
|
@ -0,0 +1,2 @@
|
|||
[deps]
|
||||
Pluto = "c3e4b0f8-55cb-11ea-2926-15256bba5781"
|
50
pkgs/pluto/Readme.org
Normal file
50
pkgs/pluto/Readme.org
Normal file
|
@ -0,0 +1,50 @@
|
|||
#+TITLE: Pluto standalone
|
||||
|
||||
This is a nix derivation that wraps a version of julia with the packages
|
||||
(and their dependency closure) defined in ~Packages.toml~; currently
|
||||
this is just Pluto. It also provides a little julia script that will
|
||||
activate this packageset (called a "julia depot"), and then start a
|
||||
Pluto notebook server on port 9999. Note that it does so without setting
|
||||
up any kind of authenticaton, so don't expose that port!
|
||||
|
||||
* TODOs
|
||||
- [ ] add more packages
|
||||
- [ ] more sensible auth
|
||||
- [ ] working precompilation; this would probably allow running this
|
||||
without a writable julia depot
|
||||
|
||||
* Steps to reproduce / update the julia-to-nix part of this:
|
||||
|
||||
In general, it is enough to follow the readme of julia2nix, but since
|
||||
that has a bunch of unstated assumptions and weird failure modes, here's a rough outline of how to actually do it:
|
||||
- using julia's package managing mode, make changes to ~Packages.toml~
|
||||
and ~Manifest.toml~. Be sure to use the same version of julia that
|
||||
will run on hainich (currently the ~julia_15~ package of
|
||||
nixpkgs-unstable), as otherwise hashes may be different
|
||||
- clone https://github.com/thomasjm/julia2nix somewhere
|
||||
- run ~julia2nix~ to generate the nix derivations
|
||||
+ unfortunately, jula2nix assumes that nixpkgs-unstable is available
|
||||
as ~<nixpkgs>~ from within nix; it may fail if you are on another
|
||||
channel. In that case, there seems to be no better solution than grepping for occurences of "<nixpkgs>" in jula2nix and replacing
|
||||
them with some other path that has the required version
|
||||
+ this will re-generate all the ~*.nix~ files in this directory, and
|
||||
probably reset all options. The defaults are reasonably sensible,
|
||||
but make sure to disable the ~precompile~ option in ~default.nix~
|
||||
(see below for why)
|
||||
- run ~nix-build --no-out-link~ to check if it worked and nix can
|
||||
build the julia depot
|
||||
- deploy hainich. Note that the derivation will only contain the
|
||||
package sources, not a compiled version. Julia will compile packages
|
||||
on startup (and cache them for subsequent runs), so after the deploy
|
||||
it may take a minute or two to actually run Pluto
|
||||
|
||||
* precompilation
|
||||
/In theory/, we should be able to precompile all the packages during
|
||||
nix-build, and then directly load them into julia and runtime.
|
||||
However, this currently fails, and even if precompiled packages are
|
||||
present in the depot built via nix, julia will refuse to use them and
|
||||
recompile them instead (in a second julia depot that is writable at
|
||||
runtime).
|
||||
|
||||
There's an open issue on this at jula2nix:
|
||||
https://github.com/thomasjm/julia2nix/issues/22
|
160
pkgs/pluto/common.nix
Normal file
160
pkgs/pluto/common.nix
Normal file
|
@ -0,0 +1,160 @@
|
|||
{
|
||||
callPackage,
|
||||
curl,
|
||||
fetchurl,
|
||||
git,
|
||||
stdenvNoCC,
|
||||
cacert,
|
||||
jq,
|
||||
julia,
|
||||
lib,
|
||||
python3,
|
||||
runCommand,
|
||||
stdenv,
|
||||
writeText,
|
||||
makeWrapper,
|
||||
|
||||
# Arguments
|
||||
makeWrapperArgs ? "",
|
||||
precompile ? true,
|
||||
extraBuildInputs ? []
|
||||
}:
|
||||
|
||||
let
|
||||
# We need to use a specially modified fetchgit that understands tree hashes, until
|
||||
# https://github.com/NixOS/nixpkgs/pull/104714 lands
|
||||
fetchgit = callPackage ./fetchgit {};
|
||||
|
||||
packages = callPackage ./packages.nix {};
|
||||
|
||||
### Repoify packages
|
||||
# This step is needed because leaveDotGit is not reproducible
|
||||
# https://github.com/NixOS/nixpkgs/issues/8567
|
||||
repoified = map (item: if item.src == null then item else item // { src = repoify item.name item.treehash item.src; }) packages.closure;
|
||||
repoify = name: treehash: src:
|
||||
runCommand ''${name}-repoified'' {buildInputs = [git];} ''
|
||||
mkdir -p $out
|
||||
cp -r ${src}/. $out
|
||||
cd $out
|
||||
git init
|
||||
git add . -f
|
||||
git config user.email "julia2nix@localhost"
|
||||
git config user.name "julia2nix"
|
||||
git commit -m "Dummy commit"
|
||||
|
||||
if [[ -n "${treehash}" ]]; then
|
||||
if [[ $(git cat-file -t ${treehash}) != "tree" ]]; then
|
||||
echo "Couldn't find desired tree object for ${name} in repoify (${treehash})"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
'';
|
||||
repoifiedReplaceInManifest = lib.filter (x: x.replaceUrlInManifest != null) repoified;
|
||||
|
||||
### Manifest.toml (processed)
|
||||
manifestToml = runCommand "Manifest.toml" { buildInputs = [jq]; } ''
|
||||
cp ${./Manifest.toml} ./Manifest.toml
|
||||
|
||||
echo ${writeText "packages.json" (lib.generators.toJSON {} repoifiedReplaceInManifest)}
|
||||
cat ${writeText "packages.json" (lib.generators.toJSON {} repoifiedReplaceInManifest)} | jq -r '.[]|[.name, .replaceUrlInManifest, .src] | @tsv' |
|
||||
while IFS=$'\t' read -r name replaceUrlInManifest src; do
|
||||
sed -i "s|$replaceUrlInManifest|file://$src|g" ./Manifest.toml
|
||||
done
|
||||
|
||||
cp ./Manifest.toml $out
|
||||
'';
|
||||
|
||||
### Overrides.toml
|
||||
fetchArtifact = x: stdenv.mkDerivation {
|
||||
name = x.name;
|
||||
src = fetchurl { url = x.url; sha256 = x.sha256; };
|
||||
sourceRoot = ".";
|
||||
dontConfigure = true;
|
||||
dontBuild = true;
|
||||
installPhase = "cp -r . $out";
|
||||
dontFixup = true;
|
||||
};
|
||||
artifactOverrides = lib.zipAttrsWith (name: values: fetchArtifact (lib.head (lib.head values))) (
|
||||
map (item: item.artifacts) packages.closure
|
||||
);
|
||||
overridesToml = runCommand "Overrides.toml" { buildInputs = [jq]; } ''
|
||||
echo '${lib.generators.toJSON {} artifactOverrides}' | jq -r '. | to_entries | map ((.key + " = \"" + .value + "\"")) | .[]' > $out
|
||||
'';
|
||||
|
||||
### Processed registry
|
||||
generalRegistrySrc = repoify "julia-general" "" (fetchgit {
|
||||
url = packages.registryUrl;
|
||||
rev = packages.registryRev;
|
||||
sha256 = packages.registrySha256;
|
||||
branchName = "master";
|
||||
});
|
||||
registry = runCommand "julia-registry" { buildInputs = [(python3.withPackages (ps: [ps.toml])) jq git]; } ''
|
||||
git clone ${generalRegistrySrc}/. $out
|
||||
cd $out
|
||||
|
||||
cat ${writeText "packages.json" (lib.generators.toJSON {} repoified)} | jq -r '.[]|[.name, .path, .src] | @tsv' |
|
||||
while IFS=$'\t' read -r name path src; do
|
||||
# echo "Processing: $name, $path, $src"
|
||||
if [[ "$path" != "null" ]]; then
|
||||
python -c "import toml; \
|
||||
packageTomlPath = '$path/Package.toml'; \
|
||||
contents = toml.load(packageTomlPath); \
|
||||
contents['repo'] = 'file://$src'; \
|
||||
f = open(packageTomlPath, 'w'); \
|
||||
f.write(toml.dumps(contents)); \
|
||||
"
|
||||
fi
|
||||
done
|
||||
|
||||
export HOME=$(pwd)
|
||||
git config --global user.email "julia-to-nix-depot@email.com"
|
||||
git config --global user.name "julia-to-nix-depot script"
|
||||
git add .
|
||||
git commit -m "Switch to local package repos"
|
||||
'';
|
||||
|
||||
depot = runCommand "julia-depot" {
|
||||
buildInputs = [git curl julia] ++ extraBuildInputs;
|
||||
inherit registry precompile;
|
||||
} ''
|
||||
export HOME=$(pwd)
|
||||
|
||||
echo "Using registry $registry"
|
||||
echo "Using Julia ${julia}/bin/julia"
|
||||
|
||||
cp ${manifestToml} ./Manifest.toml
|
||||
cp ${./Project.toml} ./Project.toml
|
||||
|
||||
mkdir -p $out/artifacts
|
||||
cp ${overridesToml} $out/artifacts/Overrides.toml
|
||||
|
||||
export JULIA_DEPOT_PATH=$out
|
||||
julia -e ' \
|
||||
using Pkg
|
||||
Pkg.Registry.add(RegistrySpec(path="${registry}"))
|
||||
|
||||
Pkg.activate(".")
|
||||
Pkg.instantiate()
|
||||
|
||||
# Remove the registry to save space
|
||||
Pkg.Registry.rm("General")
|
||||
'
|
||||
|
||||
if [[ -n "$precompile" ]]; then
|
||||
julia -e ' \
|
||||
using Pkg
|
||||
Pkg.activate(".")
|
||||
Pkg.precompile()
|
||||
'
|
||||
fi
|
||||
'';
|
||||
|
||||
in
|
||||
|
||||
runCommand "julia-env" {
|
||||
inherit julia depot makeWrapperArgs;
|
||||
buildInputs = [makeWrapper];
|
||||
} ''
|
||||
mkdir -p $out/bin
|
||||
makeWrapper $julia/bin/julia $out/bin/julia --suffix JULIA_DEPOT_PATH : "$depot" $makeWrapperArgs
|
||||
''
|
44
pkgs/pluto/default.nix
Normal file
44
pkgs/pluto/default.nix
Normal file
|
@ -0,0 +1,44 @@
|
|||
{ pkgs }:
|
||||
|
||||
with pkgs;
|
||||
|
||||
|
||||
let
|
||||
# The base Julia version
|
||||
baseJulia = julia_15;
|
||||
|
||||
# Extra libraries for Julia's LD_LIBRARY_PATH.
|
||||
# Recent Julia packages that use Artifacts.toml to specify their dependencies
|
||||
# shouldn't need this.
|
||||
# But if a package implicitly depends on some library being present at runtime, you can
|
||||
# add it here.
|
||||
extraLibs = [];
|
||||
|
||||
# Wrapped Julia with libraries and environment variables.
|
||||
# Note: setting The PYTHON environment variable is recommended to prevent packages
|
||||
# from trying to obtain their own with Conda.
|
||||
julia = runCommand "julia-wrapped" { buildInputs = [makeWrapper]; } ''
|
||||
mkdir -p $out/bin
|
||||
makeWrapper ${baseJulia}/bin/julia $out/bin/julia \
|
||||
--suffix LD_LIBRARY_PATH : "${lib.makeLibraryPath extraLibs}" \
|
||||
--set PYTHON ${python3}/bin/python
|
||||
'';
|
||||
|
||||
in
|
||||
|
||||
callPackage ./common.nix {
|
||||
inherit julia;
|
||||
|
||||
# Run Pkg.precompile() to precompile all packages?
|
||||
precompile = false;
|
||||
|
||||
# Extra arguments to makeWrapper when creating the final Julia wrapper.
|
||||
# By default, it will just put the new depot at the end of JULIA_DEPOT_PATH.
|
||||
# You can add additional flags here.
|
||||
makeWrapperArgs = "";
|
||||
|
||||
# Extra buildInputs for building the Julia depot. Useful if your packages have
|
||||
# additional build-time dependencies not managed through the Artifacts.toml system.
|
||||
# Defaults to extraLibs, but can be configured independently.
|
||||
extraBuildInputs = extraLibs;
|
||||
}
|
16
pkgs/pluto/fetchgit/builder.sh
Normal file
16
pkgs/pluto/fetchgit/builder.sh
Normal file
|
@ -0,0 +1,16 @@
|
|||
# tested so far with:
|
||||
# - no revision specified and remote has a HEAD which is used
|
||||
# - revision specified and remote has a HEAD
|
||||
# - revision specified and remote without HEAD
|
||||
source $stdenv/setup
|
||||
|
||||
header "exporting $url (rev $rev) into $out"
|
||||
|
||||
$SHELL $fetcher --builder --url "$url" --out "$out" --rev "$rev" \
|
||||
${leaveDotGit:+--leave-dotGit} \
|
||||
${deepClone:+--deepClone} \
|
||||
${fetchSubmodules:+--fetch-submodules} \
|
||||
${branchName:+--branch-name "$branchName"}
|
||||
|
||||
runHook postFetch
|
||||
stopNest
|
71
pkgs/pluto/fetchgit/default.nix
Normal file
71
pkgs/pluto/fetchgit/default.nix
Normal file
|
@ -0,0 +1,71 @@
|
|||
{stdenvNoCC, git, cacert}: let
|
||||
urlToName = url: rev: let
|
||||
inherit (stdenvNoCC.lib) removeSuffix splitString last;
|
||||
base = last (splitString ":" (baseNameOf (removeSuffix "/" url)));
|
||||
|
||||
matched = builtins.match "(.*).git" base;
|
||||
|
||||
short = builtins.substring 0 7 rev;
|
||||
|
||||
appendShort = if (builtins.match "[a-f0-9]*" rev) != null
|
||||
then "-${short}"
|
||||
else "";
|
||||
in "${if matched == null then base else builtins.head matched}${appendShort}";
|
||||
in
|
||||
{ url, rev ? "HEAD", md5 ? "", sha256 ? "", leaveDotGit ? deepClone
|
||||
, fetchSubmodules ? true, deepClone ? false
|
||||
, branchName ? null
|
||||
, name ? urlToName url rev
|
||||
, # Shell code executed after the file has been fetched
|
||||
# successfully. This can do things like check or transform the file.
|
||||
postFetch ? ""
|
||||
, preferLocalBuild ? true
|
||||
}:
|
||||
|
||||
/* NOTE:
|
||||
fetchgit has one problem: git fetch only works for refs.
|
||||
This is because fetching arbitrary (maybe dangling) commits may be a security risk
|
||||
and checking whether a commit belongs to a ref is expensive. This may
|
||||
change in the future when some caching is added to git (?)
|
||||
Usually refs are either tags (refs/tags/*) or branches (refs/heads/*)
|
||||
Cloning branches will make the hash check fail when there is an update.
|
||||
But not all patches we want can be accessed by tags.
|
||||
|
||||
The workaround is getting the last n commits so that it's likely that they
|
||||
still contain the hash we want.
|
||||
|
||||
for now : increase depth iteratively (TODO)
|
||||
|
||||
real fix: ask git folks to add a
|
||||
git fetch $HASH contained in $BRANCH
|
||||
facility because checking that $HASH is contained in $BRANCH is less
|
||||
expensive than fetching --depth $N.
|
||||
Even if git folks implemented this feature soon it may take years until
|
||||
server admins start using the new version?
|
||||
*/
|
||||
|
||||
assert deepClone -> leaveDotGit;
|
||||
|
||||
if md5 != "" then
|
||||
throw "fetchgit does not support md5 anymore, please use sha256"
|
||||
else
|
||||
stdenvNoCC.mkDerivation {
|
||||
inherit name;
|
||||
builder = ./builder.sh;
|
||||
fetcher = ./nix-prefetch-git; # This must be a string to ensure it's called with bash.
|
||||
nativeBuildInputs = [git];
|
||||
|
||||
outputHashAlgo = "sha256";
|
||||
outputHashMode = "recursive";
|
||||
outputHash = sha256;
|
||||
|
||||
inherit url rev leaveDotGit fetchSubmodules deepClone branchName postFetch;
|
||||
|
||||
GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";
|
||||
|
||||
impureEnvVars = stdenvNoCC.lib.fetchers.proxyImpureEnvVars ++ [
|
||||
"GIT_PROXY_COMMAND" "SOCKS_SERVER"
|
||||
];
|
||||
|
||||
inherit preferLocalBuild;
|
||||
}
|
459
pkgs/pluto/fetchgit/nix-prefetch-git
Executable file
459
pkgs/pluto/fetchgit/nix-prefetch-git
Executable file
|
@ -0,0 +1,459 @@
|
|||
#! /usr/bin/env bash
|
||||
|
||||
set -e -o pipefail
|
||||
|
||||
url=
|
||||
rev=
|
||||
expHash=
|
||||
hashType=$NIX_HASH_ALGO
|
||||
deepClone=$NIX_PREFETCH_GIT_DEEP_CLONE
|
||||
leaveDotGit=$NIX_PREFETCH_GIT_LEAVE_DOT_GIT
|
||||
fetchSubmodules=
|
||||
builder=
|
||||
branchName=$NIX_PREFETCH_GIT_BRANCH_NAME
|
||||
|
||||
# ENV params
|
||||
out=${out:-}
|
||||
http_proxy=${http_proxy:-}
|
||||
|
||||
# populated by clone_user_rev()
|
||||
fullRev=
|
||||
humanReadableRev=
|
||||
commitDate=
|
||||
commitDateStrict8601=
|
||||
|
||||
if test -n "$deepClone"; then
|
||||
deepClone=true
|
||||
else
|
||||
deepClone=
|
||||
fi
|
||||
|
||||
if test "$leaveDotGit" != 1; then
|
||||
leaveDotGit=
|
||||
else
|
||||
leaveDotGit=true
|
||||
fi
|
||||
|
||||
usage(){
|
||||
echo >&2 "syntax: nix-prefetch-git [options] [URL [REVISION [EXPECTED-HASH]]]
|
||||
|
||||
Options:
|
||||
--out path Path where the output would be stored.
|
||||
--url url Any url understood by 'git clone'.
|
||||
--rev ref Any sha1 or references (such as refs/heads/master)
|
||||
--hash h Expected hash.
|
||||
--branch-name Branch name to check out into
|
||||
--deepClone Clone the entire repository.
|
||||
--no-deepClone Make a shallow clone of just the required ref.
|
||||
--leave-dotGit Keep the .git directories.
|
||||
--fetch-submodules Fetch submodules.
|
||||
--builder Clone as fetchgit does, but url, rev, and out option are mandatory.
|
||||
--quiet Only print the final json summary.
|
||||
"
|
||||
exit 1
|
||||
}
|
||||
|
||||
# some git commands print to stdout, which would contaminate our JSON output
|
||||
clean_git(){
|
||||
git "$@" >&2
|
||||
}
|
||||
|
||||
argi=0
|
||||
argfun=""
|
||||
for arg; do
|
||||
if test -z "$argfun"; then
|
||||
case $arg in
|
||||
--out) argfun=set_out;;
|
||||
--url) argfun=set_url;;
|
||||
--rev) argfun=set_rev;;
|
||||
--hash) argfun=set_hashType;;
|
||||
--branch-name) argfun=set_branchName;;
|
||||
--deepClone) deepClone=true;;
|
||||
--quiet) QUIET=true;;
|
||||
--no-deepClone) deepClone=;;
|
||||
--leave-dotGit) leaveDotGit=true;;
|
||||
--fetch-submodules) fetchSubmodules=true;;
|
||||
--builder) builder=true;;
|
||||
-h|--help) usage; exit;;
|
||||
*)
|
||||
: $((++argi))
|
||||
case $argi in
|
||||
1) url=$arg;;
|
||||
2) rev=$arg;;
|
||||
3) expHash=$arg;;
|
||||
*) exit 1;;
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
else
|
||||
case $argfun in
|
||||
set_*)
|
||||
var=${argfun#set_}
|
||||
eval $var=$arg
|
||||
;;
|
||||
esac
|
||||
argfun=""
|
||||
fi
|
||||
done
|
||||
|
||||
if test -z "$url"; then
|
||||
usage
|
||||
fi
|
||||
|
||||
|
||||
init_remote(){
|
||||
local url=$1
|
||||
clean_git init
|
||||
clean_git remote add origin "$url"
|
||||
( [ -n "$http_proxy" ] && clean_git config http.proxy "$http_proxy" ) || true
|
||||
}
|
||||
|
||||
# Return the reference of an hash if it exists on the remote repository.
|
||||
ref_from_hash(){
|
||||
local hash=$1
|
||||
git ls-remote origin | sed -n "\,$hash\t, { s,\(.*\)\t\(.*\),\2,; p; q}"
|
||||
}
|
||||
|
||||
# Return the hash of a reference if it exists on the remote repository.
|
||||
hash_from_ref(){
|
||||
local ref=$1
|
||||
git ls-remote origin | sed -n "\,\t$ref, { s,\(.*\)\t\(.*\),\1,; p; q}"
|
||||
}
|
||||
|
||||
# Returns a name based on the url and reference
|
||||
#
|
||||
# This function needs to be in sync with nix's fetchgit implementation
|
||||
# of urlToName() to re-use the same nix store paths.
|
||||
url_to_name(){
|
||||
local url=$1
|
||||
local ref=$2
|
||||
local base
|
||||
base=$(basename "$url" .git | cut -d: -f2)
|
||||
|
||||
if [[ $ref =~ ^[a-z0-9]+$ ]]; then
|
||||
echo "$base-${ref:0:7}"
|
||||
else
|
||||
echo "$base"
|
||||
fi
|
||||
}
|
||||
|
||||
# Fetch everything and checkout the right sha1
|
||||
checkout_hash(){
|
||||
local hash="$1"
|
||||
local ref="$2"
|
||||
|
||||
if test -z "$hash"; then
|
||||
hash=$(hash_from_ref "$ref")
|
||||
fi
|
||||
|
||||
clean_git fetch -t ${builder:+--progress} origin || return 1
|
||||
|
||||
local object_type=$(git cat-file -t "$hash")
|
||||
if [[ "$object_type" == "commit" ]]; then
|
||||
clean_git checkout -b "$branchName" "$hash" || return 1
|
||||
elif [[ "$object_type" == "tree" ]]; then
|
||||
clean_git config user.email "nix-prefetch-git@localhost"
|
||||
clean_git config user.name "nix-prefetch-git"
|
||||
commit_id=$(git commit-tree "$hash" -m "Commit created from tree hash $hash")
|
||||
clean_git checkout -b "$branchName" "$commit_id" || return 1
|
||||
else
|
||||
echo "Unrecognized git object type: $object_type"
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Fetch only a branch/tag and checkout it.
|
||||
checkout_ref(){
|
||||
local hash="$1"
|
||||
local ref="$2"
|
||||
|
||||
if [[ -n "$deepClone" ]]; then
|
||||
# The caller explicitly asked for a deep clone. Deep clones
|
||||
# allow "git describe" and similar tools to work. See
|
||||
# https://marc.info/?l=nix-dev&m=139641582514772
|
||||
# for a discussion.
|
||||
return 1
|
||||
fi
|
||||
|
||||
if test -z "$ref"; then
|
||||
ref=$(ref_from_hash "$hash")
|
||||
fi
|
||||
|
||||
if test -n "$ref"; then
|
||||
# --depth option is ignored on http repository.
|
||||
clean_git fetch ${builder:+--progress} --depth 1 origin +"$ref" || return 1
|
||||
clean_git checkout -b "$branchName" FETCH_HEAD || return 1
|
||||
else
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
# Update submodules
|
||||
init_submodules(){
|
||||
# Add urls into .git/config file
|
||||
clean_git submodule init
|
||||
|
||||
# list submodule directories and their hashes
|
||||
git submodule status |
|
||||
while read -r l; do
|
||||
local hash
|
||||
local dir
|
||||
local name
|
||||
local url
|
||||
|
||||
# checkout each submodule
|
||||
hash=$(echo "$l" | awk '{print $1}' | tr -d '-')
|
||||
dir=$(echo "$l" | sed -n 's/^.[0-9a-f]\+ \(.*[^)]*\)\( (.*)\)\?$/\1/p')
|
||||
name=$(
|
||||
git config -f .gitmodules --get-regexp submodule\..*\.path |
|
||||
sed -n "s,^\(.*\)\.path $dir\$,\\1,p")
|
||||
url=$(git config --get "${name}.url")
|
||||
|
||||
clone "$dir" "$url" "$hash" ""
|
||||
done
|
||||
}
|
||||
|
||||
clone(){
|
||||
local top=$PWD
|
||||
local dir="$1"
|
||||
local url="$2"
|
||||
local hash="$3"
|
||||
local ref="$4"
|
||||
|
||||
cd "$dir"
|
||||
|
||||
# Initialize the repository.
|
||||
init_remote "$url"
|
||||
|
||||
# Download data from the repository.
|
||||
checkout_ref "$hash" "$ref" ||
|
||||
checkout_hash "$hash" "$ref" || (
|
||||
echo 1>&2 "Unable to checkout $hash$ref from $url."
|
||||
exit 1
|
||||
)
|
||||
|
||||
# Checkout linked sources.
|
||||
if test -n "$fetchSubmodules"; then
|
||||
init_submodules
|
||||
fi
|
||||
|
||||
if [ -z "$builder" ] && [ -f .topdeps ]; then
|
||||
if tg help &>/dev/null; then
|
||||
echo "populating TopGit branches..."
|
||||
tg remote --populate origin
|
||||
else
|
||||
echo "WARNING: would populate TopGit branches but TopGit is not available" >&2
|
||||
echo "WARNING: install TopGit to fix the problem" >&2
|
||||
fi
|
||||
fi
|
||||
|
||||
cd "$top"
|
||||
}
|
||||
|
||||
# Remove all remote branches, remove tags not reachable from HEAD, do a full
|
||||
# repack and then garbage collect unreferenced objects.
|
||||
make_deterministic_repo(){
|
||||
local repo="$1"
|
||||
|
||||
# run in sub-shell to not touch current working directory
|
||||
(
|
||||
cd "$repo"
|
||||
# Remove files that contain timestamps or otherwise have non-deterministic
|
||||
# properties.
|
||||
rm -rf .git/logs/ .git/hooks/ .git/index .git/FETCH_HEAD .git/ORIG_HEAD \
|
||||
.git/refs/remotes/origin/HEAD .git/config
|
||||
|
||||
# Remove all remote branches.
|
||||
git branch -r | while read -r branch; do
|
||||
clean_git branch -rD "$branch"
|
||||
done
|
||||
|
||||
# Remove tags not reachable from HEAD. If we're exactly on a tag, don't
|
||||
# delete it.
|
||||
maybe_tag=$(git tag --points-at HEAD)
|
||||
git tag --contains HEAD | while read -r tag; do
|
||||
if [ "$tag" != "$maybe_tag" ]; then
|
||||
clean_git tag -d "$tag"
|
||||
fi
|
||||
done
|
||||
|
||||
# Do a full repack. Must run single-threaded, or else we lose determinism.
|
||||
clean_git config pack.threads 1
|
||||
clean_git repack -A -d -f
|
||||
rm -f .git/config
|
||||
|
||||
# Garbage collect unreferenced objects.
|
||||
# Note: --keep-largest-pack prevents non-deterministic ordering of packs
|
||||
# listed in .git/objects/info/packs by only using a single pack
|
||||
clean_git gc --prune=all --keep-largest-pack
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
clone_user_rev() {
|
||||
local dir="$1"
|
||||
local url="$2"
|
||||
local rev="${3:-HEAD}"
|
||||
|
||||
# Perform the checkout.
|
||||
case "$rev" in
|
||||
HEAD|refs/*)
|
||||
clone "$dir" "$url" "" "$rev" 1>&2;;
|
||||
*)
|
||||
if test -z "$(echo "$rev" | tr -d 0123456789abcdef)"; then
|
||||
clone "$dir" "$url" "$rev" "" 1>&2
|
||||
else
|
||||
# if revision is not hexadecimal it might be a tag
|
||||
clone "$dir" "$url" "" "refs/tags/$rev" 1>&2
|
||||
fi;;
|
||||
esac
|
||||
|
||||
pushd "$dir" >/dev/null
|
||||
fullRev=$( (git rev-parse "$rev" 2>/dev/null || git rev-parse "refs/heads/$branchName") | tail -n1)
|
||||
humanReadableRev=$(git describe "$fullRev" 2> /dev/null || git describe --tags "$fullRev" 2> /dev/null || echo -- none --)
|
||||
commitDate=$(git show -1 --no-patch --pretty=%ci "$fullRev")
|
||||
commitDateStrict8601=$(git show -1 --no-patch --pretty=%cI "$fullRev")
|
||||
popd >/dev/null
|
||||
|
||||
# Allow doing additional processing before .git removal
|
||||
eval "$NIX_PREFETCH_GIT_CHECKOUT_HOOK"
|
||||
if test -z "$leaveDotGit"; then
|
||||
echo "removing \`.git'..." >&2
|
||||
find "$dir" -name .git -print0 | xargs -0 rm -rf
|
||||
else
|
||||
find "$dir" -name .git | while read -r gitdir; do
|
||||
make_deterministic_repo "$(readlink -f "$gitdir/..")"
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
exit_handlers=()
|
||||
|
||||
run_exit_handlers() {
|
||||
exit_status=$?
|
||||
for handler in "${exit_handlers[@]}"; do
|
||||
eval "$handler $exit_status"
|
||||
done
|
||||
}
|
||||
|
||||
trap run_exit_handlers EXIT
|
||||
|
||||
quiet_exit_handler() {
|
||||
exec 2>&3 3>&-
|
||||
if [ $1 -ne 0 ]; then
|
||||
cat "$errfile" >&2
|
||||
fi
|
||||
rm -f "$errfile"
|
||||
}
|
||||
|
||||
quiet_mode() {
|
||||
errfile="$(mktemp "${TMPDIR:-/tmp}/git-checkout-err-XXXXXXXX")"
|
||||
exit_handlers+=(quiet_exit_handler)
|
||||
exec 3>&2 2>"$errfile"
|
||||
}
|
||||
|
||||
json_escape() {
|
||||
local s="$1"
|
||||
s="${s//\\/\\\\}" # \
|
||||
s="${s//\"/\\\"}" # "
|
||||
s="${s//^H/\\\b}" # \b (backspace)
|
||||
s="${s//^L/\\\f}" # \f (form feed)
|
||||
s="${s//
|
||||
/\\\n}" # \n (newline)
|
||||
s="${s//^M/\\\r}" # \r (carriage return)
|
||||
s="${s// /\\t}" # \t (tab)
|
||||
echo "$s"
|
||||
}
|
||||
|
||||
print_results() {
|
||||
hash="$1"
|
||||
if ! test -n "$QUIET"; then
|
||||
echo "" >&2
|
||||
echo "git revision is $fullRev" >&2
|
||||
if test -n "$finalPath"; then
|
||||
echo "path is $finalPath" >&2
|
||||
fi
|
||||
echo "git human-readable version is $humanReadableRev" >&2
|
||||
echo "Commit date is $commitDate" >&2
|
||||
if test -n "$hash"; then
|
||||
echo "hash is $hash" >&2
|
||||
fi
|
||||
fi
|
||||
if test -n "$hash"; then
|
||||
cat <<EOF
|
||||
{
|
||||
"url": "$(json_escape "$url")",
|
||||
"rev": "$(json_escape "$fullRev")",
|
||||
"date": "$(json_escape "$commitDateStrict8601")",
|
||||
"path": "$(json_escape "$finalPath")",
|
||||
"$(json_escape "$hashType")": "$(json_escape "$hash")",
|
||||
"fetchSubmodules": $([[ -n "$fetchSubmodules" ]] && echo true || echo false),
|
||||
"deepClone": $([[ -n "$deepClone" ]] && echo true || echo false),
|
||||
"leaveDotGit": $([[ -n "$leaveDotGit" ]] && echo true || echo false)
|
||||
}
|
||||
EOF
|
||||
fi
|
||||
}
|
||||
|
||||
remove_tmpPath() {
|
||||
rm -rf "$tmpPath"
|
||||
}
|
||||
|
||||
if test -n "$QUIET"; then
|
||||
quiet_mode
|
||||
fi
|
||||
|
||||
if test -z "$branchName"; then
|
||||
branchName=fetchgit
|
||||
fi
|
||||
|
||||
if test -n "$builder"; then
|
||||
test -n "$out" -a -n "$url" -a -n "$rev" || usage
|
||||
mkdir -p "$out"
|
||||
clone_user_rev "$out" "$url" "$rev"
|
||||
else
|
||||
if test -z "$hashType"; then
|
||||
hashType=sha256
|
||||
fi
|
||||
|
||||
# If the hash was given, a file with that hash may already be in the
|
||||
# store.
|
||||
if test -n "$expHash"; then
|
||||
finalPath=$(nix-store --print-fixed-path --recursive "$hashType" "$expHash" "$(url_to_name "$url" "$rev")")
|
||||
if ! nix-store --check-validity "$finalPath" 2> /dev/null; then
|
||||
finalPath=
|
||||
fi
|
||||
hash=$expHash
|
||||
fi
|
||||
|
||||
# If we don't know the hash or a path with that hash doesn't exist,
|
||||
# download the file and add it to the store.
|
||||
if test -z "$finalPath"; then
|
||||
|
||||
tmpPath="$(mktemp -d "${TMPDIR:-/tmp}/git-checkout-tmp-XXXXXXXX")"
|
||||
exit_handlers+=(remove_tmpPath)
|
||||
|
||||
tmpFile="$tmpPath/$(url_to_name "$url" "$rev")"
|
||||
mkdir -p "$tmpFile"
|
||||
|
||||
# Perform the checkout.
|
||||
clone_user_rev "$tmpFile" "$url" "$rev"
|
||||
|
||||
# Compute the hash.
|
||||
hash=$(nix-hash --type $hashType --base32 "$tmpFile")
|
||||
|
||||
# Add the downloaded file to the Nix store.
|
||||
finalPath=$(nix-store --add-fixed --recursive "$hashType" "$tmpFile")
|
||||
|
||||
if test -n "$expHash" -a "$expHash" != "$hash"; then
|
||||
echo "hash mismatch for URL \`$url'. Got \`$hash'; expected \`$expHash'." >&2
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
print_results "$hash"
|
||||
|
||||
if test -n "$PRINT_PATH"; then
|
||||
echo "$finalPath"
|
||||
fi
|
||||
fi
|
350
pkgs/pluto/packages.nix
Normal file
350
pkgs/pluto/packages.nix
Normal file
|
@ -0,0 +1,350 @@
|
|||
# This file is autogenerated, do not edit by hand!
|
||||
{fetchgit}: {
|
||||
registryUrl = "https://github.com/JuliaRegistries/General.git";
|
||||
registryRev = "c67828a86f7501f4d487607ded065dbff37ee456";
|
||||
registrySha256 = "1jsg9wf6gwfaswld0d6mm9g8i4v2nrd7265a2an9xh3zdk1blcny";
|
||||
rootPackages = ["Pluto"];
|
||||
closure = [{
|
||||
name = "Artifacts";
|
||||
uuid = "56f22d72-fd6d-98f1-02f0-08ddc0907c33";
|
||||
path = "A/Artifacts";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "c30985d8821e0cd73870b17b0ed0ce6dc44cb744";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/JuliaPackaging/Artifacts.jl.git"; rev = "c30985d8821e0cd73870b17b0ed0ce6dc44cb744"; sha256 = "0i0s26ypiwg6zyb3aqn9kiyiblkkab1mfac9plmq2jv4hggm4jfc"; };
|
||||
} {
|
||||
name = "Base64";
|
||||
uuid = "2a0f44e3-6c83-55bd-87e4-b1978d98bd5f";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "Configurations";
|
||||
uuid = "5218b696-f38b-4ac9-8b61-a12ec717816d";
|
||||
path = "C/Configurations";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "b8486a417456d2fbbe2af13e24cef459c9f42429";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/Roger-luo/Configurations.jl.git"; rev = "b8486a417456d2fbbe2af13e24cef459c9f42429"; sha256 = "1dz1h64nqgcv6ai70pfv2dv4mqx9rqmh08196k7j73bqlc6r00w1"; };
|
||||
} {
|
||||
name = "Crayons";
|
||||
uuid = "a8cc5b0e-0ffa-5ad4-8c14-923d3ee1735f";
|
||||
path = "C/Crayons";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "3f71217b538d7aaee0b69ab47d9b7724ca8afa0d";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/KristofferC/Crayons.jl.git"; rev = "3f71217b538d7aaee0b69ab47d9b7724ca8afa0d"; sha256 = "0v3zhjlnb2914bxcj4myl8pgb7m31p77aj2k1bckmqs96jdph10z"; };
|
||||
} {
|
||||
name = "DataAPI";
|
||||
uuid = "9a962f9c-6df0-11e9-0e5d-c546b8b5ee8a";
|
||||
path = "D/DataAPI";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "dfb3b7e89e395be1e25c2ad6d7690dc29cc53b1d";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/JuliaData/DataAPI.jl.git"; rev = "dfb3b7e89e395be1e25c2ad6d7690dc29cc53b1d"; sha256 = "14sfvkz169zcbap3gdwpj16qsap783h86fd07flfxk822abam11w"; };
|
||||
} {
|
||||
name = "DataValueInterfaces";
|
||||
uuid = "e2d170a0-9d28-54be-80f0-106bbe20a464";
|
||||
path = "D/DataValueInterfaces";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "bfc1187b79289637fa0ef6d4436ebdfe6905cbd6";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/queryverse/DataValueInterfaces.jl.git"; rev = "bfc1187b79289637fa0ef6d4436ebdfe6905cbd6"; sha256 = "0g2wj6q7jj956nx6g7dk8x7w1c4l2xcmnr1kq5x8s8fild9kslg8"; };
|
||||
} {
|
||||
name = "Dates";
|
||||
uuid = "ade2ca70-3891-5945-98fb-dc099432e06a";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "Distributed";
|
||||
uuid = "8ba89e20-285c-5b6f-9357-94700520ee1b";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "ExproniconLite";
|
||||
uuid = "55351af7-c7e9-48d6-89ff-24e801d99491";
|
||||
path = "E/ExproniconLite";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "c97ce5069033ac15093dc44222e3ecb0d3af8966";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/Roger-luo/ExproniconLite.jl.git"; rev = "c97ce5069033ac15093dc44222e3ecb0d3af8966"; sha256 = "0qk73k71c6v0vsq705mmxfj4vg3qslppxy5c8magaf7v5yr605iv"; };
|
||||
} {
|
||||
name = "FuzzyCompletions";
|
||||
uuid = "fb4132e2-a121-4a70-b8a1-d5b831dcdcc2";
|
||||
path = "F/FuzzyCompletions";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "9cde086faa37f32794be3d2df393ff064d43cd66";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/JunoLab/FuzzyCompletions.jl.git"; rev = "9cde086faa37f32794be3d2df393ff064d43cd66"; sha256 = "07sv88c472n6w4x7diy952igbcfm1s104ysnnvprld83312siw06"; };
|
||||
} {
|
||||
name = "HTTP";
|
||||
uuid = "cd3eb016-35fb-5094-929b-558a96fad6f3";
|
||||
path = "H/HTTP";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "b855bf8247d6e946c75bb30f593bfe7fe591058d";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/JuliaWeb/HTTP.jl.git"; rev = "b855bf8247d6e946c75bb30f593bfe7fe591058d"; sha256 = "10m7sqzm06c6pkn885gf6bjnbx4m8hcgy8lyzv15arlssrdracad"; };
|
||||
} {
|
||||
name = "IniFile";
|
||||
uuid = "83e8ac13-25f8-5344-8a64-a9f2b223428f";
|
||||
path = "I/IniFile";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "098e4d2c533924c921f9f9847274f2ad89e018b8";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/JuliaIO/IniFile.jl.git"; rev = "098e4d2c533924c921f9f9847274f2ad89e018b8"; sha256 = "19cn41w04hikrqdzlxhrgf21rfqhkvj9x1zvwh3yz9hqbf350xs9"; };
|
||||
} {
|
||||
name = "InteractiveUtils";
|
||||
uuid = "b77e0a4c-d291-57a0-90e8-8db25a27a240";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "IteratorInterfaceExtensions";
|
||||
uuid = "82899510-4779-5014-852e-03e436cf321d";
|
||||
path = "I/IteratorInterfaceExtensions";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "a3f24677c21f5bbe9d2a714f95dcd58337fb2856";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/queryverse/IteratorInterfaceExtensions.jl.git"; rev = "a3f24677c21f5bbe9d2a714f95dcd58337fb2856"; sha256 = "1slpay1dhja8f9gy6z7b3psgvgcknn963dvfqqakvg1grk9ppa09"; };
|
||||
} {
|
||||
name = "JLLWrappers";
|
||||
uuid = "692b3bcd-3c85-4b1f-b108-f13ce0eb3210";
|
||||
path = "J/JLLWrappers";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "642a199af8b68253517b80bd3bfd17eb4e84df6e";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/JuliaPackaging/JLLWrappers.jl.git"; rev = "642a199af8b68253517b80bd3bfd17eb4e84df6e"; sha256 = "0v7xhsv9z16d657yp47vgc86ggc01i1wigqh3n0d7i1s84z7xa0h"; };
|
||||
} {
|
||||
name = "LibGit2";
|
||||
uuid = "76f85450-5226-5b5a-8eaa-529ad045b433";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "Libdl";
|
||||
uuid = "8f399da3-3557-5675-b5ff-fb832c97cbdb";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "LinearAlgebra";
|
||||
uuid = "37e2e46d-f89d-539d-b4ee-838fcccc9c8e";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "Logging";
|
||||
uuid = "56ddb016-857b-54e1-b83d-db4d58db5568";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "Markdown";
|
||||
uuid = "d6f4376e-aef5-505a-96c1-9c027394607a";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "MbedTLS";
|
||||
uuid = "739be429-bea8-5141-9913-cc70e7f3736d";
|
||||
path = "M/MbedTLS";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "1c38e51c3d08ef2278062ebceade0e46cefc96fe";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/JuliaLang/MbedTLS.jl.git"; rev = "1c38e51c3d08ef2278062ebceade0e46cefc96fe"; sha256 = "0zjzf2r57l24n3k0gcqkvx3izwn5827iv9ak0lqix0aa5967wvfb"; };
|
||||
} {
|
||||
name = "MbedTLS_jll";
|
||||
uuid = "c8ffd9c3-330d-5841-b78e-0817d7145fa1";
|
||||
path = "M/MbedTLS_jll";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "0eef589dd1c26a3ac9d753fe1a8bcad63f956fa6";
|
||||
artifacts = {
|
||||
"519367e9365948074c1fcc9f4365597f147a5ab7" = [{
|
||||
name = "MbedTLS";
|
||||
url = "https://github.com/JuliaBinaryWrappers/MbedTLS_jll.jl/releases/download/MbedTLS-v2.16.8+0/MbedTLS.v2.16.8.x86_64-linux-gnu.tar.gz";
|
||||
sha256 = "5968d98ac1d4fdbf44ed87b0687f916f69ab077961b3cc9ea6068e2d739bd953";
|
||||
}];
|
||||
};
|
||||
src = fetchgit { url = "https://github.com/JuliaBinaryWrappers/MbedTLS_jll.jl.git"; rev = "0eef589dd1c26a3ac9d753fe1a8bcad63f956fa6"; sha256 = "0x43cp26p4w799i1cy4j72l5b1dyqcsab98qjw6yydxk2wha5vw4"; };
|
||||
} {
|
||||
name = "MsgPack";
|
||||
uuid = "99f44e22-a591-53d1-9472-aa23ef4bd671";
|
||||
path = "M/MsgPack";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "a8cbf066b54d793b9a48c5daa5d586cf2b5bd43d";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/JuliaIO/MsgPack.jl.git"; rev = "a8cbf066b54d793b9a48c5daa5d586cf2b5bd43d"; sha256 = "1layiqjf9si38pfdcszppgcy4zbfqgld7jlw8x645sm9b17b19fg"; };
|
||||
} {
|
||||
name = "NetworkOptions";
|
||||
uuid = "ca575930-c2e3-43a9-ace4-1e988b2c1908";
|
||||
path = "N/NetworkOptions";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "ed3157f48a05543cce9b241e1f2815f7e843d96e";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/JuliaLang/NetworkOptions.jl.git"; rev = "ed3157f48a05543cce9b241e1f2815f7e843d96e"; sha256 = "02nm4v67lb1dzhgyyr9bg8kylyyhsgfsxf3nxhbl4hp9dz48an0a"; };
|
||||
} {
|
||||
name = "OrderedCollections";
|
||||
uuid = "bac558e1-5e72-5ebc-8fee-abe8a469f55d";
|
||||
path = "O/OrderedCollections";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "85f8e6578bf1f9ee0d11e7bb1b1456435479d47c";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/JuliaCollections/OrderedCollections.jl.git"; rev = "85f8e6578bf1f9ee0d11e7bb1b1456435479d47c"; sha256 = "0jaxcmvkp8zpqrz101yikdigz90s70i7in5wn8kybwzf0na3lhwf"; };
|
||||
} {
|
||||
name = "Pkg";
|
||||
uuid = "44cfe95a-1eb2-52ea-b672-e2afdf69b78f";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "Pluto";
|
||||
uuid = "c3e4b0f8-55cb-11ea-2926-15256bba5781";
|
||||
path = "P/Pluto";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "85156b21dee3a4515ff479555eb958ad33c057aa";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/fonsp/Pluto.jl.git"; rev = "85156b21dee3a4515ff479555eb958ad33c057aa"; sha256 = "1dvgrj0likniafs06hrwfndbshqr5khdqdyylganc1m81652rz5x"; };
|
||||
} {
|
||||
name = "Preferences";
|
||||
uuid = "21216c6a-2e73-6563-6e65-726566657250";
|
||||
path = "P/Preferences";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "00cfd92944ca9c760982747e9a1d0d5d86ab1e5a";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/JuliaPackaging/Preferences.jl.git"; rev = "00cfd92944ca9c760982747e9a1d0d5d86ab1e5a"; sha256 = "1cail43iqzbi6m9v6981rhz47zf2lcvhs5ds5gdqvc9nx5frghxq"; };
|
||||
} {
|
||||
name = "Printf";
|
||||
uuid = "de0858da-6303-5e67-8744-51eddeeeb8d7";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "REPL";
|
||||
uuid = "3fa0cd96-eef1-5676-8a61-b3b8758bbffb";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "Random";
|
||||
uuid = "9a3f8284-a2c9-5f02-9a11-845980a1fd5c";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "SHA";
|
||||
uuid = "ea8e919c-243c-51af-8825-aaa63cd721ce";
|
||||
path = "S/SHA";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "Serialization";
|
||||
uuid = "9e88b42a-f829-5b0c-bbe9-9e923198166b";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "Sockets";
|
||||
uuid = "6462fe0b-24de-5631-8697-dd941f90decc";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "TOML";
|
||||
uuid = "fa267f1f-6049-4f14-aa54-33bafae1ed76";
|
||||
path = "T/TOML";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "44aaac2d2aec4a850302f9aa69127c74f0c3787e";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/JuliaLang/TOML.jl.git"; rev = "44aaac2d2aec4a850302f9aa69127c74f0c3787e"; sha256 = "1xy19fc5lrj9kh298xhczvmjl1cx3p46fj2xlmkisaqxzhd782yd"; };
|
||||
} {
|
||||
name = "TableIOInterface";
|
||||
uuid = "d1efa939-5518-4425-949f-ab857e148477";
|
||||
path = "T/TableIOInterface";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "9a0d3ab8afd14f33a35af7391491ff3104401a35";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/lungben/TableIOInterface.jl.git"; rev = "9a0d3ab8afd14f33a35af7391491ff3104401a35"; sha256 = "0p2fi9jbyfg2j6rysv4if7dx8qw2mssb04i75j1zq607j8707kvn"; };
|
||||
} {
|
||||
name = "TableTraits";
|
||||
uuid = "3783bdb8-4a98-5b6b-af9a-565f29a5fe9c";
|
||||
path = "T/TableTraits";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "c06b2f539df1c6efa794486abfb6ed2022561a39";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/queryverse/TableTraits.jl.git"; rev = "c06b2f539df1c6efa794486abfb6ed2022561a39"; sha256 = "08ssb2630wm6j8f2qa985mn2vfibfm5kjcn4ayl2qkhfcyp8daw4"; };
|
||||
} {
|
||||
name = "Tables";
|
||||
uuid = "bd369af6-aec1-5ad0-b16a-f7cc5008161c";
|
||||
path = "T/Tables";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "c9d2d262e9a327be1f35844df25fe4561d258dc9";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/JuliaData/Tables.jl.git"; rev = "c9d2d262e9a327be1f35844df25fe4561d258dc9"; sha256 = "1q0wh4031zdp40k44jaix19pzy6cnwsa2p0zfz6799jbyqkg4kr1"; };
|
||||
} {
|
||||
name = "Test";
|
||||
uuid = "8dfed614-e22c-5e08-85e1-65c5234f0b40";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "URIs";
|
||||
uuid = "5c2747f8-b7ea-4ff2-ba2e-563bfd36b1d4";
|
||||
path = "U/URIs";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "97bbe755a53fe859669cd907f2d96aee8d2c1355";
|
||||
artifacts = {};
|
||||
src = fetchgit { url = "https://github.com/JuliaWeb/URIs.jl.git"; rev = "97bbe755a53fe859669cd907f2d96aee8d2c1355"; sha256 = "0kp4hg3kknkm2smlcizqfd33l9x4vkahc2714gnbjp39fj285b92"; };
|
||||
} {
|
||||
name = "UUIDs";
|
||||
uuid = "cf7118a7-6976-5b1a-9a39-7adc72f591a4";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
} {
|
||||
name = "Unicode";
|
||||
uuid = "4ec0a83e-493e-50e2-b9ac-8f72acf5a8f5";
|
||||
path = "null";
|
||||
replaceUrlInManifest = null;
|
||||
treehash = "None";
|
||||
artifacts = {};
|
||||
src = null;
|
||||
}];
|
||||
}
|
15
pkgs/pluto/pluto-standalone.jl
Normal file
15
pkgs/pluto/pluto-standalone.jl
Normal file
|
@ -0,0 +1,15 @@
|
|||
|
||||
using Pkg
|
||||
|
||||
Pkg.activate(".")
|
||||
|
||||
using Pluto
|
||||
|
||||
Pluto.run(
|
||||
launch_browser = false,
|
||||
require_secret_for_access = false,
|
||||
require_secret_for_open_links = false,
|
||||
port = 9999,
|
||||
host = "127.0.0.1",
|
||||
notebook_path_suggestion = "/notebooks"
|
||||
)
|
|
@ -1,16 +0,0 @@
|
|||
{ stdenvNoCC, gauche, fish }:
|
||||
|
||||
stdenvNoCC.mkDerivation {
|
||||
name = "hacc-utility-scripts";
|
||||
|
||||
src = ./.;
|
||||
|
||||
buildInputs = [ gauche fish ];
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out/bin
|
||||
fish -n $out/bin/*.fish
|
||||
cp *.{scm,fish} $out/bin
|
||||
chmod +x $out/bin/*
|
||||
'';
|
||||
}
|
|
@ -1,47 +0,0 @@
|
|||
#!/usr/bin/env fish
|
||||
|
||||
source /run/secrets/auamost/secrets.fish
|
||||
|
||||
for i in (seq 1 (count $groups))
|
||||
set team $teams[$i]
|
||||
set group $groups[$i]
|
||||
set users (curl -s -u $uffd_token --basic https://login.infra4future.de/api/v1/getusers -d group="$group")
|
||||
set usernames (echo "$users" | jq -c "[.[] | .loginname]")
|
||||
for user in (echo "$users" | jq -c ".[]")
|
||||
set id (echo "$user" | jq .id)
|
||||
set username (echo "$user" | jq .loginname)
|
||||
set email (echo "$user" | jq .email)
|
||||
curl -s -H $mattermost_token \
|
||||
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users \
|
||||
-d '{"email": '"$email"', "username": '"$username"', "auth_service": "gitlab", "auth_data": "'"$id"'"}'
|
||||
end
|
||||
set userids (curl -s -H $mattermost_token \
|
||||
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/usernames \
|
||||
-d "$usernames" | jq '[.[] | {user_id: .id, team_id: "'$team'"} ]')
|
||||
curl -s -H $mattermost_token \
|
||||
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/batch \
|
||||
-d "$userids"
|
||||
|
||||
if test "$group" = "hacc"
|
||||
continue
|
||||
end
|
||||
|
||||
set current_members (curl -s -H $mattermost_token \
|
||||
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members | jq '[.[] | .user_id]')
|
||||
|
||||
# membership relations don't contain e.g. usernames, so fetch those, too
|
||||
set current_users (curl -s -H $mattermost_token \
|
||||
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/ids \
|
||||
-d "$current_members" | jq -c '.[]')
|
||||
|
||||
set userids (echo "$userids" | jq -c ".[].user_id")
|
||||
for member in $current_users
|
||||
set id (echo $member | jq .id)
|
||||
if not contains -i $id $userids > /dev/null then
|
||||
set id_unquoted (echo $member | jq -r .id)
|
||||
echo removing $id_unquoted (echo $member | jq '.email') from $team \($group\)
|
||||
curl -s -X DELETE -H $mattermost_token \
|
||||
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/"$id_unquoted"
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,121 +0,0 @@
|
|||
#!/usr/bin/env gosh
|
||||
|
||||
(use gauche.process)
|
||||
(use text.csv)
|
||||
(use scheme.list)
|
||||
(use gauche.parseopt)
|
||||
(use util.match)
|
||||
|
||||
(define cutoff-date "2023-01-01")
|
||||
|
||||
(define sqlite-path "/persist/containers/uffd/uffd/db.sqlite")
|
||||
(define sqlite-query
|
||||
"select displayname, mail, max(expires) as last_login from oauth2token join user on user_id=user.id group by user_id having last_login < '2023-01-01'
|
||||
union all select displayname, mail, '2022' from user where not exists (select * from oauth2token where user_id = user.id);")
|
||||
|
||||
(define dry #f)
|
||||
(define verbose #f)
|
||||
(define very-verbose #f)
|
||||
|
||||
(define (main args)
|
||||
(let-args (cdr args)
|
||||
((averbose "v|verbose")
|
||||
(averyverbose "very-verbose")
|
||||
(adry "n|dry-run")
|
||||
(help "h|help" => (cut show-help (car args)))
|
||||
. restargs
|
||||
)
|
||||
(set! dry adry)
|
||||
(set! verbose averbose)
|
||||
(when averyverbose
|
||||
(set! verbose #t)
|
||||
(set! very-verbose #t))
|
||||
(match restargs
|
||||
[("admin") (do-admin-mail)]
|
||||
[("send-reminder") (send-reminder-mails)]
|
||||
[("list-accounts") (do-list-accounts)]
|
||||
[_ (display "unknown command") (exit 1)]))
|
||||
0)
|
||||
|
||||
(define (do-admin-mail)
|
||||
(send-email "admin@hacc.space" "unused accounts list" (mk-admin-mail unused-accounts))
|
||||
(when verbose
|
||||
(display "done")))
|
||||
|
||||
(define (do-list-accounts)
|
||||
(display (string-join
|
||||
(map
|
||||
(lambda (row) (format "~a (~a)" (list-ref row 0) (list-ref row 1)))
|
||||
unused-accounts)
|
||||
"\n")))
|
||||
|
||||
(define (send-reminder-mails)
|
||||
(map (lambda (row)
|
||||
(send-email (list-ref row 1) "Unbenutzter infra4future.de Account" (mk-email (list-ref row 0) (list-ref row 2))))
|
||||
unused-accounts)
|
||||
(when verbose
|
||||
(display "done")))
|
||||
|
||||
|
||||
(define csv-reader
|
||||
(make-csv-reader #\,))
|
||||
|
||||
(define unused-accounts
|
||||
(map (lambda (str) (with-input-from-string str csv-reader))
|
||||
;; (process-output->string-list `(cat example.csv))))
|
||||
(process-output->string-list `(sqlite3 -csv ,sqlite-path ,sqlite-query))))
|
||||
|
||||
(define (mk-email displayname last-login)
|
||||
#"
|
||||
Hallo ~|displayname|!
|
||||
|
||||
Wir haben schon lange (seit über einem Jahr; dein letzter Login war um ~|last-login|)
|
||||
nichts mehr von dir gehört und würden demnächst deinen Account löschen wollen.
|
||||
Solltest du ihn noch benötigen logge dich bitte einfach auf https://login.infra4future.de ein.
|
||||
Falls nicht, musst du weiter nichts tun und wir werden deine Account in ca. 3 Monaten löschen.
|
||||
|
||||
Viele Grüße,
|
||||
das Infra4Future Team
|
||||
")
|
||||
|
||||
(define (mk-admin-mail rows)
|
||||
(format #"
|
||||
Meow!
|
||||
|
||||
this is the uffd-unused-accounts-notification.scm script. There are currently
|
||||
~~s accounts which have not logged in since ~|cutoff-date|. To mass-send account
|
||||
expiry reminders, invoke this script with the \"send-reminder\" option. To see a
|
||||
list of these accounts, invoke it with the \"list-accounts\" option.
|
||||
|
||||
(invoke me,, 🥺)
|
||||
" (length unused-accounts)))
|
||||
|
||||
; utility definitions
|
||||
|
||||
(define (send-email address subject text)
|
||||
(when verbose
|
||||
(display (format "sending email to ~a\n" address)))
|
||||
(let ([text (string-append "from: admin@hacc.space\n" "subject: " subject "\n" text "\n")])
|
||||
(when very-verbose
|
||||
(display text))
|
||||
(call-with-output-process
|
||||
(if dry '(cat) `(sendmail ,address))
|
||||
(lambda (port) (display text port))
|
||||
:on-abnormal-exit :ignore)))
|
||||
|
||||
(define (show-help progname)
|
||||
(display #"
|
||||
~|progname|: unused account expiry helper script.
|
||||
|
||||
Invoke as `~|progname| [options] admin' to send a list of unused accounts to administrators.
|
||||
|
||||
Invoke as `~|progname| [options] send-reminder' to send a reminder email to all
|
||||
currently unused accounts.
|
||||
|
||||
Options:
|
||||
-v --verbose show which emails are being sent
|
||||
--very-verbose also print emails to stdout
|
||||
-n --dry-run print emails to stdout instead
|
||||
-h --help show this help
|
||||
"))
|
||||
|
24
pkgs/thelounge/css-patch.css
Normal file
24
pkgs/thelounge/css-patch.css
Normal file
|
@ -0,0 +1,24 @@
|
|||
|
||||
/* Hides extra fields on connect screen */
|
||||
.connect-row:nth-of-type(4) {
|
||||
display: none !important;
|
||||
}
|
||||
|
||||
.connect-row:nth-of-type(2) {
|
||||
display: none !important;
|
||||
}
|
||||
|
||||
.connect-row:nth-of-type(5) {
|
||||
display: none !important;
|
||||
}
|
||||
|
||||
|
||||
/* Hides side panel button */
|
||||
.header > button:first-child {
|
||||
display: none !important;
|
||||
}
|
||||
|
||||
/* Hides channel options button (includes leave option) */
|
||||
.header > button:nth-last-child(2) {
|
||||
display: none !important;
|
||||
}
|
|
@ -1,35 +0,0 @@
|
|||
{ stdenv, lib, python3Packages, fetchzip }:
|
||||
|
||||
python3Packages.buildPythonPackage rec {
|
||||
pname = "uffd";
|
||||
version = "2.0.1";
|
||||
PACKAGE_VERSION = version;
|
||||
|
||||
src = fetchzip {
|
||||
url = "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz";
|
||||
hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4=";
|
||||
};
|
||||
|
||||
patches = [ ./forgejo-magic.patch ./fix-setuppy.patch ./fix-userinfo.patch ];
|
||||
|
||||
propagatedBuildInputs = with python3Packages; [
|
||||
flask
|
||||
flask_sqlalchemy
|
||||
flask_migrate
|
||||
qrcode
|
||||
fido2
|
||||
oauthlib
|
||||
flask-babel
|
||||
argon2_cffi
|
||||
itsdangerous
|
||||
alembic
|
||||
Mako
|
||||
];
|
||||
|
||||
postPatch = ''
|
||||
sed -i -e 's/==[0-9.]\+//g' setup.py
|
||||
'';
|
||||
|
||||
doCheck = false;
|
||||
doInstallCheck = false;
|
||||
}
|
|
@ -1,34 +0,0 @@
|
|||
--- a/setup.py 2022-04-30 13:12:45.564651955 +0000
|
||||
+++ b/setup.py 2022-04-30 13:17:02.545809513 +0000
|
||||
@@ -41,31 +41,5 @@
|
||||
'Flask-Babel==0.11.2',
|
||||
'alembic==1.0.0',
|
||||
'argon2-cffi==18.3.0',
|
||||
-
|
||||
- # The main dependencies on their own lead to version collisions and pip is
|
||||
- # not very good at resolving them, so we pin the versions from Debian Buster
|
||||
- # for all dependencies.
|
||||
- 'certifi==2018.8.24',
|
||||
- #cffi==1.12.2'
|
||||
- 'cffi # v1.12.2 no longer works with python3.9. Newer versions seem to work fine.',
|
||||
- 'chardet==3.0.4',
|
||||
- 'click==7.0',
|
||||
- 'cryptography==2.6.1',
|
||||
- 'idna==2.6',
|
||||
- 'itsdangerous==0.24',
|
||||
- 'Jinja2==2.10',
|
||||
- 'MarkupSafe==1.1.0',
|
||||
- 'oauthlib==2.1.0',
|
||||
- 'pyasn1==0.4.2',
|
||||
- 'pycparser==2.19',
|
||||
- 'requests==2.21.0',
|
||||
- 'requests-oauthlib==1.0.0',
|
||||
- 'six==1.12.0',
|
||||
- 'SQLAlchemy==1.2.18',
|
||||
- 'urllib3==1.24.1',
|
||||
- 'Werkzeug==0.14.1',
|
||||
- 'python-dateutil==2.7.3',
|
||||
- #editor==1.0.3
|
||||
- 'Mako==1.0.7',
|
||||
],
|
||||
)
|
|
@ -1,10 +0,0 @@
|
|||
--- a/uffd/oauth2/views.py 2022-04-30 20:39:53.825474990 +0000
|
||||
+++ b/uffd/oauth2/views.py 2022-04-30 20:40:12.632389377 +0000
|
||||
@@ -234,6 +234,7 @@
|
||||
id=user.unix_uid,
|
||||
name=user.displayname,
|
||||
nickname=user.loginname,
|
||||
+ username=user.loginname,
|
||||
email=user.mail,
|
||||
groups=[group.name for group in user.groups]
|
||||
)
|
|
@ -1,32 +0,0 @@
|
|||
From e3c0995160a653ef6cd8784b255036585b273b82 Mon Sep 17 00:00:00 2001
|
||||
From: stuebinm <stuebinm@disroot.org>
|
||||
Date: Wed, 20 Jul 2022 18:02:15 +0200
|
||||
Subject: [PATCH] magic gitea patch
|
||||
|
||||
---
|
||||
uffd/oauth2/views.py | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/uffd/oauth2/views.py b/uffd/oauth2/views.py
|
||||
index d13fd42..94352be 100644
|
||||
--- a/uffd/oauth2/views.py
|
||||
+++ b/uffd/oauth2/views.py
|
||||
@@ -230,6 +230,15 @@ def oauth_required(*scopes):
|
||||
@oauth_required('profile')
|
||||
def userinfo():
|
||||
user = request.oauth.user
|
||||
+ client = request.oauth.client_id
|
||||
+ if client == "forgejo":
|
||||
+ return jsonify(
|
||||
+ id=user.unix_uid,
|
||||
+ full_name=user.displayname,
|
||||
+ login=user.loginname,
|
||||
+ email=user.mail,
|
||||
+ groups=[group.name for group in user.groups]
|
||||
+ )
|
||||
return jsonify(
|
||||
id=user.unix_uid,
|
||||
name=user.displayname,
|
||||
--
|
||||
2.36.0
|
||||
|
105
secrets.yaml
105
secrets.yaml
|
@ -1,105 +0,0 @@
|
|||
hedgedoc-hacc:
|
||||
env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
|
||||
mattermost:
|
||||
env: ENC[AES256_GCM,data:ftWpGl6+sUMzJJKgfcPLvbFGGn16AKUPzPn8X6DNVMLrxZIkQ23Tk3ekKLKFpQEUtQfFjVlrTfFZezWKs4nVNLg2LmQqJNGMCCax5PRwAgoAsJ7pa9ewNmHT+EIXtZEjQgVfN5786Yno5n/6JJ1lz6EiGmdn7/0rF5TLGjzig17azazS1+lkIYY=,iv:SZvGGKpVRI/odHbmgY8M6t6zCk8RgM+7EQEgRiizglA=,tag:cInsVo/QD85m+LxldyRlnA==,type:str]
|
||||
tracktrain:
|
||||
env: ENC[AES256_GCM,data:W3+8qWomPgGJt5u50aAm9x/dilMpqKY11I2AdaIBTz5posc25ts0LB5S/Sxe1ROz4itpDK3QvjoFUTRhS39k4dwMr5lqXV8Ln4B+sPpvh7oBM8A5zydP8Jj1J1YqRt8++RTUmb4z41DIwb/yaZKMu6z0guXIu1yuYzcbCuk0xe/iOp6UUpfjOzzWTvxY54zY6kWcjHLiCSwD31Cd+MxMPfbUEkHt+0W+sBmYXGeEFI/6ULSB6FnGjNW6F9g=,iv:3ymah8HG+Yg6VYZZA/MRRjHDYvYJz01ezvhfQiftegg=,tag:trht+PRYfKgWJkg2wRwISQ==,type:str]
|
||||
vaultwarden:
|
||||
env: ENC[AES256_GCM,data:hdm91tI8WBd3es+IUbdBO69kh1pNZTNvZNFIdSZO8lm4yYMPE+Jm7EzVqwOaZRbpQaVDBg7uh5P4ODc=,iv:no7U0wQCwZOeL2pwXf2pUIgrEsEOYwqOT04LvpCl614=,tag:AGSu5M7H69x6pDM062bC6g==,type:str]
|
||||
auamost:
|
||||
secrets.fish: ENC[AES256_GCM,data:QBteJdVPSWa4cmu1BVWJ3AMWWH4zIv2+G83fK0QsbA/fYoIU5jobCT3USyujNz+jQaAAxA45jmQbCWNAFLl1q8hP4i9EIikVECx0VKVXPXILBND+w7zPSLldAbOugRYt2iAt1dDADZPtulKlkz7usdafbB+2igLXdyFRLfIxDTOrBuqQ+5yeofQe5k0XWRcmQQ/1AV0JrRrmLmr69VKsR932JWD8XxmI/HFyZPzWdExBSOmvnj+m4K+DV4cVmN4t6XOY0dM3gRQ95DglEuGlp/V2o3GqwY0mXCvhM1eh81u8mPALKp6Pv2i2yU35F01Puf5t1FHGDfzp0bW0xuKEywfGjAOifFkSE/3JFir434B6G0DiJNpOIl6QJ6DA8rSKfuPdccm6Or0zX8iJGRHDJmREQ05V9l0jHAAxLNuNdbsxg+8kCWVVnW+d1YDn9KW7LbFlP+sx4Ef5leUYft/lYhF4Z5Xp3arqVrlebWjWIBEuZeJTnkE3y+TdUUCs360zzWHqsipGmo1+/88CEqL52FfUOlJ4VCR45/7nYZ3RaRBWDGFW8RvwmWSFSstEcEXQ01U8lCwyn40+blfltme3KJ1f+pWMrZAKhPlOlMHCYfjd7esWI2sYcQbTZqxH49GnW6dsW/W+eiLs3zlD/Deb2CugHe63zRdlivmVPOz4zD1PXcCVpEZHoTTiJl7Om9K2mPYq9wQN41wsDUrNL9p8m9UlhWKbjBh5UU7p6F6OhF5rKH/Fs8fIaPi6B8uamTvEmiOGTUWl3vmQjBvhM8fJWoIkRB8hgCisr9OZ,iv:8jVAImjeXbXfiLKg9G0PyLMTV8cAyDmukeittqjKFpQ=,tag:fLIcsWKbdFQ/vPCgi/W3Zw==,type:str]
|
||||
restic:
|
||||
s3creds.env: ENC[AES256_GCM,data:9WNu5S4KmdMXdshSpawEjIexAKH6vZCPwb9xyq6xmerly1lxSfFZzgg60M0L3L+I4joLTVi23YBB8Eh6Xfx9GgxNww7w7BjMCQs/X16ecDWlb346TKf+,iv:Gu4CbXXJAlQYXRqOjIAUYmn8EU4mrvcOVc2eCh1Ikzs=,tag:1xpVIonHiAGHsXTY9liPQQ==,type:str]
|
||||
system: ENC[AES256_GCM,data:RIgO0QHVjwp2D3LoU62vLzepASdsXxu0DqUTA6Voa3K1d4xFHX2u+UR8AcqR,iv:O0K8i5ivne7WU+ygDEUcrvKW6DIfXjVPY63gpfsxEFE=,tag:n/1atQ5qlyB0SMHrYiTCrA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHd0Rrem03aWMwUGgwMlM2
|
||||
dmRJdVYrRVNBTXZrVk5CdEFYcDRyN3VlcUhvCmE5L0lpbzdxanNBWFU1dEprUC9Y
|
||||
eUZqdHVmWks2V1g0SHZRN1BsSU96OU0KLS0tIGl1ZUg2aDNtREZWeUE5UXlPeHNG
|
||||
STcwOFgwK1lpWjdyTkd3c0dBTlAyK28KAKL7rPPH0DNRgL3qqCelAoUPnOy8MydL
|
||||
t2ft9ZmzkoiSdSt0Ad1U5IImQt9ZzhPtYYnYbiEVNcfuFCnGcqdoPw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvT0M2SmdwNmNyWWZ1V2o5
|
||||
OHZ4RDlIbTZONXc5Z0FPMm03V3UzVWhaRnhBCjU5dzZlbkZHRkdacG1nUng4S0p6
|
||||
Q1I5Vjg0Vk5wRzNGZTNONXdCMnpUTEEKLS0tIFo5K0tGdDZpLzNPb0llb0dJdk9u
|
||||
c3p5UVBjZWlNVkxFMlVaQ3VMVFdhZVUKxcIL/JMBEojPRlDLHUIuxKcMPMEEsTkS
|
||||
0zLjYVZL7YDS0dKdaZjaExHKrRzRpsY0qpDBHyhcyzRae1sWA4e5Kw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUmFJc24xV2JGS3dzK25F
|
||||
SVVXTjBaRUxJQ3hXZXlHYTRzaXZVNjVObEFZCmpPQUV1b0lySkUvcURObm1xNSt4
|
||||
WVQrbnlvZkQrbzloQzc4NlJCWnlPeGMKLS0tIDBVa2lpUmcrWURwWW8rc3ZmUUU1
|
||||
U0pGQjJackNhT0d4L2ZIOTdTUjBwcjQKCRWcpevMcv2HsWC4jyc/GzxxjkTEm+UF
|
||||
4QdXjJAHh2QLxV9aXF/k/KogebCFkBTirmyOhRKtBRkt87d1D9FKUA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWnZFOVFuTnFTMmpVMDFU
|
||||
dkw4UFlUenZzNkRuNy90NWk4aVNEd2J2Ukc0Cm9mM2dpZEJpVVY4TVB0WUxmTjEw
|
||||
VFJ3aHB6ZFh5YWptYTZ5cXVjTUNBVkEKLS0tIEx0dVRPVVVacHFCMDhFNE1NMnZy
|
||||
cUxicklTUGtPeTlnSFV1TUZqR1VmRnMKtJ+Q80SgqW/Jad8aF7pViGANHCsTMNEM
|
||||
7TbhITW+zWIhnviVS0xOqXrvQs4iBbMfiNnQbFS7tEX08AT2oAg6cw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzT3ZNenJKWTZ3NjdqNWpR
|
||||
Zk9Ya3lsT1Jqd0RIWm8xdm16UjFzcFV1aGlBCkRuMllGSFVIUCs4UEJEQVVGQUxK
|
||||
L1FGNGJwYkFIdU4wOXdFQWt6RSsyR28KLS0tIEgya2xORURncHlvNHJNTnIrb2da
|
||||
emRETSt4WGFYeXR5UmNSajNpUStKUzAKxgDME0M1ewNE/BrL/wFjF4Yj7GupjRPF
|
||||
Fuxae5U3phphzOkflQtreM1ScbUGge8WeiSVWY3Pl1azsYo/yqg8Ew==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1fm3e99tdyrsvztdchxxllt9nat35xzvd68d09y8scu9jfc7kvvuquhr49c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVEdpZmdSdnBaYnV2RWhT
|
||||
MmMxQW9PUUJ4enRqNjFIZ25kUEkvdHBpOXdRCmJkSTJyWklhTU5neUlybzR1Nkp6
|
||||
YlVHczNwRzl0d0hGalpvTFdEUlV3UHMKLS0tIGhQZXEvd2F0aTlna0FNL2wyaEdC
|
||||
U1oyWXcza08rTG1DS0dUYkZOVWZ4L1kKgpt6jG0lNBMdk/isa1A/tfKYjprnnIo5
|
||||
pi4t1c7CktFBkhMlOv6VPJCsQlP0YtZUh/uut70Kecv48+YH5gC/8A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age16fk0m26n0fr2vmuxm2mjsmrawclde2mlyj6wg3ee9jvzmu5ru3ustgs5jq
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRzc5WHAzcWhGSU1kdE1E
|
||||
Z1B0aFhqYUQzQ2ptK09YMm9odWh3U0w3bmtvCi9IcWFhOFhvYU5ISlVpTURMY2hX
|
||||
RG5mL1gvNkZ1SDdMZTR4QWxtRG1VUlkKLS0tIFl5UUdIR0JOSmF4OWx1OHBuaFJj
|
||||
N0FDY2xYRlpmaTgxWURGZWxWWktPV00KAHNeeqhzql4LInlJoD9u7ptFWZBgktvp
|
||||
tju4cZ/78VgdZIfEfnlzw8lsqpRx1z5Fw8K4CcXRJJLRVfHuj2CHTA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBscDFuL0ZsdWxoUFJBd2xr
|
||||
ZXh3K0lSUnFmTVFTVHB5bGR2TC9lREdUczJrCnFSaGoyUnJjbXJ5d1lQd0RUcFJt
|
||||
REkvdEY2NzcveHpQRWZ1STBSemx0SkkKLS0tIGtyN0svS3lYcmxUbVJiU1RaK21l
|
||||
Ukh0VkVaeVBoOXQ1cmZ6WHNkYjQvTmsKG4914d+pSt1seoKiejoCvATOTaVFN4ih
|
||||
Y74W+WXyaKoQP3Q9QrbSURpE+ICfblxHmkbsPB/agNzZVWrfyBaX1A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqR01XampvRE92VnZ3OTZs
|
||||
YmJYaEN2eVJOVWt1OHE1bTdua1ArSC9oVm1ZClBsVFBSWWtLRUoyNDF0NlUwaUpo
|
||||
b0kyazNwRUFhS0RYd1pGNHNENWxQb28KLS0tIDhzdHhRN1FYczZBMksrM09UWUtJ
|
||||
bndBTXJhQVE2OVlKeGNTbzJlL0duUzAKIWdesesYvBIN/m36fhzxq30+IT8qp/pF
|
||||
S6i7QqZF75y2BpEoupRCqNIAsHrouUE+U9ZQJZO8m9J591mWvbVJIw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-07-26T13:05:44Z"
|
||||
mac: ENC[AES256_GCM,data:9A8nX155dpCC1cvdH1hgeNKh0tt5FMaOKU7vZQ33jfWbiXOsJbp5iHKXxWOexFc70acyhdweoHwq61oJm2mzVufJIPA55ZAUItQcDXJCCeu6KswHug0tQtKHoCRSwdTdMTRNom4XjrpA/j4WWpuhoilyknycXqTpGHHVSdL2lYg=,iv:N0zwzGtGzAxhbmLzslbkXSr/iKmq5FeyT/iWeE4x2hQ=,tag:yIoLXpqlU2SlVRK5+S/qaw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
63
services/gitlab-runner.nix
Normal file
63
services/gitlab-runner.nix
Normal file
|
@ -0,0 +1,63 @@
|
|||
{config, pkgs, lib, ...}:
|
||||
|
||||
{
|
||||
services.gitlab-runner = {
|
||||
enable = true;
|
||||
concurrent = 4;
|
||||
services = {
|
||||
infra4future = {
|
||||
buildsDir = "/persist/var/lib/gitlab-runner/builds";
|
||||
dockerImage = "nixos/nix";
|
||||
executor = "docker";
|
||||
registrationConfigFile = "/persist/var/lib/gitlab-runner/gitlab-runner.env";
|
||||
};
|
||||
nix = {
|
||||
limit = 1; # don't run multiple jobs
|
||||
registrationConfigFile = "/persist/var/lib/gitlab-runner/gitlab-runner.env";
|
||||
dockerImage = "alpine";
|
||||
dockerVolumes = [
|
||||
"/nix/store:/nix/store:ro"
|
||||
"/nix/var/nix/db:/nix/var/nix/db:ro"
|
||||
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
|
||||
];
|
||||
dockerDisableCache = true;
|
||||
preBuildScript = pkgs.writeScript "setup-container" ''
|
||||
mkdir -p -m 0755 /nix/var/log/nix/drvs
|
||||
mkdir -p -m 0755 /nix/var/nix/gcroots
|
||||
mkdir -p -m 0755 /nix/var/nix/profiles
|
||||
mkdir -p -m 0755 /nix/var/nix/temproots
|
||||
mkdir -p -m 0755 /nix/var/nix/userpool
|
||||
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
|
||||
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
|
||||
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
|
||||
mkdir -p -m 0700 "$HOME/.nix-defexpr"
|
||||
. ${pkgs.nix}/etc/profile.d/nix.sh
|
||||
${pkgs.nix}/bin/nix-env -i ${lib.concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
|
||||
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
|
||||
${pkgs.nix}/bin/nix-channel --update nixpkgs
|
||||
'';
|
||||
environmentVariables = {
|
||||
ENV = "/etc/profile";
|
||||
USER = "root";
|
||||
NIX_REMOTE = "daemon";
|
||||
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
|
||||
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
|
||||
};
|
||||
tagList = [ "nix" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.gitlab-runner.serviceConfig = {
|
||||
DynamicUser = lib.mkForce false;
|
||||
User = "gitlab-runner";
|
||||
};
|
||||
|
||||
users.users.gitlab-runner = {
|
||||
home = "/persist/var/lib/gitlab-runner";
|
||||
extraGroups = [ "docker" ];
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
virtualisation.docker.storageDriver = "zfs";
|
||||
}
|
168
services/gitlab.nix
Normal file
168
services/gitlab.nix
Normal file
|
@ -0,0 +1,168 @@
|
|||
{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
|
||||
|
||||
{
|
||||
containers.gitlab = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.7";
|
||||
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/gitlab";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
|
||||
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
users.users.root.hashedPassword = "";
|
||||
|
||||
imports = [
|
||||
../modules/mattermost.nix
|
||||
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||
];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
networking.firewall.enable = false;
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.100.1";
|
||||
interface = "eth0";
|
||||
};
|
||||
|
||||
services.gitlab = {
|
||||
enable = true;
|
||||
|
||||
databaseCreateLocally = true;
|
||||
|
||||
host = "gitlab.infra4future.de";
|
||||
https = true;
|
||||
port = 443;
|
||||
|
||||
statePath = "/persist/gitlab";
|
||||
user = "git";
|
||||
databaseUsername = "git";
|
||||
|
||||
initialRootPasswordFile = "/persist/secrets/gitlab-root";
|
||||
secrets.secretFile = "/persist/secrets/gitlab-secret";
|
||||
secrets.dbFile = "/persist/secrets/gitlab-db";
|
||||
secrets.otpFile = "/persist/secrets/gitlab-otp";
|
||||
secrets.jwsFile = "/persist/secrets/gitlab-jws";
|
||||
|
||||
smtp = {
|
||||
enable = true;
|
||||
address = "mail.hacc.space";
|
||||
port = 587;
|
||||
authentication = "plain";
|
||||
domain = "gitlab.infra4future.de";
|
||||
enableStartTLSAuto = true;
|
||||
username = "noreply@infra4future.de";
|
||||
passwordFile = "/persist/secrets/noreply-pass";
|
||||
};
|
||||
|
||||
pagesExtraArgs = [ "-listen-proxy" "0.0.0.0:8090" ];
|
||||
extraConfig = {
|
||||
pages = {
|
||||
enabled = true;
|
||||
host = "4future.dev";
|
||||
port = 443;
|
||||
https = true;
|
||||
};
|
||||
omniauth = {
|
||||
enabled = true;
|
||||
auto_sign_in_with_provider = "openid_connect";
|
||||
allow_single_sign_on = ["openid_connect"];
|
||||
block_auto_created_users = false;
|
||||
providers = [
|
||||
{
|
||||
name = "openid_connect";
|
||||
label = "infra4future Login";
|
||||
args = {
|
||||
name = "openid_connect";
|
||||
scope = ["openid" "profile" "email"];
|
||||
response_type = "code";
|
||||
issuer = "https://auth.infra4future.de/auth/realms/forfuture";
|
||||
discovery = true;
|
||||
client_auth_method = "query";
|
||||
uid_field = "username";
|
||||
client_options = {
|
||||
identifier = "gitlab";
|
||||
secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
|
||||
redirect_uri = "https://gitlab.infra4future.de/users/auth/openid_connect/callback";
|
||||
};
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.redis.enable = true;
|
||||
services.postgresql.package = pkgs.postgresql_13;
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedTlsSettings = true;
|
||||
virtualHosts."gitlab.infra4future.de" = {
|
||||
default = true;
|
||||
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
||||
locations."/".extraConfig = ''
|
||||
proxy_redirect off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh.enable = true;
|
||||
services.openssh.passwordAuthentication = false;
|
||||
|
||||
users.users.git = {
|
||||
isSystemUser = true;
|
||||
group = "gitlab";
|
||||
home = "/persist/gitlab/home";
|
||||
uid = 165;
|
||||
};
|
||||
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
.:53 {
|
||||
forward . 1.1.1.1
|
||||
}
|
||||
'';
|
||||
};
|
||||
})).config.system.build.toplevel;
|
||||
};
|
||||
|
||||
hexchen.nftables.nat.forwardPorts = [{
|
||||
ports = [ 22 ];
|
||||
destination = "${config.containers.gitlab.localAddress}:22";
|
||||
proto = "tcp";
|
||||
}];
|
||||
|
||||
services.nginx.virtualHosts."gitlab.infra4future.de" = {
|
||||
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80";
|
||||
locations."/".extraConfig = ''
|
||||
proxy_set_header X-Nginx-Proxy true;
|
||||
proxy_redirect off;
|
||||
'';
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."4future.dev" = {
|
||||
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
|
||||
serverName = "~^((.*)\.)?4future\.dev$";
|
||||
useACMEHost = "4future.dev";
|
||||
forceSSL = true;
|
||||
};
|
||||
|
||||
security.acme.certs."4future.dev" = {
|
||||
dnsProvider = "cloudflare";
|
||||
credentialsFile = "/var/lib/acme/cloudflare.pass";
|
||||
extraDomainNames = [ "*.4future.dev" ];
|
||||
group = config.services.nginx.group;
|
||||
};
|
||||
}
|
103
services/hedgedoc-hacc.nix
Normal file
103
services/hedgedoc-hacc.nix
Normal file
|
@ -0,0 +1,103 @@
|
|||
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
|
||||
|
||||
{
|
||||
containers.pad-hacc = {
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.5";
|
||||
autoStart = true;
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/pad-hacc";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
users.users.root.hashedPassword = "";
|
||||
|
||||
imports = [
|
||||
../modules/mattermost.nix
|
||||
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||
];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
networking.firewall.enable = false;
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.100.1";
|
||||
interface = "eth0";
|
||||
};
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
.:53 {
|
||||
forward . 1.1.1.1
|
||||
}
|
||||
'';
|
||||
};
|
||||
services.hedgedoc = {
|
||||
enable = true;
|
||||
configuration = {
|
||||
allowAnonymous = true;
|
||||
allowFreeURL = true;
|
||||
allowGravatar = false;
|
||||
allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ];
|
||||
dbURL = "postgres://codimd:codimd@localhost:5432/codimd";
|
||||
defaultPermission = "limited";
|
||||
domain = "pad.hacc.space";
|
||||
host = "0.0.0.0";
|
||||
protocolUseSSL = true;
|
||||
hsts.preload = false;
|
||||
email = false;
|
||||
oauth2 = {
|
||||
authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
|
||||
tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
|
||||
clientID = "hedgedoc";
|
||||
clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
|
||||
};
|
||||
};
|
||||
};
|
||||
systemd.services.hedgedoc.environment = {
|
||||
"CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
|
||||
"CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name";
|
||||
"CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name";
|
||||
"CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
|
||||
"CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
|
||||
};
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "codimd" ];
|
||||
ensureUsers = [{
|
||||
name = "codimd";
|
||||
ensurePermissions = {
|
||||
"DATABASE codimd" = "ALL PRIVILEGES";
|
||||
};
|
||||
}];
|
||||
};
|
||||
services.postgresqlBackup = {
|
||||
enable = true;
|
||||
databases = [ "codimd" ];
|
||||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
})).config.system.build.toplevel;
|
||||
};
|
||||
services.nginx.virtualHosts."pad.hacc.earth" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
globalRedirect = "pad.hacc.space";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."pad.hacc.space" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://${config.containers.pad-hacc.localAddress}:3000";
|
||||
extraConfig = ''
|
||||
add_header Access-Control-Allow-Origin "*";
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
|
@ -1,20 +1,49 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{ config, lib, pkgs, modules, evalConfig, sources, ... }:
|
||||
|
||||
{
|
||||
hacc.containers.pad-i4f = {
|
||||
config = { config, lib, ... }: {
|
||||
containers.pad-i4f = {
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.6";
|
||||
autoStart = true;
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/pad-i4f";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
users.users.root.hashedPassword = "";
|
||||
|
||||
imports = [
|
||||
../modules/mattermost.nix
|
||||
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||
];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
networking.firewall.enable = false;
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.100.1";
|
||||
interface = "eth0";
|
||||
};
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
.:53 {
|
||||
forward . 1.1.1.1
|
||||
}
|
||||
'';
|
||||
};
|
||||
services.hedgedoc = {
|
||||
enable = true;
|
||||
settings = {
|
||||
configuration = {
|
||||
allowAnonymous = true;
|
||||
allowFreeURL = true;
|
||||
allowGravatar = false;
|
||||
allowOrigin = [ "localhost" "pad.infra4future.de" "fff-muc.de" ];
|
||||
db = {
|
||||
host = "/run/postgresql";
|
||||
dialect = "postgres";
|
||||
database = "hedgedoc";
|
||||
};
|
||||
dbURL = "postgres://hedgedoc:hedgedoc@localhost:5432/hedgedoc";
|
||||
defaultPermission = "freely";
|
||||
domain = "pad.infra4future.de";
|
||||
host = "0.0.0.0";
|
||||
|
@ -23,12 +52,8 @@
|
|||
email = false;
|
||||
};
|
||||
};
|
||||
systemd.services.hedgedoc.environment = {
|
||||
"CMD_LOGLEVEL" = "warn";
|
||||
};
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql_15;
|
||||
authentication = ''
|
||||
local all all trust
|
||||
host hedgedoc hedgedoc 127.0.0.1/32 trust
|
||||
|
@ -36,7 +61,9 @@
|
|||
ensureDatabases = [ "hedgedoc" ];
|
||||
ensureUsers = [{
|
||||
name = "hedgedoc";
|
||||
ensureDBOwnership = true;
|
||||
ensurePermissions = {
|
||||
"DATABASE hedgedoc" = "ALL PRIVILEGES";
|
||||
};
|
||||
}];
|
||||
};
|
||||
services.postgresqlBackup = {
|
||||
|
@ -45,8 +72,7 @@
|
|||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
|
||||
};
|
||||
})).config.system.build.toplevel;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."pad.infra4future.de" = {
|
118
services/lantifa.nix
Normal file
118
services/lantifa.nix
Normal file
|
@ -0,0 +1,118 @@
|
|||
{ config, lib, pkgs, profiles, modules, evalConfig, ... }:
|
||||
|
||||
let
|
||||
unstable = import (import ../nix/sources.nix).nixpkgs-unstable {};
|
||||
in {
|
||||
containers.lantifa = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.8";
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/lantifa";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
|
||||
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
users.users.root.hashedPassword = "";
|
||||
hexchen.bindmounts."/var/lib/mediawiki" = "/persist/var/lib/mediawiki";
|
||||
|
||||
imports = [
|
||||
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||
];
|
||||
|
||||
networking.hosts."127.0.0.1" = [ "wiki.lantifa.org" ];
|
||||
users.users.mediawiki.extraGroups = [ "keys" ];
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
networking.firewall.enable = false;
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.100.1";
|
||||
interface = "eth0";
|
||||
};
|
||||
|
||||
services.mediawiki = {
|
||||
enable = true;
|
||||
name = "LANtifa";
|
||||
package = unstable.mediawiki;
|
||||
database.createLocally = true;
|
||||
passwordFile = "/var/lib/mediawiki/mediawiki-password";
|
||||
extraConfig = let
|
||||
wikidb = pkgs.fetchzip {
|
||||
url = "http://www.kennel17.co.uk/uploads/testwiki/archive/e/e9/20210407232657%21WikiDB.zip";
|
||||
sha256 = "0d4f2ygglz4w515a7lgw59500q3xmr92xxhsmh8p204yaa769x8v";
|
||||
};
|
||||
in ''
|
||||
// Configure short URLs
|
||||
$wgScriptPath = "";
|
||||
$wgArticlePath = "/wiki/$1";
|
||||
$wgUsePathInfo = true;
|
||||
|
||||
require_once('${wikidb}/WikiDB.php');
|
||||
$wgExtraNamespaces = array( 100 => "Table", 101 => "Table_Talk",);
|
||||
$wgWikiDBNamespaces = 100;
|
||||
$wgGroupPermissions['user']['writeapi'] = true;
|
||||
$wgDefaultUserOptions['visualeditor-enable'] = 1;
|
||||
$wgLogo = "images/c/c5/LantifaLogoFem0.3.png";
|
||||
|
||||
// PageForms config
|
||||
$wgGroupPermissions['*']['viewedittab'] = false;
|
||||
$wgGroupPermissions['user']['viewedittab'] = true;
|
||||
|
||||
// Moderation setting
|
||||
$wgModerationNotificationEnable = true;
|
||||
$wgModerationEmail = "wiki_mod@lantifa.org";
|
||||
$wgLogRestrictions["newusers"] = 'moderation';
|
||||
|
||||
// intersection / DynamicPageList config
|
||||
$wgDLPMaxCacheTime = 5 * 60;
|
||||
'';
|
||||
|
||||
extensions = {
|
||||
TemplateData = null;
|
||||
VisualEditor = null;
|
||||
InputBox = null;
|
||||
Moderation = pkgs.fetchzip {
|
||||
url = "https://github.com/edwardspec/mediawiki-moderation/archive/v1.4.20.tar.gz";
|
||||
sha256 = "1k0z44jfqsxzwy6jjz3yfibiq8wi845d5iwwh8j3yijn2854fj0i";
|
||||
};
|
||||
intersection = pkgs.fetchzip { # This is the DynamicPageList extension
|
||||
url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_36-789511a.tar.gz";
|
||||
sha256 = "0b5viv0d2pm1g68hynm8xbvcyw2cr3lgaxbqzdykk2yvvhc4w8j5";
|
||||
};
|
||||
PageForms = pkgs.fetchzip {
|
||||
url = "https://github.com/wikimedia/mediawiki-extensions-PageForms/archive/5.0.1.zip";
|
||||
sha256 = "172m7p941fbkl29h5bhanx3dn42jfmzgyvgmgm2lgdbmkawwly96";
|
||||
};
|
||||
};
|
||||
|
||||
virtualHost = {
|
||||
hostName = "wiki.lantifa.org";
|
||||
listen = [ { port = 80; } ];
|
||||
adminAddr = "admin@hacc.space";
|
||||
extraConfig = ''
|
||||
RewriteEngine On
|
||||
RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
|
||||
RewriteRule ^/*$ %{DOCUMENT_ROOT}/index.php [L]
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.mysql.dataDir = "/persist/mysql";
|
||||
services.mysqlBackup = {
|
||||
enable = true;
|
||||
databases = [ "mediawiki" ];
|
||||
calendar = "*-*-* 23:45:00";
|
||||
};
|
||||
})).config.system.build.toplevel;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."wiki.lantifa.org" = {
|
||||
locations."/".proxyPass = "http://" + config.containers.lantifa.localAddress + "";
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
};
|
||||
}
|
157
services/mail.nix
Normal file
157
services/mail.nix
Normal file
|
@ -0,0 +1,157 @@
|
|||
{ config, pkgs, lib, sources, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
sources.nixos-mailserver.outPath
|
||||
];
|
||||
|
||||
mailserver = {
|
||||
mailDirectory = "/persist/mail";
|
||||
enable = true;
|
||||
fqdn = "mail.hacc.space";
|
||||
domains = [ "hacc.space" "muc.hacc.space" "hacc.earth" "4future.dev" "4futu.re" "infra4future.de" "discuss.infra4future.de" ];
|
||||
|
||||
loginAccounts = {
|
||||
"hexchen@hacc.space".hashedPassword = "$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/";
|
||||
"hexchen@hacc.space".aliases = [ "postmaster@hacc.space" "abuse@hacc.space" "hexchen@infra4future.de" ];
|
||||
|
||||
"octycs@hacc.space".hashedPassword = "$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg.";
|
||||
"octycs@hacc.space".aliases = [ "markus@hacc.space" ];
|
||||
|
||||
"raphael@hacc.space".hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/";
|
||||
|
||||
"schweby@hacc.space".hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1";
|
||||
|
||||
"zauberberg@hacc.space".hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
|
||||
"zauberberg@hacc.space".aliases = [ "lukas@hacc.space" ];
|
||||
|
||||
"stuebinm@hacc.space".hashedPassword = "$6$mjrMQG5smqLRlm$WzmbiZnGlEXGT7hj/n2qz0nvVzGyZfMToCyLRi0wErfVEHI7y7jtWoHqIWnpcHAM29UocsIFFsUCb3XqQCwwB.";
|
||||
|
||||
"lenny@hacc.space".hashedPassword = "$6$EZpv9XImv5F3$p2NSoo5gLxh6NnB3/C6wF8knRTuMHqDXYF3BEscaQuk7qok2Z13xKT/6mFvvSKKBnFCuYptgnfGswmoqIzm/1/";
|
||||
"lenny@hacc.space".aliases = [ "rinderhacc@hacc.space" ];
|
||||
|
||||
"finance@muc.hacc.space".hashedPassword = "$6$R3GRmvXwqnMM6q.R$Y9mrUAmMnCScsM6pKjxo2a2XPM7lHrV8FIgK0PzhYvZbxWczo7.O4dk1onYeV1mRx/nXZfkZNjqNCruCn0S2m.";
|
||||
|
||||
# service accounts
|
||||
"noreply@hacc.space".hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
|
||||
"newsletter@hacc.space".hashedPassword = "$6$f0xKnQxBInd$zbVIi1lTKWauqW.c8sMNLHNwzn81oQrVOiIfJwPa98n9xWz/NkjuWLYuFpK.MSZwNwP7Yv/a/qaOb9v8qv/.N1";
|
||||
"gitlab@infra4future.de".hashedPassword = "$6$8vvkYuxv$9xV5WktsqfgM3cWSxonjtaohm7oqvDC5qsgJCJBATwesjTRxd/QTLa7t7teK8Nzyl.Py26xz.NvYowCZQ4aBE1";
|
||||
"noreply@infra4future.de".hashedPassword = "$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
|
||||
"discuss@infra4future.de".hashedPassword = "$6$8x8/OlMFjq1$S54jdBh7WjrdC6UtbYAHHzMJak7Ai/CjwmWBBbqh7yRHuZt.mfZrsfBNiL3JKBHE7seQ7JYRU99lJKCU6Aujg/";
|
||||
};
|
||||
|
||||
extraVirtualAliases = {
|
||||
# address = forward address;
|
||||
|
||||
# -- International --
|
||||
# info/contact: main entrypoint, anyone can read or reply to this.
|
||||
"info@hacc.space" = [
|
||||
"hexchen@hacc.space"
|
||||
"octycs@hacc.space"
|
||||
"raphael@hacc.space"
|
||||
"schweby@hacc.space"
|
||||
"zauberberg@hacc.space"
|
||||
"stuebinm@hacc.space"
|
||||
"lenny@hacc.space"
|
||||
];
|
||||
# admin: current people with access to the mail server and knowledge on how to use it
|
||||
"admin@hacc.space" = [
|
||||
"hexchen@hacc.space"
|
||||
"schweby@hacc.space"
|
||||
"zauberberg@hacc.space"
|
||||
];
|
||||
# voc: hacc video operation center, various streaming-related things
|
||||
"voc@hacc.space" = [
|
||||
"hexchen@hacc.space"
|
||||
"schweby@hacc.space"
|
||||
"octycs@hacc.space"
|
||||
"stuebinm@hacc.space"
|
||||
"zauberberg@hacc.space"
|
||||
"lenny@hacc.space"
|
||||
];
|
||||
|
||||
# -- Regional: Germany --
|
||||
# board of hacc e.V.
|
||||
"vorstand@hacc.space" = [
|
||||
"raphael@hacc.space"
|
||||
"schweby@hacc.space"
|
||||
"zauberberg@hacc.space"
|
||||
];
|
||||
# members of hacc e.V.
|
||||
"mitglieder@hacc.space" = [
|
||||
"hexchen@hacc.space"
|
||||
"raphael@hacc.space"
|
||||
"schweby@hacc.space"
|
||||
"zauberberg@hacc.space"
|
||||
"lenny@hacc.space"
|
||||
"octycs@hacc.space"
|
||||
];
|
||||
|
||||
# -- Regional: Munich --
|
||||
"muc@hacc.space" = [
|
||||
"hexchen@hacc.space"
|
||||
"octycs@hacc.space"
|
||||
"raphael@hacc.space"
|
||||
"schweby@hacc.space"
|
||||
"zauberberg@hacc.space"
|
||||
"stuebinm@hacc.space"
|
||||
"lenny@hacc.space"
|
||||
];
|
||||
|
||||
# -- c3 world operation centre --
|
||||
"world@muc.hacc.space" = [
|
||||
"hexchen@hacc.space"
|
||||
"stuebinm@hacc.space"
|
||||
];
|
||||
};
|
||||
|
||||
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
|
||||
# down nginx and opens port 80.
|
||||
certificateScheme = 3;
|
||||
|
||||
# Enable IMAP and POP3
|
||||
enableImap = true;
|
||||
enablePop3 = true;
|
||||
enableImapSsl = true;
|
||||
enablePop3Ssl = true;
|
||||
|
||||
# Enable the ManageSieve protocol
|
||||
enableManageSieve = true;
|
||||
|
||||
# whether to scan inbound emails for viruses (note that this requires at least
|
||||
# 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
|
||||
virusScanning = false;
|
||||
};
|
||||
services.postfix.submissionOptions.smtpd_sender_restrictions = "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
|
||||
services.postfix.submissionsOptions.smtpd_sender_restrictions = "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
|
||||
services.postfix.virtual = ''
|
||||
@4future.dev @hacc.space
|
||||
@4futu.re @hacc.space
|
||||
@hacc.earth @hacc.space
|
||||
@discuss.infra4future.de discuss@infra4future.de
|
||||
admin@infra4future.de admin@hacc.space
|
||||
noreply@infra4future.de admin@hacc.space
|
||||
lukas@infra4future.de zauberberg@hacc.space
|
||||
info@infra4future.de admin@hacc.space
|
||||
postmaster@infra4future.de admin@hacc.space
|
||||
voc@infra4future.de voc@hacc.space
|
||||
haccvoc@infra4future.de voc@hacc.space
|
||||
contact@hacc.space info@hacc.space
|
||||
himmel@hacc.space admin@hacc.space
|
||||
divoc-patches@muc.hacc.space world@muc.hacc.space
|
||||
'';
|
||||
|
||||
systemd.services.alps = {
|
||||
enable = true;
|
||||
script = "${pkgs.alps}/bin/alps -theme alps imaps://mail.hacc.space:993 smtps://mail.hacc.space:465";
|
||||
serviceConfig.WorkingDirectory = "${pkgs.alps}/share/alps";
|
||||
serviceConfig.Restart = "always";
|
||||
requiredBy = [ "multi-user.target" ];
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."mail.hacc.space" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass = "http://[::1]:1323";
|
||||
};
|
||||
}
|
|
@ -1,26 +1,50 @@
|
|||
{ config, pkgs, lib, ...}:
|
||||
{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
|
||||
|
||||
{
|
||||
sops.secrets = {
|
||||
"mattermost/env" = {};
|
||||
let
|
||||
mattermost = pkgs.mattermost;
|
||||
in {
|
||||
containers.mattermost = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.3";
|
||||
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/mattermost";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
|
||||
hacc.containers.mattermost = {
|
||||
bindSecrets = true;
|
||||
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
users.users.root.hashedPassword = "";
|
||||
|
||||
config = { config, lib, pkgs, ... }: {
|
||||
environment.systemPackages = [ pkgs.morph pkgs.pgloader ];
|
||||
imports = [
|
||||
../modules/mattermost.nix
|
||||
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||
];
|
||||
|
||||
systemd.services.mattermost.serviceConfig.EnvironmentFile =
|
||||
lib.mkForce "/secrets/env";
|
||||
nixpkgs.overlays = [ (self: super: { inherit mattermost; }) ];
|
||||
|
||||
services.mattermost = {
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
networking.firewall.enable = false;
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.100.1";
|
||||
interface = "eth0";
|
||||
};
|
||||
|
||||
# couldn't figure out how to actually overwrite modules, so now
|
||||
# there's two mattermost modules ...
|
||||
services.mattermost-patched = {
|
||||
enable = true;
|
||||
siteUrl = "https://mattermost.infra4future.de";
|
||||
siteName = "Mattermost for Future";
|
||||
listenAddress = "0.0.0.0:3000";
|
||||
mutableConfig = false;
|
||||
|
||||
secretConfig = "/persist/mattermost/secrets.json";
|
||||
statePath = "/persist/mattermost";
|
||||
|
||||
extraConfig = {
|
||||
|
@ -54,7 +78,6 @@
|
|||
TeamSettings = {
|
||||
EnableTeamCreation = true;
|
||||
EnableUserCreation = true;
|
||||
MaxUsersPerTeam = 250;
|
||||
EnableOpenServer = false;
|
||||
EnableUserDeactivation = true;
|
||||
ExperimentalViewArchivedChannels = true;
|
||||
|
@ -98,21 +121,12 @@
|
|||
EnableSMTPAuth = true;
|
||||
SMTPUsername = "noreply@infra4future.de";
|
||||
SMTPServer = "mail.hacc.space";
|
||||
SMTPPort = "465";
|
||||
SMTPServerTimeout = 10;
|
||||
ConnectionSecurity = "TLS";
|
||||
};
|
||||
RateLimitSettings.Enable = false;
|
||||
PrivacySettings = {
|
||||
ShowEmailAddress = false;
|
||||
ShowFullName = true;
|
||||
};
|
||||
# to disable the extra landing page advertising the app
|
||||
NativeAppSettings = {
|
||||
AppDownloadLink = "";
|
||||
AndroidAppDownloadLink = "";
|
||||
IosAppDownloadLink = "";
|
||||
};
|
||||
SupportSettings = {
|
||||
TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
|
||||
PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
|
||||
|
@ -126,9 +140,9 @@
|
|||
Enable = true;
|
||||
Id = "mattermost";
|
||||
Scope = "";
|
||||
AuthEndpoint = "https://login.infra4future.de/oauth2/authorize";
|
||||
TokenEndpoint = "https://login.infra4future.de/oauth2/token";
|
||||
UserApiEndpoint = "https://login.infra4future.de/oauth2/userinfo";
|
||||
AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
|
||||
TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
|
||||
UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
|
||||
};
|
||||
# for some reason, these don't appear to be working; the startup
|
||||
# process complaines and sets these back to en
|
||||
|
@ -144,12 +158,18 @@
|
|||
Enable = true;
|
||||
EnableUploads = true;
|
||||
Plugins = {
|
||||
bigbluebutton = {
|
||||
adminonly = false;
|
||||
base_url = "https://bbb.infra4future.de/bigbluebutton/api";
|
||||
salt = "zKCsNeaEniC115ynHOsZopgA4iTiJjzgeiPNoCEc";
|
||||
};
|
||||
"com.github.matterpoll.matterpoll" = {
|
||||
experimentalui = true;
|
||||
trigger = "poll";
|
||||
};
|
||||
};
|
||||
PluginStates = {
|
||||
bigbluebutton.Enable = true;
|
||||
"com.github.matterpoll.matterpoll".Enable = true;
|
||||
};
|
||||
};
|
||||
|
@ -158,8 +178,6 @@
|
|||
MetricsSettings.Enable = false;
|
||||
GuestAccountsSettings.Enable = false;
|
||||
FeatureFlags.CollapsedThreads = true;
|
||||
SqlSettings.DriverName = "postgres";
|
||||
SqlSettings.DataSource = "postgres:///mattermost?host=/run/postgresql";
|
||||
};
|
||||
|
||||
# turn of the weirder parts of this module (which insist on passwords
|
||||
|
@ -170,28 +188,43 @@
|
|||
localDatabaseCreate = false;
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = lib.mkForce true; # mattermost sets this to false. wtf.
|
||||
package = pkgs.postgresql_15;
|
||||
services.mysql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "mattermost" ];
|
||||
ensureUsers = [ {
|
||||
name = "mattermost";
|
||||
ensureDBOwnership = true;
|
||||
ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
|
||||
} ];
|
||||
package = pkgs.mysql80;
|
||||
dataDir = "/persist/mysql";
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = lib.mkForce true; # mattermost sets this to false. wtf.
|
||||
ensureDatabases = [ "mattermost" ];
|
||||
ensureUsers = [ {
|
||||
name = "mattermost";
|
||||
ensurePermissions = { "DATABASE mattermost" = "ALL PRIVILEGES"; };
|
||||
} ];
|
||||
|
||||
authentication = lib.mkForce ''
|
||||
# Generated file; do not edit!
|
||||
local all all trust
|
||||
host mattermost mattermost ::1/128 trust
|
||||
'';
|
||||
};
|
||||
|
||||
services.postgresqlBackup = {
|
||||
networking.firewall.allowedTCPPorts = [ 3000 ];
|
||||
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
databases = [ "mattermost" ];
|
||||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
config = ''
|
||||
.:53 {
|
||||
forward . 1.1.1.1
|
||||
}
|
||||
'';
|
||||
};
|
||||
})).config.system.build.toplevel;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."mattermost.infra4future.de" = {
|
44
services/murmur.nix
Normal file
44
services/murmur.nix
Normal file
|
@ -0,0 +1,44 @@
|
|||
{ config, lib, pkgs, sources, ... }:
|
||||
|
||||
let
|
||||
mumblesite = pkgs.stdenv.mkDerivation {
|
||||
name = "mumble.hacc.space-website";
|
||||
src = sources.mumble-website.outPath.outPath;
|
||||
buildPhase = ''
|
||||
${pkgs.jekyll.outPath}/bin/jekyll build
|
||||
'';
|
||||
installPhase = ''
|
||||
mkdir -p $out
|
||||
cp -r _site/* $out
|
||||
'';
|
||||
};
|
||||
in
|
||||
{
|
||||
hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur";
|
||||
|
||||
services.murmur = {
|
||||
enable = true;
|
||||
logDays = -1;
|
||||
welcometext = "Welcome to mumble4future! Brought to you by infra4future. The server is now reachable under mumble.hacc.space, please update your bookmarks.";
|
||||
sslKey = "/var/lib/acme/mumble.hacc.space/key.pem";
|
||||
sslCert = "/var/lib/acme/mumble.hacc.space/fullchain.pem";
|
||||
bandwidth = 128000;
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
|
||||
networking.firewall.allowedUDPPorts = [ config.services.murmur.port ];
|
||||
|
||||
services.nginx.virtualHosts =
|
||||
let vhost = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
root = mumblesite.outPath;
|
||||
};
|
||||
in {
|
||||
"mumble.infra4future.de" = vhost;
|
||||
"mumble.hacc.space" = vhost;
|
||||
};
|
||||
|
||||
# set ACLs so that the murmur user can read the certificates
|
||||
security.acme.certs."mumble.hacc.space".postRun = "setfacl -Rm u:murmur:rX /var/lib/acme/mumble.hacc.space";
|
||||
}
|
140
services/nextcloud/default.nix
Normal file
140
services/nextcloud/default.nix
Normal file
|
@ -0,0 +1,140 @@
|
|||
{ config, lib, pkgs, profiles, modules, evalConfig, ... }:
|
||||
|
||||
{
|
||||
containers.nextcloud = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.2";
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/nextcloud";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
users.users.root.hashedPassword = "";
|
||||
|
||||
imports = [
|
||||
((import sources.nix-hexchen) {}).profiles.nopersist
|
||||
../../modules/nextcloud.nix
|
||||
];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
networking.firewall.enable = false;
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.100.1";
|
||||
interface = "eth0";
|
||||
};
|
||||
|
||||
environment.systemPackages = [ pkgs.htop ];
|
||||
|
||||
services.nextcloud-patched = {
|
||||
enable = true;
|
||||
|
||||
# must be set manually; may not be incremented by more than one at
|
||||
# a time, otherwise nextcloud WILL break
|
||||
package = pkgs.nextcloud21;
|
||||
|
||||
home = "/persist/nextcloud";
|
||||
https = true;
|
||||
|
||||
hostName = "cloud.infra4future.de";
|
||||
config = {
|
||||
dbtype = "pgsql";
|
||||
dbuser = "nextcloud";
|
||||
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
|
||||
dbname = "nextcloud";
|
||||
# there's also a adminpassFile option, but for testing this seems
|
||||
# enough (less fiddling with getting the file into a nixos
|
||||
# container for ad-hoc setups)
|
||||
adminpass = "lushfjwebrwhjebr";
|
||||
adminuser = "root";
|
||||
};
|
||||
|
||||
caching.redis = true;
|
||||
|
||||
# multiple pools may be doable using services.phpfpm.pools,
|
||||
# but i have not tried this yet. The nextcloud module defines a
|
||||
# pool "nextcloud"
|
||||
poolSettings = {
|
||||
pm = "dynamic";
|
||||
"pm.max_children" = "32";
|
||||
"pm.max_requests" = "500";
|
||||
"pm.max_spare_servers" = "4";
|
||||
"pm.min_spare_servers" = "2";
|
||||
"pm.start_servers" = "2";
|
||||
};
|
||||
|
||||
extraOptions = {
|
||||
instanceid = "ocxlphb7fbju";
|
||||
redis = {
|
||||
host = "/run/redis/redis.sock";
|
||||
port = 0;
|
||||
dbindex = 0;
|
||||
password = "secret";
|
||||
timeout = 1.5;
|
||||
};
|
||||
datadirectory = "/persist/data/ncdata";
|
||||
mail_smtpmode = "smtp";
|
||||
mail_smtpsecure = "ssl";
|
||||
mail_sendmailmode = "smtp";
|
||||
mail_from_address = "noreply";
|
||||
mail_domain = "infra4future.de";
|
||||
mail_smtpauthtype = "PLAIN";
|
||||
mail_smtpauth = 1;
|
||||
mail_smtphost = "mail.hacc.space";
|
||||
mail_smtpport = 465;
|
||||
mail_smtpname = "noreply@infra4future.de";
|
||||
loglevel = 0;
|
||||
"overwrite.cli.url" = "https://cloud.infra4future.de";
|
||||
};
|
||||
|
||||
# passwordsalt, secret, and mail_smtppassword go in here
|
||||
secretFile = "/persist/secrets.json";
|
||||
|
||||
};
|
||||
|
||||
services.redis = {
|
||||
enable = true;
|
||||
unixSocket = "/var/run/redis/redis.sock";
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [ "nextcloud" ];
|
||||
ensureUsers = [
|
||||
{ # by default, postgres has unix sockets enabled, and allows a
|
||||
# system user `nextcloud` to log in without other authentication
|
||||
name = "nextcloud";
|
||||
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
# ensure that postgres is running *before* running the setup
|
||||
systemd.services."nextcloud-setup" = {
|
||||
requires = ["postgresql.service"];
|
||||
after = ["postgresql.service"];
|
||||
};
|
||||
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
.:53 {
|
||||
forward . 1.1.1.1
|
||||
}
|
||||
'';
|
||||
};
|
||||
})).config.system.build.toplevel;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."cloud.infra4future.de" = {
|
||||
locations."/".proxyPass = "http://${config.containers.nextcloud.localAddress}:80";
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
|
||||
}
|
32
services/nginx-pages.nix
Normal file
32
services/nginx-pages.nix
Normal file
|
@ -0,0 +1,32 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
domains = [ "www.infra4future.de" "hacc.earth" "www.hacc.earth" ];
|
||||
in {
|
||||
|
||||
services.nginx.virtualHosts =
|
||||
listToAttrs (map (host: nameValuePair host {
|
||||
useACMEHost = "infra4future.de";
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
|
||||
}) domains) // {
|
||||
"infra4future.de" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
|
||||
};
|
||||
"muc.hacc.earth" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass "http://${config.containers.gitlab.localAddress}:8090/infra4future/muc.hacc.earth/";
|
||||
proxy_set_header Host 'hacc.4future.dev';
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
security.acme.certs."infra4future.de" = {
|
||||
extraDomainNames = domains;
|
||||
};
|
||||
}
|
66
services/pluto.nix
Normal file
66
services/pluto.nix
Normal file
|
@ -0,0 +1,66 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let sources = import ../nix/sources.nix;
|
||||
in
|
||||
{
|
||||
containers.pluto = {
|
||||
autoStart = true;
|
||||
|
||||
bindMounts."/notebooks" = {
|
||||
hostPath = "/data/pluto";
|
||||
isReadOnly = false;
|
||||
};
|
||||
|
||||
config = {pkgs, config, ...}: {
|
||||
systemd.services.pluto =
|
||||
let
|
||||
julia = (import ../pkgs/pluto)
|
||||
{pkgs = import sources.nixpkgs {};};
|
||||
pluto = pkgs.stdenv.mkDerivation {
|
||||
name = "pluto-standalone";
|
||||
buildPhase = "mkdir $out";
|
||||
installPhase = ''
|
||||
cp *.toml $out
|
||||
cp *.jl $out
|
||||
'';
|
||||
src = ../pkgs/pluto;
|
||||
};
|
||||
in {
|
||||
enable = true;
|
||||
description = "Pluto.js notebook server";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
type = "simple";
|
||||
User = "pluto";
|
||||
Group = "pluto";
|
||||
};
|
||||
# julia needs some writable directory to keep state in
|
||||
# (especially precompiled artifacts). The wrapped version
|
||||
# of julia below will append this with a path from the
|
||||
# nix store that contains all needed packages, so this
|
||||
# should even work entirely without internet access.
|
||||
environment.JULIA_DEPOT_PATH = "/var/lib/julia";
|
||||
script = ''
|
||||
cd ${pluto.outPath}
|
||||
${julia}/bin/julia pluto-standalone.jl
|
||||
'';
|
||||
};
|
||||
users.users.pluto = {
|
||||
group = "pluto";
|
||||
home = "/notebooks";
|
||||
isSystemUser = true;
|
||||
};
|
||||
users.groups.pluto = {};
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/julia 0750 pluto pluto"
|
||||
];
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
systemd.services."container@pluto".serviceConfig = {
|
||||
MemoryHigh = "2G"; # will throttle, but not a hard limit
|
||||
MemoryMax = "2.5G"; # hard limit
|
||||
CPUQuota = "100%"; # give CPU time roughly equivalent to one core
|
||||
};
|
||||
}
|
55
services/syncthing.nix
Normal file
55
services/syncthing.nix
Normal file
|
@ -0,0 +1,55 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
services.syncthing = {
|
||||
enable = true;
|
||||
relay.enable = false;
|
||||
openDefaultPorts = true;
|
||||
configDir = "/persist/var/lib/syncthing/";
|
||||
dataDir = "/persist/data/syncthing/";
|
||||
declarative = {
|
||||
devices = {
|
||||
# schweby
|
||||
txsbcct = {
|
||||
addresses = []; # empty = dynamic
|
||||
id = "AQHOPTO-X3LWJXZ-2SPLSEW-MCVMX3R-VSLPPYE-NIOTDMW-QOYRSDZ-2LR7RAD";
|
||||
};
|
||||
octycs = {
|
||||
addresses = []; # empty = dynamic
|
||||
id = "KIJVGWZ-GRXPAUX-ZOTZDLS-KUKANCC-A2IBZRM-BT3RZK7-5M43O6R-OZD5IQE";
|
||||
};
|
||||
stuebinm-desktop = {
|
||||
addresses = []; # empty = dynamic
|
||||
id = "CWZTKG7-F45LE2O-TIT6IBC-RQD6MLH-K5ECUGJ-LOHJXF3-I2F4R6I-JVMRLAJ";
|
||||
};
|
||||
raphael-laptop = {
|
||||
addresses = []; # empty = dynamic
|
||||
id = "72B3T74-NOMJV3X-EVJXTJF-5GGAEZB-ZDKBHXQ-VQNRYEU-YCPA2JP-L6NGAAG";
|
||||
};
|
||||
# zauberberg
|
||||
conway = {
|
||||
addresses = []; # empty = dynamic
|
||||
id = "HV7IU2N-Q4W3A7F-BSASR43-OB575SM-47FY2UW-7N5GMFM-PX3LWRN-HXBXMQF";
|
||||
};
|
||||
# hexchen
|
||||
storah = {
|
||||
addresses = [ "tcp://46.4.62.95:22000" "quic://46.4.62.95:22000" ];
|
||||
id = "SGHQ2JA-7FJ6CKM-N3I54R4-UOJC5KO-7W22O62-YLTF26F-S7DLZG4-ZLP7HAM";
|
||||
};
|
||||
};
|
||||
|
||||
folders = {
|
||||
"/persist/data/syncthing/hacc/" = {
|
||||
id = "qt2ly-xvvvs";
|
||||
devices = [ "txsbcct" "octycs" "stuebinm-desktop" "conway" "raphael-laptop" "storah" ];
|
||||
type = "receiveonly";
|
||||
versioning = {
|
||||
type = "simple";
|
||||
params.keep = "10";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
}
|
86
services/thelounge.nix
Normal file
86
services/thelounge.nix
Normal file
|
@ -0,0 +1,86 @@
|
|||
{ config, lib, pkgs, evalConfig, ... }:
|
||||
|
||||
let
|
||||
# necessary since overlays won't propagate into the
|
||||
# container's config
|
||||
thelounge = pkgs.thelounge-hacked;
|
||||
in
|
||||
{
|
||||
containers.thelounge = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.4";
|
||||
|
||||
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
users.users.root.hashedPassword = "";
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
networking.firewall.enable = false;
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.100.1";
|
||||
interface = "eth0";
|
||||
};
|
||||
|
||||
services.thelounge = {
|
||||
enable = true;
|
||||
|
||||
extraConfig = {
|
||||
public = true;
|
||||
# respect X-Forwarded-For
|
||||
reverseProxy = true;
|
||||
defaults = {
|
||||
name = "libera chat";
|
||||
host = "irc.eu.libera.chat";
|
||||
port = 6697;
|
||||
# encrypt things!
|
||||
tls = true;
|
||||
# yes, please do actually check the cert …
|
||||
rejectUnauthorized = true;
|
||||
nick = "haccGuest%%%%";
|
||||
join = "#hacc-webchat";
|
||||
};
|
||||
lockNetwork = true;
|
||||
|
||||
# don't log messages (default is text / sqlite)
|
||||
messageStorage = [];
|
||||
|
||||
# darker theme
|
||||
#theme = "morning";
|
||||
|
||||
# these three should result in having link previews
|
||||
# which are fetched only by the server, then proxied
|
||||
# (i.e. clients won't directly connect to arbitrary
|
||||
# domains to get previews)
|
||||
prefetch = true;
|
||||
prefetchStorage = true;
|
||||
disableMediaPreview = true;
|
||||
|
||||
leaveMessage = "happy haccing";
|
||||
};
|
||||
};
|
||||
|
||||
# override the package we use
|
||||
systemd.services.thelounge.serviceConfig.ExecStart =
|
||||
pkgs.lib.mkForce "${thelounge}/bin/thelounge start";
|
||||
|
||||
services.coredns = {
|
||||
enable = true;
|
||||
config = ''
|
||||
.:53 {
|
||||
forward . 1.1.1.1
|
||||
}
|
||||
'';
|
||||
};
|
||||
})).config.system.build.toplevel;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."webchat.voc.hacc.space" = {
|
||||
locations."/".proxyPass =
|
||||
"http://${config.containers.thelounge.localAddress}:9000";
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
}
|
10
services/unifi.nix
Normal file
10
services/unifi.nix
Normal file
|
@ -0,0 +1,10 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
services.unifi = {
|
||||
enable = true;
|
||||
openPorts = true;
|
||||
dataDir = "/persist/var/lib/unifi";
|
||||
};
|
||||
}
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue