Compare commits
117 Commits
nextcloud-
...
main
Author | SHA1 | Date |
---|---|---|
stuebinm | 4622dcd956 | |
stuebinm | 8c3d3bf6db | |
stuebinm | 972a26163a | |
stuebinm | 27b8ef6784 | |
Moira | 8662943183 | |
stuebinm | f9005dd4d0 | |
stuebinm | f654b33a56 | |
stuebinm | 3dc63acf52 | |
stuebinm | 208bcaa898 | |
Moira | d4d3f6e5d2 | |
stuebinm | f75169ce0a | |
stuebinm | d99408486a | |
stuebinm | d20acbfe58 | |
Moira | 281745d7a6 | |
Moira | 1ad0a7751c | |
stuebinm | 5e51d5f252 | |
stuebinm | 069236027c | |
stuebinm | 283aba0c2c | |
stuebinm | faa83b6007 | |
stuebinm | e81472cb87 | |
stuebinm | 1cee814e04 | |
stuebinm | 8da02ed645 | |
stuebinm | 8283162109 | |
stuebinm | 8f7f5448a3 | |
stuebinm | 319e5894e0 | |
stuebinm | 55b0b3558d | |
stuebinm | 3fb25aa016 | |
stuebinm | 7b9e423999 | |
stuebinm | f29830ec93 | |
stuebinm | e12cc7dbf5 | |
stuebinm | cbc7827cb9 | |
stuebinm | 1042c90d8a | |
stuebinm | ea230c34b0 | |
stuebinm | 62917423e3 | |
stuebinm | 0f678c5e80 | |
stuebinm | 0140b7a9fb | |
stuebinm | 39531f1c48 | |
stuebinm | 461cb01126 | |
stuebinm | 2988939be0 | |
stuebinm | 7427df5167 | |
stuebinm | 1ccc0ccbca | |
stuebinm | 5dd817796f | |
stuebinm | a36d2a7617 | |
stuebinm | c28a1f6e2e | |
stuebinm | c681bb413c | |
Moira | 062e123046 | |
stuebinm | 93cc8b8172 | |
stuebinm | 816e175b33 | |
stuebinm | a3c6479dbe | |
stuebinm | abfc5618e9 | |
stuebinm | c0f37da12f | |
stuebinm | 12e4cba3e6 | |
stuebinm | 68dc640257 | |
stuebinm | 41d82ae436 | |
stuebinm | c2022d9c60 | |
stuebinm | 990d48a1c7 | |
stuebinm | d011fcb56d | |
stuebinm | b38e6a0ebc | |
stuebinm | a72f35de35 | |
stuebinm | 4e17d6034c | |
Moira | 2008876dc6 | |
Moira | 910caf3485 | |
stuebinm | 226508d4b0 | |
stuebinm | cb87d88a13 | |
stuebinm | 658e9046c5 | |
stuebinm | c3457207cd | |
stuebinm | 4d91e1f591 | |
stuebinm | 01d972c9ed | |
stuebinm | 9d187d212a | |
stuebinm | 17149be4bd | |
stuebinm | 920ea9e8d4 | |
stuebinm | f03a582345 | |
stuebinm | 641c59092c | |
stuebinm | b5855fe379 | |
Raphael Weniger | 0f19d712cb | |
stuebinm | 448ea1b831 | |
stuebinm | ea5a77703e | |
stuebinm | 8186160c1b | |
stuebinm | e03bf84d3a | |
stuebinm | a4288d77ce | |
stuebinm | 3ce4b83464 | |
stuebinm | 9e7929ab5f | |
stuebinm | a8f7ee667d | |
stuebinm | eae84263f5 | |
stuebinm | 6586f0c552 | |
stuebinm | f9d7496af7 | |
stuebinm | a17cd69a52 | |
stuebinm | 54fe6bfce7 | |
stuebinm | 17ead057f4 | |
stuebinm | 3407e873ef | |
stuebinm | 4b40d665fe | |
stuebinm | 6529cb79a0 | |
stuebinm | 72ca5b2888 | |
stuebinm | 74654f2fc0 | |
stuebinm | 4fb06c3e10 | |
stuebinm | d7d15f4b0b | |
stuebinm | c18215f356 | |
stuebinm | 6a4ff47443 | |
stuebinm | 109aada070 | |
Moira | 2d542e9167 | |
stuebinm | d8e937a91d | |
stuebinm | 57b6eac7c2 | |
stuebinm | e5d57ebec9 | |
stuebinm | 6a51e74c73 | |
stuebinm | 5bd2c5ab4c | |
stuebinm | 3099798468 | |
stuebinm | b5d4f76a1d | |
stuebinm | 003f2f7e44 | |
stuebinm | 0d75469590 | |
stuebinm | 49fa2325f3 | |
stuebinm | a3689d1c76 | |
stuebinm | eda184ee48 | |
stuebinm | 8d9df0e20e | |
stuebinm | fb3c1b0a96 | |
stuebinm | b30df7ea6d | |
stuebinm | 26f3f98a9c | |
Moira | f91ea850bc |
|
@ -0,0 +1,23 @@
|
|||
keys:
|
||||
- &parsons age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
|
||||
- &hexchen-backup age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
|
||||
- &stuebinm-ilex age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
|
||||
- &stuebinm-surltesh-echer age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
|
||||
- &stuebinm-abbenay age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
|
||||
- &octycs-m age1fm3e99tdyrsvztdchxxllt9nat35xzvd68d09y8scu9jfc7kvvuquhr49c
|
||||
- &zauberberg-conway age16fk0m26n0fr2vmuxm2mjsmrawclde2mlyj6wg3ee9jvzmu5ru3ustgs5jq
|
||||
- &moira-2022-06 age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
|
||||
- &moira-openpgp age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
|
||||
creation_rules:
|
||||
- path_regex: secrets.yaml
|
||||
key_groups:
|
||||
- age:
|
||||
- *parsons
|
||||
- *hexchen-backup
|
||||
- *stuebinm-ilex
|
||||
- *stuebinm-surltesh-echer
|
||||
- *stuebinm-abbenay
|
||||
- *octycs-m
|
||||
- *zauberberg-conway
|
||||
- *moira-2022-06
|
||||
- *moira-openpgp
|
31
README.md
31
README.md
|
@ -1,22 +1,26 @@
|
|||
# hacc nixfiles
|
||||
|
||||
welcome to hacc nixfiles (haccfiles). this is the code describing our nix-based infrastructure.
|
||||
Welcome to the hacc nixfiles (haccfiles). This is how we configure (most of)
|
||||
our infrastructure.
|
||||
|
||||
## structure
|
||||
## General layout
|
||||
|
||||
- `flake.nix`: Entrypoint & dependencies
|
||||
- `common/`: configuration common to all hosts
|
||||
- `modules/`: home-grown modules for hacc-specific services
|
||||
- `pkgs/`: packages we built and don't want to upstream
|
||||
- `hosts/`: configuration.nix per host (currently there's only one of those)
|
||||
- `services/`: all services we run; imported in appropriate host config
|
||||
- `websites/`: static websites we deploy somewhere
|
||||
- `pkgs/`: packages we need which aren't in nixpkgs
|
||||
- `websites/`: static websites hosted by us
|
||||
- `common/`: meta-level config, reusable across machines
|
||||
- `parsons/`: our sole server, its config & the services it runs
|
||||
|
||||
## working with the haccfiles
|
||||
Right now, we only have a single host. We might add more again in the future.
|
||||
|
||||
## Working with this repo
|
||||
|
||||
You will need a flake-enabled nix installation, and have your ssh config set up
|
||||
so that `ssh parsons` will connect to `parsons.hacc.space`.
|
||||
|
||||
### Deploying remotely
|
||||
|
||||
It's recommended to use [deploy_rs](https://github.com/serokell/deploy-rs):
|
||||
~~~shell
|
||||
deploy .#parsons -k [--dry-activate]
|
||||
|
@ -28,13 +32,12 @@ nixos-rebuild --flake .#parsons --target-host parsons \
|
|||
--use-remote-sudo --use-substitutes [test|switch|dry-activate]
|
||||
~~~
|
||||
|
||||
If for some reason you have `nix` but not `nixos-rebuild`, you can still build the
|
||||
system closure using:
|
||||
~~~shell
|
||||
nix build .#nixosConfigurations.parsons.config.system.build.toplevel
|
||||
~~~
|
||||
### Re-deploying on parsons itself
|
||||
|
||||
(but you might have trouble deploying it)
|
||||
Simply do:
|
||||
~~~shell
|
||||
nixos-rebuild --flake .#parsons [test|switch|dry-activate]
|
||||
~~~
|
||||
|
||||
## Working on websites
|
||||
|
||||
|
|
|
@ -4,7 +4,6 @@
|
|||
imports = [
|
||||
../modules
|
||||
./users.nix
|
||||
modules.network.nftables
|
||||
];
|
||||
|
||||
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
|
||||
|
@ -27,13 +26,16 @@
|
|||
services.openssh = {
|
||||
enable = true;
|
||||
ports = lib.mkDefault [ 62954 ];
|
||||
passwordAuthentication = false;
|
||||
kbdInteractiveAuthentication = false;
|
||||
permitRootLogin = lib.mkDefault "prohibit-password";
|
||||
extraConfig = "StreamLocalBindUnlink yes";
|
||||
forwardX11 = true;
|
||||
settings = {
|
||||
X11Forwarding = true;
|
||||
PermitRootLogin = "prohibit-password";
|
||||
PasswordAuthentication = false;
|
||||
KbdInteractiveAuthentication = false;
|
||||
StreamLocalBindUnlink = true;
|
||||
};
|
||||
};
|
||||
programs.mosh.enable = true;
|
||||
programs.fish.enable = true;
|
||||
security.sudo.wheelNeedsPassword = lib.mkDefault false;
|
||||
|
||||
i18n.defaultLocale = "en_IE.UTF-8";
|
||||
|
@ -58,7 +60,7 @@
|
|||
whois
|
||||
iperf
|
||||
fd
|
||||
exa
|
||||
eza
|
||||
socat
|
||||
tmux
|
||||
gnupg
|
||||
|
|
|
@ -19,24 +19,12 @@
|
|||
];
|
||||
};
|
||||
|
||||
stuebinm = {
|
||||
uid = 1005;
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
shell = pkgs.fish;
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7J3peZGB4XGJKI1dV5PdpQS+TzmoJ7qL//ipCG7G5K stuebinm@surltesh-echer"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPB74xA2GBXnDwPEEaxWLONdQyBwjDoJHYagKRQXwO2 stuebinm@abbenay"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8e9WrHsknoFwBm/YaigOSz9VI8dXRRR5G9BX4kKt9/ stuebinm@ilex"
|
||||
];
|
||||
};
|
||||
|
||||
octycs = {
|
||||
uid = 1002;
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDobGLrA6YQAKdJkZMpAsqjlk744G/pCJEvAUNJDuT1Sr59BFKDchPT03exb0o39mjH4iqvw4JDI10RfylKbR1736Ji2yRLlbCzUdgv2CfZc28TAO0rscyT49RHJmzEEE5QD4Ge7MgvFBEmZKXAxntA8M8EbxxEVfzhWp3751BYkzrCbJiHMXcTb+BG9P6rmrraINmgUJxywym5PsMYt2sfHlVus3hSpWnCR/cu0nxmW9E6Tm6CzSkWOXOTdjVuc0Kgh5GXaKDROzJ9K7cJAhd5t8Yzqtpm2xfSU5FVVUH9i7PbXOo8FL82Xi6kWMgdFNLvKimxGqW+bCv3ROlyKWF4I+HQdfdL181KaOQ40jAvjmldrB/ZiEbuWYSBZ/XhxFkKrtBYPDFHq/a5lnH3OvcDm7+/LhwIKUnyZyQ2dXOLOTOEDsO/69xwNveCB8of9o/erDbOeb+d44cXUFpPMUTz4bHXEP6y+zz8TB8/aleGbLQCPUzRZfvazN95jGUDqkumi9B3Lf+W/KpjVUgu3NQsUuJn6khMYW9VefnJvHwzbWpqIzbzNePL4iZFECv4NHPQHO/katajnMbkCie9rfnLk1EjJnrSnZUInEygkW/7Eu4EQM2h7lU4HYfwP1c4ubCFdES0ELGqSuJRwd/ORDbgxbuKOQ7gZ3/lgHdr9KGqJQ== markus.amaseder@amaseder.de"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQqFXSlqW+D4ZtVdCiN9IT461iwyqy2taBRD3qkvXqn m@octycs.eu"
|
||||
];
|
||||
hashedPassword = "$6$qQEbD8Ejx/y$6/nkX8CmFBtAlUP/UbFKVMVlA.ZvVbjQZRABqXQjU11tKpY25ww.MCGGMEKFv.7I/UH/126/q0S3ROTqePUEc.";
|
||||
};
|
||||
|
@ -46,7 +34,7 @@
|
|||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" "cdrom" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt34ou3NYWoUayWrJa5ISzihAAhFiwolJPmm2fF9llPUUA8DP3BQRiKeqDlkDzhWLwztb+dNIUuregiFJdRN5Q2JZBKlM7Gqb1QtPhtK+xe2pyZPX2SWKIsKA6j3VAThhXsQdj3slXu3dG8FF7j+IFg/eTgpeQIFQQkMIc204ha8OP2ASYAJqgJVbXq8Xh3KkAc1HSrjYJLntryvK10wyU8p3ug370dMu3vRUn44FEyDzXFM9rfsgysQTzVgp+sXdRfMLeyvf+SUrE8hiPjzevF2nsUP0Xf/rIaK5VayChPLXJkulognINzvuVWAdwNPDLpgGwkjglF2681Ag88bLX allesmoeglicheundvielmehr@hotmail.de"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfxXSy22k2EZwz1EtvIMwQKGWsswEBeLn5ClhuiI4Ma lukas@Conway.lan"
|
||||
];
|
||||
packages = with pkgs; [ ffmpeg ];
|
||||
};
|
||||
|
@ -62,5 +50,37 @@
|
|||
];
|
||||
hashedPassword = "$6$zkAsaVdmIduqZxez$GY9aBlYeP41F0it/VbbZzLLLRQhHAbDdFsa3e/1GS9McTuSimMHODg6HqNVEH1zSqD3afhK/0UHfqbtF5qpi90";
|
||||
};
|
||||
|
||||
stuebinm = {
|
||||
uid = 1005;
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" ];
|
||||
shell = pkgs.fish;
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7J3peZGB4XGJKI1dV5PdpQS+TzmoJ7qL//ipCG7G5K stuebinm@surltesh-echer"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPB74xA2GBXnDwPEEaxWLONdQyBwjDoJHYagKRQXwO2 stuebinm@abbenay"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8e9WrHsknoFwBm/YaigOSz9VI8dXRRR5G9BX4kKt9/ stuebinm@ilex"
|
||||
];
|
||||
};
|
||||
|
||||
leah2 = {
|
||||
uid = 1006;
|
||||
shell = pkgs.fish;
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" "cdrom" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4o/ncaQUorp/BeZesPnVhzvfoqLJW3WZHtz+CWQvFU"
|
||||
];
|
||||
};
|
||||
|
||||
floppy = {
|
||||
uid = 1007;
|
||||
shell = pkgs.fish;
|
||||
isNormalUser = true;
|
||||
extraGroups = [ "wheel" "cdrom" ];
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyVQhFDcoMnoYivQu1h8NCTWa+2WriZ1m5BilkuUk4u"
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
+++
|
||||
title = "hacc infra documentation"
|
||||
page_template = "doc-page.html"
|
||||
sort_by="title"
|
||||
+++
|
||||
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
+++
|
||||
title = "Authentication"
|
||||
categories = [ "services", "uffd" ]
|
||||
+++
|
||||
|
||||
We use [uffd](https://git.cccv.de/uffd/uffd) for our SSO, for better or worse.
|
||||
Mostly for worse.
|
||||
|
||||
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
+++
|
||||
title = "Domains"
|
||||
categories = [ "domains", "meta" ]
|
||||
+++
|
||||
|
||||
Perhaps too many of them.
|
||||
|
||||
## Domains
|
||||
|
||||
| domain | mc | status | date | reseller | owner | custody |
|
||||
| :------------------- | :-: | :-----: | :------: | :---------- | :--------- | :-----: |
|
||||
| 4future.dev | yes | | | | | hacc e.V. |
|
||||
| infra4future.de | yes | | | | | hacc e.V. |
|
||||
| hacc.space | yes | | | | | hacc e.V. |
|
||||
| hacc.earth | yes | | | | | hacc e.V. |
|
||||
| hacc.media | yes | | | | | hacc e.V. |
|
||||
| hacc.wiki | no | | | | | |
|
||||
|
||||
mc = managed by cloudflare
|
||||
status = (renewl | autorenewl | expires)
|
|
@ -0,0 +1,16 @@
|
|||
+++
|
||||
title = "Hostname schema"
|
||||
+++
|
||||
|
||||
[Badass Anarchist Women](https://listverse.com/2018/09/27/10-absolutely-badass-anarchist-women-who-challenged-the-system/)
|
||||
- keller
|
||||
- deCleyre
|
||||
- davidNeel
|
||||
- leGuin
|
||||
- [parsons](../parsons)
|
||||
- ohair
|
||||
- berneri
|
||||
- michel
|
||||
- sanger
|
||||
- goldman
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
+++
|
||||
title = "LXC"
|
||||
categories = [ "lxc" ]
|
||||
+++
|
||||
|
||||
Some things don't easily run on NixOS. For these we have LXC containers running
|
||||
debian.
|
||||
|
||||
Right now, only onlyoffice is left.
|
||||
|
||||
## Useful commands
|
||||
- login to a container as root with a usable shell
|
||||
`lxc-attach -n <name> -- /usr/bin/sudo -i`
|
||||
- restarting the keycloak and ldap containers
|
||||
`lxc-stop -n <name> && lxc-start -n <name>`
|
||||
- restarting their network bridge:
|
||||
`systemctl restart lxcbr0-netdev.services`
|
|
@ -0,0 +1,18 @@
|
|||
+++
|
||||
title = "Rebooting Parsons"
|
||||
categories = [ "nix" ]
|
||||
+++
|
||||
|
||||
## Check integrity after unexpected shutdown
|
||||
These steps are only required if the server shut down unexpectedly or you suspect tampering.
|
||||
|
||||
TODO
|
||||
|
||||
## Unlock full disk encryption
|
||||
Connection to the server via the command listed in the shared password manager.
|
||||
Only the Vorstand has access to it!
|
||||
|
||||
Enter the passwords for dpool and zroot.
|
||||
|
||||
If both are correct, you will be disconnected and the server continues the boot sequence.
|
||||
The server should be up after about minute. Please check all services for availability.
|
|
@ -0,0 +1,21 @@
|
|||
+++
|
||||
title = "Secrets"
|
||||
categories = [ "services", "sops" ]
|
||||
+++
|
||||
|
||||
## Secret management
|
||||
|
||||
We use [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets which we'd
|
||||
like to have in Git but don't want to be public. Entries in `secrets.yaml` are
|
||||
encrypted for each of the age keys listed in `.sops.yaml`, which are themselves
|
||||
derived from ssh keys.
|
||||
|
||||
For the initial set up, please take a look at the sops-nix Readme file.
|
||||
|
||||
To edit the secrets file, run `sops secrets.yaml`, which will decrypt the
|
||||
file & open it in your $EDITOR, then re-encrypt it when you're done.
|
||||
|
||||
To add a new key, use `ssh-to-age` to convert your ssh key to age, and add it to
|
||||
`sops.yaml`. Then do `sops updatekeys secrets.yaml` to re-encrypt the file for
|
||||
the new set of keys.
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
+++
|
||||
title = "Services"
|
||||
sort_by = "title"
|
||||
page_template = "doc-page.html"
|
||||
+++
|
|
@ -0,0 +1,19 @@
|
|||
+++
|
||||
title = "ACME / letsencrypt"
|
||||
categories = [ "domain", "https", "ssl", "tls", "Certificates" ]
|
||||
+++
|
||||
|
||||
|
||||
# Usage
|
||||
|
||||
We use the ACME module's nginx integration for basically everything. Beware of
|
||||
rate limits when redeploying lots of things at once! Let's Encrypt is a little
|
||||
picky about those.
|
||||
|
||||
|
||||
## Workarounds & peculiar configuration choices
|
||||
|
||||
Certs live under `/var/lib/acme/`
|
||||
|
||||
If you need to remove a cert for whatever reason, be aware that there is a
|
||||
hidden `.lego` folder, that contains state as well
|
|
@ -0,0 +1,68 @@
|
|||
+++
|
||||
title = "hedgedoc"
|
||||
taxonomies.categories = [ "services" ]
|
||||
+++
|
||||
|
||||
|
||||
hegedoc was once called codiMD, so container, config and users are still called codimd.
|
||||
|
||||
**Do NOT change this** unless you're sure what you're doing.
|
||||
|
||||
We have two instances:
|
||||
- `pad-hacc`/pad.hacc.space is connected to our SSO/uffd
|
||||
- `pad-i4f`/pad.infra4future.de is not connected to our SSO and meant to be more public
|
||||
|
||||
## Basic Troubleshooting
|
||||
|
||||
Usually if hedgedoc dies, it's because postgresql wasn't there yet. Just restart
|
||||
hedgedoc.
|
||||
|
||||
## More Troubles
|
||||
log into the container and take a look at the logs
|
||||
|
||||
~~~shell
|
||||
sudo nixos-container root-login codimd
|
||||
journalctl -e
|
||||
~~~
|
||||
|
||||
### fixing failed database upgrades
|
||||
|
||||
see https://docs.hedgedoc.org/guides/migration-troubleshooting/ (copied below
|
||||
for convenience?):
|
||||
|
||||
In some cases, HedgeDoc might apply migrations without correctly saving the
|
||||
progress. It will then refuse to start with "already exists"-errors like
|
||||
ERROR: type "enum_Notes_permission" already exists.
|
||||
|
||||
Get the name of the failing migration and append .js to it. For example, if
|
||||
you encounter this error:
|
||||
|
||||
~~~
|
||||
== 20180306150303-fix-enum: migrating =======
|
||||
|
||||
ERROR: type "enum_Notes_permission" already exists
|
||||
~~~
|
||||
|
||||
the name of the failed migration would be 20180306150303-fix-enum.js.
|
||||
|
||||
The SQL-statement may look like this:
|
||||
|
||||
~~~
|
||||
INSERT INTO "SequelizeMeta" (name) VALUES ('20180306150303-fix-enum.js');
|
||||
~~~
|
||||
|
||||
Make sure HedgeDoc does not run and insert the name into the SequelizeMeta table.
|
||||
Enter the container switch to the postgres user, open psql and commect to the
|
||||
codimd database:
|
||||
|
||||
~~~shell
|
||||
su postgres
|
||||
psql
|
||||
\l
|
||||
\c codimd
|
||||
UN adjusted SQL STAMEMENT from above ]
|
||||
\q
|
||||
~~~
|
||||
|
||||
Start HedgeDoc again and observe if it starts correctly. It may be necessary to
|
||||
repeat this process and insert multiple migrations into the SequelizeMeta table.
|
|
@ -0,0 +1,65 @@
|
|||
+++
|
||||
title = "mail"
|
||||
taxonomies.categories = [ "services" ]
|
||||
+++
|
||||
|
||||
Mail is not connected to our SSO!
|
||||
|
||||
## adding a mail account
|
||||
- We use `@hacc.space` for our mails
|
||||
- `@infra4future.de` is reserved for services, old user accounts will be
|
||||
forwarded & logins disabled
|
||||
- choose a name (no aliases or other names can be the same)
|
||||
- generate a sha-512 password hash ```mkpasswd -m sha-512``` - **never add an
|
||||
unhashed password!**
|
||||
- add your account to `loginAccounts =` in `//parsons/mail.nix`
|
||||
- build and redeploy parsons
|
||||
|
||||
**example:**
|
||||
```
|
||||
zwoelfontheshelf@hacc.space" = {
|
||||
hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUEdxrxdtgvzuGOkBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
|
||||
};
|
||||
```
|
||||
|
||||
## adding to a forward address
|
||||
- add the mail address to the corresponding `extraVirtualAliases =`
|
||||
- build and redeploy parsons
|
||||
|
||||
## adding a forward address
|
||||
- add the address to `extraVirtualAliases =`
|
||||
- add the addresses it should forward to
|
||||
- build and redeploy parsons
|
||||
|
||||
**example:**
|
||||
```
|
||||
"himmel@hacc.space" = [
|
||||
"hexchen@hacc.space"
|
||||
"zauberberg@hacc.space"
|
||||
];
|
||||
```
|
||||
|
||||
## sending & receiving mail
|
||||
|
||||
### as a user
|
||||
- Your mail client should auto configure correctly
|
||||
|
||||
~~~
|
||||
mailserver: mail.hacc.space (everywhere)
|
||||
username: $your_mail_address
|
||||
sending via smtp: port 587 or 465
|
||||
recieving
|
||||
imap: port 993
|
||||
TLS and STARTTLS are supported
|
||||
~~~
|
||||
|
||||
- You can send mail as you and any alias you receive mail from. Set a second Identity in your e-mail client
|
||||
|
||||
### as an application
|
||||
- mailserver: `mail.hacc.space`
|
||||
- Do **not** use port 25. It's for server to server communication only.
|
||||
- Use smtp ports `587` or `465`
|
||||
- enable TLS if possible
|
||||
- only send mail from `noreply@infra4future.de`
|
||||
- Password is somewhere (TODO!)
|
||||
|
|
@ -0,0 +1,40 @@
|
|||
+++
|
||||
title = "mumble"
|
||||
taxonomies.categories = [ "mumble" ]
|
||||
+++
|
||||
|
||||
|
||||
[offical Docmuentation](https://wiki.mumble.info/wiki/Main_Page)
|
||||
|
||||
Mumble's server is called murmur, but the naming is inconsistent. Sometimes
|
||||
it's also just called mumble server.
|
||||
|
||||
# Usage
|
||||
|
||||
## registration
|
||||
Users need to be registered to join any other channel than public.
|
||||
An already registered user has to register them with the server.
|
||||
1. right click on the username
|
||||
2. choose register in the menu. Done.
|
||||
|
||||
## restricted channels
|
||||
Every channel in the hacc category except for plenum can only be accessed by
|
||||
members of the hacc group.
|
||||
|
||||
## adding users to a group
|
||||
Only admins can edit groups, and only registered users can be added to groups.
|
||||
1. right click on the Root channel
|
||||
2. select Edit...
|
||||
2. In Groups select $groupname
|
||||
3. make the change you want to make
|
||||
4. click "OK"
|
||||
|
||||
# Config details
|
||||
- the server is not registered with mumble & not on the public server list
|
||||
- the bitrate is set to 128kb/s; otherwise the client would complain that the
|
||||
server bitrate is less then the configured (default) in its local settings
|
||||
|
||||
# Hacks
|
||||
- murmur needs a TLS cert, which we get via the ACME module
|
||||
- there's a funny group setup so that hopefully murmurd can read the cert
|
||||
- this seems to work fine now, but was some source of trouble in the past
|
|
@ -0,0 +1,18 @@
|
|||
+++
|
||||
title = "$Service Name"
|
||||
draft = true ## Remove this line to make file appear on website
|
||||
+++
|
||||
|
||||
<general information & pointers to official documentation>
|
||||
|
||||
# Usage
|
||||
<usage from an admin's perspective>
|
||||
|
||||
# Config Notes
|
||||
<what should one keep in mind when reading the nix file?>
|
||||
|
||||
## Updating
|
||||
<anything to keep in mind?>
|
||||
|
||||
# Hacks
|
||||
<ugly things which might break or cause general ???? states>
|
|
@ -0,0 +1,24 @@
|
|||
+++
|
||||
title = "Use ZFS snapshot"
|
||||
taxonomies.categories = [ "zfs", "snapshot", "filesystem", "backup", "update", "upgrade" ]
|
||||
+++
|
||||
|
||||
## Make a ZFS snapshot
|
||||
~~~shell
|
||||
sudo zfs snapshot zroot/safe/persist@<name>
|
||||
~~~
|
||||
|
||||
## Rollback
|
||||
|
||||
### single files
|
||||
The snapshots can be accessed under `<mountpoint>/.zfs/snapshot/...`
|
||||
|
||||
### fully
|
||||
~~~shell
|
||||
sudo zfs rollback zroot/safe/persist@<name>
|
||||
~~~
|
||||
|
||||
## Delete a ZFS snapshot
|
||||
~~~shell
|
||||
sudo zfs destroy zroot/safe/persist@<name>
|
||||
~~~
|
870
flake.lock
870
flake.lock
File diff suppressed because it is too large
Load Diff
67
flake.nix
67
flake.nix
|
@ -2,72 +2,56 @@
|
|||
description = "hacc infra stuff";
|
||||
|
||||
inputs = {
|
||||
mattermost-webapp.url = "https://releases.mattermost.com/7.1.5/mattermost-7.1.5-linux-amd64.tar.gz";
|
||||
mattermost-webapp.flake = false;
|
||||
mattermost-server.url = "github:mattermost/mattermost-server?ref=v7.1.5";
|
||||
mattermost-server.flake = false;
|
||||
nixpkgs.url = "nixpkgs/nixos-23.11-small";
|
||||
nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
|
||||
nixpkgs-oldstable.url = "github:/NixOS/nixpkgs?rev=c4aec3c021620d98861639946123214207e98344";
|
||||
|
||||
nixpkgs.url = "nixpkgs/nixos-22.11";
|
||||
nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable";
|
||||
nix-hexchen.url = "gitlab:hexchen/nixfiles";
|
||||
nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
|
||||
nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
|
||||
tracktrain.url = "git+https://stuebinm.eu/git/tracktrain?ref=main";
|
||||
tracktrain.flake = false;
|
||||
|
||||
deploy-rs.url = "github:serokell/deploy-rs";
|
||||
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
|
||||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";
|
||||
|
||||
# these exist mostly to make the flake.lock somewhat more human-friendly
|
||||
# note that in theory doing this might break things, but it seems fairly unlikely
|
||||
nix-hexchen.inputs = {
|
||||
nixos-mailserver.follows = "nixos-mailserver";
|
||||
nixpkgs.follows = "nixpkgs-unstable";
|
||||
deploy-rs.follows = "deploy-rs";
|
||||
doom-emacs.follows = "nix-hexchen/nix-doom-emacs/doom-emacs";
|
||||
emacs-overlay.follows = "nix-hexchen/nix-doom-emacs/emacs-overlay";
|
||||
flake-utils.follows = "/deploy-rs/utils";
|
||||
};
|
||||
nixos-mailserver.inputs = {
|
||||
"nixpkgs-22_05".follows = "nixpkgs";
|
||||
nixpkgs.follows = "nixpkgs-unstable";
|
||||
"nixpkgs-23_05".follows = "nixpkgs";
|
||||
utils.follows = "/deploy-rs/utils";
|
||||
flake-compat.follows = "/deploy-rs/flake-compat";
|
||||
};
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, nix-hexchen, deploy-rs, ... }@inputs:
|
||||
let modules = nix-hexchen.nixosModules;
|
||||
profiles = nix-hexchen.nixosModules.profiles // {
|
||||
outputs = { self, nixpkgs, deploy-rs, sops-nix, ... }@inputs:
|
||||
let modules = {
|
||||
bindMounts = import ./modules/bindmounts.nix;
|
||||
nopersist = import ./modules/nopersist.nix;
|
||||
encboot = import ./modules/encboot.nix;
|
||||
};
|
||||
profiles = {
|
||||
container = import ./modules/container-profile.nix;
|
||||
};
|
||||
pkgs = import ./pkgs {
|
||||
sources = inputs;
|
||||
system = "x86_64-linux";
|
||||
config.allowUnfree = true;
|
||||
};
|
||||
evalConfig = config: (nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
config
|
||||
nix-hexchen.nixosModules.network.nftables
|
||||
{ nixpkgs.pkgs = pkgs; }
|
||||
];
|
||||
specialArgs = {
|
||||
inherit modules profiles evalConfig;
|
||||
sources = inputs;
|
||||
};
|
||||
}).config.system.build.toplevel;
|
||||
in {
|
||||
# do this by hand instead of via nix-hexchen/lib/hosts.nix, since that one
|
||||
# apparently can't support pkgs depending on flake inputs
|
||||
nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
./hosts/parsons/configuration.nix
|
||||
./parsons/configuration.nix
|
||||
./modules/buildinfo.nix
|
||||
./modules/containers.nix
|
||||
sops-nix.nixosModules.sops
|
||||
{ nixpkgs.pkgs = pkgs; }
|
||||
];
|
||||
specialArgs = {
|
||||
# with a few exceptions, the flake inputs can be used the same
|
||||
# as the niv-style (import nix/sources.nix {})
|
||||
sources = inputs;
|
||||
inherit modules profiles evalConfig;
|
||||
inherit modules profiles;
|
||||
inherit (nixpkgs.lib) nixosSystem;
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -87,7 +71,10 @@
|
|||
deploy-rs.lib;
|
||||
|
||||
packages.x86_64-linux =
|
||||
self.nixosConfigurations.parsons.config.hacc.websites.builders;
|
||||
let
|
||||
websites = self.nixosConfigurations.parsons.config.hacc.websites.builders;
|
||||
in
|
||||
{ docs = websites."docs.hacc.space"; } // websites;
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let cfg = config.hacc;
|
||||
|
||||
in {
|
||||
|
||||
options.hacc.bindMounts = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
default = { };
|
||||
example = { "/etc/asdf" = "/persist/asdf"; };
|
||||
};
|
||||
options.hacc.bindToPersist = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
example = [ "postgres" ];
|
||||
};
|
||||
|
||||
config.fileSystems = mapAttrs (_: device: {
|
||||
inherit device;
|
||||
options = [ "bind" ];
|
||||
}) cfg.bindMounts;
|
||||
|
||||
config.hacc.bindMounts = listToAttrs
|
||||
(map (name: { inherit name; value = "/persist${name}"; })
|
||||
cfg.bindToPersist);
|
||||
}
|
|
@ -0,0 +1,29 @@
|
|||
{ config, lib, pkgs, sources, ... }:
|
||||
|
||||
let
|
||||
self = sources.self;
|
||||
|
||||
formatDate = date: with lib.strings;
|
||||
let
|
||||
year = substring 0 4 date;
|
||||
month = substring 4 2 date;
|
||||
day = substring 6 2 date;
|
||||
hour = substring 8 2 date;
|
||||
minute = substring 10 2 date;
|
||||
second = substring 12 2 date;
|
||||
in
|
||||
"${year}-${month}-${day} ${hour}:${minute}:${second} UTC";
|
||||
in
|
||||
{
|
||||
system.nixos.label = "${config.system.nixos.release}-haccfiles-${self.shortRev or self.dirtyShortRev}";
|
||||
users.motd = ''
|
||||
Welcome to ${config.networking.hostName}, running NixOS ${config.system.nixos.release}!
|
||||
Built from haccfiles ${self.rev or self.dirtyRev}.
|
||||
Last commit was at ${formatDate self.lastModifiedDate}.
|
||||
${if self ? dirtyRev then "\nPlease remember to commit your changes.\n" else ""}
|
||||
'';
|
||||
|
||||
# used by monit
|
||||
environment.etc."haccfiles-commit".text = self.rev or self.dirtyRev;
|
||||
environment.etc."haccfiles-timestamp".text = builtins.toString self.lastModified;
|
||||
}
|
|
@ -14,12 +14,5 @@
|
|||
'';
|
||||
};
|
||||
|
||||
# I /suspect/ this is not actually needed.
|
||||
# TODO: find spoons to deal with potential breakage, test removing this
|
||||
networking.defaultGateway = {
|
||||
address = "192.168.100.1";
|
||||
interface = "eth0";
|
||||
};
|
||||
|
||||
system.stateVersion = lib.mkDefault "21.05";
|
||||
}
|
||||
|
|
|
@ -0,0 +1,95 @@
|
|||
{ config, lib, pkgs, modules, profiles, sources, nixosSystem, ... }:
|
||||
|
||||
let
|
||||
mkIPv4 = index: local:
|
||||
"192.168.${if local then "100" else "101"}.${toString index}";
|
||||
mkIPv6 = index: local:
|
||||
"fd00::${if local then "100" else "101"}:${toString index}";
|
||||
|
||||
evalConfig = nixosConfig: (nixosSystem {
|
||||
inherit (config.nixpkgs) system;
|
||||
modules = [
|
||||
nixosConfig
|
||||
modules.nopersist
|
||||
profiles.container
|
||||
{ nixpkgs.pkgs = lib.mkForce pkgs; }
|
||||
];
|
||||
specialArgs = {
|
||||
inherit modules sources;
|
||||
};
|
||||
}).config.system.build.toplevel;
|
||||
|
||||
in {
|
||||
options.hacc.containers = with lib.options;
|
||||
mkOption {
|
||||
description = ''
|
||||
hacc-specific containers. These are a thin wrapper around "normal" nixos containers:
|
||||
- they automatically get an IPv4/IPv6 address assigned
|
||||
(note that these are not guaranteed to be stable across config changes,
|
||||
so please use {option}`containers.<name>.hostAddress` & friends to
|
||||
reference them elsewhere)
|
||||
- they set a couple default options (e.g. ephemeral, autoStart, privateNetwork)
|
||||
- they are evaluated with our own version of {nix}`evalConfig`, which includes a
|
||||
couple more modules by default, use our version of `nixpkgs`, and includes the
|
||||
{nix}`profiles.containers` profile setting sane defaults for containers.
|
||||
'';
|
||||
default = { };
|
||||
type = with lib.types;
|
||||
types.attrsOf (types.submodule {
|
||||
options = {
|
||||
bindToPersist = mkOption {
|
||||
default = true;
|
||||
type = types.bool;
|
||||
description =
|
||||
"Wether to mount /persist/containers/<name> at /persist into this container.";
|
||||
};
|
||||
|
||||
bindSecrets = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description =
|
||||
"Whether to mount /run/secrets/<name> at /secrets into this container.";
|
||||
};
|
||||
|
||||
config = mkOption {
|
||||
type = types.unspecified;
|
||||
description =
|
||||
"The container's config, to be evaluated with our own {nix}`evalConfig`.";
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
|
||||
# wrapped into imap1, which enumerates the containers; IP addresses are then
|
||||
# simply assigned based on the order the containers are in the list.
|
||||
config.containers = lib.mkMerge (lib.imap1
|
||||
(index: { name, value }: let container = value; in {
|
||||
${name} = {
|
||||
hostAddress = mkIPv4 index false;
|
||||
localAddress = mkIPv4 index true;
|
||||
hostAddress6 = mkIPv6 index false;
|
||||
localAddress6 = mkIPv6 index true;
|
||||
|
||||
privateNetwork = true;
|
||||
autoStart = true;
|
||||
ephemeral = true;
|
||||
|
||||
bindMounts = lib.mkMerge [
|
||||
(lib.mkIf container.bindToPersist {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/${name}";
|
||||
isReadOnly = false;
|
||||
};
|
||||
})
|
||||
(lib.mkIf container.bindSecrets {
|
||||
"/secrets" = {
|
||||
hostPath = "/run/secrets/${name}";
|
||||
isReadOnly = true;
|
||||
};
|
||||
})
|
||||
];
|
||||
|
||||
path = evalConfig container.config;
|
||||
};
|
||||
}) (lib.attrsToList config.hacc.containers));
|
||||
}
|
|
@ -0,0 +1,45 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let cfg = config.hacc.encboot;
|
||||
|
||||
in {
|
||||
options = {
|
||||
hacc.encboot = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
networkDrivers = mkOption { type = with types; listOf str; };
|
||||
dataset = mkOption {
|
||||
type = types.str;
|
||||
default = "zroot";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
boot.initrd.kernelModules = cfg.networkDrivers;
|
||||
|
||||
boot.initrd.network = {
|
||||
enable = true;
|
||||
ssh = {
|
||||
enable = true;
|
||||
port = 2222;
|
||||
authorizedKeys = with lib;
|
||||
concatLists (mapAttrsToList (name: user:
|
||||
if elem "wheel" user.extraGroups then
|
||||
user.openssh.authorizedKeys.keys
|
||||
else
|
||||
[ ]) config.users.users);
|
||||
hostKeys = [ /etc/ssh/encboot_host ];
|
||||
};
|
||||
|
||||
postCommands = ''
|
||||
zpool import ${cfg.dataset}
|
||||
echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
|
@ -0,0 +1,52 @@
|
|||
{ config, lib, pkgs, modules, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
imports = [ modules.bindMounts ];
|
||||
|
||||
users.mutableUsers = false;
|
||||
|
||||
boot.initrd = mkIf (config.fileSystems."/".fsType == "zfs") {
|
||||
network.ssh.hostKeys = mkIf config.hacc.encboot.enable
|
||||
(mkForce [ /persist/ssh/encboot_host ]);
|
||||
|
||||
postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable)
|
||||
(mkAfter ''
|
||||
zfs rollback -r ${config.fileSystems."/".device}@blank
|
||||
'');
|
||||
|
||||
systemd = mkIf config.boot.initrd.systemd.enable {
|
||||
storePaths = [ pkgs.zfs ];
|
||||
services.rollback = {
|
||||
description = "Rollback ZFS datasets to a pristine state";
|
||||
wantedBy = [ "initrd.target" ];
|
||||
after = [ "zfs-import-${head (splitString "/" config.fileSystems."/".device)}.service" ];
|
||||
before = [ "sysroot.mount" ];
|
||||
path = [ pkgs.zfs ];
|
||||
unitConfig.DefaultDependencies = "no";
|
||||
serviceConfig.Type = "oneshot";
|
||||
script = ''
|
||||
zfs rollback -r ${config.fileSystems."/".device}@blank && echo "rollback complete"
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
hostKeys = [
|
||||
{
|
||||
path = "/persist/ssh/ssh_host_ed25519_key";
|
||||
type = "ed25519";
|
||||
}
|
||||
{
|
||||
path = "/persist/ssh/ssh_host_rsa_key";
|
||||
type = "rsa";
|
||||
bits = 4096;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
services.postgresql.dataDir =
|
||||
"/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
|
||||
}
|
|
@ -2,52 +2,44 @@
|
|||
|
||||
{
|
||||
imports = [
|
||||
../../common
|
||||
../common
|
||||
./hardware.nix
|
||||
modules.encboot
|
||||
modules.network.nftables
|
||||
modules.nftnat
|
||||
sources.nix-hexchen.nixosModules.profiles.nopersist
|
||||
|
||||
../../services/nextcloud.nix
|
||||
../../services/mattermost.nix
|
||||
../../services/thelounge.nix
|
||||
../../services/murmur.nix
|
||||
../../services/hedgedoc-hacc.nix
|
||||
../../services/hedgedoc-i4f.nix
|
||||
../../services/mail.nix
|
||||
../../services/gitea.nix
|
||||
../../services/nginx-pages.nix
|
||||
../../services/vaultwarden.nix
|
||||
../../services/tracktrain.nix
|
||||
../../services/uffd.nix
|
||||
|
||||
modules.nopersist
|
||||
./nftables.nix
|
||||
./nextcloud.nix
|
||||
./mattermost.nix
|
||||
./murmur.nix
|
||||
./hedgedoc-hacc.nix
|
||||
./hedgedoc-i4f.nix
|
||||
./mail.nix
|
||||
./forgejo.nix
|
||||
./nginx-pages.nix
|
||||
./vaultwarden.nix
|
||||
./tracktrain.nix
|
||||
./uffd.nix
|
||||
./lxc.nix
|
||||
./monit.nix
|
||||
];
|
||||
|
||||
hexchen.bindmounts."/var/lib/acme" = "/persist/var/lib/acme";
|
||||
# fileSystems."/var/lib/acme" = {
|
||||
# device = "/persist/var/lib/acme";
|
||||
# fsType = "bind";
|
||||
# };
|
||||
hacc.bindToPersist = [ "/var/lib/acme" ];
|
||||
|
||||
hexchen.encboot = {
|
||||
hacc.encboot = {
|
||||
enable = true;
|
||||
dataset = "-a";
|
||||
networkDrivers = [ "igb" ];
|
||||
};
|
||||
|
||||
sops.defaultSopsFile = ../secrets.yaml;
|
||||
sops.age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ];
|
||||
|
||||
boot.loader.grub.enable = true;
|
||||
boot.loader.grub.version = 2;
|
||||
boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
|
||||
networking.hostId = "b2867696";
|
||||
networking.useDHCP = true;
|
||||
networking.nftables.enable = true;
|
||||
hexchen.nftables.nat.enable = true;
|
||||
networking.nat.internalInterfaces = ["ve-+"];
|
||||
networking.nat.externalInterface = "enp35s0";
|
||||
|
||||
networking.hostName = "parsons";
|
||||
|
||||
|
@ -59,13 +51,6 @@
|
|||
address = "fe80::1";
|
||||
interface = "enp35s0";
|
||||
};
|
||||
boot = {
|
||||
kernelModules = [ "nf_nat_ftp" ];
|
||||
kernel.sysctl = {
|
||||
"net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true;
|
||||
"net.ipv4.conf.default.forwarding" = lib.mkOverride 90 true;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
@ -85,8 +70,8 @@
|
|||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
|
||||
services.restic.backups.tardis = {
|
||||
passwordFile = "/persist/restic/system";
|
||||
environmentFile = "/persist/restic/system.s3creds";
|
||||
passwordFile = "/run/secrets/restic/system";
|
||||
environmentFile = "/run/secrets/restic/s3creds.env";
|
||||
paths = [
|
||||
"/home"
|
||||
"/persist"
|
||||
|
@ -99,5 +84,10 @@
|
|||
repository = "b2:tardis-parsons:system";
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
"restic/system" = {};
|
||||
"restic/s3creds.env" = {};
|
||||
};
|
||||
|
||||
system.stateVersion = "21.05";
|
||||
}
|
|
@ -1,34 +1,16 @@
|
|||
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
containers.gitea = {
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.10";
|
||||
autoStart = true;
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/gitea";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
||||
hacc.containers.forgejo = {
|
||||
config = { lib, pkgs, ... }: {
|
||||
system.stateVersion = "21.11";
|
||||
|
||||
imports = [ profiles.nopersist profiles.container ];
|
||||
environment.systemPackages = [ pkgs.forgejo ];
|
||||
|
||||
environment.systemPackages = [ pkgs.gitea ];
|
||||
hacc.bindMounts."/var/lib/forgejo" = "/persist/forgejo";
|
||||
|
||||
hexchen.bindmounts."/var/lib/gitea" = "/persist/gitea";
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
services.gitea = {
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
appName = "0x0: git for all creatures";
|
||||
rootUrl = "https://git.infra4future.de/";
|
||||
httpAddress = "0.0.0.0";
|
||||
httpPort = 3000;
|
||||
lfs.enable = true;
|
||||
database.type = "postgres";
|
||||
settings = {
|
||||
|
@ -49,6 +31,9 @@
|
|||
server = {
|
||||
LANDING_PAGE = "explore";
|
||||
OFFLINE_MODE = true;
|
||||
ROOT_URL = "https://git.infra4future.de";
|
||||
HTTP_PORT = 3000;
|
||||
HTTP_ADDR = "0.0.0.0";
|
||||
};
|
||||
security = { INSTALL_LOCK = true; };
|
||||
other = {
|
||||
|
@ -69,38 +54,32 @@
|
|||
log.LEVEL = "Info";
|
||||
service.DISABLE_REGISTRATION = true;
|
||||
session.COOKIE_SECURE = true;
|
||||
default.APP_NAME = "0x0: git for all creatures";
|
||||
};
|
||||
};
|
||||
services.postgresql.package = pkgs.postgresql_15;
|
||||
|
||||
services.postgresqlBackup = {
|
||||
enable = true;
|
||||
databases = [ "gitea" ];
|
||||
databases = [ "forgejo" ];
|
||||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
passwordAuthentication = false;
|
||||
listenAddresses = [ {
|
||||
addr = "192.168.100.10";
|
||||
port = 22;
|
||||
} ];
|
||||
extraConfig = ''
|
||||
AcceptEnv GIT_PROTOCOL
|
||||
'';
|
||||
settings = {
|
||||
PasswordAuthentication = false;
|
||||
AcceptEnv = "GIT_PROTOCOL";
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."git.infra4future.de" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://${config.containers.gitea.localAddress}:3000";
|
||||
proxyPass = "http://${config.containers.forgejo.localAddress}:3000";
|
||||
};
|
||||
};
|
||||
hexchen.nftables.nat.forwardPorts = [{
|
||||
ports = [ 22 ];
|
||||
destination = "${config.containers.gitea.localAddress}:22";
|
||||
proto = "tcp";
|
||||
}];
|
||||
}
|
|
@ -28,6 +28,7 @@
|
|||
fileSystems."/persist" =
|
||||
{ device = "zroot/safe/persist";
|
||||
fsType = "zfs";
|
||||
neededForBoot = true;
|
||||
};
|
||||
|
||||
fileSystems."/home" =
|
||||
|
@ -55,11 +56,6 @@
|
|||
fsType = "zfs";
|
||||
};
|
||||
|
||||
fileSystems."/var/lib/docker" =
|
||||
{ device = "zroot/local/docker";
|
||||
fsType = "zfs";
|
||||
};
|
||||
|
||||
swapDevices = [ ];
|
||||
|
||||
}
|
|
@ -1,21 +1,16 @@
|
|||
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
containers.pad-hacc = {
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.5";
|
||||
autoStart = true;
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/pad-hacc";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
||||
imports = [ profiles.nopersist profiles.container ];
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
sops.secrets = {
|
||||
"hedgedoc-hacc/env" = {};
|
||||
};
|
||||
|
||||
containers.pad-hacc.bindMounts = {
|
||||
"/secrets".hostPath = "/run/secrets/hedgedoc-hacc";
|
||||
};
|
||||
hacc.containers.pad-hacc = {
|
||||
config = { config, lib, ... }: {
|
||||
services.hedgedoc = {
|
||||
enable = true;
|
||||
settings = {
|
||||
|
@ -43,7 +38,7 @@
|
|||
clientSecret = "lol nope";
|
||||
};
|
||||
};
|
||||
environmentFile = "/persist/secrets.env";
|
||||
environmentFile = "/secrets/env";
|
||||
};
|
||||
systemd.services.hedgedoc.environment = {
|
||||
"CMD_LOGLEVEL" = "warn";
|
||||
|
@ -59,15 +54,13 @@
|
|||
ensureDatabases = [ "codimd" ];
|
||||
ensureUsers = [{
|
||||
name = "codimd";
|
||||
ensurePermissions = {
|
||||
"DATABASE codimd" = "ALL PRIVILEGES";
|
||||
};
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
authentication = ''
|
||||
local all all trust
|
||||
host codimd codimd 127.0.0.1/32 trust
|
||||
'';
|
||||
package = pkgs.postgresql_11;
|
||||
package = pkgs.postgresql_15;
|
||||
};
|
||||
services.postgresqlBackup = {
|
||||
enable = true;
|
||||
|
@ -75,7 +68,8 @@
|
|||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
});
|
||||
hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."pad.hacc.earth" = {
|
||||
enableACME = true;
|
|
@ -1,21 +1,8 @@
|
|||
{ config, lib, pkgs, modules, evalConfig, sources, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
containers.pad-i4f = {
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.6";
|
||||
autoStart = true;
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/pad-i4f";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
||||
imports = [ profiles.nopersist profiles.container ];
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
hacc.containers.pad-i4f = {
|
||||
config = { config, lib, ... }: {
|
||||
services.hedgedoc = {
|
||||
enable = true;
|
||||
settings = {
|
||||
|
@ -41,7 +28,7 @@
|
|||
};
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql_11;
|
||||
package = pkgs.postgresql_15;
|
||||
authentication = ''
|
||||
local all all trust
|
||||
host hedgedoc hedgedoc 127.0.0.1/32 trust
|
||||
|
@ -49,9 +36,7 @@
|
|||
ensureDatabases = [ "hedgedoc" ];
|
||||
ensureUsers = [{
|
||||
name = "hedgedoc";
|
||||
ensurePermissions = {
|
||||
"DATABASE hedgedoc" = "ALL PRIVILEGES";
|
||||
};
|
||||
ensureDBOwnership = true;
|
||||
}];
|
||||
};
|
||||
services.postgresqlBackup = {
|
||||
|
@ -60,7 +45,8 @@
|
|||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
});
|
||||
hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."pad.infra4future.de" = {
|
|
@ -8,7 +8,6 @@
|
|||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
networking.nat.internalInterfaces = [ "lxcbr0" ];
|
||||
|
||||
virtualisation.lxc.enable = true;
|
||||
virtualisation.lxc.systemConfig = ''
|
||||
|
@ -27,10 +26,4 @@
|
|||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."auth.infra4future.de" = {
|
||||
locations."/".proxyPass = "http://10.1.2.104:8080";
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
}
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, lib, sources, ... }:
|
||||
{ config, options, pkgs, lib, sources, ... }:
|
||||
|
||||
{
|
||||
imports = [ sources.nixos-mailserver.outPath ];
|
||||
|
@ -65,13 +65,16 @@
|
|||
"noreply@hacc.space" = {
|
||||
hashedPassword =
|
||||
"$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
|
||||
sendOnly = true;
|
||||
};
|
||||
|
||||
"noreply@infra4future.de" = {
|
||||
hashedPassword =
|
||||
"$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
|
||||
sendOnly = true;
|
||||
};
|
||||
|
||||
"mattermost@hacc.space" = {
|
||||
hashedPassword =
|
||||
"$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -142,7 +145,7 @@
|
|||
|
||||
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
|
||||
# down nginx and opens port 80.
|
||||
certificateScheme = 3;
|
||||
certificateScheme = "acme-nginx";
|
||||
|
||||
# Only allow implict TLS
|
||||
enableImap = false;
|
||||
|
@ -184,11 +187,22 @@
|
|||
bindIP = "[::1]";
|
||||
};
|
||||
|
||||
systemd.services.alps.after = [ "dovecot2.service" ];
|
||||
systemd.services.alps.after = [ "dovecot2.service" "postfix.service" ];
|
||||
systemd.services.alps.bindsTo = [ "dovecot2.service" "postfix.service" ];
|
||||
|
||||
services.nginx.virtualHosts."mail.hacc.space" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass = "http://[::1]:1323";
|
||||
};
|
||||
|
||||
hacc.bindToPersist = [
|
||||
"/var/lib/rspamd"
|
||||
"/var/lib/opendkim"
|
||||
"/var/lib/postfix"
|
||||
"/var/lib/dovecot"
|
||||
"/var/sieve"
|
||||
"/var/lib/redis-rspamd"
|
||||
"/var/dkim"
|
||||
];
|
||||
}
|
|
@ -1,35 +1,17 @@
|
|||
{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
|
||||
{ config, pkgs, lib, ...}:
|
||||
|
||||
let
|
||||
mattermost = pkgs.mattermost;
|
||||
in {
|
||||
containers.mattermost = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.3";
|
||||
{
|
||||
sops.secrets = {
|
||||
"mattermost/env" = {};
|
||||
};
|
||||
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/mattermost";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
|
||||
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
||||
imports = [ profiles.nopersist profiles.container ];
|
||||
nixpkgs.overlays = [ (self: super: { inherit mattermost; }) ];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
hacc.containers.mattermost = {
|
||||
bindSecrets = true;
|
||||
|
||||
config = { config, lib, pkgs, ... }: {
|
||||
systemd.services.mattermost.serviceConfig.EnvironmentFile =
|
||||
"/persist/mattermost/secrets.env";
|
||||
# overwrite the -c flag given in the module. this can be removed once we're on nixos 22.05
|
||||
systemd.services.mattermost.serviceConfig.ExecStart =
|
||||
lib.mkForce "${pkgs.mattermost}/bin/mattermost -c /persist/mattermost/config/config.json";
|
||||
lib.mkForce "/secrets/env";
|
||||
|
||||
# couldn't figure out how to actually overwrite modules, so now
|
||||
# there's two mattermost modules ...
|
||||
services.mattermost = {
|
||||
enable = true;
|
||||
siteUrl = "https://mattermost.infra4future.de";
|
||||
|
@ -125,6 +107,12 @@ in {
|
|||
ShowEmailAddress = false;
|
||||
ShowFullName = true;
|
||||
};
|
||||
# to disable the extra landing page advertising the app
|
||||
NativeAppSettings = {
|
||||
AppDownloadLink = "";
|
||||
AndroidAppDownloadLink = "";
|
||||
IosAppDownloadLink = "";
|
||||
};
|
||||
SupportSettings = {
|
||||
TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
|
||||
PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
|
||||
|
@ -199,11 +187,11 @@ in {
|
|||
|
||||
services.postgresql = {
|
||||
enable = lib.mkForce true; # mattermost sets this to false. wtf.
|
||||
package = pkgs.postgresql_11;
|
||||
package = pkgs.postgresql_15;
|
||||
ensureDatabases = [ "mattermost" ];
|
||||
ensureUsers = [ {
|
||||
name = "mattermost";
|
||||
ensurePermissions = { "DATABASE mattermost" = "ALL PRIVILEGES"; };
|
||||
ensureDBOwnership = true;
|
||||
} ];
|
||||
|
||||
authentication = lib.mkForce ''
|
||||
|
@ -212,10 +200,13 @@ in {
|
|||
host mattermost mattermost ::1/128 trust
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 3000 ];
|
||||
|
||||
});
|
||||
services.postgresqlBackup = {
|
||||
enable = true;
|
||||
databases = [ "mattermost" ];
|
||||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."mattermost.infra4future.de" = {
|
|
@ -0,0 +1,64 @@
|
|||
{ config, options, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
checkHash = pkgs.writeScriptBin "check-commit-hash" ''
|
||||
#!${lib.getExe pkgs.fish}
|
||||
set wanted (${lib.getExe pkgs.curl} -s https://git.infra4future.de/api/v1/repos/hacc/haccfiles/branches/main \
|
||||
-H 'accept: application/json' | jq -r .commit.id)
|
||||
|
||||
if test $status != 0
|
||||
echo "could not reach git.infra4future.de"
|
||||
exit 2
|
||||
end
|
||||
|
||||
set actual (cat /etc/haccfiles-commit)
|
||||
if test $status != 0
|
||||
echo "/etc/haccfiles-commit does not exist??"
|
||||
exit 2
|
||||
end
|
||||
|
||||
if test $actual != $wanted
|
||||
echo "parsons was built on $actual, but commit on main is $wanted"
|
||||
exit 1
|
||||
end
|
||||
'';
|
||||
|
||||
checkDeployAge = pkgs.writeScriptBin "check-deploy-age" ''
|
||||
#!${lib.getExe pkgs.fish}
|
||||
|
||||
set date (date +%s)
|
||||
# we do this indirection here so monit's config won't change on each deploy
|
||||
set deploytimestamp (cat /etc/haccfiles-timestamp)
|
||||
set age (expr $date - $deploytimestamp)
|
||||
|
||||
if test $age -ge (expr 3600 \* 24 \* 10)
|
||||
echo "${config.networking.hostName} has not been deployed since 10 days, perhaps someone should do updates?"
|
||||
exit 1
|
||||
end
|
||||
'';
|
||||
in
|
||||
{
|
||||
mailserver.monitoring = {
|
||||
enable = true;
|
||||
alertAddress = "admin@hacc.space";
|
||||
config = (lib.replaceStrings ["port 22"] ["port ${toString (lib.head config.services.openssh.ports)}"] options.mailserver.monitoring.config.default);
|
||||
};
|
||||
|
||||
services.monit.config = ''
|
||||
check host onlyoffice with address onlyoffice.infra4future.de
|
||||
start program "/run/current-system/sw/bin/lxc-start onlyoffice"
|
||||
stop program "/run/current-system/sw/bin/lxc-stop onlyoffice"
|
||||
if failed port 443 protocol https status = 302
|
||||
then restart
|
||||
|
||||
check program deployed-commit-on-main path ${lib.getExe checkHash}
|
||||
if status == 1 for 10 cycles then alert
|
||||
if status == 2 for 3 cycles then alert
|
||||
|
||||
check program is-system-running path ${pkgs.systemd}/bin/systemctl is-system-running
|
||||
if status != 0 then alert
|
||||
|
||||
check program check-deploy-age path ${lib.getExe checkDeployAge}
|
||||
if status == 1 then alert
|
||||
'';
|
||||
}
|
|
@ -1,13 +1,13 @@
|
|||
{ config, lib, pkgs, sources, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur";
|
||||
|
||||
services.murmur = {
|
||||
enable = true;
|
||||
logDays = -1;
|
||||
welcometext =
|
||||
"Welcome to mumble4future! Brought to you by infra4future. The server is now reachable under mumble.hacc.space, please update your bookmarks.";
|
||||
registerName = "hackers against climate change";
|
||||
welcometext = ''
|
||||
<br>Welcome to <b>mumble4future</b>!<br>Brought to you by <b style="color:red">infra4future</b>.<br>On <a href=https://mumble.hacc.space>mumble.hacc.space</a><br>Not confusing at all!
|
||||
'';
|
||||
sslKey = "/var/lib/acme/mumble.hacc.space/key.pem";
|
||||
sslCert = "/var/lib/acme/mumble.hacc.space/fullchain.pem";
|
||||
bandwidth = 128000;
|
||||
|
@ -25,4 +25,6 @@
|
|||
};
|
||||
users.users.nginx.extraGroups = [ "mumblecert" ];
|
||||
users.users.murmur.extraGroups = [ "mumblecert" ];
|
||||
|
||||
hacc.bindToPersist = [ "/var/lib/murmur" ];
|
||||
}
|
|
@ -1,30 +1,8 @@
|
|||
{ config, lib, pkgs, profiles, modules, evalConfig, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
containers.nextcloud = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.2";
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/nextcloud";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
path = evalConfig ({ config, lib, pkgs, profiles, sources, ... }: {
|
||||
imports = [
|
||||
profiles.nopersist
|
||||
profiles.container
|
||||
(import "${sources.nixpkgs-unstable}/nixos/modules/services/web-apps/nextcloud.nix")
|
||||
];
|
||||
|
||||
disabledModules = [
|
||||
"services/web-apps/nextcloud.nix"
|
||||
];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
hacc.containers.nextcloud = {
|
||||
config = { config, lib, pkgs, ... }: {
|
||||
environment.systemPackages = [ pkgs.htop ];
|
||||
|
||||
services.nextcloud = {
|
||||
|
@ -32,21 +10,19 @@
|
|||
|
||||
# must be set manually; may not be incremented by more than one at
|
||||
# a time, otherwise nextcloud WILL break
|
||||
package = pkgs.nextcloud25;
|
||||
package = pkgs.nextcloud27;
|
||||
|
||||
home = "/persist/nextcloud";
|
||||
https = true;
|
||||
|
||||
# true by default for backwards-compatability, but we don't need it
|
||||
enableBrokenCiphersForSSE = false;
|
||||
|
||||
hostName = "cloud.infra4future.de";
|
||||
config = {
|
||||
dbtype = "pgsql";
|
||||
dbuser = "nextcloud";
|
||||
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
|
||||
dbname = "nextcloud";
|
||||
adminpassFile = "/persist/nextcloud/config/admin_pw";
|
||||
# socket auth does not needs this, but the module insists it does
|
||||
adminpassFile = "/persist/adminpassfile";
|
||||
adminuser = "root";
|
||||
};
|
||||
|
||||
|
@ -72,23 +48,30 @@
|
|||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql_11;
|
||||
package = pkgs.postgresql_15;
|
||||
ensureDatabases = [ "nextcloud" ];
|
||||
ensureUsers = [
|
||||
{ # by default, postgres has unix sockets enabled, and allows a
|
||||
# system user `nextcloud` to log in without other authentication
|
||||
name = "nextcloud";
|
||||
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
services.postgresqlBackup = {
|
||||
enable = true;
|
||||
databases = [ "nextcloud" ];
|
||||
startAt = "*-*-* 23:45:00";
|
||||
location = "/persist/backups/postgres";
|
||||
};
|
||||
|
||||
# ensure that postgres is running *before* running the setup
|
||||
systemd.services."nextcloud-setup" = {
|
||||
requires = ["postgresql.service"];
|
||||
after = ["postgresql.service"];
|
||||
};
|
||||
});
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."cloud.infra4future.de" = {
|
|
@ -0,0 +1,22 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
networking.firewall.enable = true;
|
||||
networking.nat.enable = true;
|
||||
|
||||
networking.nftables.enable = true;
|
||||
networking.nftables.tables.nat = {
|
||||
family = "ip";
|
||||
content = ''
|
||||
chain prerouting {
|
||||
type nat hook prerouting priority -100
|
||||
iifname enp35s0 tcp dport { 22 } dnat ${config.containers.forgejo.localAddress}:22
|
||||
}
|
||||
chain postrouting {
|
||||
type nat hook postrouting priority 100
|
||||
iifname lxcbr0 oifname enp35s0 masquerade
|
||||
iifname ve-* oifname enp35s0 masquerade
|
||||
}
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -0,0 +1,16 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
|
||||
{
|
||||
hacc.websites = {
|
||||
enable = true;
|
||||
directory = "${../.}/websites";
|
||||
};
|
||||
|
||||
|
||||
services.nginx.virtualHosts."parsons.hacc.space" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/~stuebinm/".root = "/persist/www/";
|
||||
};
|
||||
}
|
|
@ -0,0 +1,102 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
let
|
||||
tracktrain-config = ''
|
||||
dbstring: "dbname=tracktrain"
|
||||
gtfs: /persist/gtfs.zip
|
||||
assets: ${pkgs.tracktrain}/assets
|
||||
|
||||
warp:
|
||||
port: 4000
|
||||
|
||||
login:
|
||||
enable: true
|
||||
url: https://login.infra4future.de
|
||||
clientname: tracktrain
|
||||
# clientsecret defined in env file
|
||||
|
||||
logging:
|
||||
ntfytopic: ping.stuebinm.eu/monit
|
||||
name: ilztalbahn
|
||||
'';
|
||||
in
|
||||
{
|
||||
sops.secrets = {
|
||||
"tracktrain/env" = {};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://${config.containers.tracktrain.localAddress}:4000";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
# note: this shadows the /metrics endpoint of tracktrain
|
||||
# in case you remove this, please consider putting something
|
||||
# else here to keep it from being publicly scrapable
|
||||
locations."/metrics/" = {
|
||||
proxyPass = "http://${config.containers.tracktrain.localAddress}:2342";
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
rewrite ^/metrics/(.*) /$1 break;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
hacc.containers.tracktrain = {
|
||||
bindSecrets = true;
|
||||
|
||||
config = { config, lib, pkgs, ... }: {
|
||||
|
||||
systemd.services.tracktrain = {
|
||||
enable = true;
|
||||
|
||||
description = "tracks trains, hopefully";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "network.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
EnvironmentFile = "/secrets/env";
|
||||
DynamicUser = true;
|
||||
};
|
||||
path = [ pkgs.wget pkgs.ntfy-sh ];
|
||||
script = ''
|
||||
cd /tmp
|
||||
ln -sf ${pkgs.writeText "tracktrain-config.yaml" tracktrain-config} config.yaml
|
||||
${pkgs.tracktrain}/bin/tracktrain +RTS -T
|
||||
'';
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql_15;
|
||||
ensureDatabases = [ "tracktrain" ];
|
||||
ensureUsers = [ {
|
||||
name = "tracktrain";
|
||||
ensureDBOwnership = true;
|
||||
} ];
|
||||
authentication = ''
|
||||
local all all trust
|
||||
'';
|
||||
};
|
||||
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
port = 9001;
|
||||
scrapeConfigs = [ {
|
||||
job_name = "tracktrain";
|
||||
static_configs = [{
|
||||
targets = [ "0.0.0.0:4000" ];
|
||||
}];
|
||||
} ];
|
||||
};
|
||||
|
||||
systemd.services.grafana.serviceConfig.EnvironmentFile =
|
||||
"/secrets/env";
|
||||
hacc.bindToPersist = [ "/var/lib/grafana" ];
|
||||
};
|
||||
};
|
||||
|
||||
}
|
|
@ -0,0 +1,107 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
hacc.containers.uffd = {
|
||||
config = { config, lib, pkgs, ... }: {
|
||||
services.uwsgi = {
|
||||
enable = true;
|
||||
plugins = [ "python3" ];
|
||||
instance = {
|
||||
type = "normal";
|
||||
pythonPackages = _: [ pkgs.uffd ];
|
||||
module = "uffd:create_app()";
|
||||
# socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
|
||||
http = ":8080";
|
||||
env = [
|
||||
"CONFIG_PATH=/persist/uffd/uffd.conf"
|
||||
];
|
||||
hook-pre-app = "exec:FLASK_APP=${pkgs.uffd}/lib/python3.10/site-packages/uffd flask db upgrade";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."login.infra4future.de" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations = {
|
||||
"/".proxyPass = "http://${config.containers.uffd.localAddress}:8080";
|
||||
"/static".root = "${pkgs.uffd}/lib/python3.10/site-packages/uffd";
|
||||
"/static/hacc.png".return = "302 https://infra4future.de/assets/img/logo_vernetzung.png";
|
||||
"/static/infra4future.svg".return = "302 https://infra4future.de/assets/img/infra4future.svg";
|
||||
"/static/hedgedoc.svg".return = "302 https://infra4future.de/assets/img/icons/hedgedoc.svg";
|
||||
"/static/mattermost.svg".return = "302 https://infra4future.de/assets/img/icons/mattermost.svg";
|
||||
"/static/nextcloud.svg".return = "302 https://infra4future.de/assets/img/icons/nextcloud.svg";
|
||||
"/static/hot_shit.svg".return = "302 https://infra4future.de/assets/img/icons/hot_shit.svg";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.auamost = {
|
||||
enable = true;
|
||||
|
||||
description = "mattermost aua gruppensync";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig.Type = "simple";
|
||||
path = [ pkgs.fish pkgs.curl pkgs.jq ];
|
||||
script = (pkgs.writeTextFile {
|
||||
name = "auamost.fish";
|
||||
executable = true;
|
||||
checkPhase = ''
|
||||
${lib.getExe pkgs.fish} -n $target
|
||||
'';
|
||||
text = ''
|
||||
#!${lib.getExe pkgs.fish}
|
||||
source /run/secrets/auamost/secrets.fish
|
||||
|
||||
for i in (seq 1 (count $groups))
|
||||
set team $teams[$i]
|
||||
set group $groups[$i]
|
||||
set users (curl -u $uffd_token --basic https://login.infra4future.de/api/v1/getusers -d group="$group")
|
||||
set usernames (echo "$users" | jq -c "[.[] | .loginname]")
|
||||
for user in (echo "$users" | jq -c ".[]")
|
||||
set id (echo "$user" | jq .id)
|
||||
set username (echo "$user" | jq .loginname)
|
||||
set email (echo "$user" | jq .email)
|
||||
curl -H $mattermost_token \
|
||||
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users \
|
||||
-d '{"email": '"$email"', "username": '"$username"', "auth_service": "gitlab", "auth_data": "'"$id"'"}'
|
||||
end
|
||||
set userids (curl -H $mattermost_token \
|
||||
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/usernames \
|
||||
-d "$usernames" | jq '[.[] | {user_id: .id, team_id: "'$team'"} ]')
|
||||
curl -H $mattermost_token \
|
||||
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/batch \
|
||||
-d "$userids"
|
||||
|
||||
if test "$group" = "hacc"
|
||||
continue
|
||||
end
|
||||
|
||||
set current_members (curl -H $mattermost_token \
|
||||
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members | jq '[.[] | .user_id]')
|
||||
|
||||
# membership relations don't contain e.g. usernames, so fetch those, too
|
||||
set current_users (curl -H $mattermost_token \
|
||||
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/ids \
|
||||
-d "$current_members" | jq -c '.[]')
|
||||
|
||||
set userids (echo "$userids" | jq -c ".[].user_id")
|
||||
for member in $current_users
|
||||
set id (echo $member | jq .id)
|
||||
if not contains -i $id $userids > /dev/null then
|
||||
set id_unquoted (echo $member | jq -r .id)
|
||||
echo removing $id_unquoted (echo $member | jq '.email') from $team \($group\)
|
||||
curl -X DELETE -H $mattermost_token \
|
||||
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/"$id_unquoted"
|
||||
end
|
||||
end
|
||||
end
|
||||
'';
|
||||
}).outPath;
|
||||
startAt = "*:0/15";
|
||||
};
|
||||
|
||||
sops.secrets."auamost/secrets.fish" = { };
|
||||
|
||||
environment.systemPackages = with pkgs; [ curl jq ];
|
||||
}
|
|
@ -1,6 +1,10 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
sops.secrets = {
|
||||
"vaultwarden/env" = {};
|
||||
};
|
||||
|
||||
services.vaultwarden = {
|
||||
enable = true;
|
||||
config = {
|
||||
|
@ -27,7 +31,7 @@
|
|||
SMTP_USERNAME="noreply@infra4future.de";
|
||||
|
||||
};
|
||||
environmentFile = "/persist/var/lib/vaultwarden/vaultwarden.env"; #contains SMTP_PASSWORD
|
||||
environmentFile = "/run/secrets/vaultwarden/env";
|
||||
dbBackend = "sqlite";
|
||||
backupDir = "/persist/data/vaultwarden_backups/";
|
||||
};
|
|
@ -1,55 +1,26 @@
|
|||
{ sources, system ? builtins.currentSystem, ... }@args:
|
||||
{ sources, ... }@args:
|
||||
|
||||
let
|
||||
pkgs = import sources.nixpkgs args;
|
||||
oldstable = import sources.nixpkgs-oldstable args;
|
||||
unstable = import sources.nixpkgs-unstable args;
|
||||
|
||||
callPackage = pkgs.lib.callPackageWith (pkgs // newpkgs);
|
||||
|
||||
newpkgs = {
|
||||
|
||||
mattermost = callPackage ./mattermost {inherit sources;};
|
||||
mattermost = callPackage ./mattermost.nix {
|
||||
buildGoModule = unstable.buildGo122Module;
|
||||
};
|
||||
|
||||
tracktrain = import sources.tracktrain {
|
||||
nixpkgs = pkgs;
|
||||
compiler = "default";
|
||||
};
|
||||
|
||||
# a version of the lounge with some extra css that
|
||||
# hides things the hacc-voc doesn't need
|
||||
thelounge-hacked = pkgs.stdenv.mkDerivation {
|
||||
name = "thelounge-hacked";
|
||||
src = pkgs.thelounge;
|
||||
uffd = oldstable.callPackage ./uffd { };
|
||||
|
||||
phases = [ "buildPhase" "installPhase" ];
|
||||
buildPhase = ''
|
||||
cp $src/* -r .
|
||||
chmod 777 lib/node_modules/thelounge/public/css/style.css
|
||||
cat ${./thelounge/css-patch.css} >> lib/node_modules/thelounge/public/css/style.css
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out
|
||||
cp * -r $out
|
||||
'';
|
||||
};
|
||||
|
||||
uffd = callPackage ./uffd {};
|
||||
|
||||
# netbox takes a python3, then overrides stuff on it before using it.
|
||||
# since overrides don't accumulate, this does both the override we want
|
||||
# and the one the netbox package would otherwise do, then disables overrides
|
||||
netbox = pkgs.netbox.override rec {
|
||||
python3 = (pkgs.python3.override {
|
||||
packageOverrides = self: super: {
|
||||
django = super.django_4;
|
||||
social-auth-core = super.social-auth-core.overrideAttrs ( old: {
|
||||
patches = [ ./netbox/0001-add-uffd-oauth2-backend.patch ];
|
||||
} );
|
||||
};
|
||||
}) // { override = ignored: python3; };
|
||||
};
|
||||
|
||||
inherit (unstable) vaultwarden vaultwarden-vault;
|
||||
inherit (oldstable) uwsgi flask;
|
||||
};
|
||||
|
||||
in pkgs.extend(_: _: newpkgs)
|
||||
|
|
|
@ -0,0 +1,84 @@
|
|||
{ lib
|
||||
, buildGoModule
|
||||
, fetchFromGitHub
|
||||
, nix-update-script
|
||||
, fetchurl
|
||||
, nixosTests
|
||||
}:
|
||||
|
||||
buildGoModule rec {
|
||||
pname = "mattermost";
|
||||
# ESR releases only.
|
||||
# See https://docs.mattermost.com/upgrade/extended-support-release.html
|
||||
# When a new ESR version is available (e.g. 8.1.x -> 9.5.x), update
|
||||
# the version regex in passthru.updateScript as well.
|
||||
version = "9.5.4";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "mattermost";
|
||||
repo = "mattermost";
|
||||
rev = "v${version}";
|
||||
hash = "sha256-iuUTAdgJJDSvUwVmcggJ4ZMVbQ19ymuIaB0PDIgEIdg=";
|
||||
};
|
||||
|
||||
# Needed because buildGoModule does not support go workspaces yet.
|
||||
# We use go 1.22's workspace vendor command, which is not yet available
|
||||
# in the default version of go used in nixpkgs, nor is it used by upstream:
|
||||
# https://github.com/mattermost/mattermost/issues/26221#issuecomment-1945351597
|
||||
overrideModAttrs = (_: {
|
||||
buildPhase = ''
|
||||
make setup-go-work
|
||||
go work vendor -e
|
||||
'';
|
||||
});
|
||||
|
||||
webapp = fetchurl {
|
||||
url = "https://releases.mattermost.com/${version}/mattermost-${version}-linux-amd64.tar.gz";
|
||||
hash = "sha256-OVq+puaXPJGOmW9pcgX24LXBfYLzuczRY7KG2tQBY3Q=";
|
||||
};
|
||||
|
||||
vendorHash = "sha256-TJCtgNf56A1U0EbV5gXjTro+YudVBRWiSZoBC3nJxnE=";
|
||||
|
||||
modRoot = "./server";
|
||||
preBuild = ''
|
||||
make setup-go-work
|
||||
'';
|
||||
|
||||
subPackages = [ "cmd/mattermost" ];
|
||||
|
||||
tags = [ "production" ];
|
||||
|
||||
ldflags = [
|
||||
"-s"
|
||||
"-w"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.Version=${version}"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.BuildNumber=${version}-nixpkgs"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.BuildDate=1970-01-01"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.BuildHash=v${version}"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.BuildHashEnterprise=none"
|
||||
"-X github.com/mattermost/mattermost/server/public/model.BuildEnterpriseReady=false"
|
||||
];
|
||||
|
||||
postInstall = ''
|
||||
tar --strip 1 --directory $out -xf $webapp \
|
||||
mattermost/{client,i18n,fonts,templates,config}
|
||||
|
||||
# For some reason a bunch of these files are executable
|
||||
find $out/{client,i18n,fonts,templates,config} -type f -exec chmod -x {} \;
|
||||
'';
|
||||
|
||||
passthru = {
|
||||
updateScript = nix-update-script {
|
||||
extraArgs = [ "--version-regex" "^v(9\.5\.([0-9.]+))" ];
|
||||
};
|
||||
tests.mattermost = nixosTests.mattermost;
|
||||
};
|
||||
|
||||
meta = with lib; {
|
||||
description = "Mattermost is an open source platform for secure collaboration across the entire software development lifecycle";
|
||||
homepage = "https://www.mattermost.org";
|
||||
license = with licenses; [ agpl3 asl20 ];
|
||||
maintainers = with maintainers; [ ryantm numinit kranzes mgdelacroix ];
|
||||
mainProgram = "mattermost";
|
||||
};
|
||||
}
|
|
@ -1,52 +0,0 @@
|
|||
{ stdenv, fetchurl, fetchFromGitHub, buildGo118Module, buildEnv, lib, sources }:
|
||||
|
||||
let
|
||||
version = "7.1.4";
|
||||
|
||||
mattermost-server = buildGo118Module rec {
|
||||
pname = "mattermost-server";
|
||||
inherit version;
|
||||
|
||||
src = sources.mattermost-server.outPath;
|
||||
|
||||
vendorSha256 = "sha256-98riYN6MaBsKyaueogjXI7x3Lcionk0xcGt4DH684QU=";
|
||||
|
||||
subPackages = [ "cmd/mattermost" ];
|
||||
|
||||
ldflags = [
|
||||
"-s"
|
||||
"-w"
|
||||
"-X github.com/mattermost/mattermost-server/model.BuildNumber=nixpkgs-${version}"
|
||||
];
|
||||
|
||||
};
|
||||
|
||||
mattermost-webapp = stdenv.mkDerivation {
|
||||
pname = "mattermost-webapp";
|
||||
inherit version;
|
||||
|
||||
src = sources.mattermost-webapp;
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out
|
||||
cp -r client $out
|
||||
cp -r i18n $out
|
||||
cp -r fonts $out
|
||||
cp -r templates $out
|
||||
cp -r config $out
|
||||
'';
|
||||
};
|
||||
|
||||
in
|
||||
buildEnv {
|
||||
name = "mattermost-${version}";
|
||||
paths = [ mattermost-server mattermost-webapp ];
|
||||
|
||||
meta = with lib; {
|
||||
description = "Open-source, self-hosted Slack-alternative";
|
||||
homepage = "https://www.mattermost.org";
|
||||
license = with licenses; [ agpl3 asl20 ];
|
||||
maintainers = with maintainers; [ fpletz ryantm ];
|
||||
platforms = platforms.unix;
|
||||
};
|
||||
}
|
|
@ -1,70 +0,0 @@
|
|||
From 00e282e32b46bb4b6040dc3810599c693306c0ec Mon Sep 17 00:00:00 2001
|
||||
From: David Croft <david@sargasso.net>
|
||||
Date: Thu, 24 Mar 2022 11:09:14 +0000
|
||||
Subject: [PATCH] add uffd oauth2 backend
|
||||
|
||||
---
|
||||
social_core/backends/uffd.py | 51 ++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 51 insertions(+)
|
||||
create mode 100644 social_core/backends/uffd.py
|
||||
|
||||
diff --git a/social_core/backends/uffd.py b/social_core/backends/uffd.py
|
||||
new file mode 100644
|
||||
index 00000000..fb8ffb62
|
||||
--- /dev/null
|
||||
+++ b/social_core/backends/uffd.py
|
||||
@@ -0,0 +1,51 @@
|
||||
+from urllib.parse import urlencode
|
||||
+
|
||||
+from .oauth import BaseOAuth2
|
||||
+
|
||||
+
|
||||
+class UffdOAuth2(BaseOAuth2):
|
||||
+ """Uffd OAuth2 authentication backend
|
||||
+
|
||||
+ You need to set the following config:
|
||||
+ SOCIAL_AUTH_UFFD_KEY - client id
|
||||
+ SOCIAL_AUTH_UFFD_SECRET - client secret
|
||||
+ SOCIAL_AUTH_UFFD_BASE_URL - base url to uffd installation
|
||||
+ """
|
||||
+
|
||||
+ name = 'uffd'
|
||||
+ ACCESS_TOKEN_METHOD = 'POST'
|
||||
+ REFRESH_TOKEN_METHOD = 'POST'
|
||||
+ SCOPE_SEPARATOR = ' '
|
||||
+ STATE_PARAMETER = True
|
||||
+ REDIRECT_STATE = False
|
||||
+ EXTRA_DATA = [
|
||||
+ ('id', 'id'),
|
||||
+ ]
|
||||
+
|
||||
+ def get_user_details(self, response):
|
||||
+ """Return user details from a Uffd account"""
|
||||
+ fullname, first_name, last_name = self.get_user_names(fullname=response.get('name'))
|
||||
+ return {
|
||||
+ 'username': response.get('nickname'),
|
||||
+ 'email': response.get('email') or '',
|
||||
+ 'fullname': fullname,
|
||||
+ 'first_name': first_name,
|
||||
+ 'last_name': last_name,
|
||||
+ }
|
||||
+
|
||||
+ def user_data(self, access_token, *args, **kwargs):
|
||||
+ """Loads user data from service"""
|
||||
+ url = self.userinfo_url() + '?' + urlencode({'access_token': access_token})
|
||||
+ try:
|
||||
+ return self.get_json(url)
|
||||
+ except ValueError:
|
||||
+ return None
|
||||
+
|
||||
+ def authorization_url(self):
|
||||
+ return self.setting('BASE_URL') + '/oauth2/authorize'
|
||||
+
|
||||
+ def access_token_url(self):
|
||||
+ return self.setting('BASE_URL') + '/oauth2/token'
|
||||
+
|
||||
+ def userinfo_url(self):
|
||||
+ return self.setting('BASE_URL') + '/oauth2/userinfo'
|
||||
--
|
||||
2.38.1
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
|
||||
/* Hides extra fields on connect screen */
|
||||
.connect-row:nth-of-type(4) {
|
||||
display: none !important;
|
||||
}
|
||||
|
||||
.connect-row:nth-of-type(2) {
|
||||
display: none !important;
|
||||
}
|
||||
|
||||
.connect-row:nth-of-type(5) {
|
||||
display: none !important;
|
||||
}
|
||||
|
||||
|
||||
/* Hides side panel button */
|
||||
.header > button:first-child {
|
||||
display: none !important;
|
||||
}
|
||||
|
||||
/* Hides channel options button (includes leave option) */
|
||||
.header > button:nth-last-child(2) {
|
||||
display: none !important;
|
||||
}
|
|
@ -3,13 +3,14 @@
|
|||
python3Packages.buildPythonPackage rec {
|
||||
pname = "uffd";
|
||||
version = "2.0.1";
|
||||
PACKAGE_VERSION = version;
|
||||
|
||||
src = fetchzip {
|
||||
url = "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz";
|
||||
hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4=";
|
||||
};
|
||||
|
||||
patches = [ ./gitea-magic.patch ./fix-setuppy.patch ./fix-userinfo.patch ];
|
||||
patches = [ ./forgejo-magic.patch ./fix-setuppy.patch ./fix-userinfo.patch ];
|
||||
|
||||
propagatedBuildInputs = with python3Packages; [
|
||||
flask
|
||||
|
|
|
@ -16,7 +16,7 @@ index d13fd42..94352be 100644
|
|||
def userinfo():
|
||||
user = request.oauth.user
|
||||
+ client = request.oauth.client_id
|
||||
+ if client == "gitea":
|
||||
+ if client == "forgejo":
|
||||
+ return jsonify(
|
||||
+ id=user.unix_uid,
|
||||
+ full_name=user.displayname,
|
|
@ -0,0 +1,105 @@
|
|||
hedgedoc-hacc:
|
||||
env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
|
||||
mattermost:
|
||||
env: ENC[AES256_GCM,data:4GcV8UOYmVUjZoYc0Nq/vEWtxtYNV81zVTEyFnZIfY1k/Ar1MU+fn5A99JLIMc8U84/QupDU7TcneiN/wqPv2jYqGS7ixSNTk+x5uUPMarzKZ04ynav6FCWEvlSF0Sz4/5s/Pvp1Qi3zdv16ZVGUHbM8/wCcaZBkSS0ofwBTIXVsVYSRPFxLehtBgwjAnD46qS+YJmszmd7V5N/adWWF34vAdfLiO6Y7KDB3jnMLOPU6Drtw9L83AW6NuOtk8crZrI1dkTD/xUC07IvMhZpZVc9ktQJqIvlk/ADs5aIp/QYrjICdYvb8xC16oV7jC/7yzXzC/UuYbCvS5gnHGMK/CsBkmM9HXmQ6mWjrfuOJEkMHSefS7O8HyrNoNDSXq0ivCr6KJmwrz7NXNAE6a6xx9LMjs5DJ8H5fda1l5TGVAdA2tg==,iv:dG4cnEtUgUxw7zS2k15p+6//Bl19WquTfFIiz5Vi/0M=,tag:cMBU8CtFBBjfcfpO709Kpg==,type:str]
|
||||
tracktrain:
|
||||
env: ENC[AES256_GCM,data:W3+8qWomPgGJt5u50aAm9x/dilMpqKY11I2AdaIBTz5posc25ts0LB5S/Sxe1ROz4itpDK3QvjoFUTRhS39k4dwMr5lqXV8Ln4B+sPpvh7oBM8A5zydP8Jj1J1YqRt8++RTUmb4z41DIwb/yaZKMu6z0guXIu1yuYzcbCuk0xe/iOp6UUpfjOzzWTvxY54zY6kWcjHLiCSwD31Cd+MxMPfbUEkHt+0W+sBmYXGeEFI/6ULSB6FnGjNW6F9g=,iv:3ymah8HG+Yg6VYZZA/MRRjHDYvYJz01ezvhfQiftegg=,tag:trht+PRYfKgWJkg2wRwISQ==,type:str]
|
||||
vaultwarden:
|
||||
env: ENC[AES256_GCM,data:hdm91tI8WBd3es+IUbdBO69kh1pNZTNvZNFIdSZO8lm4yYMPE+Jm7EzVqwOaZRbpQaVDBg7uh5P4ODc=,iv:no7U0wQCwZOeL2pwXf2pUIgrEsEOYwqOT04LvpCl614=,tag:AGSu5M7H69x6pDM062bC6g==,type:str]
|
||||
auamost:
|
||||
secrets.fish: ENC[AES256_GCM,data:QBteJdVPSWa4cmu1BVWJ3AMWWH4zIv2+G83fK0QsbA/fYoIU5jobCT3USyujNz+jQaAAxA45jmQbCWNAFLl1q8hP4i9EIikVECx0VKVXPXILBND+w7zPSLldAbOugRYt2iAt1dDADZPtulKlkz7usdafbB+2igLXdyFRLfIxDTOrBuqQ+5yeofQe5k0XWRcmQQ/1AV0JrRrmLmr69VKsR932JWD8XxmI/HFyZPzWdExBSOmvnj+m4K+DV4cVmN4t6XOY0dM3gRQ95DglEuGlp/V2o3GqwY0mXCvhM1eh81u8mPALKp6Pv2i2yU35F01Puf5t1FHGDfzp0bW0xuKEywfGjAOifFkSE/3JFir434B6G0DiJNpOIl6QJ6DA8rSKfuPdccm6Or0zX8iJGRHDJmREQ05V9l0jHAAxLNuNdbsxg+8kCWVVnW+d1YDn9KW7LbFlP+sx4Ef5leUYft/lYhF4Z5Xp3arqVrlebWjWIBEuZeJTnkE3y+TdUUCs360zzWHqsipGmo1+/88CEqL52FfUOlJ4VCR45/7nYZ3RaRBWDGFW8RvwmWSFSstEcEXQ01U8lCwyn40+blfltme3KJ1f+pWMrZAKhPlOlMHCYfjd7esWI2sYcQbTZqxH49GnW6dsW/W+eiLs3zlD/Deb2CugHe63zRdlivmVPOz4zD1PXcCVpEZHoTTiJl7Om9K2mPYq9wQN41wsDUrNL9p8m9UlhWKbjBh5UU7p6F6OhF5rKH/Fs8fIaPi6B8uamTvEmiOGTUWl3vmQjBvhM8fJWoIkRB8hgCisr9OZ,iv:8jVAImjeXbXfiLKg9G0PyLMTV8cAyDmukeittqjKFpQ=,tag:fLIcsWKbdFQ/vPCgi/W3Zw==,type:str]
|
||||
restic:
|
||||
s3creds.env: ENC[AES256_GCM,data:9WNu5S4KmdMXdshSpawEjIexAKH6vZCPwb9xyq6xmerly1lxSfFZzgg60M0L3L+I4joLTVi23YBB8Eh6Xfx9GgxNww7w7BjMCQs/X16ecDWlb346TKf+,iv:Gu4CbXXJAlQYXRqOjIAUYmn8EU4mrvcOVc2eCh1Ikzs=,tag:1xpVIonHiAGHsXTY9liPQQ==,type:str]
|
||||
system: ENC[AES256_GCM,data:RIgO0QHVjwp2D3LoU62vLzepASdsXxu0DqUTA6Voa3K1d4xFHX2u+UR8AcqR,iv:O0K8i5ivne7WU+ygDEUcrvKW6DIfXjVPY63gpfsxEFE=,tag:n/1atQ5qlyB0SMHrYiTCrA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHd0Rrem03aWMwUGgwMlM2
|
||||
dmRJdVYrRVNBTXZrVk5CdEFYcDRyN3VlcUhvCmE5L0lpbzdxanNBWFU1dEprUC9Y
|
||||
eUZqdHVmWks2V1g0SHZRN1BsSU96OU0KLS0tIGl1ZUg2aDNtREZWeUE5UXlPeHNG
|
||||
STcwOFgwK1lpWjdyTkd3c0dBTlAyK28KAKL7rPPH0DNRgL3qqCelAoUPnOy8MydL
|
||||
t2ft9ZmzkoiSdSt0Ad1U5IImQt9ZzhPtYYnYbiEVNcfuFCnGcqdoPw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvT0M2SmdwNmNyWWZ1V2o5
|
||||
OHZ4RDlIbTZONXc5Z0FPMm03V3UzVWhaRnhBCjU5dzZlbkZHRkdacG1nUng4S0p6
|
||||
Q1I5Vjg0Vk5wRzNGZTNONXdCMnpUTEEKLS0tIFo5K0tGdDZpLzNPb0llb0dJdk9u
|
||||
c3p5UVBjZWlNVkxFMlVaQ3VMVFdhZVUKxcIL/JMBEojPRlDLHUIuxKcMPMEEsTkS
|
||||
0zLjYVZL7YDS0dKdaZjaExHKrRzRpsY0qpDBHyhcyzRae1sWA4e5Kw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUmFJc24xV2JGS3dzK25F
|
||||
SVVXTjBaRUxJQ3hXZXlHYTRzaXZVNjVObEFZCmpPQUV1b0lySkUvcURObm1xNSt4
|
||||
WVQrbnlvZkQrbzloQzc4NlJCWnlPeGMKLS0tIDBVa2lpUmcrWURwWW8rc3ZmUUU1
|
||||
U0pGQjJackNhT0d4L2ZIOTdTUjBwcjQKCRWcpevMcv2HsWC4jyc/GzxxjkTEm+UF
|
||||
4QdXjJAHh2QLxV9aXF/k/KogebCFkBTirmyOhRKtBRkt87d1D9FKUA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWnZFOVFuTnFTMmpVMDFU
|
||||
dkw4UFlUenZzNkRuNy90NWk4aVNEd2J2Ukc0Cm9mM2dpZEJpVVY4TVB0WUxmTjEw
|
||||
VFJ3aHB6ZFh5YWptYTZ5cXVjTUNBVkEKLS0tIEx0dVRPVVVacHFCMDhFNE1NMnZy
|
||||
cUxicklTUGtPeTlnSFV1TUZqR1VmRnMKtJ+Q80SgqW/Jad8aF7pViGANHCsTMNEM
|
||||
7TbhITW+zWIhnviVS0xOqXrvQs4iBbMfiNnQbFS7tEX08AT2oAg6cw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzT3ZNenJKWTZ3NjdqNWpR
|
||||
Zk9Ya3lsT1Jqd0RIWm8xdm16UjFzcFV1aGlBCkRuMllGSFVIUCs4UEJEQVVGQUxK
|
||||
L1FGNGJwYkFIdU4wOXdFQWt6RSsyR28KLS0tIEgya2xORURncHlvNHJNTnIrb2da
|
||||
emRETSt4WGFYeXR5UmNSajNpUStKUzAKxgDME0M1ewNE/BrL/wFjF4Yj7GupjRPF
|
||||
Fuxae5U3phphzOkflQtreM1ScbUGge8WeiSVWY3Pl1azsYo/yqg8Ew==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1fm3e99tdyrsvztdchxxllt9nat35xzvd68d09y8scu9jfc7kvvuquhr49c
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVEdpZmdSdnBaYnV2RWhT
|
||||
MmMxQW9PUUJ4enRqNjFIZ25kUEkvdHBpOXdRCmJkSTJyWklhTU5neUlybzR1Nkp6
|
||||
YlVHczNwRzl0d0hGalpvTFdEUlV3UHMKLS0tIGhQZXEvd2F0aTlna0FNL2wyaEdC
|
||||
U1oyWXcza08rTG1DS0dUYkZOVWZ4L1kKgpt6jG0lNBMdk/isa1A/tfKYjprnnIo5
|
||||
pi4t1c7CktFBkhMlOv6VPJCsQlP0YtZUh/uut70Kecv48+YH5gC/8A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age16fk0m26n0fr2vmuxm2mjsmrawclde2mlyj6wg3ee9jvzmu5ru3ustgs5jq
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRzc5WHAzcWhGSU1kdE1E
|
||||
Z1B0aFhqYUQzQ2ptK09YMm9odWh3U0w3bmtvCi9IcWFhOFhvYU5ISlVpTURMY2hX
|
||||
RG5mL1gvNkZ1SDdMZTR4QWxtRG1VUlkKLS0tIFl5UUdIR0JOSmF4OWx1OHBuaFJj
|
||||
N0FDY2xYRlpmaTgxWURGZWxWWktPV00KAHNeeqhzql4LInlJoD9u7ptFWZBgktvp
|
||||
tju4cZ/78VgdZIfEfnlzw8lsqpRx1z5Fw8K4CcXRJJLRVfHuj2CHTA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBscDFuL0ZsdWxoUFJBd2xr
|
||||
ZXh3K0lSUnFmTVFTVHB5bGR2TC9lREdUczJrCnFSaGoyUnJjbXJ5d1lQd0RUcFJt
|
||||
REkvdEY2NzcveHpQRWZ1STBSemx0SkkKLS0tIGtyN0svS3lYcmxUbVJiU1RaK21l
|
||||
Ukh0VkVaeVBoOXQ1cmZ6WHNkYjQvTmsKG4914d+pSt1seoKiejoCvATOTaVFN4ih
|
||||
Y74W+WXyaKoQP3Q9QrbSURpE+ICfblxHmkbsPB/agNzZVWrfyBaX1A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqR01XampvRE92VnZ3OTZs
|
||||
YmJYaEN2eVJOVWt1OHE1bTdua1ArSC9oVm1ZClBsVFBSWWtLRUoyNDF0NlUwaUpo
|
||||
b0kyazNwRUFhS0RYd1pGNHNENWxQb28KLS0tIDhzdHhRN1FYczZBMksrM09UWUtJ
|
||||
bndBTXJhQVE2OVlKeGNTbzJlL0duUzAKIWdesesYvBIN/m36fhzxq30+IT8qp/pF
|
||||
S6i7QqZF75y2BpEoupRCqNIAsHrouUE+U9ZQJZO8m9J591mWvbVJIw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-05-01T01:20:25Z"
|
||||
mac: ENC[AES256_GCM,data:2fVIskFTMl1jefsa3A9fbBBUBK3Ni9XpUjLbwgewEUEKDhwzHY7vjlauzEVtcFJhYkorG/I/0YkPE6PjHta8Qk4mAOfXeVeLDrwH0dmIoPxw+J4kCgRNgNGdhkvmSUBQKwmhfvG3owZnGvq6JfcKZW8HodXyZ+GQQNknGzoX1wQ=,iv:fIXw7lsLwMHsNpZyv9nil7pdXrYNm18UV87KY0Z2zJ4=,tag:L/zymgljJWopKN1q7rpPhg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
|
@ -1,9 +0,0 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
|
||||
{
|
||||
hacc.websites = {
|
||||
enable = true;
|
||||
directory = ../websites;
|
||||
};
|
||||
}
|
|
@ -1,73 +0,0 @@
|
|||
{ config, lib, pkgs, evalConfig, ... }:
|
||||
|
||||
let
|
||||
# necessary since overlays won't propagate into the
|
||||
# container's config
|
||||
thelounge = pkgs.thelounge-hacked;
|
||||
in
|
||||
{
|
||||
containers.thelounge = {
|
||||
autoStart = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.4";
|
||||
|
||||
path = evalConfig ({ config, lib, pkgs, profiles, modules, sources, ... }: {
|
||||
# for some inexplicable reason this does not import nopersist.
|
||||
# i'm too lazy rn to deal with possible breakages if I add it.
|
||||
# if you have spoons & nothing else to do, consider this a suggestion!
|
||||
imports = [ profiles.container ];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
services.thelounge = {
|
||||
enable = true;
|
||||
|
||||
extraConfig = {
|
||||
public = true;
|
||||
# respect X-Forwarded-For
|
||||
reverseProxy = true;
|
||||
defaults = {
|
||||
name = "libera chat";
|
||||
host = "irc.eu.libera.chat";
|
||||
port = 6697;
|
||||
# encrypt things!
|
||||
tls = true;
|
||||
# yes, please do actually check the cert …
|
||||
rejectUnauthorized = true;
|
||||
nick = "haccGuest%%%%";
|
||||
join = "#hacc-webchat";
|
||||
};
|
||||
lockNetwork = true;
|
||||
|
||||
# don't log messages (default is text / sqlite)
|
||||
messageStorage = [];
|
||||
|
||||
# darker theme
|
||||
#theme = "morning";
|
||||
|
||||
# these three should result in having link previews
|
||||
# which are fetched only by the server, then proxied
|
||||
# (i.e. clients won't directly connect to arbitrary
|
||||
# domains to get previews)
|
||||
prefetch = true;
|
||||
prefetchStorage = true;
|
||||
disableMediaPreview = true;
|
||||
|
||||
leaveMessage = "happy haccing";
|
||||
};
|
||||
};
|
||||
|
||||
# override the package we use
|
||||
systemd.services.thelounge.serviceConfig.ExecStart =
|
||||
pkgs.lib.mkForce "${thelounge}/bin/thelounge start";
|
||||
});
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."webchat.voc.hacc.space" = {
|
||||
locations."/".proxyPass =
|
||||
"http://${config.containers.thelounge.localAddress}:9000";
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
}
|
|
@ -1,152 +0,0 @@
|
|||
{ config, lib, pkgs, inputs, evalConfig, ... }:
|
||||
|
||||
let
|
||||
tracktrain-config = ''
|
||||
dbstring: "dbname=tracktrain"
|
||||
gtfs: ./gtfs.zip
|
||||
|
||||
warp:
|
||||
port: 4000
|
||||
|
||||
login:
|
||||
enable: true
|
||||
url: https://login.infra4future.de
|
||||
clientname: tracktrain
|
||||
# clientsecret defined in env file
|
||||
'';
|
||||
in
|
||||
{
|
||||
services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://192.168.42.41:4000";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
# note: this shadows the /metrics endpoint of tracktrain
|
||||
# in case you remove this, please consider putting something
|
||||
# else here to keep it from being publicly scrapable
|
||||
locations."/metrics/" = {
|
||||
proxyPass = "http://192.168.42.41:2342";
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
rewrite ^/metrics/(.*) /$1 break;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
containers.tracktrain = {
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.42.40";
|
||||
localAddress = "192.168.42.41";
|
||||
autoStart = true;
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/tracktrain";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
|
||||
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
||||
system.stateVersion = "21.11";
|
||||
|
||||
imports = [ profiles.nopersist profiles.container ];
|
||||
|
||||
users.users.tracktrain = {
|
||||
group = "tracktrain";
|
||||
isSystemUser = true;
|
||||
};
|
||||
users.groups.tracktrain = {};
|
||||
|
||||
systemd.services.tracktrain = {
|
||||
enable = true;
|
||||
|
||||
description = "tracks trains, hopefully";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "network.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
EnvironmentFile = "/persist/secrets.env";
|
||||
User = "tracktrain";
|
||||
Group = "tracktrain";
|
||||
};
|
||||
path = [ pkgs.wget ];
|
||||
script = ''
|
||||
mkdir -p /persist/tracktrain
|
||||
cd /persist/tracktrain
|
||||
ln -sf ${pkgs.writeText "tracktrain-config.yaml" tracktrain-config} config.yaml
|
||||
wget "https://ilztalbahn.eu/wp-content/uploads/2020/07/gtfs.zip" || sleep 4; wget "https://ilztalbahn.eu/wp-content/uploads/2020/07/gtfs.zip"
|
||||
${pkgs.tracktrain}/bin/tracktrain +RTS -T
|
||||
'';
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
|
||||
ensureDatabases = [ "tracktrain" ];
|
||||
ensureUsers = [ {
|
||||
name = "tracktrain";
|
||||
ensurePermissions = {
|
||||
"DATABASE tracktrain" = "ALL PRIVILEGES";
|
||||
};
|
||||
} ];
|
||||
authentication = ''
|
||||
local all all trust
|
||||
host all all 127.0.0.1/32 trust
|
||||
'';
|
||||
};
|
||||
|
||||
services.prometheus = {
|
||||
enable = true;
|
||||
port = 9001;
|
||||
scrapeConfigs = [ {
|
||||
job_name = "tracktrain";
|
||||
static_configs = [{
|
||||
targets = [ "0.0.0.0:4000" ];
|
||||
}];
|
||||
} ];
|
||||
};
|
||||
|
||||
services.grafana = {
|
||||
enable = true;
|
||||
settings.server = {
|
||||
serve_from_sub_path = true;
|
||||
domain = "tracktrain.ilztalbahn.eu";
|
||||
root_url = "https://%(domain)s/metrics/";
|
||||
http_port = 2342;
|
||||
http_addr = "0.0.0.0";
|
||||
};
|
||||
|
||||
settings."auth.generic_oauth" = {
|
||||
name = "uffd";
|
||||
enabled = true;
|
||||
allow_sign_up = true;
|
||||
empty_scopes = true;
|
||||
client_id = "ilztalbahn-grafana";
|
||||
client_secret = "\${GRAFANA_CLIENT_SECRET}";
|
||||
auth_url = "https://login.infra4future.de/oauth2/authorize";
|
||||
token_url = "https://login.infra4future.de/oauth2/token";
|
||||
api_url = "https://login.infra4future.de/oauth2/userinfo";
|
||||
};
|
||||
# disables the default login screen. comment out if for some
|
||||
# reason you do need it
|
||||
settings.auth.oauth_auto_login = true;
|
||||
settings.users.auto_assign_org_role = "Admin";
|
||||
|
||||
provision = {
|
||||
enable = true;
|
||||
datasources.settings.datasources = [ {
|
||||
url = "http://localhost:9001";
|
||||
type = "prometheus";
|
||||
name = "prometheus";
|
||||
} ];
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.grafana.serviceConfig.EnvironmentFile =
|
||||
"/persist/secrets.env";
|
||||
});
|
||||
};
|
||||
|
||||
}
|
|
@ -1,65 +0,0 @@
|
|||
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
|
||||
|
||||
let
|
||||
uffd = pkgs.uffd;
|
||||
in {
|
||||
containers.uffd = {
|
||||
privateNetwork = true;
|
||||
hostAddress = "192.168.100.1";
|
||||
localAddress = "192.168.100.9";
|
||||
autoStart = true;
|
||||
bindMounts = {
|
||||
"/persist" = {
|
||||
hostPath = "/persist/containers/uffd";
|
||||
isReadOnly = false;
|
||||
};
|
||||
};
|
||||
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
|
||||
imports = [ profiles.nopersist profiles.container ];
|
||||
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
services.uwsgi = {
|
||||
enable = true;
|
||||
plugins = [ "python3" ];
|
||||
instance = {
|
||||
type = "normal";
|
||||
pythonPackages = self: with self; [ uffd ];
|
||||
module = "uffd:create_app()";
|
||||
# socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
|
||||
http = ":8080";
|
||||
env = [
|
||||
"CONFIG_PATH=/persist/uffd/uffd.conf"
|
||||
];
|
||||
hook-pre-app = "exec:FLASK_APP=${uffd}/lib/python3.10/site-packages/uffd flask db upgrade";
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
services.nginx.virtualHosts."login.infra4future.de" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations = {
|
||||
"/".proxyPass = "http://${config.containers.uffd.localAddress}:8080";
|
||||
"/static".root = "${uffd}/lib/python3.10/site-packages/uffd";
|
||||
"/static/hacc.png".return = "302 https://infra4future.de/assets/img/logo_vernetzung.png";
|
||||
"/static/infra4future.svg".return = "302 https://infra4future.de/assets/img/infra4future.svg";
|
||||
"/static/hedgedoc.svg".return = "302 https://infra4future.de/assets/img/icons/hedgedoc.svg";
|
||||
"/static/mattermost.svg".return = "302 https://infra4future.de/assets/img/icons/mattermost.svg";
|
||||
"/static/nextcloud.svg".return = "302 https://infra4future.de/assets/img/icons/nextcloud.svg";
|
||||
"/static/hot_shit.svg".return = "302 https://infra4future.de/assets/img/icons/hot_shit.svg";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.auamost = {
|
||||
enable = true;
|
||||
|
||||
description = "mattermost aua gruppensync";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig.Type = "simple";
|
||||
path = [ pkgs.curl pkgs.jq ];
|
||||
script = "${pkgs.fish}/bin/fish /persist/magic/mattermost-groupsync.fish";
|
||||
startAt = "*:0/15";
|
||||
};
|
||||
}
|
|
@ -0,0 +1,44 @@
|
|||
# Markdown docs with zola.
|
||||
|
||||
[Zola](https://www.getzola.org/) is a static site generated written in Rust
|
||||
(which you'll notice since sometimes it panics).
|
||||
|
||||
To run the site locally:
|
||||
|
||||
```
|
||||
zola serve
|
||||
```
|
||||
|
||||
## Directory Layout
|
||||
|
||||
All the important stuff goes into `content`. If you create subdirectories, make
|
||||
sure you remembered to also create an `_index.md` file for it (if in doubt, just
|
||||
copy the one at `content/_index.md`); otherwise pages in there won't work.
|
||||
|
||||
`templates` is *not* for site templates, but specifies how markdown files should
|
||||
be turned into html. If an autogenerated link broke, you'll probably have to
|
||||
change something in there. `sass` and `static` do exactly what they sound like.
|
||||
|
||||
It usually shouldn't be necessary to change `config.toml`, but if it is, [here
|
||||
is the list of all available options](https://www.getzola.org/documentation/getting-started/configuration/).
|
||||
|
||||
|
||||
## File Layout
|
||||
|
||||
Markdown files start with a frontmatter that should look something like so:
|
||||
|
||||
```markdown
|
||||
+++
|
||||
title = "blåhaj"
|
||||
taxonomies.categories = [ "flausch" ]
|
||||
+++
|
||||
|
||||
[actual markdown goes here]
|
||||
```
|
||||
|
||||
The frontmatter is TOML; the `taxonomies.*` keys are special and can be used to
|
||||
aggregate posts if enabled in `config.toml` (currently that's only the case for
|
||||
`categories`, though). See also the [list of all available keys](https://www.getzola.org/documentation/content/page/).
|
||||
|
||||
Please don't repeat the page's title in markdown, otherwise it'll appear twice
|
||||
in the html.
|
|
@ -0,0 +1,35 @@
|
|||
# Zola's configuration file,
|
||||
#
|
||||
# see https://www.getzola.org/documentation/getting-started/configuration/
|
||||
# for available keys.
|
||||
|
||||
# The URL the site will be built for
|
||||
base_url = "https://docs.hacc.space"
|
||||
|
||||
compile_sass = true
|
||||
default_language = "en"
|
||||
|
||||
# might be useful — this isn't a blog, obviously, but updates for new entries
|
||||
# could still be nice, I guess
|
||||
generate_feed = true
|
||||
feed_filename = "atom.xml"
|
||||
|
||||
build_search_index = true
|
||||
|
||||
taxonomies = [
|
||||
{ name = "categories", feed = false},
|
||||
]
|
||||
|
||||
[markdown]
|
||||
highlight_code = true
|
||||
|
||||
[extra] # user-defined keys
|
||||
|
||||
# site title text
|
||||
main_title = "haccfiles documentation"
|
||||
|
||||
# navbar entries
|
||||
main_menu = [
|
||||
{url = "$BASE_URL", name = "Home"},
|
||||
{url = "$BASE_URL/categories", name = "Categories"}
|
||||
]
|
|
@ -0,0 +1 @@
|
|||
../../docs
|
|
@ -0,0 +1,22 @@
|
|||
{ copyPathToStore, stdenvNoCC, zola, writeScriptBin }:
|
||||
|
||||
stdenvNoCC.mkDerivation rec {
|
||||
name = "docs.hacc.space-static";
|
||||
|
||||
src = ./.;
|
||||
content = copyPathToStore ../../docs;
|
||||
|
||||
phases = [ "buildPhase" ];
|
||||
buildInputs = [ zola ];
|
||||
buildPhase = ''
|
||||
cp -r $src/* .
|
||||
rm content
|
||||
ln -s $content content
|
||||
zola build --output-dir $out
|
||||
'';
|
||||
|
||||
watch = writeScriptBin "watch" ''
|
||||
cd $(git rev-parse --show-toplevel)/websites/docs.hacc.space
|
||||
${zola}/bin/zola serve --output-dir /tmp/hacc-docs "$@"
|
||||
'';
|
||||
}
|
|
@ -0,0 +1,168 @@
|
|||
|
||||
@font-face {
|
||||
font-family: 'share-tech';
|
||||
src: url('ShareTech-Regular.ttf') format('truetype');
|
||||
}
|
||||
|
||||
html {
|
||||
overflow: hidden;
|
||||
height: 100%;
|
||||
}
|
||||
|
||||
body {
|
||||
background-color: #000;
|
||||
color: #fff;
|
||||
|
||||
overflow-y: auto;
|
||||
overflow-x: hidden;
|
||||
height: 100%;
|
||||
}
|
||||
|
||||
#content {
|
||||
font-family: 'share-tech';
|
||||
margin-left: auto;
|
||||
margin-right: auto;
|
||||
max-width: 60em;
|
||||
font-size: 16pt;
|
||||
position: relative;
|
||||
}
|
||||
|
||||
p.subtitle {
|
||||
font-size: 14pt;
|
||||
font-style: normal;
|
||||
color: gray;
|
||||
}
|
||||
|
||||
article {
|
||||
margin-bottom: 4em;
|
||||
}
|
||||
|
||||
#searchresults {
|
||||
width: 90%;
|
||||
text-align: right;
|
||||
right: 0;
|
||||
position: absolute;
|
||||
background-color: black;
|
||||
top: 5em;
|
||||
color: gray;
|
||||
}
|
||||
|
||||
#searchresults div {
|
||||
padding: 0.5em;
|
||||
border-top: 1px dashed gray;
|
||||
}
|
||||
|
||||
#searchresults div:last-child {
|
||||
border-bottom: 1px dashed gray;
|
||||
}
|
||||
|
||||
.searchresultprevtext {
|
||||
white-space: nowrap;
|
||||
overflow: hidden;
|
||||
text-overflow: ellipsis;
|
||||
display: inline-block;
|
||||
width: 40em;
|
||||
float: left;
|
||||
}
|
||||
|
||||
footer.content {
|
||||
top: 50px;
|
||||
color: #cccccc;
|
||||
font-size: 14px;
|
||||
margin-bottom: 4em;
|
||||
}
|
||||
|
||||
footer a {
|
||||
color: #cccccc;
|
||||
}
|
||||
|
||||
.logo {
|
||||
position: relative;
|
||||
width: 100%;
|
||||
}
|
||||
.logo > img {
|
||||
width: 300px;
|
||||
max-width: 100%;
|
||||
}
|
||||
|
||||
h1 {
|
||||
font-size: 32pt;
|
||||
}
|
||||
|
||||
#headernav {
|
||||
text-align: right;
|
||||
margin: 1em;
|
||||
}
|
||||
|
||||
#headernav > a {
|
||||
padding: 0.2em;
|
||||
font-size: 20pt;
|
||||
font-family: share-tech;
|
||||
}
|
||||
|
||||
h1, h2, h3, h4, h5, h6{
|
||||
font-weight: 600;
|
||||
display: inline;
|
||||
font-family: share-tech;
|
||||
background: rgb(59,115,185);
|
||||
background: linear-gradient(90deg, rgb(59, 115, 185) 0%, rgb(229, 35, 33) 100%);
|
||||
background-clip: border-box;
|
||||
color: transparent;
|
||||
-webkit-background-clip: text;
|
||||
background-clip: text;
|
||||
}
|
||||
/*
|
||||
h4 {
|
||||
//font-weight: 600;
|
||||
//display: inline;
|
||||
font-family: share-tech;
|
||||
//background: rgb(59,115,185);
|
||||
//background: linear-gradient(90deg, rgb(59, 115, 185) 0%, rgb(229, 35, 33) 100%);
|
||||
//background-clip: border-box;
|
||||
color: #fff;
|
||||
//-webkit-background-clip: text;
|
||||
//background-clip: text;
|
||||
}
|
||||
*/
|
||||
a {
|
||||
text-decoration: none;
|
||||
color: #3b73b9;
|
||||
transition: color .1s linear;
|
||||
}
|
||||
a:hover {
|
||||
/*color: #e52321;*/
|
||||
color: #4e9af9;
|
||||
}
|
||||
|
||||
ul {
|
||||
margin-top: 0;
|
||||
}
|
||||
|
||||
|
||||
pre {
|
||||
padding: 1rem;
|
||||
overflow: auto;
|
||||
font-size: 16px;
|
||||
}
|
||||
// The line numbers already provide some kind of left/right padding
|
||||
pre[data-linenos] {
|
||||
padding: 1rem 0;
|
||||
}
|
||||
pre table td {
|
||||
padding: 0;
|
||||
}
|
||||
// The line number cells
|
||||
pre table td:nth-of-type(1) {
|
||||
text-align: center;
|
||||
user-select: none;
|
||||
}
|
||||
pre mark {
|
||||
// If you want your highlights to take the full width.
|
||||
display: block;
|
||||
// The default background colour of a mark is bright yellow
|
||||
background-color: rgba(254, 252, 232, 0.9);
|
||||
}
|
||||
pre table {
|
||||
width: 100%;
|
||||
border-collapse: collapse;
|
||||
}
|
Binary file not shown.
Binary file not shown.
After Width: | Height: | Size: 3.7 KiB |
Binary file not shown.
After Width: | Height: | Size: 5.2 KiB |
|
@ -0,0 +1,52 @@
|
|||
|
||||
function mkDiv (res) {
|
||||
let div = document.createElement("div");
|
||||
let a = document.createElement("a");
|
||||
a.innerText = res.doc.title;
|
||||
a.href = res.ref;
|
||||
let text = document.createElement("span");
|
||||
text.innerText = res.doc.body.slice(0,400).replaceAll("\n", " ");
|
||||
text.classList.add("searchresultprevtext");
|
||||
|
||||
div.appendChild(text);
|
||||
div.appendChild(a);
|
||||
return div;
|
||||
}
|
||||
|
||||
window.onload = () => {
|
||||
console.log("hello!")
|
||||
let searchbox = document.getElementById("searchbox");
|
||||
searchbox.innerHTML =
|
||||
"<input id='searchinput' placeholder='search ...'></input> \
|
||||
<div id='searchresults' style='display:none'></div>";
|
||||
|
||||
let searchinput = document.getElementById("searchinput");
|
||||
let searchresults = document.getElementById("searchresults");
|
||||
|
||||
let index = elasticlunr.Index.load(window.searchIndex);
|
||||
|
||||
searchinput.addEventListener("keyup", () => {
|
||||
let term = searchinput.value.trim();
|
||||
let results = [];
|
||||
if (term !== "") {
|
||||
results = index.search(term, {});
|
||||
console.log(results);
|
||||
|
||||
while (searchresults.lastChild) {
|
||||
searchresults.removeChild(searchresults.lastChild)
|
||||
}
|
||||
if (results.length !== 0) {
|
||||
let resultdivs = results.map(mkDiv);
|
||||
resultdivs.map((div) => searchresults.appendChild(div));
|
||||
} else {
|
||||
searchresults.innerHTML =
|
||||
term.length <= 4 ?
|
||||
"<div>Need at least four characters to search.</div>"
|
||||
: "<div>No results here.</div>";
|
||||
}
|
||||
searchresults.style.display = "initial";
|
||||
} else {
|
||||
searchresults.style.display = "none";
|
||||
}
|
||||
});
|
||||
}
|
|
@ -0,0 +1,43 @@
|
|||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<title>{{ config.extra.main_title }}</title>
|
||||
<link rel="icon" type="image/png" href="favicon.png">
|
||||
<link rel="alternate" type="application/atom+xml" title="Feed" href="{{ get_url(path="atom.xml", trailing_slash=false) }}">
|
||||
<link rel="stylesheet" href="{{ get_url(path="style.css", trailing_slash=false) | safe }}">
|
||||
<script src="{{ get_url(path="search_index.en.js", trailing_slash=false) | safe }}"></script>
|
||||
<script src="{{ get_url(path="elasticlunr.min.js", trailing_slash=false) | safe }}"></script>
|
||||
<script src="{{ get_url(path="search.js", trailing_slash=false) | safe }}"></script>
|
||||
{% block head_extra %}
|
||||
{% endblock head_extra %}
|
||||
</head>
|
||||
<body>
|
||||
<div id="content">
|
||||
<header style="height:10em">
|
||||
<a href="{{config.base_url}}"><h2 style="float:left">{{ config.extra.main_title }}</h2></a>
|
||||
<nav id="headernav" style="float:right">
|
||||
{% for item in config.extra.main_menu %}
|
||||
<a itemprop="url"
|
||||
class="{% if item.url | replace(from="$BASE_URL", to=config.base_url) == current_url %}active{% endif %}"
|
||||
href="{{ item.url | safe | replace(from="$BASE_URL", to=config.base_url) }}">
|
||||
{{ item.name }}
|
||||
</a>
|
||||
{% endfor %}
|
||||
<div id="searchbox">
|
||||
</div>
|
||||
</nav>
|
||||
</header>
|
||||
|
||||
{% block content %} {% endblock %}
|
||||
|
||||
<footer class="content" style="z-index: 200">
|
||||
<div>
|
||||
<a href="https://git.infra4future.de/hacc/haccfiles">Source in git</a> •
|
||||
<a href="https://infra4future.de/impressum.html">Imprint</a>
|
||||
</div>
|
||||
</footer>
|
||||
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
|
@ -0,0 +1,12 @@
|
|||
{% extends "base.html" %}
|
||||
|
||||
{% block content %}
|
||||
<h1 class="title">
|
||||
{{ section.title }}
|
||||
</h1>
|
||||
<ul>
|
||||
{% for page in section.pages %}
|
||||
<li><a href="{{ page.permalink | safe }}">{{ page.title }}</a></li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
{% endblock content %}
|
|
@ -0,0 +1,17 @@
|
|||
{% extends "base.html" %}
|
||||
|
||||
{% block content %}
|
||||
<main>
|
||||
|
||||
<h1>Categories</h1>
|
||||
<p>
|
||||
{% if terms %}
|
||||
<ul>
|
||||
{% for term in terms %}
|
||||
<li><a href="{{ term.permalink | safe }}">{{ term.name }}</a> ({{ term.pages | length }})</li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
{% endif %}
|
||||
</p>
|
||||
</main>
|
||||
{% endblock content %}
|
|
@ -0,0 +1,12 @@
|
|||
{% extends "base.html" %}
|
||||
|
||||
{% import "post_macros.html" as post_macros %}
|
||||
{% block content %}
|
||||
|
||||
<h1>Posts in category "{{ term.name }}"</h1>
|
||||
{% for page in term.pages %}
|
||||
<p>
|
||||
<h2><a href="{{ page.permalink | safe }}">{{ page.title }}</a></h2>
|
||||
</p>
|
||||
{% endfor %}
|
||||
{% endblock content %}
|
|
@ -0,0 +1,15 @@
|
|||
{% extends "base.html" %}
|
||||
|
||||
{% import "post_macros.html" as post_macros %}
|
||||
{% block content %}
|
||||
<main>
|
||||
<article itemscope itemtype="http://schema.org/CreativeWork">
|
||||
<header>
|
||||
<h1><a href="{{ page.permalink | safe }}">
|
||||
{{ page.title }}
|
||||
</a></h1>
|
||||
</header>
|
||||
{{ page.content | safe }}
|
||||
</article>
|
||||
</main>
|
||||
{% endblock content %}
|
|
@ -0,0 +1,23 @@
|
|||
{% extends "base.html" %}
|
||||
|
||||
{% block content %}
|
||||
<main>
|
||||
{% for page in section.pages %}
|
||||
<p>
|
||||
<h3><a href="{{ page.permalink | safe }}">{{ page.title }}</a></h3>
|
||||
</p>
|
||||
{% endfor %}
|
||||
|
||||
{% for sub in section.subsections %}
|
||||
{% set subsection = get_section(path=sub) %}
|
||||
<p>
|
||||
<h2><a href="{{ subsection.permalink | safe }}">{{ subsection.title }}</a></h2>
|
||||
{% for page in subsection.pages %}
|
||||
<p>
|
||||
<h3 style="margin-left:1em"><a href="{{ page.permalink | safe }}">{{ page.title }}</a></h3>
|
||||
</p>
|
||||
{% endfor %}
|
||||
</p>
|
||||
{% endfor %}
|
||||
</main>
|
||||
{% endblock content %}
|
|
@ -0,0 +1,15 @@
|
|||
{% macro paginator_nav(paginator) %}
|
||||
|
||||
<nav>
|
||||
<p>
|
||||
{% if paginator.previous %}
|
||||
<a href="{{ paginator.previous }}">« Previous</a> |
|
||||
{% endif %}
|
||||
<span>Page {{ paginator.current_index }} of {{ paginator.number_pagers }}</span>
|
||||
{% if paginator.next %}
|
||||
| <a href="{{ paginator.next }}">Next »</a>
|
||||
{% endif %}
|
||||
</p>
|
||||
</nav>
|
||||
|
||||
{% endmacro paginator_nav %}
|
|
@ -0,0 +1,15 @@
|
|||
{% extends "index.html" %}
|
||||
|
||||
{% block content %}
|
||||
<h1>{{ section.title }}</h1>
|
||||
<p>{{ section.content | safe }}</p>
|
||||
<p>Pages in section</p>
|
||||
<ul>
|
||||
{% for page in section.pages | reverse %}
|
||||
<li>
|
||||
<em> <a href="{{ page.permalink }}"> {{ page.title }} </a> </em>
|
||||
</li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
|
||||
{% endblock content %}
|
|
@ -14,6 +14,7 @@ stdenvNoCC.mkDerivation rec {
|
|||
'';
|
||||
|
||||
watch = writeScriptBin "watch" ''
|
||||
${sfz}/bin/sfz -r ${src} "$@"
|
||||
cd $(git rev-parse --show-toplevel)/websites/hacc.earth
|
||||
${sfz}/bin/sfz "$@"
|
||||
'';
|
||||
}
|
||||
|
|
|
@ -270,10 +270,7 @@
|
|||
<a href="https://muc.hacc.earth">hacc e.V.</a>, local chapter Munich<sup><a href="#history">*</a></sup>
|
||||
<ul>
|
||||
<li>
|
||||
<a href="https://web.libera.chat/#hacc">#hacc</a> on irc.libera.chat or as matrix bridge <a href="https://matrix.to/#/#hacc:libera.chat">#hacc:libera.chat</a>
|
||||
</li>
|
||||
<li>
|
||||
<a href="https://web.libera.chat/#hacc-muc">#hacc-muc</a> on irc.libera.chat or as matrix bridge <a href="https://matrix.to/#/#hacc-muc:libera.chat">#hacc-muc:libera.chat</a>
|
||||
<a href="https://webirc.hackint.org/#ircs://irc.hackint.org/#hacc-muc">#hacc-muc</a> on hackint.org or as matrix bridge <a href="https://matrix.to/#/#hacc-muc:hackint.org">#hacc-muc:hackint.org</a>
|
||||
</li>
|
||||
<li>
|
||||
<a href="https://chaos.social/@hacc">@hacc@chaos.social</a>
|
||||
|
|
|
@ -14,6 +14,7 @@ stdenvNoCC.mkDerivation rec {
|
|||
'';
|
||||
|
||||
watch = writeScriptBin "watch" ''
|
||||
${sfz}/bin/sfz -r ${src}
|
||||
cd $(git rev-parse --show-toplevel)/websites/help.studentsforfuture.info
|
||||
${sfz}/bin/sfz "$@"
|
||||
'';
|
||||
}
|
||||
|
|
|
@ -12,7 +12,8 @@ stdenvNoCC.mkDerivation rec {
|
|||
'';
|
||||
|
||||
watch = writeScriptBin "watch" ''
|
||||
cd $(git rev-parse --show-toplevel)/websites/infra4future.de
|
||||
rm -rf /tmp/hacc-website
|
||||
${jekyll}/bin/jekyll serve -s ${src} --disable-disk-cache -d /tmp/hacc-website
|
||||
${jekyll}/bin/jekyll serve --disable-disk-cache -d /tmp/hacc-website "$@"
|
||||
'';
|
||||
}
|
||||
|
|
|
@ -14,6 +14,7 @@ stdenvNoCC.mkDerivation rec {
|
|||
'';
|
||||
|
||||
watch = writeScriptBin "watch" ''
|
||||
${sfz}/bin/sfz -r ${src}
|
||||
cd $(git rev-parse --show-toplevel)/websites/muc.hacc.earth
|
||||
${sfz}/bin/sfz "$@"
|
||||
'';
|
||||
}
|
||||
|
|
|
@ -267,13 +267,10 @@ Of course we also did and do support multiple events and groups in Munich and Ge
|
|||
<p>
|
||||
<ul>
|
||||
<li>
|
||||
<a href="https://web.libera.chat/#hacc">#hacc</a> on irc.libera.chat or as matrix bridge <a href="https://matrix.to/#/#hacc:libera.chat">#hacc:libera.chat</a>, general chat in English
|
||||
<a href="https://webirc.hackint.org/#ircs://irc.hackint.org/#hacc-muc">#hacc-muc</a> on hackint.org or as matrix bridge <a href="https://matrix.to/#/#hacc-muc:hackint.org">#hacc-muc:hackint.org</a>, chat of the local chapter Munich in German
|
||||
</li>
|
||||
<li>
|
||||
<a href="https://web.libera.chat/#hacc-muc">#hacc-muc</a> on irc.libera.chat or as matrix bridge <a href="https://matrix.to/#/#hacc-muc:libera.chat">#hacc-muc:libera.chat</a>, chat of the local chapter Munich in German
|
||||
</li>
|
||||
<li>
|
||||
<a href="https://web.libera.chat/#hacc-voc">#hacc-voc</a> on irc.libera.chat or as matrix bridge <a href="https://matrix.to/#/#hacc-voc:libera.chat">#hacc-voc:libera.chat</a>
|
||||
<a href="https://webirc.hackint.org/#ircs://irc.hackint.org/#hacc-voc">#hacc-voc</a> on hackint.org or as matrix bridge <a href="https://matrix.to/#/#hacc-voc:hackint.org">#hacc-voc:hackint.org</a>
|
||||
</li>
|
||||
<li>
|
||||
<a href="https://chaos.social/@hacc">@hacc@chaos.social</a>
|
||||
|
|
|
@ -12,7 +12,8 @@ stdenvNoCC.mkDerivation rec {
|
|||
'';
|
||||
|
||||
watch = writeScriptBin "watch" ''
|
||||
cd $(git rev-parse --show-toplevel)/websites/mumble.infra4future.de
|
||||
rm -rf /tmp/hacc-website
|
||||
${jekyll}/bin/jekyll serve -s ${src} --disable-disk-cache -d /tmp/hacc-website
|
||||
${jekyll}/bin/jekyll serve --disable-disk-cache -d /tmp/hacc-website "$@"
|
||||
'';
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue