Compare commits

..

190 commits

Author SHA1 Message Date
cb012aba67 mattermost: 9.11.4 → 9.11.5
this is a security release:
https://mattermost.com/blog/mattermost-security-updates-10-1-3-10-0-3-9-11-5-esr-9-5-13-esr-released/
2024-11-20 00:22:24 +01:00
aaf4e86da3 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/5354a00f3cdbab47090bdc51aedbe13d1e2aa9b1' (2024-11-10)
  → 'github:NixOS/nixpkgs/bf6132dc791dbdff8b6894c3a85eb27ad8255682' (2024-11-17)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/3f42f0b61e6c45ca80d87cec5dd11e121d6b9c14' (2024-11-11)
  → 'github:NixOS/nixpkgs/0705964c881cea8896474610188905ba41b59b08' (2024-11-19)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/f1675e3b0e1e663a4af49be67ecbc9e749f85eb7' (2024-11-10)
  → 'github:Mic92/sops-nix/e39947d0ee8e341fa7108bd02a33cdfa24a1360e' (2024-11-18)
• Removed input 'sops-nix/nixpkgs-stable'
2024-11-19 23:56:17 +01:00
6c72210b0e flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/5012ef7926747f739c65bd2e1ceff96da30fb3b8' (2024-11-03)
  → 'github:NixOS/nixpkgs/5354a00f3cdbab47090bdc51aedbe13d1e2aa9b1' (2024-11-10)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/b16bcbe0262b6f203c41a4cd162d07576461f267' (2024-11-04)
  → 'github:NixOS/nixpkgs/3f42f0b61e6c45ca80d87cec5dd11e121d6b9c14' (2024-11-11)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/e9b5eef9b51cdf966c76143e13a9476725b2f760' (2024-11-03)
  → 'github:Mic92/sops-nix/f1675e3b0e1e663a4af49be67ecbc9e749f85eb7' (2024-11-10)
2024-11-11 13:11:24 +01:00
243f091a49 pkgs/scripts: move auamost into hacc-scripts
we've had this for ages, and since I started with the new scripts
directory under pkgs (and anticipated we'll write more), it seems like a
good idea to move that script there and have them all in one place.
Certainly better than having it as one extremely long string inside Nix.
2024-11-11 01:12:22 +01:00
3345eb97dc pkgs/scripts: fix --help output for unused accounts script 2024-11-10 11:39:44 +01:00
589499fbf5 mattermost: 9.11.3 → 9.11.4
this is a security release. announcement by upstream:
https://mattermost.com/blog/mattermost-security-updates-10-1-2-10-0-2-9-11-4-esr-9-5-12-esr-released/
2024-11-04 14:00:11 +01:00
0fa4849c3d flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/ef498e16f8a10e92d559e1f6e01412444acefaff' (2024-10-27)
  → 'github:NixOS/nixpkgs/5012ef7926747f739c65bd2e1ceff96da30fb3b8' (2024-11-03)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/e4735dbdda8288aef24141f3ae8848a14f06fe08' (2024-10-27)
  → 'github:NixOS/nixpkgs/b16bcbe0262b6f203c41a4cd162d07576461f267' (2024-11-04)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/1666d16426abe79af5c47b7c0efa82fd31bf4c56' (2024-10-27)
  → 'github:Mic92/sops-nix/e9b5eef9b51cdf966c76143e13a9476725b2f760' (2024-11-03)
2024-11-04 13:44:30 +01:00
c6dc74b3b7 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/e2589a4d25269cfa6a22022d01cd740d8abaa82b' (2024-10-21)
  → 'github:NixOS/nixpkgs/ef498e16f8a10e92d559e1f6e01412444acefaff' (2024-10-27)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/a5e6a9e979367ee14f65d9c38119c30272f8455f' (2024-10-21)
  → 'github:NixOS/nixpkgs/e4735dbdda8288aef24141f3ae8848a14f06fe08' (2024-10-27)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/c504fd7ac946d7a1b17944d73b261ca0a0b226a5' (2024-10-20)
  → 'github:Mic92/sops-nix/1666d16426abe79af5c47b7c0efa82fd31bf4c56' (2024-10-27)
2024-10-28 11:23:30 +01:00
60acc52ec7 do not restart the uffd unused accounts notifier on each deploy 2024-10-28 11:22:17 +01:00
7be555013a uffd script: fix subject/from header 2024-10-28 00:30:43 +01:00
ca0c1192a0 pkgs/scripts: uffd-unused-accounts-notification.scm
this is a helper script to send emails to people who've not logged in
for a while (currently hard-coded to "since 2023-01-01"). It also sends
weekly reminders to admins giving the current number of unused accounts.

It is in $PATH for all normal users; for usage, invoke it with --help,
or just see the email it send to admin@.
2024-10-25 18:49:04 +02:00
0caa57a30e update inputs 2024-10-21 18:50:12 +02:00
60c661317c update inputs 2024-10-14 13:30:09 +02:00
a5dd06225b
parsons/nftables: don't log refused connections 2024-10-11 14:22:52 +02:00
1d92eb6de9
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/90fe4c0103687f9c6124b783762deee2561d335a' (2024-10-07)
  → 'github:NixOS/nixpkgs/c505ebf777526041d792a49d5f6dd4095ea391a7' (2024-10-11)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/dbddb7982786880db5849eef097107bceef1b165' (2024-10-07)
  → 'github:NixOS/nixpkgs/7045aa75c71e90ae3bbb486d35414b08add9c424' (2024-10-11)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/2750ed784e93e745a33fb55be7c2657adfb57c00' (2024-10-06)
  → 'github:Mic92/sops-nix/06535d0e3d0201e6a8080dd32dbfde339b94f01b' (2024-10-08)
2024-10-11 14:17:24 +02:00
2d99878838
mattermost: 9.11.2 → 9.11.3
this is a security release. announcement by upstream:
https://mattermost.com/blog/mattermost-security-updates-10-0-1-9-11-3-esr-9-5-11-esr-released/
2024-10-11 14:16:18 +02:00
da3795d35b update inputs 2024-10-07 15:54:27 +02:00
41670c996f
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/e91cee8db967c83f041119233779caa73ff5f328' (2024-09-29)
  → 'github:NixOS/nixpkgs/6adbd5b505bb0255c30c6e9b22b5f345601afc46' (2024-10-02)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/a6d0207fea9212d28cd3d487efe6bc699663b93a' (2024-09-30)
  → 'github:NixOS/nixpkgs/c98ddb920493f24dd57ea34a18dafdbd16eeace0' (2024-10-03)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/127a96f49ddc377be6ba76964411bab11ae27803' (2024-09-27)
  → 'github:Mic92/sops-nix/3198a242e547939c5e659353551b0668ec150268' (2024-09-30)
2024-10-03 12:50:20 +02:00
b409d603a9 update inputs 2024-09-30 14:47:42 +02:00
6cd10a640c mattermost: 9.11.1 → 9.11.2
this is a security release. announcement by upstream:
https://mattermost.com/blog/mattermost-security-updates-9-11-2-esr-9-10-3-9-5-10-esr-released/
2024-09-27 15:22:05 +02:00
cb7975e778 update inputs 2024-09-23 17:48:25 +02:00
697bbedd41 update inputs 2024-09-16 13:43:49 +02:00
2ef1aeca1b update inputs 2024-09-09 12:00:17 +02:00
d27d9e8722 update inputs 2024-09-02 20:39:22 +02:00
c295604a13 flake.nix: expose mattermost under packages.*
this makes it easier to update, e.g. by doing "nix-update -F
mattermost".
2024-08-30 17:56:10 +02:00
4dc9cdac91 flake.nix: move websites from packages.* to apps.*
this should not change their behaviour with "nix run", which was
the reason for putting them there in the first place (however, it does
remove the ability to build them with "nix build", but afaik this has
never been used by anyone).

This means the packages.* output is now left unused, so we can use it
instead for things that actually are programs which want to expose
(see the next commit after this one for an example).
2024-08-30 17:55:03 +02:00
67da5a7c8a mattermost 9.11.0 → 9.11.1
this is a security release. announcement by upstream:
https://mattermost.com/blog/mattermost-security-updates-9-11-1-9-10-2-9-9-3-9-5-9-esr-released/
2024-08-30 17:41:49 +02:00
272b3e6e51 update inputs 2024-08-28 13:31:50 +02:00
4d5e82a0d9 mattermost: disable the big blue buttom plugin
this has not been used for quite some time, and since the new mattermost
version displays the plugin's button more prominently it's now definitly
time to remove this.
2024-08-19 22:05:03 +02:00
1cc938a0b8 update inputs 2024-08-19 21:30:40 +02:00
c3c7fe44de mattermost: jump ESR versions (9.5.x → 9.11.x) 2024-08-17 22:01:18 +02:00
eaa25de128 mattermost: make it work with nix-update
this mirrors a change in the nixpkgs definition: the nix-update script
has a hardcoded list of attributes it will update. We can re-use one of
them to make it update mattermost's web frontend at the same time as it
updates mattermost itself.

The list of attribute names is here:
  https://github.com/Mic92/nix-update/tree/1.3.1?tab=readme-ov-file#features
original nixpkgs commit by numinit was
  1451a58a57e1bd1592460268bdde30cf72923010
  1451a58a57
2024-08-17 21:58:50 +02:00
5d598bafaa update inputs 2024-08-12 13:41:58 +02:00
79610d6adc update inputs 2024-08-04 19:15:48 +02:00
ea2500ff79 update inputs 2024-07-29 20:29:33 +02:00
34a27e9dc8 mattermost 9.5.7 → 9.5.8
this is a security release. announcement by upstream:
Link: https://mattermost.com/blog/mattermost-security-updates-9-10-1-9-9-2-9-8-3-9-5-8-esr-released/
2024-07-26 17:13:06 +02:00
960426f68f Revert "s4f-conference: another mattermost"
This reverts commit d933a6ef98.

The conference was held months ago, and as agreed beforehand, we would
delete this instance after two months, which is now.

This revert was partially done by hand, since sops does not play nice
with automated git merged (these lead to mac mismatches).
2024-07-26 15:06:04 +02:00
87b1f4a0eb nextcloud28 → nextcloud29 2024-07-25 18:37:43 +02:00
9e7f02ae7b update inputs 2024-07-22 22:28:22 +02:00
47ee7ac1ab update inputs 2024-07-15 15:26:10 +02:00
db2d353029 inputs: make sops-nix/nixpkgs follow nixpkgs-unstable
deduplicates our nixpkgs instances a little
2024-07-15 15:25:33 +02:00
84dddea096 mattermost 9.5.6 → 9.5.7
this is a security release. announcement & changelog by upstream:
  https://mattermost.com/blog/mattermost-security-updates-9-9-1-9-8-2-9-7-6-9-5-7-esr-released/
2024-07-14 22:45:56 +02:00
e88833120a update inputs 2024-07-08 21:34:27 +02:00
d1e5820166 tracktrain: update
this includes the jump to conftrack, a custom-written configuration
library that'll hopefully be less annoying to deal with than conferer.

It's very much unstable & somewhat incomplete software for now, but
should hopefully reach a stable state soon (this deployment is thus
basically part of testing it).

It also means we can finally write camelCase in config keys without
having the config library fail on us!
2024-07-05 23:12:20 +02:00
5fe7a12b74 forgejo: unbundle, use from nixos-unstable-small
this is almost a revert of 147fe172d9,
but we now use the forgejo package of nixos-unstable-small instead of
that from stable nixos.

we were never noticably faster than forgejo maintainance upstream (turns
out that unlike mattermost, some services actually get updated in time);
no update was ever more than just copying the latest upstream package
recipe.

As a side-effect, this also updates forgejo to 7.0.5, which is a
security release:
  https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-5
2024-07-05 13:24:13 +02:00
fbeaf68490 nextcloud: longer startup timeout
it sometimes takes a long while to boot & signal being ready to systemd,
which will kill it after the timeout is reached, after which it's rinse
and repeat and yay for a boot loop.
2024-07-02 15:11:38 +02:00
2de13398e6 update nixpkgs-unstable-small
this includes the fix for a remote code excecution as root
 https://github.com/NixOS/nixpkgs/pull/323761
 (probably CVE-2024-6387)

annoyingly it did not bump the version number (to check that the fix
is indeed there, one has to check wich patches are applied).

it also adds nextcloud to the permitteed insecure packages because we
again didn't update it in time (in fairness, it is also broken).

fun irony!
2024-07-01 14:47:37 +02:00
89dd5499a4 update inputs 2024-06-24 17:48:24 +02:00
cabc8706a3 hotfix: set monit onlyoffice (re)start to config 2024-06-19 21:01:03 +02:00
b314c296b2 update to nixos 24.05 2024-06-19 20:51:44 +02:00
8dcc83b017 update inputs 2024-06-17 17:27:51 +02:00
7a05ceb813 forgejo 7.0.2 → 7.0.4
copies the state of 7.0.3 on nixpkgs master, updates to 7.0.4
2024-06-13 21:03:56 +02:00
5f982dad47 update inputs 2024-06-10 01:24:54 +02:00
f045684f7a mattermost 9.5.5 → 9.5.6
this is a security release. announcement & information by upstream:
https://mattermost.com/blog/mattermost-security-updates-9-8-1-9-7-5-9-6-3-9-5-6-esr-released/
2024-06-04 22:02:39 +02:00
47869a3c8d update inputs 2024-05-27 21:17:42 +02:00
1f871af807 s4f-conference: increase MaxUsersPerTeam 2024-05-22 21:25:07 +02:00
cca5abe131 update tracktrain 2024-05-22 20:20:24 +02:00
83d800164c update inputs
note: tracktrain is now built on nixpkgs-unstable haskell packages;
using nixpkgs-stable with a newer version of haskellPackages.filepath is
unfortunately broken for now.

We can move back to nixpkgs-stable with it once the 24.05 release has
happened.
2024-05-21 17:44:15 +02:00
4ffedfe532 s4f-conference: allow larger uploads
they should probably be using nextcloud for this, but i can't be
bothered to make them a group there, so here we go 🤷
2024-05-21 17:38:34 +02:00
285a8e6a8e mattermost: switch to postgresql
this depends on a whole lot of imperative nonsense being done at the
same time, which i have done.

of special interest to anyone attempting to understand this is
 https://docs.mattermost.com/deploy/postgres-migration.html
for the general shape of incompetence at work,
 https://docs.mattermost.com/install/setting-up-socket-based-mattermost-database.html#with-unix-socket
for yet another interesting syntax for database connection strings, and
 https://github.com/dimitri/pgloader/issues/782#issuecomment-502323324
for a truly astonishing take on how to do database migrations, which
unfortunately i have followed.

As far as I can tell, everything has kept working. Downtime was mostly
spent understanding connection string syntax and their horribly buggy
parsers.

Note for people with server access:
 - i have kept the temporary files (including logs) around in
   /persist/migration inside the container should we ever need them
   again
 - there's a zfs snapshot @pre-postgres with the old state
2024-05-19 23:26:53 +02:00
ed667e15e9 mattermost: packages required for migration 2024-05-19 23:24:26 +02:00
75cc371c01 pkgs: add morph, a mattermost migration tool
this is preliminary work for migrating mattermost from mysql to
postgresql.

This tool is specific to mattermost, but at least it's easy enough to
build. I'm not sure if it makes sense to upstream, but I guess we can
keep it around here.
2024-05-19 23:23:30 +02:00
0a208223c8 update tracktrain
this is a small (temporary) bugfix
2024-05-19 18:08:16 +02:00
8b6ce305d7 mattermost: 9.5.4 → 9.5.5
this is a security release. upstream information:
https://mattermost.com/blog/mattermost-dot-releases-9-7-4-and-9-5-5-esr-released/
2024-05-17 21:08:24 +02:00
215bed6418 update tracktrain 2024-05-16 22:17:09 +02:00
147fe172d9 bundle forgejo @ v7.0.2
this bundles the current package recipe of forgejo in nixpkgs-unstable.
Implies updating forgejo, since nixpkgs-stable is still on 1.20.6 (v6 in
the new version scheme).

This'll mean we have to manually update it same as with mattermost, and
can potentially also help with upstream changes. If we get tired of
that, we can always decide to just use the nixpkgs-unstable version
directly.
2024-05-16 19:06:15 +02:00
2cd0de8eeb common: add sqlite-interactive to systemPackages
we have stuff stored in sqlite, might as well have the client available
by default, given how often we use it.

sqlite-interactive is an override on sqlite in nixpkgs which enables
support for readline & ncurses, which are off by default.
2024-05-15 22:42:18 +02:00
3e40d82579 common: *licks the infra*
Since Lix is now in nixpkgs-unstable-small, I think it's a good time to
use it. This does mean that we now pull in our nix implementation from
an unstable channel, but overall I'm more confident in the Lix team's
ability to not break things than I am in the Nix team's ability to
backport (& then actually release) security updates.

(once Lix is on a stable channel, we can switch back to using it from there)
2024-05-13 14:42:39 +02:00
f749f4ed48 update inputs 2024-05-13 14:39:43 +02:00
679df4d856 mattermost: remove outdated comment
this is misleading and incorrect, the option does work, and is not also
set in the secrets env file.
2024-05-08 14:33:14 +02:00
05af3ac4f8 mattermost: don't pretend we use postgresql
I have little idea what happened here, but this postgres is entirely
unused. The actual database is in mysql, and always has been — the
postgres does contain a mattermost database with the correct tables, but
these are empty.
2024-05-08 14:33:14 +02:00
efadc5ada9 monit: increase delay for deployed-commit-on-main
there's little point in having it alert while people are working on the
config & test-deploying things; it's meant to remind later, in case we
forget committing the result.
2024-05-08 14:33:14 +02:00
d933a6ef98 s4f-conference: another mattermost
this one's not connected to our SSO and intended for short-term use
only, after which it will be deleted again.

I've gone through at least some of mattermost's options to see how many
of these are actually relevant anymore. Some can be left out.

Unlike the other mattermost it also doesn't use any mysql.
2024-05-08 14:32:52 +02:00
6e84a9f9f8 tracktrain: bugfix update 2024-05-04 02:30:35 +02:00
8c3d3bf6db monitoring: warn if no deploy for 10 days
this is not entirely accurate — the lastModified attribute of a flake's
self-input gives the date of the last commit, not the last deploy. But I
figure it's close enough and less obscure to check than reading in the
last date via nix-env.

inspired by: we did no server updates for two weeks.
2024-05-02 22:33:47 +02:00
972a26163a update inputs 2024-05-02 22:33:40 +02:00
27b8ef6784 tracktrain: update
This is the initial version for this year's run of absurd train
operations. I won't dare to call it a release for at least another month
or so, so no version number.

Changes done in our nixfiles:
 - tracktrain now needs ntfy-sh so people (read: I) can get push
   notifications if things break or at least look a little weird
 - I removed the grafana instance; seems like somewhere in the last year
   they changed how to host it under a sub-path (ours was at /metrics),
   so it broke, and I'm not feeling any particular urge to fix it
 - last year's database contents have been yoten
 - also manually updated the gtfs (though I intend to implement logic
   for fetching it in tracktrain, I first need to drag Ilztalbahn into
   actually publishing up-to-date versions again first)
2024-05-02 00:33:39 +02:00
8662943183 mattermost 9.5.2 → 9.5.3 2024-04-28 10:53:52 +02:00
f9005dd4d0 forgejo/openssh: listen on all interfaces
this doesn't help us with anything yet, but it does at least mean that
this openssh now also listens on IPv6, which it didn't before.

(reaching the container from the outside still does not work)
2024-04-27 23:19:20 +02:00
f654b33a56 modules/containers: a hacc-specific containers module
this started with emily pointing out to me that it's possible to
generate IP addresses for containers in Nix (hence no need to worry
about ever having collisions, as we had before), but then I thought,
hey, while I'm at it, I can also write a little container module so we
have a little less repetition in our configs in general (and a more
reasonable place for our custom evalConfig than just keeping it around
in flake.nix).

See the option descriptions in modules/containers.nix for further
details.

Apart from giving all containers a new IP address (and also shiny new
IPv6 addresses), this should be a no-op for the actual built system.
2024-04-19 19:15:22 +02:00
3dc63acf52 modules/buildinfo: simplify implementation
turns out there is a string-slicing function, I just overlooked it when
writing this file (it's even a builtin). So let's use that instead.
2024-04-19 03:38:50 +02:00
208bcaa898 update inputs 2024-04-15 21:58:05 +02:00
d4d3f6e5d2 add m4dz 2024-04-09 20:14:29 +02:00
f75169ce0a switch to nixpkgs-small channels
these get more frequent updates, but we might (sometimes) wind up having
to build stuff ourselves that hydra hasn't gotten to yet.
2024-04-09 01:20:24 +02:00
d99408486a update inputs 2024-04-09 01:02:51 +02:00
d20acbfe58 monit: a couple new checks
move the monit config out of mail.nix, and add two checks:
 - has any systemd unit failed?
 - is the currently deployed commit the tip of the main branch of
   haccfiles?
2024-04-07 16:30:57 +02:00
281745d7a6 simplify nat on parsons 2024-04-07 16:25:08 +02:00
1ad0a7751c use networking.firewall instead of nftables.ruleset 2024-04-07 15:57:51 +02:00
5e51d5f252 docs: do not rebuild on each change
this does slight tweaking of paths to make the docs.hacc.space
derivation no longer depend on our entire flake, so we won't have to
rebuild it as often.
2024-04-06 23:16:43 +02:00
069236027c meta: add build info to motd / system label, remove /etc/haccfiles 2024-04-06 23:15:37 +02:00
283aba0c2c update inputs 2024-03-31 00:20:51 +01:00
faa83b6007 mattermost 9.5.2 → 9.5.3 2024-03-30 23:38:41 +01:00
e81472cb87 monit: restart onlyoffice if failed
this should hopefully help with our consistent onlyoffice-does-not-work-but-no-one-noticed
problems (yes, monit runs as root and can do that).

"then restart" will still send an alert if it restarted the unit (see monit's man page)
2024-03-26 17:06:36 +01:00
1cee814e04 update inputs 2024-03-23 22:42:41 +01:00
8da02ed645 update inputs
later than usual this week
2024-03-15 16:00:58 +01:00
8283162109 mattermost: remove flake inputs, copy nixpkgs package
this copies the current mattermost package definition from upstream
nixpkgs into our repo as-is (that definition itself being a modified
version of our definition that I upstreamed recently).

Since apparently no one else is maintaining the nixpkgs package and I am
apparently maintaining a mattermost package mostly on my own anyways,
this should make upstreaming future changes easier.
2024-03-11 00:13:18 +01:00
8f7f5448a3 mattermost: 9.5.1 → 9.5.2 2024-03-08 18:14:37 +01:00
319e5894e0 alps: hopefully fix the startup issue
alps frequently fails to start (e.g. during a system activation script)
since either its configured imap or smtp servers are not reachable
yet (i.e. their process has not yet opened the corresponding port).

This should hopefully fix that behaviour:
 - also set BindsTo, telling systemd to only start alps once the
   required units have entered "active" state (not just after it has
   started them)
 - also require postfix to be present, since that provides smtp
2024-03-05 17:03:09 +01:00
55b0b3558d update inputs 2024-03-05 16:45:24 +01:00
3fb25aa016 update inputs 2024-03-05 16:45:08 +01:00
7b9e423999 forgejo: final name changes gitea → forgejo
mostly just replacing strings to avoid confusion later on. Since our
containers are now ephemeral, renaming them is basically a non-issue
(though the files under /persist/containers & the uffd client name had
to be changed manually)
2024-02-25 23:24:07 +01:00
f29830ec93 format nftables.nix 2024-02-25 17:53:54 +01:00
e12cc7dbf5 mattermost: 8.1.10 → 9.5.1
This jumps Mattermost ESR Versions (see [1] for their release cycle). The
new version makes use of Go's workspace feature, which unfortunately the
buildGoModule function does not (yet?) support [2], and unfortunately this
breaks the previous build process for mattermost.

Further, the new release also makes use of private modules only included
in the (non-free) enterprise version of mattermost which makes it impossible
to build in the usual way even outside of nixpkgs's build abstractions [3].

Both issues can be solved by using Go 1.22, which has added support for
vendoring when using workspaces, and instructing it to ignore errors with
the -e flag. This requires overriding the go-modules derivation's buildPhase.

Finally, this now also build the commands/mmctl subpackage, which contains
a cli utility to administrate mattermost. This currently has its own nixpkgs
package for no reason i can see at all (it also has a version mismatch
between nixpkgs's mattermost and nixpkgs's mmctl).

[1] https://docs.mattermost.com/upgrade/extended-support-release.html
[2] https://github.com/NixOS/nixpkgs/issues/203039
[3] https://github.com/mattermost/mattermost/issues/26221
2024-02-25 17:22:39 +01:00
cbc7827cb9 make all nixos containers ephemeral 2024-02-22 21:15:41 +01:00
1042c90d8a update inputs 2024-02-20 16:33:43 +01:00
ea230c34b0 remove nix-hexchen from flake inputs
fun fact: this commit delets more lines (in flake.lock) than were
removed during the previous commits (to vendor nix-hexchen's modules
into our repo)
2024-02-18 13:47:54 +01:00
62917423e3 render nftables's ruleset
This does the same as the last commit did for the nftnat module, but for
the more general nftables module. Note the weird whatspace again.
2024-02-18 13:39:54 +01:00
0f678c5e80 render nftnat's extraConfig
this removes usage of the nftnat module by rendering it into a static
nftables config. It's a no-op (modulo /etc/haccfiles) as far as nix is
concerned, hence the slightly off-putting whitespace of the multi-line
string.

This seems to me to be a better approach than just bundling the module,
since we only use it for two things (giving the containers network
access & forwarding port 22 to forgejo), which to me doesn't press for
using a custom module we can't really maintain on our own.
2024-02-17 00:04:51 +00:00
0140b7a9fb bundle encboot
this does nothing but move the module & rename the hexchen.* options to hacc.*
2024-02-17 00:04:51 +00:00
39531f1c48 bundle hexchen's nopersist & bindmount moduls
the bind mount module has been tweaked in a couple ways:
 - rename hexchen.* to hacc.*
 - rename bindmount to bindMount to make it consistent with usage in
   the nixpkgs container module
 - add a hacc.bindToPersist option as shorthand for prepending /perist
   to a path via bind mount

the nopersist module has been shortened a little by moving
service-specific things which are used once out into the individual
service files, and removing those which we don't need at all (this also
means we get to loose a mkForce or two in case of mismatches between
hexchen's and our current config).
2024-02-17 00:04:51 +00:00
461cb01126 uncurse mattermost
thanks to emily for the secret nixpkgs knowledge!
2024-02-16 23:19:56 +01:00
2988939be0 mattermost 8.1.9 → 8.1.10 (cursed)
see the comment in pkgs/mattermost.nix
2024-02-16 19:44:22 +01:00
7427df5167 mattermost: firewall.allowedTCPPorts redundant
our containers profile already sets networking.firewall = false, so this
does exactly nothing except cause confusion.
2024-02-12 21:07:53 +01:00
1ccc0ccbca update inputs, mattermost 8.1.8 → 8.1.9 2024-02-07 22:53:34 +01:00
5dd817796f parsons/gitea.nix → parsons/forgejo.nix
forgot this last time ...
2024-02-01 00:10:00 +01:00
a36d2a7617 update inputs 2024-01-30 14:46:02 +01:00
c28a1f6e2e monit: check for onlyoffice status 2024-01-28 22:56:33 +01:00
c681bb413c gitea → forgejo 2024-01-28 16:07:18 +01:00
062e123046 common/users: add floppy & leah2 2024-01-28 15:57:07 +01:00
93cc8b8172 backups: psql dumps for mattermost & nextcloud 2024-01-28 15:48:13 +01:00
816e175b33 restic: move secrets into sops 2024-01-28 15:32:18 +01:00
a3c6479dbe update inputs 2024-01-23 20:05:36 +01:00
abfc5618e9 mattermost 8.1.7 → 8.1.8 2024-01-19 00:58:12 +01:00
c0f37da12f update inputs 2024-01-16 02:38:20 +01:00
12e4cba3e6 websites: better watch scripts
nix run .#\"<domain>\" will now actually listen for changes in the
source repository, and not first copy the entire thing into the nix
store.
2024-01-12 00:41:15 +01:00
68dc640257 fix docs.hacc.space
this is a slightly cursed work around; see the comment.

Alternatively, we could pass in the $src attribute of that derivation
via callPackage (passing it through all the way from flake.nix), but tbh
that sounds like too much effort rn.

Have fun with confusingly long paths in the nix store 🙃
2024-01-12 00:31:32 +01:00
41d82ae436 meta: new structure
we decided to:
 - get rid of unused packages
 - simpify the directory layout since we only have one host anyways
 - move our docs (such as they are) in-tree
2024-01-11 23:49:26 +01:00
c2022d9c60 add a .rgignore
to make Moira less annoyed when using ripgrep
2024-01-11 21:30:22 +01:00
990d48a1c7 update inputs; simple-nixos-mailserver now has a 23.11 branch 2024-01-08 22:25:55 +01:00
d011fcb56d update inputs
back to normal weekly updates now
2024-01-02 17:21:44 +01:00
b38e6a0ebc move the auamost.fish script into haccfiles
This is our script to synchronise groups between uffd and mattermost,
since there seems to be no better way to do that. It has long lived
under /persist/magic/auamost since it contained sensitive data (both
which groups are on our platform & access tokens to both uffd's and
mattermost's API with admin-level permissions).

This splits the script up into a non-sensitive part which lives in Nix,
and a small snippet that just sets all the sensitive stuff into env vars
in sops, so we can manage the entire thing with our usual setup.
2023-12-30 19:03:25 +01:00
a72f35de35 update inputs (smtp smuggling)
also hexchen's nixfiles now set the mysql data dir, so we now have
one more mkForce.
2023-12-27 16:56:52 +01:00
4e17d6034c update inputs 2023-12-23 03:56:55 +01:00
2008876dc6 !fixup: add a " also whitespace 2023-12-16 20:41:26 +01:00
910caf3485 servies/murmur: update some text 2023-12-16 18:49:29 +01:00
226508d4b0 tracktrain: use psql15 2023-12-12 00:10:35 +01:00
cb87d88a13 gitea: please use postgresql 15
whoops, forgot this one. why do modules bundle other modules, anyways?
2023-12-08 19:51:48 +01:00
658e9046c5 /persist is needed for boot & sops-activation 2023-12-08 19:46:07 +01:00
c3457207cd update mattermost hash
turns out you can't just re-use it across NixOS versions.
2023-12-08 01:12:24 +01:00
4d91e1f591 remove zroot/local/docker from fstab 2023-12-08 00:54:51 +01:00
01d972c9ed mattermost 8.1.6 → 8.1.7 2023-12-08 00:54:42 +01:00
9d187d212a initial work towards nixos 23.11
Note: this updates all postgres instances, since postgresql_11 no longer
exists.
2023-12-02 22:05:46 +01:00
17149be4bd update inputs 2023-11-21 15:44:28 +01:00
920ea9e8d4 flake updates & mattermost 8.1.5 → 8.1.6 2023-11-14 19:58:36 +01:00
f03a582345 updates: mattermost 8.1.4 → 8.1.5 2023-11-07 17:36:53 +01:00
641c59092c fix a mistake in flake outputs
`nix run ...` should run websites; I broke this earlier.
2023-11-04 18:21:07 +01:00
b5855fe379 unpin nix-hexchen
bug which broke things in 448ea1b831
got fixed upstream.
2023-11-04 18:20:30 +01:00
0f19d712cb Removed <del>-tag at #hacc:hackint.org link 2023-11-01 20:38:55 +00:00
448ea1b831 updates, but pin older nix-hexchen 2023-11-01 18:36:54 +01:00
ea5a77703e updates
general updates of flake input & mattermost minor version bump (8.1.3 → 8.1.4)
2023-10-27 18:41:39 +02:00
8186160c1b update nixpkgs 2023-10-16 20:56:08 +02:00
e03bf84d3a mattermost: jump ESR versions 7.8.x → 8.1.3
package definition adjusted by comparing to the current version in
Nixpkgs.
2023-10-07 22:27:23 +02:00
a4288d77ce update
(inputs & mattermost security release)
2023-10-07 20:02:02 +02:00
3ce4b83464 update inputs 2023-10-01 15:53:33 +00:00
9e7929ab5f fix auamost
????

fish doesn't find jq if it's not in environment.systemPackages, dunno why.
2023-09-28 01:11:02 +02:00
a8f7ee667d downgrade nextcloud module
whoops, forgot to commit this bit in the remove-unstable commit, and
lack energy to go back & amend & rebase
2023-09-28 01:11:02 +02:00
eae84263f5 less verbose container definitions
move some options (the nopersist & container profiles + allowUnfree
packages) into the evalConfig used for containers, so we don't have to
repeat ourselves as much.

also removed some no-longer-needed specialArgs.

also made thelounge work with nopersist, which for some reason it didn't
use before.
2023-09-28 01:11:02 +02:00
6586f0c552 remove unstable
this downgrades vaultwarden back to what's in stable; this was the last
thing we used from unstable, so remove that as well.
2023-09-28 01:11:02 +02:00
f9d7496af7 various absurd fixes 2023-09-28 01:11:02 +02:00
a17cd69a52 keep using the old uffd's pythonPackages, lol 2023-09-28 01:11:02 +02:00
54fe6bfce7 Revert "new uffd packaging"
This reverts commit 90f4971e88d22da6b2a213bbeb1790f456024b36, and resets
the uffd version to the one we are already using, in hopes of making the
update slightly less painfull (haha).
2023-09-28 01:11:02 +02:00
17ead057f4 update inputs 2023-09-28 01:11:02 +02:00
3407e873ef new uffd packaging 2023-09-28 01:11:02 +02:00
4b40d665fe update inputs
this now no longer needs to be built with allow_broken; tracktrain's
packaging now includes an override to remove the marked-broken state.
2023-09-28 01:11:02 +02:00
6529cb79a0 update inputs 2023-09-28 01:11:02 +02:00
72ca5b2888 initial work for 23.05
in theory this might be ready to deploy. Potential hazards & things to
know when actually doing so:

 1. the mysql version used by mattermost was updated (the old uses an
    openssl which is marked insecure). Might have to migrate a database
 2. lots of settings now use RFC 42-style settings, which might contain
    new typos
 3. this updates uffd (& changes the patches we apply). Since version
    dependencies of uffd are basically "whatever debian has" we have
    never bothered to match them, but afaik have also never updated uffd
    since the initial deploy some years ago. No guarantee it still
    works.
 4. tracktrain depends on haskellPackages.conferer-warp, which is
    currently marked broken. There is no reason for this (it builds
    fine). Until fixed upstream, build with NIXPKGS_ALLOW_BROKEN=1.
    cf. https://github.com/NixOS/nixpkgs/pull/234784; waiting for a
    merge of haskell-updates into 23.05
2023-09-28 01:11:02 +02:00
74654f2fc0 websites: rooms on libera → hackint.org 2023-09-25 17:28:18 +02:00
4fb06c3e10 mattermost 7.8.10 → 7.8.11
(another security update)
2023-09-20 00:33:36 +02:00
d7d15f4b0b websites: chats are on raccoon.college for now 2023-09-12 22:28:53 +02:00
c18215f356 mattermost 7.8.8 → 7.8.10 2023-09-06 17:02:46 +02:00
6a4ff47443 mattermost 7.8.7 → 7.8.8 2023-07-19 22:20:45 +02:00
109aada070 mattermost 7.8.5 → 7.8.7 2023-07-08 00:33:11 +02:00
2d542e9167 remove auth.infra4future.de 2023-05-27 16:26:48 +02:00
d8e937a91d mattermost: 7.1.8 → 7.8.5 2023-05-19 23:06:15 +02:00
57b6eac7c2 tracktrain: upstream is slow in updating gtfs, use our own
note: I am author of both the file now under /persist/containers/tracktrain
& the upstream one at ilztalbahn.eu, but don't have direct access to the
wordpress instance running there, and no one who does has yet uploaded
the new file.
2023-05-17 17:49:56 +02:00
e5d57ebec9 sops/tracktrain: fix a missed non-declarative secret 2023-05-17 17:49:28 +02:00
6a51e74c73 enable receiving mail on mattermost@
otherwise we apparently cause feedback loops? pfft.
2023-05-05 16:28:37 +02:00
5bd2c5ab4c remove apparently unnecessary nextcloud config 2023-05-04 00:46:48 +02:00
3099798468 remove apparently unnessary mattermost lib.mkForce 2023-05-04 00:40:59 +02:00
b5d4f76a1d rotate octycs's ssh key 2023-05-04 00:40:44 +02:00
003f2f7e44 move all on-disk secrets into sops
this only concerns secrets which are in a raw file. Some of our
services (e.g. nextclouds) keeps secrets in its database; these remain
untouched.

Not yet deployed because of shitty train internet.
2023-05-03 23:04:13 +02:00
0d75469590 rotate zauberberg's ssh key 2023-05-03 22:33:12 +02:00
49fa2325f3 sops-nix proof of concept
this is currently deployed and appears to be working. please everyone
have a look at it & then decide if we want to use this for the other
secrets as well.
2023-04-19 20:08:45 +02:00
a3689d1c76 mattermost: 7.1.7 → 7.1.8
this is a security update, see
https://mattermost.com/blog/mattermost-security-updates-7-9-2-7-8-3-esr-7-7-4-7-1-8-esr-released/
for more.
2023-04-15 19:02:42 +02:00
eda184ee48 netbox: remove python override workaround
this is currently unused anyways, but in case we ever do need it again,
https://github.com/NixOS/nixpkgs/pull/223268 has removed the need for
the weird override workaround.
2023-04-05 23:04:59 +02:00
8d9df0e20e mattermost: 7.1.4 → 7.1.7
apparently the 7.1.x series is now old enough that even though it
does still get security fixes, the mattermost team no longer mentions
this on their blog, so we missed out on a couple. fun!
2023-03-24 03:49:37 +01:00
fb3c1b0a96 symlink haccfiles into /etc/haccfiles
upsides:
 - we will no longer get confused about which state is currently deployed
downsides:
 - deploys get slower, since it has to uploads the entire haccfiles each time
2023-03-23 15:29:29 +01:00
b30df7ea6d unbreak tracktrain css 2023-03-16 15:03:13 +01:00
26f3f98a9c update inputs 2023-03-15 21:50:48 +01:00
f91ea850bc
mail: reenable recieving mail on noreply@
because mail providers are sending out abuse mails for fbls they're
causing *shrung*
2023-03-15 19:06:36 +01:00
87 changed files with 2224 additions and 1665 deletions

1
.rgignore Normal file
View file

@ -0,0 +1 @@
websites/*

23
.sops.yaml Normal file
View file

@ -0,0 +1,23 @@
keys:
- &parsons age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
- &hexchen-backup age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
- &stuebinm-ilex age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
- &stuebinm-surltesh-echer age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
- &stuebinm-abbenay age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
- &octycs-m age1fm3e99tdyrsvztdchxxllt9nat35xzvd68d09y8scu9jfc7kvvuquhr49c
- &zauberberg-conway age16fk0m26n0fr2vmuxm2mjsmrawclde2mlyj6wg3ee9jvzmu5ru3ustgs5jq
- &moira-2022-06 age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
- &moira-openpgp age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
creation_rules:
- path_regex: secrets.yaml
key_groups:
- age:
- *parsons
- *hexchen-backup
- *stuebinm-ilex
- *stuebinm-surltesh-echer
- *stuebinm-abbenay
- *octycs-m
- *zauberberg-conway
- *moira-2022-06
- *moira-openpgp

View file

@ -1,22 +1,26 @@
# hacc nixfiles # hacc nixfiles
welcome to hacc nixfiles (haccfiles). this is the code describing our nix-based infrastructure. Welcome to the hacc nixfiles (haccfiles). This is how we configure (most of)
our infrastructure.
## structure ## General layout
- `flake.nix`: Entrypoint & dependencies - `flake.nix`: Entrypoint & dependencies
- `common/`: configuration common to all hosts
- `modules/`: home-grown modules for hacc-specific services - `modules/`: home-grown modules for hacc-specific services
- `pkgs/`: packages we built and don't want to upstream - `pkgs/`: packages we need which aren't in nixpkgs
- `hosts/`: configuration.nix per host (currently there's only one of those) - `websites/`: static websites hosted by us
- `services/`: all services we run; imported in appropriate host config - `common/`: meta-level config, reusable across machines
- `websites/`: static websites we deploy somewhere - `parsons/`: our sole server, its config & the services it runs
## working with the haccfiles Right now, we only have a single host. We might add more again in the future.
## Working with this repo
You will need a flake-enabled nix installation, and have your ssh config set up You will need a flake-enabled nix installation, and have your ssh config set up
so that `ssh parsons` will connect to `parsons.hacc.space`. so that `ssh parsons` will connect to `parsons.hacc.space`.
### Deploying remotely
It's recommended to use [deploy_rs](https://github.com/serokell/deploy-rs): It's recommended to use [deploy_rs](https://github.com/serokell/deploy-rs):
~~~shell ~~~shell
deploy .#parsons -k [--dry-activate] deploy .#parsons -k [--dry-activate]
@ -28,13 +32,12 @@ nixos-rebuild --flake .#parsons --target-host parsons \
--use-remote-sudo --use-substitutes [test|switch|dry-activate] --use-remote-sudo --use-substitutes [test|switch|dry-activate]
~~~ ~~~
If for some reason you have `nix` but not `nixos-rebuild`, you can still build the ### Re-deploying on parsons itself
system closure using:
~~~shell
nix build .#nixosConfigurations.parsons.config.system.build.toplevel
~~~
(but you might have trouble deploying it) Simply do:
~~~shell
nixos-rebuild --flake .#parsons [test|switch|dry-activate]
~~~
## Working on websites ## Working on websites

View file

@ -4,7 +4,6 @@
imports = [ imports = [
../modules ../modules
./users.nix ./users.nix
modules.network.nftables
]; ];
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages; boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
@ -16,6 +15,7 @@
SystemMaxUse=512M SystemMaxUse=512M
MaxRetentionSec=48h MaxRetentionSec=48h
''; '';
nix.package = pkgs.lix;
nix.gc.automatic = lib.mkDefault true; nix.gc.automatic = lib.mkDefault true;
nix.gc.options = lib.mkDefault "--delete-older-than 7d"; nix.gc.options = lib.mkDefault "--delete-older-than 7d";
nix.settings.trusted-users = [ "root" "@wheel" ]; nix.settings.trusted-users = [ "root" "@wheel" ];
@ -27,13 +27,16 @@
services.openssh = { services.openssh = {
enable = true; enable = true;
ports = lib.mkDefault [ 62954 ]; ports = lib.mkDefault [ 62954 ];
passwordAuthentication = false; settings = {
kbdInteractiveAuthentication = false; X11Forwarding = true;
permitRootLogin = lib.mkDefault "prohibit-password"; PermitRootLogin = "prohibit-password";
extraConfig = "StreamLocalBindUnlink yes"; PasswordAuthentication = false;
forwardX11 = true; KbdInteractiveAuthentication = false;
StreamLocalBindUnlink = true;
};
}; };
programs.mosh.enable = true; programs.mosh.enable = true;
programs.fish.enable = true;
security.sudo.wheelNeedsPassword = lib.mkDefault false; security.sudo.wheelNeedsPassword = lib.mkDefault false;
i18n.defaultLocale = "en_IE.UTF-8"; i18n.defaultLocale = "en_IE.UTF-8";
@ -58,7 +61,7 @@
whois whois
iperf iperf
fd fd
exa eza
socat socat
tmux tmux
gnupg gnupg
@ -72,6 +75,8 @@
ffmpeg-full ffmpeg-full
bat bat
niv niv
sqlite-interactive
hacc-scripts
]; ];
security.acme.defaults.email = "info+acme@hacc.space"; security.acme.defaults.email = "info+acme@hacc.space";

View file

@ -19,24 +19,12 @@
]; ];
}; };
stuebinm = {
uid = 1005;
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.fish;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7J3peZGB4XGJKI1dV5PdpQS+TzmoJ7qL//ipCG7G5K stuebinm@surltesh-echer"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPB74xA2GBXnDwPEEaxWLONdQyBwjDoJHYagKRQXwO2 stuebinm@abbenay"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8e9WrHsknoFwBm/YaigOSz9VI8dXRRR5G9BX4kKt9/ stuebinm@ilex"
];
};
octycs = { octycs = {
uid = 1002; uid = 1002;
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDobGLrA6YQAKdJkZMpAsqjlk744G/pCJEvAUNJDuT1Sr59BFKDchPT03exb0o39mjH4iqvw4JDI10RfylKbR1736Ji2yRLlbCzUdgv2CfZc28TAO0rscyT49RHJmzEEE5QD4Ge7MgvFBEmZKXAxntA8M8EbxxEVfzhWp3751BYkzrCbJiHMXcTb+BG9P6rmrraINmgUJxywym5PsMYt2sfHlVus3hSpWnCR/cu0nxmW9E6Tm6CzSkWOXOTdjVuc0Kgh5GXaKDROzJ9K7cJAhd5t8Yzqtpm2xfSU5FVVUH9i7PbXOo8FL82Xi6kWMgdFNLvKimxGqW+bCv3ROlyKWF4I+HQdfdL181KaOQ40jAvjmldrB/ZiEbuWYSBZ/XhxFkKrtBYPDFHq/a5lnH3OvcDm7+/LhwIKUnyZyQ2dXOLOTOEDsO/69xwNveCB8of9o/erDbOeb+d44cXUFpPMUTz4bHXEP6y+zz8TB8/aleGbLQCPUzRZfvazN95jGUDqkumi9B3Lf+W/KpjVUgu3NQsUuJn6khMYW9VefnJvHwzbWpqIzbzNePL4iZFECv4NHPQHO/katajnMbkCie9rfnLk1EjJnrSnZUInEygkW/7Eu4EQM2h7lU4HYfwP1c4ubCFdES0ELGqSuJRwd/ORDbgxbuKOQ7gZ3/lgHdr9KGqJQ== markus.amaseder@amaseder.de" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQqFXSlqW+D4ZtVdCiN9IT461iwyqy2taBRD3qkvXqn m@octycs.eu"
]; ];
hashedPassword = "$6$qQEbD8Ejx/y$6/nkX8CmFBtAlUP/UbFKVMVlA.ZvVbjQZRABqXQjU11tKpY25ww.MCGGMEKFv.7I/UH/126/q0S3ROTqePUEc."; hashedPassword = "$6$qQEbD8Ejx/y$6/nkX8CmFBtAlUP/UbFKVMVlA.ZvVbjQZRABqXQjU11tKpY25ww.MCGGMEKFv.7I/UH/126/q0S3ROTqePUEc.";
}; };
@ -46,7 +34,7 @@
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" "cdrom" ]; extraGroups = [ "wheel" "cdrom" ];
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt34ou3NYWoUayWrJa5ISzihAAhFiwolJPmm2fF9llPUUA8DP3BQRiKeqDlkDzhWLwztb+dNIUuregiFJdRN5Q2JZBKlM7Gqb1QtPhtK+xe2pyZPX2SWKIsKA6j3VAThhXsQdj3slXu3dG8FF7j+IFg/eTgpeQIFQQkMIc204ha8OP2ASYAJqgJVbXq8Xh3KkAc1HSrjYJLntryvK10wyU8p3ug370dMu3vRUn44FEyDzXFM9rfsgysQTzVgp+sXdRfMLeyvf+SUrE8hiPjzevF2nsUP0Xf/rIaK5VayChPLXJkulognINzvuVWAdwNPDLpgGwkjglF2681Ag88bLX allesmoeglicheundvielmehr@hotmail.de" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfxXSy22k2EZwz1EtvIMwQKGWsswEBeLn5ClhuiI4Ma lukas@Conway.lan"
]; ];
packages = with pkgs; [ ffmpeg ]; packages = with pkgs; [ ffmpeg ];
}; };
@ -62,5 +50,37 @@
]; ];
hashedPassword = "$6$zkAsaVdmIduqZxez$GY9aBlYeP41F0it/VbbZzLLLRQhHAbDdFsa3e/1GS9McTuSimMHODg6HqNVEH1zSqD3afhK/0UHfqbtF5qpi90"; hashedPassword = "$6$zkAsaVdmIduqZxez$GY9aBlYeP41F0it/VbbZzLLLRQhHAbDdFsa3e/1GS9McTuSimMHODg6HqNVEH1zSqD3afhK/0UHfqbtF5qpi90";
}; };
stuebinm = {
uid = 1005;
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.fish;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7J3peZGB4XGJKI1dV5PdpQS+TzmoJ7qL//ipCG7G5K stuebinm@surltesh-echer"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPB74xA2GBXnDwPEEaxWLONdQyBwjDoJHYagKRQXwO2 stuebinm@abbenay"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8e9WrHsknoFwBm/YaigOSz9VI8dXRRR5G9BX4kKt9/ stuebinm@ilex"
];
};
leah2 = {
uid = 1006;
shell = pkgs.fish;
isNormalUser = true;
extraGroups = [ "wheel" "cdrom" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4o/ncaQUorp/BeZesPnVhzvfoqLJW3WZHtz+CWQvFU"
];
};
floppy = {
uid = 1007;
shell = pkgs.fish;
isNormalUser = true;
extraGroups = [ "wheel" "cdrom" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyVQhFDcoMnoYivQu1h8NCTWa+2WriZ1m5BilkuUk4u"
];
};
}; };
} }

7
docs/_index.md Normal file
View file

@ -0,0 +1,7 @@
+++
title = "hacc infra documentation"
page_template = "doc-page.html"
sort_by="title"
+++

10
docs/auth.md Normal file
View file

@ -0,0 +1,10 @@
+++
title = "Authentication"
categories = [ "services", "uffd" ]
+++
We use [uffd](https://git.cccv.de/uffd/uffd) for our SSO, for better or worse.
Mostly for worse.

20
docs/domains.md Normal file
View file

@ -0,0 +1,20 @@
+++
title = "Domains"
categories = [ "domains", "meta" ]
+++
Perhaps too many of them.
## Domains
| domain | mc | status | date | reseller | owner | custody |
| :------------------- | :-: | :-----: | :------: | :---------- | :--------- | :-----: |
| 4future.dev | yes | | | | | hacc e.V. |
| infra4future.de | yes | | | | | hacc e.V. |
| hacc.space | yes | | | | | hacc e.V. |
| hacc.earth | yes | | | | | hacc e.V. |
| hacc.media | yes | | | | | hacc e.V. |
| hacc.wiki | no | | | | | |
mc = managed by cloudflare
status = (renewl | autorenewl | expires)

16
docs/hostnames.md Normal file
View file

@ -0,0 +1,16 @@
+++
title = "Hostname schema"
+++
[Badass Anarchist Women](https://listverse.com/2018/09/27/10-absolutely-badass-anarchist-women-who-challenged-the-system/)
- keller
- deCleyre
- davidNeel
- leGuin
- [parsons](../parsons)
- ohair
- berneri
- michel
- sanger
- goldman

17
docs/lxc.md Normal file
View file

@ -0,0 +1,17 @@
+++
title = "LXC"
categories = [ "lxc" ]
+++
Some things don't easily run on NixOS. For these we have LXC containers running
debian.
Right now, only onlyoffice is left.
## Useful commands
- login to a container as root with a usable shell
`lxc-attach -n <name> -- /usr/bin/sudo -i`
- restarting the keycloak and ldap containers
`lxc-stop -n <name> && lxc-start -n <name>`
- restarting their network bridge:
`systemctl restart lxcbr0-netdev.services`

18
docs/rebooting.md Normal file
View file

@ -0,0 +1,18 @@
+++
title = "Rebooting Parsons"
categories = [ "nix" ]
+++
## Check integrity after unexpected shutdown
These steps are only required if the server shut down unexpectedly or you suspect tampering.
TODO
## Unlock full disk encryption
Connection to the server via the command listed in the shared password manager.
Only the Vorstand has access to it!
Enter the passwords for dpool and zroot.
If both are correct, you will be disconnected and the server continues the boot sequence.
The server should be up after about minute. Please check all services for availability.

21
docs/secrets.md Normal file
View file

@ -0,0 +1,21 @@
+++
title = "Secrets"
categories = [ "services", "sops" ]
+++
## Secret management
We use [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets which we'd
like to have in Git but don't want to be public. Entries in `secrets.yaml` are
encrypted for each of the age keys listed in `.sops.yaml`, which are themselves
derived from ssh keys.
For the initial set up, please take a look at the sops-nix Readme file.
To edit the secrets file, run `sops secrets.yaml`, which will decrypt the
file & open it in your $EDITOR, then re-encrypt it when you're done.
To add a new key, use `ssh-to-age` to convert your ssh key to age, and add it to
`sops.yaml`. Then do `sops updatekeys secrets.yaml` to re-encrypt the file for
the new set of keys.

5
docs/services/_index.md Normal file
View file

@ -0,0 +1,5 @@
+++
title = "Services"
sort_by = "title"
page_template = "doc-page.html"
+++

19
docs/services/acme.md Normal file
View file

@ -0,0 +1,19 @@
+++
title = "ACME / letsencrypt"
categories = [ "domain", "https", "ssl", "tls", "Certificates" ]
+++
# Usage
We use the ACME module's nginx integration for basically everything. Beware of
rate limits when redeploying lots of things at once! Let's Encrypt is a little
picky about those.
## Workarounds & peculiar configuration choices
Certs live under `/var/lib/acme/`
If you need to remove a cert for whatever reason, be aware that there is a
hidden `.lego` folder, that contains state as well

68
docs/services/hedgedoc.md Normal file
View file

@ -0,0 +1,68 @@
+++
title = "hedgedoc"
taxonomies.categories = [ "services" ]
+++
hegedoc was once called codiMD, so container, config and users are still called codimd.
**Do NOT change this** unless you're sure what you're doing.
We have two instances:
- `pad-hacc`/pad.hacc.space is connected to our SSO/uffd
- `pad-i4f`/pad.infra4future.de is not connected to our SSO and meant to be more public
## Basic Troubleshooting
Usually if hedgedoc dies, it's because postgresql wasn't there yet. Just restart
hedgedoc.
## More Troubles
log into the container and take a look at the logs
~~~shell
sudo nixos-container root-login codimd
journalctl -e
~~~
### fixing failed database upgrades
see https://docs.hedgedoc.org/guides/migration-troubleshooting/ (copied below
for convenience?):
In some cases, HedgeDoc might apply migrations without correctly saving the
progress. It will then refuse to start with "already exists"-errors like
ERROR: type "enum_Notes_permission" already exists.
Get the name of the failing migration and append .js to it. For example, if
you encounter this error:
~~~
== 20180306150303-fix-enum: migrating =======
ERROR: type "enum_Notes_permission" already exists
~~~
the name of the failed migration would be 20180306150303-fix-enum.js.
The SQL-statement may look like this:
~~~
INSERT INTO "SequelizeMeta" (name) VALUES ('20180306150303-fix-enum.js');
~~~
Make sure HedgeDoc does not run and insert the name into the SequelizeMeta table.
Enter the container switch to the postgres user, open psql and commect to the
codimd database:
~~~shell
su postgres
psql
\l
\c codimd
UN adjusted SQL STAMEMENT from above ]
\q
~~~
Start HedgeDoc again and observe if it starts correctly. It may be necessary to
repeat this process and insert multiple migrations into the SequelizeMeta table.

65
docs/services/mail.md Normal file
View file

@ -0,0 +1,65 @@
+++
title = "mail"
taxonomies.categories = [ "services" ]
+++
Mail is not connected to our SSO!
## adding a mail account
- We use `@hacc.space` for our mails
- `@infra4future.de` is reserved for services, old user accounts will be
forwarded & logins disabled
- choose a name (no aliases or other names can be the same)
- generate a sha-512 password hash ```mkpasswd -m sha-512``` - **never add an
unhashed password!**
- add your account to `loginAccounts =` in `//parsons/mail.nix`
- build and redeploy parsons
**example:**
```
zwoelfontheshelf@hacc.space" = {
hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUEdxrxdtgvzuGOkBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
};
```
## adding to a forward address
- add the mail address to the corresponding `extraVirtualAliases =`
- build and redeploy parsons
## adding a forward address
- add the address to `extraVirtualAliases =`
- add the addresses it should forward to
- build and redeploy parsons
**example:**
```
"himmel@hacc.space" = [
"hexchen@hacc.space"
"zauberberg@hacc.space"
];
```
## sending & receiving mail
### as a user
- Your mail client should auto configure correctly
~~~
mailserver: mail.hacc.space (everywhere)
username: $your_mail_address
sending via smtp: port 587 or 465
recieving
imap: port 993
TLS and STARTTLS are supported
~~~
- You can send mail as you and any alias you receive mail from. Set a second Identity in your e-mail client
### as an application
- mailserver: `mail.hacc.space`
- Do **not** use port 25. It's for server to server communication only.
- Use smtp ports `587` or `465`
- enable TLS if possible
- only send mail from `noreply@infra4future.de`
- Password is somewhere (TODO!)

40
docs/services/mumble.md Normal file
View file

@ -0,0 +1,40 @@
+++
title = "mumble"
taxonomies.categories = [ "mumble" ]
+++
[offical Docmuentation](https://wiki.mumble.info/wiki/Main_Page)
Mumble's server is called murmur, but the naming is inconsistent. Sometimes
it's also just called mumble server.
# Usage
## registration
Users need to be registered to join any other channel than public.
An already registered user has to register them with the server.
1. right click on the username
2. choose register in the menu. Done.
## restricted channels
Every channel in the hacc category except for plenum can only be accessed by
members of the hacc group.
## adding users to a group
Only admins can edit groups, and only registered users can be added to groups.
1. right click on the Root channel
2. select Edit...
2. In Groups select $groupname
3. make the change you want to make
4. click "OK"
# Config details
- the server is not registered with mumble & not on the public server list
- the bitrate is set to 128kb/s; otherwise the client would complain that the
server bitrate is less then the configured (default) in its local settings
# Hacks
- murmur needs a TLS cert, which we get via the ACME module
- there's a funny group setup so that hopefully murmurd can read the cert
- this seems to work fine now, but was some source of trouble in the past

View file

@ -0,0 +1,18 @@
+++
title = "$Service Name"
draft = true ## Remove this line to make file appear on website
+++
<general information & pointers to official documentation>
# Usage
<usage from an admin's perspective>
# Config Notes
<what should one keep in mind when reading the nix file?>
## Updating
<anything to keep in mind?>
# Hacks
<ugly things which might break or cause general ???? states>

24
docs/snapshots.md Normal file
View file

@ -0,0 +1,24 @@
+++
title = "Use ZFS snapshot"
taxonomies.categories = [ "zfs", "snapshot", "filesystem", "backup", "update", "upgrade" ]
+++
## Make a ZFS snapshot
~~~shell
sudo zfs snapshot zroot/safe/persist@<name>
~~~
## Rollback
### single files
The snapshots can be accessed under `<mountpoint>/.zfs/snapshot/...`
### fully
~~~shell
sudo zfs rollback zroot/safe/persist@<name>
~~~
## Delete a ZFS snapshot
~~~shell
sudo zfs destroy zroot/safe/persist@<name>
~~~

View file

@ -16,58 +16,6 @@
"type": "gitlab" "type": "gitlab"
} }
}, },
"colmena": {
"inputs": {
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils",
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
],
"stable": "stable"
},
"locked": {
"lastModified": 1675730932,
"narHash": "sha256-XcmirehPIcZGS7PzkS3WvAYQ9GBlBvCxYToIOIV2PVE=",
"owner": "zhaofengli",
"repo": "colmena",
"rev": "e034c15825c439131e4489de5a82cf8e5398fa61",
"type": "github"
},
"original": {
"owner": "zhaofengli",
"ref": "main",
"repo": "colmena",
"type": "github"
}
},
"cyberchaos": {
"inputs": {
"digital-nftables": "digital-nftables",
"digital-secretFiles": "digital-secretFiles",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
]
},
"locked": {
"host": "cyberchaos.dev",
"lastModified": 1675679997,
"narHash": "sha256-Gr+YTufBFFdkA5LHX7h9FGLXp1rl99GH59VNst9rTSg=",
"owner": "cyberchaoscreatures",
"repo": "nixlib",
"rev": "d27cf5ebde98528054adeec64cc757f59e6ce006",
"type": "gitlab"
},
"original": {
"host": "cyberchaos.dev",
"owner": "cyberchaoscreatures",
"ref": "update-akkoma",
"repo": "nixlib",
"type": "gitlab"
}
},
"deploy-rs": { "deploy-rs": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
@ -77,11 +25,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1674127017, "lastModified": 1727447169,
"narHash": "sha256-QO1xF7stu5ZMDLbHN30LFolMAwY6TVlzYvQoUs1RD68=", "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "8c9ea9605eed20528bf60fae35a2b613b901fd77", "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -90,193 +38,14 @@
"type": "github" "type": "github"
} }
}, },
"digital-nftables": {
"flake": false,
"locked": {
"lastModified": 1666650247,
"narHash": "sha256-qMeq9JD9B1Ay2KHn8+VX5ESO9nOduo3yFLS5bqzcnLw=",
"owner": "~digital",
"repo": "digital-nixfiles",
"rev": "937355ebc323c4b6db253ac7ac165e30ce6958a0",
"type": "sourcehut"
},
"original": {
"owner": "~digital",
"ref": "testing",
"repo": "digital-nixfiles",
"type": "sourcehut"
}
},
"digital-secretFiles": {
"flake": false,
"locked": {
"lastModified": 1665365432,
"narHash": "sha256-HF09GMEeDG7/EuLxsqzyR50OwNQY3jvsS86Q5dxl4uA=",
"owner": "~digital",
"repo": "secretFiles",
"rev": "4146e87c049867c9f0786327a746e0a94fda85a7",
"type": "sourcehut"
},
"original": {
"owner": "~digital",
"ref": "main",
"repo": "secretFiles",
"type": "sourcehut"
}
},
"doom-emacs": {
"flake": false,
"locked": {
"lastModified": 1662497747,
"narHash": "sha256-4n7E1fqda7cn5/F2jTkOnKw1juG6XMS/FI9gqODL3aU=",
"owner": "doomemacs",
"repo": "doomemacs",
"rev": "3853dff5e11655e858d0bfae64b70cb12ef685ac",
"type": "github"
},
"original": {
"owner": "doomemacs",
"repo": "doomemacs",
"rev": "3853dff5e11655e858d0bfae64b70cb12ef685ac",
"type": "github"
}
},
"doom-snippets": {
"flake": false,
"locked": {
"lastModified": 1662645711,
"narHash": "sha256-XKpPCtECGZQ5bFPPDUX3oAltXOJNwAI/OktxiLnADRE=",
"owner": "doomemacs",
"repo": "snippets",
"rev": "03a62fe7edf7e87fdbd925713fbd3bf292d14b00",
"type": "github"
},
"original": {
"owner": "doomemacs",
"repo": "snippets",
"type": "github"
}
},
"emacs-overlay": {
"flake": false,
"locked": {
"lastModified": 1675362118,
"narHash": "sha256-11CqDTkQA9P5I4InVCXmj/IaHvz4nUJaLNFiDiHVvIg=",
"owner": "nix-community",
"repo": "emacs-overlay",
"rev": "a018577287e390e01654a8b44d57d183a51b72b2",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "emacs-overlay",
"type": "github"
}
},
"emacs-so-long": {
"flake": false,
"locked": {
"lastModified": 1575031854,
"narHash": "sha256-xIa5zO0ZaToDrec1OFjBK6l39AbA4l/CE4LInVu2hi0=",
"owner": "hlissner",
"repo": "emacs-so-long",
"rev": "ed666b0716f60e8988c455804de24b55919e71ca",
"type": "github"
},
"original": {
"owner": "hlissner",
"repo": "emacs-so-long",
"type": "github"
}
},
"evil-escape": {
"flake": false,
"locked": {
"lastModified": 1588439096,
"narHash": "sha256-aB2Ge5o/93B18tPf4fN1c+O46CNh/nOqwLJbox4c8Gw=",
"owner": "hlissner",
"repo": "evil-escape",
"rev": "819f1ee1cf3f69a1ae920e6004f2c0baeebbe077",
"type": "github"
},
"original": {
"owner": "hlissner",
"repo": "evil-escape",
"type": "github"
}
},
"evil-markdown": {
"flake": false,
"locked": {
"lastModified": 1626852210,
"narHash": "sha256-HBBuZ1VWIn6kwK5CtGIvHM1+9eiNiKPH0GUsyvpUVN8=",
"owner": "Somelauw",
"repo": "evil-markdown",
"rev": "8e6cc68af83914b2fa9fd3a3b8472573dbcef477",
"type": "github"
},
"original": {
"owner": "Somelauw",
"repo": "evil-markdown",
"type": "github"
}
},
"evil-org-mode": {
"flake": false,
"locked": {
"lastModified": 1607203864,
"narHash": "sha256-JxwqVYDN6OIJEH15MVI6XOZAPtUWUhJQWHyzcrUvrFg=",
"owner": "hlissner",
"repo": "evil-org-mode",
"rev": "a9706da260c45b98601bcd72b1d2c0a24a017700",
"type": "github"
},
"original": {
"owner": "hlissner",
"repo": "evil-org-mode",
"type": "github"
}
},
"evil-quick-diff": {
"flake": false,
"locked": {
"lastModified": 1575189609,
"narHash": "sha256-oGzl1ayW9rIuq0haoiFS7RZsS8NFMdEA7K1BSozgnJU=",
"owner": "rgrinberg",
"repo": "evil-quick-diff",
"rev": "69c883720b30a892c63bc89f49d4f0e8b8028908",
"type": "github"
},
"original": {
"owner": "rgrinberg",
"repo": "evil-quick-diff",
"type": "github"
}
},
"explain-pause-mode": {
"flake": false,
"locked": {
"lastModified": 1595842060,
"narHash": "sha256-++znrjiDSx+cy4okFBBXUBkRFdtnE2x+trkmqjB3Njs=",
"owner": "lastquestion",
"repo": "explain-pause-mode",
"rev": "2356c8c3639cbeeb9751744dbe737267849b4b51",
"type": "github"
},
"original": {
"owner": "lastquestion",
"repo": "explain-pause-mode",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1668681692, "lastModified": 1696426674,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1", "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -285,522 +54,108 @@
"type": "github" "type": "github"
} }
}, },
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"format-all": {
"flake": false,
"locked": {
"lastModified": 1581716637,
"narHash": "sha256-ul7LCe60W8TIvUmUtZtZRo8489TK9iTPDsLHmzxY57M=",
"owner": "lassik",
"repo": "emacs-format-all-the-code",
"rev": "47d862d40a088ca089c92cd393c6dca4628f87d3",
"type": "github"
},
"original": {
"owner": "lassik",
"repo": "emacs-format-all-the-code",
"rev": "47d862d40a088ca089c92cd393c6dca4628f87d3",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
],
"utils": "utils_2"
},
"locked": {
"lastModified": 1675935446,
"narHash": "sha256-WajulTn7QdwC7QuXRBavrANuIXE5z+08EdxdRw1qsNs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2dce7f1a55e785a22d61668516df62899278c9e4",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"mattermost-server": {
"flake": false,
"locked": {
"lastModified": 1670418889,
"narHash": "sha256-rCTLA3MPFcDJ88n8B595/WwNUT5c1wNuCwTrcWSHzFU=",
"owner": "mattermost",
"repo": "mattermost-server",
"rev": "7a6d9432c216f5868c9ca29b86083cdee7df75f6",
"type": "github"
},
"original": {
"owner": "mattermost",
"ref": "v7.1.5",
"repo": "mattermost-server",
"type": "github"
}
},
"mattermost-webapp": {
"flake": false,
"locked": {
"narHash": "sha256-DYHHv5Bivk7yanRyl7ccD33ohgp8/J66xVXZs9NZmnU=",
"type": "tarball",
"url": "https://releases.mattermost.com/7.1.5/mattermost-7.1.5-linux-amd64.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://releases.mattermost.com/7.1.5/mattermost-7.1.5-linux-amd64.tar.gz"
}
},
"nix-doom-emacs": {
"inputs": {
"doom-emacs": "doom-emacs",
"doom-snippets": "doom-snippets",
"emacs-overlay": "emacs-overlay",
"emacs-so-long": "emacs-so-long",
"evil-escape": "evil-escape",
"evil-markdown": "evil-markdown",
"evil-org-mode": "evil-org-mode",
"evil-quick-diff": "evil-quick-diff",
"explain-pause-mode": "explain-pause-mode",
"flake-compat": "flake-compat_4",
"flake-utils": [
"nix-hexchen",
"flake-utils"
],
"format-all": "format-all",
"nix-straight": "nix-straight",
"nixpkgs": [
"nix-hexchen",
"nixpkgs"
],
"nose": "nose",
"ob-racket": "ob-racket",
"org": "org",
"org-contrib": "org-contrib",
"org-yt": "org-yt",
"php-extras": "php-extras",
"revealjs": "revealjs",
"rotate-text": "rotate-text",
"sln-mode": "sln-mode",
"ts-fold": "ts-fold",
"ws-butler": "ws-butler"
},
"locked": {
"lastModified": 1675387812,
"narHash": "sha256-fGjWMg97w1mP0cDIR9Y8qCa77sEtiIdYzqiRB+P2YcM=",
"owner": "nix-community",
"repo": "nix-doom-emacs",
"rev": "8de922e4e23158790970a266234a853305b1928d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-doom-emacs",
"type": "github"
}
},
"nix-hexchen": {
"inputs": {
"colmena": "colmena",
"cyberchaos": "cyberchaos",
"deploy-rs": [
"deploy-rs"
],
"doom-emacs": [
"nix-hexchen",
"nix-doom-emacs",
"doom-emacs"
],
"emacs-overlay": [
"nix-hexchen",
"nix-doom-emacs",
"emacs-overlay"
],
"flake-compat": "flake-compat_3",
"flake-utils": [
"deploy-rs",
"utils"
],
"home-manager": "home-manager",
"nix-doom-emacs": "nix-doom-emacs",
"nixos-hardware": "nixos-hardware",
"nixos-mailserver": [
"nixos-mailserver"
],
"nixpkgs": [
"nixpkgs-unstable"
],
"sops-nix": "sops-nix",
"waybar-iceportal": "waybar-iceportal"
},
"locked": {
"lastModified": 1676235298,
"narHash": "sha256-MWWX8P4nhtfFvwhvDBRrjVfXSG3el8rKQHV/NBAA0hE=",
"owner": "hexchen",
"repo": "nixfiles",
"rev": "29ea80ce8b05b0fd329c1f7928be9b4c443294c6",
"type": "gitlab"
},
"original": {
"owner": "hexchen",
"repo": "nixfiles",
"type": "gitlab"
}
},
"nix-straight": {
"flake": false,
"locked": {
"lastModified": 1666982610,
"narHash": "sha256-xjgIrmUsekVTE+MpZb5DMU8DQf9DJ/ZiR0o30L9/XCc=",
"owner": "nix-community",
"repo": "nix-straight.el",
"rev": "ad10364d64f472c904115fd38d194efe1c3f1226",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-straight.el",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1675933606,
"narHash": "sha256-y427VhPQHOKkYvkc9MMsL/2R7M11rQxzsRdRLM3htx8=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "44ae00e02e8036a66c08f4decdece7e3bbbefee2",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixos-hardware",
"type": "github"
}
},
"nixos-mailserver": { "nixos-mailserver": {
"inputs": { "inputs": {
"blobs": "blobs", "blobs": "blobs",
"flake-compat": [
"deploy-rs",
"flake-compat"
],
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs-unstable"
], ],
"nixpkgs-22_05": [ "nixpkgs-24_05": [
"nixpkgs" "nixpkgs"
], ],
"utils": "utils_3" "utils": [
"deploy-rs",
"utils"
]
}, },
"locked": { "locked": {
"lastModified": 1655930346, "lastModified": 1718084203,
"narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=", "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d", "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"ref": "nixos-22.05", "ref": "nixos-24.05",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"type": "gitlab" "type": "gitlab"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1676177817, "lastModified": 1731842749,
"narHash": "sha256-OQnBnuKkpwkfNY31xQyfU5hNpLs1ilWt+hVY6ztEEOM=", "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1b82144edfcd0c86486d2e07c7298f85510e7fb8", "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "id": "nixpkgs",
"ref": "nixos-22.11", "ref": "nixos-24.05-small",
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-stable": { "nixpkgs-oldstable": {
"locked": { "locked": {
"lastModified": 1676162277, "lastModified": 1678761643,
"narHash": "sha256-GK3cnvKNo1l0skGYXXiLJ/TLqdKyIYXd7jOlo0gN+Qw=", "narHash": "sha256-tapXZvg6Kg5Fm7Fm6i+7cRC5Exp2lX7cgMrqsfrGhuc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d863ca850a06d91365c01620dcac342574ecf46f", "rev": "c4aec3c021620d98861639946123214207e98344",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "release-22.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c4aec3c021620d98861639946123214207e98344",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1676150441, "lastModified": 1732007104,
"narHash": "sha256-Nfeua9Ua/dGHOQpzOjLtkyMyW/ysQCvZJ9Dd74QQSNk=", "narHash": "sha256-qaWPxgLAvtIHTDcm0qJuc+WNYjcy4ZKigOyn2ag4ihM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6d87734c880d704f6ee13e5c0fe835b98918c34e", "rev": "0705964c881cea8896474610188905ba41b59b08",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "id": "nixpkgs",
"ref": "nixpkgs-unstable", "ref": "nixos-unstable-small",
"type": "indirect" "type": "indirect"
} }
}, },
"nose": {
"flake": false,
"locked": {
"lastModified": 1400604510,
"narHash": "sha256-daEi8Kta1oGaDEmUUDDQMahTTPOpvNpDKk22rlr7cB0=",
"owner": "emacsattic",
"repo": "nose",
"rev": "f8528297519eba911696c4e68fa88892de9a7b72",
"type": "github"
},
"original": {
"owner": "emacsattic",
"repo": "nose",
"type": "github"
}
},
"ob-racket": {
"flake": false,
"locked": {
"lastModified": 1584656173,
"narHash": "sha256-rBUYDDCXb+3D4xTPQo9UocbTPZ32kWV1Uya/1DmZknU=",
"owner": "xchrishawk",
"repo": "ob-racket",
"rev": "83457ec9e1e96a29fd2086ed19432b9d75787673",
"type": "github"
},
"original": {
"owner": "xchrishawk",
"repo": "ob-racket",
"type": "github"
}
},
"org": {
"flake": false,
"locked": {
"lastModified": 1673519709,
"narHash": "sha256-XtGk32Lw2iGDgH5Q4Rjhig0Iq5hpIM0EKQoptJ+nT3k=",
"owner": "emacs-straight",
"repo": "org-mode",
"rev": "ecb62e2e317b1a4b5b8a6c0f111ed7ef18413040",
"type": "github"
},
"original": {
"owner": "emacs-straight",
"repo": "org-mode",
"type": "github"
}
},
"org-contrib": {
"flake": false,
"locked": {
"lastModified": 1664301003,
"narHash": "sha256-8CAq/EB52RMQHNLZM0uc/1N5gKTfxGhf7WFt9sMKoD8=",
"owner": "emacsmirror",
"repo": "org-contrib",
"rev": "aa104c0bbc3113f6d3d167b20bd8d6bf6a285f0f",
"type": "github"
},
"original": {
"owner": "emacsmirror",
"repo": "org-contrib",
"type": "github"
}
},
"org-yt": {
"flake": false,
"locked": {
"lastModified": 1527381913,
"narHash": "sha256-dzQ6B7ryzatHCTLyEnRSbWO0VUiX/FHYnpHTs74aVUs=",
"owner": "TobiasZawada",
"repo": "org-yt",
"rev": "40cc1ac76d741055cbefa13860d9f070a7ade001",
"type": "github"
},
"original": {
"owner": "TobiasZawada",
"repo": "org-yt",
"type": "github"
}
},
"php-extras": {
"flake": false,
"locked": {
"lastModified": 1573312690,
"narHash": "sha256-r4WyVbzvT0ra4Z6JywNBOw5RxOEYd6Qe2IpebHXkj1U=",
"owner": "arnested",
"repo": "php-extras",
"rev": "d410c5af663c30c01d461ac476d1cbfbacb49367",
"type": "github"
},
"original": {
"owner": "arnested",
"repo": "php-extras",
"type": "github"
}
},
"revealjs": {
"flake": false,
"locked": {
"lastModified": 1674652670,
"narHash": "sha256-ViqeZlOjQTlY0KM7YcOOjdgkxRLPMZrRKXTqtyc1I00=",
"owner": "hakimel",
"repo": "reveal.js",
"rev": "b1a9842b2f4544a2fda546383db38cc7a81f6b74",
"type": "github"
},
"original": {
"owner": "hakimel",
"repo": "reveal.js",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
"mattermost-server": "mattermost-server",
"mattermost-webapp": "mattermost-webapp",
"nix-hexchen": "nix-hexchen",
"nixos-mailserver": "nixos-mailserver", "nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-oldstable": "nixpkgs-oldstable",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix",
"tracktrain": "tracktrain" "tracktrain": "tracktrain"
} }
}, },
"rotate-text": {
"flake": false,
"locked": {
"lastModified": 1322962747,
"narHash": "sha256-SOeOgSlcEIsKhUiYDJv0p+mLUb420s9E2BmvZQvZ0wk=",
"owner": "debug-ito",
"repo": "rotate-text.el",
"rev": "48f193697db996855aee1ad2bc99b38c6646fe76",
"type": "github"
},
"original": {
"owner": "debug-ito",
"repo": "rotate-text.el",
"type": "github"
}
},
"sln-mode": {
"flake": false,
"locked": {
"lastModified": 1423727528,
"narHash": "sha256-XqkqPyEJuTtFslOz1fpTf/Klbd/zA7IGpzpmum/MGao=",
"owner": "sensorflo",
"repo": "sln-mode",
"rev": "0f91d1b957c7d2a7bab9278ec57b54d57f1dbd9c",
"type": "github"
},
"original": {
"owner": "sensorflo",
"repo": "sln-mode",
"type": "github"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nix-hexchen", "nixpkgs-unstable"
"nixpkgs" ]
],
"nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1676171095, "lastModified": 1731954233,
"narHash": "sha256-2laeSjBAAJ9e/C3uTIPb287iX8qeVLtWiilw1uxqG+A=", "narHash": "sha256-vvXx1m2Rsw7MkbKJdpcICzz4YPgZPApGKQGhNZfkhOI=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "c5dab21d8706afc7ceb05c23d4244dcb48d6aade", "rev": "e39947d0ee8e341fa7108bd02a33cdfa24a1360e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -809,30 +164,29 @@
"type": "github" "type": "github"
} }
}, },
"stable": { "systems": {
"locked": { "locked": {
"lastModified": 1669735802, "lastModified": 1681028828,
"narHash": "sha256-qtG/o/i5ZWZLmXw108N2aPiVsxOcidpHJYNkT45ry9Q=", "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "NixOS", "owner": "nix-systems",
"repo": "nixpkgs", "repo": "default",
"rev": "731cc710aeebecbf45a258e977e8b68350549522", "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "nix-systems",
"ref": "nixos-22.11", "repo": "default",
"repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"tracktrain": { "tracktrain": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1674936614, "lastModified": 1720213096,
"narHash": "sha256-BsF4CzI8ukthTsczo9VJIlz+9ILEMXlYMTvh0lIlzDI=", "narHash": "sha256-GrSXD6WvyiXcHx1s+48PEZVn/MTtBJAXpgds+NdEL2g=",
"ref": "main", "ref": "main",
"rev": "1612bb5aec55af06f66012ff2627f533e7a57c67", "rev": "2943327863bfe5c6e793e5c40e473a2755d45642",
"revCount": 82, "revCount": 126,
"type": "git", "type": "git",
"url": "https://stuebinm.eu/git/tracktrain" "url": "https://stuebinm.eu/git/tracktrain"
}, },
@ -842,101 +196,21 @@
"url": "https://stuebinm.eu/git/tracktrain" "url": "https://stuebinm.eu/git/tracktrain"
} }
}, },
"ts-fold": {
"flake": false,
"locked": {
"lastModified": 1673328482,
"narHash": "sha256-6yQ35uJDAK531QNQZgloQaOQayRa8azOlOMbO8lXsHE=",
"owner": "jcs-elpa",
"repo": "ts-fold",
"rev": "75d6f9ed317b042b5bc7cb21503596d1c7a1b8c0",
"type": "github"
},
"original": {
"owner": "jcs-elpa",
"repo": "ts-fold",
"type": "github"
}
},
"utils": { "utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"utils_2": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"utils_3": {
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"waybar-iceportal": {
"inputs": { "inputs": {
"nixpkgs": [ "systems": "systems"
"nix-hexchen",
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1661258114, "lastModified": 1701680307,
"narHash": "sha256-wdm35mfyjz/eFrtd9fMeAJwfUk6XskbyM115wYI1kVA=", "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "e1mo", "owner": "numtide",
"repo": "waybar-iceportal", "repo": "flake-utils",
"rev": "13b297c2cc0b4b56d4caccd626a16b455d8d49e5", "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "e1mo", "owner": "numtide",
"repo": "waybar-iceportal", "repo": "flake-utils",
"type": "github"
}
},
"ws-butler": {
"flake": false,
"locked": {
"lastModified": 1634511126,
"narHash": "sha256-c0y0ZPtxxICPk+eaNbbQf6t+FRCliNY54CCz9QHQ8ZI=",
"owner": "hlissner",
"repo": "ws-butler",
"rev": "572a10c11b6cb88293de48acbb59a059d36f9ba5",
"type": "github"
},
"original": {
"owner": "hlissner",
"repo": "ws-butler",
"type": "github" "type": "github"
} }
} }

View file

@ -2,72 +2,59 @@
description = "hacc infra stuff"; description = "hacc infra stuff";
inputs = { inputs = {
mattermost-webapp.url = "https://releases.mattermost.com/7.1.5/mattermost-7.1.5-linux-amd64.tar.gz"; nixpkgs.url = "nixpkgs/nixos-24.05-small";
mattermost-webapp.flake = false; nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
mattermost-server.url = "github:mattermost/mattermost-server?ref=v7.1.5"; nixpkgs-oldstable.url = "github:/NixOS/nixpkgs?rev=c4aec3c021620d98861639946123214207e98344";
mattermost-server.flake = false;
nixpkgs.url = "nixpkgs/nixos-22.11"; nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable";
nix-hexchen.url = "gitlab:hexchen/nixfiles";
nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-22.05";
tracktrain.url = "git+https://stuebinm.eu/git/tracktrain?ref=main"; tracktrain.url = "git+https://stuebinm.eu/git/tracktrain?ref=main";
tracktrain.flake = false; tracktrain.flake = false;
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";
sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";
# these exist mostly to make the flake.lock somewhat more human-friendly # these exist mostly to make the flake.lock somewhat more human-friendly
# note that in theory doing this might break things, but it seems fairly unlikely # note that in theory doing this might break things, but it seems fairly unlikely
nix-hexchen.inputs = {
nixos-mailserver.follows = "nixos-mailserver";
nixpkgs.follows = "nixpkgs-unstable";
deploy-rs.follows = "deploy-rs";
doom-emacs.follows = "nix-hexchen/nix-doom-emacs/doom-emacs";
emacs-overlay.follows = "nix-hexchen/nix-doom-emacs/emacs-overlay";
flake-utils.follows = "/deploy-rs/utils";
};
nixos-mailserver.inputs = { nixos-mailserver.inputs = {
"nixpkgs-22_05".follows = "nixpkgs"; "nixpkgs-24_05".follows = "nixpkgs";
nixpkgs.follows = "nixpkgs-unstable"; nixpkgs.follows = "nixpkgs-unstable";
utils.follows = "/deploy-rs/utils";
flake-compat.follows = "/deploy-rs/flake-compat";
}; };
}; };
outputs = { self, nixpkgs, nix-hexchen, deploy-rs, ... }@inputs: outputs = { self, nixpkgs, deploy-rs, sops-nix, ... }@inputs:
let modules = nix-hexchen.nixosModules; let modules = {
profiles = nix-hexchen.nixosModules.profiles // { bindMounts = import ./modules/bindmounts.nix;
nopersist = import ./modules/nopersist.nix;
encboot = import ./modules/encboot.nix;
};
profiles = {
container = import ./modules/container-profile.nix; container = import ./modules/container-profile.nix;
}; };
pkgs = import ./pkgs { pkgs = import ./pkgs {
sources = inputs; sources = inputs;
system = "x86_64-linux"; system = "x86_64-linux";
config.allowUnfree = true;
config.permittedInsecurePackages = [ "nextcloud-27.1.11" ];
}; };
evalConfig = config: (nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
config
nix-hexchen.nixosModules.network.nftables
{ nixpkgs.pkgs = pkgs; }
];
specialArgs = {
inherit modules profiles evalConfig;
sources = inputs;
};
}).config.system.build.toplevel;
in { in {
# do this by hand instead of via nix-hexchen/lib/hosts.nix, since that one
# apparently can't support pkgs depending on flake inputs
nixosConfigurations.parsons = nixpkgs.lib.nixosSystem { nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
./hosts/parsons/configuration.nix ./parsons/configuration.nix
./modules/buildinfo.nix
./modules/containers.nix
sops-nix.nixosModules.sops
{ nixpkgs.pkgs = pkgs; } { nixpkgs.pkgs = pkgs; }
]; ];
specialArgs = { specialArgs = {
# with a few exceptions, the flake inputs can be used the same
# as the niv-style (import nix/sources.nix {})
sources = inputs; sources = inputs;
inherit modules profiles evalConfig; inherit modules profiles;
inherit (nixpkgs.lib) nixosSystem;
}; };
}; };
@ -86,8 +73,20 @@
(system: deployLib: deployLib.deployChecks self.deploy) (system: deployLib: deployLib.deployChecks self.deploy)
deploy-rs.lib; deploy-rs.lib;
packages.x86_64-linux = apps.x86_64-linux =
self.nixosConfigurations.parsons.config.hacc.websites.builders; let
mkApp = pkg: {
type = "app";
program = pkgs.lib.getExe pkg;
};
websites = pkgs.lib.mapAttrs (name: mkApp)
self.nixosConfigurations.parsons.config.hacc.websites.builders;
in
{ docs = websites."docs.hacc.space"; } // websites;
packages.x86_64-linux = {
inherit (pkgs) mattermost hacc-scripts;
};
}; };
} }

28
modules/bindmounts.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.hacc;
in {
options.hacc.bindMounts = mkOption {
type = types.attrsOf types.str;
default = { };
example = { "/etc/asdf" = "/persist/asdf"; };
};
options.hacc.bindToPersist = mkOption {
type = types.listOf types.str;
default = [];
example = [ "postgres" ];
};
config.fileSystems = mapAttrs (_: device: {
inherit device;
options = [ "bind" ];
}) cfg.bindMounts;
config.hacc.bindMounts = listToAttrs
(map (name: { inherit name; value = "/persist${name}"; })
cfg.bindToPersist);
}

29
modules/buildinfo.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, lib, pkgs, sources, ... }:
let
self = sources.self;
formatDate = date: with lib.strings;
let
year = substring 0 4 date;
month = substring 4 2 date;
day = substring 6 2 date;
hour = substring 8 2 date;
minute = substring 10 2 date;
second = substring 12 2 date;
in
"${year}-${month}-${day} ${hour}:${minute}:${second} UTC";
in
{
system.nixos.label = "${config.system.nixos.release}-haccfiles-${self.shortRev or self.dirtyShortRev}";
users.motd = ''
Welcome to ${config.networking.hostName}, running NixOS ${config.system.nixos.release}!
Built from haccfiles ${self.rev or self.dirtyRev}.
Last commit was at ${formatDate self.lastModifiedDate}.
${if self ? dirtyRev then "\nPlease remember to commit your changes.\n" else ""}
'';
# used by monit
environment.etc."haccfiles-commit".text = self.rev or self.dirtyRev;
environment.etc."haccfiles-timestamp".text = builtins.toString self.lastModified;
}

View file

@ -14,12 +14,5 @@
''; '';
}; };
# I /suspect/ this is not actually needed.
# TODO: find spoons to deal with potential breakage, test removing this
networking.defaultGateway = {
address = "192.168.100.1";
interface = "eth0";
};
system.stateVersion = lib.mkDefault "21.05"; system.stateVersion = lib.mkDefault "21.05";
} }

95
modules/containers.nix Normal file
View file

@ -0,0 +1,95 @@
{ config, lib, pkgs, modules, profiles, sources, nixosSystem, ... }:
let
mkIPv4 = index: local:
"192.168.${if local then "100" else "101"}.${toString index}";
mkIPv6 = index: local:
"fd00::${if local then "100" else "101"}:${toString index}";
evalConfig = nixosConfig: (nixosSystem {
inherit (config.nixpkgs) system;
modules = [
nixosConfig
modules.nopersist
profiles.container
{ nixpkgs.pkgs = lib.mkForce pkgs; }
];
specialArgs = {
inherit modules sources;
};
}).config.system.build.toplevel;
in {
options.hacc.containers = with lib.options;
mkOption {
description = ''
hacc-specific containers. These are a thin wrapper around "normal" nixos containers:
- they automatically get an IPv4/IPv6 address assigned
(note that these are not guaranteed to be stable across config changes,
so please use {option}`containers.<name>.hostAddress` & friends to
reference them elsewhere)
- they set a couple default options (e.g. ephemeral, autoStart, privateNetwork)
- they are evaluated with our own version of {nix}`evalConfig`, which includes a
couple more modules by default, use our version of `nixpkgs`, and includes the
{nix}`profiles.containers` profile setting sane defaults for containers.
'';
default = { };
type = with lib.types;
types.attrsOf (types.submodule {
options = {
bindToPersist = mkOption {
default = true;
type = types.bool;
description =
"Wether to mount /persist/containers/<name> at /persist into this container.";
};
bindSecrets = mkOption {
default = false;
type = types.bool;
description =
"Whether to mount /run/secrets/<name> at /secrets into this container.";
};
config = mkOption {
type = types.unspecified;
description =
"The container's config, to be evaluated with our own {nix}`evalConfig`.";
};
};
});
};
# wrapped into imap1, which enumerates the containers; IP addresses are then
# simply assigned based on the order the containers are in the list.
config.containers = lib.mkMerge (lib.imap1
(index: { name, value }: let container = value; in {
${name} = {
hostAddress = mkIPv4 index false;
localAddress = mkIPv4 index true;
hostAddress6 = mkIPv6 index false;
localAddress6 = mkIPv6 index true;
privateNetwork = true;
autoStart = true;
ephemeral = true;
bindMounts = lib.mkMerge [
(lib.mkIf container.bindToPersist {
"/persist" = {
hostPath = "/persist/containers/${name}";
isReadOnly = false;
};
})
(lib.mkIf container.bindSecrets {
"/secrets" = {
hostPath = "/run/secrets/${name}";
isReadOnly = true;
};
})
];
path = evalConfig container.config;
};
}) (lib.attrsToList config.hacc.containers));
}

45
modules/encboot.nix Normal file
View file

@ -0,0 +1,45 @@
{ config, pkgs, lib, ... }:
with lib;
let cfg = config.hacc.encboot;
in {
options = {
hacc.encboot = {
enable = mkOption {
type = types.bool;
default = false;
};
networkDrivers = mkOption { type = with types; listOf str; };
dataset = mkOption {
type = types.str;
default = "zroot";
};
};
};
config = mkIf cfg.enable {
boot.initrd.kernelModules = cfg.networkDrivers;
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 2222;
authorizedKeys = with lib;
concatLists (mapAttrsToList (name: user:
if elem "wheel" user.extraGroups then
user.openssh.authorizedKeys.keys
else
[ ]) config.users.users);
hostKeys = [ /etc/ssh/encboot_host ];
};
postCommands = ''
zpool import ${cfg.dataset}
echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
'';
};
};
}

52
modules/nopersist.nix Normal file
View file

@ -0,0 +1,52 @@
{ config, lib, pkgs, modules, ... }:
with lib;
{
imports = [ modules.bindMounts ];
users.mutableUsers = false;
boot.initrd = mkIf (config.fileSystems."/".fsType == "zfs") {
network.ssh.hostKeys = mkIf config.hacc.encboot.enable
(mkForce [ /persist/ssh/encboot_host ]);
postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable)
(mkAfter ''
zfs rollback -r ${config.fileSystems."/".device}@blank
'');
systemd = mkIf config.boot.initrd.systemd.enable {
storePaths = [ pkgs.zfs ];
services.rollback = {
description = "Rollback ZFS datasets to a pristine state";
wantedBy = [ "initrd.target" ];
after = [ "zfs-import-${head (splitString "/" config.fileSystems."/".device)}.service" ];
before = [ "sysroot.mount" ];
path = [ pkgs.zfs ];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
zfs rollback -r ${config.fileSystems."/".device}@blank && echo "rollback complete"
'';
};
};
};
services.openssh = {
hostKeys = [
{
path = "/persist/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/persist/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
services.postgresql.dataDir =
"/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
}

View file

@ -2,52 +2,44 @@
{ {
imports = [ imports = [
../../common ../common
./hardware.nix ./hardware.nix
modules.encboot modules.encboot
modules.network.nftables modules.nopersist
modules.nftnat ./nftables.nix
sources.nix-hexchen.nixosModules.profiles.nopersist ./nextcloud.nix
./mattermost.nix
../../services/nextcloud.nix ./murmur.nix
../../services/mattermost.nix ./hedgedoc-hacc.nix
../../services/thelounge.nix ./hedgedoc-i4f.nix
../../services/murmur.nix ./mail.nix
../../services/hedgedoc-hacc.nix ./forgejo.nix
../../services/hedgedoc-i4f.nix ./nginx-pages.nix
../../services/mail.nix ./vaultwarden.nix
../../services/gitea.nix ./tracktrain.nix
../../services/nginx-pages.nix ./uffd.nix
../../services/vaultwarden.nix
../../services/tracktrain.nix
../../services/uffd.nix
./lxc.nix ./lxc.nix
./monit.nix
]; ];
hexchen.bindmounts."/var/lib/acme" = "/persist/var/lib/acme"; hacc.bindToPersist = [ "/var/lib/acme" ];
# fileSystems."/var/lib/acme" = {
# device = "/persist/var/lib/acme";
# fsType = "bind";
# };
hexchen.encboot = { hacc.encboot = {
enable = true; enable = true;
dataset = "-a"; dataset = "-a";
networkDrivers = [ "igb" ]; networkDrivers = [ "igb" ];
}; };
sops.defaultSopsFile = ../secrets.yaml;
sops.age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ];
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ]; boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
boot.supportedFilesystems = [ "zfs" ]; boot.supportedFilesystems = [ "zfs" ];
networking.hostId = "b2867696"; networking.hostId = "b2867696";
networking.useDHCP = true; networking.useDHCP = true;
networking.nftables.enable = true; networking.nftables.enable = true;
hexchen.nftables.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "enp35s0";
networking.hostName = "parsons"; networking.hostName = "parsons";
@ -59,13 +51,6 @@
address = "fe80::1"; address = "fe80::1";
interface = "enp35s0"; interface = "enp35s0";
}; };
boot = {
kernelModules = [ "nf_nat_ftp" ];
kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = lib.mkOverride 90 true;
"net.ipv4.conf.default.forwarding" = lib.mkOverride 90 true;
};
};
services.nginx = { services.nginx = {
enable = true; enable = true;
@ -85,8 +70,8 @@
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
services.restic.backups.tardis = { services.restic.backups.tardis = {
passwordFile = "/persist/restic/system"; passwordFile = "/run/secrets/restic/system";
environmentFile = "/persist/restic/system.s3creds"; environmentFile = "/run/secrets/restic/s3creds.env";
paths = [ paths = [
"/home" "/home"
"/persist" "/persist"
@ -99,5 +84,10 @@
repository = "b2:tardis-parsons:system"; repository = "b2:tardis-parsons:system";
}; };
sops.secrets = {
"restic/system" = {};
"restic/s3creds.env" = {};
};
system.stateVersion = "21.05"; system.stateVersion = "21.05";
} }

View file

@ -1,34 +1,16 @@
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }: { config, lib, pkgs, ... }:
{ {
containers.gitea = { hacc.containers.forgejo = {
privateNetwork = true; config = { lib, pkgs, ... }: {
hostAddress = "192.168.100.1";
localAddress = "192.168.100.10";
autoStart = true;
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/gitea";
isReadOnly = false;
};
};
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
system.stateVersion = "21.11"; system.stateVersion = "21.11";
imports = [ profiles.nopersist profiles.container ]; environment.systemPackages = [ pkgs.forgejo ];
environment.systemPackages = [ pkgs.gitea ]; hacc.bindMounts."/var/lib/forgejo" = "/persist/forgejo";
hexchen.bindmounts."/var/lib/gitea" = "/persist/gitea"; services.forgejo = {
nixpkgs.config.allowUnfree = true;
services.gitea = {
enable = true; enable = true;
appName = "0x0: git for all creatures";
rootUrl = "https://git.infra4future.de/";
httpAddress = "0.0.0.0";
httpPort = 3000;
lfs.enable = true; lfs.enable = true;
database.type = "postgres"; database.type = "postgres";
settings = { settings = {
@ -49,6 +31,9 @@
server = { server = {
LANDING_PAGE = "explore"; LANDING_PAGE = "explore";
OFFLINE_MODE = true; OFFLINE_MODE = true;
ROOT_URL = "https://git.infra4future.de";
HTTP_PORT = 3000;
HTTP_ADDR = "0.0.0.0";
}; };
security = { INSTALL_LOCK = true; }; security = { INSTALL_LOCK = true; };
other = { other = {
@ -69,38 +54,32 @@
log.LEVEL = "Info"; log.LEVEL = "Info";
service.DISABLE_REGISTRATION = true; service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true; session.COOKIE_SECURE = true;
default.APP_NAME = "0x0: git for all creatures";
}; };
}; };
services.postgresql.package = pkgs.postgresql_15;
services.postgresqlBackup = { services.postgresqlBackup = {
enable = true; enable = true;
databases = [ "gitea" ]; databases = [ "forgejo" ];
startAt = "*-*-* 23:45:00"; startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres"; location = "/persist/backups/postgres";
}; };
services.openssh = { services.openssh = {
enable = true; enable = true;
passwordAuthentication = false; settings = {
listenAddresses = [ { PasswordAuthentication = false;
addr = "192.168.100.10"; AcceptEnv = "GIT_PROTOCOL";
port = 22; };
} ];
extraConfig = ''
AcceptEnv GIT_PROTOCOL
'';
}; };
}); };
}; };
services.nginx.virtualHosts."git.infra4future.de" = { services.nginx.virtualHosts."git.infra4future.de" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://${config.containers.gitea.localAddress}:3000"; proxyPass = "http://${config.containers.forgejo.localAddress}:3000";
}; };
}; };
hexchen.nftables.nat.forwardPorts = [{
ports = [ 22 ];
destination = "${config.containers.gitea.localAddress}:22";
proto = "tcp";
}];
} }

View file

@ -28,6 +28,7 @@
fileSystems."/persist" = fileSystems."/persist" =
{ device = "zroot/safe/persist"; { device = "zroot/safe/persist";
fsType = "zfs"; fsType = "zfs";
neededForBoot = true;
}; };
fileSystems."/home" = fileSystems."/home" =
@ -55,11 +56,6 @@
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/var/lib/docker" =
{ device = "zroot/local/docker";
fsType = "zfs";
};
swapDevices = [ ]; swapDevices = [ ];
} }

View file

@ -1,21 +1,16 @@
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }: { config, lib, pkgs, ... }:
{ {
containers.pad-hacc = {
privateNetwork = true;
hostAddress = "192.168.100.1";
localAddress = "192.168.100.5";
autoStart = true;
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/pad-hacc";
isReadOnly = false;
};
};
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
imports = [ profiles.nopersist profiles.container ];
nixpkgs.config.allowUnfree = true;
sops.secrets = {
"hedgedoc-hacc/env" = {};
};
containers.pad-hacc.bindMounts = {
"/secrets".hostPath = "/run/secrets/hedgedoc-hacc";
};
hacc.containers.pad-hacc = {
config = { config, lib, ... }: {
services.hedgedoc = { services.hedgedoc = {
enable = true; enable = true;
settings = { settings = {
@ -43,7 +38,7 @@
clientSecret = "lol nope"; clientSecret = "lol nope";
}; };
}; };
environmentFile = "/persist/secrets.env"; environmentFile = "/secrets/env";
}; };
systemd.services.hedgedoc.environment = { systemd.services.hedgedoc.environment = {
"CMD_LOGLEVEL" = "warn"; "CMD_LOGLEVEL" = "warn";
@ -59,15 +54,13 @@
ensureDatabases = [ "codimd" ]; ensureDatabases = [ "codimd" ];
ensureUsers = [{ ensureUsers = [{
name = "codimd"; name = "codimd";
ensurePermissions = { ensureDBOwnership = true;
"DATABASE codimd" = "ALL PRIVILEGES";
};
}]; }];
authentication = '' authentication = ''
local all all trust local all all trust
host codimd codimd 127.0.0.1/32 trust host codimd codimd 127.0.0.1/32 trust
''; '';
package = pkgs.postgresql_11; package = pkgs.postgresql_15;
}; };
services.postgresqlBackup = { services.postgresqlBackup = {
enable = true; enable = true;
@ -75,7 +68,8 @@
startAt = "*-*-* 23:45:00"; startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres"; location = "/persist/backups/postgres";
}; };
}); hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
};
}; };
services.nginx.virtualHosts."pad.hacc.earth" = { services.nginx.virtualHosts."pad.hacc.earth" = {
enableACME = true; enableACME = true;

View file

@ -1,21 +1,8 @@
{ config, lib, pkgs, modules, evalConfig, sources, ... }: { config, lib, pkgs, ... }:
{ {
containers.pad-i4f = { hacc.containers.pad-i4f = {
privateNetwork = true; config = { config, lib, ... }: {
hostAddress = "192.168.100.1";
localAddress = "192.168.100.6";
autoStart = true;
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/pad-i4f";
isReadOnly = false;
};
};
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
imports = [ profiles.nopersist profiles.container ];
nixpkgs.config.allowUnfree = true;
services.hedgedoc = { services.hedgedoc = {
enable = true; enable = true;
settings = { settings = {
@ -41,7 +28,7 @@
}; };
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_11; package = pkgs.postgresql_15;
authentication = '' authentication = ''
local all all trust local all all trust
host hedgedoc hedgedoc 127.0.0.1/32 trust host hedgedoc hedgedoc 127.0.0.1/32 trust
@ -49,9 +36,7 @@
ensureDatabases = [ "hedgedoc" ]; ensureDatabases = [ "hedgedoc" ];
ensureUsers = [{ ensureUsers = [{
name = "hedgedoc"; name = "hedgedoc";
ensurePermissions = { ensureDBOwnership = true;
"DATABASE hedgedoc" = "ALL PRIVILEGES";
};
}]; }];
}; };
services.postgresqlBackup = { services.postgresqlBackup = {
@ -60,7 +45,8 @@
startAt = "*-*-* 23:45:00"; startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres"; location = "/persist/backups/postgres";
}; };
}); hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
};
}; };
services.nginx.virtualHosts."pad.infra4future.de" = { services.nginx.virtualHosts."pad.infra4future.de" = {

View file

@ -8,7 +8,6 @@
prefixLength = 24; prefixLength = 24;
} }
]; ];
networking.nat.internalInterfaces = [ "lxcbr0" ];
virtualisation.lxc.enable = true; virtualisation.lxc.enable = true;
virtualisation.lxc.systemConfig = '' virtualisation.lxc.systemConfig = ''
@ -27,10 +26,4 @@
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
}; };
services.nginx.virtualHosts."auth.infra4future.de" = {
locations."/".proxyPass = "http://10.1.2.104:8080";
enableACME = true;
forceSSL = true;
};
} }

View file

@ -1,4 +1,4 @@
{ config, pkgs, lib, sources, ... }: { config, options, pkgs, lib, sources, ... }:
{ {
imports = [ sources.nixos-mailserver.outPath ]; imports = [ sources.nixos-mailserver.outPath ];
@ -65,13 +65,16 @@
"noreply@hacc.space" = { "noreply@hacc.space" = {
hashedPassword = hashedPassword =
"$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/"; "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
sendOnly = true;
}; };
"noreply@infra4future.de" = { "noreply@infra4future.de" = {
hashedPassword = hashedPassword =
"$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV."; "$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
sendOnly = true; };
"mattermost@hacc.space" = {
hashedPassword =
"$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
}; };
}; };
@ -142,7 +145,7 @@
# Use Let's Encrypt certificates. Note that this needs to set up a stripped # Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80. # down nginx and opens port 80.
certificateScheme = 3; certificateScheme = "acme-nginx";
# Only allow implict TLS # Only allow implict TLS
enableImap = false; enableImap = false;
@ -184,11 +187,22 @@
bindIP = "[::1]"; bindIP = "[::1]";
}; };
systemd.services.alps.after = [ "dovecot2.service" ]; systemd.services.alps.after = [ "dovecot2.service" "postfix.service" ];
systemd.services.alps.bindsTo = [ "dovecot2.service" "postfix.service" ];
services.nginx.virtualHosts."mail.hacc.space" = { services.nginx.virtualHosts."mail.hacc.space" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://[::1]:1323"; locations."/".proxyPass = "http://[::1]:1323";
}; };
hacc.bindToPersist = [
"/var/lib/rspamd"
"/var/lib/opendkim"
"/var/lib/postfix"
"/var/lib/dovecot"
"/var/sieve"
"/var/lib/redis-rspamd"
"/var/dkim"
];
} }

View file

@ -1,35 +1,19 @@
{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}: { config, pkgs, lib, ...}:
let {
mattermost = pkgs.mattermost; sops.secrets = {
in { "mattermost/env" = {};
containers.mattermost = { };
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.1";
localAddress = "192.168.100.3";
bindMounts = { hacc.containers.mattermost = {
"/persist" = { bindSecrets = true;
hostPath = "/persist/containers/mattermost";
isReadOnly = false;
};
};
path = evalConfig ({ config, lib, pkgs, profiles, ... }: { config = { config, lib, pkgs, ... }: {
imports = [ profiles.nopersist profiles.container ]; environment.systemPackages = [ pkgs.morph pkgs.pgloader ];
nixpkgs.overlays = [ (self: super: { inherit mattermost; }) ];
nixpkgs.config.allowUnfree = true;
systemd.services.mattermost.serviceConfig.EnvironmentFile = systemd.services.mattermost.serviceConfig.EnvironmentFile =
"/persist/mattermost/secrets.env"; lib.mkForce "/secrets/env";
# overwrite the -c flag given in the module. this can be removed once we're on nixos 22.05
systemd.services.mattermost.serviceConfig.ExecStart =
lib.mkForce "${pkgs.mattermost}/bin/mattermost -c /persist/mattermost/config/config.json";
# couldn't figure out how to actually overwrite modules, so now
# there's two mattermost modules ...
services.mattermost = { services.mattermost = {
enable = true; enable = true;
siteUrl = "https://mattermost.infra4future.de"; siteUrl = "https://mattermost.infra4future.de";
@ -78,8 +62,6 @@ in {
}; };
LogSettings = { LogSettings = {
EnableConsole = true; EnableConsole = true;
# note: for some reason this doesn't work (mattermost still sets it to DEBUG);
# it's also set in secrets.env, where for some reason it does
ConsoleLevel = "ERROR"; ConsoleLevel = "ERROR";
EnableDiagnostics = false; EnableDiagnostics = false;
EnableWebhookDebugging = false; EnableWebhookDebugging = false;
@ -125,6 +107,12 @@ in {
ShowEmailAddress = false; ShowEmailAddress = false;
ShowFullName = true; ShowFullName = true;
}; };
# to disable the extra landing page advertising the app
NativeAppSettings = {
AppDownloadLink = "";
AndroidAppDownloadLink = "";
IosAppDownloadLink = "";
};
SupportSettings = { SupportSettings = {
TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html"; TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html"; PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
@ -156,18 +144,12 @@ in {
Enable = true; Enable = true;
EnableUploads = true; EnableUploads = true;
Plugins = { Plugins = {
bigbluebutton = {
adminonly = false;
base_url = "https://bbb.infra4future.de/bigbluebutton/api";
salt = "zKCsNeaEniC115ynHOsZopgA4iTiJjzgeiPNoCEc";
};
"com.github.matterpoll.matterpoll" = { "com.github.matterpoll.matterpoll" = {
experimentalui = true; experimentalui = true;
trigger = "poll"; trigger = "poll";
}; };
}; };
PluginStates = { PluginStates = {
bigbluebutton.Enable = true;
"com.github.matterpoll.matterpoll".Enable = true; "com.github.matterpoll.matterpoll".Enable = true;
}; };
}; };
@ -176,6 +158,8 @@ in {
MetricsSettings.Enable = false; MetricsSettings.Enable = false;
GuestAccountsSettings.Enable = false; GuestAccountsSettings.Enable = false;
FeatureFlags.CollapsedThreads = true; FeatureFlags.CollapsedThreads = true;
SqlSettings.DriverName = "postgres";
SqlSettings.DataSource = "postgres:///mattermost?host=/run/postgresql";
}; };
# turn of the weirder parts of this module (which insist on passwords # turn of the weirder parts of this module (which insist on passwords
@ -186,36 +170,28 @@ in {
localDatabaseCreate = false; localDatabaseCreate = false;
}; };
services.mysql = {
enable = true;
ensureDatabases = [ "mattermost" ];
ensureUsers = [ {
name = "mattermost";
ensurePermissions = { "mattermost.*" = "ALL PRIVILEGES"; };
} ];
package = pkgs.mysql80;
dataDir = "/persist/mysql";
};
services.postgresql = { services.postgresql = {
enable = lib.mkForce true; # mattermost sets this to false. wtf. enable = lib.mkForce true; # mattermost sets this to false. wtf.
package = pkgs.postgresql_11; package = pkgs.postgresql_15;
ensureDatabases = [ "mattermost" ]; ensureDatabases = [ "mattermost" ];
ensureUsers = [ { ensureUsers = [ {
name = "mattermost"; name = "mattermost";
ensurePermissions = { "DATABASE mattermost" = "ALL PRIVILEGES"; }; ensureDBOwnership = true;
} ]; } ];
authentication = lib.mkForce '' authentication = lib.mkForce ''
# Generated file; do not edit! # Generated file; do not edit!
local all all trust local all all trust
host mattermost mattermost ::1/128 trust
''; '';
}; };
networking.firewall.allowedTCPPorts = [ 3000 ]; services.postgresqlBackup = {
enable = true;
}); databases = [ "mattermost" ];
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
};
}; };
services.nginx.virtualHosts."mattermost.infra4future.de" = { services.nginx.virtualHosts."mattermost.infra4future.de" = {

64
parsons/monit.nix Normal file
View file

@ -0,0 +1,64 @@
{ config, options, lib, pkgs, ... }:
let
checkHash = pkgs.writeScriptBin "check-commit-hash" ''
#!${lib.getExe pkgs.fish}
set wanted (${lib.getExe pkgs.curl} -s https://git.infra4future.de/api/v1/repos/hacc/haccfiles/branches/main \
-H 'accept: application/json' | jq -r .commit.id)
if test $status != 0
echo "could not reach git.infra4future.de"
exit 2
end
set actual (cat /etc/haccfiles-commit)
if test $status != 0
echo "/etc/haccfiles-commit does not exist??"
exit 2
end
if test $actual != $wanted
echo "parsons was built on $actual, but commit on main is $wanted"
exit 1
end
'';
checkDeployAge = pkgs.writeScriptBin "check-deploy-age" ''
#!${lib.getExe pkgs.fish}
set date (date +%s)
# we do this indirection here so monit's config won't change on each deploy
set deploytimestamp (cat /etc/haccfiles-timestamp)
set age (expr $date - $deploytimestamp)
if test $age -ge (expr 3600 \* 24 \* 10)
echo "${config.networking.hostName} has not been deployed since 10 days, perhaps someone should do updates?"
exit 1
end
'';
in
{
mailserver.monitoring = {
enable = true;
alertAddress = "admin@hacc.space";
config = (lib.replaceStrings ["port 22"] ["port ${toString (lib.head config.services.openssh.ports)}"] options.mailserver.monitoring.config.default);
};
services.monit.config = ''
check host onlyoffice with address onlyoffice.infra4future.de
start program "/run/current-system/sw/bin/lxc-start -n onlyoffice -f /persist/lxc/onlyoffice/config"
stop program "/run/current-system/sw/bin/lxc-stop -n onlyoffice"
if failed port 443 protocol https status = 302
then restart
check program deployed-commit-on-main path ${lib.getExe checkHash}
if status == 1 for 64 cycles then alert
if status == 2 for 3 cycles then alert
check program is-system-running path ${pkgs.systemd}/bin/systemctl is-system-running
if status != 0 then alert
check program check-deploy-age path ${lib.getExe checkDeployAge}
if status == 1 then alert
'';
}

View file

@ -1,13 +1,13 @@
{ config, lib, pkgs, sources, ... }: { config, lib, pkgs, ... }:
{ {
hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur";
services.murmur = { services.murmur = {
enable = true; enable = true;
logDays = -1; logDays = -1;
welcometext = registerName = "hackers against climate change";
"Welcome to mumble4future! Brought to you by infra4future. The server is now reachable under mumble.hacc.space, please update your bookmarks."; welcometext = ''
<br>Welcome to <b>mumble4future</b>!<br>Brought to you by <b style="color:red">infra4future</b>.<br>On <a href=https://mumble.hacc.space>mumble.hacc.space</a><br>Not confusing at all!
'';
sslKey = "/var/lib/acme/mumble.hacc.space/key.pem"; sslKey = "/var/lib/acme/mumble.hacc.space/key.pem";
sslCert = "/var/lib/acme/mumble.hacc.space/fullchain.pem"; sslCert = "/var/lib/acme/mumble.hacc.space/fullchain.pem";
bandwidth = 128000; bandwidth = 128000;
@ -25,4 +25,6 @@
}; };
users.users.nginx.extraGroups = [ "mumblecert" ]; users.users.nginx.extraGroups = [ "mumblecert" ];
users.users.murmur.extraGroups = [ "mumblecert" ]; users.users.murmur.extraGroups = [ "mumblecert" ];
hacc.bindToPersist = [ "/var/lib/murmur" ];
} }

View file

@ -1,30 +1,9 @@
{ config, lib, pkgs, profiles, modules, evalConfig, ... }: { config, lib, pkgs, ... }:
{ {
containers.nextcloud = { containers.nextcloud.timeoutStartSec = "10 min";
autoStart = true; hacc.containers.nextcloud = {
privateNetwork = true; config = { config, lib, pkgs, ... }: {
hostAddress = "192.168.100.1";
localAddress = "192.168.100.2";
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/nextcloud";
isReadOnly = false;
};
};
path = evalConfig ({ config, lib, pkgs, profiles, sources, ... }: {
imports = [
profiles.nopersist
profiles.container
(import "${sources.nixpkgs-unstable}/nixos/modules/services/web-apps/nextcloud.nix")
];
disabledModules = [
"services/web-apps/nextcloud.nix"
];
nixpkgs.config.allowUnfree = true;
environment.systemPackages = [ pkgs.htop ]; environment.systemPackages = [ pkgs.htop ];
services.nextcloud = { services.nextcloud = {
@ -32,21 +11,19 @@
# must be set manually; may not be incremented by more than one at # must be set manually; may not be incremented by more than one at
# a time, otherwise nextcloud WILL break # a time, otherwise nextcloud WILL break
package = pkgs.nextcloud25; package = pkgs.nextcloud29;
home = "/persist/nextcloud"; home = "/persist/nextcloud";
https = true; https = true;
# true by default for backwards-compatability, but we don't need it
enableBrokenCiphersForSSE = false;
hostName = "cloud.infra4future.de"; hostName = "cloud.infra4future.de";
config = { config = {
dbtype = "pgsql"; dbtype = "pgsql";
dbuser = "nextcloud"; dbuser = "nextcloud";
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
dbname = "nextcloud"; dbname = "nextcloud";
adminpassFile = "/persist/nextcloud/config/admin_pw"; # socket auth does not needs this, but the module insists it does
adminpassFile = "/persist/adminpassfile";
adminuser = "root"; adminuser = "root";
}; };
@ -62,7 +39,7 @@
"pm.start_servers" = "2"; "pm.start_servers" = "2";
}; };
extraOptions = { settings = {
instanceid = "ocxlphb7fbju"; instanceid = "ocxlphb7fbju";
datadirectory = "/persist/nextcloud/data"; datadirectory = "/persist/nextcloud/data";
loglevel = 0; loglevel = 0;
@ -72,23 +49,30 @@
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_11; package = pkgs.postgresql_15;
ensureDatabases = [ "nextcloud" ]; ensureDatabases = [ "nextcloud" ];
ensureUsers = [ ensureUsers = [
{ # by default, postgres has unix sockets enabled, and allows a { # by default, postgres has unix sockets enabled, and allows a
# system user `nextcloud` to log in without other authentication # system user `nextcloud` to log in without other authentication
name = "nextcloud"; name = "nextcloud";
ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES"; ensureDBOwnership = true;
} }
]; ];
}; };
services.postgresqlBackup = {
enable = true;
databases = [ "nextcloud" ];
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
# ensure that postgres is running *before* running the setup # ensure that postgres is running *before* running the setup
systemd.services."nextcloud-setup" = { systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"]; requires = ["postgresql.service"];
after = ["postgresql.service"]; after = ["postgresql.service"];
}; };
}); };
}; };
services.nginx.virtualHosts."cloud.infra4future.de" = { services.nginx.virtualHosts."cloud.infra4future.de" = {

23
parsons/nftables.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, lib, pkgs, ... }:
{
networking.firewall.enable = true;
networking.firewall.logRefusedConnections = false;
networking.nat.enable = true;
networking.nftables.enable = true;
networking.nftables.tables.nat = {
family = "ip";
content = ''
chain prerouting {
type nat hook prerouting priority -100
iifname enp35s0 tcp dport { 22 } dnat ${config.containers.forgejo.localAddress}:22
}
chain postrouting {
type nat hook postrouting priority 100
iifname lxcbr0 oifname enp35s0 masquerade
iifname ve-* oifname enp35s0 masquerade
}
'';
};
}

16
parsons/nginx-pages.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, pkgs, ... }:
{
hacc.websites = {
enable = true;
directory = "${../.}/websites";
};
services.nginx.virtualHosts."parsons.hacc.space" = {
enableACME = true;
forceSSL = true;
locations."/~stuebinm/".root = "/persist/www/";
};
}

137
parsons/s4f-conference.nix Normal file
View file

@ -0,0 +1,137 @@
{ config, lib, pkgs, ... }:
{
sops.secrets = {
"s4f-conference/env" = {};
};
hacc.containers.s4f-conference = {
bindSecrets = true;
config = { config, lib, pkgs, ... }: {
systemd.services.mattermost.serviceConfig.EnvironmentFile =
lib.mkForce "/secrets/env";
services.mattermost = {
enable = true;
siteUrl = "https://s4f-conference.infra4future.de";
siteName = "Scientists for Future Chat";
listenAddress = "0.0.0.0:3000";
mutableConfig = false;
statePath = "/persist/mattermost";
extraConfig = {
ServiceSettings = {
TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
EnableEmailInvitations = true;
};
TeamSettings = {
EnableUserCreation = true;
MaxUsersPerTeam = 2500;
EnableUserDeactivation = true;
EnableOpenServer = false;
};
PasswordSettings = {
MinimumLength = 10;
};
FileSettings = {
EnableFileAttachments = true;
MaxFileSize = 52428800;
DriverName = "local";
Directory = "/persist/upload-storage";
EnablePublicLink = true;
PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
};
EmailSettings = {
EnableSignUpWithEmail = true;
EnableSignInWithEmail = true;
EnableSignInWithUsername = true;
SendEmailNotifications = true;
FeedbackName = "mattermost";
FeedbackEmail = "mattermost@infra4future.de";
ReplyToAddress = "mattermost@infra4future.de";
FeedbackOrganization = "infra4future.de";
EnableSMTPAuth = true;
SMTPUsername = "noreply@infra4future.de";
SMTPServer = "mail.hacc.space";
SMTPPort = "465";
SMTPServerTimeout = 10;
ConnectionSecurity = "TLS";
};
RateLimitSettings.Enable = false;
PrivacySettings = {
ShowEmailAddress = false;
ShowFullName = true;
};
# to disable the extra landing page advertising the app
NativeAppSettings = {
AppDownloadLink = "";
AndroidAppDownloadLink = "";
IosAppDownloadLink = "";
};
LogSettings = {
EnableConsole = true;
ConsoleLevel = "ERROR";
EnableDiagnostics = false;
EnableWebhookDebugging = false;
};
SupportSettings = {
TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
AboutLink = "https://infra4future.de";
SupportEmail = "info@infra4future.de";
CustomTermsOfServiceEnabled = false;
EnableAskCommunityLink = true;
};
AnnouncementSettings.EnableBanner = false;
ComplianceSettings.Enable = false;
ClusterSettings.Enable = false;
MetricsSettings.Enable = false;
GuestAccountsSettings.Enable = true;
};
localDatabaseCreate = false;
};
services.postgresql = {
enable = lib.mkForce true; # mattermost sets this to false. wtf.
package = pkgs.postgresql_15;
ensureDatabases = [ "mattermost" ];
ensureUsers = [ {
name = "mattermost";
ensureDBOwnership = true;
} ];
authentication = lib.mkForce ''
# Generated file; do not edit!
local all all trust
host mattermost mattermost ::1/128 trust
'';
};
services.postgresqlBackup = {
enable = true;
databases = [ "mattermost" ];
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
};
};
services.nginx.virtualHosts."s4f-conference.infra4future.de" = {
locations."/" = {
proxyPass = "http://${config.containers.s4f-conference.localAddress}:3000";
proxyWebsockets = true;
extraConfig = ''
# Mattermost CSR Patch
proxy_hide_header Content-Security-Policy;
proxy_hide_header X-Frame-Options;
proxy_redirect off;
client_max_body_size 100M;
'';
};
forceSSL = true;
enableACME = true;
};
}

102
parsons/tracktrain.nix Normal file
View file

@ -0,0 +1,102 @@
{ config, lib, pkgs, ... }:
let
tracktrain-config = ''
dbstring: "dbname=tracktrain"
gtfs: /persist/gtfs.zip
assets: ${pkgs.tracktrain}/assets
warp:
port: 4000
login:
enable: true
url: https://login.infra4future.de
clientName: tracktrain
# clientSecret defined in env file
logging:
ntfyTopic: ping.stuebinm.eu/monit
name: ilztalbahn
'';
in
{
sops.secrets = {
"tracktrain/env" = {};
};
services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${config.containers.tracktrain.localAddress}:4000";
proxyWebsockets = true;
};
# note: this shadows the /metrics endpoint of tracktrain
# in case you remove this, please consider putting something
# else here to keep it from being publicly scrapable
locations."/metrics/" = {
proxyPass = "http://${config.containers.tracktrain.localAddress}:2342";
proxyWebsockets = true;
extraConfig = ''
rewrite ^/metrics/(.*) /$1 break;
'';
};
};
hacc.containers.tracktrain = {
bindSecrets = true;
config = { config, lib, pkgs, ... }: {
systemd.services.tracktrain = {
enable = true;
description = "tracks trains, hopefully";
wantedBy = [ "multi-user.target" ];
requires = [ "network.target" ];
after = [ "network.target" ];
serviceConfig = {
Type = "simple";
EnvironmentFile = "/secrets/env";
DynamicUser = true;
};
path = [ pkgs.wget pkgs.ntfy-sh ];
script = ''
cd /tmp
ln -sf ${pkgs.writeText "tracktrain-config.yaml" tracktrain-config} config.yaml
${pkgs.tracktrain}/bin/tracktrain +RTS -T
'';
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_15;
ensureDatabases = [ "tracktrain" ];
ensureUsers = [ {
name = "tracktrain";
ensureDBOwnership = true;
} ];
authentication = ''
local all all trust
'';
};
services.prometheus = {
enable = true;
port = 9001;
scrapeConfigs = [ {
job_name = "tracktrain";
static_configs = [{
targets = [ "0.0.0.0:4000" ];
}];
} ];
};
systemd.services.grafana.serviceConfig.EnvironmentFile =
"/secrets/env";
hacc.bindToPersist = [ "/var/lib/grafana" ];
};
};
}

View file

@ -1,47 +1,31 @@
{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }: { config, lib, pkgs, ... }:
let
uffd = pkgs.uffd;
in {
containers.uffd = {
privateNetwork = true;
hostAddress = "192.168.100.1";
localAddress = "192.168.100.9";
autoStart = true;
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/uffd";
isReadOnly = false;
};
};
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
imports = [ profiles.nopersist profiles.container ];
nixpkgs.config.allowUnfree = true;
{
hacc.containers.uffd = {
config = { config, lib, pkgs, ... }: {
services.uwsgi = { services.uwsgi = {
enable = true; enable = true;
plugins = [ "python3" ]; plugins = [ "python3" ];
instance = { instance = {
type = "normal"; type = "normal";
pythonPackages = self: with self; [ uffd ]; pythonPackages = _: [ pkgs.uffd ];
module = "uffd:create_app()"; module = "uffd:create_app()";
# socket = "${config.services.uwsgi.runDir}/uwsgi.sock"; # socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
http = ":8080"; http = ":8080";
env = [ env = [
"CONFIG_PATH=/persist/uffd/uffd.conf" "CONFIG_PATH=/persist/uffd/uffd.conf"
]; ];
hook-pre-app = "exec:FLASK_APP=${uffd}/lib/python3.10/site-packages/uffd flask db upgrade"; hook-pre-app = "exec:FLASK_APP=${pkgs.uffd}/lib/python3.10/site-packages/uffd flask db upgrade";
}; };
}; };
}); };
}; };
services.nginx.virtualHosts."login.infra4future.de" = { services.nginx.virtualHosts."login.infra4future.de" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations = { locations = {
"/".proxyPass = "http://${config.containers.uffd.localAddress}:8080"; "/".proxyPass = "http://${config.containers.uffd.localAddress}:8080";
"/static".root = "${uffd}/lib/python3.10/site-packages/uffd"; "/static".root = "${pkgs.uffd}/lib/python3.10/site-packages/uffd";
"/static/hacc.png".return = "302 https://infra4future.de/assets/img/logo_vernetzung.png"; "/static/hacc.png".return = "302 https://infra4future.de/assets/img/logo_vernetzung.png";
"/static/infra4future.svg".return = "302 https://infra4future.de/assets/img/infra4future.svg"; "/static/infra4future.svg".return = "302 https://infra4future.de/assets/img/infra4future.svg";
"/static/hedgedoc.svg".return = "302 https://infra4future.de/assets/img/icons/hedgedoc.svg"; "/static/hedgedoc.svg".return = "302 https://infra4future.de/assets/img/icons/hedgedoc.svg";
@ -58,8 +42,25 @@ in {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
serviceConfig.Type = "simple"; serviceConfig.Type = "simple";
path = [ pkgs.curl pkgs.jq ]; path = [ pkgs.fish pkgs.curl pkgs.jq ];
script = "${pkgs.fish}/bin/fish /persist/magic/mattermost-groupsync.fish"; script = "${pkgs.hacc-scripts}/bin/uffd-sync-mattermost-groups.fish";
startAt = "*:0/15"; startAt = "*:0/15";
}; };
systemd.services.uffd-account-expiry-notification = {
enable = true;
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig.Type = "simple";
path = [ pkgs.hacc-scripts pkgs.sqlite-interactive pkgs.postfix ];
script = ''
uffd-unused-accounts-notification.scm -v admin
'';
startAt = "weekly";
restartIfChanged = false;
};
sops.secrets."auamost/secrets.fish" = { };
environment.systemPackages = with pkgs; [ curl jq ];
} }

View file

@ -1,6 +1,10 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
sops.secrets = {
"vaultwarden/env" = {};
};
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
config = { config = {
@ -27,7 +31,7 @@
SMTP_USERNAME="noreply@infra4future.de"; SMTP_USERNAME="noreply@infra4future.de";
}; };
environmentFile = "/persist/var/lib/vaultwarden/vaultwarden.env"; #contains SMTP_PASSWORD environmentFile = "/run/secrets/vaultwarden/env";
dbBackend = "sqlite"; dbBackend = "sqlite";
backupDir = "/persist/data/vaultwarden_backups/"; backupDir = "/persist/data/vaultwarden_backups/";
}; };

View file

@ -1,55 +1,37 @@
{ sources, system ? builtins.currentSystem, ... }@args: { sources, ... }@args:
let let
pkgs = import sources.nixpkgs args; pkgs = import sources.nixpkgs args;
oldstable = import sources.nixpkgs-oldstable args;
unstable = import sources.nixpkgs-unstable args; unstable = import sources.nixpkgs-unstable args;
callPackage = pkgs.lib.callPackageWith (pkgs // newpkgs); callPackage = pkgs.lib.callPackageWith (pkgs // newpkgs);
newpkgs = { newpkgs = {
mattermost = callPackage ./mattermost {inherit sources;}; mattermost = callPackage ./mattermost.nix {
buildGoModule = unstable.buildGo122Module;
};
morph = callPackage ./morph.nix {
buildGoModule = unstable.buildGo122Module;
};
forgejo = unstable.forgejo;
tracktrain = import sources.tracktrain { tracktrain = import sources.tracktrain {
nixpkgs = pkgs; nixpkgs = unstable;
compiler = "default";
}; };
# a version of the lounge with some extra css that uffd = oldstable.callPackage ./uffd { };
# hides things the hacc-voc doesn't need
thelounge-hacked = pkgs.stdenv.mkDerivation {
name = "thelounge-hacked";
src = pkgs.thelounge;
phases = [ "buildPhase" "installPhase" ]; hacc-scripts = callPackage ./scripts {};
buildPhase = ''
cp $src/* -r .
chmod 777 lib/node_modules/thelounge/public/css/style.css
cat ${./thelounge/css-patch.css} >> lib/node_modules/thelounge/public/css/style.css
'';
installPhase = '' inherit (oldstable) uwsgi flask;
mkdir -p $out
cp * -r $out
'';
};
uffd = callPackage ./uffd {}; # TODO: once on nixos 24.05, remove this inherit
inherit (unstable) lix;
# netbox takes a python3, then overrides stuff on it before using it.
# since overrides don't accumulate, this does both the override we want
# and the one the netbox package would otherwise do, then disables overrides
netbox = pkgs.netbox.override rec {
python3 = (pkgs.python3.override {
packageOverrides = self: super: {
django = super.django_4;
social-auth-core = super.social-auth-core.overrideAttrs ( old: {
patches = [ ./netbox/0001-add-uffd-oauth2-backend.patch ];
} );
};
}) // { override = ignored: python3; };
};
inherit (unstable) vaultwarden vaultwarden-vault;
}; };
in pkgs.extend(_: _: newpkgs) in pkgs.extend(_: _: newpkgs)

85
pkgs/mattermost.nix Normal file
View file

@ -0,0 +1,85 @@
{ lib
, buildGoModule
, fetchFromGitHub
, nix-update-script
, fetchurl
, nixosTests
}:
buildGoModule rec {
pname = "mattermost";
# ESR releases only.
# See https://docs.mattermost.com/upgrade/extended-support-release.html
# When a new ESR version is available (e.g. 8.1.x -> 9.5.x), update
# the version regex in passthru.updateScript as well.
version = "9.11.5";
src = fetchFromGitHub {
owner = "mattermost";
repo = "mattermost";
rev = "v${version}";
hash = "sha256-bLZFeG6kBVP0ws50wtBam/bO206sQnz6va8PATAoRAQ=";
};
# Needed because buildGoModule does not support go workspaces yet.
# We use go 1.22's workspace vendor command, which is not yet available
# in the default version of go used in nixpkgs, nor is it used by upstream:
# https://github.com/mattermost/mattermost/issues/26221#issuecomment-1945351597
overrideModAttrs = (_: {
buildPhase = ''
make setup-go-work
go work vendor -e
'';
});
webapp = fetchurl {
url = "https://releases.mattermost.com/${version}/mattermost-${version}-linux-amd64.tar.gz";
hash = "sha256-jyaJUN8wpuBivKNdm7f1mYwygO8xC+Zxy0SdkDovdsA=";
};
vendorHash = "sha256-Gwv6clnq7ihoFC8ox8iEM5xp/us9jWUrcmqA9/XbxBE=";
modRoot = "./server";
preBuild = ''
make setup-go-work
'';
subPackages = [ "cmd/mattermost" ];
offlineCache = webapp;
tags = [ "production" ];
ldflags = [
"-s"
"-w"
"-X github.com/mattermost/mattermost/server/public/model.Version=${version}"
"-X github.com/mattermost/mattermost/server/public/model.BuildNumber=${version}-nixpkgs"
"-X github.com/mattermost/mattermost/server/public/model.BuildDate=1970-01-01"
"-X github.com/mattermost/mattermost/server/public/model.BuildHash=v${version}"
"-X github.com/mattermost/mattermost/server/public/model.BuildHashEnterprise=none"
"-X github.com/mattermost/mattermost/server/public/model.BuildEnterpriseReady=false"
];
postInstall = ''
tar --strip 1 --directory $out -xf $webapp \
mattermost/{client,i18n,fonts,templates,config}
# For some reason a bunch of these files are executable
find $out/{client,i18n,fonts,templates,config} -type f -exec chmod -x {} \;
'';
passthru = {
updateScript = nix-update-script {
extraArgs = [ "--version-regex" "^v(9\.11\.([0-9.]+))" ];
};
tests.mattermost = nixosTests.mattermost;
};
meta = with lib; {
description = "Mattermost is an open source platform for secure collaboration across the entire software development lifecycle";
homepage = "https://www.mattermost.org";
license = with licenses; [ agpl3Only asl20 ];
maintainers = with maintainers; [ ryantm numinit kranzes mgdelacroix ];
mainProgram = "mattermost";
};
}

View file

@ -1,52 +0,0 @@
{ stdenv, fetchurl, fetchFromGitHub, buildGo118Module, buildEnv, lib, sources }:
let
version = "7.1.4";
mattermost-server = buildGo118Module rec {
pname = "mattermost-server";
inherit version;
src = sources.mattermost-server.outPath;
vendorSha256 = "sha256-98riYN6MaBsKyaueogjXI7x3Lcionk0xcGt4DH684QU=";
subPackages = [ "cmd/mattermost" ];
ldflags = [
"-s"
"-w"
"-X github.com/mattermost/mattermost-server/model.BuildNumber=nixpkgs-${version}"
];
};
mattermost-webapp = stdenv.mkDerivation {
pname = "mattermost-webapp";
inherit version;
src = sources.mattermost-webapp;
installPhase = ''
mkdir -p $out
cp -r client $out
cp -r i18n $out
cp -r fonts $out
cp -r templates $out
cp -r config $out
'';
};
in
buildEnv {
name = "mattermost-${version}";
paths = [ mattermost-server mattermost-webapp ];
meta = with lib; {
description = "Open-source, self-hosted Slack-alternative";
homepage = "https://www.mattermost.org";
license = with licenses; [ agpl3 asl20 ];
maintainers = with maintainers; [ fpletz ryantm ];
platforms = platforms.unix;
};
}

33
pkgs/morph.nix Normal file
View file

@ -0,0 +1,33 @@
{ buildGoModule
, fetchFromGitHub
}:
buildGoModule rec {
pname = "mattermost-morph";
version = "1.1.0";
src = fetchFromGitHub {
owner = "mattermost";
repo = "morph";
rev = "v${version}";
hash = "sha256-Orh/a9OlUVIlDdLXRpDAnHUmWRiM1N2oO+dijbuJzx8=";
};
vendorHash = null;
subPackages = [ "cmd/morph" ];
tags = [ "production" ];
ldflags = [
"-s"
"-w"
"-X github.com/mattermost/mattermost/server/public/model.Version=${version}"
"-X github.com/mattermost/mattermost/server/public/model.BuildNumber=${version}-nixpkgs"
"-X github.com/mattermost/mattermost/server/public/model.BuildDate=1970-01-01"
"-X github.com/mattermost/mattermost/server/public/model.BuildHash=v${version}"
"-X github.com/mattermost/mattermost/server/public/model.BuildHashEnterprise=none"
"-X github.com/mattermost/mattermost/server/public/model.BuildEnterpriseReady=false"
];
}

View file

@ -1,70 +0,0 @@
From 00e282e32b46bb4b6040dc3810599c693306c0ec Mon Sep 17 00:00:00 2001
From: David Croft <david@sargasso.net>
Date: Thu, 24 Mar 2022 11:09:14 +0000
Subject: [PATCH] add uffd oauth2 backend
---
social_core/backends/uffd.py | 51 ++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 social_core/backends/uffd.py
diff --git a/social_core/backends/uffd.py b/social_core/backends/uffd.py
new file mode 100644
index 00000000..fb8ffb62
--- /dev/null
+++ b/social_core/backends/uffd.py
@@ -0,0 +1,51 @@
+from urllib.parse import urlencode
+
+from .oauth import BaseOAuth2
+
+
+class UffdOAuth2(BaseOAuth2):
+ """Uffd OAuth2 authentication backend
+
+ You need to set the following config:
+ SOCIAL_AUTH_UFFD_KEY - client id
+ SOCIAL_AUTH_UFFD_SECRET - client secret
+ SOCIAL_AUTH_UFFD_BASE_URL - base url to uffd installation
+ """
+
+ name = 'uffd'
+ ACCESS_TOKEN_METHOD = 'POST'
+ REFRESH_TOKEN_METHOD = 'POST'
+ SCOPE_SEPARATOR = ' '
+ STATE_PARAMETER = True
+ REDIRECT_STATE = False
+ EXTRA_DATA = [
+ ('id', 'id'),
+ ]
+
+ def get_user_details(self, response):
+ """Return user details from a Uffd account"""
+ fullname, first_name, last_name = self.get_user_names(fullname=response.get('name'))
+ return {
+ 'username': response.get('nickname'),
+ 'email': response.get('email') or '',
+ 'fullname': fullname,
+ 'first_name': first_name,
+ 'last_name': last_name,
+ }
+
+ def user_data(self, access_token, *args, **kwargs):
+ """Loads user data from service"""
+ url = self.userinfo_url() + '?' + urlencode({'access_token': access_token})
+ try:
+ return self.get_json(url)
+ except ValueError:
+ return None
+
+ def authorization_url(self):
+ return self.setting('BASE_URL') + '/oauth2/authorize'
+
+ def access_token_url(self):
+ return self.setting('BASE_URL') + '/oauth2/token'
+
+ def userinfo_url(self):
+ return self.setting('BASE_URL') + '/oauth2/userinfo'
--
2.38.1

16
pkgs/scripts/default.nix Normal file
View file

@ -0,0 +1,16 @@
{ stdenvNoCC, gauche, fish }:
stdenvNoCC.mkDerivation {
name = "hacc-utility-scripts";
src = ./.;
buildInputs = [ gauche fish ];
installPhase = ''
mkdir -p $out/bin
fish -n $out/bin/*.fish
cp *.{scm,fish} $out/bin
chmod +x $out/bin/*
'';
}

View file

@ -0,0 +1,47 @@
#!/usr/bin/env fish
source /run/secrets/auamost/secrets.fish
for i in (seq 1 (count $groups))
set team $teams[$i]
set group $groups[$i]
set users (curl -u $uffd_token --basic https://login.infra4future.de/api/v1/getusers -d group="$group")
set usernames (echo "$users" | jq -c "[.[] | .loginname]")
for user in (echo "$users" | jq -c ".[]")
set id (echo "$user" | jq .id)
set username (echo "$user" | jq .loginname)
set email (echo "$user" | jq .email)
curl -H $mattermost_token \
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users \
-d '{"email": '"$email"', "username": '"$username"', "auth_service": "gitlab", "auth_data": "'"$id"'"}'
end
set userids (curl -H $mattermost_token \
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/usernames \
-d "$usernames" | jq '[.[] | {user_id: .id, team_id: "'$team'"} ]')
curl -H $mattermost_token \
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/batch \
-d "$userids"
if test "$group" = "hacc"
continue
end
set current_members (curl -H $mattermost_token \
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members | jq '[.[] | .user_id]')
# membership relations don't contain e.g. usernames, so fetch those, too
set current_users (curl -H $mattermost_token \
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/ids \
-d "$current_members" | jq -c '.[]')
set userids (echo "$userids" | jq -c ".[].user_id")
for member in $current_users
set id (echo $member | jq .id)
if not contains -i $id $userids > /dev/null then
set id_unquoted (echo $member | jq -r .id)
echo removing $id_unquoted (echo $member | jq '.email') from $team \($group\)
curl -X DELETE -H $mattermost_token \
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/"$id_unquoted"
end
end
end

View file

@ -0,0 +1,121 @@
#!/usr/bin/env gosh
(use gauche.process)
(use text.csv)
(use scheme.list)
(use gauche.parseopt)
(use util.match)
(define cutoff-date "2023-01-01")
(define sqlite-path "/persist/containers/uffd/uffd/db.sqlite")
(define sqlite-query
"select displayname, mail, max(expires) as last_login from oauth2token join user on user_id=user.id group by user_id having last_login < '2023-01-01'
union all select displayname, mail, '2022' from user where not exists (select * from oauth2token where user_id = user.id);")
(define dry #f)
(define verbose #f)
(define very-verbose #f)
(define (main args)
(let-args (cdr args)
((averbose "v|verbose")
(averyverbose "very-verbose")
(adry "n|dry-run")
(help "h|help" => (cut show-help (car args)))
. restargs
)
(set! dry adry)
(set! verbose averbose)
(when averyverbose
(set! verbose #t)
(set! very-verbose #t))
(match restargs
[("admin") (do-admin-mail)]
[("send-reminder") (send-reminder-mails)]
[("list-accounts") (do-list-accounts)]
[_ (display "unknown command") (exit 1)]))
0)
(define (do-admin-mail)
(send-email "admin@hacc.space" "unused accounts list" (mk-admin-mail unused-accounts))
(when verbose
(display "done")))
(define (do-list-accounts)
(display (string-join
(map
(lambda (row) (format "~a (~a)" (list-ref row 0) (list-ref row 1)))
unused-accounts)
"\n")))
(define (send-reminder-mails)
(map (lambda (row)
(send-email (list-ref row 1) "Unbenutzter infra4future.de Account" (mk-email (list-ref row 0) (list-ref row 2))))
unused-accounts)
(when verbose
(display "done")))
(define csv-reader
(make-csv-reader #\,))
(define unused-accounts
(map (lambda (str) (with-input-from-string str csv-reader))
;; (process-output->string-list `(cat example.csv))))
(process-output->string-list `(sqlite3 -csv ,sqlite-path ,sqlite-query))))
(define (mk-email displayname last-login)
#"
Hallo ~|displayname|!
Wir haben schon lange (seit über einem Jahr; dein letzter Login war um ~|last-login|)
nichts mehr von dir gehört und würden demnächst deinen Account löschen wollen.
Solltest du ihn noch benötigen logge dich bitte einfach auf https://login.infra4future.de ein.
Falls nicht, musst du weiter nichts tun und wir werden deine Account in ca. 3 Monaten löschen.
Viele Grüße,
das Infra4Future Team
")
(define (mk-admin-mail rows)
(format #"
Meow!
this is the uffd-unused-accounts-notification.scm script. There are currently
~~s accounts which have not logged in since ~|cutoff-date|. To mass-send account
expiry reminders, invoke this script with the \"send-reminder\" option. To see a
list of these accounts, invoke it with the \"list-accounts\" option.
(invoke me,, 🥺)
" (length unused-accounts)))
; utility definitions
(define (send-email address subject text)
(when verbose
(display (format "sending email to ~a\n" address)))
(let ([text (string-append "from: admin@hacc.space\n" "subject: " subject "\n" text "\n")])
(when very-verbose
(display text))
(call-with-output-process
(if dry '(cat) `(sendmail ,address))
(lambda (port) (display text port))
:on-abnormal-exit :ignore)))
(define (show-help progname)
(display #"
~|progname|: unused account expiry helper script.
Invoke as `~|progname| [options] admin' to send a list of unused accounts to administrators.
Invoke as `~|progname| [options] send-reminder' to send a reminder email to all
currently unused accounts.
Options:
-v --verbose show which emails are being sent
--very-verbose also print emails to stdout
-n --dry-run print emails to stdout instead
-h --help show this help
"))

View file

@ -1,24 +0,0 @@
/* Hides extra fields on connect screen */
.connect-row:nth-of-type(4) {
display: none !important;
}
.connect-row:nth-of-type(2) {
display: none !important;
}
.connect-row:nth-of-type(5) {
display: none !important;
}
/* Hides side panel button */
.header > button:first-child {
display: none !important;
}
/* Hides channel options button (includes leave option) */
.header > button:nth-last-child(2) {
display: none !important;
}

View file

@ -3,13 +3,14 @@
python3Packages.buildPythonPackage rec { python3Packages.buildPythonPackage rec {
pname = "uffd"; pname = "uffd";
version = "2.0.1"; version = "2.0.1";
PACKAGE_VERSION = version;
src = fetchzip { src = fetchzip {
url = "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz"; url = "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz";
hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4="; hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4=";
}; };
patches = [ ./gitea-magic.patch ./fix-setuppy.patch ./fix-userinfo.patch ]; patches = [ ./forgejo-magic.patch ./fix-setuppy.patch ./fix-userinfo.patch ];
propagatedBuildInputs = with python3Packages; [ propagatedBuildInputs = with python3Packages; [
flask flask

View file

@ -16,7 +16,7 @@ index d13fd42..94352be 100644
def userinfo(): def userinfo():
user = request.oauth.user user = request.oauth.user
+ client = request.oauth.client_id + client = request.oauth.client_id
+ if client == "gitea": + if client == "forgejo":
+ return jsonify( + return jsonify(
+ id=user.unix_uid, + id=user.unix_uid,
+ full_name=user.displayname, + full_name=user.displayname,

105
secrets.yaml Normal file
View file

@ -0,0 +1,105 @@
hedgedoc-hacc:
env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
mattermost:
env: ENC[AES256_GCM,data:ftWpGl6+sUMzJJKgfcPLvbFGGn16AKUPzPn8X6DNVMLrxZIkQ23Tk3ekKLKFpQEUtQfFjVlrTfFZezWKs4nVNLg2LmQqJNGMCCax5PRwAgoAsJ7pa9ewNmHT+EIXtZEjQgVfN5786Yno5n/6JJ1lz6EiGmdn7/0rF5TLGjzig17azazS1+lkIYY=,iv:SZvGGKpVRI/odHbmgY8M6t6zCk8RgM+7EQEgRiizglA=,tag:cInsVo/QD85m+LxldyRlnA==,type:str]
tracktrain:
env: ENC[AES256_GCM,data:W3+8qWomPgGJt5u50aAm9x/dilMpqKY11I2AdaIBTz5posc25ts0LB5S/Sxe1ROz4itpDK3QvjoFUTRhS39k4dwMr5lqXV8Ln4B+sPpvh7oBM8A5zydP8Jj1J1YqRt8++RTUmb4z41DIwb/yaZKMu6z0guXIu1yuYzcbCuk0xe/iOp6UUpfjOzzWTvxY54zY6kWcjHLiCSwD31Cd+MxMPfbUEkHt+0W+sBmYXGeEFI/6ULSB6FnGjNW6F9g=,iv:3ymah8HG+Yg6VYZZA/MRRjHDYvYJz01ezvhfQiftegg=,tag:trht+PRYfKgWJkg2wRwISQ==,type:str]
vaultwarden:
env: ENC[AES256_GCM,data:hdm91tI8WBd3es+IUbdBO69kh1pNZTNvZNFIdSZO8lm4yYMPE+Jm7EzVqwOaZRbpQaVDBg7uh5P4ODc=,iv:no7U0wQCwZOeL2pwXf2pUIgrEsEOYwqOT04LvpCl614=,tag:AGSu5M7H69x6pDM062bC6g==,type:str]
auamost:
secrets.fish: ENC[AES256_GCM,data:QBteJdVPSWa4cmu1BVWJ3AMWWH4zIv2+G83fK0QsbA/fYoIU5jobCT3USyujNz+jQaAAxA45jmQbCWNAFLl1q8hP4i9EIikVECx0VKVXPXILBND+w7zPSLldAbOugRYt2iAt1dDADZPtulKlkz7usdafbB+2igLXdyFRLfIxDTOrBuqQ+5yeofQe5k0XWRcmQQ/1AV0JrRrmLmr69VKsR932JWD8XxmI/HFyZPzWdExBSOmvnj+m4K+DV4cVmN4t6XOY0dM3gRQ95DglEuGlp/V2o3GqwY0mXCvhM1eh81u8mPALKp6Pv2i2yU35F01Puf5t1FHGDfzp0bW0xuKEywfGjAOifFkSE/3JFir434B6G0DiJNpOIl6QJ6DA8rSKfuPdccm6Or0zX8iJGRHDJmREQ05V9l0jHAAxLNuNdbsxg+8kCWVVnW+d1YDn9KW7LbFlP+sx4Ef5leUYft/lYhF4Z5Xp3arqVrlebWjWIBEuZeJTnkE3y+TdUUCs360zzWHqsipGmo1+/88CEqL52FfUOlJ4VCR45/7nYZ3RaRBWDGFW8RvwmWSFSstEcEXQ01U8lCwyn40+blfltme3KJ1f+pWMrZAKhPlOlMHCYfjd7esWI2sYcQbTZqxH49GnW6dsW/W+eiLs3zlD/Deb2CugHe63zRdlivmVPOz4zD1PXcCVpEZHoTTiJl7Om9K2mPYq9wQN41wsDUrNL9p8m9UlhWKbjBh5UU7p6F6OhF5rKH/Fs8fIaPi6B8uamTvEmiOGTUWl3vmQjBvhM8fJWoIkRB8hgCisr9OZ,iv:8jVAImjeXbXfiLKg9G0PyLMTV8cAyDmukeittqjKFpQ=,tag:fLIcsWKbdFQ/vPCgi/W3Zw==,type:str]
restic:
s3creds.env: ENC[AES256_GCM,data:9WNu5S4KmdMXdshSpawEjIexAKH6vZCPwb9xyq6xmerly1lxSfFZzgg60M0L3L+I4joLTVi23YBB8Eh6Xfx9GgxNww7w7BjMCQs/X16ecDWlb346TKf+,iv:Gu4CbXXJAlQYXRqOjIAUYmn8EU4mrvcOVc2eCh1Ikzs=,tag:1xpVIonHiAGHsXTY9liPQQ==,type:str]
system: ENC[AES256_GCM,data:RIgO0QHVjwp2D3LoU62vLzepASdsXxu0DqUTA6Voa3K1d4xFHX2u+UR8AcqR,iv:O0K8i5ivne7WU+ygDEUcrvKW6DIfXjVPY63gpfsxEFE=,tag:n/1atQ5qlyB0SMHrYiTCrA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHd0Rrem03aWMwUGgwMlM2
dmRJdVYrRVNBTXZrVk5CdEFYcDRyN3VlcUhvCmE5L0lpbzdxanNBWFU1dEprUC9Y
eUZqdHVmWks2V1g0SHZRN1BsSU96OU0KLS0tIGl1ZUg2aDNtREZWeUE5UXlPeHNG
STcwOFgwK1lpWjdyTkd3c0dBTlAyK28KAKL7rPPH0DNRgL3qqCelAoUPnOy8MydL
t2ft9ZmzkoiSdSt0Ad1U5IImQt9ZzhPtYYnYbiEVNcfuFCnGcqdoPw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvT0M2SmdwNmNyWWZ1V2o5
OHZ4RDlIbTZONXc5Z0FPMm03V3UzVWhaRnhBCjU5dzZlbkZHRkdacG1nUng4S0p6
Q1I5Vjg0Vk5wRzNGZTNONXdCMnpUTEEKLS0tIFo5K0tGdDZpLzNPb0llb0dJdk9u
c3p5UVBjZWlNVkxFMlVaQ3VMVFdhZVUKxcIL/JMBEojPRlDLHUIuxKcMPMEEsTkS
0zLjYVZL7YDS0dKdaZjaExHKrRzRpsY0qpDBHyhcyzRae1sWA4e5Kw==
-----END AGE ENCRYPTED FILE-----
- recipient: age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUmFJc24xV2JGS3dzK25F
SVVXTjBaRUxJQ3hXZXlHYTRzaXZVNjVObEFZCmpPQUV1b0lySkUvcURObm1xNSt4
WVQrbnlvZkQrbzloQzc4NlJCWnlPeGMKLS0tIDBVa2lpUmcrWURwWW8rc3ZmUUU1
U0pGQjJackNhT0d4L2ZIOTdTUjBwcjQKCRWcpevMcv2HsWC4jyc/GzxxjkTEm+UF
4QdXjJAHh2QLxV9aXF/k/KogebCFkBTirmyOhRKtBRkt87d1D9FKUA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWnZFOVFuTnFTMmpVMDFU
dkw4UFlUenZzNkRuNy90NWk4aVNEd2J2Ukc0Cm9mM2dpZEJpVVY4TVB0WUxmTjEw
VFJ3aHB6ZFh5YWptYTZ5cXVjTUNBVkEKLS0tIEx0dVRPVVVacHFCMDhFNE1NMnZy
cUxicklTUGtPeTlnSFV1TUZqR1VmRnMKtJ+Q80SgqW/Jad8aF7pViGANHCsTMNEM
7TbhITW+zWIhnviVS0xOqXrvQs4iBbMfiNnQbFS7tEX08AT2oAg6cw==
-----END AGE ENCRYPTED FILE-----
- recipient: age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzT3ZNenJKWTZ3NjdqNWpR
Zk9Ya3lsT1Jqd0RIWm8xdm16UjFzcFV1aGlBCkRuMllGSFVIUCs4UEJEQVVGQUxK
L1FGNGJwYkFIdU4wOXdFQWt6RSsyR28KLS0tIEgya2xORURncHlvNHJNTnIrb2da
emRETSt4WGFYeXR5UmNSajNpUStKUzAKxgDME0M1ewNE/BrL/wFjF4Yj7GupjRPF
Fuxae5U3phphzOkflQtreM1ScbUGge8WeiSVWY3Pl1azsYo/yqg8Ew==
-----END AGE ENCRYPTED FILE-----
- recipient: age1fm3e99tdyrsvztdchxxllt9nat35xzvd68d09y8scu9jfc7kvvuquhr49c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVEdpZmdSdnBaYnV2RWhT
MmMxQW9PUUJ4enRqNjFIZ25kUEkvdHBpOXdRCmJkSTJyWklhTU5neUlybzR1Nkp6
YlVHczNwRzl0d0hGalpvTFdEUlV3UHMKLS0tIGhQZXEvd2F0aTlna0FNL2wyaEdC
U1oyWXcza08rTG1DS0dUYkZOVWZ4L1kKgpt6jG0lNBMdk/isa1A/tfKYjprnnIo5
pi4t1c7CktFBkhMlOv6VPJCsQlP0YtZUh/uut70Kecv48+YH5gC/8A==
-----END AGE ENCRYPTED FILE-----
- recipient: age16fk0m26n0fr2vmuxm2mjsmrawclde2mlyj6wg3ee9jvzmu5ru3ustgs5jq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRzc5WHAzcWhGSU1kdE1E
Z1B0aFhqYUQzQ2ptK09YMm9odWh3U0w3bmtvCi9IcWFhOFhvYU5ISlVpTURMY2hX
RG5mL1gvNkZ1SDdMZTR4QWxtRG1VUlkKLS0tIFl5UUdIR0JOSmF4OWx1OHBuaFJj
N0FDY2xYRlpmaTgxWURGZWxWWktPV00KAHNeeqhzql4LInlJoD9u7ptFWZBgktvp
tju4cZ/78VgdZIfEfnlzw8lsqpRx1z5Fw8K4CcXRJJLRVfHuj2CHTA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBscDFuL0ZsdWxoUFJBd2xr
ZXh3K0lSUnFmTVFTVHB5bGR2TC9lREdUczJrCnFSaGoyUnJjbXJ5d1lQd0RUcFJt
REkvdEY2NzcveHpQRWZ1STBSemx0SkkKLS0tIGtyN0svS3lYcmxUbVJiU1RaK21l
Ukh0VkVaeVBoOXQ1cmZ6WHNkYjQvTmsKG4914d+pSt1seoKiejoCvATOTaVFN4ih
Y74W+WXyaKoQP3Q9QrbSURpE+ICfblxHmkbsPB/agNzZVWrfyBaX1A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqR01XampvRE92VnZ3OTZs
YmJYaEN2eVJOVWt1OHE1bTdua1ArSC9oVm1ZClBsVFBSWWtLRUoyNDF0NlUwaUpo
b0kyazNwRUFhS0RYd1pGNHNENWxQb28KLS0tIDhzdHhRN1FYczZBMksrM09UWUtJ
bndBTXJhQVE2OVlKeGNTbzJlL0duUzAKIWdesesYvBIN/m36fhzxq30+IT8qp/pF
S6i7QqZF75y2BpEoupRCqNIAsHrouUE+U9ZQJZO8m9J591mWvbVJIw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-26T13:05:44Z"
mac: ENC[AES256_GCM,data:9A8nX155dpCC1cvdH1hgeNKh0tt5FMaOKU7vZQ33jfWbiXOsJbp5iHKXxWOexFc70acyhdweoHwq61oJm2mzVufJIPA55ZAUItQcDXJCCeu6KswHug0tQtKHoCRSwdTdMTRNom4XjrpA/j4WWpuhoilyknycXqTpGHHVSdL2lYg=,iv:N0zwzGtGzAxhbmLzslbkXSr/iKmq5FeyT/iWeE4x2hQ=,tag:yIoLXpqlU2SlVRK5+S/qaw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -1,9 +0,0 @@
{ config, pkgs, ... }:
{
hacc.websites = {
enable = true;
directory = ../websites;
};
}

View file

@ -1,73 +0,0 @@
{ config, lib, pkgs, evalConfig, ... }:
let
# necessary since overlays won't propagate into the
# container's config
thelounge = pkgs.thelounge-hacked;
in
{
containers.thelounge = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.1";
localAddress = "192.168.100.4";
path = evalConfig ({ config, lib, pkgs, profiles, modules, sources, ... }: {
# for some inexplicable reason this does not import nopersist.
# i'm too lazy rn to deal with possible breakages if I add it.
# if you have spoons & nothing else to do, consider this a suggestion!
imports = [ profiles.container ];
nixpkgs.config.allowUnfree = true;
services.thelounge = {
enable = true;
extraConfig = {
public = true;
# respect X-Forwarded-For
reverseProxy = true;
defaults = {
name = "libera chat";
host = "irc.eu.libera.chat";
port = 6697;
# encrypt things!
tls = true;
# yes, please do actually check the cert …
rejectUnauthorized = true;
nick = "haccGuest%%%%";
join = "#hacc-webchat";
};
lockNetwork = true;
# don't log messages (default is text / sqlite)
messageStorage = [];
# darker theme
#theme = "morning";
# these three should result in having link previews
# which are fetched only by the server, then proxied
# (i.e. clients won't directly connect to arbitrary
# domains to get previews)
prefetch = true;
prefetchStorage = true;
disableMediaPreview = true;
leaveMessage = "happy haccing";
};
};
# override the package we use
systemd.services.thelounge.serviceConfig.ExecStart =
pkgs.lib.mkForce "${thelounge}/bin/thelounge start";
});
};
services.nginx.virtualHosts."webchat.voc.hacc.space" = {
locations."/".proxyPass =
"http://${config.containers.thelounge.localAddress}:9000";
enableACME = true;
forceSSL = true;
};
}

View file

@ -1,152 +0,0 @@
{ config, lib, pkgs, inputs, evalConfig, ... }:
let
tracktrain-config = ''
dbstring: "dbname=tracktrain"
gtfs: ./gtfs.zip
warp:
port: 4000
login:
enable: true
url: https://login.infra4future.de
clientname: tracktrain
# clientsecret defined in env file
'';
in
{
services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://192.168.42.41:4000";
proxyWebsockets = true;
};
# note: this shadows the /metrics endpoint of tracktrain
# in case you remove this, please consider putting something
# else here to keep it from being publicly scrapable
locations."/metrics/" = {
proxyPass = "http://192.168.42.41:2342";
proxyWebsockets = true;
extraConfig = ''
rewrite ^/metrics/(.*) /$1 break;
'';
};
};
containers.tracktrain = {
privateNetwork = true;
hostAddress = "192.168.42.40";
localAddress = "192.168.42.41";
autoStart = true;
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/tracktrain";
isReadOnly = false;
};
};
path = evalConfig ({ config, lib, pkgs, profiles, ... }: {
system.stateVersion = "21.11";
imports = [ profiles.nopersist profiles.container ];
users.users.tracktrain = {
group = "tracktrain";
isSystemUser = true;
};
users.groups.tracktrain = {};
systemd.services.tracktrain = {
enable = true;
description = "tracks trains, hopefully";
wantedBy = [ "multi-user.target" ];
requires = [ "network.target" ];
after = [ "network.target" ];
serviceConfig = {
Type = "simple";
EnvironmentFile = "/persist/secrets.env";
User = "tracktrain";
Group = "tracktrain";
};
path = [ pkgs.wget ];
script = ''
mkdir -p /persist/tracktrain
cd /persist/tracktrain
ln -sf ${pkgs.writeText "tracktrain-config.yaml" tracktrain-config} config.yaml
wget "https://ilztalbahn.eu/wp-content/uploads/2020/07/gtfs.zip" || sleep 4; wget "https://ilztalbahn.eu/wp-content/uploads/2020/07/gtfs.zip"
${pkgs.tracktrain}/bin/tracktrain +RTS -T
'';
};
services.postgresql = {
enable = true;
ensureDatabases = [ "tracktrain" ];
ensureUsers = [ {
name = "tracktrain";
ensurePermissions = {
"DATABASE tracktrain" = "ALL PRIVILEGES";
};
} ];
authentication = ''
local all all trust
host all all 127.0.0.1/32 trust
'';
};
services.prometheus = {
enable = true;
port = 9001;
scrapeConfigs = [ {
job_name = "tracktrain";
static_configs = [{
targets = [ "0.0.0.0:4000" ];
}];
} ];
};
services.grafana = {
enable = true;
settings.server = {
serve_from_sub_path = true;
domain = "tracktrain.ilztalbahn.eu";
root_url = "https://%(domain)s/metrics/";
http_port = 2342;
http_addr = "0.0.0.0";
};
settings."auth.generic_oauth" = {
name = "uffd";
enabled = true;
allow_sign_up = true;
empty_scopes = true;
client_id = "ilztalbahn-grafana";
client_secret = "\${GRAFANA_CLIENT_SECRET}";
auth_url = "https://login.infra4future.de/oauth2/authorize";
token_url = "https://login.infra4future.de/oauth2/token";
api_url = "https://login.infra4future.de/oauth2/userinfo";
};
# disables the default login screen. comment out if for some
# reason you do need it
settings.auth.oauth_auto_login = true;
settings.users.auto_assign_org_role = "Admin";
provision = {
enable = true;
datasources.settings.datasources = [ {
url = "http://localhost:9001";
type = "prometheus";
name = "prometheus";
} ];
};
};
systemd.services.grafana.serviceConfig.EnvironmentFile =
"/persist/secrets.env";
});
};
}

View file

@ -0,0 +1,44 @@
# Markdown docs with zola.
[Zola](https://www.getzola.org/) is a static site generated written in Rust
(which you'll notice since sometimes it panics).
To run the site locally:
```
zola serve
```
## Directory Layout
All the important stuff goes into `content`. If you create subdirectories, make
sure you remembered to also create an `_index.md` file for it (if in doubt, just
copy the one at `content/_index.md`); otherwise pages in there won't work.
`templates` is *not* for site templates, but specifies how markdown files should
be turned into html. If an autogenerated link broke, you'll probably have to
change something in there. `sass` and `static` do exactly what they sound like.
It usually shouldn't be necessary to change `config.toml`, but if it is, [here
is the list of all available options](https://www.getzola.org/documentation/getting-started/configuration/).
## File Layout
Markdown files start with a frontmatter that should look something like so:
```markdown
+++
title = "blåhaj"
taxonomies.categories = [ "flausch" ]
+++
[actual markdown goes here]
```
The frontmatter is TOML; the `taxonomies.*` keys are special and can be used to
aggregate posts if enabled in `config.toml` (currently that's only the case for
`categories`, though). See also the [list of all available keys](https://www.getzola.org/documentation/content/page/).
Please don't repeat the page's title in markdown, otherwise it'll appear twice
in the html.

View file

@ -0,0 +1,35 @@
# Zola's configuration file,
#
# see https://www.getzola.org/documentation/getting-started/configuration/
# for available keys.
# The URL the site will be built for
base_url = "https://docs.hacc.space"
compile_sass = true
default_language = "en"
# might be useful — this isn't a blog, obviously, but updates for new entries
# could still be nice, I guess
generate_feed = true
feed_filename = "atom.xml"
build_search_index = true
taxonomies = [
{ name = "categories", feed = false},
]
[markdown]
highlight_code = true
[extra] # user-defined keys
# site title text
main_title = "haccfiles documentation"
# navbar entries
main_menu = [
{url = "$BASE_URL", name = "Home"},
{url = "$BASE_URL/categories", name = "Categories"}
]

View file

@ -0,0 +1 @@
../../docs

View file

@ -0,0 +1,22 @@
{ copyPathToStore, stdenvNoCC, zola, writeShellScriptBin }:
stdenvNoCC.mkDerivation rec {
name = "docs.hacc.space-static";
src = ./.;
content = copyPathToStore ../../docs;
phases = [ "buildPhase" ];
buildInputs = [ zola ];
buildPhase = ''
cp -r $src/* .
rm content
ln -s $content content
zola build --output-dir $out
'';
watch = writeShellScriptBin "watch" ''
cd $(git rev-parse --show-toplevel)/websites/docs.hacc.space
${zola}/bin/zola serve --output-dir /tmp/hacc-docs "$@"
'';
}

View file

@ -0,0 +1,168 @@
@font-face {
font-family: 'share-tech';
src: url('ShareTech-Regular.ttf') format('truetype');
}
html {
overflow: hidden;
height: 100%;
}
body {
background-color: #000;
color: #fff;
overflow-y: auto;
overflow-x: hidden;
height: 100%;
}
#content {
font-family: 'share-tech';
margin-left: auto;
margin-right: auto;
max-width: 60em;
font-size: 16pt;
position: relative;
}
p.subtitle {
font-size: 14pt;
font-style: normal;
color: gray;
}
article {
margin-bottom: 4em;
}
#searchresults {
width: 90%;
text-align: right;
right: 0;
position: absolute;
background-color: black;
top: 5em;
color: gray;
}
#searchresults div {
padding: 0.5em;
border-top: 1px dashed gray;
}
#searchresults div:last-child {
border-bottom: 1px dashed gray;
}
.searchresultprevtext {
white-space: nowrap;
overflow: hidden;
text-overflow: ellipsis;
display: inline-block;
width: 40em;
float: left;
}
footer.content {
top: 50px;
color: #cccccc;
font-size: 14px;
margin-bottom: 4em;
}
footer a {
color: #cccccc;
}
.logo {
position: relative;
width: 100%;
}
.logo > img {
width: 300px;
max-width: 100%;
}
h1 {
font-size: 32pt;
}
#headernav {
text-align: right;
margin: 1em;
}
#headernav > a {
padding: 0.2em;
font-size: 20pt;
font-family: share-tech;
}
h1, h2, h3, h4, h5, h6{
font-weight: 600;
display: inline;
font-family: share-tech;
background: rgb(59,115,185);
background: linear-gradient(90deg, rgb(59, 115, 185) 0%, rgb(229, 35, 33) 100%);
background-clip: border-box;
color: transparent;
-webkit-background-clip: text;
background-clip: text;
}
/*
h4 {
//font-weight: 600;
//display: inline;
font-family: share-tech;
//background: rgb(59,115,185);
//background: linear-gradient(90deg, rgb(59, 115, 185) 0%, rgb(229, 35, 33) 100%);
//background-clip: border-box;
color: #fff;
//-webkit-background-clip: text;
//background-clip: text;
}
*/
a {
text-decoration: none;
color: #3b73b9;
transition: color .1s linear;
}
a:hover {
/*color: #e52321;*/
color: #4e9af9;
}
ul {
margin-top: 0;
}
pre {
padding: 1rem;
overflow: auto;
font-size: 16px;
}
// The line numbers already provide some kind of left/right padding
pre[data-linenos] {
padding: 1rem 0;
}
pre table td {
padding: 0;
}
// The line number cells
pre table td:nth-of-type(1) {
text-align: center;
user-select: none;
}
pre mark {
// If you want your highlights to take the full width.
display: block;
// The default background colour of a mark is bright yellow
background-color: rgba(254, 252, 232, 0.9);
}
pre table {
width: 100%;
border-collapse: collapse;
}

Binary file not shown.

Binary file not shown.

After

Width:  |  Height:  |  Size: 3.7 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 5.2 KiB

View file

@ -0,0 +1,52 @@
function mkDiv (res) {
let div = document.createElement("div");
let a = document.createElement("a");
a.innerText = res.doc.title;
a.href = res.ref;
let text = document.createElement("span");
text.innerText = res.doc.body.slice(0,400).replaceAll("\n", " ");
text.classList.add("searchresultprevtext");
div.appendChild(text);
div.appendChild(a);
return div;
}
window.onload = () => {
console.log("hello!")
let searchbox = document.getElementById("searchbox");
searchbox.innerHTML =
"<input id='searchinput' placeholder='search ...'></input> \
<div id='searchresults' style='display:none'></div>";
let searchinput = document.getElementById("searchinput");
let searchresults = document.getElementById("searchresults");
let index = elasticlunr.Index.load(window.searchIndex);
searchinput.addEventListener("keyup", () => {
let term = searchinput.value.trim();
let results = [];
if (term !== "") {
results = index.search(term, {});
console.log(results);
while (searchresults.lastChild) {
searchresults.removeChild(searchresults.lastChild)
}
if (results.length !== 0) {
let resultdivs = results.map(mkDiv);
resultdivs.map((div) => searchresults.appendChild(div));
} else {
searchresults.innerHTML =
term.length <= 4 ?
"<div>Need at least four characters to search.</div>"
: "<div>No results here.</div>";
}
searchresults.style.display = "initial";
} else {
searchresults.style.display = "none";
}
});
}

View file

@ -0,0 +1,43 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>{{ config.extra.main_title }}</title>
<link rel="icon" type="image/png" href="favicon.png">
<link rel="alternate" type="application/atom+xml" title="Feed" href="{{ get_url(path="atom.xml", trailing_slash=false) }}">
<link rel="stylesheet" href="{{ get_url(path="style.css", trailing_slash=false) | safe }}">
<script src="{{ get_url(path="search_index.en.js", trailing_slash=false) | safe }}"></script>
<script src="{{ get_url(path="elasticlunr.min.js", trailing_slash=false) | safe }}"></script>
<script src="{{ get_url(path="search.js", trailing_slash=false) | safe }}"></script>
{% block head_extra %}
{% endblock head_extra %}
</head>
<body>
<div id="content">
<header style="height:10em">
<a href="{{config.base_url}}"><h2 style="float:left">{{ config.extra.main_title }}</h2></a>
<nav id="headernav" style="float:right">
{% for item in config.extra.main_menu %}
<a itemprop="url"
class="{% if item.url | replace(from="$BASE_URL", to=config.base_url) == current_url %}active{% endif %}"
href="{{ item.url | safe | replace(from="$BASE_URL", to=config.base_url) }}">
{{ item.name }}
</a>
{% endfor %}
<div id="searchbox">
</div>
</nav>
</header>
{% block content %} {% endblock %}
<footer class="content" style="z-index: 200">
<div>
<a href="https://git.infra4future.de/hacc/haccfiles">Source in git</a> &bull;
<a href="https://infra4future.de/impressum.html">Imprint</a>
</div>
</footer>
</div>
</body>
</html>

View file

@ -0,0 +1,12 @@
{% extends "base.html" %}
{% block content %}
<h1 class="title">
{{ section.title }}
</h1>
<ul>
{% for page in section.pages %}
<li><a href="{{ page.permalink | safe }}">{{ page.title }}</a></li>
{% endfor %}
</ul>
{% endblock content %}

View file

@ -0,0 +1,17 @@
{% extends "base.html" %}
{% block content %}
<main>
<h1>Categories</h1>
<p>
{% if terms %}
<ul>
{% for term in terms %}
<li><a href="{{ term.permalink | safe }}">{{ term.name }}</a> ({{ term.pages | length }})</li>
{% endfor %}
</ul>
{% endif %}
</p>
</main>
{% endblock content %}

View file

@ -0,0 +1,12 @@
{% extends "base.html" %}
{% import "post_macros.html" as post_macros %}
{% block content %}
<h1>Posts in category "{{ term.name }}"</h1>
{% for page in term.pages %}
<p>
<h2><a href="{{ page.permalink | safe }}">{{ page.title }}</a></h2>
</p>
{% endfor %}
{% endblock content %}

View file

@ -0,0 +1,15 @@
{% extends "base.html" %}
{% import "post_macros.html" as post_macros %}
{% block content %}
<main>
<article itemscope itemtype="http://schema.org/CreativeWork">
<header>
<h1><a href="{{ page.permalink | safe }}">
{{ page.title }}
</a></h1>
</header>
{{ page.content | safe }}
</article>
</main>
{% endblock content %}

View file

@ -0,0 +1,23 @@
{% extends "base.html" %}
{% block content %}
<main>
{% for page in section.pages %}
<p>
<h3><a href="{{ page.permalink | safe }}">{{ page.title }}</a></h3>
</p>
{% endfor %}
{% for sub in section.subsections %}
{% set subsection = get_section(path=sub) %}
<p>
<h2><a href="{{ subsection.permalink | safe }}">{{ subsection.title }}</a></h2>
{% for page in subsection.pages %}
<p>
<h3 style="margin-left:1em"><a href="{{ page.permalink | safe }}">{{ page.title }}</a></h3>
</p>
{% endfor %}
</p>
{% endfor %}
</main>
{% endblock content %}

View file

@ -0,0 +1,15 @@
{% macro paginator_nav(paginator) %}
<nav>
<p>
{% if paginator.previous %}
<a href="{{ paginator.previous }}">&laquo; Previous</a> |
{% endif %}
<span>Page {{ paginator.current_index }} of {{ paginator.number_pagers }}</span>
{% if paginator.next %}
| <a href="{{ paginator.next }}">Next &raquo;</a>
{% endif %}
</p>
</nav>
{% endmacro paginator_nav %}

View file

@ -0,0 +1,15 @@
{% extends "index.html" %}
{% block content %}
<h1>{{ section.title }}</h1>
<p>{{ section.content | safe }}</p>
<p>Pages in section</p>
<ul>
{% for page in section.pages | reverse %}
<li>
<em> <a href="{{ page.permalink }}"> {{ page.title }} </a> </em>
</li>
{% endfor %}
</ul>
{% endblock content %}

View file

@ -1,4 +1,4 @@
{ stdenvNoCC, sfz, writeScriptBin }: { stdenvNoCC, sfz, writeShellScriptBin }:
stdenvNoCC.mkDerivation rec { stdenvNoCC.mkDerivation rec {
name = "hacc.earth-static"; name = "hacc.earth-static";
@ -13,7 +13,8 @@ stdenvNoCC.mkDerivation rec {
rm $out/default.nix rm $out/default.nix
''; '';
watch = writeScriptBin "watch" '' watch = writeShellScriptBin "watch" ''
${sfz}/bin/sfz -r ${src} "$@" cd $(git rev-parse --show-toplevel)/websites/hacc.earth
${sfz}/bin/sfz "$@"
''; '';
} }

View file

@ -270,10 +270,7 @@
<a href="https://muc.hacc.earth">hacc e.V.</a>, local chapter Munich<sup><a href="#history">*</a></sup> <a href="https://muc.hacc.earth">hacc e.V.</a>, local chapter Munich<sup><a href="#history">*</a></sup>
<ul> <ul>
<li> <li>
<a href="https://web.libera.chat/#hacc">#hacc</a> on irc.libera.chat or as matrix bridge <a href="https://matrix.to/#/#hacc:libera.chat">#hacc:libera.chat</a> <a href="https://webirc.hackint.org/#ircs://irc.hackint.org/#hacc-muc">#hacc-muc</a> on hackint.org or as matrix bridge <a href="https://matrix.to/#/#hacc-muc:hackint.org">#hacc-muc:hackint.org</a>
</li>
<li>
<a href="https://web.libera.chat/#hacc-muc">#hacc-muc</a> on irc.libera.chat or as matrix bridge <a href="https://matrix.to/#/#hacc-muc:libera.chat">#hacc-muc:libera.chat</a>
</li> </li>
<li> <li>
<a href="https://chaos.social/@hacc">@hacc@chaos.social</a> <a href="https://chaos.social/@hacc">@hacc@chaos.social</a>

View file

@ -1,4 +1,4 @@
{ stdenvNoCC, sfz, writeScriptBin }: { stdenvNoCC, sfz, writeShellScriptBin }:
stdenvNoCC.mkDerivation rec { stdenvNoCC.mkDerivation rec {
name = "muc.hacc.earth-static"; name = "muc.hacc.earth-static";
@ -13,7 +13,8 @@ stdenvNoCC.mkDerivation rec {
rm $out/default.nix rm $out/default.nix
''; '';
watch = writeScriptBin "watch" '' watch = writeShellScriptBin "watch" ''
${sfz}/bin/sfz -r ${src} cd $(git rev-parse --show-toplevel)/websites/help.studentsforfuture.info
${sfz}/bin/sfz "$@"
''; '';
} }

View file

@ -6,8 +6,8 @@
<meta name="format-detection" content="telephone=no"> <meta name="format-detection" content="telephone=no">
<meta name="description" content="{% if page.description %}{{ page.description | strip_html | strip_newlines | truncate: 160 }}{% else %}{{ site.description }}{% endif %}"> <meta name="description" content="{% if page.description %}{{ page.description | strip_html | strip_newlines | truncate: 160 }}{% else %}{{ site.description }}{% endif %}">
<link rel="icon" href="{{"/assets/img/favicon.png" | prepend: site.baseurl }}"> <link rel="icon" href="{{"assets/img/favicon.png" | prepend: site.baseurl }}">
<link rel="stylesheet" href="{{ "/assets/css/main.css" | prepend: site.baseurl }}"> <link rel="stylesheet" href="{{ "assets/css/main.css" | prepend: site.baseurl }}">
<!-- Emoji script for chrome --> <!-- Emoji script for chrome -->
<!-- <script src="assets/js/twemoji.min.js"></script>--> <!-- <script src="assets/js/twemoji.min.js"></script>-->

View file

@ -1,4 +1,4 @@
{ jekyll, stdenvNoCC, writeScriptBin }: { jekyll, stdenvNoCC, writeShellScriptBin }:
stdenvNoCC.mkDerivation rec { stdenvNoCC.mkDerivation rec {
name = "infra4future.de-static"; name = "infra4future.de-static";
@ -11,8 +11,9 @@ stdenvNoCC.mkDerivation rec {
${jekyll}/bin/jekyll build -d $out --disable-disk-cache ${jekyll}/bin/jekyll build -d $out --disable-disk-cache
''; '';
watch = writeScriptBin "watch" '' watch = writeShellScriptBin "watch" ''
cd $(git rev-parse --show-toplevel)/websites/infra4future.de
rm -rf /tmp/hacc-website rm -rf /tmp/hacc-website
${jekyll}/bin/jekyll serve -s ${src} --disable-disk-cache -d /tmp/hacc-website ${jekyll}/bin/jekyll serve --disable-disk-cache -d /tmp/hacc-website "$@"
''; '';
} }

View file

@ -1,69 +0,0 @@
---
layout: "simple_page"
title: Infra4future.de - docs
---
# Hallo zusammen 👋️
## Was ist das hier?
Das hier ist der infra4future.de-Server. Aufgebaut und administriert wird er zurzeit von hacc (Hackers against Climate Change) München, nachdem unter einigen Klimaorgas der Wunsch nach einer gemeinsamen Plattform und allgemein einer besseren Infrastruktur als Telegramgruppen aufkam.
Wenn du hier bist, hast du vermutlich deine Mailadresse an einen Admin weitergegeben und bist auf diesen Server eingeladen worden. Schau dich doch einfach mal um!
Die vollständige Übersicht über alle hier betriebenen Dienste findest du auf [infra4future.de](https://infra4future.de).
### Was gibt es hier alles?
Alle wichtigen Funktionen findet ihr oben in der Leiste aufgereiht:
#### Files / Nextcloud:
Files (hier bist du gerade): hier kannst du alle Arten von Dateien ablegen, entweder private Dateien nur für dich, oder Dateien, die du mit einer bestimmten Gruppe von Personen (oder allen hier auf den Server) teilst. Meistens finden sich hier auch Dateien deiner Gruppe. Direkt zu Anfang bekommst du eine Liste mit einigen wichtigen Ordnern angezeigt:
* about: Hier finden sich Informationen über infra4future.de, Anleitungen, hilfreiche Tipps, etc.
* weitere Ordner: üblicherweise solltest du noch mindestens einen Ordner finden, der den Namen deiner Orga trägt. Dieser ist Gruppenintern; nur Menschen aus deiner Gruppe können ihn sehen
* private Ordner/Dateien: du kannst auch selbst Dateien & Ordner erstellen. Sofern du sie nicht mit anderen teilst sind diese privat und können nur von dir eingesehen werden. Bitte beachtet, dass wir nur begrenzte Mittel haben und daher allen Accounts zunächst nur 5 GiB Speicher zur Verfügung gestellt werden (falls ihr mehr braucht, meldet euch bei uns siehe unten)
Natürlich könnt ihr eigene Dateien hochladen, neue Dokumente erstellen oder bereits vorhandene kopieren, verändern (übrigens auch kollaborativ, i.e. zeitgleich mit anderen) oder auf euren eigenen Rechner herunterladen. Das gilt für einfache Textdokumente, aber auch komplexere Dateiformat wie z.B. .odt (auch genutzt z.B. von LibreOffice).
Einzelne Dateien könnt ihr auch kommentieren oder mit tags versehen, nach denen ihr später suchen könnt nützlich ist das z.B. besonders bei Photos.
#### Galerie:
Eine Galerie. Hier werden alle Bilder angezeigt, die auch unter `Files` für dich sichtbar sind.
#### Kalender:
Hier sind Kalender. Ziemlich selbsterklärend — klickt auf einen Tag, um dort einen Eintrag anzulegen. Wie bei Dateien auch gibt es persönliche Kalender (nur für euch) und Kalender, die für ganze Gruppen oder alle einsehbar sind (nützlich für Termine, die viele Betreffen, z.B. den nächsten Streik oder Congress).
#### Deck:
Ein Kanban-Board für Todos. Hier kannst du Aufgaben als kleine "Notizzettel" anlegen, die dann auf verschiedenen Stapeln (z.B. "wichtig", "in Bearbeitung", "Hilfe gesucht", "fertig") abgelegt werden. Ganz nützlich, um komplexere Aufgaben zu sortieren.
Das Prinzip ist evtl. bekannt von Kanban, Wekan, oder auch Trello.
#### Tasks:
Eine etwas traditionellere Todo-Liste. Du kannst Listen für dich selbst oder Gruppen anlegen, und einzelnen Todos beliebig viele Unterpunkte anhängen.
#### Polls:
Hier könnt ihr (öffentliche) Abstimmungen erstellen. Falls ihr innerhalb eurer Gruppe über etwas abstimmen lassen wollt, ist es vieleicht besser stattdessen eine Abstimmung direkt in Mattermost zu erstellen.
#### Forms:
Umfragen (i.e. deutlich allgemeiner als einfache Abstimmungen).
#### Mattermost:
Ein Echtzeit-Chat mit verschiedenen Channels (grob vergleichbar mit Slack oder Rocket.Chat). Evtl. musst du dich hier nochmal gesondert einloggen, da Mattermost nicht selbst Teil von Nextcloud ist.
Mattermost ist auch unter einem eigenen Link erreichbar: [mattermost.infra4future.de](https://mattermost.infra4future.de)
Mattermost hat selbst unterstützung für Abstimmungen, die dann direkt im Chat auftauchen & ggf. einfacher von allen Beteiligten gesehn werden als Nextcloud Polls. Um eine zu erstellen, tippt einfach "/poll" in das Nachrichtenfeld & schickt die Nachricht ab. Es erscheint dann ein Menü zum erstellen der Abstimmung.
### Mehr Infos:
im Ordner `hilfe` findet ihr Handbücher zu den einzelnen Diensten auf diesem Server.

View file

@ -1,29 +0,0 @@
---
layout: "simple_page"
title: Infra4future.de
slogan: Saving the climate with infrastructure
---
# Mobilapps für infra4future.de
Manchmal kann es ganz nützlich sein, auch unterwegs Orga-Kram zu erledigen. Auf diesem Server laufen eine ganze Reihe an Diensten — leider lassen sich die auf Android oder iOS nicht alle in eine App packen, anders als im Browser, wo alles schön oben in der Leiste steht.
Ein grober Überblick:
## Nextcloud (Android/iOS)
Erhältlich: im App Store/Play Store. Nicht durch das blaue Nextcloud-Logo verwirren lassen, es ist die richtige App.
Einrichtung: am Anfang werdet ihr gefragt, auf welchem Server ihr euch anmelden wollt. Dort einfach `cloud.infra4future.de` angeben, dann auf `mit infra4future.de anmelden` und euch mit euren Zugangsdaten dort einloggen.
Die Nextcloud-App gibt es für Android und iOS. Damit habt ihr Zugriff auf Dateien und ein paar weitere grundlegende Sachen. Außerdem gibt es in der Seitenleiste Links auf `Talk` und das `Forum`. Dort müsst ihr euch noch einmal extra anmelden (keine Sorge, die Anmeldedaten sind selbstverständlich dieselben).
## Mattermost
ihr könnt die ganz normale Mattermost-App benutzen; genauso wie bei Nextcloud auch müsst ihr dabei am Anfang einmal angeben, zu welchem Server ihr euch verbinden wollt. Gebt dort einfach `mattermost.infra4future.de` ein, danach werdet ihr auf den normalen Anmeldedialog (auf `login.infra4future.de...`) weiter geleitet. Meldet euch dort an, danach solltet ihr in der App eure Teams & Chat sehen.
## Hilfe suchen
falls etwas nicht wie hier beschrieben funktioniert, sagt uns am besten bescheid: entweder per Mail an admin@infra4future.de oder im IRC #hacc-infra-pub auf `libera.chat`.

View file

@ -39,8 +39,6 @@ Aktuell betreiben wir:
- [Hedgedoc](https://pad.infra4future.de), für schnelle, kollaborative Notizen. - [Hedgedoc](https://pad.infra4future.de), für schnelle, kollaborative Notizen.
- [Gitea](https://git.infra4future.de), eine Hostingplattform für git-Repositories, zum gemeinschaftlichen auf-Software-einhacken. - [Gitea](https://git.infra4future.de), eine Hostingplattform für git-Repositories, zum gemeinschaftlichen auf-Software-einhacken.
Detaillierte Beschreibungen aller Dienste findet ihr [hier](docs/index).
Falls das eure Bedürfnisse noch nicht abdeckt oder ihr andere coole Software haben die ihr gerne benutzen würdet, meldet euch bei uns — wir können nichts versprechen, aber wenn möglich fügen wir gerne auch noch weitere Dienste dazu. Falls das eure Bedürfnisse noch nicht abdeckt oder ihr andere coole Software haben die ihr gerne benutzen würdet, meldet euch bei uns — wir können nichts versprechen, aber wenn möglich fügen wir gerne auch noch weitere Dienste dazu.

View file

@ -1,4 +1,4 @@
{ stdenvNoCC, sfz, writeScriptBin }: { stdenvNoCC, sfz, writeShellScriptBin }:
stdenvNoCC.mkDerivation rec { stdenvNoCC.mkDerivation rec {
name = "muc.hacc.earth-static"; name = "muc.hacc.earth-static";
@ -13,7 +13,8 @@ stdenvNoCC.mkDerivation rec {
rm $out/default.nix rm $out/default.nix
''; '';
watch = writeScriptBin "watch" '' watch = writeShellScriptBin "watch" ''
${sfz}/bin/sfz -r ${src} cd $(git rev-parse --show-toplevel)/websites/muc.hacc.earth
${sfz}/bin/sfz "$@"
''; '';
} }

View file

@ -267,13 +267,10 @@ Of course we also did and do support multiple events and groups in Munich and Ge
<p> <p>
<ul> <ul>
<li> <li>
<a href="https://web.libera.chat/#hacc">#hacc</a> on irc.libera.chat or as matrix bridge <a href="https://matrix.to/#/#hacc:libera.chat">#hacc:libera.chat</a>, general chat in English <a href="https://webirc.hackint.org/#ircs://irc.hackint.org/#hacc-muc">#hacc-muc</a> on hackint.org or as matrix bridge <a href="https://matrix.to/#/#hacc-muc:hackint.org">#hacc-muc:hackint.org</a>, chat of the local chapter Munich in German
</li> </li>
<li> <li>
<a href="https://web.libera.chat/#hacc-muc">#hacc-muc</a> on irc.libera.chat or as matrix bridge <a href="https://matrix.to/#/#hacc-muc:libera.chat">#hacc-muc:libera.chat</a>, chat of the local chapter Munich in German <a href="https://webirc.hackint.org/#ircs://irc.hackint.org/#hacc-voc">#hacc-voc</a> on hackint.org or as matrix bridge <a href="https://matrix.to/#/#hacc-voc:hackint.org">#hacc-voc:hackint.org</a>
</li>
<li>
<a href="https://web.libera.chat/#hacc-voc">#hacc-voc</a> on irc.libera.chat or as matrix bridge <a href="https://matrix.to/#/#hacc-voc:libera.chat">#hacc-voc:libera.chat</a>
</li> </li>
<li> <li>
<a href="https://chaos.social/@hacc">@hacc@chaos.social</a> <a href="https://chaos.social/@hacc">@hacc@chaos.social</a>

View file

@ -1,4 +1,4 @@
{ jekyll, stdenvNoCC, writeScriptBin }: { jekyll, stdenvNoCC, writeShellScriptBin }:
stdenvNoCC.mkDerivation rec { stdenvNoCC.mkDerivation rec {
name = "mumble.infra4future.de-static"; name = "mumble.infra4future.de-static";
@ -11,8 +11,9 @@ stdenvNoCC.mkDerivation rec {
${jekyll}/bin/jekyll build -d $out --disable-disk-cache ${jekyll}/bin/jekyll build -d $out --disable-disk-cache
''; '';
watch = writeScriptBin "watch" '' watch = writeShellScriptBin "watch" ''
cd $(git rev-parse --show-toplevel)/websites/mumble.infra4future.de
rm -rf /tmp/hacc-website rm -rf /tmp/hacc-website
${jekyll}/bin/jekyll serve -s ${src} --disable-disk-cache -d /tmp/hacc-website ${jekyll}/bin/jekyll serve --disable-disk-cache -d /tmp/hacc-website "$@"
''; '';
} }