Compare commits

..

1 commit

Author SHA1 Message Date
9e89ff6aa9
mumble: ssl for everyone :party: 2022-09-24 16:30:14 +02:00
12 changed files with 281 additions and 68 deletions

View file

@ -16,8 +16,10 @@
../../services/hedgedoc-i4f.nix
../../services/mail.nix
../../services/syncthing.nix
../../services/gitlab.nix
../../services/gitea.nix
../../services/nginx-pages.nix
../../services/gitlab-runner.nix
../../services/lantifa.nix
../../services/vaultwarden.nix
../../services/uffd.nix

View file

@ -6,9 +6,13 @@ let
cfg = config.services.mattermost-patched;
defaultConfig = builtins.fromJSON (builtins.replaceStrings [ "\\u0026" ] [ "&" ]
(readFile "${pkgs.mattermost}/config/config.json")
);
database = "postgres://${cfg.localDatabaseUser}:${cfg.localDatabasePassword}@localhost:5432/${cfg.localDatabaseName}?sslmode=disable&connect_timeout=10";
mattermostConf = foldl recursiveUpdate {}
mattermostConf = foldl recursiveUpdate defaultConfig
[ { ServiceSettings.SiteURL = cfg.siteUrl;
ServiceSettings.ListenAddress = cfg.listenAddress;
TeamSettings.SiteName = cfg.siteName;

View file

@ -23,7 +23,7 @@
"homepage": "https://mattermost.com",
"owner": "mattermost",
"repo": "mattermost-server",
"rev": "2ea14ef395fad8919b2f4137642a7f50b370ffba",
"rev": "90c635041053fc53905be5735b0399bfe135080e",
"sha256": "1k5zqnc4yqnad2cw1wpqk22mjra08jz9gf4v692kbrgx3x4d13kh",
"type": "tarball",
"url": "https://github.com/mattermost/mattermost-server/archive/refs/tags/v6.7.2.tar.gz",
@ -75,10 +75,10 @@
"homepage": "",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "eabc38219184cc3e04a974fe31857d8e0eac098d",
"sha256": "04ffwp2gzq0hhz7siskw6qh9ys8ragp7285vi1zh8xjksxn1msc5",
"rev": "4dbec24ea806d348dd8f8e8e80051bbda708726a",
"sha256": "0jjg6cr6jg16fy368p49vpq4al86084jhls135jqqvnf778q43cf",
"type": "tarball",
"url": "https://github.com/nixos/nixpkgs/archive/eabc38219184cc3e04a974fe31857d8e0eac098d.tar.gz",
"url": "https://github.com/nixos/nixpkgs/archive/4dbec24ea806d348dd8f8e8e80051bbda708726a.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixpkgs-unstable": {
@ -87,10 +87,10 @@
"homepage": "",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ae1dc133ea5f1538d035af41e5ddbc2ebcb67b90",
"sha256": "0dq22dagzk76x2ws4dz88w018i6byamd6rnzqizx68bzimg6g7xn",
"rev": "e0169d7a9d324afebf5679551407756c77af8930",
"sha256": "1nr7ih856ca2vl0blim4bz2yxz6cg7jfsx4z096hg0qa5i04zg95",
"type": "tarball",
"url": "https://github.com/nixos/nixpkgs/archive/ae1dc133ea5f1538d035af41e5ddbc2ebcb67b90.tar.gz",
"url": "https://github.com/nixos/nixpkgs/archive/e0169d7a9d324afebf5679551407756c77af8930.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"workadventure": {

View file

@ -31,28 +31,8 @@ let
if spec ? branch then "refs/heads/${spec.branch}" else
if spec ? tag then "refs/tags/${spec.tag}" else
abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
submodules = if spec ? submodules then spec.submodules else false;
submoduleArg =
let
nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0;
emptyArgWithWarning =
if submodules == true
then
builtins.trace
(
"The niv input \"${name}\" uses submodules "
+ "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
+ "does not support them"
)
{}
else {};
in
if nixSupportsSubmodules
then { inherit submodules; }
else emptyArgWithWarning;
in
builtins.fetchGit
({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg);
builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
fetch_local = spec: spec.path;

View file

@ -0,0 +1,64 @@
{config, pkgs, lib, ...}:
{
services.gitlab-runner = {
enable = true;
concurrent = 4;
services = {
infra4future = {
buildsDir = "/persist/var/lib/gitlab-runner/builds";
dockerImage = "nixos/nix";
executor = "docker";
registrationConfigFile = "/persist/var/lib/gitlab-runner/gitlab-runner.env";
};
nix = {
limit = 1; # don't run multiple jobs
registrationConfigFile = "/persist/var/lib/gitlab-runner/gitlab-runner.env";
dockerImage = "alpine";
dockerVolumes = [
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
];
dockerDisableCache = true;
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs
mkdir -p -m 0755 /nix/var/nix/gcroots
mkdir -p -m 0755 /nix/var/nix/profiles
mkdir -p -m 0755 /nix/var/nix/temproots
mkdir -p -m 0755 /nix/var/nix/userpool
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
mkdir -p -m 0700 "$HOME/.nix-defexpr"
. ${pkgs.nix}/etc/profile.d/nix.sh
${pkgs.nix}/bin/nix-env -i ${lib.concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
${pkgs.nix}/bin/nix-channel --update nixpkgs
'';
environmentVariables = {
ENV = "/etc/profile";
USER = "root";
NIX_REMOTE = "daemon";
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
};
tagList = [ "nix" ];
};
};
};
systemd.services.gitlab-runner.serviceConfig = {
DynamicUser = lib.mkForce false;
User = "gitlab-runner";
};
users.users.gitlab-runner = {
home = "/persist/var/lib/gitlab-runner";
extraGroups = [ "docker" ];
isSystemUser = true;
group = "nogroup";
};
virtualisation.docker.storageDriver = "zfs";
}

165
services/gitlab.nix Normal file
View file

@ -0,0 +1,165 @@
{config, pkgs, lib, profiles, modules, evalConfig, sources, ...}:
{
containers.gitlab = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.1";
localAddress = "192.168.100.7";
bindMounts = {
"/persist" = {
hostPath = "/persist/containers/gitlab";
isReadOnly = false;
};
};
path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
boot.isContainer = true;
networking.useDHCP = false;
users.users.root.hashedPassword = "";
imports = [
../modules/mattermost.nix
((import sources.nix-hexchen) {}).profiles.nopersist
];
nixpkgs.config.allowUnfree = true;
networking.firewall.enable = false;
networking.defaultGateway = {
address = "192.168.100.1";
interface = "eth0";
};
services.gitlab = {
enable = true;
databaseCreateLocally = true;
host = "gitlab.infra4future.de";
https = true;
port = 443;
statePath = "/persist/gitlab";
user = "git";
databaseUsername = "git";
initialRootPasswordFile = "/persist/secrets/gitlab-root";
secrets.secretFile = "/persist/secrets/gitlab-secret";
secrets.dbFile = "/persist/secrets/gitlab-db";
secrets.otpFile = "/persist/secrets/gitlab-otp";
secrets.jwsFile = "/persist/secrets/gitlab-jws";
smtp = {
enable = true;
address = "mail.hacc.space";
port = 587;
authentication = "plain";
domain = "gitlab.infra4future.de";
enableStartTLSAuto = true;
username = "noreply@infra4future.de";
passwordFile = "/persist/secrets/noreply-pass";
};
pagesExtraArgs = [ "-listen-proxy" "0.0.0.0:8090" ];
extraConfig = {
pages = {
enabled = true;
host = "4future.dev";
port = 443;
https = true;
};
omniauth = {
enabled = true;
auto_sign_in_with_provider = "oauth2_generic";
allow_single_sign_on = ["oauth2_generic"];
block_auto_created_users = false;
providers = [
{
name = "oauth2_generic";
label = "infra4future Login";
app_id = "gitlab";
app_secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
args = {
client_options = {
site = "https://login.infra4future.de";
user_info_url = "/oauth2/userinfo";
authorize_url = "/oauth2/authorize";
token_url = "/oauth2/token";
};
strategy_class ="OmniAuth::Strategies::OAuth2Generic";
};
}
];
};
};
};
services.redis.enable = true;
services.postgresql.package = pkgs.postgresql_13;
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts."gitlab.infra4future.de" = {
default = true;
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
locations."/".extraConfig = ''
proxy_redirect off;
'';
};
};
services.openssh.enable = true;
services.openssh.passwordAuthentication = false;
users.users.git = {
isSystemUser = true;
group = "gitlab";
home = "/persist/gitlab/home";
uid = 165;
};
services.coredns = {
enable = true;
config = ''
.:53 {
forward . 1.1.1.1
}
'';
};
})).config.system.build.toplevel;
};
# hexchen.nftables.nat.forwardPorts = [{
# ports = [ 22 ];
# destination = "${config.containers.gitlab.localAddress}:22";
# proto = "tcp";
# }];
services.nginx.virtualHosts."gitlab.infra4future.de" = {
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:80";
locations."/".extraConfig = ''
proxy_set_header X-Nginx-Proxy true;
proxy_redirect off;
'';
enableACME = true;
forceSSL = true;
};
services.nginx.virtualHosts."4future.dev" = {
locations."/".proxyPass = "http://${config.containers.gitlab.localAddress}:8090";
serverName = "~^((.*)\.)?4future\.dev$";
useACMEHost = "4future.dev";
forceSSL = true;
};
security.acme.certs."4future.dev" = {
dnsProvider = "cloudflare";
credentialsFile = "/var/lib/acme/cloudflare.pass";
extraDomainNames = [ "*.4future.dev" ];
group = config.services.nginx.group;
};
}

View file

@ -15,9 +15,28 @@
networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
networking.firewall.allowedUDPPorts = [ config.services.murmur.port ];
# the mumble cert has its own group so that both nginx and murmur can read it
# create ssl certs for all used domains
services.nginx.virtualHosts = let
vhost = {
enableACME = true;
forceSSL = true;
};
in {
"mumble.hacc.space" = vhost;
"mumble.infra4future.de" = vhost;
};
# create group to share the certs
users.groups.mumblecert = {};
security.acme.certs."mumble.hacc.space".group = "mumblecert";
users.users.nginx.extraGroups = [ "mumblecert" ];
users.users.murmur.extraGroups = [ "mumblecert" ];
# merge the certs into one and reload murmur on update
security.acme.certs."mumble.hacc.space" = {
group = "mumblecert";
extraDomainNames = [ "pad.infra4future.de" ];
reloadServices = [ "murmur" ];
};
}

View file

@ -349,7 +349,7 @@
<li>Regular meetings of the <a href="https://muc.hacc.earth">hacc e.V.</a>, usually every 1st and 3rd Wednesday 7:30 p.m. at <a href="https://muc.ccc.de/">muCCC</a>. At the moment we meet online on <a href="https://mumble.hacc.space/">mumble.hacc.space</a>.</li>
<li>Meetings of <a href="https://hacc.uber.space/HACC/Europe/DE/NRW/Siegen">Klimanotstandbündnis in Siegen</a>. See hacc group page.</li>
<li>
Propose changes to the hacc e.V. infrastructure. You can open an issue or open a merge request <a href="https://git.infra4future.de/hacc/haccfiles">on the nixfiles</a> which control a growing part of our infrastructure. Or just ask us via one of hacc e.V. channels above.
Propose changes to the hacc e.V. infrastructure. You can open an issue on our <a href="https://gitlab.infra4future.de/hacc/infra/meta">meta discussion repository</a> or (if you are familiar with Nix) open a merge request <a href="https://gitlab.infra4future.de/hacc/infra/haccfiles">on the nixfiles</a> which control a growing part of our infrastructure. Or just ask us via one of hacc e.V. channels above.
</li>
<li>
Add you or your project to the <a href="https://e2h.totalism.org/e2h.php?_=hacc-directory#---_PROJECTS">hacc directory</a>
@ -438,7 +438,7 @@ Unfortunately conflicts led to a split between the local chapter Munich and CHT
<h1>About this page<span class="blink"></span></h1>
<p>
The hacc e.V. runs this page (<a href="https://hacc.earth">hacc.earth</a>) but not necessarily the linked projects. You can find more about our activities and involvements on our <a href="https://muc.hacc.earth">own page</a>.<br>
Also the source of the page can be found <a href="https://git.infra4future.de/hacc/haccfiles/src/branch/main/websites/hacc.earth">here</a>. As with the hacc e.V. infrastructure in general you are invited to make change requests or just <a href="#contac">contact</a> us to ask for changes.
Also the source of the page can be found <a href="https://gitlab.infra4future.de/hacc/infra4future/hacc.earth">here</a>. As with the hacc e.V. infrastructure in general you are invited to make change requests or just <a href="#contac">contact</a> us to ask for changes.
</p>
<p>
The hacc logo was designed by <a href="https://creativesforfuture.de/">Creatives for Future</a>.
@ -451,7 +451,7 @@ The hacc logo was designed by <a href="https://creativesforfuture.de/">Creatives
</main>
<footer class="content" style="z-index: 200">
<div>
<a href="https://git.infra4future.de/hacc/haccfiles/src/branch/main/websites/hacc.earth">Source of hacc.earth</a> &bull;
<a href="https://gitlab.infra4future.de/hacc/infra4future/hacc.earth">Source of hacc.earth</a> &bull;
<a href="#contact">Contact</a> &bull;
<a href="https://infra4future.de/impressum.html">Imprint</a>
</div>

View file

@ -317,7 +317,8 @@
<li>Regelmäßige Treffen von <a href="https://hacc.uber.space/HACC/Europe/DE/BY/Munich">hacc in München</a>, normalerweise jeden ersten und dritten Mittwoch im Monat um 19:00 Uhr beim <a href="https://muc.ccc.de/">muCCC</a>. Im Moment treffen wir uns Online auf <a href="https://mumble.hacc.space/">mumble.hacc.space</a>.</li>
<li>Regelmäßige Treffen des <a href="https://hacc.uber.space/HACC/Europe/DE/NRW/Siegen">Klimanotstandbündnis in Siegen</a>. Jeden zweiten Sonntag, siehe hacc-Seite.</li>
<li>
Wenn du Vorschläge für Änderungen an unserer Infrastruktur hast, leg bitte einen Issue oder erstelle einen Merge Request <a href="https://git.infra4future.de/hacc/haccfiles">auf die nixfiles</a>, über die wir einen (größer werdenden) Teil unserer Server verwalten.
Wenn du Vorschläge für Änderungen an unserer Infrastruktur hast, leg bitte einen Issue <a href="https://gitlab.infra4future.de/hacc/infra/meta">in unserem Meta-Diskussions-Repo</a> an,
oder (falls du Nix kennst) erstelle einen Merge Request <a href="https://gitlab.infra4future.de/hacc/infra/haccfiles">auf die nixfiles</a>, über die wir einen (größer werdenden) Teil unserer Server verwalten.
</li>
</ul>

View file

@ -40,30 +40,5 @@ Falls das eure Bedürfnisse noch nicht abdeckt oder ihr andere coole Software ha
# Frequently Asked Questions
{% include faq.html question="Wo kann ich meinen Account bearbeiten?"
answer="Dein Passwort, deine Mailadresse und deinen Anzeigenamen kannst du
auf [login.infra4future.de](https://login.infra4future.de) bearbeiten." %}
{% include faq.html question="Wie füge ich Menschen zu meiner Gruppe hinzu?"
answer="Da alle Accounts zentral über
[login.infra4future.de](https://login.infra4future.de) verwaltet werden,
werden auch die Zugehörigkeiten zu einzelnen Gruppen dort verwaltet.
Natürlich gibt es auch Gruppen bzw. Teams in Mattermost und Nextcloud; diese
werden möglichst automatisch auf einem Stand mit login.infra4future.de gehalten.
Leider gilt das nicht anders herum — fügt also bitte neue Leute nicht direkt
in Mattermost zu eurem Team hinzu, sondern auf login.infra4future.de oder schickt
ihnen einen Einladungslink. Andernfalls kann es sein, dass sie automatisch
wieder entfernt werden.
" %}
{% include faq.html question="Wie erstelle ich Einladungslinks für meine Gruppe?"
answer="Wenn du Teil der Moderation deines Teams bist, kannst du Einladungslinks
unter [login.infra4future.de/invite](https://login.infra4future.de/invite)
erstellen. Diese können sowohl benutzt werden, um neue Accounts zu erstellen,
als auch, um mit einem bereits existierenden Account einer weiteren Gruppe
beizutreten.
" %}

View file

@ -16,7 +16,7 @@ title: Infra4future
1. Geltungsbereich der Nutzungsbedingungen
(1) Diese Nutzungsbedingungen gelten für das Online-Angebot Infra4future, das im Internet unter cloud.infra4future.de, talk.infra4future.de, mattermost.infra4future.de, login.infra4future.de, git.infra4future.de, 4future.dev und discuss.infra4future.de abrufbar ist. Hierbei handelt es sich um eine Plattform, auf der Nutzer Profile anlegen können.
(1) Diese Nutzungsbedingungen gelten für das Online-Angebot Infra4future, das im Internet unter cloud.infra4future.de, talk.infra4future.de, mattermost.infra4future.de, auth.infra4future.de, social.infra4future.de, gitlab.infra4future.de, survey.infra4future.de, live.infra4future.de, 4future.dev und discuss.infra4future.de abrufbar ist. Hierbei handelt es sich um eine Plattform, auf der Nutzer Profile anlegen können.
(2) Sie können die derzeit gültigen Nutzungsbedingungen unter infra4future.de/nutzungsbedingungen.html abrufen und ausdrucken.

View file

@ -300,11 +300,14 @@ Of course we also did and do support multiple events and groups in Munich and Ge
<ul>
<li>Regular meetings of the <a href="https://muc.hacc.earth">hacc e.V.</a>, usually every 1st and 3rd Wednesday 7:30 p.m. at <a href="https://muc.ccc.de/">muCCC</a>. At the moment we meet online on <a href="https://mumble.hacc.space/">mumble.hacc.space</a>.</li>
<li>Regular matinanence of the <a href="https://muc.hacc.earth">hacc e.V.</a> infrastrucutre, usually the Wednesday after the regular meeting sometime in the evening. Normally coordinated on <a href="https://mumble.hacc.space/">mumble.hacc.space</a>.</li>
<li>Help us running the hacc e.V. infrastructure like <a href="https://infra4future.de">infra4future.de</a>. You can open an issue or create a merge request <a href="https://git.infra4future.de/hacc/haccfiles">on the nixfiles</a> which control a growing part of our infrastructure. Or just ask us via one of hacc e.V. channels above.
<li>Help us running the hacc e.V. infrastructure like <a href="https://infra4future.de">infra4future.de</a>. You can open an issue on our <a href="https://gitlab.infra4future.de/hacc/infra/meta">meta discussion repository</a> or (if you are familiar with Nix) open a merge request <a href="https://gitlab.infra4future.de/hacc/infra/haccfiles">on the nixfiles</a> which control a growing part of our infrastructure. Or just ask us via one of hacc e.V. channels above.
</li>
<li>
Interested in streaming and recording? Get in <a href="#contact">contact with hacc-voc</a>
</li>
<li>
<a href="https://hacc.4future.dev/infra4future/blog-zola">The hacc blog</a> can always use input. It's based on <a href="https://getzola.org">zola</a>. The source of our blog is <a href="https://gitlab.infra4future.de/hacc/infra4future/blog-zola">here</a>.
</li>
<li>
Use the <a href="https://hacc.wiki">wiki</a> and add your project!
</li>
@ -400,11 +403,11 @@ registered at the local court Munich VR 208921
<li>raphael or rw</li>
<li>zauberberg</li>
<li>moira</li>
</ul>
</ul
</li>
<li><a href="https://git.infra4future.de/hacc/satzung">Satzung</a> (statutes)</li>
<li><a href="https://git.infra4future.de/hacc/mitgliedsantrag">Mitgliedsantrag</a> (membership application)</li>
<li><a href="https://git.infra4future.de/hacc/zuwendungen">Vereinfachter Spendennachweis</a> (simplified proof of donation)</li>
<li><a href="https://gitlab.infra4future.de/hacc/verein/satzung">Satzung</a> (statutes)</li>
<li><a href="https://gitlab.infra4future.de/hacc/verein/mitgliedsantrag">Mitgliedsantrag</a> (membership application)</li>
<li><a href="https://gitlab.infra4future.de/hacc/verein/zuwendungen">Vereinfachter Spendennachweis</a> (simplified proof of donation)</li>
</ul>
</p>
<p>
@ -427,7 +430,7 @@ Germany<br>
<div class="section">
<h1>About this page<span class="blink"></span></h1>
<p>
The source of the page can be found <a href="https://git.infra4future.de/hacc/haccfiles/src/branch/main/websites/muc.hacc.earth">here</a>. As with the hacc e.V. infrastructure in general you are invited to make change requests or just <a href="#contac">contact</a> us to ask for changes.
The source of the page can be found <a href="https://gitlab.infra4future.de/hacc/infra4future/muc.hacc.earth">here</a>. As with the hacc e.V. infrastructure in general you are invited to make change requests or just <a href="#contac">contact</a> us to ask for changes.
</p>
<p>
The hacc logo was designed by <a href="https://creativesforfuture.de/">Creatives for Future</a>.
@ -440,7 +443,7 @@ The hacc logo was designed by <a href="https://creativesforfuture.de/">Creatives
</main>
<footer class="content" style="z-index: 200">
<div>
<a href="https://git.infra4future.de/hacc/haccfiles/src/branch/main/websites/muc.hacc.earth">Source of muc.hacc.earth</a> &bull;
<a href="https://gitlab.infra4future.de/hacc/infra4future/muc.hacc.earth">Source of muc.hacc.earth</a> &bull;
<a href="#contact">Contact</a> &bull;
<a href="https://infra4future.de/impressum.html">Imprint</a>
</div>