Compare commits

..

476 commits

Author SHA1 Message Date
c6dc74b3b7 flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/e2589a4d25269cfa6a22022d01cd740d8abaa82b' (2024-10-21)
  → 'github:NixOS/nixpkgs/ef498e16f8a10e92d559e1f6e01412444acefaff' (2024-10-27)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/a5e6a9e979367ee14f65d9c38119c30272f8455f' (2024-10-21)
  → 'github:NixOS/nixpkgs/e4735dbdda8288aef24141f3ae8848a14f06fe08' (2024-10-27)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/c504fd7ac946d7a1b17944d73b261ca0a0b226a5' (2024-10-20)
  → 'github:Mic92/sops-nix/1666d16426abe79af5c47b7c0efa82fd31bf4c56' (2024-10-27)
2024-10-28 11:23:30 +01:00
60acc52ec7 do not restart the uffd unused accounts notifier on each deploy 2024-10-28 11:22:17 +01:00
7be555013a uffd script: fix subject/from header 2024-10-28 00:30:43 +01:00
ca0c1192a0 pkgs/scripts: uffd-unused-accounts-notification.scm
this is a helper script to send emails to people who've not logged in
for a while (currently hard-coded to "since 2023-01-01"). It also sends
weekly reminders to admins giving the current number of unused accounts.

It is in $PATH for all normal users; for usage, invoke it with --help,
or just see the email it send to admin@.
2024-10-25 18:49:04 +02:00
0caa57a30e update inputs 2024-10-21 18:50:12 +02:00
60c661317c update inputs 2024-10-14 13:30:09 +02:00
a5dd06225b
parsons/nftables: don't log refused connections 2024-10-11 14:22:52 +02:00
1d92eb6de9
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/90fe4c0103687f9c6124b783762deee2561d335a' (2024-10-07)
  → 'github:NixOS/nixpkgs/c505ebf777526041d792a49d5f6dd4095ea391a7' (2024-10-11)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/dbddb7982786880db5849eef097107bceef1b165' (2024-10-07)
  → 'github:NixOS/nixpkgs/7045aa75c71e90ae3bbb486d35414b08add9c424' (2024-10-11)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/2750ed784e93e745a33fb55be7c2657adfb57c00' (2024-10-06)
  → 'github:Mic92/sops-nix/06535d0e3d0201e6a8080dd32dbfde339b94f01b' (2024-10-08)
2024-10-11 14:17:24 +02:00
2d99878838
mattermost: 9.11.2 → 9.11.3
this is a security release. announcement by upstream:
https://mattermost.com/blog/mattermost-security-updates-10-0-1-9-11-3-esr-9-5-11-esr-released/
2024-10-11 14:16:18 +02:00
da3795d35b update inputs 2024-10-07 15:54:27 +02:00
41670c996f
flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/e91cee8db967c83f041119233779caa73ff5f328' (2024-09-29)
  → 'github:NixOS/nixpkgs/6adbd5b505bb0255c30c6e9b22b5f345601afc46' (2024-10-02)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/a6d0207fea9212d28cd3d487efe6bc699663b93a' (2024-09-30)
  → 'github:NixOS/nixpkgs/c98ddb920493f24dd57ea34a18dafdbd16eeace0' (2024-10-03)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/127a96f49ddc377be6ba76964411bab11ae27803' (2024-09-27)
  → 'github:Mic92/sops-nix/3198a242e547939c5e659353551b0668ec150268' (2024-09-30)
2024-10-03 12:50:20 +02:00
b409d603a9 update inputs 2024-09-30 14:47:42 +02:00
6cd10a640c mattermost: 9.11.1 → 9.11.2
this is a security release. announcement by upstream:
https://mattermost.com/blog/mattermost-security-updates-9-11-2-esr-9-10-3-9-5-10-esr-released/
2024-09-27 15:22:05 +02:00
cb7975e778 update inputs 2024-09-23 17:48:25 +02:00
697bbedd41 update inputs 2024-09-16 13:43:49 +02:00
2ef1aeca1b update inputs 2024-09-09 12:00:17 +02:00
d27d9e8722 update inputs 2024-09-02 20:39:22 +02:00
c295604a13 flake.nix: expose mattermost under packages.*
this makes it easier to update, e.g. by doing "nix-update -F
mattermost".
2024-08-30 17:56:10 +02:00
4dc9cdac91 flake.nix: move websites from packages.* to apps.*
this should not change their behaviour with "nix run", which was
the reason for putting them there in the first place (however, it does
remove the ability to build them with "nix build", but afaik this has
never been used by anyone).

This means the packages.* output is now left unused, so we can use it
instead for things that actually are programs which want to expose
(see the next commit after this one for an example).
2024-08-30 17:55:03 +02:00
67da5a7c8a mattermost 9.11.0 → 9.11.1
this is a security release. announcement by upstream:
https://mattermost.com/blog/mattermost-security-updates-9-11-1-9-10-2-9-9-3-9-5-9-esr-released/
2024-08-30 17:41:49 +02:00
272b3e6e51 update inputs 2024-08-28 13:31:50 +02:00
4d5e82a0d9 mattermost: disable the big blue buttom plugin
this has not been used for quite some time, and since the new mattermost
version displays the plugin's button more prominently it's now definitly
time to remove this.
2024-08-19 22:05:03 +02:00
1cc938a0b8 update inputs 2024-08-19 21:30:40 +02:00
c3c7fe44de mattermost: jump ESR versions (9.5.x → 9.11.x) 2024-08-17 22:01:18 +02:00
eaa25de128 mattermost: make it work with nix-update
this mirrors a change in the nixpkgs definition: the nix-update script
has a hardcoded list of attributes it will update. We can re-use one of
them to make it update mattermost's web frontend at the same time as it
updates mattermost itself.

The list of attribute names is here:
  https://github.com/Mic92/nix-update/tree/1.3.1?tab=readme-ov-file#features
original nixpkgs commit by numinit was
  1451a58a57e1bd1592460268bdde30cf72923010
  1451a58a57
2024-08-17 21:58:50 +02:00
5d598bafaa update inputs 2024-08-12 13:41:58 +02:00
79610d6adc update inputs 2024-08-04 19:15:48 +02:00
ea2500ff79 update inputs 2024-07-29 20:29:33 +02:00
34a27e9dc8 mattermost 9.5.7 → 9.5.8
this is a security release. announcement by upstream:
Link: https://mattermost.com/blog/mattermost-security-updates-9-10-1-9-9-2-9-8-3-9-5-8-esr-released/
2024-07-26 17:13:06 +02:00
960426f68f Revert "s4f-conference: another mattermost"
This reverts commit d933a6ef98.

The conference was held months ago, and as agreed beforehand, we would
delete this instance after two months, which is now.

This revert was partially done by hand, since sops does not play nice
with automated git merged (these lead to mac mismatches).
2024-07-26 15:06:04 +02:00
87b1f4a0eb nextcloud28 → nextcloud29 2024-07-25 18:37:43 +02:00
9e7f02ae7b update inputs 2024-07-22 22:28:22 +02:00
47ee7ac1ab update inputs 2024-07-15 15:26:10 +02:00
db2d353029 inputs: make sops-nix/nixpkgs follow nixpkgs-unstable
deduplicates our nixpkgs instances a little
2024-07-15 15:25:33 +02:00
84dddea096 mattermost 9.5.6 → 9.5.7
this is a security release. announcement & changelog by upstream:
  https://mattermost.com/blog/mattermost-security-updates-9-9-1-9-8-2-9-7-6-9-5-7-esr-released/
2024-07-14 22:45:56 +02:00
e88833120a update inputs 2024-07-08 21:34:27 +02:00
d1e5820166 tracktrain: update
this includes the jump to conftrack, a custom-written configuration
library that'll hopefully be less annoying to deal with than conferer.

It's very much unstable & somewhat incomplete software for now, but
should hopefully reach a stable state soon (this deployment is thus
basically part of testing it).

It also means we can finally write camelCase in config keys without
having the config library fail on us!
2024-07-05 23:12:20 +02:00
5fe7a12b74 forgejo: unbundle, use from nixos-unstable-small
this is almost a revert of 147fe172d9,
but we now use the forgejo package of nixos-unstable-small instead of
that from stable nixos.

we were never noticably faster than forgejo maintainance upstream (turns
out that unlike mattermost, some services actually get updated in time);
no update was ever more than just copying the latest upstream package
recipe.

As a side-effect, this also updates forgejo to 7.0.5, which is a
security release:
  https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#7-0-5
2024-07-05 13:24:13 +02:00
fbeaf68490 nextcloud: longer startup timeout
it sometimes takes a long while to boot & signal being ready to systemd,
which will kill it after the timeout is reached, after which it's rinse
and repeat and yay for a boot loop.
2024-07-02 15:11:38 +02:00
2de13398e6 update nixpkgs-unstable-small
this includes the fix for a remote code excecution as root
 https://github.com/NixOS/nixpkgs/pull/323761
 (probably CVE-2024-6387)

annoyingly it did not bump the version number (to check that the fix
is indeed there, one has to check wich patches are applied).

it also adds nextcloud to the permitteed insecure packages because we
again didn't update it in time (in fairness, it is also broken).

fun irony!
2024-07-01 14:47:37 +02:00
89dd5499a4 update inputs 2024-06-24 17:48:24 +02:00
cabc8706a3 hotfix: set monit onlyoffice (re)start to config 2024-06-19 21:01:03 +02:00
b314c296b2 update to nixos 24.05 2024-06-19 20:51:44 +02:00
8dcc83b017 update inputs 2024-06-17 17:27:51 +02:00
7a05ceb813 forgejo 7.0.2 → 7.0.4
copies the state of 7.0.3 on nixpkgs master, updates to 7.0.4
2024-06-13 21:03:56 +02:00
5f982dad47 update inputs 2024-06-10 01:24:54 +02:00
f045684f7a mattermost 9.5.5 → 9.5.6
this is a security release. announcement & information by upstream:
https://mattermost.com/blog/mattermost-security-updates-9-8-1-9-7-5-9-6-3-9-5-6-esr-released/
2024-06-04 22:02:39 +02:00
47869a3c8d update inputs 2024-05-27 21:17:42 +02:00
1f871af807 s4f-conference: increase MaxUsersPerTeam 2024-05-22 21:25:07 +02:00
cca5abe131 update tracktrain 2024-05-22 20:20:24 +02:00
83d800164c update inputs
note: tracktrain is now built on nixpkgs-unstable haskell packages;
using nixpkgs-stable with a newer version of haskellPackages.filepath is
unfortunately broken for now.

We can move back to nixpkgs-stable with it once the 24.05 release has
happened.
2024-05-21 17:44:15 +02:00
4ffedfe532 s4f-conference: allow larger uploads
they should probably be using nextcloud for this, but i can't be
bothered to make them a group there, so here we go 🤷
2024-05-21 17:38:34 +02:00
285a8e6a8e mattermost: switch to postgresql
this depends on a whole lot of imperative nonsense being done at the
same time, which i have done.

of special interest to anyone attempting to understand this is
 https://docs.mattermost.com/deploy/postgres-migration.html
for the general shape of incompetence at work,
 https://docs.mattermost.com/install/setting-up-socket-based-mattermost-database.html#with-unix-socket
for yet another interesting syntax for database connection strings, and
 https://github.com/dimitri/pgloader/issues/782#issuecomment-502323324
for a truly astonishing take on how to do database migrations, which
unfortunately i have followed.

As far as I can tell, everything has kept working. Downtime was mostly
spent understanding connection string syntax and their horribly buggy
parsers.

Note for people with server access:
 - i have kept the temporary files (including logs) around in
   /persist/migration inside the container should we ever need them
   again
 - there's a zfs snapshot @pre-postgres with the old state
2024-05-19 23:26:53 +02:00
ed667e15e9 mattermost: packages required for migration 2024-05-19 23:24:26 +02:00
75cc371c01 pkgs: add morph, a mattermost migration tool
this is preliminary work for migrating mattermost from mysql to
postgresql.

This tool is specific to mattermost, but at least it's easy enough to
build. I'm not sure if it makes sense to upstream, but I guess we can
keep it around here.
2024-05-19 23:23:30 +02:00
0a208223c8 update tracktrain
this is a small (temporary) bugfix
2024-05-19 18:08:16 +02:00
8b6ce305d7 mattermost: 9.5.4 → 9.5.5
this is a security release. upstream information:
https://mattermost.com/blog/mattermost-dot-releases-9-7-4-and-9-5-5-esr-released/
2024-05-17 21:08:24 +02:00
215bed6418 update tracktrain 2024-05-16 22:17:09 +02:00
147fe172d9 bundle forgejo @ v7.0.2
this bundles the current package recipe of forgejo in nixpkgs-unstable.
Implies updating forgejo, since nixpkgs-stable is still on 1.20.6 (v6 in
the new version scheme).

This'll mean we have to manually update it same as with mattermost, and
can potentially also help with upstream changes. If we get tired of
that, we can always decide to just use the nixpkgs-unstable version
directly.
2024-05-16 19:06:15 +02:00
2cd0de8eeb common: add sqlite-interactive to systemPackages
we have stuff stored in sqlite, might as well have the client available
by default, given how often we use it.

sqlite-interactive is an override on sqlite in nixpkgs which enables
support for readline & ncurses, which are off by default.
2024-05-15 22:42:18 +02:00
3e40d82579 common: *licks the infra*
Since Lix is now in nixpkgs-unstable-small, I think it's a good time to
use it. This does mean that we now pull in our nix implementation from
an unstable channel, but overall I'm more confident in the Lix team's
ability to not break things than I am in the Nix team's ability to
backport (& then actually release) security updates.

(once Lix is on a stable channel, we can switch back to using it from there)
2024-05-13 14:42:39 +02:00
f749f4ed48 update inputs 2024-05-13 14:39:43 +02:00
679df4d856 mattermost: remove outdated comment
this is misleading and incorrect, the option does work, and is not also
set in the secrets env file.
2024-05-08 14:33:14 +02:00
05af3ac4f8 mattermost: don't pretend we use postgresql
I have little idea what happened here, but this postgres is entirely
unused. The actual database is in mysql, and always has been — the
postgres does contain a mattermost database with the correct tables, but
these are empty.
2024-05-08 14:33:14 +02:00
efadc5ada9 monit: increase delay for deployed-commit-on-main
there's little point in having it alert while people are working on the
config & test-deploying things; it's meant to remind later, in case we
forget committing the result.
2024-05-08 14:33:14 +02:00
d933a6ef98 s4f-conference: another mattermost
this one's not connected to our SSO and intended for short-term use
only, after which it will be deleted again.

I've gone through at least some of mattermost's options to see how many
of these are actually relevant anymore. Some can be left out.

Unlike the other mattermost it also doesn't use any mysql.
2024-05-08 14:32:52 +02:00
6e84a9f9f8 tracktrain: bugfix update 2024-05-04 02:30:35 +02:00
8c3d3bf6db monitoring: warn if no deploy for 10 days
this is not entirely accurate — the lastModified attribute of a flake's
self-input gives the date of the last commit, not the last deploy. But I
figure it's close enough and less obscure to check than reading in the
last date via nix-env.

inspired by: we did no server updates for two weeks.
2024-05-02 22:33:47 +02:00
972a26163a update inputs 2024-05-02 22:33:40 +02:00
27b8ef6784 tracktrain: update
This is the initial version for this year's run of absurd train
operations. I won't dare to call it a release for at least another month
or so, so no version number.

Changes done in our nixfiles:
 - tracktrain now needs ntfy-sh so people (read: I) can get push
   notifications if things break or at least look a little weird
 - I removed the grafana instance; seems like somewhere in the last year
   they changed how to host it under a sub-path (ours was at /metrics),
   so it broke, and I'm not feeling any particular urge to fix it
 - last year's database contents have been yoten
 - also manually updated the gtfs (though I intend to implement logic
   for fetching it in tracktrain, I first need to drag Ilztalbahn into
   actually publishing up-to-date versions again first)
2024-05-02 00:33:39 +02:00
8662943183 mattermost 9.5.2 → 9.5.3 2024-04-28 10:53:52 +02:00
f9005dd4d0 forgejo/openssh: listen on all interfaces
this doesn't help us with anything yet, but it does at least mean that
this openssh now also listens on IPv6, which it didn't before.

(reaching the container from the outside still does not work)
2024-04-27 23:19:20 +02:00
f654b33a56 modules/containers: a hacc-specific containers module
this started with emily pointing out to me that it's possible to
generate IP addresses for containers in Nix (hence no need to worry
about ever having collisions, as we had before), but then I thought,
hey, while I'm at it, I can also write a little container module so we
have a little less repetition in our configs in general (and a more
reasonable place for our custom evalConfig than just keeping it around
in flake.nix).

See the option descriptions in modules/containers.nix for further
details.

Apart from giving all containers a new IP address (and also shiny new
IPv6 addresses), this should be a no-op for the actual built system.
2024-04-19 19:15:22 +02:00
3dc63acf52 modules/buildinfo: simplify implementation
turns out there is a string-slicing function, I just overlooked it when
writing this file (it's even a builtin). So let's use that instead.
2024-04-19 03:38:50 +02:00
208bcaa898 update inputs 2024-04-15 21:58:05 +02:00
d4d3f6e5d2 add m4dz 2024-04-09 20:14:29 +02:00
f75169ce0a switch to nixpkgs-small channels
these get more frequent updates, but we might (sometimes) wind up having
to build stuff ourselves that hydra hasn't gotten to yet.
2024-04-09 01:20:24 +02:00
d99408486a update inputs 2024-04-09 01:02:51 +02:00
d20acbfe58 monit: a couple new checks
move the monit config out of mail.nix, and add two checks:
 - has any systemd unit failed?
 - is the currently deployed commit the tip of the main branch of
   haccfiles?
2024-04-07 16:30:57 +02:00
281745d7a6 simplify nat on parsons 2024-04-07 16:25:08 +02:00
1ad0a7751c use networking.firewall instead of nftables.ruleset 2024-04-07 15:57:51 +02:00
5e51d5f252 docs: do not rebuild on each change
this does slight tweaking of paths to make the docs.hacc.space
derivation no longer depend on our entire flake, so we won't have to
rebuild it as often.
2024-04-06 23:16:43 +02:00
069236027c meta: add build info to motd / system label, remove /etc/haccfiles 2024-04-06 23:15:37 +02:00
283aba0c2c update inputs 2024-03-31 00:20:51 +01:00
faa83b6007 mattermost 9.5.2 → 9.5.3 2024-03-30 23:38:41 +01:00
e81472cb87 monit: restart onlyoffice if failed
this should hopefully help with our consistent onlyoffice-does-not-work-but-no-one-noticed
problems (yes, monit runs as root and can do that).

"then restart" will still send an alert if it restarted the unit (see monit's man page)
2024-03-26 17:06:36 +01:00
1cee814e04 update inputs 2024-03-23 22:42:41 +01:00
8da02ed645 update inputs
later than usual this week
2024-03-15 16:00:58 +01:00
8283162109 mattermost: remove flake inputs, copy nixpkgs package
this copies the current mattermost package definition from upstream
nixpkgs into our repo as-is (that definition itself being a modified
version of our definition that I upstreamed recently).

Since apparently no one else is maintaining the nixpkgs package and I am
apparently maintaining a mattermost package mostly on my own anyways,
this should make upstreaming future changes easier.
2024-03-11 00:13:18 +01:00
8f7f5448a3 mattermost: 9.5.1 → 9.5.2 2024-03-08 18:14:37 +01:00
319e5894e0 alps: hopefully fix the startup issue
alps frequently fails to start (e.g. during a system activation script)
since either its configured imap or smtp servers are not reachable
yet (i.e. their process has not yet opened the corresponding port).

This should hopefully fix that behaviour:
 - also set BindsTo, telling systemd to only start alps once the
   required units have entered "active" state (not just after it has
   started them)
 - also require postfix to be present, since that provides smtp
2024-03-05 17:03:09 +01:00
55b0b3558d update inputs 2024-03-05 16:45:24 +01:00
3fb25aa016 update inputs 2024-03-05 16:45:08 +01:00
7b9e423999 forgejo: final name changes gitea → forgejo
mostly just replacing strings to avoid confusion later on. Since our
containers are now ephemeral, renaming them is basically a non-issue
(though the files under /persist/containers & the uffd client name had
to be changed manually)
2024-02-25 23:24:07 +01:00
f29830ec93 format nftables.nix 2024-02-25 17:53:54 +01:00
e12cc7dbf5 mattermost: 8.1.10 → 9.5.1
This jumps Mattermost ESR Versions (see [1] for their release cycle). The
new version makes use of Go's workspace feature, which unfortunately the
buildGoModule function does not (yet?) support [2], and unfortunately this
breaks the previous build process for mattermost.

Further, the new release also makes use of private modules only included
in the (non-free) enterprise version of mattermost which makes it impossible
to build in the usual way even outside of nixpkgs's build abstractions [3].

Both issues can be solved by using Go 1.22, which has added support for
vendoring when using workspaces, and instructing it to ignore errors with
the -e flag. This requires overriding the go-modules derivation's buildPhase.

Finally, this now also build the commands/mmctl subpackage, which contains
a cli utility to administrate mattermost. This currently has its own nixpkgs
package for no reason i can see at all (it also has a version mismatch
between nixpkgs's mattermost and nixpkgs's mmctl).

[1] https://docs.mattermost.com/upgrade/extended-support-release.html
[2] https://github.com/NixOS/nixpkgs/issues/203039
[3] https://github.com/mattermost/mattermost/issues/26221
2024-02-25 17:22:39 +01:00
cbc7827cb9 make all nixos containers ephemeral 2024-02-22 21:15:41 +01:00
1042c90d8a update inputs 2024-02-20 16:33:43 +01:00
ea230c34b0 remove nix-hexchen from flake inputs
fun fact: this commit delets more lines (in flake.lock) than were
removed during the previous commits (to vendor nix-hexchen's modules
into our repo)
2024-02-18 13:47:54 +01:00
62917423e3 render nftables's ruleset
This does the same as the last commit did for the nftnat module, but for
the more general nftables module. Note the weird whatspace again.
2024-02-18 13:39:54 +01:00
0f678c5e80 render nftnat's extraConfig
this removes usage of the nftnat module by rendering it into a static
nftables config. It's a no-op (modulo /etc/haccfiles) as far as nix is
concerned, hence the slightly off-putting whitespace of the multi-line
string.

This seems to me to be a better approach than just bundling the module,
since we only use it for two things (giving the containers network
access & forwarding port 22 to forgejo), which to me doesn't press for
using a custom module we can't really maintain on our own.
2024-02-17 00:04:51 +00:00
0140b7a9fb bundle encboot
this does nothing but move the module & rename the hexchen.* options to hacc.*
2024-02-17 00:04:51 +00:00
39531f1c48 bundle hexchen's nopersist & bindmount moduls
the bind mount module has been tweaked in a couple ways:
 - rename hexchen.* to hacc.*
 - rename bindmount to bindMount to make it consistent with usage in
   the nixpkgs container module
 - add a hacc.bindToPersist option as shorthand for prepending /perist
   to a path via bind mount

the nopersist module has been shortened a little by moving
service-specific things which are used once out into the individual
service files, and removing those which we don't need at all (this also
means we get to loose a mkForce or two in case of mismatches between
hexchen's and our current config).
2024-02-17 00:04:51 +00:00
461cb01126 uncurse mattermost
thanks to emily for the secret nixpkgs knowledge!
2024-02-16 23:19:56 +01:00
2988939be0 mattermost 8.1.9 → 8.1.10 (cursed)
see the comment in pkgs/mattermost.nix
2024-02-16 19:44:22 +01:00
7427df5167 mattermost: firewall.allowedTCPPorts redundant
our containers profile already sets networking.firewall = false, so this
does exactly nothing except cause confusion.
2024-02-12 21:07:53 +01:00
1ccc0ccbca update inputs, mattermost 8.1.8 → 8.1.9 2024-02-07 22:53:34 +01:00
5dd817796f parsons/gitea.nix → parsons/forgejo.nix
forgot this last time ...
2024-02-01 00:10:00 +01:00
a36d2a7617 update inputs 2024-01-30 14:46:02 +01:00
c28a1f6e2e monit: check for onlyoffice status 2024-01-28 22:56:33 +01:00
c681bb413c gitea → forgejo 2024-01-28 16:07:18 +01:00
062e123046 common/users: add floppy & leah2 2024-01-28 15:57:07 +01:00
93cc8b8172 backups: psql dumps for mattermost & nextcloud 2024-01-28 15:48:13 +01:00
816e175b33 restic: move secrets into sops 2024-01-28 15:32:18 +01:00
a3c6479dbe update inputs 2024-01-23 20:05:36 +01:00
abfc5618e9 mattermost 8.1.7 → 8.1.8 2024-01-19 00:58:12 +01:00
c0f37da12f update inputs 2024-01-16 02:38:20 +01:00
12e4cba3e6 websites: better watch scripts
nix run .#\"<domain>\" will now actually listen for changes in the
source repository, and not first copy the entire thing into the nix
store.
2024-01-12 00:41:15 +01:00
68dc640257 fix docs.hacc.space
this is a slightly cursed work around; see the comment.

Alternatively, we could pass in the $src attribute of that derivation
via callPackage (passing it through all the way from flake.nix), but tbh
that sounds like too much effort rn.

Have fun with confusingly long paths in the nix store 🙃
2024-01-12 00:31:32 +01:00
41d82ae436 meta: new structure
we decided to:
 - get rid of unused packages
 - simpify the directory layout since we only have one host anyways
 - move our docs (such as they are) in-tree
2024-01-11 23:49:26 +01:00
c2022d9c60 add a .rgignore
to make Moira less annoyed when using ripgrep
2024-01-11 21:30:22 +01:00
990d48a1c7 update inputs; simple-nixos-mailserver now has a 23.11 branch 2024-01-08 22:25:55 +01:00
d011fcb56d update inputs
back to normal weekly updates now
2024-01-02 17:21:44 +01:00
b38e6a0ebc move the auamost.fish script into haccfiles
This is our script to synchronise groups between uffd and mattermost,
since there seems to be no better way to do that. It has long lived
under /persist/magic/auamost since it contained sensitive data (both
which groups are on our platform & access tokens to both uffd's and
mattermost's API with admin-level permissions).

This splits the script up into a non-sensitive part which lives in Nix,
and a small snippet that just sets all the sensitive stuff into env vars
in sops, so we can manage the entire thing with our usual setup.
2023-12-30 19:03:25 +01:00
a72f35de35 update inputs (smtp smuggling)
also hexchen's nixfiles now set the mysql data dir, so we now have
one more mkForce.
2023-12-27 16:56:52 +01:00
4e17d6034c update inputs 2023-12-23 03:56:55 +01:00
2008876dc6 !fixup: add a " also whitespace 2023-12-16 20:41:26 +01:00
910caf3485 servies/murmur: update some text 2023-12-16 18:49:29 +01:00
226508d4b0 tracktrain: use psql15 2023-12-12 00:10:35 +01:00
cb87d88a13 gitea: please use postgresql 15
whoops, forgot this one. why do modules bundle other modules, anyways?
2023-12-08 19:51:48 +01:00
658e9046c5 /persist is needed for boot & sops-activation 2023-12-08 19:46:07 +01:00
c3457207cd update mattermost hash
turns out you can't just re-use it across NixOS versions.
2023-12-08 01:12:24 +01:00
4d91e1f591 remove zroot/local/docker from fstab 2023-12-08 00:54:51 +01:00
01d972c9ed mattermost 8.1.6 → 8.1.7 2023-12-08 00:54:42 +01:00
9d187d212a initial work towards nixos 23.11
Note: this updates all postgres instances, since postgresql_11 no longer
exists.
2023-12-02 22:05:46 +01:00
17149be4bd update inputs 2023-11-21 15:44:28 +01:00
920ea9e8d4 flake updates & mattermost 8.1.5 → 8.1.6 2023-11-14 19:58:36 +01:00
f03a582345 updates: mattermost 8.1.4 → 8.1.5 2023-11-07 17:36:53 +01:00
641c59092c fix a mistake in flake outputs
`nix run ...` should run websites; I broke this earlier.
2023-11-04 18:21:07 +01:00
b5855fe379 unpin nix-hexchen
bug which broke things in 448ea1b831
got fixed upstream.
2023-11-04 18:20:30 +01:00
0f19d712cb Removed <del>-tag at #hacc:hackint.org link 2023-11-01 20:38:55 +00:00
448ea1b831 updates, but pin older nix-hexchen 2023-11-01 18:36:54 +01:00
ea5a77703e updates
general updates of flake input & mattermost minor version bump (8.1.3 → 8.1.4)
2023-10-27 18:41:39 +02:00
8186160c1b update nixpkgs 2023-10-16 20:56:08 +02:00
e03bf84d3a mattermost: jump ESR versions 7.8.x → 8.1.3
package definition adjusted by comparing to the current version in
Nixpkgs.
2023-10-07 22:27:23 +02:00
a4288d77ce update
(inputs & mattermost security release)
2023-10-07 20:02:02 +02:00
3ce4b83464 update inputs 2023-10-01 15:53:33 +00:00
9e7929ab5f fix auamost
????

fish doesn't find jq if it's not in environment.systemPackages, dunno why.
2023-09-28 01:11:02 +02:00
a8f7ee667d downgrade nextcloud module
whoops, forgot to commit this bit in the remove-unstable commit, and
lack energy to go back & amend & rebase
2023-09-28 01:11:02 +02:00
eae84263f5 less verbose container definitions
move some options (the nopersist & container profiles + allowUnfree
packages) into the evalConfig used for containers, so we don't have to
repeat ourselves as much.

also removed some no-longer-needed specialArgs.

also made thelounge work with nopersist, which for some reason it didn't
use before.
2023-09-28 01:11:02 +02:00
6586f0c552 remove unstable
this downgrades vaultwarden back to what's in stable; this was the last
thing we used from unstable, so remove that as well.
2023-09-28 01:11:02 +02:00
f9d7496af7 various absurd fixes 2023-09-28 01:11:02 +02:00
a17cd69a52 keep using the old uffd's pythonPackages, lol 2023-09-28 01:11:02 +02:00
54fe6bfce7 Revert "new uffd packaging"
This reverts commit 90f4971e88d22da6b2a213bbeb1790f456024b36, and resets
the uffd version to the one we are already using, in hopes of making the
update slightly less painfull (haha).
2023-09-28 01:11:02 +02:00
17ead057f4 update inputs 2023-09-28 01:11:02 +02:00
3407e873ef new uffd packaging 2023-09-28 01:11:02 +02:00
4b40d665fe update inputs
this now no longer needs to be built with allow_broken; tracktrain's
packaging now includes an override to remove the marked-broken state.
2023-09-28 01:11:02 +02:00
6529cb79a0 update inputs 2023-09-28 01:11:02 +02:00
72ca5b2888 initial work for 23.05
in theory this might be ready to deploy. Potential hazards & things to
know when actually doing so:

 1. the mysql version used by mattermost was updated (the old uses an
    openssl which is marked insecure). Might have to migrate a database
 2. lots of settings now use RFC 42-style settings, which might contain
    new typos
 3. this updates uffd (& changes the patches we apply). Since version
    dependencies of uffd are basically "whatever debian has" we have
    never bothered to match them, but afaik have also never updated uffd
    since the initial deploy some years ago. No guarantee it still
    works.
 4. tracktrain depends on haskellPackages.conferer-warp, which is
    currently marked broken. There is no reason for this (it builds
    fine). Until fixed upstream, build with NIXPKGS_ALLOW_BROKEN=1.
    cf. https://github.com/NixOS/nixpkgs/pull/234784; waiting for a
    merge of haskell-updates into 23.05
2023-09-28 01:11:02 +02:00
74654f2fc0 websites: rooms on libera → hackint.org 2023-09-25 17:28:18 +02:00
4fb06c3e10 mattermost 7.8.10 → 7.8.11
(another security update)
2023-09-20 00:33:36 +02:00
d7d15f4b0b websites: chats are on raccoon.college for now 2023-09-12 22:28:53 +02:00
c18215f356 mattermost 7.8.8 → 7.8.10 2023-09-06 17:02:46 +02:00
6a4ff47443 mattermost 7.8.7 → 7.8.8 2023-07-19 22:20:45 +02:00
109aada070 mattermost 7.8.5 → 7.8.7 2023-07-08 00:33:11 +02:00
2d542e9167 remove auth.infra4future.de 2023-05-27 16:26:48 +02:00
d8e937a91d mattermost: 7.1.8 → 7.8.5 2023-05-19 23:06:15 +02:00
57b6eac7c2 tracktrain: upstream is slow in updating gtfs, use our own
note: I am author of both the file now under /persist/containers/tracktrain
& the upstream one at ilztalbahn.eu, but don't have direct access to the
wordpress instance running there, and no one who does has yet uploaded
the new file.
2023-05-17 17:49:56 +02:00
e5d57ebec9 sops/tracktrain: fix a missed non-declarative secret 2023-05-17 17:49:28 +02:00
6a51e74c73 enable receiving mail on mattermost@
otherwise we apparently cause feedback loops? pfft.
2023-05-05 16:28:37 +02:00
5bd2c5ab4c remove apparently unnecessary nextcloud config 2023-05-04 00:46:48 +02:00
3099798468 remove apparently unnessary mattermost lib.mkForce 2023-05-04 00:40:59 +02:00
b5d4f76a1d rotate octycs's ssh key 2023-05-04 00:40:44 +02:00
003f2f7e44 move all on-disk secrets into sops
this only concerns secrets which are in a raw file. Some of our
services (e.g. nextclouds) keeps secrets in its database; these remain
untouched.

Not yet deployed because of shitty train internet.
2023-05-03 23:04:13 +02:00
0d75469590 rotate zauberberg's ssh key 2023-05-03 22:33:12 +02:00
49fa2325f3 sops-nix proof of concept
this is currently deployed and appears to be working. please everyone
have a look at it & then decide if we want to use this for the other
secrets as well.
2023-04-19 20:08:45 +02:00
a3689d1c76 mattermost: 7.1.7 → 7.1.8
this is a security update, see
https://mattermost.com/blog/mattermost-security-updates-7-9-2-7-8-3-esr-7-7-4-7-1-8-esr-released/
for more.
2023-04-15 19:02:42 +02:00
eda184ee48 netbox: remove python override workaround
this is currently unused anyways, but in case we ever do need it again,
https://github.com/NixOS/nixpkgs/pull/223268 has removed the need for
the weird override workaround.
2023-04-05 23:04:59 +02:00
8d9df0e20e mattermost: 7.1.4 → 7.1.7
apparently the 7.1.x series is now old enough that even though it
does still get security fixes, the mattermost team no longer mentions
this on their blog, so we missed out on a couple. fun!
2023-03-24 03:49:37 +01:00
fb3c1b0a96 symlink haccfiles into /etc/haccfiles
upsides:
 - we will no longer get confused about which state is currently deployed
downsides:
 - deploys get slower, since it has to uploads the entire haccfiles each time
2023-03-23 15:29:29 +01:00
b30df7ea6d unbreak tracktrain css 2023-03-16 15:03:13 +01:00
26f3f98a9c update inputs 2023-03-15 21:50:48 +01:00
f91ea850bc
mail: reenable recieving mail on noreply@
because mail providers are sending out abuse mails for fbls they're
causing *shrung*
2023-03-15 19:06:36 +01:00
a6d21f4fd9 make working on websites nicer
(since every time we have to change anything on these I get annoyed at
having to remember how to build these. Now you can just use `nix run`!)
2023-02-24 17:33:48 +01:00
7fd1c9ff80 remove the default.nix file
(why did we keep this around? in any case, it's broken)
2023-02-24 16:11:43 +01:00
ba91526fc8
common/users: add new ssh-key for moira 2023-02-23 17:24:48 +01:00
72c16d9e1c nicer container configs
today i woke up to the realisation that there's an extremely obvious way
to make these nicer, & then i did exactly that. For some reason I did
not think of this when originally removing the dependency to nix-hexchen's
evalConfig.

unfortunately, this is not /quite/ a no-op. The only actual change is
different whitespace in some of the semantically-equivalent
coredns-configs that got unified.
2023-02-18 14:45:14 +01:00
aa62e616a3 common/users: remove an old ssh key 2023-02-16 01:40:14 +01:00
30510a3194 tracktrain: don't start before network.target
i hope this is the correct option; the last one apparently wasn't
enough.
2023-02-16 01:38:35 +01:00
dc1bdb2682 websites/infra4future.de: further edits
(also remove the link to hacc.wiki, that's kinda outdated)
2023-02-16 01:22:08 +01:00
5fee4c445d websites/infra: update group explanation 2023-02-16 01:22:08 +01:00
9ac7307672 update websites 2023-02-16 01:22:08 +01:00
26f91fac20 parsons: fix nix auto gc 2023-02-15 21:23:44 +01:00
9185f3e0ab update inputs 2023-02-13 20:43:09 +01:00
2e74ca9b35 tracktrain: remove cors header
this is almost certainly not needed anymore. i think.
2023-01-30 21:00:54 +01:00
4c456eae1c tracktrain: don't open firewall twice
just to cause less confusion down the line
2023-01-30 15:00:13 +01:00
7a3e65a3f5 working tracktrain + monitoring 2023-01-22 20:03:11 +01:00
9af819b4b8 init tracktrain 2023-01-22 02:25:07 +01:00
82e2831d3a
common/users: update terrus key 2023-01-10 19:20:47 +01:00
15c49c657f update inputs 2023-01-06 17:45:43 +01:00
87fd563ad3 remove netbox 2023-01-06 16:23:05 +01:00
eb7183ac54 services/mattermost: security update 7.1.4 → 7.1.5 2023-01-02 22:51:16 +01:00
1a54dbd191 alps: please don't start if there's no mailserver yet 2022-12-17 16:37:18 +01:00
015f66d749 netbox: fix uffd secret path
(turns out it's not a good idea to put it into a non-persistant directory)
2022-12-17 16:36:53 +01:00
hexchen
ba5bcf601c flake: update nix-hexchen and remove reference to deploy 2022-12-17 16:00:53 +01:00
9363c9e004 services/alps: use the nixos module
(since nixos 22.11 comes with one)
2022-12-17 15:56:06 +01:00
34a147afe6 python 3.9 -> python 3.10
(nixos 22.11 changed the default version, so some of our stuff broke)
2022-12-17 15:54:31 +01:00
1720b7bf81 update inputs 2022-12-16 22:56:28 +01:00
bb24ce8b87 nixos-22.11: fix module warnings
(also wow nextcloud encryption is apparently broken. colour me surprised!)
2022-12-16 22:56:28 +01:00
7e00264911 update inputs to nixos-22.11
(note that simple-nixos-mailserver is not updated since it doesn't
have a 22.11 release yet)
2022-12-16 22:56:28 +01:00
c5a0f13884
remove lantifa: apparently dead 2022-12-13 23:52:48 +01:00
bcc27eba11
netbox: add Media_Root 2022-12-13 23:47:28 +01:00
c28e533257
services/netbox: fix access to static directory 2022-12-10 13:18:02 +01:00
84dab162c1 don't vendor the netbox package definition
(because there's a simpler but also more cursed way of doing it instead)
2022-12-09 14:08:17 +01:00
f75429781d netbox uff(d) 2022-12-09 02:53:48 +01:00
5a28a55f01 netbox yolo 2022-12-08 23:30:02 +01:00
3df1ec0436 services/nextcloud: update to 25
(this has already been deployed for over a week, but apparently no one
thought to commit it)
2022-12-06 19:45:47 +01:00
b15f303107
mattermost: update to 7.1.4 2022-11-26 16:39:02 +01:00
0f4957d860 tell parsons it's called parsons
(i guess this was lost along with hexchen's nix deploy module?)
2022-11-26 00:08:53 +01:00
ea2d89fa84 make fish my default shell 2022-11-26 00:08:38 +01:00
7fa5939cf9 reduce lockfile size 2022-11-25 22:50:29 +01:00
12da955842 nix: enable 'experimental feature' flakes by default 2022-11-19 15:23:03 +01:00
0127b30566 add deploy-rs gc roots to .gitignore 2022-11-19 15:18:32 +01:00
5a0496a8f7
do unspeakable things to flake.lock 2022-11-15 15:34:59 +01:00
d11c388f31 deploy-rs: disable auto-rollback by default
(as per Moira's request)
2022-11-15 15:19:36 +01:00
79fb386395 flake-enabled readme 🎉 2022-11-14 18:42:33 +01:00
fe2fd2e0eb
cleanup input URLs in flake.nix 2022-11-14 18:29:53 +01:00
eb13717e28 fix acme-fixperms 2022-11-14 18:14:22 +01:00
7b145988d2 fix alps mail interface 2022-11-14 18:14:13 +01:00
1b09180b38 flake: add deploy-rs 2022-11-14 01:41:11 +01:00
c09337c973 shoehorn nix-hexchen-style config into flakes
this replaces niv with nix flakes, attempting to preserve the old
structure as much as possible. Notable caveats:
 - I'm not sure if flake inputs expose version information anywhere, so
   the version in pkgs/mattermost/default.nix is now hardcoded.
   Confusingly, this appears to trigger a rebuild. Maybe I've missed something.
 - a lot of the old-style host.nix & deploy.nix machinery in nix-hexchen
   does not work with flakes, and their newer replacements are not exposed
   by upstream; I've put basic imitations of the relevant parts in this repo
 - (in particular, directories in hosts/ won't become deployable configs
   automatically)
 - parts of the code are now probably more complicated than they'd have to be
 - old variables names were preserved; confusingly, this means the flake
   inputs are still called "sources"
2022-11-13 22:45:50 +01:00
025d17c487
common: enable mosh 2022-11-13 20:26:48 +01:00
319f827aa0
add new key for stuebinm 2022-11-13 20:22:23 +01:00
d6d45685c7
fix StateVersion for gitea 2022-11-13 20:18:26 +01:00
b1974aa2d0 solve some TODOs
(one of these has even been around for a while!)
2022-11-11 16:30:38 +01:00
de1e7366f3 remove desktop/* 2022-11-11 16:30:38 +01:00
401898b284 remove gitlab pipeline
(might as well clean up while we're at it)
2022-11-11 16:30:38 +01:00
380934299b niv: remove home-manager
(not used for anything atm)
2022-11-11 16:30:38 +01:00
13b81b37f4 users.nix: re-add hexchen's ssh keys
(these were previously defined via nix-hexchen)
2022-11-11 16:30:38 +01:00
f281c90da5 containers: set stateVersion to 21.05
(which is what parsons is on as well)
2022-11-11 16:30:38 +01:00
eb8807feff remove docker override
(hasn't been used for some while now)
2022-11-11 16:30:38 +01:00
a8b3f4b16c remove bottom from unstable packages
(is in stable now)
2022-11-11 16:30:38 +01:00
4bd1430f0a remove services/syncthing.nix
(apparently not used anymore)
2022-11-11 16:30:38 +01:00
daac7ebcb0 remove users/hexchen.nix 2022-11-11 16:30:38 +01:00
e29cd5f887 remove unused packages
(most of these were all for nixda)
2022-11-11 16:30:38 +01:00
39a1719188 remove apparently unneeded disabledModules
(i guess there's a historic reason why this was here?)
2022-11-11 16:30:38 +01:00
c12ae3231a remove unused modules 2022-11-11 16:30:38 +01:00
4969444bc4 remove nixda 2022-11-11 16:30:38 +01:00
25e9fb85a3 manuall update simple-nixos-mailserver
which is weird and didn't update with the rest of them
2022-11-11 16:30:38 +01:00
63cf62849b add stateVersion to all the containers
(set to 21.11 since that was what we had before)
2022-11-11 16:30:38 +01:00
acd051e4e0 make renamed options complain (less) 2022-11-11 16:30:38 +01:00
620c1a30e4 update a bunch of other stuff 2022-11-11 16:30:38 +01:00
55f17ad7c3 get rid of the nextcloud module fork 2022-11-11 16:30:38 +01:00
0e20c9ddfa remove hexchen home-manager 2022-11-11 16:30:38 +01:00
1291d3c9f6 move nextcloud.nix to a sane location 2022-11-11 16:30:38 +01:00
cde949ac5b remove workadventure 2022-11-11 16:30:38 +01:00
052e1ac126 environmentFiles are generally a good and reasonable idea 2022-11-11 16:28:50 +01:00
0686807690 fix the uncommited nextcloud state
(yay i successfully guessed what hexchen did, and turns out it had
nothing to do with the bind mount)
2022-11-10 20:15:00 +01:00
e8d36fc259
services/mumur: add creature comforts
murmur is now reloaded automagically after a cert update
also added mumble.infra4future.de as shared cert
2022-11-03 21:22:31 +01:00
2e92960390
services/mail: update vorstand and admin 2022-11-02 21:21:15 +01:00
e229538bde Change of board members 2022-10-22 20:24:10 +00:00
0fe3094853
services/mail: renable postfix logs 2022-10-16 14:37:07 +02:00
f64b1f9534
mattermost: don't read config from database
apparently the nixpkgs mattermost module simply ignores its own config
if mutableConfig is false, and reads whatever config is currently in the
database (in our case, old stuff involving auth.infra4future.de).

This overwrites that.
2022-10-16 14:32:04 +02:00
52f9f2d64c
get rid of mattermost-patched module
this does a couple things:
 - redo mattermost's secret config as an env file passed to systemd
 - get rid of modules/mattermost.nix and use upstream module instead
 - move some of the stuff in secret.json which don't need to be there
   into nix (e.g. smtp port)

Also, I set the log level to ERROR in the env file. Mattermost doesn't
seem to respect it otherwise *shrug*
2022-10-15 20:10:29 +02:00
714a8e5d73
websites: fix some typos. 2022-10-12 21:59:18 +02:00
55ffc7282e
services/lantifa: pin WikiDB version
resolves the issue with the nixfiles being unable to be built, because
of a hash mismatch. The previous URL always pointed to the newest
version instead of a static one.
Sadly static links only exist for previous, but not the current version.
2022-10-09 10:06:30 +02:00
5821a58d23
services/mail.nix: Adding an email for peter 2022-10-06 19:38:23 +02:00
86ff63683c
add a LICENSE-file 2022-10-06 19:31:59 +02:00
35853d56e2 re-add infra4future.de faq
(contains info about how groups work)
2022-09-25 19:20:20 +02:00
41c914991a
Merge remote-tracking branch 'origin/fix/mattermost' 2022-09-24 18:05:44 +02:00
f2c90e5601 websites: remove mentions of gitlab.infra4future.de
(one remains for now, will do that later once anyone from students
for future says what to do in that case)
2022-09-24 17:46:48 +02:00
77d7625315
remove gitlab 2022-09-24 17:29:42 +02:00
hexchen
04272968d0 update and fix mattermost 2022-09-24 14:59:52 +00:00
7e615e6daa
Merge branch 'infra4future.de-update' 2022-09-19 18:12:54 +02:00
82e70e0151
change name 2022-09-19 18:11:54 +02:00
6bba15faae
gitea: git protocol v2 over ssh
cf. https://docs.gitea.io/en-us/config-cheat-sheet/#git-git, entry for
option ENABLE_AUTO_GIT_WIRE_PROTOCOL
2022-09-19 18:11:54 +02:00
9bf75b9c3d
git ssh: switch to gitea (instead of gitlab) 2022-09-19 18:11:54 +02:00
83cda0f44a
gitea: save state under /persist 2022-09-19 18:11:54 +02:00
97459d8177
gitea: enable offline mode 2022-09-19 18:11:54 +02:00
6aa06aed18
gitea: fix uffd login
(note that this actually has to patch uffd)
2022-09-19 18:11:54 +02:00
639410011e
update lantifa source urls & hashes 2022-09-19 18:11:54 +02:00
schweby
7db9dbb4c2
!fixup add missing settings section 2022-09-19 18:11:53 +02:00
schweby
856cd79c37
init basic untested config 2022-09-19 18:11:53 +02:00
3ea537459b
change name 2022-09-12 19:29:51 +02:00
f53cb24d2e update infra4future.de index website 2022-09-07 22:08:36 +02:00
45ceeef189
gitea: git protocol v2 over ssh
cf. https://docs.gitea.io/en-us/config-cheat-sheet/#git-git, entry for
option ENABLE_AUTO_GIT_WIRE_PROTOCOL
2022-08-03 11:26:05 +02:00
e246563f57 git ssh: switch to gitea (instead of gitlab) 2022-08-01 20:54:17 +02:00
a1c5832a51 gitea: save state under /persist 2022-08-01 18:39:46 +02:00
c854e10980
gitea: enable offline mode 2022-07-27 23:26:13 +02:00
b5a68e09fd
gitea: fix uffd login
(note that this actually has to patch uffd)
2022-07-27 23:26:13 +02:00
f9f1eee6fd
update lantifa source urls & hashes 2022-07-27 23:26:13 +02:00
schweby
db5865fff2
!fixup add missing settings section 2022-07-27 23:26:13 +02:00
schweby
65ec0779b7
init basic untested config 2022-07-27 23:26:13 +02:00
4b53211130
mattermost: minor upgrade (6.7.0 -> 6.7.2) 2022-07-27 23:25:46 +02:00
schweby
86b9d3113c
parsons/mail: readd noreply@infra4ure 2022-07-17 19:36:42 +02:00
schweby
39aaf2e0bb
!fixup make virtual addresses actually work
also fix typo
2022-07-10 19:02:45 +02:00
schweby
8021685ec8
update mail config 2022-07-09 20:56:46 +02:00
8f413da05a services/nextcloud: remove mail & redis
(both of these have lots of options, which either do nothing at all or
are misconfigured in some way and don't work. If we want redis-caching,
we can re-add it later, but the current state suggest it's already
working, which it isn't, which is worse)
2022-07-09 20:27:46 +02:00
e9d2630ea9 fix auamost path 2022-07-09 19:11:30 +02:00
445a974f97 magic mattermost group sync 2022-07-09 11:00:57 +02:00
4eecd1bad4 update nextcloud to 24
(apparently we forget to commit this??)
2022-07-09 10:56:58 +02:00
schweby
430efbc0a5
update sources 2022-06-09 14:56:38 +02:00
schweby
3dc6b5e3e9
common/users: update schwebys ssh key 2022-05-22 15:08:42 +02:00
hexchen
507a144165 Add uffd application icons 2022-05-02 16:28:37 +00:00
hexchen
7015386cd6 Fix uffd brand icon 2022-05-02 15:53:27 +00:00
schweby
440076bae9
services/nextcloud: make login work reliably 2022-04-30 23:35:19 +02:00
hexchen
27cc65fb14 feat: new SSO!!!! 🎉 2022-04-30 20:43:12 +00:00
287cb84d82
services/mattermost: bump to 6.6.0 2022-04-16 20:31:58 +02:00
schweby
3ee3c37ccb
sources: updates
CVE-2022-1162
2022-04-06 09:05:25 +02:00
39bec9fbd0
services/mattermost: bump to 6.5.0 2022-03-18 19:28:43 +01:00
5c85431847
mattermost: bump to 6.4.2 (security update) 2022-03-11 14:01:53 +01:00
schweby
2cf0119ec1
sources: updates
update kernel to proteced against CVE-2022-0847
2022-03-07 20:44:33 +01:00
schweby
a92ae39d65
gitlab-ci.yml: disable nixda build
It's known broken. No need to waste time and resources.
Reenable when fixed.
2022-02-27 12:22:30 +01:00
schweby
f1c3a2d082
sources: updates 2022-02-27 12:19:36 +01:00
schweby
93c13debe6
services/mattermost: bump to 6.4.1 2022-02-27 11:57:52 +01:00
3e95d6c222
bump nix/sources.json 2022-02-17 19:49:53 +01:00
ca19774c9e
services/mattermost: bump to 6.4.0 2022-02-17 19:49:38 +01:00
032c49c375
comment out services/workadventure
(we're not using it and it's eating build times, so I've disabled it for
now)
2022-02-17 19:48:45 +01:00
4b71a216ba
services/mattermost: bump to 6.1.3
(another security update)
2022-02-05 01:08:46 +01:00
schweby
17d695c00b
common: add niv 2022-02-04 08:51:39 +01:00
schweby
7815e32f9f
services/mail: reduce logspam
reduce logspam by out mail services by seeting them to logleven 5
(notice) and 3 (error)
2022-02-01 17:07:52 +01:00
99811b6711 bump update nixos-mailserver to 21.11 2022-02-01 14:44:47 +01:00
1aebabe8a0 parsons/restics: s3CredentialsFile is deprecated
This is untested, but the documentation on the s3CredentialsFile option
seems to suggest this should be correct.
2022-02-01 14:03:40 +01:00
10942ca464 bump home manager to 21.11 2022-02-01 14:00:35 +01:00
schweby
2d429492fe
services/mail: stop postfix from dying by rspamd 2022-01-31 21:43:25 +01:00
schweby
4bf804c025
services/syncthing: add Vorstands share
currently the receiveencrypted type is not supported by the nixos module
so we have to set it via the webinterface
2022-01-27 22:53:17 +01:00
schweby
8716f2b308
services/syncthing: update config format 2022-01-27 22:52:49 +01:00
hexchen
6de0b91beb fixer tous les things 2022-01-27 20:20:25 +00:00
9937d5ff94
fixing pad.hacc.space (hopefully)
(I haven't tested this, since I don't want to try the upgrade-adventure
a second time today, but I think this should fix it)
2022-01-27 20:38:06 +01:00
4ff0bdf3ec
whoops, apparently some rebase went wrong
(fixing it back into a buildable state)
2022-01-27 20:38:04 +01:00
676ba4fc31
services/hedgedocs: use socket auth for postgres 2022-01-27 20:37:42 +01:00
schweby
569c5652f2
sources: update 2022-01-27 20:37:40 +01:00
schweby
238c1b2c92
mediawiki cleanup 2022-01-27 20:36:34 +01:00
c2c0bd366a
bump nixpkgs to 21.11
This simply updates nixpkgs to 21.11 (along with a general update of
other sources), then follows the hints given out in the build process
until everything (on parsons) ran through fine.

Some things to note:
 - syncthing's declarative config is gone. Instead, declarative and
   non-declarative configuration can now be mixed, but with
   `overrideDevices` set to true, it _should_ ignore non-declarative
   settings and basically behave the same as before (or at least that's
   how I understood the documentation on that)
 - some postfix options now require a lib.mkForce, since the mail module
   also wants to set them — we should probably look into if the mail
   module has nicer ways of handling our settings now (which I didn't
   do)
 - we no longer import the vaultwarden module from unstable, since it's
   included in nixos 21.11 as-is. We _do_ still import the vaultwarden
   package from unstable, since downgrading sounds like a bad idea.
 - nix build will print a warning that `literalExample` is now
   depricated, but we don't seem to use that — I guess at some point
   we'll have to search through our sources if it doesn't go away

This was not yet deployed, and should probably considered a
work-in-progress.

Building Nixda currently fails decklink seems to have disappeared.
2022-01-27 20:36:17 +01:00
68afbe01b3 services/mattermost: bump to 6.1.2 (security update)
cf. https://mattermost.com/blog/mattermost-security-updates-6-3-1-6-2-2-6-1-2-5-37-7-released/

this supposedly fixes a "medium-level security vulnerability", but
they're not telling us what it is (for now …) :rolls_eyes:

anyways, seems to run fine on parsons.
2022-01-25 02:08:40 +01:00
schweby
fa347008fa
common/default.nix: add vgrep 2022-01-19 22:11:10 +01:00
schweby
c21b1b8ddf
services/syncthing: cleanup clients
remove no longer needed clients due to "new" password sharing
2022-01-19 21:35:03 +01:00
schweby
02a64a6f31
services/hedgedoc: lower loglevel to warn 2022-01-19 21:22:32 +01:00
b9aa3050d7 fix mumble website
This does two things:
 - add a group "mumblecert" which is allowed to read the mumble.hacc.space
   cert, and add both nginx and murmur's users to it
 - remove the website's derivation from services/murmur.nix and instead
   add it to the websites/ dir and handle it the same as all our other sites
2022-01-18 09:08:27 +01:00
schweby
6f0d8a6af9
hotfix: disable mumble website
disable the mumble website because of cert permission issues causes by ad9c1f4481
nginx doesn't start because it can read the cert of the website
2022-01-17 22:37:43 +01:00
ad9c1f4481
security/acme: mumble cert readable by murmur group
the postRun thing doesn't seem to work at all anymore?
2022-01-12 23:51:31 +01:00
f800057478
services/hedgedocs: remove unused module imports 2022-01-12 19:31:31 +01:00
ae67b38304 add the rest of our stativ web pages
however, for some reason, ACME still fails. Hopefully it's just the
rate limit, but it does look suspicious; there' still a
"www.muc.hacc.space" in the log that oughtn't be there …
2022-01-10 23:45:21 +01:00
eb07f34672 modules/website.nix init
idea is to have a directory `websites/` which contains all our static
sites, with the name of each subdirectory also being their domain. Then
Nix can just read that directory during build-time and automatically
generate nginx virtualHosts for all of them (note that the
subdirectories have to contain a `default.nix` specifying how to build
the site for that to work).

Thus we could avoid the dependency on gitlab pages.
2022-01-10 22:57:09 +01:00
c08ca5f85f
update readme
its incompleteness annoys me
2022-01-07 18:16:31 +01:00
a7896e718f
services/workadventure: re-add the hacc assembly map as default map 2022-01-07 17:29:10 +01:00
16245e830f
remove truelove-specific workadventure
This removes the special configuration to make our workadventure useable
for the truelove event and reverts it to just run at void.hacc.space
without authentication etc.

Tbh, not sure if that's actually what we want — do we need a running
workadventure instance at all? Or should we just remove the entire container?
2022-01-01 20:03:32 +01:00
schweby
9b38e5fba1 update sources 2021-12-30 22:58:23 +01:00
schweby
8c527ea552 enable ssh for stream user 2021-12-30 22:30:25 +01:00
schweby
b96a026565 cleanup default apps 2021-12-30 22:30:17 +01:00
schweby
ba60e3cf76 pkgs/blackmagic-desktop-video: update to 12.2.2 2021-12-19 17:13:51 +01:00
schweby
2a1e692522 services/lantifa: set mediawiki-version from 21.11
due to a wikiDB issue the mediawiki version in unstable (37) is not
compatible.
switching to 21.05 would mean a downgrade, so this is the hack until we
fully upgrade to 21.11
2021-12-11 13:20:42 +01:00
schweby
af8b16117f sources: add 21.11 as nixpkgs-new 2021-12-11 13:20:15 +01:00
schweby
bde7afa9ca sources: update 2021-12-11 12:54:02 +01:00
928d44fb95 Added stuebinm@hacc.space to mitglieder@hacc.space 2021-12-01 21:25:27 +00:00
3ad6a0d2df raphael@hacc.space added to voc@hacc.space 2021-12-01 21:22:53 +00:00
schweby
277d4a1fa7 services/nextcloud: fix downloads >1GB
should also gernerally improve performance when large(r) amounts of data
are exchanged
2021-11-22 20:58:39 +01:00
schweby
668a3fa4ee replace stdenv.lib with lib because deprecated 2021-11-19 19:54:19 +01:00
fccb150d3c
bump mattermost: 5.39.2 → 6.1.0 2021-11-17 12:48:56 +01:00
schweby
e10545d1f8 update sources
did not update nixpkgs-unstabele due to a compliler version problem
vaultwarden 2.23 needs rustc 1.57, only rustc 1.56.1 is available
2021-11-16 17:42:52 +01:00
6563e0ccfa add services/workadventure for true-love event 2021-11-09 17:02:43 +00:00
schweby
5432503397 services/mattermost: set MaxUsersPerTeam to 250 2021-11-06 18:11:08 +01:00
6d6a2aff67
bump mattermost 5.39.0 → 5.39.1 (security update)
really, i probably should've just jumped straight to 6.0.2, but whatever 🤷
2021-11-04 17:01:45 +01:00
schweby
144bd0d5f5 remove services/unifi
no longer needed
2021-11-03 15:36:03 +01:00
1b94984486
unbreak vaultwarden backup 2021-10-31 22:22:48 +01:00
schweby
6a7e836d22 pkgs/companion: update hash 2021-10-31 21:37:50 +01:00
schweby
f78ae0e50a sources: updates 2021-10-31 19:40:30 +01:00
schweby
13567e0152 sources: remove pbb-nixfiles
no longer available, also unused
2021-10-31 19:39:32 +01:00
schweby
232a90aaf1 services/nextcloud: replace password with file 2021-10-31 09:19:45 +01:00
schweby
0652afa761 services/nextcloud: set defaultapp to apporder 2021-10-31 08:28:10 +01:00
schweby
34eb8651d8 modules/nextcloud: add option for defaultapp 2021-10-31 08:27:40 +01:00
hexchen
750b069420 services/nginx-pages: fix acme bullshit 2021-10-28 19:02:38 +00:00
schweby
939d7adbb6 pkgs/companion: fix hash
who needs consistent links anyway
should fix nixda not building on parsons
2021-10-27 09:20:20 +02:00
schweby
09d6d6838d service/lantifa: update intersection plugin 2021-10-15 22:27:22 +02:00
schweby
5138da6805 sources: update 2021-10-13 20:31:40 +02:00
schweby
ad5d21cba5 sources: updates 2021-10-01 19:32:27 +02:00
octycs
f125de8342 services/nginx-pages: readd help.studentsforfuture.info 2021-09-28 21:28:54 +02:00
56cbb7601b services/vaultwarden: init vaultwarden 2021-09-28 11:13:25 +00:00
schweby
2044b77401 sources: update 2021-09-19 16:45:18 +02:00
schweby
3c3e4c0c83 pkgs/companion: fix hash of nodeHeaders 2021-09-19 16:37:18 +02:00
schweby
dbf8d74a24 set timezones
default is UTC no need to force it
A desktop shoud be in the commonly used timezone.
Forcing UTC has caused trouble multiple times.
2021-09-19 16:35:38 +02:00
schweby
f4089803ff sources: update mattermost to 5.39 2021-09-18 21:53:25 +02:00
schweby
e63af3984c sources: update 2021-09-18 21:37:57 +02:00
schweby
35a563185d parsons/lantifa: update intersection plugin 2021-09-18 21:36:39 +02:00
schweby
982546f73a sources: update 2021-08-30 15:12:30 +02:00
schweby
b9eb988aa0 parsons/murmur: fix acme
credits for ${pkgs.acl} go to stuebinm
2021-08-30 15:12:30 +02:00
hexchen
a113c05025 pkgs: init bitfocus companion for streamdeck 2021-08-28 14:31:14 +00:00
System administrator
20398cf2c8 stuff 2021-08-25 16:23:34 +00:00
schweby
56ad0ed886 nixda/decklink: bump version of bmv to 12.1
bmv = blackmagicvideo
2021-08-23 19:54:18 +00:00
hexchen
fd9e8941c7 get rid of hainich. migration done. 2021-08-23 19:32:02 +00:00
schweby
95a0e9f04a parsons: init lantifa wiki 2021-08-23 19:32:02 +00:00
hexchen
41acbdd3e0 parsons: deploy unifi controller 2021-08-23 19:32:02 +00:00
hexchen
d367269e87 thelounge: foo 2021-08-23 19:32:02 +00:00
hexchen
7dbc22929b parsons/nginx-pages: add muc.hacc.earth hacc 2021-08-23 19:32:02 +00:00
hexchen
35cd963f8c services/gitlab-runner: init on parsons
also disable ci for hainich
2021-08-23 19:32:02 +00:00
hexchen
6121acabd7 maintenance: update sources, fix mattermost 2021-08-23 19:32:02 +00:00
hexchen
275d3a16f0 parsons: init lxc 2021-08-23 19:32:02 +00:00
hexchen
69e49a0020 services/gitlab: init ssh 2021-08-23 19:32:02 +00:00
hexchen
373926e33b services/gitlab: init on parsons 2021-08-23 19:32:02 +00:00
schweby
7881b444ba parsons: init syncthing 2021-08-23 19:32:02 +00:00
hexchen
cdeb52f808 services/mail: migrate to parsons 2021-08-23 19:32:02 +00:00
schweby
f5579bc98e parsons: config nginx 2021-08-23 19:32:02 +00:00
hexchen
a5063ae960 parsons: small fixes 2021-08-23 19:32:02 +00:00
schweby
632bf21200 parsons: fix hegedocs 2021-08-23 19:32:02 +00:00
schweby
76c9b07d56 parsons: init hegedocs 2021-08-23 19:32:02 +00:00
hexchen
172d0869b3 services/murmur: migrate to parsons 2021-08-23 19:32:02 +00:00
hexchen
4b11dbf1d4 services/thelounge: move to parsons 2021-08-23 19:32:02 +00:00
84ac81435e hainich: hacky version of thelounge as webchat
Intended for KontraIAA; requirements were that it should be a simple and
non-confusing as possible.

I tried both KiwiIRC and thelounge, and found both horrible to
package (a fact not helped by the somewhat opaque structure of
nixpkgs.nodePackages, which does contain a version of thelounge but
will apparently ignore overrides of the src attribute).

Instead, this now contains a very hacky version of thelounge, which
merely takes the already-built version from nixpkgs and glues some extra
css to it which hides potentially confusing fields.

Things hidden on the "connect" screen:
 - the "name" field (since thelounge offers "nick" "name" and "realname"
   by default, which seems too much for something embedded on a website)
 - the "I have a password" checkbox

Things hidden on the general view:
 - the button to open the side panel (the panel itself is not hidden,
   and will appear by itself on wider layouts), so that users will only
   see that one channel
 - the "channel options" menu (which includes a "leave channel" option
   which would effectively break the webchat)

Things not addressed:
 - thelounge has autocompletion for /join /leave, etc. Do we want to
   disable that as well?
 - It would probably useful to suppress all the "x joined the channel"
   messages. Thelounge supports this, but apparently doesn't support
   setting it as default?

Misc:
 - for now, users will be connected to #thelounge on libera.chat, which
   appears to be okay with being used as an experimental channel
 - I allowed prefetching link previews, but only on the server's side
   (i.e. users' browsers won't fetch content from arbitrary sites)
 - not yet tested on hainich, but should work (tested in a NixOS
   container)
 - currently assumes a "webchat.voc.hacc.space" domain (I think we had a
   voc domain? but I forgot where it is …)
2021-08-23 19:32:02 +00:00
schweby
b23582a52f services/mattermost: init on parsons 2021-08-23 19:32:02 +00:00
hexchen
1c65805589 parsons: init backups 2021-08-07 12:05:26 +00:00
hexchen
da7beff2fe services/nextcloud: init on parsons 2021-08-07 12:05:26 +00:00
hexchen
3541d14c76 parsons: add nftables 2021-08-07 12:05:26 +00:00
hexchen
479d119b8b ci: add parsons 2021-08-07 12:05:26 +00:00
hexchen
0b30d81d13 hosts/parsons: init minimal config 2021-08-07 12:05:25 +00:00
hexchen
cf5062adfd sources: update nixpkgs to 21.05
this caused various other changes related to nftables, we are now using
hexchen's fork of pbb's module.
2021-08-07 12:05:25 +00:00
hexchen
cbeb0e86c1 mail: emergency alias 2021-08-03 17:13:46 +00:00
schweby
d3e08e0247
sources: update packages 2021-07-28 22:31:23 +02:00
2d0a5b9c22
Merge branch 'mattermost-reply-threads' of https://gitlab.infra4future.de/hacc/infra/haccfiles into mattermost-reply-threads 2021-07-18 21:28:28 +02:00
20bafd66c5
mattermost: add recommended proxy settings
This unbreaks the keycloak login
2021-07-18 21:26:14 +02:00
schweby
2c0abd0cc4
sources: set template for mattermost-server 2021-07-16 23:45:43 +02:00
32e13edee1
fix hashes
apparently I changed the url but not the hash at some point while
fiddling with the sources.json file.

have I mentioned how much I like niv yet?
2021-07-16 18:14:22 +02:00
69f5448aa3
mattermost 5.34.3 → 5.37.0
Among other things, this contains the "collapsable reply threads" feature
which makes it behave similar to slack.

Also, after spending thirty minutes or so attempting to teach niv that
it should really only fetch the tag "5.37.0" from the mattermost-server
repository and not any other commit, branch, or similar (there is a
"release-5.37" branch, but that seems to be for active development), I
have temporarily given up on it and typed in the urls manually.

Unfortunately, this means that any kind of `niv update` will now break
things. If anyone knows how to use niv correctly for this please patch
this; otherwise I guess we can extract mattermost out from niv again.
2021-07-16 17:45:18 +02:00
schweby
bfaa6a54ab
sources: update packages 2021-07-14 22:36:17 +02:00
schweby
04375f8152
hainich: remove websites
websites are now back on gitlab again
2021-07-14 22:15:03 +02:00
schweby
725517a035
sources: pin hexchen repo 2021-07-01 18:55:12 +02:00
schweby
6a408db9c1
hotfix: add websites to hainich
because gitlab broke websites AGAIN, they are now running on hainich
directly
While this is only a temporary solution, I think it will be as permanent
as they come
2021-06-25 11:38:47 +02:00
schweby
776c4d2f0f
sources: update packages 2021-06-23 23:16:54 +02:00
schweby
f6bf8c7c00
hainich: remove A20 ghost 2021-06-23 23:06:49 +02:00
octycs
df6f0baa71 hainich/mediawiki: Fix broken URL to plugin 2021-06-11 19:08:22 +02:00
schweby
b092919a53 nixda:update desktopvideo to 12.0 2021-06-09 21:58:06 +00:00
schweby
ab68332e2b sources: update packages 2021-06-09 22:30:19 +02:00
schweby
d37899698c
hainich: remove minecraft
nixos and its concepts/service management/update mechanism don't play nice with minecraft
In general some things I wanted to do (e.g. a map) are to spikiely resource intensive to run on a server meant to provide other services consistently
A replacement will be provided soon™
2021-06-06 18:22:24 +02:00
schweby
fec87aa59d
sources: update packages 2021-06-03 17:25:47 +02:00
Lukas
378c79f93e hainich:add hedgedoc for i4f 2021-06-02 19:08:54 +00:00
schweby
e9eb76c2b5
update sources 2021-05-26 22:31:06 +02:00
schweby
8506265060
sources: update packages 2021-05-12 21:41:53 +02:00
schweby
644c433809 hainich: init ghost A20 2021-05-12 19:37:15 +00:00
7d2e5f7576 ci: split up pipelines by host
Rationale: if one build fails, the other one will still continue running.
Especially since we already have some (and will presumably add more)
proprietary software to nixda which may require manual intervention
using nix-prefetch-url, this seems like a good idea.

An alternative would be to just specifiy `--keep-going`, but this seems
likely to lead to unreadable output.

However, I'm not sure what exactly happens when we try to run builds for
both hosts at once on the same nix store — it may be that this isn't the
best idea, but I guess we can just make the pipelines sequential instead
if necessary.

pipeline: fix mistake in build command

(previous commit contained two builds for nixda, none for hainich)
2021-05-10 14:41:42 +00:00
hexchen
3b39b0f316 hainich/gitlab-runner: limit nix builds to 1
running concurrent builds might cause stuff to be redownloaded/rebuilt.
2021-05-10 14:39:51 +00:00
3d8db75c48
mail: add addresses for c3wooc
Assuming I've understood the format of this config correctly, this
should add two new addresses for the c3wooc (one for general contact,
one for patches); both forwarding to its members (currently only hxchn
and me).
2021-05-08 20:06:00 +02:00
schweby
1e57204b7a
sources: update packages 2021-05-01 18:48:15 +02:00
9e7a277b6a workadventure: fix turn ipv4 address
apparently I missed changing that; it still pointed to my own
server (flora.stuebinm.eu) instead of hainich.
2021-04-29 22:20:10 +00:00
schweby
ae8bf7c8f6
sources: manage mattermost with niv
also reenables mattermost
also updated to version 5.34.2
2021-04-28 22:29:31 +02:00
schweby
148741f4c3
sources: update packages 2021-04-28 22:01:02 +02:00
schweby
3067d1b8fb
hainich/mediawiki: set static URL for WikiDB 2021-04-27 11:09:42 +02:00
hexchen
bc684b1626 services/mail: clean up the config file 2021-04-26 17:08:34 +00:00
schweby
908d6df2da
sources: update sources
this also disables mattermost-beta because of a version mismatch with
the development branch
will be readded with MR
2021-04-20 21:52:18 +02:00
schweby
9770b4089a
sources.json: replace refs with branches
refs are the old way of referring to what niv tracks for updates
niv actively encourages to switch to branches or tags so this is done
here
2021-04-20 21:39:17 +02:00
schweby
df31a3da35
hainich/minecraft: get server.jar via sources.json 2021-04-17 17:19:52 +02:00
schweby
3473603f91
sources: add papermc 2021-04-17 17:16:04 +02:00
schweby
243d0bf14d
hainich/minecraft: fix & reorder config
fixes a formatting error in jvmOpts and slightly reoders the config
2021-04-17 17:15:49 +02:00
schweby
75ec36dda2
hainich/mumble: import website from sources.json 2021-04-16 15:54:25 +02:00
schweby
18ed88727f
sources: add mumble-website 2021-04-16 15:52:17 +02:00
6e36ff58e2 workadventure: update and manage sources with niv
Changes:
 - workadventure is now pulled from stuebinm.eu/git via niv, and
   should be updated automatically along with the other sources
 - the same is true for the default map, which gets pulled directly from
   its gitlab sources.
 - this setup may potentially break things if I decide to rename an
   option upstream, but I don't think that'll happen too often
 - made the code a little nicer
 - uses workadventure-xce now, since the tabascoeye version is now gone

Open for discussion:
 - afaik know, the current version of workadventure-xce now contains
   fediventure-specific patches. Do we want that, or should we switch
   to the unfederated version?
2021-04-15 20:12:32 +00:00
hexchen
c3c3bca114 hainich/mail: update mailing lists, remove unused 2021-04-15 20:09:49 +00:00
schweby
1c446bec8d
hainich/hedgedoc: redirect pad.hacc.earth to pad.hacc.space 2021-04-15 14:13:15 +02:00
schweby
25568db129
hainich/nginx: disable interest cohort globally 2021-04-15 10:16:20 +02:00
schweby
0c55ccb47b
hainich: reduce backup retention 2021-04-15 06:37:12 +02:00
schweby
ccb4469922
hainich: Set more sensible snapshot retention time 2021-04-15 06:35:31 +02:00
schweby
b136ca090f
hainich: remove hasenloch 2021-04-15 06:18:26 +02:00
schweby
1f40f1f142
hainich: disable workadventure 2021-04-14 22:47:25 +02:00
schweby
caa45759a1
hainich/minecraft: update to paper 1.16.5-592 2021-04-14 22:43:35 +02:00
schweby
289c82e529
sources: update sources 2021-04-14 22:43:19 +02:00
schweby
7c04319456
hainich/minecraft: update to paper 1.16.5-583 2021-04-07 09:38:09 +02:00
schweby
2112e6e40e
sources: update packages 2021-04-07 09:38:05 +02:00
L3D ワッフルマイスター
b2d2235d4d remove newline in murmur.nix 😉 2021-04-05 06:46:34 +00:00
schweby
ee53d85b94
hainich/mumble: switch to updated site 2021-04-05 08:39:34 +02:00
schweby
6f7c79f93e
sources: update packages 2021-04-04 12:37:40 +02:00
schweby
87b3518ebd
hainich/minecraft: update to paper 1.16.5-576 2021-04-03 21:17:21 +02:00
schweby
cfb0cd5013
hainich/minecraft: add optimised GC options 2021-04-03 21:17:21 +02:00
schweby
d48c7cdcac
pkgs: set jre_headless to jdk11_headless
this is a workaround to be able to use java 11 with the
minecraft-server module
minecraft calls for jre_headless, which is still java 8
newer java version don't ship jre, which now have to be custom built or
the jdk used
2021-04-03 21:07:02 +02:00
schweby
5b37fde996
Merge branch 'mattermost-upgrade' 2021-04-03 10:23:00 +02:00
schweby
6db58c4a01
hasenloch: add FAQ and Contact 2021-04-03 08:00:59 +02:00
schweby
2974b9688b
hasenloch: update to newer version 2021-04-02 16:38:31 +02:00
011196f875
mattermost: disable analytics & telemetry
note that this ALSO disables the security alert features of mattermost [1],
which would send us alerts in case of security updates for our current
mattermost version. I have disabled it since it would send information
about our instance (including e.g. the current number of active users) to
mattermost every 24 hours.

Since we now essentially maintain our own set of mattermost packages, I
recommend at least some of us subscribe to the mattermost release blog [2],
and manually update the mattermost sources in `/pkgs/mattermost` as required
(I have done so already). The release blog is also available as an rss feed [3].

[1] https://docs.mattermost.com/administration/telemetry.html#security-update-check-feature
[2] https://mattermost.com/blog/category/releases
[3] https://mattermost.com/blog/category/releases/rss
2021-03-25 15:51:01 +01:00
d3af36bd3c
mattermost: update to version 5.30.3
This should be compatible with the version we currently use, and also include all hot-fixes
etc. which we definitely want to have.
2021-03-25 15:32:47 +01:00
304 changed files with 19224 additions and 2318 deletions

1
.gitignore vendored
View file

@ -2,3 +2,4 @@ result
ecdsa_host
secrets/
.*.swp
.deploy-gc/*

View file

@ -1,9 +0,0 @@
stages:
- build
build:
tags:
- nix
stage: build
script:
- nix-build -A deploy.all

1
.rgignore Normal file
View file

@ -0,0 +1 @@
websites/*

23
.sops.yaml Normal file
View file

@ -0,0 +1,23 @@
keys:
- &parsons age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
- &hexchen-backup age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
- &stuebinm-ilex age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
- &stuebinm-surltesh-echer age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
- &stuebinm-abbenay age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
- &octycs-m age1fm3e99tdyrsvztdchxxllt9nat35xzvd68d09y8scu9jfc7kvvuquhr49c
- &zauberberg-conway age16fk0m26n0fr2vmuxm2mjsmrawclde2mlyj6wg3ee9jvzmu5ru3ustgs5jq
- &moira-2022-06 age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
- &moira-openpgp age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
creation_rules:
- path_regex: secrets.yaml
key_groups:
- age:
- *parsons
- *hexchen-backup
- *stuebinm-ilex
- *stuebinm-surltesh-echer
- *stuebinm-abbenay
- *octycs-m
- *zauberberg-conway
- *moira-2022-06
- *moira-openpgp

24
LICENSE Normal file
View file

@ -0,0 +1,24 @@
This is free and unencumbered software released into the public domain.
Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.
In jurisdictions that recognize copyright laws, the author or authors
of this software dedicate any and all copyright interest in the
software to the public domain. We make this dedication for the benefit
of the public at large and to the detriment of our heirs and
successors. We intend this dedication to be an overt act of
relinquishment in perpetuity of all present and future rights to this
software under copyright law.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
For more information, please refer to <http://unlicense.org/>

View file

@ -1,32 +1,81 @@
# hacc nixfiles
welcome to hacc nixfiles (haccfiles). this is the code describing our nix-based infrastructure.
Welcome to the hacc nixfiles (haccfiles). This is how we configure (most of)
our infrastructure.
## structure
## General layout
- `default.nix`: Entrypoint to the config
- `common/`: configuration common to all hosts
- `desktop/`: desktop-relevant communication
- `flake.nix`: Entrypoint & dependencies
- `modules/`: home-grown modules for hacc-specific services
- `nix/`: sources files, managed with niv
- `pkgs/`: packages we built and don't want to upstream
- `pkgs/`: packages we need which aren't in nixpkgs
- `websites/`: static websites hosted by us
- `common/`: meta-level config, reusable across machines
- `parsons/`: our sole server, its config & the services it runs
## working with the haccfiles
Right now, we only have a single host. We might add more again in the future.
deploy:
``` shell
nix build -f . deploy.$hostname && ./result switch
## Working with this repo
You will need a flake-enabled nix installation, and have your ssh config set up
so that `ssh parsons` will connect to `parsons.hacc.space`.
### Deploying remotely
It's recommended to use [deploy_rs](https://github.com/serokell/deploy-rs):
~~~shell
deploy .#parsons -k [--dry-activate]
~~~
Alternatively, using just `nixos-rebuild`:
~~~shell
nixos-rebuild --flake .#parsons --target-host parsons \
--use-remote-sudo --use-substitutes [test|switch|dry-activate]
~~~
### Re-deploying on parsons itself
Simply do:
~~~shell
nixos-rebuild --flake .#parsons [test|switch|dry-activate]
~~~
## Working on websites
Websites are exposed as flake outputs: if you're working on a website & want to
check it in a browser, do e.g.
~~~shell
nix run .#\"muc.hacc.earth\"
~~~
to start a local http server (note that some of our websites need a directory
to be built in; these use `/tmp/hacc-website`).
To add a new website, add a new subdirectory to `websites`; nix will generate a
vhost config based on that directory's name. Add a `default.nix` in your directory
describing how to build the website, and give its derivation a `watch` attribute
to make the `nix run` setup work.
## I don't want to build this long dependency / want a cached version!
If it's still available on parsons from a previous deploy, do:
```shell
nix copy --from ssh://parsons /nix/store/...
```
`$hostname` can be replaced with any hostname or group
Note: don't just copy the .drv file (which Nix complains about if it can't
build something), that's just the description of how to build it! If you
don't know the actual outpath, look in the .drv file (should start with
`Derive([("out","[the path you want]"...`)
## committing to haccfiles
- Golden Rule: DO NOT COMMIT TO MAIN
- exceptions apply, if you are not sure where to commit, don't commit to main
- Things on `main` should always reflect the config that's actually deployed on
parsons, except during testing / debugging sessions
- split up commits, every commit is one atomic change
- e.g. no big "did some changes" but instead "updated service x", "updated service y", "update service z"
- follow the commit format: "$prefix$place: $change"
- prefix: one of fixup, nothing
- place: one of "modules/$module", "$hostname/service", "common/($place)", "pkgs/$pkgs" or "sources"
- change: describe your change, don't go over the character limit where git starts hiding/wrapping
- follow the commit format: "place: $change"
- place: e.g. `modules/$module`, `services/$service` ...
- change: describe your change. Please wrap your lines sensibly (or configure
your editor to do this for you)
- Exception: autogenerated messages (merge commits, reverts, etc)
- don't overuse merge commits, try to rebase things if possible with reasonable
effort

View file

@ -1,16 +1,12 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, modules, sources, ... }:
let
sources = import ../nix/sources.nix;
in {
{
imports = [
../modules
./users.nix
(sources.home-manager + "/nixos")
(sources.pbb-nixfiles + "/modules/nftables")
];
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;
boot.kernelParams = [ "quiet" ];
networking.domain = lib.mkDefault "hacc.space";
@ -19,24 +15,31 @@ in {
SystemMaxUse=512M
MaxRetentionSec=48h
'';
nix.package = pkgs.lix;
nix.gc.automatic = lib.mkDefault true;
nix.gc.options = lib.mkDefault "--delete-older-than 1w";
nix.trustedUsers = [ "root" "@wheel" ];
nix.gc.options = lib.mkDefault "--delete-older-than 7d";
nix.settings.trusted-users = [ "root" "@wheel" ];
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
environment.variables.EDITOR = "vim";
services.openssh = {
enable = true;
ports = lib.mkDefault [ 62954 ];
passwordAuthentication = false;
challengeResponseAuthentication = false;
permitRootLogin = lib.mkDefault "prohibit-password";
extraConfig = "StreamLocalBindUnlink yes";
forwardX11 = true;
settings = {
X11Forwarding = true;
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
StreamLocalBindUnlink = true;
};
};
programs.mosh.enable = true;
programs.fish.enable = true;
security.sudo.wheelNeedsPassword = lib.mkDefault false;
i18n.defaultLocale = "en_IE.UTF-8";
time.timeZone = "UTC";
console = {
font = "Lat2-Terminus16";
keyMap = "de";
@ -45,8 +48,8 @@ in {
environment.systemPackages = with pkgs; [
smartmontools lm_sensors htop tcpdump nload iftop
# bottom
ripgrep
bottom
ripgrep vgrep
git wget
kitty.terminfo
rsync pv progress
@ -58,11 +61,11 @@ in {
whois
iperf
fd
exa
eza
socat
tmux
gnupg
vim
vim neovim
patchelf
binutils
dnsutils
@ -70,14 +73,19 @@ in {
nmap
s-tui stress
ffmpeg-full
bat
niv
sqlite-interactive
hacc-scripts
];
security.acme.email = "info+acme@hacc.space";
security.acme.defaults.email = "info+acme@hacc.space";
security.acme.acceptTerms = true;
services.nginx.appendHttpConfig = ''
access_log off;
add_header Permissions-Policy "interest-cohort=()";
'';
petabyte.nftables.enable = true;
networking.nftables.enable = true;
}

View file

@ -1,9 +0,0 @@
{config, lib, pkgs, ...}:
let
sources = import ../nix/sources.nix;
in {
imports = [
(import sources.nix-hexchen {}).users.hexchen.base
];
}

View file

@ -1,11 +1,6 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hexchen.nix
];
home-manager.useGlobalPkgs = true;
users.users = {
root = {
@ -17,14 +12,10 @@
uid = lib.mkForce 1000;
isNormalUser = true;
extraGroups = [ "wheel" ];
};
stuebinm = {
uid = 1005;
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQtJQ8fUfwsC9Q39sNpZ41RRbW91QXDLKltsYK+TLidQ5IJj2KsG/lkd433Tod6PzSvB2PcfIfnvUz7GQuS1UwXHMdLEy0/kqeYrSi6QlAxFyFBSTsUZ4d+HHwBBoXhu1Iaoch/FJNI0FhfBciIii05UyYuPj5zGgvWhnfD53Ll8HA6XVXhSK09+9GRGq57Mix5N9AkzfEF83aRUF9Qfl7Jl16rOjIgtS8hbL0kXIKUeCxZA2xi/lNHEQRriCiriPmPGOhiPcNXzbekw7IbFfE3If1CHnj7KA4KnafHAd+uHvQAce5Y4v2vMOPfGVh1cm84VTzdSPEW5V1hFjOlSnnuCQtAzkQLv8zed2NLj73GgFlcUrYKERcH84wydD0gEednNKsW8T2NzgO2eNCBf0LrcFp17qmWLv51A3jofEX5tQ3PZ7zbtR4DMUmrizrsBWDYiHJOMVeMs/9TnmIc3PL17qvVvFI7OcYxl+SPPpPtaBzxXZAMIvGFppzYxRylBcBhNvE+bXXgLFXh5cbUcwgXjvrX0y8Gv/5S4E55+i2rQMqC55+O48snoSeNlQDZV+B9setXoC93K9fBurmCX8ObnNRvvghcwUl9OBSW5K9TBdl6FF3+Z3gOCIxOMGQQKJUS5/g/eLFJ+13Y5qAPS49XJzaBiTmDrRi8x22p7sU1Q== stuebinm@in.tum.de"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJ0tCxsEilAzV6LaNpUpcjzyEn4ptw8kFz3R+Z3YjEF hexchen@backup"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDI3T1eFS77URHZ/HVWkMOqx7W1U54zJtn9C7QWsHOtyH72i/4EVj8SxYqLllElh1kuKUXSUipPeEzVsipFVvfH0wEuTDgFffiSQ3a8lfUgdEBuoySwceEoPgc5deapkOmiDIDeeWlrRe3nqspLRrSWU1DirMxoFPbwqJXRvpl6qJPxRg+2IolDcXlZ6yxB4Vv48vzRfVzZNUz7Pjmy2ebU8PbDoFWL/S3m7yOzQpv3L7KYBz7+rkjuF3AU2vy6CAfIySkVpspZZLtkTGCIJF228ev0e8NvhuN6ZnjzXxVTQOy32HCdPdbBbicu0uHfZ5O7JX9DjGd8kk1r2dnZwwy/ hexchen@yubi5"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4CLJ+mFfq5XiBXROKewmN9WYmj+79bj/AoaR6Iud2pirulot3tkrrLe2cMjiNWFX8CGVqrsAELKUA8EyUTJfStlcTE0/QNESTRmdDaC+lZL41pWUO9KOiD6/0axAhHXrSJ0ScvbqtD0CtpnCKKxtuOflVPoUGZsH9cLKJNRKfEka0H0GgeKb5Tp618R/WNAQOwaCcXzg/nG4Bgv3gJW4Nm9IKy/MwRZqtILi8Mtd+2diTqpMwyNRmbenmRHCQ1vRw46joYkledVqrmSlfSMFgIHI1zRSBXb/JkG2IvIyB5TGbTkC4N2fqJNpH8wnCKuOvs46xmgdiRA26P48C2em3 hexchen@yubi5c"
];
};
@ -33,7 +24,7 @@
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDobGLrA6YQAKdJkZMpAsqjlk744G/pCJEvAUNJDuT1Sr59BFKDchPT03exb0o39mjH4iqvw4JDI10RfylKbR1736Ji2yRLlbCzUdgv2CfZc28TAO0rscyT49RHJmzEEE5QD4Ge7MgvFBEmZKXAxntA8M8EbxxEVfzhWp3751BYkzrCbJiHMXcTb+BG9P6rmrraINmgUJxywym5PsMYt2sfHlVus3hSpWnCR/cu0nxmW9E6Tm6CzSkWOXOTdjVuc0Kgh5GXaKDROzJ9K7cJAhd5t8Yzqtpm2xfSU5FVVUH9i7PbXOo8FL82Xi6kWMgdFNLvKimxGqW+bCv3ROlyKWF4I+HQdfdL181KaOQ40jAvjmldrB/ZiEbuWYSBZ/XhxFkKrtBYPDFHq/a5lnH3OvcDm7+/LhwIKUnyZyQ2dXOLOTOEDsO/69xwNveCB8of9o/erDbOeb+d44cXUFpPMUTz4bHXEP6y+zz8TB8/aleGbLQCPUzRZfvazN95jGUDqkumi9B3Lf+W/KpjVUgu3NQsUuJn6khMYW9VefnJvHwzbWpqIzbzNePL4iZFECv4NHPQHO/katajnMbkCie9rfnLk1EjJnrSnZUInEygkW/7Eu4EQM2h7lU4HYfwP1c4ubCFdES0ELGqSuJRwd/ORDbgxbuKOQ7gZ3/lgHdr9KGqJQ== markus.amaseder@amaseder.de"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQqFXSlqW+D4ZtVdCiN9IT461iwyqy2taBRD3qkvXqn m@octycs.eu"
];
hashedPassword = "$6$qQEbD8Ejx/y$6/nkX8CmFBtAlUP/UbFKVMVlA.ZvVbjQZRABqXQjU11tKpY25ww.MCGGMEKFv.7I/UH/126/q0S3ROTqePUEc.";
};
@ -43,20 +34,53 @@
isNormalUser = true;
extraGroups = [ "wheel" "cdrom" ];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt34ou3NYWoUayWrJa5ISzihAAhFiwolJPmm2fF9llPUUA8DP3BQRiKeqDlkDzhWLwztb+dNIUuregiFJdRN5Q2JZBKlM7Gqb1QtPhtK+xe2pyZPX2SWKIsKA6j3VAThhXsQdj3slXu3dG8FF7j+IFg/eTgpeQIFQQkMIc204ha8OP2ASYAJqgJVbXq8Xh3KkAc1HSrjYJLntryvK10wyU8p3ug370dMu3vRUn44FEyDzXFM9rfsgysQTzVgp+sXdRfMLeyvf+SUrE8hiPjzevF2nsUP0Xf/rIaK5VayChPLXJkulognINzvuVWAdwNPDLpgGwkjglF2681Ag88bLX allesmoeglicheundvielmehr@hotmail.de"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfxXSy22k2EZwz1EtvIMwQKGWsswEBeLn5ClhuiI4Ma lukas@Conway.lan"
];
packages = with pkgs; [ ffmpeg ];
};
schweby = {
moira = {
uid = 1004;
shell = pkgs.fish;
isNormalUser = true;
extraGroups = [ "wheel" "cdrom" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6JWi0MBDz0Zy4zjauQv28xYmHyapb8D4zeesq91LLE schweby@txsbcct"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJrcJRF71+XM5YZj+SaSiGcdVZ0IDxGBXIWssDtHiTtr moira_2022_06"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUa7NLrRqQ3j4KSGIw0vSvLMTO0gSZeCypQnJ/Viqm8 openpgp:0xBE0BE8A3"
];
hashedPassword = "$6$zkAsaVdmIduqZxez$GY9aBlYeP41F0it/VbbZzLLLRQhHAbDdFsa3e/1GS9McTuSimMHODg6HqNVEH1zSqD3afhK/0UHfqbtF5qpi90";
};
stuebinm = {
uid = 1005;
isNormalUser = true;
extraGroups = [ "wheel" ];
shell = pkgs.fish;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7J3peZGB4XGJKI1dV5PdpQS+TzmoJ7qL//ipCG7G5K stuebinm@surltesh-echer"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPB74xA2GBXnDwPEEaxWLONdQyBwjDoJHYagKRQXwO2 stuebinm@abbenay"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8e9WrHsknoFwBm/YaigOSz9VI8dXRRR5G9BX4kKt9/ stuebinm@ilex"
];
};
leah2 = {
uid = 1006;
shell = pkgs.fish;
isNormalUser = true;
extraGroups = [ "wheel" "cdrom" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK4o/ncaQUorp/BeZesPnVhzvfoqLJW3WZHtz+CWQvFU"
];
};
floppy = {
uid = 1007;
shell = pkgs.fish;
isNormalUser = true;
extraGroups = [ "wheel" "cdrom" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyVQhFDcoMnoYivQu1h8NCTWa+2WriZ1m5BilkuUk4u"
];
};
};
}

View file

@ -1,7 +0,0 @@
rec {
sources = import ./nix/sources.nix;
pkgs = import ./pkgs {};
inherit (pkgs) lib;
inherit (import (sources.nix-hexchen + "/lib/hosts.nix") { inherit pkgs; hostsDir = ./hosts; commonImports = [./common]; pkgsPath = ./pkgs; }) hosts groups;
deploy = import (sources.nix-hexchen + "/lib/deploy.nix") { inherit pkgs hosts groups; };
}

View file

@ -1,33 +0,0 @@
{ config, lib, pkgs, ... }:
{
boot.plymouth.enable = true;
nixpkgs.config = {
mumble.speechdSupport = true;
allowUnfree = true;
};
# boot.plymouth.splashBeforeUnlock = true;
environment.systemPackages = with pkgs; [
pulsemixer pavucontrol
firefox git kitty j4-dmenu-desktop bemenu
breeze-qt5 mako
mpv youtube-dl
wl-clipboard mumble
xdg_utils
slurp grim libnotify
_1password-gui
# gnome3.nautilus
] ++ (with pkgs; [ alacritty picom feh copyq polybar cinnamon.nemo rofi arandr notepadqq nomacs bat ]);
sound.enable = true;
hardware.pulseaudio = {
enable = true;
package = pkgs.pulseaudioFull;
};
networking.useDHCP = lib.mkDefault true;
hardware.opengl.enable = true;
services.xserver = {
windowManager.bspwm.enable = true;
layout = "de";
};
}

View file

@ -1,14 +0,0 @@
{config, lib, pkgs, ...}:
{
services.xserver.displayManager.lightdm = {
enable = true;
};
services.xserver = {
enable = true;
# videoDrivers = [ "nvidia" ];
};
# hardware.nvidia.modesetting.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
}

View file

@ -1,10 +0,0 @@
{ config, pkgs, ...}:
{
boot = {
extraModulePackages = with config.boot.kernelPackages; [ v4l2loopback ];
kernelModules = [ "v4l2loopback" ];
};
environment.systemPackages = with pkgs; [ obs-studio ];
}

7
docs/_index.md Normal file
View file

@ -0,0 +1,7 @@
+++
title = "hacc infra documentation"
page_template = "doc-page.html"
sort_by="title"
+++

10
docs/auth.md Normal file
View file

@ -0,0 +1,10 @@
+++
title = "Authentication"
categories = [ "services", "uffd" ]
+++
We use [uffd](https://git.cccv.de/uffd/uffd) for our SSO, for better or worse.
Mostly for worse.

20
docs/domains.md Normal file
View file

@ -0,0 +1,20 @@
+++
title = "Domains"
categories = [ "domains", "meta" ]
+++
Perhaps too many of them.
## Domains
| domain | mc | status | date | reseller | owner | custody |
| :------------------- | :-: | :-----: | :------: | :---------- | :--------- | :-----: |
| 4future.dev | yes | | | | | hacc e.V. |
| infra4future.de | yes | | | | | hacc e.V. |
| hacc.space | yes | | | | | hacc e.V. |
| hacc.earth | yes | | | | | hacc e.V. |
| hacc.media | yes | | | | | hacc e.V. |
| hacc.wiki | no | | | | | |
mc = managed by cloudflare
status = (renewl | autorenewl | expires)

16
docs/hostnames.md Normal file
View file

@ -0,0 +1,16 @@
+++
title = "Hostname schema"
+++
[Badass Anarchist Women](https://listverse.com/2018/09/27/10-absolutely-badass-anarchist-women-who-challenged-the-system/)
- keller
- deCleyre
- davidNeel
- leGuin
- [parsons](../parsons)
- ohair
- berneri
- michel
- sanger
- goldman

17
docs/lxc.md Normal file
View file

@ -0,0 +1,17 @@
+++
title = "LXC"
categories = [ "lxc" ]
+++
Some things don't easily run on NixOS. For these we have LXC containers running
debian.
Right now, only onlyoffice is left.
## Useful commands
- login to a container as root with a usable shell
`lxc-attach -n <name> -- /usr/bin/sudo -i`
- restarting the keycloak and ldap containers
`lxc-stop -n <name> && lxc-start -n <name>`
- restarting their network bridge:
`systemctl restart lxcbr0-netdev.services`

18
docs/rebooting.md Normal file
View file

@ -0,0 +1,18 @@
+++
title = "Rebooting Parsons"
categories = [ "nix" ]
+++
## Check integrity after unexpected shutdown
These steps are only required if the server shut down unexpectedly or you suspect tampering.
TODO
## Unlock full disk encryption
Connection to the server via the command listed in the shared password manager.
Only the Vorstand has access to it!
Enter the passwords for dpool and zroot.
If both are correct, you will be disconnected and the server continues the boot sequence.
The server should be up after about minute. Please check all services for availability.

21
docs/secrets.md Normal file
View file

@ -0,0 +1,21 @@
+++
title = "Secrets"
categories = [ "services", "sops" ]
+++
## Secret management
We use [sops-nix](https://github.com/Mic92/sops-nix) to manage secrets which we'd
like to have in Git but don't want to be public. Entries in `secrets.yaml` are
encrypted for each of the age keys listed in `.sops.yaml`, which are themselves
derived from ssh keys.
For the initial set up, please take a look at the sops-nix Readme file.
To edit the secrets file, run `sops secrets.yaml`, which will decrypt the
file & open it in your $EDITOR, then re-encrypt it when you're done.
To add a new key, use `ssh-to-age` to convert your ssh key to age, and add it to
`sops.yaml`. Then do `sops updatekeys secrets.yaml` to re-encrypt the file for
the new set of keys.

5
docs/services/_index.md Normal file
View file

@ -0,0 +1,5 @@
+++
title = "Services"
sort_by = "title"
page_template = "doc-page.html"
+++

19
docs/services/acme.md Normal file
View file

@ -0,0 +1,19 @@
+++
title = "ACME / letsencrypt"
categories = [ "domain", "https", "ssl", "tls", "Certificates" ]
+++
# Usage
We use the ACME module's nginx integration for basically everything. Beware of
rate limits when redeploying lots of things at once! Let's Encrypt is a little
picky about those.
## Workarounds & peculiar configuration choices
Certs live under `/var/lib/acme/`
If you need to remove a cert for whatever reason, be aware that there is a
hidden `.lego` folder, that contains state as well

68
docs/services/hedgedoc.md Normal file
View file

@ -0,0 +1,68 @@
+++
title = "hedgedoc"
taxonomies.categories = [ "services" ]
+++
hegedoc was once called codiMD, so container, config and users are still called codimd.
**Do NOT change this** unless you're sure what you're doing.
We have two instances:
- `pad-hacc`/pad.hacc.space is connected to our SSO/uffd
- `pad-i4f`/pad.infra4future.de is not connected to our SSO and meant to be more public
## Basic Troubleshooting
Usually if hedgedoc dies, it's because postgresql wasn't there yet. Just restart
hedgedoc.
## More Troubles
log into the container and take a look at the logs
~~~shell
sudo nixos-container root-login codimd
journalctl -e
~~~
### fixing failed database upgrades
see https://docs.hedgedoc.org/guides/migration-troubleshooting/ (copied below
for convenience?):
In some cases, HedgeDoc might apply migrations without correctly saving the
progress. It will then refuse to start with "already exists"-errors like
ERROR: type "enum_Notes_permission" already exists.
Get the name of the failing migration and append .js to it. For example, if
you encounter this error:
~~~
== 20180306150303-fix-enum: migrating =======
ERROR: type "enum_Notes_permission" already exists
~~~
the name of the failed migration would be 20180306150303-fix-enum.js.
The SQL-statement may look like this:
~~~
INSERT INTO "SequelizeMeta" (name) VALUES ('20180306150303-fix-enum.js');
~~~
Make sure HedgeDoc does not run and insert the name into the SequelizeMeta table.
Enter the container switch to the postgres user, open psql and commect to the
codimd database:
~~~shell
su postgres
psql
\l
\c codimd
UN adjusted SQL STAMEMENT from above ]
\q
~~~
Start HedgeDoc again and observe if it starts correctly. It may be necessary to
repeat this process and insert multiple migrations into the SequelizeMeta table.

65
docs/services/mail.md Normal file
View file

@ -0,0 +1,65 @@
+++
title = "mail"
taxonomies.categories = [ "services" ]
+++
Mail is not connected to our SSO!
## adding a mail account
- We use `@hacc.space` for our mails
- `@infra4future.de` is reserved for services, old user accounts will be
forwarded & logins disabled
- choose a name (no aliases or other names can be the same)
- generate a sha-512 password hash ```mkpasswd -m sha-512``` - **never add an
unhashed password!**
- add your account to `loginAccounts =` in `//parsons/mail.nix`
- build and redeploy parsons
**example:**
```
zwoelfontheshelf@hacc.space" = {
hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUEdxrxdtgvzuGOkBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
};
```
## adding to a forward address
- add the mail address to the corresponding `extraVirtualAliases =`
- build and redeploy parsons
## adding a forward address
- add the address to `extraVirtualAliases =`
- add the addresses it should forward to
- build and redeploy parsons
**example:**
```
"himmel@hacc.space" = [
"hexchen@hacc.space"
"zauberberg@hacc.space"
];
```
## sending & receiving mail
### as a user
- Your mail client should auto configure correctly
~~~
mailserver: mail.hacc.space (everywhere)
username: $your_mail_address
sending via smtp: port 587 or 465
recieving
imap: port 993
TLS and STARTTLS are supported
~~~
- You can send mail as you and any alias you receive mail from. Set a second Identity in your e-mail client
### as an application
- mailserver: `mail.hacc.space`
- Do **not** use port 25. It's for server to server communication only.
- Use smtp ports `587` or `465`
- enable TLS if possible
- only send mail from `noreply@infra4future.de`
- Password is somewhere (TODO!)

40
docs/services/mumble.md Normal file
View file

@ -0,0 +1,40 @@
+++
title = "mumble"
taxonomies.categories = [ "mumble" ]
+++
[offical Docmuentation](https://wiki.mumble.info/wiki/Main_Page)
Mumble's server is called murmur, but the naming is inconsistent. Sometimes
it's also just called mumble server.
# Usage
## registration
Users need to be registered to join any other channel than public.
An already registered user has to register them with the server.
1. right click on the username
2. choose register in the menu. Done.
## restricted channels
Every channel in the hacc category except for plenum can only be accessed by
members of the hacc group.
## adding users to a group
Only admins can edit groups, and only registered users can be added to groups.
1. right click on the Root channel
2. select Edit...
2. In Groups select $groupname
3. make the change you want to make
4. click "OK"
# Config details
- the server is not registered with mumble & not on the public server list
- the bitrate is set to 128kb/s; otherwise the client would complain that the
server bitrate is less then the configured (default) in its local settings
# Hacks
- murmur needs a TLS cert, which we get via the ACME module
- there's a funny group setup so that hopefully murmurd can read the cert
- this seems to work fine now, but was some source of trouble in the past

View file

@ -0,0 +1,18 @@
+++
title = "$Service Name"
draft = true ## Remove this line to make file appear on website
+++
<general information & pointers to official documentation>
# Usage
<usage from an admin's perspective>
# Config Notes
<what should one keep in mind when reading the nix file?>
## Updating
<anything to keep in mind?>
# Hacks
<ugly things which might break or cause general ???? states>

24
docs/snapshots.md Normal file
View file

@ -0,0 +1,24 @@
+++
title = "Use ZFS snapshot"
taxonomies.categories = [ "zfs", "snapshot", "filesystem", "backup", "update", "upgrade" ]
+++
## Make a ZFS snapshot
~~~shell
sudo zfs snapshot zroot/safe/persist@<name>
~~~
## Rollback
### single files
The snapshots can be accessed under `<mountpoint>/.zfs/snapshot/...`
### fully
~~~shell
sudo zfs rollback zroot/safe/persist@<name>
~~~
## Delete a ZFS snapshot
~~~shell
sudo zfs destroy zroot/safe/persist@<name>
~~~

223
flake.lock Normal file
View file

@ -0,0 +1,223 @@
{
"nodes": {
"blobs": {
"flake": false,
"locked": {
"lastModified": 1604995301,
"narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"repo": "blobs",
"type": "gitlab"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1727447169,
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": [
"deploy-rs",
"flake-compat"
],
"nixpkgs": [
"nixpkgs-unstable"
],
"nixpkgs-24_05": [
"nixpkgs"
],
"utils": [
"deploy-rs",
"utils"
]
},
"locked": {
"lastModified": 1718084203,
"narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-24.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1730066105,
"narHash": "sha256-Amh10U62W2wUdJ+5B5uZlqOmz+McBEBgou11Q0ki+WI=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ef498e16f8a10e92d559e1f6e01412444acefaff",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.05-small",
"type": "indirect"
}
},
"nixpkgs-oldstable": {
"locked": {
"lastModified": 1678761643,
"narHash": "sha256-tapXZvg6Kg5Fm7Fm6i+7cRC5Exp2lX7cgMrqsfrGhuc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c4aec3c021620d98861639946123214207e98344",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c4aec3c021620d98861639946123214207e98344",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1730069753,
"narHash": "sha256-ekaRUJhg5cnsJCwHTEGXnuAU9eD0NP2d85AYJh3cy8I=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e4735dbdda8288aef24141f3ae8848a14f06fe08",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-unstable-small",
"type": "indirect"
}
},
"root": {
"inputs": {
"deploy-rs": "deploy-rs",
"nixos-mailserver": "nixos-mailserver",
"nixpkgs": "nixpkgs",
"nixpkgs-oldstable": "nixpkgs-oldstable",
"nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix",
"tracktrain": "tracktrain"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs-unstable"
],
"nixpkgs-stable": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1729999681,
"narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56",
"type": "github"
},
"original": {
"owner": "Mic92",
"repo": "sops-nix",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tracktrain": {
"flake": false,
"locked": {
"lastModified": 1720213096,
"narHash": "sha256-GrSXD6WvyiXcHx1s+48PEZVn/MTtBJAXpgds+NdEL2g=",
"ref": "main",
"rev": "2943327863bfe5c6e793e5c40e473a2755d45642",
"revCount": 126,
"type": "git",
"url": "https://stuebinm.eu/git/tracktrain"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://stuebinm.eu/git/tracktrain"
}
},
"utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

92
flake.nix Normal file
View file

@ -0,0 +1,92 @@
{
description = "hacc infra stuff";
inputs = {
nixpkgs.url = "nixpkgs/nixos-24.05-small";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
nixpkgs-oldstable.url = "github:/NixOS/nixpkgs?rev=c4aec3c021620d98861639946123214207e98344";
nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
tracktrain.url = "git+https://stuebinm.eu/git/tracktrain?ref=main";
tracktrain.flake = false;
deploy-rs.url = "github:serokell/deploy-rs";
deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";
sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";
# these exist mostly to make the flake.lock somewhat more human-friendly
# note that in theory doing this might break things, but it seems fairly unlikely
nixos-mailserver.inputs = {
"nixpkgs-24_05".follows = "nixpkgs";
nixpkgs.follows = "nixpkgs-unstable";
utils.follows = "/deploy-rs/utils";
flake-compat.follows = "/deploy-rs/flake-compat";
};
};
outputs = { self, nixpkgs, deploy-rs, sops-nix, ... }@inputs:
let modules = {
bindMounts = import ./modules/bindmounts.nix;
nopersist = import ./modules/nopersist.nix;
encboot = import ./modules/encboot.nix;
};
profiles = {
container = import ./modules/container-profile.nix;
};
pkgs = import ./pkgs {
sources = inputs;
system = "x86_64-linux";
config.allowUnfree = true;
config.permittedInsecurePackages = [ "nextcloud-27.1.11" ];
};
in {
nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
./parsons/configuration.nix
./modules/buildinfo.nix
./modules/containers.nix
sops-nix.nixosModules.sops
{ nixpkgs.pkgs = pkgs; }
];
specialArgs = {
sources = inputs;
inherit modules profiles;
inherit (nixpkgs.lib) nixosSystem;
};
};
deploy.nodes.parsons = {
hostname = "parsons";
profiles.system = {
user = "root";
autoRollback = false;
path = deploy-rs.lib.x86_64-linux.activate.nixos
self.nixosConfigurations.parsons;
};
};
# This is highly advised, and will prevent many possible mistakes
checks = builtins.mapAttrs
(system: deployLib: deployLib.deployChecks self.deploy)
deploy-rs.lib;
apps.x86_64-linux =
let
mkApp = pkg: {
type = "app";
program = pkgs.lib.getExe pkg;
};
websites = pkgs.lib.mapAttrs (name: mkApp)
self.nixosConfigurations.parsons.config.hacc.websites.builders;
in
{ docs = websites."docs.hacc.space"; } // websites;
packages.x86_64-linux = {
inherit (pkgs) mattermost;
};
};
}

View file

@ -1,134 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
../../common
./encboot.nix
./hardware.nix
./services/murmur.nix
./services/mail.nix
./services/codimd.nix
../../common
# ./wireguard.nix
./services/nginx.nix
# ./k8s.nix
./services/docker.nix
./services/gitlab-runner.nix
./services/lantifa.nix
./services/hasenloch.nix
./services/syncthing.nix
./services/monitoring.nix
./services/workadventure.nix
./services/minecraft.nix
./services/mattermost.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
boot.supportedFilesystems = [ "zfs" ];
# stop *something* from loading ip_tables and breaking nftables
boot.blacklistedKernelModules = [ "ip_tables" "ip6_tables" "x_tables"];
# networking
networking.hostName = "hainich";
networking.hostId = "8a58cb2f";
networking.useDHCP = true;
networking.interfaces.enp6s0.ipv4.addresses = [
{
address = "46.4.63.148";
prefixLength = 27;
}
{
address = "46.4.63.158";
prefixLength = 27;
}
];
networking.interfaces.enp6s0.ipv6.addresses = [ {
address = "2a01:4f8:140:84c9::1";
prefixLength = 64;
} ];
networking.defaultGateway = "46.4.63.129";
networking.nameservers = [
"1.1.1.1" "1.0.0.1"
"2606:4700:4700::1111" "2606:4700:4700::1001"
];
networking.defaultGateway6 = {
address = "fe80::1";
interface = "enp6s0";
};
hacc.nftables.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.internalIPs = [ "192.168.100.0/24" "172.17.0.0/16" ];
networking.nat.externalInterface = "enp6s0";
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# networking.firewall.enable = false;
# misc
time.timeZone = "UTC";
environment.systemPackages = with pkgs; [
wget vim git
];
services.openssh.enable = true;
services.openssh.ports = [ 22 62954 ];
users.users.root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6JWi0MBDz0Zy4zjauQv28xYmHyapb8D4zeesq91LLE schweby@txsbcct"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCvmrk3i04tXfrSlZtHFbG3o6lQgh3ODMWmGDING4TJ4ctidexmMNY15IjVjzXZgQSET1uKLDLITiaPsii8vaWERZfjm3jjub845mpKkKv48nYdM0eCbv7n604CA3lwoB5ebRgULg4oGTi60rQ4trFf3iTkJfmiLsieFBZz7l+DfgeDEjDNSJcrkOggGBrjE5vBXoDimdkNh8kBNwgMDj1kPR/FHDqybSd5hohCJ5FzQg9vzl/x/H1rzJJKYPO4svSgHkYNkeoL84IZNeHom+UEHX0rw2qAIEN6AiHvNUJR38relvQYxbVdDSlaGN3g26H2ehsmolf+U0uQlRAXTHo0NbXNVYOfijFKL/jWxNfH0aRycf09Lu60oY54gkqS/J0GoQe/OGNq1Zy72DI+zAwEzyCGfSDbAgVF7Y3mU2HqcqGqNzu7Ade5oCbLmkT7yzDM3x6IsmT1tO8dYiT8Qv+zFAECkRpw3yDkJkPOxNKg10oM318whMTtM3yqntE90hk= schweby@taxusbaccata"
];
initialHashedPassword = "$6$F316njEF2$GMF4OmPSF6QgZ3P/DblQ/UFMgoo98bztbdw7X0ygvBGC1UMMIc13Vtxjd/ZGRYW/pEHACZZ7sbRZ48t6xhvO7/";
# shell = pkgs.fish;
};
# storage stuffs!
services.zfs = {
autoSnapshot = {
enable = true;
};
autoScrub = {
enable = true;
};
};
boot.kernelPackages = pkgs.linuxPackages;
services.restic.backups.tardis = {
passwordFile = "/etc/restic/system";
s3CredentialsFile = "/etc/restic/system.s3creds";
paths = [
"/data"
"/home"
"/run/florinori"
"/var/lib/containers/codimd/var/lib/codimd"
"/var/lib/containers/codimd/var/backup/postgresql"
"/var/lib/containers/lantifa/var/lib/mediawiki"
"/var/lib/containers/lantifa/var/backup/mysql"
"/var/lib/murmur"
"/var/lib/syncthing"
];
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
];
repository = "b2:tardis-hainich:system";
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.03"; # Did you read the comment?
}

View file

@ -1,28 +0,0 @@
{ config, lib, pkgs, ... }:
{
boot.initrd.kernelModules = [ "r8169" ]; # add network card driver
boot.kernelParams = ["ip=:::::enp6s0:dhcp"]; # enable dhcp on primary network interface
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 2222;
# TODO: Modify system config so that this works
# authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
hostKeys = [ /run/keys/ecdsa_host ];
};
# TODO: curl some webhook here to alert?
# possibly quite hard to do, we only have limited wget or netcat available
# how this all works:
# when someone logs in via ssh, they are prompted to unlock the zfs volume
# afterwards zfs is killed in order for the boot to progress
# timeout of 120s still applies afaik
postCommands = ''
zpool import zroot
zpool import dpool
echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
'';
};
}

View file

@ -1,52 +0,0 @@
{ config, lib, pkgs, ... }:
{
boot.initrd.availableKernelModules = [ "uhci_hcd" "ahci" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "zroot/root/nixos";
fsType = "zfs";
};
fileSystems."/nix" =
{ device = "zroot/root/nixos/nix";
fsType = "zfs";
};
fileSystems."/home" =
{ device = "dpool/home";
fsType = "zfs";
};
fileSystems."/var/lib/containers" =
{ device = "dpool/containers";
fsType = "zfs";
};
fileSystems."/var/lib/docker" =
{ device = "dpool/docker";
fsType = "zfs";
};
fileSystems."/var/lib/gitlab-runner" =
{ device = "dpool/gitlab-runner";
fsType = "zfs";
};
fileSystems."/data" =
{ device = "dpool/data";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/40125f55-7fe8-4850-902e-b4d6e22f0335";
fsType = "ext2";
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 12;
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
}

View file

@ -1,125 +0,0 @@
{ config, pkgs, ... }:
{
services.etcd = {
advertiseClientUrls = [
"https://[2a0d:eb04:8:10::1]:2379"
];
listenClientUrls = [
"https://[2a0d:eb04:8:10::1]:2379"
];
listenPeerUrls = [
"https://[::1]:2380"
];
};
services.kubernetes = {
roles = [ "master" "node" ];
flannel.enable = false;
addons.dns = {
enable = true;
clusterIp = "2a0d:eb04:8:11::53";
reconcileMode = "EnsureExists";
};
pki.cfsslAPIExtraSANs = [ "hainich.hacc.space" ];
apiserver = {
advertiseAddress = "2a0d:eb04:8:10::1";
extraSANs = [
"2a0d:eb04:8:10::1" "2a0d:eb04:8:11::1" "hainich.hacc.space"
];
bindAddress = "::";
insecureBindAddress = "::1";
etcd = {
servers = [ "https://[2a0d:eb04:8:10::1]:2379" ];
};
serviceClusterIpRange = "2a0d:eb04:8:11::/120";
extraOpts = "--allow-privileged=true";
};
controllerManager = {
bindAddress = "::";
clusterCidr = "2a0d:eb04:8:12::/64";
};
kubelet = {
address = "::";
clusterDns = "2a0d:eb04:8:11::53";
};
proxy = {
bindAddress = "::";
};
scheduler = {
address = "::1" ;
};
apiserverAddress = "https://[2a0d:eb04:8:10::1]:6443";
clusterCidr = "2a0d:eb04:8:12::/64";
easyCerts = true;
masterAddress = "hainich.hacc.space";
};
networking.firewall = {
allowedTCPPorts = [ 80 443 6443 ];
trustedInterfaces = [
"cbr0" "tunnat64"
];
extraCommands = ''
iptables -t nat -A POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
iptables -A FORWARD -i tunnat64 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
iptables -t nat -A PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
ip6tables -A FORWARD -i tunnat64 -j ACCEPT
ip6tables -A INPUT -i tunnat64 -j ACCEPT
'';
extraStopCommands = ''
iptables -t nat -D POSTROUTING -o enp6s0 -j SNAT --to 46.4.63.158
iptables -D FORWARD -i tunnat64 -j ACCEPT
iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 80 -j DNAT --to-destination 10.255.255.2:80
iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 443 -j DNAT --to-destination 10.255.255.2:443
iptables -t nat -D PREROUTING -p tcp -d 46.4.63.158 --dport 6443 -j DNAT --to-destination 10.255.255.1:443
ip6tables -A FORWARD -i tunnat64 -j ACCEPT
ip6tables -A INPUT -i tunnat64 -j ACCEPT
'';
};
systemd.services.tayga = (let
config = pkgs.writeText "tayga.conf" ''
tun-device tunnat64
ipv4-addr 10.255.255.254
prefix 2a0d:eb04:8:10:64::/96
dynamic-pool 10.255.255.0/24
map 10.255.255.1 2a0d:eb04:8:10::1
map 10.255.255.2 2a0d:eb04:8:11::2
strict-frag-hdr 1
'';
startScript = pkgs.writeScriptBin "tayga-start" ''
#! ${pkgs.runtimeShell} -e
${pkgs.iproute}/bin/ip link set up tunnat64 || true
${pkgs.iproute}/bin/ip route add 10.255.255.0/24 dev tunnat64 || true
${pkgs.iproute}/bin/ip -6 route add 2a0d:eb04:8:10:64::/96 dev tunnat64 || true
${pkgs.tayga}/bin/tayga -d --config ${config}
'';
in {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = ''${startScript}/bin/tayga-start'';
};
});
networking.interfaces.cbr0.ipv6.routes = [{
address = "2a0d:eb04:8:10::";
prefixLength = 60;
}];
networking.interfaces.tunnat64 = {
virtual = true;
};
# openebs expects some stuff to be there.
system.activationScripts.openebs = ''
mkdir -p /usr/lib /usr/sbin
ln -sf ${pkgs.zfs.lib}/lib/* /usr/lib/
ln -sf ${pkgs.zfs}/bin/zfs /usr/sbin/
'';
}

View file

@ -1,85 +0,0 @@
{ config, lib, pkgs, ... }:
{
containers.codimd = {
privateNetwork = true;
hostAddress = "192.168.100.1";
localAddress = "192.168.100.3";
autoStart = true;
config = { config, lib, pkgs, ... }: {
networking.firewall.enable = false;
services.coredns = {
enable = true;
config = ''
.:53 {
forward . 1.1.1.1
}
'';
};
services.hedgedoc = {
enable = true;
configuration = {
allowAnonymous = true;
allowFreeURL = true;
allowGravatar = false;
allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ];
dbURL = "postgres://codimd:codimd@localhost:5432/codimd";
defaultPermission = "limited";
domain = "pad.hacc.space";
host = "0.0.0.0";
protocolUseSSL = true;
hsts.preload = false;
email = false;
oauth2 = {
authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
clientID = "codimd";
clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
};
};
};
systemd.services.hedgedoc.environment = {
"CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
"CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name";
"CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name";
"CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
"CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
};
services.postgresql = {
enable = true;
ensureDatabases = [ "codimd" ];
ensureUsers = [{
name = "codimd";
ensurePermissions = {
"DATABASE codimd" = "ALL PRIVILEGES";
};
}];
};
services.postgresqlBackup = {
enable = true;
databases = [ "codimd" ];
startAt = "*-*-* 23:45:00";
};
};
};
services.nginx.virtualHosts."pad.hacc.space" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.100.3:3000";
extraConfig = ''
proxy_pass_request_headers on;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
add_header Access-Control-Allow-Origin "*";
proxy_buffering off;
'';
};
};
}

View file

@ -1,32 +0,0 @@
{ config, lib, pkgs, ... }:
{
virtualisation.oci-containers.containers."ghost-waszumfff" = {
autoStart = true;
environment = {
url = "https://waszumfff.4future.dev";
};
image = "ghost:alpine";
ports = [ "127.0.0.1:2368:2368" ];
volumes = [ "/run/florinori:/var/lib/ghost/content" ];
};
fileSystems."/run/florinori" =
{ device = "dpool/k8s/florinori";
fsType = "zfs";
};
services.nginx.virtualHosts."waszumfff.4future.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2368";
extraConfig = "
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
";
};
};
}

View file

@ -1,62 +0,0 @@
{config, pkgs, lib, ...}:
{
services.gitlab-runner = {
enable = true;
concurrent = 4;
services = {
infra4future = {
buildsDir = "/var/lib/gitlab-runner/builds";
dockerImage = "nixos/nix";
executor = "docker";
registrationConfigFile = "/etc/gitlab-runner/gitlab-runner.env";
};
nix = {
registrationConfigFile = "/etc/gitlab-runner/gitlab-runner.env";
dockerImage = "alpine";
dockerVolumes = [
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
];
dockerDisableCache = true;
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs
mkdir -p -m 0755 /nix/var/nix/gcroots
mkdir -p -m 0755 /nix/var/nix/profiles
mkdir -p -m 0755 /nix/var/nix/temproots
mkdir -p -m 0755 /nix/var/nix/userpool
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
mkdir -p -m 0700 "$HOME/.nix-defexpr"
. ${pkgs.nix}/etc/profile.d/nix.sh
${pkgs.nix}/bin/nix-env -i ${lib.concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
${pkgs.nix}/bin/nix-channel --update nixpkgs
'';
environmentVariables = {
ENV = "/etc/profile";
USER = "root";
NIX_REMOTE = "daemon";
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
};
tagList = [ "nix" ];
};
};
};
systemd.services.gitlab-runner.serviceConfig = {
DynamicUser = lib.mkForce false;
User = "gitlab-runner";
};
users.users.gitlab-runner = {
home = "/var/lib/gitlab-runner";
extraGroups = [ "docker" ];
isSystemUser = true;
};
virtualisation.docker.storageDriver = "zfs";
}

View file

@ -1,92 +0,0 @@
{ pkgs, config, ...}:
{
containers.hasenloch = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.5";
localAddress = "192.168.100.7";
config = { pkgs, config2, ...}: {
services.engelsystem = {
enable = true;
package = pkgs.engelsystem.overrideAttrs (oldAttrs: rec {
version = "3.1.1-r2r";
src = pkgs.fetchzip {
url = "https://schwe.by/files/engelsystem2.zip";
sha256 = "0kqididzlslzrcpx89pf57008lh040ghhhab83sz28zabsm9945q";
};
});
domain = "himmel.hacc.earth";
config = {
url = "https://himmel.hacc.earth";
trusted_proxies = [ "${config.containers.hasenloch.hostAddress}/31" ];
rewrite_urls = true;
app_name = "Hasenloch";
footer_items = {
FAQ = "TODO";
Contact = "TODO";
};
signup_requires_arrival = true;
enable_dect = true;
enable_pronoun = true;
enable_tshirt_size = false;
night_shifts.enabled = false;
autoarrive = true;
theme = 15;
database = {
database = "engelsystem";
host = "localhost";
username = "engelsystem";
};
email = {
driver = "smtp";
encryption = "tls";
from = {
address = "noreply@infra4future.de";
name = "divoc Hasenloch";
};
host = "mail.hacc.space";
password = {
_secret = "/var/keys/engelsystem/mail";
};
port = 587;
username = "noreply@infra4future.de";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
networking.firewall.enable = false;
services.coredns = {
enable = true;
config = ''
.:53 {
forward . 1.1.1.1
}
'';
};
};
};
services.nginx.recommendedProxySettings = true;
services.nginx.virtualHosts."himmel.hacc.earth" = {
locations."/".proxyPass = "http://" + config.containers.hasenloch.localAddress;
forceSSL = true;
enableACME = true;
};
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-hasenloch"];
networking.nat.externalInterface = "enp6s0";
}

View file

@ -1,97 +0,0 @@
{ config, lib, pkgs, ... }:
let
unstable = import (import ../../../nix/sources.nix).nixpkgs-unstable {};
in {
containers.lantifa = {
autoStart = true;
privateNetwork = true;
hostAddress6 = "fd00::42:14";
localAddress6 = "fd00::42:15";
config = {config, pkgs, ... }: {
networking.hosts."::1" = [ "wiki.lantifa.org" ];
networking.firewall.enable = false;
users.users.mediawiki.extraGroups = [ "keys" ];
services.mediawiki = {
enable = true;
name = "LANtifa";
package = unstable.mediawiki;
database.createLocally = true;
passwordFile = "/var/lib/mediawiki/mediawiki-password";
extraConfig = let
wikidb = pkgs.fetchzip {
url = "http://www.kennel17.co.uk/uploads/testwiki/e/e9/WikiDB.zip";
sha256 = "0d4f2ygglz4w515a7lgw59500q3xmr92xxhsmh8p204yaa769x8v";
};
in ''
// Configure short URLs
$wgScriptPath = "";
$wgArticlePath = "/wiki/$1";
$wgUsePathInfo = true;
require_once('${wikidb}/WikiDB.php');
$wgExtraNamespaces = array( 100 => "Table", 101 => "Table_Talk",);
$wgWikiDBNamespaces = 100;
$wgGroupPermissions['user']['writeapi'] = true;
$wgDefaultUserOptions['visualeditor-enable'] = 1;
$wgLogo = "images/c/c5/LantifaLogoFem0.3.png";
// PageForms config
$wgGroupPermissions['*']['viewedittab'] = false;
$wgGroupPermissions['user']['viewedittab'] = true;
// Moderation setting
$wgModerationNotificationEnable = true;
$wgModerationEmail = "wiki_mod@lantifa.org";
$wgLogRestrictions["newusers"] = 'moderation';
// intersection / DynamicPageList config
$wgDLPMaxCacheTime = 5 * 60;
'';
extensions = {
TemplateData = null;
VisualEditor = null;
InputBox = null;
Moderation = pkgs.fetchzip {
url = "https://github.com/edwardspec/mediawiki-moderation/archive/v1.4.20.tar.gz";
sha256 = "1k0z44jfqsxzwy6jjz3yfibiq8wi845d5iwwh8j3yijn2854fj0i";
};
intersection = pkgs.fetchzip { # This is the DynamicPageList extension
url = "https://extdist.wmflabs.org/dist/extensions/intersection-REL1_35-f657385.tar.gz";
sha256 = "0f4bpxdfj5k4ll56s3i6cpgcpfalsff307shdhqhrbl0n3kbr3q0";
};
PageForms = pkgs.fetchzip {
url = "https://github.com/wikimedia/mediawiki-extensions-PageForms/archive/5.0.1.zip";
sha256 = "172m7p941fbkl29h5bhanx3dn42jfmzgyvgmgm2lgdbmkawwly96";
};
};
virtualHost = {
hostName = "wiki.lantifa.org";
listen = [ { port = 80; } ];
adminAddr = "admin@hacc.space";
extraConfig = ''
RewriteEngine On
RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
RewriteRule ^/*$ %{DOCUMENT_ROOT}/index.php [L]
'';
};
};
services.mysqlBackup = {
enable = true;
databases = [ "mediawiki" ];
calendar = "*-*-* 23:45:00";
};
};
};
services.nginx.virtualHosts."wiki.lantifa.org" = {
locations."/".proxyPass = "http://[" + config.containers.lantifa.localAddress6 + "]";
forceSSL = true;
enableACME = true;
};
}

View file

@ -1,171 +0,0 @@
{ config, pkgs, lib, ... }:
let
sources = import ../../../nix/sources.nix;
in {
imports = [
sources.nixos-mailserver.outPath
];
mailserver = {
mailDirectory = "/data/mail";
enable = true;
fqdn = "mail.hacc.space";
domains = [ "hacc.space" "hacc.earth" "4future.dev" "4futu.re" "infra4future.de" "discuss.infra4future.de" ];
loginAccounts = {
"hexchen@hacc.space" = {
hashedPassword = "$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/";
aliases = [
"postmaster@hacc.space"
"abuse@hacc.space"
];
};
"octycs@hacc.space" = {
hashedPassword = "$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg.";
aliases = [
"markus@hacc.space"
];
};
"raphael@hacc.space" = {
hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/";
};
"engelsystem@hacc.space" = {
hashedPassword = "$6$5cIAEhJ7af7M$eJBPQc3ONd.N3HKPFpxfG7liZbUXPvWuSpWVgeG7rmsG7f7.Zdxtodvt5VaXoA3AEiv3GqcY.gKHISK/Gg0ib/";
};
"schweby@hacc.space" = {
hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1";
};
"zauberberg@hacc.space" = {
hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
aliases = [
"lukas@hacc.space"
];
};
"talx@hacc.space" = {
hashedPassword = "$6$0hIKRoMJS./JSE$tXizRgphhNM3ZYx216VdRv1OiyZoYXsjGqSudTDu8vB8eZb03Axi31VKV87RXiEGGixdvTsHEKpx032aOzzt31";
};
"unms@hacc.space" = {
hashedPassword = "$6$pYlNP37913$sGE3L722ceP.1Qm5lsffYUN919hPP1xRTrzco3ic3Op21iiknBkOY04eY2l3Um/Bpk/yV89aJD0eaB/5RCbWR1";
};
"noreply@hacc.space" = {
hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
};
"stuebinm@hacc.space" = {
hashedPassword = "$6$mjrMQG5smqLRlm$WzmbiZnGlEXGT7hj/n2qz0nvVzGyZfMToCyLRi0wErfVEHI7y7jtWoHqIWnpcHAM29UocsIFFsUCb3XqQCwwB.";
};
"newsletter@hacc.space" = {
hashedPassword = "$6$f0xKnQxBInd$zbVIi1lTKWauqW.c8sMNLHNwzn81oQrVOiIfJwPa98n9xWz/NkjuWLYuFpK.MSZwNwP7Yv/a/qaOb9v8qv/.N1";
};
"lenny@hacc.space" = {
hashedPassword = "$6$EZpv9XImv5F3$p2NSoo5gLxh6NnB3/C6wF8knRTuMHqDXYF3BEscaQuk7qok2Z13xKT/6mFvvSKKBnFCuYptgnfGswmoqIzm/1/";
aliases = [
"rinderhacc@hacc.space"
];
};
# service accounts
"gitlab@infra4future.de".hashedPassword = "$6$8vvkYuxv$9xV5WktsqfgM3cWSxonjtaohm7oqvDC5qsgJCJBATwesjTRxd/QTLa7t7teK8Nzyl.Py26xz.NvYowCZQ4aBE1";
"noreply@infra4future.de".hashedPassword = "$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
"discuss@infra4future.de".hashedPassword = "$6$8x8/OlMFjq1$S54jdBh7WjrdC6UtbYAHHzMJak7Ai/CjwmWBBbqh7yRHuZt.mfZrsfBNiL3JKBHE7seQ7JYRU99lJKCU6Aujg/";
};
extraVirtualAliases = {
# address = forward address;
"info@hacc.space" = [
"hexchen@hacc.space"
"octycs@hacc.space"
"raphael@hacc.space"
"schweby@hacc.space"
"zauberberg@hacc.space"
"stuebinm@hacc.space"
"lenny@hacc.space"
];
"himmel@hacc.space" = [
"hexchen@hacc.space"
"schweby@hacc.space"
"zauberberg@hacc.space"
];
"admin@hacc.space" = [
"hexchen@hacc.space"
"schweby@hacc.space"
"zauberberg@hacc.space"
];
"voc@hacc.space" = [
"hexchen@hacc.space"
"schweby@hacc.space"
"octycs@hacc.space"
"stuebinm@hacc.space"
"zauberberg@hacc.space"
"lenny@hacc.space"
];
"vorstand@hacc.space" = [
"raphael@hacc.space"
"schweby@hacc.space"
"zauberberg@hacc.space"
];
"mitglieder@hacc.space" = [
"raphael@hacc.space"
"schweby@hacc.space"
"zauberberg@hacc.space"
"lenny@hacc.space"
"octycs@hacc.space"
];
};
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.
certificateScheme = 3;
# Enable IMAP and POP3
enableImap = true;
enablePop3 = true;
enableImapSsl = true;
enablePop3Ssl = true;
# Enable the ManageSieve protocol
enableManageSieve = true;
# whether to scan inbound emails for viruses (note that this requires at least
# 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
virusScanning = false;
};
services.postfix.submissionOptions.smtpd_sender_restrictions = "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
services.postfix.submissionsOptions.smtpd_sender_restrictions = "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
services.postfix.virtual = ''
@4future.dev @hacc.space
@4futu.re @hacc.space
@hacc.earth @hacc.space
@discuss.infra4future.de discuss@infra4future.de
admin@infra4future.de admin@hacc.space
noreply@infra4future.de admin@hacc.space
lukas@infra4future.de zauberberg@hacc.space
info@infra4future.de admin@hacc.space
postmaster@infra4future.de admin@hacc.space
voc@infra4future.de admin@hacc.space
haccvoc@infra4future.de admin@hacc.space
contact@hacc.space info@hacc.space
'';
systemd.services.alps = {
enable = true;
script = "${pkgs.alps}/bin/alps -theme alps imaps://mail.hacc.space:993 smtps://mail.hacc.space:465";
serviceConfig.WorkingDirectory = "${pkgs.alps}/share/alps";
};
services.nginx.virtualHosts."mail.hacc.space" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://[::1]:1323";
};
}

View file

@ -1,49 +0,0 @@
{pkgs, lib, config, ...}:
{
nixpkgs.config.allowUnfree = true;
networking.firewall.allowedTCPPorts = [ 25565 ];
services.minecraft-server = {
enable = true;
package = let
version = "16.5-567";
url = "https://papermc.io/api/v2/projects/paper/versions/1.16.5/builds/567/downloads/paper-1.16.5-567.jar";
sha256 = "0193fgxabyzhvidf05lswpgajkq4a0c4n0hcpigqhhsir949yaia";
in (pkgs.minecraft-server.overrideAttrs (old: rec {
name = "minecraft-server-${version}";
inherit version;
src = pkgs.fetchurl {
inherit url sha256;
};
}));
eula = true;
declarative = true;
jvmOpts = "-Xmx1536M -Xms512M";
serverProperties = {
server-port = "25565";
gamemode = "survival";
motd = "NixCraft4future";
max-players = "20";
whitelist = true;
force-gamemode = true;
difficulty = "easy";
allow-flight= false;
pvp = false;
enable-rcon = false;
};
whitelist = {
AaronPirt = "bbb8a319-a0fe-4b7a-bdcc-d7941a7fcfa8";
ACY2003 = "e6caedfb-95de-44b6-bea7-962e765f2b74";
Hexchen = "137ad280-856c-4f27-b258-b263d4e6863b";
laXDer = "98043845-8bac-4d38-a479-d116eea90356";
Naigh = "96dd9a77-2a65-415b-8d48-1f00e146dc42";
Schweby = "a5680c67-1a85-4a9b-81b6-a3a0b7b52467";
wolkenzebratopf = "34f47e5b-3f81-4639-ab6b-97be5e358054";
yan_min = "a2d1b6f2-1b58-4433-be67-f9872c4332f1";
Zauberberg = "4c59c4c3-f16b-4b7e-b707-9a176958e7cf";
};
};
}

View file

@ -1,42 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.prometheus = {
enable = true;
webExternalUrl = "https://stats.hacc.space";
exporters = {
dovecot = {
enable = true;
scopes = [ "user" "global" ];
socketPath = "/var/run/dovecot2/old-stats";
};
nginx.enable = true;
node.enable = true;
postfix = {
enable = true;
systemd.enable = true;
};
rspamd.enable = true;
};
scrapeConfigs = (lib.mapAttrsToList (name: val:
{
job_name = "${name}-${config.networking.hostName}";
static_configs = [{
targets = [ "localhost:${toString val.port}" ];
labels.host = config.networking.hostName;
}];
}
) (lib.filterAttrs (_: val: val.enable) config.services.prometheus.exporters));
};
services.dovecot2.extraConfig = ''
mail_plugins = $mail_plugins old_stats
service old-stats {
unix_listener old-stats {
user = dovecot-exporter
group = dovecot-exporter
}
}
'';
services.nginx.statusPage = true;
}

View file

@ -1,48 +0,0 @@
{ config, lib, pkgs, ... }:
let
mumblesite = pkgs.stdenv.mkDerivation {
name = "mumble.hacc.space-website";
src = pkgs.fetchgit {
url = "https://gitlab.infra4future.de/hacc/infra4future/mumble.infra4future.de";
rev = "597c4a2fa7a146f2fd58924cb2b181d530a2a866";
sha256 = "15vh0xqx0xcm09ij877jxkd6gb5nm2hbmyz47y5019xywa766s3h";
};
buildPhase = ''
${pkgs.jekyll.outPath}/bin/jekyll build
'';
installPhase = ''
mkdir -p $out
cp -r _site/* $out
'';
};
in
{
services.murmur = {
enable = true;
logDays = -1;
welcometext = "Welcome to mumble4future! Brought to you by infra4future. The server is now reachable under mumble.hacc.space, please update your bookmarks.";
sslKey = "/var/lib/acme/mumble.hacc.space/key.pem";
sslCert = "/var/lib/acme/mumble.hacc.space/fullchain.pem";
bandwidth = 128000;
};
networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
networking.firewall.allowedUDPPorts = [ config.services.murmur.port ];
services.nginx.virtualHosts =
let vhost = {
forceSSL = true;
enableACME = true;
root = mumblesite.outPath;
};
in {
"mumble.infra4future.de" = vhost;
"mumble.hacc.space" = vhost;
};
# set ACLs so that the murmur user can read the certificates
security.acme.certs."mumble.hacc.space".postRun = "setfacl -Rm u:murmur:rX /var/lib/acme/mumble.hacc.space";
}

View file

@ -1,51 +0,0 @@
{ config, lib, pkgs, ... }:
{
security.acme.acceptTerms = true;
security.acme.email = "info+acme@hacc.space";
services.nginx.enable = true;
services.nginx.package = pkgs.nginx.override {
modules = [ pkgs.nginxModules.rtmp ];
};
# services.nginx.recommendedProxySettings = true;
services.nginx.virtualHosts = let
in {
# let all empty subdomains pointing to hainich return 404
"hainich.hacc.space" = {
default = true;
locations."/".return = "404";
};
"hacc.space" = {
enableACME = true;
forceSSL = true;
locations."/".return = "301 https://hacc.earth";
};
};
networking.firewall.allowedTCPPorts = [ 1935 ];
services.nginx.appendConfig = ''
rtmp {
server {
listen 1935;
application cutiestream {
live on;
allow publish all;
allow play all;
}
application ingest {
live on;
record all;
record_path /data/ingest;
record_unique on;
# include /var/secrets/ingest.conf;
}
}
}
'';
systemd.services.nginx.serviceConfig.ReadWriteDirectories = "/data/ingest /var/secrets";
}

View file

@ -1,53 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.syncthing = {
enable = true;
relay.enable = false;
openDefaultPorts = true;
declarative = {
devices = {
# schweby
txsbcct = {
addresses = []; # empty = dynamic
id = "AQHOPTO-X3LWJXZ-2SPLSEW-MCVMX3R-VSLPPYE-NIOTDMW-QOYRSDZ-2LR7RAD";
};
octycs = {
addresses = []; # empty = dynamic
id = "KIJVGWZ-GRXPAUX-ZOTZDLS-KUKANCC-A2IBZRM-BT3RZK7-5M43O6R-OZD5IQE";
};
stuebinm-desktop = {
addresses = []; # empty = dynamic
id = "CWZTKG7-F45LE2O-TIT6IBC-RQD6MLH-K5ECUGJ-LOHJXF3-I2F4R6I-JVMRLAJ";
};
raphael-laptop = {
addresses = []; # empty = dynamic
id = "72B3T74-NOMJV3X-EVJXTJF-5GGAEZB-ZDKBHXQ-VQNRYEU-YCPA2JP-L6NGAAG";
};
# zauberberg
conway = {
addresses = []; # empty = dynamic
id = "HV7IU2N-Q4W3A7F-BSASR43-OB575SM-47FY2UW-7N5GMFM-PX3LWRN-HXBXMQF";
};
# hexchen
storah = {
addresses = [ "tcp://46.4.62.95:22000" "quic://46.4.62.95:22000" ];
id = "SGHQ2JA-7FJ6CKM-N3I54R4-UOJC5KO-7W22O62-YLTF26F-S7DLZG4-ZLP7HAM";
};
};
folders = {
"/var/lib/syncthing/hacc" = {
id = "qt2ly-xvvvs";
devices = [ "txsbcct" "octycs" "stuebinm-desktop" "conway" "raphael-laptop" "storah" ];
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "10";
};
};
};
};
};
}

View file

@ -1,116 +0,0 @@
{pkgs, lib, config, ...}:
let
wa-container-ip = "fd00::42:16";
# this is a static "secret" that is also compiled into workadventure,
# so it seems ok to put it into the nix store
coturn-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f";
# domain on which workadventure is served
domain = "void.hacc.space";
# FUNFACT:
# the nixos-container module is sufficiently broken that if you move these
# fetchgits into the container config below, Nix will run into infinite recursion!
# contains the hacc assembly map
haccpkgssrc = pkgs.fetchgit {
url = "https://gitlab.infra4future.de/stuebinm/workadventure-nix-hacc";
rev = "23a085b0386595f9e769ef3c182749cecc342ead";
sha256 = "199np37dkhk52lsjw0f9x2h9vfi86xs18gk5pfijs6pc1hr11scd";
};
# contains the workadventure module
workadventurenix = pkgs.fetchgit {
url = "https://stuebinm.eu/git/workadventure-nix";
rev = "5d61d1bcb2fe11a3ff469a4f3a1be1885218472d";
sha256 = "0yd46n8vdyszb59rclq5p1m9z6hvrgpq258cic5glnqsnya8885v";
};
haccpkgs = (import "${haccpkgssrc}/default.nix") {inherit pkgs lib;};
in
{
# not the most intuitive of container names, but "workadventure" is too long
containers.wa-void = {
config = {config, pkgs, ...}: {
imports = [ workadventurenix.outPath ];
networking.firewall.allowedTCPPorts = [ 80 ];
services.workadventure."void.hacc.space" = {
packageset = (import "${workadventurenix.outPath}/wapkgs.nix" {inherit pkgs lib;}).workadventure-tabascoeye;
nginx = {
default = true;
inherit domain;
maps = {
serve = true;
path = haccpkgs.workadventure-hacc-rc3-map.outPath + "/";
};
};
frontend.startRoomUrl = "/_/global/void.hacc.space/maps/main.json";
commonConfig = {
webrtc.stun.url = "stun:turn.hacc.space:3478";
webrtc.turn = {
url = "turn:95.217.159.23";
user = "turn";
password = coturn-auth-secret;
};
jitsi.url = "meet.ffmuc.net";
};
};
};
privateNetwork = true;
hostAddress6 = "fd00::42:14";
localAddress6 = wa-container-ip;
autoStart = true;
};
services.coturn = {
enable = true;
realm = "turn.hacc.space";
static-auth-secret = coturn-auth-secret;
use-auth-secret = true;
no-cli = true;
no-tcp-relay = true;
cert = config.security.acme.certs."turn.hacc.space".directory + "full.pem";
pkey = config.security.acme.certs."turn.hacc.space".directory + "key.pem";
};
services.nginx = {
virtualHosts."void.hacc.space" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[${wa-container-ip}]";
proxyWebsockets = true;
};
};
# this isn't actually needed, but acme requires a webserver to serve
# challanges, so I guess it's easier to just define a virtualHost here
virtualHosts."turn.hacc.space" = {
enableACME = true;
forceSSL = true;
};
};
networking.firewall = with config.services.coturn;
let
ports = [ listening-port tls-listening-port ];
in {
allowedTCPPorts = [ 80 ] ++ ports;
allowedUDPPorts = ports;
allowedUDPPortRanges = [
{ from = min-port; to = max-port; }
];
};
}

View file

@ -1,34 +0,0 @@
{ config, lib, pkgs, ... }:
{
systemd.services.wireguard-upstream = {
wants = [ "wg-upstream-key.service" ];
after = [ "wg-upstream-key.service" ];
};
networking.wireguard.interfaces.upstream = {
ips = [ "2a0d:eb04:8:ffff:2::2/128" ];
generatePrivateKeyFile = true;
privateKeyFile = "/etc/wireguard/upstream.key";
listenPort = 51820;
peers = [
{
allowedIPs = [ "::/0" ];
endpoint = "103.105.50.220:51823";
publicKey = "qL5xKnQ7xLbtTvu0VmLBwHExteJBhmCe5S/0ZoXBeXY=";
}
];
postSetup = ''
${pkgs.iproute}/bin/ip addr del dev upstream 2a0d:eb04:8:ffff:2::2/128
${pkgs.iproute}/bin/ip addr add dev upstream 2a0d:eb04:8:ffff:2::2/128 peer 2a0d:eb04:8:ffff:2::1/128
'';
};
networking.interfaces.lo.ipv6 = {
addresses = [{
address = "2a0d:eb04:8:10::1";
prefixLength = 128;
}];
};
networking.defaultGateway6 = {
address = "2a0d:eb04:8:ffff:2::1";
interface = "upstream";
};
}

View file

@ -1,65 +0,0 @@
{ config, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-config.nix
../../common
../../desktop
../../desktop/streaming.nix
../../desktop/gnome.nix
];
boot.loader.grub ={
enable = true;
version = 2;
efiSupport = true;
device = "nodev";
};
boot.loader.efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
hardware.decklink.enable = true;
networking.hostName = "nixda"; # Define your hostname.
environment.systemPackages = with pkgs; [ blackmagicDesktopVideo blender ];
networking.wg-quick.interfaces.cornbox = {
privateKeyFile = "/etc/wireguard/cornbox.key";
address = [ "195.39.247.67/28" "2a0f:4ac0:1337::12/64" ];
postUp = "ip link set dev cornbox mtu 1400";
peers = [
{
allowedIPs = [ "2a0f:4ac0:1337::/48" "195.39.247.64/27" ];
publicKey = "8IWyiQL3wKP9CD/4UdS9b8mcbL67mkUyeSPORgEPvV0=";
endpoint = "cornbox.hetzner.chaoswit.ch:51821";
}
];
};
services.xserver = {
enable = true;
videoDrivers = [ "nvidia" ];
};
hardware.nvidia.modesetting.enable = true;
boot.kernelPackages = pkgs.linuxPackages;
users.users.stream = {
isNormalUser = true;
password = "hacchacc";
extraGroups = [ "audio" "video" ];
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "20.09"; # Did you read the comment?
}

View file

@ -1,31 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/dfbfee26-c2c0-4c0c-b145-6362c7650ac9";
fsType = "btrfs";
options = [ "subvol=@nix" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/dfbfee26-c2c0-4c0c-b145-6362c7650ac9";
fsType = "btrfs";
options = [ "subvol=@home" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A358-97BC";
fsType = "vfat";
};
swapDevices = [ ];
}

28
modules/bindmounts.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.hacc;
in {
options.hacc.bindMounts = mkOption {
type = types.attrsOf types.str;
default = { };
example = { "/etc/asdf" = "/persist/asdf"; };
};
options.hacc.bindToPersist = mkOption {
type = types.listOf types.str;
default = [];
example = [ "postgres" ];
};
config.fileSystems = mapAttrs (_: device: {
inherit device;
options = [ "bind" ];
}) cfg.bindMounts;
config.hacc.bindMounts = listToAttrs
(map (name: { inherit name; value = "/persist${name}"; })
cfg.bindToPersist);
}

29
modules/buildinfo.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, lib, pkgs, sources, ... }:
let
self = sources.self;
formatDate = date: with lib.strings;
let
year = substring 0 4 date;
month = substring 4 2 date;
day = substring 6 2 date;
hour = substring 8 2 date;
minute = substring 10 2 date;
second = substring 12 2 date;
in
"${year}-${month}-${day} ${hour}:${minute}:${second} UTC";
in
{
system.nixos.label = "${config.system.nixos.release}-haccfiles-${self.shortRev or self.dirtyShortRev}";
users.motd = ''
Welcome to ${config.networking.hostName}, running NixOS ${config.system.nixos.release}!
Built from haccfiles ${self.rev or self.dirtyRev}.
Last commit was at ${formatDate self.lastModifiedDate}.
${if self ? dirtyRev then "\nPlease remember to commit your changes.\n" else ""}
'';
# used by monit
environment.etc."haccfiles-commit".text = self.rev or self.dirtyRev;
environment.etc."haccfiles-timestamp".text = builtins.toString self.lastModified;
}

View file

@ -0,0 +1,18 @@
{ lib, ...}:
{
boot.isContainer = true;
networking.useDHCP = false;
users.users.root.hashedPassword = "";
networking.firewall.enable = false;
services.coredns = {
enable = true;
config = ''
.:53 {
forward . 1.1.1.1
}
'';
};
system.stateVersion = lib.mkDefault "21.05";
}

95
modules/containers.nix Normal file
View file

@ -0,0 +1,95 @@
{ config, lib, pkgs, modules, profiles, sources, nixosSystem, ... }:
let
mkIPv4 = index: local:
"192.168.${if local then "100" else "101"}.${toString index}";
mkIPv6 = index: local:
"fd00::${if local then "100" else "101"}:${toString index}";
evalConfig = nixosConfig: (nixosSystem {
inherit (config.nixpkgs) system;
modules = [
nixosConfig
modules.nopersist
profiles.container
{ nixpkgs.pkgs = lib.mkForce pkgs; }
];
specialArgs = {
inherit modules sources;
};
}).config.system.build.toplevel;
in {
options.hacc.containers = with lib.options;
mkOption {
description = ''
hacc-specific containers. These are a thin wrapper around "normal" nixos containers:
- they automatically get an IPv4/IPv6 address assigned
(note that these are not guaranteed to be stable across config changes,
so please use {option}`containers.<name>.hostAddress` & friends to
reference them elsewhere)
- they set a couple default options (e.g. ephemeral, autoStart, privateNetwork)
- they are evaluated with our own version of {nix}`evalConfig`, which includes a
couple more modules by default, use our version of `nixpkgs`, and includes the
{nix}`profiles.containers` profile setting sane defaults for containers.
'';
default = { };
type = with lib.types;
types.attrsOf (types.submodule {
options = {
bindToPersist = mkOption {
default = true;
type = types.bool;
description =
"Wether to mount /persist/containers/<name> at /persist into this container.";
};
bindSecrets = mkOption {
default = false;
type = types.bool;
description =
"Whether to mount /run/secrets/<name> at /secrets into this container.";
};
config = mkOption {
type = types.unspecified;
description =
"The container's config, to be evaluated with our own {nix}`evalConfig`.";
};
};
});
};
# wrapped into imap1, which enumerates the containers; IP addresses are then
# simply assigned based on the order the containers are in the list.
config.containers = lib.mkMerge (lib.imap1
(index: { name, value }: let container = value; in {
${name} = {
hostAddress = mkIPv4 index false;
localAddress = mkIPv4 index true;
hostAddress6 = mkIPv6 index false;
localAddress6 = mkIPv6 index true;
privateNetwork = true;
autoStart = true;
ephemeral = true;
bindMounts = lib.mkMerge [
(lib.mkIf container.bindToPersist {
"/persist" = {
hostPath = "/persist/containers/${name}";
isReadOnly = false;
};
})
(lib.mkIf container.bindSecrets {
"/secrets" = {
hostPath = "/run/secrets/${name}";
isReadOnly = true;
};
})
];
path = evalConfig container.config;
};
}) (lib.attrsToList config.hacc.containers));
}

View file

@ -1,21 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hardware.decklink;
kernelPackages = config.boot.kernelPackages;
in
{
options.hardware.decklink.enable = mkEnableOption "Enable hardware support for the Blackmagic Design Decklink audio/video interfaces.";
config = mkIf cfg.enable {
boot.kernelModules = [ "blackmagic" "blackmagic-io" "snd_blackmagic-io" ];
boot.extraModulePackages = [ kernelPackages.decklink ];
systemd.services."DecklinkVideoHelper" = {
after = [ "syslog.target" "local-fs.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${pkgs.blackmagicDesktopVideo}/bin/DesktopVideoHelper -n";
};
};
}

View file

@ -1,9 +1,7 @@
{ ... }:
let
sources = import ../nix/sources.nix;
in {
{
imports = [
./nftnat
./decklink.nix
./websites.nix
];
}

45
modules/encboot.nix Normal file
View file

@ -0,0 +1,45 @@
{ config, pkgs, lib, ... }:
with lib;
let cfg = config.hacc.encboot;
in {
options = {
hacc.encboot = {
enable = mkOption {
type = types.bool;
default = false;
};
networkDrivers = mkOption { type = with types; listOf str; };
dataset = mkOption {
type = types.str;
default = "zroot";
};
};
};
config = mkIf cfg.enable {
boot.initrd.kernelModules = cfg.networkDrivers;
boot.initrd.network = {
enable = true;
ssh = {
enable = true;
port = 2222;
authorizedKeys = with lib;
concatLists (mapAttrsToList (name: user:
if elem "wheel" user.extraGroups then
user.openssh.authorizedKeys.keys
else
[ ]) config.users.users);
hostKeys = [ /etc/ssh/encboot_host ];
};
postCommands = ''
zpool import ${cfg.dataset}
echo "zfs load-key -a; killall zfs && exit" >> /root/.profile
'';
};
};
}

View file

@ -1,257 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.mattermost-patched;
defaultConfig = builtins.fromJSON (builtins.replaceStrings [ "\\u0026" ] [ "&" ]
(readFile "${pkgs.mattermost}/config/config.json")
);
database = "postgres://${cfg.localDatabaseUser}:${cfg.localDatabasePassword}@localhost:5432/${cfg.localDatabaseName}?sslmode=disable&connect_timeout=10";
mattermostConf = foldl recursiveUpdate defaultConfig
[ { ServiceSettings.SiteURL = cfg.siteUrl;
ServiceSettings.ListenAddress = cfg.listenAddress;
TeamSettings.SiteName = cfg.siteName;
SqlSettings.DriverName = "postgres";
SqlSettings.DataSource = database;
}
cfg.extraConfig
];
mattermostConfJSON = pkgs.writeText "mattermost-config-raw.json" (builtins.toJSON mattermostConf);
in
{
options = {
services.mattermost-patched = {
enable = mkEnableOption "Mattermost chat server";
statePath = mkOption {
type = types.str;
default = "/var/lib/mattermost";
description = "Mattermost working directory";
};
siteUrl = mkOption {
type = types.str;
example = "https://chat.example.com";
description = ''
URL this Mattermost instance is reachable under, without trailing slash.
'';
};
siteName = mkOption {
type = types.str;
default = "Mattermost";
description = "Name of this Mattermost site.";
};
listenAddress = mkOption {
type = types.str;
default = ":8065";
example = "[::1]:8065";
description = ''
Address and port this Mattermost instance listens to.
'';
};
mutableConfig = mkOption {
type = types.bool;
default = false;
description = ''
Whether the Mattermost config.json is writeable by Mattermost.
Most of the settings can be edited in the system console of
Mattermost if this option is enabled. A template config using
the options specified in services.mattermost will be generated
but won't be overwritten on changes or rebuilds.
If this option is disabled, changes in the system console won't
be possible (default). If an config.json is present, it will be
overwritten!
'';
};
extraConfig = mkOption {
type = types.attrs;
default = { };
description = ''
Addtional configuration options as Nix attribute set in config.json schema.
'';
};
secretConfig = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
Path to a json file containing secret config values, which should
not be written into the Nix store. If it is not null (the default)
and mutableConfig is set to false, then the mattermost service will
join the file at this path into its config.
Note that this file cannot be used to overwrite values already
specified by the other options of this module.
'';
};
localDatabaseCreate = mkOption {
type = types.bool;
default = true;
description = ''
Create a local PostgreSQL database for Mattermost automatically.
'';
};
localDatabaseName = mkOption {
type = types.str;
default = "mattermost";
description = ''
Local Mattermost database name.
'';
};
localDatabaseUser = mkOption {
type = types.str;
default = "mattermost";
description = ''
Local Mattermost database username.
'';
};
localDatabasePassword = mkOption {
type = types.str;
default = "mmpgsecret";
description = ''
Password for local Mattermost database user.
'';
};
user = mkOption {
type = types.str;
default = "mattermost";
description = ''
User which runs the Mattermost service.
'';
};
group = mkOption {
type = types.str;
default = "mattermost";
description = ''
Group which runs the Mattermost service.
'';
};
matterircd = {
enable = mkEnableOption "Mattermost IRC bridge";
parameters = mkOption {
type = types.listOf types.str;
default = [ ];
example = [ "-mmserver chat.example.com" "-bind [::]:6667" ];
description = ''
Set commandline parameters to pass to matterircd. See
https://github.com/42wim/matterircd#usage for more information.
'';
};
};
};
};
config = mkMerge [
(mkIf cfg.enable {
users.users = optionalAttrs (cfg.user == "mattermost") {
mattermost = {
group = cfg.group;
uid = config.ids.uids.mattermost;
home = cfg.statePath;
};
};
users.groups = optionalAttrs (cfg.group == "mattermost") {
mattermost.gid = config.ids.gids.mattermost;
};
services.postgresql.enable = cfg.localDatabaseCreate;
# The systemd service will fail to execute the preStart hook
# if the WorkingDirectory does not exist
system.activationScripts.mattermost = ''
mkdir -p ${cfg.statePath}
'';
systemd.services.mattermost = {
description = "Mattermost chat service";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" "postgresql.service" ];
preStart = ''
mkdir -p ${cfg.statePath}/{data,config,logs}
ln -sf ${pkgs.mattermost}/{bin,fonts,i18n,templates,client} ${cfg.statePath}
'' + lib.optionalString (!cfg.mutableConfig) ''
rm -f ${cfg.statePath}/config/config.json
'' + (if cfg.secretConfig == null
then ''
cp ${mattermostConfJSON} ${cfg.statePath}/config/config.json
''
else ''
${pkgs.jq}/bin/jq -s ".[1] * .[0]" ${cfg.secretConfig} ${mattermostConfJSON} > ${cfg.statePath}/config/config.json
'')
+ ''
${pkgs.mattermost}/bin/mattermost config migrate ${cfg.statePath}/config/config.json ${database}
'' + lib.optionalString cfg.mutableConfig ''
if ! test -e "${cfg.statePath}/config/.initial-created"; then
rm -f ${cfg.statePath}/config/config.json
cp ${mattermostConfJSON} ${cfg.statePath}/config/config.json
touch ${cfg.statePath}/config/.initial-created
fi
'' + lib.optionalString cfg.localDatabaseCreate ''
if ! test -e "${cfg.statePath}/.db-created"; then
${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} \
${config.services.postgresql.package}/bin/psql postgres -c \
"CREATE ROLE ${cfg.localDatabaseUser} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${cfg.localDatabasePassword}'"
${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} \
${config.services.postgresql.package}/bin/createdb \
--owner ${cfg.localDatabaseUser} ${cfg.localDatabaseName}
touch ${cfg.statePath}/.db-created
fi
'' + ''
chown ${cfg.user}:${cfg.group} -R ${cfg.statePath}
chmod u+rw,g+r,o-rwx -R ${cfg.statePath}
'';
serviceConfig = {
PermissionsStartOnly = true;
User = cfg.user;
Group = cfg.group;
ExecStart = "${pkgs.mattermost}/bin/mattermost" +
(lib.optionalString (!cfg.mutableConfig) " -c ${database}");
WorkingDirectory = "${cfg.statePath}";
Restart = "always";
RestartSec = "10";
LimitNOFILE = "49152";
};
unitConfig.JoinsNamespaceOf = mkIf cfg.localDatabaseCreate "postgresql.service";
};
})
(mkIf cfg.matterircd.enable {
systemd.services.matterircd = {
description = "Mattermost IRC bridge service";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "nobody";
Group = "nogroup";
ExecStart = "${pkgs.matterircd}/bin/matterircd ${concatStringsSep " " cfg.matterircd.parameters}";
WorkingDirectory = "/tmp";
PrivateTmp = true;
Restart = "always";
RestartSec = "5";
};
};
})
];
}

View file

@ -1,62 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hacc.nftables.nat;
nats = config.networking.nat;
in {
options.hacc.nftables.nat = {
enable = mkEnableOption "Wrap NAT into nftables.";
forwardPorts = mkOption {
type = with types; listOf (submodule {
options = {
ports = mkOption {
type = types.listOf (types.either types.int (types.strMatching "[[:digit:]]+-[[:digit:]]+"));
};
destination = mkOption {
type = types.str;
example = "10.0.0.1";
};
proto = mkOption {
type = types.str;
default = "tcp";
example = "udp";
};
};
});
default = [];
example = [{ ports = [ 8080 "9100-9200" ]; destination = "192.168.100.2"; proto = "udp"; }];
};
};
config = mkIf cfg.enable {
networking.nat.enable = mkOverride 99 false;
boot = {
kernelModules = [ "nf_nat_ftp" ];
kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = mkOverride 98 true;
"net.ipv4.conf.default.forwarding" = mkOverride 98 true;
};
};
petabyte.nftables = {
enable = true;
extraConfig = ''
table ip nat {
chain prerouting {
type nat hook prerouting priority -100
${concatMapStringsSep "\n" (rule: "iif ${nats.externalInterface} ${rule.proto} dport { ${concatStringsSep ", " (map (x: toString x) rule.ports)} } dnat ${rule.destination}") cfg.forwardPorts}
}
chain postrouting {
type nat hook postrouting priority 100
${concatMapStringsSep "\n" (iface: "iifname ${replaceStrings ["+"] ["*"] iface} oifname ${nats.externalInterface} masquerade") nats.internalInterfaces}
${concatMapStringsSep "\n" (addr: "ip saddr ${addr} oifname ${nats.externalInterface} masquerade") nats.internalIPs}
}
}
'';
};
};
}

52
modules/nopersist.nix Normal file
View file

@ -0,0 +1,52 @@
{ config, lib, pkgs, modules, ... }:
with lib;
{
imports = [ modules.bindMounts ];
users.mutableUsers = false;
boot.initrd = mkIf (config.fileSystems."/".fsType == "zfs") {
network.ssh.hostKeys = mkIf config.hacc.encboot.enable
(mkForce [ /persist/ssh/encboot_host ]);
postDeviceCommands = mkIf (!config.boot.initrd.systemd.enable)
(mkAfter ''
zfs rollback -r ${config.fileSystems."/".device}@blank
'');
systemd = mkIf config.boot.initrd.systemd.enable {
storePaths = [ pkgs.zfs ];
services.rollback = {
description = "Rollback ZFS datasets to a pristine state";
wantedBy = [ "initrd.target" ];
after = [ "zfs-import-${head (splitString "/" config.fileSystems."/".device)}.service" ];
before = [ "sysroot.mount" ];
path = [ pkgs.zfs ];
unitConfig.DefaultDependencies = "no";
serviceConfig.Type = "oneshot";
script = ''
zfs rollback -r ${config.fileSystems."/".device}@blank && echo "rollback complete"
'';
};
};
};
services.openssh = {
hostKeys = [
{
path = "/persist/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/persist/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
services.postgresql.dataDir =
"/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
}

62
modules/websites.nix Normal file
View file

@ -0,0 +1,62 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.hacc.websites;
in
{
options.hacc.websites = {
enable = mkOption {
type = types.bool;
default = false;
};
directory = mkOption {
type = types.path;
description = "all subdirectories of the given path are expected to contain a (static) website";
};
ignore = mkOption {
type = types.listOf types.str;
default = [];
description = "subdirectories that shouldn't be published";
};
builders = mkOption {
type = types.lazyAttrsOf types.package;
default = {};
description = "exposes website builders, for use with nix run";
};
};
config = let
subdirs =
let dirAttrs = filterAttrs
(n: v: v == "directory" || lists.elem n cfg.ignore)
(builtins.readDir cfg.directory);
in mapAttrsToList (n: v: n) dirAttrs;
mkWebsiteDrv = subdir:
pkgs.callPackage "${cfg.directory}/${subdir}" {};
mkWebsiteVHost = subdir: {
name = subdir;
# the nginx virtualhost config (for all sites) goes in here
value = {
enableACME = true;
forceSSL = true;
locations."/".root =
(mkWebsiteDrv subdir).outPath;
};
};
in mkIf cfg.enable {
services.nginx = {
enable = true;
virtualHosts =
listToAttrs (map mkWebsiteVHost subdirs);
};
hacc.websites.builders =
listToAttrs (map (subdir: {
name = subdir;
value = if (mkWebsiteDrv subdir) ? watch then (mkWebsiteDrv subdir).watch else null;
}) subdirs);
};
}

View file

@ -1,71 +0,0 @@
{
"home-manager": {
"branch": "release-20.09",
"description": "Manage a user environment using Nix [maintainer=@rycee] ",
"homepage": "https://nix-community.github.io/home-manager/",
"owner": "nix-community",
"repo": "home-manager",
"rev": "209566c752c4428c7692c134731971193f06b37c",
"sha256": "1canlfkm09ssbgm3hq0kb9d86bdh84jhidxv75g98zq5wgadk7jm",
"type": "tarball",
"url": "https://github.com/nix-community/home-manager/archive/209566c752c4428c7692c134731971193f06b37c.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"niv": {
"branch": "master",
"description": "Easy dependency management for Nix projects",
"homepage": "https://github.com/nmattia/niv",
"owner": "nmattia",
"repo": "niv",
"rev": "af958e8057f345ee1aca714c1247ef3ba1c15f5e",
"sha256": "1qjavxabbrsh73yck5dcq8jggvh3r2jkbr6b5nlz5d9yrqm9255n",
"type": "tarball",
"url": "https://github.com/nmattia/niv/archive/af958e8057f345ee1aca714c1247ef3ba1c15f5e.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nix-hexchen": {
"branch": "main",
"repo": "https://gitlab.com/hexchen/nixfiles.git",
"rev": "431512d85fb08b2e9e5a73f39e23c0d0c1b8bc06",
"type": "git"
},
"nixos-mailserver": {
"ref": "nixos-20.09",
"repo": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver",
"rev": "fb1cc04c0a517d4200237b02c3472bcaf9104afb",
"sha256": "0vsvgxxg5cgmzwj98171j7h5l028f1yq784alb3lxgbk8znfk51y",
"type": "tarball",
"url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/fb1cc04c0a517d4200237b02c3472bcaf9104afb/nixos-mailserver-fb1cc04c0a517d4200237b02c3472bcaf9104afb.tar.gz",
"url_template": "<repo>/-/archive/<rev>.tar.gz"
},
"nixpkgs": {
"branch": "nixos-20.09",
"description": "Nix Packages collection",
"homepage": "",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "34f85de51bbc74595e63b22ee089adbb31f7c7a2",
"sha256": "1k44md0l7glwvmf8wryw91i7qr0qq8wp7jfnbixdlyjzlxkfd26d",
"type": "tarball",
"url": "https://github.com/nixos/nixpkgs/archive/34f85de51bbc74595e63b22ee089adbb31f7c7a2.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"nixpkgs-unstable": {
"branch": "nixos-unstable",
"description": "Nix Packages collection",
"homepage": "",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "d3f7e969b9860fb80750147aeb56dab1c730e756",
"sha256": "13z5lsgfgpw2wisglicy7krjrhypcc2y7krzxn54ybcninyiwhsn",
"type": "tarball",
"url": "https://github.com/nixos/nixpkgs/archive/d3f7e969b9860fb80750147aeb56dab1c730e756.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
},
"pbb-nixfiles": {
"branch": "main",
"repo": "https://git.petabyte.dev/petabyteboy/nixfiles.git",
"rev": "de52bf8ed00f3857b2240e74dfb0244928890df0",
"type": "git"
}
}

View file

@ -1,174 +0,0 @@
# This file has been generated by Niv.
let
#
# The fetchers. fetch_<type> fetches specs of type <type>.
#
fetch_file = pkgs: name: spec:
let
name' = sanitizeName name + "-src";
in
if spec.builtin or true then
builtins_fetchurl { inherit (spec) url sha256; name = name'; }
else
pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
fetch_tarball = pkgs: name: spec:
let
name' = sanitizeName name + "-src";
in
if spec.builtin or true then
builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
else
pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
fetch_git = name: spec:
let
ref =
if spec ? ref then spec.ref else
if spec ? branch then "refs/heads/${spec.branch}" else
if spec ? tag then "refs/tags/${spec.tag}" else
abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
in
builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
fetch_local = spec: spec.path;
fetch_builtin-tarball = name: throw
''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
$ niv modify ${name} -a type=tarball -a builtin=true'';
fetch_builtin-url = name: throw
''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
$ niv modify ${name} -a type=file -a builtin=true'';
#
# Various helpers
#
# https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
sanitizeName = name:
(
concatMapStrings (s: if builtins.isList s then "-" else s)
(
builtins.split "[^[:alnum:]+._?=-]+"
((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
)
);
# The set of packages used when specs are fetched using non-builtins.
mkPkgs = sources: system:
let
sourcesNixpkgs =
import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
hasThisAsNixpkgsPath = <nixpkgs> == ./.;
in
if builtins.hasAttr "nixpkgs" sources
then sourcesNixpkgs
else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
import <nixpkgs> {}
else
abort
''
Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
add a package called "nixpkgs" to your sources.json.
'';
# The actual fetching function.
fetch = pkgs: name: spec:
if ! builtins.hasAttr "type" spec then
abort "ERROR: niv spec ${name} does not have a 'type' attribute"
else if spec.type == "file" then fetch_file pkgs name spec
else if spec.type == "tarball" then fetch_tarball pkgs name spec
else if spec.type == "git" then fetch_git name spec
else if spec.type == "local" then fetch_local spec
else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
else if spec.type == "builtin-url" then fetch_builtin-url name
else
abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
# If the environment variable NIV_OVERRIDE_${name} is set, then use
# the path directly as opposed to the fetched source.
replace = name: drv:
let
saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
in
if ersatz == "" then drv else
# this turns the string into an actual Nix path (for both absolute and
# relative paths)
if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
# Ports of functions for older nix versions
# a Nix version of mapAttrs if the built-in doesn't exist
mapAttrs = builtins.mapAttrs or (
f: set: with builtins;
listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
concatMapStrings = f: list: concatStrings (map f list);
concatStrings = builtins.concatStringsSep "";
# https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
optionalAttrs = cond: as: if cond then as else {};
# fetchTarball version that is compatible between all the versions of Nix
builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
let
inherit (builtins) lessThan nixVersion fetchTarball;
in
if lessThan nixVersion "1.12" then
fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
else
fetchTarball attrs;
# fetchurl version that is compatible between all the versions of Nix
builtins_fetchurl = { url, name ? null, sha256 }@attrs:
let
inherit (builtins) lessThan nixVersion fetchurl;
in
if lessThan nixVersion "1.12" then
fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
else
fetchurl attrs;
# Create the final "sources" from the config
mkSources = config:
mapAttrs (
name: spec:
if builtins.hasAttr "outPath" spec
then abort
"The values in sources.json should not have an 'outPath' attribute"
else
spec // { outPath = replace name (fetch config.pkgs name spec); }
) config.sources;
# The "config" used by the fetchers
mkConfig =
{ sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
, sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
, system ? builtins.currentSystem
, pkgs ? mkPkgs sources system
}: rec {
# The sources, i.e. the attribute set of spec name to spec
inherit sources;
# The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
inherit pkgs;
};
in
mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }

93
parsons/configuration.nix Normal file
View file

@ -0,0 +1,93 @@
{ config, lib, pkgs, sources, modules, ... }:
{
imports = [
../common
./hardware.nix
modules.encboot
modules.nopersist
./nftables.nix
./nextcloud.nix
./mattermost.nix
./murmur.nix
./hedgedoc-hacc.nix
./hedgedoc-i4f.nix
./mail.nix
./forgejo.nix
./nginx-pages.nix
./vaultwarden.nix
./tracktrain.nix
./uffd.nix
./lxc.nix
./monit.nix
];
hacc.bindToPersist = [ "/var/lib/acme" ];
hacc.encboot = {
enable = true;
dataset = "-a";
networkDrivers = [ "igb" ];
};
sops.defaultSopsFile = ../secrets.yaml;
sops.age.sshKeyPaths = [ "/persist/ssh/ssh_host_ed25519_key" ];
boot.loader.grub.enable = true;
boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
boot.supportedFilesystems = [ "zfs" ];
networking.hostId = "b2867696";
networking.useDHCP = true;
networking.nftables.enable = true;
networking.hostName = "parsons";
networking.interfaces.enp35s0.ipv6.addresses = [{
address = "2a01:4f9:3a:2ddb::1";
prefixLength = 64;
}];
networking.defaultGateway6 = {
address = "fe80::1";
interface = "enp35s0";
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"parsons.hacc.space" = {
default = true;
locations."/".return = "404";
};
"hacc.space" = {
enableACME = true;
forceSSL = true;
locations."/".return = "302 https://hacc.earth";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.restic.backups.tardis = {
passwordFile = "/run/secrets/restic/system";
environmentFile = "/run/secrets/restic/s3creds.env";
paths = [
"/home"
"/persist"
];
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 3"
];
repository = "b2:tardis-parsons:system";
};
sops.secrets = {
"restic/system" = {};
"restic/s3creds.env" = {};
};
system.stateVersion = "21.05";
}

85
parsons/forgejo.nix Normal file
View file

@ -0,0 +1,85 @@
{ config, lib, pkgs, ... }:
{
hacc.containers.forgejo = {
config = { lib, pkgs, ... }: {
system.stateVersion = "21.11";
environment.systemPackages = [ pkgs.forgejo ];
hacc.bindMounts."/var/lib/forgejo" = "/persist/forgejo";
services.forgejo = {
enable = true;
lfs.enable = true;
database.type = "postgres";
settings = {
repository = {
DEFAULT_PRIVATE = "public";
PREFERRED_LICENSES = "Unlicense";
DEFAULT_BRANCH = "main";
};
oauth2_client = {
ACCOUNT_LINKING = "auto";
ENABLE_AUTO_REGISTRATION = true;
};
"repository.pull-requests" = {
DEFAULT_MERGE_STYLE = "merge";
DEFAULT_MERGE_MESSAGE_ALL_AUTHORS = true;
};
"repository.upload".FILE_MAX_SIZE = 1024;
server = {
LANDING_PAGE = "explore";
OFFLINE_MODE = true;
ROOT_URL = "https://git.infra4future.de";
HTTP_PORT = 3000;
HTTP_ADDR = "0.0.0.0";
};
security = { INSTALL_LOCK = true; };
other = {
SHOW_FOOTER_VERSION = false;
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false;
};
cron = {
ENABLED = true;
NOTICE_ON_SUCCESS = true;
};
"cron.update_mirrors" = {
SCHEDULE = "@every 12h";
PULL_LIMIT = "-1";
PUSH_LIMIT = "-1";
};
"cron.git_gc_repos".ENABLED = true;
"cron.delete_old_actions".ENABLED = true;
log.LEVEL = "Info";
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
default.APP_NAME = "0x0: git for all creatures";
};
};
services.postgresql.package = pkgs.postgresql_15;
services.postgresqlBackup = {
enable = true;
databases = [ "forgejo" ];
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
AcceptEnv = "GIT_PROTOCOL";
};
};
};
};
services.nginx.virtualHosts."git.infra4future.de" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${config.containers.forgejo.localAddress}:3000";
};
};
}

61
parsons/hardware.nix Normal file
View file

@ -0,0 +1,61 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "zroot/local/root";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/daf2a731-952f-45c7-9c25-49e1a2f56062";
fsType = "ext4";
};
fileSystems."/nix" =
{ device = "zroot/local/nix";
fsType = "zfs";
};
fileSystems."/persist" =
{ device = "zroot/safe/persist";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/home" =
{ device = "zroot/safe/home";
fsType = "zfs";
};
fileSystems."/root" =
{ device = "zroot/safe/root";
fsType = "zfs";
};
fileSystems."/var/cache/restic-backups-tardis" =
{ device = "zroot/safe/restic-cache";
fsType = "zfs";
};
fileSystems."/tmp" =
{ device = "zroot/local/tmp";
fsType = "zfs";
};
fileSystems."/persist/data" =
{ device = "dpool/safe/data";
fsType = "zfs";
};
swapDevices = [ ];
}

91
parsons/hedgedoc-hacc.nix Normal file
View file

@ -0,0 +1,91 @@
{ config, lib, pkgs, ... }:
{
sops.secrets = {
"hedgedoc-hacc/env" = {};
};
containers.pad-hacc.bindMounts = {
"/secrets".hostPath = "/run/secrets/hedgedoc-hacc";
};
hacc.containers.pad-hacc = {
config = { config, lib, ... }: {
services.hedgedoc = {
enable = true;
settings = {
allowAnonymous = true;
allowFreeURL = true;
allowGravatar = false;
allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ];
db = {
host = "/run/postgresql";
username = "codimd";
dialect = "postgres";
database = "codimd";
};
defaultPermission = "limited";
domain = "pad.hacc.space";
host = "0.0.0.0";
protocolUseSSL = true;
hsts.preload = false;
email = false;
oauth2 = {
authorizationURL = "https://login.infra4future.de/oauth2/authorize";
tokenURL = "https://login.infra4future.de/oauth2/token";
clientID = "hedgedoc";
# must be set to make the NixOS module happy, but env var takes precedence
clientSecret = "lol nope";
};
};
environmentFile = "/secrets/env";
};
systemd.services.hedgedoc.environment = {
"CMD_LOGLEVEL" = "warn";
"CMD_OAUTH2_USER_PROFILE_URL" = "https://login.infra4future.de/oauth2/userinfo";
"CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "nickname";
"CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "name";
"CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
"CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
};
services.postgresql = {
enable = true;
ensureDatabases = [ "codimd" ];
ensureUsers = [{
name = "codimd";
ensureDBOwnership = true;
}];
authentication = ''
local all all trust
host codimd codimd 127.0.0.1/32 trust
'';
package = pkgs.postgresql_15;
};
services.postgresqlBackup = {
enable = true;
databases = [ "codimd" ];
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
};
};
services.nginx.virtualHosts."pad.hacc.earth" = {
enableACME = true;
forceSSL = true;
globalRedirect = "pad.hacc.space";
};
services.nginx.virtualHosts."pad.hacc.space" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${config.containers.pad-hacc.localAddress}:3000";
extraConfig = ''
add_header Access-Control-Allow-Origin "*";
proxy_buffering off;
'';
};
};
}

63
parsons/hedgedoc-i4f.nix Normal file
View file

@ -0,0 +1,63 @@
{ config, lib, pkgs, ... }:
{
hacc.containers.pad-i4f = {
config = { config, lib, ... }: {
services.hedgedoc = {
enable = true;
settings = {
allowAnonymous = true;
allowFreeURL = true;
allowGravatar = false;
allowOrigin = [ "localhost" "pad.infra4future.de" "fff-muc.de" ];
db = {
host = "/run/postgresql";
dialect = "postgres";
database = "hedgedoc";
};
defaultPermission = "freely";
domain = "pad.infra4future.de";
host = "0.0.0.0";
protocolUseSSL = true;
hsts.preload = false;
email = false;
};
};
systemd.services.hedgedoc.environment = {
"CMD_LOGLEVEL" = "warn";
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_15;
authentication = ''
local all all trust
host hedgedoc hedgedoc 127.0.0.1/32 trust
'';
ensureDatabases = [ "hedgedoc" ];
ensureUsers = [{
name = "hedgedoc";
ensureDBOwnership = true;
}];
};
services.postgresqlBackup = {
enable = true;
databases = [ "hedgedoc" ];
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
};
};
services.nginx.virtualHosts."pad.infra4future.de" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${config.containers.pad-i4f.localAddress}:3000";
extraConfig = ''
add_header Access-Control-Allow-Origin "*";
proxy_buffering off;
'';
};
};
}

29
parsons/lxc.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, lib, pkgs, ... }:
{
networking.bridges.lxcbr0.interfaces = [];
networking.interfaces.lxcbr0.ipv4.addresses = [
{
address = "10.1.2.1";
prefixLength = 24;
}
];
virtualisation.lxc.enable = true;
virtualisation.lxc.systemConfig = ''
lxc.bdev.zfs.root = zroot/safe/containers/lxc
lxc.lxcpath = /persist/lxc
'';
users.users.root.subUidRanges = [{ count = 65536; startUid = 100000; }];
users.users.root.subGidRanges = [{ count = 65536; startGid = 100000; }];
environment.etc."lxc/share".source = "${pkgs.lxc}/share/lxc";
services.nginx.virtualHosts."onlyoffice.infra4future.de" = {
locations."/".proxyPass = "http://10.1.2.233:80";
enableACME = true;
forceSSL = true;
};
}

208
parsons/mail.nix Normal file
View file

@ -0,0 +1,208 @@
{ config, options, pkgs, lib, sources, ... }:
{
imports = [ sources.nixos-mailserver.outPath ];
# reduce log spam
systemd.services.rspamd.serviceConfig.LogLevelMax =
3; # this is set to error because rspamd regularly complains about not enough learns
systemd.services.dovecot2.serviceConfig.LogLevelMax = 5; # = notice
# stop postfix from dying if rspamd hiccups
systemd.services.postfix.unitConfig = {
Requires = lib.mkForce "dovecot2.service opendkim.service";
};
mailserver = {
mailDirectory = "/persist/mail";
enable = true;
fqdn = "mail.hacc.space";
monitoring = {
enable = true;
alertAddress = "admin@hacc.space";
};
domains = [
"hacc.space"
"muc.hacc.space"
"hacc.earth"
"4future.dev"
"4futu.re"
"infra4future.de"
];
loginAccounts = {
"hexchen@hacc.space".hashedPassword =
"$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/";
"octycs@hacc.space".hashedPassword =
"$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg.";
"octycs@hacc.space".aliases = [ "markus@hacc.space" ];
"raphael@hacc.space".hashedPassword =
"$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/";
"moira@hacc.space".hashedPassword =
"$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1";
"zauberberg@hacc.space".hashedPassword =
"$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
"zauberberg@hacc.space".aliases = [ "lukas@hacc.space" ];
"stuebinm@hacc.space".hashedPassword =
"$6$mjrMQG5smqLRlm$WzmbiZnGlEXGT7hj/n2qz0nvVzGyZfMToCyLRi0wErfVEHI7y7jtWoHqIWnpcHAM29UocsIFFsUCb3XqQCwwB.";
"lenny@hacc.space".hashedPassword =
"$6$EZpv9XImv5F3$p2NSoo5gLxh6NnB3/C6wF8knRTuMHqDXYF3BEscaQuk7qok2Z13xKT/6mFvvSKKBnFCuYptgnfGswmoqIzm/1/";
"lenny@hacc.space".aliases = [ "rinderhacc@hacc.space" ];
"peter@hacc.space".hashedPassword =
"$6$yvpfTC.7DDpqpsYy$7TrfmLvz/fRl.k5mSHhI67CNquJa3yEFbLuTJvpyJ8Dj7SaD2eoOHWqef.CNo.T08kYzaqMcM73whAxjXVEmc.";
"peter@hacc.space".aliases = [ "linmob@hacc.space" ];
"finance@muc.hacc.space".hashedPassword =
"$6$R3GRmvXwqnMM6q.R$Y9mrUAmMnCScsM6pKjxo2a2XPM7lHrV8FIgK0PzhYvZbxWczo7.O4dk1onYeV1mRx/nXZfkZNjqNCruCn0S2m.";
"noreply@hacc.space" = {
hashedPassword =
"$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
};
"noreply@infra4future.de" = {
hashedPassword =
"$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
};
"mattermost@hacc.space" = {
hashedPassword =
"$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
};
};
extraVirtualAliases = {
# address = forward address;
# -- International --
# info/contact: main entrypoint, anyone can read or reply to this.
"info@hacc.space" = [
"hexchen@hacc.space"
"octycs@hacc.space"
"raphael@hacc.space"
"moira@hacc.space"
"zauberberg@hacc.space"
"stuebinm@hacc.space"
"lenny@hacc.space"
"peter@hacc.space"
];
# admin: current people with access to the mail server and knowledge on how to use it™
"admin@hacc.space" = [
"hexchen@hacc.space"
"moira@hacc.space"
"zauberberg@hacc.space"
"stuebinm@hacc.space"
];
# voc: hacc video operation center, various streaming-related things
"voc@hacc.space" = [
"hexchen@hacc.space"
"moira@hacc.space"
"octycs@hacc.space"
"stuebinm@hacc.space"
"zauberberg@hacc.space"
"lenny@hacc.space"
"raphael@hacc.space"
];
# -- Regional: Germany --
# board of hacc e.V.
"vorstand@hacc.space" =
[ "raphael@hacc.space" "moira@hacc.space" "peter@hacc.space" ];
# members of hacc e.V.
"mitglieder@hacc.space" = [
"hexchen@hacc.space"
"raphael@hacc.space"
"moira@hacc.space"
"zauberberg@hacc.space"
"lenny@hacc.space"
"octycs@hacc.space"
"stuebinm@hacc.space"
"peter@hacc.space"
];
# -- Regional: Munich --
"muc@hacc.space" = [
"hexchen@hacc.space"
"octycs@hacc.space"
"raphael@hacc.space"
"moira@hacc.space"
"zauberberg@hacc.space"
"stuebinm@hacc.space"
"lenny@hacc.space"
"peter@hacc.space"
];
};
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.
certificateScheme = "acme-nginx";
# Only allow implict TLS
enableImap = false;
enablePop3 = false;
# Enable the ManageSieve protocol
enableManageSieve = true;
};
services.postfix.submissionOptions.smtpd_sender_restrictions =
lib.mkForce "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
services.postfix.submissionsOptions.smtpd_sender_restrictions =
lib.mkForce "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
services.postfix.virtual = ''
postmaster@hacc.space admin@hacc.space
abuse@hacc.space admin@hacc.space
contact@hacc.space info@hacc.space
hello@hacc.space info@hacc.space
haccvoc@hacc.space voc@hacc.space
@4future.dev @hacc.space
@4futu.re @hacc.space
@hacc.earth @hacc.space
@infra4future.de @hacc.space
'';
services.alps = {
enable = true;
theme = "alps";
smtps = {
port = 465;
host = "mail.hacc.space";
};
imaps = {
port = 993;
host = "mail.hacc.space";
};
bindIP = "[::1]";
};
systemd.services.alps.after = [ "dovecot2.service" "postfix.service" ];
systemd.services.alps.bindsTo = [ "dovecot2.service" "postfix.service" ];
services.nginx.virtualHosts."mail.hacc.space" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://[::1]:1323";
};
hacc.bindToPersist = [
"/var/lib/rspamd"
"/var/lib/opendkim"
"/var/lib/postfix"
"/var/lib/dovecot"
"/var/sieve"
"/var/lib/redis-rspamd"
"/var/dkim"
];
}

View file

@ -1,34 +1,27 @@
{config, pkgs, lib, ...}:
{ config, pkgs, lib, ...}:
{
containers.mattermost = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.30";
localAddress = "192.168.100.31";
bindMounts."/secrets" = {
hostPath = "/var/lib/mattermost/";
isReadOnly = true;
sops.secrets = {
"mattermost/env" = {};
};
config = {pkgs, config, ...}: {
hacc.containers.mattermost = {
bindSecrets = true;
# have to import these here, since container's dont
# inherit imports of their environment.
imports = [ ../../../modules/mattermost.nix ];
networking.firewall.enable = false;
config = { config, lib, pkgs, ... }: {
environment.systemPackages = [ pkgs.morph pkgs.pgloader ];
# couldn't figure out how to actually overwrite modules, so now
# there's two mattermost modules ...
services.mattermost-patched = {
systemd.services.mattermost.serviceConfig.EnvironmentFile =
lib.mkForce "/secrets/env";
services.mattermost = {
enable = true;
siteUrl = "https://mattermost-beta.infra4future.de";
siteName = "Mattermost - Blabla for Future";
siteUrl = "https://mattermost.infra4future.de";
siteName = "Mattermost for Future";
listenAddress = "0.0.0.0:3000";
mutableConfig = false;
secretConfig = "/secrets/secrets.json";
statePath = "/persist/mattermost";
extraConfig = {
ServiceSettings = {
@ -55,10 +48,13 @@
EnableSVGs = true;
EnableLaTeX = true;
ThreadAutoFollow = true;
EnableSecurityFixAlert = false;
CollapsedThreads = "default_on";
};
TeamSettings = {
EnableTeamCreation = true;
EnableUserCreation = true;
MaxUsersPerTeam = 250;
EnableOpenServer = false;
EnableUserDeactivation = true;
ExperimentalViewArchivedChannels = true;
@ -67,8 +63,8 @@
LogSettings = {
EnableConsole = true;
ConsoleLevel = "ERROR";
EnableDiagnostics = true;
EnableWebhookDebugging = true;
EnableDiagnostics = false;
EnableWebhookDebugging = false;
};
NotificationLogSettings = {
EnableConsole = true;
@ -86,7 +82,7 @@
EnableFileAttachments = true;
MaxFileSize = 52428800;
DriverName = "local";
Directory = "/var/lib/mattermost/uploads-storage";
Directory = "/persist/mattermost/upload-storage";
EnablePublicLink = true;
PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
};
@ -102,12 +98,21 @@
EnableSMTPAuth = true;
SMTPUsername = "noreply@infra4future.de";
SMTPServer = "mail.hacc.space";
SMTPPort = "465";
SMTPServerTimeout = 10;
ConnectionSecurity = "TLS";
};
RateLimitSettings.Enable = false;
PrivacySettings = {
ShowEmailAddress = false;
ShowFullName = true;
};
# to disable the extra landing page advertising the app
NativeAppSettings = {
AppDownloadLink = "";
AndroidAppDownloadLink = "";
IosAppDownloadLink = "";
};
SupportSettings = {
TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
@ -119,11 +124,11 @@
AnnouncementSettings.EnableBanner = false;
GitLabSettings = {
Enable = true;
Id = "mattermost-beta";
Id = "mattermost";
Scope = "";
AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
AuthEndpoint = "https://login.infra4future.de/oauth2/authorize";
TokenEndpoint = "https://login.infra4future.de/oauth2/token";
UserApiEndpoint = "https://login.infra4future.de/oauth2/userinfo";
};
# for some reason, these don't appear to be working; the startup
# process complaines and sets these back to en
@ -139,18 +144,12 @@
Enable = true;
EnableUploads = true;
Plugins = {
bigbluebutton = {
adminonly = false;
base_url = "https://bbb.infra4future.de/bigbluebutton/api";
salt = "zKCsNeaEniC115ynHOsZopgA4iTiJjzgeiPNoCEc";
};
"com.github.matterpoll.matterpoll" = {
experimentalui = true;
trigger = "poll";
};
};
PluginStates = {
bigbluebutton.Enable = true;
"com.github.matterpoll.matterpoll".Enable = true;
};
};
@ -158,6 +157,9 @@
ClusterSettings.Enable = false;
MetricsSettings.Enable = false;
GuestAccountsSettings.Enable = false;
FeatureFlags.CollapsedThreads = true;
SqlSettings.DriverName = "postgres";
SqlSettings.DataSource = "postgres:///mattermost?host=/run/postgresql";
};
# turn of the weirder parts of this module (which insist on passwords
@ -170,45 +172,40 @@
services.postgresql = {
enable = lib.mkForce true; # mattermost sets this to false. wtf.
package = pkgs.postgresql_15;
ensureDatabases = [ "mattermost" ];
ensureUsers = [ {
name = "mattermost";
ensurePermissions = { "DATABASE mattermost" = "ALL PRIVILEGES"; };
ensureDBOwnership = true;
} ];
authentication = lib.mkForce ''
# Generated file; do not edit!
local all all trust
host mattermost mattermost ::1/128 trust
'';
};
networking.firewall.allowedTCPPorts = [ 3000 ];
services.coredns = {
services.postgresqlBackup = {
enable = true;
config = ''
.:53 {
forward . 1.1.1.1
}
'';
databases = [ "mattermost" ];
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
};
};
services.nginx.virtualHosts."mattermost-beta.infra4future.de" = {
services.nginx.virtualHosts."mattermost.infra4future.de" = {
locations."/" = {
proxyPass = "http://${config.containers.mattermost.localAddress}:3000";
proxyWebsockets = true;
extraConfig = ''
# Mattermost CSR Patch
proxy_hide_header Content-Security-Policy;
proxy_hide_header X-Frame-Options;
proxy_redirect off;
'';
};
forceSSL = true;
enableACME = true;
};
networking.nat = {
enable = true;
internalInterfaces = [ "ve-mattermost" ];
externalInterface = "enp6s0";
};
}

64
parsons/monit.nix Normal file
View file

@ -0,0 +1,64 @@
{ config, options, lib, pkgs, ... }:
let
checkHash = pkgs.writeScriptBin "check-commit-hash" ''
#!${lib.getExe pkgs.fish}
set wanted (${lib.getExe pkgs.curl} -s https://git.infra4future.de/api/v1/repos/hacc/haccfiles/branches/main \
-H 'accept: application/json' | jq -r .commit.id)
if test $status != 0
echo "could not reach git.infra4future.de"
exit 2
end
set actual (cat /etc/haccfiles-commit)
if test $status != 0
echo "/etc/haccfiles-commit does not exist??"
exit 2
end
if test $actual != $wanted
echo "parsons was built on $actual, but commit on main is $wanted"
exit 1
end
'';
checkDeployAge = pkgs.writeScriptBin "check-deploy-age" ''
#!${lib.getExe pkgs.fish}
set date (date +%s)
# we do this indirection here so monit's config won't change on each deploy
set deploytimestamp (cat /etc/haccfiles-timestamp)
set age (expr $date - $deploytimestamp)
if test $age -ge (expr 3600 \* 24 \* 10)
echo "${config.networking.hostName} has not been deployed since 10 days, perhaps someone should do updates?"
exit 1
end
'';
in
{
mailserver.monitoring = {
enable = true;
alertAddress = "admin@hacc.space";
config = (lib.replaceStrings ["port 22"] ["port ${toString (lib.head config.services.openssh.ports)}"] options.mailserver.monitoring.config.default);
};
services.monit.config = ''
check host onlyoffice with address onlyoffice.infra4future.de
start program "/run/current-system/sw/bin/lxc-start -n onlyoffice -f /persist/lxc/onlyoffice/config"
stop program "/run/current-system/sw/bin/lxc-stop -n onlyoffice"
if failed port 443 protocol https status = 302
then restart
check program deployed-commit-on-main path ${lib.getExe checkHash}
if status == 1 for 64 cycles then alert
if status == 2 for 3 cycles then alert
check program is-system-running path ${pkgs.systemd}/bin/systemctl is-system-running
if status != 0 then alert
check program check-deploy-age path ${lib.getExe checkDeployAge}
if status == 1 then alert
'';
}

30
parsons/murmur.nix Normal file
View file

@ -0,0 +1,30 @@
{ config, lib, pkgs, ... }:
{
services.murmur = {
enable = true;
logDays = -1;
registerName = "hackers against climate change";
welcometext = ''
<br>Welcome to <b>mumble4future</b>!<br>Brought to you by <b style="color:red">infra4future</b>.<br>On <a href=https://mumble.hacc.space>mumble.hacc.space</a><br>Not confusing at all!
'';
sslKey = "/var/lib/acme/mumble.hacc.space/key.pem";
sslCert = "/var/lib/acme/mumble.hacc.space/fullchain.pem";
bandwidth = 128000;
};
networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
networking.firewall.allowedUDPPorts = [ config.services.murmur.port ];
# the mumble cert has its own group so that both nginx and murmur can read it
users.groups.mumblecert = { };
security.acme.certs."mumble.hacc.space" = {
group = "mumblecert";
extraDomainNames = [ "mumble.infra4future.de" ];
reloadServices = [ "murmur" ];
};
users.users.nginx.extraGroups = [ "mumblecert" ];
users.users.murmur.extraGroups = [ "mumblecert" ];
hacc.bindToPersist = [ "/var/lib/murmur" ];
}

89
parsons/nextcloud.nix Normal file
View file

@ -0,0 +1,89 @@
{ config, lib, pkgs, ... }:
{
containers.nextcloud.timeoutStartSec = "10 min";
hacc.containers.nextcloud = {
config = { config, lib, pkgs, ... }: {
environment.systemPackages = [ pkgs.htop ];
services.nextcloud = {
enable = true;
# must be set manually; may not be incremented by more than one at
# a time, otherwise nextcloud WILL break
package = pkgs.nextcloud29;
home = "/persist/nextcloud";
https = true;
hostName = "cloud.infra4future.de";
config = {
dbtype = "pgsql";
dbuser = "nextcloud";
dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
dbname = "nextcloud";
# socket auth does not needs this, but the module insists it does
adminpassFile = "/persist/adminpassfile";
adminuser = "root";
};
# multiple pools may be doable using services.phpfpm.pools,
# but i have not tried this yet. The nextcloud module defines a
# pool "nextcloud"
poolSettings = {
pm = "dynamic";
"pm.max_children" = "32";
"pm.max_requests" = "500";
"pm.max_spare_servers" = "4";
"pm.min_spare_servers" = "2";
"pm.start_servers" = "2";
};
settings = {
instanceid = "ocxlphb7fbju";
datadirectory = "/persist/nextcloud/data";
loglevel = 0;
"overwrite.cli.url" = "https://cloud.infra4future.de";
};
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_15;
ensureDatabases = [ "nextcloud" ];
ensureUsers = [
{ # by default, postgres has unix sockets enabled, and allows a
# system user `nextcloud` to log in without other authentication
name = "nextcloud";
ensureDBOwnership = true;
}
];
};
services.postgresqlBackup = {
enable = true;
databases = [ "nextcloud" ];
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
# ensure that postgres is running *before* running the setup
systemd.services."nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
};
};
};
services.nginx.virtualHosts."cloud.infra4future.de" = {
locations."/".proxyPass = "http://${config.containers.nextcloud.localAddress}:80";
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_buffering off;
client_max_body_size 0;
add_header Cache-Control "no-store, no-cache, must-revalidate";
'';
};
}

23
parsons/nftables.nix Normal file
View file

@ -0,0 +1,23 @@
{ config, lib, pkgs, ... }:
{
networking.firewall.enable = true;
networking.firewall.logRefusedConnections = false;
networking.nat.enable = true;
networking.nftables.enable = true;
networking.nftables.tables.nat = {
family = "ip";
content = ''
chain prerouting {
type nat hook prerouting priority -100
iifname enp35s0 tcp dport { 22 } dnat ${config.containers.forgejo.localAddress}:22
}
chain postrouting {
type nat hook postrouting priority 100
iifname lxcbr0 oifname enp35s0 masquerade
iifname ve-* oifname enp35s0 masquerade
}
'';
};
}

16
parsons/nginx-pages.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, pkgs, ... }:
{
hacc.websites = {
enable = true;
directory = "${../.}/websites";
};
services.nginx.virtualHosts."parsons.hacc.space" = {
enableACME = true;
forceSSL = true;
locations."/~stuebinm/".root = "/persist/www/";
};
}

137
parsons/s4f-conference.nix Normal file
View file

@ -0,0 +1,137 @@
{ config, lib, pkgs, ... }:
{
sops.secrets = {
"s4f-conference/env" = {};
};
hacc.containers.s4f-conference = {
bindSecrets = true;
config = { config, lib, pkgs, ... }: {
systemd.services.mattermost.serviceConfig.EnvironmentFile =
lib.mkForce "/secrets/env";
services.mattermost = {
enable = true;
siteUrl = "https://s4f-conference.infra4future.de";
siteName = "Scientists for Future Chat";
listenAddress = "0.0.0.0:3000";
mutableConfig = false;
statePath = "/persist/mattermost";
extraConfig = {
ServiceSettings = {
TrustedProxyIPHeader = [ "X-Forwarded-For" "X-Real-Ip" ];
EnableEmailInvitations = true;
};
TeamSettings = {
EnableUserCreation = true;
MaxUsersPerTeam = 2500;
EnableUserDeactivation = true;
EnableOpenServer = false;
};
PasswordSettings = {
MinimumLength = 10;
};
FileSettings = {
EnableFileAttachments = true;
MaxFileSize = 52428800;
DriverName = "local";
Directory = "/persist/upload-storage";
EnablePublicLink = true;
PublicLinkSalt = "3k7p3yxdhz6798b3b9openfr9rn3ymwu";
};
EmailSettings = {
EnableSignUpWithEmail = true;
EnableSignInWithEmail = true;
EnableSignInWithUsername = true;
SendEmailNotifications = true;
FeedbackName = "mattermost";
FeedbackEmail = "mattermost@infra4future.de";
ReplyToAddress = "mattermost@infra4future.de";
FeedbackOrganization = "infra4future.de";
EnableSMTPAuth = true;
SMTPUsername = "noreply@infra4future.de";
SMTPServer = "mail.hacc.space";
SMTPPort = "465";
SMTPServerTimeout = 10;
ConnectionSecurity = "TLS";
};
RateLimitSettings.Enable = false;
PrivacySettings = {
ShowEmailAddress = false;
ShowFullName = true;
};
# to disable the extra landing page advertising the app
NativeAppSettings = {
AppDownloadLink = "";
AndroidAppDownloadLink = "";
IosAppDownloadLink = "";
};
LogSettings = {
EnableConsole = true;
ConsoleLevel = "ERROR";
EnableDiagnostics = false;
EnableWebhookDebugging = false;
};
SupportSettings = {
TermsOfServiceLink = "https://infra4future.de/nutzungsbedingungen.html";
PrivacyPolicyLink = "https://infra4future.de/nutzungsbedingungen.html";
AboutLink = "https://infra4future.de";
SupportEmail = "info@infra4future.de";
CustomTermsOfServiceEnabled = false;
EnableAskCommunityLink = true;
};
AnnouncementSettings.EnableBanner = false;
ComplianceSettings.Enable = false;
ClusterSettings.Enable = false;
MetricsSettings.Enable = false;
GuestAccountsSettings.Enable = true;
};
localDatabaseCreate = false;
};
services.postgresql = {
enable = lib.mkForce true; # mattermost sets this to false. wtf.
package = pkgs.postgresql_15;
ensureDatabases = [ "mattermost" ];
ensureUsers = [ {
name = "mattermost";
ensureDBOwnership = true;
} ];
authentication = lib.mkForce ''
# Generated file; do not edit!
local all all trust
host mattermost mattermost ::1/128 trust
'';
};
services.postgresqlBackup = {
enable = true;
databases = [ "mattermost" ];
startAt = "*-*-* 23:45:00";
location = "/persist/backups/postgres";
};
};
};
services.nginx.virtualHosts."s4f-conference.infra4future.de" = {
locations."/" = {
proxyPass = "http://${config.containers.s4f-conference.localAddress}:3000";
proxyWebsockets = true;
extraConfig = ''
# Mattermost CSR Patch
proxy_hide_header Content-Security-Policy;
proxy_hide_header X-Frame-Options;
proxy_redirect off;
client_max_body_size 100M;
'';
};
forceSSL = true;
enableACME = true;
};
}

102
parsons/tracktrain.nix Normal file
View file

@ -0,0 +1,102 @@
{ config, lib, pkgs, ... }:
let
tracktrain-config = ''
dbstring: "dbname=tracktrain"
gtfs: /persist/gtfs.zip
assets: ${pkgs.tracktrain}/assets
warp:
port: 4000
login:
enable: true
url: https://login.infra4future.de
clientName: tracktrain
# clientSecret defined in env file
logging:
ntfyTopic: ping.stuebinm.eu/monit
name: ilztalbahn
'';
in
{
sops.secrets = {
"tracktrain/env" = {};
};
services.nginx.virtualHosts."tracktrain.ilztalbahn.eu" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://${config.containers.tracktrain.localAddress}:4000";
proxyWebsockets = true;
};
# note: this shadows the /metrics endpoint of tracktrain
# in case you remove this, please consider putting something
# else here to keep it from being publicly scrapable
locations."/metrics/" = {
proxyPass = "http://${config.containers.tracktrain.localAddress}:2342";
proxyWebsockets = true;
extraConfig = ''
rewrite ^/metrics/(.*) /$1 break;
'';
};
};
hacc.containers.tracktrain = {
bindSecrets = true;
config = { config, lib, pkgs, ... }: {
systemd.services.tracktrain = {
enable = true;
description = "tracks trains, hopefully";
wantedBy = [ "multi-user.target" ];
requires = [ "network.target" ];
after = [ "network.target" ];
serviceConfig = {
Type = "simple";
EnvironmentFile = "/secrets/env";
DynamicUser = true;
};
path = [ pkgs.wget pkgs.ntfy-sh ];
script = ''
cd /tmp
ln -sf ${pkgs.writeText "tracktrain-config.yaml" tracktrain-config} config.yaml
${pkgs.tracktrain}/bin/tracktrain +RTS -T
'';
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_15;
ensureDatabases = [ "tracktrain" ];
ensureUsers = [ {
name = "tracktrain";
ensureDBOwnership = true;
} ];
authentication = ''
local all all trust
'';
};
services.prometheus = {
enable = true;
port = 9001;
scrapeConfigs = [ {
job_name = "tracktrain";
static_configs = [{
targets = [ "0.0.0.0:4000" ];
}];
} ];
};
systemd.services.grafana.serviceConfig.EnvironmentFile =
"/secrets/env";
hacc.bindToPersist = [ "/var/lib/grafana" ];
};
};
}

120
parsons/uffd.nix Normal file
View file

@ -0,0 +1,120 @@
{ config, lib, pkgs, ... }:
{
hacc.containers.uffd = {
config = { config, lib, pkgs, ... }: {
services.uwsgi = {
enable = true;
plugins = [ "python3" ];
instance = {
type = "normal";
pythonPackages = _: [ pkgs.uffd ];
module = "uffd:create_app()";
# socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
http = ":8080";
env = [
"CONFIG_PATH=/persist/uffd/uffd.conf"
];
hook-pre-app = "exec:FLASK_APP=${pkgs.uffd}/lib/python3.10/site-packages/uffd flask db upgrade";
};
};
};
};
services.nginx.virtualHosts."login.infra4future.de" = {
enableACME = true;
forceSSL = true;
locations = {
"/".proxyPass = "http://${config.containers.uffd.localAddress}:8080";
"/static".root = "${pkgs.uffd}/lib/python3.10/site-packages/uffd";
"/static/hacc.png".return = "302 https://infra4future.de/assets/img/logo_vernetzung.png";
"/static/infra4future.svg".return = "302 https://infra4future.de/assets/img/infra4future.svg";
"/static/hedgedoc.svg".return = "302 https://infra4future.de/assets/img/icons/hedgedoc.svg";
"/static/mattermost.svg".return = "302 https://infra4future.de/assets/img/icons/mattermost.svg";
"/static/nextcloud.svg".return = "302 https://infra4future.de/assets/img/icons/nextcloud.svg";
"/static/hot_shit.svg".return = "302 https://infra4future.de/assets/img/icons/hot_shit.svg";
};
};
systemd.services.auamost = {
enable = true;
description = "mattermost aua gruppensync";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig.Type = "simple";
path = [ pkgs.fish pkgs.curl pkgs.jq ];
script = (pkgs.writeTextFile {
name = "auamost.fish";
executable = true;
checkPhase = ''
${lib.getExe pkgs.fish} -n $target
'';
text = ''
#!${lib.getExe pkgs.fish}
source /run/secrets/auamost/secrets.fish
for i in (seq 1 (count $groups))
set team $teams[$i]
set group $groups[$i]
set users (curl -u $uffd_token --basic https://login.infra4future.de/api/v1/getusers -d group="$group")
set usernames (echo "$users" | jq -c "[.[] | .loginname]")
for user in (echo "$users" | jq -c ".[]")
set id (echo "$user" | jq .id)
set username (echo "$user" | jq .loginname)
set email (echo "$user" | jq .email)
curl -H $mattermost_token \
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users \
-d '{"email": '"$email"', "username": '"$username"', "auth_service": "gitlab", "auth_data": "'"$id"'"}'
end
set userids (curl -H $mattermost_token \
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/usernames \
-d "$usernames" | jq '[.[] | {user_id: .id, team_id: "'$team'"} ]')
curl -H $mattermost_token \
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/batch \
-d "$userids"
if test "$group" = "hacc"
continue
end
set current_members (curl -H $mattermost_token \
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members | jq '[.[] | .user_id]')
# membership relations don't contain e.g. usernames, so fetch those, too
set current_users (curl -H $mattermost_token \
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/users/ids \
-d "$current_members" | jq -c '.[]')
set userids (echo "$userids" | jq -c ".[].user_id")
for member in $current_users
set id (echo $member | jq .id)
if not contains -i $id $userids > /dev/null then
set id_unquoted (echo $member | jq -r .id)
echo removing $id_unquoted (echo $member | jq '.email') from $team \($group\)
curl -X DELETE -H $mattermost_token \
-H "Content-Type: application/json" https://mattermost.infra4future.de/api/v4/teams/"$team"/members/"$id_unquoted"
end
end
end
'';
}).outPath;
startAt = "*:0/15";
};
systemd.services.uffd-account-expiry-notification = {
enable = true;
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig.Type = "simple";
path = [ pkgs.hacc-scripts pkgs.sqlite-interactive pkgs.postfix ];
script = ''
uffd-unused-accounts-notification.scm -v admin
'';
startAt = "weekly";
restartIfChanged = false;
};
sops.secrets."auamost/secrets.fish" = { };
environment.systemPackages = with pkgs; [ curl jq ];
}

55
parsons/vaultwarden.nix Normal file
View file

@ -0,0 +1,55 @@
{ config, lib, pkgs, ... }:
{
sops.secrets = {
"vaultwarden/env" = {};
};
services.vaultwarden = {
enable = true;
config = {
DATA_FOLDER="/persist/var/lib/vaultwarden/data";
LOG_LEVEL="error";
SIGNUPS_ALLOWED=false;
SIGNUPS_VERIFY=true;
SIGNUPS_DOMAINS_WHITELIST="hacc.space";
ORG_CREATION_USERS="admin@hacc.space";
INVITATIONS_ALLOWED=true;
INVITATION_ORG_NAME="haccwarden";
TRASH_AUTO_DELETE_DAYS=90;
DOMAIN="https://pw.hacc.space";
ROCKET_ADDRESS="127.0.0.1";
ROCKET_PORT=5354;
ROCKET_WORKERS=2;
SMTP_HOST="mail.hacc.space";
SMTP_FROM="vaultwarden@hacc.space";
SMTP_FROM_NAME="haccwarden";
SMTP_PORT=587;
SMTP_USERNAME="noreply@infra4future.de";
};
environmentFile = "/run/secrets/vaultwarden/env";
dbBackend = "sqlite";
backupDir = "/persist/data/vaultwarden_backups/";
};
#work around ProtectSystem=strict, cleanup
systemd.services.vaultwarden.serviceConfig = {
ReadWritePaths = [ "/persist/var/lib/vaultwarden" ];
StateDirectory = lib.mkForce "";
};
systemd.services.backup-vaultwarden.environment.DATA_FOLDER =
lib.mkForce "/persist/var/lib/vaultwarden/data";
services.nginx.virtualHosts."pw.hacc.space" = {
locations."/" = {
proxyPass = "http://127.0.0.1:5354";
proxyWebsockets = true;
};
forceSSL = true;
enableACME = true;
};
}

View file

@ -1,25 +0,0 @@
{ lib, buildGoModule }:
buildGoModule rec {
pname = "alps";
version = "0.0.1";
src = fetchGit {
url = "https://git.sr.ht/~migadu/alps";
rev = "51498a2dc37987f55b022efb961b68a282be17ed";
};
vendorSha256 = "0wc8fb03zlc1gl4nxlsh149gvpvrs3lc0smzrnam9smigg9gw4in";
subPackages = [ "cmd/alps" ];
postInstall = ''
mkdir -p $out/share/alps
cp -r $src/themes $out/share/alps/
'';
meta = with lib; {
description = "A simple and extensible webmail.";
homepage = "https://git.sr.ht/~migadu/alps";
};
}

View file

@ -1,49 +0,0 @@
{ stdenv, requireFile, lib,
libcxx, libcxxabi
}:
stdenv.mkDerivation rec {
pname = "blackmagic-desktop-video";
version = "11.6";
buildInputs = [
libcxx libcxxabi
];
src = requireFile {
name = "Blackmagic_Desktop_Video_Linux_11.6.tar.gz";
url = "https://www.blackmagicdesign.com/support/download/d399ada95c2b49ffad3031bda413acb5/Linux";
sha256 = "0qwm1b3gy0k7j1bimkxwwr77g8hrsybs9jp90b46kzcy06mcp380";
};
setSourceRoot = ''
tar xf Blackmagic_Desktop_Video_Linux_11.6/other/x86_64/desktopvideo-11.6a26-x86_64.tar.gz
sourceRoot=$NIX_BUILD_TOP/desktopvideo-11.6a26-x86_64
'';
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,share/doc,lib}
cp -r $sourceRoot/usr/share/doc/desktopvideo $out/share/doc
cp $sourceRoot/usr/lib/*.so $out/lib
ln -s ${libcxx}/lib/* ${libcxxabi}/lib/* $out/lib
cp $sourceRoot/usr/lib/blackmagic/DesktopVideo/libgcc_s.so.1 $out/lib/
cp $sourceRoot/usr/lib/blackmagic/DesktopVideo/DesktopVideoHelper $out/bin/
runHook postInstall
'';
postFixup = ''
patchelf --set-interpreter ${stdenv.cc.bintools.dynamicLinker} \
--set-rpath "$out/lib:${lib.makeLibraryPath [ libcxx libcxxabi ]}" \
$out/bin/DesktopVideoHelper
'';
meta = with stdenv.lib; {
homepage = "https://www.blackmagicdesign.com/support/family/capture-and-playback";
maintainers = [ maintainers.hexchen ];
license = licenses.unfree;
description = "Supporting applications for Blackmagic Decklink. Doesn't include the desktop applications, only the helper required to make the driver work.";
platforms = platforms.linux;
};
}

View file

@ -1,66 +0,0 @@
{ stdenv, requireFile, fetchpatch, kernel }:
stdenv.mkDerivation rec {
pname = "decklink";
version = "11.6";
src = requireFile {
name = "Blackmagic_Desktop_Video_Linux_11.6.tar.gz";
url = "https://www.blackmagicdesign.com/support/download/d399ada95c2b49ffad3031bda413acb5/Linux";
sha256 = "0qwm1b3gy0k7j1bimkxwwr77g8hrsybs9jp90b46kzcy06mcp380";
};
patches = [
(fetchpatch {
name = "01-fix-makefile.patch";
url = "https://aur.archlinux.org/cgit/aur.git/plain/01-fix-makefile.patch?h=decklink&id=8f19ef584c0603105415160d2ba4e8dfa47495ce";
sha256 = "1pk8zfi0clmysla25jmcqnq7sx2bnjflrarhqkqbkl8crigyspf5";
})
(fetchpatch {
name = "02-fix-get_user_pages-and-mmap_lock.patch";
url = "https://aur.archlinux.org/cgit/aur.git/plain/02-fix-get_user_pages-and-mmap_lock.patch?h=decklink&id=8f19ef584c0603105415160d2ba4e8dfa47495ce";
sha256 = "08m4qwrk0vg8rix59y591bjih95d2wp6bmm1p37nyfvhi2n9jw2m";
})
(fetchpatch {
name = "03-fix-have_unlocked_ioctl.patch";
url = "https://aur.archlinux.org/cgit/aur.git/plain/03-fix-have_unlocked_ioctl.patch?h=decklink&id=8f19ef584c0603105415160d2ba4e8dfa47495ce";
sha256 = "0j9p62qa4mc6ir2v4fzrdapdrvi1dabrjrx1c295pwa3vmsi1x4f";
})
];
KERNELDIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
INSTALL_MOD_PATH = placeholder "out";
nativeBuildInputs = kernel.moduleBuildDependencies;
setSourceRoot = ''
tar xf Blackmagic_Desktop_Video_Linux_11.6/other/x86_64/desktopvideo-11.6a26-x86_64.tar.gz
sourceRoot=$NIX_BUILD_TOP/desktopvideo-11.6a26-x86_64/usr/src
'';
buildPhase = ''
runHook preBuild
make -C $sourceRoot/blackmagic-11.6a26 -j$NIX_BUILD_CORES
make -C $sourceRoot/blackmagic-io-11.6a26 -j$NIX_BUILD_CORES
runHook postBuild
'';
installPhase = ''
runHook preInstall
make -C $KERNELDIR M=$sourceRoot/blackmagic-11.6a26 modules_install
make -C $KERNELDIR M=$sourceRoot/blackmagic-io-11.6a26 modules_install
runHook postInstall
'';
meta = with stdenv.lib; {
homepage = "https://www.blackmagicdesign.com/support/family/capture-and-playback";
maintainers = [ maintainers.hexchen ];
license = licenses.unfree;
description = "Kernel module for the Blackmagic Design Decklink cards";
platforms = platforms.linux;
};
}

View file

@ -1,46 +1,37 @@
{ config ? {}, system ? builtins.currentSystem, ... }@args:
{ sources, ... }@args:
let
sources = import ../nix/sources.nix;
pkgs = import sources.nixpkgs args;
oldstable = import sources.nixpkgs-oldstable args;
unstable = import sources.nixpkgs-unstable args;
callPackage = pkgs.lib.callPackageWith (pkgs // newpkgs);
newpkgs = {
alps = callPackage ./alps {};
docker = (pkgs.callPackage (pkgs.path + "/pkgs/applications/virtualization/docker") {
iptables = pkgs.writeScriptBin "iptables" ''
#!${pkgs.runtimeShell}
echo docker tried to run the following iptables command: $@
exit 0
'';
}).docker_19_03.overrideAttrs (super: {
extraPath = super.extraPath + ":${pkgs.zfs}/bin";
});
mattermost = callPackage ./mattermost.nix {
buildGoModule = unstable.buildGo122Module;
};
linuxPackagesFor = kernel: (pkgs.linuxPackagesFor kernel).extend (_: ksuper: {
decklink = callPackage ./decklink { kernel = ksuper.kernel; };
});
morph = callPackage ./morph.nix {
buildGoModule = unstable.buildGo122Module;
};
blackmagicDesktopVideo = callPackage ./blackmagic-desktop-video { };
forgejo = unstable.forgejo;
obs-studio = unstable.obs-studio.overrideAttrs (_: rec {
wrapLibraries = with (pkgs // newpkgs); [
xorg.libX11.out
libvlc
blackmagicDesktopVideo
libcxx
libcxxabi
];
postInstall = ''
wrapProgram $out/bin/obs \
--prefix "LD_LIBRARY_PATH" : "${pkgs.lib.makeLibraryPath wrapLibraries}"
'';
});
tracktrain = import sources.tracktrain {
nixpkgs = unstable;
compiler = "default";
};
inherit (unstable) bottom;
uffd = oldstable.callPackage ./uffd { };
hacc-scripts = callPackage ./scripts {};
inherit (oldstable) uwsgi flask;
# TODO: once on nixos 24.05, remove this inherit
inherit (unstable) lix;
};
in pkgs.extend(_: _: newpkgs)

85
pkgs/mattermost.nix Normal file
View file

@ -0,0 +1,85 @@
{ lib
, buildGoModule
, fetchFromGitHub
, nix-update-script
, fetchurl
, nixosTests
}:
buildGoModule rec {
pname = "mattermost";
# ESR releases only.
# See https://docs.mattermost.com/upgrade/extended-support-release.html
# When a new ESR version is available (e.g. 8.1.x -> 9.5.x), update
# the version regex in passthru.updateScript as well.
version = "9.11.3";
src = fetchFromGitHub {
owner = "mattermost";
repo = "mattermost";
rev = "v${version}";
hash = "sha256-CuFkydl1ZZUAWmrDIV1Jp9S6jIKYmglAe5XW2lTRgtQ=";
};
# Needed because buildGoModule does not support go workspaces yet.
# We use go 1.22's workspace vendor command, which is not yet available
# in the default version of go used in nixpkgs, nor is it used by upstream:
# https://github.com/mattermost/mattermost/issues/26221#issuecomment-1945351597
overrideModAttrs = (_: {
buildPhase = ''
make setup-go-work
go work vendor -e
'';
});
webapp = fetchurl {
url = "https://releases.mattermost.com/${version}/mattermost-${version}-linux-amd64.tar.gz";
hash = "sha256-4JzhL2+G3T98pNFgKugs/eoSrbm7QSk5grVlprrIKEI=";
};
vendorHash = "sha256-Gwv6clnq7ihoFC8ox8iEM5xp/us9jWUrcmqA9/XbxBE=";
modRoot = "./server";
preBuild = ''
make setup-go-work
'';
subPackages = [ "cmd/mattermost" ];
offlineCache = webapp;
tags = [ "production" ];
ldflags = [
"-s"
"-w"
"-X github.com/mattermost/mattermost/server/public/model.Version=${version}"
"-X github.com/mattermost/mattermost/server/public/model.BuildNumber=${version}-nixpkgs"
"-X github.com/mattermost/mattermost/server/public/model.BuildDate=1970-01-01"
"-X github.com/mattermost/mattermost/server/public/model.BuildHash=v${version}"
"-X github.com/mattermost/mattermost/server/public/model.BuildHashEnterprise=none"
"-X github.com/mattermost/mattermost/server/public/model.BuildEnterpriseReady=false"
];
postInstall = ''
tar --strip 1 --directory $out -xf $webapp \
mattermost/{client,i18n,fonts,templates,config}
# For some reason a bunch of these files are executable
find $out/{client,i18n,fonts,templates,config} -type f -exec chmod -x {} \;
'';
passthru = {
updateScript = nix-update-script {
extraArgs = [ "--version-regex" "^v(9\.11\.([0-9.]+))" ];
};
tests.mattermost = nixosTests.mattermost;
};
meta = with lib; {
description = "Mattermost is an open source platform for secure collaboration across the entire software development lifecycle";
homepage = "https://www.mattermost.org";
license = with licenses; [ agpl3Only asl20 ];
maintainers = with maintainers; [ ryantm numinit kranzes mgdelacroix ];
mainProgram = "mattermost";
};
}

33
pkgs/morph.nix Normal file
View file

@ -0,0 +1,33 @@
{ buildGoModule
, fetchFromGitHub
}:
buildGoModule rec {
pname = "mattermost-morph";
version = "1.1.0";
src = fetchFromGitHub {
owner = "mattermost";
repo = "morph";
rev = "v${version}";
hash = "sha256-Orh/a9OlUVIlDdLXRpDAnHUmWRiM1N2oO+dijbuJzx8=";
};
vendorHash = null;
subPackages = [ "cmd/morph" ];
tags = [ "production" ];
ldflags = [
"-s"
"-w"
"-X github.com/mattermost/mattermost/server/public/model.Version=${version}"
"-X github.com/mattermost/mattermost/server/public/model.BuildNumber=${version}-nixpkgs"
"-X github.com/mattermost/mattermost/server/public/model.BuildDate=1970-01-01"
"-X github.com/mattermost/mattermost/server/public/model.BuildHash=v${version}"
"-X github.com/mattermost/mattermost/server/public/model.BuildHashEnterprise=none"
"-X github.com/mattermost/mattermost/server/public/model.BuildEnterpriseReady=false"
];
}

15
pkgs/scripts/default.nix Normal file
View file

@ -0,0 +1,15 @@
{ stdenvNoCC, gauche }:
stdenvNoCC.mkDerivation {
name = "hacc-utility-scripts";
src = ./.;
buildInputs = [ gauche ];
installPhase = ''
chmod +x *.scm
mkdir -p $out/bin
cp *.scm $out/bin
'';
}

View file

@ -0,0 +1,120 @@
#!/usr/bin/env gosh
(use gauche.process)
(use text.csv)
(use scheme.list)
(use gauche.parseopt)
(use util.match)
(define cutoff-date "2023-01-01")
(define sqlite-path "/persist/containers/uffd/uffd/db.sqlite")
(define sqlite-query
"select displayname, mail, max(expires) as last_login from oauth2token join user on user_id=user.id group by user_id having last_login < '2023-01-01'
union all select displayname, mail, '2022' from user where not exists (select * from oauth2token where user_id = user.id);")
(define dry #f)
(define verbose #f)
(define very-verbose #f)
(define (main args)
(let-args (cdr args)
((averbose "v|verbose")
(averyverbose "very-verbose")
(adry "n|dry-run")
(help "h|help" => (cut show-help (car args)))
. restargs
)
(set! dry adry)
(set! verbose averbose)
(when averyverbose
(set! verbose #t)
(set! very-verbose #t))
(match restargs
[("admin") (do-admin-mail)]
[("send-reminder") (send-reminder-mails)]
[("list-accounts") (do-list-accounts)]
[_ (display "unknown command") (exit 1)]))
0)
(define (do-admin-mail)
(send-email "admin@hacc.space" "unused accounts list" (mk-admin-mail unused-accounts))
(when verbose
(display "done")))
(define (do-list-accounts)
(display (string-join
(map
(lambda (row) (format "~a (~a)" (list-ref row 0) (list-ref row 1)))
unused-accounts)
"\n")))
(define (send-reminder-mails)
(map (lambda (row)
(send-email (list-ref row 1) "Unbenutzter infra4future.de Account" (mk-email (list-ref row 0) (list-ref row 2))))
unused-accounts)
(when verbose
(display "done")))
(define csv-reader
(make-csv-reader #\,))
(define unused-accounts
(map (lambda (str) (with-input-from-string str csv-reader))
;; (process-output->string-list `(cat example.csv))))
(process-output->string-list `(sqlite3 -csv ,sqlite-path ,sqlite-query))))
(define (mk-email displayname last-login)
#"
Hallo ~|displayname|!
Wir haben schon lange (seit über einem Jahr; dein letzter Login war um ~|last-login|)
nichts mehr von dir gehört und würden demnächst deinen Account löschen wollen.
Solltest du ihn noch benötigen logge dich bitte einfach auf https://login.infra4future.de ein.
Falls nicht, musst du weiter nichts tun und wir werden deine Account in ca. 3 Monaten löschen.
Viele Grüße,
das Infra4Future Team
")
(define (mk-admin-mail rows)
(format #"
Meow!
this is the uffd-unused-accounts-notification.scm script. There are currently
~~s accounts which have not logged in since ~|cutoff-date|. To mass-send account
expiry reminders, invoke this script with the \"send-reminder\" option. To see a
list of these accounts, invoke it with the \"list-accounts\" option.
(invoke me,, 🥺)
" (length unused-accounts)))
; utility definitions
(define (send-email address subject text)
(when verbose
(display (format "sending email to ~a\n" address)))
(let ([text (string-append "from: admin@hacc.space\n" "subject: " subject "\n" text "\n")])
(when very-verbose
(display text))
(call-with-output-process
(if dry '(cat) `(sendmail ,address))
(lambda (port) (display text port))
:on-abnormal-exit :ignore)))
(define (show-help progname)
(display #"
~|progname|: unused account expiry helper script.
Invoke as `~|progname| [options] admin' to send a list of unused accounts to administrators.
Invoke as `~|progname| [options] send-reminder' to send a reminder email to all
currently unused accounts.
Options:
-v --verbose show which emails are being sent
-n --dry-run print emails to stdout instead
-h --help show this help
"))

35
pkgs/uffd/default.nix Normal file
View file

@ -0,0 +1,35 @@
{ stdenv, lib, python3Packages, fetchzip }:
python3Packages.buildPythonPackage rec {
pname = "uffd";
version = "2.0.1";
PACKAGE_VERSION = version;
src = fetchzip {
url = "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz";
hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4=";
};
patches = [ ./forgejo-magic.patch ./fix-setuppy.patch ./fix-userinfo.patch ];
propagatedBuildInputs = with python3Packages; [
flask
flask_sqlalchemy
flask_migrate
qrcode
fido2
oauthlib
flask-babel
argon2_cffi
itsdangerous
alembic
Mako
];
postPatch = ''
sed -i -e 's/==[0-9.]\+//g' setup.py
'';
doCheck = false;
doInstallCheck = false;
}

View file

@ -0,0 +1,34 @@
--- a/setup.py 2022-04-30 13:12:45.564651955 +0000
+++ b/setup.py 2022-04-30 13:17:02.545809513 +0000
@@ -41,31 +41,5 @@
'Flask-Babel==0.11.2',
'alembic==1.0.0',
'argon2-cffi==18.3.0',
-
- # The main dependencies on their own lead to version collisions and pip is
- # not very good at resolving them, so we pin the versions from Debian Buster
- # for all dependencies.
- 'certifi==2018.8.24',
- #cffi==1.12.2'
- 'cffi # v1.12.2 no longer works with python3.9. Newer versions seem to work fine.',
- 'chardet==3.0.4',
- 'click==7.0',
- 'cryptography==2.6.1',
- 'idna==2.6',
- 'itsdangerous==0.24',
- 'Jinja2==2.10',
- 'MarkupSafe==1.1.0',
- 'oauthlib==2.1.0',
- 'pyasn1==0.4.2',
- 'pycparser==2.19',
- 'requests==2.21.0',
- 'requests-oauthlib==1.0.0',
- 'six==1.12.0',
- 'SQLAlchemy==1.2.18',
- 'urllib3==1.24.1',
- 'Werkzeug==0.14.1',
- 'python-dateutil==2.7.3',
- #editor==1.0.3
- 'Mako==1.0.7',
],
)

View file

@ -0,0 +1,10 @@
--- a/uffd/oauth2/views.py 2022-04-30 20:39:53.825474990 +0000
+++ b/uffd/oauth2/views.py 2022-04-30 20:40:12.632389377 +0000
@@ -234,6 +234,7 @@
id=user.unix_uid,
name=user.displayname,
nickname=user.loginname,
+ username=user.loginname,
email=user.mail,
groups=[group.name for group in user.groups]
)

View file

@ -0,0 +1,32 @@
From e3c0995160a653ef6cd8784b255036585b273b82 Mon Sep 17 00:00:00 2001
From: stuebinm <stuebinm@disroot.org>
Date: Wed, 20 Jul 2022 18:02:15 +0200
Subject: [PATCH] magic gitea patch
---
uffd/oauth2/views.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/uffd/oauth2/views.py b/uffd/oauth2/views.py
index d13fd42..94352be 100644
--- a/uffd/oauth2/views.py
+++ b/uffd/oauth2/views.py
@@ -230,6 +230,15 @@ def oauth_required(*scopes):
@oauth_required('profile')
def userinfo():
user = request.oauth.user
+ client = request.oauth.client_id
+ if client == "forgejo":
+ return jsonify(
+ id=user.unix_uid,
+ full_name=user.displayname,
+ login=user.loginname,
+ email=user.mail,
+ groups=[group.name for group in user.groups]
+ )
return jsonify(
id=user.unix_uid,
name=user.displayname,
--
2.36.0

105
secrets.yaml Normal file
View file

@ -0,0 +1,105 @@
hedgedoc-hacc:
env: ENC[AES256_GCM,data:e2vSolxJNucya9QNs28gAVDBJQq5AJh7jS1nBh0UTkDnhNL8NPW1KTxcun4rM99EhiNZsz6Z9qHRMejmP4frQw==,iv:DqAGhGWYf/EpGnI79MxKmBlHMhK26zx50vXb1TbvESw=,tag:Xix499XAcAmxhNuGr2ApcA==,type:str]
mattermost:
env: ENC[AES256_GCM,data:ftWpGl6+sUMzJJKgfcPLvbFGGn16AKUPzPn8X6DNVMLrxZIkQ23Tk3ekKLKFpQEUtQfFjVlrTfFZezWKs4nVNLg2LmQqJNGMCCax5PRwAgoAsJ7pa9ewNmHT+EIXtZEjQgVfN5786Yno5n/6JJ1lz6EiGmdn7/0rF5TLGjzig17azazS1+lkIYY=,iv:SZvGGKpVRI/odHbmgY8M6t6zCk8RgM+7EQEgRiizglA=,tag:cInsVo/QD85m+LxldyRlnA==,type:str]
tracktrain:
env: ENC[AES256_GCM,data:W3+8qWomPgGJt5u50aAm9x/dilMpqKY11I2AdaIBTz5posc25ts0LB5S/Sxe1ROz4itpDK3QvjoFUTRhS39k4dwMr5lqXV8Ln4B+sPpvh7oBM8A5zydP8Jj1J1YqRt8++RTUmb4z41DIwb/yaZKMu6z0guXIu1yuYzcbCuk0xe/iOp6UUpfjOzzWTvxY54zY6kWcjHLiCSwD31Cd+MxMPfbUEkHt+0W+sBmYXGeEFI/6ULSB6FnGjNW6F9g=,iv:3ymah8HG+Yg6VYZZA/MRRjHDYvYJz01ezvhfQiftegg=,tag:trht+PRYfKgWJkg2wRwISQ==,type:str]
vaultwarden:
env: ENC[AES256_GCM,data:hdm91tI8WBd3es+IUbdBO69kh1pNZTNvZNFIdSZO8lm4yYMPE+Jm7EzVqwOaZRbpQaVDBg7uh5P4ODc=,iv:no7U0wQCwZOeL2pwXf2pUIgrEsEOYwqOT04LvpCl614=,tag:AGSu5M7H69x6pDM062bC6g==,type:str]
auamost:
secrets.fish: ENC[AES256_GCM,data:QBteJdVPSWa4cmu1BVWJ3AMWWH4zIv2+G83fK0QsbA/fYoIU5jobCT3USyujNz+jQaAAxA45jmQbCWNAFLl1q8hP4i9EIikVECx0VKVXPXILBND+w7zPSLldAbOugRYt2iAt1dDADZPtulKlkz7usdafbB+2igLXdyFRLfIxDTOrBuqQ+5yeofQe5k0XWRcmQQ/1AV0JrRrmLmr69VKsR932JWD8XxmI/HFyZPzWdExBSOmvnj+m4K+DV4cVmN4t6XOY0dM3gRQ95DglEuGlp/V2o3GqwY0mXCvhM1eh81u8mPALKp6Pv2i2yU35F01Puf5t1FHGDfzp0bW0xuKEywfGjAOifFkSE/3JFir434B6G0DiJNpOIl6QJ6DA8rSKfuPdccm6Or0zX8iJGRHDJmREQ05V9l0jHAAxLNuNdbsxg+8kCWVVnW+d1YDn9KW7LbFlP+sx4Ef5leUYft/lYhF4Z5Xp3arqVrlebWjWIBEuZeJTnkE3y+TdUUCs360zzWHqsipGmo1+/88CEqL52FfUOlJ4VCR45/7nYZ3RaRBWDGFW8RvwmWSFSstEcEXQ01U8lCwyn40+blfltme3KJ1f+pWMrZAKhPlOlMHCYfjd7esWI2sYcQbTZqxH49GnW6dsW/W+eiLs3zlD/Deb2CugHe63zRdlivmVPOz4zD1PXcCVpEZHoTTiJl7Om9K2mPYq9wQN41wsDUrNL9p8m9UlhWKbjBh5UU7p6F6OhF5rKH/Fs8fIaPi6B8uamTvEmiOGTUWl3vmQjBvhM8fJWoIkRB8hgCisr9OZ,iv:8jVAImjeXbXfiLKg9G0PyLMTV8cAyDmukeittqjKFpQ=,tag:fLIcsWKbdFQ/vPCgi/W3Zw==,type:str]
restic:
s3creds.env: ENC[AES256_GCM,data:9WNu5S4KmdMXdshSpawEjIexAKH6vZCPwb9xyq6xmerly1lxSfFZzgg60M0L3L+I4joLTVi23YBB8Eh6Xfx9GgxNww7w7BjMCQs/X16ecDWlb346TKf+,iv:Gu4CbXXJAlQYXRqOjIAUYmn8EU4mrvcOVc2eCh1Ikzs=,tag:1xpVIonHiAGHsXTY9liPQQ==,type:str]
system: ENC[AES256_GCM,data:RIgO0QHVjwp2D3LoU62vLzepASdsXxu0DqUTA6Voa3K1d4xFHX2u+UR8AcqR,iv:O0K8i5ivne7WU+ygDEUcrvKW6DIfXjVPY63gpfsxEFE=,tag:n/1atQ5qlyB0SMHrYiTCrA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1yql8qaf7upraqy4cq397tt4vgs046hq0v59qymla8t3x0ujqvu4sesgsvw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHd0Rrem03aWMwUGgwMlM2
dmRJdVYrRVNBTXZrVk5CdEFYcDRyN3VlcUhvCmE5L0lpbzdxanNBWFU1dEprUC9Y
eUZqdHVmWks2V1g0SHZRN1BsSU96OU0KLS0tIGl1ZUg2aDNtREZWeUE5UXlPeHNG
STcwOFgwK1lpWjdyTkd3c0dBTlAyK28KAKL7rPPH0DNRgL3qqCelAoUPnOy8MydL
t2ft9ZmzkoiSdSt0Ad1U5IImQt9ZzhPtYYnYbiEVNcfuFCnGcqdoPw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zgdegurzlr8cw9948wgf4q5qh3efltwhhzus5tt6az5xvvsux9us2v4tyd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvT0M2SmdwNmNyWWZ1V2o5
OHZ4RDlIbTZONXc5Z0FPMm03V3UzVWhaRnhBCjU5dzZlbkZHRkdacG1nUng4S0p6
Q1I5Vjg0Vk5wRzNGZTNONXdCMnpUTEEKLS0tIFo5K0tGdDZpLzNPb0llb0dJdk9u
c3p5UVBjZWlNVkxFMlVaQ3VMVFdhZVUKxcIL/JMBEojPRlDLHUIuxKcMPMEEsTkS
0zLjYVZL7YDS0dKdaZjaExHKrRzRpsY0qpDBHyhcyzRae1sWA4e5Kw==
-----END AGE ENCRYPTED FILE-----
- recipient: age18wkr3kjalalzrq9l05q32gnlaqr7t6rqqzde307m83rs9fp4xcfsdtj9gt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwUmFJc24xV2JGS3dzK25F
SVVXTjBaRUxJQ3hXZXlHYTRzaXZVNjVObEFZCmpPQUV1b0lySkUvcURObm1xNSt4
WVQrbnlvZkQrbzloQzc4NlJCWnlPeGMKLS0tIDBVa2lpUmcrWURwWW8rc3ZmUUU1
U0pGQjJackNhT0d4L2ZIOTdTUjBwcjQKCRWcpevMcv2HsWC4jyc/GzxxjkTEm+UF
4QdXjJAHh2QLxV9aXF/k/KogebCFkBTirmyOhRKtBRkt87d1D9FKUA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1q88az2y5hnx8naqsvrurllqj6y5gtehrpa9emmrxy5ghwsr7pvnqf7tfpx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWnZFOVFuTnFTMmpVMDFU
dkw4UFlUenZzNkRuNy90NWk4aVNEd2J2Ukc0Cm9mM2dpZEJpVVY4TVB0WUxmTjEw
VFJ3aHB6ZFh5YWptYTZ5cXVjTUNBVkEKLS0tIEx0dVRPVVVacHFCMDhFNE1NMnZy
cUxicklTUGtPeTlnSFV1TUZqR1VmRnMKtJ+Q80SgqW/Jad8aF7pViGANHCsTMNEM
7TbhITW+zWIhnviVS0xOqXrvQs4iBbMfiNnQbFS7tEX08AT2oAg6cw==
-----END AGE ENCRYPTED FILE-----
- recipient: age18nkru4pwvvapdw76nauv2xdtlj8cvyv3ugahe9kcxtvtsptx2eyqw7p0m6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzT3ZNenJKWTZ3NjdqNWpR
Zk9Ya3lsT1Jqd0RIWm8xdm16UjFzcFV1aGlBCkRuMllGSFVIUCs4UEJEQVVGQUxK
L1FGNGJwYkFIdU4wOXdFQWt6RSsyR28KLS0tIEgya2xORURncHlvNHJNTnIrb2da
emRETSt4WGFYeXR5UmNSajNpUStKUzAKxgDME0M1ewNE/BrL/wFjF4Yj7GupjRPF
Fuxae5U3phphzOkflQtreM1ScbUGge8WeiSVWY3Pl1azsYo/yqg8Ew==
-----END AGE ENCRYPTED FILE-----
- recipient: age1fm3e99tdyrsvztdchxxllt9nat35xzvd68d09y8scu9jfc7kvvuquhr49c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVEdpZmdSdnBaYnV2RWhT
MmMxQW9PUUJ4enRqNjFIZ25kUEkvdHBpOXdRCmJkSTJyWklhTU5neUlybzR1Nkp6
YlVHczNwRzl0d0hGalpvTFdEUlV3UHMKLS0tIGhQZXEvd2F0aTlna0FNL2wyaEdC
U1oyWXcza08rTG1DS0dUYkZOVWZ4L1kKgpt6jG0lNBMdk/isa1A/tfKYjprnnIo5
pi4t1c7CktFBkhMlOv6VPJCsQlP0YtZUh/uut70Kecv48+YH5gC/8A==
-----END AGE ENCRYPTED FILE-----
- recipient: age16fk0m26n0fr2vmuxm2mjsmrawclde2mlyj6wg3ee9jvzmu5ru3ustgs5jq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHRzc5WHAzcWhGSU1kdE1E
Z1B0aFhqYUQzQ2ptK09YMm9odWh3U0w3bmtvCi9IcWFhOFhvYU5ISlVpTURMY2hX
RG5mL1gvNkZ1SDdMZTR4QWxtRG1VUlkKLS0tIFl5UUdIR0JOSmF4OWx1OHBuaFJj
N0FDY2xYRlpmaTgxWURGZWxWWktPV00KAHNeeqhzql4LInlJoD9u7ptFWZBgktvp
tju4cZ/78VgdZIfEfnlzw8lsqpRx1z5Fw8K4CcXRJJLRVfHuj2CHTA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1l694a4xht7r0eza9r2vjncupmp6cxyk3k9x2ljwynnur4m2lc5jqmy3jut
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBscDFuL0ZsdWxoUFJBd2xr
ZXh3K0lSUnFmTVFTVHB5bGR2TC9lREdUczJrCnFSaGoyUnJjbXJ5d1lQd0RUcFJt
REkvdEY2NzcveHpQRWZ1STBSemx0SkkKLS0tIGtyN0svS3lYcmxUbVJiU1RaK21l
Ukh0VkVaeVBoOXQ1cmZ6WHNkYjQvTmsKG4914d+pSt1seoKiejoCvATOTaVFN4ih
Y74W+WXyaKoQP3Q9QrbSURpE+ICfblxHmkbsPB/agNzZVWrfyBaX1A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m374x78q9eykua32ldrqxh8rh36kz6jyre69a263krf28hcycsqsrmshl0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqR01XampvRE92VnZ3OTZs
YmJYaEN2eVJOVWt1OHE1bTdua1ArSC9oVm1ZClBsVFBSWWtLRUoyNDF0NlUwaUpo
b0kyazNwRUFhS0RYd1pGNHNENWxQb28KLS0tIDhzdHhRN1FYczZBMksrM09UWUtJ
bndBTXJhQVE2OVlKeGNTbzJlL0duUzAKIWdesesYvBIN/m36fhzxq30+IT8qp/pF
S6i7QqZF75y2BpEoupRCqNIAsHrouUE+U9ZQJZO8m9J591mWvbVJIw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-26T13:05:44Z"
mac: ENC[AES256_GCM,data:9A8nX155dpCC1cvdH1hgeNKh0tt5FMaOKU7vZQ33jfWbiXOsJbp5iHKXxWOexFc70acyhdweoHwq61oJm2mzVufJIPA55ZAUItQcDXJCCeu6KswHug0tQtKHoCRSwdTdMTRNom4XjrpA/j4WWpuhoilyknycXqTpGHHVSdL2lYg=,iv:N0zwzGtGzAxhbmLzslbkXSr/iKmq5FeyT/iWeE4x2hQ=,tag:yIoLXpqlU2SlVRK5+S/qaw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

View file

@ -0,0 +1,44 @@
# Markdown docs with zola.
[Zola](https://www.getzola.org/) is a static site generated written in Rust
(which you'll notice since sometimes it panics).
To run the site locally:
```
zola serve
```
## Directory Layout
All the important stuff goes into `content`. If you create subdirectories, make
sure you remembered to also create an `_index.md` file for it (if in doubt, just
copy the one at `content/_index.md`); otherwise pages in there won't work.
`templates` is *not* for site templates, but specifies how markdown files should
be turned into html. If an autogenerated link broke, you'll probably have to
change something in there. `sass` and `static` do exactly what they sound like.
It usually shouldn't be necessary to change `config.toml`, but if it is, [here
is the list of all available options](https://www.getzola.org/documentation/getting-started/configuration/).
## File Layout
Markdown files start with a frontmatter that should look something like so:
```markdown
+++
title = "blåhaj"
taxonomies.categories = [ "flausch" ]
+++
[actual markdown goes here]
```
The frontmatter is TOML; the `taxonomies.*` keys are special and can be used to
aggregate posts if enabled in `config.toml` (currently that's only the case for
`categories`, though). See also the [list of all available keys](https://www.getzola.org/documentation/content/page/).
Please don't repeat the page's title in markdown, otherwise it'll appear twice
in the html.

View file

@ -0,0 +1,35 @@
# Zola's configuration file,
#
# see https://www.getzola.org/documentation/getting-started/configuration/
# for available keys.
# The URL the site will be built for
base_url = "https://docs.hacc.space"
compile_sass = true
default_language = "en"
# might be useful — this isn't a blog, obviously, but updates for new entries
# could still be nice, I guess
generate_feed = true
feed_filename = "atom.xml"
build_search_index = true
taxonomies = [
{ name = "categories", feed = false},
]
[markdown]
highlight_code = true
[extra] # user-defined keys
# site title text
main_title = "haccfiles documentation"
# navbar entries
main_menu = [
{url = "$BASE_URL", name = "Home"},
{url = "$BASE_URL/categories", name = "Categories"}
]

View file

@ -0,0 +1 @@
../../docs

View file

@ -0,0 +1,22 @@
{ copyPathToStore, stdenvNoCC, zola, writeShellScriptBin }:
stdenvNoCC.mkDerivation rec {
name = "docs.hacc.space-static";
src = ./.;
content = copyPathToStore ../../docs;
phases = [ "buildPhase" ];
buildInputs = [ zola ];
buildPhase = ''
cp -r $src/* .
rm content
ln -s $content content
zola build --output-dir $out
'';
watch = writeShellScriptBin "watch" ''
cd $(git rev-parse --show-toplevel)/websites/docs.hacc.space
${zola}/bin/zola serve --output-dir /tmp/hacc-docs "$@"
'';
}

View file

@ -0,0 +1,168 @@
@font-face {
font-family: 'share-tech';
src: url('ShareTech-Regular.ttf') format('truetype');
}
html {
overflow: hidden;
height: 100%;
}
body {
background-color: #000;
color: #fff;
overflow-y: auto;
overflow-x: hidden;
height: 100%;
}
#content {
font-family: 'share-tech';
margin-left: auto;
margin-right: auto;
max-width: 60em;
font-size: 16pt;
position: relative;
}
p.subtitle {
font-size: 14pt;
font-style: normal;
color: gray;
}
article {
margin-bottom: 4em;
}
#searchresults {
width: 90%;
text-align: right;
right: 0;
position: absolute;
background-color: black;
top: 5em;
color: gray;
}
#searchresults div {
padding: 0.5em;
border-top: 1px dashed gray;
}
#searchresults div:last-child {
border-bottom: 1px dashed gray;
}
.searchresultprevtext {
white-space: nowrap;
overflow: hidden;
text-overflow: ellipsis;
display: inline-block;
width: 40em;
float: left;
}
footer.content {
top: 50px;
color: #cccccc;
font-size: 14px;
margin-bottom: 4em;
}
footer a {
color: #cccccc;
}
.logo {
position: relative;
width: 100%;
}
.logo > img {
width: 300px;
max-width: 100%;
}
h1 {
font-size: 32pt;
}
#headernav {
text-align: right;
margin: 1em;
}
#headernav > a {
padding: 0.2em;
font-size: 20pt;
font-family: share-tech;
}
h1, h2, h3, h4, h5, h6{
font-weight: 600;
display: inline;
font-family: share-tech;
background: rgb(59,115,185);
background: linear-gradient(90deg, rgb(59, 115, 185) 0%, rgb(229, 35, 33) 100%);
background-clip: border-box;
color: transparent;
-webkit-background-clip: text;
background-clip: text;
}
/*
h4 {
//font-weight: 600;
//display: inline;
font-family: share-tech;
//background: rgb(59,115,185);
//background: linear-gradient(90deg, rgb(59, 115, 185) 0%, rgb(229, 35, 33) 100%);
//background-clip: border-box;
color: #fff;
//-webkit-background-clip: text;
//background-clip: text;
}
*/
a {
text-decoration: none;
color: #3b73b9;
transition: color .1s linear;
}
a:hover {
/*color: #e52321;*/
color: #4e9af9;
}
ul {
margin-top: 0;
}
pre {
padding: 1rem;
overflow: auto;
font-size: 16px;
}
// The line numbers already provide some kind of left/right padding
pre[data-linenos] {
padding: 1rem 0;
}
pre table td {
padding: 0;
}
// The line number cells
pre table td:nth-of-type(1) {
text-align: center;
user-select: none;
}
pre mark {
// If you want your highlights to take the full width.
display: block;
// The default background colour of a mark is bright yellow
background-color: rgba(254, 252, 232, 0.9);
}
pre table {
width: 100%;
border-collapse: collapse;
}

Binary file not shown.

Binary file not shown.

After

Width:  |  Height:  |  Size: 3.7 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 5.2 KiB

View file

@ -0,0 +1,52 @@
function mkDiv (res) {
let div = document.createElement("div");
let a = document.createElement("a");
a.innerText = res.doc.title;
a.href = res.ref;
let text = document.createElement("span");
text.innerText = res.doc.body.slice(0,400).replaceAll("\n", " ");
text.classList.add("searchresultprevtext");
div.appendChild(text);
div.appendChild(a);
return div;
}
window.onload = () => {
console.log("hello!")
let searchbox = document.getElementById("searchbox");
searchbox.innerHTML =
"<input id='searchinput' placeholder='search ...'></input> \
<div id='searchresults' style='display:none'></div>";
let searchinput = document.getElementById("searchinput");
let searchresults = document.getElementById("searchresults");
let index = elasticlunr.Index.load(window.searchIndex);
searchinput.addEventListener("keyup", () => {
let term = searchinput.value.trim();
let results = [];
if (term !== "") {
results = index.search(term, {});
console.log(results);
while (searchresults.lastChild) {
searchresults.removeChild(searchresults.lastChild)
}
if (results.length !== 0) {
let resultdivs = results.map(mkDiv);
resultdivs.map((div) => searchresults.appendChild(div));
} else {
searchresults.innerHTML =
term.length <= 4 ?
"<div>Need at least four characters to search.</div>"
: "<div>No results here.</div>";
}
searchresults.style.display = "initial";
} else {
searchresults.style.display = "none";
}
});
}

Some files were not shown because too many files have changed in this diff Show more