From f1e3d3074c6f62b0991af3655ace2c06dabeb9c0 Mon Sep 17 00:00:00 2001 From: Emile Date: Sun, 27 Jul 2025 11:11:14 +0200 Subject: a small commit for mankind, nah, a big one! MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - moved the oidc client secrets into age secrets (and rotated them) - changed stuff™ --- .vscode/settings.json | 3 + Makefile | 3 +- README.md | 13 + flake.lock | 221 +++- flake.nix | 161 ++- nix/hosts/caladan/aliases.nix | 1 + nix/hosts/caladan/darwin-configuration.nix | 19 +- nix/hosts/caladan/home_emile.nix | 35 +- nix/hosts/caladan/overlay.nix | 58 +- nix/hosts/corrino/configuration.nix | 202 ++-- nix/hosts/corrino/ports.nix | 13 +- .../corrino/secrets/goapp_oidc_client_secret.age | 7 + nix/hosts/corrino/secrets/goapp_oidc_secret.age | Bin 395 -> 395 bytes .../secrets/gotosocial_environment_file.age | Bin 765 -> 765 bytes .../secrets/gotosocial_oidc_client_secret.age | 7 + nix/hosts/corrino/secrets/grafana_env_vars.age | Bin 431 -> 431 bytes .../corrino/secrets/grafana_oidc_client_secret.age | 7 + .../secrets/hedgedoc_environment_variables.age | Bin 907 -> 911 bytes .../secrets/hedgedoc_oidc_client_secret.age | Bin 0 -> 454 bytes .../corrino/secrets/immich_oidc_client_secret.age | Bin 0 -> 454 bytes .../secrets/miniflux_oidc_client_secret.age | Bin 0 -> 454 bytes nix/hosts/corrino/secrets/miniflux_oidc_secret.age | Bin 395 -> 395 bytes .../corrino/secrets/tailscale-corrino-cert.age | Bin 3247 -> 3210 bytes .../corrino/secrets/tailscale-corrino-key.age | Bin 549 -> 549 bytes nix/hosts/corrino/www/ctf.emile.space.nix | 21 +- nix/hosts/corrino/www/git/cgit.nix | 6 + nix/hosts/corrino/www/git/git.nix | 106 -- nix/hosts/corrino/www/goapp.emile.space.nix | 8 +- nix/hosts/corrino/www/grafana.emile.space.nix | 256 +++-- nix/hosts/corrino/www/hydra.emile.space.nix | 7 +- nix/hosts/corrino/www/irc.emile.space.nix | 345 +++--- nix/hosts/corrino/www/loki.emile.space.nix | 64 -- nix/hosts/corrino/www/mc.emile.space.nix | 5 +- nix/hosts/corrino/www/md.emile.space.nix | 35 +- nix/hosts/corrino/www/miniflux.emile.space.nix | 80 +- nix/hosts/corrino/www/photo/immich.nix | 39 +- nix/hosts/corrino/www/prometheus.emile.space.nix | 36 +- nix/hosts/corrino/www/promtail.emile.space.nix | 114 -- nix/hosts/corrino/www/s3.emile.space.nix | 105 +- nix/hosts/corrino/www/sb.emile.space.nix | 114 -- nix/hosts/corrino/www/social.emile.space.nix | 25 +- nix/hosts/corrino/www/tickets.emile.space.nix | 2 +- nix/hosts/lampadas/configuration.nix | 13 - nix/lib/flake-helper.nix | 41 +- nix/modules/libvirtnix/a.xml | 259 +++++ nix/modules/libvirtnix/b.xml | 183 ++++ nix/modules/libvirtnix/config.nix | 524 ++++++++++ nix/modules/libvirtnix/domain.nix | 1106 ++++++++++++++++++-- nix/modules/libvirtnix/os.nix | 119 +++ nix/modules/libvirtnix/secret.nix | 174 +++ nix/modules/libvirtnix/xml.nix | 23 +- nix/pkgs/aarch64-darwin.nix | 5 +- nix/pkgs/glibc-all-in-one/default.nix | 15 +- nix/pkgs/libc-database/default.nix | 2 +- nix/pkgs/x86_64-linux.nix | 1 + secret_create.sh | 2 +- 56 files changed, 3432 insertions(+), 1153 deletions(-) create mode 100644 .vscode/settings.json create mode 100644 nix/hosts/corrino/secrets/goapp_oidc_client_secret.age create mode 100644 nix/hosts/corrino/secrets/gotosocial_oidc_client_secret.age create mode 100644 nix/hosts/corrino/secrets/grafana_oidc_client_secret.age create mode 100644 nix/hosts/corrino/secrets/hedgedoc_oidc_client_secret.age create mode 100644 nix/hosts/corrino/secrets/immich_oidc_client_secret.age create mode 100644 nix/hosts/corrino/secrets/miniflux_oidc_client_secret.age delete mode 100644 nix/hosts/corrino/www/git/git.nix delete mode 100644 nix/hosts/corrino/www/loki.emile.space.nix delete mode 100644 nix/hosts/corrino/www/promtail.emile.space.nix delete mode 100644 nix/hosts/corrino/www/sb.emile.space.nix create mode 100644 nix/modules/libvirtnix/a.xml create mode 100644 nix/modules/libvirtnix/b.xml create mode 100644 nix/modules/libvirtnix/os.nix create mode 100644 nix/modules/libvirtnix/secret.nix diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000..6418298 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,3 @@ +{ + "makefile.configureOnOpen": false +} \ No newline at end of file diff --git a/Makefile b/Makefile index 6708a52..5a10aec 100644 --- a/Makefile +++ b/Makefile @@ -17,14 +17,13 @@ update: time nix flake update --commit-lock-file switch-caladan: - time nix run https://github.com/LnL7/nix-darwin/archive/master.tar.gz -- switch --flake .#caladan + time sudo nix run https://github.com/LnL7/nix-darwin/archive/master.tar.gz -- switch --flake .#caladan build-corrino: time nix run nixpkgs#nix-output-monitor build .#nixosConfigurations.${HOSTNAME}.config.system.build.toplevel deploy: # build time nix run -- nixpkgs#nixos-rebuild switch \ - -vvv \ --fast \ --build-host root@${BUILDHOST} \ --target-host root@${HOSTNAME} \ diff --git a/README.md b/README.md index a925db3..5ae3fda 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,14 @@ # hefe +## Buildhosts + +[hydra](https://hydra.emile.space) builds the packages, templates and hosts continously. + +- x86_64-linux: corrino (Hetzner AX41) +- x86_64-darwin: kaitain (Mac Mini) +- aarch64-linux: pi4 +- aarch64-darwin: caladan (m1 macbook air) + ## Secrets - Managed using agenix @@ -31,3 +40,7 @@ Print the generated secrets file as follows: ; make switch-caladan ``` +## Troubleshooting + +Weird `lock` issues? Try `sudo pkill -9 nix-daemon` on the build machine + diff --git a/flake.lock b/flake.lock index 851a6d8..8462510 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1736955230, - "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", + "lastModified": 1750173260, + "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", "ref": "refs/heads/main", - "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", - "revCount": 320, + "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", + "revCount": 331, "type": "git", "url": "https://github.com/ryantm/agenix" }, @@ -31,11 +31,11 @@ ] }, "locked": { - "lastModified": 1700795494, - "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", "type": "github" }, "original": { @@ -52,16 +52,16 @@ ] }, "locked": { - "lastModified": 1739553546, - "narHash": "sha256-L4ou3xfOr17EAe836djRoQ7auVkYOREMtiQa82wVGqU=", - "ref": "nix-darwin-24.11", - "rev": "353846417f985e74fdc060555f17939e4472ea2c", - "revCount": 2010, + "lastModified": 1749744770, + "narHash": "sha256-MEM9XXHgBF/Cyv1RES1t6gqAX7/tvayBC1r/KPyK1ls=", + "ref": "nix-darwin-25.05", + "rev": "536f951efb1ccda9b968e3c9dee39fbeb6d3fdeb", + "revCount": 2185, "type": "git", "url": "https://github.com/lnl7/nix-darwin" }, "original": { - "ref": "nix-darwin-24.11", + "ref": "nix-darwin-25.05", "type": "git", "url": "https://github.com/lnl7/nix-darwin" } @@ -75,11 +75,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1727447169, - "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=", + "lastModified": 1749105467, + "narHash": "sha256-hXh76y/wDl15almBcqvjryB50B0BaiXJKk20f314RoE=", "ref": "master", - "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76", - "revCount": 328, + "rev": "6bc76b872374845ba9d645a2f012b764fecd765f", + "revCount": 340, "type": "git", "url": "https://github.com/serokell/deploy-rs" }, @@ -92,11 +92,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", "owner": "edolstra", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", "type": "github" }, "original": { @@ -123,6 +123,21 @@ "url": "https://github.com/numtide/flake-utils" } }, + "hefe-internal": { + "locked": { + "lastModified": 1750711567, + "narHash": "sha256-nQzCB2k8YQrU+nMpo6Vvea/EZQ6mAu8EmxqXtsiwNAg=", + "ref": "refs/heads/main", + "rev": "3b86571ad3fe8da0c6c3a48c38b04f11c1ab3d8c", + "revCount": 150, + "type": "git", + "url": "file:///Users/emile/hefe-internal" + }, + "original": { + "type": "git", + "url": "file:///Users/emile/hefe-internal" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -131,11 +146,11 @@ ] }, "locked": { - "lastModified": 1703113217, - "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", "owner": "nix-community", "repo": "home-manager", - "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", "type": "github" }, "original": { @@ -151,16 +166,16 @@ ] }, "locked": { - "lastModified": 1739757849, - "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=", - "ref": "release-24.11", - "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe", - "revCount": 3881, + "lastModified": 1749154018, + "narHash": "sha256-gjN3j7joRvT3a8Zgcylnd4NFsnXeDBumqiu4HmY1RIg=", + "ref": "release-25.05", + "rev": "7aae0ee71a17b19708b93b3ed448a1a0952bf111", + "revCount": 4770, "type": "git", "url": "https://github.com/nix-community/home-manager" }, "original": { - "ref": "release-24.11", + "ref": "release-25.05", "type": "git", "url": "https://github.com/nix-community/home-manager" } @@ -172,11 +187,11 @@ ] }, "locked": { - "lastModified": 1739824009, - "narHash": "sha256-fcNrCMUWVLMG3gKC5M9CBqVOAnJtyRvGPxptQFl5mVg=", + "lastModified": 1745925850, + "narHash": "sha256-cyAAMal0aPrlb1NgzMxZqeN1mAJ2pJseDhm2m6Um8T0=", "ref": "refs/heads/master", - "rev": "e5130d37369bfa600144c2424270c96f0ef0e11d", - "revCount": 353, + "rev": "38bc60bbc157ae266d4a0c96671c6c742ee17a5f", + "revCount": 359, "type": "git", "url": "https://github.com/nix-community/naersk" }, @@ -187,16 +202,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1740603184, - "narHash": "sha256-t+VaahjQAWyA+Ctn2idyo1yxRIYpaDxMgHkgCNiMJa4=", - "ref": "nixos-24.11", - "rev": "f44bd8ca21e026135061a0a57dcf3d0775b67a49", + "lastModified": 1752620740, + "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=", + "ref": "nixos-25.05", + "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e", "shallow": true, "type": "git", "url": "ssh://git@github.com/nixos/nixpkgs.git" }, "original": { - "ref": "nixos-24.11", + "ref": "nixos-25.05", "shallow": true, "type": "git", "url": "ssh://git@github.com/nixos/nixpkgs.git" @@ -204,11 +219,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1740547748, - "narHash": "sha256-Ly2fBL1LscV+KyCqPRufUBuiw+zmWrlJzpWOWbahplg=", + "lastModified": 1748856973, + "narHash": "sha256-RlTsJUvvr8ErjPBsiwrGbbHYW8XbB/oek0Gi78XdWKg=", "ref": "nixpkgs-unstable", - "rev": "3a05eebede89661660945da1f151959900903b6a", - "revCount": 759303, + "rev": "e4b09e47ace7d87de083786b404bf232eb6c89d8", + "revCount": 809757, "type": "git", "url": "https://github.com/nixos/nixpkgs" }, @@ -218,16 +233,105 @@ "url": "https://github.com/nixos/nixpkgs" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1743259260, + "narHash": "sha256-ArWLUgRm1tKHiqlhnymyVqi5kLNCK5ghvm06mfCl4QY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "eb0e0f21f15c559d2ac7633dc81d079d1caf5f5f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "pwndbg": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "pyproject-build-systems": "pyproject-build-systems", + "pyproject-nix": "pyproject-nix", + "uv2nix": "uv2nix" + }, + "locked": { + "lastModified": 1750271240, + "narHash": "sha256-mDT83XFhJaAQA7l1/t3TrjsiHzyW4BCWb5lXfe6Qlb8=", + "ref": "refs/heads/dev", + "rev": "1de6e8e2723f3d89952ca47fd4c8dab78af574b5", + "revCount": 2497, + "type": "git", + "url": "ssh://git@github.com/pwndbg/pwndbg" + }, + "original": { + "type": "git", + "url": "ssh://git@github.com/pwndbg/pwndbg" + } + }, + "pyproject-build-systems": { + "inputs": { + "nixpkgs": [ + "pwndbg", + "nixpkgs" + ], + "pyproject-nix": [ + "pwndbg", + "pyproject-nix" + ], + "uv2nix": [ + "pwndbg", + "uv2nix" + ] + }, + "locked": { + "lastModified": 1742689179, + "narHash": "sha256-kDXV6r6pQp6sxBKKxXqcTGPdiH63m8WA+IvzHhdZlEg=", + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "rev": "5c2a1faadc4015d50eb9919a8e20c112f3765fc2", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "type": "github" + } + }, + "pyproject-nix": { + "inputs": { + "nixpkgs": [ + "pwndbg", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1743085397, + "narHash": "sha256-mCJgxAltNx9uzYTpaSNr6yQtDMXnRykXL87L2bLmsPo=", + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "rev": "af4c3ccf8cffcd49626b0455defb0f6b22cc1910", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "type": "github" + } + }, "root": { "inputs": { "agenix": "agenix", "darwin": "darwin_2", "deploy-rs": "deploy-rs", "flake-utils": "flake-utils", + "hefe-internal": "hefe-internal", "home-manager": "home-manager_2", "naersk": "naersk", "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable" + "nixpkgs-unstable": "nixpkgs-unstable", + "pwndbg": "pwndbg" } }, "systems": { @@ -280,11 +384,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "owner": "numtide", "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, "original": { @@ -292,6 +396,31 @@ "repo": "flake-utils", "type": "github" } + }, + "uv2nix": { + "inputs": { + "nixpkgs": [ + "pwndbg", + "nixpkgs" + ], + "pyproject-nix": [ + "pwndbg", + "pyproject-nix" + ] + }, + "locked": { + "lastModified": 1743267007, + "narHash": "sha256-A5lFzCjO3kBnpUewPaHoM1f6qgubDqw7bgIGSi5i0JE=", + "owner": "pyproject-nix", + "repo": "uv2nix", + "rev": "ede084fd69a0b656acb1ac20e6609385a3f967ba", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "uv2nix", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index cad6ed4..426c52b 100644 --- a/flake.nix +++ b/flake.nix @@ -1,13 +1,14 @@ { inputs = { - nixpkgs.url = "git+ssh://git@github.com/nixos/nixpkgs.git?shallow=1&ref=nixos-24.11"; + # nixpkgs.url = "git+ssh://git@github.com/nixos/nixpkgs.git?shallow=1&ref=nixos-24.11"; + nixpkgs.url = "git+ssh://git@github.com/nixos/nixpkgs.git?shallow=1&ref=nixos-25.05"; nixpkgs-unstable.url = "git+https://github.com/nixos/nixpkgs?ref=nixpkgs-unstable"; # nix darwin version must match nixpkgs version: # nixpkgs: nixos-xx.yy - # nix-darwin: nix-darwin-xx.yy + # darwin: nix-darwin-xx.yy # with xx.yy being the same - darwin.url = "git+https://github.com/lnl7/nix-darwin?ref=nix-darwin-24.11"; + darwin.url = "git+https://github.com/lnl7/nix-darwin?ref=nix-darwin-25.05"; darwin.inputs.nixpkgs.follows = "nixpkgs"; deploy-rs.url = "git+https://github.com/serokell/deploy-rs?ref=master"; @@ -16,7 +17,7 @@ agenix.url = "git+https://github.com/ryantm/agenix"; agenix.inputs.nixpkgs.follows = "nixpkgs"; - home-manager.url = "git+https://github.com/nix-community/home-manager?ref=release-24.11"; + home-manager.url = "git+https://github.com/nix-community/home-manager?ref=release-25.05"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; naersk.url = "git+https://github.com/nix-community/naersk"; @@ -24,7 +25,9 @@ flake-utils.url = "git+https://github.com/numtide/flake-utils"; - # hefe-internal.url = "git+file:///Users/emile/hefe-internal"; + pwndbg.url = "git+ssh://git@github.com/pwndbg/pwndbg"; + + hefe-internal.url = "git+file:///Users/emile/hefe-internal"; # hefe-internal.url = "git+ssh://git@git.emile.space/hefe-internal"; # nix registry add flake:mylocalrepo git+file:///path/to/local/repo @@ -43,42 +46,13 @@ home-manager, # manage my home envs naersk, # build rust stuff flake-utils, # common flake utils - # hefe-internal, # internal tooling + pwndbg, # fancy gdbinit + hefe-internal, # internal tooling ... }@inputs: let lib = import ./nix/lib inputs; helper = lib.flake-helper; - - # TODO(emile): move all these functions into the helper, keeping the flake.nix clean - - # A function taking an attribute set of flake templates, importing their - # flake.nix/output/packages (if there are any) and returning an attribute set - # of their packages (if the template has one or more) - template-packages = - builtins.mapAttrs (name: value: - (((import ./nix/templates/${name}/flake.nix).outputs) - { inherit nixpkgs flake-utils; }) - .packages or { } - ); - - # apply the above function to the templates - templates = template-packages self.templates; - - # Merge template packages into root packages with template prefix - merged-template-packages = - system: - let - lib = nixpkgs.lib; - in - lib.foldl ( - acc: tplName: - let - tplPkgs = templates.${tplName}.${system} or { }; - prefixed = lib.mapAttrs' (pkgName: pkg: lib.nameValuePair "${tplName}-${pkgName}" pkg) tplPkgs; - in - acc // prefixed - ) { } (builtins.attrNames templates); in { hosts = { @@ -109,16 +83,16 @@ ip = "corrino"; description = "Hetzner AX41 dual 512GB NVME"; modules = [ - # hefe-internal.nixosModules.corrino + hefe-internal.nixosModules.corrino ( { self, ... }: { nixpkgs.overlays = [ - (final: prev: { - inherit (self.packages.x86_64-linux) - goapp-frontend - ; - }) + # (final: prev: { + # inherit (self.packages.x86_64-linux) + # goapp-frontend + # ; + # }) ]; } ) @@ -168,8 +142,16 @@ # description = "lankiveil bmc"; # }; - # kaitain = {}; - # ecaz = {}; + # kaitain = { + # system = "x86_64-darwin"; + # description = "mac mini"; + # }; + + # ecaz = { + # system = "x86_64-linux"; + # description = "pi4"; + # }; + # gamont = {}; # futher names: https://neoencyclopedia.fandom.com/wiki/List_of_Dune_planets @@ -211,12 +193,11 @@ # no clue why, but when rebuilding corrino and this not being commented, # something in the hardware.bluetooth module breaks - # # unstable-darwin = final: prev: { - # unstable-darwin = import nixpkgs-unstable { - # system = "aarch64-darwin"; - # config.allowUnfree = true; - # }; + unstable-darwin = import nixpkgs-unstable { + system = "aarch64-darwin"; + config.allowUnfree = true; + }; # }; }; @@ -236,12 +217,13 @@ inherit system; overlays = [ ( - if system == "x86_64-linux" then - self.overlays.x86_64-linux - else if system == "aarch64-darwin" then - self.overlays.aarch64-darwin - else - null + self.overlays.${system} + # if system == "x86_64-linux" then + # self.overlays.x86_64-linux + # else if system == "aarch64-darwin" then + # self.overlays.aarch64-darwin + # else + # null ) # some arguments for packages (_: _: { inherit naersk; }) @@ -250,44 +232,53 @@ in # take all the packages exposed from templates and add them to # the packages exposed by this flake - merged-template-packages system - // { - inherit (pkgs) vokobe r2wars-web remarvin; + + # TODO(emile): templates + #helper.merged-template-packages system + # // + { + inherit (pkgs) + vokobe + r2wars-web + # remarvin + # glibc-all-in-one + ; } ); hydraJobs = { inherit (self) packages; - nixosConfigurations = helper.buildHosts self.nixosConfigurations; - templates = template-packages self.templates; + # nixosConfigurations = helper.buildHosts self.nixosConfigurations; + # templates = helper.template-packages self.templates; }; - templates = { - # ; nix nix registry add hefe /Users/emile/Documents/hefe - # ; nix flake init -t hefe#ctf - ctf = { - description = "A basic ctf env with pwn, rev, ... tools"; - path = ./nix/templates/ctf; - welcomeText = '' - # CTF flake template - - Run `nix develop` to get a shell with pwntools, pwndbg, pycryptodome, ... - - Add packages in the flake as you like. - ''; - }; - goapp = { - description = "A basic golang service"; - path = ./nix/templates/goapp; - welcomeText = '' - # A basic golang service + # TODO(emile): templates + # templates = { + # # ; nix nix registry add hefe /Users/emile/Documents/hefe + # # ; nix flake init -t hefe#ctf + # ctf = { + # description = "A basic ctf env with pwn, rev, ... tools"; + # path = ./nix/templates/ctf; + # welcomeText = '' + # # CTF flake template + + # Run `nix develop` to get a shell with pwntools, pwndbg, pycryptodome, ... + + # Add packages in the flake as you like. + # ''; + # }; + # goapp = { + # description = "A basic golang service"; + # path = ./nix/templates/goapp; + # welcomeText = '' + # # A basic golang service - - using gorilla/mux - ''; - }; + # - using gorilla/mux + # ''; + # }; - # checks = builtins.mapAttrs (system: deployLib: - # deployLib.deployChecks self.deploy) deploy-rs.lib; - }; + # # checks = builtins.mapAttrs (system: deployLib: + # # deployLib.deployChecks self.deploy) deploy-rs.lib; + # }; }; } diff --git a/nix/hosts/caladan/aliases.nix b/nix/hosts/caladan/aliases.nix index d65bc14..6738589 100644 --- a/nix/hosts/caladan/aliases.nix +++ b/nix/hosts/caladan/aliases.nix @@ -4,6 +4,7 @@ # short forms tf = "terraform"; + m = "multipass"; r2help = ''r2 -qq -c "?*~..." --''; mosh = "mosh --no-init"; diff --git a/nix/hosts/caladan/darwin-configuration.nix b/nix/hosts/caladan/darwin-configuration.nix index 6fdbdaa..e581cb8 100644 --- a/nix/hosts/caladan/darwin-configuration.nix +++ b/nix/hosts/caladan/darwin-configuration.nix @@ -1,7 +1,9 @@ { pkgs, lib, ... }: { - imports = [ ./overlay.nix ]; + imports = [ + ./overlay.nix + ]; system.stateVersion = 5; @@ -27,9 +29,17 @@ # users.users."_nixbld3".uid = 307; # users.users."_nixbld4".uid = 308; # users.users."_nixbld5".uid = 309; + + # virtualisation.multipass = { + # enable = true; + # package = pkgs.multipass; + # logLevel = "debug"; + # }; + + ids.gids.nixbld = 30000; nix = { - useDaemon = true; + # useDaemon = true; # package = pkgs.nixFlakes; extraOptions = '' @@ -115,10 +125,11 @@ allowUnsupportedSystem = true; }; - services.nix-daemon.enable = true; + # services.nix-daemon.enable = true; # <3 - security.pam.enableSudoTouchIdAuth = true; + # security.pam.enableSudoTouchIdAuth = true; + security.pam.services.sudo_local.touchIdAuth = true; environment = { systemPackages = [ ]; # set via home-manager diff --git a/nix/hosts/caladan/home_emile.nix b/nix/hosts/caladan/home_emile.nix index 545c4d5..704b73b 100644 --- a/nix/hosts/caladan/home_emile.nix +++ b/nix/hosts/caladan/home_emile.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, ... }: +{ pkgs, lib, ... }: { home = { @@ -50,7 +50,7 @@ fi ''; - initExtraBeforeCompInit = '' + initContent = lib.mkOrder 550 '' ${builtins.readFile ./session_variables.zsh} ${builtins.readFile ./functions.zsh} @@ -88,10 +88,8 @@ kitty = { enable = true; - # package = pkgs.kitty; - font = { - name = "Iosevka Nerd Font"; + name = "Berkeley Mono"; size = 13; }; @@ -104,9 +102,6 @@ tab_bar_edge = "top"; tab_bar_style = "slant"; tab_bar_min_tabs = 1; - - # tab_title_template = "{index}[{layout_name[0:2]}]: {title.replace('emile', 'e')[title.rfind('/')+1:]}"; - # tab_title_template = "{index}[{layout_name[0:2]}]: {title.replace('emile', 'e')}"; tab_title_template = "{index} {title.replace('emile', 'e')}"; editor = "/Users/emile/.cargo/bin/hx"; @@ -186,7 +181,7 @@ nixos-rebuild # editor - unstable-darwin.helix + unstable.helix ## formatter nixfmt-rfc-style # official formatter for nix code @@ -194,9 +189,9 @@ ## language server # nodePackages_latest.typescript-language-server # js / typescript nil # nix - nodePackages.yaml-language-server # yaml + # nodePackages.yaml-language-server # yaml python312Packages.python-lsp-server # python - gopls # golang + # gopls # golang # binary foo radare2 @@ -211,8 +206,8 @@ # go foo go - delve - gotools + # delve + # gotools # c foo cmake @@ -260,13 +255,23 @@ taskwarrior3 - drawio + # drawio # cargo rustup cargo + utm + + #nmap ffuf + #typst + #age + #ffmpeg + #exiftool + # custom - libc-database + # libc-database + + # unstable.duckdb # blender diff --git a/nix/hosts/caladan/overlay.nix b/nix/hosts/caladan/overlay.nix index 8f3b810..8295339 100644 --- a/nix/hosts/caladan/overlay.nix +++ b/nix/hosts/caladan/overlay.nix @@ -3,37 +3,37 @@ { nixpkgs = { overlays = [ - (self: super: { - kitty = super.kitty.overrideAttrs (old: { - preCheck = '' - # skip failing tests due to darwin sandbox - substituteInPlace kitty_tests/file_transmission.py \ - --replace test_file_get dont_test_file_get \ - --replace test_path_mapping_receive dont_test_path_mapping_receive \ - --replace test_transfer_send dont_test_transfer_send - substituteInPlace kitty_tests/shell_integration.py \ - --replace test_fish_integration dont_test_fish_integration - substituteInPlace kitty_tests/shell_integration.py \ - --replace test_bash_integration dont_test_bash_integration - substituteInPlace kitty_tests/open_actions.py \ - --replace test_parsing_of_open_actions dont_test_parsing_of_open_actions - substituteInPlace kitty_tests/ssh.py \ - --replace test_ssh_connection_data dont_test_ssh_connection_data - substituteInPlace kitty_tests/fonts.py \ - --replace 'class Rendering(BaseTest)' 'class Rendering' + #(self: super: { + # kitty = super.kitty.overrideAttrs (old: { + # preCheck = '' + # # skip failing tests due to darwin sandbox + # substituteInPlace kitty_tests/file_transmission.py \ + # --replace test_file_get dont_test_file_get \ + # --replace test_path_mapping_receive dont_test_path_mapping_receive \ + # --replace test_transfer_send dont_test_transfer_send + # substituteInPlace kitty_tests/shell_integration.py \ + # --replace test_fish_integration dont_test_fish_integration + # substituteInPlace kitty_tests/shell_integration.py \ + # --replace test_bash_integration dont_test_bash_integration + # substituteInPlace kitty_tests/open_actions.py \ + # --replace test_parsing_of_open_actions dont_test_parsing_of_open_actions + # substituteInPlace kitty_tests/ssh.py \ + # --replace test_ssh_connection_data dont_test_ssh_connection_data + # substituteInPlace kitty_tests/fonts.py \ + # --replace 'class Rendering(BaseTest)' 'class Rendering' - # TODO(emile): figure out why this test is failing and activate it - # again. - substituteInPlace kittens/hyperlinked_grep/main_test.go \ - --replace TestRgArgParsing DontTestRgArgParsing \ + # # TODO(emile): figure out why this test is failing and activate it + # # again. + # substituteInPlace kittens/hyperlinked_grep/main_test.go \ + # --replace TestRgArgParsing DontTestRgArgParsing \ - # theme collection test starts an http server - rm tools/themes/collection_test.go - # passwd_test tries to exec /usr/bin/dscl - rm tools/utils/passwd_test.go - ''; - }); - }) + # # theme collection test starts an http server + # rm tools/themes/collection_test.go + # # passwd_test tries to exec /usr/bin/dscl + # rm tools/utils/passwd_test.go + # ''; + # }); + #}) ]; config = { allowUnfree = true; diff --git a/nix/hosts/corrino/configuration.nix b/nix/hosts/corrino/configuration.nix index 2f8954b..9ce6bf1 100644 --- a/nix/hosts/corrino/configuration.nix +++ b/nix/hosts/corrino/configuration.nix @@ -25,9 +25,11 @@ in # ./vm.nix ./www/git - ./www/nix-cache + #./www/nix-cache - ./www/goapp.emile.space.nix + # doesn't find the goapp-frontend package, some issue with the overlay being applied, at least + # thats what I think the problem is + # ./www/goapp.emile.space.nix # screego @@ -35,12 +37,10 @@ in ./www/emile.space.nix ./www/tmp.emile.space.nix ./www/hydra.emile.space.nix - ./www/netbox.emile.space.nix + # ./www/netbox.emile.space.nix ./www/stats.emile.space.nix - # ./www/grafana.emile.space.nix + ./www/grafana.emile.space.nix # ./www/prometheus.emile.space.nix - # ./www/loki.emile.space.nix - # ./www/promtail.emile.space.nix ./www/photo @@ -51,16 +51,19 @@ in ./www/md.emile.space.nix ./www/social.emile.space.nix ./www/sso.emile.space.nix - ./www/s3.emile.space.nix + # ./www/s3.emile.space.nix # ./www/cs.emile.space.nix - ./www/irc.emile.space.nix + # ./www/irc.emile.space.nix + # ./www/cl.emile.space.nix # ./www/db.emile.space.nix - # ./www/ctf.emile.space.nix + #./www/ctf.emile.space.nix # ./www/magic-hash.emile.space.nix + ./www/mc.emile.space.nix + # gemini - ./gemini/emile.space.nix + # ./gemini/emile.space.nix # general purpose modules @@ -160,9 +163,7 @@ in ''; }; - supportedFilesystems = { - "cifs" = true; - }; + supportedFilesystems = [ "cifs" ]; }; time.timeZone = "Europe/Berlin"; @@ -221,40 +222,40 @@ in }; # create a oneshot job to authenticate to Tailscale - systemd.services.tailscale-autoconnect = { - description = "Automatic connection to Tailscale"; - - # make sure tailscale is running before trying to connect to tailscale - after = [ - "network-pre.target" - "tailscale.service" - ]; - wants = [ - "network-pre.target" - "tailscale.service" - ]; - wantedBy = [ "multi-user.target" ]; - - # set this service as a oneshot job - serviceConfig.Type = "oneshot"; - - # have the job run this shell script - script = with pkgs; '' - # wait for tailscaled to settle - sleep 2 - - # check if we are already authenticated to tailscale - status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" - if [ $status = "Running" ]; then # if so, then do nothing - exit 0 - fi - - # otherwise authenticate with tailscale - ${tailscale}/bin/tailscale up \ - --advertise-exit-node --exit-node - ''; - # -authkey ${config.age.secrets.tailscale_authkey} - }; + # systemd.services.tailscale-autoconnect = { + # description = "Automatic connection to Tailscale"; + + # # make sure tailscale is running before trying to connect to tailscale + # after = [ + # "network-pre.target" + # "tailscale.service" + # ]; + # wants = [ + # "network-pre.target" + # "tailscale.service" + # ]; + # wantedBy = [ "multi-user.target" ]; + + # # set this service as a oneshot job + # serviceConfig.Type = "oneshot"; + + # # have the job run this shell script + # script = with pkgs; '' + # # wait for tailscaled to settle + # sleep 2 + + # # check if we are already authenticated to tailscale + # status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)" + # if [ $status = "Running" ]; then # if so, then do nothing + # exit 0 + # fi + + # # otherwise authenticate with tailscale + # ${tailscale}/bin/tailscale up \ + # --advertise-exit-node --exit-node + # ''; + # # -authkey ${config.age.secrets.tailscale_authkey} + # }; networking = { hostName = "corrino"; @@ -315,6 +316,7 @@ in 80 443 # normal web config.emile.ports.gitDaemon + 8085 ]; allowedUDPPorts = [ # 51820 # wireguard @@ -406,6 +408,9 @@ in "docker" "libvirtd" ]; + packages = with pkgs; [ + docker + ]; }; tmpuser1 = { @@ -441,6 +446,27 @@ in # use corrino as a subnet router and an exit node useRoutingFeatures = "both"; }; + + restic.backups."corrino" = { + repository = "/mnt/storagebox-bx11/corrino"; + passwordFile = config.age.secrets.restic_password.path; + initialize = true; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 75" + ]; + }; + # restic.server = { + # enable = true; + # prometheus = true; + # package = pkgs.restic-rest-server; + # extraFlags = [ "--no-auth" ]; + # listenAddress = "127.0.0.1:${toString config.emile.ports.restic}"; + # dataDir = "/var/lib/restic"; + # appendOnly = true; + # }; }; nix = { @@ -470,38 +496,38 @@ in allowed-uris = https://github.com/ https://git.emile.space/ git+https://github.com/ ''; - buildMachines = [ - { - hostName = "localhost"; - system = "x86_64-linux"; - protocol = "ssh-ng"; - maxJobs = 8; - supportedFeatures = [ - "nixos-test" - "benchmark" - "big-parallel" - "kvm" - ]; - } - { - hostName = "caladan.pinto-pike.ts.net"; - sshUser = "hydra"; - sshKey = "/var/lib/hydra/.ssh/id_ed25519"; - system = "aarch64-darwin"; - protocol = "ssh-ng"; - maxJobs = 1; - speedFactor = 2; - supportedFeatures = [ - "nixos-test" - "benchmark" - "big-parallel" - "kvm" - ]; - mandatoryFeatures = [ ]; - } - ]; + # buildMachines = [ + # { + # hostName = "localhost"; + # system = "x86_64-linux"; + # protocol = "ssh-ng"; + # maxJobs = 8; + # supportedFeatures = [ + # "nixos-test" + # "benchmark" + # "big-parallel" + # "kvm" + # ]; + # } + # { + # hostName = "caladan.pinto-pike.ts.net"; + # sshUser = "hydra"; + # sshKey = "/var/lib/hydra/.ssh/id_ed25519"; + # system = "aarch64-darwin"; + # protocol = "ssh-ng"; + # maxJobs = 1; + # speedFactor = 2; + # supportedFeatures = [ + # "nixos-test" + # "benchmark" + # "big-parallel" + # "kvm" + # ]; + # mandatoryFeatures = [ ]; + # } + # ]; - distributedBuilds = true; + # distributedBuilds = true; }; nixpkgs.config = { @@ -519,22 +545,22 @@ in }; virtualisation = { - # docker.enable = true; + docker.enable = true; libvirtd = { enable = true; qemu = { package = pkgs.qemu_kvm; runAsRoot = true; swtpm.enable = true; - ovmf = { - enable = true; - packages = [ - (pkgs.unstable.OVMF.override { - secureBoot = true; - tpmSupport = true; - }).fd - ]; - }; + # ovmf = { + # enable = true; + # packages = [ + # (pkgs.unstable.OVMF.override { + # secureBoot = true; + # tpmSupport = true; + # }).fd + # ]; + # }; }; }; podman = { diff --git a/nix/hosts/corrino/ports.nix b/nix/hosts/corrino/ports.nix index bb64934..483ab7f 100644 --- a/nix/hosts/corrino/ports.nix +++ b/nix/hosts/corrino/ports.nix @@ -5,16 +5,24 @@ photo = { photoprism = 2342; immich = 2343; + immich-public-proxy = 2344; }; git = 3000; hydra = 3001; grafana = 3002; md = 3003; gotosocial = 3004; - immich = 3005; monica = 3006; + miniflux = 3007; harmonia = 5000; + garage = { + s3 = 6001; + web = 6002; + rpc = 6003; + admin = 6004; + }; irc = { + bouncer = 6666; clear = 6667; ssl = 6697; }; @@ -34,8 +42,6 @@ s3 = 9000; web = 9001; }; - promtail = 9033; - loki = 9034; authelia = 9091; gitDaemon = 9418; prometheus = { @@ -45,6 +51,7 @@ nginx = 9913; systemd = 9558; smartctl = 9633; + restic = 9634; }; }; }; diff --git a/nix/hosts/corrino/secrets/goapp_oidc_client_secret.age b/nix/hosts/corrino/secrets/goapp_oidc_client_secret.age new file mode 100644 index 0000000..1477d56 --- /dev/null +++ b/nix/hosts/corrino/secrets/goapp_oidc_client_secret.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q wi3/W2UnB/8kCTeJ8shGpBQ21uvSQlbtZBAbocbQ+zY +6RQGQss6B6uvq4yFXGVQtbHgDKGzMVO2xDgUDlBV5Es +-> ssh-ed25519 m8VklA oFBut6nQ5Er9YQWpCb+2j3JKsNIjBRjwuQ7ERVekVyM +ccR/5J5g1D11iNieF/BXtzxcusF1Zaq04iifOFk6Q/U +--- r2E/KdtXa9/j5ecWhjzLsztBG8W+if2MeOPya6KJDxY +C7p}Vj4|EW ].k~Xe:(r2:$}~w0ƻP`+ Xg@PFX/i%;!$ "Ii_#*|Od;ZtwDFldF6дJa4q2y 8T \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/goapp_oidc_secret.age b/nix/hosts/corrino/secrets/goapp_oidc_secret.age index ca96981..4ca657b 100644 Binary files a/nix/hosts/corrino/secrets/goapp_oidc_secret.age and b/nix/hosts/corrino/secrets/goapp_oidc_secret.age differ diff --git a/nix/hosts/corrino/secrets/gotosocial_environment_file.age b/nix/hosts/corrino/secrets/gotosocial_environment_file.age index 7211c12..d2b6b90 100644 Binary files a/nix/hosts/corrino/secrets/gotosocial_environment_file.age and b/nix/hosts/corrino/secrets/gotosocial_environment_file.age differ diff --git a/nix/hosts/corrino/secrets/gotosocial_oidc_client_secret.age b/nix/hosts/corrino/secrets/gotosocial_oidc_client_secret.age new file mode 100644 index 0000000..bd6a14a --- /dev/null +++ b/nix/hosts/corrino/secrets/gotosocial_oidc_client_secret.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q PoCUbJ4Pg2ZCYy3HCI4w7J/vu5gh6d257Q/PlOBEEG4 +Hisdtymy8i3cN0LVuXpY8duCBMLlTT8QoOEYVmLy+n8 +-> ssh-ed25519 m8VklA i01UwKFor55UM6dL7glsMP6PQM9fcoa9EV3RRXPwRnE +9fJ9nWhhwyEXclzaYAszUTLTNH/xkM3u9uw0BgY8FOg +--- 8MUr5xLS5Rt1yXNPfIQwfF6ZGJwNOe/RVtlX0MaGMZ8 +Y^h#2NtغBFXƭo.eCv%1/O%.G×Ϥ%f]_2eo~p {bݚSH݆Rnkcjm ssh-ed25519 gvwQ2Q YdFGe2zYgdQDdW9tZG/VPlV6ZnWCv1u2hIg3AiBVwU0 +7PXZNJR5HszD2IqVJX3Rw2VfI1Anf3fuOQTFNq58raU +-> ssh-ed25519 m8VklA LP+D7xz1SbSPT+6lEfaRjxNPSsBfyN7pE2LAe7ErVCA +wQeekB+chF01SCX8+BNcKk7o6jN8sT5uic+Oe/od9yc +--- ZG36Lj4tUALxjMb1+86Y3tdH1KMEw+Teeks0UbB2Zvk +. i0.XN)`uP&4pHTDBaC>}qQQ㓴>T<ه+'ze{S؃ Ix$mO֨yč PvyAUgf4$oWg \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/hedgedoc_environment_variables.age b/nix/hosts/corrino/secrets/hedgedoc_environment_variables.age index cf3cac2..45df125 100644 Binary files a/nix/hosts/corrino/secrets/hedgedoc_environment_variables.age and b/nix/hosts/corrino/secrets/hedgedoc_environment_variables.age differ diff --git a/nix/hosts/corrino/secrets/hedgedoc_oidc_client_secret.age b/nix/hosts/corrino/secrets/hedgedoc_oidc_client_secret.age new file mode 100644 index 0000000..6afe5e8 Binary files /dev/null and b/nix/hosts/corrino/secrets/hedgedoc_oidc_client_secret.age differ diff --git a/nix/hosts/corrino/secrets/immich_oidc_client_secret.age b/nix/hosts/corrino/secrets/immich_oidc_client_secret.age new file mode 100644 index 0000000..be7429d Binary files /dev/null and b/nix/hosts/corrino/secrets/immich_oidc_client_secret.age differ diff --git a/nix/hosts/corrino/secrets/miniflux_oidc_client_secret.age b/nix/hosts/corrino/secrets/miniflux_oidc_client_secret.age new file mode 100644 index 0000000..85879a9 Binary files /dev/null and b/nix/hosts/corrino/secrets/miniflux_oidc_client_secret.age differ diff --git a/nix/hosts/corrino/secrets/miniflux_oidc_secret.age b/nix/hosts/corrino/secrets/miniflux_oidc_secret.age index c16754e..668c429 100644 Binary files a/nix/hosts/corrino/secrets/miniflux_oidc_secret.age and b/nix/hosts/corrino/secrets/miniflux_oidc_secret.age differ diff --git a/nix/hosts/corrino/secrets/tailscale-corrino-cert.age b/nix/hosts/corrino/secrets/tailscale-corrino-cert.age index 07252cc..ecb9e6e 100644 Binary files a/nix/hosts/corrino/secrets/tailscale-corrino-cert.age and b/nix/hosts/corrino/secrets/tailscale-corrino-cert.age differ diff --git a/nix/hosts/corrino/secrets/tailscale-corrino-key.age b/nix/hosts/corrino/secrets/tailscale-corrino-key.age index 36c132e..5226883 100644 Binary files a/nix/hosts/corrino/secrets/tailscale-corrino-key.age and b/nix/hosts/corrino/secrets/tailscale-corrino-key.age differ diff --git a/nix/hosts/corrino/www/ctf.emile.space.nix b/nix/hosts/corrino/www/ctf.emile.space.nix index 28c9419..a6ebd05 100644 --- a/nix/hosts/corrino/www/ctf.emile.space.nix +++ b/nix/hosts/corrino/www/ctf.emile.space.nix @@ -7,18 +7,19 @@ locations = { "/" = { - proxyPass = "http://127.0.0.1:${toString config.emile.ports.ctf}"; + # proxyPass = "http://127.0.0.1:${toString config.emile.ports.ctf}"; + proxyPass = "http://138.199.213.51"; }; }; }; - virtualisation.oci-containers = { - # backend = "docker"; - containers = { - "ctfd" = { - image = "ctfd/ctfd"; - ports = [ "${toString config.emile.ports.ctf}:8000" ]; - }; - }; - }; + # virtualisation.oci-containers = { + # # backend = "docker"; + # containers = { + # "ctfd" = { + # image = "ctfd/ctfd"; + # ports = [ "${toString config.emile.ports.ctf}:8000" ]; + # }; + # }; + # }; } diff --git a/nix/hosts/corrino/www/git/cgit.nix b/nix/hosts/corrino/www/git/cgit.nix index 68304db..44f5996 100644 --- a/nix/hosts/corrino/www/git/cgit.nix +++ b/nix/hosts/corrino/www/git/cgit.nix @@ -630,7 +630,13 @@ in extraGroups = [ "gitea" ]; home = "/var/lib/git"; uid = lib.mkForce 127; + # shell = "${pkgs.git}/bin/git-shell"; + # openssh.authorizedKeys.keys = [ + # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan + # " + # ]; }; + users.groups.git = { gid = lib.mkForce 127; }; diff --git a/nix/hosts/corrino/www/git/git.nix b/nix/hosts/corrino/www/git/git.nix deleted file mode 100644 index 3a2b9da..0000000 --- a/nix/hosts/corrino/www/git/git.nix +++ /dev/null @@ -1,106 +0,0 @@ -{ - lib, - pkgs, - config, - ... -}: - -let - cfg = config.services.gitea; -in -{ - services.nginx.virtualHosts."git.emile.space" = { - forceSSL = true; - enableACME = true; - - # TODO(emile): figure out why this doesn't work when enabled, has to do with authelia - # extraConfig = authelia-location; - - locations = { - "/" = { - # proxyPass = "http://127.0.0.1:3000"; - proxyPass = "http://127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}"; - - # TODO(emile): figure out why this doesn't work when enabled, has to do with authelia - # extraConfig = authelia-authrequest; - }; - }; - }; - - # auth via authelia - services.authelia.instances.main.settings.identity_providers.oidc.clients = [ - { - id = "git"; - - # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$4bi9wRkfcqnjbdmgt7rU.g$pQ2mC6GW4.BQwanGKKFhFyIx6Y.WY80xd/YpmlYOPnlnGBWpp0dSOTv6a/2yqSA5D.EuRkGCyeexSE5FdCK2TA"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = [ "https://git.emile.space/user/oauth2/authelia/callback" ]; - scopes = [ - "openid" - "email" - "profile" - ]; - } - ]; - - services.gitea = rec { - enable = true; - - appName = "git.emile.space"; - - # unstable in order to use the 1.20... version - #package = pkgs.forgejo; - package = pkgs.unstable.forgejo; - - stateDir = "/var/lib/gitea"; - repositoryRoot = "${stateDir}/repositories"; - - settings = { - service.DISABLE_REGISTRATION = true; - - DEFAULT = { - WORK_PATH = "/var/lib/gitea"; - }; - - server = { - DOMAIN = pkgs.lib.mkForce "git.emile.space"; - ROOT_URL = pkgs.lib.mkForce "https://git.emile.space"; - HTTP_PORT = config.emile.ports.git; - - #START_SSH_SERVER = true; - BUILTIN_SSH_SERVER_USER = "git"; - SSH_USER = "gitea"; - SSH_DOMAIN = "git.emile.space"; - - REPO_INDEXER_ENABLED = true; - }; - - indexer = { - REPO_INDEXER_ENABLED = true; - ISSUE_INDEXER_PATH = "${stateDir}/indexers/issues.bleve"; - REPO_INDEXER_PATH = "${stateDir}/indexers/repos.bleve"; - MAX_FILE_SIZE = 1048576; - REPO_INDEXER_INCLUDE = ""; - REPO_INDEXER_EXCLUDE = "resources/bin/**"; - }; - - #federation = { - # enable = true; - # share_user_statistics = true; - # max_size = 4; - #}; - }; - }; - - users.users.git = { - isSystemUser = true; - useDefaultShell = true; - group = "git"; - extraGroups = [ "gitea" ]; - home = cfg.stateDir; - uid = 127; - }; - users.groups.git = { }; -} diff --git a/nix/hosts/corrino/www/goapp.emile.space.nix b/nix/hosts/corrino/www/goapp.emile.space.nix index 361e95a..e31079e 100644 --- a/nix/hosts/corrino/www/goapp.emile.space.nix +++ b/nix/hosts/corrino/www/goapp.emile.space.nix @@ -12,12 +12,16 @@ }; }; + age.secrets.goapp_oidc_client_secret.owner = "authelia-main"; + age.secrets.goapp_oidc_client_secret.group = "authelia-main"; + services.authelia.instances.main.settings.identity_providers.oidc.clients = [ { - id = "goapp"; + client_id = "goapp"; # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$LPXJRoGR9RyTcaT6cADljg$FK8RV5CnKj5ano4fXmRzzvXcX/00F7k/G6nd67t.8iewpwyq8FntV4JgYZSV8AynYMxz1qnL4j3BzITLCM0KgQ"; + client_secret = "{{ secret \"${config.age.secrets.goapp_oidc_client_secret.path}\" }}"; + public = false; authorization_policy = "two_factor"; redirect_uris = [ diff --git a/nix/hosts/corrino/www/grafana.emile.space.nix b/nix/hosts/corrino/www/grafana.emile.space.nix index f8674a2..2caa4d4 100644 --- a/nix/hosts/corrino/www/grafana.emile.space.nix +++ b/nix/hosts/corrino/www/grafana.emile.space.nix @@ -3,145 +3,143 @@ { systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana_env_vars.path; - services = { - nginx.virtualHosts = { - "grafana.emile.space" = { - addSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/"; - proxyWebsockets = true; - }; + + services.nginx.virtualHosts = { + "grafana.emile.space" = { + addSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/"; + proxyWebsockets = true; }; }; + }; - authelia.instances.main.settings.identity_providers.oidc.clients = [ - { - id = "Grafana"; - - # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$S.RE0jcmr7Sn/tjJDNxV/A$1tsYhQ/YEcVfE4JyzszHemrcUqy.84Fb6xVSmz87if5C9N46Mz2lRWB5l8s4EIrLsiumPnt4HQMkYZ4MoovJzA"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = [ "https://grafana.emile.space/login/generic_oauth" ]; - scopes = [ - "openid" - "email" - "profile" - "groups" - ]; - grant_types = [ - "refresh_token" - "authorization_code" - ]; - response_types = [ "code" ]; - response_modes = [ - "form_post" - "query" - "fragment" - ]; - } - ]; - - grafana = { - enable = true; - settings = { - server = { - http_addr = "127.0.0.1"; - http_port = config.emile.ports.grafana; - domain = "grafana.emile.space"; - root_url = "https://grafana.emile.space/"; - }; + age.secrets.grafana_oidc_client_secret.owner = "authelia-main"; + age.secrets.grafana_oidc_client_secret.group = "authelia-main"; - "auth.generic_oauth" = - let - sso = "https://sso.emile.space/api/oidc"; - in - { - enabled = true; - client_id = "Grafana"; - - # [auth.generic_oauth] - # client_secret = ... - # set in env var as - # GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET - client_secret = "set in env var this is just a placeholder"; - - use_refresh_token = true; - token_url = "${sso}/token"; - auth_url = "${sso}/authorization"; - api_url = "${sso}/userinfo"; - - scopes = [ - "openid" - "email" - "profile" - "groups" - ]; - - email_attribute_path = "email"; - login_attribute_path = "preferred_username"; - name_attribute_path = "name"; - - role_attribute_path = "contains(groups[*], 'grafana_server_admin') && 'GrafanaAdmin' || contains(groups[*], 'grafana_admin') && 'Admin' || contains(groups[*], 'grafana_editor') && 'Editor' || 'Viewer'"; - - }; + services.authelia.instances.main.settings.identity_providers.oidc.clients = [ + { + client_id = "Grafana"; + + # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 + client_secret = "{{ secret \"${config.age.secrets.grafana_oidc_client_secret.path}\" }}"; + + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ "https://grafana.emile.space/login/generic_oauth" ]; + scopes = [ + "openid" + "email" + "profile" + "groups" + ]; + grant_types = [ + "refresh_token" + "authorization_code" + ]; + response_types = [ "code" ]; + response_modes = [ + "form_post" + "query" + "fragment" + ]; + } + ]; + + services.grafana = { + enable = true; + settings = { + server = { + http_addr = "127.0.0.1"; + http_port = config.emile.ports.grafana; + domain = "grafana.emile.space"; + root_url = "https://grafana.emile.space/"; }; - provision = { - dashboards.settings = { }; - datasources.settings = { - deleteDatasources = [ - { name = "Prometheus"; orgId = 1; } - { name = "Lampadas"; orgId = 1; } - ]; - datasources = [ - { - url = "http://localhost:${toString config.services.prometheus.port}"; - type = "prometheus"; - name = "Prometheus Corrino"; - editable = false; - access = "proxy"; # server = "proxy", browser = "direct" - } - { - url = "http://lampadas:9009"; - type = "prometheus"; - name = "Prometheus Lampadas"; - editable = false; - access = "proxy"; # server = "proxy", browser = "direct" - } - # { - # name = "loki"; - # url = "http://${config.services.loki.configuration.common.instance_addr}:${toString config.services.loki.configuration.server.http_listen_port}"; - # type = "loki"; - # } + "auth.generic_oauth" = + let + sso = "https://sso.emile.space/api/oidc"; + in + { + enabled = true; + client_id = "Grafana"; + + # [auth.generic_oauth] + # client_secret = ... + # set in env var as + # GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET + client_secret = "set in env var this is just a placeholder"; + + use_refresh_token = true; + token_url = "${sso}/token"; + auth_url = "${sso}/authorization"; + api_url = "${sso}/userinfo"; + + scopes = [ + "openid" + "email" + "profile" + "groups" ]; + + email_attribute_path = "email"; + login_attribute_path = "preferred_username"; + name_attribute_path = "name"; + + role_attribute_path = "contains(groups[*], 'grafana_server_admin') && 'GrafanaAdmin' || contains(groups[*], 'grafana_admin') && 'Admin' || contains(groups[*], 'grafana_editor') && 'Editor' || 'Viewer'"; + }; + }; - # TODO(emile): finish setting up the grafana notifier filling out the settings section - # notifiers = [ - # { - # uid = "2ad1c1d1-bcd9-4cb8-8897-c89c5820ffb1"; - # type = "email"; - # settings = {}; - # org_name = "Main Org."; - # org_id = 1; - # name = "email"; - # id_default = true; - # frequency = "5m"; - # disable_resolve_message = false; - # } - # ]; - - # TODO(emile): finish setting up the alerting stuff within here - # alerting = { - # templates.settings = { }; - # rules.settings = {}; - # policies.settings = {}; - # muteTimings.settings = {}; - # contactPoints.settings = {}; - # }; + provision = { + dashboards.settings = { }; + datasources.settings = { + deleteDatasources = [ + { name = "Prometheus"; orgId = 1; } + { name = "Lampadas"; orgId = 1; } + ]; + datasources = [ + { + url = "http://localhost:${toString config.services.prometheus.port}"; + type = "prometheus"; + name = "Prometheus Corrino"; + editable = false; + access = "proxy"; # server = "proxy", browser = "direct" + } + { + url = "http://lampadas:9009"; + type = "prometheus"; + name = "Prometheus Lampadas"; + editable = false; + access = "proxy"; # server = "proxy", browser = "direct" + } + ]; }; + + # TODO(emile): finish setting up the grafana notifier filling out the settings section + # notifiers = [ + # { + # uid = "2ad1c1d1-bcd9-4cb8-8897-c89c5820ffb1"; + # type = "email"; + # settings = {}; + # org_name = "Main Org."; + # org_id = 1; + # name = "email"; + # id_default = true; + # frequency = "5m"; + # disable_resolve_message = false; + # } + # ]; + + # TODO(emile): finish setting up the alerting stuff within here + # alerting = { + # templates.settings = { }; + # rules.settings = {}; + # policies.settings = {}; + # muteTimings.settings = {}; + # contactPoints.settings = {}; + # }; }; }; } diff --git a/nix/hosts/corrino/www/hydra.emile.space.nix b/nix/hosts/corrino/www/hydra.emile.space.nix index a5cdb53..fe70bf4 100644 --- a/nix/hosts/corrino/www/hydra.emile.space.nix +++ b/nix/hosts/corrino/www/hydra.emile.space.nix @@ -21,9 +21,10 @@ services.hydra = { enable = true; - package = pkgs.hydra_unstable.overrideAttrs (old: { - patches = (if old ? patches then old.patches else [ ]) ++ [ ./hydra.patch ]; - }); + #package = pkgs.hydra_unstable.overrideAttrs (old: { + # patches = (if old ? patches then old.patches else [ ]) ++ [ ./hydra.patch ]; + #}); + package = pkgs.hydra; listenHost = "*"; port = config.emile.ports.hydra; diff --git a/nix/hosts/corrino/www/irc.emile.space.nix b/nix/hosts/corrino/www/irc.emile.space.nix index ac00445..7653cb4 100644 --- a/nix/hosts/corrino/www/irc.emile.space.nix +++ b/nix/hosts/corrino/www/irc.emile.space.nix @@ -1,155 +1,198 @@ -{ config, ... }: +{ config, pkgs, ... }: { + ############################################################################## + # Client + ############################################################################## + # gamja web client + # https://codeberg.org/emersion/gamja + # + # nah, let's just use the commaond line "senpai" client, from the same person + + ############################################################################## + # Bouncer + ############################################################################## + # soju bouncer + # https://soju.im + + # services.soju = { + # enable = true; + # listen = [ "127.0.0.1:${toString config.emile.ports.irc.bouncer}" ]; + + # hostName = "irc.emile.space"; + # httpOrigins = [ "127.0.0.1" "irc.emile.space" ]; + + # # tlsCertificateKey = "/var/lib/acme/irc.emile.space/key.pem"; + # # tlsCertificate = "/var/lib/acme/irc.emile.space/cert.pem"; + # }; + + # services.soju = { + # enable = true; + # package = pkgs.soju; + # listen = [ "127.0.0.1:${toString config.emile.ports.irc.bouncer}" ]; + # adminSocket.enable = true; + # # tlsCertificateKey = "/var/lib/acme/irc.emile.space/key.pem"; + # # tlsCertificate = "/var/lib/acme/irc.emile.space/cert.pem"; + # httpOrigins = [ "127.0.0.1" "irc.emile.space" ]; + # hostName = "irc.emile.space"; + # extraConfig = ""; + # enableMessageLogging = true; + # acceptProxyIP = []; + # }; + + ############################################################################## + # Server + ############################################################################## + # Create a tls cert for the irc server - security.acme.certs = { - "irc.emile.space" = { - webroot = "/var/lib/acme/acme-challenge/"; - email = "acme@emile.space"; - postRun = "cp fullchain.pem /home/ergo/ && cp key.pem /home/ergo && chown ergo:ergo /home/ergo/*.pem && systemctl reload ergo.service"; - }; - }; - - # Allow ergo to access the created cert - # The systemd server runs using a dynamic user, so the below inserts the .pem files - # into "/run/credentials/ergochat.service/key.pem" - systemd.services.ergochat.serviceConfig = { - LoadCredential = [ - "fullchain.pem:/var/lib/acme/irc.emile.space/fullchain.pem" - "key.pem:/var/lib/acme/irc.emile.space/key.pem" - ]; - }; - - # allow connections to the port from the "outside" - networking.firewall.allowedTCPPorts = [ config.emile.ports.irc.ssl ]; - - services.ergochat = { - enable = true; - - # https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml - settings = { - accounts = { - authentication-enabled = true; - multiclient = { - allowed-by-default = true; - always-on = "opt-out"; - auto-away = "opt-out"; - enabled = true; - }; - registration = { - enabled = true; - allow-before-connect = true; - bcrypt-cost = 4; - email-verification = { - enabled = false; - }; - throttling = { - duration = "10m"; - enabled = true; - max-attempts = 30; - }; - }; - }; - channels = { - default-modes = "+ntC"; - registration = { - enabled = true; - }; - }; - datastore = { - autoupgrade = true; - path = "/var/lib/ergo/ircd.db"; - }; - history = { - enabled = true; - autoreplay-on-join = 0; - autoresize-window = "3d"; - channel-length = 2048; - chathistory-maxmessages = 100; - client-length = 256; - restrictions = { - expire-time = "1w"; - grace-period = "1h"; - query-cutoff = "none"; - }; - retention = { - allow-individual-delete = false; - enable-account-indexing = false; - }; - tagmsg-storage = { - default = false; - whitelist = [ - "+draft/react" - "+react" - ]; - }; - znc-maxmessages = 2048; - }; - limits = { - awaylen = 390; - channellen = 64; - identlen = 20; - kicklen = 390; - nicklen = 32; - topiclen = 390; - }; - network = { - name = "emilespace"; - }; - server = { - casemapping = "permissive"; - check-ident = false; - enforce-utf = true; - forward-confirm-hostnames = false; - ip-cloaking = { - enabled = false; - }; - ip-limits = { - count = false; - throttle = false; - }; - listeners = { - # sts only port - ":6667".sts-only = true; - - # loopback listeners - # "127.0.0.1:6668" = {}; - # "[::]:6668" = {}; - - ":${toString config.emile.ports.irc.ssl}" = { - tls = { - cert = "/run/credentials/ergochat.service/fullchain.pem"; - key = "/run/credentials/ergochat.service/key.pem"; - }; - - # for cloud load balancers setting a PROXY header, NOT reverse proxies... - proxy = false; - - min-tls-version = 1.2; - }; - }; - lookup-hostnames = false; - max-sendq = "1M"; - name = "emile.space"; - relaymsg = { - enabled = false; - }; - sts = { - enabled = true; # redirect from plain to tls if supported - - # how long clients should be forced to use TLS for. - # (Emile): no clue why, can I set something like \infty here? - duration = "12m"; - - }; - }; - logging = [ - { - method = "stderr"; - type = "* -userinput -useroutput"; - level = "debug"; - } - ]; - }; - }; + # security.acme.certs = { + # "irc.emile.space" = { + # webroot = "/var/lib/acme/acme-challenge/"; + # email = "acme@emile.space"; + # # postRun = "cp fullchain.pem /home/ergo/ && cp key.pem /home/ergo && chown ergo:ergo /home/ergo/*.pem && systemctl reload ergo.service"; + # }; + # }; + + # # Allow ergo to access the created cert + # # The systemd server runs using a dynamic user, so the below inserts the .pem files + # # into "/run/credentials/ergochat.service/key.pem" + # systemd.services.ergochat.serviceConfig = { + # LoadCredential = [ + # "fullchain.pem:/var/lib/acme/irc.emile.space/fullchain.pem" + # "key.pem:/var/lib/acme/irc.emile.space/key.pem" + # ]; + # }; + + # # allow connections to the port from the "outside" + # networking.firewall.allowedTCPPorts = [ config.emile.ports.irc.ssl ]; + + # services.ergochat = { + # enable = true; + + # # https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml + # settings = { + # accounts = { + # authentication-enabled = true; + # multiclient = { + # allowed-by-default = true; + # always-on = "opt-out"; + # auto-away = "opt-out"; + # enabled = true; + # }; + # registration = { + # enabled = true; + # allow-before-connect = true; + # bcrypt-cost = 4; + # email-verification = { + # enabled = false; + # }; + # throttling = { + # duration = "10m"; + # enabled = true; + # max-attempts = 30; + # }; + # }; + # }; + # channels = { + # default-modes = "+ntC"; + # registration = { + # enabled = true; + # }; + # }; + # datastore = { + # autoupgrade = true; + # path = "/var/lib/ergo/ircd.db"; + # }; + # history = { + # enabled = true; + # autoreplay-on-join = 0; + # autoresize-window = "3d"; + # channel-length = 2048; + # chathistory-maxmessages = 100; + # client-length = 256; + # restrictions = { + # expire-time = "1w"; + # grace-period = "1h"; + # query-cutoff = "none"; + # }; + # retention = { + # allow-individual-delete = false; + # enable-account-indexing = false; + # }; + # tagmsg-storage = { + # default = false; + # whitelist = [ + # "+draft/react" + # "+react" + # ]; + # }; + # znc-maxmessages = 2048; + # }; + # limits = { + # awaylen = 390; + # channellen = 64; + # identlen = 20; + # kicklen = 390; + # nicklen = 32; + # topiclen = 390; + # }; + # network = { + # name = "emilespace"; + # }; + # server = { + # casemapping = "permissive"; + # check-ident = false; + # enforce-utf = true; + # forward-confirm-hostnames = false; + # ip-cloaking = { + # enabled = false; + # }; + # ip-limits = { + # count = false; + # throttle = false; + # }; + # listeners = { + # # sts only port + # ":6667".sts-only = true; + + # # loopback listeners + # # "127.0.0.1:6668" = {}; + # # "[::]:6668" = {}; + + # ":${toString config.emile.ports.irc.ssl}" = { + # tls = { + # cert = "/run/credentials/ergochat.service/fullchain.pem"; + # key = "/run/credentials/ergochat.service/key.pem"; + # }; + + # # for cloud load balancers setting a PROXY header, NOT reverse proxies... + # proxy = false; + + # min-tls-version = 1.2; + # }; + # }; + # lookup-hostnames = false; + # max-sendq = "1M"; + # name = "emile.space"; + # relaymsg = { + # enabled = false; + # }; + # sts = { + # enabled = true; # redirect from plain to tls if supported + + # # how long clients should be forced to use TLS for. + # # (Emile): no clue why, can I set something like \infty here? + # duration = "12m"; + + # }; + # }; + # logging = [ + # { + # method = "stderr"; + # type = "* -userinput -useroutput"; + # level = "debug"; + # } + # ]; + # }; + # }; } diff --git a/nix/hosts/corrino/www/loki.emile.space.nix b/nix/hosts/corrino/www/loki.emile.space.nix deleted file mode 100644 index e5bfe24..0000000 --- a/nix/hosts/corrino/www/loki.emile.space.nix +++ /dev/null @@ -1,64 +0,0 @@ -{ config, ... }: - -{ - services = { - loki = { - enable = false; - configuration = { - auth_enabled = false; - server = { - http_listen_port = config.emile.ports.loki; - }; - - limits_config = { - reject_old_samples = false; - reject_old_samples_max_age = "7d"; - max_global_streams_per_user = 100000; - max_streams_per_user = 100000; - - retention_period = "10m"; - }; - - compactor = { - retention_enabled = true; - delete_request_store = "tsdb"; - }; - - common = { - instance_addr = "127.0.0.1"; - ring = { - instance_addr = "127.0.0.1"; - kvstore.store = "inmemory"; - }; - replication_factor = 1; - path_prefix = "/tmp/loki"; - }; - - # limits_config.allow_structured_metadata = false; - - schema_config.configs = [ - { - from = "2023-05-09"; - store = "tsdb"; - object_store = "filesystem"; - schema = "v13"; - index = { - prefix = "index_"; - period = "24h"; - }; - } - { - from = "2024-10-18"; - store = "tsdb"; - object_store = "filesystem"; - schema = "v13"; - index = { - prefix = "index_"; - period = "24h"; - }; - } - ]; - }; - }; - }; -} diff --git a/nix/hosts/corrino/www/mc.emile.space.nix b/nix/hosts/corrino/www/mc.emile.space.nix index 8250a1d..1a081bc 100644 --- a/nix/hosts/corrino/www/mc.emile.space.nix +++ b/nix/hosts/corrino/www/mc.emile.space.nix @@ -134,10 +134,13 @@ addons = {}; }; + services.restic.backups."corrino" = { + paths = [ "/var/lib/minecraft" ]; + }; + services.restic.backups."minecraft" = { repository = "/mnt/storagebox-bx11/minecraft"; paths = [ "/var/lib/minecraft" ]; - timerConfig = null; passwordFile = config.age.secrets.restic_password.path; initialize = true; pruneOpts = [ diff --git a/nix/hosts/corrino/www/md.emile.space.nix b/nix/hosts/corrino/www/md.emile.space.nix index d94c06c..1ee46fd 100644 --- a/nix/hosts/corrino/www/md.emile.space.nix +++ b/nix/hosts/corrino/www/md.emile.space.nix @@ -11,13 +11,16 @@ }; }; + age.secrets.hedgedoc_oidc_client_secret.owner = "authelia-main"; + age.secrets.hedgedoc_oidc_client_secret.group = "authelia-main"; + # auth via authelia services.authelia.instances.main.settings.identity_providers.oidc.clients = [ { client_id = "HedgeDoc"; # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - client_secret = "$pbkdf2-sha512$310000$l4Kyec7Q9oY2GAhWA/xMig$P/MYFmulfgsDNyyiclUzd6le0oSiOvqCIvl4op5DkXtVTxLWlMA3ZwhJ6Z7u.OfIREuEM2htH6asxWPhBhkpNQ"; + client_secret = "{{ secret \"${config.age.secrets.hedgedoc_oidc_client_secret.path}\" }}"; public = false; authorization_policy = "two_factor"; redirect_uris = [ "https://md.emile.space/auth/oauth2/callback" ]; @@ -85,10 +88,13 @@ }; }; + services.restic.backups."corrino" = { + paths = [ "/var/lib/hedgedoc" ]; + }; + services.restic.backups."hedgedoc" = { repository = "/mnt/storagebox-bx11/hedgedoc"; paths = [ "/var/lib/hedgedoc" ]; - timerConfig = null; passwordFile = config.age.secrets.restic_password.path; initialize = true; pruneOpts = [ @@ -98,29 +104,4 @@ "--keep-yearly 75" ]; }; - - # backups - # services.restic.backups."hedgedoc" = { - # user = "u331921"; - # timerConfig = { - # OnCalendar = "daily"; - # Persistent = true; - # }; - # # repository = "stfp:u331921@u331921.your-storagebox-de:23/restic"; - # repository = "/mnt/storagebox-bx11/backup/hedgedoc"; - # initialize = true; # initializes the repo, don't set if you want manual control - # passwordFile = config.age.secrets.restic_password.path; - # paths = [ "/var/lib/hedgedoc/" ]; - # pruneOpts = [ - # "--keep-daily 7" - # "--keep-weekly 5" - # "--keep-monthly 12" - # "--keep-yearly 75" - # ]; - - # # extraOpts = [ - # # "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'" - # # ]; - # }; - } diff --git a/nix/hosts/corrino/www/miniflux.emile.space.nix b/nix/hosts/corrino/www/miniflux.emile.space.nix index f5b9817..90cb8f2 100644 --- a/nix/hosts/corrino/www/miniflux.emile.space.nix +++ b/nix/hosts/corrino/www/miniflux.emile.space.nix @@ -11,39 +11,48 @@ }; }; + # oidc not working and I can't bother to continue debugging it now + # + # Apr 12 15:37:38 corrino authelia[3693799]: {"level":"error","method":"POST","msg":"Access Request failed with error: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The request was determined to be using 'token_endpoint_auth_method' method 'none', however the OAuth 2.0 client registration does not allow this method. The registered client with id 'miniflux' is configured to only support 'token_endpoint_auth_method' method 'client_secret_basic'. Either the Authorization Server client registration will need to have the 'token_endpoint_auth_method' updated to 'none' or the Relying Party will need to be configured to use 'client_secret_basic'. + # + # age.secrets.miniflux_oidc_client_secret.owner = "authelia-main"; + # age.secrets.miniflux_oidc_client_secret.group = "authelia-main"; + # # auth via authelia - services.authelia.instances.main.settings.identity_providers.oidc.clients = [ - { - id = "miniflux"; + # services.authelia.instances.main.settings.identity_providers.oidc.clients = [ + # { + # client_id = "miniflux"; - # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$rlOuqUDGc/kl3bw7JgcSpg$4COyNudsu/7L8qhnxfcQld5Fy.ru/JUp7RCI7dCHZMtzxRnhckW8A7uz3Xeuc7.BjCIwc4GdWusPt6.TiH6Kpw"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = [ "https://miniflux.emile.space/oauth2/oidc/callback" ]; - scopes = [ - "openid" - "email" - "profile" - ]; - grant_types = [ - "refresh_token" - "authorization_code" - ]; - response_types = [ "code" ]; - response_modes = [ - "form_post" - "query" - "fragment" - ]; - token_endpoint_auth_method = "client_secret_post"; - } - ]; + # # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 + # client_secret = "{{ secret \"${config.age.secrets.miniflux_oidc_client_secret.path}\" }}"; + # public = false; + # authorization_policy = "two_factor"; + # redirect_uris = [ "https://miniflux.emile.space/oauth2/oidc/callback" ]; + # scopes = [ + # "openid" + # "email" + # "profile" + # ]; + # # grant_types = [ + # # "refresh_token" + # # "authorization_code" + # # ]; + # # response_types = [ "code" ]; + # # response_modes = [ + # # "form_post" + # # "query" + # # "fragment" + # # ]; + # # token_endpoint_auth_method = "client_secret_post"; + # # token_endpoint_auth_method = "none"; + # } + # ]; services.miniflux = { enable = true; package = pkgs.miniflux; config = { + LISTEN_ADDR = "[::1]:${toString config.emile.ports.miniflux}"; BASE_URL = "https://miniflux.emile.space"; # Cleanup job frequency to remove old sessions and archive entries. @@ -53,21 +62,20 @@ # MAINTENANCE_MODE = 1; # MAINTENANCE_MESSAGE = "updating foo"; - OAUTH2_CLIENT_ID = "miniflux"; - OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.miniflux_oidc_secret.path; - OAUTH2_OIDC_DISCOVERY_ENDPOINT = "sso.emile.space"; - OAUTH2_OIDC_PROVIDER_NAME = "authelia"; - OAUTH2_PROVIDER = "oidc"; - OAUTH2_REDIRECT_URL = "https://miniflux.emile.space/oauth2/oidc/callback"; + # DISABLE_LOCAL_AUTH = "true"; + # OAUTH2_CLIENT_ID = "miniflux"; + # OAUTH2_USER_CREATION = 1; + # OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.miniflux_oidc_secret.path; + # OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://sso.emile.space"; + # OAUTH2_OIDC_PROVIDER_NAME = "authelia"; + # OAUTH2_PROVIDER = "oidc"; + # OAUTH2_REDIRECT_URL = "https://miniflux.emile.space/oauth2/oidc/callback"; - LISTEN_ADDR = "[::1]:${toString config.emile.ports.miniflux}"; + LOG_LEVEL = "debug"; }; createDatabaseLocally = true; # File containing the ADMIN_USERNAME and ADMIN_PASSWORD (length >= 6) in the format of an EnvironmentFile=, as described by systemd.exec(5). adminCredentialsFile = config.age.secrets.miniflux_admin_file.path; }; - - - } diff --git a/nix/hosts/corrino/www/photo/immich.nix b/nix/hosts/corrino/www/photo/immich.nix index 92a3a64..3e1bf48 100644 --- a/nix/hosts/corrino/www/photo/immich.nix +++ b/nix/hosts/corrino/www/photo/immich.nix @@ -6,6 +6,15 @@ forceSSL = true; enableACME = true; locations = { + # # immich private proxy + # "/share" = { + # proxyPass = "http://${config.services.immich.host}:${toString config.services.immich-public-proxy.port}"; + # }; + # "/share/*" = { + # proxyPass = "http://${config.services.immich.host}:${toString config.services.immich-public-proxy.port}"; + # }; + + # immich "/" = { proxyPass = "http://${config.services.immich.host}:${toString config.services.immich.port}"; proxyWebsockets = true; @@ -13,13 +22,17 @@ }; }; + age.secrets.immich_oidc_client_secret.owner = "authelia-main"; + age.secrets.immich_oidc_client_secret.group = "authelia-main"; + # auth via authelia services.authelia.instances.main.settings.identity_providers.oidc.clients = [ { - id = "Immich"; + client_id = "Immich"; # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$iCgyAKjoYH9UKADProvbgw$LjrYkX1MjjtSXWDkxDjyp3NkLLuLVvKVwy3o8/Rw.8Z8b6yCkPWdBCothuCMlaGcgfG/zLWM6lRV4BrXVZpkig"; + client_secret = "{{ secret \"${config.age.secrets.immich_oidc_client_secret.path}\" }}"; + public = false; authorization_policy = "two_factor"; redirect_uris = [ @@ -43,15 +56,14 @@ # "fragment" #]; - token_endpoint_auth_method = "client_secret_basic"; + # token_endpoint_auth_method = "client_secret_basic"; # might be needed since the upgrade to nixos-24.11 and the resulting # 4.37.5 -> 4.38.17 upgrade - # token_endpoint_auth_method = "client_secret_post"; + token_endpoint_auth_method = "client_secret_post"; } ]; - services.immich = { enable = true; package = pkgs.immich; @@ -59,7 +71,7 @@ secretsFile = config.age.secrets.immich_secrets_file.path; host = "127.0.0.1"; - port = config.emile.ports.immich; + port = config.emile.ports.photo.immich; machine-learning = { enable = false; @@ -68,4 +80,19 @@ }; }; }; + + # services.immich-public-proxy = { + # enable = true; + # package = pkgs.immich-public-proxy; + # settings = { + # downloadOriginalPhoto = true; + # showGalleryTitle = true; + # allowDownloadAll = 1; + # showHomePage = true; + # showMetadata = true; + # }; + # port = config.emile.ports.photo.immich-public-proxy; + # openFirewall = false; + # immichUrl = "photo.emile.space"; + # }; } diff --git a/nix/hosts/corrino/www/prometheus.emile.space.nix b/nix/hosts/corrino/www/prometheus.emile.space.nix index 898f3b2..ec13dfa 100644 --- a/nix/hosts/corrino/www/prometheus.emile.space.nix +++ b/nix/hosts/corrino/www/prometheus.emile.space.nix @@ -38,15 +38,43 @@ enable = true; port = config.emile.ports.prometheus.exporter.nginx; }; + restic = { + enable = true; + # repository = "sftp:u331921@u331921.your-storagebox.de:/home/backup"; + repository = "/mnt/storagebox-bx11/corrino"; + port = config.emile.ports.prometheus.exporter.restic; + passwordFile = config.age.secrets.restic_password.path; + }; }; scrapeConfigs = [ { job_name = "corrino"; static_configs = [ - { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; } - { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.systemd.port}" ]; } - { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.smartctl.port}" ]; } - { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" ]; } + { + targets = [ + "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" + ]; + } + { + targets = [ + "127.0.0.1:${toString config.services.prometheus.exporters.systemd.port}" + ]; + } + { + targets = [ + "127.0.0.1:${toString config.services.prometheus.exporters.smartctl.port}" + ]; + } + { + targets = [ + "127.0.0.1:${toString config.services.prometheus.exporters.nginx.port}" + ]; + } + { + targets = [ + "127.0.0.1:${toString config.services.prometheus.exporters.restic.port}" + ]; + } ]; } { diff --git a/nix/hosts/corrino/www/promtail.emile.space.nix b/nix/hosts/corrino/www/promtail.emile.space.nix deleted file mode 100644 index 654414c..0000000 --- a/nix/hosts/corrino/www/promtail.emile.space.nix +++ /dev/null @@ -1,114 +0,0 @@ -{ config, ... }: - -{ - # allow the promtail user to read the nginx access files - users.users.promtail.extraGroups = [ "nginx" ]; - - services = { - promtail = { - enable = true; - configuration = { - server = { - http_listen_port = config.emile.ports.promtail; - grpc_listen_port = 0; - }; - positions.filename = "/tmp/positions.yml"; - clients = [{ - url = "http://localhost:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push"; - }]; - scrape_configs = [ - - # systemd - { - job_name = "journal"; - journal = { - max_age = "12h"; - labels = { - job = "systemd-journal"; - host = config.networking.hostName; - }; - }; - relabel_configs = [ - { - source_labels = [ "__journal__systemd_unit" ]; - target_label = "unit"; - } - ]; - } - - # nginx error log - { - job_name = "nginx-error-logs"; - static_configs = [{ - targets = [ "localhost" ]; - labels = { - job = "nginx-error-logs"; - host = "corrino"; - __path__ = "/var/log/nginx/*error.log"; - }; - }]; - } - - # nginx - { - job_name = "nginx"; - static_configs = [ - { - targets = [ "localhost" ]; - labels = { - job = "nginx"; - host = "corrino"; - __path__ = "/var/log/nginx/*access.log"; - }; - } - ]; - pipeline_stages = [ - # { - # regex = { - # expression = "(?:[0-9]{1,3}\.){3}([0-9]{1,3})"; - # replace = "***"; - # }; - # } - { - regex = { - expression = ''(?P.+) - - \[(?P.+)\] "(?P.+) (?P.+) (HTTP\/(?P\d.\d))" (?P\d{3}) (?P\d+) (["](?P(\-)|(.+))["]) (["](?P.+)["])''; - }; - } - { - labels = { - remote_addr = null; - time_local = null; - method = null; - url = null; - status = null; - body_bytes_sent = null; - http_referer = null; - http_user_agent = null; - }; - } - { - timestamp = { - source = "time_local"; - format = "02/Jan/2006:15:04:05 -0700"; - }; - } - { - drop = { - source = "url"; - expression = ''/(_matrix|.well-known|notifications|api|identity).*''; - }; - } - { - drop = { - source = "url"; - expression = ''grafana.*''; - }; - } - ]; - } - - ]; - }; - }; - }; -} diff --git a/nix/hosts/corrino/www/s3.emile.space.nix b/nix/hosts/corrino/www/s3.emile.space.nix index b4646ad..ae33542 100644 --- a/nix/hosts/corrino/www/s3.emile.space.nix +++ b/nix/hosts/corrino/www/s3.emile.space.nix @@ -1,12 +1,21 @@ -{ config, ... }: +{ config, pkgs, ... }: { + security.acme.certs."s3.emile.space" = { + group = "nginx"; + domain = "s3.emile.space"; + extraDomainNames = [ + "*.s3.emile.space" + "*.s3-web.emile.space" + ]; + }; + services.nginx.virtualHosts."s3.emile.space" = { forceSSL = true; enableACME = true; locations = { "/" = { - proxyPass = "http://[::1]:${toString config.emile.ports.minio.s3}"; + proxyPass = "http://[::1]:${toString config.emile.ports.garage.s3}"; }; }; }; @@ -16,24 +25,96 @@ enableACME = true; locations = { "/" = { - proxyPass = "http://[::1]:${toString config.emile.ports.minio.web}"; + proxyPass = "http://[::1]:${toString config.emile.ports.garage.web}"; }; }; }; - services.minio = { + services.garage = { enable = true; - region = "eu-north-1-hel-1a"; # corrino is in the helsinki hetzner dc + package = pkgs.garage_1_x; + settings = { + data_dir = [ + { capacity = "50G"; path = "/var/lib/garage/data"; } + ]; - listenAddress = "[::1]:${toString config.emile.ports.minio.s3}"; + db_engine = "sqlite"; + replication_factor = 3; - browser = true; - consoleAddress = "[::1]:${toString config.emile.ports.minio.web}"; + s3_api = { + s3_region = "garage"; + api_bind_addr = "[::]:${toString config.emile.ports.garage.s3}"; + root_domain = "s3.emile.space"; + }; + s3_web = { + bind_addr = "[::]:${toString config.emile.ports.garage.web}"; + root_domain = "s3-web.emile.space"; + index = "index.html"; + }; + admin = { + api_bind_addr = "[::]:${toString config.emile.ports.garage.admin}"; + # metrics_token = config.age.secrets.garage_admin_metrics_secret.path; + # admin_token = config.age.secrets.garage_admin_token_secret.path; + }; - dataDir = [ "/minio/data" ]; - configDir = "/minio/config"; + # rpc_secret_file = config.age.secrets.garage_rpc_secret.path; + rpc_bind_addr = "[::]:${toString config.emile.ports.garage.rpc}"; + rpc_bind_outgoing = false; + rpc_public_addr = "[fc00:1::1]:${toString config.emile.ports.garage.rpc}"; + }; - rootCredentialsFile = config.age.secrets.minio_root_credz.path; - # accessKey + environmentFile = config.age.secrets.garage_env.path; }; +# metrics_token = config.age.secrets.garage_admin_metrics_secret.path; +# admin_token = config.age.secrets.garage_admin_token_secret.path; +# rpc_secret_file = config.age.secrets.garage_rpc_secret.path; + +# nix/hosts/corrino/secrets/garage_admin_metrics_secret.age +# nix/hosts/corrino/secrets/garage_admin_token_secret.age +# nix/hosts/corrino/secrets/garage_admin_token.age +# nix/hosts/corrino/secrets/garage_metrics_token.age +# nix/hosts/corrino/secrets/garage_rpc_secret.age + + # services.garage = { + # enable = true; + # package = pkgs.garage_1_x; + # settings = { + # db_engine = "sqlite"; + # replication_factor = 2; + + # data_dir = [ + # { capacity = "50G"; path = dataDir; } + # ]; + + # compression_level = 1; + + # rpc_secret_file = config.age.secrets.garage_rpc_secret.path; + # rpc_bind_addr = "[::]:${toString config.emile.ports.garage.rpc}"; + # rpc_bind_outgoing = false; + # rpc_public_addr = "[fc00:1::1]:${toString config.emile.ports.garage.rpc}"; + + # allow_world_readable_secrets = false; + + # s3_api = { + # api_bind_addr = "[::]:${toString config.emile.ports.garage.s3}"; + # s3_region = "garage"; + # root_domain = "s3.emile.space"; + # }; + + # s3_web = { + # bind_addr = "[::]:${toString config.emile.ports.garage.web}"; + # root_domain = "s3-web.emile.space"; + # add_host_to_metrics = true; + # }; + + # admin = { + # api_bind_addr = "[::]:${toString config.emile.ports.garage.admin}"; + # metrics_token = config.age.secrets.garage_admin_metrics_secret.path; + # admin_token = config.age.secrets.garage_admin_token_secret.path; + # trace_sink = "http://localhost:4317"; + # }; + + # }; + # logLevel = "trace"; # info + # }; } diff --git a/nix/hosts/corrino/www/sb.emile.space.nix b/nix/hosts/corrino/www/sb.emile.space.nix deleted file mode 100644 index 0522e25..0000000 --- a/nix/hosts/corrino/www/sb.emile.space.nix +++ /dev/null @@ -1,114 +0,0 @@ -{ config, pkgs, ... }: - -{ - services.nginx.virtualHosts."sb.emile.space" = { - forceSSL = true; - enableACME = true; - locations = { - "/" = { - proxyPass = "http://${config.services.silverbullet.listenAddress}:${toString config.services.silverbullet.listenPort}"; - extraConfig = '' - ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. - auth_request /internal/authelia/authz; - - ## Save the upstream metadata response headers from Authelia to variables. - auth_request_set $user $upstream_http_remote_user; - auth_request_set $groups $upstream_http_remote_groups; - auth_request_set $name $upstream_http_remote_name; - auth_request_set $email $upstream_http_remote_email; - - ## Inject the metadata response headers from the variables into the request made to the backend. - proxy_set_header Remote-User $user; - proxy_set_header Remote-Groups $groups; - proxy_set_header Remote-Email $email; - proxy_set_header Remote-Name $name; - - ## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method' - ## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url - ## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily. - - ## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint. - auth_request_set $redirection_url $upstream_http_location; - - ## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url. - error_page 401 =302 $redirection_url; - - ## Legacy Method: Set $target_url to the original requested URL. - ## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module. - # set $target_url $scheme://$http_host$request_uri; - - ## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd' - ## URL parameter set to $target_url. This requires users update 'auth.example.com/' with their external authelia URL. - # error_page 401 =302 https://sso.emile.space/?rd=$target_url; - ''; - }; - "/internal/authelia/authz" = { - extraConfig = '' - ## Essential Proxy Configuration - internal; - proxy_pass https://sso.emile.space/api/authz/auth-request; - - ## Headers - ## The headers starting with X-* are required. - proxy_set_header X-Original-Method $request_method; - proxy_set_header X-Original-URL $scheme://$http_host$request_uri; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Content-Length ""; - proxy_set_header Connection ""; - - ## Basic Proxy Configuration - proxy_pass_request_body off; - proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead - proxy_redirect http:// $scheme://; - proxy_http_version 1.1; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; - proxy_buffers 4 32k; - client_body_buffer_size 128k; - - ## Advanced Proxy Configuration - send_timeout 5m; - proxy_read_timeout 240; - proxy_send_timeout 240; - proxy_connect_timeout 240; - ''; - }; - }; - }; - - # auth via authelia - # services.authelia.instances.main.settings.identity_providers.oidc.clients = [ - # { - # id = "silverbullet"; - - # # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - # secret = "$pbkdf2-sha512$310000$mxk7uITQOZNYEqeinigQnw$wsF2S6RPL2zVRg1X0bAuINh8Lu5PuA/2/FYJSy3i/Ig5vtCzaIFb0xYEcus4jkqTIgyp3aBxtgSzAKjQKC.QKg"; - # public = false; - # authorization_policy = "two_factor"; - # redirect_uris = [ "https://md.emile.space/auth/oauth2/callback" ]; - # scopes = [ - # "openid" - # "email" - # "profile" - # ]; - # grant_types = [ - # "refresh_token" - # "authorization_code" - # ]; - # response_types = [ "code" ]; - # response_modes = [ - # "form_post" - # "query" - # "fragment" - # ]; - # token_endpoint_auth_method = "client_secret_post"; - # } - # ]; - - services.silverbullet = { - enable = true; - spaceDir = "/var/lib/silverbullet"; - listenPort = 3000; - listenAddress = "[::1]"; - }; -} diff --git a/nix/hosts/corrino/www/social.emile.space.nix b/nix/hosts/corrino/www/social.emile.space.nix index 210f0be..d9d30f7 100644 --- a/nix/hosts/corrino/www/social.emile.space.nix +++ b/nix/hosts/corrino/www/social.emile.space.nix @@ -38,13 +38,17 @@ }; }; + age.secrets.gotosocial_oidc_client_secret.owner = "authelia-main"; + age.secrets.gotosocial_oidc_client_secret.group = "authelia-main"; + # auth via authelia services.authelia.instances.main.settings.identity_providers.oidc.clients = [ { - id = "gotosocial"; + client_id = "gotosocial"; # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$oDpZ5FuO965TbjPoophJXw$dbkAwWFvLN1h1Zh9US2ZOE5ilPRdEHMdGF/x0uorou2UqURrXF0KQmXxsV38F2yYMS7u/ecramKlvfMwsqHOcg"; + client_secret = "{{ secret \"${config.age.secrets.gotosocial_oidc_client_secret.path}\" }}"; + public = false; authorization_policy = "two_factor"; redirect_uris = [ "https://social.emile.space/auth/callback" ]; @@ -93,4 +97,21 @@ Restart = "on-failure"; }; }; + + services.restic.backups."corrino" = { + paths = [ "/var/lib/gotosocial" ]; + }; + + services.restic.backups."gotosocial" = { + repository = "/mnt/storagebox-bx11/gotosocial"; + paths = [ "/var/lib/gotosocial" ]; + passwordFile = config.age.secrets.restic_password.path; + initialize = true; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 75" + ]; + }; } diff --git a/nix/hosts/corrino/www/tickets.emile.space.nix b/nix/hosts/corrino/www/tickets.emile.space.nix index fb12961..08f23d3 100644 --- a/nix/hosts/corrino/www/tickets.emile.space.nix +++ b/nix/hosts/corrino/www/tickets.emile.space.nix @@ -18,7 +18,7 @@ enable = true; package = pkgs.pretix; plugins = with config.services.pretix.package.plugins; [ - passbook + # passbook pages ]; user = "pretix"; diff --git a/nix/hosts/lampadas/configuration.nix b/nix/hosts/lampadas/configuration.nix index 007f8a1..d2630a8 100644 --- a/nix/hosts/lampadas/configuration.nix +++ b/nix/hosts/lampadas/configuration.nix @@ -230,7 +230,6 @@ in openFirewall = true; settings = { global = { - ## Browsing/Identification ### "workgroup" = "Pacific"; "server string" = "lampadas"; @@ -322,18 +321,6 @@ in "force user" = "emile"; "guest ok" = "no"; "read only" = "no"; - - # "fruit:aapl" = "yes"; - # "fruit:copyfile" = "yes"; - # "fruit:delete_empty_adfiles" = "yes"; - # "fruit:metadata" = "stream"; - # "fruit:posix_rename" = "yes"; - # "fruit:time machine" = "yes"; - # "fruit:veto_appledouble" = "no"; - # "fruit:wipe_intentionally_left_blank_rfork" = "yes"; - # "fruit:nfs_aces" = "no"; - # "fruit:zero_file_id" = "yes"; - # "fruit:encoding" = "native"; }; public = { diff --git a/nix/lib/flake-helper.nix b/nix/lib/flake-helper.nix index f841fa5..e58e8b1 100644 --- a/nix/lib/flake-helper.nix +++ b/nix/lib/flake-helper.nix @@ -6,6 +6,8 @@ deploy-rs, home-manager, darwin, + flake-utils, + pwndbg, ... }@inputs: @@ -65,7 +67,7 @@ rec { if system == "x86_64-linux" then self.nixosModules.x86_64-linux else if system == "aarch64-darwin" then - ({ }) + { } else null ) @@ -88,6 +90,8 @@ rec { self.overlays.x86_64-linux else if system == "aarch64-darwin" then self.overlays.aarch64-darwin + # // self.overlays.unstable-darwin + # {} else null ) @@ -95,7 +99,9 @@ rec { # no clue why, but when rebuilding corrino and this not being commented, # something in the hardware.bluetooth module breaks # - # (if system == "aarch64-darwin" then self.overlays.unstable-darwin else null) + # (if system == "aarch64-darwin" + # then self.overlays.unstable-darwin + # else null) (_: _: { inherit (agenix.packages."x86_64-linux") agenix; }) @@ -240,4 +246,35 @@ rec { # don't build hosts that start with an underscore (nixpkgs.lib.filterAttrs (name: host: (builtins.substring 0 1 name) != "_") hosts); + + # A function taking an attribute set of flake templates, importing their + # flake.nix/output/packages (if there are any) and returning an attribute set + # of their packages (if the template has one or more) + template-packages = + builtins.mapAttrs (name: value: + (((import ../../nix/templates/${name}/flake.nix).outputs) + { inherit nixpkgs flake-utils pwndbg; }) + .packages or { } + ); + + # TODO(emile): templates + # apply the above function to the templates + # templates = template-packages self.templates; + + # TODO(emile): templates + # Merge template packages into root packages with template prefix + # merged-template-packages = + # system: + # let + # lib = nixpkgs.lib; + # in + # lib.foldl ( + # acc: tplName: + # let + # tplPkgs = templates.${tplName}.${system} or { }; + # prefixed = lib.mapAttrs' (pkgName: pkg: lib.nameValuePair "${tplName}-${pkgName}" pkg) tplPkgs; + # in + # acc // prefixed + # ) { } (builtins.attrNames templates); + } diff --git a/nix/modules/libvirtnix/a.xml b/nix/modules/libvirtnix/a.xml new file mode 100644 index 0000000..1255ad4 --- /dev/null +++ b/nix/modules/libvirtnix/a.xml @@ -0,0 +1,259 @@ + + fileserver2 + d62e0276-d474-452b-80f4-c951c39bcf74 + + + + + + 2097152 + 2097152 + 3 + + /machine + + + hvm + /usr/share/OVMF/OVMF_CODE.fd + /var/lib/libvirt/qemu/nvram/fileserver2_VARS.fd + + + + + + + + + + + + + + destroy + restart + destroy + + + + + + /usr/bin/qemu-system-x86_64 + + + + + + +
+ + + + + + + +
+ + + + + + + +
+ + + +
+ + + + + + + + +
+ + + + + +
+ + + + + +
+ + + + + +
+ + + + + +
+ + + + + +
+ + + + + +
+ + + + + +
+ + + + + +
+ + + + + +
+ + + + + +
+ + + + + +
+ + + + + +
+ + + + + +
+ + + + + +
+ + + + +
+ + + +
+ + + +
+ + + +
+ + + + + + + +
+ + + + + + + + + + + + + + + + + +
+ + + + +
+ + + +
+ + + + + + + + + + + + +
+ +