diff --git a/.gitea/workflows/eval-hydra-jobs.yml b/.gitea/workflows/eval-hydra-jobs.yml
deleted file mode 100644
index 6a6d5ee4..00000000
--- a/.gitea/workflows/eval-hydra-jobs.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-name: "Evaluate Hydra Jobs"
-on:
- pull_request:
- push:
-jobs:
- eval-hydra-jobs:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- - name: Install dependencies for Nix setup action
- run: |
- apt update -y
- apt install sudo -y
- - uses: cachix/install-nix-action@v27
- - run: nix eval --no-update-lock-file --accept-flake-config .\#hydraJobs
diff --git a/.gitea/workflows/flake-check.yml b/.gitea/workflows/flake-check.yml
index 2685715c..4357cb5d 100644
--- a/.gitea/workflows/flake-check.yml
+++ b/.gitea/workflows/flake-check.yml
@@ -1,6 +1,5 @@
 name: "Check flake syntax"
 on:
- pull_request:
 push:
 jobs:
 flake-check:
@@ -11,5 +10,5 @@ jobs:
 run: |
 apt update -y
 apt install sudo -y
- - uses: cachix/install-nix-action@v27
+ - uses: cachix/install-nix-action@v30
 - run: nix flake check --no-update-lock-file --accept-flake-config .
diff --git a/doc/src/Index.md b/doc/src/Index.md
index 8b013d6a..104fd5b7 100644
--- a/doc/src/Index.md
+++ b/doc/src/Index.md
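Review bot: The bumped `- uses: cachix/install-nix-action@v30` (like `actions/checkout@v4` in the context lines) references a mutable tag rather than a commit, so whoever can move that tag controls what runs with this job's `--accept-flake-config` privileges on every push; pin the full commit SHA and keep the tag as a comment, `- uses: cachix/install-nix-action@<40-char-commit-sha> # v30`. Removing `pull_request:` in the first hunk means the syntax check is no longer guaranteed to run before merge for changes that do not arrive as a push to this repository (fork PRs, as far as I can tell from the trigger model); if that is deliberate, a one-line comment next to `on:` stating why would save the next reader a git-blame.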
@@ -1 +1,82 @@ -# Index +# malobeo infrastructure + +this repository nxios configurations of the digital malobeo infrastructure. it should be used to setup, test, build and deploy different hosts in a reproducible manner. + +the file structure is based on this [blog post](https://samleathers.com/posts/2022-02-03-my-new-network-and-deploy-rs.html) + +### deploying configuration +#### local deployment +``` shell +nixos-rebuild switch --use-remote-sudo +``` + +#### remote deployment +you need the hostname and ip address of the host: +``` shell + nixos-rebuild switch --flake .# --target-host root@ --build-host localhost +``` + +in this case 'localhost' is used as buildhost which can be usefull if the target host is low systemresources + + +## development + +### requirements +we use flake based configurations for our hosts. if you want to build configurations on you own machine you have to enable flakes first by adding the following to your *configuration.nix* or *nix.conf* +``` nix +nix.extraOptions = '' + experimental-features = nix-command flakes +''; +``` + +More information about flakes can be found [here](https://nixos.wiki/wiki/Flakes) + +### dev shell +a development shell with the correct environment can be created by running ```nix develop ``` + +If you're using direnv you can add flake support by following those steps: [link](https://nixos.wiki/wiki/Flakes#Direnv_integration) + +### build a configuration + +to build a configuration run the following command (replace `````` with the actual hostname): + +``` shell +nix build .#nixosConfigurations..config.system.build.toplevel +``` + +### building raspberry image + +for the raspberry it is possible to build the whole configuration as an sd-card image which then can be flashed directly. more information about building arm on nixos can be found [here](https://nixos.wiki/wiki/NixOS_on_ARM). + +to be able to build the image you need to enable qemu emulation on the machine you are building with. 
therefore it is necessary to add the following to your configuration.nix: + +``` nix +boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; +``` + +then you can build the image with: + +``` shell +nix build .#nixosConfigurations.rpi1_base_image.config.system.build.sdImage +``` + +### run a configuration as vm + +to run a vm we have to build it first using the following command (replace `````` with the actual hostname): + +``` shell +nix build .#nixosConfigurations..config.system.build.vm +``` + +afterwards run the following command to start the vm: + +``` shell +./result/bin/run--vm +``` + +### documentation + +for documentation we currently just use README.md files. + +the devshell provides the python package ['grip'](https://github.com/joeyespo/grip) which can be used to preview different README.md files in the browser. +the usage is simple, just run ```grip``` in the same folder as the README.md you wanna preview. then open your browser at ```http://localhost:6419 ```. diff --git a/flake.lock b/flake.lock index 2204f3f5..5e4e10da 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1730135292, - "narHash": "sha256-CI27qHAbc3/tIe8sb37kiHNaeCqGxNimckCMj0lW5kg=", + "lastModified": 1736864502, + "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=", "owner": "nix-community", "repo": "disko", - "rev": "ab58501b2341bc5e0fc88f2f5983a679b075ddf5", + "rev": "0141aabed359f063de7413f80d906e1d98c0c123", "type": "github" }, "original": { @@ -67,11 +67,11 @@ ] }, "locked": { - "lastModified": 1733951536, - "narHash": "sha256-Zb5ZCa7Xj+0gy5XVXINTSr71fCfAv+IKtmIXNrykT54=", + "lastModified": 1736373539, + "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", "owner": "nix-community", "repo": "home-manager", - "rev": "1318c3f3b068cdcea922fa7c1a0a1f0c96c22f5f", + "rev": "bd65bc3cde04c16755955630b344bc9e35272c56", "type": "github" }, "original": { 
@@ -109,11 +109,11 @@
 "spectrum": "spectrum"
 },
 "locked": {
- "lastModified": 1734041466,
- "narHash": "sha256-51bhaMe8BZuNAStUHvo07nDO72wmw8PAqkSYH4U31Yo=",
+ "lastModified": 1736905611,
+ "narHash": "sha256-eW6SfZRaOnOybBzhvEzu3iRL8IhwE0ETxUpnkErlqkE=",
 "owner": "astro",
 "repo": "microvm.nix",
- "rev": "3910e65c3d92c82ea41ab295c66df4c0b4f9e7b3",
+ "rev": "a18d7ba1bb7fd4841191044ca7a7f895ef2adf3b",
 "type": "github"
 },
 "original": {
@@ -124,11 +124,11 @@
 },
 "nixlib": {
 "locked": {
- "lastModified": 1733620091,
- "narHash": "sha256-5WoMeCkaXqTZwwCNLRzyLxEJn8ISwjx4cNqLgqKwg9s=",
+ "lastModified": 1736643958,
+ "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
- "rev": "f4dc9a6c02e5e14d91d158522f69f6ab4194eb5b",
+ "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
 "type": "github"
 },
 "original": {
@@ -145,11 +145,11 @@
 ]
 },
 "locked": {
- "lastModified": 1733965598,
- "narHash": "sha256-0tlZU8xfQGPcBOdXZee7P3vJLyPjTrXw7WbIgXD34gM=",
+ "lastModified": 1737057290,
+ "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "d162ffdf0a30f3d19e67df5091d6744ab8b9229f",
+ "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
 "type": "github"
 },
 "original": {
@@ -160,11 +160,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1733861262,
- "narHash": "sha256-+jjPup/ByS0LEVIrBbt7FnGugJgLeG9oc+ivFASYn2U=",
+ "lastModified": 1736978406,
+ "narHash": "sha256-oMr3PVIQ8XPDI8/x6BHxsWEPBRU98Pam6KGVwUh8MPk=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "cf737e2eba82b603f54f71b10cb8fd09d22ce3f5",
+ "rev": "b678606690027913f3434dea3864e712b862dde5",
 "type": "github"
 },
 "original": {
@@ -192,11 +192,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1733759999,
- "narHash": "sha256-463SNPWmz46iLzJKRzO3Q2b0Aurff3U1n0nYItxq7jU=",
+ "lastModified": 1737062831,
+ "narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "a73246e2eef4c6ed172979932bc80e1404ba2d56",
+ "rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c",
 "type": "github"
 },
 "original": {
@@ -208,11 +208,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1733808091,
- "narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=",
+ "lastModified": 1736916166,
+ "narHash": "sha256-puPDoVKxkuNmYIGMpMQiK8bEjaACcCksolsG36gdaNQ=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e",
+ "rev": "e24b4c09e963677b1beea49d411cd315a024ad3a",
 "type": "github"
 },
 "original": {
@@ -245,11 +245,11 @@
 ]
 },
 "locked": {
- "lastModified": 1733965552,
- "narHash": "sha256-GZ4YtqkfyTjJFVCub5yAFWsHknG1nS/zfk7MuHht4Fs=",
+ "lastModified": 1737107480,
+ "narHash": "sha256-GXUE9+FgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "2d73fc6ac4eba4b9a83d3cb8275096fbb7ab4004",
+ "rev": "4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6",
 "type": "github"
 },
 "original": {
diff --git a/machines/.sops.yaml b/machines/.sops.yaml
index 704e5fed..ece6ddf4 100644
--- a/machines/.sops.yaml
+++ b/machines/.sops.yaml
@@ -73,3 +73,12 @@ creation_rules:
 - *admin_kalipso_dsktp
 age:
 - *admin_atlan
+
+ - path_regex: nextcloud/secrets.yaml$
+ key_groups:
+ - pgp:
+ - *admin_kalipso
+ - *admin_kalipso_dsktp
+ - *machine_durruti
+ age:
+ - *admin_atlan
\ No newline at end of file
diff --git a/machines/configuration.nix b/machines/configuration.nix
index d176016d..3fb5a049 100644
--- a/machines/configuration.nix
+++ b/machines/configuration.nix
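Review bot: The new `path_regex: nextcloud/secrets.yaml$` rule lists only the two admin PGP keys, `*machine_durruti` and the `*admin_atlan` age key, and the committed `machines/nextcloud/secrets.yaml` correspondingly carries one age and three PGP recipients; nothing in the rule obviously corresponds to the `nextcloud` microVM on which sops-nix has to decrypt `nextcloudAdminPass` at activation. Unless durruti's key is the one that VM (or its host fanny) presents, the secret cannot be decrypted there and the sops activation step on the new VM fails; the VM's host-key-derived age recipient should be added to this rule and the file re-encrypted with `sops updatekeys`. The `\ No newline at end of file` is also worth fixing so the next appended rule does not produce a noisy diff.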
@@ -170,10 +170,20 @@ in
 ];
 };
 
+ nextcloud = nixosSystem {
+ system = "x86_64-linux";
+ specialArgs.inputs = inputs;
+ specialArgs.self = self;
+ modules = makeMicroVM "nextcloud" "10.0.0.13" "D0:E5:CA:F0:D7:E9" [
+ ./nextcloud/configuration.nix
+ ];
+ };
+
 testvm = nixosSystem {
 system = "x86_64-linux";
 specialArgs.inputs = inputs;
 specialArgs.self = self;
 modules = defaultModules ++ [ ./testvm ];
 };
+
 }
diff --git a/machines/fanny/configuration.nix b/machines/fanny/configuration.nix
index 946d25e5..2eb0c6b3 100644
--- a/machines/fanny/configuration.nix
+++ b/machines/fanny/configuration.nix
@@ -53,7 +53,7 @@ in
 };
 
 services.malobeo.microvm.enableHostBridge = true;
- services.malobeo.microvm.deployHosts = [ "infradocs" ];
+ services.malobeo.microvm.deployHosts = [ "infradocs" "nextcloud" ];
 
 networking = {
 firewall = {
@@ -70,6 +70,14 @@ in
 '';
 };
 };
+
+ virtualHosts."cloud.malobeo.org" = {
+ locations."/" = {
+ proxyPass = "http://10.0.0.13";
+ extraConfig = ''
+ '';
+ };
+ };
 };
 
 services.tor = {
diff --git a/machines/nextcloud/configuration.nix b/machines/nextcloud/configuration.nix
new file mode 100644
index 00000000..2c6c0501
--- /dev/null
+++ b/machines/nextcloud/configuration.nix
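Review bot: The VM address in `modules = makeMicroVM "nextcloud" "10.0.0.13" "D0:E5:CA:F0:D7:E9" [` is repeated verbatim in `machines/fanny/configuration.nix` (`proxyPass`) and in `machines/nextcloud/configuration.nix` (`trusted_domains`), so renumbering the VM here silently breaks the proxy and the trusted-domains check with no evaluation error. A comment on this line, `# 10.0.0.13 is also hard-coded in fanny's proxyPass and nextcloud's trusted_domains`, or hoisting the address into one binding the other two files read, would keep the three in step. `makeMicroVM` is defined outside this hunk, so I cannot tell whether it already exposes the address for reuse.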
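Review bot: The new `virtualHosts."cloud.malobeo.org"` forwards to `http://10.0.0.13` with an empty `extraConfig` and sets neither `forceSSL` nor `enableACME` within this hunk, while the backend in `machines/nextcloud/configuration.nix` has `https` commented out; unless the enclosing `services.nginx` block (which starts before this hunk) applies TLS to every vhost, the Nextcloud admin password and session cookies travel between clients and fanny in clear text. Nextcloud behind a proxy also needs to be told about the proxy: without `trusted_proxies` and `overwriteprotocol` on the backend, every login appears to come from fanny's bridge address, so Nextcloud's brute-force throttling punishes all users at once and generated links use `http://`. I would add `forceSSL = true; enableACME = true;` to the vhost (mirroring however the existing vhost above is configured), either drop the empty `extraConfig = '' '';` or use it for `client_max_body_size` so uploads are not capped by nginx's default, and confirm `recommendedProxySettings` is enabled so `Host` and `X-Forwarded-*` reach the VM.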
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.secrets = {
+ nextcloudAdminPass = {
+ owner = "nextcloud";
+ group = "nextcloud";
+ };
+ };
+
+ networking = {
+ hostName = mkDefault "nextcloud";
+ useDHCP = false;
+ };
+
+ imports = [
+ ../modules/malobeo_user.nix
+ ../modules/sshd.nix
+ ../modules/minimal_tools.nix
+ ../modules/autoupdate.nix
+ ];
+
+ services.nextcloud = {
+ enable = true;
+ package = pkgs.nextcloud30;
+ hostName = "cloud.malobeo.org";
+ config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
+ #https = true; #disable for testing
+ database.createLocally = true;
+ config.dbtype = "pgsql";
+ configureRedis = true;
+ caching = {
+ redis = true;
+ apcu = true;
+ };
+ extraAppsEnable = true;
+ extraApps = {
+ inherit (config.services.nextcloud.package.packages.apps) contacts calendar;
+ collectives = pkgs.fetchNextcloudApp {
+ sha256 = "sha256-cj/8FhzxOACJaUEu0eG9r7iAQmnOG62yFHeyUICalFY=";
+ url = "https://github.com/nextcloud/collectives/releases/download/v2.15.2/collectives-2.15.2.tar.gz";
+ license = "agpl3Plus";
+ };
+ };
+ settings = {
+ trusted_domains = ["10.0.0.13"];
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
+
diff --git a/machines/nextcloud/secrets.yaml b/machines/nextcloud/secrets.yaml
new file mode 100644
index 00000000..84f38cfa
--- /dev/null
+++ b/machines/nextcloud/secrets.yaml
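Review bot: `settings.trusted_domains = ["10.0.0.13"]` tells Nextcloud about its own address but not about the proxy in front of it: with `#https = true; #disable for testing` left commented out and no `trusted_proxies`, requests forwarded from fanny all appear to originate at the proxy address, so Nextcloud's login throttling keys on one IP for every user and URLs in mails and redirects are generated with `http://`. Before this leaves testing, set `settings.trusted_proxies = [ "<fanny's address on the 10.0.0.0 bridge>" ];` and `settings.overwriteprotocol = "https";` (or simply re-enable `https = true;`), and delete the commented-out line instead of leaving the testing state implicit. Two smaller things: `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens 443 on a VM that, with `https` off, serves nothing there, and `system.stateVersion = "22.11"; # Did you read the comment?` on a brand-new host still carries the template's question; a fresh host should be given the release it was first installed with, since some module defaults are keyed on this value (the Nextcloud module's among them, if I recall correctly).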
@@ -0,0 +1,79 @@ +nextcloudAdminPass: ENC[AES256_GCM,data:es9hhtCcqBqPbV2L,iv:Kyq5kqao0uaMPs0GeRkJT9OWYSZfImBXngg51k0uQ0M=,tag:zN/u90/j4rmdo0HtY+cF9w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmVGxsNmZ3Z0RIYmMyL0Mr + UUpaMEZLTCtQaGFrL1YwOVBicEtNRTVaVGhRCmhDSUgxYXpRcldaMngvOWJDdnNo + b2ZFbUdmcE9EV2E3SkMvZ1RpKzZmeU0KLS0tIE5hNmVFTXpBZFZ3bHYwQlJQaUtw + UFJmTVFaOTJXN09QLzY4emh5Z3hqRjAKXk1PSwR2x0H2cMN06fyigiusz8v2IRIg + S4ZTq/JX39U4QQHgWA1dFPfC636LNBo+QKdl/2mjwnXW7duqDJ+5kA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-26T20:00:50Z" + mac: ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str] + pgp: + - created_at: "2024-11-26T19:59:36Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQGMA5HdvEwzh/H7AQv+KkX46UGQzLvhrk/VUCnnMdLEcNbYfk4h+sZJzs1riOGA + LAKYNeaeN6iLLeZX+T2/s5OT4WkIEKGg8/gziurdx01BR70M96Faubp6EVtdK44+ + 6F5BLLrDhlEKDNOx48qPwJdFjbYW4wZLWmv5nzwPmmRCKO7MoI9UHKq69msCor1i + ralbjlVHyKSuRfvflKAlxFoEqeB6H+ryc54g3stk1j2eFiMNuF/oKDJZT+XI5LHZ + Ai80DAWoUBYgpP4aWiNC075GPutdPlZ3mrGf5+7QnNm7GmNUdJN5VAWmI2NUGr1J + BLopnPFo4juWNsZkLMj2aAuKvGTkhz2PuFKfLj6Erpu82RAjadpFWx239n+i4Ryq + wSquYshpuiecLEejntTBKLEacwp+aPx8IHKnOOKBTdJj+YYaISiznQAlkF7WS+lg + MTZR85BvCxiPogujL7uhYSx1wM5FVkuAIPf1JOJCRvQt30eRRrR0VMrmqQ1Kl5OT + VMzZRIGIoC5vrKGeIIjJ0lgBWQ3bYFh/LGrwKetku6TRAH29mp/XwQqBC97RsUYb + EOxft5sUWaYrXK+z2yzCxOQBWKJISPgcyhdoKfYGnRkHXHi2Uay84oQP4co72eVF + cAhEJOxMw36e + =bSaN + -----END PGP MESSAGE----- + fp: c4639370c41133a738f643a591ddbc4c3387f1fb + - created_at: "2024-11-26T19:59:36Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + 
hQIMA98TrrsQEbXUARAAmG88ZDt43zj6dCJkYYVj7MGIhIviJzilTvX4+EfNobtA + tll60GYfRotKnwbuqzSVaaIcV+6cDQ5I1hG5WNFJSXm7DpJ0W1Ir1x2hpxektXFa + fQ+9HiCOfEqUu5PEynCAD1jN6CQLdl87hLQx9TqbZnHuUYPSH1o9Y6kbA/Vp3bpy + evJc8qa66WHYH1kjdEw+qneD5HzZQOLOtXZ7xkxjGbyMcYex9JfyGHohO5dpLg6B + 3XrLlIWWERVz04MlnzlaMKfzhoMCU9ByqJSQ3VBm9kblQqu54fOZD2sN8j9ACEfL + YNC7Jm2rasVSqv09G1kso9/VNDw3kNCLvjnpE5rJRP7Ckfj+4FxQN/zPVUwQ1e1k + upoQ8MHyf1bJr8vspm/prm9zp+PRRTUwY1Yyts/ffj+CF5ec9M3jr/RSeEAdswsL + 6dLKBL1LuLAjKXOuVnQ7E6gN940Y994sDFkbqEmzzCUHGcfxSF3IDn/qpkQlqerU + B/D43Yef+rtsUDyTA5RUpxKleGORcS4sV0BhQrNXeFclaMTyMr+AbOei4Y77qlD1 + x/fHB3IT4Intvp9k4m6jJ86RtLpVhEoA4cHEdCCiXHzUpA6aVtNHVAOqT/aBykrf + uSm1wu/nl6yKbIwTJueli1OfQYKEYcUdjOrEOwXb+UDQKSohWZrMg0sj7/S6Pl/S + WAG1BZ20HXD2ZrVqESV87Pl04nKMqswrio+BINfAT9X3ya7L3DF69MR18bDt+ZIB + 0F3+9WUREGI5in4S3hXNxrgfLNFl1YLklfWLYcx0HXJN3z6F2eJOUvM= + =aT3U + -----END PGP MESSAGE----- + fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4 + - created_at: "2024-11-26T19:59:36Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1kR3vWkIYVnARAAqFyuCtvu6AidWg/9+btEcjWv0sBZaIRpYfX3p2QECwCu + UYAtssvSHgHdBEQzU27MA/5CGmEreB3NhWrjGquv88RojLO1JuhNHGYPZKeIcBKr + I2oS79RKuYs+d2Qu0KUYDaVoY9M5YJsfkju2FOXqMNYlbqX+lDuWnisigj3n2N4e + OEBnVIpfPBQE6c1Z9DaQJE7MyBbKfg5YeWjlwwh+fCf1dV/nGp+QdD88F3dzWMoK + xNGt69TwZ8JUVmElAIJqLJTpyDI5xHQUw2A6ddPSTk/u363eHhOnZZUNAAm3FdO5 + 0x+4QhcBaH59S8WDZhw4MVmZN7v4+3l3mf7Rx/TXSz4oJg+U7RMgvc291/gowNVm + /cVhBlMYz4Ogx/OYR/t+nzq35r+eBungTB+dRXw7qTTfkCtNgp34JMCkGAq5WWnY + 57H2HtssGiMF0qN4SfWxw7317oUmqHI2XvG0yWt42G++jNgIGbDOtuc/7wATEbhK + SBX2aLqDIB1OUwLHQeawyKkB0qGmRSVPkPg8JLwRp43ICETH1WPkY5m/a2slVlDj + qgdw00clTI5Fgu/5G5QBD4Ds9f9ZwjrMD4v+NYfGxa0ajisXl1X6CL1+YvQ6Uicf + QmIRJYxyVd0VoXScZnsk0T/XTKjJB/fRLRalA2PmlZ1v+gisCUz2dhM+OHtSjGTS + WAG5znRbP8UMVt02O0PgbzHYtIUAtQLCuBnzfEKJn721rqCXf7DXU3jrR73Ys6ce + VJzkVBMnBszF71GN56t0PaUYIDOnaGvgjMtHHtOCLQHSK7asnm/Bc+E= + =Znii + -----END PGP MESSAGE----- + fp: 4095412245b6efc14cf92ca25911def5a4218567 + unencrypted_suffix: 
_unencrypted + version: 3.8.1