kalipso/infrastructure
1
1
Fork 1
Code Issues 42 Pull Requests 2 Actions Projects 2 Releases Wiki Activity

Compare commits

base: kalipso:82695ad5372c22eb8c1ca99341ccdbca4b2351cb
Branches Tags
kalipso:master kalipso:vaultwarden kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver
..
compare: kalipso:fileserver
Branches Tags
kalipso:vaultwarden kalipso:master kalipso:staging kalipso:script kalipso:zineshop kalipso:nextcloud_upgrade_31 kalipso:printer-module kalipso:microvm-dirs kalipso:sanoid kalipso:issue77 kalipso:reproducible-deployments kalipso:reproducible-deployments-filestructure kalipso:issue31 kalipso:microvm-module kalipso:issue47 kalipso:hostbuilder kalipso:better-workflows kalipso:issue51 kalipso:local-testing-v2 kalipso:gitea kalipso:fileserver

4 Commits
82695ad537 ... fileserver

Author SHA1 Message Date
ahtlon
9a667c8bdc kleine fehler behoben
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m48s
Details
2024-10-26 20:16:19 +02:00
ahtlon
705d895f0e erstmal statisches mounten --es fehlt die disk uuid
All checks were successful
Evaluate Hydra Jobs / eval-hydra-jobs (push) Successful in 2m24s
Details
2024-10-26 19:56:46 +02:00
ahtlon
cfc023f9b1 erstelle nfs user 2024-10-26 19:33:49 +02:00
ahtlon
1201f0fc53 erstelle exports ordner 2024-10-26 19:08:14 +02:00
39 changed files with 439 additions and 874 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -4,4 +4,3 @@
result
*.qcow2
.direnv/
book/

33
README.md
View File

@@ -8,7 +8,7 @@ the file structure is based on this [blog post](https://samleathers.com/posts/20
#### durruti
- nixos-container running on dedicated hetzner server
- login via ```ssh -p 222 malobeo@dynamicdiscord.de```
- login via ```ssh -p 222 malobeo@5.9.153.217```
- if rebuild switch fails due to biglock do ```mount -o remount,rw /nix/var/nix/db```
- currently is running tasklist in detached tmux session
- [x] make module with systemd service out of that
@@ -98,3 +98,34 @@ for documentation we currently just use README.md files.
the devshell provides the python package ['grip'](https://github.com/joeyespo/grip) which can be used to preview different README.md files in the browser.
the usage is simple, just run ```grip``` in the same folder as the README.md you wanna preview. then open your browser at ```http://localhost:6419 ```.
## todos...
#### infrastructure
* [ ] host a local wiki with public available information about the space, for example:
* [ ] how to use coffe machine
* [ ] how to turn on/off electricity
* [ ] how to use beamer
* [ ] how to buecher ausleihen
* ...
* [x] host some pad (codimd aka hedgedoc)
* [ ] some network fileshare for storing the movies and streaming them within the network
* [x] malobeo network infrastructure rework
* [x] request mulvad acc
* [x] remove freifunk, use openwrt with mulvad configured
* [ ] evaluate imposing solutions
* [ ] pdfarranger
#### external services
we want to host two services that need a bit more resources, this is a booking system for the room itself and a library system.
- [x] analyse best way to include our stuff into external nixOs server
- [x] writing some module that is included by the server
- [x] directly use nixOs container on host
- [x] combination of both (module that manages nginx blabla + nixOs container for the services
#### bots&progrmaming
* [ ] create telegram bot automatically posting tuesday events
* [x] create webapp/interface replacing current task list pad
* could be a simple form for every tuesday
* [x] element bot should send updates if some tasks are not filled out

1
doc/.gitignore vendored
View File

@@ -1 +0,0 @@
book

6
doc/book.toml
View File

@@ -1,6 +0,0 @@
[book]
authors = ["ahtlon"]
language = "de"
multilingual = false
src = "src"
title = "Malobeo Infrastruktur Dokumentation"

1
doc/src/Index.md
View File

@@ -1 +0,0 @@
# Index

18
doc/src/SUMMARY.md
View File

@@ -1,18 +0,0 @@
# Summary
- [Index](./Index.md)
- [Info]()
- [Aktuelle Server]()
- [Durruti](./server/durruti.md)
- [Lucia](./server/lucia.md)
- [Hardware]()
- [Netzwerk]()
- [Seiten]()
- [Website](./server/website.md)
- [musik](./projekte/musik.md)
- [TODO](./todo.md)
- [How-to]()
- [Sops](./anleitung/sops.md)
- [Updates](./anleitung/updates.md)
- [Rollbacks](./anleitung/rollback.md)
- [MicroVM](./anleitung/microvm.md)

52
doc/src/anleitung/microvm.md
View File

@@ -1,52 +0,0 @@
### Declaring a MicroVM
The hosts nixosSystems modules should be declared using the ```makeMicroVM``` helper function.
Use durruti as orientation:
``` nix
modules = makeMicroVM "durruti" "10.0.0.5" [
./durruti/configuration.nix
];
```
"durruti" is the hostname.
"10.0.0.5" is the IP assigned to its tap interface.
### Testing MicroVMs locally
MicroVMs can be built and run easily on your local host.
For durruti this is done by:
``` bash
sudo nix run .\#nixosConfigurations.durruti.config.microvm.declaredRunner
```
It seems to be necessary to run this as root so that the according tap interface can be created.
To be able to ping the VM or give Internet Access to the VM your host needs to be setup as described below.
### Host Setup
#### Network Bridge
To provide network access to the VMs a bridge interface needs to be created on your host.
For that:
- Add the infrastructure flake as input to your hosts flake
- Add ```inputs.malobeo.nixosModules.malobeo``` to your hosts imports
- enable the host bridge: ```services.malobeo.microvm.enableHostBridge = true;```
If you want to provide Internet access to the VM it is necessary to create a nat.
This could be done like this:
``` nix
networking.nat = {
enable = true;
internalInterfaces = [ "microvm" ];
externalInterface = "eth0"; #change to your interface name
};
```
#### Auto Deploy VMs
By default no MicroVMs will be initialized on the host - this should be done using the microvm commandline tool.
But since we want to always deploy certain VMs it can be configured using the ```malobeo.microvm.deployHosts``` option.
VMs configured using this option will be initialized and autostarted at boot.
Updating still needs to be done imperative, or by enabling autoupdates.nix
The following example would init and autostart durruti and gitea:
``` nix
malobeo.microvm.deployHosts = [ "durruti" "gitea" ];
```

1
doc/src/anleitung/rollback.md
View File

@@ -1 +0,0 @@
# Rollbacks

25
doc/src/anleitung/sops.md
View File

@@ -1,25 +0,0 @@
# Sops
## How to add admin keys
- Git:
- Generate gpg key
- Add public key to `./machines/secrets/keys/users/`
- Write the fingerprint of the gpg key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $FINGERPRINT`
- Age:
- Generate age key for Sops:
```
$ mkdir -p ~/.config/sops/age
$ age-keygen -o ~/.config/sops/age/keys.txt
```
or to convert an ssh ed25519 key to an age key
```
$ mkdir -p ~/.config/sops/age
$ nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
```
- Get public key using `$ age-keygen -y ~/.config/sops/age/keys.txt`
- Write public key in `.sops.yaml` under `keys:` in the format `- &admin_$USER $PUBKEY`
- Write `- *admin_$USER` under the apropriate `key_grups:` of the secrets the user should have access to
- `cd machines/` and reencrypt existing secrets for the new key with `sops updatekeys $path/to/secrets.yaml`

1
doc/src/anleitung/updates.md
View File

@@ -1 +0,0 @@
# Updates

1
doc/src/projekte/musik.md
View File

@@ -1 +0,0 @@
# musik

2
doc/src/server/durruti.md
View File

@@ -1,2 +0,0 @@
# Durruti
Hetzner Server

2
doc/src/server/lucia.md
View File

@@ -1,2 +0,0 @@
# Lucia
Lokaler Raspberry Pi 3

7
doc/src/server/website.md
View File

@@ -1,7 +0,0 @@
#Website
hosted on uberspace
runs malobeo.org(wordpress) and forum.malobeo.org(phpbb)
access via ssh with public key or password
Files under /var/www/virtual/malobeo/html

32
doc/src/todo.md
View File

@@ -1,32 +0,0 @@
# TODO
- [ ] Dieses wiki schreiben
#### infrastructure
* [ ] host a local wiki with public available information about the space, for example:
* [ ] how to use coffe machine
* [ ] how to turn on/off electricity
* [ ] how to use beamer
* [ ] how to buecher ausleihen
* ...
- [x] host a local wiki with infrastructure information
* [x] host some pad (codimd aka hedgedoc)
* [ ] some network fileshare for storing the movies and streaming them within the network
- Currently developed in the 'fileserver' branch
- NFSV4 based
* [x] malobeo network infrastructure rework
* [x] request mulvad acc
* [x] remove freifunk, use openwrt with mulvad configured
* [ ] evaluate imposing solutions
* [ ] pdfarranger
#### external services
we want to host two services that need a bit more resources, this is a booking system for the room itself and a library system.
- [x] analyse best way to include our stuff into external nixOs server
- [x] writing some module that is included by the server
- [x] directly use nixOs container on host
- [x] combination of both (module that manages nginx blabla + nixOs container for the services
#### bots&progrmaming
* [ ] create telegram bot automatically posting tuesday events
* [x] create webapp/interface replacing current task list pad
* could be a simple form for every tuesday
* [x] element bot should send updates if some tasks are not filled out

137
flake.lock generated
View File

@@ -21,24 +21,6 @@
"url": "https://git.dynamicdiscord.de/kalipso/ep3-bs.nix"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@@ -79,35 +61,13 @@
"type": "github"
}
},
"microvm": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1732122592,
"narHash": "sha256-lF54irx92m8ddNDQDtOUjKsZAnsGyPL3QTO7byjlxNg=",
"owner": "astro",
"repo": "microvm.nix",
"rev": "19650774c23df84d0b8f315d2527274563497cad",
"type": "github"
},
"original": {
"owner": "astro",
"repo": "microvm.nix",
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1731805462,
"narHash": "sha256-yhEMW4MBi+IAyEJyiKbnFvY1uARyMKJpLUhkczI49wk=",
"lastModified": 1729386149,
"narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "b9f04e3cf71c23bea21d2768051e6b3068d44734",
"rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
"type": "github"
},
"original": {
@@ -124,11 +84,11 @@
]
},
"locked": {
"lastModified": 1732151224,
"narHash": "sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos=",
"lastModified": 1729472750,
"narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c",
"rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
"type": "github"
},
"original": {
@@ -139,11 +99,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1731797098,
"narHash": "sha256-UhWmEZhwJZmVZ1jfHZFzCg+ZLO9Tb/v3Y6LC0UNyeTo=",
"lastModified": 1729742320,
"narHash": "sha256-u3Of8xRkN//me8PU+RucKA59/6RNy4B2jcGAF36P4jI=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "672ac2ac86f7dff2f6f3406405bddecf960e0db6",
"rev": "e8a2f6d5513fe7b7d15701b2d05404ffdc3b6dda",
"type": "github"
},
"original": {
@@ -169,13 +129,29 @@
"type": "github"
}
},
"nixpkgs-unstable": {
"nixpkgs-stable": {
"locked": {
"lastModified": 1732014248,
"narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
"lastModified": 1729357638,
"narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
"rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1729665710,
"narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d",
"type": "github"
},
"original": {
@@ -187,11 +163,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1731797254,
"narHash": "sha256-df3dJApLPhd11AlueuoN0Q4fHo/hagP75LlM5K1sz9g=",
"lastModified": 1729449015,
"narHash": "sha256-Gf04dXB0n4q0A9G5nTGH3zuMGr6jtJppqdeljxua1fo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e8c38b73aeb218e27163376a2d617e61a2ad9b59",
"rev": "89172919243df199fe237ba0f776c3e3e3d72367",
"type": "github"
},
"original": {
@@ -206,7 +182,6 @@
"ep3-bs": "ep3-bs",
"home-manager": "home-manager",
"mfsync": "mfsync",
"microvm": "microvm",
"nixos-generators": "nixos-generators",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_2",
@@ -220,14 +195,15 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
]
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1732186149,
"narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=",
"lastModified": 1729695320,
"narHash": "sha256-Fm4cGAlaDwekQvYX0e6t0VjT6YJs3fRXtkyuE4/NzzU=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699",
"rev": "d089e742fb79259b9c4dd9f18e9de1dd4fa3c1ec",
"type": "github"
},
"original": {
@@ -236,22 +212,6 @@
"type": "github"
}
},
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1729945407,
"narHash": "sha256-iGNMamNOAnVTETnIVqDWd6fl74J8fLEi1ejdZiNjEtY=",
"ref": "refs/heads/main",
"rev": "f1d94ee7029af18637dbd5fdf4749621533693fa",
"revCount": 764,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
"original": {
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
@@ -297,21 +257,6 @@
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tasklist": {
"inputs": {
"nixpkgs": [
@@ -370,14 +315,14 @@
},
"utils_3": {
"inputs": {
"systems": "systems_4"
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {

2
flake.nix
View File

@@ -8,8 +8,6 @@
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
mfsync.url = "github:k4lipso/mfsync";
microvm.url = "github:astro/microvm.nix";
microvm.inputs.nixpkgs.follows = "nixpkgs";
utils = {
url = "github:numtide/flake-utils";

25
machines/.sops.yaml
View File

@@ -5,7 +5,6 @@
keys:
- &admin_kalipso c4639370c41133a738f643a591ddbc4c3387f1fb
- &admin_kalipso_dsktp aef8d6c7e4761fc297cda833df13aebb1011b5d4
- &admin_atlan age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
- &machine_moderatio 3b7027ab1933c4c5e0eb935f8f9b3c058aa6d4c2
- &machine_lucia 3474196f3adf27cfb70f8f56bcd52d1ed55033db
- &machine_durruti 4095412245b6efc14cf92ca25911def5a4218567
@@ -16,39 +15,15 @@ creation_rules:
- *admin_kalipso
- *admin_kalipso_dsktp
- *machine_moderatio
age:
- *admin_atlan
- path_regex: lucia/secrets.yaml$
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
- *machine_lucia
age:
- *admin_atlan
- path_regex: durruti/secrets.yaml$
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
- *machine_durruti
age:
- *admin_atlan
- path_regex: discourse/secrets.yaml$
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
- *machine_durruti
age:
- *admin_atlan
- path_regex: nextcloud/secrets.yaml$
key_groups:
- pgp:
- *admin_kalipso
- *admin_kalipso_dsktp
- *machine_durruti
age:
- *admin_atlan

62
machines/configuration.nix
View File

@@ -40,41 +40,16 @@ let
}
];
defaultModules = baseModules;
makeMicroVM = hostName: ipv4Addr: modules: [
inputs.microvm.nixosModules.microvm
{
microvm = {
hypervisor = "qemu";
shares = [ {
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
} ];
interfaces = [
{
type = "tap";
id = "vm-${hostName}";
mac = "02:00:00:00:00:01";
}
];
};
systemd.network.enable = true;
systemd.network.networks."20-lan" = {
matchConfig.Type = "ether";
networkConfig = {
Address = [ "${ipv4Addr}/24" ];
Gateway = "10.0.0.1";
DNS = ["1.1.1.1"];
DHCP = "no";
};
};
}
] ++ defaultModules ++ modules;
in
{
moderatio = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
modules = defaultModules ++ [
./moderatio/configuration.nix
];
};
louise = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
@@ -86,8 +61,7 @@ in
durruti = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "durruti" "10.0.0.5" [
modules = defaultModules ++ [
./durruti/configuration.nix
];
};
@@ -100,22 +74,4 @@ in
./lucia/hardware_configuration.nix
];
};
discourse = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "discourse" "10.0.0.7" [
./discourse/configuration.nix
];
};
nextcloud = nixosSystem {
system = "x86_64-linux";
specialArgs.inputs = inputs;
specialArgs.self = self;
modules = makeMicroVM "nextcloud" "10.0.0.11" [
./nextcloud/configuration.nix
];
};
}

47
machines/discourse/configuration.nix
View File

@@ -1,47 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
{
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
discourseAdminPasswordFile = {};
discourseSecretKeyBaseFile = {};
};
networking = {
hostName = mkDefault "discourse";
useDHCP = false;
nameservers = [ "1.1.1.1" ];
};
imports = [
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
../modules/autoupdate.nix
];
services.discourse = {
enable = true;
hostname = "forum.malobeol.org";
admin = {
email = "admin@example.org";
username = "admin";
fullName = "Admin";
passwordFile = config.sops.secrets.discourseAdminPasswordFile.path;
};
secretKeyBaseFile = config.sops.secrets.discourseSecretKeyBaseFile.path;
database.createLocally = true;
enableACME = false;
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_13;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
system.stateVersion = "22.11"; # Did you read the comment?
}

81
machines/discourse/secrets.yaml
View File

@@ -1,81 +0,0 @@
discourseSecretKeyBaseFile: ENC[AES256_GCM,data:XKjcm+sOt4HazADjcJ6MilYNZMbO5IVMGnfdUXyx+9OjmEfk/zb0dhIjpZ2t6P1UfQUFI7NT2BMKgEjb2EG+5Kjxsq4mN+zoBxZAZI0WM6/WoF3ydwuqVamr1rIXfGN/W58UAink8K4SW7B6sbb76yQOWoP/GRHEaIxNvdnsGyE=,iv:LaoFS0O1qIpL/w1Gp98Em14hRohNR/FNqir38hBbCac=,tag:2zV5XRSkL6zYxylJoJ/OLQ==,type:str]
#ENC[AES256_GCM,data:sCvaoU2W7sc=,iv:iZdeM7YEkyOhkQUrHoRFJEnWw47OmBvi5AJ3ZEXck8k=,tag:wnh19onScSBPkyZw8PLQiA==,type:comment]
discourseAdminPasswordFile: ENC[AES256_GCM,data:01pJVQ==,iv:FjU8sM0n1YDhywUoaWHnvBcsNMFeqqxp+eYyAKByT1E=,tag:LR70T8ywo80PQHNHj6aJEA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyVG1UYmZyWk8vZXJPdFBm
bHlwMUJ0ZjJQS3A0ZytLbXRCbGxyREZKajJjClI3NEt3c0RyOVZrZzh4ZGFsQ1Ft
NFdJd3hhRTNaV0ZGRHdBdEVOdm4wR0EKLS0tIDlvcFB0Z1VtRUVQVFBKRVRuN3Jn
RmI4OWI3YU5PUkFpeUROMEJHbXU1MjAKOOt7LCeH4mJtm+ngT9A2Ubzdje435RK+
PomvgpBQ3t3ry+mBMz25DdgIYgBsnDS2ji5mavd3Zx2dbah0q4Cdrw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-26T17:23:55Z"
mac: ENC[AES256_GCM,data:axeHNSEsXZu4LCaQoy8FzDd7yBjy5nrjDmEF5pEwxmCw4bp1Gssdy2CVs0oDqU0UbOQ8D5Q8tevhdhxSTx19JF9HnaD4b3NL6+bmObx+d67zVqtyv1E0hHDgfsQBuoMQOou2ht6hhkz/VRUmbBICOZERc7o87uzXNXG2pP34vNY=,iv:jaBiGbxC62rnhotquYZ6id0f94+crve7Cnn8dFnzdC4=,tag:7lCHK6HvqDmOEfCA+wHtIg==,type:str]
pgp:
- created_at: "2024-11-26T17:23:19Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQv9EDScYMdx0QPqz9ipgvsZTBOqsrLUvGOYcwod9412bMzO
Oic5VkkiCSDPARP2JRGlS1Qvr3Oecdvo/TBpThWrWgaxS6THHPUyiaZGQhQXUnHo
d6u+OPMH4eZ3Vmn5pzbRwTg1mpKKwtvtMo+xCEaygPFGoIMMlmDr/q3agsJ07YBI
Ip9764gqBS6N+J3KN6j3XM/LHEu3e/qwp049BCslfWqVKZB7lQ7NbVkyGCM37aL9
/GQSUvD+MU6WeIGd4Hr73pbc+MrB/KbSbufuwOVIUdZU/n6znusa1LjMuFgg9iOU
jsUmsdt7EhVpz7aQ1obFIcDVa7HFNF+Lp+78QgAInMK9QNWzH4OJumhrqovtbajg
xGfe0AJnkctYMOA3a6SHT2YZv3/iLqMkz/ioEVInlB9BAfNFK9UZWadVLEYyzJQR
1rs54kbtm71/eTi3eadS3yRfEHoSgHrrPuRN2tzSCi1w2QK0a724v5Jtr/epzycT
oA4ha42dC4z1n66b7NAb0lYBSqZhcVm6wStypBGtCd0B08bFDzXng3PtfeVrD1jg
b37smpXoQNe6vvG6M9yr2qg6V21SZWw3a4K93qDn+mihbOsnpZj24L0fJctIZSC3
la3aPsVYQg==
=G43o
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2024-11-26T17:23:19Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUARAAlFNovLVBXXDUSMxBYsZll4UZ7+sPAdLZ+kDu49JlX4rJ
zNo3NiNrVMfUUZpWx3q5mYGUR5Ys441kwhDlUhj5Jv7X7PkTl2KU+pZZBr5DBnD0
8Nzm8CeI+3gphujX7CGjUcRUKjOMSa8nhIvz919TW1KCmr1xLDQw8yZGWn+VVBe1
g3ut0OEDFHBcU4T3DcFq7UMUCPpwo1Eas2tcLg4N18YCZanL34ziVlHlzocvE4Jz
1Y/tWvYj/OytktRDITi9/OIdS4hmSSPe8Qzb5abSCz20CzojVaDwEFGgwv9IRkBQ
C7RmPyd3u8Y/13tMORKz65LExmolhQyW4GVozDdEFQckwBYxMmaY9q7JVgKi5WD+
8s3r4vcIdISKlWH0E3qmJhkHxpoDmAS7NLXb8ROpCjKZKTK+XE0AEK8S3CFNgbvA
yKAnr7MVMJJBjbgxKJaoIjwNwkXQWCvm1f2s+xJTGQGHG+2hMgVoYb6dlpir08jR
yDHYxtpz/tRSXkjM7C6+r3SzZub/xowtWNUeZJqhsBhpP7cVT/dkd9cKvL+LTYM5
nQpczoNfBSn/wt87rCV6lFRyUsqhqUfMIR4T8mpa+2weneqX8olb8CT4312E9eEw
mqVX+fGETWpUN/cEpnFFcXS/MPAJCHyedov5MgdmBL/XEVKbWAPk22CGgFv8GHTS
VgEKUaeKWKThwCYl8ylTpgO7eZ+retflRpoVUddWyAiTe/rTvrBfR9hayZPYp2Lf
vmQLDfcHAH/DmazB7CAlomaLS/1ab1zHltvSw4HFKFy9lxl692Fk
=BnOX
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
- created_at: "2024-11-26T17:23:19Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1kR3vWkIYVnARAAm1JETHrYuQ282GaaCLC9ZRjtskt3Tt9sAveKoltS6PgG
zDE1L5XFgWMg+IrxISqw4a6dIoJcJVlSIaojPkAENqjeHWEFdI6QoQ2P3yNgU8Fd
MzTukSmPZwP/XMLE73SIWU7+23qlnnCQrHzqNHZh6vijz6fIjQ4xfvGnV2n0MD/V
BVjPZJv3BbV+Xaf43hwEsFfn90h8wyd1Ls3Q7PlQA9lL952B9IAm3koN/LWAbYqo
oxSXb13kQuvtL6TwsHc1QGlHWaEdJRgTLnYxroqgOC6PXKqoTSmX4adeExWCMg7E
HGe/S/PG6xBJlWhZcDS2ldZjFCHojy43NsJj/0ir4onBqehvb/Bw2RiVrRW9ZCNx
Ydk1UXdk/2bFeHSTaSNEgXEsU6GQNFRKS+PkxLst5xT2GLnPAQu1vCxVsYOze8BX
AwySIEEZikqb9ycP0eJGOYRPW1Vw43xUaexClLa6zFi+o45jxbzCOChpAobjIQ4t
kOdtEnKYTg9jWuK57zCD8/EmY98kfSSRas119fJ/8eeFib2I4WT9WwAbD4+8Ld4c
GzUg00mim2Xz6LPJkqX3SNL9/ZHqlirJMoMcltIro14dT+BsgBL/8OnHXQ0SMRhg
wz+Dx7fUcP+rkN8tSG/wXQ3CAMv8lfOw1XqKzx4mMqjaVoqbhKNPUtYRUAWWPx/S
VgEmV0aoiD0ar/QxZRUZwWawTPsJOCxZptvvsW22jWq/G7VyX6OR56XmI+jPUCFm
1WN8TkplHFtFqUTyQL8lI66iQiaYMmpjjVU6TKqNGShHSj65cB/n
=38qM
-----END PGP MESSAGE-----
fp: 4095412245b6efc14cf92ca25911def5a4218567
unencrypted_suffix: _unencrypted
version: 3.8.1

46
machines/durruti/configuration.nix
View File

@@ -5,6 +5,7 @@ with lib;
{
sops.defaultSopsFile = ./secrets.yaml;
boot.isContainer = true;
networking = {
hostName = mkDefault "durruti";
useDHCP = false;
@@ -22,16 +23,55 @@ with lib;
imports = [
inputs.ep3-bs.nixosModules.ep3-bs
inputs.tasklist.nixosModules.malobeo-tasklist
./documentation.nix
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
../modules/autoupdate.nix
];
malobeo.autoUpdate = {
enable = true;
url = "https://hydra.dynamicdiscord.de";
project = "malobeo";
jobset = "infrastructure";
cacheurl = "https://cache.dynamicdiscord.de";
};
services.malobeo-tasklist.enable = true;
services.ep3-bs = {
enable = true;
in_production = true;
favicon = ./circle-a.png;
logo = ./malobeo.png;
mail = {
type = "smtp-tls";
address = "dynamicdiscorddresden@systemli.org";
host = "mail.systemli.org";
user = "dynamicdiscorddresden@systemli.org";
passwordFile = config.sops.secrets.ep3bsMail.path;
auth = "plain";
};
database = {
user = "malodbuser";
passwordFile = config.sops.secrets.ep3bsDb.path;
};
};
sops.secrets.ep3bsDb = {
owner = config.services.ep3-bs.user;
key = "ep3bsDb";
};
sops.secrets.ep3bsMail = {
owner = config.services.ep3-bs.user;
key = "ep3bsMail";
};
system.stateVersion = "22.11"; # Did you read the comment?
}

15
machines/durruti/documentation.nix
View File

@@ -1,15 +0,0 @@
{ config, self, ... }:
{
services.nginx = {
enable = true;
virtualHosts."_" = {
listen = [
{ addr = "0.0.0.0"; port = 9000; }
];
root = "${self.packages.x86_64-linux.docs}/share/doc";
};
};
networking.firewall.allowedTCPPorts = [ 9000 ];
}

7
machines/durruti/host_config.nix
View File

@@ -33,12 +33,6 @@ in
}
];
services.nginx.virtualHosts."docs.malobeo.org" = {
forceSSL = true;
enableACME= true;
locations."/".proxyPass = "http://${cfg.host_ip}:9000";
};
services.nginx.virtualHosts."tasklist.malobeo.org" = {
forceSSL = true;
enableACME= true;
@@ -50,5 +44,6 @@ in
enableACME= true;
locations."/".proxyPass = "http://${cfg.host_ip}:80";
};
};
}

97
machines/durruti/secrets.yaml
View File

@@ -6,75 +6,66 @@ sops:
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOTV0VC92aGo0ZFU1RE84
LzJxWUh0MzYrSWJZYldVMTdsMlJ6RkI2WURNCmFVT1ZtMitOSzYySW1RMkE5aDUw
bEI2Z3ZhbUdaM2R5eVpkYVlrZks3dW8KLS0tIHFEdWZ2UmREeFl2Q0d0c0lVTGxm
SnZxRUcyaUY0QnRtVmdnYW9acmxTWmMKfLb2wgBcQC0Ay34wBvTenZW1jVvDH7aV
45+5NzmkhIQRNkKWgRfpT9EQ9cRJz3l7ZYoVgJe8qBhwH64lBqUiqw==
-----END AGE ENCRYPTED FILE-----
age: []
lastmodified: "2024-06-26T10:07:26Z"
mac: ENC[AES256_GCM,data:TfN80Hffm+Lf/5Cz7T37bBxMgJCAnk2aBxxW1/lr89N2p3cckcSOGAKoLWNIsdOkqOjAs4kft0nQ+xyfdLehG1WPo6OlOwZhJexfUUcS7GJ0QGNEVntkehQiHGw9TIv08/WHRbjnKTOGHLn1vuJAIJmSyff0hncGR7nxcwghZUU=,iv:TfidjsiqDx4SCbtb6ksNYOSz/EwzwnYieeWOaBrvA7Y=,tag:e8Vaycv9bxrVBn2QjRyfSw==,type:str]
pgp:
- created_at: "2024-11-14T13:03:00Z"
- created_at: "2024-06-26T10:06:21Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQwAhcsRc3mCqKgUFym0W5lTN6j5xg+o0PF31ZQ3qqkO3b5+
nIPH8Ee7nrcfRCM2AV+TReaZ2qfP4TdU5j00F5977H5UM+UULFM+FSGcY63rkp80
1U1ZzxbzTwV5mil8dx3dmENMgFpKy0J2MatPdR5bu/z0o7sLty1DUq9hiQOTfM3F
u1mfmY37YewMBmxlzDJ3Z5+lslRJUqa3Ho9atjYhwxZTYgh9QQtnm8kRjNM/HKpQ
sDAWu9JXit33WwHayxUFWZ5syiwsbFxAelrZnluW3KiKu3v+9VO7X6dJsrrIB6Xt
j/mJhwkwJ39xHD/eQqMJsdAum8Pgxi40XjD6wJvmIhYz1y8Lbymanb+6U+fJk71V
ZLsbk+sR1Jkh+L3NV+UGlMusgQuxcE2xQjNMEbpzk1xXsFFz+QxVxx6HZp8xRh4v
M8L2LkiZp5w8iij+uJ+k0ovu4XH2Bf/2myhabfRrk5bPZbweH/bJOxChIgf/b/ZP
FdfHGP0KlJe+jMGY3j7c0lgB9k2vyvYTHaAOcQoe/HdKNvueMMYDIzxLZ6sXsn+z
jhdW9FxM9g2ZOStq1Mwjzvb8rJCAFQH0s/3yHZY7rveaI88Z3G11i97D3OME2yAx
bxCHPCFfvmX/
=3wBJ
hQGMA5HdvEwzh/H7AQv8D3vncBeC4Kq+Vzk6XOMV6gRRGOZp+w2e/055sZ40IUu+
43Yi5giVL0I7PZkZD787LNiKy6kTcI6D9tJIp9YSMRVJb4x8oDJWS8NbVZZOUCwT
d9KYaMO6hN8VobhUKsu7uAKCrgVzPWrWPNmZPvwZ6pxL+cBFK2W/GEvQsXvaELUc
5mNlB4k5S9oG4ZMli3WWhVJRMZgdjGWDKiFVGCSenEkhua/5TUUefV8urf1IBjoN
MB8TPwsm3PBEG6/zrfXls/7Zhbv7mtl1uB9nWBC9M4EL9euzC83X+IiFAlThpoPu
eylOhEkAq60tQglk2SRsdFpHvEwaijqSKL0ieDQjvLxLNCdtCQS3yM21S4SkfRvv
pDGQROqjhtgZSF7MZqD67mA9tMwYGlZLfkzjpYrErbG6G4xYGO2ZODPNZ4FH/2Zf
Yf9xpAd0/m4mmg+py041nas8lgJzOXn5mKIxX/kLkV1U/ccrZXB9DTsWbuRVxh3W
CZTzgT0VdZWd88cUcYIR0lgBz0vCxDRgyPhc3B3ivoOHBisoBWbYURv+6rYE84Qs
6nDtCt4fUqrfKqnw1b++L1II+QjEBkhawOWNbqE9AxESOLAVwkn4cCOqeWDP8DBq
OBN3luBRDDAj
=+dua
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2024-11-14T13:03:00Z"
- created_at: "2024-06-26T10:06:21Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUAQ//eBqaTG6/KiQFfEMog839q+nukWh3SHSnhCDyCAhdqKA3
Q9FSroIYEOMwE9SYkNC9T0/pf/ZmRuPBpx09b+q+1df4FLdajgpEbg1CyWnw7fyR
731vYt5hvN7PVtBGs842BcEvYwKVG33HTadi53l+pjDURpHGLWLbURiqchGrXpPn
o6rih4ueE0TmLHGugGKIr7n/XgH4xpsr/wFLQCnCaVATXdS1Tk86bTeu0HybmPlG
dw4TZrTSO7uq2GyczIC81HnLPisZ1w+7R0m58kV0FGFoDZIwczW46J/h3NLsjO0t
4zKV1oJUpCANalDCRBhf5RRatw/OzTgVHnpuGyaoAtWGyZpeQi2ntoEvFb3eWAc3
NMjc2bqamZEdfnBOmPILqRKINm60DkpiI7behY3oV178bWcp3iWsyA4biL0O0pf4
FXbW29zHnEr86wTlJmJIC5sGkNNtu0dNFAKuzKjAel9sVor183WkJk8NAgaaI/pD
pQV+l0ClexXGIW7p931Sn7u2JmXeNJM+yqRz5lDWMLakxygW2h4HDI8NOIS7xvP1
Ip3a5bGctGEVmAK9MEhcRIGcP7Aoacj7iZVg9bnac4HCX3wnnGjLDNL+XDzfmfUB
M48YUoDS1CSjlcTbgIaL3HeX84EYcoQdRjwRcI3pVpPkJTpi/t2I+/2tOP92sm7S
WAHfIeh3niCzrQa//nwdAEQq+7YrDCDia7SSxDDrRM+/LTaQacoo9SuaHuEANZ/P
+x7rrZsnQq8UBpnd+dQCyxipQvwmjtp9N5xKcragt1LdH4M+Q/qoSIo=
=4vnh
hQIMA98TrrsQEbXUARAAmj8h6g8Knwg5c/Ugfxcb4nuWuLydyzNZpKJ9YcQ4VTAo
HA38lHH79JbnIoZ9kvxHzUONBLfnW3KekomUdmj1a2DjWllnsIOH8/16JCpFPXbx
hcWQFLxXzJcUEbVfONih4Zmb/2OTzSYoDjNzGaBJUx6x3AwJ0jTzCTxF9WIU1ieh
9u+ovry7bcHPTn3RS0gQPGRx9gN0A8OSPScKpvz2CRtUA2Uzs0/fIe3NbKQSj6g3
rZYityYC7uFoE792dkJ3rG9GZneIwWB8sp1remHyRhxaRN4YNPKmje/Pe/fe7sxQ
lWPmW4wa2uSI7/2PAkIjafoDmnpaLxQ+qY9hXobpL7OlyAuA+Sy8Ns2z6nXfPSSj
fQE4OS3hhUStv7PdVVvlH6JVGZK/cJOjOX0lF69A5R5XKQlasRq/t5CKBjxDWnb1
2bb3YavIUKWbf/DdlGNb9aKeiYX4RsaMbdc6vU5EOp69S66dF5l5W6+EDLICQEdl
TRNxzofVqjroeQeK9xFd+SXHVwnU9FGPr9cN7803/r17hONDxfL7o7cL1sKfX1tC
3nRqV3fxSfosz19jmIDu/6lqvJhBBQ8zQeKz/yWxUKowP6WUNAWsMWC7w89Ie1vA
UOy+xO0epIGLJSRU5YBNr9z7854NATnxRWRTya+CyFAgPVoBUxd/+2CjlkUeQWnS
WAELWSqQ4zsAryLhEqSWVg6nwSDCIvF/U56/vIacXwoKMqLYra5gxV78cCU6gcMt
08O8qM7cxHy5tGzTm6LQZvXTb8W6ybcPvPw695TirUjq9zYVnaT2lmQ=
=7OG0
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
- created_at: "2024-11-14T13:03:00Z"
- created_at: "2024-06-26T10:06:21Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1kR3vWkIYVnAQ//UfsG62+53p9PyXN+c6hoMg+MqWxjvia9kHvjE3Q3bcO+
KVYqD8CszyTwiTV0RoTWddyiZwZHKkH/ymTtnNafG6NVo3XrYpRmO7SxmVMm1BIt
HrBCdQkLDQOzqbeKBV9bGqO3xHKLEu0vwFkEdpWpNrjkKZfYQ8SjE/6vTJRPeBxx
Z++g8540vZtB0V2YzKStJJ8LcsU+3j1/+NlUJZamXUGT4AnxH3atWuKqC39CZAU6
0iHxKEcHcQYPAmvTqtxTH0ELIaRYBIRlzCs0MVjmmfVyaeJOZGyd32vikQMUCrf/
EvThUCnq3+qCNjLlp1tQbLJV4B6ptAuj6uns2Z9Xmj1j4nFgUKvsc1MPnuSQsOnM
tLF0qsVvunvLbHXhb/Z4uDaNMst8jWEGhk52QYCZ6pgq1zoN63tOAxD+HK12KSYQ
emcDTjGqLTxe2dTiFMHlOkmTk/unEJXI1rJEalBaLqzDFg2tS6I1swQKG115wUfv
COHQtmbWmwIMtcl0q/QHfSyc+jPVHoadj6ZZFS1iL9Er/zx1nuD5ybkHntQdO0Gb
YwfyLzhFQ4gKgDiXwHdjYmHeDnXI9mrH3Cypcc/I8WV96cMnuKQBrD7V3NKpjFMS
CaLMVDQqwMoGi+Xi8Ve5oRCa/qt5UEpL1CZZUxNNE11ggPYI22ecKjegdIlGuWHS
WAE4FsZZNLt+RWZxIW0iTP0BzDuCMQFkismL0YyDI18g1dG/sl43+ecd6F9yoWYP
sXjR3gwbASdHHXeYFAxbPX3Q/XT+SQzOAFigPhD0LUFRX2Cf/Q2yu34=
=FLuF
hQIMA1kR3vWkIYVnAQ//RZM4ifHThNFNV6pTCGKHdkF7BMHB4gv7BBkXT9cWTGcf
XxH3tH/kFPBSoWWfmtmHbN1bw77vpKda2lLHyOETGCusOFwuFe0+cz7sWStnf/T6
GVoaCRljhRxlXS2PY9gSG5fLi1uUjmCn9EshdCQdz1ix46kgSe17I+UJYRxi9r4U
e1R0ky4md8tLGGXg2cz1z48+kS7QX6TA1L5jjrW6MEa5ld2wywXD1g7UKpaP6QAc
B5xo4G+6zZNYk6x5i0NJ4EJalyyEXBvJDgsFzW4luqBGjMU2zLkq5VTQjssCbp6l
aE1ZZtMJYDa3IdEV/gEIF7/WmODMopO2hfTWFCx9fZ2cp0gK2d6ffo7vum4WkAMv
FjsbRLCmoZrlwD+/y38Hru2Ok/2cDF+QiEHq0cx+XMjgRrV6vCYrg67kOGjXZ+0v
eZMPGo5506cp/0cbo6eIoG9XzdNirp9mXQHMBb47/dETr+mBAyVzImuHJVmUgXlK
0nScCjrE2BPfsphMlQKMV007znA8QB65wEuoQ9QWTfgUfxVqzqJxdnFHKSSKAciU
fxAJTGN2RnbBDcehvch+QZAnIHznz3c+2WKetmFMpymqL1OKQKjhnEFewOK8rXKM
cEFRo1BOMkaccBBFHt/A/IQJt2+RuADbkxI9rPqPU9iPi3Ts4jFqfNzZp+m+ADHS
WAGHQuVbo0oQ5RLEOMPheNbr2eL+uyuMLMNsv41G4Mr+lSjN2/KvBoMQEQvpPasG
HDYyoe7JdYbVs+08h465+L+cbi0LzaBUxTm44GliJXVbrz6eqy6lRto=
=GiUe
-----END PGP MESSAGE-----
fp: 4095412245b6efc14cf92ca25911def5a4218567
unencrypted_suffix: _unencrypted

5
machines/lucia/configuration.nix
View File

@@ -7,6 +7,7 @@ in
imports =
[ # Include the results of the hardware scan.
../modules/malobeo_user.nix
./file_server.nix
];
sops.defaultSopsFile = ./secrets.yaml;
@@ -14,7 +15,7 @@ in
services.openssh.enable = true;
services.openssh.ports = [ 22 ];
services.openssh.settings.PasswordAuthentication = false;
services.openssh.passwordAuthentication = false;
services.openssh.settings.PermitRootLogin = "prohibit-password";
users.users.root.openssh.authorizedKeys.keys = sshKeys.admins;
@@ -198,7 +199,7 @@ in
services.avahi = {
enable = true;
nssmdns4 = true;
nssmdns = true;
publish = {
enable = true;
addresses = true;

36
machines/lucia/file_server.nix Normal file
View File

@@ -0,0 +1,36 @@
{
#automount mit udisks2
#siehe udevadm monitor
#bash-script?
#user-oder root mount
#systemd-automount villeicht
fileSystems = {
"/mnt/extHdd0" = { #statisches mounten ist am einfachsten aber kein hotplug möglich
device = "/dev/disk/by-uuid/"; #noch ausfüllen
fsType = "ext4"; #zfs wäre hier cool
options = [ "users" "nofail" ];
};
"/exports/extHdd0" = {
device = "/mnt/extHdd0";
fsType = "none";
};
};
users.groups = { nfs = {gid = 1003; }; }; #erstelle nfs user und gruppe für isolation
users.users.nfs = {
isSystemUser = true;
group = "nfs";
uid = 1003;
};
users.users.malobeo.extraGroups = [ "nfs" ];
systemd.tmpfiles.rules = [ "d /export 0775 nfs nfs -" ]; #erstelle nfs ordner
services.nfs.server = {
enable = true;
exports = ''
/export 192.168.1.0/24(ro, nohide, no_subtree_check, async, all_squash, anonuid=1003, anongid=1003)
'';
};
networking.firewall.allowedTCPPorts = [ 2049 ]; #wir benutzen NfsV4 hoffentlich
}

103
machines/lucia/secrets.yaml
View File

@@ -5,75 +5,66 @@ sops:
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaVZQT1U3cXp4NHVSb2lh
RWRUcjlGY1RtNVNFT3dMSWFaZHJGcC8ybzFFClhhT2RPRHZwbWNSQzdSay8wc0h5
NHVUN082U0lhcWF2MnNTaXQ2Q0trRk0KLS0tIHJrNmdEdUI5YVRqck8vejRrVHZ4
aVFGZjk4UjVJa3FoMDJiaXR2MmdiQ2cKSVgIdxPBNTbNFQbdI5ECNGQrDUK9dQI3
f3mHj+XAPmEtjUXLyxUI1gQ+8toctnU6cgJ+HdGLX01lgTHwz7uieQ==
-----END AGE ENCRYPTED FILE-----
age: []
lastmodified: "2023-10-24T15:09:51Z"
mac: ENC[AES256_GCM,data:f/wf0EuNmy+ic/k+fHg3IJ8p4I8BftFn6QwGJsXJgTBDspe7Plnwh+kGEqdPg8OEbWy/1niRfCXJa/vKoquWsxL7LUP2lGYT7lj7QYuj2F8fo2WIe2qhCikuxO6Q1asKyBcebYv5KAY/yQlVBYs9X9tcU6Fu4IU2AmJhjYB6m3s=,iv:K3DCEV4/FocdnEulNM9snH4uym8pAZRSmsYbM+rghe4=,tag:429oJE1du0IRl4aDuLzoZA==,type:str]
pgp:
- created_at: "2024-11-14T13:02:46Z"
enc: |-
- created_at: "2023-10-24T14:42:18Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQv/QepkThVCOMoRZRtHSHEjEriFfp9QS2ZrlgM0p67TtzU3
edAPqxNq8jGeW7/1FRAwIHGTit9FueL/GRUOVsepbryJMt4ndhybuPdpuEaKeQYv
aZLw3XA5FB7maMKFOl59wqoWNrY+d02lXIbLEafUjrL94/p1IEqQd5a/Ze244yXI
V1ty93i6Wmu5N5uf67bfiY00ObAEU+L4QepLHuJvcP2lWU0zvxnPdDqwv+47R1xB
aJX2G3Vv6QRnpUYL81a8R4E9u9GGH0TwJdaFqQwsVgW1XJdCsAaB5wriqEWX5HOJ
513plEpkBSSlZo/9/lUSHK79jP92DfKvGMxw4t35UULzsJVbCIkM/TzBK0Ruq7Bf
2rQO1nkF9lqXqPK7ORAkdXX3foHcM474f3w5nCSSlPia5jn7y58Npd9m1za4lOPF
rQxHCJ7OSJ6KOsXhDi7cmMfjIfn6cUj5wT685LbjrftYPh95R2lK/ViwfhMQkJb9
lCUqJj/7N6UuSDdnHXKg0lgBV5k+ARqh904rR7GTpSdDuSVMVdy9mUGni5V6xTNn
2IyJzWlvxbUumdh7SVBV5HRjG/sOcmlQtsw2fT21CCFg/n6AdCMgRbtYDoX5OOJc
qkz9uKEGrGjb
=wPkW
hQGMA5HdvEwzh/H7AQwAqFy6FthlG4of1IYE42baCy6AHhnCxTKN5i0/ZYXtxz/T
xWTAKEXPlbhT4AMGdIvIbEf7od4Pr7xxrxERkHVn1rkHxqjF+bjFw9J2xRXJvilw
L4pWMKXoJOiuGeNwJfzOVMx2yar6NiFmA3HvFyCASIQeCh3v+cyEDvbdnJoUyHRJ
/f/VnQFSIM4YXvLMqkKXgE0ZnbZc+vNnZkAG2qbz65fB/zdOPQZkVYCbnVKLwiBd
eoDth5WbuPnYbK5Vp9wkOPr6KqjM1KN+Kx/ErZ36Ldd2ePk11dCf9O4cE1HcCOmb
mdnFleX4hbMH2bFCpt7HoJql7QsTodx2bX1wnLA+uUVrV5QcT74C/0yAYHhBELez
cE0gZ+th9l2tOCaCBBMQUa8EfoQD3hEnOmebOMcWoUQdkyKk5SlLeCVsuWKvbidh
3Vvw7jINCTH06jPCWSewSBuTdPiAPJ+4CQ8DWXC7A4luFvJM09HX8h859VDEHA9a
FCou1ZTWmQEHbDw1DPw70lgBv35pPduQjSfgM71YwgHFtHDdTfWTbzCBoaDfKvj2
XWSevuyOKiinaiYd4jPK6srFyX3Horg1QvVzl3dvNC3o29lrzETSTFoUx75KdluT
WxGMHNWqN7NS
=XZkW
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2024-11-14T13:02:46Z"
enc: |-
- created_at: "2023-10-24T14:42:18Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUARAArYZZpOEC9sZ4Bgbtie8snwYjhcJiLxcmaODcx0ai24vC
FOdxKrgxlHeiBV3e+xD0Mdc51waXpRW7Ah6ctyqRreDXXCsYx9RTjkxqbGQTKexU
OAzvi7qPkmZBzDagNeJXjAMc3Z9uPFTxO0c1degnv0S40dns4sZ50sjGz8Dg6DmX
HC1ZANIpCmJVd+BFC9MxWQFSP1oswzwIxAmM/8d3aXGJLUQsfFbZXTPaKB5+Llmu
Y/yGK4zwcq0PR+YNw9d1lfQD01coLcqNh0cnxW3/DzSnKdpLnr/HeH7K6NivUNOs
58E4iKJgopZZofbIKrHTPik/ZfovCTwPHo0o/m9G2sDB5Y++OJBDcjyD9BC5OEzg
JW+4rG3dir5cUxJhgM8ZNZUiLcKWSfVo+Xh1RI12Huz4PpZ6dWSpuPxWFBQUZSfp
epIUII1u1cKiep8JK5ZUF3k6LzET6ORzzYpY5qGtSEVMLMxLvPK+ECOI1BTHc53Y
GoBPVRdp2Bs0QZuvwiNSd3wKRMoVh8v/8+RSCGRR6pzCfvTp3X4zGfnCUVO9krzG
ukZJ+eQVUnmywewmYuFH/USN34mqRk6UTkVmw4sgy4bqcV26xSeMCbLAVBoV7dR8
a35kyxrs2MIsu9/SuW8zSdfZd0sBhDIEgzQqT7fO1KQQCDJyjBTzjloVSoE4TSXS
WAE7lEhifj43H/jshtyaIgM8UpdFmBtEj9BmsX2jeS5XiZsIbIJbCsmPWYdd4XQ0
m5M8KCUEMDXeVCygKieefCyboUSNOk1gdRmnIRcqJ/r8fxmHqZgn2ko=
=DC78
hQIMA98TrrsQEbXUAQ//XRoesGtcKw0RNs30FfKgpG/qNVRh4eJTeb1AP7YO9nKA
WWuZnomu8aDDKiP+why4Cl4raSb2LqTaDAIbeTzw902BeOlIXl6VO5oIWpgC4IQT
iOMUOTQ6XG4O8xcphItIthc71kpUl34xfWU/Gz67cRj/BSlws26sJ09lH5zZIpcW
1NNPLQKF6KiJ1MY9rTkq9I6EHbaIh6AcBW4buq9x+qASoU1Blp1OgA9m6O9HjQcH
X/PKnYv1bm6OxYsMBujXnFnde3c+qfL5w1e4a7pyMu8EthAYLPbm+WT2+H1RJooN
0+M3tBBjtK6emm7qgNt2vyeIYa5L5XSFYAyPfteKZ7tsT1IHgg3cY/3trchq7w7q
D10fGzfw1rP79yI9vY3oQLi4APhAq/RYpFywZJ+qyE+KiDaIzBdhU14NKRdOluaF
apw5ZpNwD77E6lU5lLdjO4TjaMXjEuytzhmOHF+CrZJN/4c21K3PflnzRRLmcXIf
OY+TPWPBKqg9aXIhx+5tGu3OTmrvRuBsoforZrhHqzYZJygliD4w/D0HpcMfxrJ/
y/iFzwqikikvfkF3FTiTwiFSLOo8G+rCA2TiSLqM6eklAGtzqgrgggnNVDstgiHz
DuXHOdzt9pn3DQHb3Z+kEd8p9TEykQrVr6mcW8scvW3iZ6XBbSoxUDY2W14gNMHS
WAFbpyIyM0JV36DifyFLFuPNF+ZFexnD1/2rzSw5dmDh8Pou9KZnoRGirXbOIFBf
MwFQRonyDxw8zcMFGhXRmNbfqOE9ImnvkW2pNjYJSuBW4LSGaG8OHx0=
=2A7P
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
- created_at: "2024-11-14T13:02:46Z"
enc: |-
- created_at: "2023-10-24T14:42:18Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA7zVLR7VUDPbAQ//S/8UshLDL5DW0+DXMGL7u/ug/sgCbSM60PvzT3hwAvyL
3mR6CycERSeXuYM67fLIa66WiSFGB1aqEsI1oqPL6W8AwjtGHDKSPhJC8W+9NosB
OypoV6VppHiDxB2uJvQl7VNnT8d2x6IWdG0bq9NKxCg+6lorw8bky0907qQ/6+hg
2eWI0wPcJR2zIEm5JdNvuyK5k03QPKbTd8aVTeYHZq3JiXF3NZmQHCngdI0iH7SN
+QI/p1d/aiyCc+5Ow+Zy5YzPWb22PIROLIH+wJsGxbiJtQJmiKMNQg/YJ/SsCrMI
ViI80R6bkZ/J9hCN2reTTJXl9uc7PgptLAfMlT2N+DHLRoKQOR+e3xMX3vZO9CK0
R8v0wXPs3NGCBdITu+EPT4twtkjJz31PhqL7crFzm/x4BLiKuNzep+Na4TLMBv3J
pVdjc6yen8bYvVickLP/hrVIvflkaMdUncWmS2lNZKP9G2BuGMna9Dp4jC1kWWYW
608MXgORINmwog2lovxFJGOtq500gcbeYO+LrluULk00/nw27DPkGeD8wkmFMF+m
c3dhA6zn62nLsUmiU4Bfo92uhxBW/hAF5Fp+RVwA9ptvDdBO7gY6FEZitEXs/rGl
64RAmFuDmv/WDE87pfBQdlZ7Y1HkO6CLwtfg50Ka8eoemX6sP0GSYHUqbs8M4jnS
WAEnR1KMQNVdTqhFzBa/TqnUm+oVtZSVrAPSIEgEjhA4WesmGqmcJwJFaQW39Omu
8zLfZcfdVUuFKyIijXNliG0ryq1uxmWcEl8ePRzjAAzVTRAILNtZzVY=
=8HBK
hQIMA7zVLR7VUDPbAQ/+O/+BPNT3PxzN85kpL6xXfyCf337Ay5gwhJOg5k3JyEwO
2L1eZncGZHkdeExxgfqWF1yAPvE7vXltikTVp3V+htHoNL8kck8obII/HptVUCrU
VjFm41kEoWQ9DLXIhmppqBC0hWVkLjCDEXcD5HqtAxt2yKENSFr3pEnFl3vgoHTA
2TpzC/l2kC24hzk+es54I0sCd3N1LEXC/mBUmptnsZfIcgGdVOWZSGabHg5Mo464
qc02MYa2Tjuo5svlHGv8bgpQgsIfuB0CcirLMH3FYwKkYHZ7a6KBZj9DwNlM1BYL
m9eIC6+R57utfV+zgvIaQVDVJgFT74/ffgEYNiX2FRWi0ri6gb4ybf8qX+/m8ZOi
KDgpATMIr0Lw85lQ2mQmvt7aeULJTl85pE1ihXLu6+pGEQR/48WeRu8OVMU/QHQF
rRWoJu2kabdlBkYXBBGPN2qGRe/TWWHRm0G7mTnXkoN2idRkodJcVwM8Mvstc5Yx
3AAb4asl+4xusXNqe+V4ZrkzdnVoFs8RRZyH1QyoqJ79S5uZqOkYObiiJ+wWtahZ
emvN8nhNIr9+WdDFSZYNx+TQTUTFMefcEaTXpPzmUn/nENrvkbXiaVSSmIYQ4YZh
1vyiW1W6IZwjXI/aR6P2C1Jrj42WCm+cDXCwKZC1sMRqgkxQBIVukQzAHkyFJknS
WAF/TWfXG2S6mnWFKn3cixifUI3pBp+EtYy/CjL7uNBIUQ3EHEbvS5AboSCmgRC7
wLzHshawAMmJ/bD/jT4wWD0w+NGDzSF8D4b/Ee0LP7R70noS61+s6xo=
=NnkE
-----END PGP MESSAGE-----
fp: 3474196f3adf27cfb70f8f56bcd52d1ed55033db
unencrypted_suffix: _unencrypted

92
machines/moderatio/configuration.nix Normal file
View File

@@ -0,0 +1,92 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
services.acpid.enable = true;
boot.kernelPackages = pkgs.linuxPackages_5_4;
services.xserver.videoDrivers = [ "intel" ];
services.xserver.deviceSection = ''
Option "DRI" "2"
Option "TearFree" "true"
'';
zramSwap.enable = true;
zramSwap.memoryPercent = 150;
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./zfs.nix
../modules/xserver.nix
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
];
users.users.malobeo = {
packages = with pkgs; [
firefox
thunderbird
];
};
networking.hostName = "moderatio"; # Define your hostname.
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Set your time zone.
time.timeZone = "Europe/Berlin";
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkbOptions in tty.
# };
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
sound.enable = true;
hardware.pulseaudio.enable = true;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment?
}

53
machines/moderatio/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,53 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "ums_realtek" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "rpool/nixos/root";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/home" =
{ device = "rpool/nixos/home";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/boot" =
{ device = "bpool/nixos/root";
fsType = "zfs"; options = [ "zfsutil" "X-mount.mkdir" ];
};
fileSystems."/boot/efis/ata-ST250LT003-9YG14C_W041QXCA-part1" =
{ device = "/dev/disk/by-uuid/A0D1-00C1";
fsType = "vfat";
};
fileSystems."/boot/efi" =
{ device = "/boot/efis/ata-ST250LT003-9YG14C_W041QXCA-part1";
fsType = "none";
options = [ "bind" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

34
machines/moderatio/zfs.nix Normal file
View File

@@ -0,0 +1,34 @@
{ config, pkgs, ... }:
{ boot.supportedFilesystems = [ "zfs" ];
networking.hostId = "ae749b82";
#boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
boot.loader.efi.efiSysMountPoint = "/boot/efi";
boot.loader.efi.canTouchEfiVariables = false;
boot.loader.generationsDir.copyKernels = true;
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.copyKernels = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.zfsSupport = true;
boot.loader.grub.extraPrepareConfig = ''
mkdir -p /boot/efis
for i in /boot/efis/*; do mount $i ; done
mkdir -p /boot/efi
mount /boot/efi
'';
boot.loader.grub.extraInstallCommands = ''
ESP_MIRROR=$(mktemp -d)
cp -r /boot/efi/EFI $ESP_MIRROR
for i in /boot/efis/*; do
cp -r $ESP_MIRROR/EFI $i
done
rm -rf $ESP_MIRROR
'';
boot.loader.grub.devices = [
"/dev/disk/by-id/ata-ST250LT003-9YG14C_W041QXCA"
];
users.users.root.initialHashedPassword = "$6$PmoyhSlGGT6SI0t0$.cFsLyhtO1ks1LUDhLjG0vT44/NjuWCBrv5vUSXqwrU5WpaBvvthnLp0Dfwfyd6Zcdx/4izDcjQAgEWs4QdzW0";
}

120
machines/modules/malobeo/microvm_host.nix
View File

@@ -1,120 +0,0 @@
{ config, self, lib, inputs, options, pkgs, ... }:
with lib;
let
cfg = config.services.malobeo.microvm;
in
{
options = {
services.malobeo.microvm = {
enableHostBridge = mkOption {
default = false;
type = types.bool;
description = lib.mdDoc "Setup bridge device for microvms.";
};
enableHostBridgeUnstable = mkOption {
default = false;
type = types.bool;
description = lib.mdDoc "Setup bridge device for microvms.";
};
deployHosts = mkOption {
default = [];
type = types.listOf types.str;
description = ''
List hostnames of MicroVMs that should be automatically initializes and autostart
'';
};
};
};
imports = [
inputs.microvm.nixosModules.host
];
config = {
assertions = [
{
assertion = !(cfg.enableHostBridgeUnstable && cfg.enableHostBridge);
message = ''
Only enableHostBridge or enableHostBridgeUnstable! Not Both!
'';
}
];
systemd.network = mkIf (cfg.enableHostBridge || cfg.enableHostBridgeUnstable) {
enable = true;
# create a bride device that all the microvms will be connected to
netdevs."10-microvm".netdevConfig = {
Kind = "bridge";
Name = "microvm";
};
networks."10-microvm" = {
matchConfig.Name = "microvm";
networkConfig = {
DHCPServer = true;
IPv6SendRA = true;
};
addresses = if cfg.enableHostBridgeUnstable then [
{ Address = "10.0.0.1/24"; }
] else [
{ addressConfig.Address = "10.0.0.1/24"; }
];
};
# connect the vms to the bridge
networks."11-microvm" = {
matchConfig.Name = "vm-*";
networkConfig.Bridge = "microvm";
};
};
microvm.vms =
let
# Map the values to each hostname to then generate a Attrs using listToAttrs
mapperFunc = name: { inherit name; value = {
# Host build-time reference to where the MicroVM NixOS is defined
# under nixosConfigurations
flake = inputs.malobeo;
# Specify from where to let `microvm -u` update later on
updateFlake = "git+https://git.dynamicdiscord.de/kalipso/infrastructure";
}; };
in
builtins.listToAttrs (map mapperFunc cfg.deployHosts);
systemd.services = builtins.foldl' (services: name: services // {
"microvm-update@${name}" = {
description = "Update MicroVMs automatically";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
unitConfig.ConditionPathExists = "/var/lib/microvms/${name}";
serviceConfig = {
LimitNOFILE = "1048576";
Type = "oneshot";
};
path = with pkgs; [ nix git ];
environment.HOME = config.users.users.root.home;
scriptArgs = "%i";
script = ''
/run/current-system/sw/bin/microvm -Ru ${name}
'';
};
}) {} (cfg.deployHosts);
systemd.timers = builtins.foldl' (timers: name: timers // {
"microvm-update-${name}" = {
wantedBy = [ "timers.target" ];
timerConfig = {
Unit = "microvm-update@${name}.service";
# three times per hour
OnCalendar = "*:0,20,40:00";
Persistent = true;
};
};
}) {} (cfg.deployHosts);
};
}

2
machines/modules/sshd.nix
View File

@@ -6,7 +6,7 @@ in
{
services.openssh.enable = true;
services.openssh.ports = [ 22 ];
services.openssh.settings.PasswordAuthentication = false;
services.openssh.passwordAuthentication = false;
services.openssh.settings.PermitRootLogin = "no";
users.users.root.openssh.authorizedKeys.keys = sshKeys.admins;
}

3
machines/modules/xserver.nix
View File

@@ -7,6 +7,7 @@
xterm.enable = false;
cinnamon.enable = true;
};
displayManager.defaultSession = "cinnamon";
};
services.displayManager.defaultSession = "cinnamon";
}

46
machines/nextcloud/configuration.nix
View File

@@ -1,46 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
{
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets = {
nextcloudAdminPass = {};
};
networking = {
hostName = mkDefault "nextcloud";
useDHCP = false;
nameservers = [ "1.1.1.1" ];
};
imports = [
../modules/malobeo_user.nix
../modules/sshd.nix
../modules/minimal_tools.nix
../modules/autoupdate.nix
];
environment.etc."nextcloud-admin-pass".text = "hXz5vspPsFPY";
services.nextcloud = {
enable = true;
package = pkgs.nextcloud30;
hostName = "10.0.0.11";
#config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
config.adminpassFile = "/etc/nextcloud-admin-pass"; #user=root
extraAppsEnable = true;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) contacts calendar;
collectives = pkgs.fetchNextcloudApp {
sha256 = "sha256-ErCWmQCI+ym9Pvsf84Z9yq4CyYJ1uVhyhhlS2bVSJ54=";
url = "https://github.com/nextcloud/collectives/releases/download/v2.15.1/collectives-2.15.1.tar.gz";
license = "agpl3Plus";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
system.stateVersion = "22.11"; # Did you read the comment?
}

79
machines/nextcloud/secrets.yaml
View File

@@ -1,79 +0,0 @@
nextcloudAdminPass: ENC[AES256_GCM,data:es9hhtCcqBqPbV2L,iv:Kyq5kqao0uaMPs0GeRkJT9OWYSZfImBXngg51k0uQ0M=,tag:zN/u90/j4rmdo0HtY+cF9w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmVGxsNmZ3Z0RIYmMyL0Mr
UUpaMEZLTCtQaGFrL1YwOVBicEtNRTVaVGhRCmhDSUgxYXpRcldaMngvOWJDdnNo
b2ZFbUdmcE9EV2E3SkMvZ1RpKzZmeU0KLS0tIE5hNmVFTXpBZFZ3bHYwQlJQaUtw
UFJmTVFaOTJXN09QLzY4emh5Z3hqRjAKXk1PSwR2x0H2cMN06fyigiusz8v2IRIg
S4ZTq/JX39U4QQHgWA1dFPfC636LNBo+QKdl/2mjwnXW7duqDJ+5kA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-26T20:00:50Z"
mac: ENC[AES256_GCM,data:qoY9SfpoU+8HfvD5v/1S6BOkbnZUmHIbtwr0tTSuPETjnFNgr1VVw9mnRatJKPYYFb9/rMZQWIqTY+iUIEkcTVyVXhd6ki5CHW+uxCeBIyMzq33rtEa/btkEUoii4iPieamBCIY21W0znE+edxfR04yRJtLxMICEbuW4Hjf6bwk=,iv:nG42fRgjpuIjPMYnn/6egEdzYolcUBsspaZ8zMv4888=,tag:C6apGoAvVLsWdLWSCwrx6w==,type:str]
pgp:
- created_at: "2024-11-26T19:59:36Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQGMA5HdvEwzh/H7AQv+KkX46UGQzLvhrk/VUCnnMdLEcNbYfk4h+sZJzs1riOGA
LAKYNeaeN6iLLeZX+T2/s5OT4WkIEKGg8/gziurdx01BR70M96Faubp6EVtdK44+
6F5BLLrDhlEKDNOx48qPwJdFjbYW4wZLWmv5nzwPmmRCKO7MoI9UHKq69msCor1i
ralbjlVHyKSuRfvflKAlxFoEqeB6H+ryc54g3stk1j2eFiMNuF/oKDJZT+XI5LHZ
Ai80DAWoUBYgpP4aWiNC075GPutdPlZ3mrGf5+7QnNm7GmNUdJN5VAWmI2NUGr1J
BLopnPFo4juWNsZkLMj2aAuKvGTkhz2PuFKfLj6Erpu82RAjadpFWx239n+i4Ryq
wSquYshpuiecLEejntTBKLEacwp+aPx8IHKnOOKBTdJj+YYaISiznQAlkF7WS+lg
MTZR85BvCxiPogujL7uhYSx1wM5FVkuAIPf1JOJCRvQt30eRRrR0VMrmqQ1Kl5OT
VMzZRIGIoC5vrKGeIIjJ0lgBWQ3bYFh/LGrwKetku6TRAH29mp/XwQqBC97RsUYb
EOxft5sUWaYrXK+z2yzCxOQBWKJISPgcyhdoKfYGnRkHXHi2Uay84oQP4co72eVF
cAhEJOxMw36e
=bSaN
-----END PGP MESSAGE-----
fp: c4639370c41133a738f643a591ddbc4c3387f1fb
- created_at: "2024-11-26T19:59:36Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA98TrrsQEbXUARAAmG88ZDt43zj6dCJkYYVj7MGIhIviJzilTvX4+EfNobtA
tll60GYfRotKnwbuqzSVaaIcV+6cDQ5I1hG5WNFJSXm7DpJ0W1Ir1x2hpxektXFa
fQ+9HiCOfEqUu5PEynCAD1jN6CQLdl87hLQx9TqbZnHuUYPSH1o9Y6kbA/Vp3bpy
evJc8qa66WHYH1kjdEw+qneD5HzZQOLOtXZ7xkxjGbyMcYex9JfyGHohO5dpLg6B
3XrLlIWWERVz04MlnzlaMKfzhoMCU9ByqJSQ3VBm9kblQqu54fOZD2sN8j9ACEfL
YNC7Jm2rasVSqv09G1kso9/VNDw3kNCLvjnpE5rJRP7Ckfj+4FxQN/zPVUwQ1e1k
upoQ8MHyf1bJr8vspm/prm9zp+PRRTUwY1Yyts/ffj+CF5ec9M3jr/RSeEAdswsL
6dLKBL1LuLAjKXOuVnQ7E6gN940Y994sDFkbqEmzzCUHGcfxSF3IDn/qpkQlqerU
B/D43Yef+rtsUDyTA5RUpxKleGORcS4sV0BhQrNXeFclaMTyMr+AbOei4Y77qlD1
x/fHB3IT4Intvp9k4m6jJ86RtLpVhEoA4cHEdCCiXHzUpA6aVtNHVAOqT/aBykrf
uSm1wu/nl6yKbIwTJueli1OfQYKEYcUdjOrEOwXb+UDQKSohWZrMg0sj7/S6Pl/S
WAG1BZ20HXD2ZrVqESV87Pl04nKMqswrio+BINfAT9X3ya7L3DF69MR18bDt+ZIB
0F3+9WUREGI5in4S3hXNxrgfLNFl1YLklfWLYcx0HXJN3z6F2eJOUvM=
=aT3U
-----END PGP MESSAGE-----
fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
- created_at: "2024-11-26T19:59:36Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1kR3vWkIYVnARAAqFyuCtvu6AidWg/9+btEcjWv0sBZaIRpYfX3p2QECwCu
UYAtssvSHgHdBEQzU27MA/5CGmEreB3NhWrjGquv88RojLO1JuhNHGYPZKeIcBKr
I2oS79RKuYs+d2Qu0KUYDaVoY9M5YJsfkju2FOXqMNYlbqX+lDuWnisigj3n2N4e
OEBnVIpfPBQE6c1Z9DaQJE7MyBbKfg5YeWjlwwh+fCf1dV/nGp+QdD88F3dzWMoK
xNGt69TwZ8JUVmElAIJqLJTpyDI5xHQUw2A6ddPSTk/u363eHhOnZZUNAAm3FdO5
0x+4QhcBaH59S8WDZhw4MVmZN7v4+3l3mf7Rx/TXSz4oJg+U7RMgvc291/gowNVm
/cVhBlMYz4Ogx/OYR/t+nzq35r+eBungTB+dRXw7qTTfkCtNgp34JMCkGAq5WWnY
57H2HtssGiMF0qN4SfWxw7317oUmqHI2XvG0yWt42G++jNgIGbDOtuc/7wATEbhK
SBX2aLqDIB1OUwLHQeawyKkB0qGmRSVPkPg8JLwRp43ICETH1WPkY5m/a2slVlDj
qgdw00clTI5Fgu/5G5QBD4Ds9f9ZwjrMD4v+NYfGxa0ajisXl1X6CL1+YvQ6Uicf
QmIRJYxyVd0VoXScZnsk0T/XTKjJB/fRLRalA2PmlZ1v+gisCUz2dhM+OHtSjGTS
WAG5znRbP8UMVt02O0PgbzHYtIUAtQLCuBnzfEKJn721rqCXf7DXU3jrR73Ys6ce
VJzkVBMnBszF71GN56t0PaUYIDOnaGvgjMtHHtOCLQHSK7asnm/Bc+E=
=Znii
-----END PGP MESSAGE-----
fp: 4095412245b6efc14cf92ca25911def5a4218567
unencrypted_suffix: _unencrypted
version: 3.8.1

1
machines/ssh_keys.nix
View File

@@ -3,6 +3,5 @@
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCfDz5teTvRorVtpMj7i3pffD8W4Dn3Aiqre5L4WZq8Wc4bh2OjabGnIcDWpeToKf38n5m0d95OkIbARJwFN7KlbuQbmnIJ5n6pUj/zzRQ3dQTeSsUjkvdbSXVvTcDczMWwLixc/UKP1DMbiLHz5ZSywPTSH2l40lg74q7tSFGBwMy8uy4tsdp2d2sUIDfpvgGj3Pq+zkQHWyFR5BYyCLDfJMTQvGO0bEsbRIDOjkH8YVni46ds6sQKMgc+L2vPo8S3neFZBQRlERVRvIAzdLiBWqGkiw4YgWQA8ocTfWp9DVzW+BZiatc34+AX3KtLEF1Oz76YsKjBttSQL4myUucuskz2Bs7UYvAsDFlWyiJ43ayZNzvG63m1UVsAoq84IhNYsdkPhd+G1rtnG0KxPVAtn7RkAGt8t7ObU+6xWayHcpSteNeE+QyH9nNmJcXNNKfoOeP4vHUBrBTeURafw527yuZDOYknJmg3O+nkeGseIgBYgq/As4+dD6vhp03Y5chjU4/FC6nEjsGPRdfe2RZx+0cqJkLgdd1paGByUfPfaUKykw4TsCUAiDucRwBjU32MLslUbyzeEkjzOJzOD5Frif3jZZLxaNP2QcHRbTiiKkdn+WFJmjr3BdC60pm7hqvmDxl0UZcz9hDv3wZUALUc92TQXnWc8GicKdpQgRYDRQ== kalipso@c3d2.de"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCxgcjNOYbza3+RfANFDXy7HXNRFlkpDOAcGyB7MKshiVlbPByWRSjfZa0BeRNjpeCd8QkIodKUzqYOCOrc8ad3kiNbdLRcDz57A5xSLD3ynakoWJo0AmJjT3Ta1JJj8inNwwykR0ig5//SrtsZb9HkWJDAF017MokM2r8AWPE1QzcQdh93kojXcgTHrJHzEqgKbEGDEk37f1RvZG4umEFeqdK2FvS5isPa7P9X7hyyoDC8bvEy7xfaDrToJAoXon6r79taxH8UWIvy//xsU0NBLYK2eE4RQe2AjF6Ri+CybI6y1SsHOvyh4nNKWlfUOEL6UnIulRn/LXFOKCJi7xuoTeJXS0+w1DNEuiGosVNXPSKbUm/eDBVnb8Iyep9wmygSZayN82xL5lRlG3Mn45ttecqfm2SJkmduBA5qXcTdDPe/lXTZaVO9tbiIcJfUgd3ttEu2+6YjLn74D965PlovzvR6EhbVUZ8IkOAt4VmuTkXIdm8SCS7jzhsiKeUXoZ4rfa375zi79SIPuIkoMasj6d16wcYOeFIUIMFFccfQ9jQjr9NTSXC2dd7sfbI9I9mF7eRQSsUdSwpP8WH1b+M1MxTbdhEUdPwpOLviTTIuk8E8K8DQDZIcOOh38mCDpyoh02nwfRxlyoYVsKAHIQH02dHTvYEa3/pMsRwGc9W1Ow== kalipso@desktop"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQg6a2EGmq+i9lfwU+SRMQ8MGN3is3VS6janzl9qOHo quaseb67@hzdr.de"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKaEcGaSKU0xC5qCwzj2oCLLG4PYjWHZ7/CXHw4urVk atlan@nixos"
];
}

35
outputs.nix
View File

@@ -18,45 +18,12 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
devShells.default = pkgs.callPackage ./shell.nix {
inherit (sops-nix.packages."${pkgs.system}") sops-import-keys-hook ssh-to-pgp sops-init-gpg-key;
};
packages = {
docs = pkgs.stdenv.mkDerivation {
name = "malobeo-docs";
phases = [ "buildPhase" ];
buildInputs = [ pkgs.mdbook ];
inputs = pkgs.lib.sourceFilesBySuffices ./doc/. [ ".md" ".toml" ];
buildPhase = ''
dest=$out/share/doc
mkdir -p $dest
cp -r --no-preserve=all $inputs/* ./
mdbook build
ls
cp -r ./book/* $dest
'';
};
};
apps = {
docs = {
type = "app";
program = builtins.toString (pkgs.writeShellScript "docs" ''
${pkgs.mdbook}/bin/mdbook serve --open ./doc
'');
};
};
})) // rec {
nixosConfigurations = import ./machines/configuration.nix (inputs // {
inherit inputs;
self = self;
});
nixosModules.malobeo.imports = [
./machines/durruti/host_config.nix
./machines/modules/malobeo/microvm_host.nix
];
nixosModules.malobeo = import ./machines/durruti/host_config.nix;
hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (
let

2
shell.nix
View File

@@ -17,8 +17,6 @@ mkShell {
sops-import-keys-hook
sops-init-gpg-key
sops
pkgs.age
pkgs.python310Packages.grip
pkgs.mdbook
];
}