24 Commits

2fda92f712 Merge branch 'staging'
All checks were successful
Check flake syntax / flake-check (push) Successful in 22m9s
2025-12-23 19:14:25 +01:00
6e6448eeca [nextcloud] fix hash for xustom deck32 app
All checks were successful
Check flake syntax / flake-check (push) Successful in 12m51s
2025-12-23 19:13:22 +01:00
530c0cc5f3 [zineshop] re-enable 2025-12-23 19:13:22 +01:00
633b2f4dc7 Fix nix check; Also i disabled the zineshop temporairly 2025-12-23 19:13:22 +01:00
af9253b91c [nixpkgs] 25.05 -> 25.11 2025-12-23 19:13:22 +01:00
a2f8d84d96 [nixpkgs] update 2025-12-23 19:13:22 +01:00
9899889924 [nextcloud] adjust nginx for large fileuploads
All checks were successful
Check flake syntax / flake-check (push) Successful in 11m51s
2025-12-22 19:37:13 +01:00
b3e93349d1 [nextcloud] use fix body size in external code
All checks were successful
Check flake syntax / flake-check (push) Successful in 5m53s
2025-12-10 12:07:15 +01:00
f7d00246e8 [nextcloud] set max_body_size in nginx proxy chain
All checks were successful
Check flake syntax / flake-check (push) Successful in 12m0s
2025-12-10 10:55:38 +01:00
a79afe7dea [nextcloud] enable postgresql backup
All checks were successful
Check flake syntax / flake-check (push) Successful in 8m7s
If we need to restore from a backup this is necessary, since the DB state from
ZFS snapshots might be corrupted.
2025-12-10 10:38:27 +01:00
b94574c640 [fanny] fix flushing init vpn
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m46s
2025-11-15 18:02:20 +01:00
a97de389e5 [fanny] fix typo
Some checks failed
Check flake syntax / flake-check (push) Failing after 2m48s
2025-11-15 17:21:45 +01:00
845379ac86 [fanny] flush wg-initd
Some checks failed
Check flake syntax / flake-check (push) Failing after 2m52s
2025-11-15 17:17:40 +01:00
e91481c405 [initssh] network.flushBeforeStage2
All checks were successful
Check flake syntax / flake-check (push) Successful in 10m17s
2025-11-15 16:50:07 +01:00
d3312c870a [fanny] remove zfs-remote-unlock
All checks were successful
Check flake syntax / flake-check (push) Successful in 5m19s
2025-11-15 16:37:11 +01:00
eee561b650 [fanny] set /24 for wg ip
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m51s
2025-11-15 16:22:03 +01:00
a612221e2a change script to first import storage before unlocking root
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m49s
2025-11-15 16:12:32 +01:00
73c482ece0 [fanny] set vpn pubkey
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m53s
2025-11-15 16:07:17 +01:00
4d4e9d980b [initssh] add iproute2
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m55s
2025-11-15 15:48:40 +01:00
beb3839a6b [initssh] add wireguard-tools 2025-11-15 15:47:38 +01:00
0df32bf47c [initssh] fix busybox 2025-11-15 15:47:02 +01:00
f6bbbdec3e [initssh] add pkgs.busybox to initrd
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m47s
2025-11-15 15:11:47 +01:00
2a5539c204 [fanny] import storage in systemd script
All checks were successful
Check flake syntax / flake-check (push) Successful in 8m51s
2025-11-15 14:51:51 +01:00
9588103e67 [fanny] import storage on boot
All checks were successful
Check flake syntax / flake-check (push) Successful in 4m52s
2025-11-15 14:30:57 +01:00
9 changed files with 89 additions and 61 deletions

flake.lock generated

@@ -67,11 +67,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1748226808, "lastModified": 1763992789,
"narHash": "sha256-GaBRgxjWO1bAQa8P2+FDxG4ANBVhjnSjBms096qQdxo=", "narHash": "sha256-WHkdBlw6oyxXIra/vQPYLtqY+3G8dUVZM8bEXk0t8x4=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "83665c39fa688bd6a1f7c43cf7997a70f6a109f9", "rev": "44831a7eaba4360fb81f2acc5ea6de5fde90aaa3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -109,11 +109,11 @@
"spectrum": "spectrum" "spectrum": "spectrum"
}, },
"locked": { "locked": {
"lastModified": 1748260747, "lastModified": 1764549796,
"narHash": "sha256-V3ONd70wm55JxcUa1rE0JU3zD+Cz7KK/iSVhRD7lq68=", "narHash": "sha256-Mswg665P92EoHkBwCwPr/7bdnj04g2Qfb+t02ZEYTHA=",
"owner": "astro", "owner": "astro",
"repo": "microvm.nix", "repo": "microvm.nix",
"rev": "b6c5dfc2a1c7614c94fd2c5d2e8578fd52396f3b", "rev": "030d055e877cc13d7525b39f434150226d5e4482",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -145,11 +145,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1747663185, "lastModified": 1764234087,
"narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=", "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc", "rev": "032a1878682fafe829edfcf5fdfad635a2efe748",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -160,11 +160,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1747900541, "lastModified": 1764440730,
"narHash": "sha256-dn64Pg9xLETjblwZs9Euu/SsjW80pd6lr5qSiyLY1pg=", "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "11f2d9ea49c3e964315215d6baa73a8d42672f06", "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -192,11 +192,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1748190013, "lastModified": 1764517877,
"narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=", "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "62b852f6c6742134ade1abdd2a21685fd617a291", "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -208,16 +208,16 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1748162331, "lastModified": 1764522689,
"narHash": "sha256-rqc2RKYTxP3tbjA+PB3VMRQNnjesrT0pEofXQTrMsS8=", "narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7c43f080a7f28b2774f3b3f43234ca11661bf334", "rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-25.05", "ref": "nixos-25.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@@ -246,11 +246,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1747603214, "lastModified": 1764483358,
"narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=", "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd", "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -262,11 +262,11 @@
"spectrum": { "spectrum": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1746869549, "lastModified": 1759482047,
"narHash": "sha256-BKZ/yZO/qeLKh9YqVkKB6wJiDQJAZNN5rk5NsMImsWs=", "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "d927e78530892ec8ed389e8fae5f38abee00ad87", "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9",
"revCount": 862, "revCount": 996,
"type": "git", "type": "git",
"url": "https://spectrum-os.org/git/spectrum" "url": "https://spectrum-os.org/git/spectrum"
}, },
@@ -450,11 +450,11 @@
"utils": "utils_4" "utils": "utils_4"
}, },
"locked": { "locked": {
"lastModified": 1751462005, "lastModified": 1764942243,
"narHash": "sha256-vhr2GORiXij3mL+QIfnL0sKSbbBIglw1wnHWNmFejiA=", "narHash": "sha256-P02Zm0VAON9SqRxqe6h5vfxgpCBYeiz5JPWGIn6KFFg=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "f505fb17bf1882cc3683e1e252ce44583cbe58ce", "rev": "f56b7eb6887b7e0fecae4a1f4c1311392eebad8d",
"revCount": 155, "revCount": 156,
"type": "git", "type": "git",
"url": "https://git.dynamicdiscord.de/kalipso/zineshop" "url": "https://git.dynamicdiscord.de/kalipso/zineshop"
}, },


@@ -3,7 +3,7 @@
inputs = { inputs = {
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";


@@ -48,7 +48,7 @@ in
firefox firefox
thunderbird thunderbird
telegram-desktop telegram-desktop
tor-browser-bundle-bin tor-browser
keepassxc keepassxc
libreoffice libreoffice
gimp gimp


@@ -49,6 +49,10 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://10.0.0.10"; proxyPass = "http://10.0.0.10";
extraConfig = '' extraConfig = ''
client_max_body_size 10G;
client_body_timeout 3600s;
send_timeout 3600s;
fastcgi_buffers 64 4K;
''; '';
}; };
}; };
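Review bot: `fastcgi_buffers 64 4K;` has no effect in this location because it forwards with `proxy_pass`; fastcgi_* directives only apply to `fastcgi_pass` locations, so the line looks copied from the Nextcloud nginx snippet and should be dropped (the same line is added in the 10.0.0.13 and 10.100.0.101 sections further down). The 10G limit is hard-coded here while the other two proxies in this commit derive it from `services.nextcloud.maxUploadSize`, so using the same expression keeps the proxy chain consistent when the limit changes. For uploads passing through `proxy_pass` the timeouts that govern a slow backend are `proxy_read_timeout`/`proxy_send_timeout` rather than `send_timeout`, so it is worth confirming those do not also need raising. The enclosing locations attrset starts outside the hunk.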


@@ -86,10 +86,15 @@ in
enable = true; enable = true;
authorizedKeys = sshKeys.admins; authorizedKeys = sshKeys.admins;
ethernetDrivers = ["r8169"]; ethernetDrivers = ["r8169"];
zfsExtraPools = [ "storage" ];
}; };
boot.initrd = { boot.initrd = {
availableKernelModules = [ "wireguard" ]; availableKernelModules = [ "wireguard" ];
# postMountCommands = ''
# ip address flush dev wg-initrd
# ip link set dev wg-initrd down
# '';
systemd = { systemd = {
enable = true; enable = true;
network = { network = {
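Review bot: The commented-out `postMountCommands` block (address flush and link down for wg-initrd) is dead code and should be deleted rather than committed; the initssh module changed in this same commit now handles the teardown through `network.flushBeforeStage2 = true` and the `stopInitVpn` service, so the stale comment would only mislead the next reader. If a pointer is wanted, replace the four lines with one comment such as `# wg-initrd teardown now lives in the initssh module (stopInitVpn, flushBeforeStage2)`. The enclosing host attrset starts outside the hunk.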
@@ -101,15 +106,15 @@ in
}; };
wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; }; wireguardConfig = { PrivateKeyFile = "/etc/secrets/30-wg-initrd.key"; };
wireguardPeers = [{ wireguardPeers = [{
AllowedIPs = peers.fanny-initrd.allowedIPs; AllowedIPs = peers.vpn.allowedIPs;
PublicKey = peers.fanny-initrd.publicKey; PublicKey = peers.vpn.publicKey;
Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}"; Endpoint = "${peers.vpn.publicIp}:${builtins.toString(peers.vpn.listenPort)}";
PersistentKeepalive = 25; PersistentKeepalive = 25;
}]; }];
}; };
networks."30-wg-initrd" = { networks."30-wg-initrd" = {
name = "wg-initrd"; name = "wg-initrd";
addresses = [{ Address = peers.fanny-initrd.address; }]; addresses = [{ Address = "${peers.fanny-initrd.address}/24"; }];
}; };
}; };
}; };
@@ -160,7 +165,10 @@ in
proxyPass = "http://10.0.0.13"; proxyPass = "http://10.0.0.13";
extraConfig = '' extraConfig = ''
proxy_set_header Host $host; proxy_set_header Host $host;
client_max_body_size 10G; client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize};
client_body_timeout 3600s;
send_timeout 3600s;
fastcgi_buffers 64 4K;
''; '';
}; };
}; };


@@ -31,7 +31,7 @@
firefox firefox
thunderbird thunderbird
telegram-desktop telegram-desktop
tor-browser-bundle-bin tor-browser
keepassxc keepassxc
libreoffice libreoffice
gimp gimp


@@ -22,6 +22,11 @@ in
description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`"; description = "Ethernet drivers to load: run `lspci -k | grep -iA4 ethernet`";
example = "r8169"; example = "r8169";
}; };
zfsExtraPools = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = "Name or GUID of extra ZFS pools that you wish to import during boot.";
};
}; };
config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) { config = lib.mkIf (cfg.enable && config.malobeo.disks.encryption) {
@@ -32,33 +37,41 @@ in
zfs = { zfs = {
forceImportAll = true; forceImportAll = true;
requestEncryptionCredentials = true; requestEncryptionCredentials = true;
extraPools = cfg.zfsExtraPools;
}; };
initrd = { initrd = {
availableKernelModules = cfg.ethernetDrivers; availableKernelModules = cfg.ethernetDrivers;
systemd = { systemd = {
initrdBin = [ pkgs.busybox pkgs.wireguard-tools pkgs.iproute2 ];
enable = true; enable = true;
network.enable = true; network.enable = true;
services."stopInitVpn" = {
description = "stop init vpn";
wantedBy = [
"initrd.target"
];
after = [
"zfs.target"
];
serviceConfig.StandardOutput = "journal+console";
script = ''
networkctl down wg-initrd
'';
serviceConfig.Type = "oneshot";
};
}; };
network.ssh = { network = {
enable = true; flushBeforeStage2 = true;
port = 222; ssh = {
authorizedKeys = cfg.authorizedKeys; enable = true;
hostKeys = [ "/etc/ssh/initrd" ]; port = 222;
authorizedKeys = cfg.authorizedKeys;
hostKeys = [ "/etc/ssh/initrd" ];
};
}; };
secrets = { secrets = {
"/etc/ssh/initrd" = "/etc/ssh/initrd"; "/etc/ssh/initrd" = "/etc/ssh/initrd";
}; };
systemd.services.zfs-remote-unlock = {
description = "Prepare for ZFS remote unlock";
wantedBy = ["initrd.target"];
after = ["systemd-networkd.service"];
path = with pkgs; [ zfs ];
serviceConfig.Type = "oneshot";
script = ''
echo "zfs load-key -a; killall zfs; systemctl default" >> /var/empty/.profile
'';
};
}; };
kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ]; kernelParams = [ "ip=::::${hostName}-initrd::dhcp" ];
}; };
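Review bot: `networkctl down wg-initrd` in the `stopInitVpn` script only sets the link administratively down; the WireGuard netdev, its peer list and the private key loaded from the initrd secret remain configured in the kernel, and if the interface survives switch-root they are inherited by stage 2. Since `pkgs.iproute2` is now in `initrdBin`, `ip link delete wg-initrd` would remove the device and its key material entirely, which is presumably the intent of tearing the tunnel down once the pools are imported; whether `flushBeforeStage2` already covers a wg netdev is not visible here, so confirm before relying on it. The two `serviceConfig.StandardOutput` / `serviceConfig.Type` assignments would read better as a single `serviceConfig = { ... }` attrset, and a comment like `# drop the initrd VPN after the pools are imported so stage 2 starts without it` would document why the unit orders after `zfs.target`. The enclosing module attrset starts outside the hunk.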


@@ -31,9 +31,13 @@ with lib;
lokiHost = "10.0.0.14"; lokiHost = "10.0.0.14";
}; };
services.postgresqlBackup = {
enable = true;
};
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud31; package = pkgs.nextcloud32;
hostName = "cloud.malobeo.org"; hostName = "cloud.malobeo.org";
config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path; config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
maxUploadSize = "10G"; maxUploadSize = "10G";
@@ -48,14 +52,9 @@ with lib;
extraAppsEnable = true; extraAppsEnable = true;
extraApps = { extraApps = {
inherit (config.services.nextcloud.package.packages.apps) contacts calendar polls registration collectives forms; inherit (config.services.nextcloud.package.packages.apps) contacts calendar polls registration collectives forms;
appointments = pkgs.fetchNextcloudApp {
sha256 = "sha256-ls1rLnsX7U9wo2WkEtzhrvliTcWUl6LWXolE/9etJ78=";
url = "https://github.com/SergeyMosin/Appointments/raw/refs/tags/v2.4.3/build/artifacts/appstore/appointments.tar.gz";
license = "agpl3Plus";
};
deck = pkgs.fetchNextcloudApp { deck = pkgs.fetchNextcloudApp {
sha256 = "sha256-1sqDmJpM9SffMY2aaxwzqntdjdcUaRySyaUDv9VHuiE="; sha256 = "sha256-epjwIANb6vTNx9KqaG6jZc14YPoFMBTCj+/c9JHcWkA=";
url = "https://link.storjshare.io/raw/jw7pf6gct34j3pcqvlq6ddasvdwq/mal/deck.tar.gz"; url = "https://link.storjshare.io/raw/jvrl62dakd6htpyxohjkiiqiw5ma/mal/deck32.tar.gz";
license = "agpl3Plus"; license = "agpl3Plus";
}; };
}; };
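Review bot: The updated `deck` app is still fetched from an ad-hoc `link.storjshare.io` share rather than an upstream release artifact, and nothing records what `deck32.tar.gz` was built from; the `sha256` pin makes the build reproducible but gives a later reviewer no way to re-verify the archive against upstream. A comment above the `deck = pkgs.fetchNextcloudApp {` line naming the upstream tag or commit and how the tarball was produced (e.g. `# deck32.tar.gz: built from upstream deck <TAG-PLACEHOLDER> for Nextcloud 32; re-hash after rebuilding`) would document that provenance. The enclosing extraApps attrset starts outside the hunk.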


@@ -45,6 +45,10 @@ with lib;
proxyPass = "http://10.100.0.101"; proxyPass = "http://10.100.0.101";
extraConfig = '' extraConfig = ''
proxy_set_header Host $host; proxy_set_header Host $host;
client_max_body_size ${inputs.self.nixosConfigurations.nextcloud.config.services.nextcloud.maxUploadSize};
client_body_timeout 3600s;
send_timeout 3600s;
fastcgi_buffers 64 4K;
''; '';
}; };
}; };