forked from wurzel/fruitbasket
Compare commits
121 commits
purgetunus
...
main
Author | SHA1 | Date | |
---|---|---|---|
7aa9df065d | |||
29c702b2e5 | |||
ff4df0aae0 | |||
d252ec452f | |||
3fc5565c6b | |||
22608b8ec0 | |||
![]() |
d997cf3106 | ||
44549dddbe | |||
87e50986bf | |||
d9dec34e3a | |||
bc46330abe | |||
9577f93dae | |||
57f52c9958 | |||
![]() |
469da0ec41 | ||
d5617bea3f | |||
8c6282c4fa | |||
c85492d896 | |||
01ad4cf730 | |||
786038cae3 | |||
810d878dfc | |||
cd1519e3e8 | |||
![]() |
0e984c8e97 | ||
943e208e3a | |||
e3dd58a1f9 | |||
7d7d60c189 | |||
faf2607319 | |||
fe8c721f45 | |||
37f9447a38 | |||
1a1b3ad0f2 | |||
bef4f24477 | |||
db4eab1c0d | |||
62e4ac6368 | |||
1875088472 | |||
bd90107f91 | |||
451c099d3f | |||
48c04ce61e | |||
d075afaac5 | |||
8e3a5b0ff3 | |||
06281a1432 | |||
97cb91d703 | |||
c442ea54a4 | |||
ae4fcb60cc | |||
e8e71eda7c | |||
4d5e2ae3eb | |||
![]() |
2fa18c816d | ||
dd9aaba3ef | |||
37bf91a57a | |||
6fa82f7453 | |||
f518bd545d | |||
3d0f3cfa21 | |||
fb0b36b200 | |||
7d69600115 | |||
efc38dac8f | |||
ea8efc298d | |||
7c86415c50 | |||
9662b35f42 | |||
161a4ae838 | |||
fcffa5f79c | |||
0d9bd777c8 | |||
e80eb649ca | |||
af3c401cf6 | |||
c25d9d3f9e | |||
d4ae4d1743 | |||
4e99931626 | |||
f6cda1a4fc | |||
74f8e85f51 | |||
f5cf94d257 | |||
ec5f15946e | |||
c2149ec639 | |||
d2c543fc07 | |||
ed3e8de2cb | |||
6e2b0d262f | |||
f83abbfe8d | |||
e10b491cdf | |||
![]() |
ddecabc25f | ||
![]() |
776f860a92 | ||
e84a83e305 | |||
643f92dfc5 | |||
805484dd0b | |||
173d5e693d | |||
fc01acbc46 | |||
096a04e00c | |||
8177e8407a | |||
46b0bfaa8d | |||
c98206231c | |||
f54d5fd867 | |||
5286041789 | |||
![]() |
703002d148 | ||
![]() |
382bbc6601 | ||
![]() |
6416be37f5 | ||
![]() |
23a5062f7b | ||
![]() |
a6ada675df | ||
e470b83cb6 | |||
![]() |
c1a0b67261 | ||
0d0512a539 | |||
c4d2b5fd08 | |||
c5cc3bd8b8 | |||
923d8a8697 | |||
a506e7d550 | |||
62b344a2c2 | |||
72566b656a | |||
![]() |
ab1e4d10ee | ||
![]() |
f268507d85 | ||
df82b2e35b | |||
7d1cf705ee | |||
697df17b33 | |||
530570699a | |||
3fae2321f3 | |||
00104e593c | |||
33497714db | |||
d7389d41da | |||
42b3613b95 | |||
799c9a67ff | |||
6d6e00f5bf | |||
49d48dc8d4 | |||
7a9e841a5f | |||
85f8932908 | |||
21a1000dad | |||
fe5836b8c9 | |||
340781cafd | |||
2fc48b6708 |
40 changed files with 1281 additions and 221 deletions
101
flake.lock
generated
101
flake.lock
generated
|
@ -7,11 +7,11 @@
|
|||
"poetry2nix": "poetry2nix"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1714117615,
|
||||
"narHash": "sha256-Ilu7j7tihFI0jtnsQS+7H0SZX4C61NZHaV/7fJ39t/E=",
|
||||
"lastModified": 1730751072,
|
||||
"narHash": "sha256-+FQjzCNV3k8U4BfNcFmoZTRf8aO9ufn3s7kkzHj/b7s=",
|
||||
"owner": "fsr",
|
||||
"repo": "course-management",
|
||||
"rev": "9e5ab11788b926a9a26d2aaa0e0958c3c5865cc9",
|
||||
"rev": "60b7062ce47ee9f0609e701ad5eb5e3e0a857ff2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -27,11 +27,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1698049587,
|
||||
"narHash": "sha256-gNxpJdxSrpWMTBSGFO4HfXgr+FiAGtwEXCvxd6W8IUQ=",
|
||||
"lastModified": 1730889586,
|
||||
"narHash": "sha256-SLgo7UjWLaFaaUPFqzKbr9DLAGzm5kparfxuJHEpK3w=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "2d05abcd2b4e59db421c86fa9adaffa3dccb1086",
|
||||
"revCount": 7,
|
||||
"rev": "a111147ce5eaea4f1d691afe1203e7529d68522d",
|
||||
"revCount": 9,
|
||||
"type": "git",
|
||||
"url": "https://git.ifsr.de/ese/manual-website"
|
||||
},
|
||||
|
@ -45,11 +45,11 @@
|
|||
"systems": "systems"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1694529238,
|
||||
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
|
||||
"lastModified": 1726560853,
|
||||
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
|
||||
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -63,11 +63,11 @@
|
|||
"systems": "systems_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1694529238,
|
||||
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
|
||||
"lastModified": 1726560853,
|
||||
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
|
||||
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -101,11 +101,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1708628927,
|
||||
"narHash": "sha256-1ObvmmEzbW2YjY/jJyfOoxhxIe54zcsOBMzgehnclRg=",
|
||||
"lastModified": 1732530918,
|
||||
"narHash": "sha256-O5cmb7xeIq1luKn9FbS3UP4aziP2UuBKARsq/w7CGqs=",
|
||||
"owner": "fsr",
|
||||
"repo": "kpp",
|
||||
"rev": "05e370097af21ddb776bec907942c60e6aebc394",
|
||||
"rev": "b867b6b3d4c604c177e1866d2babc7ae5c0f6a9d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -123,11 +123,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1698974481,
|
||||
"narHash": "sha256-yPncV9Ohdz1zPZxYHQf47S8S0VrnhV7nNhCawY46hDA=",
|
||||
"lastModified": 1729742964,
|
||||
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nix-github-actions",
|
||||
"rev": "4bb5e752616262457bc7ca5882192a564c0472d2",
|
||||
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -143,11 +143,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720334033,
|
||||
"narHash": "sha256-X9pEvvHTVWJphhbUYqXvlLedOndNqGB7rvhSvL2CIgU=",
|
||||
"lastModified": 1737861961,
|
||||
"narHash": "sha256-LIRtMvAwLGb8pBoamzgEF67oKlNPz4LuXiRPVZf+TpE=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nix-index-database",
|
||||
"rev": "685e40e1348007d2cf76747a201bab43d86b38cb",
|
||||
"rev": "79b7b8eae3243fc5aa9aad34ba6b9bbb2266f523",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -158,11 +158,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1701253981,
|
||||
"narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
|
||||
"lastModified": 1730531603,
|
||||
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
|
||||
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -172,34 +172,18 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs-stable": {
|
||||
"locked": {
|
||||
"lastModified": 1720282526,
|
||||
"narHash": "sha256-dudRkHPRivMNOhd04YI+v4sWvn2SnN5ODSPIu5IVbco=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "550ac3e955c30fe96dd8b2223e37e0f5d225c927",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NixOS",
|
||||
"ref": "release-24.05",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1720244366,
|
||||
"narHash": "sha256-WrDV0FPMVd2Sq9hkR5LNHudS3OSMmUrs90JUTN+MXpA=",
|
||||
"lastModified": 1738023785,
|
||||
"narHash": "sha256-BPHmb3fUwdHkonHyHi1+x89eXB3kA1jffIpwPVJIVys=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "49ee0e94463abada1de470c9c07bfc12b36dcf40",
|
||||
"rev": "2b4230bf03deb33103947e2528cac2ed516c5c89",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "nixos-24.05",
|
||||
"ref": "nixos-24.11",
|
||||
"repo": "nixpkgs",
|
||||
"type": "github"
|
||||
}
|
||||
|
@ -230,11 +214,11 @@
|
|||
"treefmt-nix": "treefmt-nix"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1701399357,
|
||||
"narHash": "sha256-QSGP2J73HQ4gF5yh+MnClv2KUKzcpTmikdmV8ULfq2E=",
|
||||
"lastModified": 1730284601,
|
||||
"narHash": "sha256-eHYcKVLIRRv3J1vjmxurS6HVdGphB53qxUeAkylYrZY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "poetry2nix",
|
||||
"rev": "7acb78166a659d6afe9b043bb6fe5cb5e86bb75e",
|
||||
"rev": "43a898b4d76f7f3f70df77a2cc2d40096bc9d75e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -279,15 +263,14 @@
|
|||
"inputs": {
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1720321395,
|
||||
"narHash": "sha256-kcI8q9Nh8/CSj0ygfWq1DLckHl8IHhFarL8ie6g7OEk=",
|
||||
"lastModified": 1737411508,
|
||||
"narHash": "sha256-j9IdflJwRtqo9WpM0OfAZml47eBblUHGNQTe62OUqTw=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "c184aca4db5d71c3db0c8cbfcaaec337a5d065ea",
|
||||
"rev": "015d461c16678fc02a2f405eb453abb509d4e1d4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -364,11 +347,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1699786194,
|
||||
"narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
|
||||
"lastModified": 1730120726,
|
||||
"narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
|
||||
"rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -383,11 +366,11 @@
|
|||
"nixpkgs": "nixpkgs_3"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1713958148,
|
||||
"narHash": "sha256-8PDNi/dgoI2kyM7uSiU4eoLBqUKoA+3TXuz+VWmuCOc=",
|
||||
"lastModified": 1729422940,
|
||||
"narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixos-vscode-server",
|
||||
"rev": "fc900c16efc6a5ed972fb6be87df018bcf3035bc",
|
||||
"rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
14
flake.nix
14
flake.nix
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
inputs = {
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
||||
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
|
||||
sops-nix.url = "github:Mic92/sops-nix";
|
||||
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
nix-index-database.url = "github:nix-community/nix-index-database";
|
||||
|
@ -36,6 +36,7 @@
|
|||
supportedSystems = [ "x86_64-linux" ];
|
||||
forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
|
||||
pkgs = forAllSystems (system: nixpkgs.legacyPackages.${system});
|
||||
|
||||
in
|
||||
{
|
||||
packages = forAllSystems (system: rec {
|
||||
|
@ -77,21 +78,24 @@
|
|||
./modules/courses
|
||||
./modules/wiki
|
||||
./modules/matrix
|
||||
./modules/keycloak
|
||||
./modules/monitoring
|
||||
|
||||
./modules/nix-serve.nix
|
||||
./modules/hedgedoc.nix
|
||||
./modules/padlist.nix
|
||||
./modules/nextcloud.nix
|
||||
./modules/keycloak.nix
|
||||
./modules/monitoring.nix
|
||||
./modules/vaultwarden.nix
|
||||
./modules/forgejo
|
||||
./modules/kanboard.nix
|
||||
./modules/zammad.nix
|
||||
./modules/decisions.nix
|
||||
# ./modules/decisions.nix
|
||||
./modules/stream.nix
|
||||
# ./modules/struktur-bot.nix
|
||||
{
|
||||
nixpkgs.overlays = [ self.overlays.default ];
|
||||
nixpkgs.overlays = [
|
||||
self.overlays.default
|
||||
];
|
||||
sops.defaultSopsFile = ./secrets/quitte.yaml;
|
||||
}
|
||||
];
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ pkgs, config, ... }:
|
||||
{ pkgs, ... }:
|
||||
|
||||
{
|
||||
imports =
|
||||
|
@ -16,7 +16,6 @@
|
|||
# boot.kernelParams = [ "video=VGA-1:1024x768@30" ];
|
||||
boot.loader.efi.canTouchEfiVariables = true;
|
||||
boot.supportedFilesystems = [ "zfs" ];
|
||||
boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
|
||||
|
||||
services.zfs = {
|
||||
trim.enable = true;
|
||||
|
@ -27,6 +26,17 @@
|
|||
time.timeZone = "Europe/Berlin";
|
||||
i18n.defaultLocale = "en_US.UTF-8";
|
||||
|
||||
security.sudo.extraRules = [
|
||||
{
|
||||
commands = [
|
||||
{
|
||||
command = "ALL";
|
||||
options = [ "NOPASSWD" ];
|
||||
}
|
||||
];
|
||||
groups = [ "admins" ];
|
||||
}
|
||||
];
|
||||
# prevent fork bombs
|
||||
security.pam.loginLimits = [
|
||||
{
|
||||
|
|
|
@ -31,14 +31,26 @@
|
|||
networks."10-wired-default" = {
|
||||
matchConfig.Name = "enp65s0f0np0";
|
||||
|
||||
address = [ "141.30.30.169/25" ];
|
||||
address = [
|
||||
|
||||
"141.30.30.194/26"
|
||||
"2a13:dd85:b23:1::1337/64"
|
||||
];
|
||||
routes = [
|
||||
{
|
||||
routeConfig.Gateway = "141.30.30.129";
|
||||
Gateway = "141.30.30.193";
|
||||
}
|
||||
{
|
||||
Gateway = "fe80::7a24:59ff:fe5e:6e2f";
|
||||
}
|
||||
];
|
||||
networkConfig = {
|
||||
DNS = "141.30.1.1";
|
||||
DNS = [
|
||||
"9.9.9.9"
|
||||
"149.112.112.112"
|
||||
"2620:fe::fe"
|
||||
"2620:fe::9"
|
||||
];
|
||||
LLDP = true;
|
||||
EmitLLDP = "nearest-bridge";
|
||||
};
|
||||
|
|
|
@ -106,7 +106,6 @@
|
|||
};
|
||||
|
||||
# Enable sound with pipewire.
|
||||
sound.enable = true;
|
||||
hardware.pulseaudio.enable = false;
|
||||
security.rtkit.enable = true;
|
||||
services.pipewire = {
|
||||
|
|
|
@ -27,7 +27,7 @@
|
|||
address = [ "141.30.86.196/26" ];
|
||||
routes = [
|
||||
{
|
||||
routeConfig.Gateway = "141.30.86.193";
|
||||
Gateway = "141.30.86.193";
|
||||
}
|
||||
];
|
||||
networkConfig = {
|
||||
|
|
|
@ -14,8 +14,9 @@
|
|||
enable = true;
|
||||
name = "ifsr-quitte";
|
||||
extraClientConfig = ''
|
||||
Comm Compression = no
|
||||
Maximum Concurrent Jobs = 20
|
||||
FDAddress = 141.30.30.169
|
||||
FDAddress = 141.30.30.194
|
||||
PKI Signatures = Yes
|
||||
PKI Encryption = Yes
|
||||
PKI Keypair = ${config.sops.secrets."bacula/keypair".path}
|
||||
|
|
|
@ -73,6 +73,7 @@
|
|||
time.timeZone = "Europe/Berlin";
|
||||
|
||||
# basic shell & editor
|
||||
programs.vim.enable = true;
|
||||
programs.vim.defaultEditor = true;
|
||||
|
||||
# List packages installed in system profile. To search, run:
|
||||
|
@ -104,6 +105,7 @@
|
|||
ltrace
|
||||
strace
|
||||
mtr
|
||||
nix-output-monitor
|
||||
traceroute
|
||||
smartmontools
|
||||
sysstat
|
||||
|
@ -112,6 +114,7 @@
|
|||
eza
|
||||
zsh
|
||||
unzip
|
||||
yazi
|
||||
];
|
||||
}
|
||||
|
||||
|
|
|
@ -15,13 +15,14 @@
|
|||
enabled = true
|
||||
# aggressive mode to add blocking for aborted connections
|
||||
filter = dovecot[mode=aggressive]
|
||||
maxretry = 3
|
||||
maxretry = 15
|
||||
'';
|
||||
postfix = ''
|
||||
enabled = true
|
||||
filter = postfix[mode=aggressive]
|
||||
maxretry = 3
|
||||
maxretry = 15
|
||||
'';
|
||||
sshd.settings.maxretry = 15;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
@ -3,7 +3,9 @@
|
|||
services.rsyslogd = {
|
||||
enable = true;
|
||||
defaultConfig = ''
|
||||
$FileCreateMode 0640
|
||||
:programname, isequal, "postfix" /var/log/postfix.log
|
||||
:programname, isequal, "portunus" /var/log/portunus.log
|
||||
|
||||
auth.* -/var/log/auth.log
|
||||
'';
|
||||
|
|
|
@ -7,10 +7,14 @@
|
|||
({ name, ... }: {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
# enable http3 for all hosts
|
||||
quic = true;
|
||||
http3 = true;
|
||||
# split up nginx access logs per vhost
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/${name}_access.log;
|
||||
error_log /var/log/nginx/${name}_error.log;
|
||||
add_header Alt-Svc 'h3=":443"; ma=86400';
|
||||
'';
|
||||
})
|
||||
);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
# From: https://nixos.wiki/wiki/Podman
|
||||
virtualisation.containers.enable = true;
|
||||
|
@ -23,4 +23,4 @@
|
|||
#docker-compose # start group of containers for dev
|
||||
#podman-compose # start group of containers for dev
|
||||
];
|
||||
}
|
||||
}
|
||||
|
|
|
@ -5,7 +5,6 @@
|
|||
enable = true;
|
||||
location = "/var/lib/backup/postgresql";
|
||||
databases = [
|
||||
"directus_ese"
|
||||
"course-management"
|
||||
"git"
|
||||
"grafana"
|
||||
|
|
|
@ -3,7 +3,6 @@ let
|
|||
hostName = "kurse.${config.networking.domain}";
|
||||
in
|
||||
{
|
||||
imports = [ ./phil.nix ];
|
||||
sops.secrets =
|
||||
let inherit (config.services.course-management) user;
|
||||
in
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, ... }:
|
||||
let
|
||||
domain = "decisions.${config.networking.domain}";
|
||||
in
|
||||
|
|
30
modules/forgejo/actions.nix
Normal file
30
modules/forgejo/actions.nix
Normal file
|
@ -0,0 +1,30 @@
|
|||
{ config, pkgs, ... }:
|
||||
{
|
||||
sops.secrets."forgejo/runner-token" = { };
|
||||
services.gitea-actions-runner = {
|
||||
package = pkgs.forgejo-actions-runner;
|
||||
instances."quitte" = {
|
||||
enable = true;
|
||||
labels = [
|
||||
# provide a debian base with nodejs for actions
|
||||
"debian-latest:docker://node:18-bullseye"
|
||||
# fake the ubuntu name, because node provides no ubuntu builds
|
||||
"ubuntu-latest:docker://node:18-bullseye"
|
||||
# provide native execution on the host
|
||||
# "native:host"
|
||||
];
|
||||
tokenFile = config.sops.secrets."forgejo/runner-token".path;
|
||||
url = "https://git.ifsr.de";
|
||||
name = "quitte";
|
||||
settings = {
|
||||
container = {
|
||||
# use podman's default network, otherwise dns was not working for some reason
|
||||
network = "podman";
|
||||
# don't mount the docker socket into the build containers,
|
||||
# this would basically mean root on the host...
|
||||
docker_host = "-";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -4,9 +4,9 @@ let
|
|||
gitUser = "git";
|
||||
in
|
||||
{
|
||||
# imports = [
|
||||
# ./actions.nix
|
||||
# ];
|
||||
imports = [
|
||||
./actions.nix
|
||||
];
|
||||
sops.secrets.gitea_ldap_search = {
|
||||
key = "portunus/search-password";
|
||||
owner = config.services.forgejo.user;
|
||||
|
@ -22,17 +22,9 @@ in
|
|||
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
# package = pkgs.forgejo.overrideAttrs (_old: {
|
||||
# # patches = [
|
||||
# # # migration fix
|
||||
# # (pkgs.fetchpatch {
|
||||
# # url = "https://codeberg.org/forgejo/forgejo/commit/ae463c7c559e02975ce5e758d8780def978eebee.patch";
|
||||
# # hash = "sha256-cOXPvkLS0n+ynSBTrmEtumZ2PYBeCZmxPpFktqkw6Fo=";
|
||||
# # })
|
||||
# # ];
|
||||
# });
|
||||
user = gitUser;
|
||||
group = gitUser;
|
||||
package = pkgs.forgejo;
|
||||
lfs.enable = true;
|
||||
|
||||
database = {
|
||||
|
@ -79,6 +71,8 @@ in
|
|||
PROVIDER = "db";
|
||||
};
|
||||
actions.ENABLED = true;
|
||||
# federation.ENABLED = true;
|
||||
webhook.ALLOWED_HOST_LIST = "*.ifsr.de";
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -49,6 +49,7 @@ in
|
|||
# allow anonymous editing, but not creation of pads
|
||||
allowAnonymous = false;
|
||||
allowAnonymousEdits = true;
|
||||
allowAnonymousUploads = false;
|
||||
defaultPermission = "limited";
|
||||
defaultNotePath = builtins.toString template;
|
||||
# ldap auth
|
||||
|
|
|
@ -5,10 +5,10 @@ let
|
|||
in
|
||||
{
|
||||
sops.secrets."kanboard_env" = { };
|
||||
|
||||
|
||||
virtualisation.oci-containers = {
|
||||
containers.kanboard = {
|
||||
image = "ghcr.io/kanboard/kanboard:v1.2.36";
|
||||
image = "ghcr.io/kanboard/kanboard:v1.2.43";
|
||||
volumes = [
|
||||
"kanboard_data:/var/www/app/data"
|
||||
"kanboard_plugins:/var/www/app/plugins"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
let
|
||||
domain = "sso.${config.networking.domain}";
|
||||
in
|
||||
|
@ -12,7 +12,9 @@ in
|
|||
http-port = 8086;
|
||||
https-port = 19000;
|
||||
hostname = domain;
|
||||
proxy = "edge";
|
||||
proxy-headers = "xforwarded";
|
||||
http-enabled = true;
|
||||
hostname-strict-https = false;
|
||||
};
|
||||
# The module requires a password for the DB and works best with its own DB config
|
||||
# Does an automatic Postgresql configuration
|
||||
|
@ -20,6 +22,9 @@ in
|
|||
passwordFile = config.sops.secrets."keycloak/db".path;
|
||||
};
|
||||
initialAdminPassword = "plschangeme";
|
||||
themes = with pkgs ; {
|
||||
ifsr = keycloak_ifsr_theme;
|
||||
};
|
||||
};
|
||||
services.nginx.virtualHosts."${domain}" = {
|
||||
locations."/" = {
|
15
modules/keycloak/theme.nix
Normal file
15
modules/keycloak/theme.nix
Normal file
|
@ -0,0 +1,15 @@
|
|||
{ stdenv }:
|
||||
stdenv.mkDerivation rec {
|
||||
name = "keycloak_ifsr_theme";
|
||||
version = "1.1";
|
||||
|
||||
src = ./theme;
|
||||
|
||||
nativeBuildInputs = [ ];
|
||||
buildInputs = [ ];
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out
|
||||
cp -a login $out
|
||||
'';
|
||||
}
|
772
modules/keycloak/theme/login/resources/css/login.css
Normal file
772
modules/keycloak/theme/login/resources/css/login.css
Normal file
|
@ -0,0 +1,772 @@
|
|||
.login-pf {
|
||||
background: none;
|
||||
}
|
||||
|
||||
.login-pf body {
|
||||
background: url(../img/background.jpg) no-repeat center center fixed;
|
||||
background-size: cover;
|
||||
height: 100%;
|
||||
}
|
||||
|
||||
/*IE compatibility*/
|
||||
.pf-c-form-control {
|
||||
font-size: 14px;
|
||||
font-size: var(--pf-global--FontSize--sm);
|
||||
border-width: 1px;
|
||||
border-width: var(--pf-global--BorderWidth--sm);;
|
||||
border-color: #EDEDED #EDEDED #8A8D90 #EDEDED;
|
||||
border-color: var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--200) var(--pf-global--BorderColor--300);
|
||||
background-color: #FFFFFF;
|
||||
background-color: var(--pf-global--BackgroundColor--100);
|
||||
height: 36px;
|
||||
height: calc(var(--pf-c-form-control--FontSize) * var(--pf-c-form-control--LineHeight) + var(--pf-c-form-control--BorderWidth) * 2 + var(--pf-c-form-control--PaddingTop) + var(--pf-c-form-control--PaddingBottom));
|
||||
padding: 5px 0.5rem;
|
||||
padding: var(--pf-c-form-control--PaddingTop) var(--pf-c-form-control--PaddingRight) var(--pf-c-form-control--PaddingBottom) var(--pf-c-form-control--PaddingLeft);
|
||||
}
|
||||
|
||||
textarea.pf-c-form-control {
|
||||
height: auto;
|
||||
}
|
||||
|
||||
.pf-c-form-control:hover, .pf-c-form-control:focus {
|
||||
border-bottom-color: #0066CC;
|
||||
border-bottom-color: var(--pf-global--primary-color--100);
|
||||
border-bottom-width: 2px;
|
||||
border-bottom-width: var(--pf-global--BorderWidth--md);
|
||||
}
|
||||
|
||||
.pf-c-form-control[aria-invalid=true] {
|
||||
border-bottom-color: #C9190B;
|
||||
border-bottom-color: var(--pf-global--danger-color--100);
|
||||
border-bottom-width: 2px;
|
||||
border-bottom-width: var(--pf-global--BorderWidth--md);
|
||||
}
|
||||
|
||||
.pf-c-check__label, .pf-c-radio__label {
|
||||
font-size: 14px;
|
||||
font-size: var(--pf-global--FontSize--sm);
|
||||
}
|
||||
|
||||
.pf-c-alert.pf-m-inline {
|
||||
margin-bottom: 0.5rem; /* default - IE compatibility */
|
||||
margin-bottom: var(--pf-global--spacer--sm);
|
||||
padding: 0.25rem;
|
||||
padding: var(--pf-global--spacer--xs);
|
||||
border: solid #ededed;
|
||||
border: solid var(--pf-global--BorderColor--300);
|
||||
border-width: 1px;
|
||||
border-width: var(--pf-c-alert--m-inline--BorderTopWidth) var(--pf-c-alert--m-inline--BorderRightWidth) var(--pf-c-alert--m-inline--BorderBottomWidth) var(--pf-c-alert--m-inline--BorderLeftWidth);
|
||||
display: -ms-flexbox;
|
||||
display: grid;
|
||||
-ms-grid-columns: max-content 1fr max-content;
|
||||
grid-template-columns:max-content 1fr max-content;
|
||||
grid-template-columns: var(--pf-c-alert--grid-template-columns);
|
||||
grid-template-rows: 1fr auto;
|
||||
grid-template-rows: var(--pf-c-alert--grid-template-rows);
|
||||
}
|
||||
|
||||
.pf-c-alert.pf-m-inline::before {
|
||||
position: absolute;
|
||||
top: -1px;
|
||||
top: var(--pf-c-alert--m-inline--before--Top);
|
||||
bottom: -1px;
|
||||
bottom: var(--pf-c-alert--m-inline--before--Bottom);
|
||||
left: 0;
|
||||
width: 3px;
|
||||
width: var(--pf-c-alert--m-inline--before--Width);
|
||||
content: ;
|
||||
background-color: #FFFFFF;
|
||||
background-color: var(--pf-global--BackgroundColor--100);
|
||||
}
|
||||
|
||||
.pf-c-alert.pf-m-inline.pf-m-success::before {
|
||||
background-color: #92D400;
|
||||
background-color: var(--pf-global--success-color--100);
|
||||
}
|
||||
|
||||
.pf-c-alert.pf-m-inline.pf-m-danger::before {
|
||||
background-color: #C9190B;
|
||||
background-color: var(--pf-global--danger-color--100);
|
||||
}
|
||||
|
||||
.pf-c-alert.pf-m-inline.pf-m-warning::before {
|
||||
background-color: #F0AB00;
|
||||
background-color: var(--pf-global--warning-color--100);
|
||||
}
|
||||
|
||||
.pf-c-alert.pf-m-inline .pf-c-alert__icon {
|
||||
padding: 1rem 0.5rem 1rem 1rem;
|
||||
padding: var(--pf-c-alert--m-inline__icon--PaddingTop) var(--pf-c-alert--m-inline__icon--PaddingRight) var(--pf-c-alert--m-inline__icon--PaddingBottom) var(--pf-c-alert--m-inline__icon--PaddingLeft);
|
||||
font-size: 16px;
|
||||
font-size: var(--pf-c-alert--m-inline__icon--FontSize);
|
||||
}
|
||||
|
||||
.pf-c-alert.pf-m-success .pf-c-alert__icon {
|
||||
color: #92D400;
|
||||
color: var(--pf-global--success-color--100);
|
||||
}
|
||||
|
||||
.pf-c-alert.pf-m-success .pf-c-alert__title {
|
||||
color: #486B00;
|
||||
color: var(--pf-global--success-color--200);
|
||||
}
|
||||
|
||||
.pf-c-alert.pf-m-danger .pf-c-alert__icon {
|
||||
color: #C9190B;
|
||||
color: var(--pf-global--danger-color--100);
|
||||
}
|
||||
|
||||
.pf-c-alert.pf-m-danger .pf-c-alert__title {
|
||||
color: #A30000;
|
||||
color: var(--pf-global--danger-color--200);
|
||||
}
|
||||
|
||||
.pf-c-alert.pf-m-warning .pf-c-alert__icon {
|
||||
color: #F0AB00;
|
||||
color: var(--pf-global--warning-color--100);
|
||||
}
|
||||
|
||||
.pf-c-alert.pf-m-warning .pf-c-alert__title {
|
||||
color: #795600;
|
||||
color: var(--pf-global--warning-color--200);
|
||||
}
|
||||
|
||||
.pf-c-alert__title {
|
||||
font-size: 14px; /* default - IE compatibility */
|
||||
font-size: var(--pf-global--FontSize--sm);
|
||||
padding: 5px 8px;
|
||||
padding: var(--pf-c-alert__title--PaddingTop) var(--pf-c-alert__title--PaddingRight) var(--pf-c-alert__title--PaddingBottom) var(--pf-c-alert__title--PaddingLeft);
|
||||
}
|
||||
|
||||
.pf-c-button{
|
||||
padding:0.375rem 1rem;
|
||||
padding: var(--pf-global--spacer--form-element) var(--pf-global--spacer--md);
|
||||
}
|
||||
|
||||
/* default - IE compatibility */
|
||||
.pf-m-primary {
|
||||
color: #FFFFFF;
|
||||
background-color: #0066CC;
|
||||
background-color: var(--pf-global--primary-color--100);
|
||||
}
|
||||
|
||||
/* default - IE compatibility */
|
||||
.pf-m-primary:hover {
|
||||
background-color: #004080;
|
||||
background-color: var(--pf-global--primary-color--200);
|
||||
}
|
||||
|
||||
/* default - IE compatibility */
|
||||
.pf-c-button.pf-m-control {
|
||||
border: solid 1px;
|
||||
border: solid var(--pf-global--BorderWidth--sm);
|
||||
border-color: rgba(230, 230, 230, 0.5);
|
||||
}
|
||||
/*End of IE compatibility*/
|
||||
h1#kc-page-title {
|
||||
margin-top: 10px;
|
||||
}
|
||||
|
||||
#kc-locale ul {
|
||||
background-color: #FFF;
|
||||
background-color: var(--pf-global--BackgroundColor--100);
|
||||
display: none;
|
||||
top: 20px;
|
||||
min-width: 100px;
|
||||
padding: 0;
|
||||
}
|
||||
|
||||
#kc-locale-dropdown{
|
||||
display: inline-block;
|
||||
}
|
||||
|
||||
#kc-locale-dropdown:hover ul {
|
||||
display:block;
|
||||
}
|
||||
|
||||
/* IE compatibility */
|
||||
#kc-locale-dropdown a {
|
||||
color: #6A6E73;
|
||||
color: var(--pf-global--Color--200);
|
||||
text-align: right;
|
||||
font-size: 14px;
|
||||
font-size: var(--pf-global--FontSize--sm);
|
||||
}
|
||||
|
||||
/* IE compatibility */
|
||||
a#kc-current-locale-link::after {
|
||||
content: 2c5;
|
||||
margin-left: 4px;
|
||||
margin-left: var(--pf-global--spacer--xs)
|
||||
}
|
||||
|
||||
.login-pf .container {
|
||||
padding-top: 40px;
|
||||
}
|
||||
|
||||
.login-pf a:hover {
|
||||
color: #0099d3;
|
||||
}
|
||||
|
||||
#kc-logo {
|
||||
width: 100%;
|
||||
}
|
||||
|
||||
div.kc-logo-text {
|
||||
background-image: url(../img/agdsn_logo.png);
|
||||
background-repeat: no-repeat;
|
||||
background-size: auto;
|
||||
position: relative;
|
||||
top: 0%;
|
||||
left: 25%;
|
||||
width: 950px;
|
||||
height: 250px;
|
||||
|
||||
|
||||
}
|
||||
|
||||
div.kc-logo-text span {
|
||||
display: none;
|
||||
}
|
||||
|
||||
#kc-header {
|
||||
color: #ededed;
|
||||
overflow: visible;
|
||||
white-space: nowrap;
|
||||
}
|
||||
|
||||
#kc-header-wrapper {
|
||||
font-size: 29px;
|
||||
text-transform: uppercase;
|
||||
letter-spacing: 3px;
|
||||
line-height: 1.2em;
|
||||
padding: 62px 10px 20px;
|
||||
white-space: normal;
|
||||
}
|
||||
|
||||
#kc-content {
|
||||
width: 100%;
|
||||
}
|
||||
|
||||
#kc-attempted-username {
|
||||
font-size: 20px;
|
||||
font-family: inherit;
|
||||
font-weight: normal;
|
||||
padding-right: 10px;
|
||||
}
|
||||
|
||||
#kc-username {
|
||||
text-align: center;
|
||||
margin-bottom:-10px;
|
||||
}
|
||||
|
||||
#kc-webauthn-settings-form {
|
||||
padding-top: 8px;
|
||||
}
|
||||
|
||||
#kc-form-webauthn .select-auth-box-parent {
|
||||
pointer-events: none;
|
||||
}
|
||||
|
||||
#kc-form-webauthn .select-auth-box-desc {
|
||||
color: var(--pf-global--palette--black-600);
|
||||
}
|
||||
|
||||
#kc-form-webauthn .select-auth-box-headline {
|
||||
color: var(--pf-global--Color--300);
|
||||
}
|
||||
|
||||
#kc-form-webauthn .select-auth-box-icon {
|
||||
flex: 0 0 3em;
|
||||
}
|
||||
|
||||
#kc-form-webauthn .select-auth-box-icon-properties {
|
||||
margin-top: 10px;
|
||||
font-size: 1.8em;
|
||||
}
|
||||
|
||||
#kc-form-webauthn .select-auth-box-icon-properties.unknown-transport-class {
|
||||
margin-top: 3px;
|
||||
}
|
||||
|
||||
#kc-form-webauthn .pf-l-stack__item {
|
||||
margin: -1px 0;
|
||||
}
|
||||
|
||||
#kc-content-wrapper {
|
||||
margin-top: 20px;
|
||||
}
|
||||
|
||||
#kc-form-wrapper {
|
||||
margin-top: 10px;
|
||||
}
|
||||
|
||||
#kc-info {
|
||||
margin: 20px -40px -30px;
|
||||
}
|
||||
|
||||
#kc-info-wrapper {
|
||||
font-size: 13px;
|
||||
padding: 15px 35px;
|
||||
background-color: #F0F0F0;
|
||||
}
|
||||
|
||||
#kc-form-options span {
|
||||
display: block;
|
||||
}
|
||||
|
||||
#kc-form-options .checkbox {
|
||||
margin-top: 0;
|
||||
color: #72767b;
|
||||
}
|
||||
|
||||
#kc-terms-text {
|
||||
margin-bottom: 20px;
|
||||
}
|
||||
|
||||
#kc-registration {
|
||||
margin-bottom: 0;
|
||||
}
|
||||
|
||||
/* TOTP */
|
||||
|
||||
.subtitle {
|
||||
text-align: right;
|
||||
margin-top: 30px;
|
||||
color: #909090;
|
||||
}
|
||||
|
||||
.required {
|
||||
color: #A30000; /* default - IE compatibility */
|
||||
color: var(--pf-global--danger-color--200);
|
||||
}
|
||||
|
||||
ol#kc-totp-settings {
|
||||
margin: 0;
|
||||
padding-left: 20px;
|
||||
}
|
||||
|
||||
ul#kc-totp-supported-apps {
|
||||
margin-bottom: 10px;
|
||||
}
|
||||
|
||||
#kc-totp-secret-qr-code {
|
||||
max-width:150px;
|
||||
max-height:150px;
|
||||
}
|
||||
|
||||
#kc-totp-secret-key {
|
||||
background-color: #fff;
|
||||
color: #333333;
|
||||
font-size: 16px;
|
||||
padding: 10px 0;
|
||||
}
|
||||
|
||||
/* OAuth */
|
||||
|
||||
#kc-oauth h3 {
|
||||
margin-top: 0;
|
||||
}
|
||||
|
||||
#kc-oauth ul {
|
||||
list-style: none;
|
||||
padding: 0;
|
||||
margin: 0;
|
||||
}
|
||||
|
||||
#kc-oauth ul li {
|
||||
border-top: 1px solid rgba(255, 255, 255, 0.1);
|
||||
font-size: 12px;
|
||||
padding: 10px 0;
|
||||
}
|
||||
|
||||
#kc-oauth ul li:first-of-type {
|
||||
border-top: 0;
|
||||
}
|
||||
|
||||
#kc-oauth .kc-role {
|
||||
display: inline-block;
|
||||
width: 50%;
|
||||
}
|
||||
|
||||
/* Code */
|
||||
#kc-code textarea {
|
||||
width: 100%;
|
||||
height: 8em;
|
||||
}
|
||||
|
||||
/* Social */
|
||||
.kc-social-links {
|
||||
margin-top: 20px;
|
||||
}
|
||||
|
||||
.kc-social-provider-logo {
|
||||
font-size: 23px;
|
||||
width: 30px;
|
||||
height: 25px;
|
||||
float: left;
|
||||
}
|
||||
|
||||
.kc-social-gray {
|
||||
color: #737679; /* default - IE compatibility */
|
||||
color: var(--pf-global--Color--200);
|
||||
}
|
||||
|
||||
.kc-social-item {
|
||||
margin-bottom: 0.5rem; /* default - IE compatibility */
|
||||
margin-bottom: var(--pf-global--spacer--sm);
|
||||
font-size: 15px;
|
||||
text-align: center;
|
||||
}
|
||||
|
||||
.kc-social-provider-name {
|
||||
position: relative;
|
||||
top: 3px;
|
||||
}
|
||||
|
||||
.kc-social-icon-text {
|
||||
left: -15px;
|
||||
}
|
||||
|
||||
.kc-social-grid {
|
||||
display:grid;
|
||||
grid-column-gap: 10px;
|
||||
grid-row-gap: 5px;
|
||||
grid-column-end: span 6;
|
||||
--pf-l-grid__item--GridColumnEnd: span 6;
|
||||
}
|
||||
|
||||
.kc-social-grid .kc-social-icon-text {
|
||||
left: -10px;
|
||||
}
|
||||
|
||||
.kc-login-tooltip {
|
||||
position: relative;
|
||||
display: inline-block;
|
||||
}
|
||||
|
||||
.kc-social-section {
|
||||
text-align: center;
|
||||
}
|
||||
|
||||
.kc-social-section hr{
|
||||
margin-bottom: 10px
|
||||
}
|
||||
|
||||
.kc-login-tooltip .kc-tooltip-text{
|
||||
top:-3px;
|
||||
left:160%;
|
||||
background-color: black;
|
||||
visibility: hidden;
|
||||
color: #fff;
|
||||
|
||||
min-width:130px;
|
||||
text-align: center;
|
||||
border-radius: 2px;
|
||||
box-shadow:0 1px 8px rgba(0,0,0,0.6);
|
||||
padding: 5px;
|
||||
|
||||
position: absolute;
|
||||
opacity:0;
|
||||
transition:opacity 0.5s;
|
||||
}
|
||||
|
||||
/* Show tooltip */
|
||||
.kc-login-tooltip:hover .kc-tooltip-text {
|
||||
visibility: visible;
|
||||
opacity:0.7;
|
||||
}
|
||||
|
||||
/* Arrow for tooltip */
|
||||
.kc-login-tooltip .kc-tooltip-text::after {
|
||||
content: ;
|
||||
position: absolute;
|
||||
top: 15px;
|
||||
right: 100%;
|
||||
margin-top: -5px;
|
||||
border-width: 5px;
|
||||
border-style: solid;
|
||||
border-color: transparent black transparent transparent;
|
||||
}
|
||||
|
||||
@media (min-width: 768px) {
|
||||
#kc-container-wrapper {
|
||||
position: absolute;
|
||||
width: 100%;
|
||||
}
|
||||
|
||||
.login-pf .container {
|
||||
padding-right: 80px;
|
||||
}
|
||||
|
||||
#kc-locale {
|
||||
position: relative;
|
||||
text-align: right;
|
||||
z-index: 9999;
|
||||
}
|
||||
}
|
||||
|
||||
@media (max-width: 767px) {
|
||||
|
||||
.login-pf body {
|
||||
background: white;
|
||||
}
|
||||
|
||||
#kc-header {
|
||||
padding-left: 15px;
|
||||
padding-right: 15px;
|
||||
float: none;
|
||||
text-align: left;
|
||||
}
|
||||
|
||||
#kc-header-wrapper {
|
||||
font-size: 16px;
|
||||
font-weight: bold;
|
||||
padding: 20px 60px 0 0;
|
||||
color: #72767b;
|
||||
letter-spacing: 0;
|
||||
}
|
||||
|
||||
div.kc-logo-text {
|
||||
margin: 0;
|
||||
width: 150px;
|
||||
height: 32px;
|
||||
background-size: 100%;
|
||||
}
|
||||
|
||||
#kc-form {
|
||||
float: none;
|
||||
}
|
||||
|
||||
#kc-info-wrapper {
|
||||
border-top: 1px solid rgba(255, 255, 255, 0.1);
|
||||
background-color: transparent;
|
||||
}
|
||||
|
||||
.login-pf .container {
|
||||
padding-top: 15px;
|
||||
padding-bottom: 15px;
|
||||
}
|
||||
|
||||
#kc-locale {
|
||||
position: absolute;
|
||||
width: 200px;
|
||||
top: 20px;
|
||||
right: 20px;
|
||||
text-align: right;
|
||||
z-index: 9999;
|
||||
}
|
||||
}
|
||||
|
||||
@media (min-height: 646px) {
|
||||
#kc-container-wrapper {
|
||||
bottom: 12%;
|
||||
}
|
||||
}
|
||||
|
||||
@media (max-height: 645px) {
|
||||
#kc-container-wrapper {
|
||||
padding-top: 50px;
|
||||
top: 20%;
|
||||
}
|
||||
}
|
||||
|
||||
.card-pf form.form-actions .btn {
|
||||
float: right;
|
||||
margin-left: 10px;
|
||||
}
|
||||
|
||||
#kc-form-buttons {
|
||||
margin-top: 20px;
|
||||
}
|
||||
|
||||
.login-pf-page .login-pf-brand {
|
||||
margin-top: 20px;
|
||||
max-width: 360px;
|
||||
width: 40%;
|
||||
}
|
||||
|
||||
/* Internet Explorer 11 compatibility workaround for select-authenticator screen */
|
||||
@media all and (-ms-high-contrast: none),
|
||||
(-ms-high-contrast: active) {
|
||||
.select-auth-box-parent {
|
||||
border-top: 1px solid #f0f0f0;
|
||||
padding-top: 1rem;
|
||||
padding-bottom: 1rem;
|
||||
cursor: pointer;
|
||||
}
|
||||
|
||||
.select-auth-box-headline {
|
||||
font-size: 16px;
|
||||
color: #06c;
|
||||
font-weight: bold;
|
||||
}
|
||||
|
||||
.select-auth-box-desc {
|
||||
font-size: 14px;
|
||||
}
|
||||
|
||||
.pf-l-stack {
|
||||
flex-basis: 100%;
|
||||
}
|
||||
}
|
||||
/* End of IE11 workaround for select-authenticator screen */
|
||||
|
||||
.select-auth-box-arrow{
|
||||
display: flex;
|
||||
align-items: center;
|
||||
margin-right: 2rem;
|
||||
}
|
||||
|
||||
.select-auth-box-icon{
|
||||
display: flex;
|
||||
flex: 0 0 2em;
|
||||
justify-content: center;
|
||||
margin-right: 1rem;
|
||||
margin-left: 3rem;
|
||||
}
|
||||
|
||||
.select-auth-box-parent{
|
||||
border-top: 1px solid var(--pf-global--palette--black-200);
|
||||
padding-top: 1rem;
|
||||
padding-bottom: 1rem;
|
||||
cursor: pointer;
|
||||
}
|
||||
|
||||
.select-auth-box-parent:hover{
|
||||
background-color: #f7f8f8;
|
||||
}
|
||||
|
||||
.select-auth-container {
|
||||
}
|
||||
|
||||
.select-auth-box-headline {
|
||||
font-size: var(--pf-global--FontSize--md);
|
||||
color: var(--pf-global--primary-color--100);
|
||||
font-weight: bold;
|
||||
}
|
||||
|
||||
.select-auth-box-desc {
|
||||
font-size: var(--pf-global--FontSize--sm);
|
||||
}
|
||||
|
||||
.select-auth-box-paragraph {
|
||||
text-align: center;
|
||||
font-size: var(--pf-global--FontSize--md);
|
||||
margin-bottom: 5px;
|
||||
}
|
||||
|
||||
.card-pf {
|
||||
margin: 0 auto;
|
||||
box-shadow: var(--pf-global--BoxShadow--lg);
|
||||
padding: 0 20px;
|
||||
max-width: 500px;
|
||||
border-top: 4px solid;
|
||||
border-color: #0066CC; /* default - IE compatibility */
|
||||
border-color: var(--pf-global--primary-color--100);
|
||||
}
|
||||
|
||||
/*phone*/
|
||||
@media (max-width: 767px) {
|
||||
.login-pf-page .card-pf {
|
||||
max-width: none;
|
||||
margin-left: 0;
|
||||
margin-right: 0;
|
||||
padding-top: 0;
|
||||
border-top: 0;
|
||||
box-shadow: 0 0;
|
||||
}
|
||||
|
||||
.kc-social-grid {
|
||||
grid-column-end: 12;
|
||||
--pf-l-grid__item--GridColumnEnd: span 12;
|
||||
}
|
||||
|
||||
.kc-social-grid .kc-social-icon-text {
|
||||
left: -15px;
|
||||
}
|
||||
}
|
||||
|
||||
.login-pf-page .login-pf-signup {
|
||||
font-size: 15px;
|
||||
color: #72767b;
|
||||
}
|
||||
#kc-content-wrapper .row {
|
||||
margin-left: 0;
|
||||
margin-right: 0;
|
||||
}
|
||||
|
||||
.login-pf-page.login-pf-page-accounts {
|
||||
margin-left: auto;
|
||||
margin-right: auto;
|
||||
}
|
||||
|
||||
.login-pf-page .btn-primary {
|
||||
margin-top: 0;
|
||||
}
|
||||
|
||||
.login-pf-page .list-view-pf .list-group-item {
|
||||
border-bottom: 1px solid #ededed;
|
||||
}
|
||||
|
||||
.login-pf-page .list-view-pf-description {
|
||||
width: 100%;
|
||||
}
|
||||
|
||||
#kc-form-login div.form-group:last-of-type,
|
||||
#kc-register-form div.form-group:last-of-type,
|
||||
#kc-update-profile-form div.form-group:last-of-type {
|
||||
margin-bottom: 0px;
|
||||
}
|
||||
|
||||
.no-bottom-margin {
|
||||
margin-bottom: 0;
|
||||
}
|
||||
|
||||
#kc-back {
|
||||
margin-top: 5px;
|
||||
}
|
||||
|
||||
/* Recovery codes */
|
||||
.kc-recovery-codes-warning {
|
||||
margin-bottom: 32px;
|
||||
}
|
||||
.kc-recovery-codes-warning .pf-c-alert__description p {
|
||||
font-size: 0.875rem;
|
||||
}
|
||||
.kc-recovery-codes-list {
|
||||
list-style: none;
|
||||
columns: 2;
|
||||
margin: 16px 0;
|
||||
padding: 16px 16px 8px 16px;
|
||||
border: 1px solid #D2D2D2;
|
||||
}
|
||||
.kc-recovery-codes-list li {
|
||||
margin-bottom: 8px;
|
||||
font-size: 11px;
|
||||
}
|
||||
.kc-recovery-codes-list li span {
|
||||
color: #6A6E73;
|
||||
width: 16px;
|
||||
text-align: right;
|
||||
display: inline-block;
|
||||
margin-right: 1px;
|
||||
}
|
||||
|
||||
.kc-recovery-codes-actions {
|
||||
margin-bottom: 24px;
|
||||
}
|
||||
.kc-recovery-codes-actions button {
|
||||
padding-left: 0;
|
||||
}
|
||||
.kc-recovery-codes-actions button i {
|
||||
margin-right: 8px;
|
||||
}
|
||||
|
||||
.kc-recovery-codes-confirmation {
|
||||
align-items: baseline;
|
||||
margin-bottom: 16px;
|
||||
}
|
||||
/* End Recovery codes */
|
||||
|
||||
|
BIN
modules/keycloak/theme/login/resources/img/background.jpg
Normal file
BIN
modules/keycloak/theme/login/resources/img/background.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.1 MiB |
4
modules/keycloak/theme/login/theme.properties
Normal file
4
modules/keycloak/theme/login/theme.properties
Normal file
|
@ -0,0 +1,4 @@
|
|||
parent=keycloak
|
||||
import=common/keycloak
|
||||
|
||||
styles=css/login.css
|
|
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, system, ... }:
|
||||
{ config, pkgs, ... }:
|
||||
let
|
||||
domain = "auth.${config.networking.domain}";
|
||||
seedSettings = {
|
||||
|
@ -84,7 +84,7 @@ in
|
|||
};
|
||||
networking.firewall = {
|
||||
extraInputRules = ''
|
||||
ip saddr { 141.30.86.192/26, 141.76.100.128/25, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
|
||||
ip saddr { 141.30.86.192/26, 141.76.100.128/25, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
|
|
@ -44,11 +44,9 @@ in
|
|||
# hostname used in helo command. It is recommended to have this match the reverse dns entry
|
||||
smtp_helo_name = config.networking.rDNS;
|
||||
smtpd_banner = "${config.networking.rDNS} ESMTP $mail_name";
|
||||
smtp_use_tls = true;
|
||||
# smtp_tls_security_level = "encrypt";
|
||||
smtpd_use_tls = true;
|
||||
# smtpd_tls_security_level = lib.mkForce "encrypt";
|
||||
# smtpd_tls_auth_only = true;
|
||||
smtp_tls_security_level = "may";
|
||||
smtpd_tls_security_level = "may";
|
||||
smtpd_tls_auth_only = true;
|
||||
smtpd_tls_protocols = [
|
||||
"!SSLv2"
|
||||
"!SSLv3"
|
||||
|
|
|
@ -141,22 +141,26 @@ in
|
|||
filter = "email:domain";
|
||||
map = "/var/lib/rspamd/whitelist.sender.domain.map";
|
||||
action = "accept";
|
||||
regexp = true;
|
||||
}
|
||||
WHITELIST_SENDER_EMAIL {
|
||||
type = "from";
|
||||
map = "/var/lib/rspamd/whitelist.sender.email.map";
|
||||
action = "accept";
|
||||
regexp = true;
|
||||
}
|
||||
BLACKLIST_SENDER_DOMAIN {
|
||||
type = "from";
|
||||
filter = "email:domain";
|
||||
map = "/var/lib/rspamd/blacklist.sender.domain.map";
|
||||
action = "reject";
|
||||
regexp = true;
|
||||
}
|
||||
BLACKLIST_SENDER_EMAIL {
|
||||
type = "from";
|
||||
map = "/var/lib/rspamd/blacklist.sender.email.map";
|
||||
action = "reject";
|
||||
regexp = true;
|
||||
}
|
||||
BLACKLIST_SUBJECT_KEYWORDS {
|
||||
type = "header";
|
||||
|
@ -189,6 +193,11 @@ in
|
|||
"/" = {
|
||||
proxyPass = "http://127.0.0.1:11334";
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
allow 141.30.0.0/16;
|
||||
allow 141.76.0.0/16;
|
||||
deny all;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -27,6 +27,9 @@ in
|
|||
key = "portunus/search-password";
|
||||
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
|
||||
};
|
||||
nixpkgs.config.permittedInsecurePackages = [
|
||||
"olm-3.2.16"
|
||||
];
|
||||
|
||||
services = {
|
||||
postgresql = {
|
||||
|
|
|
@ -37,12 +37,8 @@ in
|
|||
token_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/token";
|
||||
api_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/userinfo";
|
||||
role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
|
@ -65,10 +61,6 @@ in
|
|||
enabledCollectors = [ "systemd" ];
|
||||
port = 9002;
|
||||
};
|
||||
postfix = {
|
||||
enable = true;
|
||||
port = 9003;
|
||||
};
|
||||
};
|
||||
scrapeConfigs = [
|
||||
{
|
||||
|
@ -78,13 +70,6 @@ in
|
|||
}];
|
||||
scrape_interval = "15s";
|
||||
}
|
||||
{
|
||||
job_name = "postfix";
|
||||
static_configs = [{
|
||||
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postfix.port}" ];
|
||||
}];
|
||||
# scrape_interval = "60s";
|
||||
}
|
||||
{
|
||||
job_name = "rspamd";
|
||||
static_configs = [{
|
||||
|
@ -92,6 +77,13 @@ in
|
|||
}];
|
||||
scrape_interval = "15s";
|
||||
}
|
||||
{
|
||||
job_name = "fabric";
|
||||
static_configs = [{
|
||||
targets = [ "127.0.0.1:25585" ];
|
||||
}];
|
||||
scrape_interval = "60s";
|
||||
}
|
||||
];
|
||||
};
|
||||
|
|
@ -15,7 +15,7 @@ in
|
|||
nextcloud = {
|
||||
enable = true;
|
||||
configureRedis = true;
|
||||
package = pkgs.nextcloud29;
|
||||
package = pkgs.nextcloud30;
|
||||
hostName = domain;
|
||||
https = true; # Use https for all urls
|
||||
phpExtraExtensions = all: [
|
||||
|
|
|
@ -43,6 +43,7 @@ in
|
|||
'';
|
||||
};
|
||||
"/vendor".return = "403";
|
||||
"/.git".return = "403";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -11,5 +11,6 @@
|
|||
./sharepic.nix
|
||||
./userdir.nix
|
||||
./ftp.nix
|
||||
./hyperilo.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -1,80 +1,33 @@
|
|||
{ config, pkgs, ... }:
|
||||
let
|
||||
domain = "ese.${config.networking.domain}";
|
||||
cms-domain = "directus-ese.${config.networking.domain}";
|
||||
webRoot = "/srv/web/ese";
|
||||
in
|
||||
{
|
||||
sops.secrets."directus_env" = { };
|
||||
environment.systemPackages = [ pkgs.nodejs_22 ];
|
||||
virtualisation.oci-containers = {
|
||||
containers.directus-ese = {
|
||||
image = "directus/directus:latest";
|
||||
volumes = [
|
||||
"/srv/web/directus-ese/uploads:/directus/uploads"
|
||||
"/srv/web/directus-ese/database:/directus/database"
|
||||
];
|
||||
extraOptions = [ "--network=host" ];
|
||||
environment = {
|
||||
"DB_CLIENT" = "pg";
|
||||
"DB_HOST" = "localhost";
|
||||
"DB_PORT" = "5432";
|
||||
"DB_DATABASE" = "directus_ese";
|
||||
"DB_USER" = "directus_ese";
|
||||
"PUBLIC_URL" = "https://directus-ese.ifsr.de";
|
||||
"AUTH_PROVIDERS" = "keycloak";
|
||||
"AUTH_KEYCLOAK_DRIVER" = "openid";
|
||||
"AUTH_KEYCLOAK_CLIENT_ID" = "directus-ese";
|
||||
"AUTH_KEYCLOAK_ISSUER_URL" = "https://sso.ifsr.de/realms/internal/.well-known/openid-configuration";
|
||||
"AUTH_KEYCLOAK_IDENTIFIER_KEY" = "email";
|
||||
"AUTH_KEYCLOAK_ALLOW_PUBLIC_REGISTRATION" = "true";
|
||||
"AUTH_KEYCLOAK_DEFAULT_ROLE_ID" = "a6b7a1b6-a6fa-442c-87fd-e37c2a16424b";
|
||||
};
|
||||
environmentFiles = [
|
||||
config.sops.secrets."directus_env".path
|
||||
];
|
||||
|
||||
};
|
||||
};
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "directus_ese";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
ensureDatabases = [ "directus_ese" ];
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
virtualHosts."${cms-domain}" = {
|
||||
locations."/" = {
|
||||
extraConfig = ''
|
||||
if ($request_method = 'OPTIONS') {
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
|
||||
add_header 'Access-Control-Max-Age' 1728000;
|
||||
add_header 'Content-Type' 'text/plain; charset=utf-8';
|
||||
add_header 'Content-Length' 0;
|
||||
return 204;
|
||||
}
|
||||
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
|
||||
'';
|
||||
proxyPass = "http://127.0.0.1:8055";
|
||||
};
|
||||
};
|
||||
virtualHosts."${domain}" = {
|
||||
locations."= /" = {
|
||||
return = "301 /2024/";
|
||||
return = "302 /2025/";
|
||||
};
|
||||
locations."/" = {
|
||||
root = "/srv/web/ese/served";
|
||||
root = webRoot;
|
||||
tryFiles = "$uri $uri/ =404";
|
||||
};
|
||||
# cache static assets
|
||||
locations."~* \.(?:css|svg|webp|jpg|jpeg|gif|png|ico|mp4|mp3|ogg|ogv|webm|ttf|woff2|woff)$" = {
|
||||
root = webRoot;
|
||||
extraConfig = ''
|
||||
expires 1y;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
users.users."ese-deploy" = {
|
||||
isNormalUser = true;
|
||||
openssh.authorizedKeys.keys = [
|
||||
''command="${pkgs.rrsync}/bin/rrsync ${webRoot}",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWGdTdobZN2oSLsTQmHOahdc9vqyuwUBS0PSk5IQhGV''
|
||||
];
|
||||
};
|
||||
|
||||
}
|
||||
|
|
|
@ -22,15 +22,137 @@ in
|
|||
'';
|
||||
locations."=/403.html" = {
|
||||
root = pkgs.writeTextDir "403.html" ''
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<title>403 Forbidden</title>
|
||||
</head>
|
||||
<body>
|
||||
<center><h1>403 Forbidden</h1></center>
|
||||
<center>Dieser Ordner ist nur aus dem Uni-Netz zugänglich.</center>
|
||||
<center>This directory is only accessible from the TUD network.</center>
|
||||
</body>
|
||||
<head>
|
||||
<meta charset="UTF-8">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||||
<title>403 Forbidden - iFSR</title>
|
||||
<style>
|
||||
body {
|
||||
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
|
||||
background-color: #f8f9fa;
|
||||
margin: 0;
|
||||
padding: 1rem;
|
||||
min-height: 100vh;
|
||||
display: flex;
|
||||
align-items: center;
|
||||
justify-content: center;
|
||||
}
|
||||
.container {
|
||||
background: white;
|
||||
padding: 2rem;
|
||||
border-radius: 12px;
|
||||
box-shadow: 0 2px 15px rgba(0, 0, 0, 0.1);
|
||||
text-align: center;
|
||||
max-width: 600px;
|
||||
width: 100%;
|
||||
}
|
||||
.error-code {
|
||||
font-size: 3.5rem;
|
||||
font-weight: bold;
|
||||
color: #dc3545;
|
||||
margin: 0;
|
||||
line-height: 1;
|
||||
}
|
||||
.error-title {
|
||||
font-size: 1.5rem;
|
||||
color: #343a40;
|
||||
margin: 1rem 0;
|
||||
}
|
||||
.error-message {
|
||||
color: #495057;
|
||||
margin: 1rem 0;
|
||||
line-height: 1.6;
|
||||
}
|
||||
.language-section {
|
||||
padding: 1.5rem;
|
||||
margin: 1rem 0;
|
||||
background: #f8f9fa;
|
||||
border-radius: 8px;
|
||||
text-align: left;
|
||||
}
|
||||
.language-header {
|
||||
display: flex;
|
||||
align-items: center;
|
||||
gap: 0.5rem;
|
||||
font-weight: bold;
|
||||
margin-bottom: 1rem;
|
||||
color: #343a40;
|
||||
}
|
||||
.help-list {
|
||||
margin: 0;
|
||||
padding-left: 1.2rem;
|
||||
list-style-type: none;
|
||||
}
|
||||
.help-list li {
|
||||
margin: 0.5rem 0;
|
||||
position: relative;
|
||||
}
|
||||
.help-list li:before {
|
||||
content: "•";
|
||||
position: absolute;
|
||||
left: -1.2rem;
|
||||
color: #6c757d;
|
||||
}
|
||||
.logo {
|
||||
width: 180px;
|
||||
height: auto;
|
||||
margin-bottom: 1.5rem;
|
||||
}
|
||||
@media (max-width: 480px) {
|
||||
.container {
|
||||
padding: 1.5rem;
|
||||
}
|
||||
.language-section {
|
||||
padding: 1rem;
|
||||
margin: 0.5rem 0;
|
||||
}
|
||||
.error-code {
|
||||
font-size: 3rem;
|
||||
}
|
||||
.error-title {
|
||||
font-size: 1.25rem;
|
||||
}
|
||||
.logo {
|
||||
width: 150px;
|
||||
}
|
||||
}
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<div class="container">
|
||||
<img src="https://ifsr.de/user/themes/ifsr/images/logo.svg" alt="iFSR Logo" class="logo">
|
||||
<h1 class="error-code">403</h1>
|
||||
<h2 class="error-title">Zugriff verweigert / Access Forbidden</h2>
|
||||
|
||||
<div class="language-section">
|
||||
<div class="language-header">
|
||||
🇩🇪 Deutsch
|
||||
</div>
|
||||
<p class="error-message">
|
||||
Dieser Ordner ist nur aus dem Uni-Netz zugänglich.
|
||||
</p>
|
||||
<ul class="help-list">
|
||||
<li>Stellen Sie sicher, dass Sie mit dem TUD-Netzwerk verbunden sind</li>
|
||||
<li>Oder wählen Sie sich über VPN ein</li>
|
||||
</ul>
|
||||
</div>
|
||||
|
||||
<div class="language-section">
|
||||
<div class="language-header">
|
||||
🇬🇧 English
|
||||
</div>
|
||||
<p class="error-message">
|
||||
This directory is only accessible from the TUD network.
|
||||
</p>
|
||||
<ul class="help-list">
|
||||
<li>Make sure you are connected to the TUD network</li>
|
||||
<li>Or connect via VPN</li>
|
||||
</ul>
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
'';
|
||||
};
|
||||
|
|
34
modules/web/hyperilo.nix
Normal file
34
modules/web/hyperilo.nix
Normal file
|
@ -0,0 +1,34 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
# provide access to iLO of colocated server
|
||||
# in case of questions, contact @bennofs
|
||||
services.nginx.virtualHosts."hyperilo.deutschland.gmbh" = {
|
||||
forceSSL = true;
|
||||
locations."/".proxyPass = "https://192.168.0.120:443";
|
||||
locations."/".basicAuthFile = "/run/secrets/hyperilo_htaccess";
|
||||
locations."/".extraConfig = ''
|
||||
proxy_ssl_verify off;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade_capitalized;
|
||||
'';
|
||||
};
|
||||
|
||||
# HP iLO requires uppercase Upgrade, not lowercase "upgrade"
|
||||
services.nginx.commonHttpConfig = ''
|
||||
map $http_upgrade $connection_upgrade_capitalized {
|
||||
default Upgrade;
|
||||
''' close;
|
||||
}
|
||||
'';
|
||||
|
||||
systemd.network.networks."20-hyperilo" = {
|
||||
matchConfig.Name = "eno8303";
|
||||
address = [ "192.168.0.1/24" ];
|
||||
networkConfig.LLDP = true;
|
||||
networkConfig.EmitLLDP = "nearest-bridge";
|
||||
};
|
||||
|
||||
sops.secrets."hyperilo_htaccess".owner = "nginx";
|
||||
}
|
|
@ -64,7 +64,8 @@ in
|
|||
# https://www.mediawiki.org/wiki/Extension:PluggableAuth
|
||||
# https://www.mediawiki.org/wiki/Extension:OpenID_Connect
|
||||
$wgOpenIDConnect_MigrateUsersByEmail = true;
|
||||
$wgPluggableAuth_EnableLocalLogin = true;
|
||||
//$wgOpenIDConnect_MigrateUsersByUserName = true;
|
||||
$wgPluggableAuth_EnableLocalLogin = false;
|
||||
$wgPluggableAuth_Config["iFSR Login"] = [
|
||||
"plugin" => "OpenIDConnect",
|
||||
"data" => [
|
||||
|
@ -76,21 +77,18 @@ in
|
|||
'';
|
||||
|
||||
extensions = {
|
||||
# some extensions are included and can enabled by passing null
|
||||
VisualEditor = null;
|
||||
# the dir in the mediawiki-1.42.3.tar.gz inside of the extension folder is called "SyntaxHighlight_GeSHi" not "SyntaxHighlight"
|
||||
SyntaxHighlight_GeSHi = null;
|
||||
|
||||
PluggableAuth = pkgs.fetchzip {
|
||||
url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_40-3689731.tar.gz";
|
||||
hash = "sha256-BMA0qV+x+iQt/P9tbl9csEUni9jiQcBtZeuwdjx2QPk=";
|
||||
url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_42-1da98f4.tar.gz";
|
||||
hash = "sha256-5uBUy7lrr86ApASYPWgF6Wa09mxxP0o+lXLt1gVswlA=";
|
||||
};
|
||||
OpenIDConnect = pkgs.fetchzip {
|
||||
url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_40-b354cdb.tar.gz";
|
||||
hash = "sha256-gLHaveEzfmpqU9fWATZsUU377FJj2yq//raHZUR/VWk=";
|
||||
};
|
||||
VisualEditor = pkgs.fetchzip {
|
||||
url = "https://extdist.wmflabs.org/dist/extensions/VisualEditor-REL1_40-8970b62.tar.gz";
|
||||
hash = "sha256-G+qvKVuF6OCnwS5q2cKfij1/aH1I6lOw84K6fED980s=";
|
||||
};
|
||||
SyntaxHighlight = pkgs.fetchzip {
|
||||
url = "https://extdist.wmflabs.org/dist/extensions/SyntaxHighlight_GeSHi-REL1_40-1170e8f.tar.gz";
|
||||
hash = "sha256-75+wwTvHhwPBP1jVLK2fQWBi7vznOvPVgNpY3kzWJtg=";
|
||||
url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_42-6c28c16.tar.gz";
|
||||
hash = "sha256-X5kUuvxINbuXaLMKRcLOl2L3qbnMT72lg2NA3A9Daj8=";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
_final: prev:
|
||||
let
|
||||
inherit (prev) fetchurl;
|
||||
inherit (prev) fetchFromGitHub;
|
||||
inherit (prev) callPackage;
|
||||
in
|
||||
{
|
||||
# AGDSN is running an outdated version that we have to comply to
|
||||
|
@ -12,17 +12,32 @@ in
|
|||
sha256 = "sha256-3w+FJezbo4DnS1N8pxrfO3WWWT8CGJtZqw6//IXMyN4=";
|
||||
};
|
||||
}));
|
||||
# (hopefully) fix systemd journal reading
|
||||
prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (_old: {
|
||||
patches = [
|
||||
./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
|
||||
];
|
||||
src = fetchFromGitHub {
|
||||
owner = "adangel";
|
||||
repo = "postfix_exporter";
|
||||
rev = "414ac12ee63415eede46cb3084d755a6da6fba23";
|
||||
hash = "sha256-m1kVaO3N7XC1vtnxXX9kMiEFPmZuoopRUYgA7gQzP8w=";
|
||||
};
|
||||
});
|
||||
# Mailman internal server error fix
|
||||
# https://gitlab.com/mailman/mailman/-/issues/1137
|
||||
# https://github.com/NixOS/nixpkgs/pull/321136
|
||||
pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
|
||||
(_python-final: python-prev: {
|
||||
readme-renderer = python-prev.readme-renderer.overridePythonAttrs (_oldAttrs: {
|
||||
propagatedBuildInputs = [ python-prev.cmarkgfm ];
|
||||
});
|
||||
})
|
||||
];
|
||||
|
||||
keycloak_ifsr_theme = callPackage ../modules/keycloak/theme.nix { };
|
||||
portunus = callPackage ./portunus.nix { };
|
||||
mediawiki = (prev.mediawiki.overrideAttrs (_old: rec {
|
||||
version = "1.43.0";
|
||||
|
||||
src = fetchurl {
|
||||
url = "https://releases.wikimedia.org/mediawiki/${prev.lib.versions.majorMinor version}/mediawiki-${version}.tar.gz";
|
||||
hash = "sha256-VuCn/i/3jlC5yHs9WJ8tjfW8qwAY5FSypKI5yFhr2O4=";
|
||||
};
|
||||
|
||||
}));
|
||||
|
||||
hedgedoc = prev.hedgedoc.overrideAttrs ({ patches ? [ ], ... }: {
|
||||
patches = patches ++ [
|
||||
./hedgedoc/0001-anonymous-uploads.patch
|
||||
];
|
||||
});
|
||||
}
|
||||
|
|
62
overlays/hedgedoc/0001-anonymous-uploads.patch
Normal file
62
overlays/hedgedoc/0001-anonymous-uploads.patch
Normal file
|
@ -0,0 +1,62 @@
|
|||
diff --git a/app.js b/app.js
|
||||
index d41dbfbd7..faf686cfa 100644
|
||||
--- a/app.js
|
||||
+++ b/app.js
|
||||
@@ -203,6 +203,7 @@ app.locals.serverURL = config.serverURL
|
||||
app.locals.sourceURL = config.sourceURL
|
||||
app.locals.allowAnonymous = config.allowAnonymous
|
||||
app.locals.allowAnonymousEdits = config.allowAnonymousEdits
|
||||
+app.locals.allowAnonymousUploads = config.allowAnonymousUploads
|
||||
app.locals.disableNoteCreation = config.disableNoteCreation
|
||||
app.locals.authProviders = {
|
||||
facebook: config.isFacebookEnable,
|
||||
diff --git a/lib/config/default.js b/lib/config/default.js
|
||||
index d038e5311..9ab9a6bb1 100644
|
||||
--- a/lib/config/default.js
|
||||
+++ b/lib/config/default.js
|
||||
@@ -33,6 +33,7 @@ module.exports = {
|
||||
protocolUseSSL: false,
|
||||
allowAnonymous: true,
|
||||
allowAnonymousEdits: false,
|
||||
+ allowAnonymousUploads: false,
|
||||
allowFreeURL: false,
|
||||
requireFreeURLAuthentication: false,
|
||||
disableNoteCreation: false,
|
||||
diff --git a/lib/config/environment.js b/lib/config/environment.js
|
||||
index da50a660d..b74d122f4 100644
|
||||
--- a/lib/config/environment.js
|
||||
+++ b/lib/config/environment.js
|
||||
@@ -31,6 +31,7 @@ module.exports = {
|
||||
allowOrigin: toArrayConfig(process.env.CMD_ALLOW_ORIGIN),
|
||||
allowAnonymous: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS),
|
||||
allowAnonymousEdits: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_EDITS),
|
||||
+ allowAnonymousUploads: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_UPLOADS),
|
||||
allowFreeURL: toBooleanConfig(process.env.CMD_ALLOW_FREEURL),
|
||||
requireFreeURLAuthentication: toBooleanConfig(process.env.CMD_REQUIRE_FREEURL_AUTHENTICATION),
|
||||
disableNoteCreation: toBooleanConfig(process.env.CMD_DISABLE_NOTE_CREATION),
|
||||
diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js
|
||||
index c40ffc961..20c2da83b 100644
|
||||
--- a/lib/config/hackmdEnvironment.js
|
||||
+++ b/lib/config/hackmdEnvironment.js
|
||||
@@ -22,6 +22,7 @@ module.exports = {
|
||||
allowOrigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN),
|
||||
allowAnonymous: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS),
|
||||
allowAnonymousEdits: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_EDITS),
|
||||
+ allowAnonymousUploads: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_UPLOADS),
|
||||
allowFreeURL: toBooleanConfig(process.env.HMD_ALLOW_FREEURL),
|
||||
defaultPermission: process.env.HMD_DEFAULT_PERMISSION,
|
||||
dbURL: process.env.HMD_DB_URL,
|
||||
diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js
|
||||
index d9964827b..7321bc805 100644
|
||||
--- a/lib/web/imageRouter/index.js
|
||||
+++ b/lib/web/imageRouter/index.js
|
||||
@@ -59,8 +59,7 @@ async function checkUploadType (filePath) {
|
||||
imageRouter.post('/uploadimage', function (req, res) {
|
||||
if (
|
||||
!req.isAuthenticated() &&
|
||||
- !config.allowAnonymous &&
|
||||
- !config.allowAnonymousEdits
|
||||
+ !config.allowAnonymousUploads
|
||||
) {
|
||||
logger.error(
|
||||
'Image upload error: Anonymous edits and therefore uploads are not allowed'
|
32
overlays/portunus.nix
Normal file
32
overlays/portunus.nix
Normal file
|
@ -0,0 +1,32 @@
|
|||
{ lib
|
||||
, buildGoModule
|
||||
, fetchFromGitHub
|
||||
, libxcrypt-legacy
|
||||
, nixosTests
|
||||
}:
|
||||
|
||||
buildGoModule rec {
|
||||
pname = "portunus";
|
||||
version = "2.1.1";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "majewsky";
|
||||
repo = "portunus";
|
||||
rev = "v${version}";
|
||||
sha256 = "sha256-+pMMIutj+OWKZmOYH5NuA4a7aS5CD+33vAEC9bJmyfM=";
|
||||
};
|
||||
|
||||
buildInputs = [ libxcrypt-legacy ];
|
||||
|
||||
vendorHash = null;
|
||||
|
||||
passthru.tests = { inherit (nixosTests) portunus; };
|
||||
|
||||
meta = with lib; {
|
||||
description = "Self-contained user/group management and authentication service";
|
||||
homepage = "https://github.com/majewsky/portunus";
|
||||
license = licenses.gpl3Plus;
|
||||
platforms = platforms.linux;
|
||||
maintainers = with maintainers; [ majewsky ] ++ teams.c3d2.members;
|
||||
};
|
||||
}
|
File diff suppressed because one or more lines are too long
Loading…
Add table
Reference in a new issue