From c534e2a8e1e2c4eb0e43a29e2a16fae520f33110 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Fri, 12 Apr 2024 11:21:52 +0200
Subject: [PATCH 01/67] nix-serve: use nix-serve-ng

---
 modules/nix-serve.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/nix-serve.nix b/modules/nix-serve.nix
index 3b10282..643ceb0 100644
--- a/modules/nix-serve.nix
+++ b/modules/nix-serve.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 let
   domain = "cache.${config.networking.domain}";
 in
@@ -6,6 +6,7 @@ in
   sops.secrets."nix-serve/key" = { };
   services.nix-serve = {
     enable = true;
+    package = pkgs.nix-serve-ng;
     secretKeyFile = config.sops.secrets."nix-serve/key".path;
     port = 5002;
   };

From be638b274dd2897bbe34ce098f250d98295f0451 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Sun, 14 Apr 2024 11:35:47 +0200
Subject: [PATCH 02/67] systemd-boot: copy the entire bootloader to the second
 disc on every switch

---
 hosts/quitte/configuration.nix          | 9 +++++++--
 hosts/quitte/hardware-configuration.nix | 5 +++++
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/hosts/quitte/configuration.nix b/hosts/quitte/configuration.nix
index f86ad6e..8b05df1 100644
--- a/hosts/quitte/configuration.nix
+++ b/hosts/quitte/configuration.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 
 {
   imports =
@@ -7,7 +7,12 @@
       ./network.nix
     ];
 
-  boot.loader.systemd-boot.enable = true;
+  boot.loader.systemd-boot = {
+    enable = true;
+    extraInstallCommands = ''
+      ${pkgs.coreutils}/bin/cp -r /boot/* /boot2
+    '';
+  };
   # boot.kernelParams = [ "video=VGA-1:1024x768@30" ];
   boot.loader.efi.canTouchEfiVariables = true;
   boot.supportedFilesystems = [ "zfs" ];
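Review bot: The `extraInstallCommands` at lines 57-59 copy `/boot/*` into `/boot2` without first checking that the second ESP is mounted, so when that mount is absent (patch 03 makes both ESPs `nofail`, so a failed mount no longer stops the boot) the copy silently lands in a plain directory on the root filesystem and the mirror goes stale. A plain `cp -r` also never removes loader entries and kernels that NixOS has since garbage-collected from `/boot`, so the small vfat partition accumulates stale generations. I would replace the `cp` line with `if ${pkgs.util-linux}/bin/mountpoint -q /boot2; then ${pkgs.rsync}/bin/rsync -a --delete /boot/ /boot2/; else echo "warning: /boot2 not mounted, bootloader mirror skipped" >&2; fi`, which keeps the two partitions in step and warns instead of writing to the wrong place. The same mount-state concern presumably applies to `/boot` itself once patch 03 marks it `nofail`, since the installer would then write into the root filesystem if the primary ESP failed to mount.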
diff --git a/hosts/quitte/hardware-configuration.nix b/hosts/quitte/hardware-configuration.nix
index 52d637e..d8afd10 100644
--- a/hosts/quitte/hardware-configuration.nix
+++ b/hosts/quitte/hardware-configuration.nix
@@ -45,6 +45,11 @@
       device = "/dev/disk/by-uuid/3278-8D00";
       fsType = "vfat";
     };
+  fileSystems."/boot2" =
+    {
+      device = "/dev/disk/by-uuid/3366-F71E";
+      fsType = "vfat";
+    };
 
   swapDevices = [ ];
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
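Review bot: The new `/boot2` mount at lines 72-76 (like the existing `/boot` mount above it) takes vfat's default permissions, which leave the whole partition world-readable. If the initrd-ssh setup referenced in patch 17 places its SSH host key into the initrd via initrd secrets (not visible from here), that key would be readable by any local user from either ESP. Consider `options = [ "fmask=0077" "dmask=0077" ];` on both ESP mounts, which I believe is what recent `nixos-generate-config` output emits for the ESP.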

From 4b173581dc2680cba2f7d14217a0ff7423e50a3d Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Sun, 14 Apr 2024 11:39:11 +0200
Subject: [PATCH 03/67] mount boot drives with the `nofail` option

One drive failure shouldn't block the entire boot
---
 hosts/quitte/hardware-configuration.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hosts/quitte/hardware-configuration.nix b/hosts/quitte/hardware-configuration.nix
index d8afd10..c5b5add 100644
--- a/hosts/quitte/hardware-configuration.nix
+++ b/hosts/quitte/hardware-configuration.nix
@@ -44,11 +44,13 @@
     {
       device = "/dev/disk/by-uuid/3278-8D00";
       fsType = "vfat";
+      options = [ "nofail" ];
     };
   fileSystems."/boot2" =
     {
       device = "/dev/disk/by-uuid/3366-F71E";
       fsType = "vfat";
+      options = [ "nofail" ];
     };
 
   swapDevices = [ ];

From 83db5399d7f3cd172a0bd43545b98e6c6a08f25d Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Sun, 14 Apr 2024 11:40:00 +0200
Subject: [PATCH 04/67] quitte: format hardware config

---
 hosts/quitte/hardware-configuration.nix | 67 +++++++++++--------------
 1 file changed, 30 insertions(+), 37 deletions(-)

diff --git a/hosts/quitte/hardware-configuration.nix b/hosts/quitte/hardware-configuration.nix
index c5b5add..5dad929 100644
--- a/hosts/quitte/hardware-configuration.nix
+++ b/hosts/quitte/hardware-configuration.nix
@@ -10,48 +10,41 @@
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    {
-      device = "rpool/nixos/root";
-      fsType = "zfs";
-    };
+  fileSystems."/" = {
+    device = "rpool/nixos/root";
+    fsType = "zfs";
+  };
 
-  fileSystems."/home" =
-    {
-      device = "rpool/nixos/home";
-      fsType = "zfs";
-    };
+  fileSystems."/home" = {
+    device = "rpool/nixos/home";
+    fsType = "zfs";
+  };
 
-  fileSystems."/nix" =
-    {
-      device = "rpool/nixos/nixnew";
-      fsType = "zfs";
-    };
+  fileSystems."/nix" = {
+    device = "rpool/nixos/nixnew";
+    fsType = "zfs";
+  };
 
-  fileSystems."/var/lib" =
-    {
-      device = "rpool/nixos/var/lib";
-      fsType = "zfs";
-    };
+  fileSystems."/var/lib" = {
+    device = "rpool/nixos/var/lib";
+    fsType = "zfs";
+  };
 
-  fileSystems."/var/log" =
-    {
-      device = "rpool/nixos/var/log";
-      fsType = "zfs";
-    };
+  fileSystems."/var/log" = {
+    device = "rpool/nixos/var/log";
+    fsType = "zfs";
+  };
 
-  fileSystems."/boot" =
-    {
-      device = "/dev/disk/by-uuid/3278-8D00";
-      fsType = "vfat";
-      options = [ "nofail" ];
-    };
-  fileSystems."/boot2" =
-    {
-      device = "/dev/disk/by-uuid/3366-F71E";
-      fsType = "vfat";
-      options = [ "nofail" ];
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/3278-8D00";
+    fsType = "vfat";
+    options = [ "nofail" ];
+  };
+  fileSystems."/boot2" = {
+    device = "/dev/disk/by-uuid/3366-F71E";
+    fsType = "vfat";
+    options = [ "nofail" ];
+  };
 
   swapDevices = [ ];
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

From 5b95918c299b5c9648762e1f66298f12053903a6 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Tue, 16 Apr 2024 10:58:35 +0200
Subject: [PATCH 05/67] tomate: configure ifsr-apb network

---
 hosts/tomate/configuration.nix |  5 +----
 hosts/tomate/network.nix       | 40 ++++++++++++++++++++++++++++++++++
 secrets/tomate.yaml            |  5 +++--
 3 files changed, 44 insertions(+), 6 deletions(-)
 create mode 100644 hosts/tomate/network.nix

diff --git a/hosts/tomate/configuration.nix b/hosts/tomate/configuration.nix
index f3f3ceb..58a4c85 100644
--- a/hosts/tomate/configuration.nix
+++ b/hosts/tomate/configuration.nix
@@ -8,6 +8,7 @@
   imports =
     [
       # Include the results of the hardware scan.
+      ./network.nix
       ./hardware-configuration.nix
     ];
 
@@ -15,8 +16,6 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  networking.hostName = "tomate"; # Define your hostname.
-  networking.nftables.enable = true;
 
   nix = {
     settings = {
@@ -29,8 +28,6 @@
     };
   };
 
-  # Enable networking
-  networking.networkmanager.enable = true;
 
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
diff --git a/hosts/tomate/network.nix b/hosts/tomate/network.nix
new file mode 100644
index 0000000..32e98ca
--- /dev/null
+++ b/hosts/tomate/network.nix
@@ -0,0 +1,40 @@
+{ config, ... }:
+{
+  sops.secrets.ifsr-apb-auth = { };
+  networking = {
+    domain = "ifsr.de";
+    hostName = "tomate";
+    useNetworkd = true;
+    nftables.enable = true;
+    # Radius authentification
+    supplicant."enp3s0" = {
+      driver = "wired";
+      configFile.path = config.sops.secrets.ifsr-apb-auth.path;
+    };
+  };
+
+  services.resolved = {
+    enable = true;
+    fallbackDns = [ "9.9.9.9" ];
+  };
+
+  systemd.network = {
+    enable = true;
+
+    networks."10-wired-default" = {
+      matchConfig.Name = "enp3s0";
+
+      address = [ "141.30.86.196/26" ];
+      routes = [
+        {
+          routeConfig.Gateway = "141.30.86.193";
+        }
+      ];
+      networkConfig = {
+        DNS = "141.30.1.1";
+        LLDP = true;
+        EmitLLDP = "nearest-bridge";
+      };
+    };
+  };
+}
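Review bot: The `networking.supplicant."enp3s0"` block at lines 260-263 points `configFile.path` at a sops-managed file but says nothing about what that file must contain, and the comment on 259 misspells the mechanism; I would replace 259 with `# IEEE 802.1X port authentication (RADIUS-backed); the sops secret is presumably a full wpa_supplicant.conf holding the EAP identity and credentials`. Worth confirming that `sops.secrets.ifsr-apb-auth` on 253 keeps its default root-only mode, since the credentials in it would otherwise be readable by every local user; nothing in the hunk changes it, so the default presumably applies. The static `DNS = "141.30.1.1"` on 284 is a single resolver with only the public `fallbackDns` from `services.resolved` behind it, which is fine for this host but deserves a one-line comment saying it is deliberate.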
diff --git a/secrets/tomate.yaml b/secrets/tomate.yaml
index ae1f78c..01caa04 100644
--- a/secrets/tomate.yaml
+++ b/secrets/tomate.yaml
@@ -4,6 +4,7 @@ print:
     smtp-password: ENC[AES256_GCM,data:XoaLiEpqAdKapeS9YoBfh2w7HFuTCV9rHIciH+qUbhHcdsgVpnPMsSlC,iv:WxfP5d2K9soJPoRPuS6O6PbNvo4TBQjPGiV0e+a501Q=,tag:ZsTdR+b/oYFAYz/MN73PFg==,type:str]
 sssd:
     env: ENC[AES256_GCM,data:9IbU7uaElmemQHVUvsM88hcyNl3WFehgQeLZPtUxt2Sd0IECm8qNkQhWJ4kuvoBnQsdsUrFm/0QuW7AfDFOeE7FxMxg0,iv:dyzsYHlqClWbfzsoJ36iYjaXWpidB1ZqHXI7RP7js2Y=,tag:97FMOeVwAEy8Ka79uZKC8Q==,type:str]
+ifsr-apb-auth: ENC[AES256_GCM,data:hxJOvRbgjB//YU3wy04P7yrQbV0Ggoi18wQxwy4hHgbXizTHbmlfiZ/MstITrZQ6qEPVBEW41/iGU3DO2Cg2ofpWvFU5Gr8FM1AC9DKq8SppLGqzel1mEejPfrh4RbQUMe0zZlc/YfhCah5sM0oPnBQNg8bPpveEO+5/bRq5S24jkkv7w6/AAS8tGvjALVf/g95jsCrQO2MYg9jCCEkdhORU0bowGD8cjTr6wnPkNhwzn5tiKoPn6eH6TFBkqNC+Q/5E+os10i9F1c3z/sv8Snrcl7V5higqrQekhEvGRDmax/4lE8Yb3AoxC/2M4/+9x+OPi0JUkkhC6rghETXpmYkuaD7E8+eEtLeSbiJPlPijq2HTtbtsHcSoMUdoGO8644TVe/jDxaEe54p9OWEFjRRpONijQKsfH3wENlUXmqDQDLfMSpoANxIHMh+RmRzktGIvTgvs6rlKXsWp7/gggFVxdM/5QPbE3pUvGr+JPWz4,iv:6c1HxYGrItPwKzAnQ0zUvO3TSejVZ/aWF9zs99ufzl4=,tag:fELOskceJWKmkm74MCsfoA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -19,8 +20,8 @@ sops:
             TXVrMHZCNU5zOG5hVnNkdEoxcTZqWXMKA9eG1zM6HeLAAOpIo8Z5+5KD4Z5P3rdc
             kE8sUXHD3d8SMmSKcTYe6gGVzFuw0xxnMb/AmjAQosvDFTQsWy1sTw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-29T13:36:12Z"
-    mac: ENC[AES256_GCM,data:CnoH4KmYy72E0L+X7SHYXrFH6z0KhRhfYXmIO8HnPlkYnwKXDeAYezv4kL3ItZG+8pnmbFdoyHxxVMT6rWtV//x16YPMI0zhwIEBs67ZxM+gzeei4fniktolydKmlXUgbtWw3/y3OtxzAn9Dne2LPz7CwN/imGOTgrWFYGWRhtU=,iv:gcurHYWPSijYRlt9FoutrGInWDOfSkjrNqwU6jxiHDk=,tag:qWhpQ9vLuuihOzJeOGYEog==,type:str]
+    lastmodified: "2024-04-16T08:58:21Z"
+    mac: ENC[AES256_GCM,data:2aOOVZK7kshJFBWphvW/BqRUXht4p80Q15nGJNA1EbjT05f3tYdrr8QuM5Xd1vJO07rgmokWv4XwbzodRIwqidEXD5xuJ1v+kHC/jJnO3yrBKY7kVMHkia2Wq00bcN/iwdW6G6AP5D4HQbmFNo+rLHyjIVwPvtu9jutKpz12NH0=,iv:YCBX2gSEmiUa6HrHi0VEcRGWDJrXGajD8ZbOZcppFnM=,tag:FK2E4hukl8oL5aZNTCQESA==,type:str]
     pgp:
         - created_at: "2024-02-29T15:23:28Z"
           enc: |-

From f24793bbb69963dcd268c3b9a564a7a0ebcbce35 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Tue, 16 Apr 2024 13:58:32 +0200
Subject: [PATCH 06/67] nix: update course-management

---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/flake.lock b/flake.lock
index 7550cf5..97be6a0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -9,11 +9,11 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1710843969,
-        "narHash": "sha256-Ilu7j7tihFI0jtnsQS+7H0SZX4C61NZHaV/7fJ39t/E=",
+        "lastModified": 1713268687,
+        "narHash": "sha256-rC8f3dFiCl7LFFmselEo9qIiGdRiCbkJCCjMu/nTHzg=",
         "owner": "fsr",
         "repo": "course-management",
-        "rev": "07b173b4ea458e5a08b3aa9ec677153c08657c98",
+        "rev": "820cbb8eb16237d75902202bdbee012aced29f8d",
         "type": "github"
       },
       "original": {

From 3a47c43741c1f286e3c7a01f5dc23d4c108195c3 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Tue, 16 Apr 2024 18:50:51 +0200
Subject: [PATCH 07/67] tomate: use zsh as default shell

---
 hosts/tomate/configuration.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hosts/tomate/configuration.nix b/hosts/tomate/configuration.nix
index 58a4c85..72d7514 100644
--- a/hosts/tomate/configuration.nix
+++ b/hosts/tomate/configuration.nix
@@ -27,6 +27,7 @@
       ];
     };
   };
+  users.users.root.shell = pkgs.zsh;
 
 
   # Set your time zone.

From ceca1b3798c21852e051779fc5f6e3e4cdd4d74e Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Tue, 16 Apr 2024 20:21:16 +0200
Subject: [PATCH 08/67] tomate: remove fail2ban

- Not really needed any more
---
 flake.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/flake.nix b/flake.nix
index 4624be8..827b6d0 100755
--- a/flake.nix
+++ b/flake.nix
@@ -106,7 +106,6 @@
             ./hosts/tomate/configuration.nix
             ./modules/core/base.nix
             ./modules/core/zsh.nix
-            ./modules/core/fail2ban.nix
             ./modules/core/sssd.nix
             {
               sops.defaultSopsFile = ./secrets/tomate.yaml;

From 0d4283f10955926f6d10ad0a98e93ad8617ce760 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Tue, 16 Apr 2024 20:32:29 +0200
Subject: [PATCH 09/67] Revert "nginx: disable http3 to prevent wordpress
 error"

This reverts commit 8606e89c031ce5433806cafa519184b28174bbab.
---
 modules/core/nginx.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/core/nginx.nix b/modules/core/nginx.nix
index 477663c..36e596e 100644
--- a/modules/core/nginx.nix
+++ b/modules/core/nginx.nix
@@ -7,10 +7,14 @@
         ({ name, ... }: {
           enableACME = true;
           forceSSL = true;
+          # enable http3 for all hosts
+          quic = true;
+          http3 = true;
           # split up nginx access logs per vhost
           extraConfig = ''
             access_log /var/log/nginx/${name}_access.log;
             error_log /var/log/nginx/${name}_error.log;
+            add_header Alt-Svc 'h3=":443"; ma=86400';
           '';
         })
       );
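Review bot: The `add_header Alt-Svc ...` at line 415 lives in the server-level `extraConfig`, but nginx only inherits `add_header` into a location when that location defines no `add_header` of its own, so any location that sets one (the mailman `/robots.txt` location in patch 16 does, with `add_header Content-Type`) silently drops the Alt-Svc advertisement together with every other server-level header. Either repeat the Alt-Svc header in such locations or add a comment next to 415 such as `# NOTE: add_header is not inherited into locations that set their own headers; repeat Alt-Svc there` so the next vhost author knows. The surrounding vhost-default function starts before this hunk.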
@@ -22,6 +26,7 @@
     networking.firewall.allowedUDPPorts = [ 443 ];
     services.nginx = {
       enable = true;
+      package = pkgs.nginxQuic;
       additionalModules = [ pkgs.nginxModules.pam ];
       recommendedProxySettings = true;
       recommendedGzipSettings = true;

From 08893439e7caf040c14f2b98c6ce82369d9afc26 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Tue, 16 Apr 2024 20:36:44 +0200
Subject: [PATCH 10/67] http3: attempt a fix for wordpress sites

---
 modules/web/fsrewsp.nix   | 1 +
 modules/web/nightline.nix | 1 +
 2 files changed, 2 insertions(+)

diff --git a/modules/web/fsrewsp.nix b/modules/web/fsrewsp.nix
index 57ad6bb..f8f0799 100644
--- a/modules/web/fsrewsp.nix
+++ b/modules/web/fsrewsp.nix
@@ -43,6 +43,7 @@ in
       root = "/srv/web/fsrewsp";
       extraConfig = ''
         index index.php index.html;
+        fastcgi_param HTTP_HOST $host;
       '';
 
       locations = {
diff --git a/modules/web/nightline.nix b/modules/web/nightline.nix
index 9cff390..0e264a4 100644
--- a/modules/web/nightline.nix
+++ b/modules/web/nightline.nix
@@ -40,6 +40,7 @@ in
       root = "/srv/web/nightline";
       extraConfig = ''
         index index.php index.html;
+        fastcgi_param HTTP_HOST $host;
       '';
 
       locations = {

From 6cd1ba6aa5cd9f75f8bce367674b1b865e3df035 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Tue, 16 Apr 2024 20:38:07 +0200
Subject: [PATCH 11/67] Revert "nix: update course-management"

This reverts commit f24793bbb69963dcd268c3b9a564a7a0ebcbce35.
---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/flake.lock b/flake.lock
index 97be6a0..7550cf5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -9,11 +9,11 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1713268687,
-        "narHash": "sha256-rC8f3dFiCl7LFFmselEo9qIiGdRiCbkJCCjMu/nTHzg=",
+        "lastModified": 1710843969,
+        "narHash": "sha256-Ilu7j7tihFI0jtnsQS+7H0SZX4C61NZHaV/7fJ39t/E=",
         "owner": "fsr",
         "repo": "course-management",
-        "rev": "820cbb8eb16237d75902202bdbee012aced29f8d",
+        "rev": "07b173b4ea458e5a08b3aa9ec677153c08657c98",
         "type": "github"
       },
       "original": {

From 375674b1b40c9dc3196800ce211109abb731ef32 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Tue, 16 Apr 2024 20:51:16 +0200
Subject: [PATCH 12/67] nginx: fix the http3 wordpress fix

---
 modules/web/fsrewsp.nix   | 2 +-
 modules/web/nightline.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/web/fsrewsp.nix b/modules/web/fsrewsp.nix
index f8f0799..5fe4cd3 100644
--- a/modules/web/fsrewsp.nix
+++ b/modules/web/fsrewsp.nix
@@ -43,7 +43,6 @@ in
       root = "/srv/web/fsrewsp";
       extraConfig = ''
         index index.php index.html;
-        fastcgi_param HTTP_HOST $host;
       '';
 
       locations = {
@@ -59,6 +58,7 @@ in
             include ${pkgs.nginx}/conf/fastcgi_params;
             include ${pkgs.nginx}/conf/fastcgi.conf;
             fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+            fastcgi_param HTTP_HOST $host;
           '';
         };
         "~ \.log$".return = "403";
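Review bot: `fastcgi_param HTTP_HOST $host;` at line 519 now sits in the PHP location, which is the right place since a server-level `fastcgi_param` is discarded as soon as the location sets its own (lines 516-518 do); the same line at 539 in nightline.nix has the same property. Note that `$host` comes from the client's request (Host header or `:authority`), so if either vhost is nginx's default server WordPress will build its URLs from whatever host name the client sent; `$server_name` pins it to the configured name if the site does not need to honour aliases. Separately, the context line `"~ \.log$".return = "403";` at 522 and 542 predates this commit, but if I read Nix string escaping correctly `\.` is just `.`, so nginx sees the regex `~ .log$` and rejects any URI ending in the letters `log` (`/blog`, `/catalog`); `"~ \\.log$"` is presumably what was intended, which is worth confirming against the rendered nginx config.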
diff --git a/modules/web/nightline.nix b/modules/web/nightline.nix
index 0e264a4..8abd76d 100644
--- a/modules/web/nightline.nix
+++ b/modules/web/nightline.nix
@@ -40,7 +40,6 @@ in
       root = "/srv/web/nightline";
       extraConfig = ''
         index index.php index.html;
-        fastcgi_param HTTP_HOST $host;
       '';
 
       locations = {
@@ -56,6 +55,7 @@ in
             include ${pkgs.nginx}/conf/fastcgi_params;
             include ${pkgs.nginx}/conf/fastcgi.conf;
             fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+            fastcgi_param HTTP_HOST $host;
           '';
         };
         "~ \.log$".return = "403";

From d5ab09207a0a78e1c144a6bcb074e8bffb634010 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Tue, 16 Apr 2024 21:44:48 +0200
Subject: [PATCH 13/67] core: set zsh as default shell for the root user

---
 hosts/tomate/configuration.nix | 2 --
 modules/core/zsh.nix           | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/hosts/tomate/configuration.nix b/hosts/tomate/configuration.nix
index 72d7514..7ac0b3a 100644
--- a/hosts/tomate/configuration.nix
+++ b/hosts/tomate/configuration.nix
@@ -27,8 +27,6 @@
       ];
     };
   };
-  users.users.root.shell = pkgs.zsh;
-
 
   # Set your time zone.
   time.timeZone = "Europe/Berlin";
diff --git a/modules/core/zsh.nix b/modules/core/zsh.nix
index 2412e4a..349f3dd 100644
--- a/modules/core/zsh.nix
+++ b/modules/core/zsh.nix
@@ -1,5 +1,6 @@
 { lib, pkgs, ... }:
 {
+  users.users.root.shell = pkgs.zsh;
   programs.command-not-found.enable = false;
   programs.nix-index-database.comma.enable = true;
   environment.systemPackages = with pkgs; [
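Review bot: `users.users.root.shell = pkgs.zsh;` at line 574 changes root's login shell on every host that imports this module, and that is only safe if `programs.zsh.enable = true` is set in the same module (I believe NixOS warns when a user's shell is zsh without it, and the shell would then lack the NixOS-generated zshrc and PATH setup); the rest of this attrset is outside the hunk, so I cannot see whether it is. A comment on 574 such as `# root uses zsh on all hosts; relies on programs.zsh.enable in this module` would make the dependency explicit.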

From 15299bcb99df0efba81eef6c6205fcae749487e8 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Fri, 26 Apr 2024 09:40:21 +0200
Subject: [PATCH 14/67] nix: flake update

---
 flake.lock | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/flake.lock b/flake.lock
index 7550cf5..fbdaeb2 100644
--- a/flake.lock
+++ b/flake.lock
@@ -9,11 +9,11 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1710843969,
-        "narHash": "sha256-Ilu7j7tihFI0jtnsQS+7H0SZX4C61NZHaV/7fJ39t/E=",
+        "lastModified": 1713268687,
+        "narHash": "sha256-rC8f3dFiCl7LFFmselEo9qIiGdRiCbkJCCjMu/nTHzg=",
         "owner": "fsr",
         "repo": "course-management",
-        "rev": "07b173b4ea458e5a08b3aa9ec677153c08657c98",
+        "rev": "820cbb8eb16237d75902202bdbee012aced29f8d",
         "type": "github"
       },
       "original": {
@@ -145,11 +145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1711854532,
-        "narHash": "sha256-JPStavwlT7TfxxiXHk6Q7sbNxtnXAIjXQJMLO0KB6M0=",
+        "lastModified": 1713869268,
+        "narHash": "sha256-o3CMQeu/S8/4zU0pMtYg51rd1FWdJsI2Xohzng1Ysdg=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "2844b5f3ad3b478468151bd101370b9d8ef8a3a7",
+        "rev": "dcb6ac44922858ce3a5b46f77a36d6030181460c",
         "type": "github"
       },
       "original": {
@@ -160,11 +160,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1712168706,
-        "narHash": "sha256-XP24tOobf6GGElMd0ux90FEBalUtw6NkBSVh/RlA6ik=",
+        "lastModified": 1713995372,
+        "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1487bdea619e4a7a53a4590c475deabb5a9d1bfb",
+        "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8",
         "type": "github"
       },
       "original": {
@@ -176,11 +176,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1711819797,
-        "narHash": "sha256-tNeB6emxj74Y6ctwmsjtMlzUMn458sBmwnD35U5KIM4=",
+        "lastModified": 1713638189,
+        "narHash": "sha256-q7APLfB6FmmSMI1Su5ihW9IwntBsk2hWNXh8XtSdSIk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "2b4e3ca0091049c6fbb4908c66b05b77eaef9f0c",
+        "rev": "74574c38577914733b4f7a775dd77d24245081dd",
         "type": "github"
       },
       "original": {
@@ -192,11 +192,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1712163089,
-        "narHash": "sha256-Um+8kTIrC19vD4/lUCN9/cU9kcOsD1O1m+axJqQPyMM=",
+        "lastModified": 1713895582,
+        "narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "fd281bd6b7d3e32ddfa399853946f782553163b5",
+        "rev": "572af610f6151fd41c212f897c71f7056e3fb518",
         "type": "github"
       },
       "original": {
@@ -286,11 +286,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1711855048,
-        "narHash": "sha256-HxegAPnQJSC4cbEbF4Iq3YTlFHZKLiNTk8147EbLdGg=",
+        "lastModified": 1713892811,
+        "narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "99b1e37f9fc0960d064a7862eb7adfb92e64fa10",
+        "rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd",
         "type": "github"
       },
       "original": {
@@ -386,11 +386,11 @@
         "nixpkgs": "nixpkgs_2"
       },
       "locked": {
-        "lastModified": 1709622318,
-        "narHash": "sha256-bTscF0366xtoIXgH7Zq+Mn0mpX3w4h/2xKpHiYMyLNc=",
+        "lastModified": 1713958148,
+        "narHash": "sha256-8PDNi/dgoI2kyM7uSiU4eoLBqUKoA+3TXuz+VWmuCOc=",
         "owner": "nix-community",
         "repo": "nixos-vscode-server",
-        "rev": "d0ed9b8cf1f0a71f110df9119489ab047e0726bd",
+        "rev": "fc900c16efc6a5ed972fb6be87df018bcf3035bc",
         "type": "github"
       },
       "original": {

From 579ad274d5b5d475d4f033754c14414e095371b2 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Fri, 26 Apr 2024 09:47:36 +0200
Subject: [PATCH 15/67] nix: flake update

---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/flake.lock b/flake.lock
index fbdaeb2..e65c2f6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -9,11 +9,11 @@
         "poetry2nix": "poetry2nix"
       },
       "locked": {
-        "lastModified": 1713268687,
-        "narHash": "sha256-rC8f3dFiCl7LFFmselEo9qIiGdRiCbkJCCjMu/nTHzg=",
+        "lastModified": 1714117615,
+        "narHash": "sha256-Ilu7j7tihFI0jtnsQS+7H0SZX4C61NZHaV/7fJ39t/E=",
         "owner": "fsr",
         "repo": "course-management",
-        "rev": "820cbb8eb16237d75902202bdbee012aced29f8d",
+        "rev": "9e5ab11788b926a9a26d2aaa0e0958c3c5865cc9",
         "type": "github"
       },
       "original": {

From ebe977672a5665fe8d25138032db1ca791e9aae0 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Fri, 26 Apr 2024 22:40:18 +0200
Subject: [PATCH 16/67] mailman: restrict registration to tud nets

---
 modules/mail/mailman.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/mail/mailman.nix b/modules/mail/mailman.nix
index f9a9354..23d36a9 100644
--- a/modules/mail/mailman.nix
+++ b/modules/mail/mailman.nix
@@ -66,6 +66,14 @@
     ensureDatabases = [ "mailman" "mailman-web" ];
   };
   services.nginx.virtualHosts."lists.${config.networking.domain}" = {
+    locations."/accounts/signup" = {
+      extraConfig = ''
+        allow 141.30.0.0/16;
+        allow 141.76.0.0/16;
+        deny all;
+        uwsgi_pass unix:/run/mailman-web.socket;
+      '';
+    };
     locations."/robots.txt" = {
       extraConfig = ''
         add_header  Content-Type  text/plain;
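Review bot: The `/accounts/signup` location at lines 744-751 restricts self-registration by source address, but it duplicates the upstream (`uwsgi_pass unix:/run/mailman-web.socket;`) that the mailman module generates for `/`, so the two can drift apart, and because nginx evaluates `allow`/`deny` against `$remote_addr` the restriction only holds while this nginx terminates client connections directly (a proxy in front would need real_ip handling). If the module-generated `/` location carries directives this one lacks (an `include` of `uwsgi_params`, for instance), they are not inherited into a sibling location, so the rendered nginx.conf is worth diffing. A comment naming the ranges, `# only TU Dresden address space may self-register`, would help the next reader.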

From d03f4c6fb13ed27245a48b1ea681ccd21e40312b Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Fri, 26 Apr 2024 22:40:30 +0200
Subject: [PATCH 17/67] initrd: try loading network modules in stage 1

---
 modules/core/initrd-ssh.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/core/initrd-ssh.nix b/modules/core/initrd-ssh.nix
index 6b7a1a9..9fc5824 100644
--- a/modules/core/initrd-ssh.nix
+++ b/modules/core/initrd-ssh.nix
@@ -6,6 +6,7 @@
 { config, ... }:
 {
   boot.initrd = {
+   availableKernelModules = ["mlx5_core"];
     systemd = {
       enable = true;
       network = {
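Review bot: Line 773 is indented three spaces inside a block that uses four (see `systemd = {` on 774) and writes the list as `["mlx5_core"]` while the rest of the tree spaces list brackets (`[ "zfs" ]`); `    availableKernelModules = [ "mlx5_core" ];` matches the surrounding style. Since the subject calls this an attempt, a comment stating the purpose, e.g. `# Mellanox NIC driver so stage-1 networking (initrd ssh) can come up`, would stop it being removed as cruft later; whether the module matches the installed NIC is not visible from here. The `boot.initrd` attrset continues beyond the hunk.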

From 9327314ec9b61b6b3a8a2a23f7e5c73ce9148435 Mon Sep 17 00:00:00 2001
From: tenksom <joachim@stramke.com>
Date: Mon, 29 Apr 2024 14:21:58 +0200
Subject: [PATCH 18/67] create grafana and prometheus setup

---
 modules/monitoring.nix | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 modules/monitoring.nix

diff --git a/modules/monitoring.nix b/modules/monitoring.nix
new file mode 100644
index 0000000..d3cdb3e
--- /dev/null
+++ b/modules/monitoring.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+  let 
+    domain = "monitoring.${config.networking.domain}";
+  in {
+    # grafana configuration
+    services.grafana = {
+      enable = true;
+      port = 2342;
+    };
+    
+    services.prometheus = {
+      enable = true;
+      port = 9001;
+    };
+
+    # nginx reverse proxy
+    services.nginx.virtualHosts.${domain} = {
+      locations."/" = {
+          proxyPass = "http://localhost:${toString config.services.grafana.port}";
+          proxyWebsockets = true;
+      };
+    };
+}
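Review bot: `services.prometheus` at lines 804-807 leaves `listenAddress` at its NixOS default of `0.0.0.0`, so the unauthenticated Prometheus UI and API (every scraped metric plus the targets page) listen on all interfaces and are shielded only by the host firewall; the rewrite in patch 20 and the node exporter added in patch 21 (also `0.0.0.0` by default) keep that. Since the only consumers are local (Grafana, and scrape targets of `127.0.0.1`), add `listenAddress = "127.0.0.1";` to `services.prometheus` and to each `exporters.<name>` block.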

From 126cff2263bfafbd749dc009bcd808b9f4ead020 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Mon, 29 Apr 2024 14:26:49 +0200
Subject: [PATCH 19/67] quitte: pin kernel to 6.6.27 6.6.28 broke the network
 driver

---
 hosts/quitte/configuration.nix | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/hosts/quitte/configuration.nix b/hosts/quitte/configuration.nix
index 8b05df1..0e2d288 100644
--- a/hosts/quitte/configuration.nix
+++ b/hosts/quitte/configuration.nix
@@ -16,7 +16,18 @@
   # boot.kernelParams = [ "video=VGA-1:1024x768@30" ];
   boot.loader.efi.canTouchEfiVariables = true;
   boot.supportedFilesystems = [ "zfs" ];
-  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  # boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  # Pin Kernel Version as 6.6.28 has a broken networking driver
+  boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux_6_6.override {
+    argsOverride = rec {
+      src = pkgs.fetchurl {
+            url = "mirror://kernel/linux/kernel/v6.x/linux-${version}.tar.xz";
+            sha256 = "sha256-Y55QBg48jyPtAXyxDP6sxrqI/1WDgSu3aFm0zGoSgpE=";
+      };
+      version = "6.6.27";
+      modDirVersion = "6.6.27";
+      };
+  });
 
   services.zfs = {
     trim.enable = true;
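Review bot: The pin at lines 839-848 freezes the host on 6.6.27 with no stated exit condition, which means it silently stops receiving kernel security fixes once the driver regression is resolved upstream; add `# TODO: drop this pin once the networking driver regression from 6.6.28 is fixed upstream and restore the latestCompatibleLinuxPackages line above` and reference a tracking issue if one exists. The block's indentation is uneven — `url`/`sha256` sit at twelve spaces and the `};` on 847 closes `argsOverride` at the wrong level — so running the tree's formatter over it would help. The hash on 843 is the value to re-check whenever the version is bumped, since `src` is derived from `version` through `rec`.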

From 7526b9273bd167c5d1ed40abdc84336172399eea Mon Sep 17 00:00:00 2001
From: quitte <root@quitte>
Date: Mon, 29 Apr 2024 15:09:56 +0200
Subject: [PATCH 20/67] making grafana work

---
 flake.nix              |  1 +
 modules/monitoring.nix | 64 ++++++++++++++++++++++++++++++------------
 2 files changed, 47 insertions(+), 18 deletions(-)

diff --git a/flake.nix b/flake.nix
index 827b6d0..6159bc2 100755
--- a/flake.nix
+++ b/flake.nix
@@ -83,6 +83,7 @@
             ./modules/hedgedoc.nix
             ./modules/padlist.nix
             ./modules/nextcloud.nix
+            ./modules/monitoring.nix
             ./modules/vaultwarden.nix
             ./modules/forgejo
             ./modules/kanboard.nix
diff --git a/modules/monitoring.nix b/modules/monitoring.nix
index d3cdb3e..ff8dc58 100644
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@@ -1,23 +1,51 @@
 { config, pkgs, ... }:
-  let 
-    domain = "monitoring.${config.networking.domain}";
-  in {
-    # grafana configuration
-    services.grafana = {
-      enable = true;
-      port = 2342;
-    };
-    
-    services.prometheus = {
-      enable = true;
-      port = 9001;
+let
+  domain = "monitoring.${config.networking.domain}";
+in
+{
+  # grafana configuration
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        inherit domain;
+        http_addr = "127.0.0.1";
+        http_port = 2342;
+      };
+      database = {
+        type = "postgres";
+        user = "grafana";
+        host = "/run/postgresql";
+      };
+
     };
 
-    # nginx reverse proxy
-    services.nginx.virtualHosts.${domain} = {
-      locations."/" = {
-          proxyPass = "http://localhost:${toString config.services.grafana.port}";
-          proxyWebsockets = true;
-      };
+
+  };
+
+  services.postgresql = {
+    enable = true;
+    ensureUsers = [
+      {
+        name = "grafana";
+        ensurePermissions = {
+          "DATABASE grafana" = "ALL PRIVILEGES";
+        };
+      }
+    ];
+    ensureDatabases = [ "grafana" ];
+  };
+
+  services.prometheus = {
+    enable = true;
+    port = 9001;
+  };
+
+  # nginx reverse proxy
+  services.nginx.virtualHosts.${domain} = {
+    locations."/" = {
+      proxyPass = "http://localhost:${toString config.services.grafana.port}";
+      proxyWebsockets = true;
     };
+  };
 }
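Review bot: The Grafana `settings.server` block at lines 901-905 sets `domain` and `http_port` but not `root_url`, and Grafana's default `root_url` is `%(protocol)s://%(domain)s:%(http_port)s/`, so links Grafana generates (invites, alert notifications, OAuth redirects) will point at `http://monitoring.<domain>:2342/` rather than the nginx front door; add `root_url = "https://${domain}";`. Nothing in this block replaces Grafana's built-in defaults for the initial admin password or the `[security] secret_key` used to encrypt stored datasource credentials; set `settings.security.admin_password` and `settings.security.secret_key` from sops via `$__file{...}` rather than shipping the defaults. The stray blank lines at 911 and 920 look like leftovers from the restructuring.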

From 3f47b32983b7f12cc3985196897dd061048f42c5 Mon Sep 17 00:00:00 2001
From: Joachim Stramke <joachim.stramke@ifsr.de>
Date: Mon, 29 Apr 2024 15:12:52 +0200
Subject: [PATCH 21/67] add first node

---
 modules/monitoring.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/modules/monitoring.nix b/modules/monitoring.nix
index ff8dc58..b25204d 100644
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@@ -39,6 +39,21 @@ in
   services.prometheus = {
     enable = true;
     port = 9001;
+    exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = [ "systemd" ];
+        port = 9002;
+      };
+    };
+    scrapeConfigs = [
+      {
+        job_name = "node";
+        static_configs = [{
+          targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
+        }];
+      }
+    ];
   };
 
   # nginx reverse proxy

From d1147621e147c5af70bcc2dd406d99f794cc6f64 Mon Sep 17 00:00:00 2001
From: Joachim Stramke <joachim.stramke@ifsr.de>
Date: Mon, 29 Apr 2024 17:09:37 +0200
Subject: [PATCH 22/67] changing scrape intervall

---
 modules/monitoring.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/monitoring.nix b/modules/monitoring.nix
index b25204d..321c0f9 100644
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@@ -52,6 +52,7 @@ in
         static_configs = [{
           targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
         }];
+        scrape_interval = "15s";
       }
     ];
   };

From d92eff80ce109096c5b6adc94e6f03008f79e7ac Mon Sep 17 00:00:00 2001
From: quitte <root@quitte>
Date: Mon, 29 Apr 2024 17:10:35 +0200
Subject: [PATCH 23/67] fixing postgres warning

---
 modules/monitoring.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/modules/monitoring.nix b/modules/monitoring.nix
index b25204d..71ecc4e 100644
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@@ -28,9 +28,7 @@ in
     ensureUsers = [
       {
         name = "grafana";
-        ensurePermissions = {
-          "DATABASE grafana" = "ALL PRIVILEGES";
-        };
+        ensureDBOwnership = true;
       }
     ];
     ensureDatabases = [ "grafana" ];

From cf7ff37367f559d311ea4cf3e161c1ace16d5288 Mon Sep 17 00:00:00 2001
From: Joachim Stramke <joachim.stramke@ifsr.de>
Date: Tue, 30 Apr 2024 14:22:50 +0200
Subject: [PATCH 24/67] adding postfix to monitoring

---
 modules/monitoring.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/monitoring.nix b/modules/monitoring.nix
index 321c0f9..3d20541 100644
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@@ -45,6 +45,11 @@ in
         enabledCollectors = [ "systemd" ];
         port = 9002;
       };
+      postfix = {
+        enable = true;
+        port = 25;
+        user = config.serivces.postfix.user;
+      };
     };
     scrapeConfigs = [
       {
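Review bot: `user = config.serivces.postfix.user` misspells `services`, so the attribute path does not exist and the configuration fails to evaluate; write `user = config.services.postfix.user;`. `port = 25` is also the SMTP port Postfix itself listens on, so the exporter's HTTP listener would collide with the mail server; give the exporter its own unused port.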

From 1f4e9a620b4840bfde65c6ff59ac408f32210e06 Mon Sep 17 00:00:00 2001
From: quitte <root@quitte>
Date: Thu, 2 May 2024 10:48:26 +0200
Subject: [PATCH 25/67] trying to get postfix running

---
 modules/monitoring.nix | 12 +++++++++---
 overlays/default.nix   | 10 ++++++++++
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/modules/monitoring.nix b/modules/monitoring.nix
index 14af2d8..5aa664a 100644
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@@ -45,8 +45,7 @@ in
       };
       postfix = {
         enable = true;
-        port = 25;
-        user = config.serivces.postfix.user;
+        port = 9003;
       };
     };
     scrapeConfigs = [
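Review bot: The postfix exporter gets a port but no `listenAddress`, and as far as I recall the NixOS exporter module binds to all interfaces by default, while the only scraper is Prometheus on 127.0.0.1; add `listenAddress = "127.0.0.1";` so the metrics endpoint is not reachable from outside regardless of firewall state. The same applies to the node exporter block visible in the context of the previous patch (`port = 9002`).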
@@ -57,13 +56,20 @@ in
         }];
         scrape_interval = "15s";
       }
+      {
+        job_name = "postfix";
+        static_configs = [{
+          targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.postfix.port}" ];
+        }];
+        # scrape_interval = "60s";
+      }
     ];
   };
 
   # nginx reverse proxy
   services.nginx.virtualHosts.${domain} = {
     locations."/" = {
-      proxyPass = "http://localhost:${toString config.services.grafana.port}";
+      proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
       proxyWebsockets = true;
     };
   };
diff --git a/overlays/default.nix b/overlays/default.nix
index 52de42e..d5b5aae 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -1,6 +1,7 @@
 _final: prev:
 let
   inherit (prev) fetchurl;
+  inherit (prev) fetchFromGitHub;
 in
 {
   # AGDSN is running an outdated version that we have to comply to
@@ -11,5 +12,14 @@ in
       sha256 = "sha256-3w+FJezbo4DnS1N8pxrfO3WWWT8CGJtZqw6//IXMyN4=";
     };
   }));
+  # (hopefully) fix systemd journal reading
+  prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (old: rec {
+    src = fetchFromGitHub {
+      owner = "adangel";
+      repo = "postfix_exporter";
+      rev = "414ac12ee63415eede46cb3084d755a6da6fba23";
+      hash = "sha256-m1kVaO3N7XC1vtnxXX9kMiEFPmZuoopRUYgA7gQzP8w=";
+    };
+  });
 
 }

From 197956ea9002b78ec28074fd00fbca56625be0db Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Thu, 2 May 2024 11:23:13 +0200
Subject: [PATCH 26/67] prometheus: patch the postfix exporter to catch rspamd
 rejects

---
 overlays/default.nix                          |  5 +++-
 ...001-cleanup-also-catch-milter-reject.patch | 25 +++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch

diff --git a/overlays/default.nix b/overlays/default.nix
index d5b5aae..d5d37e5 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -13,7 +13,10 @@ in
     };
   }));
   # (hopefully) fix systemd journal reading
-  prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (old: rec {
+  prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (old: {
+    patches = [
+      ./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
+    ];
     src = fetchFromGitHub {
       owner = "adangel";
       repo = "postfix_exporter";
diff --git a/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch b/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
new file mode 100644
index 0000000..2b60316
--- /dev/null
+++ b/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
@@ -0,0 +1,25 @@
+From f4c5dd5628c873981b2d6d6b8f3bbf036b9fd724 Mon Sep 17 00:00:00 2001
+From: Rouven Seifert <rouven.seifert@ifsr.de>
+Date: Thu, 2 May 2024 11:20:27 +0200
+Subject: [PATCH] cleanup: also catch milter-reject
+
+---
+ postfix_exporter.go | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/postfix_exporter.go b/postfix_exporter.go
+index f20d99c..676d767 100644
+--- a/postfix_exporter.go
++++ b/postfix_exporter.go
+@@ -335,6 +335,8 @@ func (e *PostfixExporter) CollectFromLogLine(line string) {
+ 				e.cleanupProcesses.Inc()
+ 			} else if strings.Contains(remainder, ": reject: ") {
+ 				e.cleanupRejects.Inc()
++			} else if strings.Contains(remainder, ": milter-reject: ") {
++				e.cleanupRejects.Inc()
+ 			} else {
+ 				e.addToUnsupportedLine(line, subprocess, level)
+ 			}
+-- 
+2.44.0
+

From bdc6185fce20f73d9eb92ca5342d3e8feaa94504 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Thu, 2 May 2024 19:33:50 +0200
Subject: [PATCH 27/67] grafana: fix root_url

---
 modules/monitoring.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/monitoring.nix b/modules/monitoring.nix
index 5aa664a..af28b88 100644
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@@ -11,6 +11,7 @@ in
         inherit domain;
         http_addr = "127.0.0.1";
         http_port = 2342;
+        root_url = "https://monitoring.ifsr.de";
       };
       database = {
         type = "postgres";
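Review bot: `root_url = "https://monitoring.ifsr.de"` hard-codes the hostname although `domain` is inherited two lines above and derived from `config.networking.domain`; `root_url = "https://${domain}";` keeps the two in sync if the domain ever changes.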

From 993a5543963a5a465beb2247724ae41c7078c578 Mon Sep 17 00:00:00 2001
From: Jonas Gaffke <jonas@jonasga.io>
Date: Sun, 5 May 2024 09:40:31 +0200
Subject: [PATCH 28/67] sops: decisions env

---
 secrets/quitte.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index a8aa30d..f8b8d4d 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -19,7 +19,7 @@ postfix_ldap_aliases: ENC[AES256_GCM,data:beJTXpJYlAz4vyv2rAyuMtU2gkwf4JNnsFAG0o
 vaultwarden_env: ENC[AES256_GCM,data:JFySiTHahlUFsM+FcuSJPnGYMijphrnZpFFdoNe7DYxWjIgPRWdfH9WC/a5GsK2xCJXllXAASHNxgkYRrdPw2KaCiUR/QhAjtUmyv2NsIBcMYStafDUEK9emddR+ACedScsgS0FtP8f3cz1enTBi+DkYgL8lMAoCw5p8vMRyE9mVOLpTUDOO7T4=,iv:992REuXzHAxxhy2BbeCGNhTZkn8eSi8N2RyBXqqy7U0=,tag:iP5AFQqzoR66AkTGfYAUZg==,type:str]
 directus_env: ENC[AES256_GCM,data:TzZhYDS+ix2kY6gVZj98E2W7IbqWBpwUCz4n9UUyLI2jnySnjD+AJZ8WM/r6LEGFYAdBAsuynRqui2k5OuaZhDhjm9acaH7DdCiuslvL0V7vJS70GDjBFzAQglqM3w2uqsfqDSs89FpuuvkGRBLrLeXIg5wmkx21wQA=,iv:jcLNwjbgFbgAXBlnjoLV9EXFI+il/hRpd+Cc/D/wUMo=,tag:Vp5uEqnZC6L+CfNFbxNw/w==,type:str]
 strukturbot_env: ENC[AES256_GCM,data:klTFgdNvdMYA++GsmqEHdhklZ5JUreP2Lh+5E0mj5iH7F8Run6/gAdHBJpCWEe2Q3o6RdZduy+kCXzJWznkLbEASxgJNcAWdFq2CU4ov0Z6rGS6i/X376Yc6I7oYLfQSd58r8Q/rhFl2qXkCiSGJYNvo6vGh6+b/TdTABwAnvj/k81n2SsSpoMOu9/1Pyop7QNVMuAtXaE/sca1KPtU/Yg3DrKczxKzKppReafIs7ICI/760N/H0Wwh6rtw51mfQxxOW9UpPXmnEFI8b+07pVsgNoSbzPCMaAoxf6LFnTnqtFRNS0N7rX3DrP6GSv2A8Bwm5of0sLhIm3gAAQ2iXp2di+BOi7uRqFVtNZ18XGPil8FVEkeIFdmhjCJAOJRyuANl3JsaqRk4lT1qMglyjHtCodP5rvVe+pALzpihNPIQPy0Tes2GOM4Q6ww4UxZrgevNHz7CnEMSEPU8Hjb63UkZTZbj2HxF8,iv:a2NyivM34Z/V/ir+NzsXNm73sp6uASYDiqDOG2ix2JE=,tag:buP1Hcvt3dEW249BWNBKkw==,type:str]
-decisions_env: ENC[AES256_GCM,data:yuxfgdEGYGAqrKqQ6TIKcRXMBluOKeCz8hMXeLxFRXKx1cKn11fGvS7LCtRoFTeHUvBjzb5VLdQkjb6OFYT35Ck7GKk5ZceN,iv:B7brAFVed1Ck5jCqp0VvnYHD/rtDbyYv9/gWx8Kwfpw=,tag:ki/dhuiK4QWxfRqOQR7Otw==,type:str]
+decisions_env: ENC[AES256_GCM,data:JOi4V3TOH/qcDwcEeyrFrmfQlQpTOhX6syXOZv2K3Qo3poRLTLgNVEX0bWMIsSr5ACIvfoi8yMYOePJj2wOZoewqJw/Tr+4reGwHmMfgAxfZhD/ykFOBIGGdqEstAT335q8+T/xOkv7+9M8wWbmzFeQC7M9XdmoVBIVkTEuZb9OpCp91WEY8h1/2LTwf9+hGKNVZ4LkfbrLRed1RyWLjW0JD5kJebRJvSC5qnOhv4nz4iGAECl+1DokNWHrvFJGOm47f1uXtXoBXVnaXhhrkZ2j9r7nUpZpCITeJH5x8beJc7drmaoQs3PlLTcaKEeujNtwknYnBC4eUXx+78phYfA==,iv:pqIMRbNOIlK3ddUMpn8qDKz4tGFyAU6DyIzfuIkxSwc=,tag:ZterxIhIxeYLPiYsewVzBg==,type:str]
 course-management:
     secret-key: ENC[AES256_GCM,data:zMoIj8gjNmLdSbQmFo8n1pDIKaUUMzPfVoKkPlqNtm4=,iv:AM5wwvAFXKVss4N2/lK6bKYHV/4Bv5EOz2MVTxAPF1w=,tag:ARzQUVVjz+HhUT+JAISHkA==,type:str]
     adminpass: ENC[AES256_GCM,data:EariUHHtWirIXuRARj7lEneAOlKcjca9T+J0oH2xPv99w4ac1cRrvEVD,iv:cjC/+AnZdwWXkJOIAE36Hk/if4fqofVFf0H8WkHkRY8=,tag:M+s4hPzSp8eR76M/7TKXPg==,type:str]
@@ -48,8 +48,8 @@ sops:
             c2lzVGV6WnVQT1pOTTVwRUxlMWZobWsK0CrDl2ELoYOTrMt3uN3mgBSyaYqOQY4I
             vBK12PV9FR9GFpKN4kGB03PZ0gV0N1zlcCHpnPCUuHwbCvvF2+vCag==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-21T14:49:39Z"
-    mac: ENC[AES256_GCM,data:UOSGdgzqdp8G9e0SfzUxUDWPfv5a6YXhPy2//4njeFQwBmBFs/2d1jtn7CWr7y/1WcbuCjr03SudfO/yquNiELZqfIi41b0Qu6PplQE5khQR4RT7jpJ8b7HGmAnvAxhM5X835cXntU7FXna+1QWwzIKpPGVtKQ7m36CbgSgY2Gw=,iv:sRCLtoxeYaNS0Ga+ncUWxPh0MsqJUfHpamHQpGrm7lY=,tag:vLsJYdmKCNqOr5y5ZYVaDg==,type:str]
+    lastmodified: "2024-05-05T07:39:57Z"
+    mac: ENC[AES256_GCM,data:N4xRSkLgkdGRqHQVALMPM1n7P0je6l32ek7h0hYDanNQL9lurjA3SNCb0HUl/nWBSWdYqWgSYosnuzLuaq/6zDaE7T+3gUazXZ8A2qeBuzLUbGiH53lql3OwKZPtme1+ZMtM1EG+2wgGOdT2CXjlVWEY+9a3GaL/d0lHyJWwHjE=,iv:LCd1Xi8AE+7LVkBP9W+mfp4nfbsQ3fH4dsWKN3qw7uk=,tag:yVE1nCjvboApqDoMboRHng==,type:str]
     pgp:
         - created_at: "2024-02-29T15:23:23Z"
           enc: |-

From 7630dc44949fd7ddfcad74abe6d140aad8b61314 Mon Sep 17 00:00:00 2001
From: Jonas Gaffke <jonas.gaffke@ifsr.de>
Date: Mon, 6 May 2024 11:08:41 +0200
Subject: [PATCH 29/67] decisions: use newer image

---
 modules/decisions.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/decisions.nix b/modules/decisions.nix
index 8427375..29ebeb3 100644
--- a/modules/decisions.nix
+++ b/modules/decisions.nix
@@ -6,7 +6,7 @@ in
   sops.secrets."decisions_env" = { };
   virtualisation.oci-containers = {
     containers.decisions = {
-      image = "decisions";
+      image = "ghcr.io/fsr/decisions";
       volumes = [
         "/var/lib/nextcloud/data/root/files/FSR/protokolle:/protokolle:ro"
       ];
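Review bot: `image = "ghcr.io/fsr/decisions"` carries neither a tag nor a digest, so each pull resolves to whatever `latest` is at that moment and the deployment is neither reproducible nor auditable; pin it, e.g. `image = "ghcr.io/fsr/decisions:<TAG>";` (placeholder) or, better, an `@sha256:` digest.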

From 81ac3b4c0d45713a28dfcea842b334e3e52adf30 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Mon, 6 May 2024 11:12:19 +0200
Subject: [PATCH 30/67] ssh: disable password login

---
 hosts/quitte/configuration.nix | 9 +++------
 modules/core/base.nix          | 8 +++++++-
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/hosts/quitte/configuration.nix b/hosts/quitte/configuration.nix
index 0e2d288..2d7faa1 100644
--- a/hosts/quitte/configuration.nix
+++ b/hosts/quitte/configuration.nix
@@ -21,12 +21,12 @@
   boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux_6_6.override {
     argsOverride = rec {
       src = pkgs.fetchurl {
-            url = "mirror://kernel/linux/kernel/v6.x/linux-${version}.tar.xz";
-            sha256 = "sha256-Y55QBg48jyPtAXyxDP6sxrqI/1WDgSu3aFm0zGoSgpE=";
+        url = "mirror://kernel/linux/kernel/v6.x/linux-${version}.tar.xz";
+        sha256 = "sha256-Y55QBg48jyPtAXyxDP6sxrqI/1WDgSu3aFm0zGoSgpE=";
       };
       version = "6.6.27";
       modDirVersion = "6.6.27";
-      };
+    };
   });
 
   services.zfs = {
@@ -53,9 +53,6 @@
       value = "10000";
     }
   ];
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-  services.openssh.settings.PermitRootLogin = "yes";
 
   systemd = {
     services.nix-daemon.serviceConfig = {
diff --git a/modules/core/base.nix b/modules/core/base.nix
index 53a5d38..b3f19c0 100755
--- a/modules/core/base.nix
+++ b/modules/core/base.nix
@@ -29,7 +29,13 @@
   };
 
   # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "yes";
+      PasswordAuthentication = "no";
+    };
+  };
   programs.mosh.enable = true;
 
   # vs code server
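Review bot: `PasswordAuthentication = "no"` is a string where the NixOS option takes a boolean, so this evaluation is likely to fail; write `PasswordAuthentication = false;`. Disabling password authentication alone also leaves keyboard-interactive (PAM) logins enabled under the module's default, so add `KbdInteractiveAuthentication = false;` next to it for the setting to mean what the commit title says. With key-only access, `PermitRootLogin = "prohibit-password";` states the intent more precisely than `"yes"` and stays safe if password auth is ever re-enabled.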

From 5930da6bdfee3c475d13f39b38ddf4d8975c9835 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Mon, 6 May 2024 11:13:49 +0200
Subject: [PATCH 31/67] ssh: fix type

---
 modules/core/base.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/core/base.nix b/modules/core/base.nix
index b3f19c0..5f4e7b7 100755
--- a/modules/core/base.nix
+++ b/modules/core/base.nix
@@ -33,7 +33,7 @@
     enable = true;
     settings = {
       PermitRootLogin = "yes";
-      PasswordAuthentication = "no";
+      PasswordAuthentication = false;
     };
   };
   programs.mosh.enable = true;

From 4fa9a2fe7de8f8750ac00b2917e376343f3c518b Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Mon, 6 May 2024 11:21:12 +0200
Subject: [PATCH 32/67] treewide: cleanup with deadnix

---
 hosts/quitte/configuration.nix | 2 +-
 modules/monitoring.nix         | 2 +-
 overlays/default.nix           | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/hosts/quitte/configuration.nix b/hosts/quitte/configuration.nix
index 2d7faa1..6f18e21 100644
--- a/hosts/quitte/configuration.nix
+++ b/hosts/quitte/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
 
 {
   imports =
diff --git a/modules/monitoring.nix b/modules/monitoring.nix
index af28b88..ed68e37 100644
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 let
   domain = "monitoring.${config.networking.domain}";
 in
diff --git a/overlays/default.nix b/overlays/default.nix
index d5d37e5..7240ef2 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -13,7 +13,7 @@ in
     };
   }));
   # (hopefully) fix systemd journal reading
-  prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (old: {
+  prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (_old: {
     patches = [
       ./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
     ];

From 5294cd68f86369fa07ee260afc1c8e74b9938a3a Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Thu, 2 May 2024 13:21:16 +0200
Subject: [PATCH 33/67] keycloak: init

---
 modules/keycloak.nix | 27 +++++++++++++++++++++++++++
 secrets/quitte.yaml  |  8 +++++---
 2 files changed, 32 insertions(+), 3 deletions(-)
 create mode 100644 modules/keycloak.nix

diff --git a/modules/keycloak.nix b/modules/keycloak.nix
new file mode 100644
index 0000000..9073914
--- /dev/null
+++ b/modules/keycloak.nix
@@ -0,0 +1,27 @@
+{ config, ... }:
+let
+  domain = "sso.${config.networking.domain}";
+in
+{
+  sops.secrets."keykloak/db" = { };
+  services.keycloak = {
+    enable = true;
+    settings = {
+      http-port = 8086;
+      https-port = 19000;
+      hostname = domain;
+      proxy = "edge";
+    };
+    # The module requires a password for the DB and works best with its own DB config
+    # Does an automatic Postgresql configuration
+    database = {
+      passwordFile = config.sops.secrets."keycloak/db".path;
+    };
+    initialAdminPassword = "plschangeme";
+  };
+  services.nginx.virtualHosts."${domain}" = {
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";
+    };
+  };
+}
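Review bot: `initialAdminPassword = "plschangeme"` puts the bootstrap admin credential in the repository and in the world-readable Nix store, so it must be rotated at first login and treated as public; a comment such as `# bootstrap only: rotate after first login, this string ends up in the store` would make that explicit for the next maintainer. The secret is declared as `sops.secrets."keykloak/db"` but read back as `config.sops.secrets."keycloak/db".path`, so the names do not match and evaluation fails until one is corrected. The nginx virtual host sets neither `forceSSL` nor `enableACME`; if those come from a shared default elsewhere this is fine, otherwise the SSO endpoint would be served over plain HTTP while `proxy = "edge"` assumes TLS termination in front.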
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index f8b8d4d..de196f8 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -1,7 +1,9 @@
 nextcloud_adminpass: ENC[AES256_GCM,data:v6FYsO/RklPSz5uf6aYQDhdudHb0962I1WxJM3VGc0af6s/fEz2j+UTu,iv:WzS+jU7qmNQbd1RWDempdu4nv0ytWeybF/PKoc4mvTc=,tag:1CF3ZnQNDLv11j7UoyYsjg==,type:str]
-hedgedoc_session_secret: ENC[AES256_GCM,data:WFbqr6VX12rpiPuIPlQnwOMdHM1B0yk2PYuuanbqREE=,iv:Iih4/GNs9qN+AM6fdaTJLmmPQIzxIwXHUZttP1Up6qs=,tag:IVZQId4yxbePVQqJB9+3iw==,type:str]
+hedgedoc_session_secret: ENC[AES256_GCM,data:WO3j/Sp0LHyNC51jdzChKB46KLU7l57TBVNL3v92sjs=,iv:HVizKMCd+d9cTQEzRncRpv9scldg5Nn2fBRz0D58OOg=,tag:8HZttVgZs4Ah8JWTDaTySA==,type:str]
 nix-serve:
     key: ENC[AES256_GCM,data:GptsUgeXOOrwJctoMZ+mWXcw9DwJ0f0LOlLyMlH/877N4uA5/NtNKIaFHl3z2GWPRBnDLBzDEO1Q6EDuWbakr+Uq4zTJm2MOV6Qf4kM0BlNpXGIdjvh7tD2La7GV4ID+CT8U6p0E,iv:3A/Yy4PHsq9VdhW4SKIYdpd1enQ5cDiKLk5S9VrH0b4=,tag:WZzbct7LZmOhEvx9KVQ8WA==,type:str]
+keycloak:
+    db: ENC[AES256_GCM,data:DVf/pVCHHUed2cQleECk0paBTZ/6Q3NE,iv:j3sWWNL0dqPJBLUx10+jJ7QvdAHvGM55KKDwG2aQEs0=,tag:6VTeE+Prsm+LPemzbEtVYg==,type:str]
 dex:
     environment: ENC[AES256_GCM,data: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,iv:/it0Kg0+2BpdiJFI2GBiC2VJgeHC/GbjniDKVqL1xSo=,tag:Y06ICn5wHGV3jUZTRt1k4w==,type:str]
 portunus:
@@ -48,8 +50,8 @@ sops:
             c2lzVGV6WnVQT1pOTTVwRUxlMWZobWsK0CrDl2ELoYOTrMt3uN3mgBSyaYqOQY4I
             vBK12PV9FR9GFpKN4kGB03PZ0gV0N1zlcCHpnPCUuHwbCvvF2+vCag==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-05T07:39:57Z"
-    mac: ENC[AES256_GCM,data:N4xRSkLgkdGRqHQVALMPM1n7P0je6l32ek7h0hYDanNQL9lurjA3SNCb0HUl/nWBSWdYqWgSYosnuzLuaq/6zDaE7T+3gUazXZ8A2qeBuzLUbGiH53lql3OwKZPtme1+ZMtM1EG+2wgGOdT2CXjlVWEY+9a3GaL/d0lHyJWwHjE=,iv:LCd1Xi8AE+7LVkBP9W+mfp4nfbsQ3fH4dsWKN3qw7uk=,tag:yVE1nCjvboApqDoMboRHng==,type:str]
+    lastmodified: "2024-05-06T09:24:11Z"
+    mac: ENC[AES256_GCM,data:yfIPRbPOMLbO70u4+/BENICJL2w1PSfWTEwYx4d807ZoKJFp/urHetRgSpkZuRy+MgooetNaHqQdR9y7+hv2L4rUqn8BXRvZCLSbrsUhoeszyYUgzbWFprDDJGpkpOc5RfBjOKCFckr05gc0Gdfh0Fg77dzOOzJ15B3TflGiLqY=,iv:J5q2kGzAQoHc0fcJgyeBY+LXudW9HS5Kc59IVf1w7As=,tag:aVFQxKXi6sdwmw+P3qvY+A==,type:str]
     pgp:
         - created_at: "2024-02-29T15:23:23Z"
           enc: |-

From a832b8d2a585b4b78bf2ab89d4e17bbfd17064ea Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Mon, 6 May 2024 17:05:22 +0200
Subject: [PATCH 34/67] keycloak: fix things

---
 flake.nix            | 1 +
 modules/keycloak.nix | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/flake.nix b/flake.nix
index 6159bc2..23cd7e0 100755
--- a/flake.nix
+++ b/flake.nix
@@ -83,6 +83,7 @@
             ./modules/hedgedoc.nix
             ./modules/padlist.nix
             ./modules/nextcloud.nix
+            ./modules/keycloak.nix
             ./modules/monitoring.nix
             ./modules/vaultwarden.nix
             ./modules/forgejo
diff --git a/modules/keycloak.nix b/modules/keycloak.nix
index 9073914..78a2abd 100644
--- a/modules/keycloak.nix
+++ b/modules/keycloak.nix
@@ -3,7 +3,7 @@ let
   domain = "sso.${config.networking.domain}";
 in
 {
-  sops.secrets."keykloak/db" = { };
+  sops.secrets."keycloak/db" = { };
   services.keycloak = {
     enable = true;
     settings = {

From 6a2bcecb5e6bfbffd1e9fe76e954e1f1b32fb955 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Mon, 6 May 2024 22:59:48 +0200
Subject: [PATCH 35/67] ifsr.de: add sso redirect

---
 modules/web/ifsrde.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/web/ifsrde.nix b/modules/web/ifsrde.nix
index 7f5996f..0db4396 100644
--- a/modules/web/ifsrde.nix
+++ b/modules/web/ifsrde.nix
@@ -60,6 +60,7 @@ in
         "~ ^/cmd(/?[^\\n|\\r]*)$".return = "301 https://pad.ifsr.de$1";
         "/bbb".return = "301 https://bbb.tu-dresden.de/b/fsr-58o-tmf-yy6";
         "/kpp".return = "301 https://kpp.ifsr.de";
+        "/sso".return = "301 https://sso.ifsr.de/realms/internal/account";
         # security
         "~* /(\.git|cache|bin|logs|backup|tests)/.*$".return = "403";
         # deny running scripts inside core system folders

From 395ca48ac023fc08e4b93f6945cd55ccf8d9855d Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Mon, 6 May 2024 23:51:28 +0200
Subject: [PATCH 36/67] padlist: remove dex configuration

---
 modules/padlist.nix | 6 ------
 secrets/quitte.yaml | 6 +++---
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/modules/padlist.nix b/modules/padlist.nix
index 83900eb..8a5f440 100644
--- a/modules/padlist.nix
+++ b/modules/padlist.nix
@@ -46,10 +46,4 @@ in
       };
     };
   };
-
-  services.portunus.dex.oidcClients = [{
-    id = "padlist";
-    callbackURL = "https://list.pad.ifsr.de/callback.php";
-  }];
-
 }
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index de196f8..c21cf22 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -5,7 +5,7 @@ nix-serve:
 keycloak:
     db: ENC[AES256_GCM,data:DVf/pVCHHUed2cQleECk0paBTZ/6Q3NE,iv:j3sWWNL0dqPJBLUx10+jJ7QvdAHvGM55KKDwG2aQEs0=,tag:6VTeE+Prsm+LPemzbEtVYg==,type:str]
 dex:
-    environment: ENC[AES256_GCM,data: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,iv:/it0Kg0+2BpdiJFI2GBiC2VJgeHC/GbjniDKVqL1xSo=,tag:Y06ICn5wHGV3jUZTRt1k4w==,type:str]
+    environment: ENC[AES256_GCM,data:M3fTrCJt8ncFRkZ77QPrDstoU/pO2r8AeYVu+VMWxnHT6VTtqVSQfgfb8LEryjInt8xbsSjGbsMqA4wbIkf8p2P5hvcKeZYSnmR+N3hz/NZamdzW4VqpBah7Yoe7wO0mi5ECDtp6xVZObzaS0E23N79vhXHWR63w4DalLQGNPJQVmgoib0wvGbVoCEIOBGHVb42nuyrtYInOoLYH58NVt/iU8HlKBUXWXtWa7M540RulahRxq44JxR9qg4TqhqlI0HPXJqMGRvHT80sq0fkA+TLi5O//4evKsYDJSajd4dp3QRPc8IpckE/YgIuj+6q3HMll5brOx2UKXu1nNLOoZbmx0XjXwgnh7+mun71dTM3C7DnM+vBYX671dukoeJ3vWTLRJn7bmlFET2NbxK5utGvGTUElzTqoS038GLjlkLOmalD+uEhQ6aoEVo2adNa5anRgwJkVcBxojuCMSLstTY/29lAQhk3ShG9kok6C52Ks1/YQz1rkfdUx3Tb0,iv:beNf5wvPTv7d7IzGZKTlLJUTaeFM43zzoBi8517pC+A=,tag:2kIM93eW8HFLVztzXSyo1w==,type:str]
 portunus:
     admin-password: ENC[AES256_GCM,data:fESE6vrKhtslQO6ZJGv0T9t+leOSrgkY291orkwY+HPnOh26g2PSMX3j,iv:qmbCmjg0WsbOzfv6LsKcY3S1ssVXmaRB3lE6ZWzKSww=,tag:t8cP8XRTtto3EnNLEdz0yw==,type:str]
     search-password: ENC[AES256_GCM,data:xtbWS98IkQbnBu67sN413VNHZLg6eedbStE2uZ2pljS30uoM3coO2d32,iv:lKMTNnQJJfjAG7aX+G0eNnL36Cxmn+cWMRAlTovMJ4Y=,tag:FQGRBqsmY2c9VVIdBvGwCw==,type:str]
@@ -50,8 +50,8 @@ sops:
             c2lzVGV6WnVQT1pOTTVwRUxlMWZobWsK0CrDl2ELoYOTrMt3uN3mgBSyaYqOQY4I
             vBK12PV9FR9GFpKN4kGB03PZ0gV0N1zlcCHpnPCUuHwbCvvF2+vCag==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-06T09:24:11Z"
-    mac: ENC[AES256_GCM,data:yfIPRbPOMLbO70u4+/BENICJL2w1PSfWTEwYx4d807ZoKJFp/urHetRgSpkZuRy+MgooetNaHqQdR9y7+hv2L4rUqn8BXRvZCLSbrsUhoeszyYUgzbWFprDDJGpkpOc5RfBjOKCFckr05gc0Gdfh0Fg77dzOOzJ15B3TflGiLqY=,iv:J5q2kGzAQoHc0fcJgyeBY+LXudW9HS5Kc59IVf1w7As=,tag:aVFQxKXi6sdwmw+P3qvY+A==,type:str]
+    lastmodified: "2024-05-06T21:51:18Z"
+    mac: ENC[AES256_GCM,data:6Zh2p/3l8Ts/vvmc8XYjwa1yUYT/U1YVJ7sJ2teRk5ZV3GrvziNmt/Sg3UNSotovJEi2EXdZTHReTOeM0ANPbNPtfVGdV7a69Oh2nax6UT0xmpO27hPG1HnlgPzsBX1SCCrb0nBBcD+uiBk0vmqlDy2SEN6KUgM9htBJSffvIs4=,iv:LdIOpwoGnno7lHirg4aLwLnwb8mXfYHVDvCur1cujWY=,tag:slQDKBSCGsKhN0MOi773CA==,type:str]
     pgp:
         - created_at: "2024-02-29T15:23:23Z"
           enc: |-

From 6abc1e75b92d509ae66e050b7d380e9709838931 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Tue, 7 May 2024 11:10:59 +0200
Subject: [PATCH 37/67] directus: configure openid connect

---
 modules/web/ese.nix | 4 ++++
 secrets/quitte.yaml | 6 +++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/modules/web/ese.nix b/modules/web/ese.nix
index 0f696de..85f922e 100644
--- a/modules/web/ese.nix
+++ b/modules/web/ese.nix
@@ -22,6 +22,10 @@ in
         "DB_PORT" = "5432";
         "DB_DATABASE" = "directus_ese";
         "DB_USER" = "directus_ese";
+        "AUTH_KEYCLOAK_DRIVER" = "openid";
+        "AUTH_KEYCLOAK_CLIENT_ID" = "directus-ese";
+        "AUTH_KEYCLOAK_ISSUER_URL" = "http://sso.ifsr.de/realms/internal/.well-known/openid-configuration";
+        "AUTH_KEYCLOAK_IDENTIFIER_KEY" = "email";
       };
       environmentFiles = [
         config.sops.secrets."directus_env".path
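Review bot: `AUTH_KEYCLOAK_ISSUER_URL` points at an `http://` discovery document, so Directus would fetch the OIDC metadata (JWKS and endpoint URLs included) over cleartext where it could be altered in transit; use `https://sso.ifsr.de/realms/internal/.well-known/openid-configuration`. The realm URL is also hard-coded while the rest of the configuration derives hostnames from `config.networking.domain`, which is worth aligning.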
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index c21cf22..ebf220e 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -19,7 +19,7 @@ mediawiki:
 mautrix-telegram_env: ENC[AES256_GCM,data:FyMtJChtir8Ip8S7zlBSvKccjt+7Hl0StHzxmKO7VdwNNA650HHfni9o7akIY52+r86tvP3D/bqHaBZqkq61ZNICnFJuYIkROvt1035uej1cdjlHeCrZBttI2w3ZkkKT/RZq5BOLt52o/fnw5Jlt+3yr6Kzd5mvcz6a2e5V96kFjaib6mMdg/Y6axiXvOSeFOHCjs6Js+ab7MDe90KUM3aLtBezXx9YTeU7RiqEiZl21dxzPIwilj8bhEB0RRIb1,iv:1ojF2NyQfaZbKwlHQND7LEOLWT1SWCpGPQTm2+0Y+xo=,tag:RavBAv49Ldm4rH+2DDGstQ==,type:str]
 postfix_ldap_aliases: ENC[AES256_GCM,data:beJTXpJYlAz4vyv2rAyuMtU2gkwf4JNnsFAG0oKLWuKQZnX/EyqyGTFK7hOs12qye26H9Ysl5vP12iDyVXU4cyYmBOMSOiIS4opPVs7yjp/FH0u6DXHExzd8qs5vwa+D+c9j05kLVZ85EGneDma4ITNBjo/JMjyXCHB0e8EZTFyfR8+fq+qvuyOUmLBfJSO5BK96u370DJ7EmIPLDiCUSO2MCD86yfFEq5J++ljeuKLxUtisqFWDPNeNq3YGjz0EHUgcqqDwzLwEEXyvn5FEI00nR0qBgSBTSWRDrndo5O2k3JMfZWW9UhXXS4kPwCYEkQSM240cwLNV/Rb9XceH2wxzL8PcfTNiy2vd,iv:lb9u3ryu1+G95OIizX17ft+fGK2CA2xt9DhYhtKda1c=,tag:CsS2Q32AgAyS5eZ7Z/Kf8g==,type:str]
 vaultwarden_env: ENC[AES256_GCM,data:JFySiTHahlUFsM+FcuSJPnGYMijphrnZpFFdoNe7DYxWjIgPRWdfH9WC/a5GsK2xCJXllXAASHNxgkYRrdPw2KaCiUR/QhAjtUmyv2NsIBcMYStafDUEK9emddR+ACedScsgS0FtP8f3cz1enTBi+DkYgL8lMAoCw5p8vMRyE9mVOLpTUDOO7T4=,iv:992REuXzHAxxhy2BbeCGNhTZkn8eSi8N2RyBXqqy7U0=,tag:iP5AFQqzoR66AkTGfYAUZg==,type:str]
-directus_env: ENC[AES256_GCM,data:TzZhYDS+ix2kY6gVZj98E2W7IbqWBpwUCz4n9UUyLI2jnySnjD+AJZ8WM/r6LEGFYAdBAsuynRqui2k5OuaZhDhjm9acaH7DdCiuslvL0V7vJS70GDjBFzAQglqM3w2uqsfqDSs89FpuuvkGRBLrLeXIg5wmkx21wQA=,iv:jcLNwjbgFbgAXBlnjoLV9EXFI+il/hRpd+Cc/D/wUMo=,tag:Vp5uEqnZC6L+CfNFbxNw/w==,type:str]
+directus_env: ENC[AES256_GCM,data:Q8mQYpwsMbv8NHIzTjxlbS528uZoFkzB0WDZITiYdbq6Y5a+12IEuXXRU+/v7vonpSWFH0ROqfrGy5yd3VhTR2eFvg8OsnlanFnnF4DYIDVMWLEOf4XoOoh/9tYPqoPYFtvwYnlCZFaEky4BKdcIFuqSuqrV9GSabBRuNJ1RbPyRXA6Nwr25uWYr70/1iIEb1tfffqR1YfycZ1JW4kL7OcjxNb6CwoPQ00Z/0t3YYG5Rc9rj7qTc6qw=,iv:yswA2oUhllYoAflK4BbxUMlCWaEfrFi/6g1r6wWZxHA=,tag:36xbdXho+lqKQt9ZaqS/Mw==,type:str]
 strukturbot_env: ENC[AES256_GCM,data:klTFgdNvdMYA++GsmqEHdhklZ5JUreP2Lh+5E0mj5iH7F8Run6/gAdHBJpCWEe2Q3o6RdZduy+kCXzJWznkLbEASxgJNcAWdFq2CU4ov0Z6rGS6i/X376Yc6I7oYLfQSd58r8Q/rhFl2qXkCiSGJYNvo6vGh6+b/TdTABwAnvj/k81n2SsSpoMOu9/1Pyop7QNVMuAtXaE/sca1KPtU/Yg3DrKczxKzKppReafIs7ICI/760N/H0Wwh6rtw51mfQxxOW9UpPXmnEFI8b+07pVsgNoSbzPCMaAoxf6LFnTnqtFRNS0N7rX3DrP6GSv2A8Bwm5of0sLhIm3gAAQ2iXp2di+BOi7uRqFVtNZ18XGPil8FVEkeIFdmhjCJAOJRyuANl3JsaqRk4lT1qMglyjHtCodP5rvVe+pALzpihNPIQPy0Tes2GOM4Q6ww4UxZrgevNHz7CnEMSEPU8Hjb63UkZTZbj2HxF8,iv:a2NyivM34Z/V/ir+NzsXNm73sp6uASYDiqDOG2ix2JE=,tag:buP1Hcvt3dEW249BWNBKkw==,type:str]
 decisions_env: ENC[AES256_GCM,data:JOi4V3TOH/qcDwcEeyrFrmfQlQpTOhX6syXOZv2K3Qo3poRLTLgNVEX0bWMIsSr5ACIvfoi8yMYOePJj2wOZoewqJw/Tr+4reGwHmMfgAxfZhD/ykFOBIGGdqEstAT335q8+T/xOkv7+9M8wWbmzFeQC7M9XdmoVBIVkTEuZb9OpCp91WEY8h1/2LTwf9+hGKNVZ4LkfbrLRed1RyWLjW0JD5kJebRJvSC5qnOhv4nz4iGAECl+1DokNWHrvFJGOm47f1uXtXoBXVnaXhhrkZ2j9r7nUpZpCITeJH5x8beJc7drmaoQs3PlLTcaKEeujNtwknYnBC4eUXx+78phYfA==,iv:pqIMRbNOIlK3ddUMpn8qDKz4tGFyAU6DyIzfuIkxSwc=,tag:ZterxIhIxeYLPiYsewVzBg==,type:str]
 course-management:
@@ -50,8 +50,8 @@ sops:
             c2lzVGV6WnVQT1pOTTVwRUxlMWZobWsK0CrDl2ELoYOTrMt3uN3mgBSyaYqOQY4I
             vBK12PV9FR9GFpKN4kGB03PZ0gV0N1zlcCHpnPCUuHwbCvvF2+vCag==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-06T21:51:18Z"
-    mac: ENC[AES256_GCM,data:6Zh2p/3l8Ts/vvmc8XYjwa1yUYT/U1YVJ7sJ2teRk5ZV3GrvziNmt/Sg3UNSotovJEi2EXdZTHReTOeM0ANPbNPtfVGdV7a69Oh2nax6UT0xmpO27hPG1HnlgPzsBX1SCCrb0nBBcD+uiBk0vmqlDy2SEN6KUgM9htBJSffvIs4=,iv:LdIOpwoGnno7lHirg4aLwLnwb8mXfYHVDvCur1cujWY=,tag:slQDKBSCGsKhN0MOi773CA==,type:str]
+    lastmodified: "2024-05-07T09:10:56Z"
+    mac: ENC[AES256_GCM,data:Q4N0aaBVYGBEUsUePd8WvrCA3Kb6F1iaVXQQYPTLCVHcw9WCTtDHsUxUEeVZkpxwhKsX+yMjc1S4ATNbTXoOf6tfEadAw/0PPrQatkxPZyz26u8EgSykAGj3tRiUKU9YQg3ieiiIDQokqqaCq+Bjcrg/7BLsQT/u+kowzhPIHH0=,iv:Ez3jSVakc46JQfE1FsH4RVuhtX27gAQ3AeFG735W4p4=,tag:Njbi0+11j0ZGLskP8aX7XA==,type:str]
     pgp:
         - created_at: "2024-02-29T15:23:23Z"
           enc: |-

From 5384918ce637ecc40d0f1b76061f2cc9b2352135 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Tue, 7 May 2024 11:57:15 +0200
Subject: [PATCH 38/67] directus: fix sso

---
 modules/keycloak.nix | 5 +++++
 modules/web/ese.nix  | 6 +++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/modules/keycloak.nix b/modules/keycloak.nix
index 78a2abd..6465019 100644
--- a/modules/keycloak.nix
+++ b/modules/keycloak.nix
@@ -22,6 +22,11 @@ in
   services.nginx.virtualHosts."${domain}" = {
     locations."/" = {
       proxyPass = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";
+      extraConfig = ''
+        proxy_buffer_size 128k;
+        proxy_buffers 4 256k;
+        proxy_busy_buffers_size 256k;
+      '';
     };
   };
 }
diff --git a/modules/web/ese.nix b/modules/web/ese.nix
index 85f922e..31ca66c 100644
--- a/modules/web/ese.nix
+++ b/modules/web/ese.nix
@@ -22,10 +22,14 @@ in
         "DB_PORT" = "5432";
         "DB_DATABASE" = "directus_ese";
         "DB_USER" = "directus_ese";
+        "PUBLIC_URL" = "https://directus-ese.ifsr.de";
+        "AUTH_PROVIDERS"="keycloak";
         "AUTH_KEYCLOAK_DRIVER" = "openid";
         "AUTH_KEYCLOAK_CLIENT_ID" = "directus-ese";
-        "AUTH_KEYCLOAK_ISSUER_URL" = "http://sso.ifsr.de/realms/internal/.well-known/openid-configuration";
+        "AUTH_KEYCLOAK_ISSUER_URL" = "https://sso.ifsr.de/realms/internal/.well-known/openid-configuration";
         "AUTH_KEYCLOAK_IDENTIFIER_KEY" = "email";
+        "AUTH_KEYCLOAK_ALLOW_PUBLIC_REGISTRATION"="true";
+        "AUTH_KEYCLOAK_DEFAULT_ROLE_ID"="a6b7a1b6-a6fa-442c-87fd-e37c2a16424b";
       };
       environmentFiles = [
         config.sops.secrets."directus_env".path
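Review bot: `AUTH_KEYCLOAK_IDENTIFIER_KEY = "email"` together with `AUTH_KEYCLOAK_ALLOW_PUBLIC_REGISTRATION = "true"` links and auto-creates Directus accounts by the email claim, so the mapping is only as trustworthy as the realm's email verification; if the Keycloak realm does not enforce verified emails, identify users by `sub` instead. The default role id `a6b7a1b6-…` is an opaque database id committed as configuration; a comment naming the Directus role it refers to would make the grant reviewable. The spacing in `"AUTH_PROVIDERS"="keycloak"` differs from the surrounding `"KEY" = "value"` lines.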

From 02535cca089ef6b2d84756d6c9061d68963d3f88 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Wed, 8 May 2024 00:09:40 +0200
Subject: [PATCH 39/67] grafana: configure oidc

---
 modules/monitoring.nix | 21 +++++++++++++++++++++
 secrets/quitte.yaml    |  6 ++++--
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/modules/monitoring.nix b/modules/monitoring.nix
index ed68e37..e277876 100644
--- a/modules/monitoring.nix
+++ b/modules/monitoring.nix
@@ -3,6 +3,9 @@ let
   domain = "monitoring.${config.networking.domain}";
 in
 {
+  sops.secrets."grafana/oidc_secret" = {
+    owner = "grafana";
+  };
   # grafana configuration
   services.grafana = {
     enable = true;
@@ -18,6 +21,24 @@ in
         user = "grafana";
         host = "/run/postgresql";
       };
+      "auth.generic_oauth" = {
+        enabled = true;
+        name = "iFSR";
+        allow_sign_up = true;
+        client_id = "grafana";
+        client_secret = "$__file{${config.sops.secrets."grafana/oidc_secret".path}}";
+        scopes = "openid email profile offline_access roles";
+
+        email_attribute_path = "email";
+        login_attribute_path = "username";
+        name_attribute_path = "full_name";
+
+        auth_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/auth";
+        token_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/token";
+        api_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/userinfo";
+        role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
+
+      };
 
     };
 
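Review bot: In the second hunk, `allow_sign_up = true` combined with the `|| 'Viewer'` fallback in `role_attribute_path` means every account in the realm can log in to Grafana whether or not it carries a Grafana role; if only mapped users are intended, set `role_attribute_strict = true` so users without a matching role are rejected. Grafana's generic OAuth also supports `use_pkce = true`, which is worth enabling for the authorization-code flow. The three `sso.ifsr.de` URLs are hard-coded while the module derives its own hostname from `config.networking.domain`.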
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index ebf220e..6f26813 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -13,6 +13,8 @@ sssd:
     env: ENC[AES256_GCM,data:ng189+ulH79xCZKOn9N5kN3KqED9dWqLM8dErukJH3a3ivxhUjyy3Tpa+uSnJDh8tAyOesT1j71mlTgKQKb3phylVEdL,iv:i8NEGR+eQ42q5be4gJdNMf/9DCCcjr3gwkEW/+hrgxs=,tag:16EvtkTu+0M5bIlgxC2j9Q==,type:str]
 dovecot_ldap_search: ENC[AES256_GCM,data:xip5KREy8oqH+58DOtw9QLcVdDlO5Nr0IHki8X0i9J1rrI/BreH2tVPC8aRTDHFPRgpBxiL6,iv:98PSXajEis7sSJ4+IkPuBC05y8w7/XRYQVFH1cripEU=,tag:LcId5rlzz3JjjZIHwoh+AA==,type:str]
 rspamd-password: ENC[AES256_GCM,data:UEJEPSQDGa4lewyqQ4fZH//li6KMfE9Jb/BzbLUM9o02qZuuAUDw17gTTTTPdl8WoBS02nN9r0s=,iv:2TFoMv0LAFTQDEf6ekjzS1Q1P+Z47V8kUnluQpTHWug=,tag:QOKDbVDZLmBymplJPHfrfQ==,type:str]
+grafana:
+    oidc_secret: ENC[AES256_GCM,data:oH+VCL4e4wve6RyVwlTXPSmirbf+STD5FxUj9OjGDLs=,iv:PhVVCy5JyRa+fOrYAsnjDL+97zYASmKcBzB8t9ZVWIU=,tag:JzGO/FeKem4vd7ApvZ2Zcg==,type:str]
 mediawiki:
     initial_admin: ENC[AES256_GCM,data:JzW2rgXQHXxj1e3vFhkXVkWSgrA3Y88KWlQ81hqUHw2UvnBH4GWtMXbZ,iv:zqKUyEaIOa/7hpwzjJPwk5gfqbEYJrE7Oc1Zqcqm3vo=,tag:T1gObIGtI4uVdpONvIXofA==,type:str]
     oidc_secret: ENC[AES256_GCM,data:xK5XSAwa1NOLx+hQqcgrCdQZ/zXErkRL+UV7HCBqF/0=,iv:Vbdus4jzJPAyG4ymIPVjudeHofyqNpIStecVnbyYA6s=,tag:+8xYpJbWWAbswitDHMGCCA==,type:str]
@@ -50,8 +52,8 @@ sops:
             c2lzVGV6WnVQT1pOTTVwRUxlMWZobWsK0CrDl2ELoYOTrMt3uN3mgBSyaYqOQY4I
             vBK12PV9FR9GFpKN4kGB03PZ0gV0N1zlcCHpnPCUuHwbCvvF2+vCag==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-07T09:10:56Z"
-    mac: ENC[AES256_GCM,data:Q4N0aaBVYGBEUsUePd8WvrCA3Kb6F1iaVXQQYPTLCVHcw9WCTtDHsUxUEeVZkpxwhKsX+yMjc1S4ATNbTXoOf6tfEadAw/0PPrQatkxPZyz26u8EgSykAGj3tRiUKU9YQg3ieiiIDQokqqaCq+Bjcrg/7BLsQT/u+kowzhPIHH0=,iv:Ez3jSVakc46JQfE1FsH4RVuhtX27gAQ3AeFG735W4p4=,tag:Njbi0+11j0ZGLskP8aX7XA==,type:str]
+    lastmodified: "2024-05-07T22:01:28Z"
+    mac: ENC[AES256_GCM,data:zL8TYp7ivjwjMpjC8FizCxq/OmdiD1hcKn8dnrrx/Lm07e/cjBf6MweJWBYLKwpigMOPeY7CvmCBW8EXvVao38n0zzNIoj1zFZRhnaxDoa961OkJ2WHduM9DCwvSN03wL8lOhT8dgBjsjR3Jzennfx5Mn2Q5cosfBBDWpaLl9sY=,iv:K5OKJSoXagU5CIzvJ37ikj3haTjMtQG0LBTCXqH4FYc=,tag:1n/MHnQCBlOIjNAXQJGanw==,type:str]
     pgp:
         - created_at: "2024-02-29T15:23:23Z"
           enc: |-

From a339235b337da86c2994dd484ebb254b7074a06b Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Wed, 8 May 2024 11:41:47 +0200
Subject: [PATCH 40/67] postgres: add more databases to the backup

---
 modules/core/postgres.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/core/postgres.nix b/modules/core/postgres.nix
index 297a1ea..2342765 100644
--- a/modules/core/postgres.nix
+++ b/modules/core/postgres.nix
@@ -8,7 +8,9 @@
       "directus_ese"
       "course-management"
       "git"
+      "grafana"
       "hedgedoc"
+      "keycloak"
       "matrix-synapse"
       "mautrix-telegram"
       "mediawiki"

From 8ea250e38715764dc15fdc83ea865672135ce863 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Wed, 8 May 2024 11:47:07 +0200
Subject: [PATCH 41/67] mediawiki: enable keycloak

---
 modules/wiki/fsr.nix | 7 +------
 secrets/quitte.yaml  | 8 ++++----
 2 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/modules/wiki/fsr.nix b/modules/wiki/fsr.nix
index 59c4da8..2ce0100 100644
--- a/modules/wiki/fsr.nix
+++ b/modules/wiki/fsr.nix
@@ -67,7 +67,7 @@ in
         $wgPluggableAuth_Config["iFSR Login"] = [
           "plugin" => "OpenIDConnect",
           "data" => [
-            "providerURL" => "${config.services.portunus.domain}/dex",
+            "providerURL" => "https://sso.ifsr.de/realms/internal",
             "clientID" => "wiki",
             "clientsecret" => file_get_contents('${config.sops.secrets."mediawiki/oidc_secret".path}'),
           ],
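Review bot: `"providerURL" => "https://sso.ifsr.de/realms/internal"` hard-codes the SSO host, whereas the line it replaces derived the issuer from `config.services.portunus.domain`, and the keycloak module later in this series builds its domain as `sso.${config.networking.domain}`. Keeping the issuer derived from configuration means a domain change or a staging deployment cannot silently leave the wiki trusting a different IdP than the one actually deployed. If the keycloak module sets `services.keycloak.settings.hostname` (not visible here), one option is `"providerURL" => "https://${config.services.keycloak.settings.hostname}/realms/internal",`; the grafana hunk at the top of this chunk hard-codes the same host. The enclosing PHP configuration string starts and ends outside the hunk.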
@@ -94,11 +94,6 @@ in
       };
     };
 
-    portunus.dex.oidcClients = [{
-      id = "wiki";
-      callbackURL = "https://${domain}/Spezial:PluggableAuthLogin";
-    }];
-
     nginx = {
       recommendedProxySettings = true;
       virtualHosts.${domain} = {
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index 6f26813..efe9ca9 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -5,7 +5,7 @@ nix-serve:
 keycloak:
     db: ENC[AES256_GCM,data:DVf/pVCHHUed2cQleECk0paBTZ/6Q3NE,iv:j3sWWNL0dqPJBLUx10+jJ7QvdAHvGM55KKDwG2aQEs0=,tag:6VTeE+Prsm+LPemzbEtVYg==,type:str]
 dex:
-    environment: ENC[AES256_GCM,data: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,iv:beNf5wvPTv7d7IzGZKTlLJUTaeFM43zzoBi8517pC+A=,tag:2kIM93eW8HFLVztzXSyo1w==,type:str]
+    environment: ENC[AES256_GCM,data:cF7LKrMRBn1ZGSgN3mWw6ecZdonoRd2Ac+pIOYJ9KAvsapB4qDA1lJwMeFkZ9eJJLn8wj5k+DUfgfzxB7KPBpUzuMIvvN2mD3mlqrfMhi2yJVW1uwDLwV7urFCw6BZl9hsCGBfQ6/yC0KN8tC2k2K++E6rTZ5DOYRMWFJ5P/33BFqs0KuRA3Zduqf/u6mFyE3IgXukK0bGlMfbEwq46XGF1OQHJnCREMnL+UxM+9ah2ndXjCGHw3MP/BKt3DmJn/FqPywOB7/X/75z/K2o7M10GzoR3C0UPxK9eqiNPtZNCbbEmJ06N6oubxsq3w9HCk6/Dn31QYSpcOp6KJ89DE1DMklrJ8/C35HVnmUm0KILGv1FY8hjx+ZS5TVwW+uR8NEPM83rW4d4cebFf+QIoOUl/YHarSrUp9YfD1YnR3a8kb2Gb1cVkCVUAfuIU=,iv:1SuFyGIbag1q5bdqBdVS1KEuc4WhOaOhAvNll2tk3b8=,tag:Xg+rq+U7+6cfTgLrtRtPeg==,type:str]
 portunus:
     admin-password: ENC[AES256_GCM,data:fESE6vrKhtslQO6ZJGv0T9t+leOSrgkY291orkwY+HPnOh26g2PSMX3j,iv:qmbCmjg0WsbOzfv6LsKcY3S1ssVXmaRB3lE6ZWzKSww=,tag:t8cP8XRTtto3EnNLEdz0yw==,type:str]
     search-password: ENC[AES256_GCM,data:xtbWS98IkQbnBu67sN413VNHZLg6eedbStE2uZ2pljS30uoM3coO2d32,iv:lKMTNnQJJfjAG7aX+G0eNnL36Cxmn+cWMRAlTovMJ4Y=,tag:FQGRBqsmY2c9VVIdBvGwCw==,type:str]
@@ -17,7 +17,7 @@ grafana:
     oidc_secret: ENC[AES256_GCM,data:oH+VCL4e4wve6RyVwlTXPSmirbf+STD5FxUj9OjGDLs=,iv:PhVVCy5JyRa+fOrYAsnjDL+97zYASmKcBzB8t9ZVWIU=,tag:JzGO/FeKem4vd7ApvZ2Zcg==,type:str]
 mediawiki:
     initial_admin: ENC[AES256_GCM,data:JzW2rgXQHXxj1e3vFhkXVkWSgrA3Y88KWlQ81hqUHw2UvnBH4GWtMXbZ,iv:zqKUyEaIOa/7hpwzjJPwk5gfqbEYJrE7Oc1Zqcqm3vo=,tag:T1gObIGtI4uVdpONvIXofA==,type:str]
-    oidc_secret: ENC[AES256_GCM,data:xK5XSAwa1NOLx+hQqcgrCdQZ/zXErkRL+UV7HCBqF/0=,iv:Vbdus4jzJPAyG4ymIPVjudeHofyqNpIStecVnbyYA6s=,tag:+8xYpJbWWAbswitDHMGCCA==,type:str]
+    oidc_secret: ENC[AES256_GCM,data:dVycm0FcwfD0xJof58kIOkx77F6dIbpD1EHoF+CKuSM=,iv:zI6mmI4ZO2MJqzi7w+MUSOsiDkubX1GwOYdIRz3TpNo=,tag:A1Qd8ESakLjJki2epj8+Vg==,type:str]
 mautrix-telegram_env: ENC[AES256_GCM,data:FyMtJChtir8Ip8S7zlBSvKccjt+7Hl0StHzxmKO7VdwNNA650HHfni9o7akIY52+r86tvP3D/bqHaBZqkq61ZNICnFJuYIkROvt1035uej1cdjlHeCrZBttI2w3ZkkKT/RZq5BOLt52o/fnw5Jlt+3yr6Kzd5mvcz6a2e5V96kFjaib6mMdg/Y6axiXvOSeFOHCjs6Js+ab7MDe90KUM3aLtBezXx9YTeU7RiqEiZl21dxzPIwilj8bhEB0RRIb1,iv:1ojF2NyQfaZbKwlHQND7LEOLWT1SWCpGPQTm2+0Y+xo=,tag:RavBAv49Ldm4rH+2DDGstQ==,type:str]
 postfix_ldap_aliases: ENC[AES256_GCM,data:beJTXpJYlAz4vyv2rAyuMtU2gkwf4JNnsFAG0oKLWuKQZnX/EyqyGTFK7hOs12qye26H9Ysl5vP12iDyVXU4cyYmBOMSOiIS4opPVs7yjp/FH0u6DXHExzd8qs5vwa+D+c9j05kLVZ85EGneDma4ITNBjo/JMjyXCHB0e8EZTFyfR8+fq+qvuyOUmLBfJSO5BK96u370DJ7EmIPLDiCUSO2MCD86yfFEq5J++ljeuKLxUtisqFWDPNeNq3YGjz0EHUgcqqDwzLwEEXyvn5FEI00nR0qBgSBTSWRDrndo5O2k3JMfZWW9UhXXS4kPwCYEkQSM240cwLNV/Rb9XceH2wxzL8PcfTNiy2vd,iv:lb9u3ryu1+G95OIizX17ft+fGK2CA2xt9DhYhtKda1c=,tag:CsS2Q32AgAyS5eZ7Z/Kf8g==,type:str]
 vaultwarden_env: ENC[AES256_GCM,data:JFySiTHahlUFsM+FcuSJPnGYMijphrnZpFFdoNe7DYxWjIgPRWdfH9WC/a5GsK2xCJXllXAASHNxgkYRrdPw2KaCiUR/QhAjtUmyv2NsIBcMYStafDUEK9emddR+ACedScsgS0FtP8f3cz1enTBi+DkYgL8lMAoCw5p8vMRyE9mVOLpTUDOO7T4=,iv:992REuXzHAxxhy2BbeCGNhTZkn8eSi8N2RyBXqqy7U0=,tag:iP5AFQqzoR66AkTGfYAUZg==,type:str]
@@ -52,8 +52,8 @@ sops:
             c2lzVGV6WnVQT1pOTTVwRUxlMWZobWsK0CrDl2ELoYOTrMt3uN3mgBSyaYqOQY4I
             vBK12PV9FR9GFpKN4kGB03PZ0gV0N1zlcCHpnPCUuHwbCvvF2+vCag==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-07T22:01:28Z"
-    mac: ENC[AES256_GCM,data:zL8TYp7ivjwjMpjC8FizCxq/OmdiD1hcKn8dnrrx/Lm07e/cjBf6MweJWBYLKwpigMOPeY7CvmCBW8EXvVao38n0zzNIoj1zFZRhnaxDoa961OkJ2WHduM9DCwvSN03wL8lOhT8dgBjsjR3Jzennfx5Mn2Q5cosfBBDWpaLl9sY=,iv:K5OKJSoXagU5CIzvJ37ikj3haTjMtQG0LBTCXqH4FYc=,tag:1n/MHnQCBlOIjNAXQJGanw==,type:str]
+    lastmodified: "2024-05-08T09:47:03Z"
+    mac: ENC[AES256_GCM,data:G5aVpO+IYdJH7i4RJWS/2Etb52iC0mj9EpTIsIys8LBrCd5x8aEh/ugDaO9J3ksZb92qBjr/mX84XGJJPdM3ZRoD6q1ECmz7/wtWQTibodzKPXK4xdnB/IfAWYSvxpwedvlt655qeJ0wYFj5iWC1hAGhm5XHsExE/C/U7VKBMVg=,iv:B07ncx34lrhaIN/1fseuJOBjYDXIeIvUQKgdqhxIkj8=,tag:dFMGZS/uxQ8s9+9KDrhjmQ==,type:str]
     pgp:
         - created_at: "2024-02-29T15:23:23Z"
           enc: |-

From 7c87808bc1755b807d88c38c636a0833c5ce8d66 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Wed, 8 May 2024 11:54:11 +0200
Subject: [PATCH 42/67] mediawiki: update secret

---
 secrets/quitte.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index efe9ca9..9e9f6bf 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -17,7 +17,7 @@ grafana:
     oidc_secret: ENC[AES256_GCM,data:oH+VCL4e4wve6RyVwlTXPSmirbf+STD5FxUj9OjGDLs=,iv:PhVVCy5JyRa+fOrYAsnjDL+97zYASmKcBzB8t9ZVWIU=,tag:JzGO/FeKem4vd7ApvZ2Zcg==,type:str]
 mediawiki:
     initial_admin: ENC[AES256_GCM,data:JzW2rgXQHXxj1e3vFhkXVkWSgrA3Y88KWlQ81hqUHw2UvnBH4GWtMXbZ,iv:zqKUyEaIOa/7hpwzjJPwk5gfqbEYJrE7Oc1Zqcqm3vo=,tag:T1gObIGtI4uVdpONvIXofA==,type:str]
-    oidc_secret: ENC[AES256_GCM,data:dVycm0FcwfD0xJof58kIOkx77F6dIbpD1EHoF+CKuSM=,iv:zI6mmI4ZO2MJqzi7w+MUSOsiDkubX1GwOYdIRz3TpNo=,tag:A1Qd8ESakLjJki2epj8+Vg==,type:str]
+    oidc_secret: ENC[AES256_GCM,data:XNbpKd42PLV+orXY/HqnYKOpt+HD4EmVMtAR+lRw+x8=,iv:XtmVdArhYmp0E1xL5lD1LMjJt+vyQPv/lG3g6fnsD00=,tag:onxncWUsG3QuvUebgVpLnQ==,type:str]
 mautrix-telegram_env: ENC[AES256_GCM,data:FyMtJChtir8Ip8S7zlBSvKccjt+7Hl0StHzxmKO7VdwNNA650HHfni9o7akIY52+r86tvP3D/bqHaBZqkq61ZNICnFJuYIkROvt1035uej1cdjlHeCrZBttI2w3ZkkKT/RZq5BOLt52o/fnw5Jlt+3yr6Kzd5mvcz6a2e5V96kFjaib6mMdg/Y6axiXvOSeFOHCjs6Js+ab7MDe90KUM3aLtBezXx9YTeU7RiqEiZl21dxzPIwilj8bhEB0RRIb1,iv:1ojF2NyQfaZbKwlHQND7LEOLWT1SWCpGPQTm2+0Y+xo=,tag:RavBAv49Ldm4rH+2DDGstQ==,type:str]
 postfix_ldap_aliases: ENC[AES256_GCM,data:beJTXpJYlAz4vyv2rAyuMtU2gkwf4JNnsFAG0oKLWuKQZnX/EyqyGTFK7hOs12qye26H9Ysl5vP12iDyVXU4cyYmBOMSOiIS4opPVs7yjp/FH0u6DXHExzd8qs5vwa+D+c9j05kLVZ85EGneDma4ITNBjo/JMjyXCHB0e8EZTFyfR8+fq+qvuyOUmLBfJSO5BK96u370DJ7EmIPLDiCUSO2MCD86yfFEq5J++ljeuKLxUtisqFWDPNeNq3YGjz0EHUgcqqDwzLwEEXyvn5FEI00nR0qBgSBTSWRDrndo5O2k3JMfZWW9UhXXS4kPwCYEkQSM240cwLNV/Rb9XceH2wxzL8PcfTNiy2vd,iv:lb9u3ryu1+G95OIizX17ft+fGK2CA2xt9DhYhtKda1c=,tag:CsS2Q32AgAyS5eZ7Z/Kf8g==,type:str]
 vaultwarden_env: ENC[AES256_GCM,data:JFySiTHahlUFsM+FcuSJPnGYMijphrnZpFFdoNe7DYxWjIgPRWdfH9WC/a5GsK2xCJXllXAASHNxgkYRrdPw2KaCiUR/QhAjtUmyv2NsIBcMYStafDUEK9emddR+ACedScsgS0FtP8f3cz1enTBi+DkYgL8lMAoCw5p8vMRyE9mVOLpTUDOO7T4=,iv:992REuXzHAxxhy2BbeCGNhTZkn8eSi8N2RyBXqqy7U0=,tag:iP5AFQqzoR66AkTGfYAUZg==,type:str]
@@ -52,8 +52,8 @@ sops:
             c2lzVGV6WnVQT1pOTTVwRUxlMWZobWsK0CrDl2ELoYOTrMt3uN3mgBSyaYqOQY4I
             vBK12PV9FR9GFpKN4kGB03PZ0gV0N1zlcCHpnPCUuHwbCvvF2+vCag==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-08T09:47:03Z"
-    mac: ENC[AES256_GCM,data:G5aVpO+IYdJH7i4RJWS/2Etb52iC0mj9EpTIsIys8LBrCd5x8aEh/ugDaO9J3ksZb92qBjr/mX84XGJJPdM3ZRoD6q1ECmz7/wtWQTibodzKPXK4xdnB/IfAWYSvxpwedvlt655qeJ0wYFj5iWC1hAGhm5XHsExE/C/U7VKBMVg=,iv:B07ncx34lrhaIN/1fseuJOBjYDXIeIvUQKgdqhxIkj8=,tag:dFMGZS/uxQ8s9+9KDrhjmQ==,type:str]
+    lastmodified: "2024-05-08T09:54:07Z"
+    mac: ENC[AES256_GCM,data:5tidoqP3gNX8nq8oMRCEkSxn+iGlle+9s7DpeUdBZdJQstNKrTFjVn25Xo00bq6CAYxcNPPV11qGkznARns3HVMHnsByx0kVbkoSImfqCwr/NJjsWs2TuGKBaj3nHrBkPd+3bE/zgl/yzYeKLT9qHeXiNKz6SEXdVLM0jSBM1vA=,iv:BnrAQ4RFf7BWtb7Y21hk8WIgCgvO7qvg3MqKhLIcacw=,tag:HyJuy5wrS/IMHVh9CY30hA==,type:str]
     pgp:
         - created_at: "2024-02-29T15:23:23Z"
           enc: |-

From f40e47f87172f0b8b8be0c0404c93018852a6e77 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Wed, 8 May 2024 12:29:07 +0200
Subject: [PATCH 43/67] mediawiki: fix account migration

---
 modules/wiki/fsr.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/wiki/fsr.nix b/modules/wiki/fsr.nix
index 2ce0100..9f82869 100644
--- a/modules/wiki/fsr.nix
+++ b/modules/wiki/fsr.nix
@@ -63,6 +63,7 @@ in
         # Auth
         # https://www.mediawiki.org/wiki/Extension:PluggableAuth
         # https://www.mediawiki.org/wiki/Extension:OpenID_Connect
+        $wgOpenIDConnect_MigrateUsersByEmail = true;
         $wgPluggableAuth_EnableLocalLogin = true;
         $wgPluggableAuth_Config["iFSR Login"] = [
           "plugin" => "OpenIDConnect",
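Review bot: `$wgOpenIDConnect_MigrateUsersByEmail = true;` links pre-existing local wiki accounts to incoming OIDC identities on an email match alone, so for as long as the flag stays on, the IdP's email claim is what decides which existing account a first-time OIDC login takes over. That is only safe if every address in the Keycloak realm is verified and users cannot change their own address without re-verification; as far as I can tell the extension does not check `email_verified` itself, so that guarantee has to come from the realm settings. Since the subject describes this as a migration fix, it is worth marking the line as a migration-window setting, e.g. `# one-time migration: link local accounts to Keycloak identities by (verified) email; disable once existing users have logged in`. The enclosing configuration block starts and ends outside the hunk.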

From 7b7e8858cfff0e943d9651ba6fe215fa0af22946 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Wed, 8 May 2024 14:08:05 +0200
Subject: [PATCH 44/67] secrets: cleanup

---
 secrets/quitte.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index 9e9f6bf..ba7826d 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -30,8 +30,6 @@ course-management:
 course-management-phil:
     secret-key: ENC[AES256_GCM,data:YxANlc3+BVkrDSRuaO1xtzJLnprK6vXpHD+o9dtTu4Q=,iv:FVnRAa7YEfHC7x4K4fkjIp4n4sCiI+OFwMIHu5KHRXQ=,tag:zneVoFMCK41ph1eRpWhdaQ==,type:str]
     adminpass: ENC[AES256_GCM,data:akLU2/5wBHgbhy83Agfe5SNFUpfgCB19DV3SMSj8wORgTgSEhlZnrWKt,iv:9BInYkjKIsi+nPaSoOEkcKcoK/9bxACYpaKcaEd5Fd0=,tag:UxBUMj1xIL6xlXQpGrjHVA==,type:str]
-padlist:
-    oidc_secret: ENC[AES256_GCM,data:xExKbcpuHLcbs0RozjVRZYKJo/RensfguPzHysA/,iv:a4wWRUqPwxlytXPXeuVIzAWm7s6KH/eOxs5xCCRtmV8=,tag:BeYnUJzWhom6sbVf0BJeag==,type:str]
 bacula:
     password: ENC[AES256_GCM,data:MrmA++fEUNNJojl9xAHlaWjhMrpAWjqi2X+6x2dWd1NZU7gDpLR16hDwyj3cfTsK,iv:iVN0pOx4/VrlcUxeHtMuavM/Z0/iZSGE+oY3idCKjtU=,tag:QiWT1xT8ntcyAjOU5SQLGA==,type:str]
     keypair: ENC[AES256_GCM,data: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,iv:pxhCdbDA0jZLRFLg/2cXy9j18nvWOgIHMHrgkAfYSbo=,tag:4Z73qrehEkiLca2HO1MhKA==,type:str]
@@ -52,8 +50,8 @@ sops:
             c2lzVGV6WnVQT1pOTTVwRUxlMWZobWsK0CrDl2ELoYOTrMt3uN3mgBSyaYqOQY4I
             vBK12PV9FR9GFpKN4kGB03PZ0gV0N1zlcCHpnPCUuHwbCvvF2+vCag==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-08T09:54:07Z"
-    mac: ENC[AES256_GCM,data:5tidoqP3gNX8nq8oMRCEkSxn+iGlle+9s7DpeUdBZdJQstNKrTFjVn25Xo00bq6CAYxcNPPV11qGkznARns3HVMHnsByx0kVbkoSImfqCwr/NJjsWs2TuGKBaj3nHrBkPd+3bE/zgl/yzYeKLT9qHeXiNKz6SEXdVLM0jSBM1vA=,iv:BnrAQ4RFf7BWtb7Y21hk8WIgCgvO7qvg3MqKhLIcacw=,tag:HyJuy5wrS/IMHVh9CY30hA==,type:str]
+    lastmodified: "2024-05-08T12:07:54Z"
+    mac: ENC[AES256_GCM,data:E7hpJx2tAfbnV5Af365T2n8zh0LlEow1JPSGpZ/9Y5EkY8ytGASnjcLUVJIHuBafTx/8Rv5Dr13BnQsj4Iv3UQYU8NlltO6es6uZqG+2tGRInLdoPgiLLjQs9+zw5lUqzUTllQWRdsWwqR+Dve6oDxH+7jfehGNBOhVnjFIDfKc=,iv:CnR1G3pUAGdwBUTO0blBXOvHl/nvL9DDyufVQnONGuc=,tag:hHh6pp7fx34K8vPZs4961A==,type:str]
     pgp:
         - created_at: "2024-02-29T15:23:23Z"
           enc: |-

From cb828a2188d518056b344a85ea76482764ca33d0 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Wed, 8 May 2024 14:10:46 +0200
Subject: [PATCH 45/67] decision: move to keycloak

---
 modules/decisions.nix | 5 -----
 secrets/quitte.yaml   | 8 ++++----
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/modules/decisions.nix b/modules/decisions.nix
index 29ebeb3..a235f9d 100644
--- a/modules/decisions.nix
+++ b/modules/decisions.nix
@@ -25,11 +25,6 @@ in
     };
   };
 
-  services.portunus.dex.oidcClients = [{
-    id = "decisions";
-    callbackURL = "https://decisions.ifsr.de/auth";
-  }];
-
   systemd.timers."decisions-to-db" = {
     wantedBy = [ "timers.target" ];
     timerConfig = {
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index ba7826d..0911f3e 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -5,7 +5,7 @@ nix-serve:
 keycloak:
     db: ENC[AES256_GCM,data:DVf/pVCHHUed2cQleECk0paBTZ/6Q3NE,iv:j3sWWNL0dqPJBLUx10+jJ7QvdAHvGM55KKDwG2aQEs0=,tag:6VTeE+Prsm+LPemzbEtVYg==,type:str]
 dex:
-    environment: ENC[AES256_GCM,data:cF7LKrMRBn1ZGSgN3mWw6ecZdonoRd2Ac+pIOYJ9KAvsapB4qDA1lJwMeFkZ9eJJLn8wj5k+DUfgfzxB7KPBpUzuMIvvN2mD3mlqrfMhi2yJVW1uwDLwV7urFCw6BZl9hsCGBfQ6/yC0KN8tC2k2K++E6rTZ5DOYRMWFJ5P/33BFqs0KuRA3Zduqf/u6mFyE3IgXukK0bGlMfbEwq46XGF1OQHJnCREMnL+UxM+9ah2ndXjCGHw3MP/BKt3DmJn/FqPywOB7/X/75z/K2o7M10GzoR3C0UPxK9eqiNPtZNCbbEmJ06N6oubxsq3w9HCk6/Dn31QYSpcOp6KJ89DE1DMklrJ8/C35HVnmUm0KILGv1FY8hjx+ZS5TVwW+uR8NEPM83rW4d4cebFf+QIoOUl/YHarSrUp9YfD1YnR3a8kb2Gb1cVkCVUAfuIU=,iv:1SuFyGIbag1q5bdqBdVS1KEuc4WhOaOhAvNll2tk3b8=,tag:Xg+rq+U7+6cfTgLrtRtPeg==,type:str]
+    environment: ENC[AES256_GCM,data:6UgcIV8PBUHj+AKk300IcY4QaR1AcMdkojx9EvXWlCeI6vuR6qh19FZ4OP2FrYr7165S8iXXV4vKbxgQSzXa7ulhXUgUVVs6RQFGIdl8zrbgOpLo0iO959DEmt60CQAWUOLKdnbjF0SxZNFo8+kgl63j01jQasBL11IkxEfD76K+j5OvrTG/2sJWgWPpD2+E0kKGDn2Go/BMFpBBI68xuZiN0KgJqP90WC3O4mE1Ez79onuuAq3DbGICEHGr5N8TPKmV6jPLmsVuYZs/neV8nJMDiJy+0B+KZ/KqwN+PoJTja2Qh1HFZJFrSFVFW5hGarHL7xZYQ59kOW66zLn3KvcOxqm8+tBxreC55TgOQq4qY/z+fOs+FSA==,iv:Oc7jzKz6ki6oBd2Ce/pmJH8GcGz+8IM9bHv7SLN38xI=,tag:m/kuri7s4RCkudjWBIfo5g==,type:str]
 portunus:
     admin-password: ENC[AES256_GCM,data:fESE6vrKhtslQO6ZJGv0T9t+leOSrgkY291orkwY+HPnOh26g2PSMX3j,iv:qmbCmjg0WsbOzfv6LsKcY3S1ssVXmaRB3lE6ZWzKSww=,tag:t8cP8XRTtto3EnNLEdz0yw==,type:str]
     search-password: ENC[AES256_GCM,data:xtbWS98IkQbnBu67sN413VNHZLg6eedbStE2uZ2pljS30uoM3coO2d32,iv:lKMTNnQJJfjAG7aX+G0eNnL36Cxmn+cWMRAlTovMJ4Y=,tag:FQGRBqsmY2c9VVIdBvGwCw==,type:str]
@@ -23,7 +23,7 @@ postfix_ldap_aliases: ENC[AES256_GCM,data:beJTXpJYlAz4vyv2rAyuMtU2gkwf4JNnsFAG0o
 vaultwarden_env: ENC[AES256_GCM,data:JFySiTHahlUFsM+FcuSJPnGYMijphrnZpFFdoNe7DYxWjIgPRWdfH9WC/a5GsK2xCJXllXAASHNxgkYRrdPw2KaCiUR/QhAjtUmyv2NsIBcMYStafDUEK9emddR+ACedScsgS0FtP8f3cz1enTBi+DkYgL8lMAoCw5p8vMRyE9mVOLpTUDOO7T4=,iv:992REuXzHAxxhy2BbeCGNhTZkn8eSi8N2RyBXqqy7U0=,tag:iP5AFQqzoR66AkTGfYAUZg==,type:str]
 directus_env: ENC[AES256_GCM,data:Q8mQYpwsMbv8NHIzTjxlbS528uZoFkzB0WDZITiYdbq6Y5a+12IEuXXRU+/v7vonpSWFH0ROqfrGy5yd3VhTR2eFvg8OsnlanFnnF4DYIDVMWLEOf4XoOoh/9tYPqoPYFtvwYnlCZFaEky4BKdcIFuqSuqrV9GSabBRuNJ1RbPyRXA6Nwr25uWYr70/1iIEb1tfffqR1YfycZ1JW4kL7OcjxNb6CwoPQ00Z/0t3YYG5Rc9rj7qTc6qw=,iv:yswA2oUhllYoAflK4BbxUMlCWaEfrFi/6g1r6wWZxHA=,tag:36xbdXho+lqKQt9ZaqS/Mw==,type:str]
 strukturbot_env: ENC[AES256_GCM,data:klTFgdNvdMYA++GsmqEHdhklZ5JUreP2Lh+5E0mj5iH7F8Run6/gAdHBJpCWEe2Q3o6RdZduy+kCXzJWznkLbEASxgJNcAWdFq2CU4ov0Z6rGS6i/X376Yc6I7oYLfQSd58r8Q/rhFl2qXkCiSGJYNvo6vGh6+b/TdTABwAnvj/k81n2SsSpoMOu9/1Pyop7QNVMuAtXaE/sca1KPtU/Yg3DrKczxKzKppReafIs7ICI/760N/H0Wwh6rtw51mfQxxOW9UpPXmnEFI8b+07pVsgNoSbzPCMaAoxf6LFnTnqtFRNS0N7rX3DrP6GSv2A8Bwm5of0sLhIm3gAAQ2iXp2di+BOi7uRqFVtNZ18XGPil8FVEkeIFdmhjCJAOJRyuANl3JsaqRk4lT1qMglyjHtCodP5rvVe+pALzpihNPIQPy0Tes2GOM4Q6ww4UxZrgevNHz7CnEMSEPU8Hjb63UkZTZbj2HxF8,iv:a2NyivM34Z/V/ir+NzsXNm73sp6uASYDiqDOG2ix2JE=,tag:buP1Hcvt3dEW249BWNBKkw==,type:str]
-decisions_env: ENC[AES256_GCM,data:JOi4V3TOH/qcDwcEeyrFrmfQlQpTOhX6syXOZv2K3Qo3poRLTLgNVEX0bWMIsSr5ACIvfoi8yMYOePJj2wOZoewqJw/Tr+4reGwHmMfgAxfZhD/ykFOBIGGdqEstAT335q8+T/xOkv7+9M8wWbmzFeQC7M9XdmoVBIVkTEuZb9OpCp91WEY8h1/2LTwf9+hGKNVZ4LkfbrLRed1RyWLjW0JD5kJebRJvSC5qnOhv4nz4iGAECl+1DokNWHrvFJGOm47f1uXtXoBXVnaXhhrkZ2j9r7nUpZpCITeJH5x8beJc7drmaoQs3PlLTcaKEeujNtwknYnBC4eUXx+78phYfA==,iv:pqIMRbNOIlK3ddUMpn8qDKz4tGFyAU6DyIzfuIkxSwc=,tag:ZterxIhIxeYLPiYsewVzBg==,type:str]
+decisions_env: ENC[AES256_GCM,data:fUoBTkceqbabZcR3Rmf2iSUd45T/oQ+6K4ReznhyJ/P3yzlgW17eG615o5v42PmLerpkABXZuVIkQSpkJsnn/Z2cSnv7vNvkeZcRambDWnEtz39Gu0uZR1um4Nl9hfJrp+otj3tTdzoh06MADQegWSbFLhJm6Qa71Fqh+dbGPZ8rbQAGDs0T6I2BFF1khND0COAQPO+5/gtRigngLaFgAJ/EClaRcUVF2BE7N7Za8ZMMDH7NOYSOSG/TTHZCownFeWbh3d7H89wG5Qw4jgXMz6Wd3y9QzEjjmhSubRi0hbSTZ+t4yiSjeODAVQLYlZ4DCjZECl+yvUndugdr1L1b5EpgjeFJTAsWjZtnu64=,iv:vcToub6JCQ9END3cuqCA7h0KC9drG0VIK52EyV8xQHM=,tag:PhzRofrNi67RFNP444GWBw==,type:str]
 course-management:
     secret-key: ENC[AES256_GCM,data:zMoIj8gjNmLdSbQmFo8n1pDIKaUUMzPfVoKkPlqNtm4=,iv:AM5wwvAFXKVss4N2/lK6bKYHV/4Bv5EOz2MVTxAPF1w=,tag:ARzQUVVjz+HhUT+JAISHkA==,type:str]
     adminpass: ENC[AES256_GCM,data:EariUHHtWirIXuRARj7lEneAOlKcjca9T+J0oH2xPv99w4ac1cRrvEVD,iv:cjC/+AnZdwWXkJOIAE36Hk/if4fqofVFf0H8WkHkRY8=,tag:M+s4hPzSp8eR76M/7TKXPg==,type:str]
@@ -50,8 +50,8 @@ sops:
             c2lzVGV6WnVQT1pOTTVwRUxlMWZobWsK0CrDl2ELoYOTrMt3uN3mgBSyaYqOQY4I
             vBK12PV9FR9GFpKN4kGB03PZ0gV0N1zlcCHpnPCUuHwbCvvF2+vCag==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-08T12:07:54Z"
-    mac: ENC[AES256_GCM,data:E7hpJx2tAfbnV5Af365T2n8zh0LlEow1JPSGpZ/9Y5EkY8ytGASnjcLUVJIHuBafTx/8Rv5Dr13BnQsj4Iv3UQYU8NlltO6es6uZqG+2tGRInLdoPgiLLjQs9+zw5lUqzUTllQWRdsWwqR+Dve6oDxH+7jfehGNBOhVnjFIDfKc=,iv:CnR1G3pUAGdwBUTO0blBXOvHl/nvL9DDyufVQnONGuc=,tag:hHh6pp7fx34K8vPZs4961A==,type:str]
+    lastmodified: "2024-05-08T12:10:42Z"
+    mac: ENC[AES256_GCM,data:lrTOJPidvYSfnk5HqI7J/LTA08FZIEpam5GCA7JV/TnvEf+L+sZOnEPJtfl9V3oZnUV1GzA1BRZCSxpvq8qWLC+R8F05KnDcUpwfxYFWoSFJginDRckh5YWFFK1nzwslbMKJ1u80tc8d9OU0Yqi5fuWECTVAz8Mq06u2dcqDSv4=,iv:/I5EqCcUhehDYle8DrWcROabSgIQj5RtqB4UvGT1/z8=,tag:eRmYUPqpallvWIZcqgMRnw==,type:str]
     pgp:
         - created_at: "2024-02-29T15:23:23Z"
           enc: |-

From 077138401e3bcf83163e245ba238c478bb75b07d Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Wed, 8 May 2024 15:37:19 +0200
Subject: [PATCH 46/67] dex: deconfigure

---
 modules/ldap/default.nix | 30 +-----------------------------
 modules/web/ifsrde.nix   |  5 -----
 secrets/quitte.yaml      |  6 ++----
 3 files changed, 3 insertions(+), 38 deletions(-)

diff --git a/modules/ldap/default.nix b/modules/ldap/default.nix
index bc400ad..1701831 100644
--- a/modules/ldap/default.nix
+++ b/modules/ldap/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, nixpkgs-unstable, system, ... }:
+{ config, pkgs, nixpkgs-unstable, system, ... }:
 let
   domain = "auth.${config.networking.domain}";
   seedSettings = {
@@ -55,7 +55,6 @@ in
   sops.secrets = {
     "portunus/admin-password".owner = config.services.portunus.user;
     "portunus/search-password".owner = config.services.portunus.user;
-    "dex/environment".owner = config.systemd.services.dex.serviceConfig.User;
   };
 
   services.portunus = {
@@ -72,8 +71,6 @@ in
 
     inherit domain seedSettings;
     port = 8681;
-    dex.enable = true;
-
     ldap = {
       suffix = "dc=ifsr,dc=de";
       searchUserName = "search";
@@ -84,30 +81,6 @@ in
     };
   };
 
-  services.dex.settings = {
-    oauth2.skipApprovalScreen = true;
-    frontend = {
-      issuer = "iFSR Schliboleth";
-      logoURL = "https://wiki.ifsr.de/images/3/3b/LogoiFSR.png";
-      theme = "dark";
-    };
-  };
-
-  systemd.services.dex.serviceConfig = {
-    DynamicUser = lib.mkForce false;
-    EnvironmentFile = config.sops.secrets."dex/environment".path;
-    StateDirectory = "dex";
-    User = "dex";
-  };
-
-  users = {
-    users.dex = {
-      group = "dex";
-      isSystemUser = true;
-    };
-    groups.dex = { };
-  };
-
   security.pam.services.sshd.makeHomeDir = true;
 
   services.nginx = {
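Review bot: Removing `systemd.services.dex.serviceConfig` (with `StateDirectory = "dex"`) together with the `dex` user and group deconfigures the service but leaves whatever dex wrote to its state directory in place, which by the systemd `StateDirectory` convention is `/var/lib/dex`; if dex kept its token-signing keys or client database there, that material is now an orphaned tree owned by a deleted uid. A follow-up cleanup closes that, either manually on the host or with a one-deploy `systemd.tmpfiles.rules` entry such as `"R /var/lib/dex - - - - -"`. The `"dex/environment"` secret is dropped from sops in the next file section, so on-disk state is the only leftover I can see.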
@@ -115,7 +88,6 @@ in
     virtualHosts."${config.services.portunus.domain}" = {
       locations = {
         "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
-        "/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
       };
     };
   };
diff --git a/modules/web/ifsrde.nix b/modules/web/ifsrde.nix
index 0db4396..694abc7 100644
--- a/modules/web/ifsrde.nix
+++ b/modules/web/ifsrde.nix
@@ -73,9 +73,4 @@ in
       };
     };
   };
-
-  services.portunus.dex.oidcClients = [{
-    id = "grav";
-    callbackURL = "https://ifsr.de/admin/task:callback.oauth2";
-  }];
 }
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index 0911f3e..6e39843 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -4,8 +4,6 @@ nix-serve:
     key: ENC[AES256_GCM,data:GptsUgeXOOrwJctoMZ+mWXcw9DwJ0f0LOlLyMlH/877N4uA5/NtNKIaFHl3z2GWPRBnDLBzDEO1Q6EDuWbakr+Uq4zTJm2MOV6Qf4kM0BlNpXGIdjvh7tD2La7GV4ID+CT8U6p0E,iv:3A/Yy4PHsq9VdhW4SKIYdpd1enQ5cDiKLk5S9VrH0b4=,tag:WZzbct7LZmOhEvx9KVQ8WA==,type:str]
 keycloak:
     db: ENC[AES256_GCM,data:DVf/pVCHHUed2cQleECk0paBTZ/6Q3NE,iv:j3sWWNL0dqPJBLUx10+jJ7QvdAHvGM55KKDwG2aQEs0=,tag:6VTeE+Prsm+LPemzbEtVYg==,type:str]
-dex:
-    environment: ENC[AES256_GCM,data:6UgcIV8PBUHj+AKk300IcY4QaR1AcMdkojx9EvXWlCeI6vuR6qh19FZ4OP2FrYr7165S8iXXV4vKbxgQSzXa7ulhXUgUVVs6RQFGIdl8zrbgOpLo0iO959DEmt60CQAWUOLKdnbjF0SxZNFo8+kgl63j01jQasBL11IkxEfD76K+j5OvrTG/2sJWgWPpD2+E0kKGDn2Go/BMFpBBI68xuZiN0KgJqP90WC3O4mE1Ez79onuuAq3DbGICEHGr5N8TPKmV6jPLmsVuYZs/neV8nJMDiJy+0B+KZ/KqwN+PoJTja2Qh1HFZJFrSFVFW5hGarHL7xZYQ59kOW66zLn3KvcOxqm8+tBxreC55TgOQq4qY/z+fOs+FSA==,iv:Oc7jzKz6ki6oBd2Ce/pmJH8GcGz+8IM9bHv7SLN38xI=,tag:m/kuri7s4RCkudjWBIfo5g==,type:str]
 portunus:
     admin-password: ENC[AES256_GCM,data:fESE6vrKhtslQO6ZJGv0T9t+leOSrgkY291orkwY+HPnOh26g2PSMX3j,iv:qmbCmjg0WsbOzfv6LsKcY3S1ssVXmaRB3lE6ZWzKSww=,tag:t8cP8XRTtto3EnNLEdz0yw==,type:str]
     search-password: ENC[AES256_GCM,data:xtbWS98IkQbnBu67sN413VNHZLg6eedbStE2uZ2pljS30uoM3coO2d32,iv:lKMTNnQJJfjAG7aX+G0eNnL36Cxmn+cWMRAlTovMJ4Y=,tag:FQGRBqsmY2c9VVIdBvGwCw==,type:str]
@@ -50,8 +48,8 @@ sops:
             c2lzVGV6WnVQT1pOTTVwRUxlMWZobWsK0CrDl2ELoYOTrMt3uN3mgBSyaYqOQY4I
             vBK12PV9FR9GFpKN4kGB03PZ0gV0N1zlcCHpnPCUuHwbCvvF2+vCag==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-08T12:10:42Z"
-    mac: ENC[AES256_GCM,data:lrTOJPidvYSfnk5HqI7J/LTA08FZIEpam5GCA7JV/TnvEf+L+sZOnEPJtfl9V3oZnUV1GzA1BRZCSxpvq8qWLC+R8F05KnDcUpwfxYFWoSFJginDRckh5YWFFK1nzwslbMKJ1u80tc8d9OU0Yqi5fuWECTVAz8Mq06u2dcqDSv4=,iv:/I5EqCcUhehDYle8DrWcROabSgIQj5RtqB4UvGT1/z8=,tag:eRmYUPqpallvWIZcqgMRnw==,type:str]
+    lastmodified: "2024-05-08T13:35:15Z"
+    mac: ENC[AES256_GCM,data:zlhjtcRQgGkF8c9dME27YR1ueYnV3z7ITu0znyx3/IqP8ibm+G/UgJQhWoijCyeYqzzOktYK0KX8a258GYb44iFXN4JCmX8A1VSXDBGbqUZk0N23PiN69MVDJDZYalkKG4Vt/WflVJ+Xn+ZvGe4pf9m3uFRs89jfQH/cpTH71aM=,iv:FTQYissXSdHYMnqOcTUFfmB1hL7tPmYvbq+gRap5iBY=,tag:DjKxTF4rB9DpKD9W4C16tw==,type:str]
     pgp:
         - created_at: "2024-02-29T15:23:23Z"
           enc: |-

From c595af81e720ddef94250644a2ab223d3ba61b9e Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Wed, 8 May 2024 16:12:10 +0200
Subject: [PATCH 47/67] nix: flake update

---
 flake.lock               | 30 +++++++++++++++---------------
 modules/ldap/default.nix |  1 +
 2 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/flake.lock b/flake.lock
index e65c2f6..6fa51c0 100644
--- a/flake.lock
+++ b/flake.lock
@@ -145,11 +145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713869268,
-        "narHash": "sha256-o3CMQeu/S8/4zU0pMtYg51rd1FWdJsI2Xohzng1Ysdg=",
+        "lastModified": 1714878592,
+        "narHash": "sha256-E68C03sYRsYFsK7wiGHUIJm8IsyPRALOrFoTL0glXnI=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "dcb6ac44922858ce3a5b46f77a36d6030181460c",
+        "rev": "a362555e9dbd4ecff3bb98969bbdb8f79fe87f10",
         "type": "github"
       },
       "original": {
@@ -160,11 +160,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1713995372,
-        "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=",
+        "lastModified": 1714971268,
+        "narHash": "sha256-IKwMSwHj9+ec660l+I4tki/1NRoeGpyA2GdtdYpAgEw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8",
+        "rev": "27c13997bf450a01219899f5a83bd6ffbfc70d3c",
         "type": "github"
       },
       "original": {
@@ -176,11 +176,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1713638189,
-        "narHash": "sha256-q7APLfB6FmmSMI1Su5ihW9IwntBsk2hWNXh8XtSdSIk=",
+        "lastModified": 1714858427,
+        "narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "74574c38577914733b4f7a775dd77d24245081dd",
+        "rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
         "type": "github"
       },
       "original": {
@@ -192,11 +192,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1713895582,
-        "narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=",
+        "lastModified": 1714906307,
+        "narHash": "sha256-UlRZtrCnhPFSJlDQE7M0eyhgvuuHBTe1eJ9N9AQlJQ0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "572af610f6151fd41c212f897c71f7056e3fb518",
+        "rev": "25865a40d14b3f9cf19f19b924e2ab4069b09588",
         "type": "github"
       },
       "original": {
@@ -286,11 +286,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1713892811,
-        "narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=",
+        "lastModified": 1715035358,
+        "narHash": "sha256-RY6kqhpCPa/q3vbqt3iYRyjO3hJz9KZnshMjbpPon8o=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd",
+        "rev": "893e3df091f6838f4f9d71c61ab079d5c5dedbd1",
         "type": "github"
       },
       "original": {
diff --git a/modules/ldap/default.nix b/modules/ldap/default.nix
index 1701831..0a61635 100644
--- a/modules/ldap/default.nix
+++ b/modules/ldap/default.nix
@@ -83,6 +83,7 @@ in
 
   security.pam.services.sshd.makeHomeDir = true;
 
+  systemd.services.dex = null;
   services.nginx = {
     enable = true;
     virtualHosts."${config.services.portunus.domain}" = {

From 071c0aa464b075932a02a9133d0daa3c687d84e6 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Mon, 13 May 2024 15:50:34 +0200
Subject: [PATCH 48/67] ldap: fix dex line

---
 modules/ldap/default.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/ldap/default.nix b/modules/ldap/default.nix
index 0a61635..1701831 100644
--- a/modules/ldap/default.nix
+++ b/modules/ldap/default.nix
@@ -83,7 +83,6 @@ in
 
   security.pam.services.sshd.makeHomeDir = true;
 
-  systemd.services.dex = null;
   services.nginx = {
     enable = true;
     virtualHosts."${config.services.portunus.domain}" = {

From 763a71c93f72637c3676bbc4c8dcdf19130ffc2d Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Tue, 14 May 2024 14:08:21 +0200
Subject: [PATCH 49/67] initrd-ssh: fix shell

---
 modules/core/initrd-ssh.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/core/initrd-ssh.nix b/modules/core/initrd-ssh.nix
index 9fc5824..a244b21 100644
--- a/modules/core/initrd-ssh.nix
+++ b/modules/core/initrd-ssh.nix
@@ -6,14 +6,14 @@
 { config, ... }:
 {
   boot.initrd = {
-   availableKernelModules = ["mlx5_core"];
+    availableKernelModules = [ "mlx5_core" ];
     systemd = {
       enable = true;
       network = {
         enable = true;
         networks."10-wired-default" = config.systemd.network.networks."10-wired-default";
       };
-      users.root.shell = "/bin/zfs load-key rpool/nixos";
+      users.root.shell = "/bin/systemd-tty-ask-password-agent";
     };
     network = {
       enable = true;

From b70c5b14b3077bc1fee99f4abe1d1bb870a5fc42 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Tue, 14 May 2024 18:35:01 +0200
Subject: [PATCH 50/67] nix: flake update

---
 flake.lock | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/flake.lock b/flake.lock
index 6fa51c0..2b193ba 100644
--- a/flake.lock
+++ b/flake.lock
@@ -145,11 +145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714878592,
-        "narHash": "sha256-E68C03sYRsYFsK7wiGHUIJm8IsyPRALOrFoTL0glXnI=",
+        "lastModified": 1715483403,
+        "narHash": "sha256-WMDuQj7J5jbpXI/X/E6FZRKgBFGcaSTvYyVxPnKE6KU=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "a362555e9dbd4ecff3bb98969bbdb8f79fe87f10",
+        "rev": "f9027322f48b427da23746aa359a6510dfcd0228",
         "type": "github"
       },
       "original": {
@@ -160,11 +160,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1714971268,
-        "narHash": "sha256-IKwMSwHj9+ec660l+I4tki/1NRoeGpyA2GdtdYpAgEw=",
+        "lastModified": 1715542476,
+        "narHash": "sha256-FF593AtlzQqa8JpzrXyRws4CeKbc5W86o8tHt4nRfIg=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "27c13997bf450a01219899f5a83bd6ffbfc70d3c",
+        "rev": "44072e24566c5bcc0b7aa9178a0104f4cfffab19",
         "type": "github"
       },
       "original": {
@@ -176,11 +176,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1714858427,
-        "narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=",
+        "lastModified": 1715458492,
+        "narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76",
+        "rev": "8e47858badee5594292921c2668c11004c3b0142",
         "type": "github"
       },
       "original": {
@@ -192,11 +192,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1714906307,
-        "narHash": "sha256-UlRZtrCnhPFSJlDQE7M0eyhgvuuHBTe1eJ9N9AQlJQ0=",
+        "lastModified": 1715534503,
+        "narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "25865a40d14b3f9cf19f19b924e2ab4069b09588",
+        "rev": "2057814051972fa1453ddfb0d98badbea9b83c06",
         "type": "github"
       },
       "original": {
@@ -286,11 +286,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1715035358,
-        "narHash": "sha256-RY6kqhpCPa/q3vbqt3iYRyjO3hJz9KZnshMjbpPon8o=",
+        "lastModified": 1715482972,
+        "narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "893e3df091f6838f4f9d71c61ab079d5c5dedbd1",
+        "rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
         "type": "github"
       },
       "original": {

From f5f4bf1b24ca3f9837c148043711ee3c985fc159 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Tue, 14 May 2024 18:57:23 +0200
Subject: [PATCH 51/67] keycloak: use from unstable

---
 modules/keycloak.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/keycloak.nix b/modules/keycloak.nix
index 6465019..8c101f0 100644
--- a/modules/keycloak.nix
+++ b/modules/keycloak.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, nixpkgs-unstable, ... }:
 let
   domain = "sso.${config.networking.domain}";
 in
@@ -6,6 +6,7 @@ in
   sops.secrets."keycloak/db" = { };
   services.keycloak = {
     enable = true;
+    package = nixpkgs-unstable.legacyPackages.x86_64-linux.keycloak;
     settings = {
       http-port = 8086;
       https-port = 19000;
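Review bot: `nixpkgs-unstable.legacyPackages.x86_64-linux.keycloak` hard-codes the system, so the module silently breaks on any other host platform; `nixpkgs-unstable.legacyPackages.${pkgs.stdenv.hostPlatform.system}.keycloak` (with `pkgs` added back to the module arguments) keeps it portable. Taking the package from a different nixpkgs than the `services.keycloak` module that configures it can drift — the stable module generates settings for the stable release — so the pairing deserves a comment stating why it exists and when it can be reverted.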

From 727f5464ae65b36967872821b6236953768af16a Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Tue, 14 May 2024 18:59:43 +0200
Subject: [PATCH 52/67] keycloak: explain things

---
 modules/keycloak.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/keycloak.nix b/modules/keycloak.nix
index 8c101f0..08d5d2d 100644
--- a/modules/keycloak.nix
+++ b/modules/keycloak.nix
@@ -6,6 +6,7 @@ in
   sops.secrets."keycloak/db" = { };
   services.keycloak = {
     enable = true;
+    # we use unstable as the release in stable is insecure
     package = nixpkgs-unstable.legacyPackages.x86_64-linux.keycloak;
     settings = {
       http-port = 8086;
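Review bot: The added comment `# we use unstable as the release in stable is insecure` gives the motive but not the facts a later maintainer needs to undo it; record the affected stable version and the advisory, e.g. `# stable keycloak <VERSION> is affected by <ADVISORY-ID>; drop this override once stable ships a fixed release` (values to be filled in from the advisory). Without that, nobody can tell when the override has outlived its purpose.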

From fa964bf9503322aa23b61d9242dc99e388144fe0 Mon Sep 17 00:00:00 2001
From: Jonas Gaffke <jonas@jonasga.io>
Date: Sat, 18 May 2024 10:28:15 +0200
Subject: [PATCH 53/67] sops: add kanboard conf

---
 secrets/quitte.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index 6e39843..f3f3837 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -22,6 +22,7 @@ vaultwarden_env: ENC[AES256_GCM,data:JFySiTHahlUFsM+FcuSJPnGYMijphrnZpFFdoNe7DYx
 directus_env: ENC[AES256_GCM,data:Q8mQYpwsMbv8NHIzTjxlbS528uZoFkzB0WDZITiYdbq6Y5a+12IEuXXRU+/v7vonpSWFH0ROqfrGy5yd3VhTR2eFvg8OsnlanFnnF4DYIDVMWLEOf4XoOoh/9tYPqoPYFtvwYnlCZFaEky4BKdcIFuqSuqrV9GSabBRuNJ1RbPyRXA6Nwr25uWYr70/1iIEb1tfffqR1YfycZ1JW4kL7OcjxNb6CwoPQ00Z/0t3YYG5Rc9rj7qTc6qw=,iv:yswA2oUhllYoAflK4BbxUMlCWaEfrFi/6g1r6wWZxHA=,tag:36xbdXho+lqKQt9ZaqS/Mw==,type:str]
 strukturbot_env: ENC[AES256_GCM,data:klTFgdNvdMYA++GsmqEHdhklZ5JUreP2Lh+5E0mj5iH7F8Run6/gAdHBJpCWEe2Q3o6RdZduy+kCXzJWznkLbEASxgJNcAWdFq2CU4ov0Z6rGS6i/X376Yc6I7oYLfQSd58r8Q/rhFl2qXkCiSGJYNvo6vGh6+b/TdTABwAnvj/k81n2SsSpoMOu9/1Pyop7QNVMuAtXaE/sca1KPtU/Yg3DrKczxKzKppReafIs7ICI/760N/H0Wwh6rtw51mfQxxOW9UpPXmnEFI8b+07pVsgNoSbzPCMaAoxf6LFnTnqtFRNS0N7rX3DrP6GSv2A8Bwm5of0sLhIm3gAAQ2iXp2di+BOi7uRqFVtNZ18XGPil8FVEkeIFdmhjCJAOJRyuANl3JsaqRk4lT1qMglyjHtCodP5rvVe+pALzpihNPIQPy0Tes2GOM4Q6ww4UxZrgevNHz7CnEMSEPU8Hjb63UkZTZbj2HxF8,iv:a2NyivM34Z/V/ir+NzsXNm73sp6uASYDiqDOG2ix2JE=,tag:buP1Hcvt3dEW249BWNBKkw==,type:str]
 decisions_env: ENC[AES256_GCM,data:fUoBTkceqbabZcR3Rmf2iSUd45T/oQ+6K4ReznhyJ/P3yzlgW17eG615o5v42PmLerpkABXZuVIkQSpkJsnn/Z2cSnv7vNvkeZcRambDWnEtz39Gu0uZR1um4Nl9hfJrp+otj3tTdzoh06MADQegWSbFLhJm6Qa71Fqh+dbGPZ8rbQAGDs0T6I2BFF1khND0COAQPO+5/gtRigngLaFgAJ/EClaRcUVF2BE7N7Za8ZMMDH7NOYSOSG/TTHZCownFeWbh3d7H89wG5Qw4jgXMz6Wd3y9QzEjjmhSubRi0hbSTZ+t4yiSjeODAVQLYlZ4DCjZECl+yvUndugdr1L1b5EpgjeFJTAsWjZtnu64=,iv:vcToub6JCQ9END3cuqCA7h0KC9drG0VIK52EyV8xQHM=,tag:PhzRofrNi67RFNP444GWBw==,type:str]
+kanboard_env: ENC[AES256_GCM,data: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,iv:V5lRQaGFaf6VEZieGSWrB9M1cfyhGkHvv6Gpx3rjNWE=,tag:SnN3DRK7lIPMMGAnc/ZMag==,type:str]
 course-management:
     secret-key: ENC[AES256_GCM,data:zMoIj8gjNmLdSbQmFo8n1pDIKaUUMzPfVoKkPlqNtm4=,iv:AM5wwvAFXKVss4N2/lK6bKYHV/4Bv5EOz2MVTxAPF1w=,tag:ARzQUVVjz+HhUT+JAISHkA==,type:str]
     adminpass: ENC[AES256_GCM,data:EariUHHtWirIXuRARj7lEneAOlKcjca9T+J0oH2xPv99w4ac1cRrvEVD,iv:cjC/+AnZdwWXkJOIAE36Hk/if4fqofVFf0H8WkHkRY8=,tag:M+s4hPzSp8eR76M/7TKXPg==,type:str]
@@ -48,8 +49,8 @@ sops:
             c2lzVGV6WnVQT1pOTTVwRUxlMWZobWsK0CrDl2ELoYOTrMt3uN3mgBSyaYqOQY4I
             vBK12PV9FR9GFpKN4kGB03PZ0gV0N1zlcCHpnPCUuHwbCvvF2+vCag==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-08T13:35:15Z"
-    mac: ENC[AES256_GCM,data:zlhjtcRQgGkF8c9dME27YR1ueYnV3z7ITu0znyx3/IqP8ibm+G/UgJQhWoijCyeYqzzOktYK0KX8a258GYb44iFXN4JCmX8A1VSXDBGbqUZk0N23PiN69MVDJDZYalkKG4Vt/WflVJ+Xn+ZvGe4pf9m3uFRs89jfQH/cpTH71aM=,iv:FTQYissXSdHYMnqOcTUFfmB1hL7tPmYvbq+gRap5iBY=,tag:DjKxTF4rB9DpKD9W4C16tw==,type:str]
+    lastmodified: "2024-05-18T08:27:50Z"
+    mac: ENC[AES256_GCM,data:mQWvd56PPqQrFWIq5mn4TYJSFoJQOovNsaYg3b0SjK61Jly5Fhdl56BPb5ehlMO8goq9m7v4uxOckKzb2Byps3YqBloszLylJ8ggp4NZvuYpaUs+BAb7Fp1mY++9qf/aUcORqJ6NNn3PbrkzYZpczpjUdruuvrB1i6gu310XHDw=,iv:eSRR8ZR8BiWlLfFjWAwgED4BCLdfsxTbq8gVmSCdvdc=,tag:2jgtZZCVMRjxHaa5Co4EVA==,type:str]
     pgp:
         - created_at: "2024-02-29T15:23:23Z"
           enc: |-

From 0c19d4e5659dbdace3282dae16ed070febea941c Mon Sep 17 00:00:00 2001
From: Jonas Gaffke <jonas@jonasga.io>
Date: Sun, 19 May 2024 11:14:27 +0200
Subject: [PATCH 54/67] sops: fix kanboard conf

---
 secrets/quitte.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index f3f3837..fe5cb67 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -22,7 +22,7 @@ vaultwarden_env: ENC[AES256_GCM,data:JFySiTHahlUFsM+FcuSJPnGYMijphrnZpFFdoNe7DYx
 directus_env: ENC[AES256_GCM,data:Q8mQYpwsMbv8NHIzTjxlbS528uZoFkzB0WDZITiYdbq6Y5a+12IEuXXRU+/v7vonpSWFH0ROqfrGy5yd3VhTR2eFvg8OsnlanFnnF4DYIDVMWLEOf4XoOoh/9tYPqoPYFtvwYnlCZFaEky4BKdcIFuqSuqrV9GSabBRuNJ1RbPyRXA6Nwr25uWYr70/1iIEb1tfffqR1YfycZ1JW4kL7OcjxNb6CwoPQ00Z/0t3YYG5Rc9rj7qTc6qw=,iv:yswA2oUhllYoAflK4BbxUMlCWaEfrFi/6g1r6wWZxHA=,tag:36xbdXho+lqKQt9ZaqS/Mw==,type:str]
 strukturbot_env: ENC[AES256_GCM,data:klTFgdNvdMYA++GsmqEHdhklZ5JUreP2Lh+5E0mj5iH7F8Run6/gAdHBJpCWEe2Q3o6RdZduy+kCXzJWznkLbEASxgJNcAWdFq2CU4ov0Z6rGS6i/X376Yc6I7oYLfQSd58r8Q/rhFl2qXkCiSGJYNvo6vGh6+b/TdTABwAnvj/k81n2SsSpoMOu9/1Pyop7QNVMuAtXaE/sca1KPtU/Yg3DrKczxKzKppReafIs7ICI/760N/H0Wwh6rtw51mfQxxOW9UpPXmnEFI8b+07pVsgNoSbzPCMaAoxf6LFnTnqtFRNS0N7rX3DrP6GSv2A8Bwm5of0sLhIm3gAAQ2iXp2di+BOi7uRqFVtNZ18XGPil8FVEkeIFdmhjCJAOJRyuANl3JsaqRk4lT1qMglyjHtCodP5rvVe+pALzpihNPIQPy0Tes2GOM4Q6ww4UxZrgevNHz7CnEMSEPU8Hjb63UkZTZbj2HxF8,iv:a2NyivM34Z/V/ir+NzsXNm73sp6uASYDiqDOG2ix2JE=,tag:buP1Hcvt3dEW249BWNBKkw==,type:str]
 decisions_env: ENC[AES256_GCM,data:fUoBTkceqbabZcR3Rmf2iSUd45T/oQ+6K4ReznhyJ/P3yzlgW17eG615o5v42PmLerpkABXZuVIkQSpkJsnn/Z2cSnv7vNvkeZcRambDWnEtz39Gu0uZR1um4Nl9hfJrp+otj3tTdzoh06MADQegWSbFLhJm6Qa71Fqh+dbGPZ8rbQAGDs0T6I2BFF1khND0COAQPO+5/gtRigngLaFgAJ/EClaRcUVF2BE7N7Za8ZMMDH7NOYSOSG/TTHZCownFeWbh3d7H89wG5Qw4jgXMz6Wd3y9QzEjjmhSubRi0hbSTZ+t4yiSjeODAVQLYlZ4DCjZECl+yvUndugdr1L1b5EpgjeFJTAsWjZtnu64=,iv:vcToub6JCQ9END3cuqCA7h0KC9drG0VIK52EyV8xQHM=,tag:PhzRofrNi67RFNP444GWBw==,type:str]
-kanboard_env: ENC[AES256_GCM,data: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,iv:V5lRQaGFaf6VEZieGSWrB9M1cfyhGkHvv6Gpx3rjNWE=,tag:SnN3DRK7lIPMMGAnc/ZMag==,type:str]
+kanboard_env: ENC[AES256_GCM,data:AQ3jU78hi8YGzfWXTo2wnS9Q9hucgtKBrB/xiIyrZl/j6QpQmr/HS6gEizgY7Du8ZhkRmRTZ8ks99EOpPUdN0LXhegZB0loCWEozkPCn+N0UZXqKDVAz2UsyQu04Eu4FPRqw9VMIS30qJarqZGjvAJmBWNd8znW9ggtg8bMxqwWuErdyMhCCbXeAsw4O8XasGR27e4SGRJNWR5QH7VX7GqOb0Q2AFr9BQhNyO9MgczmqwldqirqaIACIaSVvOOByh56M+rbWyiaAL2O7BqcHS0dtV+XG2uVpxb02b456iArRyKco41bVC1sSRfi2ewCNLma+yNgR7t1WYZeA8537gMX9LaU5ORnn+L0toM8j2yUnfW9RYA3dqp50Yt2UKH/jjLwW5wKLrOF1G2Pb5TAl12ghPLfTfJiuv1SLgahLK5lP/I/x3dJ/n3gm7/lqu2EPDnaPtPDotV0VWfBLwQoXAjSFvSZVfxwYIon/ErxsACtxgT1Ss4L88Ggc33ae1BFyURX7p7738eizsqUV8WWqa74Jt+uT32nU45B2DyyzFQWfy4mGsgBssuZzgFbzLyYDiXfcq500K16950cWPH9s5Sx1XooCcHeTJYyVHklCJ/0r3Iz2g1TtKktpr5XW7EEcCLKQ86UqpKwg9PwEHVnYgFKe8IuSeAAGzZczeUFvERrRJs8qZqPE1IaufozSr5bGBh4eRdv/kVDFyh7wJ62xStVb7IV+sXogA13m/emfxdy1RBWftHcsgZ03r4pdp7mHzNqRvYYscx4UzB237GNzG82PJ/zLk73XGRCv4iE11KWZs9oyoOI4RFFvGwNS8jV3wWh4I7Is3SWO0cy+41qeuL0oNeRVseVENZ5zqxC1sPIP+z16XiTlGWUefTYinFjKmjojF2+uSS6bGZteB70iynB28FUUEqU4Wa0RwGDOck21cw8PnIMpiP+LWdnaH6sKS+EMl9IXcraH31wNK76dcUy3dPqU257bp1e1OJ0Y/fO/1ZTT4Usm7CrXCon0gcDWFAB+c57c+omfYW3kZ4F99Y2ht5QZEvjK20rEXLQb5e1SqIC0ssjP+7vpc+SfNQ6jQ6B6Vye9cyaNkgzGoWZFwHME7cgehs+2FkCOVgPlJ8hDupSTc1BgFzT3JJtejsflbMeoa13nvTYWZopW5M6Ym81TQGv/awPimMh17sDx9r38bU+kiVs5Y6MVuSQZIRICOtg6cxh5Q+fDzTyirsrctVGdcI96WyW90IwBL2wYI7ntWdNwaAPoTu8OFw0kKW2+JsaNHeXQfGmWZfUtKWIJetnUn22SLAe86J71hFBveVlokehQ7Fcg0MFt2r9mlR0/eP1aWyrN54tyEv5uOekmKE00FN/8PpzgH7qasvRPuuXkotj1gazJYk7Tz0oO9OTM4M/yplrL8fLOwP75Uc5PGGVu3pHmwkfrjhh72V993Su0V3us4p+whv2ItZ/A4O0np9CSvFEJXOS4esCmsXLqr4BbBy2veoxnIiF3MEmEqbkMtgkslnVwM1RVNPCKESxFzu0oU5phyWn0a4JW46g5lx1tm/GWXlHQWa4=,iv:x3+PuXdpZ+SEuqHo7icQVyzGEI3IdEyYjjOFkKbzq2o=,tag:pWoe2PC/tEODmz7o6wcVPQ==,type:str]
 course-management:
     secret-key: ENC[AES256_GCM,data:zMoIj8gjNmLdSbQmFo8n1pDIKaUUMzPfVoKkPlqNtm4=,iv:AM5wwvAFXKVss4N2/lK6bKYHV/4Bv5EOz2MVTxAPF1w=,tag:ARzQUVVjz+HhUT+JAISHkA==,type:str]
     adminpass: ENC[AES256_GCM,data:EariUHHtWirIXuRARj7lEneAOlKcjca9T+J0oH2xPv99w4ac1cRrvEVD,iv:cjC/+AnZdwWXkJOIAE36Hk/if4fqofVFf0H8WkHkRY8=,tag:M+s4hPzSp8eR76M/7TKXPg==,type:str]
@@ -49,8 +49,8 @@ sops:
             c2lzVGV6WnVQT1pOTTVwRUxlMWZobWsK0CrDl2ELoYOTrMt3uN3mgBSyaYqOQY4I
             vBK12PV9FR9GFpKN4kGB03PZ0gV0N1zlcCHpnPCUuHwbCvvF2+vCag==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-18T08:27:50Z"
-    mac: ENC[AES256_GCM,data:mQWvd56PPqQrFWIq5mn4TYJSFoJQOovNsaYg3b0SjK61Jly5Fhdl56BPb5ehlMO8goq9m7v4uxOckKzb2Byps3YqBloszLylJ8ggp4NZvuYpaUs+BAb7Fp1mY++9qf/aUcORqJ6NNn3PbrkzYZpczpjUdruuvrB1i6gu310XHDw=,iv:eSRR8ZR8BiWlLfFjWAwgED4BCLdfsxTbq8gVmSCdvdc=,tag:2jgtZZCVMRjxHaa5Co4EVA==,type:str]
+    lastmodified: "2024-05-19T09:13:57Z"
+    mac: ENC[AES256_GCM,data:LqmR0jd8pD+l45o7cdxnuoDZUSBfPqL6o7AFtEsWeqEYi/Lbv+LLIBXIlUgG2BnOk2d78kmCFGqAl0F8Hi8qohG8Zki4FsHFDnrfXDlRZX+7J3TCvk/TIQ7NHqA1DjPf37WFuJWxUaW7oeeZVyOQ9KFgaenQMBt/eehiHpgBfW0=,iv:z5nD7ntEF3+Op9Dvg2h4jf2MPtfXsgRoH6B8MMi8Ius=,tag:4BmArd9jw1v/6HU7tat4VA==,type:str]
     pgp:
         - created_at: "2024-02-29T15:23:23Z"
           enc: |-

From 7f00d6746ab19d545e5a4d5804689aa21cbe3fec Mon Sep 17 00:00:00 2001
From: quitte <root@quitte>
Date: Sun, 19 May 2024 11:15:07 +0200
Subject: [PATCH 55/67] disable struktur-bot

---
 flake.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/flake.nix b/flake.nix
index 23cd7e0..422d82c 100755
--- a/flake.nix
+++ b/flake.nix
@@ -90,7 +90,7 @@
             ./modules/kanboard.nix
             ./modules/zammad.nix
             ./modules/decisions.nix
-            ./modules/struktur-bot.nix
+            # ./modules/struktur-bot.nix
             {
               nixpkgs.overlays = [ self.overlays.default ];
               sops.defaultSopsFile = ./secrets/quitte.yaml;

From 16f8ec19f987a74903b59d703da8a57c6a5fe644 Mon Sep 17 00:00:00 2001
From: quitte <root@quitte>
Date: Sun, 19 May 2024 11:15:58 +0200
Subject: [PATCH 56/67] firewall: allow ldaps from podman

---
 modules/ldap/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/ldap/default.nix b/modules/ldap/default.nix
index 1701831..b5d1cf7 100644
--- a/modules/ldap/default.nix
+++ b/modules/ldap/default.nix
@@ -93,7 +93,7 @@ in
   };
   networking.firewall = {
     extraInputRules = ''
-      ip saddr { 141.30.86.192/26, 141.76.100.128/25 } tcp dport 636 accept comment "Allow ldaps access from office nets"
+      ip saddr { 141.30.86.192/26, 141.76.100.128/25, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
     '';
   };
 }
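Review bot: `10.88.0.1/16` combines a host address with a /16 prefix; write the network as `10.88.0.0/16` so the intended range is unambiguous rather than relying on nft to mask or reject the host bits. That prefix is presumably podman's default bridge, which means every container on the host — not only the one that needs LDAP — can reach port 636; if only specific containers need it, a dedicated podman network with its own subnet lets the rule stay narrow. Containers started with `--network=host` (as later commits do for decisions and directus) do not source from this range at all, so the rule neither covers nor needs to cover them.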

From c8afe482905ef6ffbdde9cd6c5e6da98d4b339a5 Mon Sep 17 00:00:00 2001
From: quitte <root@quitte>
Date: Sun, 19 May 2024 11:16:49 +0200
Subject: [PATCH 57/67] use podman and kanboard with podman

---
 modules/kanboard.nix     | 78 ++++++++++++++++------------------------
 modules/struktur-bot.nix |  2 +-
 modules/web/ese.nix      |  2 +-
 3 files changed, 33 insertions(+), 49 deletions(-)

diff --git a/modules/kanboard.nix b/modules/kanboard.nix
index 5eb155c..01afbe6 100644
--- a/modules/kanboard.nix
+++ b/modules/kanboard.nix
@@ -1,65 +1,49 @@
-{ pkgs, config, lib, ... }:
+{ config, pkgs, ... }:
 let
   domain = "kanboard.${config.networking.domain}";
   domain_short = "kb.${config.networking.domain}";
-  user = "kanboard";
-  group = "kanboard";
 in
 {
-  users.users.${user} = {
-    group = group;
-    isSystemUser = true;
-  };
-  users.groups.${group} = { };
+  sops.secrets."kanboard_env" = { };
 
-  services.phpfpm.pools.kanboard = {
-    user = "kanboard";
-    group = "kanboard";
-    settings = {
-      "listen.owner" = config.services.nginx.user;
-      "pm" = "dynamic";
-      "pm.max_children" = 32;
-      "pm.max_requests" = 500;
-      "pm.start_servers" = 2;
-      "pm.min_spare_servers" = 2;
-      "pm.max_spare_servers" = 5;
-      "php_admin_value[error_log]" = "stderr";
-      "php_admin_flag[log_errors]" = true;
-      "catch_workers_output" = true;
+
+  # Podman
+  virtualisation.containers.enable = true;
+  virtualisation = {
+    podman = {
+      enable = true;
+
+      # Create a `docker` alias for podman, to use it as a drop-in replacement
+      dockerCompat = true;
+
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+  virtualisation.oci-containers.backend = "podman";
+
+  virtualisation.oci-containers = {
+    containers.kanboard = {
+      image = "ghcr.io/kanboard/kanboard:v1.2.35";
+      volumes = [
+        "kanboard_data:/var/www/app/data"
+        "kanboard_plugins:/var/www/app/plugins"
+      ];
+      ports = [ "127.0.0.1:8045:80" ];
+      environmentFiles = [
+        config.sops.secrets."kanboard_env".path
+      ];
     };
-    phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
   };
 
-
-
-  services.nginx.enable = true;
   services.nginx = {
     virtualHosts."${domain_short}" = {
       locations."/".return = "301 $scheme://${domain}$request_uri";
     };
 
     virtualHosts."${domain}" = {
-      root = "/srv/web/kanboard";
-      extraConfig = ''
-        index index.html index.php;
-      '';
-
-      locations = {
-        "/" = {
-          tryFiles = "$uri $uri/ =404";
-        };
-        "~ \.php$" = {
-          extraConfig = ''
-            try_files $uri =404;
-            fastcgi_pass unix:${config.services.phpfpm.pools.kanboard.socket};
-            fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            fastcgi_index index.php;
-            include ${pkgs.nginx}/conf/fastcgi_params;
-            include ${pkgs.nginx}/conf/fastcgi.conf;
-            fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
-          '';
-        };
-        "/data".return = "403";
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8045";
       };
     };
   };
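Review bot: `image = "ghcr.io/kanboard/kanboard:v1.2.35"` pins a mutable tag, so what actually runs after a pull can change without any change in this repository; pin the digest too, e.g. `image = "ghcr.io/kanboard/kanboard:v1.2.35@sha256:<IMAGE-DIGEST>";` with the digest taken from the registry at update time. The removed nginx rule `"/data".return = "403"` was what kept `/data` from being served; after this change that depends entirely on the image's own web server configuration, which is worth confirming. The new proxy location sets no forwarded headers, so unless `services.nginx.recommendedProxySettings` is enabled in core/nginx.nix, Kanboard behind TLS may generate plain-http URLs — confirm.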
diff --git a/modules/struktur-bot.nix b/modules/struktur-bot.nix
index 4361dd4..9773474 100644
--- a/modules/struktur-bot.nix
+++ b/modules/struktur-bot.nix
@@ -1,7 +1,7 @@
 { config, pkgs, ... }:
 {
   sops.secrets."strukturbot_env" = { };
-  virtualisation.docker.daemon.settings.dns = [ "141.30.1.1" "141.76.14.1" ];
+  # virtualisation.docker.daemon.settings.dns = [ "141.30.1.1" "141.76.14.1" ];
   virtualisation.oci-containers = {
     containers.struktur-bot = {
       image = "struktur-bot";
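Review bot: The commented-out `virtualisation.docker.daemon.settings.dns` line is dead configuration: if the container needed those resolvers, nothing in the podman setup replaces them, and if it does not, the line should be deleted rather than kept as a comment. This module is also no longer imported (flake.nix in PATCH 55), so the change has no effect on the deployed system until the import is restored.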
diff --git a/modules/web/ese.nix b/modules/web/ese.nix
index 31ca66c..f55430c 100644
--- a/modules/web/ese.nix
+++ b/modules/web/ese.nix
@@ -7,7 +7,7 @@ in
   sops.secrets."directus_env" = { };
   environment.systemPackages = [ pkgs.nodejs_21 ];
   virtualisation.oci-containers = {
-    backend = "docker";
+    # backend = "docker";
     containers.directus-ese = {
       image = "directus/directus:latest";
       volumes = [

From b34c53ddf8db360acf161e43f6c9b0d949b5859f Mon Sep 17 00:00:00 2001
From: quitte <root@quitte>
Date: Sun, 19 May 2024 11:21:30 +0200
Subject: [PATCH 58/67] podman: conf in extra file

---
 modules/core/default.nix |  1 +
 modules/core/podman.nix  | 17 +++++++++++++++++
 modules/kanboard.nix     | 18 +-----------------
 3 files changed, 19 insertions(+), 17 deletions(-)
 create mode 100644 modules/core/podman.nix

diff --git a/modules/core/default.nix b/modules/core/default.nix
index 8fb9099..de763c0 100755
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@@ -7,6 +7,7 @@
     ./initrd-ssh.nix
     ./mysql.nix
     ./nginx.nix
+    ./podman.nix
     ./postgres.nix
     ./sssd.nix
     ./zsh.nix
diff --git a/modules/core/podman.nix b/modules/core/podman.nix
new file mode 100644
index 0000000..ecf0443
--- /dev/null
+++ b/modules/core/podman.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+{
+  # From: https://nixos.wiki/wiki/Podman
+  virtualisation.containers.enable = true;
+  virtualisation = {
+    podman = {
+      enable = true;
+
+      # Create a `docker` alias for podman, to use it as a drop-in replacement
+      dockerCompat = true;
+
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+  virtualisation.oci-containers.backend = "podman";
+}
\ No newline at end of file
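Review bot: `config` is bound in the module arguments but not used anywhere in the file, and `pkgs` is unused as well in this commit; drop unused arguments so the file does not read as though it depends on them. The file is also missing a trailing newline (`\ No newline at end of file`). `dockerCompat = true` only provides the `docker` CLI alias described in the comment, which is the right default here — no Docker-compatible socket is exposed by this file.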
diff --git a/modules/kanboard.nix b/modules/kanboard.nix
index 01afbe6..e80cb69 100644
--- a/modules/kanboard.nix
+++ b/modules/kanboard.nix
@@ -5,23 +5,7 @@ let
 in
 {
   sops.secrets."kanboard_env" = { };
-
-
-  # Podman
-  virtualisation.containers.enable = true;
-  virtualisation = {
-    podman = {
-      enable = true;
-
-      # Create a `docker` alias for podman, to use it as a drop-in replacement
-      dockerCompat = true;
-
-      # Required for containers under podman-compose to be able to talk to each other.
-      defaultNetwork.settings.dns_enabled = true;
-    };
-  };
-  virtualisation.oci-containers.backend = "podman";
-
+  
   virtualisation.oci-containers = {
     containers.kanboard = {
       image = "ghcr.io/kanboard/kanboard:v1.2.35";
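Review bot: The added line `+  ` at the top of the hunk carries trailing whitespace where an empty line is meant; replace it with a truly empty line. Otherwise the hunk only moves the podman setup out to core/podman.nix, which is fine.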

From bb697f3a50f6d2ec89f7def913a2b2fbe9c36181 Mon Sep 17 00:00:00 2001
From: quitte <root@quitte>
Date: Sun, 19 May 2024 11:25:03 +0200
Subject: [PATCH 59/67] decisions: use port mapping insted of network mode=host

---
 modules/decisions.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/decisions.nix b/modules/decisions.nix
index a235f9d..75c9c27 100644
--- a/modules/decisions.nix
+++ b/modules/decisions.nix
@@ -10,10 +10,10 @@ in
       volumes = [
         "/var/lib/nextcloud/data/root/files/FSR/protokolle:/protokolle:ro"
       ];
+      ports = [ "127.0.0.1:5055:5055" ];
       environmentFiles = [
         config.sops.secrets."decisions_env".path
       ];
-      extraOptions = [ "--network=host" ];
     };
   };
 

From 616b3c64f76fbd01d71bf7770f0c4403471de845 Mon Sep 17 00:00:00 2001
From: quitte <root@quitte>
Date: Sun, 19 May 2024 11:25:15 +0200
Subject: [PATCH 60/67] ese directus: use port mapping insted of network
 mode=host

---
 modules/web/ese.nix | 2 --
 1 file changed, 2 deletions(-)

diff --git a/modules/web/ese.nix b/modules/web/ese.nix
index f55430c..9398b48 100644
--- a/modules/web/ese.nix
+++ b/modules/web/ese.nix
@@ -7,7 +7,6 @@ in
   sops.secrets."directus_env" = { };
   environment.systemPackages = [ pkgs.nodejs_21 ];
   virtualisation.oci-containers = {
-    # backend = "docker";
     containers.directus-ese = {
       image = "directus/directus:latest";
       volumes = [
@@ -15,7 +14,6 @@ in
         "/srv/web/directus-ese/database:/directus/database"
       ];
       ports = [ "127.0.0.1:8055:8055" ];
-      extraOptions = [ "--network=host" ];
       environment = {
         "DB_CLIENT" = "pg";
         "DB_HOST" = "localhost";

From c7f3120c9d76b81bb4d80a77098f5a1b484b80f1 Mon Sep 17 00:00:00 2001
From: quitte <root@quitte>
Date: Sun, 19 May 2024 11:29:25 +0200
Subject: [PATCH 61/67] kanboard: update

---
 modules/kanboard.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/kanboard.nix b/modules/kanboard.nix
index e80cb69..9edc86a 100644
--- a/modules/kanboard.nix
+++ b/modules/kanboard.nix
@@ -8,7 +8,7 @@ in
   
   virtualisation.oci-containers = {
     containers.kanboard = {
-      image = "ghcr.io/kanboard/kanboard:v1.2.35";
+      image = "ghcr.io/kanboard/kanboard:v1.2.36";
       volumes = [
         "kanboard_data:/var/www/app/data"
         "kanboard_plugins:/var/www/app/plugins"

From 68138c0a31c886e4979bba4b14008fe5b7640f00 Mon Sep 17 00:00:00 2001
From: quitte <root@quitte>
Date: Sun, 19 May 2024 11:34:46 +0200
Subject: [PATCH 62/67] podman: add dive and podman-tui

---
 modules/core/podman.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/modules/core/podman.nix b/modules/core/podman.nix
index ecf0443..ad47b5b 100644
--- a/modules/core/podman.nix
+++ b/modules/core/podman.nix
@@ -14,4 +14,13 @@
     };
   };
   virtualisation.oci-containers.backend = "podman";
+
+
+  # Useful otherdevelopment tools
+  environment.systemPackages = with pkgs; [
+    dive # look into docker image layers
+    podman-tui # status of containers in the terminal
+    #docker-compose # start group of containers for dev
+    #podman-compose # start group of containers for dev
+  ];
 }
\ No newline at end of file
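Review bot: The comment `# Useful otherdevelopment tools` has a typo; `# Useful other development tools`. The file still ends without a trailing newline. The commented-out `docker-compose`/`podman-compose` entries are fine as a record, but a few words on why they are disabled would save the next reader a guess.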

From 1c8fe9ec6634c671c2f1bd581ce65abf186cba2f Mon Sep 17 00:00:00 2001
From: quitte <root@quitte>
Date: Sun, 19 May 2024 11:38:58 +0200
Subject: [PATCH 63/67] directus: undo network port mapping: for host db access
 network mode host required

---
 modules/web/ese.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/web/ese.nix b/modules/web/ese.nix
index 9398b48..780ad13 100644
--- a/modules/web/ese.nix
+++ b/modules/web/ese.nix
@@ -13,7 +13,7 @@ in
         "/srv/web/directus-ese/uploads:/directus/uploads"
         "/srv/web/directus-ese/database:/directus/database"
       ];
-      ports = [ "127.0.0.1:8055:8055" ];
+      extraOptions = [ "--network=host" ];
       environment = {
         "DB_CLIENT" = "pg";
         "DB_HOST" = "localhost";
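Review bot: `extraOptions = [ "--network=host" ]` puts the container into the host's network namespace: it can reach every host-bound listener, including the 127.0.0.1-only ones such as kanboard on 8045 and the database, and its own port is exposed on every host interface with only the firewall in the way, whereas the reverted `ports = [ "127.0.0.1:8055:8055" ]` limited it to loopback. The same applies to decisions.nix in the hunk ending at L2884. The stated reason is database access via `DB_HOST = "localhost"`; an alternative that keeps the loopback port mapping is to let PostgreSQL listen on the podman bridge address and set `DB_HOST` to `host.containers.internal` (podman's name for the host), with a matching pg_hba entry for the 10.88.0.0/16 range the firewall commit already trusts for LDAP. If host networking stays, confirm the host firewall does not expose 8055 and 5055 externally.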

From 66519d8196771855eac47ac591680f2517e7915f Mon Sep 17 00:00:00 2001
From: quitte <root@quitte>
Date: Sun, 19 May 2024 11:41:38 +0200
Subject: [PATCH 64/67] decisions: set network mode host

---
 modules/decisions.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/decisions.nix b/modules/decisions.nix
index 75c9c27..a95bd85 100644
--- a/modules/decisions.nix
+++ b/modules/decisions.nix
@@ -10,7 +10,7 @@ in
       volumes = [
         "/var/lib/nextcloud/data/root/files/FSR/protokolle:/protokolle:ro"
       ];
-      ports = [ "127.0.0.1:5055:5055" ];
+      extraOptions = [ "--network=host" ];
       environmentFiles = [
         config.sops.secrets."decisions_env".path
       ];

From 6a8559fb33d21a44199c886f7f3911c2915f55c6 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Sat, 25 May 2024 15:35:35 +0200
Subject: [PATCH 65/67] nix: flake update

---
 flake.lock | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/flake.lock b/flake.lock
index 2b193ba..37b4e24 100644
--- a/flake.lock
+++ b/flake.lock
@@ -145,11 +145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1715483403,
-        "narHash": "sha256-WMDuQj7J5jbpXI/X/E6FZRKgBFGcaSTvYyVxPnKE6KU=",
+        "lastModified": 1716170277,
+        "narHash": "sha256-fCAiox/TuzWGVaAz16PxrR4Jtf9lN5dwWL2W74DS0yI=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "f9027322f48b427da23746aa359a6510dfcd0228",
+        "rev": "e0638db3db43b582512a7de8c0f8363a162842b9",
         "type": "github"
       },
       "original": {
@@ -160,11 +160,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1715542476,
-        "narHash": "sha256-FF593AtlzQqa8JpzrXyRws4CeKbc5W86o8tHt4nRfIg=",
+        "lastModified": 1716361217,
+        "narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "44072e24566c5bcc0b7aa9178a0104f4cfffab19",
+        "rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
         "type": "github"
       },
       "original": {
@@ -176,11 +176,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1715458492,
-        "narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
+        "lastModified": 1716061101,
+        "narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8e47858badee5594292921c2668c11004c3b0142",
+        "rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
         "type": "github"
       },
       "original": {
@@ -192,11 +192,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1715534503,
-        "narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=",
+        "lastModified": 1716509168,
+        "narHash": "sha256-4zSIhSRRIoEBwjbPm3YiGtbd8HDWzFxJjw5DYSDy1n8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2057814051972fa1453ddfb0d98badbea9b83c06",
+        "rev": "bfb7a882678e518398ce9a31a881538679f6f092",
         "type": "github"
       },
       "original": {
@@ -286,11 +286,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1715482972,
-        "narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
+        "lastModified": 1716400300,
+        "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
+        "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
         "type": "github"
       },
       "original": {

From 05152b6db431b398b5317db5cf0e9a519ee19b30 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Sat, 25 May 2024 15:36:33 +0200
Subject: [PATCH 66/67] web: init crimecampus

---
 modules/web/crimecampus.nix | 7 +++++++
 modules/web/default.nix     | 1 +
 2 files changed, 8 insertions(+)
 create mode 100644 modules/web/crimecampus.nix

diff --git a/modules/web/crimecampus.nix b/modules/web/crimecampus.nix
new file mode 100644
index 0000000..9f9e3ba
--- /dev/null
+++ b/modules/web/crimecampus.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... }:
+let
+  domain = "cc.${config.networking.domain}";
+in
+{
+    services.nginx.virtualHosts."${domain}".root = "/srv/web/regex";
+}
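Review bot: `pkgs` is bound in the module arguments but unused, and the body is indented four spaces where the rest of the repository uses two. The domain is `cc.` but the document root is `/srv/web/regex`, which reads like a leftover from another site — confirm the path. Other vhosts in this repo show no `forceSSL`/`enableACME` either, so presumably TLS defaults come from core/nginx.nix; if not, this host is served over plain HTTP.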
diff --git a/modules/web/default.nix b/modules/web/default.nix
index 262ea0b..c50add9 100644
--- a/modules/web/default.nix
+++ b/modules/web/default.nix
@@ -1,6 +1,7 @@
 { ... }:
 {
   imports = [
+    ./crimecampus.nix
     ./ifsrde.nix
     ./ese.nix
     ./infoscreen.nix

From df66ad38705dabae7234b7b23e1619160013f841 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Thu, 11 Apr 2024 15:31:31 +0200
Subject: [PATCH 67/67] forgejo: initial runner configuration

---
 modules/forgejo/actions.nix | 19 +++++++++++++++++++
 modules/forgejo/default.nix |  6 +++---
 2 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 modules/forgejo/actions.nix

diff --git a/modules/forgejo/actions.nix b/modules/forgejo/actions.nix
new file mode 100644
index 0000000..84caf32
--- /dev/null
+++ b/modules/forgejo/actions.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+{
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+    instances."quitte" = {
+      enable = true;
+      labels = [
+        # provide a debian base with nodejs for actions
+        "debian-latest:docker://node:18-bullseye"
+        # fake the ubuntu name, because node provides no ubuntu builds
+        "ubuntu-latest:docker://node:18-bullseye"
+        # provide native execution on the host
+        "native:host"
+      ];
+      #TODO get a token from git.ifsr.de and use it
+      # tokenfile = /"dev/null";
+    };
+  };
+}
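Review bot: `instances."quitte"` is enabled but sets neither `url` nor `tokenFile`, both of which `services.gitea-actions-runner` requires without defaults, so importing this file (default.nix hunk ending at L3067) should fail evaluation until they are set — and the commented `tokenfile = /"dev/null"` has the wrong option case and a malformed path. Store the registration token as a sops secret like the rest of the repo, e.g. `tokenFile = config.sops.secrets.<runner-token-secret>.path;` with `config` added to the arguments. The `native:host` label runs jobs directly on the host with the runner's privileges, so any repository whose workflows can select that label gets code execution on quitte outside a container; unless that is intended for trusted repositories only, drop it. The `docker://` labels need a Docker-compatible socket, which with podman as the container backend means `virtualisation.podman.dockerSocket.enable = true` and access to it for the runner — confirm it is configured somewhere.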
diff --git a/modules/forgejo/default.nix b/modules/forgejo/default.nix
index c28f2a5..4e55c9b 100644
--- a/modules/forgejo/default.nix
+++ b/modules/forgejo/default.nix
@@ -4,9 +4,9 @@ let
   gitUser = "git";
 in
 {
-  # imports = [
-  #   ./actions.nix
-  # ];
+  imports = [
+    ./actions.nix
+  ];
   sops.secrets.gitea_ldap_search = {
     key = "portunus/search-password";
     owner = config.services.forgejo.user;