Compare commits
428 commits
nix-remote
...
main
Author | SHA1 | Date | |
---|---|---|---|
Rouven Seifert | 48c04ce61e | ||
Rouven Seifert | d075afaac5 | ||
Rouven Seifert | 8e3a5b0ff3 | ||
Rouven Seifert | 06281a1432 | ||
Lyn Fugmann | 97cb91d703 | ||
Rouven Seifert | c442ea54a4 | ||
Rouven Seifert | ae4fcb60cc | ||
Jonas Gaffke | e8e71eda7c | ||
Rouven Seifert | 4d5e2ae3eb | ||
2fa18c816d | |||
Rouven Seifert | dd9aaba3ef | ||
Rouven Seifert | 37bf91a57a | ||
Rouven Seifert | 6fa82f7453 | ||
Rouven Seifert | f518bd545d | ||
Rouven Seifert | 3d0f3cfa21 | ||
Rouven Seifert | fb0b36b200 | ||
Rouven Seifert | 7d69600115 | ||
Rouven Seifert | efc38dac8f | ||
Lyn Fugmann | ea8efc298d | ||
Lyn Fugmann | 7c86415c50 | ||
Lyn Fugmann | 9662b35f42 | ||
Lyn Fugmann | 161a4ae838 | ||
Rouven Seifert | fcffa5f79c | ||
Rouven Seifert | 0d9bd777c8 | ||
Rouven Seifert | e80eb649ca | ||
Rouven Seifert | af3c401cf6 | ||
Rouven Seifert | c25d9d3f9e | ||
Jonas Gaffke | d4ae4d1743 | ||
Rouven Seifert | 4e99931626 | ||
Rouven Seifert | f6cda1a4fc | ||
Rouven Seifert | 74f8e85f51 | ||
Rouven Seifert | f5cf94d257 | ||
Rouven Seifert | ec5f15946e | ||
Rouven Seifert | c2149ec639 | ||
Rouven Seifert | d2c543fc07 | ||
Rouven Seifert | ed3e8de2cb | ||
Rouven Seifert | 6e2b0d262f | ||
Rouven Seifert | f83abbfe8d | ||
Rouven Seifert | e10b491cdf | ||
ddecabc25f | |||
776f860a92 | |||
Jonas Gaffke | e84a83e305 | ||
Rouven Seifert | 643f92dfc5 | ||
Rouven Seifert | 805484dd0b | ||
Rouven Seifert | 173d5e693d | ||
Rouven Seifert | fc01acbc46 | ||
Lyn Fugmann | 096a04e00c | ||
Rouven Seifert | 8177e8407a | ||
Rouven Seifert | 46b0bfaa8d | ||
Jonas Gaffke | c98206231c | ||
Rouven Seifert | f54d5fd867 | ||
Rouven Seifert | 5286041789 | ||
703002d148 | |||
382bbc6601 | |||
6416be37f5 | |||
23a5062f7b | |||
a6ada675df | |||
Rouven Seifert | e470b83cb6 | ||
c1a0b67261 | |||
Rouven Seifert | 0d0512a539 | ||
Rouven Seifert | c4d2b5fd08 | ||
Rouven Seifert | c5cc3bd8b8 | ||
Jonas Gaffke | 923d8a8697 | ||
Rouven Seifert | a506e7d550 | ||
Rouven Seifert | 62b344a2c2 | ||
Rouven Seifert | 72566b656a | ||
ab1e4d10ee | |||
f268507d85 | |||
Rouven Seifert | df82b2e35b | ||
Rouven Seifert | 7d1cf705ee | ||
Rouven Seifert | 697df17b33 | ||
Rouven Seifert | 530570699a | ||
Rouven Seifert | 3fae2321f3 | ||
Rouven Seifert | 00104e593c | ||
Rouven Seifert | 33497714db | ||
Rouven Seifert | d7389d41da | ||
Lyn Fugmann | 42b3613b95 | ||
Rouven Seifert | 799c9a67ff | ||
Rouven Seifert | 6d6e00f5bf | ||
Rouven Seifert | 49d48dc8d4 | ||
Rouven Seifert | 7a9e841a5f | ||
Rouven Seifert | 85f8932908 | ||
Rouven Seifert | 21a1000dad | ||
Rouven Seifert | fe5836b8c9 | ||
Rouven Seifert | 340781cafd | ||
Rouven Seifert | 2fc48b6708 | ||
Rouven Seifert | 3480be73ef | ||
Rouven Seifert | e027043637 | ||
Rouven Seifert | 4a2984115f | ||
Rouven Seifert | 8426ca4c6a | ||
Rouven Seifert | d2e06a075e | ||
Rouven Seifert | 4df70a68cc | ||
Rouven Seifert | b8c52bf8f4 | ||
Rouven Seifert | 6814cd7485 | ||
Rouven Seifert | 5a3fdbb77e | ||
Rouven Seifert | 033e1fad2d | ||
Rouven Seifert | a971e3f100 | ||
Rouven Seifert | a0cb59cd48 | ||
Rouven Seifert | d01694587a | ||
Rouven Seifert | fe1add7e9d | ||
Rouven Seifert | ef50b987a4 | ||
Rouven Seifert | 97de6f6489 | ||
Rouven Seifert | 54a86b59ed | ||
Rouven Seifert | 121f077fd0 | ||
Rouven Seifert | f1c3ecffe2 | ||
Rouven Seifert | 059a4ebf0e | ||
Rouven Seifert | 05152b6db4 | ||
Rouven Seifert | 6a8559fb33 | ||
66519d8196 | |||
1c8fe9ec66 | |||
68138c0a31 | |||
c7f3120c9d | |||
616b3c64f7 | |||
bb697f3a50 | |||
b34c53ddf8 | |||
c8afe48290 | |||
16f8ec19f9 | |||
7f00d6746a | |||
Jonas Gaffke | 0c19d4e565 | ||
Jonas Gaffke | fa964bf950 | ||
Rouven Seifert | 727f5464ae | ||
Rouven Seifert | f5f4bf1b24 | ||
Rouven Seifert | b70c5b14b3 | ||
Rouven Seifert | 763a71c93f | ||
Rouven Seifert | 071c0aa464 | ||
Rouven Seifert | c595af81e7 | ||
Rouven Seifert | 077138401e | ||
Rouven Seifert | cb828a2188 | ||
Rouven Seifert | 7b7e8858cf | ||
Rouven Seifert | f40e47f871 | ||
Rouven Seifert | 7c87808bc1 | ||
Rouven Seifert | 8ea250e387 | ||
Rouven Seifert | a339235b33 | ||
Rouven Seifert | 02535cca08 | ||
Rouven Seifert | 5384918ce6 | ||
Rouven Seifert | 6abc1e75b9 | ||
Rouven Seifert | 395ca48ac0 | ||
Rouven Seifert | 6a2bcecb5e | ||
Rouven Seifert | a832b8d2a5 | ||
Rouven Seifert | 2c4be79f32 | ||
Rouven Seifert | 5294cd68f8 | ||
Rouven Seifert | 4fa9a2fe7d | ||
Rouven Seifert | 5930da6bdf | ||
Rouven Seifert | 81ac3b4c0d | ||
Jonas Gaffke | 7630dc4494 | ||
Jonas Gaffke | 993a554396 | ||
Rouven Seifert | bdc6185fce | ||
Rouven Seifert | 197956ea90 | ||
1f4e9a620b | |||
ab5df354ff | |||
cf7ff37367 | |||
f0c73a1763 | |||
d92eff80ce | |||
d1147621e1 | |||
3f47b32983 | |||
7526b9273b | |||
795e3db47f | |||
Rouven Seifert | 126cff2263 | ||
9327314ec9 | |||
Rouven Seifert | d03f4c6fb1 | ||
Rouven Seifert | ebe977672a | ||
Rouven Seifert | 579ad274d5 | ||
Rouven Seifert | 15299bcb99 | ||
Rouven Seifert | d5ab09207a | ||
Rouven Seifert | 375674b1b4 | ||
Rouven Seifert | 6cd1ba6aa5 | ||
Rouven Seifert | 08893439e7 | ||
Rouven Seifert | 0d4283f109 | ||
Rouven Seifert | ceca1b3798 | ||
Rouven Seifert | 3a47c43741 | ||
Rouven Seifert | f24793bbb6 | ||
Rouven Seifert | 5b95918c29 | ||
Rouven Seifert | 83db5399d7 | ||
Rouven Seifert | 4b173581dc | ||
Rouven Seifert | be638b274d | ||
Rouven Seifert | c534e2a8e1 | ||
Rouven Seifert | c04bef7173 | ||
Rouven Seifert | 65253342a6 | ||
Lyn Fugmann | cc98ba62b3 | ||
Rouven Seifert | 5edc459dba | ||
Jonas Gaffke | 8606e89c03 | ||
Rouven Seifert | 31901ddffe | ||
Rouven Seifert | a87ecffa6b | ||
Rouven Seifert | 3b48a937c8 | ||
Rouven Seifert | 9dd71f8b8c | ||
Rouven Seifert | 913f410813 | ||
Rouven Seifert | a0132fa7cf | ||
Rouven Seifert | b12ed4b803 | ||
Rouven Seifert | 2d03a3dffd | ||
Rouven Seifert | 58e9794dff | ||
Rouven Seifert | 7e03d4574f | ||
Rouven Seifert | aa86572079 | ||
Rouven Seifert | 6bfd7c8e9c | ||
Rouven Seifert | d482e15bcb | ||
Rouven Seifert | 4334b5ef50 | ||
Rouven Seifert | f2af8d0a75 | ||
e18a99c452 | |||
Rouven Seifert | 4a33da7ec2 | ||
Rouven Seifert | 4f1f88a779 | ||
Rouven Seifert | bedee4f90c | ||
Rouven Seifert | d086eed901 | ||
Rouven Seifert | 3be5380c58 | ||
Rouven Seifert | ddd2514cdb | ||
Rouven Seifert | 632578f5b5 | ||
Jonas Gaffke | ba2f0fb86b | ||
Rouven Seifert | cf49b8dd13 | ||
30b4bf9540 | |||
Rouven Seifert | 1e689b6c40 | ||
Rouven Seifert | da871679f4 | ||
Rouven Seifert | d3da0eab79 | ||
Rouven Seifert | 66a554a13b | ||
Rouven Seifert | d1c2ece3ea | ||
Rouven Seifert | 7023c328d9 | ||
Rouven Seifert | 39320d987c | ||
Rouven Seifert | fea01b0b2e | ||
Rouven Seifert | 527651706e | ||
Rouven Seifert | 01bcc9ecad | ||
Rouven Seifert | b429e6468f | ||
Rouven Seifert | 71fdea75be | ||
Rouven Seifert | 3979e9b2b9 | ||
Rouven Seifert | 736c84cce9 | ||
Rouven Seifert | 05a5e085d8 | ||
Rouven Seifert | d1fca836b9 | ||
Rouven Seifert | 8fe2173040 | ||
Rouven Seifert | b9559cf5ce | ||
Rouven Seifert | c04e11a958 | ||
Lyn Fugmann | 71cb425527 | ||
Rouven Seifert | 08e43cf903 | ||
Rouven Seifert | 1955aa3cb2 | ||
Rouven Seifert | c36a242b35 | ||
Lyn Fugmann | 2d7ed61384 | ||
Rouven Seifert | 71bc8234a2 | ||
Rouven Seifert | 8e8cc54f75 | ||
Rouven Seifert | a1bfa3f7e1 | ||
Rouven Seifert | b454ad2437 | ||
Rouven Seifert | a3e15cc105 | ||
Rouven Seifert | 4e1cf47b7b | ||
Rouven Seifert | 1e47c01032 | ||
Rouven Seifert | d611cc5a26 | ||
Rouven Seifert | 017a807a7c | ||
Rouven Seifert | 02e661890a | ||
Lyn Fugmann | 0cf95c4c34 | ||
Lyn Fugmann | 4f5148fbf4 | ||
Lyn Fugmann | 7f70ae990c | ||
Rouven Seifert | b3ee1d8e23 | ||
Rouven Seifert | ae74749c28 | ||
Rouven Seifert | 794b565e07 | ||
Rouven Seifert | a364e28bb8 | ||
Rouven Seifert | e4bb60adff | ||
Rouven Seifert | 522351905c | ||
Rouven Seifert | be6fbd9d67 | ||
Rouven Seifert | f9fca746f7 | ||
Rouven Seifert | 7b37644a5b | ||
Rouven Seifert | d84ad31126 | ||
Rouven Seifert | 22ca2010a0 | ||
Rouven Seifert | 813628aea4 | ||
Rouven Seifert | fecff52804 | ||
8846096ce7 | |||
a97f94e4b1 | |||
Rouven Seifert | ca6c2f81d0 | ||
Rouven Seifert | 8d081ce157 | ||
Rouven Seifert | f3585fcc97 | ||
Jonas Gaffke | b9a216ad59 | ||
ef42822101 | |||
bf6585a833 | |||
594e672df4 | |||
Rouven Seifert | 6d6585c78f | ||
Jonas Gaffke | 81a83d7989 | ||
Rouven Seifert | 826758e138 | ||
Jonas Gaffke | cd10890f1b | ||
Rouven Seifert | 7e2dc399bb | ||
Rouven Seifert | 175e2750ce | ||
Rouven Seifert | 948570032b | ||
Rouven Seifert | 2e5f4fbe23 | ||
Rouven Seifert | e198002d60 | ||
Rouven Seifert | e70b57490e | ||
Jonas Gaffke | 5b2ca5141c | ||
Rouven Seifert | c0c9249e5a | ||
Rouven Seifert | e1325a329a | ||
Jonas Gaffke | 454394981e | ||
Rouven Seifert | dbe12fbfeb | ||
Jonas Gaffke | cc09c14143 | ||
Rouven Seifert | 4177a2ba0a | ||
Rouven Seifert | b8c31b4e4a | ||
Rouven Seifert | ccd6290fb7 | ||
Rouven Seifert | 48683c6b2f | ||
Rouven Seifert | 6b541c0fac | ||
Rouven Seifert | a9f6bc3ed0 | ||
Rouven Seifert | 0e2d68fb26 | ||
Rouven Seifert | 583990556e | ||
Lyn Fugmann | 316ffbb9e0 | ||
Rouven Seifert | 4d0edc7280 | ||
Rouven Seifert | 69553c0645 | ||
Rouven Seifert | ffeb47cd5e | ||
Rouven Seifert | 93baff94f1 | ||
Rouven Seifert | 01f5df464f | ||
Rouven Seifert | d30e35cd8f | ||
Rouven Seifert | 1d4da79c16 | ||
Rouven Seifert | 94c2a2de5d | ||
Rouven Seifert | d6571ac695 | ||
Rouven Seifert | 0084a02568 | ||
Rouven Seifert | bde7d0b3d4 | ||
Jonas Gaffke | 9f465f4f66 | ||
693154fe1a | |||
Rouven Seifert | dd99021da1 | ||
Rouven Seifert | 98f0e6e491 | ||
Jonas Gaffke | 2ed00fb4c0 | ||
Jonas Gaffke | a336061b1d | ||
Rouven Seifert | 83a668b9f0 | ||
Rouven Seifert | 68202e2d64 | ||
Rouven Seifert | 86cd033cba | ||
Rouven Seifert | 665c69ca20 | ||
Jonas Gaffke | eb3eb02a53 | ||
Rouven Seifert | 3f4c304bc9 | ||
Rouven Seifert | 0330129ec2 | ||
Rouven Seifert | b8e950d5d0 | ||
Rouven Seifert | 956ce2fb35 | ||
Rouven Seifert | 12fd11d18e | ||
Rouven Seifert | 11bdb6b8f7 | ||
Jonas Gaffke | cc39b86e78 | ||
Jonas Gaffke | 956908e981 | ||
Jonas Gaffke | 9607dd1b54 | ||
Jonas Gaffke | 3aeec71dd4 | ||
Jonas Gaffke | 5ce0b2d4ec | ||
Rouven Seifert | 7022528b62 | ||
Rouven Seifert | 02de2df6d3 | ||
Rouven Seifert | f57babf97c | ||
Rouven Seifert | 8acfe6ee0c | ||
Rouven Seifert | 42c2cce513 | ||
Rouven Seifert | 63551dd42a | ||
Rouven Seifert | 0809f266fc | ||
Rouven Seifert | 4e569a8f7b | ||
Rouven Seifert | 2eb832c8a9 | ||
Rouven Seifert | 1789ac741d | ||
Rouven Seifert | 220136af25 | ||
Rouven Seifert | 3ee4380328 | ||
Rouven Seifert | a16337f84f | ||
Rouven Seifert | 7d4a6e08ef | ||
Rouven Seifert | 2b5706b987 | ||
Rouven Seifert | fd5e0108f6 | ||
Rouven Seifert | 2d73376a60 | ||
Lyn Fugmann | 964183a0e7 | ||
Rouven Seifert | 549fffcab2 | ||
Rouven Seifert | 8b9099fe04 | ||
Rouven Seifert | 7197d6b2e2 | ||
Rouven Seifert | 71f197c2f5 | ||
Rouven Seifert | e86fdf1819 | ||
Rouven Seifert | e04914e30d | ||
Lyn Fugmann | b972d22997 | ||
8a8af52ec7 | |||
Rouven Seifert | 65b2bff6b1 | ||
Rouven Seifert | 127ab9d92e | ||
Rouven Seifert | 4324dceddc | ||
Rouven Seifert | 7ad0c7d98e | ||
Rouven Seifert | 121a9f001e | ||
Lyn Fugmann | fe946150d7 | ||
Rouven Seifert | 87a5486114 | ||
Rouven Seifert | 075bc2b6fa | ||
Lyn Fugmann | 3e70f7a0fc | ||
Rouven Seifert | fd9e9c8b0b | ||
Rouven Seifert | 2496192efc | ||
Jonas Gaffke | 5de01790c4 | ||
Jonas Gaffke | 0dab62ebff | ||
Lyn Fugmann | 7e17d77b1d | ||
Rouven Seifert | faddb9ea87 | ||
Rouven Seifert | 0eeac8391d | ||
Rouven Seifert | 85e6ebbc29 | ||
Rouven Seifert | a9d4543da7 | ||
Rouven Seifert | c038ea7ed9 | ||
Rouven Seifert | dd50175c58 | ||
Rouven Seifert | 245d5bc498 | ||
Rouven Seifert | 9a5d048676 | ||
Rouven Seifert | 7b3925deca | ||
Rouven Seifert | 6e269d8dc7 | ||
Rouven Seifert | 8eaf733126 | ||
Rouven Seifert | 0899143b8c | ||
Rouven Seifert | 303888dfd9 | ||
Rouven Seifert | 75be7e22a3 | ||
Rouven Seifert | 5171b2f443 | ||
5270ab09e6 | |||
Rouven Seifert | 3763b8b106 | ||
Rouven Seifert | a8d1444ef9 | ||
Rouven Seifert | 0712f02d40 | ||
2058b8f955 | |||
Rouven Seifert | c360abe7d9 | ||
Rouven Seifert | 5d01d02db4 | ||
Rouven Seifert | ddc7179312 | ||
94c9be356c | |||
5bdd64666f | |||
Rouven Seifert | 58acf5b98a | ||
8c7ffab70e | |||
Rouven Seifert | e5b9d8b944 | ||
Rouven Seifert | 3d18969471 | ||
Rouven Seifert | 5820741dd2 | ||
Lyn Fugmann | d48fb6c13a | ||
Rouven Seifert | 23fb7747fb | ||
a9c8c03f08 | |||
Rouven Seifert | 39db962a2c | ||
Rouven Seifert | 0f0b183f5a | ||
6d277b6814 | |||
Rouven Seifert | a2f49374e7 | ||
Rouven Seifert | 55d7d67668 | ||
3c17c0ad6a | |||
Rouven Seifert | a5d29c3338 | ||
Lyn Fugmann | 7d7ac6c571 | ||
Rouven Seifert | 8908b3bbff | ||
Rouven Seifert | e4b26a640b | ||
Rouven Seifert | aa1f91c5b4 | ||
Rouven Seifert | 201fef3084 | ||
Rouven Seifert | 71f4c64022 | ||
Rouven Seifert | 84faec16f3 | ||
Rouven Seifert | 1b36010ad9 | ||
Rouven Seifert | 92efae76ed | ||
Rouven Seifert | 7c15108f3d | ||
Rouven Seifert | 3b59947673 | ||
b35703040b | |||
bed0f24e94 | |||
e739a60e66 | |||
Rouven Seifert | 7043532749 | ||
Rouven Seifert | d1da869558 | ||
Rouven Seifert | 06ec7d6e32 | ||
Rouven Seifert | 0197610e3f | ||
Rouven Seifert | dc65c4c5c7 | ||
Rouven Seifert | e4e1cfd3d6 | ||
da97f9e750 | |||
77c2248eee | |||
Rouven Seifert | 3f9998c46d | ||
Rouven Seifert | 9393915efe |
27
.github/workflows/fmt.yaml
vendored
27
.github/workflows/fmt.yaml
vendored
|
@ -1,27 +0,0 @@
|
||||||
name: main
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
pull_request:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
check-flake:
|
|
||||||
name: Nixpkgs Formatting
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Install Nix
|
|
||||||
uses: cachix/install-nix-action@v18
|
|
||||||
with:
|
|
||||||
extra_nix_config: |
|
|
||||||
experimental-features = nix-command flakes
|
|
||||||
|
|
||||||
- run: nix-channel --add https://nixos.org/channels/nixos-22.11 nixos
|
|
||||||
- run: nix-channel --update
|
|
||||||
- run: nix shell nixpkgs#nixpkgs-fmt -c nixpkgs-fmt . --check
|
|
34
.github/workflows/main.yml
vendored
34
.github/workflows/main.yml
vendored
|
@ -1,34 +0,0 @@
|
||||||
name: main
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
pull_request:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
check-flake:
|
|
||||||
name: Check Flake
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v3
|
|
||||||
|
|
||||||
- name: Install Nix
|
|
||||||
uses: cachix/install-nix-action@v18
|
|
||||||
with:
|
|
||||||
install_url: https://releases.nixos.org/nix/nix-2.13.3/install
|
|
||||||
extra_nix_config: |
|
|
||||||
experimental-features = nix-command flakes
|
|
||||||
|
|
||||||
- uses: cachix/cachix-action@v12
|
|
||||||
with:
|
|
||||||
name: fruitbasket
|
|
||||||
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
|
|
||||||
extraPullNames: nix-community
|
|
||||||
|
|
||||||
- run: nix build
|
|
||||||
|
|
||||||
- run: nix flake check
|
|
23
.sops.yaml
23
.sops.yaml
|
@ -7,9 +7,11 @@ keys:
|
||||||
- &helene B43C3A8A92CA28486AC6C4E2F115100C787C1C19
|
- &helene B43C3A8A92CA28486AC6C4E2F115100C787C1C19
|
||||||
- &fugi BF37903AE6FD294C4C674EE24472A20091BFA792
|
- &fugi BF37903AE6FD294C4C674EE24472A20091BFA792
|
||||||
- &emmanuel E83F398E6423179FE4F63D4FF085CAD394DE329D
|
- &emmanuel E83F398E6423179FE4F63D4FF085CAD394DE329D
|
||||||
- &jonas A4F92BC7B792108A463995827C1F2DA2BC929412
|
|
||||||
- &joachim B1A16011B86BACB56ADB713DB712039D23133661
|
- &joachim B1A16011B86BACB56ADB713DB712039D23133661
|
||||||
|
- &jonasga FB44F0746DF25F0B24A2EAE586C8A257C3EC82AB
|
||||||
|
- &hendrik FBBFAC260D9283D1EF2397DD3CA65E9DD6EB319D
|
||||||
- &quitte age1wvdnprpnq2rcc4se3zpx2p267n0apxg2jucvlm93e3pfj439ephqh2506t
|
- &quitte age1wvdnprpnq2rcc4se3zpx2p267n0apxg2jucvlm93e3pfj439ephqh2506t
|
||||||
|
- &tomate age18lwgjazaxujqgcc5j0gjllnykhtjn6p0q44jzrsk4au2a5k6nd9s77kd6d
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: secrets/quitte\.yaml$
|
- path_regex: secrets/quitte\.yaml$
|
||||||
|
@ -21,9 +23,23 @@ creation_rules:
|
||||||
- *rouven
|
- *rouven
|
||||||
- *fugi
|
- *fugi
|
||||||
- *joachim
|
- *joachim
|
||||||
- *jonas
|
- *jonasga
|
||||||
|
- *hendrik
|
||||||
age:
|
age:
|
||||||
- *quitte
|
- *quitte
|
||||||
|
- path_regex: secrets/tomate\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- pgp:
|
||||||
|
- *bennofs
|
||||||
|
- *revol-xut
|
||||||
|
- *felix
|
||||||
|
- *rouven
|
||||||
|
- *fugi
|
||||||
|
- *joachim
|
||||||
|
- *jonasga
|
||||||
|
- *hendrik
|
||||||
|
age:
|
||||||
|
- *tomate
|
||||||
- path_regex: secrets/admin\.yaml$
|
- path_regex: secrets/admin\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- pgp:
|
- pgp:
|
||||||
|
@ -33,4 +49,5 @@ creation_rules:
|
||||||
- *rouven
|
- *rouven
|
||||||
- *fugi
|
- *fugi
|
||||||
- *joachim
|
- *joachim
|
||||||
- *jonas
|
- *jonasga
|
||||||
|
- *hendrik
|
||||||
|
|
319
flake.lock
319
flake.lock
|
@ -9,11 +9,11 @@
|
||||||
"poetry2nix": "poetry2nix"
|
"poetry2nix": "poetry2nix"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1694358978,
|
"lastModified": 1730751072,
|
||||||
"narHash": "sha256-gHWIIYJZepq1/3oFVkUkl0n52bRJWnNgmGaiZ2aGEwc=",
|
"narHash": "sha256-+FQjzCNV3k8U4BfNcFmoZTRf8aO9ufn3s7kkzHj/b7s=",
|
||||||
"owner": "fsr",
|
"owner": "fsr",
|
||||||
"repo": "course-management",
|
"repo": "course-management",
|
||||||
"rev": "5ccbee8151c5caa519ebdb2ce2b8ec52b7749949",
|
"rev": "60b7062ce47ee9f0609e701ad5eb5e3e0a857ff2",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -22,16 +22,52 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"ese-manual": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1730889586,
|
||||||
|
"narHash": "sha256-SLgo7UjWLaFaaUPFqzKbr9DLAGzm5kparfxuJHEpK3w=",
|
||||||
|
"ref": "refs/heads/main",
|
||||||
|
"rev": "a111147ce5eaea4f1d691afe1203e7529d68522d",
|
||||||
|
"revCount": 9,
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.ifsr.de/ese/manual-website"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"type": "git",
|
||||||
|
"url": "https://git.ifsr.de/ese/manual-website"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"flake-compat": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1673956053,
|
||||||
|
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"flake-utils": {
|
"flake-utils": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"systems": "systems"
|
"systems": "systems"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1687709756,
|
"lastModified": 1726560853,
|
||||||
"narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
|
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
|
||||||
"owner": "numtide",
|
"owner": "numtide",
|
||||||
"repo": "flake-utils",
|
"repo": "flake-utils",
|
||||||
"rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
|
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -45,11 +81,47 @@
|
||||||
"systems": "systems_2"
|
"systems": "systems_2"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1687709756,
|
"lastModified": 1726560853,
|
||||||
"narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=",
|
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
|
||||||
"owner": "numtide",
|
"owner": "numtide",
|
||||||
"repo": "flake-utils",
|
"repo": "flake-utils",
|
||||||
"rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7",
|
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"flake-utils_3": {
|
||||||
|
"inputs": {
|
||||||
|
"systems": "systems_4"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1681202837,
|
||||||
|
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"flake-utils_4": {
|
||||||
|
"inputs": {
|
||||||
|
"systems": "systems_5"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1681202837,
|
||||||
|
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -65,11 +137,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1693305731,
|
"lastModified": 1724255946,
|
||||||
"narHash": "sha256-ku0FU1pn6eXGdoEx0Tg0Kp8c8wmd6TF7IrdOnX0Uco0=",
|
"narHash": "sha256-YVT/QE2PCDzx4eq1i3PqOOpQVXJstN18e0sFB/UbAY0=",
|
||||||
"owner": "fsr",
|
"owner": "fsr",
|
||||||
"repo": "kpp",
|
"repo": "kpp",
|
||||||
"rev": "7c04f958bb652de680ae3311b6eab080ac64b3ad",
|
"rev": "ce98b985201a5453aee708a3fc13bbccf2357f8e",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -78,52 +150,133 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nix-github-actions": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"course-management",
|
||||||
|
"poetry2nix",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1729742964,
|
||||||
|
"narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nix-github-actions",
|
||||||
|
"rev": "e04df33f62cdcf93d73e9a04142464753a16db67",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nix-github-actions",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nix-index-database": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1731209121,
|
||||||
|
"narHash": "sha256-BF7FBh1hIYPDihdUlImHGsQzaJZVLLfYqfDx41wjuF0=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nix-index-database",
|
||||||
|
"rev": "896019f04b22ce5db4c0ee4f89978694f44345c3",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nix-index-database",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nix-minecraft": {
|
||||||
|
"inputs": {
|
||||||
|
"flake-compat": "flake-compat",
|
||||||
|
"flake-utils": "flake-utils_3",
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1731375802,
|
||||||
|
"narHash": "sha256-CvWPEzrl2EA3xrtg9X6K8aqV7T5r0SaDz6PLpGA0yIY=",
|
||||||
|
"owner": "Infinidoge",
|
||||||
|
"repo": "nix-minecraft",
|
||||||
|
"rev": "b873a123366b9a62f9262414ada8d83b03f1f0bf",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "Infinidoge",
|
||||||
|
"repo": "nix-minecraft",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1694499547,
|
"lastModified": 1731239293,
|
||||||
"narHash": "sha256-R7xMz1Iia6JthWRHDn36s/E248WB1/je62ovC/dUVKI=",
|
"narHash": "sha256-q2yjIWFFcTzp5REWQUOU9L6kHdCDmFDpqeix86SOvDc=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "e5f018cf150e29aac26c61dac0790ea023c46b24",
|
"rev": "9256f7c71a195ebe7a218043d9f93390d49e6884",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"ref": "nixos-23.05",
|
"ref": "nixos-24.05",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-stable": {
|
"nixpkgs-stable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1693675694,
|
"lastModified": 1730602179,
|
||||||
"narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=",
|
"narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d",
|
"rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"ref": "release-23.05",
|
"ref": "release-24.05",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixpkgs_2": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1682134069,
|
||||||
|
"narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
|
||||||
|
"owner": "NixOS",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "fd901ef4bf93499374c5af385b2943f5801c0833",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"id": "nixpkgs",
|
||||||
|
"type": "indirect"
|
||||||
|
}
|
||||||
|
},
|
||||||
"poetry2nix": {
|
"poetry2nix": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-utils": "flake-utils_2",
|
"flake-utils": "flake-utils_2",
|
||||||
|
"nix-github-actions": "nix-github-actions",
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"course-management",
|
"course-management",
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
]
|
],
|
||||||
|
"systems": "systems_3",
|
||||||
|
"treefmt-nix": "treefmt-nix"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1688440303,
|
"lastModified": 1730284601,
|
||||||
"narHash": "sha256-hFfOyityHdVFI0HNM+sqZfpi9Fbvjvy0N9O7FjuqPWY=",
|
"narHash": "sha256-eHYcKVLIRRv3J1vjmxurS6HVdGphB53qxUeAkylYrZY=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "poetry2nix",
|
"repo": "poetry2nix",
|
||||||
"rev": "04714155bae013fb9b207e54d1faf9f0c3d08706",
|
"rev": "43a898b4d76f7f3f70df77a2cc2d40096bc9d75e",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -132,12 +285,37 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"print-interface": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1706540741,
|
||||||
|
"narHash": "sha256-4/JI3xhw76Z1oa8Ivn3AzR6zNqXkmSEgHl+v0PRGnTc=",
|
||||||
|
"owner": "fsr",
|
||||||
|
"repo": "print-interface",
|
||||||
|
"rev": "ca830bc64ee92ec24562e707ddf36c19a5607a94",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "fsr",
|
||||||
|
"repo": "print-interface",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"root": {
|
"root": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"course-management": "course-management",
|
"course-management": "course-management",
|
||||||
|
"ese-manual": "ese-manual",
|
||||||
"kpp": "kpp",
|
"kpp": "kpp",
|
||||||
|
"nix-index-database": "nix-index-database",
|
||||||
|
"nix-minecraft": "nix-minecraft",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"sops-nix": "sops-nix"
|
"print-interface": "print-interface",
|
||||||
|
"sops-nix": "sops-nix",
|
||||||
|
"vscode-server": "vscode-server"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"sops-nix": {
|
"sops-nix": {
|
||||||
|
@ -148,11 +326,11 @@
|
||||||
"nixpkgs-stable": "nixpkgs-stable"
|
"nixpkgs-stable": "nixpkgs-stable"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1694495315,
|
"lastModified": 1731364708,
|
||||||
"narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=",
|
"narHash": "sha256-HC0anOL+KmUQ2hdRl0AtunbAckasxrkn4VLmxbW/WaA=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415",
|
"rev": "4c91d52db103e757fc25b58998b0576ae702d659",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -190,6 +368,91 @@
|
||||||
"repo": "default",
|
"repo": "default",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
"systems_3": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1681028828,
|
||||||
|
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"id": "systems",
|
||||||
|
"type": "indirect"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"systems_4": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1681028828,
|
||||||
|
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"systems_5": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1681028828,
|
||||||
|
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"treefmt-nix": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"course-management",
|
||||||
|
"poetry2nix",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1730120726,
|
||||||
|
"narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=",
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "treefmt-nix",
|
||||||
|
"rev": "9ef337e492a5555d8e17a51c911ff1f02635be15",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "treefmt-nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"vscode-server": {
|
||||||
|
"inputs": {
|
||||||
|
"flake-utils": "flake-utils_4",
|
||||||
|
"nixpkgs": "nixpkgs_2"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1729422940,
|
||||||
|
"narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nixos-vscode-server",
|
||||||
|
"rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "nixos-vscode-server",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"root": "root",
|
"root": "root",
|
||||||
|
|
125
flake.nix
125
flake.nix
|
@ -1,61 +1,128 @@
|
||||||
{
|
{
|
||||||
inputs = {
|
inputs = {
|
||||||
nixpkgs.url = github:nixos/nixpkgs/nixos-23.05;
|
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
|
||||||
sops-nix.url = github:Mic92/sops-nix;
|
sops-nix.url = "github:Mic92/sops-nix";
|
||||||
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
nix-index-database.url = "github:nix-community/nix-index-database";
|
||||||
|
nix-index-database.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
kpp.url = "github:fsr/kpp";
|
kpp.url = "github:fsr/kpp";
|
||||||
kpp.inputs.nixpkgs.follows = "nixpkgs";
|
kpp.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
print-interface = {
|
||||||
|
url = "github:fsr/print-interface";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
|
ese-manual.url = "git+https://git.ifsr.de/ese/manual-website";
|
||||||
|
ese-manual.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
vscode-server.url = "github:nix-community/nixos-vscode-server";
|
||||||
|
|
||||||
course-management = {
|
course-management = {
|
||||||
url = "github:fsr/course-management";
|
url = "github:fsr/course-management";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
nix-minecraft.url = "github:Infinidoge/nix-minecraft";
|
||||||
|
nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
outputs = { self, nixpkgs, sops-nix, kpp, course-management, ... }@inputs:
|
outputs =
|
||||||
{
|
{ self
|
||||||
packages."x86_64-linux".quitte = self.nixosConfigurations.quitte.config.system.build.toplevel;
|
, nixpkgs
|
||||||
packages."x86_64-linux".default = self.packages."x86_64-linux".quitte;
|
, sops-nix
|
||||||
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
|
, nix-index-database
|
||||||
hydraJobs."x86-64-linux".quitte = self.packages."x86_64-linux".quitte;
|
, kpp
|
||||||
|
, ese-manual
|
||||||
|
, vscode-server
|
||||||
|
, course-management
|
||||||
|
, print-interface
|
||||||
|
, nix-minecraft
|
||||||
|
, ...
|
||||||
|
}@inputs:
|
||||||
|
let
|
||||||
|
supportedSystems = [ "x86_64-linux" ];
|
||||||
|
forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
|
||||||
|
pkgs = forAllSystems (system: nixpkgs.legacyPackages.${system});
|
||||||
|
|
||||||
|
in
|
||||||
|
{
|
||||||
|
packages = forAllSystems (system: rec {
|
||||||
|
default = quitte;
|
||||||
|
quitte = self.nixosConfigurations.quitte.config.system.build.toplevel;
|
||||||
|
tomate = self.nixosConfigurations.tomate.config.system.build.toplevel;
|
||||||
|
});
|
||||||
|
formatter = forAllSystems (system: pkgs.${system}.nixpkgs-fmt);
|
||||||
|
hydraJobs = forAllSystems (system: {
|
||||||
|
quitte = self.packages.${system}.quitte;
|
||||||
|
});
|
||||||
|
|
||||||
|
devShells = forAllSystems (system: {
|
||||||
|
default = pkgs.${system}.mkShell {
|
||||||
|
packages = with pkgs.${system}; [
|
||||||
|
sops
|
||||||
|
];
|
||||||
|
};
|
||||||
|
});
|
||||||
|
overlays.default = import ./overlays;
|
||||||
nixosConfigurations = {
|
nixosConfigurations = {
|
||||||
quitte = nixpkgs.lib.nixosSystem {
|
quitte = nixpkgs.lib.nixosSystem rec {
|
||||||
system = "x86_64-linux";
|
system = "x86_64-linux";
|
||||||
|
specialArgs = inputs // { inherit system; };
|
||||||
modules = [
|
modules = [
|
||||||
inputs.sops-nix.nixosModules.sops
|
inputs.sops-nix.nixosModules.sops
|
||||||
inputs.kpp.nixosModules.default
|
inputs.kpp.nixosModules.default
|
||||||
|
inputs.nix-index-database.nixosModules.nix-index
|
||||||
|
ese-manual.nixosModules.default
|
||||||
course-management.nixosModules.default
|
course-management.nixosModules.default
|
||||||
|
vscode-server.nixosModules.default
|
||||||
|
nix-minecraft.nixosModules.minecraft-servers
|
||||||
./hosts/quitte/configuration.nix
|
./hosts/quitte/configuration.nix
|
||||||
./modules/bacula.nix
|
./options
|
||||||
./modules/options.nix
|
|
||||||
./modules/base.nix
|
./modules/core
|
||||||
./modules/sops.nix
|
|
||||||
./modules/kpp.nix
|
|
||||||
./modules/ldap
|
./modules/ldap
|
||||||
./modules/mail
|
./modules/mail
|
||||||
./modules/mailman.nix
|
./modules/web
|
||||||
./modules/nginx.nix
|
./modules/courses
|
||||||
./modules/hydra.nix
|
./modules/wiki
|
||||||
./modules/userdir.nix
|
./modules/matrix
|
||||||
|
./modules/minecraft
|
||||||
|
./modules/keycloak
|
||||||
|
./modules/monitoring
|
||||||
|
|
||||||
|
./modules/nix-serve.nix
|
||||||
./modules/hedgedoc.nix
|
./modules/hedgedoc.nix
|
||||||
./modules/padlist.nix
|
./modules/padlist.nix
|
||||||
./modules/postgres.nix
|
|
||||||
./modules/wiki.nix
|
|
||||||
./modules/ftp.nix
|
|
||||||
./modules/stream.nix
|
|
||||||
./modules/nextcloud.nix
|
./modules/nextcloud.nix
|
||||||
./modules/matrix.nix
|
|
||||||
./modules/mautrix-telegram.nix
|
|
||||||
./modules/sogo.nix
|
|
||||||
./modules/vaultwarden.nix
|
./modules/vaultwarden.nix
|
||||||
./modules/website.nix
|
./modules/forgejo
|
||||||
./modules/zsh.nix
|
./modules/kanboard.nix
|
||||||
./modules/course-management.nix
|
./modules/zammad.nix
|
||||||
./modules/gitea.nix
|
# ./modules/decisions.nix
|
||||||
|
./modules/stream.nix
|
||||||
|
# ./modules/struktur-bot.nix
|
||||||
{
|
{
|
||||||
|
nixpkgs.overlays = [
|
||||||
|
self.overlays.default
|
||||||
|
nix-minecraft.overlay
|
||||||
|
];
|
||||||
sops.defaultSopsFile = ./secrets/quitte.yaml;
|
sops.defaultSopsFile = ./secrets/quitte.yaml;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
tomate = nixpkgs.lib.nixosSystem {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
specialArgs = inputs;
|
||||||
|
modules = [
|
||||||
|
inputs.sops-nix.nixosModules.sops
|
||||||
|
inputs.nix-index-database.nixosModules.nix-index
|
||||||
|
vscode-server.nixosModules.default
|
||||||
|
print-interface.nixosModules.default
|
||||||
|
./hosts/tomate/configuration.nix
|
||||||
|
./modules/core/base.nix
|
||||||
|
./modules/core/zsh.nix
|
||||||
|
./modules/core/sssd.nix
|
||||||
|
{
|
||||||
|
sops.defaultSopsFile = ./secrets/tomate.yaml;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,41 +7,61 @@
|
||||||
./network.nix
|
./network.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
# Use the systemd-boot EFI boot loader.
|
boot.loader.systemd-boot = {
|
||||||
boot.loader.systemd-boot.enable = true;
|
enable = true;
|
||||||
#boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
|
extraInstallCommands = ''
|
||||||
|
${pkgs.coreutils}/bin/cp -r /boot/* /boot2
|
||||||
|
'';
|
||||||
|
};
|
||||||
# boot.kernelParams = [ "video=VGA-1:1024x768@30" ];
|
# boot.kernelParams = [ "video=VGA-1:1024x768@30" ];
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
#boot.supportedFilesystems = [ "zfs" ];
|
boot.supportedFilesystems = [ "zfs" ];
|
||||||
#boot.zfs.devNodes = "/dev/";
|
|
||||||
|
|
||||||
services.qemuGuest.enable = true;
|
services.zfs = {
|
||||||
|
trim.enable = true;
|
||||||
|
autoScrub.enable = true;
|
||||||
|
};
|
||||||
|
|
||||||
# Set your time zone.
|
# Set your time zone.
|
||||||
time.timeZone = "Europe/Berlin";
|
time.timeZone = "Europe/Berlin";
|
||||||
|
i18n.defaultLocale = "en_US.UTF-8";
|
||||||
|
|
||||||
# List packages installed in system profile. To search, run:
|
security.sudo.extraRules = [
|
||||||
# $ nix search wget
|
{
|
||||||
environment.systemPackages = with pkgs; [
|
commands = [
|
||||||
vim
|
{
|
||||||
wget
|
command = "ALL";
|
||||||
git
|
options = [ "NOPASSWD" ];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
groups = [ "admins" ];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
# prevent fork bombs
|
||||||
|
security.pam.loginLimits = [
|
||||||
|
{
|
||||||
|
domain = "@users";
|
||||||
|
item = "nproc";
|
||||||
|
type = "hard";
|
||||||
|
value = "2000";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
domain = "@nixbld";
|
||||||
|
item = "nproc";
|
||||||
|
type = "hard";
|
||||||
|
value = "10000";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
# Enable the OpenSSH daemon.
|
systemd = {
|
||||||
services.openssh.enable = true;
|
services.nix-daemon.serviceConfig = {
|
||||||
services.openssh.settings.PermitRootLogin = "yes";
|
MemoryMax = "32G";
|
||||||
|
};
|
||||||
# Open ports in the firewall.
|
# all users together may not use more than $MemoryMax of RAM
|
||||||
networking.firewall.allowedTCPPorts = [ 443 80 ];
|
slices."user".sliceConfig = {
|
||||||
# networking.firewall.allowedUDPPorts = [ ... ];
|
MemoryMax = "32G";
|
||||||
# Or disable the firewall altogether.
|
};
|
||||||
# networking.firewall.enable = false;
|
};
|
||||||
|
|
||||||
# Copy the NixOS configuration file and link it from the resulting system
|
|
||||||
# (/run/current-system/configuration.nix). This is useful in case you
|
|
||||||
# accidentally delete configuration.nix.
|
|
||||||
# system.copySystemConfiguration = true;
|
|
||||||
|
|
||||||
# This value determines the NixOS release from which the default
|
# This value determines the NixOS release from which the default
|
||||||
# settings for stateful data, like file locations and database versions
|
# settings for stateful data, like file locations and database versions
|
||||||
|
|
|
@ -1,42 +1,52 @@
|
||||||
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
|
||||||
# and may be overwritten by future invocations. Please make changes
|
|
||||||
# to /etc/nixos/configuration.nix instead.
|
|
||||||
{ config, lib, modulesPath, ... }:
|
{ config, lib, modulesPath, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
imports =
|
imports = [
|
||||||
[
|
(modulesPath + "/installer/scan/not-detected.nix")
|
||||||
(modulesPath + "/profiles/qemu-guest.nix")
|
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
|
boot.initrd.availableKernelModules = [ "megaraid_sas" "xhci_pci" "nvme" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
|
||||||
boot.initrd.kernelModules = [ ];
|
boot.initrd.kernelModules = [ ];
|
||||||
boot.kernelModules = [ ];
|
boot.kernelModules = [ "kvm-amd" ];
|
||||||
boot.extraModulePackages = [ ];
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" = {
|
||||||
{
|
device = "rpool/nixos/root";
|
||||||
device = "/dev/disk/by-uuid/4d57c7c1-ed70-4fb1-af4c-4ba027b75248";
|
fsType = "zfs";
|
||||||
fsType = "ext4";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
boot.initrd.luks.devices."luksroot".device = "/dev/disk/by-uuid/cfb9b37e-152d-45e9-b75d-88d71471be45";
|
fileSystems."/home" = {
|
||||||
|
device = "rpool/nixos/home";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
fileSystems."/boot" =
|
fileSystems."/nix" = {
|
||||||
{
|
device = "rpool/nixos/nixnew";
|
||||||
device = "/dev/disk/by-uuid/06C4-1FDB";
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/var/lib" = {
|
||||||
|
device = "rpool/nixos/var/lib";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/var/log" = {
|
||||||
|
device = "rpool/nixos/var/log";
|
||||||
|
fsType = "zfs";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" = {
|
||||||
|
device = "/dev/disk/by-uuid/3278-8D00";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
|
options = [ "nofail" ];
|
||||||
|
};
|
||||||
|
fileSystems."/boot2" = {
|
||||||
|
device = "/dev/disk/by-uuid/3366-F71E";
|
||||||
|
fsType = "vfat";
|
||||||
|
options = [ "nofail" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
swapDevices = [ ];
|
swapDevices = [ ];
|
||||||
|
|
||||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
|
||||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
|
||||||
# still possible to use this option, but it's recommended to use it in conjunction
|
|
||||||
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
|
||||||
networking.useDHCP = lib.mkDefault true;
|
|
||||||
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
|
|
||||||
|
|
||||||
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,46 +1,35 @@
|
||||||
{ config, ... }:
|
{ config, lib, ... }:
|
||||||
let
|
|
||||||
wireguard_port = 51820;
|
|
||||||
in
|
|
||||||
{
|
{
|
||||||
sops.secrets = {
|
|
||||||
"wg-fsr" = {
|
|
||||||
owner = config.users.users.systemd-network.name;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
|
# portunus module does weird things to this, so we force it to some sane values
|
||||||
|
hosts = {
|
||||||
|
"127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
|
||||||
|
"::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ];
|
||||||
|
};
|
||||||
hostId = "a71c81fc";
|
hostId = "a71c81fc";
|
||||||
domain = "ifsr.de";
|
domain = "ifsr.de";
|
||||||
hostName = "quitte";
|
hostName = "quitte";
|
||||||
rDNS = config.networking.fqdn;
|
rDNS = config.networking.fqdn;
|
||||||
enableIPv6 = true;
|
|
||||||
useDHCP = true;
|
|
||||||
interfaces.ens18.useDHCP = true;
|
|
||||||
useNetworkd = true;
|
useNetworkd = true;
|
||||||
|
nftables.enable = true;
|
||||||
|
|
||||||
firewall.allowedUDPPorts = [ wireguard_port ];
|
firewall = {
|
||||||
wireguard.enable = true;
|
logRefusedConnections = false;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.resolved = {
|
services.resolved = {
|
||||||
enable = true;
|
enable = true;
|
||||||
#dnssec = "false";
|
fallbackDns = [ "9.9.9.9" ];
|
||||||
fallbackDns = [ "1.1.1.1" ];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# workaround for networkd waiting for shit
|
|
||||||
systemd.services.systemd-networkd-wait-online.serviceConfig.ExecStart = [
|
|
||||||
"" # clear old command
|
|
||||||
"${config.systemd.package}/lib/systemd/systemd-networkd-wait-online --any"
|
|
||||||
];
|
|
||||||
|
|
||||||
systemd.network = {
|
systemd.network = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
wait-online.anyInterface = true;
|
||||||
|
|
||||||
# Interfaces on the machine
|
# Interfaces on the machine
|
||||||
networks."10-ether-bond" = {
|
networks."10-wired-default" = {
|
||||||
matchConfig.Name = "ens18";
|
matchConfig.Name = "enp65s0f0np0";
|
||||||
|
|
||||||
address = [ "141.30.30.169/25" ];
|
address = [ "141.30.30.169/25" ];
|
||||||
routes = [
|
routes = [
|
||||||
|
@ -50,39 +39,8 @@ in
|
||||||
];
|
];
|
||||||
networkConfig = {
|
networkConfig = {
|
||||||
DNS = "141.30.1.1";
|
DNS = "141.30.1.1";
|
||||||
#IPv6AcceptRA = true;
|
LLDP = true;
|
||||||
};
|
EmitLLDP = "nearest-bridge";
|
||||||
};
|
|
||||||
|
|
||||||
# defining network device for wireguard connections
|
|
||||||
netdevs."fsr-wg" = {
|
|
||||||
netdevConfig = {
|
|
||||||
Kind = "wireguard";
|
|
||||||
Name = "fsr-wg";
|
|
||||||
Description = "fsr enterprise wireguard";
|
|
||||||
};
|
|
||||||
wireguardConfig = {
|
|
||||||
PrivateKeyFile = config.sops.secrets."wg-fsr".path;
|
|
||||||
ListenPort = wireguard_port;
|
|
||||||
};
|
|
||||||
wireguardPeers = [
|
|
||||||
{
|
|
||||||
# tassilo
|
|
||||||
wireguardPeerConfig = {
|
|
||||||
PublicKey = "vgo3le9xrFsIbbDZsAhQZpIlX+TuWjfEyUcwkoqUl2Y=";
|
|
||||||
AllowedIPs = [ "10.66.66.100/32" ];
|
|
||||||
PersistentKeepalive = 25;
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
# fsr wireguard server
|
|
||||||
networks."fsr-wg" = {
|
|
||||||
matchConfig.Name = "fsr-wg";
|
|
||||||
networkConfig = {
|
|
||||||
Address = "10.66.66.1/24";
|
|
||||||
IPForward = "ipv4";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
177
hosts/tomate/configuration.nix
Normal file
177
hosts/tomate/configuration.nix
Normal file
|
@ -0,0 +1,177 @@
|
||||||
|
# Edit this configuration file to define what should be installed on
|
||||||
|
# your system. Help is available in the configuration.nix(5) man page
|
||||||
|
# and in the NixOS manual (accessible by running ‘nixos-help’).
|
||||||
|
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[
|
||||||
|
# Include the results of the hardware scan.
|
||||||
|
./network.nix
|
||||||
|
./hardware-configuration.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
# Bootloader.
|
||||||
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
|
|
||||||
|
nix = {
|
||||||
|
settings = {
|
||||||
|
substituters = [
|
||||||
|
"https://cache.ifsr.de"
|
||||||
|
];
|
||||||
|
trusted-public-keys = [
|
||||||
|
"cache.ifsr.de:y55KBAMF4YkjIzXwYOKVk9fcQS+CZ9RM1zAAMYQJtsg="
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Set your time zone.
|
||||||
|
time.timeZone = "Europe/Berlin";
|
||||||
|
|
||||||
|
# Select internationalisation properties.
|
||||||
|
i18n.defaultLocale = "de_DE.UTF-8";
|
||||||
|
|
||||||
|
i18n.extraLocaleSettings = {
|
||||||
|
LC_ADDRESS = "de_DE.UTF-8";
|
||||||
|
LC_IDENTIFICATION = "de_DE.UTF-8";
|
||||||
|
LC_MEASUREMENT = "de_DE.UTF-8";
|
||||||
|
LC_MONETARY = "de_DE.UTF-8";
|
||||||
|
LC_NAME = "de_DE.UTF-8";
|
||||||
|
LC_NUMERIC = "de_DE.UTF-8";
|
||||||
|
LC_PAPER = "de_DE.UTF-8";
|
||||||
|
LC_TELEPHONE = "de_DE.UTF-8";
|
||||||
|
LC_TIME = "de_DE.UTF-8";
|
||||||
|
};
|
||||||
|
|
||||||
|
# Enable the X11 windowing system.
|
||||||
|
services.xserver.enable = true;
|
||||||
|
|
||||||
|
# Enable the KDE Plasma Desktop Environment.
|
||||||
|
services.displayManager.sddm.enable = true;
|
||||||
|
services.xserver.desktopManager.plasma5.enable = true;
|
||||||
|
|
||||||
|
# Configure keymap in X11
|
||||||
|
services.xserver = {
|
||||||
|
xkb.layout = "de";
|
||||||
|
xkb.variant = "";
|
||||||
|
};
|
||||||
|
|
||||||
|
# Configure console keymap
|
||||||
|
console.keyMap = "de";
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
services.printing = {
|
||||||
|
enable = true;
|
||||||
|
stateless = true;
|
||||||
|
drivers = with pkgs; [ cups-kyocera ];
|
||||||
|
browsing = true;
|
||||||
|
defaultShared = true;
|
||||||
|
# todo fix
|
||||||
|
allowFrom = [ "all" ];
|
||||||
|
listenAddresses = [ "0.0.0.0:631" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.secrets."print/smtp-password" = {
|
||||||
|
owner = config.services.print-interface.user;
|
||||||
|
group = config.services.print-interface.group;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.print-interface = {
|
||||||
|
enable = true;
|
||||||
|
smtp = {
|
||||||
|
username = "print";
|
||||||
|
passwordFile = config.sops.secrets."print/smtp-password".path;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.avahi = {
|
||||||
|
enable = true;
|
||||||
|
nssmdns4 = true;
|
||||||
|
openFirewall = true;
|
||||||
|
publish = {
|
||||||
|
enable = true;
|
||||||
|
userServices = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
networking.firewall = {
|
||||||
|
allowedTCPPorts = [
|
||||||
|
631
|
||||||
|
config.services.print-interface.listenPort
|
||||||
|
];
|
||||||
|
allowedUDPPorts = [ 631 ];
|
||||||
|
};
|
||||||
|
|
||||||
|
# Enable sound with pipewire.
|
||||||
|
sound.enable = true;
|
||||||
|
hardware.pulseaudio.enable = false;
|
||||||
|
security.rtkit.enable = true;
|
||||||
|
services.pipewire = {
|
||||||
|
enable = true;
|
||||||
|
alsa.enable = true;
|
||||||
|
alsa.support32Bit = true;
|
||||||
|
pulse.enable = true;
|
||||||
|
# If you want to use JACK applications, uncomment this
|
||||||
|
#jack.enable = true;
|
||||||
|
|
||||||
|
# use the example session manager (no others are packaged yet so this is enabled by default,
|
||||||
|
# no need to redefine it in your config for now)
|
||||||
|
#media-session.enable = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
# Enable touchpad support (enabled default in most desktopManager).
|
||||||
|
# services.xserver.libinput.enable = true;
|
||||||
|
|
||||||
|
# Allow unfree packages
|
||||||
|
nixpkgs.config.allowUnfree = true;
|
||||||
|
|
||||||
|
# List packages installed in system profile. To search, run:
|
||||||
|
# $ nix search wget
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
# vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
|
||||||
|
# wget
|
||||||
|
];
|
||||||
|
security = {
|
||||||
|
pam = {
|
||||||
|
u2f = {
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
|
services = {
|
||||||
|
login.u2fAuth = true;
|
||||||
|
sudo.u2fAuth = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
# Some programs need SUID wrappers, can be configured further or are
|
||||||
|
# started in user sessions.
|
||||||
|
# programs.mtr.enable = true;
|
||||||
|
# programs.gnupg.agent = {
|
||||||
|
# enable = true;
|
||||||
|
# enableSSHSupport = true;
|
||||||
|
# };
|
||||||
|
|
||||||
|
# List services that you want to enable:
|
||||||
|
|
||||||
|
# Enable the OpenSSH daemon.
|
||||||
|
services.openssh.enable = true;
|
||||||
|
|
||||||
|
# Open ports in the firewall.
|
||||||
|
# networking.firewall.allowedTCPPorts = [ ... ];
|
||||||
|
# networking.firewall.allowedUDPPorts = [ ... ];
|
||||||
|
# Or disable the firewall altogether.
|
||||||
|
# networking.firewall.enable = false;
|
||||||
|
|
||||||
|
# This value determines the NixOS release from which the default
|
||||||
|
# settings for stateful data, like file locations and database versions
|
||||||
|
# on your system were taken. It‘s perfectly fine and recommended to leave
|
||||||
|
# this value at the release version of the first install of this system.
|
||||||
|
# Before changing this value read the documentation for this option
|
||||||
|
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
|
||||||
|
system.stateVersion = "23.05"; # Did you read the comment?
|
||||||
|
|
||||||
|
}
|
42
hosts/tomate/hardware-configuration.nix
Normal file
42
hosts/tomate/hardware-configuration.nix
Normal file
|
@ -0,0 +1,42 @@
|
||||||
|
# Do not modify this file! It was generated by ‘nixos-generate-config’
|
||||||
|
# and may be overwritten by future invocations. Please make changes
|
||||||
|
# to /etc/nixos/configuration.nix instead.
|
||||||
|
{ config, lib, modulesPath, ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
imports =
|
||||||
|
[
|
||||||
|
(modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ohci_pci" "ehci_pci" "usbhid" "usb_storage" "sd_mod" ];
|
||||||
|
boot.initrd.kernelModules = [ ];
|
||||||
|
boot.kernelModules = [ "kvm-amd" ];
|
||||||
|
boot.extraModulePackages = [ ];
|
||||||
|
|
||||||
|
fileSystems."/" =
|
||||||
|
{
|
||||||
|
device = "/dev/disk/by-uuid/618e281f-a8bf-4129-bfc1-aa47f86a8c54";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
fileSystems."/boot" =
|
||||||
|
{
|
||||||
|
device = "/dev/disk/by-uuid/0844-2A73";
|
||||||
|
fsType = "vfat";
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices =
|
||||||
|
[{ device = "/dev/disk/by-uuid/8bdeb0c1-8f1e-43a7-b4b9-c06e27a94460"; }];
|
||||||
|
|
||||||
|
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||||
|
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||||
|
# still possible to use this option, but it's recommended to use it in conjunction
|
||||||
|
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
|
||||||
|
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
}
|
40
hosts/tomate/network.nix
Normal file
40
hosts/tomate/network.nix
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
{ config, ... }:
|
||||||
|
{
|
||||||
|
sops.secrets.ifsr-apb-auth = { };
|
||||||
|
networking = {
|
||||||
|
domain = "ifsr.de";
|
||||||
|
hostName = "tomate";
|
||||||
|
useNetworkd = true;
|
||||||
|
nftables.enable = true;
|
||||||
|
# Radius authentification
|
||||||
|
supplicant."enp3s0" = {
|
||||||
|
driver = "wired";
|
||||||
|
configFile.path = config.sops.secrets.ifsr-apb-auth.path;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.resolved = {
|
||||||
|
enable = true;
|
||||||
|
fallbackDns = [ "9.9.9.9" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.network = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
networks."10-wired-default" = {
|
||||||
|
matchConfig.Name = "enp3s0";
|
||||||
|
|
||||||
|
address = [ "141.30.86.196/26" ];
|
||||||
|
routes = [
|
||||||
|
{
|
||||||
|
routeConfig.Gateway = "141.30.86.193";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
networkConfig = {
|
||||||
|
DNS = "141.30.1.1";
|
||||||
|
LLDP = true;
|
||||||
|
EmitLLDP = "nearest-bridge";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
23
keys/pgp/hendrik.asc
Normal file
23
keys/pgp/hendrik.asc
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
mDMEZNJqYBYJKwYBBAHaRw8BAQdAKncDaEdOUQGOqVBQuEsJ42wCcyLB7x1XcNDZ
|
||||||
|
VEQpVyO0JkhlbmRyaWsgV29sZmYgPGhlbmRyaWsud29sZmZAYWdkc24ubWU+iJAE
|
||||||
|
ExYIADgWIQT7v6wmDZKD0e8jl908pl6d1usxnQUCZNJqYAIbAwULCQgHAgYVCgkI
|
||||||
|
CwIEFgIDAQIeAQIXgAAKCRA8pl6d1usxnX6zAP9Rut+Yg31zBAiRdQxV4tlK+hko
|
||||||
|
wCq9WIKtIbBvrqv5/AEAujkRCgBpFeHzhId55QmvK0FXZgFgfy9wm/QtXb4+lQ64
|
||||||
|
MwRk0mrEFgkrBgEEAdpHDwEBB0AidcMADt+W+eSbrInHeCPZThyd1V7NKEMhk3sL
|
||||||
|
xJApx4j1BBgWCAAmFiEE+7+sJg2Sg9HvI5fdPKZendbrMZ0FAmTSasQCGwIFCQeE
|
||||||
|
zgAAgQkQPKZendbrMZ12IAQZFggAHRYhBEK0YmsN4JpCoNWvKp5LZR/BVBjgBQJk
|
||||||
|
0mrEAAoJEJ5LZR/BVBjg6ogBAOcFh/S99L/aN6bQu9bYRPomakbNqypHA1YbodjG
|
||||||
|
1IQgAPwLj19BXNnQmTgYzY3bWmtcAc8lsGWTNkDDTZMRRTP+BSS1AP9qBuCeU/fj
|
||||||
|
2hpa17LiV6sjdRquxWQXjKxTlBRV8oKj1gD/WarlxiHt8nMn527FXuBrGZC+mZq2
|
||||||
|
NvvoTb+uvZNliAq4OARk0mtEEgorBgEEAZdVAQUBAQdAkK0jBo/37NbRHMOYCal0
|
||||||
|
9vGuK3KaxU3Cl9No+VbZDEYDAQgHiH4EGBYIACYWIQT7v6wmDZKD0e8jl908pl6d
|
||||||
|
1usxnQUCZNJrRAIbDAUJB4TOAAAKCRA8pl6d1usxnbaqAP9abTf+DibaAR6hdU9y
|
||||||
|
CEE5TD32EB+ySw/v45yCi28B8AEA5PcpwMD6emVrNQGeVChkOlwauwA3HkE6DDTO
|
||||||
|
yeebAwi4MwRk0mvNFgkrBgEEAdpHDwEBB0DSYGCNq15sOLj1wDJjoKoCRMGH8I/y
|
||||||
|
ARMUws7PQ4KPkYh+BBgWCAAmFiEE+7+sJg2Sg9HvI5fdPKZendbrMZ0FAmTSa80C
|
||||||
|
GyAFCQeEzgAACgkQPKZendbrMZ1HggEAxSBYuJ4BTr9GCl8e79HTSwg8iIIJx8Nc
|
||||||
|
REFvro0BrnEA/3AbyQYBQVAhqIwSSza5dr4+FiLbbVhPFcxU98TLBTQJ
|
||||||
|
=sA2V
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
@ -1,77 +0,0 @@
|
||||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
||||||
|
|
||||||
mQINBGNunVEBEADRAqVGhtK60adwuY6MsrULGr56R1rqnA0tH+pgvDLly7Tbravx
|
|
||||||
vtgdcQmA4ZublaGGKbOo/ECa3AASlaPT7Tan0TssYJ6gw8MxYvad5WW6gW9tYvJB
|
|
||||||
ajDklWg/TS1rBZ64W4Jiuin08cE6Jx+l7l1JDK7U2TUwMVJ1UW1hBwnXVE353dBm
|
|
||||||
HZBYwrMnCYupXdm9PY1tSY9DeoZPEBSDP4v8qHEMnm0YzW2HPaYv/gjAEYfSM/R0
|
|
||||||
PVOyItG4K8p2D3dl23L9i+BzSKyG5P0SXMygCuE1Ua6pXPHYDdkxJFx6Kf5SyEZB
|
|
||||||
8dVflxPTgMLKZ8nlG5AaYicw4sLdC8TmiGIQDZlo6iGGjAwzykugm+B3DEG4yf43
|
|
||||||
1VPrVJTzDyf2LImRYNKDwhZRMchY65/4RCAj5ItvQAKj6BsDgRXoZ6ml+VkCKYFC
|
|
||||||
sbUNzBq9fpAPmdhBrlZgKn0dwAO91R2QWBskqkkS1+A01EJ6Ys5fHFx1yTYtgucv
|
|
||||||
qJWnVklMHrYmeKErnfN2pttZjQLeWmigKfjx9dWgJhCWsgcSVovRFrJcAX1jF7wL
|
|
||||||
CtEwgrK/P2sJ6lYVYoId4lhbu2pncN9fDdfepzlhvtePHJGoQ1gWwCIBXTMHn9gK
|
|
||||||
qhEvAWIx1r4gXHNmBla+BXtt/1vGdWb5/WZKqwqYcuVWZI4eKUOfml7lfwARAQAB
|
|
||||||
tDNoYWxjeW9uIDw1NTMxNzU3MytoeGxjeXhuQHVzZXJzLm5vcmVwbHkuZ2l0aHVi
|
|
||||||
LmNvbT6JAk4EEwEIADgWIQSk+SvHt5IQikY5lYJ8Hy2ivJKUEgUCY26hYgIbAwUL
|
|
||||||
CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRB8Hy2ivJKUEhxeD/44LyEiR9LUpiqZ
|
|
||||||
YoUjvEJm1/WnR1g46tGPcjzpeAa11ZUK4ByES4yFT+1DMjmywloLOmvPxFj4pR5S
|
|
||||||
N17wohLYaqIQ+RjmR/73UpZo7aB1oFwzzBNnYzCrU8MvcYkmHu6WhsioO39zmLDp
|
|
||||||
s8RpyUchfWQIQQKqnwsOuZVnW1QXKCGPowaZoqcYzubcKI8LAx/OI7bcyss6Z8hV
|
|
||||||
HnNX+MkFYVjrz8tAiJDjwvlPaWEJ+5hMdavunVtgDi+K6zK+YpbSweTD0E3Z1hOI
|
|
||||||
YaLGlrpHL1Jj+4OpcYUwfaoXOIe8jYmYe87Dq2ygT3b6zxEG7KRdDCCLN6YRTDqr
|
|
||||||
CGyWYyktLClphINzTsyEpKMjqBauntahvtoiBySKwujNNr1KOGSJXTjs9RK9IZEu
|
|
||||||
F/6Fg7pnjgsarOR+nLyqGTJvbgCJGQhM76iT6KJ8Z/FoLHDgLxLUygM1ZwuoHmHK
|
|
||||||
Df7zhdNZQ1cGcJjdh4MWFsB65DA8NWHu01BIiGryB2EbM0hWSIw+OQGmo7UMK74p
|
|
||||||
57obRz+gXiHoSEmlgJ7f9EJVY21XOqKxVTmCrYLBgiAHnqlAxCiJ3Yq5CzVnllWW
|
|
||||||
8EFZbSeiMJLDreFxiM5iwlIz7hAL7UgC/QMaJSPLLnau0dfkEFh0yyo/rDFW/IBV
|
|
||||||
Sswxu0WrY1XR971JgvD2KSZpgGA5WLQHaGFsY3lvbokCTgQTAQgAOBYhBKT5K8e3
|
|
||||||
khCKRjmVgnwfLaK8kpQSBQJjbp1RAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
|
|
||||||
AAoJEHwfLaK8kpQSbUIP+gKqWF4TkqDdP3QWOY3xJ5p7DsNOc1pO3uobFkLzlFd/
|
|
||||||
bZdg3W1puC7WL1yeLsiuic0OnZukBqSQkXMRRc14TwmjYuebQAqGzXd1nfHcGdxb
|
|
||||||
bKIOUvWdn86rXpXLDL22LLZpmlel5uB2OcagSlGnzzrSx5KsK/9S4ryml+47b1eU
|
|
||||||
KRir5HtcR1gyKepLl0qGXNCYjn2ItOhYTqf6YehXiu9x6XfMOHHloGE+ttDvUkBX
|
|
||||||
NL8Twrd0n2N4UTP/WlzaNo1Mg5k5nM2lEOVqlTi5269cXsuJDHeap/fSMT74sdWU
|
|
||||||
k/3ZnCOM9oztQXZopeOHqlmkL7IxPXThBK3a8h16G8dkdkkwJdbbha3ygRcd2Hc4
|
|
||||||
OqBi7o7q0PoRqxN+FQisPi8PrSxjDqKCS0H7Fzy2bb5Zg7dDPSS1ki7nwOp20VAy
|
|
||||||
0jnPW6HHqsP1Ik+JS4Rv/YaRDprn9UsK1HgfjagpEZxHf2sm5zm4yZ4Y8OgF4NnK
|
|
||||||
u2CRLA1eNv53hbexgNgqgLh5KgzgrIPHZZkob3E5rmw5w15fxLkXg3tHeDU++fSK
|
|
||||||
RjrCjM1FovbXbUd9BgPJqBSj3s1N2iQ+sVGAuHYPtTDuKkhtTHxlqcfvUq5LCYfv
|
|
||||||
qWjwhNAUhwACSchG5y5+MrShRnCvt4Cjx//fK7/fnH1DSDHiMET4XV55mqxoSJ/5
|
|
||||||
tCNoYWxjeW9uIDxqb25hcy5zZWlmZXJ0MDRAZ21haWwuY29tPokCTgQTAQgAOBYh
|
|
||||||
BKT5K8e3khCKRjmVgnwfLaK8kpQSBQJjbqH+AhsDBQsJCAcCBhUKCQgLAgQWAgMB
|
|
||||||
Ah4BAheAAAoJEHwfLaK8kpQSwoEQAJJx8JNeiJeUJc9uQJWjlPwlcx6YgR4UAegf
|
|
||||||
8J9HUPu1SQVttJQEWsbOYUxGX3OVPDMlgGY8nsTmtAGHKEqwsgxgo5wI38XQVss3
|
|
||||||
XC8TLhBiPpToK35Mh4DWrphbxEUcn86TltlWmEtUtZnTPt8aHt+0597SJq2bd59O
|
|
||||||
rNM6ywOMtDLFImLAKzgnxeEzVwHQufx56Tal7LzcP44SMVIAtqlzO+LudIQCBNhj
|
|
||||||
CYjsptxFini2JrLVVL5rQUo7ALV1eRfMTNUWZkr3MHgiEp5MIUW2qKuJsR6bP4dz
|
|
||||||
KgBCvx/lZ2nMLWeypIsDTNELHda9qU9KN/MZSP1SxJ/h/qc8ic62l3MEOXt+CxzW
|
|
||||||
ge0S5y3EXIbqcmGONJ5bDAhWx1ywTwczco7VVo0Itttg16uUS9Sy6oGTTh7W3J53
|
|
||||||
U9y96aFThIzuEPeY45tmjxMNhQqwQFAqYVxZgB8R5D88SUKV6ysNt1wdgypFCThu
|
|
||||||
S5iQ57PcUHvZZrY+BUgN2GgBQ7zdX4MNl0ttGKgA4HVq0WY/VFS+m2E2ArBiV2kG
|
|
||||||
KjuN0r8tmi8B4etuuyI+R24rRq/ynbmEuVufZHXQUBgL3cFuID7YNQUslfodkMXL
|
|
||||||
Nhx12UYEc5bEySKfocirK1eWKNUrg0EVEXhqyYuNEqt0712yycvzQM283z7Ru4W3
|
|
||||||
FhevoSc5uQINBGNunVEBEACeScywMTebpxo+bBPg/M48EgbSM0eOjYd07VT80QnD
|
|
||||||
EJJI6SLM+BLGCpnx5l8IjLDnjCy+sAFYw5W9R6fe2DZCOkY4PFxxN2mQm/pUip1r
|
|
||||||
2JF5USE3QrUCMBBIHYpaDqurCGKMQYjtmQshcvttPRhXeSjEMKMu+KhiTFTezHAb
|
|
||||||
77y5K7k/0GpUvJCgbXE1GipJSWcT1xopvVC2FnEtE1ix2Ugd6GPF39hRD9gfYQGh
|
|
||||||
u3bFWIub9zprUQwck7VEVgXP7N8fPutVtSi/dkFlBxm2S0Trov/Gs9C1OshcUwlC
|
|
||||||
us+HviepXma6nW/idjMfqLpcw6Q7R06gxfPmKsta1g8p4Xs+T5r5oapeyG4bRHnT
|
|
||||||
EdE8fdVGopa3r2JFemWeNL0RYFY00FGu9AE7zzutvVI9YgMXQdGzG5F1trEz+L9I
|
|
||||||
b8+a7PRSi3dUliO1LuWeOosxDGbZOJjZI85/MabFaadulil5O2PBgtoaCNphC+fn
|
|
||||||
6nW6IitDoDIRuDqtzrYbpCq+WpJHninbohykXsr9owNQ2iS067CtYq1B4fqu7dsT
|
|
||||||
b8Kn0OUAqreuFV6VvWbkauJOh4lt1XHTK7mthRWWW9LlOTND5OViy1TPDJpkTGEl
|
|
||||||
HD+2JwCCr/B5PeRDA7n/Odw+BHKUMNsRzxlyusyZalCBZRCeSGbBFT3AeiQL80ET
|
|
||||||
xQARAQABiQI2BBgBCAAgFiEEpPkrx7eSEIpGOZWCfB8torySlBIFAmNunVECGwwA
|
|
||||||
CgkQfB8torySlBLGDg//ROPDDuk8YVdmT9I2A057SQB6tkvXEvIE3u7sNsUjgsmv
|
|
||||||
oGc6BKYSC2yVUMyagZz7Mm64oMmvwSG/9ctI+1R4mhhlGgsPlrhzfMDWzm6OBRkB
|
|
||||||
XtpPsIcotNNYeEdydCdvK2XOJJ4hp9QGG0vsnuiSQL52ZM8j+A7a3NGRoDFtQ/2E
|
|
||||||
uB+AHpbbOu1avp5bNpmCBfbxl+upNDBP5er2OlyfTbaBSf8Z20dwLeXJJsb3AlED
|
|
||||||
eU3XUspAI0UsvUo1QLFWBv/MVU/Ryyqz2B4KMC9I1bRYLdaKaEtxIgQVT+cRwr0B
|
|
||||||
zwJc6+IewtQO1EjSSrkZxJSaZK7Jb600aiz3skRurQrpY+UoP9yAk7i4q1tJDNiR
|
|
||||||
t3QH2C4RwuWymhy8JlvVHKeo3KxEtJ0+3BKPnSyB9FNFELj8Mg1i+8mFCDVANUB/
|
|
||||||
mdbg+Jhpw9fBWq0B/qi5NcLq2GDWqxPEgRbX5Kc/PfY95DcBeWWAJ4wiZqalN49X
|
|
||||||
Wa6gstiQIvsxbKHnx8qoti1YRbnpHOqUYk41P2FLmREgaj1LVQRdL5A+4+NoXhdk
|
|
||||||
a7pC8jX+egWoP36wcbjb2DJsYWiYwbjYKeOxSZOFUT+Cb7iaCGf2KuIoh/tZ5NJ8
|
|
||||||
e5l0MwK1U6XpKTap1NF8WhoIge3lcQt/BH3cTdM+1CkQyTqtuHok6WAVqwgTa5Q=
|
|
||||||
=Fs3l
|
|
||||||
-----END PGP PUBLIC KEY BLOCK-----
|
|
92
keys/pgp/jonasga.asc
Normal file
92
keys/pgp/jonasga.asc
Normal file
|
@ -0,0 +1,92 @@
|
||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
mQINBGNNDUkBEADJu4HorNwlrimCfAmf1Sb2iHMoS4xwYn7AaU+U3RVivIfB/qNi
|
||||||
|
+ggKF6osggihttIPEQqXqS591jutnIKP+KKvD9n8/jfCsDi5m6Ddwz61rL2NvEad
|
||||||
|
bMJSViUzIEIDgQTJT8CByWJpPPND3MoKOuEK/XUQpKmhACT8l+xWSz9UpxPchAUa
|
||||||
|
1vI7Q+jt/ik0EI7sH5WFaBzFj4xAwXXyWYuw6G5nP2oW237NLQnMwMFywLOyI7Qm
|
||||||
|
+PfY/l4HKrNFYBiuv4ToGU5tAb1a23Rp+IV9faPZsT0IFYdxdkQUuu9s2JZ2UnvV
|
||||||
|
VfJ0NWheToCY/R4TZkMDGhNSpotsRLhgdsVJsoBws61ndV/IgrIQbVnMNZrXvn+z
|
||||||
|
tOtdlECVflGIICJkbXtBiGtgMRdJMNHnt4a3/2yPtCTG03Kt+38COh0ox5j3+HIg
|
||||||
|
87Xxxln7z8zolalRkKi6NbOY7qoITcnbZIF972/8SI3UjYERJ4/ay9ucKIU1WLGv
|
||||||
|
Ei97s+IDHt8KXJizc4Z7XfssZ9BcIZ/ekfOopN2Av0U33LCcTKHw9ZVmuoZCfL+u
|
||||||
|
L8TDQLHJT75n+4yOTKXu00pYxWqT5FOFS0RMYb98QLDmcIDQ+B7pw82UGF3/3Fx6
|
||||||
|
YBNY4IjFqIovVmU1UKt4KdLrdOSN8cQtcCxORqT+89bjIG68DbIzO7iCpQARAQAB
|
||||||
|
tDFKb25hcyBHYWZma2UgPGpvbmFzLmdhZmZrZUBtYWlsYm94LnR1LWRyZXNkZW4u
|
||||||
|
ZGU+iQJUBBMBCgA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE+0TwdG3y
|
||||||
|
XwskourlhsiiV8PsgqsFAmS3zscFCQcOW/4ACgkQhsiiV8Psgqvirg/9H+XHvntb
|
||||||
|
shbst+vM9x8IKwhaOrH6IwZa/b9v8y8MRmbXoculQUuDyoeN0+RZkdeYZ25cjbnj
|
||||||
|
qGzFS2gspWgNcpQ6yH3lOiwFMWG18M8RrXnpe0lOuo1JrqN10xgnbE/XahAdzshq
|
||||||
|
riTMd8c2u8xaTQpLajdzPjgn13eDsqq1GfdTUi+p6olIwEhVH+PBxNQsav5EaU/0
|
||||||
|
BzVnIC0U/TDeNmZk6NNvxJItDwdGbDW9fIlWSoz112WlnBTaP0cwg9lKVGSXfECc
|
||||||
|
HSh+FKhJoaCxXxy2lsSJTz0yvjZp/lKCQ1aOd546CMChoncaN7G+rQZjk2reCoE2
|
||||||
|
zMey8zm0o3ik4aVEHLRbPhM7en0wywp1H4NmEq94cvQ2epYS58YB8owrZk/cSlqc
|
||||||
|
NH3Jw9wqQx3Wd+WLCYVn/Hoyj1QxeQJ1xvLau4KDE7dTVBXfWX9pv+zUi54R1bxB
|
||||||
|
82907uId83VrtC0hGtwNz68wIfFduZJapZ50nIe+aXM3h4/BBqA7R2H/MKBy3VoA
|
||||||
|
+pVVcIXk1HHEoZCt141ikHLOYAeUo8A98Dh6BESCuh0tCNa7Xh/3EZnvPIAVmiP4
|
||||||
|
twrHYz2ARG6NgIVJCwnmSHyV76gPwT98fuX5KRkGh9Ev19DBL75tvLiwLiqSiR4Y
|
||||||
|
liwM4YMa71wqet+CsQ7CAdI7LaGOB1wo7Xe0H0pvbmFzIEdhZmZrZSA8am9uYXNA
|
||||||
|
am9uYXNnYS5pbz6JAlQEEwEKAD4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AW
|
||||||
|
IQT7RPB0bfJfCySi6uWGyKJXw+yCqwUCZLfOxwUJBw5b/gAKCRCGyKJXw+yCq0tN
|
||||||
|
D/4/sle7D5dGsl12/2hq09rKOYeN2IedzTYtY6EYaMVMGgh35YVUXYRsj0JmIt3c
|
||||||
|
m/L68d3rhxkiIxSdaXxZDvVvoOATgAnn4wXuz2LrtxoPpwVb8yREBIDSTymAHKgT
|
||||||
|
5IXWl/x2CB6rQ9rlyg00m4sEOJ3newytVK24QtEiSseuDrR+5RGyP85UFjVSKWtE
|
||||||
|
kYuIk1Rst+T0XJUJlIMjpMLtTF9Z15FwTRvPUhHfO8wmdp/xfHWdyB0qZI0QdnlA
|
||||||
|
4uGP1TaXw7fm1o1frlla6LxIRCIe/Bk4pIPVg70BjO8HDPr8AQhTLqa2+1rI+AXD
|
||||||
|
Wp3ROOe5X0fXV3liT/J/lXLBerWbYibVcHZluvEru7cgS3xBrbKP4OCF0i3xvueU
|
||||||
|
dZnat1bfNPua6VXxACfoIGP7XYoRH+mx1Pv0tCiGv++5Lr9QGmDRwFEC1IgMnPu3
|
||||||
|
YVu3wrTVZhyhyPKlp1golx9ZCemgyimqNNdfDEea0I75UTkoOfLpjwFGHuB2KiOX
|
||||||
|
xyfaIxgOLN3/eefT6GYGmI9/it7E2cZhjEMCRRHsqFEa3MSZABIs/VGFctsJVVQy
|
||||||
|
ke5hZavElLUGbDeP3GCdAnYb+DG3lP1KuzCqaGwpfZOh9WqlmxhGHnr+SkPDcAwO
|
||||||
|
E6FZ63E6da1BW7aqQK9IQIlz1wT2fwLfyyiNTuH0GksA67QkSm9uYXMgR2FmZmtl
|
||||||
|
IDxqb25hcy5nYWZma2VAYWdkc24uZGU+iQJUBBMBCgA+AhsDBQsJCAcCBhUKCQgL
|
||||||
|
AgQWAgMBAh4BAheAFiEE+0TwdG3yXwskourlhsiiV8PsgqsFAmS3zscFCQcOW/4A
|
||||||
|
CgkQhsiiV8PsgqvrihAAryY5C9niS6gXqKVnXWNlf/cesDCRNEs1akOLmwF4S541
|
||||||
|
dsbKt9Ox4EWjaGkVC3ucKa7ejRqkOSoVnj+8iEDFaLJbhd2btYjKqWRXm8leuiHq
|
||||||
|
SJ8tdsBDXXYodp8riTaPw8q+BV/OIjalTRq06dCon7kJtQiPolSvUr+pz9BIcWCV
|
||||||
|
DxVlx/tI5SUuLEfa0cxFjkxVX/PyjijF3NXelMxDGDv4VjXZcZ8/gbHZUQeba4ku
|
||||||
|
utfyeUpz8Jk2QcCROtO9XQNvPw8ae9KC+zSmiWOmK8CEMM9UAnHHV3M4nPi8Toef
|
||||||
|
Na/W+48uWX7MNsD2DvQPft8Rv71bPnJpdU2sPfND4I8TsV0cjKRapfuhDkBA7QF7
|
||||||
|
RxQtDS2QE1pMI2MbLoAJi2vItnXx1GV61ZL40pNbofVylJLfddjSJ2Mt2Vr9CxOJ
|
||||||
|
yNk+lq36DzWELcWTbW8wlinEmzg3EPFMQKfPtMGAqQ/c+5e4WCxGPdwYZMpX5CRc
|
||||||
|
SevoIWIS7D0lSzxMFnEmSEbV8UTCiQTqOYKvwXpD8APJ0BlJzxSxh6nWOvW63O4q
|
||||||
|
hZWU+iNjifongAZ5bHdj9LTnLcMZtNZCUaGOT3JQOfXo9CFCa9CQY45RNHFCyWpj
|
||||||
|
jMONEUxh/kSBiNmCQ7hReiMOo0v0DPziZGlU6xOgbO7FY65w/aBG4KzyO54ObtG0
|
||||||
|
I0pvbmFzIEdhZmZrZSA8am9uYXMuZ2FmZmtlQGlmc3IuZGU+iQJUBBMBCgA+AhsD
|
||||||
|
BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE+0TwdG3yXwskourlhsiiV8PsgqsF
|
||||||
|
AmS3zscFCQcOW/4ACgkQhsiiV8Psgqu1uRAAxd4g81gphfrBqh7dQdJxYoj6CWqZ
|
||||||
|
+yrqkoFLrHtT2nEc2o/gzJ3NRtUOVVkbZavWm3+U0/kYn0l/2pC/rRh7EzMmqVqV
|
||||||
|
tib+F56dWTSiJ/4jwkUIxKiQdUYP9M1HHyYUY+aNU+ob3S19IMy4hvE/jSk7o8y6
|
||||||
|
vYx4LsOkxr2/VclsUE+1F9rPUUymbwPzcLCuStP2dHrIvyVTyKFEE2SYv8Vt53sb
|
||||||
|
6IFfo1Fef3gVzlfPgYVpprnumF1SDufSIT4xy5NIbKngeUxlLzsXFpgjoAEqGJQM
|
||||||
|
XdlAc1JwOL0vB5F8fYVXvCn/xqGdm5XByAQZhZsod0yPvfLr56T57wRQl2KZLDFk
|
||||||
|
90FSVgn9Z+mfimixgo5sQ6PJaLmBZl4ZLdnX1RGT8sjXyhX8QRdB8VRk1NEoxBWv
|
||||||
|
W7ZvuLZXJ5HuVj8zsrS56PFBwcIure4K9OZyYdWIDLLGDyMWBcXhmbrcHxTsBoCH
|
||||||
|
vWIY6xQdpKBwnK/eDeMTcvyxnfbRbg1InvPp9WwUHixiJpFfJg/D3ljKp9DfhG1I
|
||||||
|
KZs6kc7rxiUdrxsAul2thrd9OdVWHWc8KZgHH3Lu/+0Ff4BqgTCHOtAQF1WRLGMq
|
||||||
|
Bz/ZmkaPpF+bCFL8DIWKpZ0RIroGzRrJ/+HpPrNifgTLppXFeORaERmBKjsvGxk9
|
||||||
|
kxs4/YrT7NRJFci5Ag0EY00NSQEQAL2QNEcd2EB7Pxgfywr8FKH5j7pa5LcLPAIQ
|
||||||
|
zSQYIcjkNJ2RwCFJ2NRmnlHi1K/Ig2rU/CyHn2AQ5xJirMn08Zfe40L8fLjR8nx8
|
||||||
|
8123BxURzC9jOy9/P4XQnVsyA82nyjm1b7ZdYxBKtfuw1p3N5ZBn0VIQ8tcdIkVw
|
||||||
|
WB1WWK5kvkhHzjrtJBTKsgFXGreKdy7eSXdJ+GnXRAcGMtvDdLI3FuuqFhSiQk5Z
|
||||||
|
8iuG8vbIefC/FvK74qADST3rFi+hKDVx+nMrGMtaNs41ogrgcsOL5kg62MLH562x
|
||||||
|
g3/a4xk75374t9j1SuJOz74PuSdpyNuj1Np9nrA7qjCpiXgoD2RKv6nUVdtg2ONT
|
||||||
|
2D4HU65gq4/EJhgLm0pybImBmaNV0yQ7c1jvTl5UvDe6eo+PiKSheDJUKt1Yf+qM
|
||||||
|
8RGquQ08kYvYSIqGEPmZGWTLfKUrmGdRPP8M1GiavOph5zagRRUvx8fMAZ24YmBD
|
||||||
|
NdkrFs4TykfwWpKXxxgnAFfpe/U8qh0Nn3EpMbFVddykGgbu/lp0hlD9sBwMRKSN
|
||||||
|
WrjP6EcQxU+2F+iXA7ycnqc0gm2NFbF7hxfq01aeHsAEDYjJ7P3MqhS77eizubnF
|
||||||
|
uMmFBN7bX8nSzgBW3EPf/U6MXWgVmBu6AoTlLryDN7FVM/lQROyysAzXAZTpVfdj
|
||||||
|
JYvK6Ek7ABEBAAGJAjYEGAEKACAWIQT7RPB0bfJfCySi6uWGyKJXw+yCqwUCY00N
|
||||||
|
SQIbDAAKCRCGyKJXw+yCq894EADEaqstXPduTKMdKoI3nA4IzODp89HXEyxZ5w7I
|
||||||
|
WBX9QVu6bsI6uIXCb6YTNaleLUoz6XKHKctzCexyNOSChbKeFC5pnCejqjTHZfip
|
||||||
|
6bUcuaFYGsbzWUEasIlMxISLs3yHSf5sN7FNU2Oms/3EE5nY/pFZKR4V/bvk7FdG
|
||||||
|
UIE6/Pv9Z7Xw/y83CH+W72y83Ugk3iqFjcNcFRQ1JIHASqka5T2k6FTSfTvHlrRG
|
||||||
|
yTSsGe9r2Gkh8GkGmaMboIW/drd71w81Wn5wUWDZBWqEP0UMQ5mld/sGCnmiM2u7
|
||||||
|
yWbYXSTUvluutHsXZuhlAv8TGp6VkpCtmUquoM1UpmEGRb223YDPtBZdyOl+UnQE
|
||||||
|
b8pN0pt+yDlYXX7kMi/i9WgR/vKm6YlAKziJwOdnKG4bP/urZDz602BXJWH8TWim
|
||||||
|
/1CT5uMEdSEN5xBjyUt0q6Q1eGtB4Rub9J492yGJmp3IhvzeYoOmKjtmyPKFdDki
|
||||||
|
21eBTU/TSPHToYtVW3Xm5afdM9313Y+hB3gyC9cQWWJdDi/rUtVi//j8lQErKxoM
|
||||||
|
h97b5VOeFMO21EFXGiTLlPaP+qs7Ngqc4/Y7rGAbr50CVVDJUxawMO0+r32j+M2o
|
||||||
|
rBWzVWTKM0uFGTRdVzwWSnYTltU1JoZ0xmV9HGJhLuQHRJ+F+8n7YxIke9wVU1yR
|
||||||
|
q0Mleg==
|
||||||
|
=M2wX
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
@ -1,78 +0,0 @@
|
||||||
{ pkgs, config, lib, ... }:
|
|
||||||
with lib;
|
|
||||||
|
|
||||||
let
|
|
||||||
# We write a custom config file because the upstream config has some flaws
|
|
||||||
fd_cfg = config.services.bacula-fd;
|
|
||||||
fd_conf = pkgs.writeText "bacula-fd.conf" ''
|
|
||||||
Client {
|
|
||||||
Name = ${fd_cfg.name}
|
|
||||||
FDPort = ${toString fd_cfg.port}
|
|
||||||
WorkingDirectory = /var/lib/bacula
|
|
||||||
Pid Directory = /run
|
|
||||||
${fd_cfg.extraClientConfig}
|
|
||||||
}
|
|
||||||
|
|
||||||
${concatStringsSep "\n" (mapAttrsToList (name: value: ''
|
|
||||||
Director {
|
|
||||||
Name = ${name}
|
|
||||||
Password = ${value.password}
|
|
||||||
Monitor = ${value.monitor}
|
|
||||||
}
|
|
||||||
'') fd_cfg.director)}
|
|
||||||
|
|
||||||
Messages {
|
|
||||||
Name = Standard;
|
|
||||||
syslog = all, !skipped, !restored
|
|
||||||
${fd_cfg.extraMessagesConfig}
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
# AGDSN is running an outdated version that we have to comply to
|
|
||||||
bacula_package = (pkgs.bacula.overrideAttrs (old: rec {
|
|
||||||
version = "9.6.7";
|
|
||||||
src = pkgs.fetchurl {
|
|
||||||
url = "mirror://sourceforge/bacula/${old.pname}-${version}.tar.gz";
|
|
||||||
sha256 = "sha256-3w+FJezbo4DnS1N8pxrfO3WWWT8CGJtZqw6//IXMyN4=";
|
|
||||||
};
|
|
||||||
}));
|
|
||||||
in
|
|
||||||
{
|
|
||||||
sops.secrets = {
|
|
||||||
"bacula/password".owner = "bacula";
|
|
||||||
"bacula/keypair".owner = "bacula";
|
|
||||||
"bacula/masterkey".owner = "bacula";
|
|
||||||
};
|
|
||||||
networking.firewall.allowedTCPPorts = [ config.services.bacula-fd.port ];
|
|
||||||
networking.firewall.allowedUDPPorts = [ config.services.bacula-fd.port ];
|
|
||||||
services.bacula-fd = {
|
|
||||||
enable = true;
|
|
||||||
name = "ifsr-quitte";
|
|
||||||
extraClientConfig = ''
|
|
||||||
Maximum Concurrent Jobs = 20
|
|
||||||
FDAddress = 141.30.30.169
|
|
||||||
PKI Signatures = Yes
|
|
||||||
PKI Encryption = Yes
|
|
||||||
PKI Keypair = ${config.sops.secrets."bacula/keypair".path}
|
|
||||||
PKI Master Key = ${config.sops.secrets."bacula/masterkey".path}
|
|
||||||
'';
|
|
||||||
extraMessagesConfig = ''
|
|
||||||
director = abel-dir = all, !skipped, !restored
|
|
||||||
mailcommand = "${bacula_package}/bin/bsmtp -f \"Bacula <bacula@${config.networking.domain}>\" -s \"Bacula report" %r"
|
|
||||||
mail = root+backup = all, !skipped
|
|
||||||
'';
|
|
||||||
director."abel-dir".password = "@${config.sops.secrets."bacula/password".path}";
|
|
||||||
};
|
|
||||||
environment.etc."bacula/bconsole.conf".text = ''
|
|
||||||
Director {
|
|
||||||
Name = abel-dir
|
|
||||||
DIRport = 9101
|
|
||||||
address = 10.144.0.11
|
|
||||||
Password = @${config.sops.secrets."bacula/password".path}
|
|
||||||
}
|
|
||||||
Console {
|
|
||||||
Name = ifsr-quitte-console
|
|
||||||
Password = @${config.sops.secrets."bacula/password".path}
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
systemd.services.bacula-fd.serviceConfig.ExecStart = lib.mkForce "${bacula_package}/sbin/bacula-fd -f -u root -g bacula -c ${fd_conf}";
|
|
||||||
}
|
|
47
modules/core/bacula.nix
Normal file
47
modules/core/bacula.nix
Normal file
|
@ -0,0 +1,47 @@
|
||||||
|
{ pkgs, config, ... }:
|
||||||
|
{
|
||||||
|
sops.secrets = {
|
||||||
|
"bacula/password".owner = "bacula";
|
||||||
|
"bacula/keypair".owner = "bacula";
|
||||||
|
"bacula/masterkey".owner = "bacula";
|
||||||
|
};
|
||||||
|
networking.firewall = {
|
||||||
|
extraInputRules = ''
|
||||||
|
ip saddr 10.144.0.11 tcp dport ${builtins.toString config.services.bacula-fd.port} accept comment "Only allow Bacula access from Abel"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
services.bacula-fd = {
|
||||||
|
enable = true;
|
||||||
|
name = "ifsr-quitte";
|
||||||
|
extraClientConfig = ''
|
||||||
|
Comm Compression = no
|
||||||
|
Maximum Concurrent Jobs = 20
|
||||||
|
FDAddress = 141.30.30.169
|
||||||
|
PKI Signatures = Yes
|
||||||
|
PKI Encryption = Yes
|
||||||
|
PKI Keypair = ${config.sops.secrets."bacula/keypair".path}
|
||||||
|
PKI Master Key = ${config.sops.secrets."bacula/masterkey".path}
|
||||||
|
'';
|
||||||
|
extraMessagesConfig = ''
|
||||||
|
director = abel-dir = all, !skipped, !restored
|
||||||
|
mailcommand = "${pkgs.bacula}/bin/bsmtp -f \"Bacula <bacula@${config.networking.domain}>\" -s \"Bacula report" %r"
|
||||||
|
mail = root+backup = all, !skipped
|
||||||
|
'';
|
||||||
|
director."abel-dir" = {
|
||||||
|
password = "@${config.sops.secrets."bacula/password".path}";
|
||||||
|
tls.enable = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
environment.etc."bacula/bconsole.conf".text = ''
|
||||||
|
Director {
|
||||||
|
Name = abel-dir
|
||||||
|
DIRport = 9101
|
||||||
|
address = 10.144.0.11
|
||||||
|
Password = @${config.sops.secrets."bacula/password".path}
|
||||||
|
}
|
||||||
|
Console {
|
||||||
|
Name = ifsr-quitte-console
|
||||||
|
Password = @${config.sops.secrets."bacula/password".path}
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
}
|
|
@ -1,6 +1,5 @@
|
||||||
{ pkgs, config, ... }: {
|
{ pkgs, config, ... }: {
|
||||||
nix = {
|
nix = {
|
||||||
package = pkgs.nixUnstable; # or versioned attributes like nix_2_4
|
|
||||||
extraOptions = ''
|
extraOptions = ''
|
||||||
experimental-features = nix-command flakes
|
experimental-features = nix-command flakes
|
||||||
'';
|
'';
|
||||||
|
@ -11,10 +10,17 @@
|
||||||
echo System package diff:
|
echo System package diff:
|
||||||
${config.nix.package}/bin/nix store diff-closures /run/current-system $systemConfig || true
|
${config.nix.package}/bin/nix store diff-closures /run/current-system $systemConfig || true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
NO_FORMAT="\033[0m"
|
||||||
|
F_BOLD="\033[1m"
|
||||||
|
C_RED="\033[38;5;9m"
|
||||||
|
${pkgs.diffutils}/bin/cmp --silent \
|
||||||
|
<(readlink /run/current-system/{kernel,kernel-modules}) \
|
||||||
|
<(readlink $systemConfig/{kernel,kernel-modules}) \
|
||||||
|
|| echo -e "''${F_BOLD}''${C_RED}Kernel version changed, reboot is advised.''${NO_FORMAT}"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# Select internationalisation properties.
|
# Select internationalisation properties.
|
||||||
i18n.defaultLocale = "en_US.UTF-8";
|
|
||||||
console = {
|
console = {
|
||||||
#font = "Lat2-Terminus16";
|
#font = "Lat2-Terminus16";
|
||||||
font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
|
font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
|
||||||
|
@ -22,7 +28,17 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
# Enable the OpenSSH daemon.
|
# Enable the OpenSSH daemon.
|
||||||
services.openssh.enable = true;
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
PermitRootLogin = "yes";
|
||||||
|
PasswordAuthentication = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
programs.mosh.enable = true;
|
||||||
|
|
||||||
|
# vs code server
|
||||||
|
services.vscode-server.enable = true;
|
||||||
|
|
||||||
# set root ssh keys
|
# set root ssh keys
|
||||||
users.users.root.openssh.authorizedKeys = {
|
users.users.root.openssh.authorizedKeys = {
|
||||||
|
@ -40,17 +56,17 @@
|
||||||
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXMHwy4AZ9B4pMRBa/P/rb7N3SCas9e7Lp89plTHdFS halcyon@eisvogel.moe"
|
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXMHwy4AZ9B4pMRBa/P/rb7N3SCas9e7Lp89plTHdFS halcyon@eisvogel.moe"
|
||||||
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJ7qUGZUjiDhQ6Se+aXr9DbgRTG2tx69owqVMkd2bna simon@mayushii"
|
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJ7qUGZUjiDhQ6Se+aXr9DbgRTG2tx69owqVMkd2bna simon@mayushii"
|
||||||
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLlITzcTVnSi8EpEW3leSuqYCDhbnJyoGCjFOtIJ0Dl5uRNm0UNXS7AbQtLLylEeI1+/qinQDEWAJ6cBDAaPfNw= rouven@thinkpad"
|
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLlITzcTVnSi8EpEW3leSuqYCDhbnJyoGCjFOtIJ0Dl5uRNm0UNXS7AbQtLLylEeI1+/qinQDEWAJ6cBDAaPfNw= rouven@thinkpad"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJgYI2rXmw4uPXAMmOgqgJEwYfwj/IBExTCzs9Dgo+R w0lff"
|
||||||
];
|
];
|
||||||
keyFiles = [
|
keyFiles = [
|
||||||
../keys/ssh/marcus-sapphire
|
../../keys/ssh/marcus-sapphire
|
||||||
../keys/ssh/schrader
|
../../keys/ssh/schrader
|
||||||
../keys/ssh/jannusch
|
../../keys/ssh/jannusch
|
||||||
../keys/ssh/jannusch-arch
|
../../keys/ssh/jannusch-arch
|
||||||
../keys/ssh/tassilo
|
../../keys/ssh/tassilo
|
||||||
../keys/ssh/jonasga
|
../../keys/ssh/jonasga
|
||||||
../keys/ssh/rouven
|
../../keys/ssh/rouven
|
||||||
../keys/ssh/joachim
|
../../keys/ssh/joachim
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -63,9 +79,10 @@
|
||||||
# $ nix search wget
|
# $ nix search wget
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
atop
|
atop
|
||||||
|
btop
|
||||||
bat
|
bat
|
||||||
git
|
git
|
||||||
htop
|
htop-vim
|
||||||
fd
|
fd
|
||||||
ripgrep
|
ripgrep
|
||||||
tldr
|
tldr
|
||||||
|
@ -73,6 +90,7 @@
|
||||||
usbutils
|
usbutils
|
||||||
wget
|
wget
|
||||||
neovim
|
neovim
|
||||||
|
helix
|
||||||
nmap
|
nmap
|
||||||
tcpdump
|
tcpdump
|
||||||
bat
|
bat
|
||||||
|
@ -91,8 +109,10 @@
|
||||||
sysstat
|
sysstat
|
||||||
tree
|
tree
|
||||||
whois
|
whois
|
||||||
exa
|
eza
|
||||||
zsh
|
zsh
|
||||||
|
unzip
|
||||||
|
yazi
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
15
modules/core/default.nix
Executable file
15
modules/core/default.nix
Executable file
|
@ -0,0 +1,15 @@
|
||||||
|
{ ... }: {
|
||||||
|
imports = [
|
||||||
|
./base.nix
|
||||||
|
./logging.nix
|
||||||
|
./bacula.nix
|
||||||
|
./fail2ban.nix
|
||||||
|
./initrd-ssh.nix
|
||||||
|
./mysql.nix
|
||||||
|
./nginx.nix
|
||||||
|
./podman.nix
|
||||||
|
./postgres.nix
|
||||||
|
./sssd.nix
|
||||||
|
./zsh.nix
|
||||||
|
];
|
||||||
|
}
|
27
modules/core/fail2ban.nix
Normal file
27
modules/core/fail2ban.nix
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
services.fail2ban = {
|
||||||
|
enable = true;
|
||||||
|
ignoreIP = [
|
||||||
|
"141.30.0.0/16"
|
||||||
|
"141.76.0.0/16"
|
||||||
|
];
|
||||||
|
bantime-increment = {
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
jails = {
|
||||||
|
dovecot = ''
|
||||||
|
enabled = true
|
||||||
|
# aggressive mode to add blocking for aborted connections
|
||||||
|
filter = dovecot[mode=aggressive]
|
||||||
|
maxretry = 3
|
||||||
|
'';
|
||||||
|
postfix = ''
|
||||||
|
enabled = true
|
||||||
|
filter = postfix[mode=aggressive]
|
||||||
|
maxretry = 3
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
29
modules/core/initrd-ssh.nix
Normal file
29
modules/core/initrd-ssh.nix
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
# Find the required kernel module for the network adapter using `lspci -v` and add it to `boot.initrd.availableKernelModules`.
|
||||||
|
# Enable `networking.useDHCP` or set a static ip using the `ip=` kernel parameter.
|
||||||
|
# Generate another SSH host key for the machine:
|
||||||
|
# $ ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key_initrd -C HOSTNAME-initrd
|
||||||
|
# Add the public key to your known_hosts and create an ssh config entry.
|
||||||
|
{ config, ... }:
|
||||||
|
{
|
||||||
|
boot.initrd = {
|
||||||
|
availableKernelModules = [ "mlx5_core" ];
|
||||||
|
systemd = {
|
||||||
|
enable = true;
|
||||||
|
network = {
|
||||||
|
enable = true;
|
||||||
|
networks."10-wired-default" = config.systemd.network.networks."10-wired-default";
|
||||||
|
};
|
||||||
|
users.root.shell = "/bin/systemd-tty-ask-password-agent";
|
||||||
|
};
|
||||||
|
network = {
|
||||||
|
enable = true;
|
||||||
|
ssh = {
|
||||||
|
enable = true;
|
||||||
|
port = 222;
|
||||||
|
hostKeys = [ "/etc/ssh/ssh_host_ed25519_key_initrd" ];
|
||||||
|
# authorizedKeys option inherits root's authorizedKeys.keys, but not keyFiles
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
34
modules/core/logging.nix
Normal file
34
modules/core/logging.nix
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
{ pkgs, ... }:
|
||||||
|
{
|
||||||
|
services.rsyslogd = {
|
||||||
|
enable = true;
|
||||||
|
defaultConfig = ''
|
||||||
|
$FileCreateMode 0640
|
||||||
|
:programname, isequal, "postfix" /var/log/postfix.log
|
||||||
|
|
||||||
|
auth.* -/var/log/auth.log
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
services.logrotate.configFile = pkgs.writeText "logrotate.conf" ''
|
||||||
|
weekly
|
||||||
|
missingok
|
||||||
|
notifempty
|
||||||
|
rotate 4
|
||||||
|
"/var/log/postfix.log" {
|
||||||
|
compress
|
||||||
|
delaycompress
|
||||||
|
weekly
|
||||||
|
rotate 156
|
||||||
|
}
|
||||||
|
"/var/log/nginx/*.log" {
|
||||||
|
compress
|
||||||
|
delaycompress
|
||||||
|
weekly
|
||||||
|
postrotate
|
||||||
|
[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`
|
||||||
|
endscript
|
||||||
|
rotate 26
|
||||||
|
su nginx nginx
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
}
|
20
modules/core/mysql.nix
Normal file
20
modules/core/mysql.nix
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
{ pkgs, ... }:
|
||||||
|
{
|
||||||
|
services.mysql = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.mariadb;
|
||||||
|
settings.mysqld.bind_address = "127.0.0.1";
|
||||||
|
};
|
||||||
|
services.mysqlBackup = {
|
||||||
|
enable = true;
|
||||||
|
user = "mysql";
|
||||||
|
location = "/var/lib/backup/mysql";
|
||||||
|
databases = [
|
||||||
|
"decisions"
|
||||||
|
"fsrewsp"
|
||||||
|
"nightline"
|
||||||
|
"wiki_ese"
|
||||||
|
"wiki_vernetzung"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
60
modules/core/nginx.nix
Normal file
60
modules/core/nginx.nix
Normal file
|
@ -0,0 +1,60 @@
|
||||||
|
{ lib, config, pkgs, ... }:
|
||||||
|
{
|
||||||
|
# set default options for virtualHosts
|
||||||
|
options = with lib; {
|
||||||
|
services.nginx.virtualHosts = mkOption {
|
||||||
|
type = types.attrsOf (types.submodule
|
||||||
|
({ name, ... }: {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
# split up nginx access logs per vhost
|
||||||
|
extraConfig = ''
|
||||||
|
access_log /var/log/nginx/${name}_access.log;
|
||||||
|
error_log /var/log/nginx/${name}_error.log;
|
||||||
|
'';
|
||||||
|
})
|
||||||
|
);
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
|
networking.firewall.allowedUDPPorts = [ 443 ];
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.nginxQuic;
|
||||||
|
additionalModules = [ pkgs.nginxModules.pam ];
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
|
||||||
|
# appendHttpConfig = ''
|
||||||
|
# map $remote_addr $remote_addr_anon {
|
||||||
|
# ~(?P<ip>\d+\.\d+\.\d+)\. $ip.0;
|
||||||
|
# ~(?P<ip>[^:]+:[^:]+): $ip::;
|
||||||
|
# # IP addresses to not anonymize
|
||||||
|
# 127.0.0.1 $remote_addr;
|
||||||
|
# ::1 $remote_addr;
|
||||||
|
# default 0.0.0.0;
|
||||||
|
# }
|
||||||
|
# log_format anon_ip '$remote_addr_anon - $remote_user [$time_local] "$request" '
|
||||||
|
# '$status $body_bytes_sent "$http_referer" '
|
||||||
|
# '"$http_user_agent" "$http_x_forwarded_for"';
|
||||||
|
|
||||||
|
# access_log /var/log/nginx/access.log anon_ip;
|
||||||
|
# '';
|
||||||
|
};
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults = {
|
||||||
|
#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
||||||
|
email = "root@${config.networking.domain}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
security.pam.services.nginx.text = ''
|
||||||
|
auth required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
|
||||||
|
account required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
26
modules/core/podman.nix
Normal file
26
modules/core/podman.nix
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
{ pkgs, ... }:
|
||||||
|
{
|
||||||
|
# From: https://nixos.wiki/wiki/Podman
|
||||||
|
virtualisation.containers.enable = true;
|
||||||
|
virtualisation = {
|
||||||
|
podman = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
# Create a `docker` alias for podman, to use it as a drop-in replacement
|
||||||
|
dockerCompat = true;
|
||||||
|
|
||||||
|
# Required for containers under podman-compose to be able to talk to each other.
|
||||||
|
defaultNetwork.settings.dns_enabled = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
virtualisation.oci-containers.backend = "podman";
|
||||||
|
|
||||||
|
|
||||||
|
# Useful otherdevelopment tools
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
dive # look into docker image layers
|
||||||
|
podman-tui # status of containers in the terminal
|
||||||
|
#docker-compose # start group of containers for dev
|
||||||
|
#podman-compose # start group of containers for dev
|
||||||
|
];
|
||||||
|
}
|
|
@ -6,8 +6,10 @@
|
||||||
location = "/var/lib/backup/postgresql";
|
location = "/var/lib/backup/postgresql";
|
||||||
databases = [
|
databases = [
|
||||||
"course-management"
|
"course-management"
|
||||||
"gitea"
|
"git"
|
||||||
|
"grafana"
|
||||||
"hedgedoc"
|
"hedgedoc"
|
||||||
|
"keycloak"
|
||||||
"matrix-synapse"
|
"matrix-synapse"
|
||||||
"mautrix-telegram"
|
"mautrix-telegram"
|
||||||
"mediawiki"
|
"mediawiki"
|
||||||
|
@ -16,7 +18,10 @@
|
||||||
"sogo"
|
"sogo"
|
||||||
"vaultwarden"
|
"vaultwarden"
|
||||||
"mailman"
|
"mailman"
|
||||||
"mailmanweb"
|
"mailman-web"
|
||||||
|
"zammad"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.postgresql.settings.max_connections = 1000;
|
||||||
}
|
}
|
41
modules/core/sssd.nix
Normal file
41
modules/core/sssd.nix
Normal file
|
@ -0,0 +1,41 @@
|
||||||
|
{ config, ... }:
|
||||||
|
{
|
||||||
|
sops.secrets = {
|
||||||
|
"sssd/env" = { };
|
||||||
|
|
||||||
|
};
|
||||||
|
services.sssd = {
|
||||||
|
enable = true;
|
||||||
|
environmentFile = config.sops.secrets."sssd/env".path;
|
||||||
|
sshAuthorizedKeysIntegration = true;
|
||||||
|
config = ''
|
||||||
|
[sssd]
|
||||||
|
config_file_version = 2
|
||||||
|
services = nss, pam, ssh
|
||||||
|
domains = ldap
|
||||||
|
|
||||||
|
[ssh]
|
||||||
|
|
||||||
|
[nss]
|
||||||
|
|
||||||
|
[pam]
|
||||||
|
|
||||||
|
[domain/ldap]
|
||||||
|
auth_provider = ldap
|
||||||
|
ldap_uri = ldaps://auth.ifsr.de
|
||||||
|
ldap_default_authtok_type = password
|
||||||
|
ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
|
||||||
|
ldap_search_base = dc=ifsr,dc=de
|
||||||
|
id_provider = ldap
|
||||||
|
ldap_default_bind_dn = uid=search,ou=users,dc=ifsr,dc=de
|
||||||
|
cache_credentials = True
|
||||||
|
ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt
|
||||||
|
ldap_tls_reqcert = hard
|
||||||
|
'';
|
||||||
|
|
||||||
|
};
|
||||||
|
security.pam.services = {
|
||||||
|
sshd.makeHomeDir = true;
|
||||||
|
login.makeHomeDir = true;
|
||||||
|
};
|
||||||
|
}
|
35
modules/core/zsh.nix
Normal file
35
modules/core/zsh.nix
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
{ lib, pkgs, ... }:
|
||||||
|
{
|
||||||
|
users.users.root.shell = pkgs.zsh;
|
||||||
|
programs.command-not-found.enable = false;
|
||||||
|
programs.nix-index-database.comma.enable = true;
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
# fzf
|
||||||
|
bat
|
||||||
|
duf
|
||||||
|
];
|
||||||
|
programs.fzf = {
|
||||||
|
keybindings = true;
|
||||||
|
};
|
||||||
|
programs.zsh = {
|
||||||
|
enable = true;
|
||||||
|
autosuggestions = {
|
||||||
|
enable = true;
|
||||||
|
highlightStyle = "fg=#00bbbb,bold";
|
||||||
|
};
|
||||||
|
|
||||||
|
# don't override agdsn-zsh-config aliases
|
||||||
|
shellAliases = lib.mkForce { };
|
||||||
|
|
||||||
|
shellInit = ''
|
||||||
|
zsh-newuser-install () {}
|
||||||
|
'';
|
||||||
|
interactiveShellInit = ''
|
||||||
|
source ${pkgs.zsh-fzf-tab}/share/fzf-tab/fzf-tab.plugin.zsh
|
||||||
|
HW_CONF_ALIASES_GIT_AUTHOR_REMINDER=0
|
||||||
|
source ${pkgs.agdsn-zsh-config}/etc/zsh/zshrc
|
||||||
|
'';
|
||||||
|
promptInit = "";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
|
@ -38,15 +38,28 @@ in
|
||||||
enable = lib.mkForce true; # upstream bacula config wants to disable it, so we need to force
|
enable = lib.mkForce true; # upstream bacula config wants to disable it, so we need to force
|
||||||
ensureUsers = [{
|
ensureUsers = [{
|
||||||
name = "course-management";
|
name = "course-management";
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE \"course-management\"" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
}];
|
}];
|
||||||
ensureDatabases = [ "course-management" ];
|
ensureDatabases = [ "course-management" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts.${hostName} = {
|
services.nginx.virtualHosts.${hostName} = {
|
||||||
enableACME = true;
|
# phil redirects
|
||||||
forceSSL = true;
|
locations =
|
||||||
|
let
|
||||||
|
philDomain = "https://kurse-phil.ifsr.de";
|
||||||
|
courses = [ "238" "239" "240" "241" "242" "243" ];
|
||||||
|
subjects = [
|
||||||
|
"ESE 2023 PHIL Campustour"
|
||||||
|
"ESE 2023 PHIL Bowlingabend"
|
||||||
|
"ESE 2023 PHIL Filmabend"
|
||||||
|
"ESE 2023 PHIL Wandern"
|
||||||
|
"ESE 2023 PHIL Spieleabend Pen and Paper"
|
||||||
|
];
|
||||||
|
in
|
||||||
|
{
|
||||||
|
"~ \"^/course/(${builtins.concatStringsSep "|" courses})/\"".return = "301 ${philDomain}/course/$1";
|
||||||
|
"~ \"^/subject/(${builtins.concatStringsSep "|" subjects})/\"".return = "301 ${philDomain}/subject/$1";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
93
modules/courses/phil.nix
Normal file
93
modules/courses/phil.nix
Normal file
|
@ -0,0 +1,93 @@
|
||||||
|
{ config, lib, course-management, ... }:
|
||||||
|
let
|
||||||
|
hostName = "kurse-phil.${config.networking.domain}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services.nginx.virtualHosts."${hostName}" = {
|
||||||
|
locations."/".proxyPass = "http://127.0.0.1:8084";
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.secrets = {
|
||||||
|
"course-management-phil/secret-key" = { };
|
||||||
|
"course-management-phil/adminpass" = { };
|
||||||
|
};
|
||||||
|
containers."courses-phil" = {
|
||||||
|
autoStart = true;
|
||||||
|
extraFlags = [
|
||||||
|
"--load-credential=course-secret-key:${config.sops.secrets."course-management-phil/secret-key".path}"
|
||||||
|
"--load-credential=course-adminpass:${config.sops.secrets."course-management-phil/adminpass".path}"
|
||||||
|
];
|
||||||
|
config = { config, ... }: {
|
||||||
|
system.stateVersion = "23.05";
|
||||||
|
networking.domain = "ifsr.de";
|
||||||
|
imports = [
|
||||||
|
course-management.nixosModules.default
|
||||||
|
];
|
||||||
|
systemd.services.course-management = {
|
||||||
|
after = [ "postgresql.service" ];
|
||||||
|
serviceConfig = {
|
||||||
|
LoadCredential = [
|
||||||
|
"secret-key:course-secret-key"
|
||||||
|
"adminpass:course-adminpass"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
services.course-management = {
|
||||||
|
inherit hostName;
|
||||||
|
enable = true;
|
||||||
|
listenPort = 5001;
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
secretKeyFile = "$CREDENTIALS_DIRECTORY/secret-key";
|
||||||
|
adminPassFile = "$CREDENTIALS_DIRECTORY/adminpass";
|
||||||
|
admins = [{
|
||||||
|
name = "Root iFSR";
|
||||||
|
email = "root@${config.networking.domain}";
|
||||||
|
}];
|
||||||
|
database = {
|
||||||
|
ENGINE = "django.db.backends.postgresql";
|
||||||
|
NAME = "course-management";
|
||||||
|
};
|
||||||
|
email = lib.mkDefault {
|
||||||
|
fromEmail = "noreply@${config.networking.domain}";
|
||||||
|
serverEmail = "root@${config.networking.domain}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults = {
|
||||||
|
email = "root@${config.networking.domain}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
services.postgresql = {
|
||||||
|
enable = true;
|
||||||
|
enableTCPIP = lib.mkForce false;
|
||||||
|
ensureUsers = [{
|
||||||
|
name = "course-management";
|
||||||
|
ensureDBOwnership = true;
|
||||||
|
}];
|
||||||
|
ensureDatabases = [ "course-management" ];
|
||||||
|
};
|
||||||
|
systemd.services.postgresql.serviceConfig.ExecStart = lib.mkForce "${config.services.postgresql.package}/bin/postgres -c listen_addresses=''";
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
recommendedOptimisation = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
|
||||||
|
|
||||||
|
virtualHosts.${hostName} = {
|
||||||
|
listen = [{
|
||||||
|
addr = "127.0.0.1";
|
||||||
|
port = 8084;
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
46
modules/decisions.nix
Normal file
46
modules/decisions.nix
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
{ config, ... }:
|
||||||
|
let
|
||||||
|
domain = "decisions.${config.networking.domain}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
sops.secrets."decisions_env" = { };
|
||||||
|
virtualisation.oci-containers = {
|
||||||
|
containers.decisions = {
|
||||||
|
image = "ghcr.io/fsr/decisions";
|
||||||
|
volumes = [
|
||||||
|
"/var/lib/nextcloud/data/root/files/FSR/protokolle:/protokolle:ro"
|
||||||
|
];
|
||||||
|
extraOptions = [ "--network=host" ];
|
||||||
|
environmentFiles = [
|
||||||
|
config.sops.secrets."decisions_env".path
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
virtualHosts."${domain}" = {
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:5055";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.timers."decisions-to-db" = {
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
timerConfig = {
|
||||||
|
OnCalendar = "01:11:00";
|
||||||
|
Unit = "decisions-to-db.service";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# systemd.services."decisions-to-db" = {
|
||||||
|
# script = ''
|
||||||
|
# set -eu
|
||||||
|
# ${pkgs.podman}/bin/podman exec decisions python tex_to_db.py
|
||||||
|
# '';
|
||||||
|
# serviceConfig = {
|
||||||
|
# Type = "oneshot";
|
||||||
|
# User = "root";
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
}
|
30
modules/forgejo/actions.nix
Normal file
30
modules/forgejo/actions.nix
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
{
|
||||||
|
sops.secrets."forgejo/runner-token" = { };
|
||||||
|
services.gitea-actions-runner = {
|
||||||
|
package = pkgs.forgejo-actions-runner;
|
||||||
|
instances."quitte" = {
|
||||||
|
enable = true;
|
||||||
|
labels = [
|
||||||
|
# provide a debian base with nodejs for actions
|
||||||
|
"debian-latest:docker://node:18-bullseye"
|
||||||
|
# fake the ubuntu name, because node provides no ubuntu builds
|
||||||
|
"ubuntu-latest:docker://node:18-bullseye"
|
||||||
|
# provide native execution on the host
|
||||||
|
# "native:host"
|
||||||
|
];
|
||||||
|
tokenFile = config.sops.secrets."forgejo/runner-token".path;
|
||||||
|
url = "https://git.ifsr.de";
|
||||||
|
name = "quitte";
|
||||||
|
settings = {
|
||||||
|
container = {
|
||||||
|
# use podman's default network, otherwise dns was not working for some reason
|
||||||
|
network = "podman";
|
||||||
|
# don't mount the docker socket into the build containers,
|
||||||
|
# this would basically mean root on the host...
|
||||||
|
docker_host = "-";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -1,40 +1,45 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
domain = "git.${config.networking.domain}";
|
domain = "git.${config.networking.domain}";
|
||||||
giteaUser = "git";
|
gitUser = "git";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
imports = [
|
||||||
|
./actions.nix
|
||||||
|
];
|
||||||
sops.secrets.gitea_ldap_search = {
|
sops.secrets.gitea_ldap_search = {
|
||||||
key = "portunus/search-password";
|
key = "portunus/search-password";
|
||||||
owner = config.services.gitea.user;
|
owner = config.services.forgejo.user;
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.${giteaUser} = {
|
users.users.${gitUser} = {
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
home = config.services.gitea.stateDir;
|
home = config.services.forgejo.stateDir;
|
||||||
group = giteaUser;
|
group = gitUser;
|
||||||
useDefaultShell = true;
|
useDefaultShell = true;
|
||||||
};
|
};
|
||||||
users.groups.${giteaUser} = { };
|
users.groups.${gitUser} = { };
|
||||||
|
|
||||||
services.gitea = {
|
services.forgejo = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.forgejo; # community fork
|
user = gitUser;
|
||||||
user = giteaUser;
|
group = gitUser;
|
||||||
group = giteaUser;
|
|
||||||
appName = "iFSR Git";
|
|
||||||
lfs.enable = true;
|
lfs.enable = true;
|
||||||
|
|
||||||
database = {
|
database = {
|
||||||
type = "postgres";
|
type = "postgres";
|
||||||
|
name = "git"; # legacy
|
||||||
createDatabase = true;
|
createDatabase = true;
|
||||||
user = giteaUser;
|
user = gitUser;
|
||||||
};
|
};
|
||||||
|
|
||||||
# TODO: enable periodic dumps of the DB and repos, maybe use this for backups?
|
# TODO: enable periodic dumps of the DB and repos, maybe use this for backups?
|
||||||
# dump = { };
|
# dump = { };
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
|
DEFAULT = {
|
||||||
|
APP_NAME = "iFSR Git";
|
||||||
|
};
|
||||||
server = {
|
server = {
|
||||||
PROTOCOL = "http+unix";
|
PROTOCOL = "http+unix";
|
||||||
DOMAIN = domain;
|
DOMAIN = domain;
|
||||||
|
@ -42,6 +47,7 @@ in
|
||||||
ROOT_URL = "https://${domain}";
|
ROOT_URL = "https://${domain}";
|
||||||
OFFLINE_MODE = true; # disable use of CDNs
|
OFFLINE_MODE = true; # disable use of CDNs
|
||||||
};
|
};
|
||||||
|
log.LEVEL = "Warn";
|
||||||
database.LOG_SQL = false;
|
database.LOG_SQL = false;
|
||||||
service = {
|
service = {
|
||||||
DISABLE_REGISTRATION = true;
|
DISABLE_REGISTRATION = true;
|
||||||
|
@ -63,12 +69,15 @@ in
|
||||||
COOKIE_SECURE = true;
|
COOKIE_SECURE = true;
|
||||||
PROVIDER = "db";
|
PROVIDER = "db";
|
||||||
};
|
};
|
||||||
|
actions.ENABLED = true;
|
||||||
|
# federation.ENABLED = true;
|
||||||
|
webhook.ALLOWED_HOST_LIST = "*.ifsr.de";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.gitea.preStart =
|
systemd.services.forgejo.preStart =
|
||||||
let
|
let
|
||||||
exe = lib.getExe config.services.gitea.package;
|
exe = lib.getExe config.services.forgejo.package;
|
||||||
portunus = config.services.portunus;
|
portunus = config.services.portunus;
|
||||||
basedn = "ou=users,${portunus.ldap.suffix}";
|
basedn = "ou=users,${portunus.ldap.suffix}";
|
||||||
ldapConfigArgs = ''
|
ldapConfigArgs = ''
|
||||||
|
@ -105,10 +114,8 @@ in
|
||||||
'';
|
'';
|
||||||
|
|
||||||
services.nginx.virtualHosts.${domain} = {
|
services.nginx.virtualHosts.${domain} = {
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}:/";
|
proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
locations."/api/v1/users/search".return = "403";
|
locations."/api/v1/users/search".return = "403";
|
|
@ -1,23 +0,0 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
let
|
|
||||||
domain = "ftp.${config.networking.domain}";
|
|
||||||
in
|
|
||||||
{
|
|
||||||
services.nginx.additionalModules = [ pkgs.nginxModules.fancyindex ];
|
|
||||||
services.nginx.virtualHosts."${domain}" = {
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
root = "/srv/ftp";
|
|
||||||
extraConfig = ''
|
|
||||||
fancyindex on;
|
|
||||||
fancyindex_exact_size off;
|
|
||||||
'';
|
|
||||||
locations."~/(klausuren|uebungen|skripte|abschlussarbeiten)".extraConfig = ''
|
|
||||||
allow 141.30.0.0/16;
|
|
||||||
allow 141.76.0.0/16;
|
|
||||||
allow 172.16.0.0/16;
|
|
||||||
deny all;
|
|
||||||
'';
|
|
||||||
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -14,9 +14,7 @@ in
|
||||||
ensureUsers = [
|
ensureUsers = [
|
||||||
{
|
{
|
||||||
name = "hedgedoc";
|
name = "hedgedoc";
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE hedgedoc" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
ensureDatabases = [ "hedgedoc" ];
|
ensureDatabases = [ "hedgedoc" ];
|
||||||
|
@ -70,12 +68,16 @@ in
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"${domain}" = {
|
"${domain}" = {
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://[::1]:${toString config.services.hedgedoc.settings.port}";
|
proxyPass = "http://[::1]:${toString config.services.hedgedoc.settings.port}";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
};
|
};
|
||||||
|
locations."/robots.txt" = {
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Content-Type text/plain;
|
||||||
|
return 200 "User-agent: *\nDisallow: /\n";
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -4,6 +4,7 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sops.secrets."hydra_ldap_search" = { owner = "hydra"; group = "hydra"; mode = "440"; };
|
sops.secrets."hydra_ldap_search" = { owner = "hydra"; group = "hydra"; mode = "440"; };
|
||||||
|
nix.settings.allowed-uris = [ "https://github.com/nix-community" ]; # whitelisted to fetch nix-index
|
||||||
services.hydra = {
|
services.hydra = {
|
||||||
enable = true;
|
enable = true;
|
||||||
port = 4000;
|
port = 4000;
|
||||||
|
@ -59,8 +60,6 @@ in
|
||||||
|
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."${domain}" = {
|
services.nginx.virtualHosts."${domain}" = {
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
|
proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}";
|
||||||
};
|
};
|
||||||
|
|
34
modules/kanboard.nix
Normal file
34
modules/kanboard.nix
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
let
|
||||||
|
domain = "kanboard.${config.networking.domain}";
|
||||||
|
domain_short = "kb.${config.networking.domain}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
sops.secrets."kanboard_env" = { };
|
||||||
|
|
||||||
|
virtualisation.oci-containers = {
|
||||||
|
containers.kanboard = {
|
||||||
|
image = "ghcr.io/kanboard/kanboard:v1.2.41";
|
||||||
|
volumes = [
|
||||||
|
"kanboard_data:/var/www/app/data"
|
||||||
|
"kanboard_plugins:/var/www/app/plugins"
|
||||||
|
];
|
||||||
|
ports = [ "127.0.0.1:8045:80" ];
|
||||||
|
environmentFiles = [
|
||||||
|
config.sops.secrets."kanboard_env".path
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
virtualHosts."${domain_short}" = {
|
||||||
|
locations."/".return = "301 $scheme://${domain}$request_uri";
|
||||||
|
};
|
||||||
|
|
||||||
|
virtualHosts."${domain}" = {
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:8045";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
37
modules/keycloak/default.nix
Normal file
37
modules/keycloak/default.nix
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
let
|
||||||
|
domain = "sso.${config.networking.domain}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
sops.secrets."keycloak/db" = { };
|
||||||
|
services.keycloak = {
|
||||||
|
enable = true;
|
||||||
|
# we use unstable as the release in stable is insecure
|
||||||
|
# package = nixpkgs-unstable.legacyPackages.x86_64-linux.keycloak;
|
||||||
|
settings = {
|
||||||
|
http-port = 8086;
|
||||||
|
https-port = 19000;
|
||||||
|
hostname = domain;
|
||||||
|
proxy = "edge";
|
||||||
|
};
|
||||||
|
# The module requires a password for the DB and works best with its own DB config
|
||||||
|
# Does an automatic Postgresql configuration
|
||||||
|
database = {
|
||||||
|
passwordFile = config.sops.secrets."keycloak/db".path;
|
||||||
|
};
|
||||||
|
initialAdminPassword = "plschangeme";
|
||||||
|
themes = with pkgs ; {
|
||||||
|
ifsr = keycloak_ifsr_theme;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
services.nginx.virtualHosts."${domain}" = {
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}";
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_buffer_size 128k;
|
||||||
|
proxy_buffers 4 256k;
|
||||||
|
proxy_busy_buffers_size 256k;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
15
modules/keycloak/theme.nix
Normal file
15
modules/keycloak/theme.nix
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
{ stdenv }:
|
||||||
|
stdenv.mkDerivation rec {
|
||||||
|
name = "keycloak_ifsr_theme";
|
||||||
|
version = "1.1";
|
||||||
|
|
||||||
|
src = ./theme;
|
||||||
|
|
||||||
|
nativeBuildInputs = [ ];
|
||||||
|
buildInputs = [ ];
|
||||||
|
|
||||||
|
installPhase = ''
|
||||||
|
mkdir -p $out
|
||||||
|
cp -a login $out
|
||||||
|
'';
|
||||||
|
}
|
772
modules/keycloak/theme/login/resources/css/login.css
Normal file
772
modules/keycloak/theme/login/resources/css/login.css
Normal file
|
@ -0,0 +1,772 @@
|
||||||
|
.login-pf {
|
||||||
|
background: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
.login-pf body {
|
||||||
|
background: url(../img/background.jpg) no-repeat center center fixed;
|
||||||
|
background-size: cover;
|
||||||
|
height: 100%;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*IE compatibility*/
|
||||||
|
.pf-c-form-control {
|
||||||
|
font-size: 14px;
|
||||||
|
font-size: var(--pf-global--FontSize--sm);
|
||||||
|
border-width: 1px;
|
||||||
|
border-width: var(--pf-global--BorderWidth--sm);;
|
||||||
|
border-color: #EDEDED #EDEDED #8A8D90 #EDEDED;
|
||||||
|
border-color: var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--200) var(--pf-global--BorderColor--300);
|
||||||
|
background-color: #FFFFFF;
|
||||||
|
background-color: var(--pf-global--BackgroundColor--100);
|
||||||
|
height: 36px;
|
||||||
|
height: calc(var(--pf-c-form-control--FontSize) * var(--pf-c-form-control--LineHeight) + var(--pf-c-form-control--BorderWidth) * 2 + var(--pf-c-form-control--PaddingTop) + var(--pf-c-form-control--PaddingBottom));
|
||||||
|
padding: 5px 0.5rem;
|
||||||
|
padding: var(--pf-c-form-control--PaddingTop) var(--pf-c-form-control--PaddingRight) var(--pf-c-form-control--PaddingBottom) var(--pf-c-form-control--PaddingLeft);
|
||||||
|
}
|
||||||
|
|
||||||
|
textarea.pf-c-form-control {
|
||||||
|
height: auto;
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-form-control:hover, .pf-c-form-control:focus {
|
||||||
|
border-bottom-color: #0066CC;
|
||||||
|
border-bottom-color: var(--pf-global--primary-color--100);
|
||||||
|
border-bottom-width: 2px;
|
||||||
|
border-bottom-width: var(--pf-global--BorderWidth--md);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-form-control[aria-invalid=true] {
|
||||||
|
border-bottom-color: #C9190B;
|
||||||
|
border-bottom-color: var(--pf-global--danger-color--100);
|
||||||
|
border-bottom-width: 2px;
|
||||||
|
border-bottom-width: var(--pf-global--BorderWidth--md);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-check__label, .pf-c-radio__label {
|
||||||
|
font-size: 14px;
|
||||||
|
font-size: var(--pf-global--FontSize--sm);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-alert.pf-m-inline {
|
||||||
|
margin-bottom: 0.5rem; /* default - IE compatibility */
|
||||||
|
margin-bottom: var(--pf-global--spacer--sm);
|
||||||
|
padding: 0.25rem;
|
||||||
|
padding: var(--pf-global--spacer--xs);
|
||||||
|
border: solid #ededed;
|
||||||
|
border: solid var(--pf-global--BorderColor--300);
|
||||||
|
border-width: 1px;
|
||||||
|
border-width: var(--pf-c-alert--m-inline--BorderTopWidth) var(--pf-c-alert--m-inline--BorderRightWidth) var(--pf-c-alert--m-inline--BorderBottomWidth) var(--pf-c-alert--m-inline--BorderLeftWidth);
|
||||||
|
display: -ms-flexbox;
|
||||||
|
display: grid;
|
||||||
|
-ms-grid-columns: max-content 1fr max-content;
|
||||||
|
grid-template-columns:max-content 1fr max-content;
|
||||||
|
grid-template-columns: var(--pf-c-alert--grid-template-columns);
|
||||||
|
grid-template-rows: 1fr auto;
|
||||||
|
grid-template-rows: var(--pf-c-alert--grid-template-rows);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-alert.pf-m-inline::before {
|
||||||
|
position: absolute;
|
||||||
|
top: -1px;
|
||||||
|
top: var(--pf-c-alert--m-inline--before--Top);
|
||||||
|
bottom: -1px;
|
||||||
|
bottom: var(--pf-c-alert--m-inline--before--Bottom);
|
||||||
|
left: 0;
|
||||||
|
width: 3px;
|
||||||
|
width: var(--pf-c-alert--m-inline--before--Width);
|
||||||
|
content: ;
|
||||||
|
background-color: #FFFFFF;
|
||||||
|
background-color: var(--pf-global--BackgroundColor--100);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-alert.pf-m-inline.pf-m-success::before {
|
||||||
|
background-color: #92D400;
|
||||||
|
background-color: var(--pf-global--success-color--100);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-alert.pf-m-inline.pf-m-danger::before {
|
||||||
|
background-color: #C9190B;
|
||||||
|
background-color: var(--pf-global--danger-color--100);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-alert.pf-m-inline.pf-m-warning::before {
|
||||||
|
background-color: #F0AB00;
|
||||||
|
background-color: var(--pf-global--warning-color--100);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-alert.pf-m-inline .pf-c-alert__icon {
|
||||||
|
padding: 1rem 0.5rem 1rem 1rem;
|
||||||
|
padding: var(--pf-c-alert--m-inline__icon--PaddingTop) var(--pf-c-alert--m-inline__icon--PaddingRight) var(--pf-c-alert--m-inline__icon--PaddingBottom) var(--pf-c-alert--m-inline__icon--PaddingLeft);
|
||||||
|
font-size: 16px;
|
||||||
|
font-size: var(--pf-c-alert--m-inline__icon--FontSize);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-alert.pf-m-success .pf-c-alert__icon {
|
||||||
|
color: #92D400;
|
||||||
|
color: var(--pf-global--success-color--100);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-alert.pf-m-success .pf-c-alert__title {
|
||||||
|
color: #486B00;
|
||||||
|
color: var(--pf-global--success-color--200);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-alert.pf-m-danger .pf-c-alert__icon {
|
||||||
|
color: #C9190B;
|
||||||
|
color: var(--pf-global--danger-color--100);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-alert.pf-m-danger .pf-c-alert__title {
|
||||||
|
color: #A30000;
|
||||||
|
color: var(--pf-global--danger-color--200);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-alert.pf-m-warning .pf-c-alert__icon {
|
||||||
|
color: #F0AB00;
|
||||||
|
color: var(--pf-global--warning-color--100);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-alert.pf-m-warning .pf-c-alert__title {
|
||||||
|
color: #795600;
|
||||||
|
color: var(--pf-global--warning-color--200);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-alert__title {
|
||||||
|
font-size: 14px; /* default - IE compatibility */
|
||||||
|
font-size: var(--pf-global--FontSize--sm);
|
||||||
|
padding: 5px 8px;
|
||||||
|
padding: var(--pf-c-alert__title--PaddingTop) var(--pf-c-alert__title--PaddingRight) var(--pf-c-alert__title--PaddingBottom) var(--pf-c-alert__title--PaddingLeft);
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-c-button{
|
||||||
|
padding:0.375rem 1rem;
|
||||||
|
padding: var(--pf-global--spacer--form-element) var(--pf-global--spacer--md);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* default - IE compatibility */
|
||||||
|
.pf-m-primary {
|
||||||
|
color: #FFFFFF;
|
||||||
|
background-color: #0066CC;
|
||||||
|
background-color: var(--pf-global--primary-color--100);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* default - IE compatibility */
|
||||||
|
.pf-m-primary:hover {
|
||||||
|
background-color: #004080;
|
||||||
|
background-color: var(--pf-global--primary-color--200);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* default - IE compatibility */
|
||||||
|
.pf-c-button.pf-m-control {
|
||||||
|
border: solid 1px;
|
||||||
|
border: solid var(--pf-global--BorderWidth--sm);
|
||||||
|
border-color: rgba(230, 230, 230, 0.5);
|
||||||
|
}
|
||||||
|
/*End of IE compatibility*/
|
||||||
|
h1#kc-page-title {
|
||||||
|
margin-top: 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-locale ul {
|
||||||
|
background-color: #FFF;
|
||||||
|
background-color: var(--pf-global--BackgroundColor--100);
|
||||||
|
display: none;
|
||||||
|
top: 20px;
|
||||||
|
min-width: 100px;
|
||||||
|
padding: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-locale-dropdown{
|
||||||
|
display: inline-block;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-locale-dropdown:hover ul {
|
||||||
|
display:block;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* IE compatibility */
|
||||||
|
#kc-locale-dropdown a {
|
||||||
|
color: #6A6E73;
|
||||||
|
color: var(--pf-global--Color--200);
|
||||||
|
text-align: right;
|
||||||
|
font-size: 14px;
|
||||||
|
font-size: var(--pf-global--FontSize--sm);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* IE compatibility */
|
||||||
|
a#kc-current-locale-link::after {
|
||||||
|
content: 2c5;
|
||||||
|
margin-left: 4px;
|
||||||
|
margin-left: var(--pf-global--spacer--xs)
|
||||||
|
}
|
||||||
|
|
||||||
|
.login-pf .container {
|
||||||
|
padding-top: 40px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.login-pf a:hover {
|
||||||
|
color: #0099d3;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-logo {
|
||||||
|
width: 100%;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.kc-logo-text {
|
||||||
|
background-image: url(../img/agdsn_logo.png);
|
||||||
|
background-repeat: no-repeat;
|
||||||
|
background-size: auto;
|
||||||
|
position: relative;
|
||||||
|
top: 0%;
|
||||||
|
left: 25%;
|
||||||
|
width: 950px;
|
||||||
|
height: 250px;
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
div.kc-logo-text span {
|
||||||
|
display: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-header {
|
||||||
|
color: #ededed;
|
||||||
|
overflow: visible;
|
||||||
|
white-space: nowrap;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-header-wrapper {
|
||||||
|
font-size: 29px;
|
||||||
|
text-transform: uppercase;
|
||||||
|
letter-spacing: 3px;
|
||||||
|
line-height: 1.2em;
|
||||||
|
padding: 62px 10px 20px;
|
||||||
|
white-space: normal;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-content {
|
||||||
|
width: 100%;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-attempted-username {
|
||||||
|
font-size: 20px;
|
||||||
|
font-family: inherit;
|
||||||
|
font-weight: normal;
|
||||||
|
padding-right: 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-username {
|
||||||
|
text-align: center;
|
||||||
|
margin-bottom:-10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-webauthn-settings-form {
|
||||||
|
padding-top: 8px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-form-webauthn .select-auth-box-parent {
|
||||||
|
pointer-events: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-form-webauthn .select-auth-box-desc {
|
||||||
|
color: var(--pf-global--palette--black-600);
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-form-webauthn .select-auth-box-headline {
|
||||||
|
color: var(--pf-global--Color--300);
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-form-webauthn .select-auth-box-icon {
|
||||||
|
flex: 0 0 3em;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-form-webauthn .select-auth-box-icon-properties {
|
||||||
|
margin-top: 10px;
|
||||||
|
font-size: 1.8em;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-form-webauthn .select-auth-box-icon-properties.unknown-transport-class {
|
||||||
|
margin-top: 3px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-form-webauthn .pf-l-stack__item {
|
||||||
|
margin: -1px 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-content-wrapper {
|
||||||
|
margin-top: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-form-wrapper {
|
||||||
|
margin-top: 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-info {
|
||||||
|
margin: 20px -40px -30px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-info-wrapper {
|
||||||
|
font-size: 13px;
|
||||||
|
padding: 15px 35px;
|
||||||
|
background-color: #F0F0F0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-form-options span {
|
||||||
|
display: block;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-form-options .checkbox {
|
||||||
|
margin-top: 0;
|
||||||
|
color: #72767b;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-terms-text {
|
||||||
|
margin-bottom: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-registration {
|
||||||
|
margin-bottom: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* TOTP */
|
||||||
|
|
||||||
|
.subtitle {
|
||||||
|
text-align: right;
|
||||||
|
margin-top: 30px;
|
||||||
|
color: #909090;
|
||||||
|
}
|
||||||
|
|
||||||
|
.required {
|
||||||
|
color: #A30000; /* default - IE compatibility */
|
||||||
|
color: var(--pf-global--danger-color--200);
|
||||||
|
}
|
||||||
|
|
||||||
|
ol#kc-totp-settings {
|
||||||
|
margin: 0;
|
||||||
|
padding-left: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
ul#kc-totp-supported-apps {
|
||||||
|
margin-bottom: 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-totp-secret-qr-code {
|
||||||
|
max-width:150px;
|
||||||
|
max-height:150px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-totp-secret-key {
|
||||||
|
background-color: #fff;
|
||||||
|
color: #333333;
|
||||||
|
font-size: 16px;
|
||||||
|
padding: 10px 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* OAuth */
|
||||||
|
|
||||||
|
#kc-oauth h3 {
|
||||||
|
margin-top: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-oauth ul {
|
||||||
|
list-style: none;
|
||||||
|
padding: 0;
|
||||||
|
margin: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-oauth ul li {
|
||||||
|
border-top: 1px solid rgba(255, 255, 255, 0.1);
|
||||||
|
font-size: 12px;
|
||||||
|
padding: 10px 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-oauth ul li:first-of-type {
|
||||||
|
border-top: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-oauth .kc-role {
|
||||||
|
display: inline-block;
|
||||||
|
width: 50%;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Code */
|
||||||
|
#kc-code textarea {
|
||||||
|
width: 100%;
|
||||||
|
height: 8em;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Social */
|
||||||
|
.kc-social-links {
|
||||||
|
margin-top: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.kc-social-provider-logo {
|
||||||
|
font-size: 23px;
|
||||||
|
width: 30px;
|
||||||
|
height: 25px;
|
||||||
|
float: left;
|
||||||
|
}
|
||||||
|
|
||||||
|
.kc-social-gray {
|
||||||
|
color: #737679; /* default - IE compatibility */
|
||||||
|
color: var(--pf-global--Color--200);
|
||||||
|
}
|
||||||
|
|
||||||
|
.kc-social-item {
|
||||||
|
margin-bottom: 0.5rem; /* default - IE compatibility */
|
||||||
|
margin-bottom: var(--pf-global--spacer--sm);
|
||||||
|
font-size: 15px;
|
||||||
|
text-align: center;
|
||||||
|
}
|
||||||
|
|
||||||
|
.kc-social-provider-name {
|
||||||
|
position: relative;
|
||||||
|
top: 3px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.kc-social-icon-text {
|
||||||
|
left: -15px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.kc-social-grid {
|
||||||
|
display:grid;
|
||||||
|
grid-column-gap: 10px;
|
||||||
|
grid-row-gap: 5px;
|
||||||
|
grid-column-end: span 6;
|
||||||
|
--pf-l-grid__item--GridColumnEnd: span 6;
|
||||||
|
}
|
||||||
|
|
||||||
|
.kc-social-grid .kc-social-icon-text {
|
||||||
|
left: -10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.kc-login-tooltip {
|
||||||
|
position: relative;
|
||||||
|
display: inline-block;
|
||||||
|
}
|
||||||
|
|
||||||
|
.kc-social-section {
|
||||||
|
text-align: center;
|
||||||
|
}
|
||||||
|
|
||||||
|
.kc-social-section hr{
|
||||||
|
margin-bottom: 10px
|
||||||
|
}
|
||||||
|
|
||||||
|
.kc-login-tooltip .kc-tooltip-text{
|
||||||
|
top:-3px;
|
||||||
|
left:160%;
|
||||||
|
background-color: black;
|
||||||
|
visibility: hidden;
|
||||||
|
color: #fff;
|
||||||
|
|
||||||
|
min-width:130px;
|
||||||
|
text-align: center;
|
||||||
|
border-radius: 2px;
|
||||||
|
box-shadow:0 1px 8px rgba(0,0,0,0.6);
|
||||||
|
padding: 5px;
|
||||||
|
|
||||||
|
position: absolute;
|
||||||
|
opacity:0;
|
||||||
|
transition:opacity 0.5s;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Show tooltip */
|
||||||
|
.kc-login-tooltip:hover .kc-tooltip-text {
|
||||||
|
visibility: visible;
|
||||||
|
opacity:0.7;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Arrow for tooltip */
|
||||||
|
.kc-login-tooltip .kc-tooltip-text::after {
|
||||||
|
content: ;
|
||||||
|
position: absolute;
|
||||||
|
top: 15px;
|
||||||
|
right: 100%;
|
||||||
|
margin-top: -5px;
|
||||||
|
border-width: 5px;
|
||||||
|
border-style: solid;
|
||||||
|
border-color: transparent black transparent transparent;
|
||||||
|
}
|
||||||
|
|
||||||
|
@media (min-width: 768px) {
|
||||||
|
#kc-container-wrapper {
|
||||||
|
position: absolute;
|
||||||
|
width: 100%;
|
||||||
|
}
|
||||||
|
|
||||||
|
.login-pf .container {
|
||||||
|
padding-right: 80px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-locale {
|
||||||
|
position: relative;
|
||||||
|
text-align: right;
|
||||||
|
z-index: 9999;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@media (max-width: 767px) {
|
||||||
|
|
||||||
|
.login-pf body {
|
||||||
|
background: white;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-header {
|
||||||
|
padding-left: 15px;
|
||||||
|
padding-right: 15px;
|
||||||
|
float: none;
|
||||||
|
text-align: left;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-header-wrapper {
|
||||||
|
font-size: 16px;
|
||||||
|
font-weight: bold;
|
||||||
|
padding: 20px 60px 0 0;
|
||||||
|
color: #72767b;
|
||||||
|
letter-spacing: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
div.kc-logo-text {
|
||||||
|
margin: 0;
|
||||||
|
width: 150px;
|
||||||
|
height: 32px;
|
||||||
|
background-size: 100%;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-form {
|
||||||
|
float: none;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-info-wrapper {
|
||||||
|
border-top: 1px solid rgba(255, 255, 255, 0.1);
|
||||||
|
background-color: transparent;
|
||||||
|
}
|
||||||
|
|
||||||
|
.login-pf .container {
|
||||||
|
padding-top: 15px;
|
||||||
|
padding-bottom: 15px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-locale {
|
||||||
|
position: absolute;
|
||||||
|
width: 200px;
|
||||||
|
top: 20px;
|
||||||
|
right: 20px;
|
||||||
|
text-align: right;
|
||||||
|
z-index: 9999;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@media (min-height: 646px) {
|
||||||
|
#kc-container-wrapper {
|
||||||
|
bottom: 12%;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@media (max-height: 645px) {
|
||||||
|
#kc-container-wrapper {
|
||||||
|
padding-top: 50px;
|
||||||
|
top: 20%;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
.card-pf form.form-actions .btn {
|
||||||
|
float: right;
|
||||||
|
margin-left: 10px;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-form-buttons {
|
||||||
|
margin-top: 20px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.login-pf-page .login-pf-brand {
|
||||||
|
margin-top: 20px;
|
||||||
|
max-width: 360px;
|
||||||
|
width: 40%;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Internet Explorer 11 compatibility workaround for select-authenticator screen */
|
||||||
|
@media all and (-ms-high-contrast: none),
|
||||||
|
(-ms-high-contrast: active) {
|
||||||
|
.select-auth-box-parent {
|
||||||
|
border-top: 1px solid #f0f0f0;
|
||||||
|
padding-top: 1rem;
|
||||||
|
padding-bottom: 1rem;
|
||||||
|
cursor: pointer;
|
||||||
|
}
|
||||||
|
|
||||||
|
.select-auth-box-headline {
|
||||||
|
font-size: 16px;
|
||||||
|
color: #06c;
|
||||||
|
font-weight: bold;
|
||||||
|
}
|
||||||
|
|
||||||
|
.select-auth-box-desc {
|
||||||
|
font-size: 14px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.pf-l-stack {
|
||||||
|
flex-basis: 100%;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/* End of IE11 workaround for select-authenticator screen */
|
||||||
|
|
||||||
|
.select-auth-box-arrow{
|
||||||
|
display: flex;
|
||||||
|
align-items: center;
|
||||||
|
margin-right: 2rem;
|
||||||
|
}
|
||||||
|
|
||||||
|
.select-auth-box-icon{
|
||||||
|
display: flex;
|
||||||
|
flex: 0 0 2em;
|
||||||
|
justify-content: center;
|
||||||
|
margin-right: 1rem;
|
||||||
|
margin-left: 3rem;
|
||||||
|
}
|
||||||
|
|
||||||
|
.select-auth-box-parent{
|
||||||
|
border-top: 1px solid var(--pf-global--palette--black-200);
|
||||||
|
padding-top: 1rem;
|
||||||
|
padding-bottom: 1rem;
|
||||||
|
cursor: pointer;
|
||||||
|
}
|
||||||
|
|
||||||
|
.select-auth-box-parent:hover{
|
||||||
|
background-color: #f7f8f8;
|
||||||
|
}
|
||||||
|
|
||||||
|
.select-auth-container {
|
||||||
|
}
|
||||||
|
|
||||||
|
.select-auth-box-headline {
|
||||||
|
font-size: var(--pf-global--FontSize--md);
|
||||||
|
color: var(--pf-global--primary-color--100);
|
||||||
|
font-weight: bold;
|
||||||
|
}
|
||||||
|
|
||||||
|
.select-auth-box-desc {
|
||||||
|
font-size: var(--pf-global--FontSize--sm);
|
||||||
|
}
|
||||||
|
|
||||||
|
.select-auth-box-paragraph {
|
||||||
|
text-align: center;
|
||||||
|
font-size: var(--pf-global--FontSize--md);
|
||||||
|
margin-bottom: 5px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.card-pf {
|
||||||
|
margin: 0 auto;
|
||||||
|
box-shadow: var(--pf-global--BoxShadow--lg);
|
||||||
|
padding: 0 20px;
|
||||||
|
max-width: 500px;
|
||||||
|
border-top: 4px solid;
|
||||||
|
border-color: #0066CC; /* default - IE compatibility */
|
||||||
|
border-color: var(--pf-global--primary-color--100);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*phone*/
|
||||||
|
@media (max-width: 767px) {
|
||||||
|
.login-pf-page .card-pf {
|
||||||
|
max-width: none;
|
||||||
|
margin-left: 0;
|
||||||
|
margin-right: 0;
|
||||||
|
padding-top: 0;
|
||||||
|
border-top: 0;
|
||||||
|
box-shadow: 0 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
.kc-social-grid {
|
||||||
|
grid-column-end: 12;
|
||||||
|
--pf-l-grid__item--GridColumnEnd: span 12;
|
||||||
|
}
|
||||||
|
|
||||||
|
.kc-social-grid .kc-social-icon-text {
|
||||||
|
left: -15px;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
.login-pf-page .login-pf-signup {
|
||||||
|
font-size: 15px;
|
||||||
|
color: #72767b;
|
||||||
|
}
|
||||||
|
#kc-content-wrapper .row {
|
||||||
|
margin-left: 0;
|
||||||
|
margin-right: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
.login-pf-page.login-pf-page-accounts {
|
||||||
|
margin-left: auto;
|
||||||
|
margin-right: auto;
|
||||||
|
}
|
||||||
|
|
||||||
|
.login-pf-page .btn-primary {
|
||||||
|
margin-top: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
.login-pf-page .list-view-pf .list-group-item {
|
||||||
|
border-bottom: 1px solid #ededed;
|
||||||
|
}
|
||||||
|
|
||||||
|
.login-pf-page .list-view-pf-description {
|
||||||
|
width: 100%;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-form-login div.form-group:last-of-type,
|
||||||
|
#kc-register-form div.form-group:last-of-type,
|
||||||
|
#kc-update-profile-form div.form-group:last-of-type {
|
||||||
|
margin-bottom: 0px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.no-bottom-margin {
|
||||||
|
margin-bottom: 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#kc-back {
|
||||||
|
margin-top: 5px;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Recovery codes */
|
||||||
|
.kc-recovery-codes-warning {
|
||||||
|
margin-bottom: 32px;
|
||||||
|
}
|
||||||
|
.kc-recovery-codes-warning .pf-c-alert__description p {
|
||||||
|
font-size: 0.875rem;
|
||||||
|
}
|
||||||
|
.kc-recovery-codes-list {
|
||||||
|
list-style: none;
|
||||||
|
columns: 2;
|
||||||
|
margin: 16px 0;
|
||||||
|
padding: 16px 16px 8px 16px;
|
||||||
|
border: 1px solid #D2D2D2;
|
||||||
|
}
|
||||||
|
.kc-recovery-codes-list li {
|
||||||
|
margin-bottom: 8px;
|
||||||
|
font-size: 11px;
|
||||||
|
}
|
||||||
|
.kc-recovery-codes-list li span {
|
||||||
|
color: #6A6E73;
|
||||||
|
width: 16px;
|
||||||
|
text-align: right;
|
||||||
|
display: inline-block;
|
||||||
|
margin-right: 1px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.kc-recovery-codes-actions {
|
||||||
|
margin-bottom: 24px;
|
||||||
|
}
|
||||||
|
.kc-recovery-codes-actions button {
|
||||||
|
padding-left: 0;
|
||||||
|
}
|
||||||
|
.kc-recovery-codes-actions button i {
|
||||||
|
margin-right: 8px;
|
||||||
|
}
|
||||||
|
|
||||||
|
.kc-recovery-codes-confirmation {
|
||||||
|
align-items: baseline;
|
||||||
|
margin-bottom: 16px;
|
||||||
|
}
|
||||||
|
/* End Recovery codes */
|
||||||
|
|
||||||
|
|
BIN
modules/keycloak/theme/login/resources/img/background.jpg
Normal file
BIN
modules/keycloak/theme/login/resources/img/background.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.1 MiB |
4
modules/keycloak/theme/login/theme.properties
Normal file
4
modules/keycloak/theme/login/theme.properties
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
parent=keycloak
|
||||||
|
import=common/keycloak
|
||||||
|
|
||||||
|
styles=css/login.css
|
|
@ -1,25 +1,35 @@
|
||||||
From f5c68898be345fb0dca5ab7b596b9cbe674f5dfb Mon Sep 17 00:00:00 2001
|
diff --git a/cmd/portunus-orchestrator/config.go b/cmd/portunus-orchestrator/config.go
|
||||||
From: Rouven Seifert <rouven@rfive.de>
|
index 4db19f2..290128a 100644
|
||||||
Date: Tue, 4 Jul 2023 15:14:00 +0200
|
--- a/cmd/portunus-orchestrator/config.go
|
||||||
Subject: [PATCH] update user validation regex
|
+++ b/cmd/portunus-orchestrator/config.go
|
||||||
|
@@ -23,7 +23,7 @@ type valueCheck struct {
|
||||||
---
|
}
|
||||||
internal/core/validation.go | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/internal/core/validation.go b/internal/core/validation.go
|
|
||||||
index 3e168b5..10dfc0a 100644
|
|
||||||
--- a/internal/core/validation.go
|
|
||||||
+++ b/internal/core/validation.go
|
|
||||||
@@ -30,7 +30,7 @@ import (
|
|
||||||
)
|
|
||||||
|
|
||||||
//this regexp copied from useradd(8) manpage
|
|
||||||
-const posixAccountNamePattern = `[a-z_][a-z0-9_-]*\$?`
|
|
||||||
+const posixAccountNamePattern = `[a-z_][a-z0-9._-]*\$?`
|
|
||||||
|
|
||||||
var (
|
var (
|
||||||
errIsMissing = errors.New("is missing")
|
- userOrGroupPattern = `^[a-z_][a-z0-9_-]*\$?$`
|
||||||
--
|
+ userOrGroupPattern = `^[a-z_][a-z0-9._-]*\$?$`
|
||||||
2.41.0
|
envDefaults = map[string]string{
|
||||||
|
//empty value = not optional
|
||||||
|
"PORTUNUS_DEBUG": "false",
|
||||||
|
diff --git a/internal/grammars/grammars.go b/internal/grammars/grammars.go
|
||||||
|
index 1253c05..e458fd0 100644
|
||||||
|
--- a/internal/grammars/grammars.go
|
||||||
|
+++ b/internal/grammars/grammars.go
|
||||||
|
@@ -39,7 +39,7 @@ const (
|
||||||
|
// This regex is based on the respective format description in the useradd(8) manpage.
|
||||||
|
//
|
||||||
|
// This is only shown for documentation purposes here; use func IsPOSIXAccountName instead.
|
||||||
|
- POSIXAccountNameRegex = `^[a-z_][a-z0-9_-]*\$?$`
|
||||||
|
+ POSIXAccountNameRegex = `^[a-z_][a-z0-9._-]*\$?$`
|
||||||
|
)
|
||||||
|
|
||||||
|
//TODO There is also some `import "regexp"` in cmd/orchestrator/ldap.go to render
|
||||||
|
@@ -159,7 +159,7 @@ func checkByteInPOSIXAccountName(idx, length int, b byte) bool {
|
||||||
|
switch {
|
||||||
|
case (b >= 'a' && b <= 'z') || b == '_':
|
||||||
|
return true
|
||||||
|
- case (b >= '0' && b <= '9') || b == '-':
|
||||||
|
+ case (b >= '0' && b <= '9') || b == '-' || b == '.':
|
||||||
|
return idx != 0 // not allowed at start
|
||||||
|
default:
|
||||||
|
return false
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
diff --git a/cmd/orchestrator/ldap.go b/cmd/orchestrator/ldap.go
|
diff --git a/cmd/portunus-orchestrator/ldap.go b/cmd/portunus-orchestrator/ldap.go
|
||||||
index ed0d466..a672046 100644
|
index 9564c5e..40cd2d7 100644
|
||||||
--- a/cmd/orchestrator/ldap.go
|
--- a/cmd/portunus-orchestrator/ldap.go
|
||||||
+++ b/cmd/orchestrator/ldap.go
|
+++ b/cmd/portunus-orchestrator/ldap.go
|
||||||
@@ -130,7 +130,7 @@ func runLDAPServer(environment map[string]string) {
|
@@ -134,7 +134,7 @@ func runLDAPServer(environment map[string]string) {
|
||||||
|
|
||||||
bindURL := "ldap:///"
|
bindURL := "ldap:///"
|
||||||
if environment["PORTUNUS_SLAPD_TLS_CERTIFICATE"] != "" {
|
if environment["PORTUNUS_SLAPD_TLS_CERTIFICATE"] != "" {
|
||||||
|
|
|
@ -1,24 +1,26 @@
|
||||||
diff --git a/internal/core/user.go b/internal/core/user.go
|
diff --git a/internal/ldap/object.go b/internal/ldap/object.go
|
||||||
index e74ccfe..291c75b 100644
|
index d4e5c6f..fcefec7 100644
|
||||||
--- a/internal/core/user.go
|
--- a/internal/ldap/object.go
|
||||||
+++ b/internal/core/user.go
|
+++ b/internal/ldap/object.go
|
||||||
@@ -8,6 +8,7 @@ package core
|
@@ -8,6 +8,7 @@ package ldap
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
+ "strconv"
|
+ "regexp"
|
||||||
)
|
|
||||||
|
|
||||||
// User represents a single user account.
|
"github.com/majewsky/portunus/internal/core"
|
||||||
@@ -86,9 +87,9 @@ func (u User) RenderToLDAP(suffix string, allGroups map[string]Group) LDAPObject
|
)
|
||||||
|
@@ -94,10 +95,11 @@ func renderUser(u core.User, dnSuffix string, allGroups []core.Group) Object {
|
||||||
|
if u.POSIX.LoginShell != "" {
|
||||||
obj.Attributes["loginShell"] = []string{u.POSIX.LoginShell}
|
obj.Attributes["loginShell"] = []string{u.POSIX.LoginShell}
|
||||||
}
|
}
|
||||||
|
+ var nonASCII = regexp.MustCompile("[^\\x00-\\x7F]")
|
||||||
if u.POSIX.GECOS == "" {
|
if u.POSIX.GECOS == "" {
|
||||||
- obj.Attributes["gecos"] = []string{u.FullName()}
|
- obj.Attributes["gecos"] = []string{u.FullName()}
|
||||||
+ obj.Attributes["gecos"] = []string{strconv.QuoteToASCII(u.FullName())}
|
+ obj.Attributes["gecos"] = []string{nonASCII.ReplaceAllString(u.FullName(), "")}
|
||||||
} else {
|
} else {
|
||||||
- obj.Attributes["gecos"] = []string{u.POSIX.GECOS}
|
- obj.Attributes["gecos"] = []string{u.POSIX.GECOS}
|
||||||
+ obj.Attributes["gecos"] = []string{strconv.QuoteToASCII(u.POSIX.GECOS)}
|
+ obj.Attributes["gecos"] = []string{nonASCII.ReplaceAllString(u.POSIX.GECOS, "")}
|
||||||
}
|
}
|
||||||
obj.Attributes["objectClass"] = append(obj.Attributes["objectClass"], "posixAccount")
|
obj.Attributes["objectClass"] = append(obj.Attributes["objectClass"], "posixAccount")
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,8 +1,20 @@
|
||||||
diff --git a/internal/core/user.go b/internal/core/user.go
|
diff --git a/internal/core/user.go b/internal/core/user.go
|
||||||
index e74ccfe..ce03eeb 100644
|
index f45fdf7..4f93b37 100644
|
||||||
--- a/internal/core/user.go
|
--- a/internal/core/user.go
|
||||||
+++ b/internal/core/user.go
|
+++ b/internal/core/user.go
|
||||||
@@ -64,7 +64,6 @@ func (u User) RenderToLDAP(suffix string, allGroups map[string]Group) LDAPObject
|
@@ -76,7 +76,6 @@ func (u User) validateLocal(cfg *ValidationConfig) (errs errext.ErrorSet) {
|
||||||
|
MustBePosixAccountNameIf(u.LoginName, u.POSIX != nil),
|
||||||
|
))
|
||||||
|
errs.Add(ref.Field("given_name").WrapFirst(
|
||||||
|
- MustNotBeEmpty(u.GivenName),
|
||||||
|
MustNotHaveSurroundingSpaces(u.GivenName),
|
||||||
|
))
|
||||||
|
errs.Add(ref.Field("family_name").WrapFirst(
|
||||||
|
diff --git a/internal/ldap/object.go b/internal/ldap/object.go
|
||||||
|
index d4e5c6f..1225084 100644
|
||||||
|
--- a/internal/ldap/object.go
|
||||||
|
+++ b/internal/ldap/object.go
|
||||||
|
@@ -73,7 +73,6 @@ func renderUser(u core.User, dnSuffix string, allGroups []core.Group) Object {
|
||||||
"uid": {u.LoginName},
|
"uid": {u.LoginName},
|
||||||
"cn": {u.FullName()},
|
"cn": {u.FullName()},
|
||||||
"sn": {u.FamilyName},
|
"sn": {u.FamilyName},
|
||||||
|
@ -10,7 +22,7 @@ index e74ccfe..ce03eeb 100644
|
||||||
"userPassword": {u.PasswordHash},
|
"userPassword": {u.PasswordHash},
|
||||||
"isMemberOf": memberOfGroupDNames,
|
"isMemberOf": memberOfGroupDNames,
|
||||||
"objectClass": {"portunusPerson", "inetOrgPerson", "organizationalPerson", "person", "top"},
|
"objectClass": {"portunusPerson", "inetOrgPerson", "organizationalPerson", "person", "top"},
|
||||||
@@ -74,6 +73,9 @@ func (u User) RenderToLDAP(suffix string, allGroups map[string]Group) LDAPObject
|
@@ -83,6 +82,9 @@ func renderUser(u core.User, dnSuffix string, allGroups []core.Group) Object {
|
||||||
if u.EMailAddress != "" {
|
if u.EMailAddress != "" {
|
||||||
obj.Attributes["mail"] = []string{u.EMailAddress}
|
obj.Attributes["mail"] = []string{u.EMailAddress}
|
||||||
}
|
}
|
||||||
|
@ -20,15 +32,3 @@ index e74ccfe..ce03eeb 100644
|
||||||
if len(u.SSHPublicKeys) > 0 {
|
if len(u.SSHPublicKeys) > 0 {
|
||||||
obj.Attributes["sshPublicKey"] = u.SSHPublicKeys
|
obj.Attributes["sshPublicKey"] = u.SSHPublicKeys
|
||||||
}
|
}
|
||||||
diff --git a/internal/frontend/users.go b/internal/frontend/users.go
|
|
||||||
index 225c5b3..1a961ca 100644
|
|
||||||
--- a/internal/frontend/users.go
|
|
||||||
+++ b/internal/frontend/users.go
|
|
||||||
@@ -168,7 +168,6 @@ func buildUserMasterdataFieldset(e core.Engine, u *core.User, state *h.FormState
|
|
||||||
Name: "given_name",
|
|
||||||
Label: "Given name",
|
|
||||||
Rules: []h.ValidationRule{
|
|
||||||
- core.MustNotBeEmpty,
|
|
||||||
core.MustNotHaveSurroundingSpaces,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
let
|
let
|
||||||
domain = "auth.${config.networking.domain}";
|
domain = "auth.${config.networking.domain}";
|
||||||
seed = {
|
seedSettings = {
|
||||||
groups = [
|
groups = [
|
||||||
{
|
{
|
||||||
name = "admins";
|
name = "admins";
|
||||||
|
@ -46,11 +46,6 @@ in
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
"portunus/admin-password".owner = config.services.portunus.user;
|
"portunus/admin-password".owner = config.services.portunus.user;
|
||||||
"portunus/search-password".owner = config.services.portunus.user;
|
"portunus/search-password".owner = config.services.portunus.user;
|
||||||
"dex/environment".owner = config.systemd.services.dex.serviceConfig.User;
|
|
||||||
nslcd_ldap_search = {
|
|
||||||
key = "portunus/search-password";
|
|
||||||
owner = config.systemd.services.nslcd.serviceConfig.User;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.portunus = {
|
services.portunus = {
|
||||||
|
@ -62,13 +57,11 @@ in
|
||||||
./0003-gecos-ascii-escape.patch
|
./0003-gecos-ascii-escape.patch
|
||||||
./0004-make-givenName-optional.patch
|
./0004-make-givenName-optional.patch
|
||||||
];
|
];
|
||||||
|
doCheck = false; # posix regex related tests break
|
||||||
});
|
});
|
||||||
|
|
||||||
inherit domain;
|
inherit domain seedSettings;
|
||||||
port = 8681;
|
port = 8681;
|
||||||
dex.enable = true;
|
|
||||||
seedPath = pkgs.writeText "portunus-seed.json" (builtins.toJSON seed);
|
|
||||||
|
|
||||||
ldap = {
|
ldap = {
|
||||||
suffix = "dc=ifsr,dc=de";
|
suffix = "dc=ifsr,dc=de";
|
||||||
searchUserName = "search";
|
searchUserName = "search";
|
||||||
|
@ -79,47 +72,19 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.dex.settings.oauth2.skipApprovalScreen = true;
|
|
||||||
|
|
||||||
systemd.services.dex.serviceConfig = {
|
|
||||||
DynamicUser = lib.mkForce false;
|
|
||||||
EnvironmentFile = config.sops.secrets."dex/environment".path;
|
|
||||||
StateDirectory = "dex";
|
|
||||||
User = "dex";
|
|
||||||
};
|
|
||||||
|
|
||||||
users = {
|
|
||||||
users.dex = {
|
|
||||||
group = "dex";
|
|
||||||
isSystemUser = true;
|
|
||||||
};
|
|
||||||
groups.dex = { };
|
|
||||||
|
|
||||||
ldap =
|
|
||||||
let portunus = config.services.portunus; in
|
|
||||||
rec {
|
|
||||||
enable = true;
|
|
||||||
server = "ldap://localhost";
|
|
||||||
base = "${portunus.ldap.suffix}";
|
|
||||||
bind = {
|
|
||||||
distinguishedName = "uid=${portunus.ldap.searchUserName},ou=users,${base}";
|
|
||||||
passwordFile = config.sops.secrets.nslcd_ldap_search.path;
|
|
||||||
};
|
|
||||||
daemon.enable = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
security.pam.services.sshd.makeHomeDir = true;
|
security.pam.services.sshd.makeHomeDir = true;
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts."${config.services.portunus.domain}" = {
|
virtualHosts."${config.services.portunus.domain}" = {
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
locations = {
|
locations = {
|
||||||
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
|
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
|
||||||
"/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
networking.firewall = {
|
||||||
|
extraInputRules = ''
|
||||||
|
ip saddr { 141.30.86.192/26, 141.76.100.128/25, 141.30.30.169, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
|
||||||
|
'';
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,298 +1,17 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, ... }:
|
||||||
let
|
let
|
||||||
hostname = "mail.${config.networking.domain}";
|
hostname = "mail.${config.networking.domain}";
|
||||||
domain = config.networking.domain;
|
|
||||||
rspamd-domain = "rspamd.${config.networking.domain}";
|
|
||||||
dovecot-ldap-args = pkgs.writeText "ldap-args" ''
|
|
||||||
uris = ldap://localhost
|
|
||||||
dn = uid=search, ou=users, dc=ifsr, dc=de
|
|
||||||
auth_bind = yes
|
|
||||||
!include ${config.sops.secrets."dovecot_ldap_search".path}
|
|
||||||
|
|
||||||
ldap_version = 3
|
|
||||||
scope = subtree
|
|
||||||
base = dc=ifsr, dc=de
|
|
||||||
user_filter = (&(objectClass=posixAccount)(uid=%n))
|
|
||||||
pass_filter = (&(objectClass=posixAccount)(uid=%n))
|
|
||||||
'';
|
|
||||||
# see https://www.kuketz-blog.de/e-mail-anbieter-ip-stripping-aus-datenschutzgruenden/
|
|
||||||
header_cleanup = pkgs.writeText "header_cleanup_outgoing" ''
|
|
||||||
/^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 127.0.0.1 (localhost [127.0.0.1])$2
|
|
||||||
/^\s*User-Agent/ IGNORE
|
|
||||||
/^\s*X-Enigmail/ IGNORE
|
|
||||||
/^\s*X-Mailer/ IGNORE
|
|
||||||
/^\s*X-Originating-IP/ IGNORE
|
|
||||||
/^\s*Mime-Version/ IGNORE
|
|
||||||
'';
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sops.secrets."rspamd-password".owner = config.users.users.rspamd.name;
|
imports = [
|
||||||
sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
|
./postfix.nix
|
||||||
sops.secrets."postfix_ldap_aliases".owner = config.services.postfix.user;
|
./dovecot2.nix
|
||||||
|
./rspamd.nix
|
||||||
networking.firewall.allowedTCPPorts = [
|
./sogo.nix
|
||||||
25 # insecure SMTP
|
./mailman.nix
|
||||||
143
|
|
||||||
465
|
|
||||||
587 # SMTP
|
|
||||||
993 # IMAP
|
|
||||||
4190 # sieve
|
|
||||||
];
|
];
|
||||||
users.users.postfix.extraGroups = [ "opendkim" ];
|
|
||||||
environment.etc = {
|
|
||||||
"dovecot/sieve-pipe/sa-learn-spam.sh" = {
|
|
||||||
text = ''
|
|
||||||
#!/bin/sh
|
|
||||||
${pkgs.rspamd}/bin/rspamc learn_spam
|
|
||||||
'';
|
|
||||||
mode = "0555";
|
|
||||||
};
|
|
||||||
"dovecot/sieve-pipe/sa-learn-ham.sh" = {
|
|
||||||
text = ''
|
|
||||||
#!/bin/sh
|
|
||||||
${pkgs.rspamd}/bin/rspamc learn_ham
|
|
||||||
'';
|
|
||||||
mode = "0555";
|
|
||||||
};
|
|
||||||
"dovecot/sieve/report-spam.sieve" = {
|
|
||||||
source = ./report-spam.sieve;
|
|
||||||
user = "dovecot2";
|
|
||||||
group = "dovecot2";
|
|
||||||
mode = "0544";
|
|
||||||
};
|
|
||||||
"dovecot/sieve/report-ham.sieve" = {
|
|
||||||
source = ./report-ham.sieve;
|
|
||||||
user = "dovecot2";
|
|
||||||
group = "dovecot2";
|
|
||||||
mode = "0544";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services = {
|
security.acme.certs."${hostname}" = {
|
||||||
postfix = {
|
|
||||||
enable = true;
|
|
||||||
enableSubmission = true;
|
|
||||||
enableSubmissions = true;
|
|
||||||
hostname = "${hostname}";
|
|
||||||
domain = "${domain}";
|
|
||||||
origin = "${domain}";
|
|
||||||
destination = [ "${hostname}" "${domain}" "localhost" ];
|
|
||||||
networksStyle = "host"; # localhost and own public IP
|
|
||||||
sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
|
|
||||||
sslKey = "/var/lib/acme/${hostname}/key.pem";
|
|
||||||
relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
|
|
||||||
config = {
|
|
||||||
home_mailbox = "Maildir/";
|
|
||||||
# hostname used in helo command. It is recommended to have this match the reverse dns entry
|
|
||||||
smtp_helo_name = config.networking.rDNS;
|
|
||||||
smtp_use_tls = true;
|
|
||||||
# smtp_tls_security_level = "encrypt";
|
|
||||||
smtpd_use_tls = true;
|
|
||||||
# smtpd_tls_security_level = lib.mkForce "encrypt";
|
|
||||||
# smtpd_tls_auth_only = true;
|
|
||||||
smtpd_tls_protocols = [
|
|
||||||
"!SSLv2"
|
|
||||||
"!SSLv3"
|
|
||||||
"!TLSv1"
|
|
||||||
"!TLSv1.1"
|
|
||||||
];
|
|
||||||
# "reject_non_fqdn_hostname"
|
|
||||||
smtpd_recipient_restrictions = [
|
|
||||||
"permit_sasl_authenticated"
|
|
||||||
"permit_mynetworks"
|
|
||||||
"reject_unauth_destination"
|
|
||||||
"reject_non_fqdn_sender"
|
|
||||||
"reject_non_fqdn_recipient"
|
|
||||||
"reject_unknown_sender_domain"
|
|
||||||
"reject_unknown_recipient_domain"
|
|
||||||
"reject_unauth_destination"
|
|
||||||
"reject_unauth_pipelining"
|
|
||||||
"reject_invalid_hostname"
|
|
||||||
"check_policy_service inet:localhost:12340"
|
|
||||||
];
|
|
||||||
smtpd_relay_restrictions = [
|
|
||||||
"permit_sasl_authenticated"
|
|
||||||
"permit_mynetworks"
|
|
||||||
"reject_unauth_destination"
|
|
||||||
];
|
|
||||||
smtp_header_checks = "pcre:${header_cleanup}";
|
|
||||||
# smtpd_sender_login_maps = [ "ldap:${ldap-senders}" ];
|
|
||||||
alias_maps = [ "hash:/etc/aliases" ];
|
|
||||||
alias_database = [ "hash:/etc/aliases" ];
|
|
||||||
# alias_maps = [ "hash:/etc/aliases" "ldap:${ldap-aliases}" ];
|
|
||||||
smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
|
|
||||||
non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
|
|
||||||
smtpd_sasl_auth_enable = true;
|
|
||||||
smtpd_sasl_path = "/var/lib/postfix/auth";
|
|
||||||
smtpd_sasl_type = "dovecot";
|
|
||||||
#mailman stuff
|
|
||||||
mailbox_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
|
|
||||||
|
|
||||||
transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
|
||||||
virtual_alias_maps = [ "hash:/var/lib/mailman/data/postfix_vmap" ];
|
|
||||||
local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" "ldap:${config.sops.secrets."postfix_ldap_aliases".path}" "$alias_maps" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
dovecot2 = {
|
|
||||||
enable = true;
|
|
||||||
enableImap = true;
|
|
||||||
enableQuota = true;
|
|
||||||
quotaGlobalPerUser = "10G";
|
|
||||||
enableLmtp = true;
|
|
||||||
mailLocation = "maildir:~/Maildir";
|
|
||||||
sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
|
|
||||||
sslServerKey = "/var/lib/acme/${hostname}/key.pem";
|
|
||||||
protocols = [ "imap" "sieve" ];
|
|
||||||
mailPlugins = {
|
|
||||||
perProtocol = {
|
|
||||||
imap = {
|
|
||||||
enable = [ "imap_sieve" ];
|
|
||||||
};
|
|
||||||
lmtp = {
|
|
||||||
enable = [ "sieve" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
mailboxes = {
|
|
||||||
Spam = {
|
|
||||||
auto = "subscribe";
|
|
||||||
specialUse = "Junk";
|
|
||||||
autoexpunge = "60d";
|
|
||||||
};
|
|
||||||
Sent = {
|
|
||||||
auto = "subscribe";
|
|
||||||
specialUse = "Sent";
|
|
||||||
};
|
|
||||||
Drafts = {
|
|
||||||
auto = "subscribe";
|
|
||||||
specialUse = "Drafts";
|
|
||||||
};
|
|
||||||
Trash = {
|
|
||||||
auto = "subscribe";
|
|
||||||
specialUse = "Trash";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
modules = [
|
|
||||||
pkgs.dovecot_pigeonhole
|
|
||||||
];
|
|
||||||
extraConfig = ''
|
|
||||||
auth_username_format = %Ln
|
|
||||||
passdb {
|
|
||||||
driver = ldap
|
|
||||||
args = ${dovecot-ldap-args}
|
|
||||||
}
|
|
||||||
userdb {
|
|
||||||
driver = ldap
|
|
||||||
args = ${dovecot-ldap-args}
|
|
||||||
}
|
|
||||||
service auth {
|
|
||||||
unix_listener /var/lib/postfix/auth {
|
|
||||||
group = postfix
|
|
||||||
mode = 0660
|
|
||||||
user = postfix
|
|
||||||
}
|
|
||||||
}
|
|
||||||
service managesieve-login {
|
|
||||||
inet_listener sieve {
|
|
||||||
port = 4190
|
|
||||||
}
|
|
||||||
service_count = 1
|
|
||||||
}
|
|
||||||
|
|
||||||
namespace inbox {
|
|
||||||
separator = /
|
|
||||||
inbox = yes
|
|
||||||
}
|
|
||||||
|
|
||||||
service lmtp {
|
|
||||||
unix_listener dovecot-lmtp {
|
|
||||||
group = postfix
|
|
||||||
mode = 0600
|
|
||||||
user = postfix
|
|
||||||
}
|
|
||||||
client_limit = 1
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
mail_plugins = $mail_plugins listescape
|
|
||||||
plugin {
|
|
||||||
sieve_plugins = sieve_imapsieve sieve_extprograms
|
|
||||||
sieve_global_extensions = +vnd.dovecot.pipe
|
|
||||||
sieve_pipe_bin_dir = /etc/dovecot/sieve-pipe
|
|
||||||
|
|
||||||
# Spam: From elsewhere to Spam folder or flag changed in Spam folder
|
|
||||||
imapsieve_mailbox1_name = Spam
|
|
||||||
imapsieve_mailbox1_causes = COPY APPEND FLAG
|
|
||||||
imapsieve_mailbox1_before = file:/etc/dovecot/sieve/report-spam.sieve
|
|
||||||
|
|
||||||
# Ham: From Spam folder to elsewhere
|
|
||||||
imapsieve_mailbox2_name = *
|
|
||||||
imapsieve_mailbox2_from = Spam
|
|
||||||
imapsieve_mailbox2_causes = COPY
|
|
||||||
imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve
|
|
||||||
|
|
||||||
# https://doc.dovecot.org/configuration_manual/plugins/listescape_plugin/
|
|
||||||
listescape_char = "\\"
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
opendkim = {
|
|
||||||
enable = true;
|
|
||||||
domains = "csl:${config.networking.domain}";
|
|
||||||
selector = config.networking.hostName;
|
|
||||||
configFile = pkgs.writeText "opendkim-config" ''
|
|
||||||
UMask 0117
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
rspamd = {
|
|
||||||
enable = true;
|
|
||||||
postfix.enable = true;
|
|
||||||
locals = {
|
|
||||||
"worker-controller.inc".source = config.sops.secrets."rspamd-password".path;
|
|
||||||
"redis.conf".text = ''
|
|
||||||
read_servers = "127.0.0.1";
|
|
||||||
write_servers = "127.0.0.1";
|
|
||||||
'';
|
|
||||||
# headers in spamassasin style to not break old sieve scripts
|
|
||||||
"worker-proxy.inc".text = ''
|
|
||||||
spam_header = "X-Spam-Flag";
|
|
||||||
'';
|
|
||||||
"milter_headers.conf".text = ''
|
|
||||||
use = ["x-spam-level", "x-spam-status"];
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
redis = {
|
|
||||||
vmOverCommit = true;
|
|
||||||
servers.rspamd = {
|
|
||||||
enable = true;
|
|
||||||
port = 6379;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
nginx = {
|
|
||||||
enable = true;
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedOptimisation = true;
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
|
|
||||||
virtualHosts."${hostname}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
};
|
|
||||||
virtualHosts."${rspamd-domain}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
locations = {
|
|
||||||
"/" = {
|
|
||||||
proxyPass = "http://127.0.0.1:11334";
|
|
||||||
proxyWebsockets = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
security.acme.certs."${domain}" = {
|
|
||||||
reloadServices = [
|
reloadServices = [
|
||||||
"postfix.service"
|
"postfix.service"
|
||||||
"dovecot2.service"
|
"dovecot2.service"
|
||||||
|
|
158
modules/mail/dovecot2.nix
Normal file
158
modules/mail/dovecot2.nix
Normal file
|
@ -0,0 +1,158 @@
|
||||||
|
{ lib, config, pkgs, ... }:
|
||||||
|
let
|
||||||
|
hostname = "mail.${config.networking.domain}";
|
||||||
|
dovecot-ldap-args = pkgs.writeText "ldap-args" ''
|
||||||
|
uris = ldap://localhost
|
||||||
|
dn = uid=search, ou=users, dc=ifsr, dc=de
|
||||||
|
auth_bind = yes
|
||||||
|
!include ${config.sops.secrets."dovecot_ldap_search".path}
|
||||||
|
|
||||||
|
ldap_version = 3
|
||||||
|
scope = subtree
|
||||||
|
base = dc=ifsr, dc=de
|
||||||
|
user_filter = (&(objectClass=posixAccount)(uid=%n))
|
||||||
|
pass_filter = (&(objectClass=posixAccount)(uid=%n))
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
{
|
||||||
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
993 # IMAPS
|
||||||
|
4190 # Managesieve
|
||||||
|
];
|
||||||
|
sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
|
||||||
|
services.dovecot2 = {
|
||||||
|
enable = true;
|
||||||
|
enableImap = true;
|
||||||
|
enableQuota = true;
|
||||||
|
quotaGlobalPerUser = "10G";
|
||||||
|
enableLmtp = true;
|
||||||
|
enablePAM = false;
|
||||||
|
mailLocation = "maildir:~/Maildir";
|
||||||
|
sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
|
||||||
|
sslServerKey = "/var/lib/acme/${hostname}/key.pem";
|
||||||
|
protocols = [ "imap" "sieve" ];
|
||||||
|
mailPlugins = {
|
||||||
|
globally.enable = [ "listescape" ];
|
||||||
|
perProtocol = {
|
||||||
|
imap = {
|
||||||
|
enable = [ "imap_sieve" "imap_filter_sieve" ];
|
||||||
|
};
|
||||||
|
lmtp = {
|
||||||
|
enable = [ "sieve" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
mailboxes = {
|
||||||
|
Spam = {
|
||||||
|
auto = "subscribe";
|
||||||
|
specialUse = "Junk";
|
||||||
|
autoexpunge = "60d";
|
||||||
|
};
|
||||||
|
Sent = {
|
||||||
|
auto = "subscribe";
|
||||||
|
specialUse = "Sent";
|
||||||
|
};
|
||||||
|
Drafts = {
|
||||||
|
auto = "subscribe";
|
||||||
|
specialUse = "Drafts";
|
||||||
|
};
|
||||||
|
Trash = {
|
||||||
|
auto = "subscribe";
|
||||||
|
specialUse = "Trash";
|
||||||
|
};
|
||||||
|
Archive = {
|
||||||
|
auto = "no";
|
||||||
|
specialUse = "Archive";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
modules = [
|
||||||
|
pkgs.dovecot_pigeonhole
|
||||||
|
];
|
||||||
|
# set to satisfy the sieveScripts check, will be overridden by userdb lookups anyways
|
||||||
|
mailUser = "vmail";
|
||||||
|
mailGroup = "vmail";
|
||||||
|
sieve = {
|
||||||
|
# just pot something in here to prevent empty strings
|
||||||
|
extensions = [ "notify" ];
|
||||||
|
pipeBins = map lib.getExe [
|
||||||
|
(pkgs.writeShellScriptBin "learn-ham.sh" "exec ${pkgs.rspamd}/bin/rspamc learn_ham")
|
||||||
|
(pkgs.writeShellScriptBin "learn-spam.sh" "exec ${pkgs.rspamd}/bin/rspamc learn_spam")
|
||||||
|
];
|
||||||
|
plugins = [
|
||||||
|
"sieve_imapsieve"
|
||||||
|
"sieve_extprograms"
|
||||||
|
];
|
||||||
|
scripts = {
|
||||||
|
before = pkgs.writeText "spam.sieve" ''
|
||||||
|
require "fileinto";
|
||||||
|
|
||||||
|
if anyof(
|
||||||
|
header :contains "x-spam-flag" "yes",
|
||||||
|
header :contains "X-Spam-Status" "Yes"){
|
||||||
|
fileinto "Spam";
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
imapsieve.mailbox = [
|
||||||
|
{
|
||||||
|
# Spam: From elsewhere to Spam folder or flag changed in Spam folder
|
||||||
|
name = "Spam";
|
||||||
|
causes = [ "COPY" "APPEND" "FLAG" ];
|
||||||
|
before = ./report-spam.sieve;
|
||||||
|
|
||||||
|
}
|
||||||
|
{
|
||||||
|
# From Junk folder to elsewhere
|
||||||
|
name = "*";
|
||||||
|
from = "Spam";
|
||||||
|
causes = [ "COPY" ];
|
||||||
|
before = ./report-ham.sieve;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
extraConfig = ''
|
||||||
|
auth_username_format = %Ln
|
||||||
|
passdb {
|
||||||
|
driver = ldap
|
||||||
|
args = ${dovecot-ldap-args}
|
||||||
|
}
|
||||||
|
userdb {
|
||||||
|
driver = ldap
|
||||||
|
args = ${dovecot-ldap-args}
|
||||||
|
}
|
||||||
|
service auth {
|
||||||
|
unix_listener /var/lib/postfix/auth {
|
||||||
|
group = postfix
|
||||||
|
mode = 0660
|
||||||
|
user = postfix
|
||||||
|
}
|
||||||
|
}
|
||||||
|
service managesieve-login {
|
||||||
|
inet_listener sieve {
|
||||||
|
port = 4190
|
||||||
|
}
|
||||||
|
service_count = 1
|
||||||
|
}
|
||||||
|
|
||||||
|
namespace inbox {
|
||||||
|
separator = /
|
||||||
|
inbox = yes
|
||||||
|
}
|
||||||
|
|
||||||
|
service lmtp {
|
||||||
|
unix_listener dovecot-lmtp {
|
||||||
|
group = postfix
|
||||||
|
mode = 0600
|
||||||
|
user = postfix
|
||||||
|
}
|
||||||
|
client_limit = 1
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
plugin {
|
||||||
|
# https://doc.dovecot.org/configuration_manual/plugins/listescape_plugin/
|
||||||
|
listescape_char = "\\"
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
|
@ -20,8 +20,10 @@
|
||||||
webSettings = {
|
webSettings = {
|
||||||
DATABASES.default = {
|
DATABASES.default = {
|
||||||
ENGINE = "django.db.backends.postgresql";
|
ENGINE = "django.db.backends.postgresql";
|
||||||
NAME = "mailmanweb";
|
NAME = "mailman-web";
|
||||||
};
|
};
|
||||||
|
ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = false;
|
||||||
|
ACCOUNT_PREVENT_ENUMERATION = false;
|
||||||
};
|
};
|
||||||
ldap = {
|
ldap = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -40,26 +42,43 @@
|
||||||
superUserGroup = "cn=admins,ou=groups,dc=ifsr,dc=de";
|
superUserGroup = "cn=admins,ou=groups,dc=ifsr,dc=de";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
services.postfix = {
|
||||||
|
relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
|
||||||
|
config = {
|
||||||
|
mailbox_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp";
|
||||||
|
transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
||||||
|
virtual_alias_maps = [ "hash:/var/lib/mailman/data/postfix_vmap" ];
|
||||||
|
local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
services.postgresql = {
|
services.postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ensureUsers = [
|
ensureUsers = [
|
||||||
{
|
{
|
||||||
name = "mailman";
|
name = "mailman";
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE mailman" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
name = "mailman-web";
|
name = "mailman-web";
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE mailmanweb" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
ensureDatabases = [ "mailman" "mailmanweb" ];
|
ensureDatabases = [ "mailman" "mailman-web" ];
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."lists.${config.networking.domain}" = {
|
services.nginx.virtualHosts."lists.${config.networking.domain}" = {
|
||||||
enableACME = true;
|
locations."/accounts/signup" = {
|
||||||
forceSSL = true;
|
extraConfig = ''
|
||||||
|
allow 141.30.0.0/16;
|
||||||
|
allow 141.76.0.0/16;
|
||||||
|
deny all;
|
||||||
|
uwsgi_pass unix:/run/mailman-web.socket;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
locations."/robots.txt" = {
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Content-Type text/plain;
|
||||||
|
return 200 "User-agent: *\nDisallow: /\n";
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
98
modules/mail/postfix.nix
Normal file
98
modules/mail/postfix.nix
Normal file
|
@ -0,0 +1,98 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
let
|
||||||
|
domain = config.networking.domain;
|
||||||
|
hostname = "mail.${config.networking.domain}";
|
||||||
|
# see https://www.kuketz-blog.de/e-mail-anbieter-ip-stripping-aus-datenschutzgruenden/
|
||||||
|
header_cleanup = pkgs.writeText "header_cleanup_outgoing" ''
|
||||||
|
/^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 127.0.0.1 (localhost [127.0.0.1])$2
|
||||||
|
/^\s*User-Agent/ IGNORE
|
||||||
|
/^\s*X-Enigmail/ IGNORE
|
||||||
|
/^\s*X-Mailer/ IGNORE
|
||||||
|
/^\s*X-Originating-IP/ IGNORE
|
||||||
|
/^\s*Mime-Version/ IGNORE
|
||||||
|
'';
|
||||||
|
# https://unix.stackexchange.com/questions/294300/postfix-prevent-users-from-changing-the-real-e-mail-address
|
||||||
|
login_maps = pkgs.writeText "login_maps.pcre" ''
|
||||||
|
# basic username => username@ifsr.de
|
||||||
|
/^([^@+]*)(\+[^@]*)?@ifsr\.de$/ ''${1}
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
{
|
||||||
|
sops.secrets."postfix_ldap_aliases".owner = config.services.postfix.user;
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
25 # SMTP
|
||||||
|
465 # Submissions
|
||||||
|
587 # Submission
|
||||||
|
];
|
||||||
|
services = {
|
||||||
|
postfix = {
|
||||||
|
enable = true;
|
||||||
|
enableSubmission = true;
|
||||||
|
enableSubmissions = true;
|
||||||
|
hostname = "${hostname}";
|
||||||
|
domain = "${domain}";
|
||||||
|
origin = "${domain}";
|
||||||
|
destination = [ "${hostname}" "${domain}" "localhost" ];
|
||||||
|
networksStyle = "host"; # localhost and own public IP
|
||||||
|
sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
|
||||||
|
sslKey = "/var/lib/acme/${hostname}/key.pem";
|
||||||
|
config = {
|
||||||
|
home_mailbox = "Maildir/";
|
||||||
|
# 25 MiB
|
||||||
|
message_size_limit = "26214400";
|
||||||
|
# hostname used in helo command. It is recommended to have this match the reverse dns entry
|
||||||
|
smtp_helo_name = config.networking.rDNS;
|
||||||
|
smtpd_banner = "${config.networking.rDNS} ESMTP $mail_name";
|
||||||
|
smtp_tls_security_level = "may";
|
||||||
|
smtpd_tls_security_level = "may";
|
||||||
|
smtpd_tls_auth_only = true;
|
||||||
|
smtpd_tls_protocols = [
|
||||||
|
"!SSLv2"
|
||||||
|
"!SSLv3"
|
||||||
|
"!TLSv1"
|
||||||
|
"!TLSv1.1"
|
||||||
|
];
|
||||||
|
# "reject_non_fqdn_hostname"
|
||||||
|
smtpd_recipient_restrictions = [
|
||||||
|
"permit_sasl_authenticated"
|
||||||
|
"permit_mynetworks"
|
||||||
|
"reject_unauth_destination"
|
||||||
|
"reject_non_fqdn_sender"
|
||||||
|
"reject_non_fqdn_recipient"
|
||||||
|
"reject_unknown_sender_domain"
|
||||||
|
"reject_unknown_recipient_domain"
|
||||||
|
"reject_unauth_destination"
|
||||||
|
"reject_unauth_pipelining"
|
||||||
|
"reject_invalid_hostname"
|
||||||
|
"check_policy_service inet:localhost:12340"
|
||||||
|
];
|
||||||
|
smtpd_relay_restrictions = [
|
||||||
|
"permit_sasl_authenticated"
|
||||||
|
"permit_mynetworks"
|
||||||
|
"reject_unauth_destination"
|
||||||
|
];
|
||||||
|
# https://www.postfix.org/smtp-smuggling.html
|
||||||
|
smtpd_data_restrictions = [
|
||||||
|
"reject_unauth_pipelining"
|
||||||
|
];
|
||||||
|
smtpd_sender_restrictions = [
|
||||||
|
"reject_authenticated_sender_login_mismatch"
|
||||||
|
];
|
||||||
|
smtpd_sender_login_maps = [
|
||||||
|
"pcre:/etc/special-aliases.pcre"
|
||||||
|
"pcre:${login_maps}"
|
||||||
|
];
|
||||||
|
smtp_header_checks = "pcre:${header_cleanup}";
|
||||||
|
# smtpd_sender_login_maps = [ "ldap:${ldap-senders}" ];
|
||||||
|
alias_maps = [ "hash:/etc/aliases" ];
|
||||||
|
alias_database = [ "hash:/etc/aliases" ];
|
||||||
|
# alias_maps = [ "hash:/etc/aliases" "ldap:${ldap-aliases}" ];
|
||||||
|
smtpd_sasl_auth_enable = true;
|
||||||
|
smtpd_sasl_path = "/var/lib/postfix/auth";
|
||||||
|
smtpd_sasl_type = "dovecot";
|
||||||
|
local_recipient_maps = [ "ldap:${config.sops.secrets."postfix_ldap_aliases".path}" "$alias_maps" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -12,4 +12,4 @@ if environment :matches "imap.user" "*" {
|
||||||
set "username" "${1}";
|
set "username" "${1}";
|
||||||
}
|
}
|
||||||
|
|
||||||
pipe :copy "sa-learn-ham.sh" [ "${username}" ];
|
pipe :copy "learn-ham.sh" [ "${username}" ];
|
||||||
|
|
|
@ -4,4 +4,4 @@ if environment :matches "imap.user" "*" {
|
||||||
set "username" "${1}";
|
set "username" "${1}";
|
||||||
}
|
}
|
||||||
|
|
||||||
pipe :copy "sa-learn-spam.sh" [ "${username}" ];
|
pipe :copy "learn-spam.sh" [ "${username}" ];
|
||||||
|
|
218
modules/mail/rspamd.nix
Normal file
218
modules/mail/rspamd.nix
Normal file
|
@ -0,0 +1,218 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
let
|
||||||
|
domain = "rspamd.${config.networking.domain}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
sops.secrets."rspamd-password".owner = config.users.users.rspamd.name;
|
||||||
|
users.users.rspamd.extraGroups = [ "redis-rspamd" ];
|
||||||
|
services = {
|
||||||
|
rspamd = {
|
||||||
|
enable = true;
|
||||||
|
postfix.enable = true;
|
||||||
|
locals = {
|
||||||
|
"worker-controller.inc".source = config.sops.secrets."rspamd-password".path;
|
||||||
|
"redis.conf".text = ''
|
||||||
|
read_servers = "/run/redis-rspamd/redis.sock";
|
||||||
|
write_servers = "/run/redis-rspamd/redis.sock";
|
||||||
|
'';
|
||||||
|
# headers in spamassasin style to not break old sieve scripts
|
||||||
|
"worker-proxy.inc".text = ''
|
||||||
|
spam_header = "X-Spam-Flag";
|
||||||
|
'';
|
||||||
|
"milter_headers.conf".text = ''
|
||||||
|
use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
|
||||||
|
'';
|
||||||
|
"neural.conf".text = ''
|
||||||
|
servers = "/run/redis-rspamd/redis.sock";
|
||||||
|
enabled = true;
|
||||||
|
'';
|
||||||
|
"neural_group.conf".text = ''
|
||||||
|
symbols = {
|
||||||
|
"NEURAL_SPAM" {
|
||||||
|
weight = 0.5; # fairly low weight since we don't know how this will behave
|
||||||
|
description = "Neural network spam";
|
||||||
|
}
|
||||||
|
"NEURAL_HAM" {
|
||||||
|
weight = -0.5;
|
||||||
|
description = "Neural network ham";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
"dmarc.conf".text = ''
|
||||||
|
reporting {
|
||||||
|
enabled = true;
|
||||||
|
email = 'noreply-dmarc@${config.networking.domain}';
|
||||||
|
domain = '${config.networking.domain}';
|
||||||
|
org_name = '${config.networking.domain}';
|
||||||
|
from_name = 'DMARC Aggregate Report';
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
"dkim_signing.conf".text = ''
|
||||||
|
selector = "quitte2024";
|
||||||
|
allow_username_mismatch = true;
|
||||||
|
allow_hdrfrom_mismatch = true;
|
||||||
|
use_domain_sign_local = "ifsr.de";
|
||||||
|
path = /var/lib/rspamd/dkim/$domain.$selector.key;
|
||||||
|
|
||||||
|
'';
|
||||||
|
"reputation.conf".text = ''
|
||||||
|
rules {
|
||||||
|
ip_reputation = {
|
||||||
|
selector "ip" {
|
||||||
|
}
|
||||||
|
backend "redis" {
|
||||||
|
servers = "/run/redis-rspamd/redis.sock";
|
||||||
|
}
|
||||||
|
|
||||||
|
symbol = "IP_REPUTATION";
|
||||||
|
}
|
||||||
|
spf_reputation = {
|
||||||
|
selector "spf" {
|
||||||
|
}
|
||||||
|
backend "redis" {
|
||||||
|
servers = "/run/redis-rspamd/redis.sock";
|
||||||
|
}
|
||||||
|
|
||||||
|
symbol = "SPF_REPUTATION";
|
||||||
|
}
|
||||||
|
dkim_reputation = {
|
||||||
|
selector "dkim" {
|
||||||
|
}
|
||||||
|
backend "redis" {
|
||||||
|
servers = "/run/redis-rspamd/redis.sock";
|
||||||
|
}
|
||||||
|
|
||||||
|
symbol = "DKIM_REPUTATION"; # Also adjusts scores for DKIM_ALLOW, DKIM_REJECT
|
||||||
|
}
|
||||||
|
generic_reputation = {
|
||||||
|
selector "generic" {
|
||||||
|
selector = "ip"; # see https://rspamd.com/doc/configuration/selectors.html
|
||||||
|
}
|
||||||
|
backend "redis" {
|
||||||
|
servers = "/run/redis-rspamd/redis.sock";
|
||||||
|
}
|
||||||
|
|
||||||
|
symbol = "GENERIC_REPUTATION";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
"groups.conf".text = ''
|
||||||
|
group "reputation" {
|
||||||
|
symbols = {
|
||||||
|
"IP_REPUTATION_HAM" {
|
||||||
|
weight = 1.0;
|
||||||
|
}
|
||||||
|
"IP_REPUTATION_SPAM" {
|
||||||
|
weight = 4.0;
|
||||||
|
}
|
||||||
|
|
||||||
|
"DKIM_REPUTATION" {
|
||||||
|
weight = 1.0;
|
||||||
|
}
|
||||||
|
|
||||||
|
"SPF_REPUTATION_HAM" {
|
||||||
|
weight = 1.0;
|
||||||
|
}
|
||||||
|
"SPF_REPUTATION_SPAM" {
|
||||||
|
weight = 2.0;
|
||||||
|
}
|
||||||
|
|
||||||
|
"GENERIC_REPUTATION" {
|
||||||
|
weight = 1.0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
|
||||||
|
"multimap.conf".text =
|
||||||
|
let
|
||||||
|
local_ips = pkgs.writeText "localhost.map" ''
|
||||||
|
::1
|
||||||
|
127.0.0.1
|
||||||
|
'';
|
||||||
|
tud_ips = pkgs.writeText "tud.map" ''
|
||||||
|
141.30.0.0/16
|
||||||
|
141.76.0.0/16
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
''
|
||||||
|
WHITELIST_SENDER_DOMAIN {
|
||||||
|
type = "from";
|
||||||
|
filter = "email:domain";
|
||||||
|
map = "/var/lib/rspamd/whitelist.sender.domain.map";
|
||||||
|
action = "accept";
|
||||||
|
regexp = true;
|
||||||
|
}
|
||||||
|
WHITELIST_SENDER_EMAIL {
|
||||||
|
type = "from";
|
||||||
|
map = "/var/lib/rspamd/whitelist.sender.email.map";
|
||||||
|
action = "accept";
|
||||||
|
regexp = true;
|
||||||
|
}
|
||||||
|
BLACKLIST_SENDER_DOMAIN {
|
||||||
|
type = "from";
|
||||||
|
filter = "email:domain";
|
||||||
|
map = "/var/lib/rspamd/blacklist.sender.domain.map";
|
||||||
|
action = "reject";
|
||||||
|
regexp = true;
|
||||||
|
}
|
||||||
|
BLACKLIST_SENDER_EMAIL {
|
||||||
|
type = "from";
|
||||||
|
map = "/var/lib/rspamd/blacklist.sender.email.map";
|
||||||
|
action = "reject";
|
||||||
|
regexp = true;
|
||||||
|
}
|
||||||
|
BLACKLIST_SUBJECT_KEYWORDS {
|
||||||
|
type = "header";
|
||||||
|
header = "Subject"
|
||||||
|
map = "/var/lib/rspamd/blacklist.keyword.subject.map";
|
||||||
|
action = "reject";
|
||||||
|
regexp = true;
|
||||||
|
}
|
||||||
|
RECEIVED_LOCALHOST {
|
||||||
|
type = "ip";
|
||||||
|
action = "accept";
|
||||||
|
map = ${local_ips};
|
||||||
|
}
|
||||||
|
RECEIVED_TU_NETWORKS {
|
||||||
|
type = "ip";
|
||||||
|
map = ${tud_ips};
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
redis = {
|
||||||
|
vmOverCommit = true;
|
||||||
|
servers.rspamd = {
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
nginx = {
|
||||||
|
virtualHosts."${domain}" = {
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:11334";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
extraConfig = ''
|
||||||
|
allow 141.30.0.0/16;
|
||||||
|
allow 141.76.0.0/16;
|
||||||
|
deny all;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd = {
|
||||||
|
services.rspamd-dmarc-report = {
|
||||||
|
description = "rspamd dmarc reporter";
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
ExecStart = "${pkgs.rspamd}/bin/rspamadm dmarc_report -v";
|
||||||
|
User = "rspamd";
|
||||||
|
Group = "rspamd";
|
||||||
|
};
|
||||||
|
startAt = "daily";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -51,9 +51,7 @@ in
|
||||||
ensureUsers = [
|
ensureUsers = [
|
||||||
{
|
{
|
||||||
name = "sogo";
|
name = "sogo";
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE sogo" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
ensureDatabases = [ "sogo" ];
|
ensureDatabases = [ "sogo" ];
|
||||||
|
@ -67,11 +65,7 @@ in
|
||||||
proxy_buffers 8 64k;
|
proxy_buffers 8 64k;
|
||||||
proxy_buffer_size 64k;
|
proxy_buffer_size 64k;
|
||||||
'';
|
'';
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
locations = {
|
locations = {
|
||||||
|
|
||||||
|
|
||||||
"^~/SOGo".extraConfig = lib.mkForce ''
|
"^~/SOGo".extraConfig = lib.mkForce ''
|
||||||
proxy_pass http://127.0.0.1:20000;
|
proxy_pass http://127.0.0.1:20000;
|
||||||
proxy_redirect http://127.0.0.1:20000 default;
|
proxy_redirect http://127.0.0.1:20000 default;
|
|
@ -1,7 +1,7 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
let
|
let
|
||||||
domainServer = "matrix.staging.${config.networking.domain}";
|
domainServer = "matrix.${config.networking.domain}";
|
||||||
domainClient = "chat.staging.${config.networking.domain}";
|
domainClient = "chat.${config.networking.domain}";
|
||||||
|
|
||||||
clientConfig = {
|
clientConfig = {
|
||||||
"m.homeserver" = {
|
"m.homeserver" = {
|
||||||
|
@ -19,15 +19,17 @@ let
|
||||||
return 200 '${builtins.toJSON data}';
|
return 200 '${builtins.toJSON data}';
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# build ldap3 plugin from git because it's very outdated in nixpkgs
|
matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3;
|
||||||
matrix-synapse-ldap3 = pkgs.python3.pkgs.callPackage ../pkgs/matrix-synapse-ldap3.nix { };
|
|
||||||
# matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3;
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
imports = [ ./mautrix-telegram.nix ];
|
||||||
sops.secrets.matrix_ldap_search = {
|
sops.secrets.matrix_ldap_search = {
|
||||||
key = "portunus/search-password";
|
key = "portunus/search-password";
|
||||||
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
|
owner = config.systemd.services.matrix-synapse.serviceConfig.User;
|
||||||
};
|
};
|
||||||
|
nixpkgs.config.permittedInsecurePackages = [
|
||||||
|
"olm-3.2.16"
|
||||||
|
];
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
postgresql = {
|
postgresql = {
|
||||||
|
@ -42,9 +44,6 @@ in
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
# synapse
|
# synapse
|
||||||
"${domainServer}" = {
|
"${domainServer}" = {
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
|
|
||||||
# homeserver discovery
|
# homeserver discovery
|
||||||
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
|
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
|
||||||
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
|
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
|
||||||
|
@ -59,12 +58,12 @@ in
|
||||||
|
|
||||||
# element
|
# element
|
||||||
"${domainClient}" = {
|
"${domainClient}" = {
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
|
|
||||||
root = pkgs.element-web.override {
|
root = pkgs.element-web.override {
|
||||||
conf = {
|
conf = {
|
||||||
default_server_config = clientConfig;
|
default_server_config = {
|
||||||
|
inherit (clientConfig) "m.homeserver";
|
||||||
|
"m.identity_server".base_url = "";
|
||||||
|
};
|
||||||
disable_3pid_login = true;
|
disable_3pid_login = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -77,6 +76,10 @@ in
|
||||||
|
|
||||||
plugins = [ matrix-synapse-ldap3 ];
|
plugins = [ matrix-synapse-ldap3 ];
|
||||||
|
|
||||||
|
|
||||||
|
log = {
|
||||||
|
root.level = "WARNING";
|
||||||
|
};
|
||||||
settings = {
|
settings = {
|
||||||
server_name = domainServer;
|
server_name = domainServer;
|
||||||
|
|
|
@ -10,9 +10,7 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
ensureUsers = [{
|
ensureUsers = [{
|
||||||
name = "mautrix-telegram";
|
name = "mautrix-telegram";
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE \"mautrix-telegram\"" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
}];
|
}];
|
||||||
ensureDatabases = [ "mautrix-telegram" ];
|
ensureDatabases = [ "mautrix-telegram" ];
|
||||||
};
|
};
|
||||||
|
@ -46,12 +44,13 @@ in
|
||||||
# Use postgresql instead of sqlite
|
# Use postgresql instead of sqlite
|
||||||
database = "postgresql:///mautrix-telegram?host=/run/postgresql";
|
database = "postgresql:///mautrix-telegram?host=/run/postgresql";
|
||||||
port = 8082;
|
port = 8082;
|
||||||
address = "localhost:${toString port}";
|
address = "http://localhost:${toString port}";
|
||||||
};
|
};
|
||||||
|
|
||||||
bridge = {
|
bridge = {
|
||||||
relaybot.authless_portals = false;
|
relaybot.authless_portals = false;
|
||||||
permissions = {
|
permissions = {
|
||||||
|
# Add yourself here temporarily
|
||||||
"@admin:${homeserverDomain}" = "admin";
|
"@admin:${homeserverDomain}" = "admin";
|
||||||
};
|
};
|
||||||
relay_user_distinguishers = [ ];
|
relay_user_distinguishers = [ ];
|
52
modules/minecraft/default.nix
Normal file
52
modules/minecraft/default.nix
Normal file
|
@ -0,0 +1,52 @@
|
||||||
|
{ pkgs, config, lib, ... }:
|
||||||
|
{
|
||||||
|
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
|
||||||
|
"minecraft-server"
|
||||||
|
];
|
||||||
|
services.minecraft-servers = {
|
||||||
|
enable = true;
|
||||||
|
eula = true;
|
||||||
|
servers.ifsr = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.fabricServers.fabric-1_21;
|
||||||
|
jvmOpts = "-Xmx8192M -Xms8192M";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
services.bluemap = {
|
||||||
|
enable = true;
|
||||||
|
host = "map.mc.ifsr.de";
|
||||||
|
eula = true;
|
||||||
|
onCalendar = "hourly";
|
||||||
|
defaultWorld = "/srv/minecraft/ifsr/world";
|
||||||
|
};
|
||||||
|
services.nginx.virtualHosts."map.mc.ifsr.de".extraConfig = ''
|
||||||
|
allow 141.30.0.0/16;
|
||||||
|
allow 141.76.0.0/16;
|
||||||
|
allow 217.160.244.15/32; # jonas uptime kuma
|
||||||
|
deny all;
|
||||||
|
'';
|
||||||
|
|
||||||
|
networking.firewall = {
|
||||||
|
extraInputRules = ''
|
||||||
|
ip saddr { 141.30.0.0/16, 141.76.0.0/16, 217.160.244.15/32 } tcp dport 25565 accept comment "Allow minecraft access from TU network and jonas monitoring"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
users.users.minecraft = {
|
||||||
|
isNormalUser = true;
|
||||||
|
isSystemUser = lib.mkForce false;
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkxTuzjS3EswMfj+wSKu9ciRyStvjDlDUXzkqEUGDaP rouven@thinkpad"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOhdjiPvtAo/ZV36RjBBPSlixzeP3VN6cqa4YAmM5uXM ff00005@ff00005-laptop" # malte
|
||||||
|
];
|
||||||
|
};
|
||||||
|
security.sudo.extraRules = [
|
||||||
|
{
|
||||||
|
users = [ "minecraft" ];
|
||||||
|
commands = [
|
||||||
|
{ command = "/run/current-system/sw/bin/systemctl restart minecraft-server-ifsr"; options = [ "NOPASSWD" ]; }
|
||||||
|
{ command = "/run/current-system/sw/bin/systemctl start minecraft-server-ifsr"; options = [ "NOPASSWD" ]; }
|
||||||
|
{ command = "/run/current-system/sw/bin/systemctl stop minecraft-server-ifsr"; options = [ "NOPASSWD" ]; }
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
90
modules/monitoring/default.nix
Normal file
90
modules/monitoring/default.nix
Normal file
|
@ -0,0 +1,90 @@
|
||||||
|
{ config, ... }:
|
||||||
|
let
|
||||||
|
domain = "monitoring.${config.networking.domain}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
sops.secrets."grafana/oidc_secret" = {
|
||||||
|
owner = "grafana";
|
||||||
|
};
|
||||||
|
# grafana configuration
|
||||||
|
services.grafana = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
server = {
|
||||||
|
inherit domain;
|
||||||
|
http_addr = "127.0.0.1";
|
||||||
|
http_port = 2342;
|
||||||
|
root_url = "https://monitoring.ifsr.de";
|
||||||
|
};
|
||||||
|
database = {
|
||||||
|
type = "postgres";
|
||||||
|
user = "grafana";
|
||||||
|
host = "/run/postgresql";
|
||||||
|
};
|
||||||
|
"auth.generic_oauth" = {
|
||||||
|
enabled = true;
|
||||||
|
name = "iFSR";
|
||||||
|
allow_sign_up = true;
|
||||||
|
client_id = "grafana";
|
||||||
|
client_secret = "$__file{${config.sops.secrets."grafana/oidc_secret".path}}";
|
||||||
|
scopes = "openid email profile offline_access roles";
|
||||||
|
|
||||||
|
email_attribute_path = "email";
|
||||||
|
login_attribute_path = "username";
|
||||||
|
name_attribute_path = "full_name";
|
||||||
|
|
||||||
|
auth_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/auth";
|
||||||
|
token_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/token";
|
||||||
|
api_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/userinfo";
|
||||||
|
role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.postgresql = {
|
||||||
|
enable = true;
|
||||||
|
ensureUsers = [
|
||||||
|
{
|
||||||
|
name = "grafana";
|
||||||
|
ensureDBOwnership = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
ensureDatabases = [ "grafana" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.prometheus = {
|
||||||
|
enable = true;
|
||||||
|
port = 9001;
|
||||||
|
exporters = {
|
||||||
|
node = {
|
||||||
|
enable = true;
|
||||||
|
enabledCollectors = [ "systemd" ];
|
||||||
|
port = 9002;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
scrapeConfigs = [
|
||||||
|
{
|
||||||
|
job_name = "node";
|
||||||
|
static_configs = [{
|
||||||
|
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
|
||||||
|
}];
|
||||||
|
scrape_interval = "15s";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
job_name = "rspamd";
|
||||||
|
static_configs = [{
|
||||||
|
targets = [ "rspamd.ifsr.de:11334" ];
|
||||||
|
}];
|
||||||
|
scrape_interval = "15s";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
# nginx reverse proxy
|
||||||
|
services.nginx.virtualHosts.${domain} = {
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -1,7 +1,6 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
let
|
let
|
||||||
domain = "nc.staging.${config.networking.domain}";
|
domain = "nc.${config.networking.domain}";
|
||||||
legacy_domain = "oc.${config.networking.domain}";
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
|
@ -15,8 +14,8 @@ in
|
||||||
services = {
|
services = {
|
||||||
nextcloud = {
|
nextcloud = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.nextcloud25;
|
configureRedis = true;
|
||||||
enableBrokenCiphersForSSE = false; # disable the openssl warning
|
package = pkgs.nextcloud29;
|
||||||
hostName = domain;
|
hostName = domain;
|
||||||
https = true; # Use https for all urls
|
https = true; # Use https for all urls
|
||||||
phpExtraExtensions = all: [
|
phpExtraExtensions = all: [
|
||||||
|
@ -29,17 +28,22 @@ in
|
||||||
};
|
};
|
||||||
# postgres database is configured automatically
|
# postgres database is configured automatically
|
||||||
database.createLocally = true;
|
database.createLocally = true;
|
||||||
};
|
|
||||||
|
|
||||||
# Enable ACME and force SSL
|
# enable HEIC image preview
|
||||||
nginx.virtualHosts.${domain} = {
|
settings.enabledPreviewProviders = [
|
||||||
enableACME = true;
|
"OC\\Preview\\BMP"
|
||||||
forceSSL = true;
|
"OC\\Preview\\GIF"
|
||||||
};
|
"OC\\Preview\\JPEG"
|
||||||
nginx.virtualHosts.${legacy_domain} = {
|
"OC\\Preview\\Krita"
|
||||||
enableACME = true;
|
"OC\\Preview\\MarkDown"
|
||||||
forceSSL = true;
|
"OC\\Preview\\MP3"
|
||||||
locations."/".return = "301 https://nc.ifsr.de";
|
"OC\\Preview\\OpenDocument"
|
||||||
|
"OC\\Preview\\PNG"
|
||||||
|
"OC\\Preview\\TXT"
|
||||||
|
"OC\\Preview\\XBitmap"
|
||||||
|
"OC\\Preview\\HEIC"
|
||||||
|
];
|
||||||
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -74,6 +78,9 @@ in
|
||||||
preStart = pkgs.writeScript "nextcloud-preStart" ''
|
preStart = pkgs.writeScript "nextcloud-preStart" ''
|
||||||
# enable included LDAP app
|
# enable included LDAP app
|
||||||
${occ} app:enable user_ldap
|
${occ} app:enable user_ldap
|
||||||
|
${occ} app:enable calendar
|
||||||
|
${occ} app:enable tasks
|
||||||
|
${occ} app:enable polls
|
||||||
|
|
||||||
# set up new LDAP config if it does not exist
|
# set up new LDAP config if it does not exist
|
||||||
if ! ${occ} ldap:show-config s01 > /dev/null; then
|
if ! ${occ} ldap:show-config s01 > /dev/null; then
|
||||||
|
|
|
@ -1,39 +0,0 @@
|
||||||
{ config, pkgs, ... }:
|
|
||||||
{
|
|
||||||
services.nginx = {
|
|
||||||
|
|
||||||
additionalModules = [ pkgs.nginxModules.pam ];
|
|
||||||
enable = true;
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedOptimisation = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
|
|
||||||
appendHttpConfig = ''
|
|
||||||
map $remote_addr $remote_addr_anon {
|
|
||||||
~(?P<ip>\d+\.\d+\.\d+)\. $ip.0;
|
|
||||||
~(?P<ip>[^:]+:[^:]+): $ip::;
|
|
||||||
# IP addresses to not anonymize
|
|
||||||
127.0.0.1 $remote_addr;
|
|
||||||
::1 $remote_addr;
|
|
||||||
default 0.0.0.0;
|
|
||||||
}
|
|
||||||
log_format anon_ip '$remote_addr_anon - $remote_user [$time_local] "$request" '
|
|
||||||
'$status $body_bytes_sent "$http_referer" '
|
|
||||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
||||||
|
|
||||||
access_log /var/log/nginx/access.log anon_ip;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
security.acme = {
|
|
||||||
acceptTerms = true;
|
|
||||||
defaults = {
|
|
||||||
#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
|
||||||
email = "root@${config.networking.domain}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
security.pam.services.nginx.text = ''
|
|
||||||
auth required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
|
|
||||||
account required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
|
|
||||||
'';
|
|
||||||
}
|
|
18
modules/nix-serve.nix
Normal file
18
modules/nix-serve.nix
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
let
|
||||||
|
domain = "cache.${config.networking.domain}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
sops.secrets."nix-serve/key" = { };
|
||||||
|
services.nix-serve = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.nix-serve-ng;
|
||||||
|
secretKeyFile = config.sops.secrets."nix-serve/key".path;
|
||||||
|
port = 5002;
|
||||||
|
};
|
||||||
|
services.nginx.virtualHosts."${domain}" = {
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:${toString config.services.nix-serve.port}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -24,13 +24,7 @@ in
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
virtualHosts.${domain} = {
|
virtualHosts.${domain} = {
|
||||||
root = pkgs.callPackage ../pkgs/padlist { };
|
root = "/srv/web/padlist";
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
extraConfig = ''
|
|
||||||
auth_pam "LDAP Authentication Required";
|
|
||||||
auth_pam_service_name "nginx";
|
|
||||||
'';
|
|
||||||
locations = {
|
locations = {
|
||||||
"= /" = {
|
"= /" = {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
@ -41,13 +35,15 @@ in
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
try_files $uri =404;
|
try_files $uri =404;
|
||||||
fastcgi_pass unix:${config.services.phpfpm.pools.padlist.socket};
|
fastcgi_pass unix:${config.services.phpfpm.pools.padlist.socket};
|
||||||
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
include ${pkgs.nginx}/conf/fastcgi_params;
|
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||||
include ${pkgs.nginx}/conf/fastcgi.conf;
|
include ${pkgs.nginx}/conf/fastcgi.conf;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
"/vendor".return = "403";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +0,0 @@
|
||||||
{ ... }:
|
|
||||||
{
|
|
||||||
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
|
|
||||||
sops.age.generateKey = false;
|
|
||||||
}
|
|
|
@ -4,8 +4,6 @@
|
||||||
nginx = {
|
nginx = {
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"stream.${config.networking.domain}" = {
|
"stream.${config.networking.domain}" = {
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/" =
|
locations."/" =
|
||||||
let
|
let
|
||||||
cfg = config.services.owncast;
|
cfg = config.services.owncast;
|
||||||
|
|
32
modules/struktur-bot.nix
Normal file
32
modules/struktur-bot.nix
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
{
|
||||||
|
sops.secrets."strukturbot_env" = { };
|
||||||
|
# virtualisation.docker.daemon.settings.dns = [ "141.30.1.1" "141.76.14.1" ];
|
||||||
|
virtualisation.oci-containers = {
|
||||||
|
containers.struktur-bot = {
|
||||||
|
image = "struktur-bot";
|
||||||
|
environmentFiles = [
|
||||||
|
config.sops.secrets."strukturbot_env".path
|
||||||
|
];
|
||||||
|
extraOptions = [ "--network=host" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
systemd.timers."overleaf-backup" = {
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
timerConfig = {
|
||||||
|
OnCalendar = "02:22:00";
|
||||||
|
Unit = "overleaf-backup.service";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services."overleaf-backup" = {
|
||||||
|
script = ''
|
||||||
|
set -eu
|
||||||
|
${pkgs.docker}/bin/docker exec struktur-bot python3 backup.py
|
||||||
|
'';
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
User = "root";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -25,16 +25,12 @@ in
|
||||||
ensureUsers = [
|
ensureUsers = [
|
||||||
{
|
{
|
||||||
name = "vaultwarden";
|
name = "vaultwarden";
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE vaultwarden" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
ensureDatabases = [ "vaultwarden" ];
|
ensureDatabases = [ "vaultwarden" ];
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."${domain}" = {
|
services.nginx.virtualHosts."${domain}" = {
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
|
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
|
||||||
};
|
};
|
||||||
|
|
16
modules/web/default.nix
Normal file
16
modules/web/default.nix
Normal file
|
@ -0,0 +1,16 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./ifsrde.nix
|
||||||
|
./ese.nix
|
||||||
|
./infoscreen.nix
|
||||||
|
./kpp.nix
|
||||||
|
./nightline.nix
|
||||||
|
./fsrewsp.nix
|
||||||
|
./manual.nix
|
||||||
|
./sharepic.nix
|
||||||
|
./userdir.nix
|
||||||
|
./ftp.nix
|
||||||
|
./hyperilo.nix
|
||||||
|
];
|
||||||
|
}
|
34
modules/web/ese.nix
Normal file
34
modules/web/ese.nix
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
let
|
||||||
|
domain = "ese.${config.networking.domain}";
|
||||||
|
webRoot = "/srv/web/ese";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services.nginx = {
|
||||||
|
virtualHosts."${domain}" = {
|
||||||
|
locations."= /" = {
|
||||||
|
# temporary redirect, to avoid caching problems
|
||||||
|
return = "302 /2024/";
|
||||||
|
};
|
||||||
|
locations."/" = {
|
||||||
|
root = webRoot;
|
||||||
|
tryFiles = "$uri $uri/ =404";
|
||||||
|
};
|
||||||
|
# cache static assets
|
||||||
|
locations."~* \.(?:css|svg|webp|jpg|jpeg|gif|png|ico|mp4|mp3|ogg|ogv|webm|ttf|woff2|woff)$" = {
|
||||||
|
root = webRoot;
|
||||||
|
extraConfig = ''
|
||||||
|
expires 1y;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users."ese-deploy" = {
|
||||||
|
isNormalUser = true;
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
''command="${pkgs.rrsync}/bin/rrsync ${webRoot}",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWGdTdobZN2oSLsTQmHOahdc9vqyuwUBS0PSk5IQhGV''
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
}
|
73
modules/web/fsrewsp.nix
Normal file
73
modules/web/fsrewsp.nix
Normal file
|
@ -0,0 +1,73 @@
|
||||||
|
{ pkgs, config, lib, ... }:
|
||||||
|
let
|
||||||
|
domain = "fsrewsp.de";
|
||||||
|
user = "fsrewsp";
|
||||||
|
group = "fsrewsp";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
users.users.${user} = {
|
||||||
|
group = group;
|
||||||
|
isSystemUser = true;
|
||||||
|
};
|
||||||
|
users.groups.${group} = { };
|
||||||
|
users.users.nginx = {
|
||||||
|
extraGroups = [ group ];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.phpfpm.pools.fsrewsp = {
|
||||||
|
user = "fsrewsp";
|
||||||
|
group = "fsrewsp";
|
||||||
|
settings = {
|
||||||
|
"listen.owner" = config.services.nginx.user;
|
||||||
|
"pm" = "dynamic";
|
||||||
|
"pm.max_children" = 32;
|
||||||
|
"pm.max_requests" = 500;
|
||||||
|
"pm.start_servers" = 2;
|
||||||
|
"pm.min_spare_servers" = 2;
|
||||||
|
"pm.max_spare_servers" = 5;
|
||||||
|
"php_admin_value[error_log]" = "stderr";
|
||||||
|
"php_admin_flag[log_errors]" = true;
|
||||||
|
"catch_workers_output" = true;
|
||||||
|
};
|
||||||
|
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
services.nginx.enable = true;
|
||||||
|
services.nginx = {
|
||||||
|
virtualHosts."www.${domain}" = {
|
||||||
|
locations."/".return = "301 $scheme://${domain}$request_uri";
|
||||||
|
};
|
||||||
|
virtualHosts."${domain}" = {
|
||||||
|
root = "/srv/web/fsrewsp";
|
||||||
|
extraConfig = ''
|
||||||
|
index index.php index.html;
|
||||||
|
'';
|
||||||
|
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
tryFiles = "$uri $uri/ /index.php?$args";
|
||||||
|
};
|
||||||
|
"~ \.php$" = {
|
||||||
|
extraConfig = ''
|
||||||
|
try_files $uri =404;
|
||||||
|
fastcgi_pass unix:${config.services.phpfpm.pools.fsrewsp.socket};
|
||||||
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||||
|
fastcgi_index index.php;
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi.conf;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
|
||||||
|
fastcgi_param HTTP_HOST $host;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"~ \.log$".return = "403";
|
||||||
|
"~ ^/\.user\.ini".return = "403";
|
||||||
|
"~* \.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig = ''
|
||||||
|
expires max;
|
||||||
|
log_not_found off;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
38
modules/web/ftp.nix
Normal file
38
modules/web/ftp.nix
Normal file
|
@ -0,0 +1,38 @@
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
let
|
||||||
|
domain = "ftp.${config.networking.domain}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services.nginx.additionalModules = [ pkgs.nginxModules.fancyindex ];
|
||||||
|
services.nginx.virtualHosts."${domain}" = {
|
||||||
|
root = "/srv/ftp";
|
||||||
|
extraConfig = ''
|
||||||
|
fancyindex on;
|
||||||
|
fancyindex_exact_size off;
|
||||||
|
error_page 403 /403.html;
|
||||||
|
fancyindex_localtime on;
|
||||||
|
'';
|
||||||
|
locations."~/(klausuren|uebungen|skripte|abschlussarbeiten)".extraConfig = ''
|
||||||
|
allow 141.30.0.0/16;
|
||||||
|
allow 141.76.0.0/16;
|
||||||
|
deny all;
|
||||||
|
'';
|
||||||
|
locations."~ /komplexpruef".extraConfig = ''
|
||||||
|
default_type text/plain;
|
||||||
|
'';
|
||||||
|
locations."=/403.html" = {
|
||||||
|
root = pkgs.writeTextDir "403.html" ''
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<title>403 Forbidden</title>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<center><h1>403 Forbidden</h1></center>
|
||||||
|
<center>Dieser Ordner ist nur aus dem Uni-Netz zugänglich.</center>
|
||||||
|
<center>This directory is only accessible from the TUD network.</center>
|
||||||
|
</body>
|
||||||
|
</html>
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
34
modules/web/hyperilo.nix
Normal file
34
modules/web/hyperilo.nix
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
{ ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
# provide access to iLO of colocated server
|
||||||
|
# in case of questions, contact @bennofs
|
||||||
|
services.nginx.virtualHosts."hyperilo.deutschland.gmbh" = {
|
||||||
|
forceSSL = true;
|
||||||
|
locations."/".proxyPass = "https://192.168.0.120:443";
|
||||||
|
locations."/".basicAuthFile = "/run/secrets/hyperilo_htaccess";
|
||||||
|
locations."/".extraConfig = ''
|
||||||
|
proxy_ssl_verify off;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection $connection_upgrade_capitalized;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# HP iLO requires uppercase Upgrade, not lowercase "upgrade"
|
||||||
|
services.nginx.commonHttpConfig = ''
|
||||||
|
map $http_upgrade $connection_upgrade_capitalized {
|
||||||
|
default Upgrade;
|
||||||
|
''' close;
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
|
||||||
|
systemd.network.networks."20-hyperilo" = {
|
||||||
|
matchConfig.Name = "eno8303";
|
||||||
|
address = [ "192.168.0.1/24" ];
|
||||||
|
networkConfig.LLDP = true;
|
||||||
|
networkConfig.EmitLLDP = "nearest-bridge";
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.secrets."hyperilo_htaccess".owner = "nginx";
|
||||||
|
}
|
|
@ -10,7 +10,9 @@ in
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
users.groups.${group} = { };
|
users.groups.${group} = { };
|
||||||
|
users.users.nginx = {
|
||||||
|
extraGroups = [ group ];
|
||||||
|
};
|
||||||
services.phpfpm.pools.ifsrde = {
|
services.phpfpm.pools.ifsrde = {
|
||||||
user = user;
|
user = user;
|
||||||
group = group;
|
group = group;
|
||||||
|
@ -32,14 +34,9 @@ in
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
|
|
||||||
virtualHosts."www.${config.networking.domain}" = {
|
virtualHosts."www.${config.networking.domain}" = {
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/".return = "301 $scheme://ifsr.de$request_uri";
|
locations."/".return = "301 $scheme://ifsr.de$request_uri";
|
||||||
|
|
||||||
};
|
};
|
||||||
virtualHosts."${config.networking.domain}" = {
|
virtualHosts."${config.networking.domain}" = {
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
root = "/srv/web/ifsrde";
|
root = "/srv/web/ifsrde";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
index index.html index.php;
|
index index.html index.php;
|
||||||
|
@ -63,6 +60,7 @@ in
|
||||||
"~ ^/cmd(/?[^\\n|\\r]*)$".return = "301 https://pad.ifsr.de$1";
|
"~ ^/cmd(/?[^\\n|\\r]*)$".return = "301 https://pad.ifsr.de$1";
|
||||||
"/bbb".return = "301 https://bbb.tu-dresden.de/b/fsr-58o-tmf-yy6";
|
"/bbb".return = "301 https://bbb.tu-dresden.de/b/fsr-58o-tmf-yy6";
|
||||||
"/kpp".return = "301 https://kpp.ifsr.de";
|
"/kpp".return = "301 https://kpp.ifsr.de";
|
||||||
|
"/sso".return = "301 https://sso.ifsr.de/realms/internal/account";
|
||||||
# security
|
# security
|
||||||
"~* /(\.git|cache|bin|logs|backup|tests)/.*$".return = "403";
|
"~* /(\.git|cache|bin|logs|backup|tests)/.*$".return = "403";
|
||||||
# deny running scripts inside core system folders
|
# deny running scripts inside core system folders
|
12
modules/web/infoscreen.nix
Normal file
12
modules/web/infoscreen.nix
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
{ config, ... }:
|
||||||
|
let
|
||||||
|
domain = "infoscreen.${config.networking.domain}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
virtualHosts."${domain}" = {
|
||||||
|
root = "/srv/web/infoscreen/dist";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -7,9 +7,4 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
hostName = domain;
|
hostName = domain;
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."${domain}" = {
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
}
|
}
|
10
modules/web/manual.nix
Normal file
10
modules/web/manual.nix
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
{ config, ... }:
|
||||||
|
let
|
||||||
|
domain = "manual.${config.networking.domain}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services.ese-manual = {
|
||||||
|
enable = true;
|
||||||
|
hostName = domain;
|
||||||
|
};
|
||||||
|
}
|
70
modules/web/nightline.nix
Normal file
70
modules/web/nightline.nix
Normal file
|
@ -0,0 +1,70 @@
|
||||||
|
{ pkgs, config, lib, ... }:
|
||||||
|
let
|
||||||
|
domain = "nightline-dresden.de";
|
||||||
|
user = "nightline";
|
||||||
|
group = "nightline";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
users.users.${user} = {
|
||||||
|
group = group;
|
||||||
|
isSystemUser = true;
|
||||||
|
};
|
||||||
|
users.users.nginx = {
|
||||||
|
extraGroups = [ group ];
|
||||||
|
};
|
||||||
|
users.groups.${group} = { };
|
||||||
|
|
||||||
|
services.phpfpm.pools.nightline = {
|
||||||
|
user = "nightline";
|
||||||
|
group = "nightline";
|
||||||
|
settings = {
|
||||||
|
"listen.owner" = config.services.nginx.user;
|
||||||
|
"pm" = "dynamic";
|
||||||
|
"pm.max_children" = 32;
|
||||||
|
"pm.max_requests" = 500;
|
||||||
|
"pm.start_servers" = 2;
|
||||||
|
"pm.min_spare_servers" = 2;
|
||||||
|
"pm.max_spare_servers" = 5;
|
||||||
|
"php_admin_value[error_log]" = "stderr";
|
||||||
|
"php_admin_flag[log_errors]" = true;
|
||||||
|
"catch_workers_output" = true;
|
||||||
|
};
|
||||||
|
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
virtualHosts."www.${domain}" = {
|
||||||
|
locations."/".return = "301 $scheme://${domain}$request_uri";
|
||||||
|
};
|
||||||
|
virtualHosts."${domain}" = {
|
||||||
|
root = "/srv/web/nightline";
|
||||||
|
extraConfig = ''
|
||||||
|
index index.php index.html;
|
||||||
|
'';
|
||||||
|
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
tryFiles = "$uri $uri/ /index.php?$args";
|
||||||
|
};
|
||||||
|
"~ \.php$" = {
|
||||||
|
extraConfig = ''
|
||||||
|
try_files $uri =404;
|
||||||
|
fastcgi_pass unix:${config.services.phpfpm.pools.nightline.socket};
|
||||||
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||||
|
fastcgi_index index.php;
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi.conf;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
|
||||||
|
fastcgi_param HTTP_HOST $host;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"~ \.log$".return = "403";
|
||||||
|
"~ ^/\.user\.ini".return = "403";
|
||||||
|
"~* \.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig = ''
|
||||||
|
expires max;
|
||||||
|
log_not_found off;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
60
modules/web/sharepic.nix
Normal file
60
modules/web/sharepic.nix
Normal file
|
@ -0,0 +1,60 @@
|
||||||
|
{ pkgs, config, lib, ... }:
|
||||||
|
let
|
||||||
|
domain = "sharepic.${config.networking.domain}";
|
||||||
|
user = "sharepic";
|
||||||
|
group = "sharepic";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
users.users.${user} = {
|
||||||
|
group = group;
|
||||||
|
isSystemUser = true;
|
||||||
|
};
|
||||||
|
users.groups.${group} = { };
|
||||||
|
|
||||||
|
services.phpfpm.pools.sharepic = {
|
||||||
|
user = "sharepic";
|
||||||
|
group = "sharepic";
|
||||||
|
settings = {
|
||||||
|
"listen.owner" = config.services.nginx.user;
|
||||||
|
"pm" = "dynamic";
|
||||||
|
"pm.max_children" = 32;
|
||||||
|
"pm.max_requests" = 500;
|
||||||
|
"pm.start_servers" = 2;
|
||||||
|
"pm.min_spare_servers" = 2;
|
||||||
|
"pm.max_spare_servers" = 5;
|
||||||
|
"php_admin_value[error_log]" = "stderr";
|
||||||
|
"php_admin_flag[log_errors]" = true;
|
||||||
|
"catch_workers_output" = true;
|
||||||
|
};
|
||||||
|
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
virtualHosts."${domain}" = {
|
||||||
|
root = "/srv/web/sharepic";
|
||||||
|
extraConfig = ''
|
||||||
|
index index.php index.html;
|
||||||
|
'';
|
||||||
|
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
tryFiles = "$uri $uri/ =404";
|
||||||
|
};
|
||||||
|
"~ \.php$" = {
|
||||||
|
extraConfig = ''
|
||||||
|
try_files $uri =404;
|
||||||
|
fastcgi_pass unix:${config.services.phpfpm.pools.sharepic.socket};
|
||||||
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||||
|
fastcgi_index index.php;
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi.conf;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"/data".return = "403";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, ... }:
|
{ config, pkgs, ... }:
|
||||||
let
|
let
|
||||||
domain = "users.${config.networking.domain}";
|
domain = "users.${config.networking.domain}";
|
||||||
port = 8083;
|
port = 8083;
|
||||||
|
@ -18,18 +18,21 @@ in
|
||||||
|
|
||||||
mkdir -p $HOME/public_html
|
mkdir -p $HOME/public_html
|
||||||
# public_html dir: apache and $USER have rwx on everything inside
|
# public_html dir: apache and $USER have rwx on everything inside
|
||||||
setfacl -m u:${apacheUser}:rwx,d:u:${apacheUser}:rwx,d:u:$USER:rwx $HOME/public_html
|
setfacl -m u:${apacheUser}:rwx,d:u:${apacheUser}:rwx,d:u:''${USER}:rwx $HOME/public_html
|
||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
|
|
||||||
services.httpd = {
|
services.httpd = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enablePHP = true;
|
enablePHP = true;
|
||||||
|
maxClients = 10;
|
||||||
|
mpm = "prefork";
|
||||||
|
extraModules = [ "userdir" ];
|
||||||
|
|
||||||
virtualHosts.${domain} = {
|
virtualHosts.${domain} = {
|
||||||
enableUserDir = true;
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
UserDir /home/users/*/public_html
|
UserDir disabled root
|
||||||
|
UserDir /home/users/*/public_html/
|
||||||
<Directory "/home/users/*/public_html">
|
<Directory "/home/users/*/public_html">
|
||||||
Options -Indexes +MultiViews +SymLinksIfOwnerMatch +IncludesNoExec
|
Options -Indexes +MultiViews +SymLinksIfOwnerMatch +IncludesNoExec
|
||||||
DirectoryIndex index.php index.html
|
DirectoryIndex index.php index.html
|
||||||
|
@ -47,14 +50,33 @@ in
|
||||||
inherit port;
|
inherit port;
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
phpPackage = pkgs.php.buildEnv {
|
||||||
|
extraConfig = ''
|
||||||
|
display_errors=0
|
||||||
|
post_max_size = 40M
|
||||||
|
upload_max_filesize = 40M
|
||||||
|
extension=sysvsem.so
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts.${domain} = {
|
services.nginx.virtualHosts.${domain} = {
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://localhost:${toString port}";
|
proxyPass = "http://localhost:${toString port}";
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_intercept_errors on;
|
||||||
|
error_page 403 404 =404 /404.html;
|
||||||
|
client_max_body_size 40M;
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
locations."/robots.txt" = {
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Content-Type text/plain;
|
||||||
|
return 200 "User-agent: *\nDisallow: /\n";
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
}
|
}
|
8
modules/wiki/default.nix
Normal file
8
modules/wiki/default.nix
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./fsr.nix
|
||||||
|
./vernetzung.nix
|
||||||
|
./ese.nix
|
||||||
|
];
|
||||||
|
}
|
83
modules/wiki/ese.nix
Normal file
83
modules/wiki/ese.nix
Normal file
|
@ -0,0 +1,83 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
domain = "wiki.ese.${config.networking.domain}";
|
||||||
|
user = "wiki-ese";
|
||||||
|
group = "wiki-ese";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
|
||||||
|
users.users.${user} = {
|
||||||
|
group = group;
|
||||||
|
isSystemUser = true;
|
||||||
|
};
|
||||||
|
users.groups.${group} = { };
|
||||||
|
services.phpfpm.pools.wiki-ese = {
|
||||||
|
user = user;
|
||||||
|
group = group;
|
||||||
|
settings = {
|
||||||
|
"listen.owner" = config.services.nginx.user;
|
||||||
|
"pm" = "dynamic";
|
||||||
|
"pm.max_children" = 32;
|
||||||
|
"pm.max_requests" = 500;
|
||||||
|
"pm.start_servers" = 2;
|
||||||
|
"pm.min_spare_servers" = 2;
|
||||||
|
"pm.max_spare_servers" = 5;
|
||||||
|
"php_admin_value[error_log]" = "stderr";
|
||||||
|
"php_admin_flag[log_errors]" = true;
|
||||||
|
"catch_workers_output" = true;
|
||||||
|
};
|
||||||
|
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
|
||||||
|
};
|
||||||
|
services.nginx = {
|
||||||
|
virtualHosts."${domain}" = {
|
||||||
|
root = "/srv/web/wiki.ese";
|
||||||
|
extraConfig = ''
|
||||||
|
index index.php;
|
||||||
|
'';
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
tryFiles = "$uri $uri/ @rewrite";
|
||||||
|
};
|
||||||
|
"@rewrite".extraConfig = ''
|
||||||
|
rewrite ^/(.*)$ /index.php?title=$1&$args;
|
||||||
|
'';
|
||||||
|
"^~ /maintenance/".return = "403";
|
||||||
|
"~ \.php$" = {
|
||||||
|
extraConfig = ''
|
||||||
|
fastcgi_pass unix:${config.services.phpfpm.pools.wiki-ese.socket};
|
||||||
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||||
|
fastcgi_index index.php;
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi.conf;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"/rest.php" = {
|
||||||
|
tryFiles = "$uri $uri/ /rest.php?$args";
|
||||||
|
};
|
||||||
|
"~* \.(js|css|png|jpg|jpeg|gif|ico)$" = {
|
||||||
|
tryFiles = "$uri /index.php";
|
||||||
|
extraConfig = ''
|
||||||
|
expires max;
|
||||||
|
log_not_found off;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"/_.gif" = {
|
||||||
|
extraConfig = ''
|
||||||
|
expires max;
|
||||||
|
empty_gif;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"^~ /cache/".extraConfig = ''
|
||||||
|
deny all;
|
||||||
|
'';
|
||||||
|
"/dumps" = {
|
||||||
|
root = "/srv/web/wiki-ese/local";
|
||||||
|
extraConfig = ''
|
||||||
|
autoindex on;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -63,11 +63,12 @@ in
|
||||||
# Auth
|
# Auth
|
||||||
# https://www.mediawiki.org/wiki/Extension:PluggableAuth
|
# https://www.mediawiki.org/wiki/Extension:PluggableAuth
|
||||||
# https://www.mediawiki.org/wiki/Extension:OpenID_Connect
|
# https://www.mediawiki.org/wiki/Extension:OpenID_Connect
|
||||||
|
$wgOpenIDConnect_MigrateUsersByEmail = true;
|
||||||
$wgPluggableAuth_EnableLocalLogin = true;
|
$wgPluggableAuth_EnableLocalLogin = true;
|
||||||
$wgPluggableAuth_Config["iFSR Login"] = [
|
$wgPluggableAuth_Config["iFSR Login"] = [
|
||||||
"plugin" => "OpenIDConnect",
|
"plugin" => "OpenIDConnect",
|
||||||
"data" => [
|
"data" => [
|
||||||
"providerURL" => "${config.services.portunus.domain}/dex",
|
"providerURL" => "https://sso.ifsr.de/realms/internal",
|
||||||
"clientID" => "wiki",
|
"clientID" => "wiki",
|
||||||
"clientsecret" => file_get_contents('${config.sops.secrets."mediawiki/oidc_secret".path}'),
|
"clientsecret" => file_get_contents('${config.sops.secrets."mediawiki/oidc_secret".path}'),
|
||||||
],
|
],
|
||||||
|
@ -76,30 +77,33 @@ in
|
||||||
|
|
||||||
extensions = {
|
extensions = {
|
||||||
PluggableAuth = pkgs.fetchzip {
|
PluggableAuth = pkgs.fetchzip {
|
||||||
url = "https://web.archive.org/web/20230615112924/https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-068be5d.tar.gz";
|
url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_41-b92b48e.tar.gz";
|
||||||
hash = "sha256-kmdSPMQNaO0qgEzb8j0+eLlsNQLmfJfo0Ls4yvYgOFI=";
|
hash = "sha256-Fv5reEqFVVpSvmb4cy4oZBzeKc/fVddoJIsalnW4wUY=";
|
||||||
};
|
};
|
||||||
OpenIDConnect = pkgs.fetchzip {
|
OpenIDConnect = pkgs.fetchzip {
|
||||||
url = "https://web.archive.org/web/20230615113527/https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_39-42e4d75.tar.gz";
|
url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_41-520f4bf.tar.gz";
|
||||||
hash = "sha256-VN0G0Crjlx0DTLeDvaSFtMmYsfB7VzgYkSNDS+nkIyQ=";
|
hash = "sha256-gLHaveEzfmpqU9fWATZsUU377FJj2yq//raHZUR/VWk=";
|
||||||
};
|
};
|
||||||
VisualEditor = pkgs.fetchzip {
|
VisualEditor = pkgs.fetchzip {
|
||||||
url = "https://web.archive.org/web/20230723212424/https://extdist.wmflabs.org/dist/extensions/VisualEditor-REL1_39-b1204c9.tar.gz";
|
url = "https://extdist.wmflabs.org/dist/extensions/VisualEditor-REL1_41-1bdb5a0.tar.gz";
|
||||||
hash = "sha256-g/ATW3xkecHynwbwLbmYgawNW+LCVTth0ZlhY7A3N5U=";
|
hash = "sha256-HtKV9Uru0SRtl61nP3PgMcT9t8okB8jGPKFmtYIV1XM=";
|
||||||
|
};
|
||||||
|
SyntaxHighlight = pkgs.fetchzip {
|
||||||
|
url = "https://extdist.wmflabs.org/dist/extensions/SyntaxHighlight_GeSHi-REL1_41-e5818be.tar.gz";
|
||||||
|
hash = "sha256-dvXfOUlvT2Y8ELx83JlEx0S51oKyW4DDbVyUzyh5zag=";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
portunus.dex.oidcClients = [{
|
|
||||||
id = "wiki";
|
|
||||||
callbackURL = "https://${domain}/Spezial:PluggableAuthLogin";
|
|
||||||
}];
|
|
||||||
|
|
||||||
nginx = {
|
nginx = {
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
virtualHosts.${domain} = {
|
virtualHosts.${domain} = {
|
||||||
enableACME = true;
|
locations."/robots.txt" = {
|
||||||
forceSSL = true;
|
extraConfig = ''
|
||||||
|
add_header Content-Type text/plain;
|
||||||
|
return 200 "User-agent: *\nDisallow: /\n";
|
||||||
|
'';
|
||||||
|
};
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:${toString listenPort}";
|
proxyPass = "http://127.0.0.1:${toString listenPort}";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
83
modules/wiki/vernetzung.nix
Normal file
83
modules/wiki/vernetzung.nix
Normal file
|
@ -0,0 +1,83 @@
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
domain = "vernetzung.${config.networking.domain}";
|
||||||
|
user = "vernetzung";
|
||||||
|
group = "vernetzung";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
|
||||||
|
users.users.${user} = {
|
||||||
|
group = group;
|
||||||
|
isSystemUser = true;
|
||||||
|
};
|
||||||
|
users.groups.${group} = { };
|
||||||
|
services.phpfpm.pools.vernetzung = {
|
||||||
|
user = user;
|
||||||
|
group = group;
|
||||||
|
settings = {
|
||||||
|
"listen.owner" = config.services.nginx.user;
|
||||||
|
"pm" = "dynamic";
|
||||||
|
"pm.max_children" = 32;
|
||||||
|
"pm.max_requests" = 500;
|
||||||
|
"pm.start_servers" = 2;
|
||||||
|
"pm.min_spare_servers" = 2;
|
||||||
|
"pm.max_spare_servers" = 5;
|
||||||
|
"php_admin_value[error_log]" = "stderr";
|
||||||
|
"php_admin_flag[log_errors]" = true;
|
||||||
|
"catch_workers_output" = true;
|
||||||
|
};
|
||||||
|
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
|
||||||
|
};
|
||||||
|
services.nginx = {
|
||||||
|
virtualHosts."${domain}" = {
|
||||||
|
root = "/srv/web/vernetzung";
|
||||||
|
extraConfig = ''
|
||||||
|
index index.php;
|
||||||
|
'';
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
tryFiles = "$uri $uri/ @rewrite";
|
||||||
|
};
|
||||||
|
"@rewrite".extraConfig = ''
|
||||||
|
rewrite ^/(.*)$ /index.php?title=$1&$args;
|
||||||
|
'';
|
||||||
|
"^~ /maintenance/".return = "403";
|
||||||
|
"~ \.php$" = {
|
||||||
|
extraConfig = ''
|
||||||
|
fastcgi_pass unix:${config.services.phpfpm.pools.vernetzung.socket};
|
||||||
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||||
|
fastcgi_index index.php;
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi_params;
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi.conf;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"/rest.php" = {
|
||||||
|
tryFiles = "$uri $uri/ /rest.php?$args";
|
||||||
|
};
|
||||||
|
"~* \.(js|css|png|jpg|jpeg|gif|ico)$" = {
|
||||||
|
tryFiles = "$uri /index.php";
|
||||||
|
extraConfig = ''
|
||||||
|
expires max;
|
||||||
|
log_not_found off;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"/_.gif" = {
|
||||||
|
extraConfig = ''
|
||||||
|
expires max;
|
||||||
|
empty_gif;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"^~ /cache/".extraConfig = ''
|
||||||
|
deny all;
|
||||||
|
'';
|
||||||
|
"/dumps" = {
|
||||||
|
root = "/srv/web/vernetzung/local";
|
||||||
|
extraConfig = ''
|
||||||
|
autoindex on;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
33
modules/zammad.nix
Normal file
33
modules/zammad.nix
Normal file
|
@ -0,0 +1,33 @@
|
||||||
|
{ config, ... }:
|
||||||
|
let
|
||||||
|
domain = "tickets.${config.networking.domain}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
services.zammad = {
|
||||||
|
enable = true;
|
||||||
|
database = {
|
||||||
|
createLocally = true;
|
||||||
|
type = "PostgreSQL";
|
||||||
|
};
|
||||||
|
port = 8085;
|
||||||
|
secretKeyBaseFile = config.sops.secrets."zammad_secret".path;
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
# disably spammy logs
|
||||||
|
systemd.services.zammad-web.preStart = ''
|
||||||
|
sed -i -e "s|debug|warn|" ./config/environments/production.rb
|
||||||
|
'';
|
||||||
|
|
||||||
|
services.nginx.virtualHosts.${domain} = {
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://localhost:${toString config.services.zammad.port}";
|
||||||
|
};
|
||||||
|
locations."/ws" = {
|
||||||
|
proxyPass = "http://localhost:${toString config.services.zammad.websocketPort}";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.secrets."zammad_secret".owner = "zammad";
|
||||||
|
}
|
|
@ -1,36 +0,0 @@
|
||||||
{ pkgs, ... }:
|
|
||||||
{
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
# fzf
|
|
||||||
bat
|
|
||||||
duf
|
|
||||||
];
|
|
||||||
users.defaultUserShell = pkgs.zsh;
|
|
||||||
programs.fzf = {
|
|
||||||
fuzzyCompletion = true;
|
|
||||||
keybindings = true;
|
|
||||||
};
|
|
||||||
programs.zsh = {
|
|
||||||
enable = true;
|
|
||||||
shellAliases = {
|
|
||||||
l = "ls -l";
|
|
||||||
ll = "ls -la";
|
|
||||||
la = "ls -a";
|
|
||||||
less = "bat";
|
|
||||||
};
|
|
||||||
histSize = 100000;
|
|
||||||
histFile = "~/.local/share/zsh/history";
|
|
||||||
autosuggestions = {
|
|
||||||
enable = true;
|
|
||||||
highlightStyle = "fg=#00bbbb,bold";
|
|
||||||
};
|
|
||||||
|
|
||||||
shellInit =
|
|
||||||
''
|
|
||||||
source ${pkgs.zsh-fzf-tab}/share/fzf-tab/fzf-tab.plugin.zsh
|
|
||||||
|
|
||||||
zsh-newuser-install () {}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
27
overlays/default.nix
Normal file
27
overlays/default.nix
Normal file
|
@ -0,0 +1,27 @@
|
||||||
|
_final: prev:
|
||||||
|
let
|
||||||
|
inherit (prev) fetchurl;
|
||||||
|
inherit (prev) callPackage;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
# AGDSN is running an outdated version that we have to comply to
|
||||||
|
bacula = (prev.bacula.overrideAttrs (old: rec {
|
||||||
|
version = "9.6.7";
|
||||||
|
src = fetchurl {
|
||||||
|
url = "mirror://sourceforge/bacula/${old.pname}-${version}.tar.gz";
|
||||||
|
sha256 = "sha256-3w+FJezbo4DnS1N8pxrfO3WWWT8CGJtZqw6//IXMyN4=";
|
||||||
|
};
|
||||||
|
}));
|
||||||
|
# Mailman internal server error fix
|
||||||
|
# https://gitlab.com/mailman/mailman/-/issues/1137
|
||||||
|
# https://github.com/NixOS/nixpkgs/pull/321136
|
||||||
|
pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
|
||||||
|
(_python-final: python-prev: {
|
||||||
|
readme-renderer = python-prev.readme-renderer.overridePythonAttrs (_oldAttrs: {
|
||||||
|
propagatedBuildInputs = [ python-prev.cmarkgfm ];
|
||||||
|
});
|
||||||
|
})
|
||||||
|
];
|
||||||
|
|
||||||
|
keycloak_ifsr_theme = callPackage ../modules/keycloak/theme.nix { };
|
||||||
|
}
|
|
@ -0,0 +1,25 @@
|
||||||
|
From f4c5dd5628c873981b2d6d6b8f3bbf036b9fd724 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rouven Seifert <rouven.seifert@ifsr.de>
|
||||||
|
Date: Thu, 2 May 2024 11:20:27 +0200
|
||||||
|
Subject: [PATCH] cleanup: also catch milter-reject
|
||||||
|
|
||||||
|
---
|
||||||
|
postfix_exporter.go | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/postfix_exporter.go b/postfix_exporter.go
|
||||||
|
index f20d99c..676d767 100644
|
||||||
|
--- a/postfix_exporter.go
|
||||||
|
+++ b/postfix_exporter.go
|
||||||
|
@@ -335,6 +335,8 @@ func (e *PostfixExporter) CollectFromLogLine(line string) {
|
||||||
|
e.cleanupProcesses.Inc()
|
||||||
|
} else if strings.Contains(remainder, ": reject: ") {
|
||||||
|
e.cleanupRejects.Inc()
|
||||||
|
+ } else if strings.Contains(remainder, ": milter-reject: ") {
|
||||||
|
+ e.cleanupRejects.Inc()
|
||||||
|
} else {
|
||||||
|
e.addToUnsupportedLine(line, subprocess, level)
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.44.0
|
||||||
|
|
|
@ -1,21 +0,0 @@
|
||||||
{ isPy3k, buildPythonPackage, pkgs, service-identity, ldap3, twisted, ldaptor, mock }:
|
|
||||||
|
|
||||||
buildPythonPackage rec {
|
|
||||||
pname = "matrix-synapse-ldap3";
|
|
||||||
version = "0.2.2";
|
|
||||||
|
|
||||||
format = "pyproject";
|
|
||||||
|
|
||||||
src = pkgs.fetchFromGitHub {
|
|
||||||
owner = "matrix-org";
|
|
||||||
repo = "matrix-synapse-ldap3";
|
|
||||||
rev = "2584736204165f16c176567183f9c350ee253f74";
|
|
||||||
sha256 = "gMsC5FpC2zt5hypPdGgPbWT/Rwz38EoQz3tj5dQ9BQ8=";
|
|
||||||
};
|
|
||||||
|
|
||||||
propagatedBuildInputs = [ service-identity ldap3 twisted ];
|
|
||||||
|
|
||||||
# ldaptor is not ready for py3 yet
|
|
||||||
doCheck = !isPy3k;
|
|
||||||
checkInputs = [ ldaptor mock ];
|
|
||||||
}
|
|
|
@ -1,10 +0,0 @@
|
||||||
{ stdenvNoCC, ... }:
|
|
||||||
stdenvNoCC.mkDerivation {
|
|
||||||
name = "padlister";
|
|
||||||
src = ./.;
|
|
||||||
phases = [ "unpackPhase" "installPhase" ];
|
|
||||||
installPhase = ''
|
|
||||||
mkdir -p $out
|
|
||||||
cp -r $src/index.php $out
|
|
||||||
'';
|
|
||||||
}
|
|
|
@ -1,79 +0,0 @@
|
||||||
<?php
|
|
||||||
error_reporting(E_ALL);
|
|
||||||
ini_set('display_errors', 1);
|
|
||||||
|
|
||||||
|
|
||||||
$host = '/run/postgresql';
|
|
||||||
$dbname = 'hedgedoc';
|
|
||||||
$user = 'hedgedoc';
|
|
||||||
|
|
||||||
try {
|
|
||||||
$dbh = new PDO("pgsql:host=$host;dbname=$dbname", $user);
|
|
||||||
} catch (PDOException $e) {
|
|
||||||
echo "Error: " . $e->getMessage();
|
|
||||||
die();
|
|
||||||
}
|
|
||||||
|
|
||||||
$query = 'SELECT "Notes".title, "Notes"."updatedAt", "Notes"."shortid", "Users".profile FROM "Notes" JOIN "Users" ON "Notes"."ownerId" = "Users".id WHERE (permission = \'freely\' OR permission = \'editable\' OR permission = \'limited\') AND strpos(content, \'tags: listed\')>0 ORDER BY "Notes"."updatedAt" DESC';
|
|
||||||
try {
|
|
||||||
$stmt = $dbh->query($query);
|
|
||||||
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
|
||||||
} catch (PDOException $e) {
|
|
||||||
echo "Error: " . $e->getMessage();
|
|
||||||
die();
|
|
||||||
}
|
|
||||||
|
|
||||||
function formatDateString($stringDate)
|
|
||||||
{
|
|
||||||
$datetime = DateTime::createFromFormat('Y-m-d H:i:s.uP', $stringDate);
|
|
||||||
$formattedDate = $datetime->format('d.m.Y H:i');
|
|
||||||
return $formattedDate;
|
|
||||||
}
|
|
||||||
?>
|
|
||||||
|
|
||||||
<!DOCTYPE html>
|
|
||||||
<html lang="de">
|
|
||||||
|
|
||||||
<head>
|
|
||||||
<meta charset="UTF-8">
|
|
||||||
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
||||||
<title>Pad lister</title>
|
|
||||||
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@picocss/pico@1/css/pico.min.css">
|
|
||||||
|
|
||||||
</head>
|
|
||||||
|
|
||||||
<body>
|
|
||||||
<div class="container">
|
|
||||||
<br><br>
|
|
||||||
<table>
|
|
||||||
<tr>
|
|
||||||
<th>Titel</th>
|
|
||||||
<th>Owner</th>
|
|
||||||
<th>Last edit</th>
|
|
||||||
</tr>
|
|
||||||
|
|
||||||
<?php
|
|
||||||
foreach ($rows as $row) {
|
|
||||||
?>
|
|
||||||
<tr>
|
|
||||||
<td>
|
|
||||||
<a href="https://pad.ifsr.de/<?= $row['shortid'] ?>"><?= $row['title'] ?></a>
|
|
||||||
</td>
|
|
||||||
<td>
|
|
||||||
<?= json_decode($row['profile'])->username ?>
|
|
||||||
</td>
|
|
||||||
<td>
|
|
||||||
<?= formatDateString($row['updatedAt']) ?>
|
|
||||||
</td>
|
|
||||||
</tr>
|
|
||||||
|
|
||||||
<?php
|
|
||||||
}
|
|
||||||
?>
|
|
||||||
</table>
|
|
||||||
<br><br>
|
|
||||||
</div>
|
|
||||||
</body>
|
|
||||||
|
|
||||||
</html>
|
|
|
@ -1,135 +1,147 @@
|
||||||
cachix_password: ENC[AES256_GCM,data:7SleCWYfyhlde2vuIr6hGtAwuSbiz5W8PpUHd8TIh4I=,iv:mAr67t4jvLc7cUn7WQaY/oU3AN1w28tCBJBI1ZfeS3U=,tag:Dodk7V+nnswtSuEH6R5LGw==,type:str]
|
cachix_password: ENC[AES256_GCM,data:SjzpKHIFRvXDARjidS03eA0EmzXtsNjfkSnPTsafNhc=,iv:mAr67t4jvLc7cUn7WQaY/oU3AN1w28tCBJBI1ZfeS3U=,tag:VSPF158J1iP5x6qkytGeGA==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
azure_kv: []
|
azure_kv: []
|
||||||
hc_vault: []
|
hc_vault: []
|
||||||
age: []
|
age: []
|
||||||
lastmodified: "2023-08-14T09:08:46Z"
|
lastmodified: "2023-12-26T17:03:43Z"
|
||||||
mac: ENC[AES256_GCM,data:Vb5iZpE0D0kQrhrtm18y4WQj7W4c8oT+oFeFPgQBCJ1EJyHemREgn2RskCZeevad896qjWAR3xtk2uGc9SOEqFhWX4OkyhTGAo5h66YygNw3LbCsarfUcYQ7Jthdw2rnozLLIOEZ0yykeaayWEULbdHZjgaJwI+DIwOyTkBgmK8=,iv:96/Ph7+HDjT8su+vmtUB7d24OVY4h4BmfiTudwW+7DQ=,tag:F9JfGnSZOMN3GHdMXCVRPg==,type:str]
|
mac: ENC[AES256_GCM,data:RJ1qczvz9tRPf0krPFbSDURZJSx5Bx/K7Pz3urNYn8wt4/M1B9EJI0nlHMuun/QjCDYMmiOzvvJMEdOBI/OeRZaQrp9+9LBB+9r4jOhU8BIP5czzKaGpDpZ9o/6avZf38SfrjR0M8NHVuTRGW8vzstu92KyeXaIRqfJ1JX+ucbo=,iv:93dkoIJHFVQaGqNBW/9/QxobRLiv+hd73lsV2ZXJHX4=,tag:H7IJVW+c4EaMPdmJDr+7oA==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2023-08-14T09:08:12Z"
|
- created_at: "2024-02-29T15:23:18Z"
|
||||||
enc: |
|
enc: |-
|
||||||
-----BEGIN PGP MESSAGE-----
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
hF4DntlvaG5T7wcSAQdASuJ50zZbRm83JgWvBkhhqb9CYA7I5b4erFYEG4YAugMw
|
hF4DntlvaG5T7wcSAQdAnAE456PXzGekxSnrumXHqeCY5tm0/20vrPDDidjy3Wcw
|
||||||
r0nWOEVjWhMiYuvgQkNbD2QLioNbmYrElL7zRpLW66HhXX0F+SSF07SGxBY3DFX5
|
k4WIu4Sglhukn5LrQkzzcskoFpGHrPj5tN84jilNDjMz8nVR1zniAlrKTP59C/fQ
|
||||||
0l4BqOepz3eG9yUO3rWewZZmdFmtgSSgutCqHSA3Z/3dmNupSoScGUl2qVTFTZ0n
|
0l4BIQYlqkqkEDc+kuWzy2O0mteKrlo86Byv6NryvY5DseXUFd6pVde8n8ns5tSZ
|
||||||
pZqfDRnLrrRLGdqQ8ChgyzkaD4g6wQULApScmewit/QlRi4s84JBvqVcro6OXXof
|
/jSh5Fo3/xkmJ+aS2SturNqUixHYbGBHUpfQ/IakxriSfLdtkf3N82M8e5jJUWB3
|
||||||
=8TRl
|
=ZaVg
|
||||||
-----END PGP MESSAGE-----
|
-----END PGP MESSAGE-----
|
||||||
fp: B8E1727497FC48AA14158BDF947F769D7B95EC2B
|
fp: B8E1727497FC48AA14158BDF947F769D7B95EC2B
|
||||||
- created_at: "2023-08-14T09:08:12Z"
|
- created_at: "2024-02-29T15:23:18Z"
|
||||||
enc: |
|
enc: |-
|
||||||
-----BEGIN PGP MESSAGE-----
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
hQIMA/YLzOYaRIJJAQ//aIBDcdbJwRjT0xgiRjmMIpiM9ZXfipl/UGP6N3y9Xndx
|
hQIMA/YLzOYaRIJJAQ/9F9PE1/Dpehh2HvyzkbBMxar0ZrWItB9UpMN4VJjipI7x
|
||||||
IaVp4trITGXIIvChYo0WylCvPPrXdnUdwthu7sR7P7yjF/ZyDorYnSGB856/bUaV
|
8cMU7iIp3gDrVfwEzdARzXOUGugoxYPttJMe4ZRrIHtjnQBWf+e0TcDy4eqdHqYH
|
||||||
nX6to+zNnk6Zo7VBXW9HIqH+nG1JQW2kv8uF7hZSIvXVTYuuS2FfZMV3Vye1eQJ+
|
COAWRBctYAWqSU7n4Gq/mqtNGe1VDY9Q5rhpDqhPc01KWO72AgLUwH6zoyGM4YBN
|
||||||
5hbraPc0ioJFZe+sz9vLICGGdS7aY73lGrWllgpOgmtKc+S6OAHSH6zSkJ0rGzxq
|
7u7eF0vqcaZGQyzo4IjasnYlPjgIDehVzdl8Zpy/yYOFNozLFBV7HLqItEl7vdEq
|
||||||
AhkaVytNeB6Wc9QZw0YETwRv5ZKEZNCuMLDsB6OvP11T5Bod+SK59uFk4qFyHk40
|
DPGzz7vKAK1pHK0Qie5MBTbEMJ2yIBiGIJ/rZv5h9RvAuVu0uqjFbehis5yK2N4s
|
||||||
AcZ/FpdVPyH38rpBEjR68ARypLCXQqcTCUcVMtqW3+xm+msOF5Oax7psqBFLd1C3
|
hEBVaECXfvuvc0wP7EIgxdUoDeh+o4OUL6OneQRXeMqdlsw+oq8WnKywi4bf8dDl
|
||||||
C1X7MnXNWIcUiqm0Cl/d8DQUB4SNoKLwKMFGH9voPmpcht/1aqudMuloiSJrR8ia
|
1gNs7PLa0ROQKyOiB/LAZn4GmnNLSD2KnlTYoyrt3s8tgfRCHOhoWxGmBGfV3Z2C
|
||||||
B7out4PhQh4UGtdqilbEsntWmoiDmftvYKQiK+iA2PaNZPvFaDET6a21L9Ezk4mW
|
KjbucxT0Wz0gSSBr6ht0lL0DD0UFQ9WJbz2Dns82CCr5T+ehHk5YVGQPSSxPaDlz
|
||||||
XVZ8AiSxyQRH2c7l2jVPZZ3KZa40EOvdP1lIiCvlrp2KBlj+r+lqduFR/qG7vr/E
|
qnNdS+OvrgbofKAk7JcR9Po/ajoOAEvv6GfA0ujFi3FxyjwgaPS6Je4fC2gUVrwb
|
||||||
avRT2qxqR4y+wVlXGcPONyTrb9qGZrn1bnwkZ5at4O0QYYyiOt2PTe16WBgEhOyd
|
2z7OCzmpp3vGrFB0BvKSwrCQLIeffWl8M4bOoCDKM+XyMEUML7TsTrFkoQ+wzvqN
|
||||||
WDT2dnb7lG7fDSiY6iVzhYmnywEOREDEZ7ZoGzfGpgz9fDwrVvfpWgWkfLayHDLS
|
V53askywgCRfSkfBsEWV1Aoms4QmPnvkuoD0N4F40MRtD2HmhxrgqwmSh3Iu9qPS
|
||||||
XgEGvE2F1rGyAQVrAaLWNH01WL/7waZd8C/M3R0tbvyNVl+cEWnVmtz/LhRQuji1
|
XgGkJ/TnuWJ0KkBePo8xBqokVTfbhiGufYXXz6B80tHl6Xrmd5rcz8km0tCc/GUZ
|
||||||
qVXKzZSkc/YKuDLoJnIl4x9pVoi42AWf23YGltdk8osyq5b4eOMmoExhsdXItLg=
|
R8yygpt4uFujJEQzaCdT7Y8kt+WRXaNq7pZ0lsQF7lYtpusZhPBv3pDkb4/6ALs=
|
||||||
=dCdG
|
=nVIs
|
||||||
-----END PGP MESSAGE-----
|
-----END PGP MESSAGE-----
|
||||||
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||||
- created_at: "2023-08-14T09:08:12Z"
|
- created_at: "2024-02-29T15:23:18Z"
|
||||||
enc: |
|
enc: |-
|
||||||
-----BEGIN PGP MESSAGE-----
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
hQIMA8uqUsBLHj6XAQ//b1bA73WQ0H2rYX/scP68fDjnkeIRq227YW6sY3Fm/ob1
|
hQIMA8uqUsBLHj6XAQ/+Ofo4GZUZEca+ThmZmF8g5OlPOfgPxRUHuTHoiOthXTuS
|
||||||
4vmllEgZBTlzQwZb84fc0FBIP2xBzHXgKCmzt/+EEb0VUAc0KvNyJwa65apOV1MV
|
IO7BSCYPHdZlnDqNMELdQfKZHRFirehibMIFedfoiKEuhJaQ1p9go0CnIhcX7tzA
|
||||||
juzNYzL1rPph+rlk0NVkWQvop6OTGZ1rsq8GgJoffm3dYUAZysoyKJFwn+zy2sh6
|
aNaBbbJBmAYxUfPdExkJK9SqDxV7aXC8OHzXHwcZqCc/G38E4fOMVsvUVdD+Nymf
|
||||||
Q9kbWCsX8O/6ImLp6WgJXGUGt2MkkXUkMTdIvWHQntNuQtgh2E4Fz/HCdSW5TT3z
|
lEXmgXpU1ib5vRaH1oCOf8d1C6LFFC+peBBbyzwhNgFgVYP8NrXWkeIiRSiKpFpx
|
||||||
FoV/FaVNPMP1JiG3ym+q4p9zRQTynWb8JqGlWgt86vKdyqf/sBDMZHpjbZeX5O4m
|
3lsLODLIYXteoO0DkkuT2z/0G86EYo+bmSx5Ubi0waxfO3sLdUnDaIIC/6pJqbS8
|
||||||
RKiTpjAgDoJJYCB7WrnHhHJkVo2E0vi8bM86BJ0G4rubWTYhYlpLOMNIl+iVo1j5
|
QM3HtEL1kQaAFure/r+K7Ck8l0eTKbfnd52jLoMFK+1g5587KjV70fpx4QBvyq0X
|
||||||
H11vtJ/dphat1/8006dpeyA7xlw6Woq09Org6dRGV43sBK2oiNNznbigt6BCKylw
|
d0xJAfJSRptkIlMOS5+tYOXd2SOtoG7XwprrUs+lleE/Z4SaOjyGWkLE0L1D+Qhp
|
||||||
m2sUY/VyAEqkd2knYsfkfiVUy6R/yHkgGUJo94QUtfEs7Yw0VMwx8U/N7Gwrx5zB
|
/8jw0cU46O69ig0p47H1klvJ5TkZkSroCkarVRUS4AHhpnLLnDMYDkuVoZeKM+rz
|
||||||
8CUxxOnCNeynDPP3sPsei61RXretbJ0wXxoOv8P1GHIPYhAbEX9Oi3u81FnAmykJ
|
tOF8Sj/ySF3PA0W5cGf8dK8u8EXgIlApLbo4ZOBHff9yJJvuDJjt2b3hWPZh/uHF
|
||||||
NxM+Ip9RbeS9lRvuasMJSFawqJU10v7XLp6EjB+Ed+vNDzxPBnhbUYNKJRE/Gq4k
|
ASxPF26cz6+ysGLl8COvWLRlxDD22aP27P2A7+9LYi9p1csNL+wuYwfnF7/rrrLx
|
||||||
Phx/ySn900r+MX/1097TvL0GQH5TDK94R/Pip6K+iAeZPoFQFbhh0r4aYlARTpnU
|
Suv2InJqsUV5JkLlhoTYnv6kIwrz0oVSnTOFIBgQ3dex3T0DUn/eEdFO1BHY7BfU
|
||||||
aAEJAhCiPLz6o+/CDSsM7HQuATjywPk487/2PZ7SVYXNl1mXPgTfQJaDvOHjlinU
|
aAEJAhDp5eds7PB2IJhFuHuYcsYquRDlwlQ6CY0fWTR3cI3bzNTLAe+ITv19CBUV
|
||||||
yPO2XNwDkKQwtq72AY1oSEODJvFQyTLHSNNCt3Wbfm7LNbzp3UAarQ8g8dFOfCuY
|
eGi9XUc05QDgUapvUewGXZXlFxo7iDDw1H7S1exSeRY/sbmeDE1G8beZxEqD2Rbq
|
||||||
p6vOQwd0oQ4B
|
Rlwq7HypFnxX
|
||||||
=ZwoK
|
=M/ss
|
||||||
-----END PGP MESSAGE-----
|
-----END PGP MESSAGE-----
|
||||||
fp: F8634A1CFF7D61608503A70B24363525EA0E8A99
|
fp: F8634A1CFF7D61608503A70B24363525EA0E8A99
|
||||||
- created_at: "2023-08-14T09:08:12Z"
|
- created_at: "2024-02-29T15:23:18Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
-----BEGIN PGP MESSAGE-----
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
wcFMAzUXo8ZPJwGLAQ//YGciouPJhSuo1gEi8A31dsuXM0ka9INVTCtOP1kcZmAT
|
hQIMAzUXo8ZPJwGLAQ/+Jbtq6OyOcXYHWj6T74BDA1hcilHrP7yp5w3Za7DwKWpp
|
||||||
4ov/00GfaCd0XkoX43ZEV7lZrpQ8zW1iBFNi2Ojknu3HRJrmiRtTj2wv6ZOtsyvz
|
sLTcXo1ZywokwSBH8lm1zmhnho5BN968YTbwqb/y4FMX2MJP/VIgjgpkl9KoiZHM
|
||||||
2Ac2ADp91AMaACibt+XzEPGtnU9FitVEl0MM7pbllcu6jqcV/sa8CNf2564OTTQ0
|
py818xRsVttggsqoTnN6mtOYIEOu9lQCtA8zXgc5BIr1xDpRlVmz8VyeG70a32vI
|
||||||
6Fy1NsvbpAwJ5lyk5fXxsUlR/SGN8HWJRjytal0DLwyhgQZpnbZro+pMfM771x6U
|
PaG6BAmOoIQXNikNqhzyinSKkHHzDFGyxfdYGR2bMuGNSbpIr42DHOHVKWd7mzHW
|
||||||
5JztJVTILMGhfomSa5Tjotkncfilymjhg4eVGoD2MVbc9pjmze+pLzH2cjP8NyyA
|
Wm3BOaFHe76aYUByXujBPJ1oXm3PYLAPxXVudc4GCj23V3fj7oczCU74ggmmFLGk
|
||||||
4zrp7UgNT/EQM8RNgYg1KxIPGYYIEa+83253bjfCexR2gh0xlyVqc5o0Ql2xBUVY
|
PJkRRIRHHqAjb3C6LZ2V1sF2+eazlpSLcvf/KVRc12wFMzoPSpEb+Ft3MHYEhBn6
|
||||||
LckLYVFAowgxuTOFDLIEgs5t0qFotHbLxQsfy1grFShhp/4p+vPRq8UgAHBjTzTJ
|
o+7+BC94RhGUzu7OI2dK0oMUMZaeByLqFLHH0iZ171TuD3Tqr3NnsUBTJWT7hPw+
|
||||||
NKw69yaJySeZ47hR7p+AUODTfjyZ0UrdFraI8qT16LRa9xPH7S8+F50dj8aeeEU+
|
FN/yFsf0ZbRiShv4Vvxyib3NRZZfZ3VTG11qlV1xEBEsBnA3QzUr+J923FxPwOkj
|
||||||
ss+3g1ionuNGztLWJOK7yIm3ZHh/RIP6DyLp7r+PAII9jyWQLOOWZ1+Ugo8irevb
|
jBzxv9EJX/imXCj965R3vevCbc/6xf8Hy4x4GlqtTTFsw8uKwaQgoqL9eSejEcpU
|
||||||
xGBMxt7FhqWAxzGMBL+x7qSOGAh+hDv4aIP2692nBjSOwmao5LF5A5jsLk7JbJ3e
|
TXrMaKN4zUEgT/ZPI76teU7HKBxNfS+1yocznaZ6dr3SN5IwX0tX9q3k9Y7D0DyR
|
||||||
6DJz435wCdbNklHu09oSn6hoD5LuTFNP1K/q+FmOd8GZKhaqR6SXJuTN6RfPwyHS
|
LI1U0Wrx7JmbXQa/6ArKzp3fuwNFVkfQNbjvNFh7ghBTWQ8rWXtOU920KzAKwL/S
|
||||||
UQHZexhIfUx4aUQFzY/PbFxjI6QnHoW8PgaZ8vrL598Mpb5Sqd8Dx+NSnN8ifEXz
|
XgHlxl1gj7/YMrifU01zjSOerzzLetDRBtBQkl0DKeTUXwIjM82Hd8CP2yFaTAFx
|
||||||
ophXLjNmlamF0wyx8z9bEitGwZvckt5rSdu+KxkF+duVAQ==
|
AqjVgiJBB5ffCnKLz2wB8QP7BX0IzbVaNAgxwM+dx1tBH5riSXuzCIgrPnuEq8c=
|
||||||
=QRWO
|
=0rd1
|
||||||
-----END PGP MESSAGE-----
|
-----END PGP MESSAGE-----
|
||||||
fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
|
fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
|
||||||
- created_at: "2023-08-14T09:08:12Z"
|
- created_at: "2024-02-29T15:23:18Z"
|
||||||
enc: |
|
|
||||||
-----BEGIN PGP MESSAGE-----
|
|
||||||
|
|
||||||
hQIMA30JDs8MiK29AQ//bWhIT9dYWez0pXeu/NGoMFBa2OxsxxRiJh4Yz0FPTpBl
|
|
||||||
meDjRhVgg5avcGQT30bFzN8YAxFjoLns0/eWTZvoXWA2boSIwGbH9Yi5tmXp2OKD
|
|
||||||
mKxtxOQzBsDnzCR5wdUYNbgDX7ebgeRL4dodDpG3MSzWaydSLogCvhDgCE6Spfyc
|
|
||||||
N/ZvdN4pFzeylQUMgtMinfuAnqSplU1mgkE6Fpzi/BG1mUZyqDEIwlEzJ8uxQqMj
|
|
||||||
DbiE0aZkt7tOoYaSaX6X/wCkncToIjoVBm3Vvy4nVD/U3HwJMWW+xxZKHEyg3bwm
|
|
||||||
jySJ8bSoj3u9B0OVn3x/CQpRbGfYvWleCgSR/AbB8x7ccL49x+n5U72q3zsijSGJ
|
|
||||||
NmS8HZfEvYCEP82Zp7pCZOphrjZg1TKgHB3MXkRdo6tmy/jtznnMbQyobYkj6lFB
|
|
||||||
NsLg9wcGwG9nK5PK0kB3YrBTi+wSsu8ExxD0MaNpOm12v9ygMbNU0n+bNyUyEseI
|
|
||||||
KZLapICHWSLSRuQWbbk682CadXmqLlzzzF/FP+4mhx1z+S7f6nuzbariK+ccI4XY
|
|
||||||
JeeIE9M0vX1foO782WBYI3TvGUAA/MCWdrze3j304RgTxSOl6m3IKq7e89HCt0xo
|
|
||||||
PUQyfD/e7lsC46dxhuqI62ikKrTgtadVEjTCSUqRlVkJ4DGCkGae5BPsPcF7GpvS
|
|
||||||
XgHm3czu9w4jda9Qhqv3aqNZhletlYeyJEbY8/7V+mSDvvgjRTZxrxfDcPslraLm
|
|
||||||
WqqT1IAZRL339pJnPXtPnvAZyjxU6INTzGQfV8j0AAZbIzCGqMU6xkuaStugASY=
|
|
||||||
=vPdd
|
|
||||||
-----END PGP MESSAGE-----
|
|
||||||
fp: BF37903AE6FD294C4C674EE24472A20091BFA792
|
|
||||||
- created_at: "2023-08-14T09:08:12Z"
|
|
||||||
enc: |-
|
enc: |-
|
||||||
-----BEGIN PGP MESSAGE-----
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
wV4DNffZWjBmO5ASAQdAKSKcjuQ4oCCz1foAgnTSXiRz5FRTE8kGfFMVnZxOpF0w
|
hQIMA30JDs8MiK29ARAAvPwNXd3KkiVXNtNsOg1udXh08URE59ZJJUPBbe/XOHZI
|
||||||
FCTf4e/KeNBkkHs3fU8KikPirMmbO57MxU+w578efXrM8LRgJFvvkkxLr6tMpfkh
|
aUlrU5kwfswTcpmbHok1Faw8ppw9u9HMmL5HoUQ3LpdYBoZFDUmnu2AAhWjEilMB
|
||||||
0lEB6rCNiRb0PzqkowhMZqL6vwqBA7TF0hog1BGkdQPjac7V52oIVdqMyMJU1le2
|
EoQ/Er+Nq+EfZ1XDufZT3DkHydPVHEIPrau3U+Lf92xzOi6Gqcdx655orHrZSyXl
|
||||||
lb6NWDgi4mqYlrX/6+cTHnXC9Mub75r5iYzKV935PmUb3JA=
|
Z7xRUZi/Py43olmJm3jaLhhju3nVTOPJWAr/im+lVEtTL0jEw/OuSo+63GFmkILi
|
||||||
=U9Xi
|
bESz682YVL4ZtrPwQKZpdoIzsqwTGUSEO4yjuLEshM5QDL1HFE2E9whtehBAfOt+
|
||||||
|
4wTt756hHFpaweQDUm9e+Ce3sA7lifTVjX/h4ZJ55etW53EPP59bTW327mk4Sxxj
|
||||||
|
X85wo2kD7CaUxwrk01QBkAptuSdUf9d03cw6t3EH/uXYER2mc0BNPdlJB44eYtXE
|
||||||
|
mwUIk1UZ5rZ2tUPKIdUj0xFNywbTJPN+FKgW44y7k1/PcEKQpwndK1Xoi45HemY7
|
||||||
|
cMxMptNSldv1DAQank0CG3xYdCLfkLXfixOrI64Cqx8owTPLvUCic29e7Rw3+vAw
|
||||||
|
LOR6+mSpF2bGMt1NvpZAP0nHTijWWuGg4V8eMyJcdQ6eHnhFjVaq+EVqQlYas9ym
|
||||||
|
gPHLZ+eQ2Zy39nutaV/CgmgeniXS45l/H1K6QFhJahg7bpa4Z/qWRAkF/jaUfBbS
|
||||||
|
XgFhjoVIe3SO2E8YUh+Z0pFyHo5GlKkgENBeO7KJbiOYzwLoIpvpO1baIhHGPyrj
|
||||||
|
Th/Qj0uYyPYknrwgNivl/c+1nZbkNU4Btsp22+bw+4vq8c8jHKgtvMCwKsNbU4Y=
|
||||||
|
=beaI
|
||||||
-----END PGP MESSAGE-----
|
-----END PGP MESSAGE-----
|
||||||
fp: B1A16011B86BACB56ADB713DB712039D23133661
|
fp: BF37903AE6FD294C4C674EE24472A20091BFA792
|
||||||
- created_at: "2023-08-14T09:08:12Z"
|
- created_at: "2024-02-29T15:23:18Z"
|
||||||
enc: |
|
enc: |-
|
||||||
-----BEGIN PGP MESSAGE-----
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
hQIMA6MARpDCLIz2AQ/7Bvm+qrO0UdHN3goHTwAcy2TKmthBOrknBjTN12ZVPV0L
|
hF4DNffZWjBmO5ASAQdAluq9PmE0yZUumm/G4UtwQpohy8vpNzAh8D1EWVj2KgIw
|
||||||
21fmywd1MAJrARYnshhUkaaZrjd/hkeRfk2GfRAM58sHQi7J16xVxhvurqErVTTF
|
CkO+UYwhgB0Sl4rqYYgyGI1FK0aVQQYEV8jlvVpzWvaKga2bm3yT7kAp1o8b5Nv4
|
||||||
3vOyDeZ1VkscmB9kWYpg9B6dkffs87Yq17N6wTPh/bxStYImRuHx1TmzhdsEZ+9k
|
1GgBCQIQp3OqASoqHK2MGQURJr/NY3aHQVBltEe2bkgXj4FgBXu9a1L5hwxow9Ze
|
||||||
QmBeOY1nEGeaHYcXsVLNrfHwcL+VX8kCG9f5W0voR5wOcoJwOEQzz8URzKlzgV8L
|
YMDBVLkDaH8oCBBwvQVdqBmQe+LEwyr5eb/r0PtTksOfuQQ1TV3kX1Gj1XN31ilQ
|
||||||
uRAhtEt6zWmXv7BiVW39r1JnWNgTjVwp9PhJI6knghiIfibXndGc9pDhJRuWnSQK
|
LHXyhm6gI7zslw==
|
||||||
d9SrCEPmtWfQxzhdAlFobLI3XkagrZvSj1fIyYbT1dwEiR+4p+FoOp4YuN87xs0I
|
=zVpt
|
||||||
WeDPUoEMABVpYG6PoICWxCvaFU1cv9yqAc7TKhM8vDFQn1tJ4Ante4U9dLZ+iEbw
|
|
||||||
LxFr2XdQXLiqYUOI4dtEWO8IQqjyxva3AxU92clN7LIi3CeCDoEJZcg3l4eCtwyP
|
|
||||||
NUOXozZjnEixw4Q+1EVZZACCTPyAb5Gd994JqtjYmb5575xApWWiQNXf4hGo/WGn
|
|
||||||
zV0ZIfvohRBKxpWvgv3KUZwwHzz13AbWlBjrPIextRDdnQRZWv9jU6xRUFLM99XO
|
|
||||||
PlYbAPp5amaYRmwvG86opjcqmPuUTT/W+ss/aK8ddU69KYM+YI7OzqUXC0zPg4bS
|
|
||||||
XgGpDo6bqCP2YYkSzLYwKzMUHgHz9Ml0IyL5DQw3DMvu54IGL9nkgEd3DyIHdvsn
|
|
||||||
roJxHvGw18eBhHT0mXuWi9iK0vVMJW8tPw7CVZVSKuLFFsm+3LgkC1UftLvT2yY=
|
|
||||||
=NSHU
|
|
||||||
-----END PGP MESSAGE-----
|
-----END PGP MESSAGE-----
|
||||||
fp: A4F92BC7B792108A463995827C1F2DA2BC929412
|
fp: B1A16011B86BACB56ADB713DB712039D23133661
|
||||||
|
- created_at: "2024-02-29T15:23:18Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMA1tId/HHLgxAARAAkoe0CqLnz2Nythjm3wnMVrwv+U/ZeaVGemBJCaS9MWXd
|
||||||
|
inmKUj9fmGdrbqoIhxwgbMBjuHFWrHWO10ahMjQ+X8qOH22SJEDYhZ7H3I+KkuFa
|
||||||
|
dBrubZizjI7STYSC4vsLftcgNkVtaIWNhc34t4Gv5Dk5rjSXuM3WORm9xrIvJ0N1
|
||||||
|
KXBUP6JF9LF0JZTwn86EWeb7Fa3QDKuQ3T7tM+8kypqyh40gd7sKLx7onXLRacbq
|
||||||
|
U6fcls4Z3m2N+NayNyi+EoKDCUOkDJfms49I21acq7wiigGE/pIDA6MFhL2X5N82
|
||||||
|
lj1V3SySHNXfm3QeHi0HvWiNtLp5W7yDoN/T2kLf76gIsiXlrnSR9BnvY0LrnYTR
|
||||||
|
wY+j9q+942eG3QL0g9gG7L0mM8wZ8QcvdVmbgw3WpbValHSEXwfg4kSuCroZH38e
|
||||||
|
XEzSgqbuBMrEprGnH8/+gp2VxxDcOnpUQApe6tvrSk0d3GmGxoIriIQonrvEPnNJ
|
||||||
|
B/25jIns9X3DK3FxL2tYzUSIXv00plLLuy5P0Sl1fvD3/J3faTJ1uX8xB0z4c9Nv
|
||||||
|
/GG88hE4Al+2da5XRdDhgrS8L5YX0gxKPvwFcALO58v4YU9UxNjp12kEnteqbfPh
|
||||||
|
0X57Tin/2cvPdH3e3g7CDi1RPHK7mcxqpcshmuiPNVhou7I7tTh7BGJpP6vpJB7S
|
||||||
|
XgHwQVfKx/rmB//dUZ3ZcZ6IXActfAxm+F1uXjhRi3hbctLV4GlMAV2/ijLX92Ob
|
||||||
|
WZv+zdCH1fioicsObmRgYuyk6gPlpMyAA9u915MH12o0G/AwZaquIfocmRlDwuU=
|
||||||
|
=zv+X
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: FB44F0746DF25F0B24A2EAE586C8A257C3EC82AB
|
||||||
|
- created_at: "2024-02-29T15:23:18Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hF4Da5T//DC6DJkSAQdAtDsm8pgrR36jWw5qeWr2Ezxa0Y/feoC5R2rDatrPySsw
|
||||||
|
rXez9HoJLmHPJf5iFMxpEhgO8LAeRkSOUVDoMQAKnwP76CRAI+Y6uDa9qlWvWFDQ
|
||||||
|
0l4Byo0ib5MviXkFCy0ZslKpwAL5NR4VllC87HhndwkynizQgRevmB+ITU4QeNZo
|
||||||
|
+eNJaGphJdn0CuAO1F4vOw/qTHSzVxrLaux9J7Ovy1oM/jbFcAbUIelfkLZc13xR
|
||||||
|
=5kVn
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: FBBFAC260D9283D1EF2397DD3CA65E9DD6EB319D
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.7.3
|
version: 3.7.3
|
||||||
|
|
File diff suppressed because one or more lines are too long
162
secrets/tomate.yaml
Normal file
162
secrets/tomate.yaml
Normal file
|
@ -0,0 +1,162 @@
|
||||||
|
portunus:
|
||||||
|
search-password: ENC[AES256_GCM,data:lUG8qGioYZOAQHRhDMCBq6rRRFOs9R4ohMHEctxi/f6soE4aQZHyENEW,iv:6wgDgre5wr630SkRlT2kHak4nnOkx3DVFbNcq4FehGw=,tag:S5EiXEsoId+pGYaQ8lq7JA==,type:str]
|
||||||
|
print:
|
||||||
|
smtp-password: ENC[AES256_GCM,data:XoaLiEpqAdKapeS9YoBfh2w7HFuTCV9rHIciH+qUbhHcdsgVpnPMsSlC,iv:WxfP5d2K9soJPoRPuS6O6PbNvo4TBQjPGiV0e+a501Q=,tag:ZsTdR+b/oYFAYz/MN73PFg==,type:str]
|
||||||
|
sssd:
|
||||||
|
env: ENC[AES256_GCM,data:9IbU7uaElmemQHVUvsM88hcyNl3WFehgQeLZPtUxt2Sd0IECm8qNkQhWJ4kuvoBnQsdsUrFm/0QuW7AfDFOeE7FxMxg0,iv:dyzsYHlqClWbfzsoJ36iYjaXWpidB1ZqHXI7RP7js2Y=,tag:97FMOeVwAEy8Ka79uZKC8Q==,type:str]
|
||||||
|
ifsr-apb-auth: ENC[AES256_GCM,data:hxJOvRbgjB//YU3wy04P7yrQbV0Ggoi18wQxwy4hHgbXizTHbmlfiZ/MstITrZQ6qEPVBEW41/iGU3DO2Cg2ofpWvFU5Gr8FM1AC9DKq8SppLGqzel1mEejPfrh4RbQUMe0zZlc/YfhCah5sM0oPnBQNg8bPpveEO+5/bRq5S24jkkv7w6/AAS8tGvjALVf/g95jsCrQO2MYg9jCCEkdhORU0bowGD8cjTr6wnPkNhwzn5tiKoPn6eH6TFBkqNC+Q/5E+os10i9F1c3z/sv8Snrcl7V5higqrQekhEvGRDmax/4lE8Yb3AoxC/2M4/+9x+OPi0JUkkhC6rghETXpmYkuaD7E8+eEtLeSbiJPlPijq2HTtbtsHcSoMUdoGO8644TVe/jDxaEe54p9OWEFjRRpONijQKsfH3wENlUXmqDQDLfMSpoANxIHMh+RmRzktGIvTgvs6rlKXsWp7/gggFVxdM/5QPbE3pUvGr+JPWz4,iv:6c1HxYGrItPwKzAnQ0zUvO3TSejVZ/aWF9zs99ufzl4=,tag:fELOskceJWKmkm74MCsfoA==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age18lwgjazaxujqgcc5j0gjllnykhtjn6p0q44jzrsk4au2a5k6nd9s77kd6d
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bW5yM1o5SHNXZldjcWtO
|
||||||
|
NkxENWNqTlpVeXVRS0MvNFhCUnNlWmVDSkZJCi9KNiszcUZHTXl0WXdJMExtcGYw
|
||||||
|
WFZVNGJkZVRrdkNRV3llUEJjay83NmMKLS0tIEhWNGRkREJuYWhaamFWQ2lEZUo2
|
||||||
|
TXVrMHZCNU5zOG5hVnNkdEoxcTZqWXMKA9eG1zM6HeLAAOpIo8Z5+5KD4Z5P3rdc
|
||||||
|
kE8sUXHD3d8SMmSKcTYe6gGVzFuw0xxnMb/AmjAQosvDFTQsWy1sTw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-04-16T08:58:21Z"
|
||||||
|
mac: ENC[AES256_GCM,data:2aOOVZK7kshJFBWphvW/BqRUXht4p80Q15nGJNA1EbjT05f3tYdrr8QuM5Xd1vJO07rgmokWv4XwbzodRIwqidEXD5xuJ1v+kHC/jJnO3yrBKY7kVMHkia2Wq00bcN/iwdW6G6AP5D4HQbmFNo+rLHyjIVwPvtu9jutKpz12NH0=,iv:YCBX2gSEmiUa6HrHi0VEcRGWDJrXGajD8ZbOZcppFnM=,tag:FK2E4hukl8oL5aZNTCQESA==,type:str]
|
||||||
|
pgp:
|
||||||
|
- created_at: "2024-02-29T15:23:28Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hF4DntlvaG5T7wcSAQdAVYr0vThE6byTzCZiUrErtuouL9k2b3uTQKR3pnk1qmcw
|
||||||
|
Pw8+vdUOal5i/M9jFWexJzJ1nenzhIogFWry4FdXRX7V39/nRJQ1mbF3+3T/yldD
|
||||||
|
0l4BdQ3xmtVUiz+PYCzazHC5+wPB4iCVs3fkTiLvNBNzUDEHvj6T7w72eKhld9VT
|
||||||
|
NFcOI2lSDea9EYksEdLef4VnE8gI1DeYxJAc60GXydmBJZO30xeOFMru+XE2N7Cy
|
||||||
|
=S7ex
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: B8E1727497FC48AA14158BDF947F769D7B95EC2B
|
||||||
|
- created_at: "2024-02-29T15:23:28Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMA/YLzOYaRIJJARAA0fWU9NbHhvooG/4gYcadlwNPtQqOIw+6g/L9Gx8wKEhR
|
||||||
|
i9451S9oez3ElkwIeiF1YPCzokF6TuKv/++nV5SjC9PZVSHnrixrQscdN1FtMvH9
|
||||||
|
ad2dC4GD69fXebq3f1vj77fAZxif6OMcEMpDiRRXHHJetzuUDkLpk0YSR/ZM23m/
|
||||||
|
ag/JrHNUNgSJPLFRjvSNqX/DO/Etf/RfEwuMoPmwpGrQFhBTwtcIjjrJ2zT38q21
|
||||||
|
PhWrjAL0Mxjnt1zFOGLLXwV5wkpmLOj2GGIBJJ+/B1zEawkbOx/ROuzPFKrDmrrh
|
||||||
|
xz29AVi7Ok9JanwgPGRNytnUHmxToisIH+FZqwpDTsop0ZQOCtiUWIZot+i8XGxs
|
||||||
|
rJhHTKxetJfsJCQUe4K2RJtHnVKIluzLDFyxoOb5SVmXoslY/EIQEYJz2lFPG2sc
|
||||||
|
PbP6XUh5ObZTK3IRIFqeQzjjLI1eaLdYjEOr+a4Do98Dd7+vJ1nLwkC9Wo7JLaaR
|
||||||
|
yd4emYpyB8R72Zf5+TPhN6ZWAL97OQdCZCSxyh3hDUZt4Wckg3I2yjw1mh56yVJF
|
||||||
|
fFOCOA/nXWpYXyRTbxuPuvCqjVsmVDEh+STZLIFsARzvz+yrlpEFoQw0G+Xa/XfO
|
||||||
|
aUt+HWGYji15+KVZJnSOXHhN4z4amsg8mtAEKfhCU7pl3jyrxa2MvArPBIU8FB/S
|
||||||
|
XgG8vs/FjyRkm+BvmHHEHmh8JkC9B9Lx1kmMpHw+fMis90IqZ52I82RmA6aO5jqR
|
||||||
|
ywlIrtvDLC/5STZaBdTt6EJwf3OAvRY+H1Br+SLtz9xXUxgzV9JOHWTefzRH2JQ=
|
||||||
|
=3Wnv
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 91EBE87016391323642A6803B966009D57E69CC6
|
||||||
|
- created_at: "2024-02-29T15:23:28Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMA8uqUsBLHj6XAQ//SVU6B8zLxtpp1gQ/U+EGpgbP8N3IrIcUPrPVx72dIu+y
|
||||||
|
7acCmdgralvEe/MLG4vNSnkrJdCCk7piBG2JFTMUFbqbFkUVSyZyG1yRsyezB3AZ
|
||||||
|
czSdffSQ0SbxWL73ANO7Z4asRwXkqjDTTKTl3xL3Iw8tDu22INeFwmcZPFV9F19J
|
||||||
|
K/BanSBuofUOiQB73BNv/8lA6ssxqufj+9pDDoutzF5XWpd8wUPn2hIcNWtr6NyY
|
||||||
|
wl9U/Jb/gkhnUR/UHGO2Nz5kAWz1lhysa/dur6I1mrxBJ0mO9I0j8A6U2cBPxdG5
|
||||||
|
JBiTuKlFi4RhKUAraPDC+c3fM3Zp6zIOWhZgRNGlnR0Tu3fTeqdt7DwYh0bCOpJy
|
||||||
|
tTtj779hRj+cnleKG0QB89MY3XFpHQR60iBEMnqg522LLlTzLbvu6BEUvM/4jv+j
|
||||||
|
2aq45zyYyIHC99k8xG9vl5Ou+3XhDqqVRUQ3qCRbavupWRKdibaNqjcaMr/zDqQ3
|
||||||
|
TxmDluLnsbCGnyYmZDocwAqVvTVorHEr8yumjViFpXPImRe+na/0JCuxRHbBcVt+
|
||||||
|
9WynLgKy83rHY3tWKhqYobh20mLXNNcCiUvdGFYI2X/wyUmSRMkuNpT8fsvdr179
|
||||||
|
BtERX0a3VpzaBV41pMsEIj7okx1MScMxXEmAktnDEQgyPBwV2CZpp2lM3YJajVjU
|
||||||
|
aAEJAhBKMkW8iDDTeG/ISzhGv3Qz4B2ujOvb22N1j/LVH6HUcq/Kg9tNJ3nDuT0v
|
||||||
|
zP1O6zxkwZsm23at68ZkfxXdBm6Qwf/sblfxYi2SOvWn+fXSmkSfGPVgw0vDG3+G
|
||||||
|
0DskmbWWbRuD
|
||||||
|
=9+VA
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: F8634A1CFF7D61608503A70B24363525EA0E8A99
|
||||||
|
- created_at: "2024-02-29T15:23:28Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMAzUXo8ZPJwGLAQ/+MGbYqzJX74UDkNrAC1QUvA54pROBzoKnI45ODtT9gp/5
|
||||||
|
9Cv5Hx3d/1UA/IGjGh6Wjv7ljCjH335R47bWBDmnE4WmrD9O2gopjBqAuF/k/tIs
|
||||||
|
Vc4+8AD7F85PTSSdb1t/2hu/gYO/FAmwpwxLBmWD7iwAwpDZoPB3lBYwvqNOlnmX
|
||||||
|
8cFYALyacBBMskwp5ydNEUtQO02ycHUfr3WVC3TponHva971Bsif2Lq4aQW2jCfm
|
||||||
|
0a+RvO9cdv4RjVkd0/eKXnjpsFRkmggTAmXrlrer1hydENbdq9Fl9QHPxRG/jp6b
|
||||||
|
SjzqSEc38wbxX2zo9GihPWRHPNjXEJbXGWfwAA6MZpHpI16NEU98+B3OOsrFZ6D7
|
||||||
|
Zr7BAhVqYXgriICx9K/czFN+oDp5Dpsy1/9NGhx2mg+KJXx6F66MN4ZB24u/rgTR
|
||||||
|
iC3YGoXfx9vq0tbv2m8zPOoJ3PjmmLzfSwXQszK/GOFvu89r57Hz92K4UpyFiLPf
|
||||||
|
jUoT7GDfEnU+4OFKdmBDzqFV2xm5TCnoCpjCfi+kbpszThoaF2L3ZvgypxK5K4cf
|
||||||
|
SkPoU2HgXwL79sXfFknajKKtBFcE55eLggtKmANoBN2NOf+yUQuqwnJRaN+ELtKp
|
||||||
|
1HJ+ztoPEcrEG3zljNZ77/n8B8kprVA+E4sxzLrNHM+sRzoiDixq+nEB7p5F6+zS
|
||||||
|
XgH/wanI8NFYgP4w48mM50rboUeeadwGoju7XNNoEcaLzCaGWkoUWNbtH+NGnaAR
|
||||||
|
OGux0gslpa4mPnHWySU7b/1LZiIop9PyXCqGDyUzjBCaNKQypMMO3BhmvdHf0ug=
|
||||||
|
=oRNh
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09
|
||||||
|
- created_at: "2024-02-29T15:23:28Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMA30JDs8MiK29AQ/+JcDqCXFj6/8NsrMx+mv92Xgqo5b8hQC92DxOEVd2kBrE
|
||||||
|
aqe7LPbhpm8ujuR5rRRNKmnJX1QQXn7GHAua8tA2+7oYVhVJfpIp1m3FlOkv6Jt0
|
||||||
|
Mz2FMotFfts/Lq5MGUB2WU1fkXMcZ2J9gXZGoEwVRFFATu4lHy6IZKtbYHm8onlM
|
||||||
|
WXuhX3+uM1Tw4TCaqnyfi8fEGvocpwD1kT4Y2F7VipNVoSbP9DNf9rVIuKfTzLMX
|
||||||
|
NxueFmfUcLt3Z1/HSV40KkYseaZcLhWOtKbpFTwG/zdzdSIWzCjxPGwcK+nVBDeS
|
||||||
|
OhFdcoKC7c9GKb1bbxaPq5BwSpy29/PBv7SBM2vfUvyc9MrKvXdh1VzOgTkSAjdH
|
||||||
|
DxeEtFNMIhrCeCuMZwjBrIckSr3dFh73YqvEbSV/1Z2nK8qLBWKEy4noAOhI0Kxe
|
||||||
|
T05cCaGFHVJxy34lmb1AMHATLt6ZDDUn+kgiOD13SozMAsS9045MSnJgcVCb953/
|
||||||
|
cxx5LfyN3KJO/17YFgNlq28yVavFTp5h5en/DexY35nvvACBi7uah5WQh8Y3fbB6
|
||||||
|
5Eb0t2FcsHY3L11tbjnVz16oFRE/SuS2NK+k20QEo36eBc272cKjkj9CS1w6D3lq
|
||||||
|
7qFQCBD4NWITn1FgHDNfDVNZI3rocMMp8VgBzpknvBZmRc2PQlW1+jIt/7x+JP3S
|
||||||
|
XgFd5m3vvtbLhJVG5X0GMbFHC4QaBTou6buKdfvuQ8ZqUb8o52MPNXKmTDW99ywM
|
||||||
|
5pItfzPtHZ7q8T+rZKEnNcL2TBhgfHsuFzqC06D2jeC/tulvbhw0VtBcnJzSlSg=
|
||||||
|
=ihPC
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: BF37903AE6FD294C4C674EE24472A20091BFA792
|
||||||
|
- created_at: "2024-02-29T15:23:28Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hF4DNffZWjBmO5ASAQdAD+Em/15kuzC0vIaYSkTGQS5SwwCGRmBc9V5u5ChsunAw
|
||||||
|
RiXIlOl3EhpR6qzxCfUgLSr+WEXK20AFGo8gEfCpKqAVE3orPGh4btwcV/AzZyID
|
||||||
|
1GgBCQIQO4OYcDhulX1kReGuRHVJWLsjvWlUJQjlYPXPaS7QD6vCmie986wNEOAN
|
||||||
|
kqDyuSsoetM3OdZgTvyj0tmTdNNm9X90xKjyV+wcYKlAkVL82PbnEwIqQhlMoZv/
|
||||||
|
0Uhdu9hQ3VXC1Q==
|
||||||
|
=0iem
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: B1A16011B86BACB56ADB713DB712039D23133661
|
||||||
|
- created_at: "2024-02-29T15:23:28Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMA1tId/HHLgxAAQ/+P7hzNKzSA3JVSSAqfAV5umI1hACWf3ticSkT9tlfGYx6
|
||||||
|
+xWvkwmtLBAumPYwIrVVvKSG2KBdiD/p0CugbpMUA2164IGrJVQsnBpeyV3fgaNQ
|
||||||
|
GMbb+Jq1Nfh5QsmI0X+D4xcNcPae3Ml+4TXtjXkDlowG2c4x7AHiHKnQj9Agszry
|
||||||
|
F+IUdlVt4dESbMGv+ck6fz6AqJ3OiQaesRps+FTrWtVhzuu9DIuup4E+nb7qaADz
|
||||||
|
knmjPfPxX7rSwfAVbvgmGZ0hRM4KaIqt26Fyd0pnnxc37KslgBcQDl2bIu214SKT
|
||||||
|
vmaSwqCOF1JXe3MAKJjFu0e1Rq+6/Dt9sZxWcXi+uKVqXaQznHXrxXywG8dmV2jZ
|
||||||
|
SS1rLoHKZ7Sk+3EG9WAfNA0SDNpcRQ11TXCXKYaNkbhsNucKBa3ipGO+l3ypFWNj
|
||||||
|
zmJMHR9mZuH/cV/DRC7eyWihbcYSAVfOuNYp61KUsW5Z4aYN/yrBZIDi8wqbN2J5
|
||||||
|
TNI13Opj/3Xvu8mVC4fipORvwRpwlFX5hT1ioDZ/vmtgufWWPNSc7XEN6HIie3OY
|
||||||
|
8nljJqPOhdYuTStejtBkt/qvqWWGlpPILCKndqTEFoMv5h7ussNV/+6eGUIx3+1Q
|
||||||
|
G1Hj0Dptw+w9dx/CAh6BVjSCF05892o8UNljOzr0mdxvZYfOrnrMjm2aqWLYO37S
|
||||||
|
XgGHuVKMpj8zFhIERSZj9q5ZZuH4f7AFgEzeRBghNZCGeMlA9T8BW1ctZ7v20wpL
|
||||||
|
q5F3s6h/Vpif4WrdcuVwxrsF5Sar08mJaVRQdJrps6hFENwy0qs0zn55gKIae/Q=
|
||||||
|
=HZ7i
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: FB44F0746DF25F0B24A2EAE586C8A257C3EC82AB
|
||||||
|
- created_at: "2024-02-29T15:23:28Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hF4Da5T//DC6DJkSAQdALa6lkOmkWCMYVZj7SE95wbejf6w18ouzh0NeKx1SeTEw
|
||||||
|
NoAN13YgKuk1b30zfSbjbr1LeGvk4xvDF+1nk+8dLccUPFQO8svT0/L2DhAQ8EV3
|
||||||
|
0l4Bf3h1T3Hoc28my9LvjvMo7brUGqX6TDRsZiLdOe/wk/EbnuGnTUCtHytxGUIy
|
||||||
|
dtQa263hpVrA1xRIxHyhHRKACp+4PD3SvmDpQ2u33bVfZ9F9vzRPGXvE6E3Rw8jD
|
||||||
|
=Dxdr
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: FBBFAC260D9283D1EF2397DD3CA65E9DD6EB319D
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
Loading…
Reference in a new issue