Compare commits
333 commits
#56-extern
...
main
Author | SHA1 | Date | |
---|---|---|---|
|
f92fea1224 | ||
|
2d9a3cbd11 | ||
70a83bd97b | |||
e012fdf3a7 | |||
|
e478af71a1 | ||
a1c9125397 | |||
67c3787d2e | |||
7799bda982 | |||
af1535b7dc | |||
19a0b8044f | |||
2728487448 | |||
13eba34a56 | |||
1baeb24761 | |||
|
b2297e2843 | ||
|
4f4431cd6d | ||
8c98281eff | |||
45afc95d99 | |||
49d69b1a10 | |||
cb2fba3f81 | |||
6d2a13cf03 | |||
97a062180e | |||
be75fcb296 | |||
50fc679172 | |||
45e9d60967 | |||
59855b06e3 | |||
6d4160fe65 | |||
ff6af9916d | |||
2c196ae87e | |||
c648bded74 | |||
8a85846c0d | |||
5448662230 | |||
50459f7982 | |||
|
c114f31d2e | ||
|
74a3f11f9b | ||
|
87383ccaae | ||
9a8b446497 | |||
2fc07e49aa | |||
|
cd10457035 | ||
|
8e48b61473 | ||
86efe11f83 | |||
1fcfc78c6b | |||
91d76c08f1 | |||
0b0db08f01 | |||
5c5ea3678d | |||
a4be5de575 | |||
ad9e434a28 | |||
51d8a84432 | |||
259a6df8a7 | |||
|
c0aa5c138d | ||
|
e1a3a64a8d | ||
|
542ee2858e | ||
|
df6825cb7e | ||
|
335f2f08f1 | ||
|
d47abf2527 | ||
|
8275f3063b | ||
|
d76d5acbb7 | ||
|
be4f8dbe89 | ||
|
71d6d7555b | ||
|
14334cbee4 | ||
|
181a78286e | ||
|
a6a368457a | ||
|
7eb83514ca | ||
|
743f6faa44 | ||
95e9b971b2 | |||
|
13e9552799 | ||
|
6831976805 | ||
|
103bd93772 | ||
|
8725a9af9d | ||
|
668dd90358 | ||
|
b215f10513 | ||
|
0907c36e18 | ||
|
fdebdb6cc5 | ||
|
839009195a | ||
|
951a72d0a6 | ||
|
5d72d1aa84 | ||
|
5eeda983eb | ||
|
5012dd992f | ||
|
2e06a80dfc | ||
|
65d4a91fa4 | ||
2bcdfb0f83 | |||
8c828738ca | |||
|
7c8d9641b5 | ||
|
97ca87ec11 | ||
|
c692663e0e | ||
|
37c564be74 | ||
|
fdd2c24bbd | ||
|
5d6aec46de | ||
|
32d534be45 | ||
31e7cca4ed | |||
7dcbf88fa4 | |||
|
4b2720df36 | ||
|
5fa1bbd818 | ||
|
a050b6ced7 | ||
38e0322f67 | |||
|
31dc474c84 | ||
|
3347ac8a89 | ||
|
9143fdc77c | ||
|
11d4c2269c | ||
|
4196934565 | ||
35b12b57aa | |||
6c9a852e78 | |||
ddf5a22d8b | |||
287b268161 | |||
|
31c94bc8d2 | ||
|
34ffe6c37f | ||
|
884617ddb7 | ||
|
39fd65d467 | ||
|
ac7db8f099 | ||
99b2ba1477 | |||
36e9e6b76d | |||
|
97d750ac66 | ||
fc78bb7287 | |||
5d93ffb71f | |||
41dd05cd36 | |||
350f4266ed | |||
aefd9bbdb0 | |||
|
598ae73b3e | ||
bf939cc941 | |||
|
4688eec153 | ||
961a35b990 | |||
987db0c6aa | |||
|
6ce2a6337f | ||
deb43c0768 | |||
|
6c9df12566 | ||
|
fb1ef7b66b | ||
75740f9bae | |||
6376e910f1 | |||
|
8e57469ee2 | ||
|
1638e44caa | ||
58800bf7b2 | |||
|
68d5a91b0b | ||
a7b559972b | |||
|
39be11301a | ||
afa3515cd8 | |||
0e5990e563 | |||
|
8302b216e0 | ||
|
9a67dfee37 | ||
|
3997805406 | ||
2d95094fbd | |||
|
692ed8e3f0 | ||
|
04944584c6 | ||
fbff2a4ab2 | |||
|
de72894701 | ||
|
5cdcd97f6b | ||
|
25c4007e3e | ||
|
fea5ec177e | ||
|
f49bf144ae | ||
|
e76262aa43 | ||
|
20f0c16e2f | ||
9c6844fed2 | |||
f61b9c8d6d | |||
|
62115a3d93 | ||
0e7048be31 | |||
c2ace73a9b | |||
9120a81d6b | |||
186833f70c | |||
|
31f54b1e92 | ||
5a21783b63 | |||
529b0e13ec | |||
410017d86f | |||
1fb4318310 | |||
f00ae5bd2d | |||
97d1783561 | |||
98136e802b | |||
86e0c091fb | |||
4f87e56d63 | |||
cd002aec03 | |||
9c7d08c153 | |||
35920eda0c | |||
ba527ead3b | |||
1212ecc7a1 | |||
bbcc8fc1f6 | |||
ba6d831f73 | |||
bd96a84fe8 | |||
d64997991d | |||
537863c913 | |||
ed4dcbc756 | |||
5c6939bc83 | |||
2834fbba8d | |||
c5a651d98e | |||
648b437767 | |||
a4d83fde50 | |||
2a949f8e82 | |||
abdc5b6d50 | |||
c5c44acc8b | |||
1287160cdf | |||
4c8ebb455e | |||
454e58b085 | |||
2a8a7cc7f4 | |||
0b25b5ac54 | |||
356ac2e505 | |||
1a07781c4d | |||
15e534c222 | |||
e9d5985adf | |||
cb0cfbaf4a | |||
b1bd6ca40a | |||
9fb45cba7e | |||
3837ff2dd1 | |||
b6b9ae0579 | |||
|
b7cb7eeade | ||
2a45bc4f70 | |||
e6954d3448 | |||
09e7f8f0d4 | |||
dac45073d6 | |||
9583eaa9be | |||
a0215b2271 | |||
cd13520aba | |||
8009b7c8d1 | |||
|
07cb42dd65 | ||
6229abcefa | |||
|
c197f0df85 | ||
435379e610 | |||
44c81b1f3e | |||
897c52cc3e | |||
7ea813667b | |||
d226e905a2 | |||
40ece2f683 | |||
9b84ff8619 | |||
|
5933cb5dfe | ||
|
c0ddc2d6a9 | ||
9e90553a6b | |||
|
e0a461bb0a | ||
ed331c3f08 | |||
452f33baa8 | |||
|
149b58ce09 | ||
|
1b848029e2 | ||
|
d3030aa2d1 | ||
5c33399d97 | |||
1d3549d541 | |||
5c8dcdef00 | |||
34f8f0eb8c | |||
fee1e34ca8 | |||
69bd2be07c | |||
4b9a743e40 | |||
|
8c96241b67 | ||
672ad2b96e | |||
ce820a5d3c | |||
e94683c3d5 | |||
3d6a1ba696 | |||
8c7f2b5454 | |||
5ba92dcbc1 | |||
7d8833a451 | |||
|
37bfebec20 | ||
|
62fe4a2ba5 | ||
|
b7a5042538 | ||
a156d1ba1e | |||
|
b2ecb14f68 | ||
|
c4e3a41831 | ||
dbf7a4d5d1 | |||
|
991758ef46 | ||
8d60c67722 | |||
cbc5af9b53 | |||
1fb2bba4ce | |||
62d28bab4e | |||
9316caa559 | |||
be9f5084eb | |||
689344e518 | |||
379cb84839 | |||
f8c7860eb5 | |||
54b43c9962 | |||
e156b4ecaf | |||
73a9419798 | |||
449ada5cec | |||
023b491d89 | |||
75f0a17fcb | |||
9eafd6f53e | |||
|
c71b3571ce | ||
a6b070a971 | |||
e7e5d554b2 | |||
f55d23e821 | |||
b545c623d2 | |||
44750155f1 | |||
694cbb2f0b | |||
|
c0816ccce4 | ||
|
889bb0dab6 | ||
f7dd90e92b | |||
147bd86ad5 | |||
|
963a189bcb | ||
9148963c1f | |||
b8c6e153a4 | |||
15271c1d09 | |||
62ead11aad | |||
aba1a41d4d | |||
0f75f11918 | |||
|
03ae1c5101 | ||
|
061453e5d1 | ||
23f77caef6 | |||
|
40e4fe5ac4 | ||
|
fd3beade9b | ||
|
9aeb7313b4 | ||
|
1ea703bfa1 | ||
|
113084148c | ||
|
ca87227571 | ||
|
9b3e7265dd | ||
|
82305d43ff | ||
|
be56e6b9e9 | ||
|
cf600e2dc1 | ||
|
7f5f21dc8a | ||
|
4637777e5c | ||
|
183f5a0e7d | ||
50abdb90ab | |||
|
4ce0f69fb3 | ||
|
2a605151f8 | ||
|
739529caae | ||
|
961509ddc8 | ||
|
70b1d6324d | ||
|
115535c386 | ||
|
519e907278 | ||
867e7a702f | |||
|
1b31b6535d | ||
|
eee9632878 | ||
|
44a7fde53c | ||
63874105a8 | |||
5bf1ddbebe | |||
7408873102 | |||
6ae584c895 | |||
cb6f9c2b8e | |||
|
aec580a93e | ||
210845d2cd | |||
ebefd81def | |||
48e48c43c7 | |||
54606be0df | |||
a4c52ea87c | |||
|
2b09716c4d | ||
|
b1d7c15a4d | ||
|
d48e68d3b3 | ||
|
d73be0c8d3 | ||
|
25f687cacf | ||
|
05ab8b0238 | ||
|
7cd4f9288b | ||
|
57a16a2c8f | ||
|
b343009682 | ||
da721924e4 |
98 changed files with 3217 additions and 2214 deletions
59
.forgejo/workflows/deploy.yaml
Normal file
59
.forgejo/workflows/deploy.yaml
Normal file
|
@ -0,0 +1,59 @@
|
||||||
|
name: Build_Deploy
|
||||||
|
|
||||||
|
on:
|
||||||
|
workflow_run:
|
||||||
|
workflows: [ "Update_Flake" ]
|
||||||
|
types:
|
||||||
|
- completed
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- 'main'
|
||||||
|
paths:
|
||||||
|
- applications/**/*
|
||||||
|
- machines/**/*
|
||||||
|
- secrets/**/*
|
||||||
|
- flake.*
|
||||||
|
- config/**/*
|
||||||
|
- .forgejo/**/*
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
linter:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- run: nix fmt -- --check .
|
||||||
|
- run: nix --version
|
||||||
|
|
||||||
|
#if: github.repository == 'Skynet/nixos'
|
||||||
|
build:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- run: nix develop -v
|
||||||
|
# - name: Archive Test Results
|
||||||
|
# if: always()
|
||||||
|
# run: sleep 100m
|
||||||
|
# - run: colmena build -v --on @active-dns
|
||||||
|
# - run: colmena build -v --on @active-core
|
||||||
|
# - run: colmena build -v --on @active
|
||||||
|
# - run: colmena build -v --on @active-ext
|
||||||
|
# - run: colmena build -v --on @active-gitlab
|
||||||
|
|
||||||
|
deploy_dns:
|
||||||
|
runs-on: nix
|
||||||
|
needs: [ linter, build ]
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- run: colmena apply -v --on @active-dns --show-trace
|
||||||
|
shell: bash
|
||||||
|
|
||||||
|
deploy_active:
|
||||||
|
strategy:
|
||||||
|
matrix:
|
||||||
|
batch: [ active-core, active, active-ext ]
|
||||||
|
runs-on: nix
|
||||||
|
needs: [ deploy_dns ]
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- run: colmena apply -v --on @${{ matrix.batch }} --show-trace
|
||||||
|
shell: bash
|
12
.forgejo/workflows/deploy_forgejo.yaml
Normal file
12
.forgejo/workflows/deploy_forgejo.yaml
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
name: Update_Forgejo
|
||||||
|
|
||||||
|
on:
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
deploy:
|
||||||
|
runs-on: nix
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- run: colmena apply -v --on @active-gitlab --show-trace
|
||||||
|
shell: bash
|
31
.forgejo/workflows/update_input.yaml
Normal file
31
.forgejo/workflows/update_input.yaml
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
name: Update_Flake
|
||||||
|
|
||||||
|
run-name: "[Update Flake] ${{ inputs.input_to_update }}"
|
||||||
|
|
||||||
|
on:
|
||||||
|
workflow_dispatch:
|
||||||
|
inputs:
|
||||||
|
input_to_update:
|
||||||
|
description: 'Flake input to update'
|
||||||
|
required: false
|
||||||
|
type: string
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
update:
|
||||||
|
runs-on: nix
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
# Give the default GITHUB_TOKEN write permission to commit and push the
|
||||||
|
# added or changed files to the repository.
|
||||||
|
contents: write
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
ref: ${{ github.head_ref }}
|
||||||
|
token: ${{ secrets.PIPELINE_TOKEN }}
|
||||||
|
- run: nix flake update ${{ inputs.input_to_update }}
|
||||||
|
shell: bash
|
||||||
|
- uses: https://github.com/stefanzweifel/git-auto-commit-action@v5
|
||||||
|
with:
|
||||||
|
commit_message: "Updated flake for ${{ inputs.input_to_update }}"
|
3
.gitignore
vendored
3
.gitignore
vendored
|
@ -6,6 +6,9 @@
|
||||||
*.tmp
|
*.tmp
|
||||||
tmp
|
tmp
|
||||||
|
|
||||||
|
# open office tmp lockfiles
|
||||||
|
.~lock.*
|
||||||
|
|
||||||
# Test files
|
# Test files
|
||||||
test.*
|
test.*
|
||||||
*.test.*
|
*.test.*
|
||||||
|
|
|
@ -30,7 +30,7 @@ update:
|
||||||
# the part that updates the flake
|
# the part that updates the flake
|
||||||
- nix --experimental-features 'nix-command flakes' flake lock --update-input $PACKAGE_NAME
|
- nix --experimental-features 'nix-command flakes' flake lock --update-input $PACKAGE_NAME
|
||||||
- git add flake.lock
|
- git add flake.lock
|
||||||
- git commit -m "[skip ci] Updated flake for $PACKAGE_NAME" || echo "No changes, nothing to commit"
|
- git commit -m "Updated flake for $PACKAGE_NAME" || echo "No changes, nothing to commit"
|
||||||
# we have a custom domain
|
# we have a custom domain
|
||||||
- git remote rm origin && git remote add origin ssh://git@gitlab.skynet.ie:2222/compsoc1/skynet/nixos.git
|
- git remote rm origin && git remote add origin ssh://git@gitlab.skynet.ie:2222/compsoc1/skynet/nixos.git
|
||||||
- git push origin HEAD:$CI_COMMIT_REF_NAME
|
- git push origin HEAD:$CI_COMMIT_REF_NAME
|
||||||
|
@ -48,13 +48,14 @@ sync_repos:
|
||||||
- chmod +x ./sync.sh
|
- chmod +x ./sync.sh
|
||||||
- ./sync.sh
|
- ./sync.sh
|
||||||
rules:
|
rules:
|
||||||
- if: '$SYNC_OVERRIDE == "true"'
|
- if: $UPDATE_FLAKE == "yes"
|
||||||
- changes:
|
when: never
|
||||||
|
- if: '$CI_PROJECT_NAMESPACE == "compsoc1/skynet" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
|
||||||
|
changes:
|
||||||
- sync/repos.csv
|
- sync/repos.csv
|
||||||
|
|
||||||
.scripts_base: &scripts_base
|
.scripts_base: &scripts_base
|
||||||
# load nix environment
|
# load nix environment
|
||||||
- git pull origin $CI_COMMIT_REF_NAME
|
|
||||||
- . "$HOME/.nix-profile/etc/profile.d/nix.sh"
|
- . "$HOME/.nix-profile/etc/profile.d/nix.sh"
|
||||||
- nix --extra-experimental-features 'nix-command flakes' profile install nixpkgs#colmena
|
- nix --extra-experimental-features 'nix-command flakes' profile install nixpkgs#colmena
|
||||||
|
|
||||||
|
@ -65,13 +66,23 @@ sync_repos:
|
||||||
- mkdir -p ~/.ssh
|
- mkdir -p ~/.ssh
|
||||||
- chmod 700 ~/.ssh
|
- chmod 700 ~/.ssh
|
||||||
|
|
||||||
|
.scripts_cache: &scripts_cache
|
||||||
|
- nix --extra-experimental-features 'nix-command flakes' profile install nixpkgs#attic-client
|
||||||
|
- attic login skynet https://nix-cache.skynet.ie/ $CACHE_KEY
|
||||||
|
- attic use skynet-cache
|
||||||
|
# add any new items to the cache
|
||||||
|
- attic watch-store skynet-cache &
|
||||||
|
|
||||||
# every commit on main will build and deploy
|
# every commit on main will build and deploy
|
||||||
.build_template: &builder
|
.build_template: &builder
|
||||||
tags:
|
tags:
|
||||||
- nix
|
- nix
|
||||||
before_script:
|
before_script:
|
||||||
- *scripts_base
|
- *scripts_base
|
||||||
|
- *scripts_cache
|
||||||
rules:
|
rules:
|
||||||
|
- if: $UPDATE_FLAKE == "yes"
|
||||||
|
when: never
|
||||||
- changes:
|
- changes:
|
||||||
- applications/**/*
|
- applications/**/*
|
||||||
- machines/**/*
|
- machines/**/*
|
||||||
|
@ -85,7 +96,10 @@ sync_repos:
|
||||||
before_script:
|
before_script:
|
||||||
- *scripts_deploy
|
- *scripts_deploy
|
||||||
- *scripts_base
|
- *scripts_base
|
||||||
|
- *scripts_cache
|
||||||
rules:
|
rules:
|
||||||
|
- if: $UPDATE_FLAKE == "yes"
|
||||||
|
when: never
|
||||||
- if: '$CI_PROJECT_NAMESPACE == "compsoc1/skynet" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
|
- if: '$CI_PROJECT_NAMESPACE == "compsoc1/skynet" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
|
||||||
changes:
|
changes:
|
||||||
- flake.nix
|
- flake.nix
|
||||||
|
@ -105,6 +119,7 @@ build:
|
||||||
<<: *builder
|
<<: *builder
|
||||||
stage: test
|
stage: test
|
||||||
script:
|
script:
|
||||||
|
- nix --extra-experimental-features 'nix-command flakes' develop
|
||||||
- colmena build -v --on @active-dns
|
- colmena build -v --on @active-dns
|
||||||
- colmena build -v --on @active-core
|
- colmena build -v --on @active-core
|
||||||
- colmena build -v --on @active
|
- colmena build -v --on @active
|
||||||
|
@ -146,7 +161,6 @@ deploy_ext:
|
||||||
- deploy_dns
|
- deploy_dns
|
||||||
script:
|
script:
|
||||||
- colmena apply -v --on @active-ext
|
- colmena apply -v --on @active-ext
|
||||||
allow_failure: true
|
|
||||||
|
|
||||||
deploy_gitlab:
|
deploy_gitlab:
|
||||||
<<: *builder
|
<<: *builder
|
||||||
|
|
45
ITD/Firewall_Rules.csv
Normal file
45
ITD/Firewall_Rules.csv
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
Rule,Action,Ticket,Status,Source_IP,Source_Server,Destination_IP,Destination_Server,Port_TCP,Port_UDP,Notes
|
||||||
|
SKYNET_FIREWALL_00000,Add,,Complete,VPN,-,93.1.99.71 - 193.1.99.126,All,22,-,sftp/ssh required from vpn to servers for admins
|
||||||
|
SKYNET_FIREWALL_00001,Add,,Complete,All,-,193.1.99.109,SKYNET00004,-,53,Nameserver for skynet.ie
|
||||||
|
SKYNET_FIREWALL_00002,Add,,Complete,All,-,193.1.99.111,SKYNET00005,"80, 443, 8000",-,"ULFM, http(s) for internet streaming, 8000 for connecting to the server."
|
||||||
|
SKYNET_FIREWALL_00003,Add,,Complete,All,-,193.1.99.112,SKYNET00006,"80, 443, 25565",-,"Games host, Minecraft uses 25565 (will have more ports in the future)"
|
||||||
|
SKYNET_FIREWALL_00004,Add,,Complete,All,-,193.1.99.120,SKYNET00002,-,53,Nameserver for skynet.ie
|
||||||
|
SKYNET_FIREWALL_00005,Add,i23-01-19_681,Complete,193.1.99.72,SKYNET00001,All,-,-,-,Allow outbound access
|
||||||
|
SKYNET_FIREWALL_00006,Add,i23-01-19_681,Complete,193.1.99.75,SKYNET00008,All,-,-,-,Allow outbound access
|
||||||
|
SKYNET_FIREWALL_00007,Add,i23-01-19_681,Complete,193.1.99.109,SKYNET00004,All,-,-,-,Allow outbound access
|
||||||
|
SKYNET_FIREWALL_00008,Add,i23-01-19_681,Complete,193.1.99.111,SKYNET00005,All,-,-,-,Allow outbound access
|
||||||
|
SKYNET_FIREWALL_00009,Add,i23-01-19_681,Complete,193.1.99.112,SKYNET00006,All,-,-,-,Allow outbound access
|
||||||
|
SKYNET_FIREWALL_00010,Add,i23-01-19_681,Complete,193.1.99.120,SKYNET00002,All,-,-,-,Allow outbound access
|
||||||
|
SKYNET_FIREWALL_00011,Add,i23-05-18_249,Complete,All,-,193.1.99.75,SKYNET00008,"80, 443",-,For gitlab Access
|
||||||
|
SKYNET_FIREWALL_00012,Add,i23-05-18_249,Complete,193.1.99.72 - 193.1.99.126,-,All,-,-,-,"I would also like to extend the outbound access to cover our entire range (193.1.99.72 to 193.1.99.126) to allow for setup for more servers on those ip's (need to download updates and packages).
|
||||||
|
I have a few servers I plan to setup over the next two weeks, one after another as the later ones depend on earlier ones.
|
||||||
|
In such a case asking for permission for each individual IP would induce several tickets and a few weeks of paperwork going through change control.
|
||||||
|
Only a few of these sevices will need inbound ports opened on ITD's firewall, which can be requested when the systems are up, running and secured."
|
||||||
|
SKYNET_FIREWALL_00013,Add,i23-05-18_249,Complete,All,-,193.1.99.76,SKYNET00009,"143, 993, 587, 465",-,Email Server
|
||||||
|
SKYNET_FIREWALL_00014,Add,i23-06-19_525,Complete,All,-,193.1.99.76,SKYNET00009,"80, 443, 25",-,"Mailserver here, SPF, DKIM and DMARC are all set up"
|
||||||
|
SKYNET_FIREWALL_00015,Add,i23-06-19_525,Complete,All,-,193.1.99.79,SKYNET00011,"80, 443",-,Main Skynet webserver
|
||||||
|
SKYNET_FIREWALL_00016,Add,i23-06-30_024,Complete,All,-,193.1.96.165,SKYNET00012,22,-,"Skynet user's server
|
||||||
|
Outlet is 131 or 132"
|
||||||
|
SKYNET_FIREWALL_00017,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.120,SKYNET00002,-,53,Allow Skynet server to use our own internal DNS
|
||||||
|
SKYNET_FIREWALL_00018,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.74,SKYNET00007,389/636,-,Allow Skynet server to access LDAP
|
||||||
|
,Add,i23-07-28_010,Denied,All,-,193.1.99.74,SKYNET00007,"80, 443",-,Self Service site for Skynet accounts – Only 443 on account modification pages
|
||||||
|
SKYNET_FIREWALL_00019,Add,i23-07-28_010,Complete,All,-,193.1.99.74,SKYNET00007,443,-,Self Service site for Skynet accounts
|
||||||
|
SKYNET_FIREWALL_00020,Add,i23-09-05_639,Complete,All,-,193.1.96.165,SKYNET00012,"80, 443",-,Web hosting for user sites
|
||||||
|
SKYNET_FIREWALL_00021,Add,i23-10-27_014,Complete,All,-,193.1.99.77,SKYNET00014,"80, 443",-,"Nextcloud, selfhosted google services, filestorage and documents"
|
||||||
|
SKYNET_FIREWALL_00022,Add,i24-02-01_102,Complete,193.1.96.165,SKYNET00012,103.1.99.109,SKYNET00004,-,53,Give the Skynet server access to ur secondary DNS
|
||||||
|
SKYNET_FIREWALL_00023,Add,i24-02-01_102,Complete,193.1.99.78,SKYNET00010,193.1.96.165,SKYNET00012,22,-,Allow our gitlab runner to access and deploy to teh external server
|
||||||
|
SKYNET_FIREWALL_00024,Add,i24-02-16_065,Complete,All,-,193.1.99.90,SKYNET00016,"80, 443",-,Games Server Administrative panel
|
||||||
|
SKYNET_FIREWALL_00025,Add,i24-02-16_065,Complete,All,-,193.1.99.91,SKYNET00017,25518-25525,"19132, 24418-24425",Minecraft Games server
|
||||||
|
SKYNET_FIREWALL_00026,Add,i24-06-04_017,Complete,All,-,193.1.99.76,SKYNET00009,4190,-,"Email sieve to allow members to add email filters to their
|
||||||
|
skynet mail."
|
||||||
|
SKYNET_FIREWALL_00027,Add,i24-06-04_017,Complete,All,-,193.1.99.82,SKYNET00018,80/443,-,"Public services such as a binary cache, open governance and keyserver"
|
||||||
|
,Add,i24-06-04_017,Denied,All,-,193.1.99.90,SKYNET00016,8080,-,"Websocket for admin panel on games management server
|
||||||
|
Denied because more information on wat it was for was requested"
|
||||||
|
,Add,i24-06-04_017,Denied,193.1.99.74,SKYNET00007,193.1.96.165,SKYNET00012,9000-9020,-,"Metrics collection, not done because not enough info provided"
|
||||||
|
SKYNET_FIREWALL_00028,Remove,i24-06-04_017,Complete,-,-,193.1.99.112,SKYNET00019,25565,-,No longer the minecraft game host
|
||||||
|
SKYNET_FIREWALL_00029,Add,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Websocket for admin panel on games management server
|
||||||
|
SKYNET_FIREWALL_00030,Add,i24-06-04_017,Complete,193.1.99.83,SKYNET00020,193.1.96.165,SKYNET00012,9000-9010,-,Metrics Collection
|
||||||
|
SKYNET_FIREWALL_00031,Add,i24-06-04_017,Complete,All,-,193.1.99.83,SKYNET00020,"80, 443",-,Web interface for Metrics server
|
||||||
|
SKYNET_FIREWALL_00032,Remove,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Had incorrectly opened 8080 on the main panel
|
||||||
|
SKYNET_FIREWALL_00033,Add,i24-06-04_017,Complete,All,-,193.1.99.91,SKYNET00017,8080,-,Websocket for admin panel on games management server
|
||||||
|
,Add,i24-07-15_112,Denied,193.1.99.75,-,-,-,22,-,Response from ITD - 'Our IT Security team have advised that port 22 and port 2222 are only to be allowed through the VPN and will not be opened to allow inbound ssh connections directly from the internet'
|
|
22
ITD/Server_Inventory.csv
Normal file
22
ITD/Server_Inventory.csv
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
Index,Name,Status,IP_Address,OS,Description
|
||||||
|
SKYNET00001,agentjones,Active,193.1.99.72,Nixos-24.05,Firewall (currently not active)
|
||||||
|
SKYNET00002,vendetta,Active,193.1.99.120,Nixos-24.05,DNS Nameserver 1
|
||||||
|
SKYNET00003,jarvis,Active,193.1.99.73,Nixos-24.05,VM Host
|
||||||
|
SKYNET00004,vigil,Active,193.1.99.109,Nixos-24.05,DNS Nameserver 2
|
||||||
|
SKYNET00005,galatea,Active,193.1.99.111,Nixos-24.05,ULFM Radio
|
||||||
|
SKYNET00006,optimus,Retired,193.1.99.112,Nixos-24.05,Retired Games server
|
||||||
|
SKYNET00007,kitt,Active,193.1.99.74,Nixos-24.05,"LDAP and Self-Service Password/Account management, also hosts our Discord bot"
|
||||||
|
SKYNET00008,glados,Active,193.1.99.75,Nixos-24.05,Gitlab server
|
||||||
|
SKYNET00009,gir,Active,193.1.99.76,Nixos-24.05,Email and Webmail
|
||||||
|
SKYNET00010,wheatly,Active,193.1.99.78,Nixos-24.05,Gitlab Runner
|
||||||
|
SKYNET00011,earth,Active,193.1.99.79,Nixos-24.05,Offical website host
|
||||||
|
SKYNET00012,skynet,Active,193.1.96.165,Nixos-24.05,Skynet server. (DMZ)
|
||||||
|
SKYNET00013,neuromancer,Active,193.1.99.80,Nixos-24.05,Local Backup Server
|
||||||
|
SKYNET00014,cadie,Active,193.1.99.77,Nixos-24.05,"Services VM, has nextcloud to start with"
|
||||||
|
SKYNET00015,marvin,Active,193.1.99.81,Nixos-24.05,Trainee testing server
|
||||||
|
SKYNET00016,optimus,Active,193.1.99.90,Debian-12,Games server manager (replacing SKYNET00006 soon)
|
||||||
|
SKYNET00017,bumblebee,Active,193.1.99.91,Debian-12,Game server - Minecraft
|
||||||
|
SKYNET00018,calculon,Active,193.1.99.82,Nixos-24.05,"Public Services such as binary cache, Open Governance and Keyserver"
|
||||||
|
SKYNET00019,deepthought,Active,193.1.99.112,Nixos-24.05,Backup Test Server using restic
|
||||||
|
SKYNET00020,ariia,Active,193.1.99.83,Nixos-24.05,"Metrics, Grafana and Prometheus"
|
||||||
|
SKYNET00021,ash,Active,193.1.99.114,NA,Server Room Network access
|
|
6
ITD/VPN_Admins.csv
Normal file
6
ITD/VPN_Admins.csv
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
Index,First Name,Surname,UL Student Email
|
||||||
|
SKYNET_VPN_ADM_001,Brendan,Golden,12136891@studentmail.ul.ie
|
||||||
|
SKYNET_VPN_ADM_002,Evan,Cassidy,External
|
||||||
|
SKYNET_VPN_ADM_003,Eoghan,Conlon,21310262@studentmail.ul.ie
|
||||||
|
SKYNET_VPN_ADM_004,Eliza,Macovei,23382619@studentmail.ul.ie
|
||||||
|
SKYNET_VPN_ADM_005,Daragh,Downes,22351159@studentmail.ul.ie
|
|
7
ITD/VPN_Admins_changes.csv
Normal file
7
ITD/VPN_Admins_changes.csv
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
Date,Date Modified,Action,Ticket,ID
|
||||||
|
SKYNET_VPN_ADM_CHANGE_001,2023/04/04,Added,,SKYNET_VPN_ADM_001
|
||||||
|
SKYNET_VPN_ADM_CHANGE_002,2023/04/04,Added,,SKYNET_VPN_ADM_002
|
||||||
|
SKYNET_VPN_ADM_CHANGE_003,2023/04/04,Added,,SKYNET_VPN_ADM_003
|
||||||
|
SKYNET_VPN_ADM_CHANGE_003,2024/07/21,Removed,i24-07-22_760,SKYNET_VPN_ADM_003
|
||||||
|
SKYNET_VPN_ADM_CHANGE_004,2024/07/21,Added,i24-07-22_760,SKYNET_VPN_ADM_004
|
||||||
|
SKYNET_VPN_ADM_CHANGE_005,2024/07/21,Added,i24-07-22_760,SKYNET_VPN_ADM_005
|
|
|
@ -1,18 +0,0 @@
|
||||||
Index,Name,IP_Address,DNS_Name,Ports_Current,Ports_Requested,Related_Tickets,Description
|
|
||||||
SKYNET00001,agentjones,193.1.99.72,agentjones,"","","",Firewall (currently not active)
|
|
||||||
SKYNET00002,vendetta,193.1.99.120,vendetta/ns1,53,"","",DNS Nameserver 1
|
|
||||||
SKYNET00003,jarvis,193.1.99.73,jarvis,"","","",VM Host
|
|
||||||
SKYNET00004,vigil,193.1.99.109,vigil/ns2,53,"","",DNS Nameserver 2
|
|
||||||
SKYNET00005,galatea,193.1.99.111,galatea/stream,80/443 8000,"","",ULFM Radio
|
|
||||||
SKYNET00006,optimus,193.1.99.112,optimus/games/*.games,80/443 25565,"","",Games server
|
|
||||||
SKYNET00007,kitt,193.1.99.74,kitt/account/api.account,443,"",i23-07-28_010,"LDAP and Self-Service Password/Account management, also hosts our Discord bot"
|
|
||||||
SKYNET00008,glados,193.1.99.75,glados/gitlab/*.pages.gitlab,80/443,2222,i23-05-18_249,Gitlab server
|
|
||||||
SKYNET00009,gir,193.1.99.76,gir/mail/imap/pop3/smtp,80/443 25/143/993/587/465,"",i23-06-19_525/i23-06-19_525,Email and Webmail
|
|
||||||
SKYNET00010,wheatly,193.1.99.78,wheatly,"","","",Gitlab Runner
|
|
||||||
SKYNET00011,earth,193.1.99.79,earth,80/443,"",i23-06-19_525,Offical website host
|
|
||||||
SKYNET00012,skynet,193.1.96.165,skynet/*.users,22 80/443,"",i23-06-30_024,Skynet server. (DMZ)
|
|
||||||
SKYNET00013,neuromancer,193.1.99.80,neuromancer,"","","",Local Backup Server
|
|
||||||
SKYNET00014,cadie,193.1.99.77,cadie/nextcloud/onlyoffice.nextcloud,80/443,"",i23-10-27_014,"Services VM, has nextcloud to start with"
|
|
||||||
SKYNET00015,marvin,193.1.99.81,marvin,,,,Trainee testing server
|
|
||||||
SKYNET00016,optimus,193.1.99.99,,,,,Games server manager (replacing SKYNET00006 soon)
|
|
||||||
SKYNET00017,bumblebee,193.1.99.100,,,,,Game server - Minecraft
|
|
|
9
LICENSE
Normal file
9
LICENSE
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
MIT License
|
||||||
|
|
||||||
|
Copyright (c) 2024 Skynet
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
@ -1,5 +1,6 @@
|
||||||
https://web.archive.org/web/20180815150202/https://wiki.skynet.ie/Admin/SkynetMachines
|
https://web.archive.org/web/20180815150202/https://wiki.skynet.ie/Admin/SkynetMachines
|
||||||
https://en.m.wikipedia.org/wiki/Category:Fictional_artificial_intelligences
|
https://en.m.wikipedia.org/wiki/Category:Fictional_artificial_intelligences
|
||||||
|
https://en.wikipedia.org/wiki/List_of_artificial_intelligence_films
|
||||||
|
|
||||||
* agentsmith
|
* agentsmith
|
||||||
* skynet
|
* skynet
|
||||||
|
|
74
applications/_base.nix
Normal file
74
applications/_base.nix
Normal file
|
@ -0,0 +1,74 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
with lib; let
|
||||||
|
# root service
|
||||||
|
cfg = config.services.skynet;
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
# every server needs to have a dns record
|
||||||
|
./dns/dns.nix
|
||||||
|
|
||||||
|
# every server should have proper certs
|
||||||
|
./acme.nix
|
||||||
|
./nginx.nix
|
||||||
|
|
||||||
|
# every server may need the firewall config stuff
|
||||||
|
./firewall.nix
|
||||||
|
|
||||||
|
# every server needs teh ldap client for admins
|
||||||
|
./ldap/client.nix
|
||||||
|
|
||||||
|
# every server will need the config to backup to
|
||||||
|
./restic.nix
|
||||||
|
|
||||||
|
# every server will be monitored for grafana
|
||||||
|
./prometheus.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
options.services.skynet = {
|
||||||
|
# since we use this basically everywhere provide a standard way to set it
|
||||||
|
host = {
|
||||||
|
ip = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
|
name = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
|
hostname = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "${cfg.host.name}.skynet.ie";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
services.skynet.dns.records = [
|
||||||
|
{
|
||||||
|
record = cfg.host.name;
|
||||||
|
r_type = "A";
|
||||||
|
value = cfg.host.ip;
|
||||||
|
server = true;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
record = cfg.host.ip;
|
||||||
|
r_type = "PTR";
|
||||||
|
value = cfg.host.hostname;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
virtualHosts = {
|
||||||
|
# for every server unless explisitly defined redirect the ip to skynet.ie
|
||||||
|
"${cfg.host.ip}" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "skynet";
|
||||||
|
locations."/".return = "307 https://skynet.ie";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -6,27 +6,17 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
cfg = config.services.skynet_games;
|
name = "games";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
./dns.nix
|
|
||||||
./nginx.nix
|
./nginx.nix
|
||||||
./games/minecraft.nix
|
./games/minecraft.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
options.services.skynet_games = {
|
options.services.skynet."${name}" = {
|
||||||
enable = mkEnableOption "Skynet Games";
|
enable = mkEnableOption "Skynet Games";
|
||||||
|
|
||||||
host = {
|
|
||||||
ip = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
|
|
||||||
name = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
domain = {
|
domain = {
|
||||||
tld = mkOption {
|
tld = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
@ -46,26 +36,20 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
skynet_dns.records = [
|
services.skynet.dns.records = [
|
||||||
# need a base domain
|
# need a base domain
|
||||||
{
|
{
|
||||||
record = cfg.domain.sub;
|
record = cfg.domain.sub;
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = cfg.host.name;
|
value = config.services.skynet.host.name;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
skynet_acme.domains = [
|
services.skynet.acme.domains = [
|
||||||
"${cfg.domain.sub}.skynet.ie"
|
"${cfg.domain.sub}.skynet.ie"
|
||||||
];
|
];
|
||||||
|
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"${cfg.host.ip}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
useACMEHost = "skynet";
|
|
||||||
locations."/".return = "307 https://skynet.ie";
|
|
||||||
};
|
|
||||||
|
|
||||||
"${cfg.domain.sub}.skynet.ie" = {
|
"${cfg.domain.sub}.skynet.ie" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = "skynet";
|
useACMEHost = "skynet";
|
||||||
|
@ -74,14 +58,9 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
# the minecraft servers
|
# the minecraft servers
|
||||||
services.skynet_games_minecraft = {
|
services.skynet.games_minecraft = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
host = {
|
|
||||||
ip = cfg.host.ip;
|
|
||||||
name = cfg.domain.sub;
|
|
||||||
};
|
|
||||||
|
|
||||||
domain = {
|
domain = {
|
||||||
sub = "minecraft.${cfg.domain.sub}";
|
sub = "minecraft.${cfg.domain.sub}";
|
||||||
};
|
};
|
|
@ -6,32 +6,19 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
cfg = config.services.skynet_games_minecraft;
|
name = "games_minecraft";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
|
||||||
# got tired of how long this is so I created a var for it.
|
# got tired of how long this is so I created a var for it.
|
||||||
short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
|
short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../acme.nix
|
|
||||||
../dns.nix
|
|
||||||
../firewall.nix
|
|
||||||
../nginx.nix
|
|
||||||
inputs.arion.nixosModules.arion
|
inputs.arion.nixosModules.arion
|
||||||
];
|
];
|
||||||
|
|
||||||
options.services.skynet_games_minecraft = {
|
options.services.skynet."${name}" = {
|
||||||
enable = mkEnableOption "Skynet Games Minecraft";
|
enable = mkEnableOption "Skynet Games Minecraft";
|
||||||
|
|
||||||
host = {
|
|
||||||
ip = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
|
|
||||||
name = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
domain = {
|
domain = {
|
||||||
tld = mkOption {
|
tld = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
@ -52,53 +39,53 @@ in {
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
skynet_firewall.forward = [
|
skynet_firewall.forward = [
|
||||||
"ip daddr ${cfg.host.ip} tcp dport 80 counter packets 0 bytes 0 accept"
|
"ip daddr ${config.services.skynet.host.ip} tcp dport 80 counter packets 0 bytes 0 accept"
|
||||||
"ip daddr ${cfg.host.ip} tcp dport 443 counter packets 0 bytes 0 accept"
|
"ip daddr ${config.services.skynet.host.ip} tcp dport 443 counter packets 0 bytes 0 accept"
|
||||||
"ip daddr ${cfg.host.ip} tcp dport 25565 counter packets 0 bytes 0 accept"
|
"ip daddr ${config.services.skynet.host.ip} tcp dport 25565 counter packets 0 bytes 0 accept"
|
||||||
];
|
];
|
||||||
|
|
||||||
skynet_acme.domains = [
|
services.skynet.acme.domains = [
|
||||||
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
"*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
"*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
];
|
];
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet.dns.records = [
|
||||||
# the minecraft (web) config server
|
# the minecraft (web) config server
|
||||||
{
|
{
|
||||||
record = "config.${cfg.domain.sub}";
|
record = "config.${cfg.domain.sub}";
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = cfg.host.name;
|
value = config.services.skynet.host.name;
|
||||||
}
|
}
|
||||||
|
|
||||||
# our own minecraft hosts
|
# our own minecraft hosts
|
||||||
{
|
{
|
||||||
record = "compsoc_classic.${cfg.domain.sub}";
|
record = "compsoc_classic.${cfg.domain.sub}";
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = cfg.host.name;
|
value = config.services.skynet.host.name;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
record = "compsoc.${cfg.domain.sub}";
|
record = "compsoc.${cfg.domain.sub}";
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = cfg.host.name;
|
value = config.services.skynet.host.name;
|
||||||
}
|
}
|
||||||
|
|
||||||
# gsoc servers
|
# gsoc servers
|
||||||
{
|
{
|
||||||
record = "gsoc.${cfg.domain.sub}";
|
record = "gsoc.${cfg.domain.sub}";
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = cfg.host.name;
|
value = config.services.skynet.host.name;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
record = "gsoc_abridged.${cfg.domain.sub}";
|
record = "gsoc_abridged.${cfg.domain.sub}";
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = cfg.host.name;
|
value = config.services.skynet.host.name;
|
||||||
}
|
}
|
||||||
|
|
||||||
# phildeb
|
# phildeb
|
||||||
{
|
{
|
||||||
record = "phildeb.${cfg.domain.sub}";
|
record = "phildeb.${cfg.domain.sub}";
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = cfg.host.name;
|
value = config.services.skynet.host.name;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -108,12 +95,6 @@ in {
|
||||||
];
|
];
|
||||||
|
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"${cfg.host.ip}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
useACMEHost = "skynet";
|
|
||||||
locations."/".return = "307 https://skynet.ie";
|
|
||||||
};
|
|
||||||
|
|
||||||
# https://config.minecraft.games.skynet.ie
|
# https://config.minecraft.games.skynet.ie
|
||||||
"config.${short_domain}" = {
|
"config.${short_domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
|
@ -5,12 +5,12 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
cfg = config.skynet_acme;
|
name = "acme";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
in {
|
in {
|
||||||
imports = [];
|
imports = [];
|
||||||
|
|
||||||
options = {
|
options.services.skynet."${name}" = {
|
||||||
skynet_acme = {
|
|
||||||
domains = lib.mkOption {
|
domains = lib.mkOption {
|
||||||
default = [];
|
default = [];
|
||||||
type = lib.types.listOf lib.types.str;
|
type = lib.types.listOf lib.types.str;
|
||||||
|
@ -19,7 +19,7 @@ in {
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
config = {
|
config = {
|
||||||
# group that will own the certificates
|
# group that will own the certificates
|
||||||
users.groups.acme = {};
|
users.groups.acme = {};
|
||||||
|
@ -32,15 +32,15 @@ in {
|
||||||
|
|
||||||
defaults = {
|
defaults = {
|
||||||
email = "admin_acme@skynet.ie";
|
email = "admin_acme@skynet.ie";
|
||||||
|
credentialsFile = config.age.secrets.acme.path;
|
||||||
# we use our own dns authorative server for verifying we own the domain.
|
# we use our own dns authorative server for verifying we own the domain.
|
||||||
dnsProvider = "rfc2136";
|
dnsProvider = "rfc2136";
|
||||||
credentialsFile = config.age.secrets.acme.path;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
certs = {
|
certs = {
|
||||||
"skynet" = {
|
"skynet" = {
|
||||||
domain = "skynet.ie";
|
domain = "skynet.ie";
|
||||||
extraDomainNames = cfg.domains;
|
extraDomainNames = lists.naturalSort cfg.domains;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,324 +0,0 @@
|
||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
with lib; let
|
|
||||||
cfg = config.services.bitwarden-directory-connector-cli;
|
|
||||||
in {
|
|
||||||
disabledModules = ["services/security/bitwarden-directory-connector-cli.nix"];
|
|
||||||
|
|
||||||
options.services.bitwarden-directory-connector-cli = {
|
|
||||||
enable = mkEnableOption "Bitwarden Directory Connector";
|
|
||||||
|
|
||||||
package = mkPackageOption pkgs "bitwarden-directory-connector-cli" {};
|
|
||||||
|
|
||||||
domain = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "The domain the Bitwarden/Vaultwarden is accessible on.";
|
|
||||||
example = "https://vaultwarden.example.com";
|
|
||||||
};
|
|
||||||
|
|
||||||
user = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "User to run the program.";
|
|
||||||
default = "bwdc";
|
|
||||||
};
|
|
||||||
|
|
||||||
interval = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "*:0,15,30,45";
|
|
||||||
description = lib.mdDoc "The interval when to run the connector. This uses systemd's OnCalendar syntax.";
|
|
||||||
};
|
|
||||||
|
|
||||||
ldap = mkOption {
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Options to configure the LDAP connection.
|
|
||||||
If you used the desktop application to test the configuration you can find the settings by searching for `ldap` in `~/.config/Bitwarden\ Directory\ Connector/data.json`.
|
|
||||||
'';
|
|
||||||
default = {};
|
|
||||||
type = types.submodule ({
|
|
||||||
config,
|
|
||||||
options,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
freeformType = types.attrsOf (pkgs.formats.json {}).type;
|
|
||||||
|
|
||||||
config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options)));
|
|
||||||
|
|
||||||
options = {
|
|
||||||
finalJSON = mkOption {
|
|
||||||
type = (pkgs.formats.json {}).type;
|
|
||||||
internal = true;
|
|
||||||
readOnly = true;
|
|
||||||
visible = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
ssl = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = lib.mdDoc "Whether to use TLS.";
|
|
||||||
};
|
|
||||||
startTls = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = lib.mdDoc "Whether to use STARTTLS.";
|
|
||||||
};
|
|
||||||
|
|
||||||
hostname = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "The host the LDAP is accessible on.";
|
|
||||||
example = "ldap.example.com";
|
|
||||||
};
|
|
||||||
|
|
||||||
port = mkOption {
|
|
||||||
type = types.port;
|
|
||||||
default = 389;
|
|
||||||
description = lib.mdDoc "Port LDAP is accessible on.";
|
|
||||||
};
|
|
||||||
|
|
||||||
ad = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = lib.mdDoc "Whether the LDAP Server is an Active Directory.";
|
|
||||||
};
|
|
||||||
|
|
||||||
pagedSearch = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = lib.mdDoc "Whether the LDAP server paginates search results.";
|
|
||||||
};
|
|
||||||
|
|
||||||
rootPath = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "Root path for LDAP.";
|
|
||||||
example = "dc=example,dc=com";
|
|
||||||
};
|
|
||||||
|
|
||||||
username = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "The user to authenticate as.";
|
|
||||||
example = "cn=admin,dc=example,dc=com";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
});
|
|
||||||
};
|
|
||||||
|
|
||||||
sync = mkOption {
|
|
||||||
description = lib.mdDoc ''
|
|
||||||
Options to configure what gets synced.
|
|
||||||
If you used the desktop application to test the configuration you can find the settings by searching for `sync` in `~/.config/Bitwarden\ Directory\ Connector/data.json`.
|
|
||||||
'';
|
|
||||||
default = {};
|
|
||||||
type = types.submodule ({
|
|
||||||
config,
|
|
||||||
options,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
freeformType = types.attrsOf (pkgs.formats.json {}).type;
|
|
||||||
|
|
||||||
config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options)));
|
|
||||||
|
|
||||||
options = {
|
|
||||||
finalJSON = mkOption {
|
|
||||||
type = (pkgs.formats.json {}).type;
|
|
||||||
internal = true;
|
|
||||||
readOnly = true;
|
|
||||||
visible = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
removeDisabled = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = true;
|
|
||||||
description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group.";
|
|
||||||
};
|
|
||||||
|
|
||||||
overwriteExisting = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description =
|
|
||||||
lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.";
|
|
||||||
};
|
|
||||||
|
|
||||||
largeImport = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = lib.mdDoc "Enable if you are syncing more than 2000 users/groups.";
|
|
||||||
};
|
|
||||||
|
|
||||||
memberAttribute = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "Attribute that lists members in a LDAP group.";
|
|
||||||
example = "uniqueMember";
|
|
||||||
};
|
|
||||||
|
|
||||||
creationDateAttribute = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "Attribute that lists a user's creation date.";
|
|
||||||
example = "whenCreated";
|
|
||||||
};
|
|
||||||
|
|
||||||
useEmailPrefixSuffix = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = lib.mdDoc "If a user has no email address, combine a username prefix with a suffix value to form an email.";
|
|
||||||
};
|
|
||||||
emailPrefixAttribute = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "The attribute that contains the users username.";
|
|
||||||
example = "accountName";
|
|
||||||
};
|
|
||||||
emailSuffix = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "Suffix for the email, normally @example.com.";
|
|
||||||
example = "@example.com";
|
|
||||||
};
|
|
||||||
|
|
||||||
users = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = lib.mdDoc "Sync users.";
|
|
||||||
};
|
|
||||||
userPath = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "User directory, relative to root.";
|
|
||||||
default = "ou=users";
|
|
||||||
};
|
|
||||||
userObjectClass = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "Class that users must have.";
|
|
||||||
default = "inetOrgPerson";
|
|
||||||
};
|
|
||||||
userEmailAttribute = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "Attribute for a users email.";
|
|
||||||
default = "mail";
|
|
||||||
};
|
|
||||||
userFilter = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "LDAP filter for users.";
|
|
||||||
example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)";
|
|
||||||
default = "";
|
|
||||||
};
|
|
||||||
|
|
||||||
groups = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = lib.mdDoc "Whether to sync ldap groups into BitWarden.";
|
|
||||||
};
|
|
||||||
groupPath = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "Group directory, relative to root.";
|
|
||||||
default = "ou=groups";
|
|
||||||
};
|
|
||||||
groupObjectClass = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "A class that groups will have.";
|
|
||||||
default = "groupOfNames";
|
|
||||||
};
|
|
||||||
groupNameAttribute = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "Attribute for a name of group.";
|
|
||||||
default = "cn";
|
|
||||||
};
|
|
||||||
groupFilter = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = lib.mdDoc "LDAP filter for groups.";
|
|
||||||
example = "(cn=sales)";
|
|
||||||
default = "";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
});
|
|
||||||
};
|
|
||||||
|
|
||||||
secrets = {
|
|
||||||
ldap = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "Path to file that contains LDAP password for user in {option}`ldap.username";
|
|
||||||
};
|
|
||||||
|
|
||||||
bitwarden = {
|
|
||||||
client_path_id = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "Path to file that contains Client ID.";
|
|
||||||
};
|
|
||||||
client_path_secret = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = "Path to file that contains Client Secret.";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
users.groups."${cfg.user}" = {};
|
|
||||||
users.users."${cfg.user}" = {
|
|
||||||
isSystemUser = true;
|
|
||||||
group = cfg.user;
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd = {
|
|
||||||
timers.bitwarden-directory-connector-cli = {
|
|
||||||
description = "Sync timer for Bitwarden Directory Connector";
|
|
||||||
wantedBy = ["timers.target"];
|
|
||||||
after = ["network-online.target"];
|
|
||||||
timerConfig = {
|
|
||||||
OnCalendar = cfg.interval;
|
|
||||||
Unit = "bitwarden-directory-connector-cli.service";
|
|
||||||
Persistent = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.bitwarden-directory-connector-cli = {
|
|
||||||
description = "Main process for Bitwarden Directory Connector";
|
|
||||||
|
|
||||||
environment = {
|
|
||||||
BITWARDENCLI_CONNECTOR_APPDATA_DIR = "/tmp";
|
|
||||||
BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS = "true";
|
|
||||||
};
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
User = "${cfg.user}";
|
|
||||||
PrivateTmp = true;
|
|
||||||
ExecStartPre = pkgs.writeShellScript "bitwarden_directory_connector-config" ''
|
|
||||||
set -eo pipefail
|
|
||||||
|
|
||||||
# create the config file
|
|
||||||
${lib.getExe cfg.package} data-file
|
|
||||||
touch /tmp/data.json.tmp
|
|
||||||
chmod 600 /tmp/data.json{,.tmp}
|
|
||||||
|
|
||||||
${lib.getExe cfg.package} config server ${cfg.domain}
|
|
||||||
|
|
||||||
# now login to set credentials
|
|
||||||
export BW_CLIENTID="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_id})"
|
|
||||||
export BW_CLIENTSECRET="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_secret})"
|
|
||||||
${lib.getExe cfg.package} login
|
|
||||||
|
|
||||||
${lib.getExe pkgs.jq} '.authenticatedAccounts[0] as $account
|
|
||||||
| .[$account].directoryConfigurations.ldap |= $ldap_data
|
|
||||||
| .[$account].directorySettings.organizationId |= $orgID
|
|
||||||
| .[$account].directorySettings.sync |= $sync_data' \
|
|
||||||
--argjson ldap_data ${escapeShellArg cfg.ldap.finalJSON} \
|
|
||||||
--arg orgID "''${BW_CLIENTID//organization.}" \
|
|
||||||
--argjson sync_data ${escapeShellArg cfg.sync.finalJSON} \
|
|
||||||
/tmp/data.json \
|
|
||||||
> /tmp/data.json.tmp
|
|
||||||
|
|
||||||
mv -f /tmp/data.json.tmp /tmp/data.json
|
|
||||||
|
|
||||||
# final config
|
|
||||||
${lib.getExe cfg.package} config directory 0
|
|
||||||
${lib.getExe cfg.package} config ldap.password --secretfile ${cfg.secrets.ldap}
|
|
||||||
'';
|
|
||||||
|
|
||||||
ExecStart = "${lib.getExe cfg.package} sync";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
meta.maintainers = with maintainers; [Silver-Golden];
|
|
||||||
}
|
|
|
@ -6,9 +6,7 @@
|
||||||
}: let
|
}: let
|
||||||
user = "bwdc";
|
user = "bwdc";
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [];
|
||||||
./bitwarden-directory-connector-cli.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
options = {};
|
options = {};
|
||||||
|
|
||||||
|
|
|
@ -6,53 +6,36 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
cfg = config.services.skynet_vaultwarden;
|
name = "vaultwarden";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
|
||||||
domain_sub = "pw";
|
domain_sub = "pw";
|
||||||
domain = "${domain_sub}.skynet.ie";
|
domain = "${domain_sub}.skynet.ie";
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../acme.nix
|
|
||||||
../dns.nix
|
|
||||||
../nginx.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
options.services.skynet_vaultwarden = {
|
options.services.skynet."${name}" = {
|
||||||
enable = mkEnableOption "Skynet vaultwarden server";
|
enable = mkEnableOption "Skynet VaultWarden server";
|
||||||
|
|
||||||
host = {
|
|
||||||
ip = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
|
|
||||||
name = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
#backups = [ "/etc/silver_ul_ical/database.db" ];
|
#backups = [ "/etc/silver_ul_ical/database.db" ];
|
||||||
|
|
||||||
# Website config
|
# Website config
|
||||||
skynet_acme.domains = [
|
services.skynet.acme.domains = [
|
||||||
domain
|
domain
|
||||||
];
|
];
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet.dns.records = [
|
||||||
{
|
{
|
||||||
record = domain_sub;
|
record = domain_sub;
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = cfg.host.name;
|
value = config.services.skynet.host.name;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"${cfg.host.ip}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
useACMEHost = "skynet";
|
|
||||||
locations."/".return = "307 https://skynet.ie";
|
|
||||||
};
|
|
||||||
"${domain}" = {
|
"${domain}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = "skynet";
|
useACMEHost = "skynet";
|
||||||
|
|
|
@ -6,13 +6,14 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
cfg = config.services.discord_bot;
|
name = "discord_bot";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
inputs.skynet_discord_bot.nixosModule."x86_64-linux"
|
inputs.skynet_discord_bot.nixosModule."x86_64-linux"
|
||||||
];
|
];
|
||||||
|
|
||||||
options.services.discord_bot = {
|
options.services.skynet."${name}" = {
|
||||||
enable = mkEnableOption "Skynet LDAP backend server";
|
enable = mkEnableOption "Skynet LDAP backend server";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -20,21 +21,18 @@ in {
|
||||||
#backups = [ "/etc/silver_ul_ical/database.db" ];
|
#backups = [ "/etc/silver_ul_ical/database.db" ];
|
||||||
|
|
||||||
age.secrets.discord_token.file = ../secrets/discord/token.age;
|
age.secrets.discord_token.file = ../secrets/discord/token.age;
|
||||||
age.secrets.discord_ldap.file = ../secrets/discord/ldap.age;
|
|
||||||
age.secrets.discord_mail.file = ../secrets/email/details.age;
|
age.secrets.discord_mail.file = ../secrets/email/details.age;
|
||||||
age.secrets.discord_wolves.file = ../secrets/wolves/details.age;
|
age.secrets.discord_wolves.file = ../secrets/wolves/details.age;
|
||||||
|
|
||||||
|
# this is what was imported
|
||||||
services.skynet_discord_bot = {
|
services.skynet_discord_bot = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
env = {
|
env = {
|
||||||
discord = config.age.secrets.discord_token.path;
|
discord = config.age.secrets.discord_token.path;
|
||||||
ldap = config.age.secrets.discord_ldap.path;
|
|
||||||
mail = config.age.secrets.discord_mail.path;
|
mail = config.age.secrets.discord_mail.path;
|
||||||
wolves = config.age.secrets.discord_wolves.path;
|
wolves = config.age.secrets.discord_wolves.path;
|
||||||
};
|
};
|
||||||
|
|
||||||
discord.server = "689189992417067052";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,18 +3,42 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
config,
|
config,
|
||||||
nodes,
|
nodes,
|
||||||
|
self,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
cfg = config.skynet_dns;
|
name = "dns";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
|
||||||
# reads that date to a string (will need to be fixed in 2038)
|
# reads that date to a string (will need to be fixed in 2038)
|
||||||
current_date = lib.readFile "${pkgs.runCommand "timestamp" {} "echo -n `date +%s` > $out"}";
|
current_date = self.lastModified;
|
||||||
|
|
||||||
|
# this gets a list of all domains we have records for
|
||||||
|
domains = lib.lists.naturalSort (lib.lists.unique (
|
||||||
|
lib.lists.forEach records (x: x.domain)
|
||||||
|
));
|
||||||
|
|
||||||
|
# get the ip's of our servers
|
||||||
|
servers = lib.lists.naturalSort (lib.lists.unique (
|
||||||
|
lib.lists.forEach (sort_records_a_server records) (x: x.value)
|
||||||
|
));
|
||||||
|
|
||||||
|
domains_owned = [
|
||||||
|
# for historic reasons we own this
|
||||||
|
"csn.ul.ie"
|
||||||
|
# the main one we use now
|
||||||
|
"skynet.ie"
|
||||||
|
# a backup
|
||||||
|
"ulcompsoc.ie"
|
||||||
|
];
|
||||||
|
|
||||||
# gets a list of records that match this type
|
# gets a list of records that match this type
|
||||||
filter_records_type = r_type: builtins.filter (x: x.r_type == r_type) records;
|
filter_records_type = records: r_type: builtins.filter (x: x.r_type == r_type) records;
|
||||||
filter_records_server = builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type "A");
|
# Get all the A records that are for servers (base record for them)
|
||||||
filter_records_a = builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type "A");
|
filter_records_a_server = records: builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type records "A");
|
||||||
|
# Every other A record
|
||||||
|
filter_records_a = records: builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type records "A");
|
||||||
|
|
||||||
|
# These functions are to get the final 3 digits of an IP address so we can use them for reverse pointer
|
||||||
process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x);
|
process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x);
|
||||||
process_ptr_sub = record: {
|
process_ptr_sub = record: {
|
||||||
record = builtins.substring 9 3 record.record;
|
record = builtins.substring 9 3 record.record;
|
||||||
|
@ -23,87 +47,100 @@
|
||||||
};
|
};
|
||||||
ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip);
|
ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip);
|
||||||
|
|
||||||
sort_records_server = builtins.sort (a: b: a.record < b.record) filter_records_server;
|
# filter and sort records so we cna group them in the right place later
|
||||||
sort_records_a = builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) filter_records_a;
|
sort_records_a_server = records: builtins.sort (a: b: a.record < b.record) (filter_records_a_server records);
|
||||||
sort_records_cname = builtins.sort (a: b: a.value < b.value) (filter_records_type "CNAME");
|
sort_records_a = records: builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) (filter_records_a records);
|
||||||
sort_records_ptr = builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type "PTR"));
|
sort_records_cname = records: builtins.sort (a: b: a.value < b.value) (filter_records_type records "CNAME");
|
||||||
sort_records_srv = builtins.sort (a: b: a.record < b.record) (filter_records_type "SRV");
|
sort_records_ptr = records: builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type records "PTR"));
|
||||||
|
sort_records_srv = records: builtins.sort (a: b: a.record < b.record) (filter_records_type records "SRV");
|
||||||
|
|
||||||
format_records = records: offset: lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records;
|
# a tad overkill but type guarding is useful
|
||||||
|
max = x: y:
|
||||||
|
assert builtins.isInt x;
|
||||||
|
assert builtins.isInt y;
|
||||||
|
if x < y
|
||||||
|
then y
|
||||||
|
else x;
|
||||||
|
|
||||||
# small function to trim it down a tad
|
# get teh max length of a list of strings
|
||||||
|
max_len = records: lib.lists.foldr (a: b: (max a b)) 0 (lib.lists.forEach records (record: lib.strings.stringLength record.record));
|
||||||
|
|
||||||
|
# Now that we can get teh max lenth of a list of strings
|
||||||
|
# we can pad it out to the max len +1
|
||||||
|
# this is so that teh generated file is easier for a human to read
|
||||||
|
format_records = records: let
|
||||||
|
offset = (max_len records) + 1;
|
||||||
|
in
|
||||||
|
lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records;
|
||||||
|
|
||||||
|
# small function to add spaces until it reaches teh required length
|
||||||
padString = text: length: fixedWidthString_post length " " text;
|
padString = text: length: fixedWidthString_post length " " text;
|
||||||
|
|
||||||
# like lib.strings.fixedWidthString but postfix
|
# like lib.strings.fixedWidthString but postfix
|
||||||
|
# recursive function to extend a string up to a limit
|
||||||
fixedWidthString_post = width: filler: str: let
|
fixedWidthString_post = width: filler: str: let
|
||||||
strw = lib.stringLength str;
|
strw = lib.stringLength str;
|
||||||
reqWidth = width - (lib.stringLength filler);
|
reqWidth = width - (lib.stringLength filler);
|
||||||
in
|
in
|
||||||
|
# this is here because we were manually setting teh length, now max_len does that for us
|
||||||
assert lib.assertMsg (strw <= width) "fixedWidthString_post: requested string length (${toString width}) must not be shorter than actual length (${toString strw})";
|
assert lib.assertMsg (strw <= width) "fixedWidthString_post: requested string length (${toString width}) must not be shorter than actual length (${toString strw})";
|
||||||
if strw == width
|
if strw == width
|
||||||
then str
|
then str
|
||||||
else (fixedWidthString_post reqWidth filler str) + filler;
|
else (fixedWidthString_post reqWidth filler str) + filler;
|
||||||
|
|
||||||
# base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie)
|
# base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie)
|
||||||
|
# ";" are comments in this file
|
||||||
get_config_file = (
|
get_config_file = (
|
||||||
domain: ''
|
domain: records: ''
|
||||||
$TTL 60 ; 1 minute
|
$TTL 60 ; 1 minute
|
||||||
; hostmaster@${domain} is an email address that recieves stuff related to dns
|
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
|
||||||
@ IN SOA ${nameserver}.${domain}. hostmaster.${domain}. (
|
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
|
||||||
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
|
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
|
||||||
${current_date}
|
${toString current_date}
|
||||||
600 ; Refresh (10 minutes)
|
600 ; Refresh (10 minutes)
|
||||||
300 ; Retry (5 minutes)
|
300 ; Retry (5 minutes)
|
||||||
604800 ; Expire (1 week)
|
604800 ; Expire (1 week)
|
||||||
3600 ; Minimum (1 hour)
|
3600 ; Minimum (1 hour)
|
||||||
)
|
)
|
||||||
|
|
||||||
@ NS ns1.${domain}.
|
|
||||||
@ NS ns2.${domain}.
|
|
||||||
; @ stands for teh root domain so teh A record below is where ${domain} points to
|
; @ stands for teh root domain so teh A record below is where ${domain} points to
|
||||||
;@ A 193.1.99.76
|
@ NS ns1.skynet.ie.
|
||||||
;@ MX 5 ${domain}.
|
@ NS ns2.skynet.ie.
|
||||||
|
|
||||||
; can have multiple mailserves
|
|
||||||
@ MX 10 mail.${domain}.
|
|
||||||
|
|
||||||
|
|
||||||
; ------------------------------------------
|
; ------------------------------------------
|
||||||
; Server Names (A Records)
|
; Server Names (A Records)
|
||||||
; ------------------------------------------
|
; ------------------------------------------
|
||||||
${format_records sort_records_server 31}
|
${format_records (sort_records_a_server records)}
|
||||||
|
|
||||||
; ------------------------------------------
|
; ------------------------------------------
|
||||||
; A (non server names
|
; A (non server names
|
||||||
; ------------------------------------------
|
; ------------------------------------------
|
||||||
${format_records sort_records_a 31}
|
${format_records (sort_records_a records)}
|
||||||
|
|
||||||
; ------------------------------------------
|
; ------------------------------------------
|
||||||
; CNAMES
|
; CNAMES
|
||||||
; ------------------------------------------
|
; ------------------------------------------
|
||||||
${format_records sort_records_cname 31}
|
${format_records (sort_records_cname records)}
|
||||||
|
|
||||||
; ------------------------------------------
|
; ------------------------------------------
|
||||||
; TXT
|
; TXT
|
||||||
; ------------------------------------------
|
; ------------------------------------------
|
||||||
${format_records (filter_records_type "TXT") 31}
|
${format_records (filter_records_type records "TXT")}
|
||||||
|
|
||||||
; ------------------------------------------
|
; ------------------------------------------
|
||||||
; MX
|
; MX
|
||||||
; ------------------------------------------
|
; ------------------------------------------
|
||||||
${format_records (filter_records_type "MX") 31}
|
${format_records (filter_records_type records "MX")}
|
||||||
|
|
||||||
; ------------------------------------------
|
; ------------------------------------------
|
||||||
; SRV
|
; SRV
|
||||||
; ------------------------------------------
|
; ------------------------------------------
|
||||||
${format_records sort_records_srv 65}
|
${format_records (sort_records_srv records)}
|
||||||
|
|
||||||
|
|
||||||
''
|
''
|
||||||
);
|
);
|
||||||
|
|
||||||
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse
|
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse
|
||||||
# config for our reverse dnspointers (not properly working)
|
# config for our reverse dns pointers (not properly working)
|
||||||
get_config_file_rev = (
|
get_config_file_rev = (
|
||||||
domain: ''
|
domain: ''
|
||||||
$ORIGIN 64-64.99.1.193.in-addr.arpa.
|
$ORIGIN 64-64.99.1.193.in-addr.arpa.
|
||||||
|
@ -111,7 +148,7 @@
|
||||||
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
|
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
|
||||||
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
|
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
|
||||||
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
|
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
|
||||||
${current_date}
|
${toString current_date}
|
||||||
600 ; Refresh (10 minutes)
|
600 ; Refresh (10 minutes)
|
||||||
300 ; Retry (5 minutes)
|
300 ; Retry (5 minutes)
|
||||||
604800 ; Expire (1 week)
|
604800 ; Expire (1 week)
|
||||||
|
@ -124,55 +161,37 @@
|
||||||
; ------------------------------------------
|
; ------------------------------------------
|
||||||
; PTR
|
; PTR
|
||||||
; ------------------------------------------
|
; ------------------------------------------
|
||||||
${format_records sort_records_ptr 3}
|
${format_records (sort_records_ptr records)}
|
||||||
''
|
''
|
||||||
);
|
);
|
||||||
|
|
||||||
# domains we dont have proper ownship over, only here to ensure the logs dont get cluttered.
|
# arrays of teh two nameservers
|
||||||
get_config_file_old_domains = (
|
nameserver_1 = ["193.1.99.109"];
|
||||||
domain: ''
|
nameserver_2 = ["193.1.99.120"];
|
||||||
$TTL 60 ; 1 minute
|
|
||||||
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
|
|
||||||
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
|
|
||||||
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
|
|
||||||
${current_date}
|
|
||||||
600 ; Refresh (10 minutes)
|
|
||||||
300 ; Retry (5 minutes)
|
|
||||||
604800 ; Expire (1 week)
|
|
||||||
3600 ; Minimum (1 hour)
|
|
||||||
)
|
|
||||||
|
|
||||||
@ NS ns1.skynet.ie.
|
|
||||||
@ NS ns2.skynet.ie.
|
|
||||||
|
|
||||||
''
|
|
||||||
);
|
|
||||||
|
|
||||||
# arrys of teh two nameservers
|
|
||||||
tmp1 = ["193.1.99.109"];
|
|
||||||
tmp2 = ["193.1.99.120"];
|
|
||||||
|
|
||||||
primaries = (
|
primaries = (
|
||||||
if cfg.server.primary
|
if cfg.server.primary
|
||||||
then
|
then
|
||||||
# primary servers have no primaries (ones they listen to)
|
# primary servers have no primaries (ones they listen to)
|
||||||
[]
|
[]
|
||||||
else if builtins.elem cfg.server.ip tmp1
|
else if builtins.elem cfg.server.ip nameserver_1
|
||||||
then tmp2
|
then nameserver_2
|
||||||
else tmp1
|
else nameserver_1
|
||||||
);
|
);
|
||||||
|
|
||||||
secondaries = (
|
secondaries = (
|
||||||
if cfg.server.primary
|
if cfg.server.primary
|
||||||
then
|
then
|
||||||
if builtins.elem cfg.server.ip tmp1
|
if builtins.elem cfg.server.ip nameserver_1
|
||||||
then tmp2
|
then nameserver_2
|
||||||
else tmp1
|
else nameserver_1
|
||||||
else []
|
else []
|
||||||
);
|
);
|
||||||
|
|
||||||
# small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router
|
# small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router
|
||||||
create_cache_networks = map (x: "193.1.99.${toString x}/32") (lib.lists.range 71 126);
|
# now limited explicitly to servers that we are administering
|
||||||
|
# See i24-09-30_050 for more information
|
||||||
|
create_cache_networks = map (x: "${toString x}/32") servers;
|
||||||
|
|
||||||
# standard function to create the etc file, pass in the text and domain and it makes it
|
# standard function to create the etc file, pass in the text and domain and it makes it
|
||||||
create_entry_etc_sub = domain: text: {
|
create_entry_etc_sub = domain: text: {
|
||||||
|
@ -184,27 +203,38 @@
|
||||||
# The UNIX file mode bits
|
# The UNIX file mode bits
|
||||||
mode = "0664";
|
mode = "0664";
|
||||||
|
|
||||||
|
# content of the file
|
||||||
text = text;
|
text = text;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
# (text.owned "csn.ul.ie")
|
|
||||||
|
|
||||||
# standard function to create the etc file, pass in the text and domain and it makes it
|
# standard function to create the etc file, pass in the text and domain and it makes it
|
||||||
create_entry_etc = domain: type:
|
create_entry_etc = domain: type: let
|
||||||
|
domain_records = lib.lists.filter (x: x.domain == domain) records;
|
||||||
|
in
|
||||||
|
# this is the main type of record that most folks are used to
|
||||||
if type == "owned"
|
if type == "owned"
|
||||||
then create_entry_etc_sub domain (text.owned domain)
|
then create_entry_etc_sub domain (get_config_file domain domain_records)
|
||||||
|
# reverse lookups allow for using an IP to find domains pointing to it
|
||||||
else if type == "reverse"
|
else if type == "reverse"
|
||||||
then create_entry_etc_sub domain (text.reverse domain)
|
then create_entry_etc_sub domain (get_config_file_rev domain)
|
||||||
else if type == "old"
|
|
||||||
then create_entry_etc_sub domain (text.old domain)
|
|
||||||
else {};
|
else {};
|
||||||
|
|
||||||
create_entry_zone = domain: extraConfig: {
|
create_entry_zone = domain: let
|
||||||
|
if_primary_and_owned =
|
||||||
|
if cfg.server.primary && (lib.lists.any (item: item == domain) domains_owned)
|
||||||
|
then ''
|
||||||
|
allow-update { key rfc2136key.skynet.ie.; };
|
||||||
|
dnssec-policy default;
|
||||||
|
inline-signing yes;
|
||||||
|
''
|
||||||
|
else "";
|
||||||
|
in {
|
||||||
"${domain}" = {
|
"${domain}" = {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
${extraConfig}
|
${if_primary_and_owned}
|
||||||
// for bumping the config
|
// for bumping the config
|
||||||
// ${current_date}
|
// ${toString current_date}
|
||||||
'';
|
'';
|
||||||
# really wish teh nixos config didnt use master/slave
|
# really wish teh nixos config didnt use master/slave
|
||||||
master = cfg.server.primary;
|
master = cfg.server.primary;
|
||||||
|
@ -217,69 +247,16 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
text = {
|
|
||||||
owned = domain: get_config_file domain;
|
|
||||||
reverse = domain: get_config_file_rev domain;
|
|
||||||
old = domain: get_config_file_old_domains domain;
|
|
||||||
};
|
|
||||||
|
|
||||||
extraConfig = {
|
|
||||||
owned =
|
|
||||||
if cfg.server.primary
|
|
||||||
then ''
|
|
||||||
allow-update { key rfc2136key.skynet.ie.; };
|
|
||||||
|
|
||||||
dnssec-policy default;
|
|
||||||
inline-signing yes;
|
|
||||||
''
|
|
||||||
else "";
|
|
||||||
|
|
||||||
# no extra config for reverse
|
|
||||||
reverse = "";
|
|
||||||
|
|
||||||
old = "";
|
|
||||||
};
|
|
||||||
|
|
||||||
records =
|
records =
|
||||||
config.skynet.records
|
config.skynet.records
|
||||||
|
/*
|
||||||
|
Need to "manually" grab it from each server.
|
||||||
|
Nix is laxy evalusted so if it does not need to open a file it wont.
|
||||||
|
This is to iterate through each server (node) and evaluate the dns records for that server.
|
||||||
|
*/
|
||||||
++ builtins.concatLists (
|
++ builtins.concatLists (
|
||||||
lib.attrsets.mapAttrsToList (
|
lib.attrsets.mapAttrsToList (
|
||||||
key: value: let
|
key: value: value.config.services.skynet.dns.records
|
||||||
details_server = value.config.skynet_dns.server;
|
|
||||||
details_records = value.config.skynet_dns.records;
|
|
||||||
in
|
|
||||||
if builtins.hasAttr "skynet_dns" value.config
|
|
||||||
then
|
|
||||||
(
|
|
||||||
# got to handle habing a dns record for the dns serves themselves.
|
|
||||||
if details_server.enable
|
|
||||||
then
|
|
||||||
(
|
|
||||||
if details_server.primary
|
|
||||||
then
|
|
||||||
details_records
|
|
||||||
++ [
|
|
||||||
{
|
|
||||||
record = "ns1";
|
|
||||||
r_type = "A";
|
|
||||||
value = details_server.ip;
|
|
||||||
server = false;
|
|
||||||
}
|
|
||||||
]
|
|
||||||
else
|
|
||||||
details_records
|
|
||||||
++ [
|
|
||||||
{
|
|
||||||
record = "ns2";
|
|
||||||
r_type = "A";
|
|
||||||
value = details_server.ip;
|
|
||||||
server = false;
|
|
||||||
}
|
|
||||||
]
|
|
||||||
)
|
|
||||||
else details_records
|
|
||||||
)
|
|
||||||
else []
|
|
||||||
)
|
)
|
||||||
nodes
|
nodes
|
||||||
);
|
);
|
||||||
|
@ -290,12 +267,10 @@
|
||||||
else "ns2";
|
else "ns2";
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
./firewall.nix
|
../../config/dns.nix
|
||||||
../config/dns.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
options = {
|
options.services.skynet."${name}" = {
|
||||||
skynet_dns = {
|
|
||||||
server = {
|
server = {
|
||||||
enable = lib.mkEnableOption {
|
enable = lib.mkEnableOption {
|
||||||
default = false;
|
default = false;
|
||||||
|
@ -316,34 +291,22 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# mirrorred in ../config/dns.nix
|
|
||||||
records = lib.mkOption {
|
records = lib.mkOption {
|
||||||
description = "Records, sorted based on therir type";
|
description = "Records, sorted based on therir type";
|
||||||
type = with lib.types;
|
type = lib.types.listOf (lib.types.submodule (import ./options-records.nix {
|
||||||
listOf (submodule {
|
inherit lib;
|
||||||
options = {
|
}));
|
||||||
record = lib.mkOption {
|
|
||||||
type = str;
|
|
||||||
};
|
|
||||||
r_type = lib.mkOption {
|
|
||||||
type = enum ["A" "CNAME" "TXT" "PTR" "SRV" "MX"];
|
|
||||||
};
|
|
||||||
value = lib.mkOption {
|
|
||||||
type = str;
|
|
||||||
};
|
|
||||||
server = lib.mkOption {
|
|
||||||
description = "Core record for a server";
|
|
||||||
type = bool;
|
|
||||||
default = false;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
});
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf cfg.server.enable {
|
config = lib.mkIf cfg.server.enable {
|
||||||
# services.skynet_backup.normal.backups = ["/etc/skynet/dns"];
|
# logging
|
||||||
|
services.prometheus.exporters.bind = {
|
||||||
|
enable = true;
|
||||||
|
openFirewall = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
# services.skynet.backup.normal.backups = ["/etc/skynet/dns"];
|
||||||
|
|
||||||
# open the firewall for this
|
# open the firewall for this
|
||||||
skynet_firewall.forward = [
|
skynet_firewall.forward = [
|
||||||
|
@ -351,29 +314,40 @@ in {
|
||||||
"ip daddr ${cfg.server.ip} udp dport 53 counter packets 0 bytes 0 accept"
|
"ip daddr ${cfg.server.ip} udp dport 53 counter packets 0 bytes 0 accept"
|
||||||
];
|
];
|
||||||
|
|
||||||
services.bind.zones =
|
services.skynet.dns.records = [
|
||||||
(create_entry_zone "csn.ul.ie" extraConfig.owned)
|
{
|
||||||
// (create_entry_zone "skynet.ie" extraConfig.owned)
|
record = nameserver;
|
||||||
// (create_entry_zone "ulcompsoc.ie" extraConfig.owned)
|
r_type = "A";
|
||||||
// (create_entry_zone "64-64.99.1.193.in-addr.arpa" extraConfig.reverse)
|
value = config.services.skynet.host.ip;
|
||||||
// (create_entry_zone "conradcollins.net" extraConfig.old)
|
}
|
||||||
// (create_entry_zone "edelharty.net" extraConfig.old);
|
];
|
||||||
|
|
||||||
environment.etc =
|
services.bind.zones = lib.attrsets.mergeAttrsList (
|
||||||
(create_entry_etc "csn.ul.ie" "owned")
|
# uses teh domains lsited in teh records
|
||||||
// (create_entry_etc "skynet.ie" "owned")
|
(lib.lists.forEach domains (domain: (create_entry_zone domain)))
|
||||||
// (create_entry_etc "ulcompsoc.ie" "owned")
|
# we have to do a reverse dns
|
||||||
// (create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse")
|
++ [
|
||||||
// (create_entry_etc "conradcollins.net" "old")
|
(create_entry_zone "64-64.99.1.193.in-addr.arpa")
|
||||||
// (create_entry_etc "edelharty.net" "old");
|
]
|
||||||
|
);
|
||||||
|
|
||||||
|
environment.etc = lib.attrsets.mergeAttrsList (
|
||||||
|
# uses teh domains lsited in teh records
|
||||||
|
(lib.lists.forEach domains (domain: (create_entry_etc domain "owned")))
|
||||||
|
# we have to do a reverse dns
|
||||||
|
++ [
|
||||||
|
(create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse")
|
||||||
|
]
|
||||||
|
);
|
||||||
|
|
||||||
# secrets required
|
# secrets required
|
||||||
age.secrets.dns_dnskeys = {
|
age.secrets.dns_dnskeys = {
|
||||||
file = ../secrets/dns_dnskeys.conf.age;
|
file = ../../secrets/dns_dnskeys.conf.age;
|
||||||
owner = "named";
|
owner = "named";
|
||||||
group = "named";
|
group = "named";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# basic but ensure teh dns ports are open
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
allowedTCPPorts = [53];
|
allowedTCPPorts = [53];
|
||||||
allowedUDPPorts = [53];
|
allowedUDPPorts = [53];
|
||||||
|
@ -387,6 +361,10 @@ in {
|
||||||
# need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns
|
# need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
include "/run/agenix/dns_dnskeys";
|
include "/run/agenix/dns_dnskeys";
|
||||||
|
|
||||||
|
statistics-channels {
|
||||||
|
inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
|
||||||
|
};
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# piles of no valid RRSIG resolving 'com/DS/IN' errors
|
# piles of no valid RRSIG resolving 'com/DS/IN' errors
|
31
applications/dns/options-records.nix
Normal file
31
applications/dns/options-records.nix
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
/*
|
||||||
|
Define the options for dns records here.
|
||||||
|
They are imported into anything that needs to use them
|
||||||
|
*/
|
||||||
|
{lib, ...}:
|
||||||
|
with lib; {
|
||||||
|
options = {
|
||||||
|
domain = lib.mkOption {
|
||||||
|
description = "Domain this record is for";
|
||||||
|
type = lib.types.str;
|
||||||
|
default = "skynet.ie";
|
||||||
|
};
|
||||||
|
record = lib.mkOption {
|
||||||
|
description = "What you want to name the subdomain.";
|
||||||
|
type = lib.types.str;
|
||||||
|
};
|
||||||
|
r_type = lib.mkOption {
|
||||||
|
description = "Type of record that this is.";
|
||||||
|
type = lib.types.enum ["A" "CNAME" "TXT" "PTR" "SRV" "MX"];
|
||||||
|
};
|
||||||
|
value = lib.mkOption {
|
||||||
|
description = "What the record points to, normally ip or another record.";
|
||||||
|
type = lib.types.str;
|
||||||
|
};
|
||||||
|
server = lib.mkOption {
|
||||||
|
description = "Core record for a server";
|
||||||
|
type = lib.types.bool;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -6,7 +6,8 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
cfg = config.services.skynet_email;
|
name = "email";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
|
||||||
# create teh new strings
|
# create teh new strings
|
||||||
create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})");
|
create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})");
|
||||||
|
@ -91,7 +92,7 @@ with lib; let
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
configFile =
|
sieveConfigFile =
|
||||||
# https://doc.dovecot.org/configuration_manual/sieve/examples/#plus-addressed-mail-filtering
|
# https://doc.dovecot.org/configuration_manual/sieve/examples/#plus-addressed-mail-filtering
|
||||||
pkgs.writeText "basic_sieve"
|
pkgs.writeText "basic_sieve"
|
||||||
''
|
''
|
||||||
|
@ -104,45 +105,47 @@ with lib; let
|
||||||
|
|
||||||
# this should be close to teh last step
|
# this should be close to teh last step
|
||||||
if allof (
|
if allof (
|
||||||
address :localpart ["To"] ["${toString create_config_to}"],
|
address :localpart ["To", "Cc"] ["${toString create_config_to}"],
|
||||||
address :domain ["To"] "skynet.ie"
|
address :domain ["To", "Cc"] "skynet.ie"
|
||||||
){
|
){
|
||||||
if address :matches ["To"] "*@skynet.ie" {
|
if address :matches ["To", "Cc"] "*@skynet.ie" {
|
||||||
if header :is "X-Spam" "Yes" {
|
if header :is "X-Spam" "Yes" {
|
||||||
fileinto :create "''${1}.Junk";
|
fileinto :create "''${1}.Junk";
|
||||||
stop;
|
stop;
|
||||||
} else {
|
} else {
|
||||||
fileinto :create "''${1}";
|
fileinto :create "''${1}";
|
||||||
|
stop;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if allof (
|
||||||
|
address :localpart ["From"] ["${toString create_config_to}"],
|
||||||
|
address :domain ["From"] "skynet.ie"
|
||||||
|
){
|
||||||
|
if address :matches ["From"] "*@skynet.ie" {
|
||||||
|
if header :is "X-Spam" "Yes" {
|
||||||
|
fileinto :create "''${1}.Junk";
|
||||||
|
stop;
|
||||||
|
} else {
|
||||||
|
fileinto :create "''${1}";
|
||||||
|
stop;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
./dns.nix
|
|
||||||
./acme.nix
|
|
||||||
./nginx.nix
|
|
||||||
inputs.simple-nixos-mailserver.nixosModule
|
inputs.simple-nixos-mailserver.nixosModule
|
||||||
|
|
||||||
# for teh config
|
# for teh config
|
||||||
../config/users.nix
|
../config/users.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
options.services.skynet_email = {
|
options.services.skynet."${name}" = {
|
||||||
# options that need to be passed in to make this work
|
# options that need to be passed in to make this work
|
||||||
|
|
||||||
enable = mkEnableOption "Skynet Email";
|
enable = mkEnableOption "Skynet Email";
|
||||||
|
|
||||||
host = {
|
|
||||||
ip = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
|
|
||||||
name = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
domain = mkOption {
|
domain = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "skynet.ie";
|
default = "skynet.ie";
|
||||||
|
@ -198,8 +201,8 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
services.skynet_backup.normal.backups = [
|
services.skynet.backup.normal.backups = [
|
||||||
"/var/vmail"
|
#"/var/vmail"
|
||||||
"/var/dkim"
|
"/var/dkim"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -245,12 +248,6 @@ in {
|
||||||
|
|
||||||
# to provide the certs
|
# to provide the certs
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"${cfg.host.ip}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
useACMEHost = "skynet";
|
|
||||||
locations."/".return = "307 https://skynet.ie";
|
|
||||||
};
|
|
||||||
|
|
||||||
"mail.skynet.ie" = {
|
"mail.skynet.ie" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = "mail";
|
useACMEHost = "mail";
|
||||||
|
@ -285,12 +282,21 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
# set up dns record for it
|
# set up dns record for it
|
||||||
skynet_dns.records = [
|
services.skynet.dns.records =
|
||||||
|
[
|
||||||
|
# core record
|
||||||
|
{
|
||||||
|
record = "@";
|
||||||
|
r_type = "MX";
|
||||||
|
# the number is the priority in teh case of multiple mailservers
|
||||||
|
value = "10 mail.${cfg.domain}.";
|
||||||
|
}
|
||||||
|
|
||||||
# basic one
|
# basic one
|
||||||
{
|
{
|
||||||
record = "mail";
|
record = "mail";
|
||||||
r_type = "A";
|
r_type = "A";
|
||||||
value = cfg.host.ip;
|
value = config.services.skynet.host.ip;
|
||||||
}
|
}
|
||||||
#DNS config for K-9 Mail
|
#DNS config for K-9 Mail
|
||||||
{
|
{
|
||||||
|
@ -310,41 +316,10 @@ in {
|
||||||
}
|
}
|
||||||
|
|
||||||
# TXT records, all tehse are inside escaped strings to allow using ""
|
# TXT records, all tehse are inside escaped strings to allow using ""
|
||||||
# SPF record
|
|
||||||
{
|
|
||||||
record = "${cfg.domain}.";
|
|
||||||
r_type = "TXT";
|
|
||||||
value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"'';
|
|
||||||
}
|
|
||||||
|
|
||||||
# DKIM keys
|
|
||||||
{
|
|
||||||
record = "mail._domainkey.skynet.ie.";
|
|
||||||
r_type = "TXT";
|
|
||||||
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = "mail._domainkey.ulcompsoc.ie.";
|
|
||||||
r_type = "TXT";
|
|
||||||
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';
|
|
||||||
}
|
|
||||||
|
|
||||||
# DMARC
|
|
||||||
{
|
|
||||||
record = "_dmarc.${cfg.domain}.";
|
|
||||||
r_type = "TXT";
|
|
||||||
# p : quarantine => sends to spam, reject => never sent
|
|
||||||
# rua : mail that receives reports about DMARC activity
|
|
||||||
# pct : percentage of unathenticated messages that DMARC stops
|
|
||||||
# adkim : alignment policy for DKIM, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
|
|
||||||
# aspf : alignment policy for SPF, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
|
|
||||||
# sp : DMARC policy for subdomains, none => no action, reports to rua, quarantine => spam, reject => never sent
|
|
||||||
value = ''"v=DMARC1; p=quarantine; rua=mailto:mailman@skynet.ie; pct=100; adkim=s; aspf=s; sp=none"'';
|
|
||||||
}
|
|
||||||
|
|
||||||
# reverse pointer
|
# reverse pointer
|
||||||
{
|
{
|
||||||
record = cfg.host.ip;
|
record = config.services.skynet.host.ip;
|
||||||
r_type = "PTR";
|
r_type = "PTR";
|
||||||
value = "${cfg.sub}.${cfg.domain}.";
|
value = "${cfg.sub}.${cfg.domain}.";
|
||||||
}
|
}
|
||||||
|
@ -373,6 +348,42 @@ in {
|
||||||
r_type = "SRV";
|
r_type = "SRV";
|
||||||
value = "0 1 587 ${cfg.sub}.${cfg.domain}.";
|
value = "0 1 587 ${cfg.sub}.${cfg.domain}.";
|
||||||
}
|
}
|
||||||
|
]
|
||||||
|
# SPF record
|
||||||
|
++ [
|
||||||
|
{
|
||||||
|
record = "${cfg.domain}.";
|
||||||
|
r_type = "TXT";
|
||||||
|
value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} ip4:${config.services.skynet.host.ip} -all"'';
|
||||||
|
}
|
||||||
|
]
|
||||||
|
# DKIM keys
|
||||||
|
++ [
|
||||||
|
{
|
||||||
|
record = "mail._domainkey.skynet.ie.";
|
||||||
|
r_type = "TXT";
|
||||||
|
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';
|
||||||
|
}
|
||||||
|
{
|
||||||
|
domain = "ulcompsoc.ie";
|
||||||
|
record = "mail._domainkey.ulcompsoc.ie.";
|
||||||
|
r_type = "TXT";
|
||||||
|
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';
|
||||||
|
}
|
||||||
|
]
|
||||||
|
# DMARC
|
||||||
|
++ [
|
||||||
|
{
|
||||||
|
record = "_dmarc.${cfg.domain}.";
|
||||||
|
r_type = "TXT";
|
||||||
|
# p : quarantine => sends to spam, reject => never sent
|
||||||
|
# rua : mail that receives reports about DMARC activity
|
||||||
|
# pct : percentage of unathenticated messages that DMARC stops
|
||||||
|
# adkim : alignment policy for DKIM, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
|
||||||
|
# aspf : alignment policy for SPF, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
|
||||||
|
# sp : DMARC policy for subdomains, none => no action, reports to rua, quarantine => spam, reject => never sent
|
||||||
|
value = ''"v=DMARC1; p=quarantine; rua=mailto:mailman@skynet.ie; pct=100; adkim=s; aspf=s; sp=quarantine"'';
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
#https://nixos-mailserver.readthedocs.io/en/latest/add-roundcube.html
|
#https://nixos-mailserver.readthedocs.io/en/latest/add-roundcube.html
|
||||||
|
@ -466,7 +477,40 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
services.dovecot2.sieve.scripts = {
|
services.dovecot2.sieve.scripts = {
|
||||||
before = configFile;
|
before = sieveConfigFile;
|
||||||
|
};
|
||||||
|
|
||||||
|
# This is to add a bcc to outgoing mail
|
||||||
|
# this then interacts with teh filters to put it in the right folder
|
||||||
|
# we can directly add to the postfix service here
|
||||||
|
services.postfix = let
|
||||||
|
# mostly copied from the upstream mailserver config/functions
|
||||||
|
mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
|
||||||
|
|
||||||
|
sender_bcc_maps_file = let
|
||||||
|
content = lookupTableToString create_skynet_service_bcc;
|
||||||
|
in
|
||||||
|
builtins.toFile "sender_bcc_maps" content;
|
||||||
|
|
||||||
|
lookupTableToString = attrs: let
|
||||||
|
valueToString = value: lib.concatStringsSep ", " value;
|
||||||
|
in
|
||||||
|
lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "${name} ${valueToString value}") attrs);
|
||||||
|
|
||||||
|
# convert the mailboxes config to something that can be used here
|
||||||
|
create_skynet_email_bcc = mailbox: {
|
||||||
|
name = "${mailbox}@skynet.ie";
|
||||||
|
value = ["${mailbox}@skynet.ie"];
|
||||||
|
};
|
||||||
|
create_skynet_service_bcc = builtins.listToAttrs (map (mailbox: (create_skynet_email_bcc mailbox.account)) service_mailboxes);
|
||||||
|
in {
|
||||||
|
mapFiles."sender_bcc_maps" = sender_bcc_maps_file;
|
||||||
|
|
||||||
|
config = {
|
||||||
|
sender_bcc_maps = [
|
||||||
|
(mappedFile "sender_bcc_maps")
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# tune the spam filter
|
# tune the spam filter
|
||||||
|
|
129
applications/git/forgejo.nix
Normal file
129
applications/git/forgejo.nix
Normal file
|
@ -0,0 +1,129 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
with lib; let
|
||||||
|
name = "forgejo";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
|
||||||
|
domain_base = "${cfg.domain.base}.${cfg.domain.tld}";
|
||||||
|
domain_full = "${cfg.domain.sub}.${domain_base}";
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
];
|
||||||
|
|
||||||
|
options.services.skynet."${name}" = {
|
||||||
|
enable = mkEnableOption "Skynet Forgejo";
|
||||||
|
|
||||||
|
domain = {
|
||||||
|
tld = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "ie";
|
||||||
|
};
|
||||||
|
|
||||||
|
base = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "skynet";
|
||||||
|
};
|
||||||
|
|
||||||
|
sub = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = name;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
forgejo = {
|
||||||
|
port = mkOption {
|
||||||
|
type = types.port;
|
||||||
|
default = 3000;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
# age.secrets.forgejo-mailer-password = {
|
||||||
|
# file = ../../secrets/forgejo/mailer-password.age;
|
||||||
|
# mode = "400";
|
||||||
|
# owner = "forgejo";
|
||||||
|
# };
|
||||||
|
|
||||||
|
services.skynet.acme.domains = [
|
||||||
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
|
];
|
||||||
|
|
||||||
|
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
|
||||||
|
services.skynet.dns.records = [
|
||||||
|
{
|
||||||
|
record = cfg.domain.sub;
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = config.services.skynet.host.name;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
services.nginx.virtualHosts = {
|
||||||
|
# main site
|
||||||
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "skynet";
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://localhost:${toString cfg.forgejo.port}";
|
||||||
|
extraConfig = ''
|
||||||
|
client_max_body_size 1000M;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# for signing reasons
|
||||||
|
programs.gnupg.agent = {
|
||||||
|
enable = true;
|
||||||
|
enableSSHSupport = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.forgejo = {
|
||||||
|
enable = true;
|
||||||
|
package = pkgs.forgejo;
|
||||||
|
database.type = "sqlite3";
|
||||||
|
# Enable support for Git Large File Storage
|
||||||
|
lfs.enable = true;
|
||||||
|
settings = {
|
||||||
|
server = {
|
||||||
|
DOMAIN = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
|
||||||
|
# You need to specify this to remove the port from URLs in the web UI.
|
||||||
|
ROOT_URL = "https://${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}/";
|
||||||
|
HTTP_PORT = cfg.forgejo.port;
|
||||||
|
};
|
||||||
|
|
||||||
|
# You can temporarily allow registration to create an admin user.
|
||||||
|
service.DISABLE_REGISTRATION = true;
|
||||||
|
|
||||||
|
# Add support for actions, based on act: https://github.com/nektos/act
|
||||||
|
actions = {
|
||||||
|
ENABLED = true;
|
||||||
|
DEFAULT_ACTIONS_URL = "github";
|
||||||
|
};
|
||||||
|
|
||||||
|
# Allow for signing off merge requests
|
||||||
|
# "repository.signing" = {
|
||||||
|
# SIGNING_KEY = "5B2DED0FE9F8627A";
|
||||||
|
# SIGNING_NAME = "Skynet";
|
||||||
|
# SIGNING_EMAIL = "forgejo@glados.skynet.ie";
|
||||||
|
# MERGES = "always";
|
||||||
|
# };
|
||||||
|
|
||||||
|
# Sending emails is completely optional
|
||||||
|
# You can send a test email from the web UI at:
|
||||||
|
# Profile Picture > Site Administration > Configuration > Mailer Configuration
|
||||||
|
# mailer = {
|
||||||
|
# ENABLED = true;
|
||||||
|
# SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}";
|
||||||
|
# FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
|
||||||
|
# USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
|
||||||
|
# };
|
||||||
|
};
|
||||||
|
# mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
159
applications/git/forgejo_runner.nix
Normal file
159
applications/git/forgejo_runner.nix
Normal file
|
@ -0,0 +1,159 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
inputs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
with lib; let
|
||||||
|
name = "forgejo_runner";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
];
|
||||||
|
|
||||||
|
options.services.skynet."${name}" = {
|
||||||
|
enable = mkEnableOption "Skynet ForgeJo Runner";
|
||||||
|
|
||||||
|
runner = {
|
||||||
|
name = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = config.networking.hostName;
|
||||||
|
};
|
||||||
|
|
||||||
|
website = mkOption {
|
||||||
|
default = "https://forgejo.skynet.ie";
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
|
|
||||||
|
user = mkOption {
|
||||||
|
default = "gitea-runner";
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
# https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
forgejo-actions-runner
|
||||||
|
];
|
||||||
|
|
||||||
|
age.secrets.forgejo_runner_token = {
|
||||||
|
file = ../../secrets/forgejo/runners/token.age;
|
||||||
|
owner = cfg.runner.user;
|
||||||
|
group = cfg.runner.user;
|
||||||
|
};
|
||||||
|
|
||||||
|
# make sure the ssh config stuff is in teh right palce
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
#"d /home/${cfg.runner.user} 0755 ${cfg.runner.user} ${cfg.runner.user}"
|
||||||
|
"L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user} - ${./ssh_config}"
|
||||||
|
];
|
||||||
|
age.secrets.forgejo_runner_ssh = {
|
||||||
|
file = ../../secrets/forgejo/runners/ssh.age;
|
||||||
|
mode = "600";
|
||||||
|
owner = "${cfg.runner.user}";
|
||||||
|
group = "${cfg.runner.user}";
|
||||||
|
symlink = false;
|
||||||
|
path = "/home/${cfg.runner.user}/.ssh/skynet/root";
|
||||||
|
};
|
||||||
|
|
||||||
|
nix = {
|
||||||
|
settings = {
|
||||||
|
trusted-users = [
|
||||||
|
# allow the runner to build nix stuff and to use the cache
|
||||||
|
"gitea-runner"
|
||||||
|
];
|
||||||
|
trusted-public-keys = [
|
||||||
|
"skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo="
|
||||||
|
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
|
||||||
|
];
|
||||||
|
substituters = [
|
||||||
|
"https://nix-cache.skynet.ie/skynet-cache/"
|
||||||
|
"https://cache.nixos.org/"
|
||||||
|
];
|
||||||
|
trusted-substituters = [
|
||||||
|
"https://nix-cache.skynet.ie/skynet-cache/"
|
||||||
|
"https://cache.nixos.org/"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# very basic setup to always be watching for changes in teh cache
|
||||||
|
systemd.services.attic-uploader = {
|
||||||
|
enable = true;
|
||||||
|
serviceConfig = {
|
||||||
|
ExecStart = "${pkgs.attic-client}/bin/attic watch-store skynet-cache";
|
||||||
|
User = "root";
|
||||||
|
Restart = "always";
|
||||||
|
RestartSec = 1;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# give teh runner user a home to store teh ssh config stuff
|
||||||
|
systemd.services.gitea-runner-default.serviceConfig = {
|
||||||
|
DynamicUser = lib.mkForce false;
|
||||||
|
User = lib.mkForce cfg.runner.user;
|
||||||
|
};
|
||||||
|
users = {
|
||||||
|
groups."${cfg.runner.user}" = {};
|
||||||
|
users."${cfg.runner.user}" = {
|
||||||
|
#isSystemUser = true;
|
||||||
|
isNormalUser = true;
|
||||||
|
group = cfg.runner.user;
|
||||||
|
createHome = true;
|
||||||
|
shell = pkgs.bash;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
|
||||||
|
virtualisation.docker.enable = true;
|
||||||
|
|
||||||
|
# taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
|
||||||
|
virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"];
|
||||||
|
|
||||||
|
# the actual runner
|
||||||
|
services.gitea-actions-runner = {
|
||||||
|
package = pkgs.forgejo-actions-runner;
|
||||||
|
instances.default = {
|
||||||
|
enable = true;
|
||||||
|
name = cfg.runner.name;
|
||||||
|
url = cfg.runner.website;
|
||||||
|
tokenFile = config.age.secrets.forgejo_runner_token.path;
|
||||||
|
labels = [
|
||||||
|
## optionally provide native execution on the host:
|
||||||
|
"nix:host"
|
||||||
|
"docker:docker://node:22-bookworm"
|
||||||
|
"ubuntu-latest:docker://node:22-bookworm"
|
||||||
|
];
|
||||||
|
|
||||||
|
hostPackages = with pkgs; [
|
||||||
|
# default ones
|
||||||
|
bash
|
||||||
|
coreutils
|
||||||
|
curl
|
||||||
|
gawk
|
||||||
|
git
|
||||||
|
gnused
|
||||||
|
nodejs
|
||||||
|
wget
|
||||||
|
|
||||||
|
# useful to have in path
|
||||||
|
jq
|
||||||
|
which
|
||||||
|
dpkg
|
||||||
|
zip
|
||||||
|
git-lfs
|
||||||
|
|
||||||
|
# used in deployments
|
||||||
|
inputs.colmena.defaultPackage."x86_64-linux"
|
||||||
|
attic-client
|
||||||
|
lix
|
||||||
|
openssh
|
||||||
|
sudo
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -5,31 +5,18 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
cfg = config.services.skynet_gitlab;
|
name = "gitlab";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
|
||||||
domain_base = "${cfg.domain.base}.${cfg.domain.tld}";
|
domain_base = "${cfg.domain.base}.${cfg.domain.tld}";
|
||||||
domain_full = "${cfg.domain.sub}.${domain_base}";
|
domain_full = "${cfg.domain.sub}.${domain_base}";
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
./acme.nix
|
|
||||||
./dns.nix
|
|
||||||
./firewall.nix
|
|
||||||
./nginx.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
options.services.skynet_gitlab = {
|
options.services.skynet."${name}" = {
|
||||||
enable = mkEnableOption "Skynet Gitlab";
|
enable = mkEnableOption "Skynet Gitlab";
|
||||||
|
|
||||||
host = {
|
|
||||||
ip = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
|
|
||||||
name = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
domain = {
|
domain = {
|
||||||
tld = mkOption {
|
tld = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
@ -43,7 +30,7 @@ in {
|
||||||
|
|
||||||
sub = mkOption {
|
sub = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "gitlab";
|
default = name;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -69,54 +56,54 @@ in {
|
||||||
# grep -r --exclude-dir={docker,containers,log,sys,nix,proc} gitlab /
|
# grep -r --exclude-dir={docker,containers,log,sys,nix,proc} gitlab /
|
||||||
|
|
||||||
age.secrets.gitlab_pw = {
|
age.secrets.gitlab_pw = {
|
||||||
file = ../secrets/gitlab/pw.age;
|
file = ../../secrets/gitlab/pw.age;
|
||||||
owner = cfg.user;
|
owner = cfg.user;
|
||||||
group = cfg.user;
|
group = cfg.user;
|
||||||
};
|
};
|
||||||
age.secrets.gitlab_secrets_db = {
|
age.secrets.gitlab_secrets_db = {
|
||||||
file = ../secrets/gitlab/secrets_db.age;
|
file = ../../secrets/gitlab/secrets_db.age;
|
||||||
owner = cfg.user;
|
owner = cfg.user;
|
||||||
group = cfg.user;
|
group = cfg.user;
|
||||||
};
|
};
|
||||||
age.secrets.gitlab_secrets_secret = {
|
age.secrets.gitlab_secrets_secret = {
|
||||||
file = ../secrets/gitlab/secrets_secret.age;
|
file = ../../secrets/gitlab/secrets_secret.age;
|
||||||
owner = cfg.user;
|
owner = cfg.user;
|
||||||
group = cfg.user;
|
group = cfg.user;
|
||||||
};
|
};
|
||||||
age.secrets.gitlab_secrets_otp = {
|
age.secrets.gitlab_secrets_otp = {
|
||||||
file = ../secrets/gitlab/secrets_otp.age;
|
file = ../../secrets/gitlab/secrets_otp.age;
|
||||||
owner = cfg.user;
|
owner = cfg.user;
|
||||||
group = cfg.user;
|
group = cfg.user;
|
||||||
};
|
};
|
||||||
age.secrets.gitlab_secrets_jws = {
|
age.secrets.gitlab_secrets_jws = {
|
||||||
file = ../secrets/gitlab/secrets_jws.age;
|
file = ../../secrets/gitlab/secrets_jws.age;
|
||||||
owner = cfg.user;
|
owner = cfg.user;
|
||||||
group = cfg.user;
|
group = cfg.user;
|
||||||
};
|
};
|
||||||
age.secrets.gitlab_db_pw = {
|
age.secrets.gitlab_db_pw = {
|
||||||
file = ../secrets/gitlab/db_pw.age;
|
file = ../../secrets/gitlab/db_pw.age;
|
||||||
owner = cfg.user;
|
owner = cfg.user;
|
||||||
group = cfg.user;
|
group = cfg.user;
|
||||||
};
|
};
|
||||||
|
|
||||||
skynet_acme.domains = [
|
services.skynet.acme.domains = [
|
||||||
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
# Lets Encrypt seems to have a 4 levels limit for certs
|
# Lets Encrypt seems to have a 4 levels limit for certs
|
||||||
"*.pages.${cfg.domain.base}.${cfg.domain.tld}"
|
"*.pages.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
];
|
];
|
||||||
|
|
||||||
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
|
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
|
||||||
skynet_dns.records = [
|
services.skynet.dns.records = [
|
||||||
{
|
{
|
||||||
record = cfg.domain.sub;
|
record = cfg.domain.sub;
|
||||||
r_type = "A";
|
r_type = "A";
|
||||||
value = cfg.host.ip;
|
value = config.services.skynet.host.ip;
|
||||||
}
|
}
|
||||||
# for gitlab pages
|
# for gitlab pages
|
||||||
{
|
{
|
||||||
record = "*.pages.${cfg.domain.base}.${cfg.domain.tld}.";
|
record = "*.pages.${cfg.domain.base}.${cfg.domain.tld}.";
|
||||||
r_type = "A";
|
r_type = "A";
|
||||||
value = cfg.host.ip;
|
value = config.services.skynet.host.ip;
|
||||||
}
|
}
|
||||||
|
|
||||||
# for email
|
# for email
|
||||||
|
@ -126,7 +113,7 @@ in {
|
||||||
value = ''10 ${domain_full}.'';
|
value = ''10 ${domain_full}.'';
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
record = cfg.host.ip;
|
record = config.services.skynet.host.ip;
|
||||||
r_type = "PTR";
|
r_type = "PTR";
|
||||||
value = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}.";
|
value = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}.";
|
||||||
}
|
}
|
||||||
|
@ -150,17 +137,16 @@ in {
|
||||||
services.openssh.ports = [22 2222];
|
services.openssh.ports = [22 2222];
|
||||||
|
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"${cfg.host.ip}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
useACMEHost = "skynet";
|
|
||||||
locations."/".return = "307 https://skynet.ie";
|
|
||||||
};
|
|
||||||
|
|
||||||
# main site
|
# main site
|
||||||
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = "skynet";
|
useACMEHost = "skynet";
|
||||||
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
locations."/" = {
|
||||||
|
proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
|
||||||
|
extraConfig = ''
|
||||||
|
client_max_body_size 1000M;
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# pages
|
# pages
|
||||||
|
@ -258,7 +244,7 @@ in {
|
||||||
# default for pages is set to 8090 but that leaves an "ugly" port in the url,
|
# default for pages is set to 8090 but that leaves an "ugly" port in the url,
|
||||||
# override it here to make it look good
|
# override it here to make it look good
|
||||||
port = 80;
|
port = 80;
|
||||||
#external_http = ["${cfg.host.ip}:80"];
|
#external_http = ["${config.services.skynet.host.ip}:80"];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
5
applications/git/ssh_config
Normal file
5
applications/git/ssh_config
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
Host *.skynet.ie 193.1.99.* 193.1.96.165
|
||||||
|
User root
|
||||||
|
IdentityFile ~/.ssh/skynet/root
|
||||||
|
IdentitiesOnly yes
|
||||||
|
|
|
@ -1,121 +0,0 @@
|
||||||
{
|
|
||||||
config,
|
|
||||||
pkgs,
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
with lib; let
|
|
||||||
cfg = config.services.skynet_gitlab_runner;
|
|
||||||
in {
|
|
||||||
imports = [
|
|
||||||
];
|
|
||||||
|
|
||||||
options.services.skynet_gitlab_runner = {
|
|
||||||
enable = mkEnableOption "Skynet Gitlab Runner";
|
|
||||||
|
|
||||||
runner = {
|
|
||||||
name = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
|
|
||||||
gitlab = mkOption {
|
|
||||||
default = "https://gitlab.skynet.ie";
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
|
|
||||||
description = mkOption {
|
|
||||||
default = cfg.runner.name;
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
|
|
||||||
docker = {
|
|
||||||
image = mkOption {
|
|
||||||
default = "alpine:3.18.4";
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
|
|
||||||
cleanup_dates = mkOption {
|
|
||||||
# https://man.archlinux.org/man/systemd.time.7#CALENDAR_EVENTS
|
|
||||||
# it will use a lot of storage so clear it daily, may change to hourly if required
|
|
||||||
default = "daily";
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
# https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
|
|
||||||
environment.systemPackages = [
|
|
||||||
pkgs.gitlab-runner
|
|
||||||
];
|
|
||||||
|
|
||||||
age.secrets.runner_01_nix.file = ../secrets/gitlab/runners/runner01.age;
|
|
||||||
age.secrets.runner_02_general.file = ../secrets/gitlab/runners/runner02.age;
|
|
||||||
|
|
||||||
boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
|
|
||||||
virtualisation.docker.enable = true;
|
|
||||||
|
|
||||||
# taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
|
|
||||||
virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"];
|
|
||||||
|
|
||||||
services.gitlab-runner = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
# clear-docker-cache = {
|
|
||||||
# enable = true;
|
|
||||||
# dates = cfg.runner.docker.cleanup_dates;
|
|
||||||
# };
|
|
||||||
|
|
||||||
services = {
|
|
||||||
# might make a function later to have multiple runners, might never need it though
|
|
||||||
runner_nix = {
|
|
||||||
cloneUrl = cfg.runner.gitlab;
|
|
||||||
description = "For Nix only";
|
|
||||||
registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
|
|
||||||
registrationConfigFile = config.age.secrets.runner_01_nix.path;
|
|
||||||
dockerImage = cfg.runner.docker.image;
|
|
||||||
|
|
||||||
# from https://nixos.wiki/wiki/Gitlab_runner
|
|
||||||
dockerVolumes = [
|
|
||||||
"/nix/store:/nix/store:ro"
|
|
||||||
"/nix/var/nix/db:/nix/var/nix/db:ro"
|
|
||||||
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
|
|
||||||
];
|
|
||||||
dockerDisableCache = true;
|
|
||||||
preBuildScript = pkgs.writeScript "setup-container" ''
|
|
||||||
mkdir -p -m 0755 /nix/var/log/nix/drvs
|
|
||||||
mkdir -p -m 0755 /nix/var/nix/gcroots
|
|
||||||
mkdir -p -m 0755 /nix/var/nix/profiles
|
|
||||||
mkdir -p -m 0755 /nix/var/nix/temproots
|
|
||||||
mkdir -p -m 0755 /nix/var/nix/userpool
|
|
||||||
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
|
|
||||||
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
|
|
||||||
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
|
|
||||||
mkdir -p -m 0700 "$HOME/.nix-defexpr"
|
|
||||||
. ${pkgs.nix}/etc/profile.d/nix-daemon.sh
|
|
||||||
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-unstable nixpkgs # 3
|
|
||||||
${pkgs.nix}/bin/nix-channel --update nixpkgs
|
|
||||||
${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [nix cacert git openssh])}
|
|
||||||
'';
|
|
||||||
environmentVariables = {
|
|
||||||
ENV = "/etc/profile";
|
|
||||||
USER = "root";
|
|
||||||
NIX_REMOTE = "daemon";
|
|
||||||
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
|
|
||||||
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
|
|
||||||
};
|
|
||||||
tagList = ["nix"];
|
|
||||||
};
|
|
||||||
|
|
||||||
runner_general = {
|
|
||||||
cloneUrl = cfg.runner.gitlab;
|
|
||||||
description = "General Runner";
|
|
||||||
registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
|
|
||||||
registrationConfigFile = config.age.secrets.runner_02_general.path;
|
|
||||||
dockerImage = cfg.runner.docker.image;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
79
applications/grafana.nix
Normal file
79
applications/grafana.nix
Normal file
|
@ -0,0 +1,79 @@
|
||||||
|
{
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
with lib; let
|
||||||
|
name = "grafana";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
port = 4444;
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
];
|
||||||
|
|
||||||
|
options.services.skynet."${name}" = {
|
||||||
|
enable = mkEnableOption "Grafana Server";
|
||||||
|
|
||||||
|
datasource = {
|
||||||
|
name = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
|
|
||||||
|
url = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
services.skynet.dns.records = [
|
||||||
|
{
|
||||||
|
record = "${name}";
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = config.services.skynet.host.name;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
services.skynet.acme.domains = [
|
||||||
|
"${name}.skynet.ie"
|
||||||
|
];
|
||||||
|
|
||||||
|
age.secrets.grafana_pw = {
|
||||||
|
file = ../secrets/grafana/pw.age;
|
||||||
|
owner = "grafana";
|
||||||
|
group = "grafana";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.grafana = {
|
||||||
|
enable = true;
|
||||||
|
domain = "${name}.skynet.ie";
|
||||||
|
port = port;
|
||||||
|
|
||||||
|
settings.security.admin_password = "$__file{${config.age.secrets.grafana_pw.path}}";
|
||||||
|
|
||||||
|
provision = {
|
||||||
|
enable = true;
|
||||||
|
datasources.settings.datasources = [
|
||||||
|
{
|
||||||
|
name = "Prometheus";
|
||||||
|
type = "prometheus";
|
||||||
|
url = "http://localhost:${toString config.services.skynet.prometheus.server.port}";
|
||||||
|
isDefault = true;
|
||||||
|
editable = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts = {
|
||||||
|
"${name}.skynet.ie" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "skynet";
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://localhost:${toString port}";
|
||||||
|
proxyWebsockets = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -6,30 +6,18 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
cfg = config.services.ldap_backend;
|
name = "ldap_backend";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
port_backend = "8087";
|
port_backend = "8087";
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../acme.nix
|
|
||||||
../dns.nix
|
|
||||||
../nginx.nix
|
|
||||||
inputs.skynet_ldap_backend.nixosModule."x86_64-linux"
|
inputs.skynet_ldap_backend.nixosModule."x86_64-linux"
|
||||||
../../config/users.nix
|
../../config/users.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
options.services.ldap_backend = {
|
options.services.skynet."${name}" = {
|
||||||
enable = mkEnableOption "Skynet LDAP backend server";
|
enable = mkEnableOption "Skynet LDAP backend server";
|
||||||
|
|
||||||
host = {
|
|
||||||
ip = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
|
|
||||||
name = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
domain = {
|
domain = {
|
||||||
tld = mkOption {
|
tld = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
@ -52,19 +40,18 @@ in {
|
||||||
#backups = [ "/etc/silver_ul_ical/database.db" ];
|
#backups = [ "/etc/silver_ul_ical/database.db" ];
|
||||||
|
|
||||||
age.secrets.ldap_details.file = ../../secrets/ldap/details.age;
|
age.secrets.ldap_details.file = ../../secrets/ldap/details.age;
|
||||||
age.secrets.ldap_discord.file = ../../secrets/discord/ldap.age;
|
|
||||||
age.secrets.ldap_mail.file = ../../secrets/email/details.age;
|
age.secrets.ldap_mail.file = ../../secrets/email/details.age;
|
||||||
age.secrets.ldap_wolves.file = ../../secrets/wolves/details.age;
|
age.secrets.ldap_wolves.file = ../../secrets/wolves/details.age;
|
||||||
|
|
||||||
skynet_acme.domains = [
|
services.skynet.acme.domains = [
|
||||||
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
];
|
];
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet.dns.records = [
|
||||||
{
|
{
|
||||||
record = cfg.domain.sub;
|
record = cfg.domain.sub;
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = cfg.host.name;
|
value = config.services.skynet.host.name;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -74,13 +61,13 @@ in {
|
||||||
locations."/".proxyPass = "http://localhost:${port_backend}";
|
locations."/".proxyPass = "http://localhost:${port_backend}";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# this got imported
|
||||||
services.skynet_ldap_backend = {
|
services.skynet_ldap_backend = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
# contains teh password in env form
|
# contains teh password in env form
|
||||||
env = {
|
env = {
|
||||||
ldap = config.age.secrets.ldap_details.path;
|
ldap = config.age.secrets.ldap_details.path;
|
||||||
discord = config.age.secrets.ldap_discord.path;
|
|
||||||
mail = config.age.secrets.ldap_mail.path;
|
mail = config.age.secrets.ldap_mail.path;
|
||||||
wolves = config.age.secrets.ldap_wolves.path;
|
wolves = config.age.secrets.ldap_wolves.path;
|
||||||
};
|
};
|
||||||
|
|
|
@ -5,7 +5,8 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
cfg = config.services.skynet_ldap_client;
|
name = "ldap_client";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
|
||||||
# always ensure the admin group has access
|
# always ensure the admin group has access
|
||||||
create_filter_check_admin = x:
|
create_filter_check_admin = x:
|
||||||
|
@ -27,9 +28,9 @@ in {
|
||||||
imports = [];
|
imports = [];
|
||||||
|
|
||||||
# give users access to this server
|
# give users access to this server
|
||||||
#services.skynet_ldap_client.groups = ["skynet-users-linux"];
|
#services.skynet.ldap_client.groups = ["skynet-users-linux"];
|
||||||
|
|
||||||
options.services.skynet_ldap_client = {
|
options.services.skynet."${name}" = {
|
||||||
# options that need to be passed in to make this work
|
# options that need to be passed in to make this work
|
||||||
|
|
||||||
enable = mkEnableOption "Skynet LDAP client";
|
enable = mkEnableOption "Skynet LDAP client";
|
||||||
|
|
|
@ -9,32 +9,19 @@ Gonna use a priper nixos module for this
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
cfg = config.services.skynet_ldap;
|
name = "ldap";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
|
domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
|
||||||
in {
|
in {
|
||||||
# these are needed for teh program in question
|
# these are needed for teh program in question
|
||||||
imports = [
|
imports = [
|
||||||
../acme.nix
|
|
||||||
../dns.nix
|
|
||||||
../nginx.nix
|
|
||||||
./backend.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
options.services.skynet_ldap = {
|
options.services.skynet."${name}" = {
|
||||||
# options that need to be passed in to make this work
|
# options that need to be passed in to make this work
|
||||||
|
|
||||||
enable = mkEnableOption "Skynet LDAP service";
|
enable = mkEnableOption "Skynet LDAP service";
|
||||||
|
|
||||||
host = {
|
|
||||||
ip = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
|
|
||||||
name = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
domain = {
|
domain = {
|
||||||
tld = mkOption {
|
tld = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
@ -64,13 +51,6 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
# passthrough to the backend
|
|
||||||
services.ldap_backend = {
|
|
||||||
enable = true;
|
|
||||||
host.ip = cfg.host.ip;
|
|
||||||
host.name = cfg.host.name;
|
|
||||||
};
|
|
||||||
|
|
||||||
# after changing teh password openldap.service has to be restarted
|
# after changing teh password openldap.service has to be restarted
|
||||||
age.secrets.ldap_pw = {
|
age.secrets.ldap_pw = {
|
||||||
file = ../../secrets/ldap/pw.age;
|
file = ../../secrets/ldap/pw.age;
|
||||||
|
@ -79,15 +59,15 @@ in {
|
||||||
group = "openldap";
|
group = "openldap";
|
||||||
};
|
};
|
||||||
|
|
||||||
skynet_acme.domains = [
|
services.skynet.acme.domains = [
|
||||||
domain
|
domain
|
||||||
];
|
];
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet.dns.records = [
|
||||||
{
|
{
|
||||||
record = cfg.domain.sub;
|
record = cfg.domain.sub;
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = cfg.host.name;
|
value = config.services.skynet.host.name;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
|
@ -5,28 +5,16 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
cfg = config.services.skynet_nextcloud;
|
name = "nextcloud";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
|
domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
./acme.nix
|
|
||||||
./dns.nix
|
|
||||||
./nginx.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
options.services.skynet_nextcloud = {
|
options.services.skynet."${name}" = {
|
||||||
enable = mkEnableOption "Skynet Nextcloud";
|
enable = mkEnableOption "Skynet Nextcloud";
|
||||||
|
|
||||||
host = {
|
|
||||||
ip = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
|
|
||||||
name = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
domain = {
|
domain = {
|
||||||
tld = mkOption {
|
tld = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
@ -40,7 +28,7 @@ in {
|
||||||
|
|
||||||
sub = mkOption {
|
sub = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "nextcloud";
|
default = name;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -54,29 +42,35 @@ in {
|
||||||
group = "nextcloud";
|
group = "nextcloud";
|
||||||
};
|
};
|
||||||
|
|
||||||
skynet_acme.domains = [
|
services.skynet.acme.domains = [
|
||||||
domain
|
domain
|
||||||
"onlyoffice.${domain}"
|
"onlyoffice.${domain}"
|
||||||
|
"whiteboard.${domain}"
|
||||||
];
|
];
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet.dns.records = [
|
||||||
{
|
{
|
||||||
record = cfg.domain.sub;
|
record = cfg.domain.sub;
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = cfg.host.name;
|
value = config.services.skynet.host.name;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
record = "onlyoffice.${cfg.domain.sub}";
|
record = "onlyoffice.${cfg.domain.sub}";
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = cfg.host.name;
|
value = config.services.skynet.host.name;
|
||||||
}
|
}
|
||||||
|
# {
|
||||||
|
# record = "whiteboard.${cfg.domain.sub}";
|
||||||
|
# r_type = "CNAME";
|
||||||
|
# value = config.services.skynet.host.name;
|
||||||
|
# }
|
||||||
];
|
];
|
||||||
|
|
||||||
# /var/lib/nextcloud/data
|
# /var/lib/nextcloud/data
|
||||||
|
|
||||||
services.nextcloud = {
|
services.nextcloud = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.nextcloud28;
|
package = pkgs.nextcloud30;
|
||||||
hostName = domain;
|
hostName = domain;
|
||||||
https = true;
|
https = true;
|
||||||
|
|
||||||
|
@ -90,8 +84,8 @@ in {
|
||||||
|
|
||||||
appstoreEnable = true;
|
appstoreEnable = true;
|
||||||
|
|
||||||
extraApps = with config.services.nextcloud.package.packages.apps; {
|
extraApps = {
|
||||||
inherit forms groupfolders maps notes onlyoffice polls;
|
inherit (config.services.nextcloud.package.packages.apps) richdocuments;
|
||||||
};
|
};
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
|
@ -102,17 +96,23 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# environment.etc."nextcloud-whiteboard-secret".text = ''
|
||||||
|
# JWT_SECRET_KEY=test123
|
||||||
|
# '';
|
||||||
|
#
|
||||||
|
# services.nextcloud-whiteboard-server = {
|
||||||
|
# enable = true;
|
||||||
|
# settings.NEXTCLOUD_URL = "https://nextcloud.skynet.ie";
|
||||||
|
# secrets = ["/etc/nextcloud-whiteboard-secret"];
|
||||||
|
# };
|
||||||
|
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
services.onlyoffice = {
|
# impacted by https://github.com/NixOS /nixpkgs/issues/352443
|
||||||
enable = true;
|
# services.onlyoffice = {
|
||||||
};
|
# enable = true;
|
||||||
|
# };
|
||||||
|
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"${cfg.host.ip}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
useACMEHost = "skynet";
|
|
||||||
locations."/".return = "307 https://skynet.ie";
|
|
||||||
};
|
|
||||||
${domain} = {
|
${domain} = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = "skynet";
|
useACMEHost = "skynet";
|
||||||
|
@ -122,6 +122,14 @@ in {
|
||||||
useACMEHost = "skynet";
|
useACMEHost = "skynet";
|
||||||
locations."/".proxyPass = "http://127.0.0.1:8000";
|
locations."/".proxyPass = "http://127.0.0.1:8000";
|
||||||
};
|
};
|
||||||
|
# "whiteboard.${domain}" = {
|
||||||
|
# forceSSL = true;
|
||||||
|
# useACMEHost = "skynet";
|
||||||
|
# locations."/" = {
|
||||||
|
# proxyPass = "http://localhost:3002";
|
||||||
|
# proxyWebsockets = true;
|
||||||
|
# };
|
||||||
|
# };
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,8 +9,6 @@
|
||||||
recommendedGzipSettings = true;
|
recommendedGzipSettings = true;
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
|
|
||||||
statusPage = true;
|
|
||||||
|
|
||||||
# give Nginx access to our certs
|
# give Nginx access to our certs
|
||||||
group = "acme";
|
group = "acme";
|
||||||
};
|
};
|
||||||
|
|
98
applications/nix_cache/nix_cache.nix
Normal file
98
applications/nix_cache/nix_cache.nix
Normal file
|
@ -0,0 +1,98 @@
|
||||||
|
/*
|
||||||
|
A nix cache for our use
|
||||||
|
|
||||||
|
|
||||||
|
atticd-atticadm make-token --sub "admin_username" --validity "10y" --pull "*" --push "*" --create-cache "*" --delete "*" --configure-cache "*" --configure-cache-retention "*" --destroy-cache "*"
|
||||||
|
|
||||||
|
# for the gitlab runner, done eyarly
|
||||||
|
atticd-atticadm make-token --sub "wheatly-runner" --validity "1y" --pull "skynet-cache" --push "skynet-cache"
|
||||||
|
|
||||||
|
|
||||||
|
Documentation:
|
||||||
|
https://docs.attic.rs/introduction.html
|
||||||
|
*/
|
||||||
|
{
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
with lib; let
|
||||||
|
name = "nix-cache";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
];
|
||||||
|
|
||||||
|
options.services.skynet."${name}" = {
|
||||||
|
enable = mkEnableOption "Skynet Nix Cache";
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
services.skynet.acme.domains = [
|
||||||
|
"${name}.skynet.ie"
|
||||||
|
];
|
||||||
|
|
||||||
|
services.skynet.dns.records = [
|
||||||
|
{
|
||||||
|
record = "${name}";
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = config.services.skynet.host.name;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
users.groups."nix-serve" = {};
|
||||||
|
users.users."nix-serve" = {
|
||||||
|
isSystemUser = true;
|
||||||
|
group = "nix-serve";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.atticd = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
# Replace with absolute path to your credentials file
|
||||||
|
environmentFile = "/etc/atticd.env";
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
listen = "127.0.0.1:8080";
|
||||||
|
|
||||||
|
# Data chunking
|
||||||
|
#
|
||||||
|
# Warning: If you change any of the values here, it will be
|
||||||
|
# difficult to reuse existing chunks for newly-uploaded NARs
|
||||||
|
# since the cutpoints will be different. As a result, the
|
||||||
|
# deduplication ratio will suffer for a while after the change.
|
||||||
|
chunking = {
|
||||||
|
# The minimum NAR size to trigger chunking
|
||||||
|
#
|
||||||
|
# If 0, chunking is disabled entirely for newly-uploaded NARs.
|
||||||
|
# If 1, all NARs are chunked.
|
||||||
|
nar-size-threshold = 64 * 1024; # 64 KiB
|
||||||
|
|
||||||
|
# The preferred minimum size of a chunk, in bytes
|
||||||
|
min-size = 16 * 1024; # 16 KiB
|
||||||
|
|
||||||
|
# The preferred average size of a chunk, in bytes
|
||||||
|
avg-size = 64 * 1024; # 64 KiB
|
||||||
|
|
||||||
|
# The preferred maximum size of a chunk, in bytes
|
||||||
|
max-size = 256 * 1024; # 256 KiB
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.firewall.allowedTCPPorts = [80 443];
|
||||||
|
services.nginx = {
|
||||||
|
clientMaxBodySize = "500m";
|
||||||
|
virtualHosts = {
|
||||||
|
"${name}.skynet.ie" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "skynet";
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:8080";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
17
applications/open_governance/README.md
Normal file
17
applications/open_governance/README.md
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
# Open Governance
|
||||||
|
|
||||||
|
Started by DCU this is an initiative to make the running of (computer) societies more open and resilient.
|
||||||
|
The goal is to back these up in multiple locations.
|
||||||
|
|
||||||
|
|
||||||
|
| Uni | Tag | Repo | Notes |
|
||||||
|
|-----|----------|----------------------------------------------------------|-------|
|
||||||
|
| DCU | redbrick | https://github.com/redbrick/open-governance | |
|
||||||
|
| UL | skynet | https://gitlab.skynet.ie/compsoc1/compsoc/open-goverance | |
|
||||||
|
| | | | |
|
||||||
|
|
||||||
|
|
||||||
|
## Keys
|
||||||
|
We host our own keyserver: https://keyserver.skynet.ie
|
||||||
|
Use it in commands like so:
|
||||||
|
``gpg --keyserver hkp://keyserver.skynet.ie:80 --send-key KEY_ID``
|
62
applications/open_governance/keyserver.nix
Normal file
62
applications/open_governance/keyserver.nix
Normal file
|
@ -0,0 +1,62 @@
|
||||||
|
/*
|
||||||
|
This file is for hosting teh open governance for other societies
|
||||||
|
*/
|
||||||
|
{
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
with lib; let
|
||||||
|
name = "keyserver";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
port = 11371;
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
];
|
||||||
|
|
||||||
|
options.services.skynet."${name}" = {
|
||||||
|
enable = mkEnableOption "Skynet Public Keyserver";
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
services.skynet.acme.domains = [
|
||||||
|
"${name}.skynet.ie"
|
||||||
|
];
|
||||||
|
|
||||||
|
services.skynet.dns.records = [
|
||||||
|
{
|
||||||
|
record = "${name}";
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = config.services.skynet.host.name;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
services.hockeypuck = {
|
||||||
|
enable = true;
|
||||||
|
port = port;
|
||||||
|
};
|
||||||
|
|
||||||
|
# hockeypuck needs a database backend
|
||||||
|
services.postgresql = {
|
||||||
|
enable = true;
|
||||||
|
ensureDatabases = ["hockeypuck"];
|
||||||
|
ensureUsers = [
|
||||||
|
{
|
||||||
|
name = "hockeypuck";
|
||||||
|
ensureDBOwnership = true;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts = {
|
||||||
|
"${name}.skynet.ie" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "skynet";
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://localhost:${toString port}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
61
applications/open_governance/open_governance.nix
Normal file
61
applications/open_governance/open_governance.nix
Normal file
|
@ -0,0 +1,61 @@
|
||||||
|
/*
|
||||||
|
This file is for hosting teh open governance for other societies
|
||||||
|
*/
|
||||||
|
{
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
with lib; let
|
||||||
|
# - instead of _ for dns reasons
|
||||||
|
name = "open-governance";
|
||||||
|
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
folder = "/var/skynet/${name}";
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
];
|
||||||
|
|
||||||
|
options.services.skynet."${name}" = {
|
||||||
|
enable = mkEnableOption "Skynet Open Governance";
|
||||||
|
};
|
||||||
|
|
||||||
|
config = {
|
||||||
|
services.skynet.acme.domains = [
|
||||||
|
"${name}.skynet.ie"
|
||||||
|
];
|
||||||
|
|
||||||
|
services.skynet.dns.records = [
|
||||||
|
{
|
||||||
|
record = "${name}";
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = config.services.skynet.host.name;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
# create a folder to store the archives
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d ${folder} 0755 ${config.services.nginx.user} ${config.services.nginx.group}"
|
||||||
|
"L+ ${folder}/README.md - - - - ${./README.md}"
|
||||||
|
];
|
||||||
|
|
||||||
|
services.nginx.virtualHosts = {
|
||||||
|
"${name}.skynet.ie" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "skynet";
|
||||||
|
root = folder;
|
||||||
|
locations = {
|
||||||
|
"/".extraConfig = "autoindex on;";
|
||||||
|
|
||||||
|
# show md files as plain text
|
||||||
|
"~ \.md".extraConfig = ''
|
||||||
|
types {
|
||||||
|
text/plain md;
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
95
applications/prometheus.nix
Normal file
95
applications/prometheus.nix
Normal file
|
@ -0,0 +1,95 @@
|
||||||
|
{
|
||||||
|
nodes,
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
with lib; let
|
||||||
|
name = "prometheus";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
|
||||||
|
# dont have to worry about any external addresses for this
|
||||||
|
# create a list of either "ip@port" or ""
|
||||||
|
# the ""s then get filtered out by filter_empty
|
||||||
|
exporters = {
|
||||||
|
dns = (
|
||||||
|
lib.attrsets.mapAttrsToList (
|
||||||
|
key: value:
|
||||||
|
if value.config.services.skynet.dns.server.enable
|
||||||
|
then "${value.config.deployment.targetHost}:${toString value.config.services.prometheus.exporters.bind.port}"
|
||||||
|
else ""
|
||||||
|
)
|
||||||
|
nodes
|
||||||
|
);
|
||||||
|
node = lib.attrsets.mapAttrsToList (key: value: "${value.config.deployment.targetHost}:${toString value.config.services.prometheus.exporters.node.port}") nodes;
|
||||||
|
};
|
||||||
|
|
||||||
|
# clears any invalid entries
|
||||||
|
filter_empty = inputs: (builtins.filter (value: value != "") inputs);
|
||||||
|
in {
|
||||||
|
imports = [];
|
||||||
|
|
||||||
|
options.services.skynet."${name}" = {
|
||||||
|
server = {
|
||||||
|
enable = mkEnableOption "Prometheus Server";
|
||||||
|
|
||||||
|
port = mkOption {
|
||||||
|
type = types.port;
|
||||||
|
default = 9001;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
external = {
|
||||||
|
node = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
default = [];
|
||||||
|
description = ''
|
||||||
|
To add other nodes outside of nix, specify ip and port that server should listen to here
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
ports = {
|
||||||
|
node = mkOption {
|
||||||
|
type = types.port;
|
||||||
|
default = 9100;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkMerge [
|
||||||
|
{
|
||||||
|
services.prometheus.exporters.node = {
|
||||||
|
enable = true;
|
||||||
|
port = cfg.ports.node;
|
||||||
|
openFirewall = true;
|
||||||
|
# most collectors are on by default see https://github.com/prometheus/node_exporter for more options
|
||||||
|
enabledCollectors = ["systemd" "processes"];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
(mkIf cfg.server.enable {
|
||||||
|
services.prometheus = {
|
||||||
|
enable = true;
|
||||||
|
port = cfg.server.port;
|
||||||
|
scrapeConfigs = [
|
||||||
|
{
|
||||||
|
job_name = "node_exporter";
|
||||||
|
static_configs = [
|
||||||
|
{
|
||||||
|
targets = filter_empty (exporters.node ++ cfg.external.node);
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
job_name = "bind";
|
||||||
|
static_configs = [
|
||||||
|
{
|
||||||
|
targets = filter_empty exporters.dns;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
})
|
||||||
|
];
|
||||||
|
}
|
|
@ -12,19 +12,19 @@ with lib; {
|
||||||
enable = mkOption {
|
enable = mkOption {
|
||||||
default = true;
|
default = true;
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
description = lib.mdDoc "Whether to enable the ProxmoxLXC.";
|
description = lib.mdDoc "Whether to enable the Proxmox VE LXC module.";
|
||||||
};
|
};
|
||||||
privileged = mkOption {
|
privileged = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = lib.mdDoc ''
|
description = ''
|
||||||
Whether to enable privileged mounts
|
Whether to enable privileged mounts
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
manageNetwork = mkOption {
|
manageNetwork = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = lib.mdDoc ''
|
description = ''
|
||||||
Whether to manage network interfaces through nix options
|
Whether to manage network interfaces through nix options
|
||||||
When false, systemd-networkd is enabled to accept network
|
When false, systemd-networkd is enabled to accept network
|
||||||
configuration from proxmox.
|
configuration from proxmox.
|
||||||
|
@ -33,7 +33,7 @@ with lib; {
|
||||||
manageHostName = mkOption {
|
manageHostName = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = lib.mdDoc ''
|
description = ''
|
||||||
Whether to manage hostname through nix options
|
Whether to manage hostname through nix options
|
||||||
When false, the hostname is picked up from /etc/hostname
|
When false, the hostname is picked up from /etc/hostname
|
||||||
populated by proxmox.
|
populated by proxmox.
|
||||||
|
@ -68,6 +68,8 @@ with lib; {
|
||||||
loader.initScript.enable = true;
|
loader.initScript.enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
console.enable = true;
|
||||||
|
|
||||||
networking = mkIf (!cfg.manageNetwork) {
|
networking = mkIf (!cfg.manageNetwork) {
|
||||||
useDHCP = false;
|
useDHCP = false;
|
||||||
useHostResolvConf = false;
|
useHostResolvConf = false;
|
||||||
|
@ -81,13 +83,14 @@ with lib; {
|
||||||
startWhenNeeded = mkDefault true;
|
startWhenNeeded = mkDefault true;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.mounts =
|
systemd = {
|
||||||
mkIf (!cfg.privileged)
|
mounts = mkIf (!cfg.privileged) [
|
||||||
[
|
|
||||||
{
|
{
|
||||||
where = "/sys/kernel/debug";
|
|
||||||
enable = false;
|
enable = false;
|
||||||
|
where = "/sys/kernel/debug";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
services."getty@".unitConfig.ConditionPathExists = ["" "/dev/%I"];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -7,7 +7,8 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
cfg = config.services.skynet_backup;
|
name = "backup";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
|
||||||
enable_client = cfg.normal.backups != null && cfg.normal.backups != [];
|
enable_client = cfg.normal.backups != null && cfg.normal.backups != [];
|
||||||
|
|
||||||
|
@ -37,22 +38,24 @@ with lib; let
|
||||||
ownServers = builtins.listToAttrs (builtins.concatLists (
|
ownServers = builtins.listToAttrs (builtins.concatLists (
|
||||||
lib.attrsets.mapAttrsToList (
|
lib.attrsets.mapAttrsToList (
|
||||||
key: value: let
|
key: value: let
|
||||||
backup = value.config.services.skynet_backup;
|
backup = value.config.services.skynet.backup;
|
||||||
|
backup_host = value.config.services.skynet.host;
|
||||||
in
|
in
|
||||||
if
|
if
|
||||||
(
|
(
|
||||||
(builtins.hasAttr "skynet_backup" value.config.services)
|
(builtins.hasAttr "backup" value.config.services.skynet)
|
||||||
&& backup.server.enable
|
&& backup.server.enable
|
||||||
&& backup.host.name != cfg.host.name
|
# chgeck that its not itself
|
||||||
|
&& backup_host.name != config.services.skynet.host.name
|
||||||
&& !backup.server.appendOnly
|
&& !backup.server.appendOnly
|
||||||
)
|
)
|
||||||
then [
|
then [
|
||||||
{
|
{
|
||||||
name = backup.host.name;
|
name = backup_host.name;
|
||||||
value =
|
value =
|
||||||
base
|
base
|
||||||
// {
|
// {
|
||||||
repositoryFile = "/etc/skynet/restic/${backup.host.name}";
|
repositoryFile = "/etc/skynet/restic/${backup_host.name}";
|
||||||
|
|
||||||
backupPrepareCommand = ''
|
backupPrepareCommand = ''
|
||||||
#!${pkgs.stdenv.shell}
|
#!${pkgs.stdenv.shell}
|
||||||
|
@ -63,13 +66,13 @@ with lib; let
|
||||||
mkdir -p $baseDir
|
mkdir -p $baseDir
|
||||||
cd $baseDir
|
cd $baseDir
|
||||||
|
|
||||||
echo -n "rest:http://root:password@${backup.host.ip}:${toString backup.server.port}/root/${cfg.host.name}" > ${backup.host.name}
|
echo -n "rest:http://root:password@${backup_host.ip}:${toString backup.server.port}/root/${config.services.skynet.host.name}" > ${backup_host.name}
|
||||||
|
|
||||||
# read in teh password
|
# read in teh password
|
||||||
#PW = `cat ${config.age.secrets.restic.path}`
|
#PW = `cat ${config.age.secrets.restic.path}`
|
||||||
line=$(head -n 1 ${config.age.secrets.restic.path})
|
line=$(head -n 1 ${config.age.secrets.restic.path})
|
||||||
|
|
||||||
sed -i "s/password/$line/g" ${backup.host.name}
|
sed -i "s/password/$line/g" ${backup_host.name}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -85,9 +88,8 @@ in {
|
||||||
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
|
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
|
||||||
# https://git.hrnz.li/Ulli/nixos/src/commit/5edca2dfdab3ce52208e4dfd2b92951e500f8418/profiles/server/restic.nix
|
# https://git.hrnz.li/Ulli/nixos/src/commit/5edca2dfdab3ce52208e4dfd2b92951e500f8418/profiles/server/restic.nix
|
||||||
# will eb enabled on every server
|
# will eb enabled on every server
|
||||||
options.services.skynet_backup = {
|
options.services.skynet."${name}" = {
|
||||||
# backup is enabled by default
|
enable = mkEnableOption "Skynet backup";
|
||||||
# enable = mkEnableOption "Skynet backup";
|
|
||||||
|
|
||||||
# what folders to backup
|
# what folders to backup
|
||||||
normal = {
|
normal = {
|
||||||
|
@ -127,16 +129,6 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
host = {
|
|
||||||
ip = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
|
|
||||||
name = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
server = {
|
server = {
|
||||||
enable = mkEnableOption "Skynet backup Server";
|
enable = mkEnableOption "Skynet backup Server";
|
||||||
|
|
||||||
|
@ -152,14 +144,15 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config =
|
config = mkMerge [
|
||||||
{
|
{
|
||||||
# these values are anabled for every client
|
# these values are anabled for every client
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
restic
|
restic
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
// mkIf cfg.server.enable {
|
|
||||||
|
(mkIf cfg.server.enable {
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
cfg.server.port
|
cfg.server.port
|
||||||
];
|
];
|
||||||
|
@ -175,12 +168,13 @@ in {
|
||||||
|
|
||||||
services.restic.server = {
|
services.restic.server = {
|
||||||
enable = true;
|
enable = true;
|
||||||
listenAddress = "${cfg.host.ip}:${toString cfg.server.port}";
|
listenAddress = "${config.services.skynet.host.ip}:${toString cfg.server.port}";
|
||||||
appendOnly = cfg.server.appendOnly;
|
appendOnly = cfg.server.appendOnly;
|
||||||
privateRepos = true;
|
privateRepos = true;
|
||||||
};
|
};
|
||||||
}
|
})
|
||||||
// mkIf enable_client {
|
|
||||||
|
(mkIf enable_client {
|
||||||
# client stuff here
|
# client stuff here
|
||||||
|
|
||||||
# A list of all login accounts. To create the password hashes, use
|
# A list of all login accounts. To create the password hashes, use
|
||||||
|
@ -189,15 +183,17 @@ in {
|
||||||
|
|
||||||
age.secrets.restic.file = ../secrets/backup/restic.age;
|
age.secrets.restic.file = ../secrets/backup/restic.age;
|
||||||
|
|
||||||
services.restic.backups =
|
services.restic.backups = mkMerge [
|
||||||
ownServers
|
ownServers
|
||||||
// {
|
{
|
||||||
# merge teh two configs together
|
# merge teh two configs together
|
||||||
# backblaze = base // {
|
# backblaze = base // {
|
||||||
# # backupos for each server are stored in a folder under their name
|
# # backupos for each server are stored in a folder under their name
|
||||||
# repository = "b2:NixOS-Main2:/${cfg.host.name}";
|
# repository = "b2:NixOS-Main2:/${config.services.skynet.host.name}";
|
||||||
# #environmentFile = config.age.secrets.backblaze.path;
|
# #environmentFile = config.age.secrets.backblaze.path;
|
||||||
# };
|
# };
|
||||||
};
|
}
|
||||||
};
|
];
|
||||||
|
})
|
||||||
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,108 +0,0 @@
|
||||||
{
|
|
||||||
config,
|
|
||||||
pkgs,
|
|
||||||
lib,
|
|
||||||
inputs,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
with lib; let
|
|
||||||
cfg = config.services.skynet;
|
|
||||||
in {
|
|
||||||
imports = [
|
|
||||||
./acme.nix
|
|
||||||
./dns.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
options.services.skynet = {
|
|
||||||
host = {
|
|
||||||
ip = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
name = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = {
|
|
||||||
skynet_acme.domains = [
|
|
||||||
# the root one is already covered by teh certificate
|
|
||||||
"2016.skynet.ie"
|
|
||||||
"discord.skynet.ie"
|
|
||||||
"public.skynet.ie"
|
|
||||||
"renew.skynet.ie"
|
|
||||||
];
|
|
||||||
|
|
||||||
skynet_dns.records = [
|
|
||||||
# means root domain, so skynet.ie
|
|
||||||
{
|
|
||||||
record = "@";
|
|
||||||
r_type = "A";
|
|
||||||
value = cfg.host.ip;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = "2016";
|
|
||||||
r_type = "CNAME";
|
|
||||||
value = cfg.host.name;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = "discord";
|
|
||||||
r_type = "CNAME";
|
|
||||||
value = cfg.host.name;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = "public";
|
|
||||||
r_type = "CNAME";
|
|
||||||
value = cfg.host.name;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = "renew";
|
|
||||||
r_type = "CNAME";
|
|
||||||
value = cfg.host.name;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [80 443];
|
|
||||||
services.nginx = {
|
|
||||||
enable = true;
|
|
||||||
group = "acme";
|
|
||||||
|
|
||||||
virtualHosts = {
|
|
||||||
# main site
|
|
||||||
"skynet.ie" = {
|
|
||||||
forceSSL = true;
|
|
||||||
useACMEHost = "skynet";
|
|
||||||
root = "${inputs.skynet_website.defaultPackage."x86_64-linux"}";
|
|
||||||
};
|
|
||||||
|
|
||||||
# archive of teh site as it was ~2012 to 2016
|
|
||||||
"2016.skynet.ie" = {
|
|
||||||
forceSSL = true;
|
|
||||||
useACMEHost = "skynet";
|
|
||||||
root = "${inputs.skynet_website_2016.defaultPackage."x86_64-linux"}";
|
|
||||||
};
|
|
||||||
|
|
||||||
# a custom discord url, because we are too cheap otehrwise
|
|
||||||
"discord.skynet.ie" = {
|
|
||||||
forceSSL = true;
|
|
||||||
useACMEHost = "skynet";
|
|
||||||
locations."/".return = "307 https://discord.gg/mkuKJkCuyM";
|
|
||||||
};
|
|
||||||
|
|
||||||
"public.skynet.ie" = {
|
|
||||||
forceSSL = true;
|
|
||||||
useACMEHost = "skynet";
|
|
||||||
root = "${inputs.compsoc_public.packages.x86_64-linux.default}";
|
|
||||||
locations."/".extraConfig = "autoindex on;";
|
|
||||||
};
|
|
||||||
|
|
||||||
# for alumni members to renew their account
|
|
||||||
"renew.skynet.ie" = {
|
|
||||||
forceSSL = true;
|
|
||||||
useACMEHost = "skynet";
|
|
||||||
root = "${inputs.skynet_website_renew.defaultPackage."x86_64-linux"}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
34
applications/skynet.ie/old_site.nix
Normal file
34
applications/skynet.ie/old_site.nix
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
{year}: {
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
inputs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
with lib; {
|
||||||
|
imports = [];
|
||||||
|
|
||||||
|
config = {
|
||||||
|
services.skynet.acme.domains = [
|
||||||
|
"${year}.skynet.ie"
|
||||||
|
];
|
||||||
|
|
||||||
|
services.skynet.dns.records = [
|
||||||
|
{
|
||||||
|
record = year;
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = config.services.skynet.host.name;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
virtualHosts = {
|
||||||
|
"${year}.skynet.ie" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "skynet";
|
||||||
|
root = "${inputs."skynet_website_${year}".defaultPackage."x86_64-linux"}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
82
applications/skynet.ie/skynet.ie.nix
Normal file
82
applications/skynet.ie/skynet.ie.nix
Normal file
|
@ -0,0 +1,82 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
inputs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
with lib; let
|
||||||
|
name = "website";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
# import in past website versions, available at $year.skynet.ie
|
||||||
|
# at teh end of teh year add it here
|
||||||
|
(import ./old_site.nix {year = "2023";})
|
||||||
|
(import ./old_site.nix {year = "2017";})
|
||||||
|
(import ./old_site.nix {year = "2009";})
|
||||||
|
];
|
||||||
|
|
||||||
|
options.services.skynet."${name}" = {
|
||||||
|
enable = mkEnableOption "Skynet Main Website";
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
services.skynet.acme.domains = [
|
||||||
|
"discord.skynet.ie"
|
||||||
|
"public.skynet.ie"
|
||||||
|
];
|
||||||
|
|
||||||
|
services.skynet.dns.records = [
|
||||||
|
# means root domain, so skynet.ie
|
||||||
|
{
|
||||||
|
record = "@";
|
||||||
|
r_type = "A";
|
||||||
|
value = config.services.skynet.host.ip;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
record = "discord";
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = config.services.skynet.host.name;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
record = "public";
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = config.services.skynet.host.name;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
virtualHosts = {
|
||||||
|
# main site
|
||||||
|
"skynet.ie" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "skynet";
|
||||||
|
locations = {
|
||||||
|
"/".root = "${inputs.skynet_website.defaultPackage."x86_64-linux"}";
|
||||||
|
|
||||||
|
# this redirects old links to new format
|
||||||
|
"~* ~(?<username>[a-z_0-9]*)(?<files>\\S*)$" = {
|
||||||
|
priority = 1;
|
||||||
|
return = "307 https://$username.users.skynet.ie$files";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# a custom discord url, because we are too cheap otehrwise
|
||||||
|
"discord.skynet.ie" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "skynet";
|
||||||
|
locations."/".return = "307 https://discord.gg/mkuKJkCuyM";
|
||||||
|
};
|
||||||
|
|
||||||
|
"public.skynet.ie" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "skynet";
|
||||||
|
root = "${inputs.compsoc_public.packages.x86_64-linux.default}";
|
||||||
|
locations."/".extraConfig = "autoindex on;";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
64
applications/skynet.ie/wiki.nix
Normal file
64
applications/skynet.ie/wiki.nix
Normal file
|
@ -0,0 +1,64 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
inputs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
with lib; let
|
||||||
|
name = "wiki";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
];
|
||||||
|
|
||||||
|
options.services.skynet."${name}" = {
|
||||||
|
enable = mkEnableOption "Skynet Wiki";
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
services.skynet.acme.domains = [
|
||||||
|
"renew.skynet.ie"
|
||||||
|
"wiki.skynet.ie"
|
||||||
|
];
|
||||||
|
|
||||||
|
services.skynet.dns.records = [
|
||||||
|
{
|
||||||
|
record = "renew";
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = config.services.skynet.host.name;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
record = "wiki";
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = config.services.skynet.host.name;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
virtualHosts = {
|
||||||
|
"wiki.skynet.ie" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "skynet";
|
||||||
|
root = "${inputs.skynet_website_wiki.defaultPackage."x86_64-linux"}";
|
||||||
|
# https://stackoverflow.com/a/38238001/11964934
|
||||||
|
extraConfig = ''
|
||||||
|
location / {
|
||||||
|
if ($request_uri ~ ^/(.*)\.html) {
|
||||||
|
return 302 /$1;
|
||||||
|
}
|
||||||
|
try_files $uri $uri.html $uri/ =404;
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
# redirect old links to the new wiki
|
||||||
|
"renew.skynet.ie" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "skynet";
|
||||||
|
locations."/".return = "307 https://wiki.skynet.ie";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -6,30 +6,25 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
cfg = config.services.skynet_users;
|
name = "website_users";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
|
php_pool = name;
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
./acme.nix
|
|
||||||
./dns.nix
|
|
||||||
./nginx.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
options.services.skynet_users = {
|
options.services.skynet."${name}" = {
|
||||||
host = {
|
enable = mkEnableOption "Skynet User Linux Server";
|
||||||
ip = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
name = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
# ssh access
|
# we havea more limited ports range on the skynet server
|
||||||
|
services.skynet.prometheus.ports = {
|
||||||
|
node = 9000;
|
||||||
|
};
|
||||||
|
|
||||||
# allow more than admins access
|
# allow more than admins access
|
||||||
services.skynet_ldap_client = {
|
services.skynet.ldap_client = {
|
||||||
groups = [
|
groups = [
|
||||||
"skynet-admins-linux"
|
"skynet-admins-linux"
|
||||||
"skynet-users-linux"
|
"skynet-users-linux"
|
||||||
|
@ -37,21 +32,21 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
# Website config
|
# Website config
|
||||||
skynet_acme.domains = [
|
services.skynet.acme.domains = [
|
||||||
"users.skynet.ie"
|
"users.skynet.ie"
|
||||||
"*.users.skynet.ie"
|
"*.users.skynet.ie"
|
||||||
];
|
];
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet.dns.records = [
|
||||||
{
|
{
|
||||||
record = "users";
|
record = "users";
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = cfg.host.name;
|
value = config.services.skynet.host.name;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
record = "*.users";
|
record = "*.users";
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = cfg.host.name;
|
value = config.services.skynet.host.name;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -69,14 +64,41 @@ in {
|
||||||
|
|
||||||
# normally services cannot read home dirs
|
# normally services cannot read home dirs
|
||||||
systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
|
systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
|
||||||
|
systemd.services."phpfpm-${php_pool}".serviceConfig.ProtectHome = lib.mkForce "read-only";
|
||||||
|
|
||||||
services.nginx.virtualHosts = {
|
services.phpfpm.pools.${php_pool} = {
|
||||||
"${cfg.host.ip}" = {
|
user = config.services.nginx.user;
|
||||||
forceSSL = true;
|
group = config.services.nginx.group;
|
||||||
useACMEHost = "skynet";
|
settings = {
|
||||||
locations."/".return = "307 https://skynet.ie";
|
"listen.owner" = config.services.nginx.user;
|
||||||
|
"pm" = "dynamic";
|
||||||
|
"pm.max_children" = 32;
|
||||||
|
"pm.max_requests" = 500;
|
||||||
|
"pm.start_servers" = 2;
|
||||||
|
"pm.min_spare_servers" = 2;
|
||||||
|
"pm.max_spare_servers" = 5;
|
||||||
|
"php_admin_value[error_log]" = "stderr";
|
||||||
|
"php_admin_flag[log_errors]" = true;
|
||||||
|
"catch_workers_output" = true;
|
||||||
|
};
|
||||||
|
phpEnv."PATH" = lib.makeBinPath [pkgs.php];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts = {
|
||||||
|
"outinul.ie" = {
|
||||||
|
forceSSL = true;
|
||||||
|
enableACME = true;
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
alias = "/home/outinul/public_html/";
|
||||||
|
index = "index.html";
|
||||||
|
extraConfig = ''
|
||||||
|
autoindex on;
|
||||||
|
'';
|
||||||
|
tryFiles = "$uri$args $uri$args/ /index.html";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
# main site
|
# main site
|
||||||
"*.users.skynet.ie" = {
|
"*.users.skynet.ie" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
|
@ -88,12 +110,28 @@ in {
|
||||||
# chmod 711 ~
|
# chmod 711 ~
|
||||||
# chmod -R 755 ~/public_html
|
# chmod -R 755 ~/public_html
|
||||||
|
|
||||||
locations."/" = {
|
locations = {
|
||||||
|
"/" = {
|
||||||
alias = "/home/$user/public_html/";
|
alias = "/home/$user/public_html/";
|
||||||
index = "index.html";
|
index = "index.html";
|
||||||
extraConfig = "autoindex on;";
|
extraConfig = ''
|
||||||
|
autoindex on;
|
||||||
|
'';
|
||||||
tryFiles = "$uri$args $uri$args/ /index.html";
|
tryFiles = "$uri$args $uri$args/ /index.html";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
"~ ^(.+\\.php)(.*)$" = {
|
||||||
|
root = "/home/$user/public_html/";
|
||||||
|
index = "index.php";
|
||||||
|
extraConfig = ''
|
||||||
|
autoindex on;
|
||||||
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||||
|
fastcgi_pass unix:${config.services.phpfpm.pools.${php_pool}.socket};
|
||||||
|
include ${pkgs.nginx}/conf/fastcgi.conf;
|
||||||
|
'';
|
||||||
|
tryFiles = "$uri$args $uri$args/ /index.php";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -5,28 +5,15 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
cfg = config.services.skynet_ulfm;
|
name = "ulfm";
|
||||||
|
cfg = config.services.skynet."${name}";
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
./acme.nix
|
|
||||||
./dns.nix
|
|
||||||
./firewall.nix
|
|
||||||
./nginx.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
options.services.skynet_ulfm = {
|
options.services.skynet."${name}" = {
|
||||||
enable = mkEnableOption "ULFM service";
|
enable = mkEnableOption "ULFM service";
|
||||||
|
|
||||||
host = {
|
|
||||||
ip = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
|
|
||||||
name = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
domain = {
|
domain = {
|
||||||
tld = mkOption {
|
tld = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
@ -53,22 +40,22 @@ in {
|
||||||
8000
|
8000
|
||||||
];
|
];
|
||||||
|
|
||||||
skynet_acme.domains = [
|
services.skynet.acme.domains = [
|
||||||
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
|
||||||
];
|
];
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet.dns.records = [
|
||||||
{
|
{
|
||||||
record = cfg.domain.sub;
|
record = cfg.domain.sub;
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = cfg.host.name;
|
value = config.services.skynet.host.name;
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
skynet_firewall.forward = [
|
skynet_firewall.forward = [
|
||||||
"ip daddr ${cfg.host.ip} tcp dport 80 counter packets 0 bytes 0 accept"
|
"ip daddr ${config.services.skynet.host.ip} tcp dport 80 counter packets 0 bytes 0 accept"
|
||||||
"ip daddr ${cfg.host.ip} tcp dport 443 counter packets 0 bytes 0 accept"
|
"ip daddr ${config.services.skynet.host.ip} tcp dport 443 counter packets 0 bytes 0 accept"
|
||||||
"ip daddr ${cfg.host.ip} tcp dport 8000 counter packets 0 bytes 0 accept"
|
"ip daddr ${config.services.skynet.host.ip} tcp dport 8000 counter packets 0 bytes 0 accept"
|
||||||
];
|
];
|
||||||
|
|
||||||
users.groups."icecast" = {};
|
users.groups."icecast" = {};
|
||||||
|
@ -94,20 +81,12 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
|
||||||
group = "acme";
|
|
||||||
|
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
|
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = "skynet";
|
useACMEHost = "skynet";
|
||||||
locations."/".proxyPass = "http://localhost:8000";
|
locations."/".proxyPass = "http://localhost:8000";
|
||||||
};
|
};
|
||||||
"${cfg.host.ip}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
useACMEHost = "skynet";
|
|
||||||
locations."/".return = "307 https://skynet.ie";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
103
config/dns.nix
103
config/dns.nix
|
@ -1,37 +1,26 @@
|
||||||
{lib, ...}: {
|
{lib, ...}: {
|
||||||
imports = [
|
imports = [
|
||||||
# Paths to other modules.
|
|
||||||
# Compose this module out of smaller ones.
|
|
||||||
];
|
];
|
||||||
|
|
||||||
# this needs to mirror ../applications/dns.nix
|
|
||||||
options.skynet.records = lib.mkOption {
|
options.skynet.records = lib.mkOption {
|
||||||
description = "Records, sorted based on therir type";
|
description = "Records, sorted based on therir type";
|
||||||
type = with lib.types;
|
type = lib.types.listOf (lib.types.submodule (import ../applications/dns/options-records.nix {
|
||||||
listOf (submodule {
|
inherit lib;
|
||||||
options = {
|
}));
|
||||||
record = lib.mkOption {
|
|
||||||
type = str;
|
|
||||||
};
|
|
||||||
r_type = lib.mkOption {
|
|
||||||
type = enum ["A" "CNAME" "TXT" "PTR" "SRV" "MX"];
|
|
||||||
};
|
|
||||||
value = lib.mkOption {
|
|
||||||
type = str;
|
|
||||||
};
|
|
||||||
server = lib.mkOption {
|
|
||||||
description = "Core record for a server";
|
|
||||||
type = bool;
|
|
||||||
default = false;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
});
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
skynet.records = [
|
skynet.records =
|
||||||
|
[
|
||||||
|
# wifi in server room
|
||||||
{
|
{
|
||||||
record = "optimus-reborn";
|
record = "ash";
|
||||||
|
r_type = "A";
|
||||||
|
value = "193.1.99.114";
|
||||||
|
server = true;
|
||||||
|
}
|
||||||
|
{
|
||||||
|
record = "optimus";
|
||||||
r_type = "A";
|
r_type = "A";
|
||||||
value = "193.1.99.90";
|
value = "193.1.99.90";
|
||||||
server = true;
|
server = true;
|
||||||
|
@ -39,7 +28,7 @@
|
||||||
{
|
{
|
||||||
record = "panel.games";
|
record = "panel.games";
|
||||||
r_type = "CNAME";
|
r_type = "CNAME";
|
||||||
value = "optimus-reborn";
|
value = "optimus";
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
record = "bumblebee";
|
record = "bumblebee";
|
||||||
|
@ -55,7 +44,69 @@
|
||||||
{
|
{
|
||||||
record = "_minecraft._tcp.minecraft.compsoc.games.skynet.ie.";
|
record = "_minecraft._tcp.minecraft.compsoc.games.skynet.ie.";
|
||||||
r_type = "SRV";
|
r_type = "SRV";
|
||||||
value = "0 10 25518 minecraft.compsoc.games.skynet.ie.";
|
value = "0 10 25518 bumblebee.skynet.ie.";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
record = "minecraft-classic.compsoc.games";
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = "bumblebee";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
record = "_minecraft._tcp.minecraft-classic.compsoc.games.skynet.ie.";
|
||||||
|
r_type = "SRV";
|
||||||
|
value = "0 10 25518 bumblebee.skynet.ie.";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
record = "minecraft.gsoc.games";
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = "bumblebee";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
record = "_minecraft._tcp.minecraft.gsoc.games.skynet.ie.";
|
||||||
|
r_type = "SRV";
|
||||||
|
value = "0 10 25521 bumblebee.skynet.ie.";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
record = "minecraft.phildeb.games";
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = "bumblebee";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
record = "_minecraft._tcp.minecraft.phildeb.games.skynet.ie.";
|
||||||
|
r_type = "SRV";
|
||||||
|
value = "0 10 25522 bumblebee.skynet.ie.";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
record = "minecraft-aged.compsoc.games";
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = "bumblebee";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
record = "_minecraft._tcp.minecraft-aged.compsoc.games.skynet.ie.";
|
||||||
|
r_type = "SRV";
|
||||||
|
value = "0 10 25519 bumblebee.skynet.ie.";
|
||||||
|
}
|
||||||
|
]
|
||||||
|
# non skynet domains
|
||||||
|
++ [
|
||||||
|
{
|
||||||
|
domain = "conradcollins.net";
|
||||||
|
record = "www";
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = "skynet.skynet.ie.";
|
||||||
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
domain = "edelharty.net";
|
||||||
|
record = "www";
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = "skynet.skynet.ie.";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
domain = "damienconroy.com";
|
||||||
|
record = "www";
|
||||||
|
r_type = "CNAME";
|
||||||
|
value = "skynet.skynet.ie.";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,6 +1,11 @@
|
||||||
{lib, ...}:
|
{
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
...
|
||||||
|
}:
|
||||||
with lib; let
|
with lib; let
|
||||||
port_backend = "8087";
|
port_backend = "8087";
|
||||||
|
cfg = config.skynet.users;
|
||||||
in {
|
in {
|
||||||
options.skynet = {
|
options.skynet = {
|
||||||
users = {
|
users = {
|
||||||
|
@ -44,34 +49,43 @@ in {
|
||||||
|
|
||||||
config.skynet = {
|
config.skynet = {
|
||||||
users = {
|
users = {
|
||||||
committee = [
|
committee = lib.lists.unique (
|
||||||
|
# Committee - Core
|
||||||
|
[
|
||||||
"silver"
|
"silver"
|
||||||
"eoghanconlon73"
|
"eoghanconlon73"
|
||||||
"sidhiel"
|
|
||||||
"maksimsger1"
|
|
||||||
"kaiden"
|
|
||||||
"pine"
|
|
||||||
"nanda"
|
"nanda"
|
||||||
"sourabh1805"
|
"emily1999"
|
||||||
"kronsy"
|
"dgr"
|
||||||
|
]
|
||||||
|
# Committee - OCM
|
||||||
|
++ [
|
||||||
|
"sidhiel"
|
||||||
"skyapples"
|
"skyapples"
|
||||||
];
|
"eliza"
|
||||||
|
"amymucko"
|
||||||
|
"archiedms"
|
||||||
|
]
|
||||||
|
# Committee - SISTEM
|
||||||
|
++ [
|
||||||
|
"peace"
|
||||||
|
]
|
||||||
|
# Admins are part of Committee as well
|
||||||
|
++ cfg.admin
|
||||||
|
);
|
||||||
admin = [
|
admin = [
|
||||||
"silver"
|
"silver"
|
||||||
"evanc"
|
"evanc"
|
||||||
"eoghanconlon73"
|
|
||||||
"eliza"
|
"eliza"
|
||||||
];
|
|
||||||
trainee = [
|
|
||||||
"milan"
|
|
||||||
"esy"
|
"esy"
|
||||||
"kronsy"
|
|
||||||
];
|
];
|
||||||
|
trainee = [];
|
||||||
lifetime = [];
|
lifetime = [];
|
||||||
banned = [];
|
banned = [];
|
||||||
|
|
||||||
clubs_societies = [
|
clubs_societies = [
|
||||||
"outinul"
|
"outinul"
|
||||||
|
"gamesdev"
|
||||||
];
|
];
|
||||||
|
|
||||||
restricted =
|
restricted =
|
||||||
|
|
989
flake.lock
989
flake.lock
File diff suppressed because it is too large
Load diff
114
flake.nix
114
flake.nix
|
@ -7,83 +7,69 @@
|
||||||
# Return to using unstable once the current master is merged in
|
# Return to using unstable once the current master is merged in
|
||||||
# nixpkgs.url = "nixpkgs/nixos-unstable";
|
# nixpkgs.url = "nixpkgs/nixos-unstable";
|
||||||
|
|
||||||
|
lix-module = {
|
||||||
|
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-1.tar.gz";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
|
|
||||||
# utility stuff
|
# utility stuff
|
||||||
flake-utils.url = "github:numtide/flake-utils";
|
flake-utils.url = "github:numtide/flake-utils";
|
||||||
agenix.url = "github:ryantm/agenix";
|
agenix.url = "github:ryantm/agenix";
|
||||||
arion.url = "github:hercules-ci/arion";
|
arion.url = "github:hercules-ci/arion";
|
||||||
alejandra = {
|
alejandra = {
|
||||||
url = "github:kamadorueda/alejandra/3.0.0";
|
url = "github:kamadorueda/alejandra";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
colmena.url = "github:zhaofengli/colmena";
|
||||||
|
|
||||||
# email
|
# we host our own
|
||||||
# simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
|
|
||||||
simple-nixos-mailserver = {
|
simple-nixos-mailserver = {
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
type = "gitlab";
|
url = "git+https://forgejo.skynet.ie/Skynet/misc_nixos-mailserver";
|
||||||
host = "gitlab.skynet.ie";
|
|
||||||
owner = "compsoc1%2Fskynet";
|
|
||||||
repo = "misc%2Fnixos-mailserver";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# account.skynet.ie
|
######################
|
||||||
skynet_ldap_backend = {
|
### skynet backend ###
|
||||||
type = "gitlab";
|
######################
|
||||||
host = "gitlab.skynet.ie";
|
skynet_ldap_backend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_backend";
|
||||||
owner = "compsoc1%2Fskynet";
|
skynet_ldap_frontend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_frontend";
|
||||||
repo = "ldap%2Fbackend";
|
skynet_website_wiki.url = "git+https://forgejo.skynet.ie/Skynet/wiki";
|
||||||
};
|
skynet_website_games.url = "git+https://forgejo.skynet.ie/Skynet/website_games";
|
||||||
skynet_ldap_frontend = {
|
skynet_discord_bot.url = "git+https://forgejo.skynet.ie/Skynet/discord-bot";
|
||||||
type = "gitlab";
|
|
||||||
host = "gitlab.skynet.ie";
|
#####################
|
||||||
owner = "compsoc1%2Fskynet";
|
### compsoc stuff ###
|
||||||
repo = "ldap%2Ffrontend";
|
#####################
|
||||||
};
|
compsoc_public.url = "git+https://forgejo.skynet.ie/Computer_Society/presentations_compsoc";
|
||||||
skynet_website = {
|
|
||||||
type = "gitlab";
|
#################
|
||||||
host = "gitlab.skynet.ie";
|
### skynet.ie ###
|
||||||
owner = "compsoc1%2Fskynet";
|
#################
|
||||||
repo = "website%2F2023";
|
|
||||||
};
|
# this should always point to teh current website
|
||||||
skynet_website_2016 = {
|
skynet_website.url = "https://forgejo.skynet.ie/Skynet/website_2017/archive/main.tar.gz";
|
||||||
type = "gitlab";
|
|
||||||
host = "gitlab.skynet.ie";
|
# these are past versions of teh website
|
||||||
owner = "compsoc1%2Fskynet";
|
skynet_website_2023.url = "https://forgejo.skynet.ie/Skynet/website_2017/archive/c4d61c753292bf73ed41b47b1607cfc92a82a191.tar.gz";
|
||||||
repo = "website%2F2016";
|
# this is not 100% right since this is from teh archive from 2022 or so
|
||||||
};
|
skynet_website_2017.url = "https://forgejo.skynet.ie/Skynet/website_2017/archive/edd922c5b13fa1f520e8e265a3d6e4e189852b99.tar.gz";
|
||||||
skynet_website_renew = {
|
|
||||||
type = "gitlab";
|
# this is more of 2012 than 2009 but started in 2009
|
||||||
host = "gitlab.skynet.ie";
|
skynet_website_2009.url = "https://forgejo.skynet.ie/Skynet/website_2009/archive/main.tar.gz";
|
||||||
owner = "compsoc1%2Fskynet";
|
|
||||||
repo = "website%2Falumni-renew";
|
|
||||||
};
|
|
||||||
skynet_website_games = {
|
|
||||||
type = "gitlab";
|
|
||||||
host = "gitlab.skynet.ie";
|
|
||||||
owner = "compsoc1%2Fskynet";
|
|
||||||
repo = "website%2Fgames.skynet.ie";
|
|
||||||
};
|
|
||||||
skynet_discord_bot = {
|
|
||||||
type = "gitlab";
|
|
||||||
host = "gitlab.skynet.ie";
|
|
||||||
owner = "compsoc1%2Fskynet";
|
|
||||||
repo = "discord-bot";
|
|
||||||
};
|
|
||||||
compsoc_public = {
|
|
||||||
type = "gitlab";
|
|
||||||
host = "gitlab.skynet.ie";
|
|
||||||
owner = "compsoc1%2Fcompsoc";
|
|
||||||
repo = "presentations%2Fpresentations";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
nixConfig.bash-prompt-suffix = "[Skynet Dev] ";
|
nixConfig = {
|
||||||
|
bash-prompt-suffix = "[Skynet Dev] ";
|
||||||
|
extra-substituters = "https://nix-cache.skynet.ie/skynet-cache";
|
||||||
|
extra-trusted-public-keys = "skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo=";
|
||||||
|
};
|
||||||
|
|
||||||
outputs = {
|
outputs = {
|
||||||
self,
|
self,
|
||||||
nixpkgs,
|
nixpkgs,
|
||||||
agenix,
|
agenix,
|
||||||
alejandra,
|
alejandra,
|
||||||
|
colmena,
|
||||||
...
|
...
|
||||||
} @ inputs: let
|
} @ inputs: let
|
||||||
pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs;
|
pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs;
|
||||||
|
@ -94,7 +80,8 @@
|
||||||
name = "Skynet build env";
|
name = "Skynet build env";
|
||||||
nativeBuildInputs = [
|
nativeBuildInputs = [
|
||||||
pkgs.buildPackages.git
|
pkgs.buildPackages.git
|
||||||
pkgs.buildPackages.colmena
|
colmena.defaultPackage."x86_64-linux"
|
||||||
|
pkgs.attic-client
|
||||||
pkgs.buildPackages.nmap
|
pkgs.buildPackages.nmap
|
||||||
];
|
];
|
||||||
buildInputs = [agenix.packages.x86_64-linux.default];
|
buildInputs = [agenix.packages.x86_64-linux.default];
|
||||||
|
@ -108,7 +95,7 @@
|
||||||
overlays = [];
|
overlays = [];
|
||||||
};
|
};
|
||||||
specialArgs = {
|
specialArgs = {
|
||||||
inherit inputs;
|
inherit inputs self;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -127,9 +114,6 @@
|
||||||
# icecast - ULFM
|
# icecast - ULFM
|
||||||
galatea = import ./machines/galatea.nix;
|
galatea = import ./machines/galatea.nix;
|
||||||
|
|
||||||
# Game host
|
|
||||||
optimus = import ./machines/optimus.nix;
|
|
||||||
|
|
||||||
# LDAP host
|
# LDAP host
|
||||||
kitt = import ./machines/kitt.nix;
|
kitt = import ./machines/kitt.nix;
|
||||||
|
|
||||||
|
@ -156,6 +140,12 @@
|
||||||
|
|
||||||
# trainee server
|
# trainee server
|
||||||
marvin = import ./machines/marvin.nix;
|
marvin = import ./machines/marvin.nix;
|
||||||
|
|
||||||
|
# Public Services
|
||||||
|
calculon = import ./machines/calculon.nix;
|
||||||
|
|
||||||
|
# metrics
|
||||||
|
ariia = import ./machines/ariia.nix;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,17 +18,11 @@ in {
|
||||||
# for the secrets
|
# for the secrets
|
||||||
inputs.agenix.nixosModules.default
|
inputs.agenix.nixosModules.default
|
||||||
|
|
||||||
# every sever may need the firewall config stuff
|
# base application config for all servers
|
||||||
../applications/firewall.nix
|
../applications/_base.nix
|
||||||
|
|
||||||
# every sever needs to have a dns record
|
#
|
||||||
../applications/dns.nix
|
inputs.lix-module.nixosModules.default
|
||||||
|
|
||||||
# every server needs teh ldap client for admins
|
|
||||||
../applications/ldap/client.nix
|
|
||||||
|
|
||||||
# every server will need the config to backup to
|
|
||||||
../applications/restic.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
options.skynet = {
|
options.skynet = {
|
||||||
|
@ -95,7 +89,7 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
# skynet-admin-linux will always be added, individual servers can override the groups option
|
# skynet-admin-linux will always be added, individual servers can override the groups option
|
||||||
services.skynet_ldap_client.enable = true;
|
services.skynet.ldap_client.enable = true;
|
||||||
|
|
||||||
networking = {
|
networking = {
|
||||||
# every sever needs to be accessable over ssh for admin use at least
|
# every sever needs to be accessable over ssh for admin use at least
|
||||||
|
@ -126,19 +120,20 @@ in {
|
||||||
# https://discourse.nixos.org/t/systemd-networkd-wait-online-934764-timeout-occurred-while-waiting-for-network-connectivity/33656/9
|
# https://discourse.nixos.org/t/systemd-networkd-wait-online-934764-timeout-occurred-while-waiting-for-network-connectivity/33656/9
|
||||||
systemd.network.wait-online.enable = false;
|
systemd.network.wait-online.enable = false;
|
||||||
|
|
||||||
environment.systemPackages = [
|
environment.systemPackages = with pkgs; [
|
||||||
# for flakes
|
# for flakes
|
||||||
pkgs.git
|
git
|
||||||
|
git-lfs
|
||||||
# useful tools
|
# useful tools
|
||||||
pkgs.ncdu_2
|
ncdu_2
|
||||||
pkgs.htop
|
htop
|
||||||
pkgs.nano
|
nano
|
||||||
pkgs.nmap
|
nmap
|
||||||
pkgs.bind
|
bind
|
||||||
pkgs.zip
|
zip
|
||||||
pkgs.traceroute
|
traceroute
|
||||||
pkgs.openldap
|
openldap
|
||||||
pkgs.screen
|
screen
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -17,6 +17,11 @@ Notes: Used to have Agent Smith as a partner but it died (Ironically)
|
||||||
name = "agentjones";
|
name = "agentjones";
|
||||||
ip_pub = "193.1.99.72";
|
ip_pub = "193.1.99.72";
|
||||||
hostname = "${name}.skynet.ie";
|
hostname = "${name}.skynet.ie";
|
||||||
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
./hardware/RM001.nix
|
./hardware/RM001.nix
|
||||||
|
@ -31,25 +36,9 @@ in {
|
||||||
tags = ["active-firewall"];
|
tags = ["active-firewall"];
|
||||||
};
|
};
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet = {
|
||||||
{
|
host = host;
|
||||||
record = name;
|
backup.enable = true;
|
||||||
r_type = "A";
|
|
||||||
value = ip_pub;
|
|
||||||
server = true;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = ip_pub;
|
|
||||||
r_type = "PTR";
|
|
||||||
value = hostname;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
services.skynet_backup = {
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# keep the wired usb connection alive (front panel)
|
# keep the wired usb connection alive (front panel)
|
||||||
|
|
47
machines/ariia.nix
Normal file
47
machines/ariia.nix
Normal file
|
@ -0,0 +1,47 @@
|
||||||
|
/*
|
||||||
|
|
||||||
|
Name: https://en.wikipedia.org/wiki/Eagle_Eye
|
||||||
|
Why: ARIIA - Autonomous Reconnaissance Intelligence Integration Analyst
|
||||||
|
Type: VM
|
||||||
|
Hardware: -
|
||||||
|
From: 2024
|
||||||
|
Role: Metrics gathering and Analysis
|
||||||
|
Notes:
|
||||||
|
*/
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
nodes,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
|
# name of the server, sets teh hostname and record for it
|
||||||
|
name = "ariia";
|
||||||
|
ip_pub = "193.1.99.83";
|
||||||
|
hostname = "${name}.skynet.ie";
|
||||||
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
../applications/grafana.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
deployment = {
|
||||||
|
targetHost = hostname;
|
||||||
|
targetPort = 22;
|
||||||
|
targetUser = null;
|
||||||
|
|
||||||
|
tags = ["active-core"];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.skynet = {
|
||||||
|
host = host;
|
||||||
|
backup.enable = true;
|
||||||
|
|
||||||
|
prometheus.server.enable = true;
|
||||||
|
grafana.enable = true;
|
||||||
|
};
|
||||||
|
}
|
|
@ -18,6 +18,11 @@ Notes:
|
||||||
name = "cadie";
|
name = "cadie";
|
||||||
ip_pub = "193.1.99.77";
|
ip_pub = "193.1.99.77";
|
||||||
hostname = "${name}.skynet.ie";
|
hostname = "${name}.skynet.ie";
|
||||||
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../applications/nextcloud.nix
|
../applications/nextcloud.nix
|
||||||
|
@ -31,33 +36,10 @@ in {
|
||||||
tags = ["active"];
|
tags = ["active"];
|
||||||
};
|
};
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet = {
|
||||||
{
|
host = host;
|
||||||
record = name;
|
backup.enable = true;
|
||||||
r_type = "A";
|
nextcloud.enable = true;
|
||||||
value = ip_pub;
|
|
||||||
server = true;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = ip_pub;
|
|
||||||
r_type = "PTR";
|
|
||||||
value = hostname;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
services.skynet_backup = {
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.skynet_nextcloud = {
|
|
||||||
enable = true;
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# this was causing a conflict for some reason
|
# this was causing a conflict for some reason
|
||||||
|
|
49
machines/calculon.nix
Normal file
49
machines/calculon.nix
Normal file
|
@ -0,0 +1,49 @@
|
||||||
|
/*
|
||||||
|
|
||||||
|
Name: https://futurama.fandom.com/wiki/Calculon
|
||||||
|
Why: Public Service server
|
||||||
|
Type: VM
|
||||||
|
Hardware: -
|
||||||
|
From: 2024
|
||||||
|
Role: Public services such as Nix Cache, Open governance stuff.
|
||||||
|
Notes:
|
||||||
|
*/
|
||||||
|
{
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
nodes,
|
||||||
|
inputs,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
|
name = "calculon";
|
||||||
|
ip_pub = "193.1.99.82";
|
||||||
|
hostname = "${name}.skynet.ie";
|
||||||
|
|
||||||
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
../applications/nix_cache/nix_cache.nix
|
||||||
|
../applications/open_governance/open_governance.nix
|
||||||
|
../applications/open_governance/keyserver.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
deployment = {
|
||||||
|
targetHost = hostname;
|
||||||
|
targetPort = 22;
|
||||||
|
targetUser = null;
|
||||||
|
|
||||||
|
tags = ["active"];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.skynet = {
|
||||||
|
host = host;
|
||||||
|
backup.enable = true;
|
||||||
|
nix-cache.enable = true;
|
||||||
|
open-governance.enable = true;
|
||||||
|
keyserver.enable = true;
|
||||||
|
};
|
||||||
|
}
|
|
@ -18,45 +18,29 @@ Notes:
|
||||||
name = "earth";
|
name = "earth";
|
||||||
ip_pub = "193.1.99.79";
|
ip_pub = "193.1.99.79";
|
||||||
hostname = "${name}.skynet.ie";
|
hostname = "${name}.skynet.ie";
|
||||||
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../applications/skynet.ie.nix
|
../applications/skynet.ie/skynet.ie.nix
|
||||||
|
../applications/skynet.ie/wiki.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
deployment = {
|
deployment = {
|
||||||
targetHost = ip_pub;
|
targetHost = hostname;
|
||||||
targetPort = 22;
|
targetPort = 22;
|
||||||
targetUser = null;
|
targetUser = null;
|
||||||
|
|
||||||
tags = ["active-core"];
|
tags = ["active-core"];
|
||||||
};
|
};
|
||||||
|
|
||||||
# it has two network devices so two
|
|
||||||
skynet_dns.records = [
|
|
||||||
{
|
|
||||||
record = name;
|
|
||||||
r_type = "A";
|
|
||||||
value = ip_pub;
|
|
||||||
server = true;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = ip_pub;
|
|
||||||
r_type = "PTR";
|
|
||||||
value = hostname;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
services.skynet_backup = {
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.skynet = {
|
services.skynet = {
|
||||||
host = {
|
host = host;
|
||||||
ip = ip_pub;
|
backup.enable = true;
|
||||||
name = name;
|
website.enable = true;
|
||||||
};
|
wiki.enable = true;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -19,6 +19,11 @@ Notes:
|
||||||
name = "galatea";
|
name = "galatea";
|
||||||
ip_pub = "193.1.99.111";
|
ip_pub = "193.1.99.111";
|
||||||
hostname = "${name}.skynet.ie";
|
hostname = "${name}.skynet.ie";
|
||||||
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../applications/ulfm.nix
|
../applications/ulfm.nix
|
||||||
|
@ -32,32 +37,9 @@ in {
|
||||||
tags = ["active"];
|
tags = ["active"];
|
||||||
};
|
};
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet = {
|
||||||
{
|
host = host;
|
||||||
record = name;
|
backup.enable = true;
|
||||||
r_type = "A";
|
ulfm.enable = true;
|
||||||
value = ip_pub;
|
|
||||||
server = true;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = ip_pub;
|
|
||||||
r_type = "PTR";
|
|
||||||
value = hostname;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
services.skynet_backup = {
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.skynet_ulfm = {
|
|
||||||
enable = true;
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,7 +18,11 @@ Notes:
|
||||||
name = "gir";
|
name = "gir";
|
||||||
ip_pub = "193.1.99.76";
|
ip_pub = "193.1.99.76";
|
||||||
hostname = "${name}.skynet.ie";
|
hostname = "${name}.skynet.ie";
|
||||||
#hostname = ip_pub;
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../applications/email.nix
|
../applications/email.nix
|
||||||
|
@ -32,35 +36,9 @@ in {
|
||||||
tags = ["active-core"];
|
tags = ["active-core"];
|
||||||
};
|
};
|
||||||
|
|
||||||
# add this server to dns
|
services.skynet = {
|
||||||
skynet_dns.records = [
|
host = host;
|
||||||
{
|
backup.enable = true;
|
||||||
record = name;
|
email.enable = true;
|
||||||
r_type = "A";
|
|
||||||
value = ip_pub;
|
|
||||||
server = true;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = ip_pub;
|
|
||||||
r_type = "PTR";
|
|
||||||
value = hostname;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
services.skynet_backup = {
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# we use this to pass in teh relevent infomation to the
|
|
||||||
services.skynet_email = {
|
|
||||||
enable = true;
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
domain = "skynet.ie";
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -19,9 +19,15 @@ Notes: Each user has roughly 20gb os storage
|
||||||
name = "glados";
|
name = "glados";
|
||||||
ip_pub = "193.1.99.75";
|
ip_pub = "193.1.99.75";
|
||||||
hostname = "${name}.skynet.ie";
|
hostname = "${name}.skynet.ie";
|
||||||
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../applications/gitlab.nix
|
../applications/git/gitlab.nix
|
||||||
|
../applications/git/forgejo.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
deployment = {
|
deployment = {
|
||||||
|
@ -32,32 +38,10 @@ in {
|
||||||
tags = ["active-gitlab"];
|
tags = ["active-gitlab"];
|
||||||
};
|
};
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet = {
|
||||||
{
|
host = host;
|
||||||
record = name;
|
backup.enable = true;
|
||||||
r_type = "A";
|
gitlab.enable = true;
|
||||||
value = ip_pub;
|
forgejo.enable = true;
|
||||||
server = true;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = ip_pub;
|
|
||||||
r_type = "PTR";
|
|
||||||
value = hostname;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
services.skynet_backup = {
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.skynet_gitlab = {
|
|
||||||
enable = true;
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,6 +9,7 @@ Role: LDAP Server
|
||||||
Notes:
|
Notes:
|
||||||
*/
|
*/
|
||||||
{
|
{
|
||||||
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
lib,
|
lib,
|
||||||
nodes,
|
nodes,
|
||||||
|
@ -18,10 +19,15 @@ Notes:
|
||||||
name = "kitt";
|
name = "kitt";
|
||||||
ip_pub = "193.1.99.74";
|
ip_pub = "193.1.99.74";
|
||||||
hostname = "${name}.skynet.ie";
|
hostname = "${name}.skynet.ie";
|
||||||
#hostname = ip_pub;
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../applications/ldap/server.nix
|
../applications/ldap/server.nix
|
||||||
|
../applications/ldap/backend.nix
|
||||||
../applications/discord.nix
|
../applications/discord.nix
|
||||||
../applications/bitwarden/vaultwarden.nix
|
../applications/bitwarden/vaultwarden.nix
|
||||||
../applications/bitwarden/bitwarden_sync.nix
|
../applications/bitwarden/bitwarden_sync.nix
|
||||||
|
@ -35,46 +41,18 @@ in {
|
||||||
tags = ["active-core"];
|
tags = ["active-core"];
|
||||||
};
|
};
|
||||||
|
|
||||||
# add this server to dns
|
services.skynet = {
|
||||||
skynet_dns.records = [
|
host = host;
|
||||||
{
|
backup.enable = true;
|
||||||
record = name;
|
|
||||||
r_type = "A";
|
|
||||||
value = ip_pub;
|
|
||||||
server = true;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = ip_pub;
|
|
||||||
r_type = "PTR";
|
|
||||||
value = hostname;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
services.skynet_backup = {
|
# ldap setup
|
||||||
host = {
|
ldap.enable = true;
|
||||||
ip = ip_pub;
|
ldap_backend.enable = true;
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.skynet_ldap = {
|
# private member services
|
||||||
enable = true;
|
discord_bot.enable = true;
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.discord_bot = {
|
# committee/admin services
|
||||||
enable = true;
|
vaultwarden.enable = true;
|
||||||
};
|
|
||||||
|
|
||||||
services.skynet_vaultwarden = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -17,6 +17,11 @@ Notes:
|
||||||
name = "marvin";
|
name = "marvin";
|
||||||
ip_pub = "193.1.99.81";
|
ip_pub = "193.1.99.81";
|
||||||
hostname = "${name}.skynet.ie";
|
hostname = "${name}.skynet.ie";
|
||||||
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
|
|
||||||
groups = [
|
groups = [
|
||||||
"skynet-admins-linux"
|
"skynet-admins-linux"
|
||||||
|
@ -44,31 +49,13 @@ in {
|
||||||
++ groups_trusted;
|
++ groups_trusted;
|
||||||
|
|
||||||
# allow trainees access
|
# allow trainees access
|
||||||
services.skynet_ldap_client = {
|
services.skynet.ldap_client = {
|
||||||
groups = groups;
|
groups = groups;
|
||||||
sudo_groups = groups;
|
sudo_groups = groups;
|
||||||
};
|
};
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet = {
|
||||||
{
|
host = host;
|
||||||
record = name;
|
backup.enable = true;
|
||||||
r_type = "A";
|
|
||||||
value = ip_pub;
|
|
||||||
server = true;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = ip_pub;
|
|
||||||
r_type = "PTR";
|
|
||||||
value = hostname;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
services.skynet_backup = {
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
# Put test services below this
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,6 +18,11 @@ Notes:
|
||||||
name = "neuromancer";
|
name = "neuromancer";
|
||||||
ip_pub = "193.1.99.80";
|
ip_pub = "193.1.99.80";
|
||||||
hostname = "${name}.skynet.ie";
|
hostname = "${name}.skynet.ie";
|
||||||
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
./hardware/RM007.nix
|
./hardware/RM007.nix
|
||||||
|
@ -44,25 +49,8 @@ in {
|
||||||
tags = ["active-core"];
|
tags = ["active-core"];
|
||||||
};
|
};
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet = {
|
||||||
{
|
host = host;
|
||||||
record = name;
|
backup.server.enable = true;
|
||||||
r_type = "A";
|
|
||||||
value = ip_pub;
|
|
||||||
server = true;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = ip_pub;
|
|
||||||
r_type = "PTR";
|
|
||||||
value = hostname;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
services.skynet_backup = {
|
|
||||||
server.enable = true;
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -22,9 +22,6 @@ Notes: Thius vpn is for admin use only, to give access to all the servers via
|
||||||
hostname = ip_pub;
|
hostname = ip_pub;
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
# applications for this particular server
|
|
||||||
../applications/firewall.nix
|
|
||||||
../applications/dns.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
deployment = {
|
deployment = {
|
||||||
|
@ -39,7 +36,7 @@ in {
|
||||||
"ip daddr ${ip_pub} udp dport 51820 counter packets 0 bytes 0 accept"
|
"ip daddr ${ip_pub} udp dport 51820 counter packets 0 bytes 0 accept"
|
||||||
];
|
];
|
||||||
|
|
||||||
skynet_dns.records = {
|
services.skynet.dns.records = {
|
||||||
external = [
|
external = [
|
||||||
"${name} A ${ip_pub}"
|
"${name} A ${ip_pub}"
|
||||||
];
|
];
|
||||||
|
|
|
@ -19,6 +19,11 @@ Notes:
|
||||||
name = "optimus";
|
name = "optimus";
|
||||||
ip_pub = "193.1.99.112";
|
ip_pub = "193.1.99.112";
|
||||||
hostname = "${name}.skynet.ie";
|
hostname = "${name}.skynet.ie";
|
||||||
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../applications/games.nix
|
../applications/games.nix
|
||||||
|
@ -32,32 +37,9 @@ in {
|
||||||
tags = ["active"];
|
tags = ["active"];
|
||||||
};
|
};
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet = {
|
||||||
{
|
host = host;
|
||||||
record = name;
|
backup.enable = true;
|
||||||
r_type = "A";
|
games.enable = true;
|
||||||
value = ip_pub;
|
|
||||||
server = true;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = ip_pub;
|
|
||||||
r_type = "PTR";
|
|
||||||
value = hostname;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
services.skynet_backup = {
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.skynet_games = {
|
|
||||||
enable = true;
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
|
@ -18,16 +18,19 @@ Notes: Does not host offical sites
|
||||||
name = "skynet";
|
name = "skynet";
|
||||||
# DMZ that ITD provided
|
# DMZ that ITD provided
|
||||||
ip_pub = "193.1.96.165";
|
ip_pub = "193.1.96.165";
|
||||||
# for internal network connectivity
|
|
||||||
ip_int = "193.1.99.82";
|
|
||||||
hostname = "${name}.skynet.ie";
|
hostname = "${name}.skynet.ie";
|
||||||
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../applications/skynet_users.nix
|
../applications/skynet_users.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
deployment = {
|
deployment = {
|
||||||
targetHost = ip_pub;
|
targetHost = hostname;
|
||||||
targetPort = 22;
|
targetPort = 22;
|
||||||
targetUser = null;
|
targetUser = null;
|
||||||
|
|
||||||
|
@ -35,29 +38,9 @@ in {
|
||||||
tags = ["active-ext"];
|
tags = ["active-ext"];
|
||||||
};
|
};
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet = {
|
||||||
{
|
host = host;
|
||||||
record = name;
|
backup.enable = true;
|
||||||
r_type = "A";
|
website_users.enable = true;
|
||||||
value = ip_pub;
|
|
||||||
server = true;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = ip_pub;
|
|
||||||
r_type = "PTR";
|
|
||||||
value = hostname;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
services.skynet_backup.host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
|
|
||||||
services.skynet_users = {
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,6 +18,11 @@ Notes: Using the server that used to be called Earth
|
||||||
name = "vendetta";
|
name = "vendetta";
|
||||||
ip_pub = "193.1.99.120";
|
ip_pub = "193.1.99.120";
|
||||||
hostname = "${name}.skynet.ie";
|
hostname = "${name}.skynet.ie";
|
||||||
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
./hardware/RM002.nix
|
./hardware/RM002.nix
|
||||||
|
@ -45,35 +50,16 @@ in {
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.skynet_backup = {
|
services.skynet = {
|
||||||
host = {
|
host = host;
|
||||||
ip = ip_pub;
|
backup.enable = true;
|
||||||
name = name;
|
dns = {
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
skynet_dns = {
|
|
||||||
server = {
|
server = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# primary dns server (ns1)
|
# primary dns server (ns1)
|
||||||
primary = true;
|
primary = true;
|
||||||
ip = ip_pub;
|
ip = ip_pub;
|
||||||
};
|
};
|
||||||
|
};
|
||||||
records = [
|
|
||||||
# vendetta IN A 193.1.99.120
|
|
||||||
{
|
|
||||||
record = name;
|
|
||||||
r_type = "A";
|
|
||||||
value = ip_pub;
|
|
||||||
server = true;
|
|
||||||
}
|
|
||||||
# 120 IN PTR vendetta.skynet.ie.
|
|
||||||
{
|
|
||||||
record = ip_pub;
|
|
||||||
r_type = "PTR";
|
|
||||||
value = hostname;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -17,6 +17,11 @@ Notes:
|
||||||
name = "vigil";
|
name = "vigil";
|
||||||
ip_pub = "193.1.99.109";
|
ip_pub = "193.1.99.109";
|
||||||
hostname = "${name}.skynet.ie";
|
hostname = "${name}.skynet.ie";
|
||||||
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
];
|
];
|
||||||
|
@ -29,36 +34,16 @@ in {
|
||||||
tags = ["active-dns" "dns"];
|
tags = ["active-dns" "dns"];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.skynet_backup = {
|
services.skynet = {
|
||||||
host = {
|
host = host;
|
||||||
ip = ip_pub;
|
backup.enable = true;
|
||||||
name = name;
|
dns = {
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
skynet_dns = {
|
|
||||||
server = {
|
server = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# secondary dns server (ns2)
|
# secondary dns server (ns2)
|
||||||
primary = false;
|
primary = false;
|
||||||
ip = ip_pub;
|
ip = ip_pub;
|
||||||
};
|
};
|
||||||
|
};
|
||||||
# this server will have to have dns records
|
|
||||||
records = [
|
|
||||||
# vigil IN A 193.1.99.109
|
|
||||||
{
|
|
||||||
record = name;
|
|
||||||
r_type = "A";
|
|
||||||
value = ip_pub;
|
|
||||||
server = true;
|
|
||||||
}
|
|
||||||
# 109 IN PTR vigil.skynet.ie.
|
|
||||||
{
|
|
||||||
record = ip_pub;
|
|
||||||
r_type = "PTR";
|
|
||||||
value = hostname;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -18,9 +18,14 @@ Notes:
|
||||||
name = "wheatly";
|
name = "wheatly";
|
||||||
ip_pub = "193.1.99.78";
|
ip_pub = "193.1.99.78";
|
||||||
hostname = "${name}.skynet.ie";
|
hostname = "${name}.skynet.ie";
|
||||||
|
host = {
|
||||||
|
ip = ip_pub;
|
||||||
|
name = name;
|
||||||
|
hostname = hostname;
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
../applications/gitlab_runner.nix
|
../applications/git/forgejo_runner.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
deployment = {
|
deployment = {
|
||||||
|
@ -31,29 +36,9 @@ in {
|
||||||
tags = ["active-gitlab"];
|
tags = ["active-gitlab"];
|
||||||
};
|
};
|
||||||
|
|
||||||
skynet_dns.records = [
|
services.skynet = {
|
||||||
{
|
host = host;
|
||||||
record = name;
|
backup.enable = true;
|
||||||
r_type = "A";
|
forgejo_runner.enable = true;
|
||||||
value = ip_pub;
|
|
||||||
server = true;
|
|
||||||
}
|
|
||||||
{
|
|
||||||
record = ip_pub;
|
|
||||||
r_type = "PTR";
|
|
||||||
value = hostname;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
services.skynet_backup = {
|
|
||||||
host = {
|
|
||||||
ip = ip_pub;
|
|
||||||
name = name;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.skynet_gitlab_runner = {
|
|
||||||
enable = true;
|
|
||||||
runner.name = "runner01";
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Binary file not shown.
|
@ -1,17 +1,19 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 V1pwNA LoF1ddALOVnrPikVoFfIO/Hrydrqoh/4W5DaSMZHkUs
|
-> ssh-ed25519 V1pwNA d/AgQuQidsB5+UMBxg3/YIA/4EVMF9+BeZrEMzgU52Y
|
||||||
Fla3oxohjlE6oUkx9tsroXcbDqQoQfi4qixrEqy2+/4
|
gPmTDd4oeIwwJ5ZdnWp/s6cEupsYPY08TBvmL5fe3NE
|
||||||
-> ssh-ed25519 4PzZog tojPturHggZ54bUlyCbr0hwLbhTPpBR/o90XT9DYf0Y
|
-> ssh-ed25519 4PzZog iR02KGER5WMrs4djPPpMRc3v5qN5FpcpjTkB+O4GyV0
|
||||||
it+mlc2OKzxnEF08ao0J+aJezA20eAaRBW+ODgiX09k
|
ibvzSePq1ruF03QBsHRr40VCZ6ZcnWjvcJzybB5vt4g
|
||||||
-> ssh-ed25519 5Nd93w W5FDJ7geDB27elGpL6SHBA54Al3uTU67FNsTt63E5H4
|
-> ssh-ed25519 dA0vRg pVsTTA9yknN8gl6K/CkY/HnUc8eW1F/pSqXq/Upq3SE
|
||||||
1N3NVwEC3QqjpwdFk/SRWFpTUk1tTH7YPQdV2MmF/II
|
3ymQH0jBAk9ktwBUvth8G9ZdDzr9Ozqi9YNVB8fyvGE
|
||||||
-> ssh-ed25519 q8eJgg yJj2ImpyTpjLGiPqxQ/03tGFDnDN08Gr93rPRUYLLyk
|
-> ssh-ed25519 5Nd93w fSPTiW3c4va0F5IYoFF+QoN4u1tFGRBrMO9lypICiXo
|
||||||
PLSFba8JFM2na4h6XIzVeKKEw61/ZwlpQdesIHPtggY
|
8MgZPPUXJGGOdmGknXhaV0xgJl76dg9B1e5r0Ud/iW8
|
||||||
-> ssh-ed25519 3pl/Kw Zu5dWL1GkgL8ZhmFuTg56GRGTvTTDXYOXGN75/h37wQ
|
-> ssh-ed25519 q8eJgg UFiK3B6YB3YR8fVOWOPLlpGuo5pWpK6b7zteIngC2Cc
|
||||||
nvNXCSa/VsjchPWRMoFNCRLe6SK/trUrGgKa7iJkprA
|
K+e9B1V7AdimOMdy7YCJ7tJnHsHoQChAmWmOJDIdwMU
|
||||||
-> vZ[z@fHA-grease
|
-> ssh-ed25519 KVr8rw FeMibaL1ITDNByDL26VRXVz6d2FP13SpKoN87RgTYDo
|
||||||
mAV/h887fY2ispnlxuTZ+LR/EIYhV6LqbyuDpEc4p0jnwdpYhEAfU4KKZtnxae22
|
e0LPmpAe9wRRvgKTYq96Qk+WiUhfixiatuWPPi72Nlk
|
||||||
q/IM3g
|
-> ssh-ed25519 fia1eQ i5+7lIZDOm48wywy6CRMOLVhHWnmV71WM0QLSbyhqV4
|
||||||
--- QXUMgsJS6LdbF4du60HslLfcBq5xNsazlzAHb7jSeDI
|
S5nAEPHEmAn3AGxN04FpVKwVHrWtZS2s/dPeVv4ryCE
|
||||||
|á©eC Ÿ® ¶>,ÎVÄ•Ë<E280A2>3Mb<4D>$iœ¥IŽsÒ=qk܃œDi
|
-> ssh-ed25519 3pl/Kw Mhc4y4szabQQaeBWtZ7mVdDnZYRwtninrBhcyHoUm24
|
||||||
ÖŸîè;S¸´)ßÄ<+€ÔÆìò)¨uRê²—eó‘[ÍðŒ4©}¢{61WrÈEíëPI
|
lQpLgpgU0ak9WDQIJxd5Yz/DUe14szLvsUGxAil+5dk
|
||||||
|
--- eUzkrzEEXETs3FXa2YqSW4yqQiRLFC8Umr1D+Bq334c
|
||||||
|
ڙءm“ }ïÁý9Ž.›û‚”I^éY%Kcö¨SšÒÈ®#ö¤hVó„Á{þ7Z'i¸<¡Z#–s<E28093>íÆ<C3AD>šs. Þ<>„zÒIW=†WÀuþ7ϱÚàX
|
Binary file not shown.
Binary file not shown.
|
@ -1,15 +1,19 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 V1pwNA BxPb6d6nlJHiTkbcwOoPrvAPBuR1iJSFAXIp9n23Ix0
|
-> ssh-ed25519 V1pwNA LbYb1XP9bLe1lcsAfGwPkK2/r2+TnkkEgfS9fi1YKRo
|
||||||
hl0X3RjOEYp2G1QU4SC6CBF5YVlCWiakMsRbGTBYkzs
|
Z20C/zQluu+Qanf4d9GSj4pLirCyqJpa60H9hodMt5k
|
||||||
-> ssh-ed25519 4PzZog Nf/tUysmhTfzaoHhubwdQ5NKZw5SBd3CEs129FGkuio
|
-> ssh-ed25519 4PzZog IFlhg/gbQpiMugcQZUHwfAnSvhxCwW67XmfSNmYOSQE
|
||||||
750oaBtfeBEpDuasZFr7RY5uBzFZZNMNGQkRyFfEGCo
|
nOp4xPFMvIhUH9OUVz8B3L8GI+Um2egjHV0FgmdNwwM
|
||||||
-> ssh-ed25519 5Nd93w fI9TNLWkDkvLCDA8eTMfVw7fRPylWHPGzPupya737xY
|
-> ssh-ed25519 dA0vRg OAmV1KiprjoIgOPHCYcme2uLiU1xEdohTWA5CiN0yG8
|
||||||
wQcz+yf+EqDNmRWqldNuQjjy9tKc1zN//yumtGpGbaM
|
4/LHk5LCGrpMISvpjfo7QuhnRrE3ycFGwGTQ1i6VaZE
|
||||||
-> ssh-ed25519 q8eJgg T9Iv+fRwmOLYMXe3ur6dqudA1z2wQsKQX6ogkyQT3Fw
|
-> ssh-ed25519 5Nd93w jv27aiNze8Nxp2ohY7NIRtZv5lBxAdKYGWdqWD12zU0
|
||||||
LBYKL2OtLiwq25FkvZjT4H3tu8fOA+KFmFp5vjbncLI
|
E5Rk0r8To4B39UsaZavEkAZlIPiaXswsShMgsyNPMoY
|
||||||
-> ssh-ed25519 IzAMqA O9JfKAlOUao2S14iczlnTzT2sTSAM1vOR5KjO8eJMG0
|
-> ssh-ed25519 q8eJgg /o798N6b1KlQfMM9gQf48TF9V7nXORxW4SOpcpYCuhI
|
||||||
ioTSe6X4E6jE4c9Utl2d6EUHZYilnbtRnB5QJg3S3Q4
|
RVYXWwZLFL6ZUjGbmXBzEj0+Pe2wpZFPIj5yH9kRIwY
|
||||||
-> 6&-grease
|
-> ssh-ed25519 KVr8rw +N2w/8vvD7/uG3TMYb+9vml/vZhLkoS+03KEDlQWNhs
|
||||||
BkWorA2LiphyWLmdV3AeKsI
|
Hne+3S6vVc5Sx7QJ+OCrPCt4s5usZ7B7WwusnFQLmSo
|
||||||
--- +MO1wX7pJf7eq4MkiWSP+xyxThI5jnfseS8jd7LbFoY
|
-> ssh-ed25519 fia1eQ PJYYKfL1GolRt90KC52dvUyZ/HjWRJm9vMTjBvrCOkQ
|
||||||
¿ÕWV¥—>ådD"ð`ûi+€Ç¸ÃæÕ¬ã<C2AC>ÂSмk°H¨Ojt<6A>±Ç*âòkßäŒØ<C592>ŒÔ¢9Ë×P
|
Xc7SpT5TZLTOORLO3uE8tPXKx7thUwaJi3ixngLRljM
|
||||||
|
-> ssh-ed25519 IzAMqA AtoNahZ3dTQasdfP3wf7U1RJyx//Kt82e1TMSIkW6QA
|
||||||
|
neLAeCvnsl4RDq2H1slZJ+5i3JErqy4aRGoscpRUi/0
|
||||||
|
--- W8B6kla08fEkl4Kpp+0eAHj7B1j3WYCDcuwJvAIEW58
|
||||||
|
)8ýG(ž¶ ìò<C3AC><C3B2>žÛær_št¤Ö©zµ¥|>¢od…ð×ù6µø*0j»…r‚´ñTü«\*v^#‚
|
|
@ -1,22 +1,26 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 V1pwNA icye7bxeLugaCuSwMYAZQOrI7tcG8uc9XR5lTYBkWQ4
|
-> ssh-ed25519 V1pwNA 6NKUbOSUbwVjzW/ZUpl8qEiUTTegFlji4+tVJyqY3SE
|
||||||
HRsRB0GVkMPS0afDz0ybcTZ/oexA7zV9U6hYyyVm/hQ
|
fRQvaKnLMkVBboTEriQpWlGY9VBAP3ppsEbAB2QTScs
|
||||||
-> ssh-ed25519 4PzZog ihJwwtlgiICUNgrpwVVKAAcDP9JxPgBmcruW1em8RU4
|
-> ssh-ed25519 4PzZog mp/+b5LpB+DvRduqAZiKWqkZq6+tlyQgVTZz7Oge2Us
|
||||||
/c6JJDzrHwyEelgMaoDeADVD/yL+ptrDdgSSMFceuXs
|
OycqmZyDr3levWSfRFxypJOkITLDix0Q15Todya6BNc
|
||||||
-> ssh-ed25519 5Nd93w aLRd09zpjgCnj84pFFfPd9FrJGsnemOb99EG/TPe+UM
|
-> ssh-ed25519 dA0vRg yp/4LvS9DbdatHFWFsP5qhH8CP8Bs0IjVSenUtG4+Xs
|
||||||
hEM/T5j4oZI05597dI148eRbRU0P/E02RAD5ypsl1eo
|
hHiJEtl1ffYXltsJzuEMLGUl2i/i3pFzv4bjbx/cbOI
|
||||||
-> ssh-ed25519 q8eJgg dwCo6ph1KTMDgFnJLrGFtzscrHxog6WGRUaPdBOuCSo
|
-> ssh-ed25519 5Nd93w BTngmy4NGLGKhC8lPos63QEVBKoQT82KswQ22EypcQQ
|
||||||
WCxgbOjZy9vkgcYTa4t/bgc5qfxlpFOiQ3vtCvb+uWM
|
OCnJMkOwwXQVbtCitUizXM4nynC6a1tiPSkm7MxulWA
|
||||||
-> ssh-ed25519 IzAMqA Q+XUnmVUAstlxgZTiXXGZN7Nzo6G0zgS3jtil8MKd0w
|
-> ssh-ed25519 q8eJgg NaEjVcDBVICRgXuJchEdE4vg3qmkNmJAbDDxLq1fX0M
|
||||||
1VFkeEGLZLh+j7e1RJW1iCx8ueLNTljTsxpujkhwBPI
|
YFwUmEPwJIik5YJ2SV5IAmqGlY+h24voJJlrBaoCBwA
|
||||||
-> ssh-ed25519 uZzB3g FeuGUR8zcPUHkev9PVARM2ac4Ezk9EjO3gWL15kkjjM
|
-> ssh-ed25519 KVr8rw ZnyVITZFkuozEs/rbTdxXDQNS3Nggo+JkBL1Icht2SM
|
||||||
W7DXwMWrIKEzs2IJ4MH/diaqkUK+lYE5ocJ3qD26NyU
|
B4jVVts5lK1kIlOWMl0eiN7TpsTeJZWIu7NqildxeGE
|
||||||
-> ssh-ed25519 Hb0ipQ +hueeoIxI4+E0bkElclszUoD4ftHLkiqe6XGcMNbAn4
|
-> ssh-ed25519 fia1eQ kvzARRScl/eypC2a5cY66sXcH+TZqz4sYg4W/k9iJxQ
|
||||||
mS/SFhLfjQYa76qhDXvMijkvbWkGRGcv7HWlszArX14
|
Ga+4TVvXiQ6i5/+fgUQ3E5tJiLqdBsEsXjenXEpRV/A
|
||||||
-> ssh-ed25519 IzAMqA CLf1vDYSLjW2InHfHCEfq/b7j3zyRH0TTcLSQ0Evmn4
|
-> ssh-ed25519 IzAMqA 5sizvlhLhAhAR1bViHJtRJ8fAIO56TAuLVSOwE177QE
|
||||||
tuq2+h0UVzt/lTFdpLn+fr5rIYdf8mgdDny8Cak+k3c
|
b9oJ8BC2xiBjvc3D0H0EF7bSNDlpvIidyBCTf04ndJI
|
||||||
-> x-grease
|
-> ssh-ed25519 uZzB3g g9y66zNmQbqP6Rbhg2t06W3YOgy8DkRvJZbWVegT71s
|
||||||
Eeo9UQ7LVOjORlpR2Jf7K6P2OEdc6HWWQ6/Yt//KHWxKStUtMv2fPIHu3A8h8mHl
|
2dH7E76tDMrWQJbLPefyORP66iaPHQnSjwu8NCdSyJo
|
||||||
iQT/Xmlg
|
-> ssh-ed25519 Hb0ipQ azOzBLXfshInlFVpV0PzIBidL/VzA/+kKRXFFVD6ZF4
|
||||||
--- 0/OGiJqIu2aFUO8vqJ936PvDDNiohDSVkqpsiCxzfiE
|
iXBF/Wcv4KWo5qUXUlyimuo0l6aClKxOCtkm3MxAIBc
|
||||||
—Z ¥lŽ.§j‚¥õßZöE‡¤ääóÓ´ì€Fx®6Mœ!ã:øö‘×û¼ÁzbªùÎ.tDΊz#:xãc}<r0‘n£°/èþ*?·ÿÓ*;Ûò؈kzùûîAõÑO"†”|K>?cF£/ÑÅÎ؉Õ;Ë<>¤"´eJM_Gv·©e7ôck»\E9<45>³à&öOúž+â< ÁÚ“+ýÕŠ 2«Hm<48>½
|
-> ssh-ed25519 IzAMqA EWitYyV8RsPIB6HEFE2OI/C1zcC6WfBEeDI62rGVmkk
|
||||||
|
Bk9tdSqIjLjat21J2LM8RXAt9GwdQxYdfPzqDtCjunE
|
||||||
|
--- waY7j+HMEOdqEZs/TcLEhUY9gJs6ZSc51VNfuCmCxJ4
|
||||||
|
Ý;dÙ9A‡vÔé±nq<“ê;TèáƒB؇$ÐGÌvï¯h
|
||||||
|
»\^Žé§lÖ¯`š¼ÄÎ?l¸<0C>au~üЧ×yâ[ךju²üvÂ;]!œ6Ëè±ãXIs4ÇŒ!Ù@ß϶û¬‘|›úïª">eÈÿ[VVŠž´,ÿ5˜ý8N§¹Œh<04><>[ƒ×´ZD,zý&âñíó¡”õIØ>ŠØù¡<C3B9>|ÎézÉm
|
Binary file not shown.
|
@ -1,34 +1,49 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 V1pwNA 2QqdIJOBGkHQYLkNX0NRvazb6IBk4SYYps1lAC8N+WM
|
-> ssh-ed25519 V1pwNA 5xvtgxFvEOX/bVAOdBBF2Fyb0euGt95YjhOcfpGgHk4
|
||||||
GkubePEafiWi3SfR8GXeXU8+HH4PxdwHPd9GOgvzhWw
|
6oN4Xba0W5g/d3EX2aC4N6UFVf/oHGgdTxBcMbjIdHo
|
||||||
-> ssh-ed25519 4PzZog WEUGHm/9UeG0iFVKxFkaZYRtmqlVF3b3ikRQlA4Jgyw
|
-> ssh-ed25519 4PzZog SjAcOftaZBEAAZ/P+Z9OTira4/QLSMRefC+JkQcf0G8
|
||||||
yl/pe3c9C147jQj/uNIN5QMkFiVSAG9CQHMEOmK8UUQ
|
zG0R3/r+PBjWj7WBABmHPXpqx18uLyuFMJKB2az9i2E
|
||||||
-> ssh-ed25519 5Nd93w glFj1OmRcPMfXX8ZNklv3Lpoq27u9pK7LNtFWVUwjio
|
-> ssh-ed25519 dA0vRg k8fekPA7w/QFMVnDfCrpOlfv531/nw9tO7B0d+mWHiA
|
||||||
FeNTpW3aqxYE84kGRze9BMR2hDRsBj9a9+439fqp23A
|
jp+DndebWEdk9+wt/nvS0LfRsFf8T7+dMffWmx3tPw8
|
||||||
-> ssh-ed25519 q8eJgg 2GCD+0xk/pRUefV/qWv5GKsTS/vu5hGtr7lOPteWSS8
|
-> ssh-ed25519 5Nd93w dYe/tZ5qHoacI1IBa7yvDL/grZU7Lc40gU8boQY8Wj0
|
||||||
M4Fsni71ockMvu669XMHM9++hXiz7TdFLf6o1izc0bc
|
eBs8fYre18RGW8+RH4J4AleG3kNpCZ0agAfcojSCy2Y
|
||||||
-> ssh-ed25519 XSrA6w yaCOzzT0GnCzdrARp2FQHV7npbD/JnuV4tSYwIprdXE
|
-> ssh-ed25519 q8eJgg 9UZdBq2oZ29U/kzeNOGn+q8RbkLbJwM0eSJHqSLV6Ek
|
||||||
iEIgUn1+aDXN6+qDBNj4ltdCXYqxEmXXql645cGSyrE
|
vqa610t5XxHiKBSf7veOc09ZFYW7EF1KpIbCpdCsegw
|
||||||
-> ssh-ed25519 DVzSig kQJIpvtSZSw1IUDIb3z7HNRz4dw5H3jb8ozcynSe5Bk
|
-> ssh-ed25519 KVr8rw 1CkykLAC3c615TDRlOeI4GHmqu0VT2kclWkr+DT9dSM
|
||||||
aHT8f8DncqP8pgE9oL70619xyNtDBzxB29Hq/ma2rt8
|
0MyPNEmkHICQZxpKt0jBZpce13c+jn4WC7IJL4uWZHo
|
||||||
-> ssh-ed25519 SqDBmA QDrZMYCMSsqmhFIMaNi/keyPOry3YHwS0dMGGumJLzs
|
-> ssh-ed25519 fia1eQ OtFYStmc1y+yqYNaNgHxEheIIVykYAa/uR0dKS4xX3Y
|
||||||
Tj0oKWFsU2aR7CQSyeDYWq7nY/vbcOkMD9JrLFaq2Uo
|
c2HYDyrD6Db3FNLP8tebLngtS2S8LHsmHovbofsUk3U
|
||||||
-> ssh-ed25519 UE6fcQ Hb0Bp60va2pYytRaSaLbT9sKcosbcezSJs7DNiS7jgw
|
-> ssh-ed25519 /Gb5gQ rAc4CqbqdkIAFystL0rLqGNH56GrKxOBamqhiIFAY3c
|
||||||
41IjrgNOPB69pabq3JRhdFNocy661JSCmXLdk988Hyw
|
RR+NsZe0HQdQv6SgeIqy9IcIChXdvrsspNDBngW6Byw
|
||||||
-> ssh-ed25519 IzAMqA 54sUUDUo1EurSpAIHhwUYWUF4jabHauQqzdaZv+q6WU
|
-> ssh-ed25519 NtlN/A 93citgkp9Aj1LDK5UdzJqYVVYaWgt/Cc6yMJka+ccyY
|
||||||
14C6ao5GUpicJrdIzP0YibKO0xoY3ehc1GDEWdWA3Mg
|
KTcyd/SygOLp4mPI1zGDTKCNT7LfVUw12Bw/qnTnMpE
|
||||||
-> ssh-ed25519 uZzB3g I/XkpzTDdYac5rJjElfNpD9gh70hnzImBBtBnEse5z8
|
-> ssh-ed25519 v2Y09A +fWNE2zU+lz5KGu2Ed2MHb9UXzJPUAUuBWilF/AS1Qo
|
||||||
9SzTUatocYlqsyoNJ3oPaA6nZ4gZaRzUUs/zSXTPLM0
|
UVJWnAjRcD7X6iA/heoWdZTcsUS+1VMG5leIHxWZGNA
|
||||||
-> ssh-ed25519 Hb0ipQ h/VbRE/4QmlDmxl0nuzV828L75zK14FJTlxucIgw5Fc
|
-> ssh-ed25519 XSrA6w fft3i85PNprS9QqQo2yKr3lx3qHuSVFeVYuT5Gtfyng
|
||||||
EbTPH0ma+TA+tbfluXrvNU7mfqrK3Onn1riikEA3t08
|
lNOo2jQXvaMElQawI9x8vnQN5bnnNefEyYXD3YqwOwM
|
||||||
-> ssh-ed25519 uZzB3g M0z7FxgMYUNi5CMRYnpTueyx5RwhJtArrv8o6pj+LEI
|
-> ssh-ed25519 DVzSig a5q+imjqWqTzyM3aU+UvvGv3wH3RLTPl+kva+qVSSFs
|
||||||
JjlkieTaJ+kz4CxdyPN4MDR1IUoWJf/uCGZj9jc+csY
|
Pobzi/5ZVyfGhVK4cMqvMqaAol9X4+P3hEaUeHdiacY
|
||||||
-> ssh-ed25519 YFaxCg 1C4qRq/rM5B36KZ3MkGl1wT9NwsSQBoefccxiBi3qVc
|
-> ssh-ed25519 uZzB3g B1D2S87+yPr66EikAqLw7s5pazfQeQUxAj4FFnk0nAE
|
||||||
TKz4Ok/TVANl7cQ5sySccxWySWBXPtvJDM+eV1dsTz4
|
3lEw0t99aSGqkZdi+ILl3+s+JWRKpY4BHLXdrHfFxng
|
||||||
-> !s-grease j^W+6, Ab
|
-> ssh-ed25519 CqOTGQ urZpNzMYvDnGR1UgjgrRYp06gKWcTEWUDjyb4fdDTD0
|
||||||
Io86Mr5+tdtC+WUnf7YWjuOE9oHm2iLwyRRiEKgjxDIvNtDgdiZ+0nZ7yDRmuO48
|
7jeFeoMBitwGFQLSynYVyIYsEhHe7A8mdl65goiX5c8
|
||||||
6OKmc9Wc2nsqknT6odS8hAgR2jIPXvg
|
-> ssh-ed25519 IzAMqA QmtcH5afcef4NMRX4AMrUHW1tCPGOlJ+gIhhDFkUCSY
|
||||||
--- 4YBEXs7Qucs2NbbyqhTgQrWZhejQa4XmK1mgd5eW4yc
|
I4Yg8vgoYGcsV43qq04+nrhzMJ20eaQjOD4EJM0z2xw
|
||||||
<EFBFBD>ë~#ñ)¤Œ+s?ÐYy>Ï_b?ÝL+)cÙ(8õ$HmMâ<U†
|
-> ssh-ed25519 Hb0ipQ CO7nQSSKrmkQ/C6DuJxesIMJmm99eQytLzJ+3/Q38AI
|
||||||
ß<EFBFBD>F•a§Ä˜Ô,zøæ>`7'ö†cÿÐð¾&cO¯hõJs|xW6±kâHw7¾õ@4„N´P ¢zW<7A>m„ >"?JÿP
8Kaç—óU^±.×ô"Ì=¯gìµ6(j†AEîPÅàÁ.—yòWšŠl›¼ç
°—ÇÀò-£3¯<14><0C>¦aãã<C3A3>
|
/kBnqeivoQLMaAA7nX0t4/UAvcOIchEu9bJWxIuUOV0
|
||||||
M"lkÌûyºÓ¨ì 9#og`p÷<70>unïÜÒ·™Ïý„C¯›Š
|
-> ssh-ed25519 3pl/Kw qUD++i8FGbEAuqa+/v6f664tlVTwHGYF3AmTo0cuZyA
|
||||||
|
vjImiKQm0SHiuO7jZTKRg/3MKzDExfE+p9ZT2nHZr4M
|
||||||
|
-> ssh-ed25519 SqDBmA BGwTqAeEptBFRbwwVkHZWX+OKQpALqrPvA2+Cl356D4
|
||||||
|
Gg69WAtr+AAfYT1G+WcTSIlCbNqS5DyxsZw81DaBSkk
|
||||||
|
-> ssh-ed25519 UE6fcQ 4JZzLWThfgJQSNDDtDp8ayM7N9o5tQ6PVwKMj28inC8
|
||||||
|
RyEWRmMbuXezYZntsTdVIbjy/YEbrflqMpirdg08UVQ
|
||||||
|
-> ssh-ed25519 YFaxCg LTsikBkuBwOuc2qrnTAMVtRawZyBosZScefH8qWIqzQ
|
||||||
|
aLiVK7XFI8iDRTCGH2yJnUpydjTp7NF1Ygok6D2Fo44
|
||||||
|
-> ssh-ed25519 elCEeg TKQKeAvY3kn5IuvHoS0SWtX647nEn1txDftt7pPQEG8
|
||||||
|
OPAFqPGdSS3Ud+gFtMXG0shrXSmVrIBzvwc19Ac1NJQ
|
||||||
|
-> ssh-ed25519 8vZ9CQ NGLF9epPqcfbQWcbtMeYIcH0jAZMvO4P7UbKtl8lGRY
|
||||||
|
ZJ5afGOI32OYBpWs6pe15z2IB+5xgO04/OsKp6ixT5o
|
||||||
|
-> ssh-ed25519 rmrvjw tfgMxvtTE2vv2qQJtQk1J+YV2UC/2iZSs0nvbVzV1Hc
|
||||||
|
HW86DML/9MXoTs0WWn/zNi4Rh9SBhaHl2WC2bkiLbmw
|
||||||
|
--- Q4amxZgWmdHcf7aqav2TpKA8KX8B8ZHuBhzIcKwbFTs
|
||||||
|
E¾ã™r<0F><\Å?ë @î}ËkRÕ(ƒù;È^3P–ÐJäO“ãSÜ‹Ø â`¶¦ sb?9ø¢¯Âÿx$ñû/<2F>ø~4ÊFŸv_¨þp4{5 GZ²f"’<<3C>x×"q‹ºbj¯:cTuWå>BͶ'<27>ã)/¥×]«ôÁÈëöà•wžÉK%þo B*&Þ׫{\ZŒ•pë£KöŒƒ³Î¯k}ÏåíßÔ}P=Œ¸û·?<õ¬ºyB…‡sbŠ„<C5A0>ÿѪ%â$¢#"
|
|
@ -1,18 +1,21 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 V1pwNA 4DenEF3jiCxCBa/F8ehgk13NlKvLzEfIxeQVTlMvM3Y
|
-> ssh-ed25519 V1pwNA +Ug8WtIQLZK1chInj0113Okqae8ImSdTvQYYDD558ig
|
||||||
czXCvVsOMZDmAzqxT6z0mCsGntVeLNAJX+IIz/5XS6Q
|
ao7w/Uow6sCtoqRDr3Y8NjuF6f9P62sKfx5+5+3yV8k
|
||||||
-> ssh-ed25519 4PzZog 1fBsKWaKTGW1gioyrDoRsCqFhGfIThj1cq3GaPDlIjs
|
-> ssh-ed25519 4PzZog KZwHoIkqMTVHcHma22+hG19oBgCNZ3zZ9fgs0i3NMx8
|
||||||
BFcSRxbrO3n91pEXNV7pInCRAH3W4NHFOYPDlvpPqkc
|
hxgtsHVx2KATvEQM790y7foAaWVBFnqXz72CovkbcyU
|
||||||
-> ssh-ed25519 5Nd93w 4vy51/o4XExQqMRP3DyeVK0GJO71jYCm17qH5tC230k
|
-> ssh-ed25519 dA0vRg QORz3gYpB5PiM5Dgm4s2JNyJSBFTzY15tlC0JNMtoTE
|
||||||
UgDrJ2xPGL0O16g+BFOw/kEso19lB3QD35vLhxmQ2h4
|
1AuUbuw4YSoyly/iHY2DGBOhRijWoXjsFfFM1pKKlUY
|
||||||
-> ssh-ed25519 q8eJgg tAGYnvVu5NAlrs9UoEIUb6H898V5y/st/lnGm3w2o1Q
|
-> ssh-ed25519 5Nd93w glPMyqAhDvJSOgief6VEWflVervhftUbNgnDOVtKX1I
|
||||||
SYK1mWCClDoK3dj2KYmicOLRvgDC0qdOmhE/AFFWa+s
|
xDSl0Oe0UPiWRnFythx/6ErNSy04paTWWKrlheEEzLo
|
||||||
-> ssh-ed25519 NtlN/A iXJJI8ILFcZvIPaHkWOYSUVwFJOEB5GPpZX/5EcWJlQ
|
-> ssh-ed25519 q8eJgg 4Xs8DKl5BV5E8oGE9MrhBanGuTltQZz3JsCI57UYwiU
|
||||||
XpiJUa+J2rjsAhhQT4szCwDMudGjuveslcsLs3wVSA4
|
c99NCU+f8vbvFq9T+P4Gi51ae5xygzuyLMFGf8px9CQ
|
||||||
-> ssh-ed25519 v2Y09A SkswYtVP5bn6FJZwL9AxxONpEyB44Oct+tz+eP4bUwE
|
-> ssh-ed25519 KVr8rw mPvw8t8On+jnc97m5f8x79Kcx9ZhHWyL/YW2zVllqUU
|
||||||
0rDV7iOQI7GAJ0VkqozwgA3guoCRvCb5e3lgPAmhlXo
|
X8CuzLbLfT6sDhZp4rGif9RDD0zHQzjEp+v5PHX2BAk
|
||||||
-> ~=-grease
|
-> ssh-ed25519 fia1eQ CRUdnRPTZQtB/YlTqGcghTUjUlN7avoJ3iip5rNgcEo
|
||||||
xBfYaHlWp09gHdR9CQ
|
IX1fAfmdteXLwXF7S4aFidVmzr7ClQE5Dlh5siyQZPM
|
||||||
--- wrlmOZpShrH1kgr4cDBNDjPk/zLA5Ro94cpUy06cH34
|
-> ssh-ed25519 NtlN/A BRTimkF1zqBp4N1cep8+Mzet7cX45ZHTz9NekWNaNTw
|
||||||
hsõIC
|
//1gIudKHmPM5A/1fJNPaQO5TqbZzV7FDFM8EhEFzIk
|
||||||
€s‡1¶…ßø5k|`3rˆUŠV»öÚ‹Œ†`vó©”ÿ¬{×¢1Õ´€ù˜¶Ç‹Hï¿ùÔ¡<C394>Ó¥Y+N‰ÒªÃs浓ÏC+„±&0"VØìyíjVù¤â <C3A2>Ï¿ªÿ¯ã“pܽ$Ÿ¢-8$@<40>Õ¥á{‰«ˆÇTF›ºFîñÒd|±
|
-> ssh-ed25519 v2Y09A U0jsaGMHVO2LpKActT5oYiJrbw6oLeSwzgzR7ufQpF8
|
||||||
|
CfB7xVWpyMHsRZbfwhtlBdZyUwAuLic9R0LBm6vXNUo
|
||||||
|
--- wiRWKVnnLoriKkk//al7FuIGYKru0nO1/XGhpz6yWls
|
||||||
|
§$r¶£üþlÁk=n†CxªgA3Ö•^%ÛõøÚÚ8ùs€±öúJº&<26><> -×Cå&Yõ(Íe(jðv€“ù¦Ž¥!¢ä€ ¤?å9^çU·¿ñ>fA¼ê(ŸÝò„Ó1Ûìæ#<23>\³0c"Zš†Íû³‰^œ4_ÌÜÙ&Zø»•ÏX°¯6+Fÿ<C383>
|
Binary file not shown.
BIN
secrets/forgejo/runners/ssh.age
Normal file
BIN
secrets/forgejo/runners/ssh.age
Normal file
Binary file not shown.
19
secrets/forgejo/runners/token.age
Normal file
19
secrets/forgejo/runners/token.age
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 V1pwNA 8acWnck16a9QK194orAzlQgQKINum/cyUzJqO6i0rkg
|
||||||
|
In2UpSbBR6QoTMTZR/GpZJN3x+5CK3hZcEvr5fORoOI
|
||||||
|
-> ssh-ed25519 4PzZog /YeuXUmWrWFohgOSEmUygaTax668bLZpYO2T7KXl8n8
|
||||||
|
mgnBBIsPycR6RMhLk4HQei5xQLzVHiBHaooOzZdb4YA
|
||||||
|
-> ssh-ed25519 dA0vRg DidrxIBYvAfPkwNzQXy2+f6inafUafoX8cfUChA7l2Q
|
||||||
|
/wfxyJAyrQ3Uycxwov+0b9pKKOxPP9mySRK5g4BzMnY
|
||||||
|
-> ssh-ed25519 5Nd93w i+oP7x/eHY/Roj4mdpOFHrBe5rxUL7/4617F4O3jPh8
|
||||||
|
yTVD0dR3ljoUSv1qyuKcOvr1fMRm9C8YAZKKjURtCPk
|
||||||
|
-> ssh-ed25519 q8eJgg Y0yxgrLm9/E8nYBg6Yvd0GPbY7PwCJCumQ9CtgWFxxo
|
||||||
|
9BfGPSP7pTTM8Dm9qXagKaw95hbqvvp7qsFkhQgQco4
|
||||||
|
-> ssh-ed25519 KVr8rw pXha2ebkoIFX9dMX3uRz+0rcbwcQ1mwPnLWp/wCzx10
|
||||||
|
BQQ77pXJl75c6myecmKlEpqHtWB/rSdG6Pwpbxzcfbk
|
||||||
|
-> ssh-ed25519 fia1eQ gCgas1CqGNZ7n09J7iXOvh2xeGgoszn36ABZwiskBBw
|
||||||
|
3a7WMN9aB6ZvwFyP98At9V9K99hD1vkvSJgnY16/JKY
|
||||||
|
-> ssh-ed25519 CqOTGQ DU1oon3RPo4MCdzigrM2+b3KnTzzTSG/WDSvtBaF1VE
|
||||||
|
zwKaQnXT004dMojYFXPz9UERL4ULe7mPZ+vwlZMxFvY
|
||||||
|
--- FWICxx8MWe7awI8P5t0XsbA4Ye0zbxCdMbapTs325HI
|
||||||
|
wûùÿŒ-”¥d!Ñ×=gŸ&ÜžH¬©ó?÷IçÛ’ÚᕪªêÏ<C3AA>Ò¢Ù„öLÒLË-<08>Ù¸ÏñU¿? )ûVýJæb®éÄÎC
|
Binary file not shown.
|
@ -1,16 +1,19 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 V1pwNA 82JAj5XsvsKT8sIuARe4FTmSiCygEhTive+jIJ7h/R8
|
-> ssh-ed25519 V1pwNA aYjPUkjZHoQm86XHx3VbGswLy6VdKNaaHe3f3CGa1ls
|
||||||
M3U8He0axy2HLdKnmKDyvilT99LQPEkw27FF2hUI3tI
|
HMuWoZj4tY/nWj1nrgOxob1hJJD/mPD3kQnDgJJafeI
|
||||||
-> ssh-ed25519 4PzZog c45jK9DTUO6sXTbhs8UrUjLIELIL8XVdYiOYZsR/4yY
|
-> ssh-ed25519 4PzZog GojGaXIg5RK7WjJSCZxJksXvsm9TZTlbHITuksMivBY
|
||||||
HS4ng3Sb4J0f9OYHZLmWHWS/c3uetn3w6HG80uZNdUY
|
4oAuKXtJ4ksvusFX3OM3VpdzfArrglxJTN8kCdhIjrU
|
||||||
-> ssh-ed25519 5Nd93w fBv3U1fx4kIQcPWAMl1xRUeIwiM1+0FpfhJZrHQMww4
|
-> ssh-ed25519 dA0vRg AzGx90D7iz93gHtSvV5oIbBkwgQEpVY7DTRQIZ16IiQ
|
||||||
8ANUGKVp5Tpq/wbIgXhpi5cPsxFALOuOsisMEN5A4j0
|
GlMsor4NxuhHs1HJg62O3ZtPF6CHHFc46din6fm89G8
|
||||||
-> ssh-ed25519 q8eJgg HTr8SCqna6YrbpdEWdXf3vcR/ohxQStlXabHjZN+zW8
|
-> ssh-ed25519 5Nd93w oAyaZjUSGC9moA7pLR4+dzoKAggFuKUNMnRbn/fm2FQ
|
||||||
vyoLfNsO0zW+S2+nIHfB1s8GaD/XjfqnPq/i3G4IJqs
|
eHa/2iLWrqv/pPXjgfxtk68MgBX6EYW1YWfs1kXkazU
|
||||||
-> ssh-ed25519 uZzB3g f6+fXpF/3aP36u+G1sDOhaQtdaWXwxoW2aWWC5E8X0Y
|
-> ssh-ed25519 q8eJgg xBdXNLjZqKi2o+cbCXGdOOSFnlfPgaxjQb+IK60MYHw
|
||||||
KRDi36ChFupksZMkxWEnUkaNBgZujYsXEhS7ngueo8E
|
dxV3kTuaJ1ANFgRaYchwAa0kjGZHZ3POc/Wrw/per+w
|
||||||
-> /Q|[]_7-grease WOAZ6f R~_\$m7
|
-> ssh-ed25519 KVr8rw TR3AjhWy5K1ntzMx3mZZZWGYi7EvcWiFpTHyU/+pV3Q
|
||||||
e0+qF+9VouiUjHXF8coBkESl7COpdlPlBQYamcTsTto6CgZUZkYqWQ
|
Y/xu0hrhaFZdO9YY8vINp3796HZ+LAL+QvBmIWmoS7A
|
||||||
--- n0CQNPMTO1iiR+zt+dDvj0FocVteXkclIlI0EXoKV7w
|
-> ssh-ed25519 fia1eQ zF6CArF4sVXzIRenfDq7WHz06WXFdo7vMgD15NI/sR4
|
||||||
OÐâr€é¥ÜP¼K]PK<>ðxò>ÿe3rðd™¹Éçž¿¢½÷ôÝÆÀŸÝ¦9d¾Ñ4¿G‚
cά<C38E>|T7gÕ7ßz
|
m3sGJNMtAeY/yIq+D2nNncGNxX+KKXt0wCO1WMZmSTI
|
||||||
P”¤º´ô‹ó02ïïÀb¶Ú<C2B6>„fäÇ,ÔÒ¨<C392>Ñâ2Åm
‰ŽÌz›^»]M$jùƒñÒi7uYŒØ_lNPuÌA%·<ô@Ž« €c„²ÿõ{7
|
-> ssh-ed25519 uZzB3g pTocgT3gT7VHD7BWt+rGRIqUZYuh2G+1VeTJxyb7Xxs
|
||||||
|
q5UYfrUVbgaqJCxWKegc0q0PvPR6AZ7AlI5ff4ePfjM
|
||||||
|
--- 9KS9xFBleYVsxyktikZ+TX9++1wqXmDBZxU3g7vwwLU
|
||||||
|
<{r<>U/˜½Œ°ßR¦*°Jd)¥<>“»,#ø9ns!LsÈW#_ÙwÒ<77>¤äÃéÐMÃM‰Ãýð8sÏØ]ß•üƒ—8ð3ˆ¤7@·YNØçXlÿ¸æÜ庚¾Il^0p"aºMf«¬çG SÂdBŸ/»sêéÌ×,¡4!ãÌ<C3A3>rPÖ¢Ñ-Cáòky‚<H˜ƒÆ ÞZì'
|
|
@ -1,17 +1,20 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 V1pwNA zbwJFS2QBIHZRiE4K5BdN7eGfbQlmRtLuLeoEpyFCFM
|
-> ssh-ed25519 V1pwNA RT5AJD4kBHmv0pPNB9TASl4j8h4cIS418P3V9rUUjWs
|
||||||
OndU3qfYY+iT/nYdOtas7p1dYi39xCUMb1Nj+YVJSJk
|
tupAAUlbIdszxHMO3T/LgFcl0LlyxnSmu2E7MWuCFDI
|
||||||
-> ssh-ed25519 4PzZog 5aTl6FlbnR1pZpULLw+jlNW0rowRIuyGO/96DXbxvD8
|
-> ssh-ed25519 4PzZog Vq8xPSUr64TjNwWY/5aV9tw2UqmCcflWphHQgl1qNmM
|
||||||
d8Yg+Qz65ovpmHTITfaNR1htvi1uHpgWD4pLNJSVMIE
|
WBWAJUfJ5+otsz5ubRqIMPvk5p0/h/yQhyg+sV41hBE
|
||||||
-> ssh-ed25519 5Nd93w hhQ2hSlt4zwb3Fd+yn5xf6n/AgYfKduNwfErOl1h0iI
|
-> ssh-ed25519 dA0vRg Hkzhdyy2NueyE6zrVxzkXvPBzPiczjCYsT63XpqcSHY
|
||||||
lLDJeVxVHXxDVitPEO1khWp/naBS01PRhghqdwGX7/o
|
bP2gd7I43q9vjKdyvrxddxxlG9b3mRq+NS8gC6NXc78
|
||||||
-> ssh-ed25519 q8eJgg 0685al0XDu1n4mW/V8XOissXUZpZWsRY2gwoPaDLx2w
|
-> ssh-ed25519 5Nd93w SLwM7TepNucy+RZJpEHm6ZffUInNzsNVqbqYz1QcGFo
|
||||||
Q4FBE0pRvOk46vPHurWEquxIVmUT8VNyoy1r6NE3po4
|
nnxkYPOQkHkDFIBOVoB0/96NblBpy3sBwSf4JHjQWMA
|
||||||
-> ssh-ed25519 uZzB3g J3o3a8ZacO5Da98//sQuBpIesKnRqMTX8sr0utvsllM
|
-> ssh-ed25519 q8eJgg GZpY0Ya99WQl+SaQ9+uROl00vRnQ7AKfAL7L/f2UEjc
|
||||||
PLRxThLCtvk5UStENFzLR1MwG4icX7skmA4SQrrhIiQ
|
Ylvcy7f/6whLkWW8a9V7cFHQynznmoiK59d1KouN+nA
|
||||||
-> mv-grease O \ Y.]cK_N
|
-> ssh-ed25519 KVr8rw dkq2lBd6MX7QwX7VLYoERu0TH1kl5mQps+oPtrwcUBc
|
||||||
LQ04Y00qPx5cYrRotw/pR9ROOBtKr9JdruuC0UbPcyTMXImMGmU5rboZ2u269aq7
|
gAdFa9ycxKUDErboYQRgIs1B6QK9ExWLkl6bzwHjOcE
|
||||||
6ik
|
-> ssh-ed25519 fia1eQ PBbnQ2fhPW2GB5y8DpYAu9Kugb3sdWb86h0bSYwXRzc
|
||||||
--- ObM3b2VMeI10gASzAkq/H7poz5NBh1eGAKq5EI2z2TA
|
1HVvMRgb7c9V53ApEasPXetfBvsz9GSArJOxGtRXbMM
|
||||||
&KË;îm#F·©ěX"HN•ZéŻ
|
-> ssh-ed25519 uZzB3g BMRR0RZLtsSAzI1EsQzeeLx1JyCZ7QzhnGvn255rlyk
|
||||||
Űy"Ń\%ĄíDşDw'Ü˝l«ň«p«Je¦Q©Jˇp¸îKínxÉćáśřĄá;“0ZňWÜlś±?őŚx‰ľ_h_w1§»îwďá|"şj]Zö>Č9]iłľNxmDťĽĂĐÍ<C490>mUr«xčZ_<*„ý4ů9´v¬0;Ö@Ôľűŕr
|
jPWO8HsZFX2TGtRbxwHV6x2OWwbCJb+sPl45f0mAHp0
|
||||||
|
--- J1ejh1XpuAwFhOdWUga4WiJzgFmFdAgLpp2pe0K7cnA
|
||||||
|
ÒEзP¯s¬*ãÇw´€Þ⎲[ ~Äž6H=].ú!C?‰#›$å5ëáóàAv<0C> øEïý§asöxKñ‚d ÉV’Ñ¿·ï¹DQ¼×²$Ü;µé-S;‡ƒ%0Òï<C392>ÍËEˆ•œÛ‚•ŠÿR0äô¢ø½<C3B8>)ÐFéˆÒ)¦§ãb<C3A3>¦ê1åD¸ è›
|
||||||
|
¡yʪ<ÙßñG®7Ð@åMú
|
Binary file not shown.
|
@ -1,17 +1,20 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 V1pwNA Hym08jdz0fAk4kfbwmNrYrzc6p/Kenkx2u1nUmiLsiA
|
-> ssh-ed25519 V1pwNA 28zceeGyLaA02L8gNeGtC4kaGMJYZ+ATchzxrI1idAQ
|
||||||
gCHJvbBXSp+KQz7/2V7CvKEyCanQAuF1NEFdZy/1YCE
|
G8mCYZvVdVL0ZLdhpsvjreLd7RfOe2iGdEkoVHTddl8
|
||||||
-> ssh-ed25519 4PzZog eZRTh03b4vYeFgXxlrBYlIiJhxOJ4l14Sj+DyAfryCo
|
-> ssh-ed25519 4PzZog 1Hb7J2Ya0UhC5A8zGDkI4WesR/LrQRrM7hNHtRvUYE4
|
||||||
zj/kPI+cZ1G4kuAFEhAY6wGPuugVivGsM9vNj3RYhCk
|
QhviN1YQ63yi32rd3dRX+wYfCjYET+XOq4eRR5nzKmE
|
||||||
-> ssh-ed25519 5Nd93w NhMYMSY9jCFHgiwUfiwrVykTUyqPvRgwz3ZruUk9VEg
|
-> ssh-ed25519 dA0vRg +GHqKkHt/WqrwaZo17FDEtgAOd+pGS4FKWJ8Cbfa/xE
|
||||||
ADo089uYJxxOXEkppmjQrI8NsLZi4RTk0aiR5wX1jjk
|
1PRGkDWtdFEYQB+0TziC7umhbRBt6PNNTI3YWNBj5Ew
|
||||||
-> ssh-ed25519 q8eJgg Fcy5/ngWteFDEDc71YCsQibn08zeorGMadUmEg2SPHk
|
-> ssh-ed25519 5Nd93w ebfKVKjzUnyRpNuV0M5vQ5GiU1r2/wQcEVJIyvoykz8
|
||||||
K21yelJUAHQFhwg7/k+1VoU+drNBR+gtM53T1GRZ9JQ
|
KxsegupR/9iIpSXrD1A6FCcSf5mEiVr7DQL2TUXhqaQ
|
||||||
-> ssh-ed25519 yvS9bw uYEhuPR9HEwPdPpIQENcwfv1sMx780daREkNBBzlOQk
|
-> ssh-ed25519 q8eJgg ul8MazD9isC+MPT1JEAnjL0dZ2r12WUyYwvgPi726j0
|
||||||
DBvCCCbcu5Qap0fjRRNQbWHm+/AkljiEUnqK6UJUS5c
|
5Csc4hiPxLaIYK6v+zRZPPctqsLMfJ4U8lKQS082viM
|
||||||
-> }Ac.6c-grease u'7G>w_6 "Q~=R
|
-> ssh-ed25519 KVr8rw keye4xiStda7ZUTSAFBFL170jR0b8E3Fj2WpEy66qVM
|
||||||
cGf5wLTJwI5rCzuPdjMzzlJit6mK3vVFBKnXV1iiItNG7LNAyP9NsgUrvj3cudke
|
Lxu15JXZWqommKNiqan2uXJj8hSnpBnbNka2rOtH5R8
|
||||||
cp7noppOtSk+N09mZBNEVOeLkae6Og
|
-> ssh-ed25519 fia1eQ bfJsTYdcsdTNqkLd3KKIoH9WqsdrAx3OWlk6wpqm/Sc
|
||||||
--- M8RKavL3FOtBhuVcCyrbykLVsFkN7MSku7yrUtA6Fu8
|
yXIhT4OX4iaLKttkOP5njFML8ZNCloz8H0pjzF64qWE
|
||||||
|
-> ssh-ed25519 CqOTGQ jx8KLE8ejaRLnhV48jRN4muKClVCiPzFE6ibHzVCayc
|
||||||
ÏRú6î<EFBFBD>ýñ<>Ó ^‰JXÐݲ{|¹bó]¬wìðŒ°°¾$~ýdœŠ8ö½á”Ž‹l¨+UèG×ã©súøñú;Ì\GÜÄÃV•<56>AM¢èpë Lɤ×ë±´¬3ÅhÎ2ÊÇ
dþæI'ïê©Ä*s^Ò
|
E3bBriDPT6FLdR8XoDLxkch0Pgroyfk5unZcQu50y9A
|
||||||
|
--- fj3blhJZXxvg8Ecvk5/e4+0Mg6gwRrWlhQ1z0aXExjY
|
||||||
|
4<EFBFBD>æâðJâ˜=ìÏØ/c<>î<EFBFBD>ª’B¶QáȇˆÃúd9«¶<>úúÐ<C3BA>ò»I¼¶¶eëÊ£†IæÌ<õ7VaL~Ÿ¡®âœ”r
|
||||||
|
ŸQ~<7E>Úæ,²anñIl°#NHdª^ª)\Ú<'šwScÏqzÝ
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1,15 +1,19 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 V1pwNA pHgtxpGfmBvYNwvFM/pXYzXeXQ+52trMIB/uAC5i4g8
|
-> ssh-ed25519 V1pwNA J3U7/2AXc6au88y6cZ1ottq7ZY/dU/N6xDg0LRPbXxo
|
||||||
HJ3p6wZ9J95UiRJ6Q2soNNlJnTG7KGMsnPwGsyVT19A
|
0haZ3EvhpeeeT0cISY6tjxcE6VpDJqGLX+68m071gn8
|
||||||
-> ssh-ed25519 4PzZog V3M3WeMD4mF3gabCDToU9R3eydxxEq/7mMtSQSO9mSg
|
-> ssh-ed25519 4PzZog oXXG203aCEltjB9FZx/H4W/QMPG1MiixW3a4nV1kPyg
|
||||||
/GOoWyEN5LUbw2MkYUxhDBnHaTBY6KBx2mV2B3rKGdI
|
WxUvEWcDF3XFP4YkXceRx00SWY7adxCZ2nmGsytBDEU
|
||||||
-> ssh-ed25519 5Nd93w k5yjgOyeQnc51NN6HXMyokfR9yU/ONKCoJ/3RBPfn10
|
-> ssh-ed25519 dA0vRg MTQucbTSFClxM1NM/LS0128AESkGjkVPOdpTsGbEEFM
|
||||||
DH4npc8GNl3AfWRsiqKu3kPfpZKxamqUgmjnKXsGgiA
|
X1xEivyUoxu/Par6uBXD37f0/GeXodHuagFqguuHQco
|
||||||
-> ssh-ed25519 q8eJgg 81lltYkEyM9WqSFNASOA/OdfBuZ0vRyICG9B9+6YdBE
|
-> ssh-ed25519 5Nd93w rZzdZrjSce5JhPTPPCzHJxKIUFcDJY9mccA6/QnCa3A
|
||||||
VHFm0DiOmDh+SJGhnuuwXobHxl6xC3mYOPu4DvxrGEQ
|
Wo+eoxbZZ3m82w5bywcvrpHxnyn8in6TDUb0oaglADo
|
||||||
-> ssh-ed25519 uZzB3g aysXj+Bgow4aTPxBtB3sazBvwc5V2dO/1i+ZyW2mqH4
|
-> ssh-ed25519 q8eJgg Xs7oARCYw4wmA9p1L36jRwp1r0KRZ9+XePaYIoQITRI
|
||||||
fbzuL1lXT8STLEXidyzPhoqkb53NMNBMzczr4FvhTlM
|
AWpIl5i7TjgJK2WPz3VZR0UVEeK0u77V6pTTRSgvGas
|
||||||
-> pgy-grease AS<jNLT
|
-> ssh-ed25519 KVr8rw 7viimD+3AhhCl+ORBApuvtnrjY2bNsEbUqGoM0R9q1g
|
||||||
LjHqAM3sepswVBIl0O+++Bqia2znH/2+BnBYd3eTM4FCG1IdyMRFFtM
|
vylA7Zx4eVkI4kg+lKx/D+Ro5Bbn2wWP36Hnxas7Z4I
|
||||||
--- ZAAqXOmA/JaqHCcaGJF3Aag0rUsRYqwLG986FS0oQGE
|
-> ssh-ed25519 fia1eQ LYO7HMLlyXRpJJJgJ1uyrYrsfdCbRYqxXgeBtTyrn2w
|
||||||
M@,4«<$iőżaÝ‘Đz<C490>)Ăž7<>*v 2$k›“Dă)c¦„e(±‰ÝĄÍqmą»`JGęăŰw›˝SŮ?ť@y·L•ă‰)ÜßŇž^Hń€‘—ö.˘jru¨G`zăłçy}ÉńžYÚÂĚËř[·ĎR-MĽ”Ů 4;CŢ˧AŰČň;Rv^‹á~=Zm ^ă]4Âčo:dď3
|
5oNtkzAoPWg1JY9aoXVYWByCMqEuQ1QDs7Jw6/VEEiw
|
||||||
|
-> ssh-ed25519 uZzB3g GKbJ3OU6hN4u0hS+601Hau09sq6q5ZCNwlFJhVeEEiM
|
||||||
|
LcN5eHSOgEFxR2rmC10RkHMllbQW9ZDARUG+9XeX24E
|
||||||
|
--- siGgnCjaHw6TOAYR4mjwfLjtQRxFjnjGN2/MRAkIdeY
|
||||||
|
<EFBFBD>}+3'ýY†[/*û†ÒÉo¿Ìãcbyê<79>û RÃ!¤ŽS\ÿ‡@N4‰®æPŒ=`N7<µ‚àa‹ãbšÑ²ÛUN7Ã9 dµ%~òæ{Çý éñºJ¾›ú`ÉH|™È,îë[·»4Êb¿=œ“ÿûÒF‘ÁI¹ímÀëbM„’Û¥4Ùšnz-<2D>9‹£OIu„µFó
|
19
secrets/grafana/pw.age
Normal file
19
secrets/grafana/pw.age
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> ssh-ed25519 V1pwNA Je94T4psgEbYV6YBZ2BSQ4JZbKubHtPEKNuVjL9CaSk
|
||||||
|
Fp8uHwymTnjkFQBfezrFj2ycXsYrnqqW2+KeKfsjONY
|
||||||
|
-> ssh-ed25519 4PzZog paDltxaTs3odGMIkWFMuTfe+LnO2RqvRTqAi7pK8EB0
|
||||||
|
+ZtGVOK71gSGzgY6nSlDT32Q6IQFFvZd8xMp42GD/xg
|
||||||
|
-> ssh-ed25519 dA0vRg 2ZGLw9dW0qbzkJb+M1DhhEaW19VaPdgy9YvzxeEuZzw
|
||||||
|
Gycx9hEatq1jOQpE7EqF4G8y3+XvRnIC8oNK3hJmOzw
|
||||||
|
-> ssh-ed25519 5Nd93w uyUnDy48bjq4cfG/HfIF57bnCxNGSFze18MTW2XmDmc
|
||||||
|
TWCJRIC3J9KyjbCaM/WmCoD0x2MtrGGKVgHCA/TBe0I
|
||||||
|
-> ssh-ed25519 q8eJgg qPb7JIMkwOWIWw4yIhQku0u6d09QqFKtOXx1gC3XowA
|
||||||
|
8+YLpW8xzEzq02zKFhlbjOggEWfMZ6j2G5RGIq/TE/o
|
||||||
|
-> ssh-ed25519 KVr8rw zcZRh0qTa55ENUWXRIPk/kAv3tKB0+anEQ+IuEhsFjY
|
||||||
|
8oN0U8jD1BA07XOS4idvHgu8LA7/E5aciLZOshsZJJY
|
||||||
|
-> ssh-ed25519 fia1eQ gkdxv6Uda41PT9GhALDwPCfzzSiCDWluZG5m3WRwKAQ
|
||||||
|
5YSmnIYFXmBgTur0Z7PcLOT9ANvLJgIech5gp4Pqwjk
|
||||||
|
-> ssh-ed25519 rmrvjw H0ZmvmeUIpb4ZAUvh+7k47mUmZidcsKxDHC2oC/100A
|
||||||
|
IjYufbdJxMMANqicCHQQAU0Vh/NvROfCfaxJBM3rai8
|
||||||
|
--- TrZyyHaK0o4ot71wVxZzBT+3mVrVUQ3jKv6FuWNO4Mc
|
||||||
|
R3±g”GÛVðgñX3cÅœëñÕPÌ\Úy’‹gûqÐqÒ·"KO(ôÜ.ý©
÷8Í·&Ò3Äpëù‹)‡‹4:MRS¦³pK
|
Binary file not shown.
Binary file not shown.
|
@ -1,15 +1,20 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 V1pwNA DqbnodZkTmARvGsqUcwZJ6Z6dRJw+Pc/u/OyvLUXNlI
|
-> ssh-ed25519 V1pwNA wC7Nch41YKEjrwpf/sDR+SUWKm1porqP2DyQhz/MLh0
|
||||||
ra9Q9EprYEJELcQi7yS/2+AvyrEDehZ2XjIE4SD3K4Q
|
Mu8NGcxWphZZLgb0F7h10EJGCPiontn6y2lWNSldNGw
|
||||||
-> ssh-ed25519 4PzZog 1bLboYJt4kTh2oYIkPtBWOKyCdQQYY7Z/NMhdWRr7Bg
|
-> ssh-ed25519 4PzZog 6H6fsEDq6xiIkmIy6gUUGL+Mm03HSEaSGnjel3EO8EU
|
||||||
XYX6Sj2dfHJdVr52vy7F5SLNudmPw0l+qX4VXkxo5Zw
|
xzqv1RZijhQqeiWIFq7ReVzh2JLtBoo9HmZJ1VXrMPU
|
||||||
-> ssh-ed25519 5Nd93w 1V+Zb7AmYGLbBnMLy/yEuC+vUdWq8no/X6j+7Zykbw0
|
-> ssh-ed25519 dA0vRg UC9Vm0pLH8N9XGxKAZ/3Efe/9SRvx/rlxCYx0u5oljg
|
||||||
Cu9av/RkbqGfE31UO1HobDcemy0C52WYt3F3ZJuPD0c
|
gF4IFYdCIXfvPPrOsJFvGMf1PzrSyureKpOP66ZHB1Q
|
||||||
-> ssh-ed25519 q8eJgg JkrqxwHOf7vch7sa5iERrPS6GtH7SOz6vkiJZ9iejhM
|
-> ssh-ed25519 5Nd93w 338ts/scFEwjZ+3f4Vcd8C9Q//E/ZGoSxIutAxKgpAo
|
||||||
G0OBTxAN1Ip3vv5loXQPejnv25tK6Xu6xNqYIBQch0Y
|
C0vs3fiisD9FsZ8gYJZj/I81mT3Psw3g1jN5ztyuDQ4
|
||||||
-> ssh-ed25519 YFaxCg ZjtuzeSNBZLGykOpsyxmeRLF8GE2eIhZBhn84bN8X08
|
-> ssh-ed25519 q8eJgg eIHEYfE/50IRNy+gnNmqQD4jtVgJRla4ilAQp2gYfjE
|
||||||
WXQsIs4Are7WVJhkDafrMm+FwyWfWTOHR6JYUg7nzPY
|
bFNJA6KPlBiZWrB5vjyTilXC+rkW+xqVSWcvHln9H/8
|
||||||
-> O1CHe-grease <`%L
|
-> ssh-ed25519 KVr8rw Kq/0pxm2r136ezrKRugC1So2cIIx2VTShPv6WTc6m1E
|
||||||
yfN8CioGGgvdsecROJgtsRw1BVyHtPcNgKMk1bGsNry37eY0/8PIQA
|
W7VrsPf9jkkxqndVjrFuGBwqJR3v4hwig7Fed9xJSAI
|
||||||
--- jVQDWIOkjduvoYdMFhEl2Y8do4IsplwELZ1N1dlEv2E
|
-> ssh-ed25519 fia1eQ 1sA1YfEKVatTzHV5Wd/tzqwRiIPUBQlfoKZkJpxRYig
|
||||||
3ê‘ЈØ>p¢ÿN0À‘ô¯‹<C2AF>jˆÚ{<7B>Ò qLÔÔÜ;{× {¼±‚%OJ›Á€‚â_“ά’í3N†R#‹ì4® í
|
lLtPzvg8H0y+FpfGfF/Q5g1nCap1TgW2wipIKU+Q+WA
|
||||||
|
-> ssh-ed25519 YFaxCg zUYYpsC6BXvPRcIignITwUmvBhfhy9EnxFeCFg1niQk
|
||||||
|
QcmAhpDajw2lJyttDX9kn+0bdugmYYifSl1esaa3xpU
|
||||||
|
--- 0sQ4g4YxMBe/VBe39F9ZfwVh9XEOHYHqgiX5oakBzPU
|
||||||
|
¦cò±hðWÚp@å
‘
"L·<4C>åÒ[)’ØtŠ¼/<2F>+”MyÍä¾ò'
|
||||||
|
‘8K¼ƒ[©m›}·qÿÈ1«{²µ¯]·OS%ᙯ>»
|
|
@ -1,14 +1,20 @@
|
||||||
let
|
let
|
||||||
admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin";
|
admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin";
|
||||||
silver_laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWfVKls31yK1aZeAu5mCE+xycI9Kt3Xoj+gfvEonDg NixOS Laptop";
|
silver_laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWfVKls31yK1aZeAu5mCE+xycI9Kt3Xoj+gfvEonDg silver@helios";
|
||||||
|
silver_laptop_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOmm4CCnpT+tF7vecSrku0+7aDA1z3pQ+PDqZvoCynCR silver@aether";
|
||||||
silver_desktop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico Desktop";
|
silver_desktop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico Desktop";
|
||||||
thenobrainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer";
|
thenobrainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer";
|
||||||
|
eliza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJaVEGPDxG/0gbYJovPB+tiODgBDUABlgc1OokmF3WA eliza-skynet";
|
||||||
|
esy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINS2UR/o+nK8lNHHTj5I84ZAAp6P+ZhXqhedMfx0KHE4 <Skynet>";
|
||||||
|
|
||||||
users = [
|
users = [
|
||||||
admin
|
admin
|
||||||
silver_laptop
|
silver_laptop
|
||||||
|
silver_laptop_2
|
||||||
silver_desktop
|
silver_desktop
|
||||||
thenobrainer
|
thenobrainer
|
||||||
|
eliza
|
||||||
|
esy
|
||||||
];
|
];
|
||||||
|
|
||||||
agentjones = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHOxA3uYcqS5gTrG1hS8XXwehzQYAI2I4iULtU8cXft root@agentjones";
|
agentjones = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHOxA3uYcqS5gTrG1hS8XXwehzQYAI2I4iULtU8cXft root@agentjones";
|
||||||
|
@ -17,7 +23,7 @@ let
|
||||||
galatea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3Mke5YtaMkLvXJxJ3y7YAIEBesoJk3qJyJsnoLUWgW root@galatea";
|
galatea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3Mke5YtaMkLvXJxJ3y7YAIEBesoJk3qJyJsnoLUWgW root@galatea";
|
||||||
optimus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqYbbWy3WWtxvD96Hx+RfTx7fJPPirIEa5bOvUILi9r root@optimus";
|
optimus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqYbbWy3WWtxvD96Hx+RfTx7fJPPirIEa5bOvUILi9r root@optimus";
|
||||||
glados = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6go7ScvOga9vYqC5HglPfh2Nu8wQTpEKpvIZuMAZom root@glados";
|
glados = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6go7ScvOga9vYqC5HglPfh2Nu8wQTpEKpvIZuMAZom root@glados";
|
||||||
wheatly = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEehcrWqZbTr4+do1ONE9Il/SayP0xXMvhozm845tonN root@wheatly";
|
wheatly = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPlgCGtyvd3xwYg9ZNyjTJNB/LvUSJO01SzN8PGcDLP root@wheatly";
|
||||||
kitt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPble6JA2O/Wwv0Fztl/kiV0qj+QMjS+jTTj1Sz8k9xK root@kitt";
|
kitt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPble6JA2O/Wwv0Fztl/kiV0qj+QMjS+jTTj1Sz8k9xK root@kitt";
|
||||||
gir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINL2qk/e0QBqpTQ2xDjF7Cv4c92jJ53jW2fuu88hAF/u root@gir";
|
gir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINL2qk/e0QBqpTQ2xDjF7Cv4c92jJ53jW2fuu88hAF/u root@gir";
|
||||||
neuromancer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFAs6lBJSUBRhtZO3zGKhEIlWvqnHFGAQuQ//9FdAn6 root@neuromancer";
|
neuromancer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFAs6lBJSUBRhtZO3zGKhEIlWvqnHFGAQuQ//9FdAn6 root@neuromancer";
|
||||||
|
@ -25,6 +31,8 @@ let
|
||||||
earth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMpvgQcvK7iAm0QrIp5qSvUJzDhOrSBN9MJn9JUSI31I root@earth";
|
earth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMpvgQcvK7iAm0QrIp5qSvUJzDhOrSBN9MJn9JUSI31I root@earth";
|
||||||
cadie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACcwg27wzzFVvzuTytcnzRmCfGkhULwlHJA/3BeVtgf root@cadie";
|
cadie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACcwg27wzzFVvzuTytcnzRmCfGkhULwlHJA/3BeVtgf root@cadie";
|
||||||
marvin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAme2vuVpGYX4La/JtXm3zunsWNDP+SlGmBk/pWmYkH root@marvin";
|
marvin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAme2vuVpGYX4La/JtXm3zunsWNDP+SlGmBk/pWmYkH root@marvin";
|
||||||
|
calculon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsmeBfh4Jw2GOL7Iyswzn4TVNzalDbxDgh7WuQotFxR root@calculon";
|
||||||
|
ariia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA4kV6W1/tP/nf2ZWNhRoV1mK04R4pS+c5vdsA1n5gpN root@ariia";
|
||||||
|
|
||||||
systems = [
|
systems = [
|
||||||
agentjones
|
agentjones
|
||||||
|
@ -41,6 +49,8 @@ let
|
||||||
earth
|
earth
|
||||||
cadie
|
cadie
|
||||||
marvin
|
marvin
|
||||||
|
calculon
|
||||||
|
ariia
|
||||||
];
|
];
|
||||||
|
|
||||||
dns = [
|
dns = [
|
||||||
|
@ -67,6 +77,10 @@ let
|
||||||
wheatly
|
wheatly
|
||||||
];
|
];
|
||||||
|
|
||||||
|
grafana = [
|
||||||
|
ariia
|
||||||
|
];
|
||||||
|
|
||||||
# these need dns stuff
|
# these need dns stuff
|
||||||
webservers =
|
webservers =
|
||||||
[
|
[
|
||||||
|
@ -78,6 +92,10 @@ let
|
||||||
skynet
|
skynet
|
||||||
# our offical server
|
# our offical server
|
||||||
earth
|
earth
|
||||||
|
|
||||||
|
# nix
|
||||||
|
|
||||||
|
calculon
|
||||||
]
|
]
|
||||||
# ldap servers are web facing
|
# ldap servers are web facing
|
||||||
++ ldap
|
++ ldap
|
||||||
|
@ -102,7 +120,7 @@ let
|
||||||
in {
|
in {
|
||||||
# nix run github:ryantm/agenix -- -e secret1.age
|
# nix run github:ryantm/agenix -- -e secret1.age
|
||||||
|
|
||||||
"dns_certs.secret.age".publicKeys = users ++ webservers;
|
"dns_certs.secret.age".publicKeys = users ++ systems;
|
||||||
"dns_dnskeys.conf.age".publicKeys = users ++ dns;
|
"dns_dnskeys.conf.age".publicKeys = users ++ dns;
|
||||||
|
|
||||||
"stream_ulfm.age".publicKeys = users ++ [galatea];
|
"stream_ulfm.age".publicKeys = users ++ [galatea];
|
||||||
|
@ -118,6 +136,9 @@ in {
|
||||||
"gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
|
"gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
|
||||||
"gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
|
"gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
|
||||||
|
|
||||||
|
"forgejo/runners/token.age".publicKeys = users ++ gitlab_runners;
|
||||||
|
"forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners;
|
||||||
|
|
||||||
# for ldap
|
# for ldap
|
||||||
"ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden;
|
"ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden;
|
||||||
# for use connectring to teh ldap
|
# for use connectring to teh ldap
|
||||||
|
@ -128,7 +149,6 @@ in {
|
||||||
"backup/restic_pw.age".publicKeys = users ++ restic;
|
"backup/restic_pw.age".publicKeys = users ++ restic;
|
||||||
|
|
||||||
# discord bot and discord
|
# discord bot and discord
|
||||||
"discord/ldap.age".publicKeys = users ++ ldap ++ discord;
|
|
||||||
"discord/token.age".publicKeys = users ++ discord;
|
"discord/token.age".publicKeys = users ++ discord;
|
||||||
|
|
||||||
# email stuff
|
# email stuff
|
||||||
|
@ -144,4 +164,7 @@ in {
|
||||||
"bitwarden/id.age".publicKeys = users ++ bitwarden;
|
"bitwarden/id.age".publicKeys = users ++ bitwarden;
|
||||||
"bitwarden/secret.age".publicKeys = users ++ bitwarden;
|
"bitwarden/secret.age".publicKeys = users ++ bitwarden;
|
||||||
"bitwarden/details.age".publicKeys = users ++ bitwarden;
|
"bitwarden/details.age".publicKeys = users ++ bitwarden;
|
||||||
|
|
||||||
|
# grafana
|
||||||
|
"grafana/pw.age".publicKeys = users ++ grafana;
|
||||||
}
|
}
|
||||||
|
|
Binary file not shown.
Binary file not shown.
Loading…
Reference in a new issue