diff --git a/.forgejo/workflows/deploy.yaml b/.forgejo/workflows/deploy.yaml deleted file mode 100644 index b3f6453..0000000 --- a/.forgejo/workflows/deploy.yaml +++ /dev/null @@ -1,59 +0,0 @@ -name: Build_Deploy - -on: - workflow_run: - workflows: [ "Update_Flake" ] - types: - - completed - push: - branches: - - 'main' - paths: - - applications/**/* - - machines/**/* - - secrets/**/* - - flake.* - - config/**/* - - .forgejo/**/* - -jobs: - linter: - runs-on: nix - steps: - - uses: actions/checkout@v4 - - run: nix fmt -- --check . - - run: nix --version - - #if: github.repository == 'Skynet/nixos' - build: - runs-on: nix - steps: - - uses: actions/checkout@v4 - - run: nix develop -v -# - name: Archive Test Results -# if: always() -# run: sleep 100m -# - run: colmena build -v --on @active-dns -# - run: colmena build -v --on @active-core -# - run: colmena build -v --on @active -# - run: colmena build -v --on @active-ext -# - run: colmena build -v --on @active-git - - deploy_dns: - runs-on: nix - needs: [ linter, build ] - steps: - - uses: actions/checkout@v4 - - run: colmena apply -v --on @active-dns --show-trace - shell: bash - - deploy_active: - strategy: - matrix: - batch: [ active-core, active, active-ext ] - runs-on: nix - needs: [ deploy_dns ] - steps: - - uses: actions/checkout@v4 - - run: colmena apply -v --on @${{ matrix.batch }} --show-trace - shell: bash \ No newline at end of file diff --git a/.forgejo/workflows/deploy_forgejo.yaml b/.forgejo/workflows/deploy_forgejo.yaml deleted file mode 100644 index 0fee7f9..0000000 --- a/.forgejo/workflows/deploy_forgejo.yaml +++ /dev/null @@ -1,12 +0,0 @@ -name: Update_Forgejo - -on: - workflow_dispatch: - -jobs: - deploy: - runs-on: nix - steps: - - uses: actions/checkout@v4 - - run: colmena apply -v --on @active-git --show-trace - shell: bash \ No newline at end of file diff --git a/.forgejo/workflows/update_input.yaml b/.forgejo/workflows/update_input.yaml deleted file mode 100644 index 8e13da6..0000000 
--- a/.forgejo/workflows/update_input.yaml +++ /dev/null @@ -1,31 +0,0 @@ -name: Update_Flake - -run-name: "[Update Flake] ${{ inputs.input_to_update }}" - -on: - workflow_dispatch: - inputs: - input_to_update: - description: 'Flake input to update' - required: false - type: string - -jobs: - update: - runs-on: nix - - permissions: - # Give the default GITHUB_TOKEN write permission to commit and push the - # added or changed files to the repository. - contents: write - - steps: - - uses: actions/checkout@v4 - with: - ref: ${{ github.head_ref }} - token: ${{ secrets.PIPELINE_TOKEN }} - - run: nix flake update ${{ inputs.input_to_update }} - shell: bash - - uses: https://github.com/stefanzweifel/git-auto-commit-action@v5 - with: - commit_message: "Updated flake for ${{ inputs.input_to_update }}" \ No newline at end of file diff --git a/.forgejo/workflows/update_websites.yaml b/.forgejo/workflows/update_websites.yaml deleted file mode 100644 index c27629e..0000000 --- a/.forgejo/workflows/update_websites.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# The websites can sometimes cause issues when being built and deployed -# This pipeline is to update the inputs from the server - -name: Update_Flake_Websites - -run-name: "[Update Flake Websites]" - -on: - workflow_dispatch: - -jobs: - update: - runs-on: nix - - permissions: - # Give the default GITHUB_TOKEN write permission to commit and push the - # added or changed files to the repository. - contents: write - - steps: - - uses: actions/checkout@v4 - with: - ref: ${{ github.head_ref }} - token: ${{ secrets.PIPELINE_TOKEN }} - - run: nix flake update skynet_website_2003 - shell: bash - - run: nix flake update skynet_website_2006 - shell: bash - - run: nix flake update skynet_website_2016 - shell: bash - - run: nix flake update skynet_website_2021 - shell: bash - - run: nix flake update skynet_website_2023 - shell: bash - - run: nix flake update skynet_website_2024 - shell: bash - - run: nix flake update skynet_website - shell: bash - - uses: https://github.com/stefanzweifel/git-auto-commit-action@v5 - with: - commit_message: "Updated flake for Websites" \ No newline at end of file diff --git a/.gitignore b/.gitignore index 3e54b4d..4a79ea1 100644 --- a/.gitignore +++ b/.gitignore @@ -4,10 +4,6 @@ # Microsoft office Lockfiles ~$* *.tmp -tmp - -# open office tmp lockfiles -.~lock.* # Test files test.* @@ -26,8 +22,3 @@ test.* # Dealing with Mac users .DS_Store - -# nixos stuff -result -/result -.gcroots diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8b6254c..6799ed8 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,7 +1,7 @@ # borrowed from https://gitlab.com/nix17/nixos-config/-/blob/main/.gitlab-ci.yml stages: - - misc + - flake - test - deploy - deploy_gitlab @@ -11,7 +11,7 @@ stages: # $PACKAGE_NAME = name of the flake that needs to be updated # $UPDATE_FLAKE = flag to update the flake update: - stage: misc + stage: flake tags: - nix # from https://forum.gitlab.com/t/git-push-from-inside-a-gitlab-runner/30554/5 
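Review bot: The second .gitignore hunk (`@@ -26,8 +22,3 @@`) drops `result`, `/result` and `.gcroots` from the ignore list while the repository is still a Nix flake that CI builds, so the `result` symlink that `nix build` writes into the checkout is no longer ignored and will appear as untracked in every working copy, where an unqualified `git add` can stage it. Nothing elsewhere in the commit replaces the rule. Keep the stanza on the new side: `# nixos stuff`, `result`, `.gcroots`.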
@@ -30,7 +30,7 @@ update: # the part that updates the flake - nix --experimental-features 'nix-command flakes' flake lock --update-input $PACKAGE_NAME - git add flake.lock - - git commit -m "Updated flake for $PACKAGE_NAME" || echo "No changes, nothing to commit" + - git commit -m "[skip ci] Updated flake for $PACKAGE_NAME" || echo "No changes, nothing to commit" # we have a custom domain - git remote rm origin && git remote add origin ssh://git@gitlab.skynet.ie:2222/compsoc1/skynet/nixos.git - git push origin HEAD:$CI_COMMIT_REF_NAME @@ -40,24 +40,11 @@ update: variables: - $UPDATE_FLAKE == "yes" -sync_repos: - stage: misc - image: registry.gitlab.com/gitlab-ci-utils/curl-jq:2.0.0 - script: - - cd sync - - chmod +x ./sync.sh - - ./sync.sh - rules: - - if: $UPDATE_FLAKE == "yes" - when: never - - if: '$CI_PROJECT_NAMESPACE == "compsoc1/skynet" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' - changes: - - sync/repos.csv - .scripts_base: &scripts_base # load nix environment + - git pull origin $CI_COMMIT_REF_NAME - . "$HOME/.nix-profile/etc/profile.d/nix.sh" - - nix --extra-experimental-features 'nix-command flakes' profile install nixpkgs#colmena + - nix-env -if https://github.com/zhaofengli/colmena/tarball/v0.4.0 .scripts_deploy: &scripts_deploy # setup ssh key 
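Review bot: `nix-env -if https://github.com/zhaofengli/colmena/tarball/v0.4.0` in `.scripts_base` installs the deployment tool from a tag tarball with no content hash, so the pipeline trusts whatever that URL serves at job time, whereas `nixpkgs#colmena` on the old side was pinned through flake.lock. Pin an immutable revision instead, e.g. `- nix --extra-experimental-features 'nix-command flakes' profile install github:zhaofengli/colmena/<pinned-commit-rev>` (placeholder for the commit behind v0.4.0), or make colmena a flake input. The added `- git pull origin $CI_COMMIT_REF_NAME` also moves the tree past `$CI_COMMIT_SHA`, so the build and deploy jobs act on the branch head at run time rather than the commit the pipeline reports; if that is meant to pick up the `update` job's `[skip ci]` commit, a comment saying so would help, and since the runner's checkout is presumably a detached HEAD, confirm that `git pull` merging into it is the intended effect.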
@@ -66,65 +53,34 @@ sync_repos: - mkdir -p ~/.ssh - chmod 700 ~/.ssh -.scripts_cache: &scripts_cache - - nix --extra-experimental-features 'nix-command flakes' profile install nixpkgs#attic-client - - attic login skynet https://nix-cache.skynet.ie/ $CACHE_KEY - - attic use skynet-cache - # add any new items to the cache - - attic watch-store skynet-cache & - # every commit on main will build and deploy .build_template: &builder tags: - nix before_script: - *scripts_base - - *scripts_cache - rules: - - if: $UPDATE_FLAKE == "yes" - when: never - - changes: + only: + changes: - applications/**/* - machines/**/* - secrets/**/* - flake.* - .gitlab-ci.yml - - config/**/* # deploy items only run on main .deploy_template: &deployment before_script: - *scripts_deploy - *scripts_base - - *scripts_cache - rules: - - if: $UPDATE_FLAKE == "yes" - when: never - - if: '$CI_PROJECT_NAMESPACE == "compsoc1/skynet" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' - changes: - - flake.nix - - flake.lock - - applications/**/* - - machines/**/* - - secrets/**/* - - config/**/* - -linter: - <<: *builder - stage: test - script: - - nix --extra-experimental-features 'nix-command flakes' fmt -- --check . + only: + refs: + - main build: <<: *builder stage: test script: - - nix --extra-experimental-features 'nix-command flakes' develop - - colmena build -v --on @active-dns - - colmena build -v --on @active-core - - colmena build -v --on @active - - colmena build -v --on @active-ext - - colmena build -v --on @active-git + - colmena build # dns always has to be deployed first deploy_dns: @@ -132,7 +88,7 @@ deploy_dns: <<: *deployment stage: deploy script: - - colmena apply -v --on @active-dns + - colmena apply --on @active-dns deploy_core: <<: *builder @@ -141,7 +97,7 @@ deploy_core: needs: - deploy_dns script: - - colmena apply -v --on @active-core + - colmena apply --on @active-core deploy_active: <<: *builder 
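Review bot: `.deploy_template`'s `only: refs: - main` keeps only the branch-name test; the `rules` it replaces also required `$CI_PROJECT_NAMESPACE == "compsoc1/skynet"` and excluded `$UPDATE_FLAKE == "yes"`, so a pipeline run on main with `UPDATE_FLAKE=yes` now executes the deploy jobs (which receive the SSH key via `*scripts_deploy`) alongside `update`, and any project whose branch is named `main` satisfies the filter. GitLab documents `only`/`except` as no longer actively developed in favour of `rules`, so restoring the conditions as a `rules:` block is the cleaner fix; `.build_template` has the same `$UPDATE_FLAKE` gap with its `only: changes:`. The `build` job now runs a bare `colmena build` over every node instead of the per-group builds, which is fine but hides which group failed — a comment saying that is deliberate would help.
```yaml
.deploy_template: &deployment
  # … unchanged: before_script …
  rules:
    - if: $UPDATE_FLAKE == "yes"
      when: never
    - if: '$CI_PROJECT_NAMESPACE == "compsoc1/skynet" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
```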
@@ -150,22 +106,12 @@ deploy_active: needs: - deploy_dns script: - - colmena apply -v --on @active - -# this is just skynet server -deploy_ext: - <<: *builder - <<: *deployment - stage: deploy - needs: - - deploy_dns - script: - - colmena apply -v --on @active-ext + - colmena apply --on @active deploy_gitlab: <<: *builder <<: *deployment stage: deploy_gitlab script: - - colmena apply -v --on @active-git - when: manual + - colmena apply --on @active-gitlab + when: manual \ No newline at end of file diff --git a/.mailmap b/.mailmap deleted file mode 100644 index 1aaf5b3..0000000 --- a/.mailmap +++ /dev/null @@ -1 +0,0 @@ -Brendan Golden \ No newline at end of file diff --git a/ITD/Firewall_Rules.csv b/ITD/Firewall_Rules.csv deleted file mode 100644 index ebc5333..0000000 --- a/ITD/Firewall_Rules.csv +++ /dev/null 
@@ -1,49 +0,0 @@ -Rule,Action,Ticket,Status,Source_IP,Source_Server,Destination_IP,Destination_Server,Port_TCP,Port_UDP,Notes -SKYNET_FIREWALL_00000,Add,,Complete,VPN,-,93.1.99.71 - 193.1.99.126,All,22,-,sftp/ssh required from vpn to servers for admins -SKYNET_FIREWALL_00001,Add,,Complete,All,-,193.1.99.109,SKYNET00004,-,53,Nameserver for skynet.ie -SKYNET_FIREWALL_00002,Add,,Complete,All,-,193.1.99.111,SKYNET00005,"80, 443, 8000",-,"ULFM, http(s) for internet streaming, 8000 for connecting to the server." -SKYNET_FIREWALL_00003,Add,,Complete,All,-,193.1.99.112,SKYNET00006,"80, 443, 25565",-,"Games host, Minecraft uses 25565 (will have more ports in the future)" -SKYNET_FIREWALL_00004,Add,,Complete,All,-,193.1.99.120,SKYNET00002,-,53,Nameserver for skynet.ie -SKYNET_FIREWALL_00005,Add,i23-01-19_681,Complete,193.1.99.72,SKYNET00001,All,-,-,-,Allow outbound access -SKYNET_FIREWALL_00006,Add,i23-01-19_681,Complete,193.1.99.75,SKYNET00008,All,-,-,-,Allow outbound access -SKYNET_FIREWALL_00007,Add,i23-01-19_681,Complete,193.1.99.109,SKYNET00004,All,-,-,-,Allow outbound access -SKYNET_FIREWALL_00008,Add,i23-01-19_681,Complete,193.1.99.111,SKYNET00005,All,-,-,-,Allow outbound access -SKYNET_FIREWALL_00009,Add,i23-01-19_681,Complete,193.1.99.112,SKYNET00006,All,-,-,-,Allow outbound access -SKYNET_FIREWALL_00010,Add,i23-01-19_681,Complete,193.1.99.120,SKYNET00002,All,-,-,-,Allow outbound access -SKYNET_FIREWALL_00011,Add,i23-05-18_249,Complete,All,-,193.1.99.75,SKYNET00008,"80, 443",-,For gitlab Access -SKYNET_FIREWALL_00012,Add,i23-05-18_249,Complete,193.1.99.72 - 193.1.99.126,-,All,-,-,-,"I would also like to extend the outbound access to cover our entire range (193.1.99.72 to 193.1.99.126) to allow for setup for more servers on those ip's (need to download updates and packages). -I have a few servers I plan to setup over the next two weeks, one after another as the later ones depend on earlier ones. 
-In such a case asking for permission for each individual IP would induce several tickets and a few weeks of paperwork going through change control. -Only a few of these sevices will need inbound ports opened on ITD's firewall, which can be requested when the systems are up, running and secured." -SKYNET_FIREWALL_00013,Add,i23-05-18_249,Complete,All,-,193.1.99.76,SKYNET00009,"143, 993, 587, 465",-,Email Server -SKYNET_FIREWALL_00014,Add,i23-06-19_525,Complete,All,-,193.1.99.76,SKYNET00009,"80, 443, 25",-,"Mailserver here, SPF, DKIM and DMARC are all set up" -SKYNET_FIREWALL_00015,Add,i23-06-19_525,Complete,All,-,193.1.99.79,SKYNET00011,"80, 443",-,Main Skynet webserver -SKYNET_FIREWALL_00016,Add,i23-06-30_024,Complete,All,-,193.1.96.165,SKYNET00012,22,-,"Skynet user's server -Outlet is 131 or 132" -SKYNET_FIREWALL_00017,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.120,SKYNET00002,-,53,Allow Skynet server to use our own internal DNS -SKYNET_FIREWALL_00018,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.74,SKYNET00007,389/636,-,Allow Skynet server to access LDAP -,Add,i23-07-28_010,Denied,All,-,193.1.99.74,SKYNET00007,"80, 443",-,Self Service site for Skynet accounts – Only 443 on account modification pages -SKYNET_FIREWALL_00019,Add,i23-07-28_010,Complete,All,-,193.1.99.74,SKYNET00007,443,-,Self Service site for Skynet accounts -SKYNET_FIREWALL_00020,Add,i23-09-05_639,Complete,All,-,193.1.96.165,SKYNET00012,"80, 443",-,Web hosting for user sites -SKYNET_FIREWALL_00021,Add,i23-10-27_014,Complete,All,-,193.1.99.77,SKYNET00014,"80, 443",-,"Nextcloud, selfhosted google services, filestorage and documents" -SKYNET_FIREWALL_00022,Add,i24-02-01_102,Complete,193.1.96.165,SKYNET00012,103.1.99.109,SKYNET00004,-,53,Give the Skynet server access to ur secondary DNS -SKYNET_FIREWALL_00023,Add,i24-02-01_102,Complete,193.1.99.78,SKYNET00010,193.1.96.165,SKYNET00012,22,-,Allow our gitlab runner to access and deploy to teh external server 
-SKYNET_FIREWALL_00024,Add,i24-02-16_065,Complete,All,-,193.1.99.90,SKYNET00016,"80, 443",-,Games Server Administrative panel -SKYNET_FIREWALL_00025,Add,i24-02-16_065,Complete,All,-,193.1.99.91,SKYNET00017,25518-25525,"19132, 24418-24425",Minecraft Games server -SKYNET_FIREWALL_00026,Add,i24-06-04_017,Complete,All,-,193.1.99.76,SKYNET00009,4190,-,"Email sieve to allow members to add email filters to their -skynet mail." -SKYNET_FIREWALL_00027,Add,i24-06-04_017,Complete,All,-,193.1.99.82,SKYNET00018,80/443,-,"Public services such as a binary cache, open governance and keyserver" -,Add,i24-06-04_017,Denied,All,-,193.1.99.90,SKYNET00016,8080,-,"Websocket for admin panel on games management server -Denied because more information on wat it was for was requested" -,Add,i24-06-04_017,Denied,193.1.99.74,SKYNET00007,193.1.96.165,SKYNET00012,9000-9020,-,"Metrics collection, not done because not enough info provided" -SKYNET_FIREWALL_00028,Remove,i24-06-04_017,Complete,-,-,193.1.99.112,SKYNET00019,25565,-,No longer the minecraft game host -SKYNET_FIREWALL_00029,Add,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Websocket for admin panel on games management server -SKYNET_FIREWALL_00030,Add,i24-06-04_017,Complete,193.1.99.83,SKYNET00020,193.1.96.165,SKYNET00012,9000-9010,-,Metrics Collection -SKYNET_FIREWALL_00031,Add,i24-06-04_017,Complete,All,-,193.1.99.83,SKYNET00020,"80, 443",-,Web interface for Metrics server -SKYNET_FIREWALL_00032,Remove,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Had incorrectly opened 8080 on the main panel -SKYNET_FIREWALL_00033,Add,i24-06-04_017,Complete,All,-,193.1.99.91,SKYNET00017,8080,-,Websocket for admin panel on games management server -,Add,i24-07-15_112,Denied,193.1.99.75,-,-,-,22,-,Response from ITD - 'Our IT Security team have advised that port 22 and port 2222 are only to be allowed through the VPN and will not be opened to allow inbound ssh connections directly from the internet' 
-SKYNET_FIREWALL_00034,Add,i25-01-26_075,Complete,All,-,193.1.99.91,SKYNET00017,-,23318-23325,Ports for Minecraft Bedrock on the main games server. -SKYNET_FIREWALL_00035,Add,i25-02-14_114,Complete,193.1.99.75,SKYNET00008,193.1.96.165,SKYNET00012,22,-,Allow our forgejo runner to access and deploy to teh external server -SKYNET_FIREWALL_00036,Add,i25-03-11_125,Complete,All,-,193.1.99.86,SKYNET00027,25,-,Email Filter -SKYNET_FIREWALL_00037,Add,i25-03-30_018,Complete,All,-,193.1.99.91,SKYNET00017,27015/27016/27020,27015/27020,CSGO/TF2 Ports \ No newline at end of file diff --git a/ITD/Server_Inventory.csv b/ITD/Server_Inventory.csv deleted file mode 100644 index c7a57f1..0000000 --- a/ITD/Server_Inventory.csv +++ /dev/null 
@@ -1,28 +0,0 @@ -Index,Name,Status,IP_Address,OS,Description -SKYNET00001,agentjones,Active,193.1.99.072,Nixos-24.05,Firewall (currently not active) -SKYNET00002,vendetta,Active,193.1.99.120,Nixos-24.05,DNS Nameserver 1 -SKYNET00003,jarvis,Active,193.1.99.073,Proxmox,VM Host -SKYNET00004,vigil,Active,193.1.99.109,Nixos-24.05,DNS Nameserver 2 -SKYNET00005,galatea,Active,193.1.99.111,Nixos-24.05,ULFM Radio -SKYNET00006,optimus,Retired,193.1.99.112,Nixos-24.05,Retired Games server -SKYNET00007,kitt,Active,193.1.99.074,Nixos-24.05,"LDAP and Self-Service Password/Account management, also hosts our Discord bot" -SKYNET00008,glados,Active,193.1.99.075,Nixos-24.05,Gitlab server -SKYNET00009,gir,Active,193.1.99.076,Nixos-24.05,Email and Webmail -SKYNET00010,wheatly,Active,193.1.99.078,Nixos-24.05,Gitlab Runner -SKYNET00011,earth,Active,193.1.99.079,Nixos-24.05,Offical website host -SKYNET00012,skynet,Active,193.1.96.165,Nixos-24.05,Skynet server. (DMZ) -SKYNET00013,neuromancer,Active,193.1.99.080,Nixos-24.05,Local Backup Server -SKYNET00014,cadie,Active,193.1.99.077,Nixos-24.05,"Services VM, has nextcloud to start with" -SKYNET00015,marvin,Active,193.1.99.081,Nixos-24.05,Trainee testing server -SKYNET00016,optimus,Retired,193.1.99.090,Debian-12,Games server manager (replacing SKYNET00006 soon) -SKYNET00017,bumblebee,Retired,193.1.99.091,Debian-12,Game server - Minecraft -SKYNET00018,calculon,Active,193.1.99.082,Nixos-24.05,"Public Services such as binary cache, Open Governance and Keyserver" -SKYNET00019,deepthought,Active,193.1.99.112,Nixos-24.05,Backup Test Server using restic -SKYNET00020,ariia,Active,193.1.99.083,Nixos-24.05,"Metrics, Grafana and Prometheus" -SKYNET00021,ash,Active,193.1.99.114,NA,Server Room Network access -SKYNET00022,ultron,Active,193.1.99.084,Proxmox,VM Host -SKYNET00023,optimus-test,Retired,193.1.99.085,Nixos,Testing flake for Pelecian -SKYNET00024,optimus,Active,193.1.99.090,Nixos,Games server manager (replaced SKYNET00016) 
-SKYNET00025,bumblebee,Active,193.1.99.091,Nixos,Game server - Minecraft (replaced SKYNET00017) -SKYNET00026,vision,Active,193.1.99.085,Raspbian,Proxmox Qurom server -SKYNET00027,mimi,Active,193.1.99.086,Proxmox-Mail-Gateway,Proxmox Mail Gateway \ No newline at end of file diff --git a/ITD/VPN_Admins.csv b/ITD/VPN_Admins.csv deleted file mode 100644 index 6e3860a..0000000 --- a/ITD/VPN_Admins.csv +++ /dev/null @@ -1,6 +0,0 @@ -Index,First Name,Surname,UL Student Email -SKYNET_VPN_ADM_001,Brendan,Golden,12136891@studentmail.ul.ie -SKYNET_VPN_ADM_002,Evan,Cassidy,External -SKYNET_VPN_ADM_003,Eoghan,Conlon,21310262@studentmail.ul.ie -SKYNET_VPN_ADM_004,Eliza,Macovei,23382619@studentmail.ul.ie -SKYNET_VPN_ADM_005,Daragh,Downes,22351159@studentmail.ul.ie diff --git a/ITD/VPN_Admins_changes.csv b/ITD/VPN_Admins_changes.csv deleted file mode 100644 index f9e4a0e..0000000 --- a/ITD/VPN_Admins_changes.csv +++ /dev/null @@ -1,7 +0,0 @@ -Date,Date Modified,Action,Ticket,ID -SKYNET_VPN_ADM_CHANGE_001,2023/04/04,Added,,SKYNET_VPN_ADM_001 -SKYNET_VPN_ADM_CHANGE_002,2023/04/04,Added,,SKYNET_VPN_ADM_002 -SKYNET_VPN_ADM_CHANGE_003,2023/04/04,Added,,SKYNET_VPN_ADM_003 -SKYNET_VPN_ADM_CHANGE_003,2024/07/21,Removed,i24-07-22_760,SKYNET_VPN_ADM_003 -SKYNET_VPN_ADM_CHANGE_004,2024/07/21,Added,i24-07-22_760,SKYNET_VPN_ADM_004 -SKYNET_VPN_ADM_CHANGE_005,2024/07/21,Added,i24-07-22_760,SKYNET_VPN_ADM_005 diff --git a/ITD_Firewall.csv b/ITD_Firewall.csv new file mode 100644 index 0000000..8e256af --- /dev/null +++ b/ITD_Firewall.csv 
@@ -0,0 +1,14 @@ +Index,Name,IP_Address,DNS_Name,Ports_Current,Ports_Requested,Related_Tickets,Description +SKYNET00001,agentjones,193.1.99.72,agentjones,"","","",Firewall (currently not active) +SKYNET00002,vendetta,193.1.99.120,vendetta/ns1,53,"","",DNS Nameserver 1 +SKYNET00003,jarvis,193.1.99.73,jarvis,"","","",VM Host +SKYNET00004,vigil,193.1.99.109,vigil/ns2,53,"","",DNS Nameserver 2 +SKYNET00005,galatea,193.1.99.111,galatea/stream,80/443 8000,"","",ULFM Radio +SKYNET00006,optimus,193.1.99.112,optimus/games/*.games,80/443 25565,"","",Games server +SKYNET00007,kitt,193.1.99.74,kitt/account/api.account,"",80/443,i23-07-28_010,LDAP and Self-Service Password/Account management +SKYNET00008,glados,193.1.99.75,glados/gitlab/*.pages.gitlab,80/443,2222,i23-05-18_249,Gitlab server +SKYNET00009,gir,193.1.99.76,gir/mail,80/443 25/143/993/587/465,"",i23-06-19_525/i23-06-19_525,Email and Webmail +SKYNET00010,wheatly,193.1.99.78,wheatly,"","","",Gitlab Runner +SKYNET00011,skynet_internal,193.1.99.79,skynet/skynet.int,80/443,"",i23-06-19_525,"Skynet server, Temp until I can get the DMZ setup properly on my end" +SKYNET00012,skynet_dmz,193.1.96.165,skynet,22 80/443,"",i23-06-30_024,Skynet server. +SKYNET00013,neuromancer,193.1.99.80,neuromancer,"","","",Local Backup Server \ No newline at end of file diff --git a/LICENSE b/LICENSE deleted file mode 100644 index 3283b25..0000000 --- a/LICENSE +++ /dev/null 
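Review bot: `Related_Tickets` for SKYNET00009 reads `i23-06-19_525/i23-06-19_525`, the same ticket twice, so one reference is presumably wrong; the deleted ITD/Firewall_Rules.csv attributes 143/993/587/465 on 193.1.99.76 to `i23-05-18_249` and 80/443/25 to `i23-06-19_525`, which is likely the pair intended. The `Ports_Current` column also mixes `/` and space as separators (`80/443 8000`, `25/143/993/587/465`) and records empty cells as `""` in some columns and as nothing in others, which makes the file awkward to parse; pick one separator and one empty-cell convention. The file also lacks a trailing newline.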
@@ -1,9 +0,0 @@ -MIT License - -Copyright (c) 2024 Skynet - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \ No newline at end of file diff --git a/Possible_Server_Names.md b/Possible_Server_Names.md deleted file mode 100644 index 27c5d1d..0000000 --- a/Possible_Server_Names.md +++ /dev/null @@ -1,20 +0,0 @@ -https://web.archive.org/web/20180815150202/https://wiki.skynet.ie/Admin/SkynetMachines -https://en.m.wikipedia.org/wiki/Category:Fictional_artificial_intelligences -https://en.wikipedia.org/wiki/List_of_artificial_intelligence_films - -* agentsmith -* skynet -* caro -* Lowe - https://westworld.fandom.com/wiki/Bernard_Lowe -* ultron -* walle -* eve -* calculon -* deepthought -* earth -* flexo -* bender -* marvin -* kitt -* wopr -* wintermute diff --git a/README.md b/README.md index 1990b82..35019eb 100644 --- a/README.md +++ b/README.md 
@@ -43,27 +43,14 @@ colmena build --on @active-dns Deploying is putting (apply-ing) the config tat was built onto the server, there is no need to build first, it will automatically do so. While the ***recommended way of deploying is using the CI/CD process*** there are times when you will have to manually deploy the config. -One such case is the ``@active-git`` group if either Gitlab or Gitlab-runner got updated. +One such case is the ``@active-gitlab`` group if either Gitlab or Gitlab-runner got updated. Another is if ye have fecked up DNS. -Your ``~/.ssh/config`` should be set up as follows and you should be a member of ``skynet-admins-linux`` - -```ini -Host *.skynet.ie 193.1.99.* 193.1.96.165 - User username - IdentityFile ~/.ssh/skynet/username - IdentitiesOnly yes -``` - -Then you can run the following commands like so: - ```shell -colmena apply -colmena apply --on @active-dns -colmena apply --on @active-git +colmena apply --on @active-gitlab ``` -The CI/CD pipeline has a manual job that can be triggered to update ``@active-git`` if you know it wont cause issues. +The CI/CD pipeline has a manual job that can be triggered to update ``@active-gitlab`` if you know it wont cause issues. ### Agenix @@ -98,16 +85,6 @@ We should be updating ``nixpkgs`` at least once a semester, ideally to teh next ```shell nix flake lock --update-input nixpkgs -# newser versions -nix flake update nixpkgs -``` - -### Formatting -Formatting helps keep everything nice and consistent. -The pipeline will only run if the file is correctly formatted. - -```shell -nix fmt ``` diff --git a/applications/_base.nix b/applications/_base.nix deleted file mode 100644 index 79a83df..0000000 --- a/applications/_base.nix +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; let - # root service - cfg = config.services.skynet; -in { - imports = [ - # every server needs to have a dns record - ./dns/dns.nix - - # every server should have proper certs - ./acme.nix - ./nginx.nix - - # every server may need the firewall config stuff - ./firewall.nix - - # every server needs teh ldap client for admins - ./ldap/client.nix - - # every server will need the config to backup to - ./restic.nix - - # every server will be monitored for grafana - ./prometheus.nix - ]; - - options.services.skynet = { - # since we use this basically everywhere provide a standard way to set it - host = { - ip = mkOption { - type = types.str; - }; - name = mkOption { - type = types.str; - }; - hostname = mkOption { - type = types.str; - default = "${cfg.host.name}.skynet.ie"; - }; - interface = mkOption { - type = types.str; - description = "Will most likely be ``eno1`` for physical servers."; - default = "eth0"; - }; - cidr = mkOption { - type = types.int; - description = "Most of our servers are /26, "; - default = 26; - }; - }; - }; - - config = { - services.skynet.dns.records = [ - { - record = cfg.host.name; - r_type = "A"; - value = cfg.host.ip; - server = true; - } - { - record = cfg.host.ip; - r_type = "PTR"; - value = cfg.host.hostname; - } - ]; - - # use lix instead of nix - nix.package = pkgs.lixPackageSets.stable.lix; - - # set - networking = { - hostName = cfg.host.name; - defaultGateway.interface = lib.mkForce cfg.host.interface; - - # needs to have an address statically assigned - interfaces."${cfg.host.interface}".ipv4.addresses = [ - { - address = cfg.host.ip; - prefixLength = cfg.host.cidr; - } - ]; - }; - - services.nginx = { - virtualHosts = { - # for every server unless explisitly defined redirect the ip to skynet.ie - "${cfg.host.ip}" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/".return = "307 https://skynet.ie"; - }; - }; - }; - }; -} 
diff --git a/applications/_retired/games.nix b/applications/_retired/games.nix deleted file mode 100644 index 2f48ae0..0000000 --- a/applications/_retired/games.nix +++ /dev/null @@ -1,69 +0,0 @@ -{ - config, - pkgs, - lib, - inputs, - ... -}: -with lib; let - name = "games"; - cfg = config.services.skynet."${name}"; -in { - imports = [ - ./nginx.nix - ./games/minecraft.nix - ]; - - options.services.skynet."${name}" = { - enable = mkEnableOption "Skynet Games"; - - domain = { - tld = mkOption { - type = types.str; - default = "ie"; - }; - - base = mkOption { - type = types.str; - default = "skynet"; - }; - - sub = mkOption { - type = types.str; - default = "games"; - }; - }; - }; - - config = mkIf cfg.enable { - services.skynet.dns.records = [ - # need a base domain - { - record = cfg.domain.sub; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - ]; - - services.skynet.acme.domains = [ - "${cfg.domain.sub}.skynet.ie" - ]; - - services.nginx.virtualHosts = { - "${cfg.domain.sub}.skynet.ie" = { - forceSSL = true; - useACMEHost = "skynet"; - root = "${inputs.skynet_website_games.defaultPackage.x86_64-linux}"; - }; - }; - - # the minecraft servers - services.skynet.games_minecraft = { - enable = true; - - domain = { - sub = "minecraft.${cfg.domain.sub}"; - }; - }; - }; -} diff --git a/applications/_retired/games/minecraft.nix b/applications/_retired/games/minecraft.nix deleted file mode 100644 index a71121c..0000000 --- a/applications/_retired/games/minecraft.nix +++ /dev/null 
@@ -1,165 +0,0 @@ -{ - config, - pkgs, - lib, - inputs, - ... -}: -with lib; let - name = "games_minecraft"; - cfg = config.services.skynet."${name}"; - - # got tired of how long this is so I created a var for it. - short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; -in { - imports = [ - inputs.arion.nixosModules.arion - ]; - - options.services.skynet."${name}" = { - enable = mkEnableOption "Skynet Games Minecraft"; - - domain = { - tld = mkOption { - type = types.str; - default = "ie"; - }; - - base = mkOption { - type = types.str; - default = "skynet"; - }; - - sub = mkOption { - type = types.str; - default = "minecraft.games"; - }; - }; - }; - - config = mkIf cfg.enable { - skynet_firewall.forward = [ - "ip daddr ${config.services.skynet.host.ip} tcp dport 80 counter packets 0 bytes 0 accept" - "ip daddr ${config.services.skynet.host.ip} tcp dport 443 counter packets 0 bytes 0 accept" - "ip daddr ${config.services.skynet.host.ip} tcp dport 25565 counter packets 0 bytes 0 accept" - ]; - - services.skynet.acme.domains = [ - "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" - "*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" - ]; - - services.skynet.dns.records = [ - # the minecraft (web) config server - { - record = "config.${cfg.domain.sub}"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - - # our own minecraft hosts - { - record = "compsoc_classic.${cfg.domain.sub}"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - { - record = "compsoc.${cfg.domain.sub}"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - - # gsoc servers - { - record = "gsoc.${cfg.domain.sub}"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - { - record = "gsoc_abridged.${cfg.domain.sub}"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - - # phildeb - { - record = "phildeb.${cfg.domain.sub}"; - r_type = "CNAME"; - value = 
config.services.skynet.host.name; - } - ]; - - networking.firewall.allowedTCPPorts = [ - # for the proxy - 25565 - ]; - - services.nginx.virtualHosts = { - # https://config.minecraft.games.skynet.ie - "config.${short_domain}" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/" = { - proxyPass = "https://localhost:8443"; - proxyWebsockets = true; - }; - }; - - # https://compsoc_classic.minecraft.games.skynet.ie/map/ - "compsoc_classic.${short_domain}" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/map/".alias = "/etc/games/minecraft/craftycontrol/servers/f4c5eb33-c6d6-421c-81ab-ded31f6e8750/plugins/dynmap/web/"; - }; - }; - - # arion is one way to use docker on nixos - # see https://gitlab.com/c2842/computer_society/nixos/-/blob/733b867f4782afa795848135a83e97a5cafaf16a/applications/games/minecraft.nix - # for an example of a single compose file with multiple services - virtualisation.arion = { - backend = "docker"; - projects = { - minecraft.settings.services = { - mc_proxy.service = { - image = "itzg/mc-router:1.18.0"; - ports = ["25565:25565/tcp"]; - expose = ["25565"]; - command = [ - "--mapping=compsoc_classic.${short_domain}=mc_config:20000,compsoc.${short_domain}=mc_config:20001,gsoc.${short_domain}=mc_config:20002,gsoc.${short_domain}=mc_config:20002,gsoc_abridged.${short_domain}=mc_config:20003,phildeb.${short_domain}=mc_config:20004" - ]; - }; - - mc_config.service = { - image = "registry.gitlab.com/crafty-controller/crafty-4:4.1.1"; - - environment = { - TZ = "Etc/UTC"; - }; - - volumes = [ - "/etc/games/minecraft/craftycontrol/backups:/crafty/backups" - "/etc/games/minecraft/craftycontrol/logs:/crafty/logs" - "/etc/games/minecraft/craftycontrol/servers:/crafty/servers" - "/etc/games/minecraft/craftycontrol/config:/crafty/app/config" - "/etc/games/minecraft/craftycontrol/import:/crafty/import" - ]; - - ports = [ - # this ius https only - "8443:8443/tcp" - # compsoc classic - "20000:20000/tcp" - # compsoc - "20001:20001/tcp" - # 
games - "20002:20002/tcp" - "20003:20003/tcp" - # phildeb - "20004:20004/tcp" - ]; - }; - }; - }; - }; - }; -} diff --git a/applications/acme.nix b/applications/acme.nix index 97aff51..3018c5a 100644 --- a/applications/acme.nix +++ b/applications/acme.nix @@ -1,18 +1,13 @@ -{ - config, - pkgs, - lib, - ... -}: -with lib; let - name = "acme"; - cfg = config.services.skynet."${name}"; -in { +{ config, pkgs, lib, ... }: + with lib; + let + cfg = config.skynet_acme; + in { imports = []; - options.services.skynet."${name}" = { + options.skynet_acme = { domains = lib.mkOption { - default = []; + default = [ ]; type = lib.types.listOf lib.types.str; description = '' A list of domains to use for this server. @@ -27,19 +22,20 @@ in { age.secrets.acme.file = ../secrets/dns_certs.secret.age; security.acme = { + preliminarySelfsigned = false; acceptTerms = true; defaults = { email = "admin_acme@skynet.ie"; - credentialsFile = config.age.secrets.acme.path; # we use our own dns authorative server for verifying we own the domain. dnsProvider = "rfc2136"; + credentialsFile = config.age.secrets.acme.path; }; certs = { "skynet" = { domain = "skynet.ie"; - extraDomainNames = lists.naturalSort cfg.domains; + extraDomainNames = cfg.domains; }; }; }; diff --git a/applications/bitwarden/bitwarden_sync.nix b/applications/bitwarden/bitwarden_sync.nix deleted file mode 100644 index db8b970..0000000 --- a/applications/bitwarden/bitwarden_sync.nix +++ /dev/null 
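Review bot: The rewritten header in the first acme.nix hunk mixes layouts: `with lib;` is indented one space, `let`/`in {` two, and `default = [ ];` sits one line below `imports = [];`. With the `nix fmt --check` linter job removed in this same commit nothing will flag this, so settle it by hand: `default = [];` and the `with lib; let … in {` prelude at column 0 as on the old side.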
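Review bot: `extraDomainNames = cfg.domains;` drops the `lists.naturalSort` the old side applied, so the SAN list order now follows whichever order modules contribute to `skynet_acme.domains`; as far as I recall the acme module keys renewal on its certificate configuration, so a reordering that changes no domain would still force a re-issue — keep `extraDomainNames = lists.naturalSort cfg.domains;`. Separately, `preliminarySelfsigned = false;` means no placeholder certificate is created for `skynet`, so on a fresh host the nginx vhosts that use `useACMEHost = "skynet"` presumably cannot serve anything until the rfc2136 challenge against the authoritative DNS server succeeds; a comment recording that this dependency is intended would help the next person bootstrapping a node.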
@@ -1,76 +0,0 @@ -{ - pkgs, - config, - lib, - ... -}: let - user = "bwdc"; -in { - imports = []; - - options = {}; - - config = { - age.secrets.bitwarden_sync_id = { - file = ../../secrets/bitwarden/id.age; - owner = user; - group = user; - }; - age.secrets.bitwarden_sync_secret = { - file = ../../secrets/bitwarden/secret.age; - owner = user; - group = user; - }; - age.secrets.bitwarden_sync_ldap = { - file = ../../secrets/ldap/pw.age; - owner = user; - group = user; - }; - - services.bitwarden-directory-connector-cli = { - enable = true; - - user = user; - - domain = "https://pw.skynet.ie"; - - ldap = { - ssl = false; - startTls = false; - sslAllowUnauthorized = false; - ad = false; - port = 389; - hostname = "account.skynet.ie"; - rootPath = "dc=skynet,dc=ie"; - username = "cn=admin,dc=skynet,dc=ie"; - }; - - sync = { - removeDisabled = true; - overwriteExisting = false; - largeImport = false; - memberAttribute = "member"; - creationDateAttribute = "skCreated"; - - users = true; - userPath = "ou=users"; - userObjectClass = "inetOrgPerson"; - userEmailAttribute = "skMail"; - userFilter = "(|(memberOf=cn=skynet-committee,ou=groups,dc=skynet,dc=ie)(memberOf=cn=skynet-admins,ou=groups,dc=skynet,dc=ie))"; - - groups = true; - groupPath = "ou=groups"; - groupObjectClass = "groupOfNames"; - groupNameAttribute = "cn"; - }; - - secrets = { - ldap = config.age.secrets.bitwarden_sync_ldap.path; - bitwarden = { - client_path_id = config.age.secrets.bitwarden_sync_id.path; - client_path_secret = config.age.secrets.bitwarden_sync_secret.path; - }; - }; - }; - }; -} diff --git a/applications/bitwarden/vaultwarden.nix b/applications/bitwarden/vaultwarden.nix deleted file mode 100644 index fad00f4..0000000 --- a/applications/bitwarden/vaultwarden.nix +++ /dev/null 
@@ -1,83 +0,0 @@ -{ - config, - pkgs, - lib, - inputs, - ... -}: -with lib; let - name = "vaultwarden"; - cfg = config.services.skynet."${name}"; - - domain_sub = "pw"; - domain = "${domain_sub}.skynet.ie"; -in { - imports = [ - ]; - - options.services.skynet."${name}" = { - enable = mkEnableOption "Skynet VaultWarden server"; - }; - - config = mkIf cfg.enable { - #backups = [ "/etc/silver_ul_ical/database.db" ]; - - # Website config - services.skynet.acme.domains = [ - domain - ]; - - services.skynet.dns.records = [ - { - record = domain_sub; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - ]; - - services.nginx.virtualHosts = { - "${domain}" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}"; - }; - }; - }; - - # has ADMIN_TOKEN and SMTP_PASSWORD - age.secrets.bitwarden_details.file = ../../secrets/bitwarden/details.age; - - services.vaultwarden = { - enable = true; - - environmentFile = config.age.secrets.bitwarden_details.path; - config = { - DOMAIN = "https://${domain}"; - SENDS_ALLOWED = true; - SIGNUPS_ALLOWED = false; - - INVITATION_ORG_NAME = "Skyhold"; - - ORG_GROUPS_ENABLED = true; - - USE_SENDMAIL = false; - - SMTP_HOST = "mail.skynet.ie"; - SMTP_FROM = "vaultwarden@skynet.ie"; - SMTP_FROM_NAME = "Skynet Bitwarden server"; - SMTP_SECURITY = "starttls"; - SMTP_PORT = 587; - - SMTP_USERNAME = "vaultwarden@skynet.ie"; - SMTP_AUTH_MECHANISM = "Login"; - SMTP_EMBED_IMAGES = true; - - ROCKET_ADDRESS = "127.0.0.1"; - ROCKET_PORT = 8222; - - ROCKET_LOG = "critical"; - }; - }; - }; -} diff --git a/applications/discord.nix b/applications/discord.nix index 27c1bc9..28ca061 100644 --- a/applications/discord.nix +++ b/applications/discord.nix 
@@ -1,37 +1,38 @@ -{ - config, - pkgs, - lib, - inputs, - ... -}: -with lib; let - name = "discord_bot"; - cfg = config.services.skynet."${name}"; -in { +{ config, pkgs, lib, inputs, ... }: + with lib; + let + cfg = config.services.discord_bot; + in { + imports = [ inputs.skynet_discord_bot.nixosModule."x86_64-linux" ]; - options.services.skynet."${name}" = { + options.services.discord_bot = { enable = mkEnableOption "Skynet LDAP backend server"; }; config = mkIf cfg.enable { + #backups = [ "/etc/silver_ul_ical/database.db" ]; - age.secrets.discord_token.file = ../secrets/discord/token.age; - age.secrets.discord_mail.file = ../secrets/email/details.age; - age.secrets.discord_wolves.file = ../secrets/wolves/details.age; + age.secrets.discord_token.file = ../secrets/discord/token.age; + age.secrets.discord_ldap.file = ../secrets/discord/ldap.age; - # this is what was imported services.skynet_discord_bot = { enable = true; env = { discord = config.age.secrets.discord_token.path; - mail = config.age.secrets.discord_mail.path; - wolves = config.age.secrets.discord_wolves.path; + ldap = config.age.secrets.discord_ldap.path; + }; + + discord = { + server = "689189992417067052"; + role = { + past = "689192357727436926"; + current = "887072218004197418"; + }; }; }; }; diff --git a/applications/discord_t-800.nix b/applications/discord_t-800.nix deleted file mode 100644 index cad630a..0000000 --- a/applications/discord_t-800.nix +++ /dev/null 
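Review bot: The added `#backups = [ "/etc/silver_ul_ical/database.db" ];` comment in discord.nix names another module's database path, so it documents nothing about this service and will mislead whoever later wires up backups here; drop it or replace it with a comment naming the bot's own state, if it has any. The new `age.secrets.discord_ldap` entry sets no `owner`/`group`, so the decrypted file keeps the agenix defaults (root-owned, mode 0400); that is fine only if the bot service runs as root or reads it via a root-run wrapper — worth confirming against the imported module.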
@@ -1,32 +0,0 @@ -{ - config, - pkgs, - lib, - inputs, - ... -}: -with lib; let - name = "discord_bot_t-800"; - cfg = config.services.skynet."${name}"; -in { - imports = [ - inputs.skynet_discord_bot_t-800.nixosModule."x86_64-linux" - ]; - - options.services.skynet."${name}" = { - enable = mkEnableOption "Logging Bot"; - }; - - config = mkIf cfg.enable { - #backups = [ "/etc/silver_ul_ical/database.db" ]; - - age.secrets.discord_t-800_details.file = ../secrets/discord/t-800.age; - - # this is what was imported - services.skynet_discord_bot_t-800 = { - enable = true; - - env = config.age.secrets.discord_t-800_details.path; - }; - }; -} diff --git a/applications/dns.nix b/applications/dns.nix new file mode 100644 index 0000000..2f3cf8a --- /dev/null +++ b/applications/dns.nix 
@@ -0,0 +1,400 @@ +{ lib, pkgs, config, nodes, ... }: +let + cfg = config.skynet_dns; + + # reads that date to a string (will need to be fixed in 2038) + current_date = lib.readFile "${pkgs.runCommand "timestamp" {} "echo -n `date +%s` > $out"}"; + + # gets a list of records that match this type + filter_records_type = r_type: builtins.filter (x: x.r_type == r_type) records; + filter_records_server = builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type "A"); + filter_records_a = builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type "A"); + + process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x); + process_ptr_sub = record: {record=(builtins.substring 9 3 record.record); r_type="PTR"; value=record.value;}; + ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip); + + sort_records_server = builtins.sort (a: b: a.record < b.record) filter_records_server; + sort_records_a = builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) filter_records_a; + sort_records_cname = builtins.sort (a: b: a.value < b.value) (filter_records_type "CNAME"); + sort_records_ptr = builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type "PTR")); + sort_records_srv = builtins.sort (a: b: a.record < b.record) (filter_records_type "SRV"); + + format_records = records: offset: lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records; + + # small function to trim it down a tad + padString = text: length: fixedWidthString_post length " " text; + + # like lib.strings.fixedWidthString but postfix + fixedWidthString_post = width: filler: str: + let + strw = lib.stringLength str; + reqWidth = width - (lib.stringLength filler); + in + assert lib.assertMsg (strw <= width) "fixedWidthString_post: requested string length (${toString width}) must not be shorter than actual length (${toString 
strw})"; + if strw == width + then str + else (fixedWidthString_post reqWidth filler str) + filler; + + + + # base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie) + get_config_file = (domain: +''$TTL 60 ; 1 minute +; hostmaster@${domain} is an email address that recieves stuff related to dns +@ IN SOA ${nameserver}.${domain}. hostmaster.${domain}. ( + ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated + ${current_date} + 600 ; Refresh (10 minutes) + 300 ; Retry (5 minutes) + 604800 ; Expire (1 week) + 3600 ; Minimum (1 hour) + ) + +@ NS ns1.${domain}. +@ NS ns2.${domain}. + ; @ stands for teh root domain so teh A record below is where ${domain} points to +;@ A 193.1.99.76 +;@ MX 5 ${domain}. + +; can have multiple mailserves +@ MX 10 mail.${domain}. + + +; ------------------------------------------ +; Server Names (A Records) +; ------------------------------------------ +${format_records sort_records_server 11} + +; ------------------------------------------ +; A (non server names +; ------------------------------------------ +${format_records sort_records_a 18} + +; ------------------------------------------ +; CNAMES +; ------------------------------------------ +${format_records sort_records_cname 31} + +; ------------------------------------------ +; TXT +; ------------------------------------------ +${format_records (filter_records_type "TXT") 29} + +; ------------------------------------------ +; SRV +; ------------------------------------------ +${format_records sort_records_srv 17} + + +'' + ); + + + # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse + # config for our reverse dnspointers (not properly working) + get_config_file_rev = (domain: +''$ORIGIN 64-64.99.1.193.in-addr.arpa. +$TTL 60 ; 1 minute +; hostmaster@skynet.ie is an email address that recieves stuff related to dns +@ IN SOA ${nameserver}.skynet.ie. 
hostmaster.skynet.ie. ( + ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated + ${current_date} + 600 ; Refresh (10 minutes) + 300 ; Retry (5 minutes) + 604800 ; Expire (1 week) + 3600 ; Minimum (1 hour) + ) + +@ NS ns1.skynet.ie. +@ NS ns2.skynet.ie. + +; ------------------------------------------ +; PTR +; ------------------------------------------ +${format_records sort_records_ptr 3} +'' + ); + + # domains we dont have proper ownship over, only here to ensure the logs dont get cluttered. + get_config_file_old_domains = (domain: +''$TTL 60 ; 1 minute +; hostmaster@skynet.ie is an email address that recieves stuff related to dns +@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. ( + ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated + ${current_date} + 600 ; Refresh (10 minutes) + 300 ; Retry (5 minutes) + 604800 ; Expire (1 week) + 3600 ; Minimum (1 hour) + ) + +@ NS ns1.skynet.ie. +@ NS ns2.skynet.ie. + +'' + ); + + # arrys of teh two nameservers + tmp1 = ["193.1.99.109"]; + tmp2 = ["193.1.99.120"]; + + primaries = (if cfg.server.primary then + # primary servers have no primaries (ones they listen to) + [] + else + if builtins.elem cfg.server.ip tmp1 then + tmp2 + else + tmp1 + ); + + secondaries = (if cfg.server.primary then + if builtins.elem cfg.server.ip tmp1 then + tmp2 + else + tmp1 + else + [] + ); + + # small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router + create_cache_networks = (map (x: "193.1.99.${toString x}/32" ) (lib.lists.range 71 126) ); + + + # standard function to create the etc file, pass in the text and domain and it makes it + create_entry_etc_sub = domain: text: { + # Creates /etc/skynet/dns/domain + "skynet/dns/${domain}" = { + user = "named"; + group = "named"; + + # The UNIX file mode bits + mode = "0664"; + + text = text; + }; + }; +# (text.owned "csn.ul.ie") + + + # standard function to 
create the etc file, pass in the text and domain and it makes it + create_entry_etc = domain: type: + if type == "owned" then + create_entry_etc_sub domain (text.owned domain) + else if type == "reverse" then + create_entry_etc_sub domain (text.reverse domain) + else if type == "old" then + create_entry_etc_sub domain (text.old domain) + else + {}; + + create_entry_zone = (domain: extraConfig: { + "${domain}" = { + extraConfig = '' +${extraConfig} +// for bumping the config +// ${current_date} +''; + # really wish teh nixos config didnt use master/slave + master = cfg.server.primary; + masters = primaries; + slaves = secondaries; + # need to write this to a file + # using the date in it so it will trigger a restart + file = "/etc/skynet/dns/${domain}"; + # no leading whitespace for first line + }; + }); + + text = { + owned = domain: get_config_file domain; + reverse = domain: get_config_file_rev domain; + old = domain: get_config_file_old_domains domain; + }; + + extraConfig = { + owned = + if cfg.server.primary then +'' +allow-update { key rfc2136key.skynet.ie.; }; + +dnssec-policy default; +inline-signing yes; +'' + else + ""; + + # no extra config for reverse + reverse = ""; + + old = ""; + }; + + records = builtins.concatLists ( + lib.attrsets.mapAttrsToList (key: value: + let + details_server = value.config.skynet_dns.server; + details_records = value.config.skynet_dns.records; + in + if builtins.hasAttr "skynet_dns" value.config + then ( + # got to handle habing a dns record for the dns serves themselves. 
+ if details_server.enable + then ( + if details_server.primary + then details_records ++ [ {record="ns1"; r_type="A"; value=details_server.ip; server=false;} ] + else details_records ++ [ {record="ns2"; r_type="A"; value=details_server.ip; server=false;} ] + ) + else details_records + ) + else [] + ) nodes + ); + + nameserver = if cfg.server.primary then "ns1" else "ns2"; + +in { + + imports = [ + ../applications/firewall.nix + ]; + + options = { + skynet_dns = { + server = { + enable = lib.mkEnableOption { + default = false; + description = "Skynet DNS server"; + type = lib.types.bool; + }; + + primary = lib.mkOption { + type = lib.types.bool; + default = false; + }; + + ip = lib.mkOption { + type = lib.types.str; + description = '' + ip of this server + ''; + }; + }; + + records = lib.mkOption { + description = "Records, sorted based on therir type"; + type = with lib.types; listOf (submodule { + options = { + record = lib.mkOption { + type = str; + }; + r_type = lib.mkOption { + type = enum ["A" "CNAME" "TXT" "PTR" "SRV"]; + }; + value = lib.mkOption { + type = str; + }; + server = lib.mkOption { + description = "Core record for a server"; + type = bool; + default = false; + }; + }; + }); + }; + + }; + }; + + config = lib.mkIf cfg.server.enable { + + # open the firewall for this + skynet_firewall.forward = [ + "ip daddr ${cfg.server.ip} tcp dport 53 counter packets 0 bytes 0 accept" + "ip daddr ${cfg.server.ip} udp dport 53 counter packets 0 bytes 0 accept" + ]; + + services.bind.zones = + (create_entry_zone "csn.ul.ie" extraConfig.owned ) // + (create_entry_zone "skynet.ie" extraConfig.owned ) // + (create_entry_zone "ulcompsoc.ie" extraConfig.owned ) // + + (create_entry_zone "64-64.99.1.193.in-addr.arpa" extraConfig.reverse ) // + + (create_entry_zone "conradcollins.net" extraConfig.old )// + (create_entry_zone "edelharty.net" extraConfig.old ); + + environment.etc = + (create_entry_etc "csn.ul.ie" "owned") // + (create_entry_etc "skynet.ie" "owned") // + 
(create_entry_etc "ulcompsoc.ie" "owned") // + + (create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse") // + + (create_entry_etc "conradcollins.net" "old") // + (create_entry_etc "edelharty.net" "old"); + + + # secrets required + age.secrets.dns_dnskeys = { + file = ../secrets/dns_dnskeys.conf.age; + owner = "named"; + group = "named"; + }; + + networking.firewall = { + allowedTCPPorts = [53]; + allowedUDPPorts = [53]; + }; + + services.bind = { + enable = true; + + ipv4Only = true; + + # need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns + extraConfig = '' + include "/run/agenix/dns_dnskeys"; + ''; + + # piles of no valid RRSIG resolving 'com/DS/IN' errors + extraOptions = '' + dnssec-validation yes; + ''; + + # set the upstream dns servers + # overrides the default dns servers + forwarders = [ + # Cloudflare + "1.1.1.1" + # Google + "8.8.8.8" + # Quad9 + "9.9.9.9" + ]; + + cacheNetworks = [ + # this server itself + "127.0.0.0/24" + # all of skynet can use this as a resolver + /* + Origianl idea, however all external traffic had the ip of the router + "193.1.99.64/26" + + So to fix this we need to allow smaller ranges? - Didnt work + Fallback is explisitly listing each ip we have + + Now have a function for it + */ + ] ++ create_cache_networks; + }; + + # creates a folder in /etc for the dns to use + users.users.named = { + createHome = true; + home = "/etc/skynet/dns"; + }; + + }; +} \ No newline at end of file diff --git a/applications/dns/dns.nix b/applications/dns/dns.nix deleted file mode 100644 index 3286a98..0000000 --- a/applications/dns/dns.nix +++ /dev/null 
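Review bot: `current_date` in dns.nix is read from `pkgs.runCommand "timestamp" {} ...`, a derivation with no changing inputs, so once built Nix reuses the same store path and the SOA serial (and the `// ${current_date}` bump in `create_entry_zone`) stays frozen across rebuilds; secondaries only transfer a zone when the serial increases, so ns2 would keep serving stale records after the first deploy. Feed the serial from something that changes with the configuration (for example a flake `lastModified` value passed into the module) rather than from a cached build output. Separately, `allow-update { key rfc2136key.skynet.ie.; };` lets the ACME key rewrite any record in all three owned zones; `update-policy { grant rfc2136key.skynet.ie. zonesub TXT; };` restricts it to the TXT records DNS-01 actually needs. Finally, `dnssec-validation yes;` requires explicitly configured trust anchors (`auto` uses BIND's built-in root key), which is consistent with the "no valid RRSIG" errors the comment mentions — confirm which behaviour is intended.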
@@ -1,429 +0,0 @@ -{ - lib, - pkgs, - config, - nodes, - self, - ... -}: let - name = "dns"; - cfg = config.services.skynet."${name}"; - - # reads that date to a string (will need to be fixed in 2038) - current_date = self.lastModified; - - # this gets a list of all domains we have records for - domains = lib.lists.naturalSort (lib.lists.unique ( - lib.lists.forEach records (x: x.domain) - )); - - # get the ip's of our servers - servers = lib.lists.naturalSort (lib.lists.unique ( - lib.lists.forEach (sort_records_a_server records) (x: x.value) - )); - - domains_owned = [ - # for historic reasons we own this - "csn.ul.ie" - # the main one we use now - "skynet.ie" - # a backup - "ulcompsoc.ie" - ]; - - # gets a list of records that match this type - filter_records_type = records: r_type: builtins.filter (x: x.r_type == r_type) records; - # Get all the A records that are for servers (base record for them) - filter_records_a_server = records: builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type records "A"); - # Every other A record - filter_records_a = records: builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type records "A"); - - # These functions are to get the final 3 digits of an IP address so we can use them for reverse pointer - process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x); - process_ptr_sub = record: { - record = builtins.substring 9 3 record.record; - r_type = "PTR"; - value = record.value; - }; - ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip); - - # filter and sort records so we cna group them in the right place later - sort_records_a_server = records: builtins.sort (a: b: a.record < b.record) (filter_records_a_server records); - sort_records_a = records: builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) (filter_records_a records); - sort_records_cname = records: builtins.sort (a: b: a.value < b.value) (filter_records_type records 
"CNAME"); - sort_records_ptr = records: builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type records "PTR")); - sort_records_srv = records: builtins.sort (a: b: a.record < b.record) (filter_records_type records "SRV"); - - # a tad overkill but type guarding is useful - max = x: y: - assert builtins.isInt x; - assert builtins.isInt y; - if x < y - then y - else x; - - # get teh max length of a list of strings - max_len = records: lib.lists.foldr (a: b: (max a b)) 0 (lib.lists.forEach records (record: lib.strings.stringLength record.record)); - - # Now that we can get teh max lenth of a list of strings - # we can pad it out to the max len +1 - # this is so that teh generated file is easier for a human to read - format_records = records: let - offset = (max_len records) + 1; - in - lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records; - - # small function to add spaces until it reaches teh required length - padString = text: length: fixedWidthString_post length " " text; - - # like lib.strings.fixedWidthString but postfix - # recursive function to extend a string up to a limit - fixedWidthString_post = width: filler: str: let - strw = lib.stringLength str; - reqWidth = width - (lib.stringLength filler); - in - # this is here because we were manually setting teh length, now max_len does that for us - assert lib.assertMsg (strw <= width) "fixedWidthString_post: requested string length (${toString width}) must not be shorter than actual length (${toString strw})"; - if strw == width - then str - else (fixedWidthString_post reqWidth filler str) + filler; - - # base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie) - # ";" are comments in this file - get_config_file = ( - domain: records: '' - $TTL 60 ; 1 minute - ; hostmaster@skynet.ie is an email address that recieves stuff related to dns - @ IN SOA ${nameserver}.skynet.ie. 
hostmaster.skynet.ie. ( - ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated - ${toString current_date} - 600 ; Refresh (10 minutes) - 300 ; Retry (5 minutes) - 604800 ; Expire (1 week) - 3600 ; Minimum (1 hour) - ) - - ; @ stands for teh root domain so teh A record below is where ${domain} points to - @ NS ns1.skynet.ie. - @ NS ns2.skynet.ie. - - ; ------------------------------------------ - ; Server Names (A Records) - ; ------------------------------------------ - ${format_records (sort_records_a_server records)} - - ; ------------------------------------------ - ; A (non server names - ; ------------------------------------------ - ${format_records (sort_records_a records)} - - ; ------------------------------------------ - ; CNAMES - ; ------------------------------------------ - ${format_records (sort_records_cname records)} - - ; ------------------------------------------ - ; TXT - ; ------------------------------------------ - ${format_records (filter_records_type records "TXT")} - - ; ------------------------------------------ - ; MX - ; ------------------------------------------ - ${format_records (filter_records_type records "MX")} - - ; ------------------------------------------ - ; SRV - ; ------------------------------------------ - ${format_records (sort_records_srv records)} - '' - ); - - # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse - # config for our reverse dns pointers (not properly working) - get_config_file_rev = ( - domain: '' - $ORIGIN 64-64.99.1.193.in-addr.arpa. - $TTL 60 ; 1 minute - ; hostmaster@skynet.ie is an email address that recieves stuff related to dns - @ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. 
( - ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated - ${toString current_date} - 600 ; Refresh (10 minutes) - 300 ; Retry (5 minutes) - 604800 ; Expire (1 week) - 3600 ; Minimum (1 hour) - ) - - @ NS ns1.skynet.ie. - @ NS ns2.skynet.ie. - - ; ------------------------------------------ - ; PTR - ; ------------------------------------------ - ${format_records (sort_records_ptr records)} - '' - ); - - # arrays of teh two nameservers - nameserver_1 = ["193.1.99.109"]; - nameserver_2 = ["193.1.99.120"]; - - primaries = ( - if cfg.server.primary - then - # primary servers have no primaries (ones they listen to) - [] - else if builtins.elem cfg.server.ip nameserver_1 - then nameserver_2 - else nameserver_1 - ); - - secondaries = ( - if cfg.server.primary - then - if builtins.elem cfg.server.ip nameserver_1 - then nameserver_2 - else nameserver_1 - else [] - ); - - # small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router - # now limited explicitly to servers that we are administering - # See i24-09-30_050 for more information - create_cache_networks = map (x: "${toString x}/32") servers; - - # standard function to create the etc file, pass in the text and domain and it makes it - create_entry_etc_sub = domain: text: { - # Creates /etc/skynet/dns/domain - "skynet/dns/${domain}" = { - user = "named"; - group = "named"; - - # The UNIX file mode bits - mode = "0664"; - - # content of the file - text = text; - }; - }; - - # standard function to create the etc file, pass in the text and domain and it makes it - create_entry_etc = domain: type: let - domain_records = lib.lists.filter (x: x.domain == domain) records; - in - # this is the main type of record that most folks are used to - if type == "owned" - then create_entry_etc_sub domain (get_config_file domain domain_records) - # reverse lookups allow for using an IP to find domains pointing to it - else if type == 
"reverse" - then create_entry_etc_sub domain (get_config_file_rev domain) - else {}; - - create_entry_zone = domain: let - if_primary_and_owned = - if cfg.server.primary && (lib.lists.any (item: item == domain) domains_owned) - then '' - allow-update { key rfc2136key.skynet.ie.; }; - dnssec-policy default; - inline-signing yes; - '' - else ""; - in { - "${domain}" = { - extraConfig = '' - ${if_primary_and_owned} - // for bumping the config - // ${toString current_date} - ''; - # really wish teh nixos config didnt use master/slave - master = cfg.server.primary; - masters = primaries; - slaves = secondaries; - # need to write this to a file - # using the date in it so it will trigger a restart - file = "/etc/skynet/dns/${domain}"; - # no leading whitespace for first line - }; - }; - - records = - config.skynet.records - /* - Need to "manually" grab it from each server. - Nix is laxy evalusted so if it does not need to open a file it wont. - This is to iterate through each server (node) and evaluate the dns records for that server. 
- */ - ++ builtins.concatLists ( - lib.attrsets.mapAttrsToList ( - key: value: value.config.services.skynet.dns.records - ) - nodes - ); - - nameserver = - if cfg.server.primary - then "ns1" - else "ns2"; -in { - imports = [ - ../../config/dns.nix - ]; - - options.services.skynet."${name}" = { - server = { - enable = lib.mkEnableOption { - default = false; - description = "Skynet DNS server"; - type = lib.types.bool; - }; - - primary = lib.mkOption { - type = lib.types.bool; - default = false; - }; - - ip = lib.mkOption { - type = lib.types.str; - description = '' - ip of this server - ''; - }; - }; - - records = lib.mkOption { - description = "Records, sorted based on therir type"; - type = lib.types.listOf (lib.types.submodule (import ./options-records.nix { - inherit lib; - })); - }; - }; - - config = lib.mkIf cfg.server.enable { - # logging - services.prometheus.exporters.bind = { - enable = true; - openFirewall = true; - }; - - # services.skynet.backup.normal.backups = ["/etc/skynet/dns"]; - - # open the firewall for this - skynet_firewall.forward = [ - "ip daddr ${cfg.server.ip} tcp dport 53 counter packets 0 bytes 0 accept" - "ip daddr ${cfg.server.ip} udp dport 53 counter packets 0 bytes 0 accept" - ]; - - services.skynet.dns.records = [ - { - record = nameserver; - r_type = "A"; - value = config.services.skynet.host.ip; - } - ]; - - services.bind.zones = lib.attrsets.mergeAttrsList ( - # uses teh domains lsited in teh records - (lib.lists.forEach domains (domain: (create_entry_zone domain))) - # we have to do a reverse dns - ++ [ - (create_entry_zone "64-64.99.1.193.in-addr.arpa") - ] - ); - - environment.etc = lib.attrsets.mergeAttrsList ( - # uses teh domains lsited in teh records - (lib.lists.forEach domains (domain: (create_entry_etc domain "owned"))) - # we have to do a reverse dns - ++ [ - (create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse") - ] - ); - - # secrets required - age.secrets.dns_dnskeys = { - file = 
../../secrets/dns_dnskeys.conf.age; - owner = "named"; - group = "named"; - }; - - # basic but ensure teh dns ports are open - networking.firewall = { - allowedTCPPorts = [53]; - allowedUDPPorts = [53]; - }; - - services.bind = { - enable = true; - - ipv4Only = true; - - # need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns - extraConfig = '' - include "/run/agenix/dns_dnskeys"; - - statistics-channels { - inet 127.0.0.1 port 8053 allow { 127.0.0.1; }; - }; - ''; - - # piles of no valid RRSIG resolving 'com/DS/IN' errors - extraOptions = '' - dnssec-validation auto; - ''; - - # set the upstream dns servers - # overrides the default dns servers - forwarders = [ - # Cloudflare - "1.1.1.1" - # Google - "8.8.8.8" - # Quad9 - "9.9.9.9" - ]; - - cacheNetworks = - [ - # this server itself - "127.0.0.0/24" - - # skynet server in the dmz - "193.1.96.165/32" - # all of skynet can use this as a resolver - /* - Origianl idea, however all external traffic had the ip of the router - "193.1.99.64/26" - - So to fix this we need to allow smaller ranges? - Didnt work - Fallback is explisitly listing each ip we have - - Now have a function for it - */ - ] - ++ create_cache_networks; - }; - - systemd.services.bind = { - # deletes teh journal files evey start so it no longer stalls out - preStart = '' - rm -vf /etc/skynet/dns/*.jnl - rm -vf /etc/skynet/dns/*.jbk - ''; - restartTriggers = [ - "${config.environment.etc."skynet/dns/skynet.ie".source}" - ]; - }; - - # creates a folder in /etc for the dns to use - users.groups.named = {}; - - users.users.named = { - createHome = true; - home = "/etc/skynet/dns"; - group = "named"; - # X11 is to ensure the directory can be traversed - homeMode = "711"; - }; - }; -} diff --git a/applications/dns/options-records.nix b/applications/dns/options-records.nix deleted file mode 100644 index 53e443f..0000000 --- a/applications/dns/options-records.nix +++ /dev/null 
@@ -1,31 +0,0 @@ -/* -Define the options for dns records here. -They are imported into anything that needs to use them -*/ -{lib, ...}: -with lib; { - options = { - domain = lib.mkOption { - description = "Domain this record is for"; - type = lib.types.str; - default = "skynet.ie"; - }; - record = lib.mkOption { - description = "What you want to name the subdomain."; - type = lib.types.str; - }; - r_type = lib.mkOption { - description = "Type of record that this is."; - type = lib.types.enum ["A" "CNAME" "TXT" "PTR" "SRV" "MX"]; - }; - value = lib.mkOption { - description = "What the record points to, normally ip or another record."; - type = lib.types.str; - }; - server = lib.mkOption { - description = "Core record for a server"; - type = lib.types.bool; - default = false; - }; - }; -} diff --git a/applications/email.nix b/applications/email.nix index 97b2362..265fc45 100644 --- a/applications/email.nix +++ b/applications/email.nix 
@@ -1,176 +1,39 @@ -{ - config, - pkgs, - lib, - inputs, - ... -}: -with lib; let - name = "email"; - cfg = config.services.skynet."${name}"; +{ config, pkgs, lib, inputs, ...}: with lib; + let + cfg = config.services.skynet_email; - # create teh new strings - create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})"); + # create teh new strings + create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})"); - create_filter_join = x: concatStringsSep "" x; + create_filter_join = (x: concatStringsSep "" x); - # thought you could escape racket? - create_filter = groups: create_filter_join (create_filter_array groups); + # thought you could escape racket? + create_filter = (groups: create_filter_join (create_filter_array groups) ); - # using +mailbox puts the mail in a seperate folder - create_skynet_email_int = accounts: mailbox: (map (account: "${account}@skynet.ie") accounts); - groups_to_accounts = groups: builtins.concatMap (x: config.skynet.users.${x}) groups; - create_skynet_email_attribute = mailbox: groups: (create_skynet_email_int (groups_to_accounts groups) mailbox) ++ ["int_${mailbox}@skynet.ie"]; - create_skynet_email = mailbox: groups: { - name = "${mailbox}@skynet.ie"; - value = create_skynet_email_attribute mailbox groups; - }; - create_skynet_service_mailboxes = builtins.listToAttrs (map (mailbox: (create_skynet_email mailbox.account mailbox.members)) service_mailboxes); + in { - create_config_to = concatStringsSep "\",\"" (map (mailbox: "${mailbox.account}") service_mailboxes); - - service_mailboxes = [ - { - account = "root"; - members = ["admin"]; - } - { - account = "abuse"; - members = ["admin"]; - } - { - account = "accounts"; - members = ["committee"]; - } - { - account = "compsoc"; - members = ["committee"]; - } - { - account = "contact"; - members = ["committee"]; - } - { - account = "committee"; - members = ["committee"]; - } - { - account = "dbadmin"; - members = ["admin"]; - } - { - account = "dnsadm"; 
- members = ["admin"]; - } - { - account = "hostmaster"; - members = ["admin"]; - } - { - account = "intersocsrep"; - members = ["committee"]; - } - { - account = "mailman"; - members = ["admin"]; - } - { - account = "security"; - members = ["admin"]; - } - { - account = "sysadm"; - members = ["admin"]; - } - { - account = "webadmin"; - members = ["admin"]; - } - { - account = "pycon2023"; - members = ["committee"]; - } - { - account = "skynet_topdesk"; - members = ["admin" "trainee"]; - } - ]; - - sieveConfigFile = - # https://doc.dovecot.org/configuration_manual/sieve/examples/#plus-addressed-mail-filtering - pkgs.writeText "basic_sieve" - '' - require "copy"; - require "mailbox"; - require "imap4flags"; - require ["fileinto", "reject"]; - require "variables"; - require "regex"; - require "subaddress"; - - # this should be close to teh last step - if allof ( - address :user ["To", "Cc"] ["${toString create_config_to}"], - address :domain ["To", "Cc"] "skynet.ie" - ){ - if address :matches ["To", "Cc"] "*@skynet.ie" { - # handle spam reports specifically for teh service accounts in each users inbox - if address :matches ["From"] "postmaster@mimi.skynet.ie" { - fileinto :create "''${1}.Spam_Report"; - stop; - } - - # user+subdir - if address :matches ["To", "Cc"] "*+*@skynet.ie" { - fileinto :create "''${1}.''${2}"; - stop; - } - - # no detail, proceed normally - if header :is "X-Spam" "Yes" { - fileinto :create "''${1}.Junk"; - stop; - } else { - fileinto :create "''${1}"; - stop; - } - } - } - - # handle spam Reports for general users - if address :matches ["From"] "postmaster@mimi.skynet.ie" { - fileinto :create "INBOX.Spam_Report"; - stop; - } - - if allof ( - address :localpart ["From"] ["${toString create_config_to}"], - address :domain ["From"] "skynet.ie" - ){ - if address :matches ["From"] "*@skynet.ie" { - if header :is "X-Spam" "Yes" { - fileinto :create "''${1}.Junk"; - stop; - } else { - fileinto :create "''${1}"; - stop; - } - } - } - ''; -in { 
imports = [ + ./dns.nix + ./acme.nix + ./nginx.nix inputs.simple-nixos-mailserver.nixosModule - - # for teh config - ../config/users.nix ]; - options.services.skynet."${name}" = { + options.services.skynet_email = { # options that need to be passed in to make this work enable = mkEnableOption "Skynet Email"; + host = { + ip = mkOption { + type = types.str; + }; + + name = mkOption { + type = types.str; + }; + }; + domain = mkOption { type = types.str; default = "skynet.ie"; 
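Review bot: The new `host.ip` and `host.name` options under `options.services.skynet_email` carry neither a `description` nor a default, so the generated option docs give no hint what value is expected; adding `description = "IP address the mail A/PTR records point at";` and `description = "Hostname of the machine running this service";` would fix that, and the same undocumented `host` block is added in games.nix, minecraft.nix and gitlab.nix. `create_filter` splices group names straight into an LDAP filter (`(memberOf=cn=${x},ou=groups,${cfg.ldap.base})`) without escaping; the names come from module configuration rather than user input, so the concern is a misconfigured name containing `(`, `)`, `*` or `\` silently changing the filter, and a comment such as `# group names are used verbatim in an LDAP filter; keep them free of RFC 4515 special characters` would record that assumption. The module body opened by `in {` continues past the end of this hunk.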
@@ -222,223 +85,71 @@ in { default = "cn=admin,${cfg.ldap.base}"; description = lib.mdDoc "where to find users"; }; + }; }; config = mkIf cfg.enable { - services.skynet.backup.normal.backups = [ - #"/var/vmail" + services.skynet_backup.normal.backups = [ + "/var/vmail" "/var/dkim" ]; age.secrets.ldap_pw.file = ../secrets/ldap/pw.age; - security.acme.certs = { - "mail" = { - domain = "mail.skynet.ie"; - extraDomainNames = [ - "imap.skynet.ie" - "pop3.skynet.ie" - "smtp.skynet.ie" - ]; - }; + skynet_acme.domains = [ + "${cfg.sub}.${cfg.domain}" + ]; - "imap" = { - domain = "imap.skynet.ie"; - extraDomainNames = [ - "mail.skynet.ie" - "pop3.skynet.ie" - "smtp.skynet.ie" - ]; - }; + # set up dns record for it + skynet_dns.records = [ + # basic one + {record="mail"; r_type="A"; value=cfg.host.ip;} - "pop3" = { - domain = "pop3.skynet.ie"; - extraDomainNames = [ - "imap.skynet.ie" - "mail.skynet.ie" - "smtp.skynet.ie" - ]; - }; + # TXT records, all tehse are inside escaped strings to allow using "" + # SPF record + {record="${cfg.domain}."; r_type="TXT"; value=''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"'';} + + # DKIM keys + {record="mail._domainkey.skynet.ie."; r_type="TXT"; value=''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';} + {record="mail._domainkey.ulcompsoc.ie."; r_type="TXT"; value=''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';} - "smtp" = { - domain = "smtp.skynet.ie"; - extraDomainNames = [ - "imap.skynet.ie" - "pop3.skynet.ie" - "mail.skynet.ie" - ]; - }; - }; + # DMARC + {record="_dmarc.${cfg.domain}."; r_type="TXT"; value=''"v=DMARC1; p=none"'';} + + # reverse pointer + 
{record=cfg.host.ip; r_type="PTR"; value="${cfg.sub}.${cfg.domain}.";} + + # SRV records to help gmail on android etc find the correct mail.skynet.ie domain for config rather than just defaulting to skynet.ie + # https://serverfault.com/questions/935192/how-to-setup-auto-configure-email-for-android-mail-app-on-your-server/1018406#1018406 + # response should be: + # _imap._tcp SRV 0 1 143 imap.example.com. + {record="_imaps._tcp"; r_type="SRV"; value="0 1 993 ${cfg.sub}.${cfg.domain}.";} + {record="_imap._tcp"; r_type="SRV"; value="0 1 143 ${cfg.sub}.${cfg.domain}.";} + {record="_submissions._tcp"; r_type="SRV"; value="0 1 465 ${cfg.sub}.${cfg.domain}.";} + {record="_submission._tcp"; r_type="SRV"; value="0 1 587 ${cfg.sub}.${cfg.domain}.";} + ]; # to provide the certs services.nginx.virtualHosts = { - "mail.skynet.ie" = { - forceSSL = true; - useACMEHost = "mail"; + "${cfg.sub}.${cfg.domain}" = { + forceSSL = true; + useACMEHost = "skynet"; # override the inbuilt nginx config enableACME = false; - serverName = "mail.skynet.ie"; - }; - - "imap.skynet.ie" = { - forceSSL = true; - useACMEHost = "imap"; - # override the inbuilt nginx config - enableACME = false; - serverName = "imap.skynet.ie"; - }; - - "pop3.skynet.ie" = { - forceSSL = true; - useACMEHost = "pop3"; - # override the inbuilt nginx config - enableACME = false; - serverName = "pop3.skynet.ie"; - }; - - "smtp.skynet.ie" = { - forceSSL = true; - useACMEHost = "smtp"; - # override the inbuilt nginx config - enableACME = false; - serverName = "smtp.skynet.ie"; + serverName = "${cfg.sub}.${cfg.domain}"; }; }; - # set up dns record for it - services.skynet.dns.records = - [ - { - # This is the mail gateway, try to send all mail to it first - # Lower number = higher priority - record = "@"; - r_type = "MX"; - # the number is the priority in teh case of multiple mailservers - value = "5 mimi.${cfg.domain}."; - } - { - # this is the main email server - record = "@"; - r_type = "MX"; - # the number is the priority 
in teh case of multiple mailservers - value = "10 mail.${cfg.domain}."; - } - { - record = "@"; - r_type = "MX"; - # the number is the priority in teh case of multiple mailservers - value = "10 lists.${cfg.domain}."; - } - - # basic one - { - record = "mail"; - r_type = "A"; - value = config.services.skynet.host.ip; - } - { - record = "lists"; - r_type = "A"; - value = config.services.skynet.host.ip; - } - #DNS config for K-9 Mail - { - record = "imap"; - r_type = "CNAME"; - value = "mail"; - } - { - record = "pop3"; - r_type = "CNAME"; - value = "mail"; - } - { - record = "smtp"; - r_type = "CNAME"; - value = "mail"; - } - - # TXT records, all tehse are inside escaped strings to allow using "" - - # reverse pointer - { - record = config.services.skynet.host.ip; - r_type = "PTR"; - value = "${cfg.sub}.${cfg.domain}."; - } - - # SRV records to help gmail on android etc find the correct mail.skynet.ie domain for config rather than just defaulting to skynet.ie - # https://serverfault.com/questions/935192/how-to-setup-auto-configure-email-for-android-mail-app-on-your-server/1018406#1018406 - # response should be: - # _imap._tcp SRV 0 1 143 imap.example.com. 
- { - record = "_imaps._tcp"; - r_type = "SRV"; - value = "0 1 993 ${cfg.sub}.${cfg.domain}."; - } - { - record = "_imap._tcp"; - r_type = "SRV"; - value = "0 1 143 ${cfg.sub}.${cfg.domain}."; - } - { - record = "_submissions._tcp"; - r_type = "SRV"; - value = "0 1 465 ${cfg.sub}.${cfg.domain}."; - } - { - record = "_submission._tcp"; - r_type = "SRV"; - value = "0 1 587 ${cfg.sub}.${cfg.domain}."; - } - ] - # SPF record - ++ [ - { - record = "${cfg.domain}."; - r_type = "TXT"; - value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} ip4:${config.services.skynet.host.ip} -all"''; - } - ] - # DKIM keys - ++ [ - { - record = "mail._domainkey.skynet.ie."; - r_type = "TXT"; - value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"''; - } - { - domain = "ulcompsoc.ie"; - record = "mail._domainkey.ulcompsoc.ie."; - r_type = "TXT"; - value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"''; - } - ] - # DMARC - ++ [ - { - record = "_dmarc.${cfg.domain}."; - r_type = "TXT"; - # p : quarantine => sends to spam, reject => never sent - # rua : mail that receives reports about DMARC activity - # pct : percentage of unathenticated messages that DMARC stops - # adkim : alignment policy for DKIM, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed - # aspf : alignment policy for SPF, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed - # sp : DMARC policy for subdomains, none => no action, reports to rua, quarantine => spam, reject => never sent - value = ''"v=DMARC1; p=quarantine; rua=mailto:mailman@skynet.ie; pct=100; adkim=s; aspf=s; sp=quarantine"''; - } - ]; - 
#https://nixos-mailserver.readthedocs.io/en/latest/add-roundcube.html users.groups.nginx = {}; users.groups.roundcube = {}; services.roundcube = { - enable = true; - # this is the url of the vhost, not necessarily the same as the fqdn of - # the mailserver - hostName = "${cfg.sub}.${cfg.domain}"; - extraConfig = '' + enable = true; + # this is the url of the vhost, not necessarily the same as the fqdn of + # the mailserver + hostName = "${cfg.sub}.${cfg.domain}"; + extraConfig = '' # starttls needed for authentication, so the fqdn required to match # the certificate $config['smtp_server'] = "ssl://${cfg.sub}.${cfg.domain}"; @@ -460,40 +171,24 @@ in { 'name' => 'cn', 'surname' => 'sn', 'email' => 'skMail:*', - ] + ] ); ''; }; - # for https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/275 - services.dovecot2.sieve.extensions = ["fileinto"]; - mailserver = { enable = true; - stateVersion = 3; - fqdn = "${cfg.sub}.${cfg.domain}"; domains = [ cfg.domain - "lists.skynet.ie" ]; - enableManageSieve = true; - - lmtpSaveToDetailMailbox = "yes"; - - extraVirtualAliases = create_skynet_service_mailboxes; - # use the letsencrypt certs certificateScheme = "acme"; # 20MB max size messageSizeLimit = 20000000; - # policydSPFExtraConfig = '' - # skip_addresses = 193.1.99.86/32 - # ''; - ldap = { enable = true; uris = cfg.ldap.hosts; @@ -506,13 +201,13 @@ in { searchScope = "sub"; dovecot = { - userFilter = "(skMail=%{user})"; + userFilter = "(skMail=%u)"; # can lock down how much space each user has access to from ldap userAttrs = "quotaEmail=quota_rule=*:bytes=%$,=quota_rule2=Trash:storage=+100M"; # accept emails in, but only allow access to paid up members - passFilter = "(&(|${create_filter cfg.groups})(skMail=%{user}))"; + passFilter = "(&(|${create_filter cfg.groups})(skMail=%u))"; }; postfix = { 
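Review bot: The rebuilt `skynet_dns.records` list publishes SPF, DKIM and DMARC for `${cfg.domain}` but contains no MX record for it; unless one is defined in `./dns.nix` (outside this diff), inbound mail for the domain has no delivery target. The `mail._domainkey.ulcompsoc.ie.` entry is written exactly like the skynet.ie one with no zone attribute, so if the record schema still defaults to skynet.ie this TXT record lands in the wrong zone — the removed entry carried an explicit `domain = "ulcompsoc.ie";`. The DMARC record `"v=DMARC1; p=none"` names no `rua=` address, so the monitoring-only policy produces no aggregate reports; `rua=mailto:<DMARC_REPORT_ADDRESS>` (placeholder) restores that visibility. The enclosing `config = mkIf cfg.enable {` block continues beyond this hunk.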
@@ -520,68 +215,25 @@ in { uidAttribute = "skMail"; mailAttribute = "skMail"; }; + }; # feckin spammers rejectRecipients = [ + ]; - }; - services.dovecot2.sieve.scripts = { - before = sieveConfigFile; - }; - - # This is to add a bcc to outgoing mail - # this then interacts with teh filters to put it in the right folder - # we can directly add to the postfix service here - services.postfix = let - # mostly copied from the upstream mailserver config/functions - mappedFile = name: "hash:/var/lib/postfix/conf/${name}"; - - sender_bcc_maps_file = let - content = lookupTableToString create_skynet_service_bcc; - in - builtins.toFile "sender_bcc_maps" content; - - lookupTableToString = attrs: let - valueToString = value: lib.concatStringsSep ", " value; - in - lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "${name} ${valueToString value}") attrs); - - # convert the mailboxes config to something that can be used here - create_skynet_email_bcc = mailbox: { - name = "${mailbox}@skynet.ie"; - value = ["${mailbox}@skynet.ie"]; - }; - create_skynet_service_bcc = builtins.listToAttrs (map (mailbox: (create_skynet_email_bcc mailbox.account)) service_mailboxes); - in { - mapFiles."sender_bcc_maps" = sender_bcc_maps_file; - - config = { - sender_bcc_maps = [ - (mappedFile "sender_bcc_maps") - ]; - }; }; # tune the spam filter - services.rspamd.locals = { - "multimap.conf" = { - text = '' - IP_WHITELIST { - type = "ip"; - prefilter = true; - map = "/etc/rspamd/local.d/ip_whitelist.map"; - action = "accept"; - } - ''; - }; - - "ip_whitelist.map" = { - text = '' - 193.1.99.86 - ''; - }; - }; + /* + services.rspamd.extraConfig = '' + actions { + reject = null; # Disable rejects, default is 15 + add_header = 7; # Add header when reaching this score + greylist = 4; # Apply greylisting when reaching this score + } + ''; + */ }; } diff --git a/applications/firewall.nix b/applications/firewall.nix index 51bdeb6..1faef0e 100644 --- a/applications/firewall.nix 
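Review bot: The `# tune the spam filter` comment now introduces only a block-commented `services.rspamd.extraConfig`, so the file ends with dead configuration whose status (planned, rejected, kept for reference) is unclear; either drop it or replace the comment with one that says why it stays, e.g. `# rspamd action thresholds intentionally left at defaults; commented example kept for reference`. gitlab.nix has the same pattern with its commented `#smtp = { ... }` block. The `# feckin spammers` comment above the now-empty `rejectRecipients = [ ];` describes nothing and should say the list is intentionally empty. The enclosing `config = mkIf cfg.enable {` starts outside this hunk.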
+++ b/applications/firewall.nix @@ -1,9 +1,5 @@ -{ - lib, - pkgs, - config, - ... -}: { +{lib, pkgs, config, ...}: { + # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base options = { skynet_firewall = { @@ -14,7 +10,7 @@ type = lib.types.bool; }; forward = lib.mkOption { - default = []; + default = [ ]; type = lib.types.listOf lib.types.str; description = '' A list of routes to forward @@ -23,16 +19,16 @@ own = { ip = lib.mkOption { - default = "127.0.0.1"; - type = lib.types.str; - description = '' - IP of the firewall - ''; + default = "127.0.0.1"; + type = lib.types.str; + description = '' + IP of the firewall + ''; }; ports = { tcp = lib.mkOption { - default = []; + default = [ ]; type = lib.types.listOf lib.types.int; description = '' A list of TCP ports for the machiene running the firewall @@ -40,13 +36,15 @@ }; udp = lib.mkOption { - default = []; + default = [ ]; type = lib.types.listOf lib.types.int; description = '' A list of UDP ports for the machiene running the firewall ''; }; + }; + }; }; }; @@ -58,7 +56,8 @@ # fules for the firewall # beware of EOL conversion. - networking.nftables.ruleset = '' + networking.nftables.ruleset = + '' # using https://oxcrag.net/2021/12/25/build-your-own-router-with-nftables-part-1/ as a guide # Clear out any existing rules @@ -165,6 +164,9 @@ } } - ''; + ''; + }; + + } diff --git a/applications/games.nix b/applications/games.nix new file mode 100644 index 0000000..7c7b126 --- /dev/null +++ b/applications/games.nix 
@@ -0,0 +1,68 @@ +{ config, pkgs, lib, ... }: + with lib; + let + cfg = config.services.skynet_games; + in { + imports = [ + ./dns.nix + + ./games/minecraft.nix + ]; + + + options.services.skynet_games = { + enable = mkEnableOption "Skynet Games"; + + host = { + ip = mkOption { + type = types.str; + }; + + name = mkOption { + type = types.str; + }; + }; + + domain = { + tld = mkOption { + type = types.str; + default = "ie"; + }; + + base = mkOption { + type = types.str; + default = "skynet"; + }; + + sub = mkOption { + type = types.str; + default = "games"; + }; + }; + + }; + + + config = mkIf cfg.enable { + skynet_dns.records = [ + # need a base domain + {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} + ]; + + # the minecraft servers + services.skynet_games_minecraft = { + enable = true; + + host = { + ip = cfg.host.ip; + name = cfg.domain.sub; + }; + + domain = { + sub = "minecraft.${cfg.domain.sub}"; + }; + }; + + + }; +} \ No newline at end of file diff --git a/applications/games/minecraft.nix b/applications/games/minecraft.nix index 9dce4bb..4fc1a17 100644 --- a/applications/games/minecraft.nix +++ b/applications/games/minecraft.nix 
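Review bot: `services.skynet_games_minecraft.host.name` is set to `cfg.domain.sub` (`"games"` by default) rather than to `cfg.host.name`, so the CNAME records the minecraft module derives from it resolve through a two-hop chain (`config.minecraft.games` → `games` → `cfg.host.name`); it works, but nothing explains the choice, and a comment such as `# host.name here is the games subdomain, not the machine: minecraft's CNAMEs chain through the "games" record above` would stop someone "correcting" it. The `host.ip`/`host.name` options of this module mirror the undocumented ones in email.nix and would benefit from the same descriptions. The file is added without a trailing newline.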
@@ -1,60 +1,147 @@ -{ - config, - pkgs, - lib, - inputs, - ... -}: let - # function to create the cname record for eachs erver - create_cname = configs: - lib.lists.forEach configs ( - c: { - record = "${c.address}.games"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - ); +{ config, pkgs, lib, inputs, ... }: + with lib; + let + cfg = config.services.skynet_games_minecraft; - # function to create the srv record - # this allows us to change the port without impacting (java) users - create_srv = configs: - lib.lists.forEach configs (c: { - record = "_minecraft._tcp.${c.address}.games.skynet.ie."; - r_type = "SRV"; - value = "0 10 ${c.port} ${config.services.skynet.host.name}.skynet.ie."; - }); + # got tired of how long this is so I created a var for it. + short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; + in { - servers = [ - { - address = "minecraft.compsoc"; - port = "25518"; - } - { - address = "minecraft-classic.compsoc"; - port = "25518"; - } - { - address = "minecraft-aged.compsoc"; - port = "25519"; - } - { - address = "minecraft.gsoc"; - port = "25521"; - } - { - address = "minecraft.phildeb"; - port = "25522"; - } - { - address = "minecraft.anime"; - port = "25523"; - } - ]; -in { imports = [ + ../acme.nix + ../dns.nix + ../firewall.nix + ../nginx.nix + inputs.arion.nixosModules.arion ]; - config = { - services.skynet.dns.records = (create_cname servers) ++ (create_srv servers); + options.services.skynet_games_minecraft = { + enable = mkEnableOption "Skynet Games Minecraft"; + + host = { + ip = mkOption { + type = types.str; + }; + + name = mkOption { + type = types.str; + }; + }; + + domain = { + tld = mkOption { + type = types.str; + default = "ie"; + }; + + base = mkOption { + type = types.str; + default = "skynet"; + }; + + sub = mkOption { + type = types.str; + default = "minecraft.games"; + }; + }; }; -} + + config = mkIf cfg.enable { + skynet_firewall.forward = [ + "ip daddr ${cfg.host.ip} tcp dport 80 
counter packets 0 bytes 0 accept" + "ip daddr ${cfg.host.ip} tcp dport 443 counter packets 0 bytes 0 accept" + "ip daddr ${cfg.host.ip} tcp dport 25565 counter packets 0 bytes 0 accept" + ]; + + skynet_acme.domains = [ + "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" + "*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" + ]; + + skynet_dns.records = [ + # the minecraft (web) config server + {record="config.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} + + # our own minecraft hosts + {record="compsoc_classic.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} + {record="compsoc.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} + + # gsoc servers + {record="gsoc.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} + {record="gsoc_abridged.${cfg.domain.sub}"; r_type="CNAME"; value=cfg.host.name;} + ]; + + networking.firewall.allowedTCPPorts = [ + # for the proxy + 25565 + ]; + + services.nginx.virtualHosts = { + + # https://config.minecraft.games.skynet.ie + "config.${short_domain}" = { + forceSSL = true; + useACMEHost = "skynet"; + locations."/" = { + proxyPass = "https://localhost:8443"; + proxyWebsockets = true; + }; + }; + + # https://compsoc_classic.minecraft.games.skynet.ie/map/ + "compsoc_classic.${short_domain}" = { + forceSSL = true; + useACMEHost = "skynet"; + locations."/map/".alias = "/etc/games/minecraft/craftycontrol/servers/f4c5eb33-c6d6-421c-81ab-ded31f6e8750/plugins/dynmap/web/"; + }; + + }; + + # arion is one way to use docker on nixos + # see https://gitlab.com/c2842/computer_society/nixos/-/blob/733b867f4782afa795848135a83e97a5cafaf16a/applications/games/minecraft.nix + # for an example of a single compose file with multiple services + virtualisation.arion = { + backend = "docker"; + projects = { + + minecraft.settings.services = { + mc_proxy.service = { + image = "itzg/mc-router:1.18.0"; + ports = [ "25565:25565/tcp" ]; + expose = [ "25565" ]; + command = [ + 
"--mapping=compsoc_classic.${short_domain}=mc_config:20000,compsoc.${short_domain}=mc_config:20001,gsoc.${short_domain}=mc_config:20002,gsoc.${short_domain}=mc_config:20002,gsoc_abridged.${short_domain}=mc_config:20003" + ]; + }; + + mc_config.service = { + image = "registry.gitlab.com/crafty-controller/crafty-4:4.1.1"; + + environment = { + TZ="Etc/UTC"; + }; + + volumes = [ + "/etc/games/minecraft/craftycontrol/backups:/crafty/backups" + "/etc/games/minecraft/craftycontrol/logs:/crafty/logs" + "/etc/games/minecraft/craftycontrol/servers:/crafty/servers" + "/etc/games/minecraft/craftycontrol/config:/crafty/app/config" + "/etc/games/minecraft/craftycontrol/import:/crafty/import" + ]; + + ports = [ + # this ius https only + "8443:8443/tcp" + # compsoc classic + "20000:20000/tcp" + # compsoc + "20001:20001/tcp" + # games + "20002:20002/tcp" + ]; + }; + }; + }; + }; + }; +} \ No newline at end of file diff --git a/applications/git/forgejo.nix b/applications/git/forgejo.nix deleted file mode 100644 index cfe0a60..0000000 --- a/applications/git/forgejo.nix +++ /dev/null 
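Review bot: The `mc_config.service.ports` list publishes the Crafty Controller web UI (`8443`) and the backend server ports (`20000`–`20002`) on every host interface, and Docker-published ports are generally accepted by Docker's own firewall chains ahead of the host rules, so `networking.firewall.allowedTCPPorts` opening only `25565` does not restrict them; the web UI is already fronted by nginx via `proxyPass = "https://localhost:8443"`, so binding it as `"127.0.0.1:8443:8443/tcp"` keeps the admin interface behind the proxy, and the `2000x` entries can be dropped because `mc_proxy` reaches `mc_config` over the compose network (which the `--mapping=...=mc_config:20000` entries already rely on). Separately, the `--mapping` string lists `gsoc.${short_domain}=mc_config:20002` twice. The `/map/` alias hard-codes a server UUID path that deserves a comment naming which Crafty server it belongs to.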
@@ -1,139 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: -with lib; let - name = "forgejo"; - cfg = config.services.skynet."${name}"; - - domain_base = "${cfg.domain.base}.${cfg.domain.tld}"; - domain_full = "${cfg.domain.sub}.${domain_base}"; -in { - imports = [ - ]; - - options.services.skynet."${name}" = { - enable = mkEnableOption "Skynet Forgejo"; - - domain = { - tld = mkOption { - type = types.str; - default = "ie"; - }; - - base = mkOption { - type = types.str; - default = "skynet"; - }; - - sub = mkOption { - type = types.str; - default = name; - }; - }; - - forgejo = { - port = mkOption { - type = types.port; - default = 3000; - }; - }; - }; - - config = mkIf cfg.enable { - # age.secrets.forgejo-mailer-password = { - # file = ../../secrets/forgejo/mailer-password.age; - # mode = "400"; - # owner = "forgejo"; - # }; - - services.skynet.acme.domains = [ - "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" - ]; - - # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide - services.skynet.dns.records = [ - { - record = cfg.domain.sub; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - ]; - - services.nginx.virtualHosts = { - # main site - "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/" = { - proxyPass = "http://localhost:${toString cfg.forgejo.port}"; - extraConfig = '' - add_header Content-Security-Policy "frame-ancestors 'self' https://silver.users.skynet.ie"; - client_max_body_size 1000M; - ''; - }; - }; - }; - - # for signing reasons - programs.gnupg.agent = { - enable = true; - enableSSHSupport = true; - }; - - services.forgejo = { - enable = true; - package = pkgs.forgejo; - database.type = "sqlite3"; - # Enable support for Git Large File Storage - lfs.enable = true; - settings = { - server = { - DOMAIN = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; - # You need to specify this to remove the port from URLs in 
the web UI. - ROOT_URL = "https://${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}/"; - HTTP_PORT = cfg.forgejo.port; - }; - - # You can temporarily allow registration to create an admin user. - service.DISABLE_REGISTRATION = true; - - # Add support for actions, based on act: https://github.com/nektos/act - actions = { - ENABLED = true; - DEFAULT_ACTIONS_URL = "github"; - }; - - indexer = { - # Will consume more disk space, but we have plenty of that - REPO_INDEXER_ENABLED = true; - }; - - database = { - SQLITE_JOURNAL_MODE = "WAL"; - }; - - # Allow for signing off merge requests - # "repository.signing" = { - # SIGNING_KEY = "5B2DED0FE9F8627A"; - # SIGNING_NAME = "Skynet"; - # SIGNING_EMAIL = "forgejo@glados.skynet.ie"; - # MERGES = "always"; - # }; - - # Sending emails is completely optional - # You can send a test email from the web UI at: - # Profile Picture > Site Administration > Configuration > Mailer Configuration - # mailer = { - # ENABLED = true; - # SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}"; - # FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; - # USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; - # }; - }; - # mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path; - }; - }; -} diff --git a/applications/git/forgejo_runner.nix b/applications/git/forgejo_runner.nix deleted file mode 100644 index c43ecec..0000000 --- a/applications/git/forgejo_runner.nix +++ /dev/null 
@@ -1,161 +0,0 @@ -{ - config, - pkgs, - lib, - inputs, - ... -}: -with lib; let - name = "forgejo_runner"; - cfg = config.services.skynet."${name}"; -in { - imports = [ - ]; - - options.services.skynet."${name}" = { - enable = mkEnableOption "Skynet ForgeJo Runner"; - - name = mkOption { - type = types.str; - default = config.networking.hostName; - }; - - website = mkOption { - default = "https://forgejo.skynet.ie"; - type = types.str; - }; - - user = mkOption { - default = "gitea-runner"; - type = types.str; - }; - - secret = mkOption { - type = types.path; - }; - }; - - config = mkIf cfg.enable { - # https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner. - environment.systemPackages = with pkgs; [ - forgejo-actions-runner - ]; - - age.secrets.forgejo_runner_token = { - file = cfg.secret; - owner = cfg.user; - group = cfg.user; - }; - - # make sure the ssh config stuff is in teh right palce - systemd.tmpfiles.rules = [ - #"d /home/${cfg.user} 0755 ${cfg.user} ${cfg.user}" - "L+ /home/${cfg.user}/.ssh/config 0755 ${cfg.user} ${cfg.user} - ${./ssh_config}" - ]; - age.secrets.forgejo_runner_ssh = { - file = ../../secrets/forgejo/runners/ssh.age; - mode = "600"; - owner = "${cfg.user}"; - group = "${cfg.user}"; - symlink = false; - path = "/home/${cfg.user}/.ssh/skynet/root"; - }; - - nix = { - settings = { - trusted-users = [ - # allow the runner to build nix stuff and to use the cache - "gitea-runner" - ]; - trusted-public-keys = [ - "skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo=" - "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - ]; - substituters = [ - "https://nix-cache.skynet.ie/skynet-cache/" - "https://cache.nixos.org/" - ]; - trusted-substituters = [ - "https://nix-cache.skynet.ie/skynet-cache/" - "https://cache.nixos.org/" - ]; - }; - }; - - # very basic setup to always be watching for changes in teh cache - systemd.services.attic-uploader = { - enable = true; - serviceConfig 
= { - ExecStart = "${pkgs.attic-client}/bin/attic watch-store skynet-cache"; - User = "root"; - Restart = "always"; - RestartSec = 1; - }; - }; - - # give teh runner user a home to store teh ssh config stuff - systemd.services.gitea-runner-default.serviceConfig = { - DynamicUser = lib.mkForce false; - User = lib.mkForce cfg.user; - }; - users = { - groups."${cfg.user}" = {}; - users."${cfg.user}" = { - #isSystemUser = true; - isNormalUser = true; - group = cfg.user; - createHome = true; - shell = pkgs.bash; - }; - }; - - boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1 - virtualisation.docker.enable = true; - - # taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128 - virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"]; - - # the actual runner - services.gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; - instances.default = { - enable = true; - name = cfg.name; - url = cfg.website; - tokenFile = config.age.secrets.forgejo_runner_token.path; - labels = [ - ## optionally provide native execution on the host: - "nix:host" - "docker:docker://node:22-bookworm" - "ubuntu-latest:docker://node:22-bookworm" - ]; - - hostPackages = with pkgs; [ - # default ones - bash - coreutils - curl - gawk - git - gnused - nodejs - wget - - # useful to have in path - jq - which - dpkg - zip - git-lfs - - # used in deployments - inputs.colmena.defaultPackage."x86_64-linux" - attic-client - lix - openssh - sudo - ]; - }; - }; - }; -} diff --git a/applications/git/ssh_config b/applications/git/ssh_config deleted file mode 100644 index 70bbef0..0000000 --- a/applications/git/ssh_config +++ /dev/null @@ -1,5 +0,0 @@ -Host *.skynet.ie 193.1.99.* 193.1.96.165 - User root - IdentityFile ~/.ssh/skynet/root - IdentitiesOnly yes - diff --git a/applications/git/gitlab.nix b/applications/gitlab.nix similarity index 68% rename from applications/git/gitlab.nix rename to applications/gitlab.nix index 0d90b7b..8ecda83 100644 
--- a/applications/git/gitlab.nix +++ b/applications/gitlab.nix @@ -1,22 +1,28 @@ -{ - config, - pkgs, - lib, - ... -}: -with lib; let - name = "gitlab"; - cfg = config.services.skynet."${name}"; - - domain_base = "${cfg.domain.base}.${cfg.domain.tld}"; - domain_full = "${cfg.domain.sub}.${domain_base}"; -in { +{ config, pkgs, lib, ... }: + with lib; + let + cfg = config.services.skynet_gitlab; + in { imports = [ + ./acme.nix + ./dns.nix + ./firewall.nix + ./nginx.nix ]; - options.services.skynet."${name}" = { + options.services.skynet_gitlab = { enable = mkEnableOption "Skynet Gitlab"; + host = { + ip = mkOption { + type = types.str; + }; + + name = mkOption { + type = types.str; + }; + }; + domain = { tld = mkOption { type = types.str; @@ -30,7 +36,7 @@ in { sub = mkOption { type = types.str; - default = name; + default = "gitlab"; }; }; @@ -46,7 +52,9 @@ in { default = "dc=skynet,dc=ie"; description = lib.mdDoc "The base address in the ldap server"; }; + }; + }; config = mkIf cfg.enable { 
@@ -56,77 +64,47 @@ in { # grep -r --exclude-dir={docker,containers,log,sys,nix,proc} gitlab / age.secrets.gitlab_pw = { - file = ../../secrets/gitlab/pw.age; + file = ../secrets/gitlab/pw.age; owner = cfg.user; group = cfg.user; }; age.secrets.gitlab_secrets_db = { - file = ../../secrets/gitlab/secrets_db.age; + file = ../secrets/gitlab/secrets_db.age; owner = cfg.user; group = cfg.user; }; age.secrets.gitlab_secrets_secret = { - file = ../../secrets/gitlab/secrets_secret.age; + file = ../secrets/gitlab/secrets_secret.age; owner = cfg.user; group = cfg.user; }; age.secrets.gitlab_secrets_otp = { - file = ../../secrets/gitlab/secrets_otp.age; + file = ../secrets/gitlab/secrets_otp.age; owner = cfg.user; group = cfg.user; }; age.secrets.gitlab_secrets_jws = { - file = ../../secrets/gitlab/secrets_jws.age; + file = ../secrets/gitlab/secrets_jws.age; owner = cfg.user; group = cfg.user; }; age.secrets.gitlab_db_pw = { - file = ../../secrets/gitlab/db_pw.age; + file = ../secrets/gitlab/db_pw.age; owner = cfg.user; group = cfg.user; }; - services.skynet.acme.domains = [ + skynet_acme.domains = [ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" # Lets Encrypt seems to have a 4 levels limit for certs - "*.pages.${cfg.domain.base}.${cfg.domain.tld}" + "*.pages.${cfg.domain.base}.${cfg.domain.tld}" ]; # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide - services.skynet.dns.records = [ - { - record = cfg.domain.sub; - r_type = "A"; - value = config.services.skynet.host.ip; - } + skynet_dns.records = [ + {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} # for gitlab pages - { - record = "*.pages.${cfg.domain.base}.${cfg.domain.tld}."; - r_type = "A"; - value = config.services.skynet.host.ip; - } - - # for email - { - record = "${cfg.domain.sub}"; - r_type = "MX"; - value = ''10 ${domain_full}.''; - } - { - record = config.services.skynet.host.ip; - r_type = "PTR"; - value = 
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}."; - } - { - record = "${domain_full}."; - r_type = "TXT"; - value = ''"v=spf1 a:gitlab.skynet.ie -all"''; - } - { - record = "_dmarc.${domain_full}."; - r_type = "TXT"; - value = ''"v=DMARC1; p=none"''; - } + {record="*.pages.${cfg.domain.base}.${cfg.domain.tld}."; r_type="A"; value=cfg.host.ip;} ]; networking.firewall.allowedTCPPorts = [ @@ -134,19 +112,14 @@ in { 2222 ]; - services.openssh.ports = [22 2222]; + services.openssh.ports = [ 22 2222 ]; services.nginx.virtualHosts = { # main site "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = { forceSSL = true; useACMEHost = "skynet"; - locations."/" = { - proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; - extraConfig = '' - client_max_body_size 1000M; - ''; - }; + locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; }; # pages @@ -157,13 +130,6 @@ in { }; }; - # set a valid HELO address - services.postfix = { - hostname = lib.mkForce domain_full; - origin = lib.mkForce domain_full; - domain = lib.mkForce domain_base; - }; - services.gitlab = { enable = true; @@ -197,11 +163,13 @@ in { auth-server = "https://gitlab.example.com"; */ }; + }; - - # use the local email client - smtp.enable = true; - + #smtp = { + # enable = true; + # address = "localhost"; + # port = 25; + #}; secrets = { dbFile = config.age.secrets.gitlab_secrets_db.path; secretFile = config.age.secrets.gitlab_secrets_secret.path; @@ -232,7 +200,7 @@ in { name = "cn"; }; - group_base = "ou=groups,${cfg.ldap.base}"; + group_base= "ou=groups,${cfg.ldap.base}"; admin_group = "skynet-admins"; sync_ssh_keys = "sshPublicKey"; @@ -244,9 +212,9 @@ in { # default for pages is set to 8090 but that leaves an "ugly" port in the url, # override it here to make it look good port = 80; - #external_http = ["${config.services.skynet.host.ip}:80"]; + #external_http = ["${cfg.host.ip}:80"]; }; }; }; }; -} +} \ No newline at end of file 
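Review bot: Collapsing the `/` location to `locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";` drops the `client_max_body_size 1000M;` that was attached to it, and nginx's default limit is 1m, so HTTP pushes, LFS uploads and large attachments through the workhorse socket will start failing with 413 unless the limit is set globally elsewhere (not visible here); keeping `locations."/".extraConfig = "client_max_body_size 1000M;";` next to the proxyPass avoids that. In hunk `@@ -197,11 +163,13 @@` the old `smtp.enable = true;` is replaced by a commented-out `#smtp = { ... }` block, which will rot — either delete it or add one line saying why notification mail is disabled. Hunk `@@ -232,7 +200,7 @@` changes `group_base = ` to `group_base= `, which is only a formatting regression and should be reverted before merge.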
diff --git a/applications/gitlab_runner.nix b/applications/gitlab_runner.nix
new file mode 100644
index 0000000..48559da
--- /dev/null
+++ b/applications/gitlab_runner.nix
@@ -0,0 +1,117 @@
+{ config, pkgs, lib, ... }:
+ with lib;
+ let
+ cfg = config.services.skynet_gitlab_runner;
+ in {
+ imports = [
+
+ ];
+
+ options.services.skynet_gitlab_runner = {
+ enable = mkEnableOption "Skynet Gitlab Runner";
+
+ runner = {
+ name = mkOption {
+ type = types.str;
+ };
+
+ gitlab = mkOption {
+ default = "https://gitlab.skynet.ie";
+ type = types.str;
+ };
+
+ description = mkOption {
+ default = cfg.runner.name;
+ type = types.str;
+ };
+
+ docker = {
+ image = mkOption {
+ default = "alpine:latest";
+ type = types.str;
+ };
+
+ cleanup_dates = mkOption {
+ # https://man.archlinux.org/man/systemd.time.7#CALENDAR_EVENTS
+ # it will use a lot of storage so clear it daily, may change to hourly if required
+ default = "daily";
+ type = types.str;
+ };
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ # https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
+ environment.systemPackages = [
+ pkgs.gitlab-runner
+ ];
+
+ age.secrets.runner_01_nix.file = ../secrets/gitlab/runners/runner01.age;
+ age.secrets.runner_02_general.file = ../secrets/gitlab/runners/runner02.age;
+
+ boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
+
+ # taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
+ virtualisation.docker.listenOptions = [ "/run/docker.sock" "127.0.0.1:2375" ];
+
+ services.gitlab-runner = {
+ enable = true;
+
+ clear-docker-cache = {
+ enable = true;
+ dates = cfg.runner.docker.cleanup_dates;
+ };
+
+ services = {
+ # might make a function later to have multiple runners, might never need it though
+ runner_nix = {
+ cloneUrl = cfg.runner.gitlab;
+ description = "For Nix only";
+ registrationFlags = [ "--docker-host" "tcp://127.0.0.1:2375" ];
+ registrationConfigFile = config.age.secrets.runner_01_nix.path;
+ dockerImage = cfg.runner.docker.image;
+
+ # from https://nixos.wiki/wiki/Gitlab_runner
+ dockerVolumes = [
+ "/nix/store:/nix/store:ro"
+ "/nix/var/nix/db:/nix/var/nix/db:ro"
+ "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+ ];
+ dockerDisableCache = true;
+ preBuildScript = pkgs.writeScript "setup-container" ''
+ mkdir -p -m 0755 /nix/var/log/nix/drvs
+ mkdir -p -m 0755 /nix/var/nix/gcroots
+ mkdir -p -m 0755 /nix/var/nix/profiles
+ mkdir -p -m 0755 /nix/var/nix/temproots
+ mkdir -p -m 0755 /nix/var/nix/userpool
+ mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+ mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+ mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+ mkdir -p -m 0700 "$HOME/.nix-defexpr"
+ . ${pkgs.nix}/etc/profile.d/nix-daemon.sh
+ ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-unstable nixpkgs # 3
+ ${pkgs.nix}/bin/nix-channel --update nixpkgs
+ ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
+ '';
+ environmentVariables = {
+ ENV = "/etc/profile";
+ USER = "root";
+ NIX_REMOTE = "daemon";
+ PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+ NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+ };
+ tagList = [ "nix" ];
+ };
+
+ runner_general = {
+ cloneUrl = cfg.runner.gitlab;
+ description = "General Runner";
+ registrationFlags = [ "--docker-host" "tcp://127.0.0.1:2375" ];
+ registrationConfigFile = config.age.secrets.runner_02_general.path;
+ dockerImage = cfg.runner.docker.image;
+ };
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/applications/grafana.nix b/applications/grafana.nix
deleted file mode 100644
index 953b02e..0000000
--- a/applications/grafana.nix
+++ /dev/null
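Review bot: `virtualisation.docker.listenOptions = [ "/run/docker.sock" "127.0.0.1:2375" ]` adds an unauthenticated TCP listener for the Docker API, and control of Docker is equivalent to root on the host; loopback keeps it off the network, but any local user and any job container that can reach the host loopback (host networking, for example) gets it, so the workaround from the linked issue should carry a comment stating that assumption and the runners should never be registered privileged or with host networking. The `dockerVolumes` entry for `/nix/var/nix/daemon-socket` is mounted `:ro`, which does not stop a client from connecting to the socket, and `environmentVariables` sets `USER = "root"` with `NIX_REMOTE = "daemon"`, so jobs presumably talk to the host nix-daemon as uid 0 and are treated as trusted users able to import arbitrary paths into the host store — worth a comment either way. `preBuildScript` pulls `nixos-unstable` at the start of every job and the default `docker.image` is `alpine:latest`, so builds depend on whatever those tags resolve to on the day; pin the channel and image or document that floating is intentional. Finally, `runner.name` (required, no default) and `runner.description` are never read in the `config` block — both runners use literal descriptions — so the options are dead and should be wired in (`description = cfg.runner.description;`) or removed.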
@@ -1,81 +0,0 @@ -{ - lib, - config, - ... -}: -with lib; let - name = "grafana"; - cfg = config.services.skynet."${name}"; - port = 4444; -in { - imports = [ - ]; - - options.services.skynet."${name}" = { - enable = mkEnableOption "Grafana Server"; - - datasource = { - name = mkOption { - type = types.str; - }; - - url = mkOption { - type = types.str; - }; - }; - }; - - config = mkIf cfg.enable { - services.skynet.dns.records = [ - { - record = "${name}"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - ]; - - services.skynet.acme.domains = [ - "${name}.skynet.ie" - ]; - - age.secrets.grafana_pw = { - file = ../secrets/grafana/pw.age; - owner = "grafana"; - group = "grafana"; - }; - - services.grafana = { - enable = true; - domain = "${name}.skynet.ie"; - port = port; - - settings.server.root_url = "https://${name}.skynet.ie"; - - settings.security.admin_password = "$__file{${config.age.secrets.grafana_pw.path}}"; - - provision = { - enable = true; - datasources.settings.datasources = [ - { - name = "Prometheus"; - type = "prometheus"; - url = "http://localhost:${toString config.services.skynet.prometheus.server.port}"; - isDefault = true; - editable = true; - } - ]; - }; - }; - - services.nginx.virtualHosts = { - "${name}.skynet.ie" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/" = { - proxyPass = "http://localhost:${toString port}"; - proxyWebsockets = true; - }; - }; - }; - }; -} diff --git a/applications/ldap/backend.nix b/applications/ldap/backend.nix index a24f259..b5baf68 100644 --- a/applications/ldap/backend.nix +++ b/applications/ldap/backend.nix 
@@ -1,23 +1,30 @@ -{ - config, - pkgs, - lib, - inputs, - ... -}: -with lib; let - name = "ldap_backend"; - cfg = config.services.skynet."${name}"; - port_backend = "8087"; -in { +{ config, pkgs, lib, inputs, ... }: + with lib; + let + cfg = config.services.ldap_backend; + port_backend = "8087"; + in { + imports = [ + ../acme.nix + ../dns.nix + ../nginx.nix inputs.skynet_ldap_backend.nixosModule."x86_64-linux" - ../../config/users.nix ]; - options.services.skynet."${name}" = { + options.services.ldap_backend = { enable = mkEnableOption "Skynet LDAP backend server"; + host = { + ip = mkOption { + type = types.str; + }; + + name = mkOption { + type = types.str; + }; + }; + domain = { tld = mkOption { type = types.str; 
@@ -37,43 +44,65 @@ in { }; config = mkIf cfg.enable { + #backups = [ "/etc/silver_ul_ical/database.db" ]; - age.secrets.ldap_details.file = ../../secrets/ldap/details.age; - age.secrets.ldap_mail.file = ../../secrets/email/details.age; - age.secrets.ldap_wolves.file = ../../secrets/wolves/details.age; + age.secrets.ldap_self_service.file = ../../secrets/ldap/self_service.age; + age.secrets.ldap_discord.file = ../../secrets/discord/ldap.age; - services.skynet.acme.domains = [ + skynet_acme.domains = [ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" ]; - services.skynet.dns.records = [ - { - record = cfg.domain.sub; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } + skynet_dns.records = [ + {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} ]; services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = { forceSSL = true; useACMEHost = "skynet"; locations."/".proxyPass = "http://localhost:${port_backend}"; + +# extraConfig = '' +# add_header Access-Control-Allow-Origin "https://account.${cfg.domain.base}.${cfg.domain.tld}"; +# ''; + extraConfig = '' + add_header Access-Control-Allow-Origin "*"; + ''; }; - # this got imported services.skynet_ldap_backend = { enable = true; # contains teh password in env form env = { - ldap = config.age.secrets.ldap_details.path; - mail = config.age.secrets.ldap_mail.path; - wolves = config.age.secrets.ldap_wolves.path; + ldap = config.age.secrets.ldap_self_service.path; + discord = config.age.secrets.ldap_discord.path; + }; + + ldap = { + host = "ldaps://account.skynet.ie"; + admin = "uid=ldap_api,ou=users,dc=skynet,dc=ie"; + }; + + users = { + admin = [ + "silver" + "evanc" + "eoghanconlon73" + ]; + committee = [ + "grym" + "dawidk5" + "leo" + "silver" + "eoghanconlon73" + ]; + lifetime = []; + banned = []; }; host_port = "127.0.0.1:${port_backend}"; - users = config.skynet.users; }; }; } 
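Review bot: The nginx vhost now sends `add_header Access-Control-Allow-Origin "*";`, which lets JavaScript on any website read responses from the account backend; the commented-out line immediately above shows the intended single origin, so unless this API is deliberately public it should be `add_header Access-Control-Allow-Origin "https://account.${cfg.domain.base}.${cfg.domain.tld}";` with a short comment if the wildcard is a temporary test setting. If more than one origin is needed, match `$http_origin` against an allow-list with an nginx `map` rather than opening it to everyone. Separately, `users.admin` and `users.committee` are now hard-coded usernames in this module instead of the shared `config.skynet.users` the old code read, so privileged access is granted from a second place that has to be kept in sync with user management — a comment naming the canonical list would help the next reviewer. `ldap.host` and `ldap.admin` are also literal strings while the rest of the module derives names from `cfg.domain`, which is a small inconsistency.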
diff --git a/applications/ldap/client.nix b/applications/ldap/client.nix index 038907d..2a7324a 100644 --- a/applications/ldap/client.nix +++ b/applications/ldap/client.nix @@ -1,36 +1,28 @@ -{ - config, - pkgs, - lib, - ... -}: -with lib; let - name = "ldap_client"; - cfg = config.services.skynet."${name}"; +{ config, pkgs, lib, ... }: + with lib; + let + cfg = config.services.skynet_ldap_client; - # always ensure the admin group has access - create_filter_check_admin = x: - if !(builtins.elem "skynet-admins" x) - then x ++ ["skynet-admins"] - else x; + # always ensure the admin group has access + create_filter_check_admin = (x: if !(builtins.elem "skynet-admins" x) then x ++ ["skynet-admins"] else x); - # create teh new strings - create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})"); + # create teh new strings + create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})"); - create_filter_join = x: concatStringsSep "" x; + create_filter_join = (x: concatStringsSep "" x); - # thought you could escape racket? - create_filter = x: create_filter_join (create_filter_array (create_filter_check_admin x)); + # thought you could escape racket? + create_filter = (x: create_filter_join (create_filter_array (create_filter_check_admin x) ) ); + + in { - sudo_create_filter = x: (concatStringsSep ", " (map (x: "cn=${x},ou=groups,${cfg.base}") x)); -in { # these are needed for teh program in question imports = []; # give users access to this server - #services.skynet.ldap_client.groups = ["skynet-users-linux"]; + #services.skynet_ldap_client.groups = ["skynet-users-linux"]; - options.services.skynet."${name}" = { + options.services.skynet_ldap_client = { # options that need to be passed in to make this work enable = mkEnableOption "Skynet LDAP client"; 
@@ -54,13 +46,7 @@ in { ]; description = lib.mdDoc "Groups we want to allow access to the server"; }; - sudo_groups = mkOption { - type = types.listOf types.str; - default = [ - "skynet-admins-linux" - ]; - description = lib.mdDoc "Groups we want to allow access to the server"; - }; + }; config = mkIf cfg.enable { @@ -68,17 +54,10 @@ in { security.sudo.extraRules = [ # admin group has sudo access - { - groups = cfg.sudo_groups; - commands = [ - { - command = "ALL"; - options = ["NOPASSWD"]; - } - ]; - } + { groups = [ "skynet-admins-linux" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; } ]; + # give users a home dir security.pam.services.sshd.makeHomeDir = true; @@ -89,7 +68,7 @@ in { # tell users where tehy cna setup their ssh key banner = '' If you get 'Permission denied (publickey,keyboard-interactive)' you need to add an ssh key on https://${cfg.address} - ''; + ''; }; services.sssd = { 
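Review bot: The sudo rule in `@@ -68,17 +54,10 @@` is now `groups = [ "skynet-admins-linux" ]` with `command = "ALL"` and `NOPASSWD`, so membership in an LDAP group grants unrestricted passwordless root on every client, and the group name is duplicated between this rule and `ldap_sudo_search_base` in `@@ -98,41 +77,41 @@`; the deleted `sudo_groups` option kept it in one place, so a single binding such as `sudo_group = "skynet-admins-linux";` in the `let` used by both would avoid drift. Passwordless `ALL` means a stolen SSH key is immediately root; if that is intended for automation, say so in a comment, otherwise dropping `NOPASSWD` is the cheapest mitigation.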
@@ -98,41 +77,41 @@ in { sshAuthorizedKeysIntegration = true; config = '' - [domain/skynet.ie] - id_provider = ldap - auth_provider = ldap - sudo_provider = ldap +[domain/skynet.ie] +id_provider = ldap +auth_provider = ldap +sudo_provider = ldap - ldap_uri = ldaps://${cfg.address}:636 +ldap_uri = ldaps://${cfg.address}:636 - ldap_search_base = ${cfg.base} - # thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d - ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups}) - ldap_group_search_base = ou=groups,${cfg.base} - # using commas from https://support.hpe.com/hpesc/public/docDisplay?docId=c02793175&docLocale=en_US - ldap_sudo_search_base, ${sudo_create_filter cfg.sudo_groups} +ldap_search_base = ${cfg.base} +# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d +ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups}) +ldap_group_search_base = ou=groups,${cfg.base} +ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base} - ldap_group_nesting_level = 5 +ldap_group_nesting_level = 5 - cache_credentials = false - entry_cache_timeout = 1 +cache_credentials = false +entry_cache_timeout = 1 - ldap_user_member_of = skMemberOf +ldap_user_member_of = skMemberOf - [sssd] - config_file_version = 2 - services = nss, pam, sudo, ssh - domains = skynet.ie +[sssd] +config_file_version = 2 +services = nss, pam, sudo, ssh +domains = skynet.ie - [nss] - # override_homedir = /home/%u +[nss] +# override_homedir = /home/%u - [pam] +[pam] - [sudo] +[sudo] - [autofs] +[autofs] ''; }; + }; -} +} \ No newline at end of file diff --git a/applications/ldap/server.nix b/applications/ldap/server.nix index ee55600..b63861f 100644 --- a/applications/ldap/server.nix +++ b/applications/ldap/server.nix 
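Review bot: `ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}` points sssd's sudo provider at a group entry, but that setting names the subtree searched for `sudoRole` objects, so unless such objects live under that DN the `sudo_provider = ldap` and `[sudo]` lines contribute nothing and all sudo access comes from the local `security.sudo.extraRules` in `@@ -68,17 +54,10 @@`; either point it at a real sudoers subtree or drop the LDAP sudo provider and note that in a comment, and confirm with `sudo -l` on a client which rules are in effect. `entry_cache_timeout = 1` together with `cache_credentials = false` means every lookup goes to the LDAP server and logins fail as soon as `ldaps://${cfg.address}` is unreachable, which is a reasonable freshness trade-off but deserves a comment. The config is now flush-left inside the `''` string, which is fine for sssd.conf but differs from the indented strings elsewhere in this commit (for example the `preBuildScript` in applications/gitlab_runner.nix).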
@@ -1,27 +1,37 @@ /* Gonna use a priper nixos module for this */ -{ - config, - pkgs, - lib, - inputs, - ... -}: -with lib; let - name = "ldap"; - cfg = config.services.skynet."${name}"; - domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; -in { + +{ config, pkgs, lib, inputs, ... }: + with lib; + let + cfg = config.services.skynet_ldap; + in { + # these are needed for teh program in question imports = [ + ../acme.nix + ../dns.nix + ../nginx.nix + ./backend.nix ]; - options.services.skynet."${name}" = { + + options.services.skynet_ldap = { # options that need to be passed in to make this work enable = mkEnableOption "Skynet LDAP service"; + host = { + ip = mkOption { + type = types.str; + }; + + name = mkOption { + type = types.str; + }; + }; + domain = { tld = mkOption { type = types.str; @@ -51,6 +61,14 @@ in { }; config = mkIf cfg.enable { + + # passthrough to the backend + services.ldap_backend = { + enable = true; + host.ip = cfg.host.ip; + host.name = cfg.host.name; + }; + # after changing teh password openldap.service has to be restarted age.secrets.ldap_pw = { file = ../../secrets/ldap/pw.age; @@ -59,16 +77,12 @@ in { group = "openldap"; }; - services.skynet.acme.domains = [ - domain + skynet_acme.domains = [ + "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" ]; - services.skynet.dns.records = [ - { - record = cfg.domain.sub; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } + skynet_dns.records = [ + {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} ]; # firewall on teh computer itself @@ -78,7 +92,7 @@ in { ]; services.nginx.virtualHosts = { - ${domain} = { + "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = { forceSSL = true; useACMEHost = "skynet"; locations."/" = { 
@@ -97,29 +111,25 @@ in { # using https://nixos.wiki/wiki/OpenLDAP for base config systemd.services.openldap = { - wants = ["acme-${cfg.domain.base}.service"]; - after = ["acme-${cfg.domain.base}.service"]; + wants = [ "acme-${cfg.domain.base}.service" ]; + after = [ "acme-${cfg.domain.base}.service" ]; }; - users.groups.acme.members = ["openldap"]; + users.groups.acme.members = [ "openldap" ]; services.openldap = { # backup /var/lib/openldap/slapd.d enable = true; - /* - enable plain and secure connections - */ - urlList = ["ldap:///" "ldaps:///"]; + /* enable plain and secure connections */ + urlList = [ "ldap:///" "ldaps:///" ]; settings = { attrs = { olcLogLevel = "conns config"; - /* - settings for acme ssl - */ + /* settings for acme ssl */ olcTLSCACertificateFile = "/var/lib/acme/${cfg.domain.base}/full.pem"; olcTLSCertificateFile = "/var/lib/acme/${cfg.domain.base}/cert.pem"; olcTLSCertificateKeyFile = "/var/lib/acme/${cfg.domain.base}/key.pem"; 
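Review bot: `urlList = [ "ldap:///" "ldaps:///" ]` keeps a plaintext LDAP listener on all interfaces alongside LDAPS, and nothing in `settings.attrs` requires TLS for binds, so a simple bind to port 389 sends the password in the clear; if the plain listener is only for local tooling, bind it to loopback (`"ldap://127.0.0.1/"`) or add `olcSecurity = "simple_bind=128";` to refuse unprotected simple binds, and make the comment say why (`/* enable plain and secure connections */` says what, not why). The firewall hunk above is cut off, so whether 389 is reachable from outside is not visible here. `olcLogLevel = "conns config"` records every connection, which is useful for audit but noisy — a comment on where those logs are kept and for how long would help the next operator.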
@@ -144,74 +154,67 @@ in { ./skMemberOf.ldif ]; + "cn=modules".attrs = { - objectClass = ["olcModuleList"]; - cn = "modules"; + objectClass = [ "olcModuleList" ]; + cn = "modules"; olcModuleLoad = ["dynlist" "memberof" "refint" "pw-sha2"]; }; "olcDatabase={-1}frontend".attrs = { - objectClass = ["olcDatabaseConfig" "olcFrontendConfig"]; + objectClass = [ "olcDatabaseConfig" "olcFrontendConfig" ]; olcPasswordHash = "{SSHA512}"; }; "olcDatabase={1}mdb" = { attrs = { - objectClass = ["olcDatabaseConfig" "olcMdbConfig"]; + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; olcDatabase = "{1}mdb"; olcDbDirectory = "/var/lib/openldap/data"; olcSuffix = cfg.base; - /* - your admin account, do not use writeText on a production system - */ + /* your admin account, do not use writeText on a production system */ olcRootDN = "cn=admin,${cfg.base}"; olcRootPW.path = config.age.secrets.ldap_pw.path; + #olcOverlay = "memberof"; + olcAccess = [ - /* - custom access rules for userPassword attributes - */ - '' - {0}to attrs=userPassword + /* custom access rules for userPassword attributes */ + ''{0}to attrs=userPassword by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage by self write by anonymous auth - by * none - '' + by * none'' - '' - {1}to attrs=mail,sshPublicKey,cn,sn + ''{1}to attrs=mail,sshPublicKey,cn,sn,skDiscord by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage by self write - by * read - '' + by * read'' - /* - allow read on anything else - */ - '' - {2}to * + /* allow read on anything else */ + ''{2}to * by dn.exact="uid=ldap_api,ou=users,dc=skynet,dc=ie" manage - by * read - '' + by * read'' ]; + + }; # https://blog.oddbit.com/post/2013-07-22-generating-a-membero/ children = { "olcOverlay=dynlist".attrs = { - objectClass = ["olcOverlayConfig" "olcDynamicList"]; - olcOverlay = "dynlist"; + objectClass = [ "olcOverlayConfig" "olcDynamicList" ]; + olcOverlay = "dynlist"; olcDlAttrSet = "skPerson labeledURI skMemberOf"; }; "olcOverlay=memberof".attrs = 
{ - objectClass = ["olcOverlayConfig" "olcMemberOf" "olcConfig" "top"]; - olcOverlay = "memberof"; + objectClass = [ "olcOverlayConfig" "olcMemberOf" "olcConfig" "top" ]; + olcOverlay = "memberof"; olcMemberOfDangling = "ignore"; olcMemberOfRefInt = "TRUE"; @@ -220,7 +223,10 @@ in { olcMemberOfMemberOfAD = "memberOf"; }; }; + + }; + }; }; }; diff --git a/applications/ldap/skMemberOf.ldif b/applications/ldap/skMemberOf.ldif index 12b981e..af4385b 100644 --- a/applications/ldap/skMemberOf.ldif +++ b/applications/ldap/skMemberOf.ldif @@ -24,12 +24,24 @@ olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.4.1 EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.5.1 + NAME 'skDiscord' + DESC 'Discord username' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + ) olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.6.1 NAME 'skCreated' DESC 'When the account was created' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +#olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.7.1 +# NAME 'skEnabled' +# DESC 'TRUE/FALSE' +# EQUALITY booleanMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 +# ) # https://github.com/variablenix/ldap-mail-schema/blob/master/quota.schema olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.8.1 NAME 'quotaEmail' @@ -43,10 +55,16 @@ olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.9.1 EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} ) +olcAttributeTypes: ( 1.3.6.1.4.1.24441.1.10.1 + NAME 'skSecure' + DESC '1 if secure' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + ) olcObjectClasses: ( 1.3.6.1.4.1.24441.1.1.1 NAME 'skPerson' DESC 'skynet person' SUP top AUXILIARY MUST ( skMail $ skCreated ) - MAY ( skMemberOf $ skID $ quotaEmail $ quotaDisk ) + MAY ( skMemberOf $ skID $ skDiscord $ quotaEmail $ quotaDisk $ skSecure ) ) diff --git a/applications/nextcloud.nix b/applications/nextcloud.nix deleted file mode 100644 index bc7b1ae..0000000 --- a/applications/nextcloud.nix +++ /dev/null 
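Review bot: The `{1}` and `{2}` access rules end in `by * read`, which includes anonymous binds, so anyone who can reach the listeners can enumerate every account's `mail`, `sshPublicKey`, the new `skDiscord` value and all group memberships without credentials. The sssd config in applications/ldap/client.nix shows no bind DN, so the clients currently rely on that anonymous read; tightening to `by users read` therefore also needs `ldap_default_bind_dn`/`ldap_default_authtok` on the clients (or leaving anonymous read only on the attributes they need), and if anonymous read is intentional the `{2}` rule should carry a comment saying so. Note that `skDiscord` is added to the self-writable `{1}` set while `skSecure` (added in the ldif) is not, so it falls through to `{2}` — readable by everyone, writable only by `ldap_api` — which is probably right but worth a comment. The enclosing `settings` block continues outside the hunk.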
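Review bot: `skSecure` is defined as a case-insensitive string with `DESC '1 if secure'`, whereas the commented-out `skEnabled` in the first hunk uses the proper Boolean syntax (`SYNTAX 1.3.6.1.4.1.1466.115.121.1.7` with `EQUALITY booleanMatch`); either use the Boolean syntax here too or make the DESC state the allowed values and what "secure" means for an account, since a consumer cannot tell from `'1 if secure'` whether `0`, absent or `TRUE` are valid. The commented-out `skEnabled` also holds OID `1.3.6.1.4.1.24441.1.7.1`; a comment that the OID stays reserved would prevent a later clash. Because `skSecure` is `MAY` in `skPerson`, its meaning when absent should be documented somewhere the backend's checks can be compared against.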
@@ -1,136 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; let - name = "nextcloud"; - cfg = config.services.skynet."${name}"; - domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; -in { - imports = [ - ]; - - options.services.skynet."${name}" = { - enable = mkEnableOption "Skynet Nextcloud"; - - domain = { - tld = mkOption { - type = types.str; - default = "ie"; - }; - - base = mkOption { - type = types.str; - default = "skynet"; - }; - - sub = mkOption { - type = types.str; - default = name; - }; - }; - }; - - config = mkIf cfg.enable { - # shove the entire config file into secrets - - age.secrets.nextcloud_admin_pass = { - file = ../secrets/nextcloud/pw.age; - owner = "nextcloud"; - group = "nextcloud"; - }; - - services.skynet.acme.domains = [ - domain - "onlyoffice.${domain}" - "whiteboard.${domain}" - ]; - - services.skynet.dns.records = [ - { - record = cfg.domain.sub; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - { - record = "onlyoffice.${cfg.domain.sub}"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - { - record = "whiteboard.${cfg.domain.sub}"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - ]; - - # /var/lib/nextcloud/data - - services.nextcloud = { - enable = true; - package = pkgs.nextcloud30; - hostName = domain; - https = true; - - configureRedis = true; - - database.createLocally = true; - config = { - dbtype = "pgsql"; - adminpassFile = config.age.secrets.nextcloud_admin_pass.path; - }; - - appstoreEnable = true; - - extraApps = { - inherit (config.services.nextcloud.package.packages.apps) richdocuments; - }; - extraAppsEnable = true; - - settings = { - trusted_proxies = ["193.1.99.65"]; - default_phone_region = "IE"; - mail_smtpmode = "sendmail"; - mail_sendmailmode = "pipe"; - }; - }; - - environment.etc."nextcloud-whiteboard-secret".text = '' - JWT_SECRET_KEY=test123 - ''; - - services.nextcloud-whiteboard-server = { - enable = true; - 
settings.NEXTCLOUD_URL = "https://nextcloud.skynet.ie";
- secrets = ["/etc/nextcloud-whiteboard-secret"];
- };
-
- nixpkgs.config.allowUnfree = true;
- # impacted by https://github.com/NixOS /nixpkgs/issues/352443
- # services.onlyoffice = {
- # enable = true;
- # };
-
- services.nginx.virtualHosts = {
- ${domain} = {
- forceSSL = true;
- useACMEHost = "skynet";
- };
- "onlyoffice.${domain}" = {
- forceSSL = true;
- useACMEHost = "skynet";
- locations."/".proxyPass = "http://127.0.0.1:8000";
- };
- "whiteboard.${domain}" = {
- forceSSL = true;
- useACMEHost = "skynet";
- locations."/" = {
- proxyPass = "http://localhost:3002";
- proxyWebsockets = true;
- };
- };
- };
- };
-}
diff --git a/applications/nginx.nix b/applications/nginx.nix
index 5970a20..d2524fc 100644
--- a/applications/nginx.nix
+++ b/applications/nginx.nix
@@ -1,4 +1,5 @@
 # using K900's one https://gitlab.com/K900/nix/-/blob/a69502b8bf39fd99a85342b2f7989fe5896a6ae0/applications/base/nginx.nix
+
 {pkgs, ...}: {
 services.nginx = {
 enable = true;
@@ -9,6 +10,8 @@
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
+ statusPage = true;
+
 # give Nginx access to our certs
 group = "acme";
 };
diff --git a/applications/nix_cache/nix_cache.nix b/applications/nix_cache/nix_cache.nix
deleted file mode 100644
index aead693..0000000
--- a/applications/nix_cache/nix_cache.nix
+++ /dev/null
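Review bot: `statusPage = true;` enables nginx's `stub_status` endpoint with no comment saying what consumes it; as far as I recall NixOS serves it on a localhost-only virtual host, but that should be confirmed against the public vhosts sharing this nginx, and a line such as `# stub_status on localhost, scraped by the metrics exporter` (naming the real consumer) would explain the change. The enclosing `services.nginx` block starts outside the hunk.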
@@ -1,98 +0,0 @@ -/* -A nix cache for our use - - -atticd-atticadm make-token --sub "admin_username" --validity "10y" --pull "*" --push "*" --create-cache "*" --delete "*" --configure-cache "*" --configure-cache-retention "*" --destroy-cache "*" - -# for the gitlab runner, done eyarly -atticd-atticadm make-token --sub "wheatly-runner" --validity "1y" --pull "skynet-cache" --push "skynet-cache" - - -Documentation: -https://docs.attic.rs/introduction.html -*/ -{ - lib, - config, - pkgs, - ... -}: -with lib; let - name = "nix-cache"; - cfg = config.services.skynet."${name}"; -in { - imports = [ - ]; - - options.services.skynet."${name}" = { - enable = mkEnableOption "Skynet Nix Cache"; - }; - - config = mkIf cfg.enable { - services.skynet.acme.domains = [ - "${name}.skynet.ie" - ]; - - services.skynet.dns.records = [ - { - record = "${name}"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - ]; - - users.groups."nix-serve" = {}; - users.users."nix-serve" = { - isSystemUser = true; - group = "nix-serve"; - }; - - services.atticd = { - enable = true; - - # Replace with absolute path to your credentials file - environmentFile = "/etc/atticd.env"; - - settings = { - listen = "127.0.0.1:8080"; - - # Data chunking - # - # Warning: If you change any of the values here, it will be - # difficult to reuse existing chunks for newly-uploaded NARs - # since the cutpoints will be different. As a result, the - # deduplication ratio will suffer for a while after the change. - chunking = { - # The minimum NAR size to trigger chunking - # - # If 0, chunking is disabled entirely for newly-uploaded NARs. - # If 1, all NARs are chunked. 
- nar-size-threshold = 64 * 1024; # 64 KiB - - # The preferred minimum size of a chunk, in bytes - min-size = 16 * 1024; # 16 KiB - - # The preferred average size of a chunk, in bytes - avg-size = 64 * 1024; # 64 KiB - - # The preferred maximum size of a chunk, in bytes - max-size = 256 * 1024; # 256 KiB - }; - }; - }; - - networking.firewall.allowedTCPPorts = [80 443]; - services.nginx = { - clientMaxBodySize = "500m"; - virtualHosts = { - "${name}.skynet.ie" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/" = { - proxyPass = "http://127.0.0.1:8080"; - }; - }; - }; - }; - }; -} diff --git a/applications/open_governance/README.md b/applications/open_governance/README.md deleted file mode 100644 index 7ae398f..0000000 --- a/applications/open_governance/README.md +++ /dev/null @@ -1,17 +0,0 @@ -# Open Governance - -Started by DCU this is an initiative to make the running of (computer) societies more open and resilient. -The goal is to back these up in multiple locations. - - -| Uni | Tag | Repo | Notes | -|-----|----------|----------------------------------------------------------|-------| -| DCU | redbrick | https://github.com/redbrick/open-governance | | -| UL | skynet | https://gitlab.skynet.ie/compsoc1/compsoc/open-goverance | | -| | | | | - - -## Keys -We host our own keyserver: https://keyserver.skynet.ie -Use it in commands like so: -``gpg --keyserver hkp://keyserver.skynet.ie:80 --send-key KEY_ID`` diff --git a/applications/open_governance/keyserver.nix b/applications/open_governance/keyserver.nix deleted file mode 100644 index 7e239a7..0000000 --- a/applications/open_governance/keyserver.nix +++ /dev/null 
@@ -1,62 +0,0 @@ -/* -This file is for hosting teh open governance for other societies -*/ -{ - lib, - config, - pkgs, - ... -}: -with lib; let - name = "keyserver"; - cfg = config.services.skynet."${name}"; - port = 11371; -in { - imports = [ - ]; - - options.services.skynet."${name}" = { - enable = mkEnableOption "Skynet Public Keyserver"; - }; - - config = mkIf cfg.enable { - services.skynet.acme.domains = [ - "${name}.skynet.ie" - ]; - - services.skynet.dns.records = [ - { - record = "${name}"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - ]; - - services.hockeypuck = { - enable = true; - port = port; - }; - - # hockeypuck needs a database backend - services.postgresql = { - enable = true; - ensureDatabases = ["hockeypuck"]; - ensureUsers = [ - { - name = "hockeypuck"; - ensureDBOwnership = true; - } - ]; - }; - - services.nginx.virtualHosts = { - "${name}.skynet.ie" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/" = { - proxyPass = "http://localhost:${toString port}"; - }; - }; - }; - }; -} diff --git a/applications/open_governance/open_governance.nix b/applications/open_governance/open_governance.nix deleted file mode 100644 index 1b02248..0000000 --- a/applications/open_governance/open_governance.nix +++ /dev/null 
@@ -1,61 +0,0 @@ -/* -This file is for hosting teh open governance for other societies -*/ -{ - lib, - config, - pkgs, - ... -}: -with lib; let - # - instead of _ for dns reasons - name = "open-governance"; - - cfg = config.services.skynet."${name}"; - folder = "/var/skynet/${name}"; -in { - imports = [ - ]; - - options.services.skynet."${name}" = { - enable = mkEnableOption "Skynet Open Governance"; - }; - - config = { - services.skynet.acme.domains = [ - "${name}.skynet.ie" - ]; - - services.skynet.dns.records = [ - { - record = "${name}"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - ]; - - # create a folder to store the archives - systemd.tmpfiles.rules = [ - "d ${folder} 0755 ${config.services.nginx.user} ${config.services.nginx.group}" - "L+ ${folder}/README.md - - - - ${./README.md}" - ]; - - services.nginx.virtualHosts = { - "${name}.skynet.ie" = { - forceSSL = true; - useACMEHost = "skynet"; - root = folder; - locations = { - "/".extraConfig = "autoindex on;"; - - # show md files as plain text - "~ \.md".extraConfig = '' - types { - text/plain md; - } - ''; - }; - }; - }; - }; -} diff --git a/applications/pelican/Notes.md b/applications/pelican/Notes.md deleted file mode 100644 index d5cc785..0000000 --- a/applications/pelican/Notes.md +++ /dev/null @@ -1,6 +0,0 @@ -# Notes on Pelican - -## Panel - -* ``pelican-install`` is in env that can be used to isntall -* then go to ``panel-address.skynet.ie/installer`` to finish the setup diff --git a/applications/pelican/pelican-panel-install.nix b/applications/pelican/pelican-panel-install.nix deleted file mode 100644 index da372e4..0000000 --- a/applications/pelican/pelican-panel-install.nix +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - pkgs, - dir, -}: -pkgs.writeShellScriptBin "pelican-install" '' - DIR=${dir} - - echo "Installing Pelican panel to $DIR ..." - if [ -d $DIR ]; then - echo "Directory $DIR already exists, exiting" - exit 1 - fi - echo "Creating directory ..." - mkdir -p $DIR - cd $DIR - - echo "Downloading Pelican panel ..." - curl -L https://github.com/pelican-dev/panel/releases/latest/download/panel.tar.gz | tar -xzv - echo "Installing Pelican panel using composer ..." - yes | composer install --no-dev --optimize-autoloader - - echo "Setting up the environment ..." - yes "" | php artisan p:environment:setup - - echo "Setting permissions ..." - chmod -R 755 storage/* bootstrap/cache/ - chown -R nginx:acme $DIR - - echo "Pelican panel installed successfully" -'' diff --git a/applications/pelican/pelican-panel-update.nix b/applications/pelican/pelican-panel-update.nix deleted file mode 100644 index a159659..0000000 --- a/applications/pelican/pelican-panel-update.nix +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - pkgs, - dir, -}: -pkgs.writeShellScriptBin "pelican-update" '' - DIR=${dir} - - echo "Updateing Pelican panel in $DIR ..." - if [ -d $DIR ]; then - echo "Directory $DIR found, entering maintenance mode ..." - else - echo "Directory $DIR does not exist, exiting" - exit 1 - fi - - cd $DIR - php artisan down - - echo "Downloading Pelican panel update ..." - curl -L https://github.com/pelican-dev/panel/releases/latest/download/panel.tar.gz | tar -xzv - - echo "Setting permissions ..." - chmod -R 755 storage/* bootstrap/cache - - echo "Updating Pelican panel using composer ..." - yes | composer install --no-dev --optimize-autoloader - - echo "Clearing compiled template cache ..." - php artisan view:clear - php artisan config:clear - - echo "Optimizing Pelican panel ..." - php artisan filament:optimize - - echo "Updating the database ..." - php artisan migrate --seed --force - - echo "Setting permissions ..." - chown -R nginx:acme $DIR - - echo "Restart Pelican queue service ..." - systemctl restart pelican-queue.service - - echo "Exiting maintenance mode ..." - php artisan up - - echo "Pelican panel updated successfully" -'' diff --git a/applications/pelican/pelican-wing-package.nix b/applications/pelican/pelican-wing-package.nix deleted file mode 100644 index 8b0aa7b..0000000 --- a/applications/pelican/pelican-wing-package.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ - stdenv, - lib, - fetchurl, - docker, - gnutar, -}: -stdenv.mkDerivation rec { - pname = "pelican-wings"; - version = "v1.0.0-beta9"; - - src = fetchurl { - url = "https://github.com/pelican-dev/wings/releases/download/${version}/wings_linux_amd64"; - hash = "sha256-YaS1bthNSeWXH5drc2yensRqsRAOa2VXvivJOaPybqc="; - }; - - buildInputs = [docker gnutar]; - - phases = ["installPhase"]; - - installPhase = '' - install -D $src $out/bin/wings - ''; -} diff --git a/applications/pelican/pelican.nix b/applications/pelican/pelican.nix deleted file mode 100644 index a03980d..0000000 
--- a/applications/pelican/pelican.nix +++ /dev/null 
@@ -1,323 +0,0 @@ -{ - inputs, - pkgs, - lib, - config, - ... -}: -with lib; let - name = "pelican"; - cfg = config.services.skynet."${name}"; - php_pool = name; - domain_panel = "${cfg.panel.domain.sub}.${cfg.panel.domain.base}.${cfg.panel.domain.tld}"; - - packages = let - dir = cfg.panel.dir; - in [ - pkgs.curl - pkgs.gnutar - pkgs.unzip - pkgs.gzip - pkgs.php83 - pkgs.php83Packages.composer - pkgs.php83Extensions.gd - pkgs.php83Extensions.mysqli - pkgs.php83Extensions.mbstring - pkgs.php83Extensions.bcmath - pkgs.php83Extensions.xml - pkgs.php83Extensions.curl - pkgs.php83Extensions.zip - pkgs.php83Extensions.intl - pkgs.php83Extensions.sqlite3 - (import ./pelican-panel-update.nix { - inherit pkgs; - inherit dir; - }) - ]; -in { - imports = [ - ]; - - options.services.skynet."${name}" = { - panel = { - enable = mkEnableOption "Pelican Panel"; - - dir = mkOption { - type = types.str; - default = "/var/lib/pelican_panel"; - }; - - domain = { - tld = mkOption { - type = types.str; - default = "ie"; - }; - - base = mkOption { - type = types.str; - default = "skynet"; - }; - - sub = mkOption { - type = types.str; - #default = name; - default = "panel.games"; - }; - }; - }; - - wing = { - enable = mkEnableOption "Pelican Wing"; - - node_name = mkOption { - type = types.str; - }; - }; - }; - - config = mkMerge [ - (mkIf cfg.panel.enable { - services.skynet.acme.domains = [ - domain_panel - ]; - - # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide - services.skynet.dns.records = [ - { - record = cfg.panel.domain.sub; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - ]; - - environment.systemPackages = packages; - - systemd.timers."pelican-cron" = { - wantedBy = ["timers.target"]; - timerConfig = { - OnBootSec = "5m"; - OnUnitActiveSec = "1m"; - Unit = "pelican-cron.service"; - }; - }; - - systemd.services."pelican-cron" = { - script = '' - ${pkgs.php83}/bin/php ${cfg.panel.dir}/artisan schedule:run >> 
/dev/null 2>&1 - ''; - serviceConfig = { - Type = "oneshot"; - }; - }; - - systemd.services.pelican-queue = { - wantedBy = ["multi-user.target"]; - serviceConfig = { - User = config.services.nginx.user; - Group = config.services.nginx.group; - Restart = "always"; - ExecStart = "${pkgs.php83}/bin/php -q ${cfg.panel.dir}/artisan queue:work --tries=3"; - startLimitInterval = 180; - startLimitBurst = 30; - RestartSec = "5"; - }; - }; - - systemd.services.pelican-panel-setup = { - wantedBy = ["pelican-queue.target" "pelican-cron.target"]; - partOf = []; - path = packages; - serviceConfig = { - Type = "oneshot"; - User = "root"; - Group = "root"; - TimeoutSec = "infinity"; - Restart = "on-failure"; - RemainAfterExit = true; - ExecStart = pkgs.writeShellScript "pelican-panel-install" '' - DIR=${cfg.panel.dir} - - echo "Installing Pelican panel to $DIR ..." - if [ -d $DIR ]; then - echo "Directory $DIR already exists, exiting" - exit 1 - fi - echo "Creating directory ..." - mkdir -p $DIR - cd $DIR - - echo "Downloading Pelican panel ..." - curl -L https://github.com/pelican-dev/panel/releases/latest/download/panel.tar.gz | tar -xzv - echo "Installing Pelican panel using composer ..." - yes | composer install --no-dev --optimize-autoloader - - echo "Setting up the environment ..." - yes "" | php artisan p:environment:setup - - echo "Setting permissions ..." 
- chmod -R 755 storage/* bootstrap/cache/ - chown -R ${config.services.nginx.user}:${config.services.nginx.group} $DIR - - echo "Pelican panel installed successfully" - ''; - }; - }; - - services.phpfpm.pools.${php_pool} = { - user = config.services.nginx.user; - group = config.services.nginx.group; - settings = { - "listen.owner" = config.services.nginx.user; - "listen.group" = config.services.nginx.group; - "listen.mode" = "0600"; - "pm" = "dynamic"; - "pm.max_children" = 75; - "pm.start_servers" = 10; - "pm.min_spare_servers" = 5; - "pm.max_spare_servers" = 20; - "pm.max_requests" = 500; - "catch_workers_output" = 1; - }; - }; - - services.nginx.virtualHosts."${domain_panel}" = { - root = "${cfg.panel.dir}/public"; - - forceSSL = true; - useACMEHost = "skynet"; - - extraConfig = '' - index index.html index.htm index.php; - charset utf-8; - - access_log off; - error_log /var/log/nginx/pelican.app-error.log error; - - client_max_body_size 100m; - client_body_timeout 120s; - - sendfile off; - - ssl_session_cache shared:SSL:10m; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; - ssl_prefer_server_ciphers on; - - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header Content-Security-Policy "frame-ancestors 'self'"; - add_header X-Frame-Options DENY; - add_header Referrer-Policy same-origin; - ''; - - locations = { - "/" = { - extraConfig = '' - try_files $uri $uri/ /index.php?$query_string; - ''; - }; - - "/favicon.ico".extraConfig = '' - access_log off; - log_not_found off; - ''; - - "/robots.txt".extraConfig = '' - access_log off; - log_not_found off; - ''; - - "~ \\.php$" = { - extraConfig = '' - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass 
unix:${config.services.phpfpm.pools.${php_pool}.socket}; - fastcgi_index index.php; - include ${config.services.nginx.package}/conf/fastcgi_params; - fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M"; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param HTTP_PROXY ""; - fastcgi_intercept_errors off; - fastcgi_buffer_size 16k; - fastcgi_buffers 4 16k; - fastcgi_connect_timeout 300; - fastcgi_send_timeout 300; - fastcgi_read_timeout 300; - ''; - }; - - "~ /\\.ht".extraConfig = '' - deny all; - ''; - }; - }; - }) - - (mkIf cfg.wing.enable { - services.skynet.acme.domains = [ - "${cfg.wing.node_name}.${domain_panel}" - ]; - - # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide - services.skynet.dns.records = [ - { - record = "${cfg.wing.node_name}.${cfg.panel.domain.sub}"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - ]; - services.nginx.virtualHosts = { - "${cfg.wing.node_name}.${domain_panel}" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/".proxyPass = "http://127.0.0.1:8080"; - }; - }; - - networking.firewall.allowedTCPPorts = [8080 8443]; - - virtualisation.docker.enable = true; - - environment.systemPackages = [ - (pkgs.callPackage ./pelican-wing-package.nix {}) - ]; - - users.groups.pelican = {}; - users.users.pelican = { - #createHome = true; - isSystemUser = true; - #home = "/etc/pelican"; - group = "pelican"; - extraGroups = ["docker" "acme"]; - # X11 is to ensure the directory can be traversed - #homeMode = "711"; - }; - - systemd.services.pelican-wings = { - description = "Wings Daemon"; - after = ["docker.service"]; - requires = ["docker.service"]; - partOf = ["docker.service"]; - - serviceConfig = { - User = "root"; - WorkingDirectory = "/etc/pelican"; - LimitNOFILE = 4096; - PIDFile = "/var/run/wings/daemon.pid"; - ExecStart = "/run/current-system/sw/bin/wings"; - Restart = "on-failure"; - startLimitInterval = 180; - 
startLimitBurst = 30; - RestartSec = "5"; - }; - - wantedBy = ["multi-user.target"]; - }; - - systemd.tmpfiles.rules = [ - "L+ /etc/letsencrypt/live/${cfg.wing.node_name}.${domain_panel}/fullchain.pem - pelican acme - /var/lib/acme/skynet/fullchain.pem" - "L+ /etc/letsencrypt/live/${cfg.wing.node_name}.${domain_panel}/privkey.pem - pelican acme - /var/lib/acme/skynet/key.pem" - ]; - }) - ]; -} diff --git a/applications/prometheus.nix b/applications/prometheus.nix deleted file mode 100644 index a342a76..0000000 --- a/applications/prometheus.nix +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - nodes, - lib, - config, - ... -}: -with lib; let - name = "prometheus"; - cfg = config.services.skynet."${name}"; - - # dont have to worry about any external addresses for this - # create a list of either "ip@port" or "" - # the ""s then get filtered out by filter_empty - exporters = { - dns = ( - lib.attrsets.mapAttrsToList ( - key: value: - if value.config.services.skynet.dns.server.enable - then "${value.config.deployment.targetHost}:${toString value.config.services.prometheus.exporters.bind.port}" - else "" - ) - nodes - ); - node = lib.attrsets.mapAttrsToList (key: value: "${value.config.deployment.targetHost}:${toString value.config.services.prometheus.exporters.node.port}") nodes; - }; - - # clears any invalid entries - filter_empty = inputs: (builtins.filter (value: value != "") inputs); -in { - imports = []; - - options.services.skynet."${name}" = { - server = { - enable = mkEnableOption "Prometheus Server"; - - port = mkOption { - type = types.port; - default = 9001; - }; - }; - - external = { - node = mkOption { - type = types.listOf types.str; - default = []; - description = '' - To add other nodes outside of nix, specify ip and port that server should listen to here - ''; - }; - }; - - ports = { - node = mkOption { - type = types.port; - default = 9100; - }; - }; - }; - - config = mkMerge [ - { - services.prometheus.exporters.node = { - enable = true; - port = cfg.ports.node; - openFirewall = true; - # most collectors are on by default see https://github.com/prometheus/node_exporter for more options - enabledCollectors = ["systemd" "processes"]; - }; - } - (mkIf cfg.server.enable { - services.prometheus = { - enable = true; - port = cfg.server.port; - scrapeConfigs = [ - { - job_name = "node_exporter"; - static_configs = [ - { - targets = filter_empty (exporters.node ++ cfg.external.node); - } - ]; - } - { - job_name = "bind"; - static_configs = [ - { - targets = filter_empty exporters.dns; - } - ]; - } - ]; - }; - }) - ]; -} 
diff --git a/applications/restic.nix b/applications/restic.nix index e410a5f..1598acb 100644 --- a/applications/restic.nix +++ b/applications/restic.nix 
@@ -1,199 +1,199 @@ + # nodes is all the nodes -{ - lib, - config, - nodes, - pkgs, - ... -}: -with lib; let - name = "backup"; - cfg = config.services.skynet."${name}"; +{ lib, config, nodes, pkgs, ...}: with lib; + let + cfg = config.services.skynet_backup; - enable_client = cfg.normal.backups != null && cfg.normal.backups != []; - # since they should all have the same config we can do this - base = { - paths = cfg.normal.backups; - exclude = cfg.normal.exclude; - initialize = true; - passwordFile = config.age.secrets.restic.path; + # since they should all have the same config we can do this + base = { + paths = cfg.normal.backups; + exclude = cfg.normal.exclude; + initialize = true; + passwordFile = config.age.secrets.restic.path; - pruneOpts = [ - #"--keep-within 0y2m0d0h" - #"--keep-monthly 2" - ]; + pruneOpts = [ + #"--keep-within 0y2m0d0h" + #"--keep-monthly 2" + ]; - timerConfig = { - OnCalendar = "daily"; - Persistent = true; - RandomizedDelaySec = "5h"; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + RandomizedDelaySec = "5h"; + }; }; - }; - # takes nodes, - # for each check if iut has teh abckup attribute, - # then if the server is enabled, - # then pull relevant dtails - ownServers = builtins.listToAttrs (builtins.concatLists ( - lib.attrsets.mapAttrsToList ( - key: value: let - backup = value.config.services.skynet.backup; - backup_host = value.config.services.skynet.host; - in - if - ( - (builtins.hasAttr "backup" value.config.services.skynet) - && backup.server.enable - # chgeck that its not itself - && backup_host.name != config.services.skynet.host.name - && !backup.server.appendOnly - ) + # takes nodes, + # for each check if iut has teh abckup attribute, + # then if the server is enabled, + # then pull relevant dtails + ownServers = builtins.listToAttrs (builtins.concatLists ( + lib.attrsets.mapAttrsToList (key: value: + let + backup = value.config.services.skynet_backup; + in + if ( + (builtins.hasAttr "skynet_backup" 
value.config.services) + && backup.server.enable + && backup.host.name != cfg.host.name + && !backup.server.appendOnly + ) then [ { - name = backup_host.name; - value = - base - // { - repositoryFile = "/etc/skynet/restic/${backup_host.name}"; + name = backup.host.name; + value = base // { + repositoryFile = "/etc/skynet/restic/${backup.host.name}"; - backupPrepareCommand = '' - #!${pkgs.stdenv.shell} - set -euo pipefail + backupPrepareCommand = '' + #!${pkgs.stdenv.shell} + set -euo pipefail - baseDir="/etc/skynet/restic" + baseDir="/etc/skynet/restic" - mkdir -p $baseDir - cd $baseDir + mkdir -p $baseDir + cd $baseDir - echo -n "rest:http://root:password@${backup_host.ip}:${toString backup.server.port}/root/${config.services.skynet.host.name}" > ${backup_host.name} + echo -n "rest:http://root:password@${backup.host.ip}:${toString backup.server.port}/root/${cfg.host.name}" > ${backup.host.name} - # read in teh password - #PW = `cat ${config.age.secrets.restic.path}` - line=$(head -n 1 ${config.age.secrets.restic.path}) + # read in teh password + #PW = `cat ${config.age.secrets.restic.path}` + line=$(head -n 1 ${config.age.secrets.restic.path}) - sed -i "s/password/$line/g" ${backup_host.name} - ''; - }; + sed -i "s/password/$line/g" ${backup.host.name} + ''; + + }; } ] - else [] - ) - nodes - )); -in { - imports = [ - ]; + else [ ] + ) nodes + )); - # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base - # https://git.hrnz.li/Ulli/nixos/src/commit/5edca2dfdab3ce52208e4dfd2b92951e500f8418/profiles/server/restic.nix - # will eb enabled on every server - options.services.skynet."${name}" = { - enable = mkEnableOption "Skynet backup"; - # what folders to backup - normal = { - backups = lib.mkOption { - default = []; - type = lib.types.listOf lib.types.str; - description = '' - A list of paths to backup. 
- ''; + + in { + + imports = [ + + ]; + + # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base + # https://git.hrnz.li/Ulli/nixos/src/commit/5edca2dfdab3ce52208e4dfd2b92951e500f8418/profiles/server/restic.nix + # will eb enabled on every server + options.services.skynet_backup = { + # backup is enabled by default + # enable = mkEnableOption "Skynet backup"; + + # what folders to backup + normal = { + backups = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.str; + description = '' + A list of paths to backup. + ''; + }; + + exclude = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.str; + description = '' + A list of paths to exclide . + ''; + }; }; - exclude = lib.mkOption { - default = []; - type = lib.types.listOf lib.types.str; - description = '' - A list of paths to exclide . - ''; + # append only data so space limited + secure = { + backups = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.str; + description = '' + A list of paths to backup. + ''; + }; + + exclude = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.str; + description = '' + A list of paths to exclide . + ''; + }; }; + + host = { + ip = mkOption { + type = types.str; + }; + + name = mkOption { + type = types.str; + }; + }; + + server = { + enable = mkEnableOption "Skynet backup Server"; + + port = mkOption { + type = types.port; + default = 8765; + }; + + appendOnly = mkOption { + type = types.bool; + default = false; + }; + }; + }; - # append only data so space limited - secure = { - backups = lib.mkOption { - default = []; - type = lib.types.listOf lib.types.str; - description = '' - A list of paths to backup. - ''; - }; - exclude = lib.mkOption { - default = []; - type = lib.types.listOf lib.types.str; - description = '' - A list of paths to exclide . 
- ''; - }; + config = { + # these values are anabled for every client + + environment.systemPackages = [ + # for flakes + pkgs.restic + ]; + + # A list of all login accounts. To create the password hashes, use + # nix-shell -p apacheHttpd + # htpasswd -nbB "" "password" | cut -d: -f2 + + age.secrets.restic.file = ../secrets/backup/restic.age; + + networking.firewall.allowedTCPPorts = [ + cfg.server.port + ]; + + services.restic.backups = ownServers // { + # merge teh two configs together +# backblaze = base // { +# # backupos for each server are stored in a folder under their name +# repository = "b2:NixOS-Main2:/${cfg.host.name}"; +# #environmentFile = config.age.secrets.backblaze.path; +# }; + }; - server = { - enable = mkEnableOption "Skynet backup Server"; - - port = mkOption { - type = types.port; - default = 8765; - }; - - appendOnly = mkOption { - type = types.bool; - default = false; - }; + age.secrets.restic_pw = mkIf cfg.server.enable { + file = ../secrets/backup/restic_pw.age; + path = "${config.services.restic.server.dataDir}/.htpasswd"; + symlink = false; + mode = "770"; + owner = "restic"; + group = "restic"; }; + + services.restic.server = mkIf cfg.server.enable{ + enable = true; + listenAddress = "${cfg.host.ip}:${toString cfg.server.port}"; + appendOnly = cfg.server.appendOnly; + privateRepos = true; + }; + + }; - - config = mkMerge [ - { - # these values are anabled for every client - environment.systemPackages = with pkgs; [ - restic - ]; - } - - (mkIf cfg.server.enable { - networking.firewall.allowedTCPPorts = [ - cfg.server.port - ]; - - age.secrets.restic_pw = { - file = ../secrets/backup/restic_pw.age; - path = "${config.services.restic.server.dataDir}/.htpasswd"; - symlink = false; - mode = "770"; - owner = "restic"; - group = "restic"; - }; - - services.restic.server = { - enable = true; - listenAddress = "${config.services.skynet.host.ip}:${toString cfg.server.port}"; - appendOnly = cfg.server.appendOnly; - privateRepos = true; - }; - }) - 
- (mkIf enable_client { - # client stuff here - - # A list of all login accounts. To create the password hashes, use - # nix-shell -p apacheHttpd - # htpasswd -nbB "" "password" | cut -d: -f2 - - age.secrets.restic.file = ../secrets/backup/restic.age; - - services.restic.backups = mkMerge [ - ownServers - { - # merge teh two configs together - # backblaze = base // { - # # backupos for each server are stored in a folder under their name - # repository = "b2:NixOS-Main2:/${config.services.skynet.host.name}"; - # #environmentFile = config.age.secrets.backblaze.path; - # }; - } - ]; - }) - ]; } diff --git a/applications/skynet.ie.nix b/applications/skynet.ie.nix new file mode 100644 index 0000000..6008bdb --- /dev/null +++ b/applications/skynet.ie.nix 
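Review bot: The repository file written by `backupPrepareCommand` on the new side ends up holding the REST-server password in cleartext (`rest:http://root:<pw>@host:port/...`) but is created under the service's default umask (systemd's 0022 unless overridden), so `/etc/skynet/restic/<host>` is most likely world-readable; add `umask 077` right after `set -euo pipefail`, or `chmod 600 ${backup.host.name}` after the `sed`. The URL scheme is plain `http://`, so the same credential also crosses the network unencrypted to every backup server — if that link is not trusted the rest-server should be fronted by TLS, and either way a `# NOTE: credentials travel in cleartext over http` comment would stop the next reader assuming otherwise. `networking.firewall.allowedTCPPorts = [ cfg.server.port ]` now sits in the unconditional `config` block rather than under `mkIf cfg.server.enable` like `services.restic.server`, so port 8765 is opened on every host including pure clients; move it next to the other `mkIf cfg.server.enable` entries. Finally `sed -i "s/password/$line/g"` yields a malformed URL whenever the secret contains `/` or `&`; simpler and safer is to substitute directly, `echo -n "rest://root:$line@${backup.host.ip}:${toString backup.server.port}/root/${cfg.host.name}" > ${backup.host.name}` (with the scheme of your choice), and drop the `sed` step.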
@@ -0,0 +1,78 @@ +{ config, pkgs, lib, inputs, ... }: + with lib; + let + cfg = config.services.skynet; + in { + + imports = [ + ./acme.nix + ./dns.nix + ]; + + options.services.skynet = { + host = { + ip = mkOption { + type = types.str; + }; + name = mkOption { + type = types.str; + }; + }; + }; + + config = { + skynet_acme.domains = [ + # the root one is already covered by teh certificate + "2016.skynet.ie" + "discord.skynet.ie" + "ext.skynet.ie" + ]; + + skynet_dns.records = [ + # means root domain, so skynet.ie + {record="@"; r_type="A"; value=cfg.host.ip;} + {record="2016"; r_type="CNAME"; value="skynet";} + {record="discord"; r_type="CNAME"; value="skynet";} + ]; + + networking.firewall.allowedTCPPorts = [80 443]; + services.httpd = { + enable = true; + group = "acme"; + + virtualHosts = { + # main site + "skynet.ie" = { + forceSSL = true; + useACMEHost = "skynet"; + documentRoot = "${inputs.skynet_website.defaultPackage."x86_64-linux"}"; + # only on skynet.ie + # skynet.ie/~username + enableUserDir = true; + }; + "ext.skynet.ie" = { + forceSSL = true; + useACMEHost = "skynet"; + documentRoot = "${inputs.skynet_website.defaultPackage."x86_64-linux"}"; + # only on skynet.ie + # skynet.ie/~username + enableUserDir = true; + }; + + # archive of teh site as it was ~2012 to 2016 + "2016.skynet.ie" = { + forceSSL = true; + useACMEHost = "skynet"; + documentRoot = "${inputs.skynet_website_2016.defaultPackage."x86_64-linux"}"; + }; + + # archive of teh site as it was ~2012 to 2016 + "discord.skynet.ie" = { + forceSSL = true; + useACMEHost = "skynet"; + globalRedirect = "https://discord.gg/mkuKJkCuyM"; + }; + }; + }; + }; +} \ No newline at end of file diff --git a/applications/skynet.ie/old_site.nix b/applications/skynet.ie/old_site.nix deleted file mode 100644 index 18f80df..0000000 --- a/applications/skynet.ie/old_site.nix +++ /dev/null 
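Review bot: `ext.skynet.ie` is added to `skynet_acme.domains` but has no entry in `skynet_dns.records` (only `@`, `2016` and `discord` are declared), so unless that name is published elsewhere the certificate validation for it will fail and the vhost is unreachable; add `{record="ext"; r_type="CNAME"; value="skynet";}` alongside the others. The `ext.skynet.ie` vhost also sets `enableUserDir = true` under a comment saying this is `only on skynet.ie`, which exposes every local user's `~/public_html` on a second hostname — either drop that line from the `ext` host or change the comment to say why both hosts serve home directories. The comment above `discord.skynet.ie` is a copy of the 2016 archive comment and should read something like `# short vanity URL redirecting to the society Discord invite`.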
@@ -1,52 +0,0 @@ -{year}: { - config, - pkgs, - lib, - inputs, - ... -}: -with lib; { - imports = []; - - config = { - services.skynet.dns.records = [ - { - record = year; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - ]; - - services.nginx = { - virtualHosts = { - "${year}.skynet.ie" = { - forceSSL = true; - useACMEHost = "skynet"; - root = "${inputs."skynet_website_${year}".defaultPackage."x86_64-linux"}"; - # Handle any of the old php sites - # https://stackoverflow.com/a/21911610 - locations = { - "/" = { - index = "index.html index.htm index.php"; - tryFiles = "$uri $uri.html $uri/ @extensionless-php"; - }; - - "~ \\.php$" = { - extraConfig = '' - fastcgi_pass unix:${config.services.phpfpm.pools.old_sites.socket}; - fastcgi_index index.php; - ''; - tryFiles = "$uri =404"; - }; - - "@extensionless-php" = { - extraConfig = '' - rewrite ^(.*)$ $1.php last; - ''; - }; - }; - }; - }; - }; - }; -} diff --git a/applications/skynet.ie/skynet.ie.nix b/applications/skynet.ie/skynet.ie.nix deleted file mode 100644 index 99cc46d..0000000 --- a/applications/skynet.ie/skynet.ie.nix +++ /dev/null 
@@ -1,134 +0,0 @@ -{ - config, - pkgs, - lib, - inputs, - ... -}: -with lib; let - name = "website"; - cfg = config.services.skynet."${name}"; -in { - imports = [ - # import in past website versions, available at $year.skynet.ie - # at teh end of teh year add it here - (import ./old_site.nix {year = "2024";}) - (import ./old_site.nix {year = "2023";}) - (import ./old_site.nix {year = "2022";}) - (import ./old_site.nix {year = "2016";}) - (import ./old_site.nix {year = "2006";}) - (import ./old_site.nix {year = "2003";}) - (import ./old_site.nix {year = "1996";}) - ]; - - options.services.skynet."${name}" = { - enable = mkEnableOption "Skynet Main Website"; - }; - - config = mkIf cfg.enable { - services.skynet.acme.domains = [ - "*.skynet.ie" - "*.discord.skynet.ie" - ]; - - services.skynet.dns.records = [ - # means root domain, so skynet.ie - { - record = "@"; - r_type = "A"; - value = config.services.skynet.host.ip; - } - { - record = "www"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - { - record = "discord"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - { - record = "wolves"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - { - record = "public"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - { - record = "*.discord"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - ]; - - services.nginx = { - virtualHosts = let - main_site = { - forceSSL = true; - useACMEHost = "skynet"; - locations = { - "/".root = "${inputs.skynet_website.defaultPackage."x86_64-linux"}"; - - # this redirects old links to new format - "~* ~(?[a-z_0-9]*)(?\\S*)$" = { - priority = 1; - return = "307 https://$username.users.skynet.ie$files"; - }; - }; - }; - in { - # main site - "www.skynet.ie" = main_site; - "skynet.ie" = main_site; - - "wolves.skynet.ie" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/".return = "307 https://ulwolves.ie/society/computer"; - }; - - # a 
custom discord url, because we are too cheap otehrwise - "discord.skynet.ie" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/".return = "307 https://discord.gg/mkuKJkCuyM"; - }; - "compsoc.discord.skynet.ie" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/".return = "307 https://discord.gg/mkuKJkCuyM"; - }; - "committee.discord.skynet.ie" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/".return = "307 https://discord.gg/D6mbASJKxU"; - }; - - "public.skynet.ie" = { - forceSSL = true; - useACMEHost = "skynet"; - root = "${inputs.compsoc_public.packages.x86_64-linux.default}"; - locations."/".extraConfig = "autoindex on;"; - }; - }; - }; - - # Some old sites need a php pool running - services.phpfpm.pools.old_sites = { - user = "nobody"; - settings = { - "pm" = "dynamic"; - "listen.owner" = config.services.nginx.user; - "pm.max_children" = 5; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 1; - "pm.max_spare_servers" = 3; - "pm.max_requests" = 500; - }; - }; - }; -} diff --git a/applications/skynet.ie/wiki.nix b/applications/skynet.ie/wiki.nix deleted file mode 100644 index 19250b3..0000000 --- a/applications/skynet.ie/wiki.nix +++ /dev/null 
@@ -1,59 +0,0 @@ -{ - config, - pkgs, - lib, - inputs, - ... -}: -with lib; let - name = "wiki"; - cfg = config.services.skynet."${name}"; -in { - imports = [ - ]; - - options.services.skynet."${name}" = { - enable = mkEnableOption "Skynet Wiki"; - }; - - config = mkIf cfg.enable { - services.skynet.dns.records = [ - { - record = "renew"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - { - record = "wiki"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - ]; - - services.nginx = { - virtualHosts = { - "wiki.skynet.ie" = { - forceSSL = true; - useACMEHost = "skynet"; - root = "${inputs.skynet_website_wiki.defaultPackage."x86_64-linux"}"; - # https://stackoverflow.com/a/38238001/11964934 - extraConfig = '' - location / { - if ($request_uri ~ ^/(.*)\.html) { - return 302 /$1; - } - try_files $uri $uri.html $uri/ =404; - } - ''; - }; - - # redirect old links to the new wiki - "renew.skynet.ie" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/".return = "307 https://wiki.skynet.ie"; - }; - }; - }; - }; -} diff --git a/applications/skynet_users.nix b/applications/skynet_users.nix deleted file mode 100644 index 88347a2..0000000 --- a/applications/skynet_users.nix +++ /dev/null 
@@ -1,146 +0,0 @@ -{ - config, - pkgs, - lib, - inputs, - ... -}: -with lib; let - name = "website_users"; - cfg = config.services.skynet."${name}"; - php_pool = name; - - custom = domain: user: { - "${domain}" = { - forceSSL = true; - enableACME = true; - locations = { - "/" = { - alias = "/home/${user}/public_html/"; - index = "index.html"; - extraConfig = '' - autoindex on; - ''; - tryFiles = "$uri$args $uri$args/ /index.html"; - }; - }; - }; - }; -in { - imports = [ - ]; - - options.services.skynet."${name}" = { - enable = mkEnableOption "Skynet User Linux Server"; - }; - - config = { - # we havea more limited ports range on the skynet server - services.skynet.prometheus.ports = { - node = 9000; - }; - - # allow more than admins access - services.skynet.ldap_client = { - groups = [ - "skynet-admins-linux" - "skynet-users-linux" - ]; - }; - - # Website config - services.skynet.acme.domains = [ - "users.skynet.ie" - "*.users.skynet.ie" - ]; - - services.skynet.dns.records = [ - { - record = "users"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - { - record = "*.users"; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } - ]; - - environment.systemPackages = with pkgs; [ - vim - php - ]; - - networking = { - defaultGateway = { - address = lib.mkDefault "193.1.96.161"; - interface = lib.mkDefault "eth1"; - }; - }; - - # normally services cannot read home dirs - systemd.services.nginx.serviceConfig.ProtectHome = "read-only"; - systemd.services."phpfpm-${php_pool}".serviceConfig.ProtectHome = lib.mkForce "read-only"; - - services.phpfpm.pools.${php_pool} = { - user = config.services.nginx.user; - group = config.services.nginx.group; - settings = { - "listen.owner" = config.services.nginx.user; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.max_requests" = 500; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 5; - "php_admin_value[error_log]" = "stderr"; - "php_admin_flag[log_errors]" = 
true; - "catch_workers_output" = true; - }; - phpEnv."PATH" = lib.makeBinPath [pkgs.php]; - }; - - services.nginx.virtualHosts = lib.mkMerge [ - # main site - { - "*.users.skynet.ie" = { - forceSSL = true; - useACMEHost = "skynet"; - serverName = "~^(?.+)\.users\.skynet\.ie"; - - # username.users.skynet.ie/ - # user goes: - # chmod 711 ~ - # chmod -R 755 ~/public_html - - locations = { - "/" = { - alias = "/home/$user/public_html/"; - index = "index.html"; - extraConfig = '' - autoindex on; - ''; - tryFiles = "$uri$args $uri$args/ /index.html"; - }; - - "~ ^(.+\\.php)(.*)$" = { - root = "/home/$user/public_html/"; - index = "index.php"; - extraConfig = '' - autoindex on; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:${config.services.phpfpm.pools.${php_pool}.socket}; - include ${pkgs.nginx}/conf/fastcgi.conf; - ''; - tryFiles = "$uri$args $uri$args/ /index.php"; - }; - }; - }; - } - - (custom "outinul.ie" "outinul") - (custom "www.outinul.ie" "outinul") - ]; - }; -} diff --git a/applications/sso.nix b/applications/sso.nix deleted file mode 100644 index 3bae2c2..0000000 --- a/applications/sso.nix +++ /dev/null 
@@ -1,77 +0,0 @@
-{
- lib,
- config,
- ...
-}:
-with lib; let
- name = "sso";
- cfg = config.services.skynet."${name}";
-in {
- imports = [
- ];
-
- options.services.skynet."${name}" = {
- enable = mkEnableOption "Keycloak server";
-
- datasource = {
- name = mkOption {
- type = types.str;
- };
-
- url = mkOption {
- type = types.str;
- };
- };
- };
-
- config = mkIf cfg.enable {
- services.skynet.dns.records = [
- {
- record = "${name}";
- r_type = "CNAME";
- value = config.services.skynet.host.name;
- }
- ];
-
- services.skynet.acme.domains = [
- "${name}.skynet.ie"
- ];
-
- age.secrets.keycloak_pw.file = ../secrets/keycloak/pw.age;
-
- services.nginx.virtualHosts = {
- "${name}.skynet.ie" = {
- forceSSL = true;
- useACMEHost = "skynet";
- locations = {
- "/" = {
- proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}/";
- };
- };
- };
- };
-
- services.postgresql.enable = true;
-
- services.keycloak = {
- enable = true;
-
- initialAdminPassword = "sharky_loves_sso";
-
- database = {
- type = "postgresql";
- createLocally = true;
-
- username = "keycloak";
- passwordFile = config.age.secrets.keycloak_pw.path;
- };
-
- settings = {
- hostname = "${name}.skynet.ie";
- http-port = 38080;
- proxy-headers = "xforwarded";
- http-enabled = true;
- };
- };
- };
-}
diff --git a/applications/ulfm.nix b/applications/ulfm.nix
index d7bd97b..f970e0d 100644
--- a/applications/ulfm.nix
+++ b/applications/ulfm.nix
@@ -1,61 +1,67 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; let - name = "ulfm"; - cfg = config.services.skynet."${name}"; -in { +{ config, lib, pkgs, ... }: + with lib; + let + cfg = config.services.skynet_ulfm; + in { + imports = [ + ./acme.nix + ./dns.nix + ./firewall.nix + ./nginx.nix ]; - options.services.skynet."${name}" = { - enable = mkEnableOption "ULFM service"; + options.services.skynet_ulfm = { + enable = mkEnableOption "ULFM service"; - domain = { - tld = mkOption { - type = types.str; - default = "ie"; - }; + host = { + ip = mkOption { + type = types.str; + }; - base = mkOption { - type = types.str; - default = "skynet"; - }; + name = mkOption { + type = types.str; + }; + }; - sub = mkOption { - type = types.str; - default = "ulfm"; - }; - }; + domain = { + tld = mkOption { + type = types.str; + default = "ie"; + }; + + base = mkOption { + type = types.str; + default = "skynet"; + }; + + sub = mkOption { + type = types.str; + default = "ulfm"; + }; + }; }; config = mkIf cfg.enable { - # TODO: extract this out into its own config + # shove the entire config file into secrets age.secrets.ulfm.file = ../secrets/stream_ulfm.age; networking.firewall.allowedTCPPorts = [ 8000 ]; - services.skynet.acme.domains = [ + skynet_acme.domains = [ "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" ]; - services.skynet.dns.records = [ - { - record = cfg.domain.sub; - r_type = "CNAME"; - value = config.services.skynet.host.name; - } + skynet_dns.records = [ + {record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;} ]; skynet_firewall.forward = [ - "ip daddr ${config.services.skynet.host.ip} tcp dport 80 counter packets 0 bytes 0 accept" - "ip daddr ${config.services.skynet.host.ip} tcp dport 443 counter packets 0 bytes 0 accept" - "ip daddr ${config.services.skynet.host.ip} tcp dport 8000 counter packets 0 bytes 0 accept" + "ip daddr ${cfg.host.ip} tcp dport 80 counter packets 0 bytes 0 accept" + "ip daddr ${cfg.host.ip} tcp dport 443 counter packets 
0 bytes 0 accept" + "ip daddr ${cfg.host.ip} tcp dport 8000 counter packets 0 bytes 0 accept" ]; users.groups."icecast" = {}; @@ -68,9 +74,9 @@ in { }; systemd.services.icecast = { - after = ["network.target"]; + after = [ "network.target" ]; description = "Icecast Network Audio Streaming Server"; - wantedBy = ["multi-user.target"]; + wantedBy = [ "multi-user.target" ]; preStart = "mkdir -p /var/log/icecast && chown nobody:nogroup /var/log/icecast"; serviceConfig = { @@ -80,14 +86,12 @@ in { }; }; - services.nginx = { - virtualHosts = { - "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = { - forceSSL = true; - useACMEHost = "skynet"; - locations."/".proxyPass = "http://localhost:8000"; - }; - }; + services.nginx.virtualHosts."${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = { + forceSSL = true; + useACMEHost = "skynet"; + locations."/".proxyPass = "http://localhost:8000"; }; + }; -} + +} \ No newline at end of file diff --git a/config/dns.nix b/config/dns.nix deleted file mode 100644 index ccb1df3..0000000 --- a/config/dns.nix +++ /dev/null 
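Review bot: `host.ip` and `host.name` in the new `options.services.skynet_ulfm.host` (first hunk) are declared as bare `types.str` with no default and no description, and `host.ip` is spliced verbatim into the three nftables strings in `skynet_firewall.forward`, so an unset value fails evaluation on every machine that enables the module, while a mistyped value yields either a rule nft rejects at load or one that accepts 80/443/8000 toward the wrong destination; the old side avoided both by reading the shared `config.services.skynet.host`. At minimum give each option a `description`, e.g. `description = "Address of this host; inserted verbatim into nftables forward rules and must match what skynet_dns publishes";`, and consider an `assertions` entry that rejects an empty value. The new record `{record=cfg.domain.sub; r_type="CNAME"; value=cfg.host.name;}` also breaks the spacing used elsewhere in these hunks (`after = [ "network.target" ];`); `{ record = cfg.domain.sub; r_type = "CNAME"; value = cfg.host.name; }` matches it. The `config = mkIf cfg.enable {` block begins in the first hunk and continues past it into the later two.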
@@ -1,70 +0,0 @@
-{lib, ...}: {
- imports = [
- ];
-
- options.skynet.records = lib.mkOption {
- description = "Records, sorted based on therir type";
- type = lib.types.listOf (lib.types.submodule (import ../applications/dns/options-records.nix {
- inherit lib;
- }));
- };
-
- config = {
- skynet.records =
- [
- # Proxmox hosts
- {
- record = "jarvis";
- r_type = "A";
- value = "193.1.99.73";
- server = true;
- }
- {
- record = "ultron";
- r_type = "A";
- value = "193.1.99.84";
- server = true;
- }
- # wifi in server room
- {
- record = "ash";
- r_type = "A";
- value = "193.1.99.114";
- server = true;
- }
- {
- record = "mimi";
- r_type = "A";
- value = "193.1.99.86";
- server = true;
- }
- {
- record = "nuked";
- r_type = "CNAME";
- value = "neuromancer.skynet.ie.";
- }
- ]
- # non skynet domains
- ++ [
- {
- domain = "conradcollins.net";
- record = "www";
- r_type = "CNAME";
- value = "skynet.skynet.ie.";
- }
-
- {
- domain = "edelharty.net";
- record = "www";
- r_type = "CNAME";
- value = "skynet.skynet.ie.";
- }
- {
- domain = "damienconroy.com";
- record = "www";
- r_type = "CNAME";
- value = "skynet.skynet.ie.";
- }
- ];
- };
-}
diff --git a/config/users.nix b/config/users.nix
deleted file mode 100644
index d49d998..0000000
--- a/config/users.nix
+++ /dev/null
@@ -1,420 +0,0 @@ -{ - lib, - config, - ... -}: -with lib; let - port_backend = "8087"; - cfg = config.skynet.users; -in { - options.skynet = { - users = { - committee = mkOption rec { - type = types.listOf types.str; - default = []; - description = "array of committee members"; - }; - admin = mkOption rec { - type = types.listOf types.str; - default = []; - description = "array of admins"; - }; - trainee = mkOption rec { - type = types.listOf types.str; - default = []; - description = "array of trainee admins"; - }; - lifetime = mkOption rec { - type = types.listOf types.str; - default = []; - description = "array of lifetime users"; - }; - banned = mkOption rec { - type = types.listOf types.str; - default = []; - description = "array of banned users"; - }; - restricted = mkOption rec { - type = types.listOf types.str; - default = []; - description = "array of restricted user accounts"; - }; - clubs_societies = mkOption rec { - type = types.listOf types.str; - default = []; - description = "array of accounts for Clubs and Societies"; - }; - }; - }; - - config.skynet = { - users = { - committee = lib.lists.unique ( - # Committee - Core - [ - # President - "silver" - # Secretary - "kaiden" - # Treasurer - "peace" - # PRO - "amymucko" - # HSO - "skyapples" - ] - # Committee - OCM - ++ [ - "connormc" - "cordlesscoder" - "dca_" - "eliza" - "emilyrutai" - "generically" - "mysticwolf" - "nanda" - "rituk_0817" - "sania_m" - "shourjyo24_" - "sunny" - "tatabbyi" - "wormyworm5" - ] - # Committee - SISTEM - ++ [] - # Admins are part of Committee as well - ++ cfg.admin - ); - admin = [ - "silver" - "evanc" - "eliza" - "esy" - ]; - trainee = []; - lifetime = []; - banned = []; - - clubs_societies = [ - "outinul" - "gamesdev" - ]; - - restricted = - [ - # usernames folks arent allowed to use - "contact" - "dnsadm" - "president" - "treasurer" - "secretary" - "pro" - "sysadmin" - "root" - ] - ++ [ - # basis comes from 
https://discord.com/channels/689189992417067052/1126084496710713414/1149072061466169444 - # start off with compsoc stuff first - "competition_www" - "demo1" - "demouser" - "ftp" - "lost+found" - "postfix" - "skynews.old" - "system_backup" - "test" - "test12" - "test20202" - "test20203" - "tmp" - "webadm" - ] - ++ [ - # clubs and socs (as far as I can tell - "aerosoc" - "aikido" - "anfocal" - "bics" - "boarding" - "cns" - "dev" - "filmsoc" - "gaa" - "german" - "golfsoc" - "handball" - "hispanic" - "history" - "hockey" - "home" - "legosoc" - "lifesave" - "mens_gfc" - "musicsoc" - "pagansoc" - "peacesoc" - "physics" - "poker" - "prolife" - "radio" - "ragweek" - "sinnfein" - "soccer" - "ulbs" - "ulcamogie" - "ulcc" - "ulgaa" - "ulils" - "ulladiesfootball" - "ullaughinsoc" - "ulrfc" - "ulriders" - "ulssc" - "ultennis" - "viking" - ] - ++ [ - # remaining, most likely usernames - "_9thwonder" - "abc" - "activate" - "aiesec" - "air" - "aladdin" - "alaric" - "aldozzie" - "allenli" - "amg" - "amgl" - "annette" - "annlad" - "ards_backup" - "arisquez" - "arthur" - "austin" - "beta" - "bh" - "bigdave" - "bios" - "bizarroal" - "bmacaree" - "boardy" - "boddah" - "bogus.anime.fakh" - "bogus.bhudt.dacf" - "bogus.citoge.baym" - "bogus.electro.ba0a" - "bogus.fencing.baw5" - "bogus.harry.ba8f" - "bogus.hui.hong.baci" - "bogus.ironman.baqib" - "bogus.joe.bach" - "bogus.kenny.bas6" - "bogus.kerswin.baybb" - "bogus.kravmaga.ba0w" - "bogus.methi.baq5" - "bogus.nelsonmw.bauc" - "bogus.poshea.ba0m" - "bogus.redwolf.bawn" - "bogus.romanov.baat" - "bogus.ryan.bae-" - "bogus.rynnea.bask" - "bogus.sea.af" - "bogus.shane.c.ba8z" - "bogus.t1000.baggb" - "bogus.ullrugby.ba8p" - "brendan" - "bubba" - "c_material_removed" - "ca_worm" - "cactus" - "carticus" - "cathalc" - "cathald-broken" - "cdschedule" - "celtic" - "christine" - "cian" - "ciara" - "ciaran" - "colin" - "cosmo" - "counsel" - "creosote" - "crew" - "cues" - "cur" - "cwhelan" - "dac" - "daktulu" - "datacore" - "davec" - "daverus" - 
"deano" - "deccy" - "declanmu" - "deiji" - "dermotmc" - "derrick" - "deshocks" - "diarmuid" - "dippy" - "djraptor" - "dmackey" - "dmir" - "dom" - "dom_mckay" - "donie" - "donnacha" - "dos30" - "drazhar" - "duffman" - "eas" - "electal" - "emc" - "emilia" - "emma" - "emmag" - "ents" - "envcom" - "eoinh95" - "epgriffin" - "equest" - "fiacc" - "fint" - "flanno" - "fmannix" - "foodcoop" - "gamenet" - "ganainm" - "gar" - "ger88" - "ghama" - "ging" - "goborobo" - "gooner" - "greekweek" - "hawking" - "hb" - "homer" - "hoshi" - "ian" - "ianrice" - "ilug" - "infinity" - "ingenuus" - "internat" - "jamessy" - "jamiebarry" - "jbravo" - "jdonegan" - "joedredd" - "johann" - "jokill" - "jsoccer" - "jules" - "kate" - "katie" - "kellyj" - "kiely" - "koo" - "l_d_ablo" - "lakes" - "laura" - "lebowski" - "liabraid" - "lynn" - "mal" - "manuel" - "maraz" - "marieke" - "marky" - "mature" - "mbyrne" - "meanturtle" - "mickaful" - "mickasul" - "mikado" - "mikeh" - "mikkel" - "mixiezme" - "mmc" - "molly" - "moochie" - "moonser" - "mopic" - "mp" - "nastros" - "neutrino" - "new" - "nezzy" - "nkdc" - "nmcenroy" - "noelle" - "nugget" - "ob" - "omega" - "oneillbeano" - "pamela" - "peterj" - "photyl" - "plake" - "pmcg1986" - "pyro" - "qubeat" - "rachel" - "rachelg" - "ralmeida" - "raymond" - "razzlero" - "red" - "rmacm" - "rmorrissey" - "robson" - "selena" - "shark" - "shayscannell" - "shazlove" - "shelley" - "shelly" - "silver.old" - "sirhc" - "sithlord" - "sk" - "sligoer" - "slowey" - "smallp" - "smurfy" - "sordfish" - "soul98" - "soular" - "st" - "stefanovich" - "svp" - "szczerba" - "tangsoodo" - "tc" - "tenfor" - "teslacut" - "theematt" - "thomasl" - "tockman" - "ugm" - "vanzan" - "volleyb" - "warren" - "weather" - "wiles" - "yvonne" - "zrahman" - ] - ++ [ - # former aliases - "david.dolphin" - "cc" - "mark.brennan" - ]; - }; - }; -} diff --git a/flake.lock b/flake.lock index 6f89ba0..ff57a21 100644 --- a/flake.lock +++ b/flake.lock 
@@ -4,15 +4,14 @@ "inputs": { "darwin": "darwin", "home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "systems": "systems" + "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1723293904, - "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", + "lastModified": 1690228878, + "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=", "owner": "ryantm", "repo": "agenix", - "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", + "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792", "type": "github" }, "original": { @@ -21,48 +20,6 @@ "type": "github" } }, - "alejandra": { - "inputs": { - "fenix": "fenix", - "flakeCompat": "flakeCompat", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733729059, - "narHash": "sha256-5xYai0KZirUX2EQpNMMCWoC27932n/i1E4KeVRIss7s=", - "owner": "kamadorueda", - "repo": "alejandra", - "rev": "6db88764334bd6a8b7a33cb312c318baad1d5e93", - "type": "github" - }, - "original": { - "owner": "kamadorueda", - "repo": "alejandra", - "type": "github" - } - }, - "alejandra_2": { - "inputs": { - "fenix": "fenix_2", - "flakeCompat": "flakeCompat_2", - "nixpkgs": "nixpkgs_24" - }, - "locked": { - "lastModified": 1719514321, - "narHash": "sha256-ys1nJdZ8zB8JlpUbQmnj0hZalg03bEPgQdZN30DhETE=", - "owner": "kamadorueda", - "repo": "alejandra", - "rev": "d7552fef2ccf1bbf0d36b27f6fddb19073f205b7", - "type": "github" - }, - "original": { - "owner": "kamadorueda", - "repo": "alejandra", - "type": "github" - } - }, "arion": { "inputs": { "flake-parts": "flake-parts", @@ -70,11 +27,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1733918465, - "narHash": "sha256-hSuGa8Hh67EHr2x812Ay6WFyFT2BGKn+zk+FJWeKXPg=", + "lastModified": 1690376079, + "narHash": "sha256-IJiajoljCMUGlp1bwT/loXs1B3RH2FXpLepnqvcPNEY=", "owner": "hercules-ci", "repo": "arion", - "rev": "f01c95c10f9d4f04bb08d97b3233b530b180f12e", + "rev": "f0436c8478d1b5530c115a6b1202c4478dfe2f81", "type": "github" }, "original": { 
@@ -83,26 +40,6 @@ "type": "github" } }, - "bfom": { - "inputs": { - "naersk": "naersk", - "nixpkgs": "nixpkgs_5", - "utils": "utils" - }, - "locked": { - "lastModified": 1723500950, - "narHash": "sha256-t1eApFGI+JzLIW2YToLlDV20n+Nevk1q4fZBYU1m93I=", - "owner": "silver_rust", - "repo": "bfom", - "rev": "7f339f28442758ecc3f1697e3f70d441973664b9", - "type": "gitlab" - }, - "original": { - "owner": "silver_rust", - "repo": "bfom", - "type": "gitlab" - } - }, "blobs": { "flake": false, "locked": { @@ -119,48 +56,6 @@ "type": "gitlab" } }, - "colmena": { - "inputs": { - "flake-compat": "flake-compat", - "flake-utils": "flake-utils", - "nix-github-actions": "nix-github-actions", - "nixpkgs": "nixpkgs_3", - "stable": "stable" - }, - "locked": { - "lastModified": 1734897875, - "narHash": "sha256-LLpiqfOGBippRax9F33kSJ/Imt8gJXb6o0JwSBiNHCk=", - "owner": "zhaofengli", - "repo": "colmena", - "rev": "a6b51f5feae9bfb145daa37fd0220595acb7871e", - "type": "github" - }, - "original": { - "owner": "zhaofengli", - "repo": "colmena", - "type": "github" - } - }, - "compsoc_public": { - "inputs": { - "bfom": "bfom", - "nixpkgs": "nixpkgs_6", - "utils": "utils_2" - }, - "locked": { - "lastModified": 1758582048, - "narHash": "sha256-SIt6rPXx7O3YMrEw8YrwHNMjOrrJLu/Tf1sMll1Qp9A=", - "ref": "refs/heads/main", - "rev": "4d825caf25cb966ddb5ce33a0e9b2aa73b0262c6", - "revCount": 130, - "type": "git", - "url": "https://forgejo.skynet.ie/Computer_Society/presentations_compsoc" - }, - "original": { - "type": "git", - "url": "https://forgejo.skynet.ie/Computer_Society/presentations_compsoc" - } - }, "darwin": { "inputs": { "nixpkgs": [ 
@@ -169,11 +64,11 @@ ] }, "locked": { - "lastModified": 1700795494, - "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "lastModified": 1673295039, + "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "rev": "87b9d090ad39b25b2400029c64825fc2a8868943", "type": "github" }, "original": { 
@@ -183,75 +78,14 @@ "type": "github" } }, - "fenix": { - "inputs": { - "nixpkgs": [ - "alejandra", - "nixpkgs" - ], - "rust-analyzer-src": "rust-analyzer-src" - }, - "locked": { - "lastModified": 1730615655, - "narHash": "sha256-2HBR3zLn57LXKNRtxBb+O+uDqHM4n0pz51rPayMl4cg=", - "owner": "nix-community", - "repo": "fenix", - "rev": "efeb50e2535b17ffd4a135e6e3e5fd60a525180c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "fenix", - "type": "github" - } - }, - "fenix_2": { - "inputs": { - "nixpkgs": [ - "skynet_website_wiki", - "alejandra", - "nixpkgs" - ], - "rust-analyzer-src": "rust-analyzer-src_2" - }, - "locked": { - "lastModified": 1668234453, - "narHash": "sha256-FmuZThToBvRsqCauYJ3l8HJoGLAY5cMULeYEKIaGrRw=", - "owner": "nix-community", - "repo": "fenix", - "rev": "8f219f6b36e8d0d56afa7f67e6e3df63ef013cdb", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "fenix", - "type": "github" - } - }, "flake-compat": { "flake": false, "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", "owner": "edolstra", "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", "type": "github" }, "original": { 
@@ -268,11 +102,11 @@ ] }, "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "lastModified": 1675933616, + "narHash": "sha256-/rczJkJHtx16IFxMmAWu5nNYcSXNg1YYXTHoGjLrLUA=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "rev": "47478a4a003e745402acf63be7f9a092d51b83d7", "type": "github" }, "original": { @@ -282,30 +116,15 @@ } }, "flake-utils": { - "locked": { - "lastModified": 1659877975, - "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { "inputs": { - "systems": "systems_4" + "systems": "systems" }, "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", "owner": "numtide", "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", "type": "github" }, "original": { 
@@ -314,86 +133,6 @@ "type": "github" } }, - "flakeCompat": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flakeCompat_2": { - "flake": false, - "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "git-hooks": { - "inputs": { - "flake-compat": [ - "simple-nixos-mailserver", - "flake-compat" - ], - "gitignore": "gitignore", - "nixpkgs": [ - "simple-nixos-mailserver", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1750779888, - "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, - "gitignore": { - "inputs": { - "nixpkgs": [ - "simple-nixos-mailserver", - "git-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, "haskell-flake": { "locked": { "lastModified": 1675296942, 
@@ -418,11 +157,11 @@ ] }, "locked": { - "lastModified": 1703113217, - "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "lastModified": 1682203081, + "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=", "owner": "nix-community", "repo": "home-manager", - "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1", "type": "github" }, "original": { @@ -433,14 +172,14 @@ }, "naersk": { "inputs": { - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1713520724, - "narHash": "sha256-CO8MmVDmqZX2FovL75pu5BvwhW+Vugc7Q6ze7Hj8heI=", + "lastModified": 1692351612, + "narHash": "sha256-KTGonidcdaLadRnv9KFgwSMh1ZbXoR/OBmPjeNMhFwU=", "owner": "nix-community", "repo": "naersk", - "rev": "c5037590290c6c7dae2e42e7da1e247e54ed2d49", + "rev": "78789c30d64dea2396c9da516bbcc8db3a475207", "type": "github" }, "original": { @@ -451,14 +190,14 @@ }, "naersk_2": { "inputs": { - "nixpkgs": "nixpkgs_8" + "nixpkgs": "nixpkgs_7" }, "locked": { - "lastModified": 1721727458, - "narHash": "sha256-r/xppY958gmZ4oTfLiHN0ZGuQ+RSTijDblVgVLFi1mw=", + "lastModified": 1686572087, + "narHash": "sha256-jXTut7ZSYqLEgm/nTk7TuVL2ExahTip605bLINklAnQ=", "owner": "nix-community", "repo": "naersk", - "rev": "3fb418eaf352498f6b6c30592e3beb63df42ef11", + "rev": "8507af04eb40c5520bd35d9ce6f9d2342cea5ad1", "type": "github" }, "original": { 
@@ -467,70 +206,13 @@ "type": "github" } }, - "naersk_3": { - "inputs": { - "nixpkgs": "nixpkgs_10" - }, - "locked": { - "lastModified": 1745925850, - "narHash": "sha256-cyAAMal0aPrlb1NgzMxZqeN1mAJ2pJseDhm2m6Um8T0=", - "owner": "nix-community", - "repo": "naersk", - "rev": "38bc60bbc157ae266d4a0c96671c6c742ee17a5f", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "naersk", - "type": "github" - } - }, - "naersk_4": { - "inputs": { - "nixpkgs": "nixpkgs_12" - }, - "locked": { - "lastModified": 1739824009, - "narHash": "sha256-fcNrCMUWVLMG3gKC5M9CBqVOAnJtyRvGPxptQFl5mVg=", - "owner": "nix-community", - "repo": "naersk", - "rev": "e5130d37369bfa600144c2424270c96f0ef0e11d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "naersk", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "colmena", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1703013332, - "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=", + "lastModified": 1677676435, + "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6", + "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169", "type": "github" }, "original": { 
@@ -540,201 +222,51 @@ "type": "github" } }, - "nixpkgs-25_05": { + "nixpkgs-22_11": { "locked": { - "lastModified": 1753749649, - "narHash": "sha256-+jkEZxs7bfOKfBIk430K+tK9IvXlwzqQQnppC2ZKFj4=", + "lastModified": 1669558522, + "narHash": "sha256-yqxn+wOiPqe6cxzOo4leeJOp1bXE/fjPEi/3F/bBHv8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1f08a4df998e21f4e8be8fb6fbf61d11a1a5076a", + "rev": "ce5fe99df1f15a09a91a86be9738d68fadfbad82", "type": "github" }, "original": { + "id": "nixpkgs", + "ref": "nixos-22.11", + "type": "indirect" + } + }, + "nixpkgs-23_05": { + "locked": { + "lastModified": 1684782344, + "narHash": "sha256-SHN8hPYYSX0thDrMLMWPWYulK3YFgASOrCsIL3AJ78g=", "owner": "NixOS", - "ref": "nixos-25.05", "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-mozilla": { - "flake": false, - "locked": { - "lastModified": 1744624473, - "narHash": "sha256-S6zT/w5SyAkJ//dYdjbrXgm+6Vkd/k7qqUl4WgZ6jjk=", - "owner": "mozilla", - "repo": "nixpkgs-mozilla", - "rev": "2292d4b35aa854e312ad2e95c4bb5c293656f21a", + "rev": "8966c43feba2c701ed624302b6a935f97bcbdf88", "type": "github" }, "original": { - "owner": "mozilla", - "repo": "nixpkgs-mozilla", - "type": "github" - } - }, - "nixpkgs-mozilla_2": { - "flake": false, - "locked": { - "lastModified": 1744624473, - "narHash": "sha256-S6zT/w5SyAkJ//dYdjbrXgm+6Vkd/k7qqUl4WgZ6jjk=", - "owner": "mozilla", - "repo": "nixpkgs-mozilla", - "rev": "2292d4b35aa854e312ad2e95c4bb5c293656f21a", - "type": "github" - }, - "original": { - "owner": "mozilla", - "repo": "nixpkgs-mozilla", - "type": "github" - } - }, - "nixpkgs-mozilla_3": { - "flake": false, - "locked": { - "lastModified": 1740762144, - "narHash": "sha256-I7a6e3IYJAp9u3PwUSW1+oilO1tAfnbeN3/YJQ+ObCo=", - "owner": "mozilla", - "repo": "nixpkgs-mozilla", - "rev": "e35b0e071cae97469d80222be988fdd972b22c3b", - "type": "github" - }, - "original": { - "owner": "mozilla", - "repo": "nixpkgs-mozilla", - "type": "github" + "id": "nixpkgs", + "ref": "nixos-23.05", + "type": 
"indirect" } }, "nixpkgs_10": { "locked": { - "lastModified": 1750731501, - "narHash": "sha256-Ah4qq+SbwMaGkuXCibyg+Fwn00el4KmI3XFX6htfDuk=", + "lastModified": 1689935543, + "narHash": "sha256-6GQ9ib4dA/r1leC5VUpsBo0BmDvNxLjKrX1iyL+h8mc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "69dfebb3d175bde602f612915c5576a41b18486b", + "rev": "e43e2448161c0a2c4928abec4e16eae1516571bc", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" + "id": "nixpkgs", + "type": "indirect" } }, "nixpkgs_11": { - "locked": { - "lastModified": 1750506804, - "narHash": "sha256-VLFNc4egNjovYVxDGyBYTrvVCgDYgENp5bVi9fPTDYc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "4206c4cb56751df534751b058295ea61357bbbaa", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-unstable", - "type": "indirect" - } - }, - "nixpkgs_12": { - "locked": { - "lastModified": 1741462378, - "narHash": "sha256-ZF3YOjq+vTcH51S+qWa1oGA9FgmdJ67nTNPG2OIlXDc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "2d9e4457f8e83120c9fdf6f1707ed0bc603e5ac9", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_13": { - "locked": { - "lastModified": 1741513245, - "narHash": "sha256-7rTAMNTY1xoBwz0h7ZMtEcd8LELk9R5TzBPoHuhNSCk=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "e3e32b642a31e6714ec1b712de8c91a3352ce7e1", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-unstable", - "type": "indirect" - } - }, - "nixpkgs_14": { - "locked": { - "lastModified": 1687274257, - "narHash": "sha256-TutzPriQcZ8FghDhEolnHcYU2oHIG5XWF+/SUBNnAOE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "2c9ecd1f0400076a4d6b2193ad468ff0a7e7fdc5", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_15": { - "locked": { - "lastModified": 1724114134, - "narHash": "sha256-V/w5MIQy4jTG/L7/V/AL2BF5gSEWCfxHVDQdzLBCV18=", - "owner": 
"NixOS", - "repo": "nixpkgs", - "rev": "f02fa2f654c7bcc45f0e815c29d093da7f1245b4", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_16": { - "locked": { - "lastModified": 1741037377, - "narHash": "sha256-SvtvVKHaUX4Owb+PasySwZsoc5VUeTf1px34BByiOxw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "02032da4af073d0f6110540c8677f16d4be0117f", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_17": { - "locked": { - "lastModified": 1741037377, - "narHash": "sha256-SvtvVKHaUX4Owb+PasySwZsoc5VUeTf1px34BByiOxw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "02032da4af073d0f6110540c8677f16d4be0117f", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_18": { - "locked": { - "lastModified": 1741037377, - "narHash": "sha256-SvtvVKHaUX4Owb+PasySwZsoc5VUeTf1px34BByiOxw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "02032da4af073d0f6110540c8677f16d4be0117f", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_19": { "locked": { "lastModified": 1690026219, "narHash": "sha256-oOduRk/kzQxOBknZXTLSEYd7tk+GoKvr8wV6Ab+t4AU=", @@ -750,11 +282,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1733212471, - "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", + "lastModified": 1676300157, + "narHash": "sha256-1HjRzfp6LOLfcj/HJHdVKWAkX9QRAouoh6AjzJiIerU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", + "rev": "545c7a31e5dedea4a6d372712a18e00ce097d462", "type": "github" }, "original": { 
@@ -764,129 +296,43 @@ "type": "github" } }, - "nixpkgs_20": { - "locked": { - "lastModified": 1724114134, - "narHash": "sha256-V/w5MIQy4jTG/L7/V/AL2BF5gSEWCfxHVDQdzLBCV18=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "f02fa2f654c7bcc45f0e815c29d093da7f1245b4", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_21": { - "locked": { - "lastModified": 1689935543, - "narHash": "sha256-6GQ9ib4dA/r1leC5VUpsBo0BmDvNxLjKrX1iyL+h8mc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "e43e2448161c0a2c4928abec4e16eae1516571bc", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_22": { - "locked": { - "lastModified": 1724114134, - "narHash": "sha256-V/w5MIQy4jTG/L7/V/AL2BF5gSEWCfxHVDQdzLBCV18=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "f02fa2f654c7bcc45f0e815c29d093da7f1245b4", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_23": { - "locked": { - "lastModified": 1695978539, - "narHash": "sha256-lta5HToBZMWZ2hl5CautNSUgIZViR41QxN7JKbMAjgQ=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "bd9b686c0168041aea600222be0805a0de6e6ab8", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_24": { - "locked": { - "lastModified": 1668226844, - "narHash": "sha256-G/S4FBWDAqHeBS/hfXwUCJbnaKnrQFoeeKwzvZEOgxM=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "dd4767bf613bf9553eee6ff37c0996b9c876e7d8", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_25": { - "locked": { - "lastModified": 1724395761, - "narHash": "sha256-zRkDV/nbrnp3Y8oCADf5ETl1sDrdmAW6/bBVJ8EbIdQ=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ae815cee91b417be55d43781eb4b73ae1ecc396c", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, "nixpkgs_3": { 
"locked": { - "lastModified": 1734119587, - "narHash": "sha256-AKU6qqskl0yf2+JdRdD0cfxX4b9x3KKV5RqA6wijmPM=", + "lastModified": 1691276849, + "narHash": "sha256-RNnrzxhW38SOFIF6TY/WaX7VB3PCkYFEeRE5YZU+wHw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3566ab7246670a43abd2ffa913cc62dad9cdf7d5", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_4": { - "locked": { - "lastModified": 1714091391, - "narHash": "sha256-68n3GBvlm1MIeJXadPzQ3v8Y9sIW3zmv8gI5w5sliC8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "4c86138ce486d601d956a165e2f7a0fc029a03c1", + "rev": "5faab29808a2d72f4ee0c44c8e850e4e6ada972f", "type": "github" }, "original": { "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1670751203, + "narHash": "sha256-XdoH1v3shKDGlrwjgrNX/EN8s3c+kQV7xY6cLCE8vcI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "64e0bf055f9d25928c31fb12924e59ff8ce71e60", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", "type": "indirect" } }, "nixpkgs_5": { "locked": { - "lastModified": 1714091391, - "narHash": "sha256-68n3GBvlm1MIeJXadPzQ3v8Y9sIW3zmv8gI5w5sliC8=", + "lastModified": 1693060755, + "narHash": "sha256-KNsbfqewEziFJEpPR0qvVz4rx0x6QXxw1CcunRhlFdk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4c86138ce486d601d956a165e2f7a0fc029a03c1", + "rev": "c66ccfa00c643751da2fd9290e096ceaa30493fc", "type": "github" }, "original": { 
@@ -896,440 +342,204 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1756787288, - "narHash": "sha256-rw/PHa1cqiePdBxhF66V7R+WAP8WekQ0mCDG4CFqT8Y=", + "lastModified": 1693087214, + "narHash": "sha256-Kn1SSqRfPpqcI1MDy82JXrPT1WI8c03TA2F0xu6kS+4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d0fc30899600b9b3466ddb260fd83deb486c32f1", + "rev": "f155f0cf4ea43c4e3c8918d2d327d44777b6cad4", "type": "github" }, "original": { "id": "nixpkgs", - "ref": "nixos-unstable", + "ref": "nixos-23.05", "type": "indirect" } }, "nixpkgs_7": { "locked": { - "lastModified": 1751271578, - "narHash": "sha256-P/SQmKDu06x8yv7i0s8bvnnuJYkxVGBWLWHaU+tt4YY=", + "lastModified": 1687011986, + "narHash": "sha256-ZNSi/wBw12d7LO8YcZ4aehIlPp4lgSkKbrHaoF80IKI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3016b4b15d13f3089db8a41ef937b13a9e33a8df", + "rev": "2c09e8eb8717e240ef9c5727c1cc9186db9fb309", "type": "github" }, "original": { "id": "nixpkgs", - "ref": "nixos-unstable", "type": "indirect" } }, "nixpkgs_8": { "locked": { - "lastModified": 1723151389, - "narHash": "sha256-9AVY0ReCmSGXHrlx78+1RrqcDgVSRhHUKDVV1LLBy28=", + "lastModified": 1686921029, + "narHash": "sha256-J1bX9plPCFhTSh6E3TWn9XSxggBh/zDD4xigyaIQBy8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "13fe00cb6c75461901f072ae62b5805baef9f8b2", + "rev": "c7ff1b9b95620ce8728c0d7bd501c458e6da9e04", "type": "github" }, "original": { "id": "nixpkgs", + "ref": "nixos-23.05", "type": "indirect" } }, "nixpkgs_9": { "locked": { - "lastModified": 1722995383, - "narHash": "sha256-UzuXo7ZM8ZK0SkWFhHocKkLSGQPHS4JxaE1jvVR4fUo=", + "lastModified": 1687274257, + "narHash": "sha256-TutzPriQcZ8FghDhEolnHcYU2oHIG5XWF+/SUBNnAOE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "957d95fc8b9bf1eb60d43f8d2eba352b71bbf2be", + "rev": "2c9ecd1f0400076a4d6b2193ad468ff0a7e7fdc5", "type": "github" }, "original": { "id": "nixpkgs", - "ref": "nixos-unstable", "type": "indirect" } }, "root": { "inputs": { "agenix": "agenix", - "alejandra": "alejandra", "arion": 
"arion", - "colmena": "colmena", - "compsoc_public": "compsoc_public", - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_7", + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs_3", "simple-nixos-mailserver": "simple-nixos-mailserver", "skynet_discord_bot": "skynet_discord_bot", - "skynet_discord_bot_t-800": "skynet_discord_bot_t-800", "skynet_ldap_backend": "skynet_ldap_backend", "skynet_ldap_frontend": "skynet_ldap_frontend", "skynet_website": "skynet_website", - "skynet_website_1996": "skynet_website_1996", - "skynet_website_2003": "skynet_website_2003", - "skynet_website_2006": "skynet_website_2006", - "skynet_website_2016": "skynet_website_2016", - "skynet_website_2022": "skynet_website_2022", - "skynet_website_2023": "skynet_website_2023", - "skynet_website_2024": "skynet_website_2024", - "skynet_website_games": "skynet_website_games", - "skynet_website_wiki": "skynet_website_wiki" - } - }, - "rust-analyzer-src": { - "flake": false, - "locked": { - "lastModified": 1730555913, - "narHash": "sha256-KNHZUlqsEibg3YtfUyOFQSofP8hp1HKoY+laoesBxRM=", - "owner": "rust-lang", - "repo": "rust-analyzer", - "rev": "f17a5bbfd0969ba2e63a74505a80e55ecb174ed9", - "type": "github" - }, - "original": { - "owner": "rust-lang", - "ref": "nightly", - "repo": "rust-analyzer", - "type": "github" - } - }, - "rust-analyzer-src_2": { - "flake": false, - "locked": { - "lastModified": 1668182250, - "narHash": "sha256-PYGaOCiFvnJdVz+ZCaKF8geGdffXjJUNcMwaBHv0FT4=", - "owner": "rust-lang", - "repo": "rust-analyzer", - "rev": "45ec315e01dc8dd1146dfeb65f0ef6e5c2efed78", - "type": "github" - }, - "original": { - "owner": "rust-lang", - "ref": "nightly", - "repo": "rust-analyzer", - "type": "github" + "skynet_website_2016": "skynet_website_2016" } }, "simple-nixos-mailserver": { "inputs": { "blobs": "blobs", - "flake-compat": "flake-compat_2", - "git-hooks": "git-hooks", - "nixpkgs": [ - "nixpkgs" - ], - "nixpkgs-25_05": "nixpkgs-25_05" + "flake-compat": "flake-compat", + "nixpkgs": 
"nixpkgs_4", + "nixpkgs-22_11": "nixpkgs-22_11", + "nixpkgs-23_05": "nixpkgs-23_05", + "utils": "utils" }, "locked": { - "lastModified": 1758367587, - "narHash": "sha256-crj6Ps1BwNbmsk7I7v6K2Dw55vczuQRtTklYiFiQ0Jw=", - "ref": "refs/heads/master", - "rev": "8bca7ebf09d3eb2bfcafe41b9133ee262f09558d", - "revCount": 794, - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/misc_nixos-mailserver" + "lastModified": 1689976554, + "narHash": "sha256-uWJq3sIhkqfzPmfB2RWd5XFVooGFfSuJH9ER/r302xQ=", + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "rev": "c63f6e7b053c18325194ff0e274dba44e8d2271e", + "type": "gitlab" }, "original": { - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/misc_nixos-mailserver" + "owner": "simple-nixos-mailserver", + "repo": "nixos-mailserver", + "type": "gitlab" } }, "skynet_discord_bot": { "inputs": { - "naersk": "naersk_2", - "nixpkgs": "nixpkgs_9", - "nixpkgs-mozilla": "nixpkgs-mozilla", - "utils": "utils_3" + "naersk": "naersk", + "nixpkgs": "nixpkgs_6", + "utils": "utils_2" }, "locked": { - "lastModified": 1758295049, - "narHash": "sha256-h14Vl/OVguj5jD54xf+3w3DBIloQkoFBH86/xJ35jV8=", - "ref": "refs/heads/main", - "rev": "313be247d96131fbea418b826d7b68521c48bd8a", - "revCount": 326, - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/discord-bot" + "host": "gitlab.skynet.ie", + "lastModified": 1693175435, + "narHash": "sha256-OWvMD6k/IXCAU5m7gOS25Uw3wdXey/yu4CX/AmSNKAU=", + "owner": "compsoc1%2Fskynet", + "repo": "discord-bot", + "rev": "e6f3b5f15857183777cd545d4366c3b51c5e3a02", + "type": "gitlab" }, "original": { - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/discord-bot" - } - }, - "skynet_discord_bot_t-800": { - "inputs": { - "naersk": "naersk_3", - "nixpkgs": "nixpkgs_11", - "nixpkgs-mozilla": "nixpkgs-mozilla_2", - "utils": "utils_4" - }, - "locked": { - "lastModified": 1752232947, - "narHash": "sha256-WW6gL8JSoJu6p+3Xnea9J8+epWtSOs3O9Sk/+Uz+ZnM=", - "ref": "refs/heads/main", - 
"rev": "379cc1d431ec8395c368dae773d7c4120bee57d7", - "revCount": 28, - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/discord-bot-t-800" - }, - "original": { - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/discord-bot-t-800" + "host": "gitlab.skynet.ie", + "owner": "compsoc1%2Fskynet", + "repo": "discord-bot", + "type": "gitlab" } }, "skynet_ldap_backend": { "inputs": { - "naersk": "naersk_4", - "nixpkgs": "nixpkgs_13", - "nixpkgs-mozilla": "nixpkgs-mozilla_3", - "utils": "utils_5" + "naersk": "naersk_2", + "nixpkgs": "nixpkgs_8", + "utils": "utils_3" }, "locked": { - "lastModified": 1757267915, - "narHash": "sha256-cJA/dTc+VCjODKu5WEycBrEZRxd4STzxhpfUK2kIS4g=", - "ref": "refs/heads/main", - "rev": "3d882056bc78707ff57321862522ca8d1fc2a3c1", - "revCount": 252, - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/ldap_backend" + "host": "gitlab.skynet.ie", + "lastModified": 1693776743, + "narHash": "sha256-RM56u2CRAPQt7zzJr3Fl7xJjeYVMNQ2hkr0QDdFy3F0=", + "owner": "compsoc1%2Fskynet%2Fldap", + "repo": "backend", + "rev": "9d4575df2769966ecb93a42b08bad1d82f7af714", + "type": "gitlab" }, "original": { - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/ldap_backend" + "host": "gitlab.skynet.ie", + "owner": "compsoc1%2Fskynet%2Fldap", + "repo": "backend", + "type": "gitlab" } }, "skynet_ldap_frontend": { "inputs": { - "nixpkgs": "nixpkgs_14", - "utils": "utils_6" + "nixpkgs": "nixpkgs_9", + "utils": "utils_4" }, "locked": { - "lastModified": 1727122070, - "narHash": "sha256-X6g3kBASjv8NZxea2cdkBQ9YAIZdPWdAButM+LjeYm0=", - "ref": "refs/heads/main", - "rev": "e09818ca6b27bf98cf63c3427a7253309c39a816", - "revCount": 229, - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/ldap_frontend" + "host": "gitlab.skynet.ie", + "lastModified": 1693775970, + "narHash": "sha256-45DsGGilo5X7hI3vMr/RPkQFvUWsZ5wOA+lmeApZTlA=", + "owner": "compsoc1%2Fskynet%2Fldap", + "repo": "frontend", + "rev": "947124c3b65cb76257d3e5e74adbd695ef581c53", + 
"type": "gitlab" }, "original": { - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/ldap_frontend" + "host": "gitlab.skynet.ie", + "owner": "compsoc1%2Fskynet%2Fldap", + "repo": "frontend", + "type": "gitlab" } }, "skynet_website": { "inputs": { - "nixpkgs": "nixpkgs_15", - "utils": "utils_7" + "nixpkgs": "nixpkgs_10", + "utils": "utils_5" }, "locked": { - "lastModified": 1758195787, - "narHash": "sha256-YK5rEiaPqH19PPwMO/smF3SJDdEosGyqUQ8pDEmnfK8=", - "ref": "refs/heads/main", - "rev": "afd55717913278d4541ae0d21ca915a045423574", - "revCount": 31, - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_2023" + "host": "gitlab.skynet.ie", + "lastModified": 1690725984, + "narHash": "sha256-1WNUS3f+YP9wHTxRo//a3yhOow4lzKH+hiNEAOFGtRM=", + "owner": "compsoc1%2Fskynet%2Fwebsite", + "repo": "2023", + "rev": "aef61e067345dd3e1512e5b9b529183c066dd077", + "type": "gitlab" }, "original": { - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_2023" - } - }, - "skynet_website_1996": { - "inputs": { - "nixpkgs": "nixpkgs_16", - "utils": "utils_8" - }, - "locked": { - "lastModified": 1744118392, - "narHash": "sha256-0W+9obJUFjArArqULQ8pqJuFN5cY5ir0yRZPfhReh8I=", - "ref": "refs/heads/main", - "rev": "19ec9fa4c4dafc68ce8b24653782598834a5405d", - "revCount": 13, - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_1996" - }, - "original": { - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_1996" - } - }, - "skynet_website_2003": { - "inputs": { - "nixpkgs": "nixpkgs_17", - "utils": "utils_9" - }, - "locked": { - "lastModified": 1743721206, - "narHash": "sha256-n9JGscEsckoasfmvpWKJ0kifQp1KPw8MbWPHhmmkLCU=", - "ref": "refs/heads/main", - "rev": "855b4c7139caeb3c520d75c9a02393f74fdb3be1", - "revCount": 14, - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_2003" - }, - "original": { - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_2003" - } - }, - "skynet_website_2006": { - 
"inputs": { - "nixpkgs": "nixpkgs_18", - "utils": "utils_10" - }, - "locked": { - "lastModified": 1743715699, - "narHash": "sha256-BgXlk7bT9q+cOE9u74ZfmqxxW0zIHZ/ebLyldO682Zg=", - "ref": "refs/heads/main", - "rev": "616040e0e7636c1e33a06262cc20fb1bf1fb61b6", - "revCount": 15, - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_2006" - }, - "original": { - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_2006" + "host": "gitlab.skynet.ie", + "owner": "compsoc1%2Fskynet%2Fwebsite", + "repo": "2023", + "type": "gitlab" } }, "skynet_website_2016": { "inputs": { - "nixpkgs": "nixpkgs_19", - "utils": "utils_11" + "nixpkgs": "nixpkgs_11", + "utils": "utils_6" }, "locked": { - "lastModified": 1743722645, - "narHash": "sha256-uelPrPuv/Z3i4NZ01BlbAqmpB4IlA6zaFL4DlaDWHuo=", - "ref": "refs/heads/main", - "rev": "316da6b20fe26a6c4c751e74ee214a23265a8205", - "revCount": 18, - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_2016" + "host": "gitlab.skynet.ie", + "lastModified": 1690726067, + "narHash": "sha256-/BrljRmgR65bdqWgGBBWlTFiBzr0EBh1OeMlLj+xTg4=", + "owner": "compsoc1%2Fskynet%2Fwebsite", + "repo": "2016", + "rev": "63e0b33c5a48cbd4e68f23dde4987959b6c8e97e", + "type": "gitlab" }, "original": { - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_2016" - } - }, - "skynet_website_2022": { - "inputs": { - "nixpkgs": "nixpkgs_20", - "utils": "utils_12" - }, - "locked": { - "lastModified": 1743727062, - "narHash": "sha256-myrgO0BU23zCD+mZnLfjmr/txjCWQizqlR72Hjv+E3s=", - "ref": "2022", - "rev": "687a0b1811987cfc27c2e6f5a625c4d59ef577c2", - "revCount": 30, - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_2023" - }, - "original": { - "ref": "2022", - "rev": "687a0b1811987cfc27c2e6f5a625c4d59ef577c2", - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_2023" - } - }, - "skynet_website_2023": { - "inputs": { - "nixpkgs": "nixpkgs_21", - "utils": "utils_13" - }, - "locked": { - 
"lastModified": 1696876711, - "narHash": "sha256-WdZQBLTX6WK8iT7FwvD6sNEefGwtAWmzxZzCvvmDxGo=", - "ref": "main", - "rev": "c4d61c753292bf73ed41b47b1607cfc92a82a191", - "revCount": 12, - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_2023" - }, - "original": { - "ref": "main", - "rev": "c4d61c753292bf73ed41b47b1607cfc92a82a191", - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_2023" - } - }, - "skynet_website_2024": { - "inputs": { - "nixpkgs": "nixpkgs_22", - "utils": "utils_14" - }, - "locked": { - "lastModified": 1732375016, - "narHash": "sha256-Y+bJw85TNOp8N369OV0VrDdm3oDy8CXG+GUuG6pZjbo=", - "ref": "main", - "rev": "8987e33cb709e7f2c30017e77edf9161b87d9885", - "revCount": 29, - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_2023" - }, - "original": { - "ref": "main", - "rev": "8987e33cb709e7f2c30017e77edf9161b87d9885", - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_2023" - } - }, - "skynet_website_games": { - "inputs": { - "nixpkgs": "nixpkgs_23", - "utils": "utils_15" - }, - "locked": { - "lastModified": 1727122069, - "narHash": "sha256-GOPYcXDc+KN6LmxMqobFUOn6e9e0khBW3SrFLj6+2i4=", - "ref": "refs/heads/main", - "rev": "e6d9056653610ca12839ac6c6d699bb36e5fa6db", - "revCount": 12, - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_games" - }, - "original": { - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/website_games" - } - }, - "skynet_website_wiki": { - "inputs": { - "alejandra": "alejandra_2", - "nixpkgs": "nixpkgs_25", - "utils": "utils_16" - }, - "locked": { - "lastModified": 1758635905, - "narHash": "sha256-PPqhD2RHUOwJrbey72H1wnmdpeELilwKlND4TR5qo2k=", - "ref": "refs/heads/main", - "rev": "eb1fc042b5d410b17dd63c492c03be78443ed07f", - "revCount": 167, - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/wiki" - }, - "original": { - "type": "git", - "url": "https://forgejo.skynet.ie/Skynet/wiki" - } - }, - "stable": { - "locked": { - 
"lastModified": 1730883749, - "narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "dba414932936fde69f0606b4f1d87c5bc0003ede", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" + "host": "gitlab.skynet.ie", + "owner": "compsoc1%2Fskynet%2Fwebsite", + "repo": "2016", + "type": "gitlab" } }, "systems": { 
@@ -1347,141 +557,6 @@ "type": "github" } }, - "systems_10": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_11": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_12": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_13": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_14": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_15": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 
- "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_16": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_17": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_18": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "systems_2": { "locked": { "lastModified": 1681028828, 
@@ -1557,187 +632,13 @@ "type": "github" } }, - "systems_7": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_8": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_9": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "utils": { - "inputs": { - "systems": "systems_2" - }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1605370193, + "narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_10": { - "inputs": { - "systems": "systems_12" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_11": { - "inputs": { - "systems": "systems_13" - 
}, - "locked": { - "lastModified": 1689068808, - "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_12": { - "inputs": { - "systems": "systems_14" - }, - "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_13": { - "inputs": { - "systems": "systems_15" - }, - "locked": { - "lastModified": 1689068808, - "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_14": { - "inputs": { - "systems": "systems_16" - }, - "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_15": { - "inputs": { - "systems": "systems_17" - }, - "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_16": { - "inputs": { - "systems": "systems_18" - }, - "locked": { - "lastModified": 1710146030, - "narHash": 
"sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "5021eac20303a61fafe17224c087f5519baed54d", "type": "github" }, "original": { @@ -1748,14 +649,14 @@ }, "utils_2": { "inputs": { - "systems": "systems_3" + "systems": "systems_2" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1692799911, + "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44", "type": "github" }, "original": { @@ -1766,14 +667,14 @@ }, "utils_3": { "inputs": { - "systems": "systems_5" + "systems": "systems_3" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1685518550, + "narHash": "sha256-o2d0KcvaXzTrPRIo0kOLV0/QXHhDQ5DTi+OxcjO8xqY=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "a1720a10a6cfe8234c0e93907ffe81be440f4cef", "type": "github" }, "original": { 
@@ -1784,43 +685,7 @@ }, "utils_4": { "inputs": { - "systems": "systems_6" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_5": { - "inputs": { - "systems": "systems_7" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_6": { - "inputs": { - "systems": "systems_8" + "systems": "systems_4" }, "locked": { "lastModified": 1687171271, @@ -1836,16 +701,16 @@ "type": "github" } }, - "utils_7": { + "utils_5": { "inputs": { - "systems": "systems_9" + "systems": "systems_5" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", "type": "github" }, "original": { 
@@ -1854,34 +719,16 @@ "type": "github" } }, - "utils_8": { + "utils_6": { "inputs": { - "systems": "systems_10" + "systems": "systems_6" }, "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "lastModified": 1689068808, + "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", "owner": "numtide", "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "utils_9": { - "inputs": { - "systems": "systems_11" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 3053145..e341146 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,117 +1,61 @@ { + description = "Deployment for skynet"; inputs = { # gonna start off with a fairly modern base nixpkgs.url = "nixpkgs/nixos-unstable"; - # Return to using unstable once the current master is merged in - # nixpkgs.url = "nixpkgs/nixos-unstable"; # utility stuff flake-utils.url = "github:numtide/flake-utils"; agenix.url = "github:ryantm/agenix"; arion.url = "github:hercules-ci/arion"; - alejandra = { - url = "github:kamadorueda/alejandra"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - colmena.url = "github:zhaofengli/colmena"; - # we host our own - simple-nixos-mailserver = { - inputs.nixpkgs.follows = "nixpkgs"; - url = "git+https://forgejo.skynet.ie/Skynet/misc_nixos-mailserver"; - }; + # email + # simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver"; - ###################### - ### skynet backend ### - ###################### - skynet_ldap_backend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_backend"; - # skynet_ldap_backend.url = "git+file:/_college/CompSoc/Skynet/ldap_backend?shallow=1"; - skynet_ldap_frontend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_frontend"; - skynet_website_wiki.url = "git+https://forgejo.skynet.ie/Skynet/wiki"; - skynet_website_games.url = "git+https://forgejo.skynet.ie/Skynet/website_games"; - skynet_discord_bot.url = "git+https://forgejo.skynet.ie/Skynet/discord-bot"; - skynet_discord_bot_t-800.url = "git+https://forgejo.skynet.ie/Skynet/discord-bot-t-800"; - # for testing a local build - # skynet_discord_bot.url = "git+file:/_college/CompSoc/Skynet/discord_bot?shallow=1"; + # account.skynet.ie + skynet_ldap_backend.url = "gitlab:compsoc1%2Fskynet%2Fldap/backend?host=gitlab.skynet.ie"; + skynet_ldap_frontend.url = "gitlab:compsoc1%2Fskynet%2Fldap/frontend?host=gitlab.skynet.ie"; - ##################### - ### compsoc stuff ### - ##################### - compsoc_public.url = 
"git+https://forgejo.skynet.ie/Computer_Society/presentations_compsoc"; + skynet_website.url = "gitlab:compsoc1%2Fskynet%2Fwebsite/2023?host=gitlab.skynet.ie"; + skynet_website_2016.url = "gitlab:compsoc1%2Fskynet%2Fwebsite/2016?host=gitlab.skynet.ie"; - ################# - ### skynet.ie ### - ################# - - # this should always point to teh current website - skynet_website.url = "git+https://forgejo.skynet.ie/Skynet/website_2023"; - - # past versions of the current website - skynet_website_2024.url = "git+https://forgejo.skynet.ie/Skynet/website_2023?ref=main&rev=8987e33cb709e7f2c30017e77edf9161b87d9885"; - skynet_website_2023.url = "git+https://forgejo.skynet.ie/Skynet/website_2023?ref=main&rev=c4d61c753292bf73ed41b47b1607cfc92a82a191"; - skynet_website_2022.url = "git+https://forgejo.skynet.ie/Skynet/website_2023?ref=2022&rev=687a0b1811987cfc27c2e6f5a625c4d59ef577c2"; - - skynet_website_2016.url = "git+https://forgejo.skynet.ie/Skynet/website_2016"; - skynet_website_2006.url = "git+https://forgejo.skynet.ie/Skynet/website_2006"; - skynet_website_2003.url = "git+https://forgejo.skynet.ie/Skynet/website_2003"; - skynet_website_1996.url = "git+https://forgejo.skynet.ie/Skynet/website_1996"; + skynet_discord_bot.url = "gitlab:compsoc1%2Fskynet/discord-bot?host=gitlab.skynet.ie"; }; - nixConfig = { - extra-substituters = "https://nix-cache.skynet.ie/skynet-cache"; - extra-trusted-public-keys = "skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo="; - }; + nixConfig.bash-prompt-suffix = "[Skynet Dev] "; - outputs = { - self, - nixpkgs, - agenix, - alejandra, - colmena, - ... - } @ inputs: let - pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs; - in { - formatter.x86_64-linux = alejandra.defaultPackage."x86_64-linux"; + outputs = { self, nixpkgs, agenix, ... 
} @inputs: + let + pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs; + in { devShells.x86_64-linux.default = pkgs.mkShell { - name = "Skynet"; + name = "Skynet build env"; nativeBuildInputs = [ - pkgs.buildPackages.git - colmena.defaultPackage."x86_64-linux" - pkgs.attic-client - pkgs.buildPackages.nmap + pkgs.buildPackages.git + pkgs.buildPackages.colmena + pkgs.buildPackages.nmap ]; - buildInputs = [agenix.packages.x86_64-linux.default]; - shellHook = ''export PROMPT_DIRTRIM=3; export PS1="[Skynet] \w:\$ "''; + buildInputs = [ agenix.packages.x86_64-linux.default ]; + shellHook = ''export EDITOR="${pkgs.nano}/bin/nano --nonewlines"''; }; colmena = { meta = { nixpkgs = import nixpkgs { system = "x86_64-linux"; - overlays = [ - (final: prev: { - inherit - (final.lixPackageSets.stable) - nixpkgs-review - nix-direnv - nix-eval-jobs - nix-fast-build - colmena - ; - }) - ]; + overlays = []; }; specialArgs = { - inherit inputs self; + inherit inputs; }; }; # installed for each machine - defaults = import ./machines/_base.nix; + defaults = import ./machines/_base.nix ; # firewall machiene agentjones = import ./machines/agentjones.nix; @@ -125,6 +69,9 @@ # icecast - ULFM galatea = import ./machines/galatea.nix; + # Game host + optimus = import ./machines/optimus.nix; + # LDAP host kitt = import ./machines/kitt.nix; @@ -140,29 +87,10 @@ # backup 1 neuromancer = import ./machines/neuromancer.nix; - # Skynet, user ssh access + # Skynet skynet = import ./machines/skynet.nix; - # Main skynet sites - earth = import ./machines/earth.nix; - - # Nextcloud - cadie = import ./machines/cadie.nix; - - # trainee server - marvin = import ./machines/marvin.nix; - - # Public Services - calculon = import ./machines/calculon.nix; - - # metrics - ariia = import ./machines/ariia.nix; - - # games server - panel - optimus = import ./machines/optimus.nix; - - # games server - host - bumblebee = import ./machines/bumblebee.nix; }; }; + } 
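Review bot: The new single-line `simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";` drops the `inputs.nixpkgs.follows = "nixpkgs"` override that the old attrset form carried, so the lock now pins a separate nixpkgs for that input (the lock hunk above shows its `nixpkgs` entry pointing at `nixpkgs_4`). The mailserver NixOS module is still evaluated against the host's nixpkgs, so this is mostly an extra copy of nixpkgs to fetch and to keep updated, but the two package sets can drift apart and the divergence is not visible from `flake.nix`. If the override was dropped on purpose, a comment beside the `# email` line saying so would help; otherwise keep the attrset form with `inputs.nixpkgs.follows = "nixpkgs";` next to the `url`. The `skynet_*` inputs likewise carry no `follows` and no `ref`/`rev` in their URLs, so `flake.lock` is their only pin; worth stating that in a comment where they are declared.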
diff --git a/machines/_base.nix b/machines/_base.nix index a8f53ff..2a14cfc 100644 --- a/machines/_base.nix +++ b/machines/_base.nix 
@@ -1,150 +1,92 @@ +{ pkgs, modulesPath, config, options, inputs, ... }: + { - pkgs, - modulesPath, - config, - options, - inputs, - lib, - ... -}: -with lib; let - cfg = config.skynet; -in { imports = [ - # This is required for LXC to function properly (modulesPath + "/virtualisation/proxmox-lxc.nix") # for the secrets inputs.agenix.nixosModules.default - # base application config for all servers - ../applications/_base.nix + # every sever may need the firewall config stuff + ../applications/firewall.nix + + # every sever needs to have a dns record + ../applications/dns.nix + + # every server needs teh ldap client for admins + ../applications/ldap/client.nix + + # every server will need the config to backup to + ../applications/restic.nix ]; - options.skynet = { - lxc = mkOption { - type = types.bool; - # most of our servers are lxc so its true by default - default = true; - description = mdDoc "Is this a Linux Container?"; - }; + # flakes are essensial + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + + system.stateVersion = "22.11"; + + services.openssh = { + enable = true; + settings.PermitRootLogin = "prohibit-password"; }; - config = { - # if its a lxc enable - proxmoxLXC = { - enable = cfg.lxc; - manageNetwork = true; - manageHostName = true; - }; + users.users.root = { + initialHashedPassword = ""; - age.secrets.root_pw.file = ../secrets/base/root_pass.age; + openssh.authorizedKeys.keys = [ + # no obligation to have name attached to keys - nix = { - settings = { - # flakes are essensial - experimental-features = ["nix-command" "flakes"]; - trusted-users = [ - "root" - "@skynet-admins-linux" - ]; - }; + # Root account + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin" - # https://nixos.wiki/wiki/Storage_optimization - # gc = { - # automatic = true; - # dates = "weekly"; - # options = "--delete-older-than 30d"; - # }; + # CI/CD key + "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key" - # to free up to 100GiB whenever there is less than 1GiB left - extraOptions = '' - min-free = ${toString (1024 * 1024 * 1024 * 1)} - max-free = ${toString (1024 * 1024 * 1024 * 100)} - ''; - }; + # Brendan Golden + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb" - system.stateVersion = "22.11"; - - services.openssh = { - enable = true; - settings.PermitRootLogin = "prohibit-password"; - }; - - users = { - mutableUsers = false; - - users.root = { - hashedPasswordFile = config.age.secrets.root_pw.path; - - openssh.authorizedKeys.keys = [ - # no obligation to have name attached to keys - - # Root account - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin" - - # CI/CD key - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBDvexq/JjsMqL0G5P38klzoOkHs3IRyXYO1luEJuB5R colmena_key" - - # Brendan Golden - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb" - - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer" - - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDxHpsApRyCvuP2ToGm46G308Og8lO7BYPuz+EqHVU5w esy root" - ]; - }; - }; - - # skynet-admin-linux will always be added, individual servers can override the groups option - services.skynet.ldap_client.enable = true; - - networking = { - # every sever needs to be accessable over ssh for admin use at least - firewall.allowedTCPPorts = [22]; - - resolvconf.useLocalResolver = false; - resolvconf.extraConfig = "name_servers='193.1.99.120 193.1.99.109'"; - # explisitly stating this is good - defaultGateway = { - address = "193.1.99.65"; - interface = "eth0"; - }; - - # cannot use our own it seems? 
- nameservers = [ - # ns1 - "193.1.99.120" - # ns2 - "193.1.99.109" - ]; - }; - - # time on vendetta is strangely out of sync - networking.timeServers = options.networking.timeServers.default ++ ["ie.pool.ntp.org"]; - services.ntp.enable = true; - - # use teh above nameservers as the fallback dns - services.resolved.fallbackDns = config.networking.nameservers; - - # https://discourse.nixos.org/t/systemd-networkd-wait-online-934764-timeout-occurred-while-waiting-for-network-connectivity/33656/9 - systemd.network.wait-online.enable = false; - - environment.systemPackages = with pkgs; [ - # for flakes - git - git-lfs - # useful tools - ncdu_2 - htop - nano - nmap - bind - zip - traceroute - openldap - screen - inetutils + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer" ]; }; + + # skynet-admin-linux will always be added, individual servers can override the groups option + services.skynet_ldap_client.enable = true; + + networking = { + # every sever needs to be accessable over ssh for admin use at least + firewall.allowedTCPPorts = [22]; + + # explisitly stating this is good + defaultGateway = "193.1.99.65"; + + # cannot use our own it seems? + nameservers = [ + # ns1 + "193.1.99.120" + # ns2 + "193.1.99.109" + ]; + }; + + # time on vendetta is strangely out of sync + networking.timeServers = options.networking.timeServers.default ++ [ "ie.pool.ntp.org" ]; + services.ntp.enable = true; + + # use teh above nameservers as the fallback dns + services.resolved.fallbackDns = config.networking.nameservers; + + environment.systemPackages = [ + # for flakes + pkgs.git + # useful tools + pkgs.ncdu_2 + pkgs.htop + pkgs.nano + pkgs.nmap + pkgs.bind + pkgs.zip + pkgs.traceroute + pkgs.openldap + pkgs.screen + ]; } diff --git a/machines/_template.nix b/machines/_template.nix deleted file mode 100644 index 36a1189..0000000 --- a/machines/_template.nix +++ /dev/null 
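Review bot: `initialHashedPassword = "";` under `users.users.root` gives root an empty password hash, so wherever null passwords are accepted (local, serial or container consoles — please confirm which login services allow it on these hosts) root can log in with no password; the `settings.PermitRootLogin = "prohibit-password"` kept a few lines above only covers sshd. The removed side kept the hash in an agenix secret and pinned the user database with `mutableUsers = false`, which also made the hash authoritative on every rebuild rather than only at first user creation. Suggest restoring those three lines in place of the empty hash: `age.secrets.root_pw.file = ../secrets/base/root_pass.age;`, `users.mutableUsers = false;` and `hashedPasswordFile = config.age.secrets.root_pw.path;`.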
@@ -1,56 +0,0 @@ -/* -Name: Link to where information on the name can be found -Why: Why is it named this -Type: VM/Physical -Hardware: - if its a VM, the hardware (PowerEdge r210) if its physical -From: 2023/2024/2025/... -Role: What role does it have in teh cluster -Notes: -*/ -{ - pkgs, - lib, - nodes, - ... -}: let - # name of the server, sets teh hostname and record for it - name = "name"; - # Assigned IP address - ip_pub = "193.1.99.000"; - - # dont need to change these - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - }; -in { - # what configurrations to import, email in this example - imports = [ - ../applications/email.nix - ]; - - deployment = { - # dont need to change these - targetHost = hostname; - targetPort = 22; - targetUser = null; - - # deployment option: active-dns/active-core/active-ext/active - tags = [ - "active" - ]; - }; - - services.skynet = { - # pass in the details of the host server - host = host; - - # enable the backup service - backup.enable = true; - - # enable the imported service - email.enable = true; - }; -} diff --git a/machines/agentjones.nix b/machines/agentjones.nix index f661104..cde9245 100644 --- a/machines/agentjones.nix +++ b/machines/agentjones.nix @@ -1,49 +1,75 @@ /* -Name: https://matrix.fandom.com/wiki/Agent_Jones -Type: Physical -Hardware: PowerEdge r210 -From: 2011 (?) -Role: Firewall -Notes: Used to have Agent Smith as a partner but it died (Ironically) + Name: https://matrix.fandom.com/wiki/Agent_Jones + Type: Physical + Hardware: PowerEdge r210 + 
From: 2011 (?) + Role: Firewall + Notes: Used to have Agent Smith as a partner but it died (Ironically) + */ -{ - pkgs, - lib, - nodes, - ... -}: let + +{ pkgs, lib, nodes, ... }: +let # name of the server, sets teh hostname and record for it - name = "agentjones"; - ip_pub = "193.1.99.72"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - interface = "eno1"; - }; + name = "agentjones"; + ip_pub = "193.1.99.72"; + ip_priv = "193.1.99.125"; + hostname = "${name}.skynet.ie"; + in { imports = [ + ./hardware/_base.nix ./hardware/RM001.nix ]; deployment = { targetHost = hostname; targetPort = 22; - targetUser = null; + targetUser = "root"; # somehow ssh from runner to this fails - tags = ["active-firewall"]; + tags = [ "active-firewall" ]; }; - services.skynet = { - host = host; - backup.enable = true; + skynet_dns.records = [ + {record=name; r_type="A"; value=ip_pub; server=true;} + {record=ip_pub; r_type="PTR"; value=hostname;} + ]; + + services.skynet_backup = { + host = { + ip = ip_pub; + name = name; + }; }; # keep the wired usb connection alive (front panel) - # networking.interfaces.enp0s29u1u5u2.useDHCP = true; + networking.interfaces.enp0s29u1u5u2.useDHCP = true; + + networking.hostName = name; + # this has to be defined for any physical servers + # vms are defined by teh vm host + networking.interfaces = { + eno2 = { + ipv4.addresses = [ + { + address = ip_pub; + prefixLength = 26; + } + ]; + }; + eno1 = { + #useDHCP = false; + ipv4.addresses = [ + { + # internal address + address = ip_priv; + prefixLength = 26; + } + ]; + }; + }; # this server is teh firewall skynet_firewall = { 
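Review bot: `ip_priv = "193.1.99.125";` is described as the `# internal address` for `eno1`, but it lies in the same public /26 as `ip_pub` (193.1.99.72, with `prefixLength = 26` on both interfaces), so eno1 and eno2 end up addressed on one subnet; if that is intended, a comment saying why should replace `# internal address`, otherwise the address or prefix looks wrong — please confirm. Separately, `networking.interfaces.enp0s29u1u5u2.useDHCP = true;` is now live rather than commented out, so the firewall host accepts a DHCP-assigned configuration on its front-panel USB NIC; the forwarding rules further down the file should be checked so that interface is not treated as trusted. The enclosing attribute set continues past this hunk.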
@@ -61,25 +87,23 @@ in { }; }; - enable = false; + enable = true; # gonna have to get all the forward = builtins.concatLists ( # using this function "(key: value: value.config.skynet_firewall.forward)" turn the values ointo a list - lib.attrsets.mapAttrsToList ( - key: value: + lib.attrsets.mapAttrsToList (key: value: # make sure that anything running this firewall dosent count (recursion otherewise) # firewall may want to open ports in itself but can deal with that later - if builtins.hasAttr "skynet_firewall" value.config - then - ( - if value.config.skynet_firewall.enable - then [] - else value.config.skynet_firewall.forward - ) - else [] - ) - nodes + if builtins.hasAttr "skynet_firewall" value.config + then ( + if value.config.skynet_firewall.enable + then [] + else value.config.skynet_firewall.forward + ) + else [] + ) nodes ); }; + } diff --git a/machines/ariia.nix b/machines/ariia.nix deleted file mode 100644 index 724d115..0000000 --- a/machines/ariia.nix +++ /dev/null @@ -1,49 +0,0 @@ -/* - -Name: https://en.wikipedia.org/wiki/Eagle_Eye -Why: ARIIA - Autonomous Reconnaissance Intelligence Integration Analyst -Type: VM -Hardware: - -From: 2024 -Role: Metrics gathering and Analysis -Notes: -*/ -{ - config, - pkgs, - lib, - nodes, - ... -}: let - # name of the server, sets teh hostname and record for it - name = "ariia"; - ip_pub = "193.1.99.83"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - }; -in { - imports = [ - ../applications/grafana.nix - ]; - - deployment = { - targetHost = hostname; - targetPort = 22; - targetUser = null; - - tags = [ - # "active-core" - ]; - }; - - services.skynet = { - host = host; - backup.enable = true; - - prometheus.server.enable = true; - grafana.enable = true; - }; -} diff --git a/machines/bumblebee.nix b/machines/bumblebee.nix deleted file mode 100644 index e8e7a40..0000000 --- a/machines/bumblebee.nix +++ /dev/null 
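Review bot: The comment `# gonna have to get all the` above `forward = builtins.concatLists (` is unfinished, and the one below it (`using this function ... turn the values ointo a list`) restates the code rather than the intent. Suggest replacing both with `# collect the forward rules every other node declares; nodes that run their own firewall are skipped so this node does not recurse into itself`. The surrounding `skynet_firewall` block starts outside this hunk.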
@@ -1,51 +0,0 @@ -/* - -Name: https://en.wikipedia.org/wiki/Bumblebee_(Transformers) -Why: Created to sell toys so this vm is for games -Type: VM -Hardware: - -From: 2024 -Role: Game host -Notes: -*/ -{ - pkgs, - lib, - nodes, - arion, - ... -}: let - # name of the server, sets teh hostname and record for it - name = "bumblebee"; - ip_pub = "193.1.99.91"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - }; -in { - imports = [ - ../applications/pelican/pelican.nix - ../applications/games/minecraft.nix - ]; - - deployment = { - targetHost = hostname; - targetPort = 22; - targetUser = null; - - tags = ["active"]; - }; - - services.skynet = { - host = host; - backup.enable = true; - pelican = { - wing = { - enable = true; - node_name = "node01"; - }; - }; - }; -} diff --git a/machines/cadie.nix b/machines/cadie.nix deleted file mode 100644 index 96a6bed..0000000 --- a/machines/cadie.nix +++ /dev/null @@ -1,47 +0,0 @@ -/* - -Name: https://en.wikipedia.org/wiki/List_of_Google_April_Fools%27_Day_jokes#CADIE -Why: CADIE is what google could have been, but they chickened out. -Type: VM -Hardware: - -From: 2023 -Role: Google but better -Notes: -*/ -{ - pkgs, - lib, - nodes, - ... -}: let - # name of the server, sets teh hostname and record for it - name = "cadie"; - ip_pub = "193.1.99.77"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - }; -in { - imports = [ - ../applications/nextcloud.nix - ]; - - deployment = { - targetHost = hostname; - targetPort = 22; - targetUser = null; - - tags = ["active"]; - }; - - services.skynet = { - host = host; - backup.enable = true; - nextcloud.enable = true; - }; - - # this was causing a conflict for some reason - systemd.network.enable = lib.mkForce false; -} diff --git a/machines/calculon.nix b/machines/calculon.nix deleted file mode 100644 index 30ad6bd..0000000 --- a/machines/calculon.nix +++ /dev/null 
@@ -1,49 +0,0 @@ -/* - -Name: https://futurama.fandom.com/wiki/Calculon -Why: Public Service server -Type: VM -Hardware: - -From: 2024 -Role: Public services such as Nix Cache, Open governance stuff. -Notes: -*/ -{ - pkgs, - lib, - nodes, - inputs, - ... -}: let - name = "calculon"; - ip_pub = "193.1.99.82"; - hostname = "${name}.skynet.ie"; - - host = { - ip = ip_pub; - name = name; - hostname = hostname; - }; -in { - imports = [ - ../applications/nix_cache/nix_cache.nix - ../applications/open_governance/open_governance.nix - ../applications/open_governance/keyserver.nix - ]; - - deployment = { - targetHost = hostname; - targetPort = 22; - targetUser = null; - - tags = ["active"]; - }; - - services.skynet = { - host = host; - backup.enable = true; - nix-cache.enable = true; - open-governance.enable = true; - keyserver.enable = true; - }; -} diff --git a/machines/earth.nix b/machines/earth.nix deleted file mode 100644 index fadcef1..0000000 --- a/machines/earth.nix +++ /dev/null @@ -1,46 +0,0 @@ -/* - -Name: https://hitchhikers.fandom.com/wiki/Earth -Why: Our home(page) -Type: VM -Hardware: - -From: 2023 -Role: Webserver -Notes: -*/ -{ - pkgs, - lib, - nodes, - inputs, - ... -}: let - name = "earth"; - ip_pub = "193.1.99.79"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - }; -in { - imports = [ - ../applications/skynet.ie/skynet.ie.nix - ../applications/skynet.ie/wiki.nix - ]; - - deployment = { - targetHost = hostname; - targetPort = 22; - targetUser = null; - - tags = ["active-core"]; - }; - - services.skynet = { - host = host; - backup.enable = true; - website.enable = true; - wiki.enable = true; - }; -} diff --git a/machines/galatea.nix b/machines/galatea.nix index 62af7e3..4989e78 100644 --- a/machines/galatea.nix +++ b/machines/galatea.nix 
@@ -1,29 +1,21 @@ /* -Name: https://en.wikipedia.org/wiki/Galatea_(mythology) -Why: Created as a product of artistic expression -Type: VM -Hardware: - -From: 2023 -Role: Icecast server for ULFM -Notes: + Name: https://en.wikipedia.org/wiki/Galatea_(mythology) + Why: Created as a product of artistic expression + Type: VM + Hardware: - + From: 2023 + Role: Icecast server for ULFM + Notes: + */ -{ - pkgs, - lib, - nodes, - config, - ... -}: let + +{ pkgs, lib, nodes, config, ... }: +let # name of the server, sets teh hostname and record for it - name = "galatea"; - ip_pub = "193.1.99.111"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - }; + name = "galatea"; + ip_pub = "193.1.99.111"; + hostname = "${name}.skynet.ie"; in { imports = [ ../applications/ulfm.nix @@ -32,14 +24,28 @@ in { deployment = { targetHost = hostname; targetPort = 22; - targetUser = null; + targetUser = "root"; - tags = ["active"]; + tags = [ "active" ]; }; - services.skynet = { - host = host; - backup.enable = true; - ulfm.enable = true; + skynet_dns.records = [ + {record=name; r_type="A"; value=ip_pub; server=true;} + {record=ip_pub; r_type="PTR"; value=hostname;} + ]; + + services.skynet_backup = { + host = { + ip = ip_pub; + name = name; + }; + }; + + services.skynet_ulfm = { + enable = true; + host = { + ip = ip_pub; + name = name; + }; }; } diff --git a/machines/gir.nix b/machines/gir.nix index 0f6dde4..2e16a39 100644 --- a/machines/gir.nix +++ b/machines/gir.nix @@ -1,28 +1,23 @@ /* -Name: https://zim.fandom.com/wiki/GIR -Why: Gir used to have this role before, servers never die -Type: VM -Hardware: - -From: 2023 -Role: Email Server -Notes: + Name: https://zim.fandom.com/wiki/GIR + Why: Gir used to have this role before, servers never die + Type: VM + Hardware: - + 
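Review bot: The same `host = { ip = ip_pub; name = name; };` attribute set is written out twice in this hunk, once under `services.skynet_backup` and once under `services.skynet_ulfm`, and the pattern repeats in gir, glados, kitt and neuromancer in this diff. Define it once in the `let` block (`host = { ip = ip_pub; name = name; };`) and reference it as `host = host;` in each service, so a change to the host's address cannot drift between services. The `skynet_dns.records` entries would also read more easily with spaces around `=` and after `;`, matching the rest of the file.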
From: 2023 + Role: Email Server + Notes: + */ -{ - pkgs, - lib, - nodes, - ... -}: let + +{ pkgs, lib, nodes, ... }: +let # name of the server, sets teh hostname and record for it - name = "gir"; - ip_pub = "193.1.99.76"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - }; + name = "gir"; + ip_pub = "193.1.99.76"; + hostname = "${name}.skynet.ie"; + #hostname = ip_pub; + in { imports = [ ../applications/email.nix @@ -31,14 +26,31 @@ in { deployment = { targetHost = hostname; targetPort = 22; - targetUser = null; + targetUser = "root"; - tags = ["active-core"]; + tags = [ "active-core" ]; }; - services.skynet = { - host = host; - backup.enable = true; - email.enable = true; + # add this server to dns + skynet_dns.records = [ + {record=name; r_type="A"; value=ip_pub; server=true;} + {record=ip_pub; r_type="PTR"; value=hostname;} + ]; + + services.skynet_backup = { + host = { + ip = ip_pub; + name = name; + }; + }; + + # we use this to pass in teh relevent infomation to the + services.skynet_email = { + enable = true; + host = { + ip = ip_pub; + name = name; + }; + domain = "skynet.ie"; }; } diff --git a/machines/glados.nix b/machines/glados.nix index c5be714..fc2ec0e 100644 --- a/machines/glados.nix +++ b/machines/glados.nix @@ -1,50 +1,55 @@ /* -Name: https://half-life.fandom.com/wiki/GLaDOS -Why: Glados has a vast experence of testing and deploying. -Type: VM -Hardware: - -From: 2023 -Role: Git server -Notes: Each user has roughly 20gb os storage - 20 * 100 = 2000gb + Name: https://half-life.fandom.com/wiki/GLaDOS + Why: Glados has a vast experence of testing and deploying. + Type: VM + Hardware: - + 
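Review bot: `#hostname = ip_pub;` added after `hostname = "${name}.skynet.ie";` is commented-out code with no explanation; kitt gets the same line in this diff. Either delete it or turn it into a comment that states when the IP should be used as the deploy target instead of the DNS name, e.g. `# if DNS for this host is not live yet, deploy to ip_pub instead`.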
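Review bot: The comment `# we use this to pass in teh relevent infomation to the` above `services.skynet_email = {` is cut off mid-sentence. Suggest `# pass the host details and the mail domain to the email service module`.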
From: 2023 + Role: Git server + Notes: Each user has roughly 20gb os storage + 20 * 100 = 2000gb + */ -{ - pkgs, - lib, - nodes, - ... -}: let + +{ pkgs, lib, nodes, ... }: +let # name of the server, sets teh hostname and record for it - name = "glados"; - ip_pub = "193.1.99.75"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - }; + name = "glados"; + ip_pub = "193.1.99.75"; + hostname = "${name}.skynet.ie"; + in { imports = [ - ../applications/git/forgejo.nix - ../applications/git/forgejo_runner.nix + ../applications/gitlab.nix ]; deployment = { targetHost = hostname; targetPort = 22; - targetUser = null; + targetUser = "root"; - tags = ["active-git"]; + tags = [ "active-gitlab" ]; }; - services.skynet = { - host = host; - backup.enable = true; - forgejo.enable = true; - forgejo_runner = { - enable = true; - secret = ../secrets/forgejo/runners/token2.age; + + skynet_dns.records = [ + {record=name; r_type="A"; value=ip_pub; server=true;} + {record=ip_pub; r_type="PTR"; value=hostname;} + ]; + + services.skynet_backup = { + host = { + ip = ip_pub; + name = name; }; }; -} + + services.skynet_gitlab = { + enable = true; + host = { + ip = ip_pub; + name = name; + }; + }; + +} \ No newline at end of file diff --git a/machines/hardware/RM001.nix b/machines/hardware/RM001.nix index 8d1ff3d..c5880d2 100644 --- a/machines/hardware/RM001.nix +++ b/machines/hardware/RM001.nix 
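Review bot: The new file ends with `\ No newline at end of file` and leaves two blank lines before `skynet_dns.records` and another before the closing `}`; hardware/_base.nix and neuromancer in this diff also end without a trailing newline. Add the final newline and drop the empty lines so formatters and future diffs stay quiet. The deployment tag is renamed from `active-git` to `active-gitlab`, so any `--on @active-git` selector will now match no node; please confirm every selector was updated alongside.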
@@ -1,40 +1,31 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + { - config, - lib, - pkgs, - modulesPath, - ... -}: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ./_base.nix - ]; + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; - boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod"]; - boot.initrd.kernelModules = []; - boot.kernelModules = []; - boot.extraModulePackages = []; + fileSystems."/" = + { device = "/dev/disk/by-uuid/9b177e4a-726e-4e68-a0e1-53837a8cae2e"; + fsType = "ext4"; + }; - fileSystems."/" = { - device = "/dev/disk/by-uuid/f7b9d648-735f-44b7-b439-6af601b234a7"; - fsType = "ext4"; - }; + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/41AD-70AF"; + fsType = "vfat"; + }; - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/679E-C352"; - fsType = "vfat"; - }; - - swapDevices = [ - {device = "/dev/disk/by-uuid/b1da9f57-1ed0-4f10-a6c0-6536a0017b2a";} - ]; + swapDevices = + [ { device = "/dev/disk/by-uuid/c5990c64-077f-45b1-96b5-44ec93e6651f"; } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's 
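Review bot: The new side drops `boot.loader.systemd-boot.enable = true;` and `boot.loader.efi.canTouchEfiVariables = true;` without replacing them, while still mounting a vfat `/boot` (`fileSystems."/boot"` with `fsType = "vfat"`), which is the layout those options were serving; RM002 is changed the same way, and RM007 loses `boot.loader.grub.device = "/dev/sda";`. Unless a bootloader is set elsewhere for these hosts, NixOS's default GRUB configuration still needs a device, so the build is likely to fail or the machine to come up unbootable after deployment — please confirm before applying to the physical hosts. The header says this file is generated, so if the bootloader settings cannot live here they belong in the importing machine file.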
@@ -43,6 +34,7 @@ networking.useDHCP = lib.mkDefault true; # networking.interfaces.eno1.useDHCP = lib.mkDefault true; # networking.interfaces.eno2.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s29u1u1.useDHCP = lib.mkDefault true; # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; diff --git a/machines/hardware/RM002.nix b/machines/hardware/RM002.nix index 1594370..06f4ad2 100644 --- a/machines/hardware/RM002.nix +++ b/machines/hardware/RM002.nix 
@@ -1,40 +1,31 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + { - config, - lib, - pkgs, - modulesPath, - ... -}: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ./_base.nix - ]; + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; - boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"]; - boot.initrd.kernelModules = []; - boot.kernelModules = []; - boot.extraModulePackages = []; + fileSystems."/" = + { device = "/dev/disk/by-uuid/34918a4f-ca27-4070-a309-94bc59bdd743"; + fsType = "ext4"; + }; - fileSystems."/" = { - device = "/dev/disk/by-uuid/5c1a39c9-c458-4518-b75b-5a831bebc204"; - fsType = "ext4"; - }; + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/8B03-4D11"; + fsType = "vfat"; + }; - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/8CBD-7032"; - fsType = "vfat"; - }; - - swapDevices = [ - {device = "/dev/disk/by-uuid/515df5d9-abad-4068-bacc-559fb76e1fb1";} - ]; + swapDevices = + [ { device = "/dev/disk/by-uuid/c83e65ad-d252-4024-93a9-0253c5d8beac"; } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's 
@@ -43,6 +34,7 @@ networking.useDHCP = lib.mkDefault true; # networking.interfaces.eno1.useDHCP = lib.mkDefault true; # networking.interfaces.eno2.useDHCP = lib.mkDefault true; + # networking.interfaces.enp0s29u1u2.useDHCP = lib.mkDefault true; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; diff --git a/machines/hardware/RM007.nix b/machines/hardware/RM007.nix index 1b9c130..02ecb10 100644 --- a/machines/hardware/RM007.nix +++ b/machines/hardware/RM007.nix 
@@ -1,33 +1,31 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + { - config, - lib, - pkgs, - modulesPath, - ... -}: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ./_base.nix - ]; + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; - boot.initrd.availableKernelModules = ["ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod"]; - boot.initrd.kernelModules = []; - boot.kernelModules = []; - boot.extraModulePackages = []; + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; - boot.loader.grub.device = "/dev/sda"; + fileSystems."/" = + { device = "/dev/disk/by-uuid/c48817e1-036f-49a7-adae-f63fc6c03cd5"; + fsType = "ext4"; + }; - fileSystems."/" = { - device = "/dev/disk/by-uuid/a6c96ea1-1e66-4ad3-aef6-dd7131c83530"; - fsType = "ext4"; - }; + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/76CE-C65E"; + fsType = "vfat"; + }; - swapDevices = [ - {device = "/dev/disk/by-uuid/5408b486-62ce-45d9-bca5-b458e68ef7f4";} - ]; + swapDevices = + [ { device = "/dev/disk/by-uuid/eced30bd-b785-43e0-a202-cdaee7e0f4f7"; } + ]; # Enables DHCP on each ethernet and wireless interface. In case of scripted networking # (the default) this is the recommended approach. When using systemd-networkd it's diff --git a/machines/hardware/_base.nix b/machines/hardware/_base.nix index d984d8c..ed7ec20 100644 --- a/machines/hardware/_base.nix +++ b/machines/hardware/_base.nix 
@@ -1,27 +1,17 @@ -{ - config, - options, - lib, - ... -}: -with lib; let +{ config, options, lib, ... }: with lib; +let # get a list of interfaces interfaces = attrNames config.networking.interfaces; # check if an IP has been assigned has_ip = interface: (length config.networking.interfaces."${interface}".ipv4.addresses) != 0; in { config = { - skynet.lxc = false; - assertions = [ { assertion = lists.any has_ip interfaces; message = "Must have a ip address set"; } - { - assertion = config.networking.hostName != "nixos"; - message = "Must have networking.hostName set"; - } ]; }; -} + +} \ No newline at end of file diff --git a/machines/kitt.nix b/machines/kitt.nix index 35600c8..5858f9a 100644 --- a/machines/kitt.nix +++ b/machines/kitt.nix @@ -1,65 +1,59 @@ /* -Name: https://en.wikipedia.org/wiki/KITT -Why: Kitt used to have this role before (as well as email and dns) -Type: VM -Hardware: - -From: 2023 -Role: LDAP Server -Notes: + Name: https://en.wikipedia.org/wiki/KITT + Why: Kitt used to have this role before (as well as email and dns) + Type: VM + Hardware: - + 
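Review bot: Removing `skynet.lxc = false;` from `config` leaves nothing that opts the physical hosts out of the Proxmox LXC module, which machines/_base.nix in this diff now imports unconditionally via `(modulesPath + "/virtualisation/proxmox-lxc.nix")`. If that module's `proxmoxLXC.enable` defaults to true (as it appears to upstream — please confirm), agentjones and neuromancer would be configured as containers, which conflicts with the filesystem and bootloader setup in their hardware files; an explicit `proxmoxLXC.enable = mkForce false;` here would keep the physical profile correct. The `networking.hostName != "nixos"` assertion is also removed; it was a cheap guard against a physical host file forgetting to set its name and seems worth keeping next to the remaining IP assertion.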
From: 2023 + Role: LDAP Server + Notes: + */ -{ - config, - pkgs, - lib, - nodes, - ... -}: let + +{ pkgs, lib, nodes, ... }: +let # name of the server, sets teh hostname and record for it - name = "kitt"; - ip_pub = "193.1.99.74"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - }; + name = "kitt"; + ip_pub = "193.1.99.74"; + hostname = "${name}.skynet.ie"; + #hostname = ip_pub; + in { imports = [ ../applications/ldap/server.nix - ../applications/ldap/backend.nix ../applications/discord.nix - ../applications/discord_t-800.nix - ../applications/bitwarden/vaultwarden.nix - ../applications/bitwarden/bitwarden_sync.nix - ../applications/sso.nix ]; deployment = { targetHost = hostname; targetPort = 22; - targetUser = null; + targetUser = "root"; - tags = ["active-core"]; + tags = [ "active-core" ]; }; - services.skynet = { - host = host; - backup.enable = true; + # add this server to dns + skynet_dns.records = [ + {record=name; r_type="A"; value=ip_pub; server=true;} + {record=ip_pub; r_type="PTR"; value=hostname;} + ]; - # ldap setup - ldap.enable = true; - ldap_backend.enable = true; + services.skynet_backup = { + host = { + ip = ip_pub; + name = name; + }; + }; - # private member services - discord_bot.enable = true; + services.skynet_ldap = { + enable = true; + host = { + ip = ip_pub; + name = name; + }; + }; - # for logging on our own discord - discord_bot_t-800.enable = true; - - # committee/admin services - vaultwarden.enable = true; - - sso.enable = true; + services.discord_bot = { + enable = true; }; } diff --git a/machines/marvin.nix b/machines/marvin.nix deleted file mode 100644 index 175d61d..0000000 --- a/machines/marvin.nix +++ /dev/null 
@@ -1,61 +0,0 @@ -/* - -Name: https://en.wikipedia.org/wiki/Marvin_the_Paranoid_Android -Why: Has terrible pain in all the diodes down its left side -Type: VM -Hardware: - -From: 2023 -Role: For trainees. -Notes: -*/ -{ - pkgs, - lib, - nodes, - ... -}: let - name = "marvin"; - ip_pub = "193.1.99.81"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - }; - - groups = [ - "skynet-admins-linux" - "skynet-trainees-linux" - ]; - groups_trusted = map (x: "@${x}") groups; -in { - imports = [ - ]; - - deployment = { - targetHost = hostname; - targetPort = 22; - targetUser = null; - - # not deployed automatically as its a test server - tags = []; - }; - - # allow trainees to deploy - nix.settings.trusted-users = - [ - "root" - ] - ++ groups_trusted; - - # allow trainees access - services.skynet.ldap_client = { - groups = groups; - sudo_groups = groups; - }; - - services.skynet = { - host = host; - backup.enable = true; - }; -} diff --git a/machines/neuromancer.nix b/machines/neuromancer.nix index ed49d06..db3ad3e 100644 --- a/machines/neuromancer.nix +++ b/machines/neuromancer.nix @@ -1,44 +1,58 @@ /* -Name: https://williamgibson.fandom.com/wiki/Neuromancer_(AI) -Why: A sibling to Wintermute, stores and archives memories. -Type: VM -Hardware: - -From: 2023 -Role: Backup Server -Notes: + Name: https://williamgibson.fandom.com/wiki/Neuromancer_(AI) + Why: A sibling to Wintermute, stores and archives memories. + Type: VM + Hardware: - + 
From: 2023 + Role: Backup Server + Notes: + */ -{ - pkgs, - lib, - nodes, - ... -}: let + +{ pkgs, lib, nodes, ... }: +let # name of the server, sets teh hostname and record for it - name = "neuromancer"; - ip_pub = "193.1.99.80"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - interface = "eno1"; - }; + name = "neuromancer"; + ip_pub = "193.1.99.80"; + hostname = "${name}.skynet.ie"; + in { imports = [ + ./hardware/_base.nix ./hardware/RM007.nix ]; + + networking.hostName = name; + # this has to be defined for any physical servers + # vms are defined by teh vm host + networking.interfaces.eno1.ipv4.addresses = [ + { + address = ip_pub; + prefixLength = 26; + } + ]; + deployment = { targetHost = hostname; targetPort = 22; - targetUser = null; + targetUser = "root"; - tags = ["active-core"]; + tags = [ "active-core" ]; }; - services.skynet = { - host = host; - backup.server.enable = true; + skynet_dns.records = [ + {record=name; r_type="A"; value=ip_pub; server=true;} + {record=ip_pub; r_type="PTR"; value=hostname;} + ]; + + services.skynet_backup = { + server.enable = true; + host = { + ip = ip_pub; + name = name; + }; }; -} + +} \ No newline at end of file diff --git a/machines/optimus.nix b/machines/optimus.nix index 40c6e85..10d36c4 100644 --- a/machines/optimus.nix +++ b/machines/optimus.nix @@ -1,47 +1,52 @@ /* -Name: https://en.wikipedia.org/wiki/Optimus_Prime -Why: Created to sell toys so this vm is for games -Type: VM -Hardware: - -From: 2023 -Role: Game host -Notes: + Name: https://en.wikipedia.org/wiki/Optimus_Prime + Why: Created to sell toys so this vm is for games + Type: VM + Hardware: - + 
From: 2023 + Role: Game host + Notes: + */ -{ - pkgs, - lib, - nodes, - arion, - ... -}: let + +{ pkgs, lib, nodes, arion, ... }: +let # name of the server, sets teh hostname and record for it - name = "optimus"; - ip_pub = "193.1.99.90"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - }; + name = "optimus"; + ip_pub = "193.1.99.112"; + hostname = "${name}.skynet.ie"; + in { imports = [ - ../applications/pelican/pelican.nix + ../applications/games.nix ]; deployment = { targetHost = hostname; targetPort = 22; - targetUser = null; + targetUser = "root"; - tags = ["active"]; + tags = [ "active" ]; }; - services.skynet = { - host = host; - backup.enable = true; - pelican = { - panel.enable = true; + skynet_dns.records = [ + {record=name; r_type="A"; value=ip_pub; server=true;} + {record=ip_pub; r_type="PTR"; value=hostname;} + ]; + + services.skynet_backup = { + host = { + ip = ip_pub; + name = name; }; }; -} + + services.skynet_games = { + enable = true; + host = { + ip = ip_pub; + name = name; + }; + }; +} \ No newline at end of file diff --git a/machines/retired/ash.nix b/machines/retired/ash.nix index a350975..5c0b2cb 100644 --- a/machines/retired/ash.nix +++ b/machines/retired/ash.nix @@ -1,33 +1,35 @@ /* -Name: https://en.wikipedia.org/wiki/Ash_(Alien) -Why: Infilitrate into the network -Type: VM -Hardware: - -From: 2023 -Role: Wireguard (VPN) Server -Notes: Thius vpn is for admin use only, to give access to all the servers via ssh + Name: https://en.wikipedia.org/wiki/Ash_(Alien) + Why: Infilitrate into the network + Type: VM + Hardware: - + 
From: 2023 + Role: Wireguard (VPN) Server + Notes: Thius vpn is for admin use only, to give access to all the servers via ssh + */ -{ - pkgs, - lib, - nodes, - ... -}: let + +{ pkgs, lib, nodes, ... }: +let # name of the server, sets teh hostname and record for it - name = "ash"; - ip_pub = "193.1.99.75"; - ip_priv = "172.20.20.5"; + name = "ash"; + ip_pub = "193.1.99.75"; + ip_priv = "172.20.20.5"; # hostname = "${name}.skynet.ie"; - hostname = ip_pub; + hostname = ip_pub; + in { imports = [ + # applications for this particular server + ../applications/firewall.nix + ../applications/dns.nix ]; deployment = { targetHost = hostname; targetPort = 22; - targetUser = null; + targetUser = "root"; }; # these two are to be able to add the rules for firewall and dns @@ -36,7 +38,7 @@ in { "ip daddr ${ip_pub} udp dport 51820 counter packets 0 bytes 0 accept" ]; - services.skynet.dns.records = { + skynet_dns.records = { external = [ "${name} A ${ip_pub}" ]; @@ -46,6 +48,7 @@ in { ]; }; + age.secrets.wireguard.file = ../secrets/wireguard.age; networking = { @@ -71,12 +74,12 @@ in { privateKeyFile = "/run/agenix/wireguard"; peers = [ - { - # silver - Brendan + { # silver - Brendan publicKey = "46jMR/DzJ4rQCR8MBqLMwcyr2tsSII/xeCjihb6EQgQ="; - allowedIPs = ["172.20.21.2/32"]; + allowedIPs = [ "172.20.21.2/32" ]; } ]; + }; }; @@ -84,4 +87,5 @@ in { # needed to generate keys pkgs.wireguard-tools ]; + } diff --git a/machines/skynet.nix b/machines/skynet.nix index 546596e..2bb7c0a 100644 --- a/machines/skynet.nix +++ b/machines/skynet.nix @@ -1,48 +1,110 @@ /* -Name: https://en.wikipedia.org/wiki/Skynet_(Terminator) -Why: Skynet is eternal -Type: VM -Hardware: - -From: 2023 -Role: Webserver and member linux box -Notes: Does not host offical sites + Name: https://en.wikipedia.org/wiki/Skynet_(Terminator) + Why: Skynet is eternal + Type: VM + Hardware: - + 
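Review bot: `age.secrets.wireguard.file = ../secrets/wireguard.age;` is added to a file under machines/retired/, and the same file still carries a live `deployment` block (now with `targetUser = "root"`) and a firewall accept rule for udp 51820, so it is unclear whether this host is still deployable or kept for reference only; the `deployment` block having no `tags` is consistent with the latter. A one-line entry in the `/* ... */` header, e.g. `Status: retired, not in any colmena tag`, would settle that, and if the host is really gone the wireguard key referenced here is a candidate for removal from the secrets set rather than a new reference. The networking and firewall blocks of this file continue outside the visible hunks.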
From: 2023 + Role: Webserver and member linux box + Notes: + */ -{ - pkgs, - lib, - nodes, - inputs, - ... -}: let - name = "skynet"; + +{ pkgs, lib, nodes, inputs, ... }: +let + # name of the server, sets teh hostname and record for it + name = "skynet"; # DMZ that ITD provided - ip_pub = "193.1.96.165"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - interface = "eth1"; - cidr = 28; - }; + ip_pub = "193.1.96.165"; + ip_priv = "193.1.99.79"; + hostname = "${name}.skynet.ie"; + hostname_int = "${name}.int.skynet.ie"; + in { imports = [ - ../applications/skynet_users.nix + ../applications/skynet.ie.nix ]; deployment = { - targetHost = hostname; + targetHost = ip_priv; targetPort = 22; - targetUser = null; + targetUser = "root"; - # this one is manually deployed - tags = ["active-ext"]; + tags = [ "active-core" ]; + }; + + # it has two network devices so two + skynet_dns.records = [ + #{record=name; r_type="A"; value=ip_pub; server=true;} + {record=name; r_type="A"; value=ip_priv; server=true; } + {record="ext"; r_type="A"; value=ip_pub; server=false;} + + {record="${name}.int"; r_type="A"; value=ip_priv; server=true;} + {record=ip_priv; r_type="PTR"; value=hostname_int;} + ]; + + services.skynet_backup = { + host = { + ip = ip_priv; + name = name; + }; + }; + + # allow more than admins access + services.skynet_ldap_client = { + groups = [ + "skynet-admins-linux" + "skynet-users-linux" + ]; + }; + + proxmoxLXC.manageNetwork = true; + networking.hostName = name; + networking.interfaces = { + eth0.ipv4.addresses = [ + { + address = ip_priv; + prefixLength = 26; + } + ]; + eth1.ipv4.addresses = [ + { + address = ip_pub; + prefixLength = 28; + } + ]; }; services.skynet = { - host = host; - backup.enable = true; - website_users.enable = true; + host = { + ip = ip_priv; + name = name; + }; }; + + # from https://discourse.nixos.org/t/second-default-gateway/22220/5 and 
https://www.thomas-krenn.com/en/wiki/Two_Default_Gateways_on_One_System + networking = { + iproute2 = { + enable = true; + rttablesExtraConfig = + ''1 rt2''; + }; + }; + + systemd.services.secondGateway = { + description = "External route."; + path = [pkgs.bash pkgs.iproute]; + script = '' + ip route add 193.1.96.160/28 dev eth1 src 193.1.96.165 table rt2 + ip route add default via 193.1.96.161 dev eth1 table rt2 + ip rule add from 193.1.96.165/28 table rt2 + ip rule add to 193.1.96.165/28 table rt2 + ''; + serviceConfig = { + Type= "oneshot"; + User = "root"; + Restart = "no"; + }; + }; + } diff --git a/machines/vendetta.nix b/machines/vendetta.nix index 3244ba6..0f87579 100644 --- a/machines/vendetta.nix +++ b/machines/vendetta.nix @@ -1,53 +1,70 @@ /* -Name: https://masseffect.fandom.com/wiki/Vendetta -Why: Vendetta held troves of important data waiting for folks to request it. -Type: Physical -Hardware: PowerEdge r210 -From: 2011 (?) -Role: DNS Server -Notes: Using the server that used to be called Earth + Name: https://masseffect.fandom.com/wiki/Vendetta + Why: Vendetta held troves of important data waiting for folks to request it. + Type: Physical + Hardware: PowerEdge r210 + 
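Review bot: `systemd.services.secondGateway` on the new side has neither `wantedBy` nor `after`, so unless another unit pulls it in, the route and rule commands in `script` never run at boot and the external default gateway is not installed. The script also repeats `193.1.96.165` as a literal although `ip_pub` is bound in the `let`, and `ip route add` / `ip rule add` are not idempotent, so a second start of the unit fails once the entries exist (NixOS `script` runs with errexit, so the first failing line aborts the rest). Suggested shape below; `ip route replace` makes the route lines rerunnable, the `ip rule` lines would still need a guard if the unit may be restarted. The enclosing attribute set is closed on this hunk's last line.

```nix
  systemd.services.secondGateway = {
    # … unchanged: description, path …
    # nothing else pulls this unit in, so it must be wanted by a target
    wantedBy = [ "multi-user.target" ];
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    script = ''
      ip route replace 193.1.96.160/28 dev eth1 src ${ip_pub} table rt2
      ip route replace default via 193.1.96.161 dev eth1 table rt2
      ip rule add from ${ip_pub}/28 table rt2
      ip rule add to ${ip_pub}/28 table rt2
    '';
    # … unchanged: serviceConfig …
  };
```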
From: 2011 (?) + Role: DNS Server + Notes: Using the server that used to be called Earth + */ -{ - pkgs, - lib, - nodes, - ... -}: let + +{ pkgs, lib, nodes, ... }: +let # name of the server, sets teh hostname and record for it - name = "vendetta"; - ip_pub = "193.1.99.120"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - # only required for physical servers - interface = "eno1"; - }; + name = "vendetta"; + ip_pub = "193.1.99.120"; + hostname = "${name}.skynet.ie"; in { imports = [ + ./hardware/_base.nix ./hardware/RM002.nix ]; deployment = { targetHost = ip_pub; targetPort = 22; - targetUser = null; + targetUser = "root"; - tags = ["active-dns" "dns"]; + tags = [ "active-dns" "dns" ]; }; - services.skynet = { - host = host; - backup.enable = true; - dns = { - server = { - enable = true; - # primary dns server (ns1) - primary = true; - ip = ip_pub; + networking = { + # needs to have an address statically assigned + interfaces = { + eno1 = { + ipv4.addresses = [ + { + address = "193.1.99.120"; + prefixLength = 26; + } + ]; }; }; }; + + services.skynet_backup = { + host = { + ip = ip_pub; + name = name; + }; + }; + + skynet_dns = { + server = { + enable = true; + # primary dns server (ns1) + primary = true; + ip = ip_pub; + }; + + records = [ + # vendetta IN A 193.1.99.120 + {record=name; r_type="A"; value=ip_pub; server=true;} + # 120 IN PTR vendetta.skynet.ie. + {record=ip_pub; r_type="PTR"; value=hostname;} + ]; + }; + } diff --git a/machines/vigil.nix b/machines/vigil.nix index 421ebaa..8a73e42 100644 --- a/machines/vigil.nix +++ b/machines/vigil.nix @@ -1,49 +1,55 @@ /* -Name: https://masseffect.fandom.com/wiki/Vigil -Why: Counterpart to Vendetta -Type: VM -Hardware: - -From: 2023 -Role: DNS Server -Notes: + Name: https://masseffect.fandom.com/wiki/Vigil + Why: Counterpart to Vendetta + Type: VM + Hardware: - + 
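Review bot: `address = "193.1.99.120";` in the new `networking.interfaces.eno1` block repeats the value already bound as `ip_pub` in the `let`, while neuromancer.nix in this same commit writes `address = ip_pub;`; the two copies can drift apart if the host is renumbered. Use the binding: `address = ip_pub;`. The added blank line before the closing `}` is formatting only.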
From: 2023 + Role: DNS Server + Notes: + */ -{ - pkgs, - lib, - nodes, - ... -}: let - name = "vigil"; - ip_pub = "193.1.99.109"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - }; + +{ pkgs, lib, nodes, ... }: +let + name = "vigil"; + ip_pub = "193.1.99.109"; + hostname = "${name}.skynet.ie"; in { imports = [ + ]; deployment = { targetHost = ip_pub; targetPort = 22; - targetUser = null; + targetUser = "root"; - tags = ["active-dns" "dns"]; + tags = [ "active-dns" "dns" ]; }; - services.skynet = { - host = host; - backup.enable = true; - dns = { - server = { - enable = true; - # secondary dns server (ns2) - primary = false; - ip = ip_pub; - }; + services.skynet_backup = { + host = { + ip = ip_pub; + name = name; }; }; + + skynet_dns = { + server = { + enable = true; + # secondary dns server (ns2) + primary = false; + ip = ip_pub; + }; + + # this server will have to have dns records + records = [ + # vigil IN A 193.1.99.109 + {record=name; r_type="A"; value=ip_pub; server=true;} + # 109 IN PTR vigil.skynet.ie. + {record=ip_pub; r_type="PTR"; value=hostname;} + ]; + }; + } diff --git a/machines/wheatly.nix b/machines/wheatly.nix index cb9cdb6..69f556c 100644 --- a/machines/wheatly.nix +++ b/machines/wheatly.nix @@ -1,47 +1,51 @@ /* -Name: https://theportalwiki.com/wiki/Wheatley -Why: Whereever GLaDOS is Wheatly is not too far away -Type: VM -Hardware: - -From: 2023 -Role: Gitlab Runner -Notes: + Name: https://theportalwiki.com/wiki/Wheatley + Why: Whereever GLaDOS is Wheatly is not too far away + Type: VM + Hardware: - + 
From: 2023 + Role: Gitlab Runner + Notes: + */ -{ - pkgs, - lib, - nodes, - ... -}: let + +{ pkgs, lib, nodes, ... }: +let # name of the server, sets teh hostname and record for it - name = "wheatly"; - ip_pub = "193.1.99.78"; - hostname = "${name}.skynet.ie"; - host = { - ip = ip_pub; - name = name; - hostname = hostname; - }; + name = "wheatly"; + ip_pub = "193.1.99.78"; + hostname = "${name}.skynet.ie"; + in { imports = [ - ../applications/git/forgejo_runner.nix + ../applications/gitlab_runner.nix ]; deployment = { targetHost = hostname; targetPort = 22; - targetUser = null; + targetUser = "root"; - tags = ["active-git"]; + tags = [ "active-gitlab" ]; }; - services.skynet = { - host = host; - backup.enable = true; - forgejo_runner = { - enable = true; - secret = ../secrets/forgejo/runners/token1.age; + + skynet_dns.records = [ + {record=name; r_type="A"; value=ip_pub; server=true;} + {record=ip_pub; r_type="PTR"; value=hostname;} + ]; + + services.skynet_backup = { + host = { + ip = ip_pub; + name = name; }; }; -} + + services.skynet_gitlab_runner = { + enable = true; + runner.name = "runner01"; + }; + +} \ No newline at end of file diff --git a/secrets/backup/restic.age b/secrets/backup/restic.age index 00a5b35..944ad4b 100644 Binary files a/secrets/backup/restic.age and b/secrets/backup/restic.age differ diff --git a/secrets/backup/restic_pw.age b/secrets/backup/restic_pw.age index 356b719..3ee1a8e 100644 --- a/secrets/backup/restic_pw.age +++ b/secrets/backup/restic_pw.age 
@@ -1,21 +1,13 @@ age-encryption.org/v1 --> ssh-ed25519 V1pwNA kWC0Tr0nlHEelEzS9xAzZ5UwI1vTgeaBS+zQJCxHe1A -dcVKgK28SA4abje/xfC2bqlDzrkThJh0hpsyCtfGPDM --> ssh-ed25519 4PzZog H/hrMeDv4EmuSvR79vX7spZyF6t506ZKVHWHl4HN1wQ -E4+skv4K1fTqG1cIbRqRr89Ti6D78wxEzap3Sl0UZU8 --> ssh-ed25519 dA0vRg SgmoRqftGwIG34Py02bfdEv2HlI6fPBiKmcBmz2VaiI -DKzlODXbQf9xzUzJHlwtIZbGw3qG2ApfssEF1/nZe+Q --> ssh-ed25519 5Nd93w Q8fxVcYwxbeXJzpKCOWH4/D3t8bWSUm9E4spASzIKnQ -80fe2FiI+5OTojxu32OfFJwS3l/cMPr+5tErOr5wmcM --> ssh-ed25519 q8eJgg zgw/JH1HOdTE38Cr/61gcGo6OruuFUCAUJ4wmNHSXWs -l7ta9JGOwCZCjnfui2Zo3PVF+Ge/UoPL0xm5lZ0GGF8 --> ssh-ed25519 KVr8rw CcJymhaWM76X91C0ECPlZqaN2IARwxo1WMZRmlevnzA -syAw8YySWxtDonZ5txKVNynCdziInCzy4u5kv6mH8PU --> ssh-ed25519 fia1eQ 0ocrOjhQ+CEJK8Li3rDegYkMXkBpjAAStjgvVHGQx3Q -YORVM3sEbE6PLVuwfMkxe9gYqTVVT7DGoG+kQcxaPiQ --> ssh-ed25519 Km71ZA 9W2stpyr/9osFppfqBDjeDzZ6ltU+spmBoeWJ+I8sys -C6DGgwvbwW0r1E3L6o7LUOnPo/n8Sl8tGzm3NlsXGcw --> ssh-ed25519 3pl/Kw pm1noozCEdPbd4f8rkSD/gicvfWTEN1kvYp7TLb68Uo -VH2XUbhIf4nYTmp6rkGt99RcI2xxa7F9QXmDp88r1CY ---- lNlQ5pwix455easITfJ8dztlPYg8Pi77sbAsOQF19dI -#@3|K%kxL,5x/QTbz j.7-]2b_>NJam^ C]Vvh|D̀" \ No newline at end of file +-> ssh-ed25519 V1pwNA 5icNZy9IB42T2Xnph6z0VGznaxiB0MHtC4yBUEOM534 +avacsmljAR4DA0pdHq42o2YunyLweTjaX91QiuO7/0U +-> ssh-ed25519 rIwlvw r7IUmFs46NLNgITxj2hNMv2neldFI/OXlzpQOOZ/XD0 +MkBLRr4uXWXW/xTo0EtkX2y5nbSwEfc6ChkaiIu8VoM +-> ssh-ed25519 q8eJgg jetnUDWCkX8P4fcvb3hA12TJolDKO2ZqcdmxUmx5myA +Ru2q2Y8+iIe7imaXeb9MTZyOoCv4P45SNgxGGxQlVRI +-> ssh-ed25519 mKj+iw wwsRXk+Wn3u+y+b/b3Fg6hSmJiV38tmYgRJqsStMnU0 +avS7XgN/GYVi+2pjNTG+CZOLcKo+cPpCEPCVZV3DHF4 +-> '$-grease y' +VGZ3E4+qHDVztqvY45Bo65M +--- u6b8TLW9fI2nKMvP1HCIRk8vIHWLrY3U1K8wse/s72s +vTK&|l4.~o C&0̤9Iƈwڐ^ sH=3|E-CoC8Mp 6kLoM \ No newline at end of file diff --git a/secrets/base/root_pass.age b/secrets/base/root_pass.age deleted file mode 100644 index 9269768..0000000 Binary files a/secrets/base/root_pass.age and /dev/null differ 
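Review bot: The recipient list of this age file shrinks from nine `ssh-ed25519` stanzas to four, dropping 4PzZog, dA0vRg, 5Nd93w, KVr8rw, fia1eQ, Km71ZA and 3pl/Kw, but the keys that were removed could decrypt the previous ciphertext and that ciphertext stays in git history. Re-encrypting to fewer recipients therefore only protects a new secret; if the restic password itself was not rotated in the same step, the removed keys still hold it. The same applies to token.age, db_pw.age, ldap_pw.age and secrets_otp.age further down, which are re-keyed with the same recipient change. The `-grease` stanzas on the new side are age's normal padding, not a malformed line.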
diff --git a/secrets/bitwarden/details.age b/secrets/bitwarden/details.age deleted file mode 100644 index 173c7e3..0000000 Binary files a/secrets/bitwarden/details.age and /dev/null differ diff --git a/secrets/bitwarden/id.age b/secrets/bitwarden/id.age deleted file mode 100644 index a2c3bc7..0000000 --- a/secrets/bitwarden/id.age +++ /dev/null @@ -1,21 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 V1pwNA 79HhvqifubFk4bhlUPgKbgSplC41o8/uZV27eaeM0SA -mSJ2rkmOlgXyQAXj6pbFoajxCwPzKDBUWRPXqvHrW+8 --> ssh-ed25519 4PzZog w+6c3JxUfEkgvDz7pq+451XSGC64TCNWau9zOGajpjQ -mEdXqG+GpaYVj6ICYPkCyA9ZRNmMtNsxWNeOpYOhkF0 --> ssh-ed25519 dA0vRg Iy3bkGWSkMvk3wH05ETCFqZzUIc835XyJGHXlfmG2VI -ShexjmkSwsEgHR3uj+sftcB49zbp2z40Mi7NN7VYcII --> ssh-ed25519 5Nd93w TM6CtcmxkTqQTP5UVD/1HPijQhMQsYdPrknDREwxtFw -+ld4GvbKQSKAUwMYzDSxtZqiN3OdnWlszYVzOrMbU0Q --> ssh-ed25519 q8eJgg UgE7W6Lf/jdlSs2TpZNX2wRTY3iwQ1MzZE7zAN5Abz0 -oYf9iiAeoVg4RLYWEvw5xyGevxYQiiqELw/NLiBCZWI --> ssh-ed25519 KVr8rw ZtAdKYXNsNCo7MzfBlQrax/sWItsFQtEo/tESJaviXs -Njql6s/+QtIbBmsbMYllDxodpIaBnRaMoojap4jUVwQ --> ssh-ed25519 fia1eQ nIgFm64i5MPK/GvKl35nnXOO4hoD6+mFzJsFeB/6ICw -bJoDOMX3ek/5lVLeI1v99C24l4EwFcXIFAAlTMJb+Co --> ssh-ed25519 Km71ZA sTHVMQlRs5/xewuUa6yFjuqCEqmWlekSwab0z4OWJRc -ExJw8np5XfBSSLo4cwwYoDoi/GxSGKkTn5rcKdMmI34 --> ssh-ed25519 IzAMqA N6d6EYxr2LUzuHrH83h06JE5MGPcqdAMixJH3GZed0Q -+dE0EBX7jPvMv2qMI3mIuiM9TrhFYQwwC/+Ta+DiCNY ---- g8A4+bzRE56xnD8tVagvXopX6VlcS5iJcOcKTxC0ZGk -K!'_*VEJɇ?{&\AurAXwgzƠXÚzؤeN0&ɵ$$&Ɉ: \ No newline at end of file diff --git a/secrets/bitwarden/secret.age b/secrets/bitwarden/secret.age deleted file mode 100644 index 2b24b47..0000000 --- a/secrets/bitwarden/secret.age +++ /dev/null 
@@ -1,21 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 V1pwNA UWCmhr1Mj4BVH+0MJ2zBCRQMVYFK+eEp2AhdYTWSRiw -EL7DlSXyemeZtJw+1SO+vSf2NGg/sPEz5r+p3OntrFo --> ssh-ed25519 4PzZog HIqzyRkhsIgOgxBNZK1HBTBUIpHPDZEhIfo9zmXEqzU -2m9H93js26tJJHwM4ce+8DH7oLf3zEBeQ3sT3zHpOP0 --> ssh-ed25519 dA0vRg 1W13Q5mX61EH31BM/FEk7l92Lo/5WuoMLo39wmwVjW4 -raNdTsgJcKlwqmBE+zVEjfL6VPyzHhcMpNrcl6Y6DmY --> ssh-ed25519 5Nd93w 2gYsG5vFoosuvJo+O+eQscfyoLqYBxOReiT5kdV+bBE -82ghrnctaXECGxn77VT6YfGPuDKwfh+dJ/+3/SBTA8Y --> ssh-ed25519 q8eJgg vzSwKw4EzJksqujeJqfg+1YNM3sgp5Zw7Qld+XNS21Y -65wJiSlqdjZm3Ps2Dg4DB0LzPLgwcYQvJgRvRkeblBw --> ssh-ed25519 KVr8rw f2MjAAqmuw4UcgvjkRku9XX+SYqY6oAfgS1ayVDVa3Y -m1nl/CW9GYaCyShT28JZdECirBJdfBoiK3V2tRBrj5o --> ssh-ed25519 fia1eQ Zkvg9fYBubmg81c7NqEp9fRbSLm2WKVDil+DwnfuPlw -NN+1CMVxAstqBT7qqAhL9whaEvyWgsNXgBOSWmjTqtA --> ssh-ed25519 Km71ZA kfU2W/uwQORahVWcg1qYQ5Q2QhZnAkbzjv9As4fJfis -w+rVDQ0oyLGqTT8yVr7mCOV+55dItAcALIa4ABw5bDI --> ssh-ed25519 IzAMqA Ir8ygCowpY6f4egB9xqplPzP4mJFL1sh+JaQVZrtZEk -y679U8nCE9L8seAvVypssgj2p7aZlIW2Q2TgQqHhpoU ---- Dh0JCQdTvVZYtwnzgqEl+WHxOTXmOzr4/TaHz45r+fc -T.0zY'oa.e-%5?(|us;*/˩wУ0Vp \ No newline at end of file diff --git a/secrets/discord/ldap.age b/secrets/discord/ldap.age index fff7875..df1fa6e 100644 Binary files a/secrets/discord/ldap.age and b/secrets/discord/ldap.age differ diff --git a/secrets/discord/t-800.age b/secrets/discord/t-800.age deleted file mode 100644 index f9e4878..0000000 Binary files a/secrets/discord/t-800.age and /dev/null differ diff --git a/secrets/discord/token.age b/secrets/discord/token.age index 71485f4..767cc12 100644 --- a/secrets/discord/token.age +++ b/secrets/discord/token.age 
@@ -1,21 +1,14 @@ age-encryption.org/v1 --> ssh-ed25519 V1pwNA ZmQJhSsBijnPyy9g8sevoYI18vapGSd7vJEk5i6oQFg -3PiR70vhl9bNEasbKS95eAslG6FXTzf5zv3bvup7lGk --> ssh-ed25519 4PzZog owlHOHv+kwFw5d39zBs5sIUgNCuvzfLd4dlSYmEbxH4 -AgRbOyxjZQJqOF48buY5HGLl40Od/EcoLgRWy0wWUmk --> ssh-ed25519 dA0vRg BFa20JXsy8A5oSp4uVPx4A1et+R16QEUVO2pu+88BzA -+MyPvk3j3fSWZCQugjqViMX0NC/6UTytC9u0sEZlGv8 --> ssh-ed25519 5Nd93w QKJg+FXCJocbH8KYqYv55Jdd594jlrmkUfiEDS7KnQ0 -9ztGS6I4oQxIXTCWIMzeuKDq1WFdsiPzU+SXfDCWNFw --> ssh-ed25519 q8eJgg eR+Qq87fdU7bBN5+z30+v8xCMW6HZWfUn7XPSq93jjU -uw8cFeKOnL65VmVwH380onmHmGXQ7g8VNNBBFYq5Z0I --> ssh-ed25519 KVr8rw 6e1x7tMiDSQSiHMOqce6XtarIUxB8IJH4BOP0Gre5Ds -eDmu2kLyeCu99FFGVOUsNhc6wfTGpdYRM2eAd6wChgE --> ssh-ed25519 fia1eQ ObshdBHUyxu2nOUjiCwZzdHgQ+ZPUxQpntn9vTDDt2o -RofPfltKZbwl47iNazej45Y6BdMy2OcHxMgx/SW79zg --> ssh-ed25519 Km71ZA iGUcuJS2p6W6HEAdMxtyTcBzjK2Cn36IV69Vyix1aVA -9t1c7CALGHKIl32bU/Kcnnia3IBX1UUxNNRKCqHOnQw --> ssh-ed25519 IzAMqA tL7x2ArzpKQfJUazHt7/dyXo3m7i/0j5cirw1ZKfNTQ -IPWqmXZvEQBh0EfUZGfA2pKaCjrZH1ZRGfXW9udEJu0 ---- S2eIVWpdL+G2AzQbu82N23DP9Mey4DV6Zu9DuBdEZ60 -QWeu3|Jd}1\ړԓF)$x.t4]دT-^^"I^ddI@ޯ@]63< f%S8vLP u],4L;gVĄ⩦Hʋ"ut%O2Uz{L Y| \ No newline at end of file +-> ssh-ed25519 V1pwNA wF/IvDrcLFTxYAauDal7+Gz1V++n67HYmojv+NS2wwY +2JlEICPHzgXGSLT7t36htE46YZ0fJsdjrT6NnCFVLLc +-> ssh-ed25519 rIwlvw tk13mY+KwEys50YTX9bbEv4324BXpWh+3G1y6MrQrRY +sOc+kY1qqtT99TbbxPFuMIpcn72may5fERhCWgV7RDU +-> ssh-ed25519 q8eJgg YJpV/03pvcZdQjQBecnP4LZUG+2Qiz1/3COTmNBNOXw +7qRtCRYSaXzcx5xZ/I9xAdsKz9QRaObpFQdRkLDi9lQ +-> ssh-ed25519 IzAMqA 5odTY81LRr8ZMmFbAB8K5xgaWBr/50xdDNPJ/n1URG8 +pYpYgKxnWQ4xXgudtS43yp+X/wf0pLiMgASsrT6QCRE +-> P`-grease >u}h_O$ +aRLumKxsQDFmx3TQTp4UVJU4RdB3DdiikrHSKX44AVH3gk41CZXFPc7EiCcafONw +2yXUhseX6EdlUz+JfNuU5fTOfck +--- BlNT3gxZ877Ln8DVUtidwmekRUIKOjaU4lbJYd/NGFQ +Y O zD& ^\ nbqG6MdU)q|栀[<_y 5|<XU \K_tM0@C'[ɈYNJn \ No newline at end of file 
diff --git a/secrets/dns_certs.secret.age b/secrets/dns_certs.secret.age index 507273e..87966ac 100644 Binary files a/secrets/dns_certs.secret.age and b/secrets/dns_certs.secret.age differ diff --git a/secrets/dns_dnskeys.conf.age b/secrets/dns_dnskeys.conf.age index dc88913..2c44b75 100644 Binary files a/secrets/dns_dnskeys.conf.age and b/secrets/dns_dnskeys.conf.age differ diff --git a/secrets/email/details.age b/secrets/email/details.age deleted file mode 100644 index e38bd00..0000000 --- a/secrets/email/details.age +++ /dev/null 
@@ -1,29 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 V1pwNA sW9NG3ZnVZ7XN4iMceA+WNwEmGp5mB8fYRML4JMxTx4 -Ugwsmg4yXfq9YH99RoV2MymOyhHn+WEFbhSq3jOS+Jk --> ssh-ed25519 4PzZog ncbPVDYkLeBV89U+YKVSGRyNDIdLDuN/YV9AiGcYfkY -rifseFii9IZI6t2cDfhi1GXQQRngI8IM+3H8znbMA/0 --> ssh-ed25519 dA0vRg ZU44BDl8VU2ri+qNYEEj8GF4x4gGUQPnr6YlFA5itGk -zV29wfmrtyxEU1JFEm5P7pfkWwzmNpXflfLRsyZ3vCA --> ssh-ed25519 5Nd93w BCqKxqNscTU2iEm4h/78KCzMjRWtHlO3rwZZjq2lJFQ -Y9yLQ33RvcO1g3a1q3w47Y0kgg1NZpdlYk34LrZ69mw --> ssh-ed25519 q8eJgg lWbDTedbgvxvGpMPDWdrghAKO3duh85kaOR+7xsPd3E -MzwcVM+gzJ/IApGVZNNM+RuYp7EKZyxCDjRkipL3aYU --> ssh-ed25519 KVr8rw 8vJTA9ABfwuZyFwhFZD4n187b6gmq7zCLALqp56mFyw -iQ4MtJ1YtYycFi8qCs4N0/nIXccaw2swi9yIvOLmVmA --> ssh-ed25519 fia1eQ hZzB90WDGom3oaOlWlcBg8iAMAfbZGyosgFIa8AiTWI -HekDEc26Y121KRtKLavDD1xKcaClVgn2tGPrgQYWQBo --> ssh-ed25519 Km71ZA uunwnxdg7A6ZGTbV51r5XL/2hJN/VFIUas0TVxid0Xc -zGx6iHfu+rZ9WbtIITtzDk0nzkFCeIRQpdRVoj7dj0E --> ssh-ed25519 IzAMqA 17lTeNgkOhX6iOPix/YeKZyztDHYLu6OIjZOctANpmQ -fu8VIba1ZNy3QvnVk3bPmCA1n6/dcB02epAs0GLb6zE --> ssh-ed25519 uZzB3g I0QOJAnUor5hnoKDlFeSuW82o94zcWcs6VvKTq37lVo -S6o+cem4L12E8V/DzbvL75azwrhLgZJXkxWXuCd4+Z4 --> ssh-ed25519 Hb0ipQ cEsppH2jMi71R0513L/vq7MaFYYWiRrWZKricdhW/H8 -IvRQejJ2AOQAeWUumh4an0LUSBJYMMnOIr9PU8FjYiA --> ssh-ed25519 IzAMqA cL7V3gfdSkpHtkcDhaH0ATTWUzBir09Xhe91wlaGJ14 -GU8IQvHlwyBBONJKufQRwEr7nZy6y36XszV+E97VA94 ---- Nq7IuDZY4GM8UBq0wdEnn/kZEJRdUlmqR75SlX75Q7w -oTjo(RZlmђ&f7;a8B|ӔB/l -g#L"/* ,a.f.Q -ՓoEMV=2q;IawkF\" Q7$.`MRX۰ \ No newline at end of file diff --git a/secrets/forgejo/runners/ssh.age b/secrets/forgejo/runners/ssh.age deleted file mode 100644 index ec1e6ff..0000000 Binary files a/secrets/forgejo/runners/ssh.age and /dev/null differ diff --git a/secrets/forgejo/runners/token1.age b/secrets/forgejo/runners/token1.age deleted file mode 100644 index 723b2c9..0000000 --- a/secrets/forgejo/runners/token1.age +++ /dev/null 
@@ -1,23 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 V1pwNA ZZzPHXiieqnKeatxqOpOyJJdPCSrpU151rNY3PgewCc -usq82uQE6qxnwb5EYHlfXSl1A+oqV/DZcKlHmheNrLs --> ssh-ed25519 4PzZog GPaAefwdrHHdkDJT4OHYFdmjUbXEQz3lLkGfu2M/c30 -hoWO80LE9PEMkqlQLD4WXIDc9rgX0uMbNzHkiXcVWRM --> ssh-ed25519 dA0vRg 1WCuZ91cuKBZi7gFFVArvvAvMh6aU0AufX2vDHiXvTI -yUUbM5kXyyiNlvV7UWXNNhBe3JZ+ZxdoXf1FRwQiHt4 --> ssh-ed25519 5Nd93w 8HkcjdSrVbg3TQFn/ldlqYEU3aPHFBIcXnzovwMv2Vc -+2kX+X1uYoUnyUyLYLLWeRw99OC3St30ky6Xsf7ls+Y --> ssh-ed25519 q8eJgg moUF6G0Qsz6+vJTMFoKIusiCfapHvaRBdOoB9r2uP00 -limKEFL+4G28+jc5pOiNt1OkpQRzSXKq+3If8/Dfe+E --> ssh-ed25519 KVr8rw /G4TpEFysiCx/eF25IA9gjmX4w1yGM6m2Lx1mTmf0mU -nXIuYPbV3S+0+3Ce45iPeAzZlIr1i0RnGWSLg3KBH5I --> ssh-ed25519 fia1eQ tXV4gH4gIjFYWNxLV0AQVOvahTtvFWK5W6tNZTjA9ig -pxpIIZ4+/ItpG6nolOS7lxGwSkhwq1XvdxePxWsJYCE --> ssh-ed25519 Km71ZA QRM3tBeZJGVMwZ51ZBlxGIzwGOyMB9ppGNq4pUyRsHo -+0QO4JlKaOUH5MY+w02Rq0DDNk76eSD2EVIAvQeiZ9Y --> ssh-ed25519 CqOTGQ Ystm+4YnAlTTYPiHBXVa8lM/MGEfZ3OcmxiT8QcdKSY -F2b5grk6m2sVnhhWF68WxUemgtZHYSIJZ9e7eBKtIjA --> ssh-ed25519 uZzB3g PepFlWAg+221m5eOVoNl1TIRVrS6lpkrQ9Dgce+Grwc -6/8sTiO+P/HgNbB8YyRVylAPPp3lwF4D6FbWWaPSxtE ---- 0PQ3rJZdbEfye9mLMrQJ0jGvJSiZ+9dh9Bv6bpGEBNs -^;Yh=p3>F:2b6+CE63TE.[,['3P 6_| *AQ*jc \ No newline at end of file diff --git a/secrets/forgejo/runners/token2.age b/secrets/forgejo/runners/token2.age deleted file mode 100644 index 5360a17..0000000 --- a/secrets/forgejo/runners/token2.age +++ /dev/null 
@@ -1,23 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 V1pwNA Lw89KnIDDurZQ0UaqDS1utTrKCGXR+Uxs3od/5n09io -1JECYcXRBNWwzoagvEKeoWoW2d8da15eWPfTD8nKqX0 --> ssh-ed25519 4PzZog LB5CnkEPX2RH8vWdD15KMs/qgNbw3e7G8qCV1CMf8kE -pO77W91WR/8MRPLIuJrLk5ib9CPp7xHuUmTS8fmQ3KM --> ssh-ed25519 dA0vRg QhtuGTY1MEpEjRahnU3WtON6Xda7y3HvGXpB3HcDfBk -6sCAQhU4K2nQ5pMbGYY75TKUXxZ4BKHCb6sOHMAuNEA --> ssh-ed25519 5Nd93w 2QcbhnmxOkTrRUMrHR4X3spMUnsLXN9DDnh49qFAYx0 -SD47vo7tOPWmvXR2wTj+BSsxJUqnlXOu8HlTEOExeC4 --> ssh-ed25519 q8eJgg 9TqmbSDG4KOl14FNZmZKFZ5Q/60K657phquz+qpIgyU -odOvsccHqgXoC7WgKcFjJDm5it9ZGm5ifjU2pt5hQZ4 --> ssh-ed25519 KVr8rw w0fZq3VUrN8wi4UrhMUfrviUiaWl4Ol+tbTXN/urISs -TY+dO2Z6TmN9DBPuo1vyxgeXbDcqZlRoP+Q1IN6O/ks --> ssh-ed25519 fia1eQ 5Aqk1jkUQkomeBioV7LAPMzurJ1dHdYHbzLHXH7mrRQ -j+7aPUOeJAI10FL4DjXKlYEkC25gM7TNy/X5vFk68+8 --> ssh-ed25519 Km71ZA S9le6/bZxnkPVuCLqiYc8VMk8LXlk0BVJUtJYc/CmB4 -DTjvS3wBo+RHy0klprrgKS1wYAMAkfzPkpw/ip7KwpE --> ssh-ed25519 CqOTGQ xba3GuenbljaFEcgaX5UknPWjJSyQOMBaJSGk4VHZg4 -uzGnhgquJHT4+0zop9wNg6Fm8ka/9Ri1yPjw65VnGtA --> ssh-ed25519 uZzB3g WaU+50ui82IQHobA1QB62WX7bnjgxSVy9LAGjYifuHI -H0O4GIRchLil79zqim5v46RT8Xbu5zi0dKSRPiT6kHc ---- vg0SOy4LbcYEcxJMe6lbREFPPcxrRI/dJM7Lx3VC1rQ -bxmV^h0l@^RyS\rյ;@t~UYM)A?ƲW˹m,1I \ No newline at end of file diff --git a/secrets/gitlab/db_pw.age b/secrets/gitlab/db_pw.age index 2c4ae22..d030ca7 100644 --- a/secrets/gitlab/db_pw.age +++ b/secrets/gitlab/db_pw.age 
@@ -1,22 +1,15 @@ age-encryption.org/v1 --> ssh-ed25519 V1pwNA eBmTDM8WFdWOVP2Le1Y4+CZOeSg7e4xcxz0eYuxUWkQ -kXjJVAipfCM1Dp8bsbGK8oul9M0P6BLfR6uAC/MQEQI --> ssh-ed25519 4PzZog Q8DfBkyfVx6p5mrG4yrg7KGJCDoNzWdK7p9p/01OsTM -xEf80sJAlQXlIVngSZJWI/TNG+EXonJoR32duCOXByI --> ssh-ed25519 dA0vRg 5BeYWRbucBHgT2idvjbvffbsx+74xbVRk05f2Qg0Cl4 -56nJgkCp46o0XbBCwcrF5pyEHnlbvZ37tfYbKVjxTOQ --> ssh-ed25519 5Nd93w gL9Qox74O8yoM/a111CKQLaZDXkfwhrjth1PzaGrnTs -F9uyWwr0VO+87bejL4vBsuLko9bHNS626IH5hyPBkoQ --> ssh-ed25519 q8eJgg ql4rSMWPNB+MXNl4cUNC5TuJFYjRv6G6RvXqRLDdtHw -vmJbCOvWOM31FScQQgZXSBNEYh7O08RD8ZO4TZtgu5U --> ssh-ed25519 KVr8rw oE4h+ZaE+/VDLAuvBDsMmXSHDM89vgnFiomODKRGGU0 -j7Xh0YMOhNGhYnl8K1L+mhkuZqHV3oi0noVirHIV6sc --> ssh-ed25519 fia1eQ guH1BFGIkSyaKjP5QTOLIYgtdMdrHTChZdv2uXD6qgY -SHlvS6Xdzsld//ANiSDHbGMrBp4oUztRqRJyVaUw+no --> ssh-ed25519 Km71ZA xP0F1MFUkOZ1yNdBbHj1+qA/E6xM6YJjcBccVkV3rlg -A4JFqXV27j0yju5irMf3lBBQE3fIj7WHK9bzvxZhJxU --> ssh-ed25519 uZzB3g Aikhv5OldExETFRpxoeTx5NoHsZJAm2TAzne9KBr8wM -2BSDOfseGgPiHtAHWUIA/rp9uWAPdCvMsvWHRkkFPro ---- gYotGSlSz4Z/ZrzBWpDlP5Pv+Br8WKNrbibDsvAk1uo -;Ko"C -sOs E&&JGʋm">riӦNlQs.bj 8K4@hAֵʵ(߳YمǝqwU Z$L\Z:K'"ۀ_\'^Th;{ܵ. ssh-ed25519 V1pwNA TjC5DbimRqNNh0UQsk2YMgxoVZOQkWsNB10TmlPZLUM +H2H0Jpztcbn15L1Ff1teeWgZaoeKszVWG2GJKkBFuWA +-> ssh-ed25519 rIwlvw 9wk9lmhZBsiM5ifMGxlo+8YAKy325ru7u/MZA6gEzng +cAZ0/OqScj9x6vt4gvsrtqi36iIbT+n+iTySssKh3Fg +-> ssh-ed25519 q8eJgg Jn7hc5D6m/P7qxdpfQ2hRKKQPchrwtKhV6crxW05RTs +jM16eEteWG2ezgVnBB5t5JrhwnsAKr4cz8srqiWKzR8 +-> ssh-ed25519 uZzB3g qC7Mr+9evdjoSka/x5criNYkuha4SuAp/yrCK6dcUWQ +JPHRq5iV9aP2/tBPAuq8wI3eQN2JHH6jNZfK2Fckshk +-> ):,9TlwC-grease d?Jj?5>< +I0u2aN62wlBng0jlPPGRwXz5zJbcxW7PLOwHkRkLuHcNNtimd5QpRcr984eBa2hD +HF7n +--- 09T0lHOZiky+5dFYWvhtP6iEHrhHaub8bymCKwzOJmY +`>b_x+{1d%g5li]y܊!$h6AGn3SwNLR1LЊt +q]A arȎDד;Mnk 41W؟֌c2Ywo>}7PW()MWʺMʯls< )E{$j] \ No newline at end of file diff --git a/secrets/gitlab/ldap_pw.age b/secrets/gitlab/ldap_pw.age index 9679193..6fba186 100644 
--- a/secrets/gitlab/ldap_pw.age +++ b/secrets/gitlab/ldap_pw.age @@ -1,22 +1,14 @@ age-encryption.org/v1 --> ssh-ed25519 V1pwNA dHoon26BhGIqe6TjYS7Q93OC2vhr64B7ofHzX8FiJxk -EcH7j44+zOHBcJOw0AwpziXtUPxOH//MGacSa7rDNT0 --> ssh-ed25519 4PzZog CrrMq81Ep/Gm9qYcZjRJ1IpXtFGp/1XDfBCB6OSGbiY -gJ+PFL0Sx7izMk54jJr3LPvfZ9DMQP5/FjAXkRw/mkc --> ssh-ed25519 dA0vRg r5S3Fqlmqeeeu75r9COpp4mS07YWY0HP11zby9AjCyY -DGkeIp0M6dIA4WM4KYVZiwalHjou6qzLOFUnksIPU2Q --> ssh-ed25519 5Nd93w bm2DM8tuydnEqbcM7/aMgHtU/cnnfENGHgMgXPft414 -7bFV4Mx/gSaEM7+rJbqjjuod0U7tl8ODbK1+qY7gtmE --> ssh-ed25519 q8eJgg 35Ce/4wweXHadDG1ryl1d53G7IxEOwOFQATYgC6WzBY -5va0fHjZXbH/2ZAFioTcmyeFCid8vrgTFXK6wR/ranA --> ssh-ed25519 KVr8rw dyfXPAGfWlbmjpiol87idweWsU/c1v4gwq18Y/4oZBo -MiuhfBeQeMlHsi7hz0OgOiLIbFjeSaUoJ+xlIHkAmpY --> ssh-ed25519 fia1eQ +GTfP3+0hcdmM9qtZvUw2bZ+32guClfXwRTfvOg5Tzc -8gSAdoh1DRoiD6KTpm5F/hFvT02/3bf4ayD/dICjpTs --> ssh-ed25519 Km71ZA g3doqjZJ0GP9PgkZ5l/ePPxI3gyvILvrQAx4En6r2kA -O2lJGGq/LLsjtzwnfyUSD8Avw+5KbuNGd5XA8FwWJOw --> ssh-ed25519 uZzB3g 79FGgQhIwzLPTKUBhv6RdT3RqBe+JRb3DYLPt5mAPDg -gp9dUDfNPnhAX75SJhFxBmyNdaH8umAQcYzjBHkPEoo ---- XZ+0tCvAK9SgY5daynCjTqE5M0N3ip+wVIg8o/18AEs -`T6,NH]*qzC'T -#\Lb0zB F̽H@ s! "z֫8j} %FEi 䅎Bf@AJq}cUC=%s&lbpˀ\ ssh-ed25519 V1pwNA D1opPiqtt5raCD0PE2+On/Zgw+lavSHgYKbtJF+1xhc +jIN+eavLzY3UB8qCBWOOr/r6IZX1MZ0RTlKfJTtSbcE +-> ssh-ed25519 rIwlvw z1zGn7NX5x9n75SM8oXOkvRwoAwyCXvzqZhWMXOGImE +NWsqkm+nDv2dQDCnhfaWpKaBaF9nrQA5PKFl3FthtI8 +-> ssh-ed25519 q8eJgg icVubOVJOSB3Wd7vnvEShwy7CsAMJchY/vuIMt0+p2E +OBz5wsfT3STCzzgmBgPdSQWr+xc91Dfo+ulleLK9l1k +-> ssh-ed25519 uZzB3g gkyX8KZKJ6NL4OpsxKVKVK37ikAp9yAGxUjd0iLWzXQ +Nuk8JFO6wrjmDKiLnDaqBqW+AY7+DHYLSeV9gf5H5Aw +-> V8-grease #% :0txQ > +CP/AZC0nCj41Lly+GryRa2gmYFG8lsY30DtG7NgqY6AVj0bVHbwwOzx9oGA3xtu1 ++KsWhWAcvxc +--- LL4fxXc9VX5VeGj5epHEIkLmpab/t7x8YMyNgkYsFLQ +b^NXq8 *:ѥ QYb~ %c?bϛ[1EH؈C}+0~av Prj#KP`Ő; P13툃_m=L#dr*vúp"8<]th,D [`- \ No newline at end of file 
diff --git a/secrets/gitlab/pw.age b/secrets/gitlab/pw.age index e629115..1f96682 100644 Binary files a/secrets/gitlab/pw.age and b/secrets/gitlab/pw.age differ diff --git a/secrets/gitlab/runners/runner01.age b/secrets/gitlab/runners/runner01.age index 802b8a2..81f1aca 100644 Binary files a/secrets/gitlab/runners/runner01.age and b/secrets/gitlab/runners/runner01.age differ diff --git a/secrets/gitlab/runners/runner02.age b/secrets/gitlab/runners/runner02.age index d1517c4..2413980 100644 Binary files a/secrets/gitlab/runners/runner02.age and b/secrets/gitlab/runners/runner02.age differ diff --git a/secrets/gitlab/secrets_db.age b/secrets/gitlab/secrets_db.age index 12efa5d..6934358 100644 Binary files a/secrets/gitlab/secrets_db.age and b/secrets/gitlab/secrets_db.age differ diff --git a/secrets/gitlab/secrets_jws.age b/secrets/gitlab/secrets_jws.age index df1c17f..5ec637e 100644 Binary files a/secrets/gitlab/secrets_jws.age and b/secrets/gitlab/secrets_jws.age differ diff --git a/secrets/gitlab/secrets_otp.age b/secrets/gitlab/secrets_otp.age index e2f666b..aa25623 100644 --- a/secrets/gitlab/secrets_otp.age +++ b/secrets/gitlab/secrets_otp.age 
@@ -1,23 +1,15 @@ age-encryption.org/v1 --> ssh-ed25519 V1pwNA J1jWaKTbHWMnVgEolYSNcSzFmrcQOQayJDpRkHJ7MWQ -OFgeS65lX054wVIRQz5jG0GtCc6hPIIK6UZYHRi8VzM --> ssh-ed25519 4PzZog 5HNLv8tCY9JiVJ3X8oPTeHgRwD33hM1/N2L1GANipjA -uwySZVFGz7Qjsc8kJ46U2HToy5jBA187xiqHSOCT/Ao --> ssh-ed25519 dA0vRg s8dyhKymv+79jScLPaLmENxcE2iSCc3HjcJa6CQrr38 -iIM4YuQKyj5YfWXQ/tYSgsYyZou7n3f61jX71qSiwBQ --> ssh-ed25519 5Nd93w fcjdT92p4deSP3ZsnQ6k7BIWXu6uKz2mwXS0fx3THFk -soCst9iuNKTRHRC1KgENCVbmN6iwqgg1/Dzctwfy2ZU --> ssh-ed25519 q8eJgg 2N/lQK86ZU/2ErBbeukdLOmcW355nvj+9T/KoWLCpQY -BmG/Sz13zz46PcfW+X4wttyk3ZVlvEeJUM10Ccmq6i4 --> ssh-ed25519 KVr8rw 9iel00EwlZ3Z8eBUZAa7s9I8fxk2MweS5Iyx4VSe1xU -on0S237moIC0lTpnh46e18vvz5ITQi/06qEsnG/Uk1o --> ssh-ed25519 fia1eQ T1S/lOFewcon85uDA/I0bs7j30JuyGKeOwGEwp7ERmE -nGDC5k6m8fRe+pl/L3day2Nm6/mESMhuAPUC8K/qqv0 --> ssh-ed25519 Km71ZA DBynnijHNpvl9io5B8/d4MrSG93kXeSuaXHnziAJLwI -+fKdY2xtEjymLCtr7f3/SYFmNImFy7qLsd8z8AGfIC8 --> ssh-ed25519 uZzB3g /fQzYviDKnu39yzSXd9uLiJYUyNV+qPQfh0NUKG76wM -DZbQl7Ztc+eZ1bZTTEnQwvR7K3uqI1l+NSYECLO+Ntw ---- Nxord4eFVt/0iQ5gmyEkefwUnCd74aRtbp9oX3KuXyQ -&XVy3%}3j#@GjS> - Țϖ+>uB%/UR pnE~ j[2LkB`н)\"~G -#wrƾa=> \ No newline at end of file +-> ssh-ed25519 V1pwNA n+nAfsTposX7lyNEDSYfPrAEdLEgLx4Jj2Y00yVfk3E +NrtcL/FaaFKpXgUITbNby6ePXCeKALdhsAY/wIYji3g +-> ssh-ed25519 rIwlvw x3e5S+n59DmdjRoRwwnPrnCjJU86s21f+sGM8ACczgk +r4ucjan1nqdJ8oMC/AGGxDYLQKNllCSNUJHvXTYzkEQ +-> ssh-ed25519 q8eJgg buPBic/APo3xcrUaGlxdtOyzV5I3fSZ9xL/+SXgcDWY +lMe216HpOdOSQ+7bdrFASmCP1kEeW7viOpqEerBrWUs +-> ssh-ed25519 uZzB3g vugTWgwhcrJFVLdKLzOX/Q5VgLpShPd2AEP9/G2QPnE +YXeFw3C+fdC9V0iMxq+QdEllG6AsRi3j0YaoRKCZFXA +-> v4gvO-grease '9WE x$#:\zh 2 `/< +uz9eGfsOZoXGI5CS4SuVsgbX2T32Xb6dNIAgR0LPQq+cuUDRMHITAGnI5uMTykOp +lU9KufA/IBIRrIKar8Ke16N2AuJMjrLjV/w +--- Ovf178SvMCjueE2y1Wc2ABfTdYX0xXyKJjKvjfle0L8 +/^Y} U6as2Eٖw^g.wټ" 2 +% E72 #3b \ No newline at end of file 
diff --git a/secrets/gitlab/secrets_secret.age b/secrets/gitlab/secrets_secret.age index 54feb45..3bf916e 100644 Binary files a/secrets/gitlab/secrets_secret.age and b/secrets/gitlab/secrets_secret.age differ diff --git a/secrets/grafana/pw.age b/secrets/grafana/pw.age deleted file mode 100644 index f9285e2..0000000 --- a/secrets/grafana/pw.age +++ /dev/null @@ -1,21 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 V1pwNA sIoha/7vcAIuauOaV8gQA1spz0NZWfcc4rr2zgUP2k8 -+XELN1EFpMnDsVYgPnSaRm4qduSY+80RCfEFnBPCj/0 --> ssh-ed25519 4PzZog ffub2ZpZEkysUNemtue5UroJj+/Oxi+nIstX7/txi2w -MsvvInOvekc27UTViomCZbeikTKm1vqTKsanOpeSQ8c --> ssh-ed25519 dA0vRg ymDF91ZONYNjDV5Gktf0at2kUkfYbPSja9iWOqcBxVk -gw7IgyRSVKfxeebADqYH7z+TZJcWIMS3g14U3FrDS7c --> ssh-ed25519 5Nd93w n17TARvCsIOmSp0WjZQEczLCFsAVYf9lDlJDdZeqzFU -gRRE87qCSiKevHShj1k0bw+kwOVblwhMGh94WRYdqIM --> ssh-ed25519 q8eJgg 7ZJM3hSRIaQSpMnE594tD3qsufP0IwI5ngmitx/SW34 -Yibvj3cTOT6TOHSFBgeBwpXbGNFjeYs+oNjbfP3GRgc --> ssh-ed25519 KVr8rw O8njcmXqC4uurmzk0MLECH/pVlVqA0dqM9uL00vKlls -h1dhNulCkCc3O8GmNSt67dxK2XhibTJHxx2loo2Y26s --> ssh-ed25519 fia1eQ NE6qJvq6AK7bIlbq7QSJqQwpGv6cgQFv/L/6MXOQUzI -uk1G8a1cECFkjbt7bjcXOYQDHcTBCQwhyqcTg3pIC0o --> ssh-ed25519 Km71ZA wQh+XFb10AF8fdeDGM3mMJG6N43ej48QML69Xa+xFHQ -eDuMG3MT8EuzS+QCAHLUi1NhRWp67jJamSL5iUQKi9c --> ssh-ed25519 IpLDOw wTE9a1YrhG1NqYTOBoihrNH3xt2fKOmGHvx5liEfeHM -Rv9+kBZamBTDS8XGRaTsuUW/t6p5kYnbfNyyZY5n590 ---- 2HVyulzZ1Z3kQSSDH6HN/mu8uT+u8yohmt0bpe/VNQw -M\$0giSmlgJJ_yJ<.l< c~84vGP$ ˉN{5c \ No newline at end of file diff --git a/secrets/keycloak/pw.age b/secrets/keycloak/pw.age deleted file mode 100644 index 6165130..0000000 --- a/secrets/keycloak/pw.age +++ /dev/null 
@@ -1,22 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 V1pwNA lV3ABJKTunaYK+s7681CNJBvp0JM/OhSSnkQ2pF5lGk -VokFm+m3stF3HjebxOBmIiWTQqmBaSR+RiWQE6dMQJw --> ssh-ed25519 4PzZog EDXgO1cHPd8xxDbmL/lunkG3McC4a/wzBlFe16ByHS0 -eTNXJMKNSCesEXT0XAuZEhhCyX7eumglnIJ/00y+WTk --> ssh-ed25519 dA0vRg sKq17tK9/rB+VNTYQ/aoTzEcfzeMJTkN+a/Oz0+g9ks -TNrHE3fFaAEMrrJ1264rh3UbJ8jBTxGSaeVPWzX3y3o --> ssh-ed25519 5Nd93w UkQintKS9V/5QH4arHtPKPe33ktNhE4Jl7illmlNuXQ -u0t1110eebk8SYm5e4jI+d1vOSvUCZRJGIqNZ/WmdPs --> ssh-ed25519 q8eJgg uBJUJaR7prW8b/jjhXBjax5lVsnGYpifqZVqExVivyo -hp2Y6RPzNaPZaX4sgOWVStdVWHe8taocUhToaojni4I --> ssh-ed25519 KVr8rw /j1ASDGc0GM7/Rt6RgBj2u2rlARs+iJixYR2gGFvshU -JRPezd9xI6o89hX74agVVLAtX1Lp7dgjkr5ndQfDjSw --> ssh-ed25519 fia1eQ +NO/LIWFudIdovclnaX55jr/x52Rs4sHbP4jxepYHEk -0ykDlD2um8a9gUea1JXrGfP6QsPV+DWIPqfD5cbvCCo --> ssh-ed25519 Km71ZA lAJq3SkNxUWZcmwMWyWrCaCrzyjnJK2A4G2kysZdvGU -wmxgYru5pzJkfkTP8CmI9z8GeqpJdgGO4BmbLWPJ4Jw --> ssh-ed25519 IzAMqA 0yLa+jpL+6w8TvvbFM5IUUrpUncc8HLxuDjKM4t7mC8 -QeeibbBquSOjVimgtszMPTxzgsVUNui1euB4knkzwL0 ---- K9L+f43VUTIuWWMG8Zuzw+27zIPe6l/ortS4i+XhdHc -$sey^$"+ӂM;x?a23/ k'NXiV ",V - @`G% \ No newline at end of file diff --git a/secrets/ldap/details.age b/secrets/ldap/details.age deleted file mode 100644 index da4439d..0000000 --- a/secrets/ldap/details.age +++ /dev/null 
@@ -1,29 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 V1pwNA QL6Ov/gY2LGGxdb2lBmAO5TWpSM6Lu7lrDoRAjpt8Xk -Y/N8e/lbtGq8x5XKEArhGB24sylZg28CUDy1ZPMEB6E --> ssh-ed25519 4PzZog edg0jd91dvzl7GCpYhcXae+1/J/S7Gg7oB8K9qUKZUw -vBWclnGBVsTqiU5CvyufRsNNcoOEuEsYshO4a57e0XI --> ssh-ed25519 dA0vRg JZhFcar8MPdXQqWZb1MPFDBefI8WxouCZVzvZ+igeDo -b7R3MyTA5+PlAj4BwtXkTCJbePocqpjuKj0zQpG87Rc --> ssh-ed25519 5Nd93w raDPqiw/0CK8as7sZPRIWE1XY+V5koTvnoc5l9NdhUY -VwLkfOyCLQVoh36x8E5u5Dg+o2t9qewebT1LTPRV7hg --> ssh-ed25519 q8eJgg TubfJ7d+08VQbYFfffHxbvhYhckzyz9uQ5HHGse/Bxc -SP2/NKROJ4NBAXdCCkatR1NxlW8A9IVZp3FjuVXGNhs --> ssh-ed25519 KVr8rw Y0bWtD5FMzN+XqOzX0GYxjPAfeL/ZTLsK7mENlaDVHo -32oRZds/6yzxrElqqcJruLPm7Xbn0bcA2ppwmVar4aQ --> ssh-ed25519 fia1eQ Iv0l4N/M7OtcJaIOl7aYkKXEW0JT1LLcj57Gb+P6bEw -1L4QHCzndPVMR3d2QxZJpGBFWkkWVzv82T0Jmy25kU0 --> ssh-ed25519 Km71ZA bsyk9/F9MsQ03wk9WSfr/Iq/EqZRbgE6GFAdsF/FXCM -eM3IYnk2eV6qAmQSLlNcSXrDjvsKYWj3tJwqsQeE9ts --> ssh-ed25519 IzAMqA DDn7GvKbl6QCccy++gIDIkuH1r8GhpbI53yIj1VxyxE -EVXTTiXXhgZCEQ8re0bgMZF+uNr7iRAk65ibxz4iyYA --> ssh-ed25519 uZzB3g rtqfhmxAGTYy01kY2dZfhGpN1PaElLRzvFNGkQnJzyc -W5o3/PyNCOwZ1t/XHVakAvNzj3ldBw7cGVa+70a0dp4 --> ssh-ed25519 Hb0ipQ nZpBkwWQyy1x5AgVA048LCwHsSsrH5fmWBjQBH3dNF8 -eGNcytct1cZC141au5Unv8rFPlfrxhCTOs8iHq5IIwk --> ssh-ed25519 IzAMqA QI7Ce9DZ94RAmB9928z5Gq7z56fSvxNPdfsRfHIVrgM -+GswWufQ9qHx2xCOoaI5k1uf585J7jb2I+7TFkjnzhw --> ssh-ed25519 IzAMqA ZQX4lsE9Rx35VOnmfcQe0VdZsusK+kJXTSfEMkzAC10 -Bhx9zoOlyRqfxDMKmqtyFfc0VCWdIf3Any0MySMaDTI ---- 3iKU0fXNNfC1wSSA0O5dSyTLtTdE7YWlaN17LyUnMhQ - uc Oh^UMI 7O&wh|LhVhhY`\hGoʤ=jQI]hὈa W|d!>aX7rNv:Y"DAG=jLd֢C"0va##͗X-RPv$|ܱ1ޞ0>eix9>VzH^JlU \ No newline at end of file diff --git a/secrets/ldap/pw.age b/secrets/ldap/pw.age index 565793e..7a10dd4 100644 Binary files a/secrets/ldap/pw.age and b/secrets/ldap/pw.age differ 
diff --git a/secrets/ldap/self_service.age b/secrets/ldap/self_service.age new file mode 100644 index 0000000..20bf9a6 Binary files /dev/null and b/secrets/ldap/self_service.age differ diff --git a/secrets/nextcloud/pw.age b/secrets/nextcloud/pw.age deleted file mode 100644 index 047db6e..0000000 --- a/secrets/nextcloud/pw.age +++ /dev/null @@ -1,21 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 V1pwNA enzHbYyPDDgq9WliLne6mFBxUJcIGl2lO0EOob+smn0 -+p8zsbFpe5NkZ6ly3mzmwFzLPT6VPCOxCUCMbPzgZeM --> ssh-ed25519 4PzZog hufrzwSjVHi5fI8vhFdqzuJOnabcVkP08RhocQcy2F8 -rkW1//bKw7PDEAsUqHR1RKmB8WJUmb64Tp7XpRgueJs --> ssh-ed25519 dA0vRg u+TEdkFb1kcboFRD2lseVIgwxRPA2UHKKEuY0UAj9G8 -m5RFvFSrr8wJP/3FuUEY4unRHCdcGeNZGy0yd7TmAB4 --> ssh-ed25519 5Nd93w YZGOEyMxBYfiUzSbq+TL6IaZXlrclAFqwJ2ui0AeqQM -L1cQpnMWh/1bI608iNQBQqAWtHuw0oAvew4kFaffM4E --> ssh-ed25519 q8eJgg lGpgxRy5zmacWvhZFJMPArG9xrUaW2pWFDj9i9k68AA -voaccSRi7JRvslMQb184V+GGhLGndfK0MyVy5WdXDVs --> ssh-ed25519 KVr8rw +cDqGXb/EWa3u04LL7SvXUh/bCkkoql0RGNXiqhbVSk -KxgfXCYOuUbUeuGW+bt/+VFC3vLZnKjaZte7tKVlai8 --> ssh-ed25519 fia1eQ AVGkBzg031Pye0QDxoQnw/D2bfaCPTJCTG4vtfZU0DY -3ag9Cg7zlxLcNG0sN9VQfFQNrHnVOrEz4ayYApzy3Iw --> ssh-ed25519 Km71ZA 60en2Z9LvPiEKb6CWbY8V/XO53ABXKOdC/wfk6aSiHI -9E+Pt5I0nRzA7TRXwtEaHR6BsBP15xcQ8mr9kd66PrA --> ssh-ed25519 YFaxCg L2D66ArXKuoZUdYRr5kycmRgs6EG1h1Z/fg+/TjZam8 -DJF4mVbgSqjJxHkhVUv+7e9vTnPtSa4zAa6N18z+CoE ---- fbOoRpYqRSR88ma5/QLdnhzDq91VJfGMapg6BTBl6tw -VQdʾqԥøgϦU)?b;v$V,oxZ67TȚm:X< \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 08d748a..1d84f6d 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -1,60 +1,50 @@ let admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"; - silver_laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWfVKls31yK1aZeAu5mCE+xycI9Kt3Xoj+gfvEonDg silver@helios"; - silver_laptop_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOmm4CCnpT+tF7vecSrku0+7aDA1z3pQ+PDqZvoCynCR silver@aether"; - silver_desktop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico Desktop"; - thenobrainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"; - eliza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJaVEGPDxG/0gbYJovPB+tiODgBDUABlgc1OokmF3WA eliza-skynet"; - esy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINS2UR/o+nK8lNHHTj5I84ZAAp6P+ZhXqhedMfx0KHE4 "; - esy_root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDxHpsApRyCvuP2ToGm46G308Og8lO7BYPuz+EqHVU5w esy root"; + silver_laptop_wsl = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEHNLroAjCVR9Tx382cqdxPZ5KY32r/yoQH1mgsYNqpm Silver_Laptop_WSL_Deb"; + thenobrainer ="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"; users = [ admin - silver_laptop - silver_laptop_2 - silver_desktop + silver_laptop_wsl thenobrainer - eliza - esy - esy_root ]; - agentjones = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHOxA3uYcqS5gTrG1hS8XXwehzQYAI2I4iULtU8cXft root@agentjones"; - vendetta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvcxiSYE38V1IopHj7Z7ZWP1IqnskYCdhj8yCQohVUM root@vendetta"; + # change this when its properly set up + agentjones = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbqYQrdVHmGgXZJoMWWRDGVEIj775Zrf4PxB5hoth+k root@agentjones"; + + ash = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGJDVQGjIwMQmkElGshgKDAlChM2xdNN6iI5Ap2IbAs5"; + # dns servers + vendetta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINxTrUPZPqttuxfmmP8BTACTAkv1yY1nfzEd64hN4LT+ root@vendetta"; vigil = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDsz1bjNAThqwF48dKIJGOECsCKHTj/Gn5Gh9XyzoSO root@vigil"; + galatea = "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAII3Mke5YtaMkLvXJxJ3y7YAIEBesoJk3qJyJsnoLUWgW root@galatea"; + + optimus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqYbbWy3WWtxvD96Hx+RfTx7fJPPirIEa5bOvUILi9r root@optimus"; + glados = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6go7ScvOga9vYqC5HglPfh2Nu8wQTpEKpvIZuMAZom root@glados"; - wheatly = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPlgCGtyvd3xwYg9ZNyjTJNB/LvUSJO01SzN8PGcDLP root@wheatly"; + wheatly = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEehcrWqZbTr4+do1ONE9Il/SayP0xXMvhozm845tonN root@wheatly"; + kitt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPble6JA2O/Wwv0Fztl/kiV0qj+QMjS+jTTj1Sz8k9xK root@kitt"; + gir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINL2qk/e0QBqpTQ2xDjF7Cv4c92jJ53jW2fuu88hAF/u root@gir"; - neuromancer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFAs6lBJSUBRhtZO3zGKhEIlWvqnHFGAQuQ//9FdAn6 root@neuromancer"; + + neuromancer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7NRDOGzSO4XVEezMS/9pI3chKbOH0fw2aikLRvea2P root@neuromancer"; + skynet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAIFPXJswth8H1k8+zrg8vCnPkfG1hIIa3wR9DBmjpB5 root@skynet"; - earth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMpvgQcvK7iAm0QrIp5qSvUJzDhOrSBN9MJn9JUSI31I root@earth"; - cadie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACcwg27wzzFVvzuTytcnzRmCfGkhULwlHJA/3BeVtgf root@cadie"; - marvin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAme2vuVpGYX4La/JtXm3zunsWNDP+SlGmBk/pWmYkH root@marvin"; - calculon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsmeBfh4Jw2GOL7Iyswzn4TVNzalDbxDgh7WuQotFxR root@calculon"; - ariia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF/x7Zsp9jqxXxxRGLq7ng4HaiZ9o043Bwy4TFPXSs5S root@ariia"; - optimus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFv0Hb4qfzXUll+Hct1NQOE0bCf0MpE24Cqskd8vAFyj root@optimus"; - bumblebee = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINF31tsOZTEpPFCu4wZvJjxxvgFhRpxvo9SKyDMNWHZu root@bumblebee"; systems = [ agentjones + ash vendetta vigil galatea optimus - bumblebee glados wheatly kitt gir neuromancer skynet - earth - cadie - marvin - calculon - ariia ]; dns = [ 
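Review bot: Dropping silver_laptop, silver_laptop_2, silver_desktop, eliza, esy and esy_root from `users` (and replacing the agentjones, vendetta, optimus, wheatly and neuromancer host keys) only changes who can open the re-encrypted `.age` files from this commit onward; every earlier revision of those files stays in git history and remains decryptable by the removed keys, so the underlying passwords and tokens need rotating as well unless that already happened here, which the ciphertext changes in this diff cannot show. `ash` is the only system key without the `root@<host>` comment the other entries carry, which makes it harder to match against an `authorized_keys` file or `ssh-keyscan` output later; consider `ash = "ssh-ed25519 AAAA... root@ash";` with the real comment. `# change this when its properly set up` above agentjones would be more useful if it named what is still pending and who owns the swap, e.g. `# TODO(<owner>): temporary key until <what is pending>; replace and rekey`. `thenobrainer ="ssh-ed25519 …"` is missing the space before the string that every other binding has. The `let` block this hunk edits continues past the hunk.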
@@ -66,12 +56,11 @@ let gir ]; - ldap = - [ - kitt - ] - ++ gitlab - ++ email; + ldap = [ + kitt + ] + ++ gitlab + ++ email; gitlab = [ glados @@ -79,12 +68,20 @@ let gitlab_runners = [ wheatly - glados ]; - grafana = [ - ariia - ]; + # these need dns stuff + webservers = [ + # ULFM + galatea + # Games + optimus + # skynet is a webserver + skynet + ] + # ldap servers are web facing + ++ ldap + ++ gitlab; restic = [ neuromancer @@ -93,27 +90,16 @@ let discord = [ kitt ]; - - nextcloud = [ - cadie - ]; - - bitwarden = [ - kitt - ]; - - sso = [ - kitt - ]; -in { +in +{ # nix run github:ryantm/agenix -- -e secret1.age - "base/root_pass.age".publicKeys = users ++ systems; - "dns_certs.secret.age".publicKeys = users ++ systems; + "dns_certs.secret.age".publicKeys = users ++ webservers; "dns_dnskeys.conf.age".publicKeys = users ++ dns; "stream_ulfm.age".publicKeys = users ++ [galatea]; + "gitlab/pw.age".publicKeys = users ++ gitlab; "gitlab/db_pw.age".publicKeys = users ++ gitlab; "gitlab/secrets_db.age".publicKeys = users ++ gitlab; 
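Review bot: `webservers` is built as `[ galatea optimus skynet ] ++ ldap ++ gitlab`, but `ldap` is already `[ kitt ] ++ gitlab ++ email` (hunk -66 on this line), so the gitlab hosts are added twice and the email hosts are pulled in without being mentioned next to the group; `webservers = [ galatea optimus skynet ] ++ ldap;` yields the same recipients without the duplicate, and a line such as `# ldap pulls in gitlab and email as well` would make the transitive members visible. The comment `# these need dns stuff` does not say which secret the group gates; its only use in this diff is `"dns_certs.secret.age".publicKeys = users ++ webservers;`, so naming that (`# hosts that receive dns_certs.secret.age`) keeps the grant auditable when hosts are added later. Whether a duplicated recipient is harmless for agenix is not shown here, so treat the dedup as hygiene rather than a known breakage. The `let` block continues outside the hunk.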
@@ -125,40 +111,15 @@ in { "gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners; "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners; - "forgejo/runners/token1.age".publicKeys = users ++ gitlab_runners; - "forgejo/runners/token2.age".publicKeys = users ++ gitlab_runners; - "forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners; - # for ldap - "ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden; - # for use connectring to teh ldap - "ldap/details.age".publicKeys = users ++ ldap ++ discord ++ bitwarden; + "ldap/pw.age".publicKeys = users ++ ldap; + "ldap/self_service.age".publicKeys = users ++ ldap; # everyone has access to this "backup/restic.age".publicKeys = users ++ systems; "backup/restic_pw.age".publicKeys = users ++ restic; # discord bot and discord + "discord/ldap.age".publicKeys = users ++ ldap ++ discord; "discord/token.age".publicKeys = users ++ discord; - "discord/t-800.age".publicKeys = users ++ discord; - - # email stuff - "email/details.age".publicKeys = users ++ ldap ++ discord; - - # nextcloud - "nextcloud/pw.age".publicKeys = users ++ nextcloud; - - # handles pulling in data from teh wolves api - "wolves/details.age".publicKeys = users ++ ldap ++ discord; - - # for bitwarden connector - "bitwarden/id.age".publicKeys = users ++ bitwarden; - "bitwarden/secret.age".publicKeys = users ++ bitwarden; - "bitwarden/details.age".publicKeys = users ++ bitwarden; - - # Keycloak/sso - "keycloak/pw.age".publicKeys = users ++ sso; - - # grafana - "grafana/pw.age".publicKeys = users ++ grafana; -} +} \ No newline at end of file diff --git a/secrets/stream_ulfm.age b/secrets/stream_ulfm.age index b014d5f..9d284cd 100644 Binary files a/secrets/stream_ulfm.age and b/secrets/stream_ulfm.age differ diff --git a/secrets/wolves/details.age b/secrets/wolves/details.age deleted file mode 100644 index 857f7e5..0000000 Binary files a/secrets/wolves/details.age and /dev/null differ 
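Review bot: The new `"ldap/self_service.age".publicKeys = users ++ ldap;` and `"discord/ldap.age".publicKeys = users ++ ldap ++ discord;` entries grant to the whole `ldap` group, which per hunk -66 above is `[ kitt ] ++ gitlab ++ email`, so both credentials become readable by every gitlab and email host even if only one of them consumes them; if that is not intended, encrypt to the consuming host(s) only, e.g. `"ldap/self_service.age".publicKeys = users ++ [ kitt ];`. The removed entries carried purpose comments (`# for ldap`, `# for bitwarden connector`) but the two additions have none; a line like `# used by <service> on <host> -- TODO confirm` above `ldap/self_service.age` would keep the file's convention and record why the recipient set is what it is. `discord/token.age` and `discord/ldap.age` now sit under the same `# discord bot and discord` heading with different recipient sets, so a short note on why the ldap credential needs the extra hosts would help. The attrset this hunk edits starts outside the hunk.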
diff --git a/sync/.gitignore b/sync/.gitignore deleted file mode 100644 index a153487..0000000 --- a/sync/.gitignore +++ /dev/null @@ -1,4 +0,0 @@ -/.idea -.env -repos_active.csv -repos_diff.csv \ No newline at end of file diff --git a/sync/README.md b/sync/README.md deleted file mode 100644 index ab02597..0000000 --- a/sync/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# Repo Sync -This subdir is intended for syncing repos on with - -## CSV file -This file is in the format of local id and remote link. -It must end on a newline - -## Tokens -Tokens have a lifetime of a year. - -| Site | User | Location | Scopes | Expiry | -|--------|-----------|-------------------------------------------------------------------|--------|------------| -| Gitlab | ulcompsoc | https://gitlab.com/-/user_settings/personal_access_tokens | api | 2024-12-26 | -| Skynet | compsoc | https://gitlab.skynet.ie/groups/compsoc1/-/settings/access_tokens | api | 2024-12-26 | - -They are then stored in https://gitlab.skynet.ie/compsoc1/skynet/nixos/-/settings/ci_cd as ``TOKEN`` and ``TOKEN_REMOTE`` - -After the tokens have been regenerated head to https://gitlab.skynet.ie/compsoc1/skynet/nixos/-/pipelines/new and use the var ``SYNC_OVERRIDE`` with value ``true`` to force an update of all the links. \ No newline at end of file diff --git a/sync/repos.csv b/sync/repos.csv deleted file mode 100644 index 53ca74b..0000000 --- a/sync/repos.csv +++ /dev/null 
@@ -1,13 +0,0 @@ -id_local, remote_url -4, https://gitlab.com/compsoc1/skynet/nixos.git -9, https://gitlab.com/compsoc1/skynet/ldap/backend.git -10, https://gitlab.com/compsoc1/skynet/ldap/frontend.git -13, https://gitlab.com/compsoc1/skynet/website/2023.git -14, https://gitlab.com/compsoc1/skynet/website/2016.git -17, https://gitlab.com/compsoc1/skynet/website/alumni-renew.git -18, https://gitlab.com/compsoc1/compsoc/constitution.git -20, https://gitlab.com/compsoc1/compsoc/presentations/presentations.git -21, https://gitlab.com/compsoc1/skynet/discord-bot.git -22, https://gitlab.com/compsoc1/skynet/scripts.git -29, https://gitlab.com/compsoc1/skynet/website/games.skynet.ie.git -44, https://gitlab.com/compsoc1/compsoc/presentations/python_catchup.git diff --git a/sync/sync.sh b/sync/sync.sh deleted file mode 100644 index 87c27e5..0000000 --- a/sync/sync.sh +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/bash - -Get-Existing(){ - curl -s "https://gitlab.skynet.ie/compsoc1/skynet/nixos/-/raw/main/sync/repos.csv" -o "./repos_active.csv" -} - -Get-Diff(){ - diff --changed-group-format='%<' --unchanged-group-format='' repos.csv repos_active.csv > repos_diff.csv -} - -Mirror-Clear(){ - # existing remotes - local id=$(tr -d '\n\t\r ' <<<"${1}" ) - local token=$(tr -d '\n\t\r ' <<<"$TOKEN" ) - local response=$(curl -s -X "GET" "https://gitlab.skynet.ie/api/v4/projects/$id/remote_mirrors" --header "PRIVATE-TOKEN: $token") - - # https://stackoverflow.com/a/67638584 - readarray -t my_array < <(jq -c '.[]' <<< $response) - # iterate through the Bash array - for item in "${my_array[@]}"; do - local id_mirror=$(jq --raw-output '.id' <<< "$item") - curl -s -X "DELETE" "https://gitlab.skynet.ie/api/v4/projects/$id/remote_mirrors/$id_mirror" --header "PRIVATE-TOKEN: $token" - done -} - -Mirror-Create(){ - # make sure the values are clean of extra characters - local id=$(tr -d '\n\t\r ' <<<"${1}" ) - local REPO_TMP=$(tr -d '\n\t\r ' <<<"${2}" ) - local REPO=${REPO_TMP#"https://"} - local token=$(tr -d '\n\t\r ' <<<"$TOKEN" ) - local token_remote=$(tr -d '\n\t\r ' <<<"$TOKEN_REMOTE" ) - - local body="url=https://oauth2:$token_remote@$REPO&enabled=true&only_protected_branches=false&keep_divergent_refs=false" - local uri="https://gitlab.skynet.ie/api/v4/projects/$id/remote_mirrors" - echo $uri - curl -s -X "POST" "$uri" --header "PRIVATE-TOKEN: $token" --data $body - # to put output on a new line - echo "" -} - -Main() { - # for local dev - source .env - - # if SYNC_OVERRIDE is not set then - if [ -z "${SYNC_OVERRIDE}" ]; then - Get-Existing - Get-Diff - else - cp repos.csv repos_diff.csv - fi - - while IFS="," read -r id remote - do - Mirror-Clear $id - Mirror-Create $id $remote - done < <(tail -n +2 ./repos_diff.csv) -} - -Main \ No newline at end of file