Skynet/nixos
6
1
Fork 0
Code Issues 43 Pull requests 1 Projects Releases Packages Wiki Activity Actions

Compare commits

base: Skynet:main
Branches Tags
Skynet:main
Skynet:test-nixos-pelican
Skynet:#76-Nuked-Backup
Skynet:#70-logging-dns
Skynet:#56-external-dns
Skynet:#52-dns-for-non-nixos
Skynet:second-interface-routing
Skynet:add_automx2
..
compare: Skynet:#56-external-dns
Branches Tags
Skynet:main
Skynet:test-nixos-pelican
Skynet:#76-Nuked-Backup
Skynet:#70-logging-dns
Skynet:#56-external-dns
Skynet:#52-dns-for-non-nixos
Skynet:second-interface-routing
Skynet:add_automx2

7 commits
main ... #56-extern

Author SHA1 Message Date
Brendan Golden
8e355bab9a feat: I think i got external/non-nixos domains working pretty solidly 2024-03-12 00:59:02 +00:00
Brendan Golden
a000bcc66d feat: simplified the dns a tad by passing through vars to functions 2024-03-12 00:13:11 +00:00
Brendan Golden
5141b57eb5 feat: simplified the dns a tad by passing through vars to functions 2024-03-12 00:12:47 +00:00
Brendan Golden
97e18e5514 feat: no need for the extra config 2024-03-11 23:47:21 +00:00
Brendan Golden
752194eb61 fix: slight cleanup of the dns file 2024-03-11 23:29:07 +00:00
Brendan Golden
fce75fde73 feat: made the custom dns a tad more general 2024-03-11 23:27:09 +00:00
Brendan Golden
ed43da872c feat: figured out how to share types across files 2024-03-11 23:14:29 +00:00
108 changed files with 2321 additions and 3915 deletions
Show stats Expand all files Collapse all files

59
.forgejo/workflows/deploy.yaml
View file

@ -1,59 +0,0 @@
name: Build_Deploy
on:
workflow_run:
workflows: [ "Update_Flake" ]
types:
- completed
push:
branches:
- 'main'
paths:
- applications/**/*
- machines/**/*
- secrets/**/*
- flake.*
- config/**/*
- .forgejo/**/*
jobs:
linter:
runs-on: nix
steps:
- uses: actions/checkout@v4
- run: nix fmt -- --check .
- run: nix --version
#if: github.repository == 'Skynet/nixos'
build:
runs-on: nix
steps:
- uses: actions/checkout@v4
- run: nix develop -v
# - name: Archive Test Results
# if: always()
# run: sleep 100m
# - run: colmena build -v --on @active-dns
# - run: colmena build -v --on @active-core
# - run: colmena build -v --on @active
# - run: colmena build -v --on @active-ext
# - run: colmena build -v --on @active-git
deploy_dns:
runs-on: nix
needs: [ linter, build ]
steps:
- uses: actions/checkout@v4
- run: colmena apply -v --on @active-dns --show-trace
shell: bash
deploy_active:
strategy:
matrix:
batch: [ active-core, active, active-ext ]
runs-on: nix
needs: [ deploy_dns ]
steps:
- uses: actions/checkout@v4
- run: colmena apply -v --on @${{ matrix.batch }} --show-trace
shell: bash

12
.forgejo/workflows/deploy_forgejo.yaml
View file

@ -1,12 +0,0 @@
name: Update_Forgejo
on:
workflow_dispatch:
jobs:
deploy:
runs-on: nix
steps:
- uses: actions/checkout@v4
- run: colmena apply -v --on @active-git --show-trace
shell: bash

31
.forgejo/workflows/update_input.yaml
View file

@ -1,31 +0,0 @@
name: Update_Flake
run-name: "[Update Flake] ${{ inputs.input_to_update }}"
on:
workflow_dispatch:
inputs:
input_to_update:
description: 'Flake input to update'
required: false
type: string
jobs:
update:
runs-on: nix
permissions:
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
contents: write
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.PIPELINE_TOKEN }}
- run: nix flake update ${{ inputs.input_to_update }}
shell: bash
- uses: https://github.com/stefanzweifel/git-auto-commit-action@v5
with:
commit_message: "Updated flake for ${{ inputs.input_to_update }}"

3
.gitignore vendored
View file

@ -6,9 +6,6 @@
*.tmp
tmp
# open office tmp lockfiles
.~lock.*
# Test files
test.*
*.test.*

28
.gitlab-ci.yml
View file

@ -30,7 +30,7 @@ update:
# the part that updates the flake
- nix --experimental-features 'nix-command flakes' flake lock --update-input $PACKAGE_NAME
- git add flake.lock
- git commit -m "Updated flake for $PACKAGE_NAME" || echo "No changes, nothing to commit"
- git commit -m "[skip ci] Updated flake for $PACKAGE_NAME" || echo "No changes, nothing to commit"
# we have a custom domain
- git remote rm origin && git remote add origin ssh://git@gitlab.skynet.ie:2222/compsoc1/skynet/nixos.git
- git push origin HEAD:$CI_COMMIT_REF_NAME
@ -48,14 +48,13 @@ sync_repos:
- chmod +x ./sync.sh
- ./sync.sh
rules:
- if: $UPDATE_FLAKE == "yes"
when: never
- if: '$CI_PROJECT_NAMESPACE == "compsoc1/skynet" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
changes:
- if: '$SYNC_OVERRIDE == "true"'
- changes:
- sync/repos.csv
.scripts_base: &scripts_base
# load nix environment
- git pull origin $CI_COMMIT_REF_NAME
- . "$HOME/.nix-profile/etc/profile.d/nix.sh"
- nix --extra-experimental-features 'nix-command flakes' profile install nixpkgs#colmena
@ -66,23 +65,13 @@ sync_repos:
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
.scripts_cache: &scripts_cache
- nix --extra-experimental-features 'nix-command flakes' profile install nixpkgs#attic-client
- attic login skynet https://nix-cache.skynet.ie/ $CACHE_KEY
- attic use skynet-cache
# add any new items to the cache
- attic watch-store skynet-cache &
# every commit on main will build and deploy
.build_template: &builder
tags:
- nix
before_script:
- *scripts_base
- *scripts_cache
rules:
- if: $UPDATE_FLAKE == "yes"
when: never
- changes:
- applications/**/*
- machines/**/*
@ -96,10 +85,7 @@ sync_repos:
before_script:
- *scripts_deploy
- *scripts_base
- *scripts_cache
rules:
- if: $UPDATE_FLAKE == "yes"
when: never
- if: '$CI_PROJECT_NAMESPACE == "compsoc1/skynet" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
changes:
- flake.nix
@ -119,12 +105,11 @@ build:
<<: *builder
stage: test
script:
- nix --extra-experimental-features 'nix-command flakes' develop
- colmena build -v --on @active-dns
- colmena build -v --on @active-core
- colmena build -v --on @active
- colmena build -v --on @active-ext
- colmena build -v --on @active-git
- colmena build -v --on @active-gitlab
# dns always has to be deployed first
deploy_dns:
@ -161,11 +146,12 @@ deploy_ext:
- deploy_dns
script:
- colmena apply -v --on @active-ext
allow_failure: true
deploy_gitlab:
<<: *builder
<<: *deployment
stage: deploy_gitlab
script:
- colmena apply -v --on @active-git
- colmena apply -v --on @active-gitlab
when: manual

45
ITD/Firewall_Rules.csv
View file

@ -1,45 +0,0 @@
Rule,Action,Ticket,Status,Source_IP,Source_Server,Destination_IP,Destination_Server,Port_TCP,Port_UDP,Notes
SKYNET_FIREWALL_00000,Add,,Complete,VPN,-,93.1.99.71 - 193.1.99.126,All,22,-,sftp/ssh required from vpn to servers for admins
SKYNET_FIREWALL_00001,Add,,Complete,All,-,193.1.99.109,SKYNET00004,-,53,Nameserver for skynet.ie
SKYNET_FIREWALL_00002,Add,,Complete,All,-,193.1.99.111,SKYNET00005,"80, 443, 8000",-,"ULFM, http(s) for internet streaming, 8000 for connecting to the server."
SKYNET_FIREWALL_00003,Add,,Complete,All,-,193.1.99.112,SKYNET00006,"80, 443, 25565",-,"Games host, Minecraft uses 25565 (will have more ports in the future)"
SKYNET_FIREWALL_00004,Add,,Complete,All,-,193.1.99.120,SKYNET00002,-,53,Nameserver for skynet.ie
SKYNET_FIREWALL_00005,Add,i23-01-19_681,Complete,193.1.99.72,SKYNET00001,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00006,Add,i23-01-19_681,Complete,193.1.99.75,SKYNET00008,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00007,Add,i23-01-19_681,Complete,193.1.99.109,SKYNET00004,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00008,Add,i23-01-19_681,Complete,193.1.99.111,SKYNET00005,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00009,Add,i23-01-19_681,Complete,193.1.99.112,SKYNET00006,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00010,Add,i23-01-19_681,Complete,193.1.99.120,SKYNET00002,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00011,Add,i23-05-18_249,Complete,All,-,193.1.99.75,SKYNET00008,"80, 443",-,For gitlab Access
SKYNET_FIREWALL_00012,Add,i23-05-18_249,Complete,193.1.99.72 - 193.1.99.126,-,All,-,-,-,"I would also like to extend the outbound access to cover our entire range (193.1.99.72 to 193.1.99.126) to allow for setup for more servers on those ip's (need to download updates and packages).
I have a few servers I plan to setup over the next two weeks, one after another as the later ones depend on earlier ones.
In such a case asking for permission for each individual IP would induce several tickets and a few weeks of paperwork going through change control.
Only a few of these sevices will need inbound ports opened on ITD's firewall, which can be requested when the systems are up, running and secured."
SKYNET_FIREWALL_00013,Add,i23-05-18_249,Complete,All,-,193.1.99.76,SKYNET00009,"143, 993, 587, 465",-,Email Server
SKYNET_FIREWALL_00014,Add,i23-06-19_525,Complete,All,-,193.1.99.76,SKYNET00009,"80, 443, 25",-,"Mailserver here, SPF, DKIM and DMARC are all set up"
SKYNET_FIREWALL_00015,Add,i23-06-19_525,Complete,All,-,193.1.99.79,SKYNET00011,"80, 443",-,Main Skynet webserver
SKYNET_FIREWALL_00016,Add,i23-06-30_024,Complete,All,-,193.1.96.165,SKYNET00012,22,-,"Skynet user's server
Outlet is 131 or 132"
SKYNET_FIREWALL_00017,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.120,SKYNET00002,-,53,Allow Skynet server to use our own internal DNS
SKYNET_FIREWALL_00018,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.74,SKYNET00007,389/636,-,Allow Skynet server to access LDAP
,Add,i23-07-28_010,Denied,All,-,193.1.99.74,SKYNET00007,"80, 443",-,Self Service site for Skynet accounts Only 443 on account modification pages
SKYNET_FIREWALL_00019,Add,i23-07-28_010,Complete,All,-,193.1.99.74,SKYNET00007,443,-,Self Service site for Skynet accounts
SKYNET_FIREWALL_00020,Add,i23-09-05_639,Complete,All,-,193.1.96.165,SKYNET00012,"80, 443",-,Web hosting for user sites
SKYNET_FIREWALL_00021,Add,i23-10-27_014,Complete,All,-,193.1.99.77,SKYNET00014,"80, 443",-,"Nextcloud, selfhosted google services, filestorage and documents"
SKYNET_FIREWALL_00022,Add,i24-02-01_102,Complete,193.1.96.165,SKYNET00012,103.1.99.109,SKYNET00004,-,53,Give the Skynet server access to ur secondary DNS
SKYNET_FIREWALL_00023,Add,i24-02-01_102,Complete,193.1.99.78,SKYNET00010,193.1.96.165,SKYNET00012,22,-,Allow our gitlab runner to access and deploy to teh external server
SKYNET_FIREWALL_00024,Add,i24-02-16_065,Complete,All,-,193.1.99.90,SKYNET00016,"80, 443",-,Games Server Administrative panel
SKYNET_FIREWALL_00025,Add,i24-02-16_065,Complete,All,-,193.1.99.91,SKYNET00017,25518-25525,"19132, 24418-24425",Minecraft Games server
SKYNET_FIREWALL_00026,Add,i24-06-04_017,Complete,All,-,193.1.99.76,SKYNET00009,4190,-,"Email sieve to allow members to add email filters to their
skynet mail."
SKYNET_FIREWALL_00027,Add,i24-06-04_017,Complete,All,-,193.1.99.82,SKYNET00018,80/443,-,"Public services such as a binary cache, open governance and keyserver"
,Add,i24-06-04_017,Denied,All,-,193.1.99.90,SKYNET00016,8080,-,"Websocket for admin panel on games management server
Denied because more information on wat it was for was requested"
,Add,i24-06-04_017,Denied,193.1.99.74,SKYNET00007,193.1.96.165,SKYNET00012,9000-9020,-,"Metrics collection, not done because not enough info provided"
SKYNET_FIREWALL_00028,Remove,i24-06-04_017,Complete,-,-,193.1.99.112,SKYNET00019,25565,-,No longer the minecraft game host
SKYNET_FIREWALL_00029,Add,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Websocket for admin panel on games management server
SKYNET_FIREWALL_00030,Add,i24-06-04_017,Complete,193.1.99.83,SKYNET00020,193.1.96.165,SKYNET00012,9000-9010,-,Metrics Collection
SKYNET_FIREWALL_00031,Add,i24-06-04_017,Complete,All,-,193.1.99.83,SKYNET00020,"80, 443",-,Web interface for Metrics server
SKYNET_FIREWALL_00032,Remove,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Had incorrectly opened 8080 on the main panel
SKYNET_FIREWALL_00033,Add,i24-06-04_017,Complete,All,-,193.1.99.91,SKYNET00017,8080,-,Websocket for admin panel on games management server
,Add,i24-07-15_112,Denied,193.1.99.75,-,-,-,22,-,Response from ITD - 'Our IT Security team have advised that port 22 and port 2222 are only to be allowed through the VPN and will not be opened to allow inbound ssh connections directly from the internet'
1 Rule Action Ticket Status Source_IP Source_Server Destination_IP Destination_Server Port_TCP Port_UDP Notes
2 SKYNET_FIREWALL_00000 Add Complete VPN - 93.1.99.71 - 193.1.99.126 All 22 - sftp/ssh required from vpn to servers for admins
3 SKYNET_FIREWALL_00001 Add Complete All - 193.1.99.109 SKYNET00004 - 53 Nameserver for skynet.ie
4 SKYNET_FIREWALL_00002 Add Complete All - 193.1.99.111 SKYNET00005 80, 443, 8000 - ULFM, http(s) for internet streaming, 8000 for connecting to the server.
5 SKYNET_FIREWALL_00003 Add Complete All - 193.1.99.112 SKYNET00006 80, 443, 25565 - Games host, Minecraft uses 25565 (will have more ports in the future)
6 SKYNET_FIREWALL_00004 Add Complete All - 193.1.99.120 SKYNET00002 - 53 Nameserver for skynet.ie
7 SKYNET_FIREWALL_00005 Add i23-01-19_681 Complete 193.1.99.72 SKYNET00001 All - - - Allow outbound access
8 SKYNET_FIREWALL_00006 Add i23-01-19_681 Complete 193.1.99.75 SKYNET00008 All - - - Allow outbound access
9 SKYNET_FIREWALL_00007 Add i23-01-19_681 Complete 193.1.99.109 SKYNET00004 All - - - Allow outbound access
10 SKYNET_FIREWALL_00008 Add i23-01-19_681 Complete 193.1.99.111 SKYNET00005 All - - - Allow outbound access
11 SKYNET_FIREWALL_00009 Add i23-01-19_681 Complete 193.1.99.112 SKYNET00006 All - - - Allow outbound access
12 SKYNET_FIREWALL_00010 Add i23-01-19_681 Complete 193.1.99.120 SKYNET00002 All - - - Allow outbound access
13 SKYNET_FIREWALL_00011 Add i23-05-18_249 Complete All - 193.1.99.75 SKYNET00008 80, 443 - For gitlab Access
14 SKYNET_FIREWALL_00012 Add i23-05-18_249 Complete 193.1.99.72 - 193.1.99.126 - All - - - I would also like to extend the outbound access to cover our entire range (193.1.99.72 to 193.1.99.126) to allow for setup for more servers on those ip's (need to download updates and packages). I have a few servers I plan to setup over the next two weeks, one after another as the later ones depend on earlier ones. In such a case asking for permission for each individual IP would induce several tickets and a few weeks of paperwork going through change control. Only a few of these sevices will need inbound ports opened on ITD's firewall, which can be requested when the systems are up, running and secured.
15 SKYNET_FIREWALL_00013 Add i23-05-18_249 Complete All - 193.1.99.76 SKYNET00009 143, 993, 587, 465 - Email Server
16 SKYNET_FIREWALL_00014 Add i23-06-19_525 Complete All - 193.1.99.76 SKYNET00009 80, 443, 25 - Mailserver here, SPF, DKIM and DMARC are all set up
17 SKYNET_FIREWALL_00015 Add i23-06-19_525 Complete All - 193.1.99.79 SKYNET00011 80, 443 - Main Skynet webserver
18 SKYNET_FIREWALL_00016 Add i23-06-30_024 Complete All - 193.1.96.165 SKYNET00012 22 - Skynet user's server Outlet is 131 or 132
19 SKYNET_FIREWALL_00017 Add i23-06-30_024 Complete 193.1.96.165 SKYNET00012 193.1.99.120 SKYNET00002 - 53 Allow Skynet server to use our own internal DNS
20 SKYNET_FIREWALL_00018 Add i23-06-30_024 Complete 193.1.96.165 SKYNET00012 193.1.99.74 SKYNET00007 389/636 - Allow Skynet server to access LDAP
21 Add i23-07-28_010 Denied All - 193.1.99.74 SKYNET00007 80, 443 - Self Service site for Skynet accounts – Only 443 on account modification pages
22 SKYNET_FIREWALL_00019 Add i23-07-28_010 Complete All - 193.1.99.74 SKYNET00007 443 - Self Service site for Skynet accounts
23 SKYNET_FIREWALL_00020 Add i23-09-05_639 Complete All - 193.1.96.165 SKYNET00012 80, 443 - Web hosting for user sites
24 SKYNET_FIREWALL_00021 Add i23-10-27_014 Complete All - 193.1.99.77 SKYNET00014 80, 443 - Nextcloud, selfhosted google services, filestorage and documents
25 SKYNET_FIREWALL_00022 Add i24-02-01_102 Complete 193.1.96.165 SKYNET00012 103.1.99.109 SKYNET00004 - 53 Give the Skynet server access to ur secondary DNS
26 SKYNET_FIREWALL_00023 Add i24-02-01_102 Complete 193.1.99.78 SKYNET00010 193.1.96.165 SKYNET00012 22 - Allow our gitlab runner to access and deploy to teh external server
27 SKYNET_FIREWALL_00024 Add i24-02-16_065 Complete All - 193.1.99.90 SKYNET00016 80, 443 - Games Server Administrative panel
28 SKYNET_FIREWALL_00025 Add i24-02-16_065 Complete All - 193.1.99.91 SKYNET00017 25518-25525 19132, 24418-24425 Minecraft Games server
29 SKYNET_FIREWALL_00026 Add i24-06-04_017 Complete All - 193.1.99.76 SKYNET00009 4190 - Email sieve to allow members to add email filters to their skynet mail.
30 SKYNET_FIREWALL_00027 Add i24-06-04_017 Complete All - 193.1.99.82 SKYNET00018 80/443 - Public services such as a binary cache, open governance and keyserver
31 Add i24-06-04_017 Denied All - 193.1.99.90 SKYNET00016 8080 - Websocket for admin panel on games management server Denied because more information on wat it was for was requested
32 Add i24-06-04_017 Denied 193.1.99.74 SKYNET00007 193.1.96.165 SKYNET00012 9000-9020 - Metrics collection, not done because not enough info provided
33 SKYNET_FIREWALL_00028 Remove i24-06-04_017 Complete - - 193.1.99.112 SKYNET00019 25565 - No longer the minecraft game host
34 SKYNET_FIREWALL_00029 Add i24-06-04_017 Complete All - 193.1.99.90 SKYNET00016 8080 - Websocket for admin panel on games management server
35 SKYNET_FIREWALL_00030 Add i24-06-04_017 Complete 193.1.99.83 SKYNET00020 193.1.96.165 SKYNET00012 9000-9010 - Metrics Collection
36 SKYNET_FIREWALL_00031 Add i24-06-04_017 Complete All - 193.1.99.83 SKYNET00020 80, 443 - Web interface for Metrics server
37 SKYNET_FIREWALL_00032 Remove i24-06-04_017 Complete All - 193.1.99.90 SKYNET00016 8080 - Had incorrectly opened 8080 on the main panel
38 SKYNET_FIREWALL_00033 Add i24-06-04_017 Complete All - 193.1.99.91 SKYNET00017 8080 - Websocket for admin panel on games management server
39 Add i24-07-15_112 Denied 193.1.99.75 - - - 22 - Response from ITD - 'Our IT Security team have advised that port 22 and port 2222 are only to be allowed through the VPN and will not be opened to allow inbound ssh connections directly from the internet'

24
ITD/Server_Inventory.csv
View file

@ -1,24 +0,0 @@
Index,Name,Status,IP_Address,OS,Description
SKYNET00001,agentjones,Active,193.1.99.072,Nixos-24.05,Firewall (currently not active)
SKYNET00002,vendetta,Active,193.1.99.120,Nixos-24.05,DNS Nameserver 1
SKYNET00003,jarvis,Active,193.1.99.073,Proxmox,VM Host
SKYNET00004,vigil,Active,193.1.99.109,Nixos-24.05,DNS Nameserver 2
SKYNET00005,galatea,Active,193.1.99.111,Nixos-24.05,ULFM Radio
SKYNET00006,optimus,Retired,193.1.99.112,Nixos-24.05,Retired Games server
SKYNET00007,kitt,Active,193.1.99.074,Nixos-24.05,"LDAP and Self-Service Password/Account management, also hosts our Discord bot"
SKYNET00008,glados,Active,193.1.99.075,Nixos-24.05,Gitlab server
SKYNET00009,gir,Active,193.1.99.076,Nixos-24.05,Email and Webmail
SKYNET00010,wheatly,Active,193.1.99.078,Nixos-24.05,Gitlab Runner
SKYNET00011,earth,Active,193.1.99.079,Nixos-24.05,Offical website host
SKYNET00012,skynet,Active,193.1.96.165,Nixos-24.05,Skynet server. (DMZ)
SKYNET00013,neuromancer,Active,193.1.99.080,Nixos-24.05,Local Backup Server
SKYNET00014,cadie,Active,193.1.99.077,Nixos-24.05,"Services VM, has nextcloud to start with"
SKYNET00015,marvin,Active,193.1.99.081,Nixos-24.05,Trainee testing server
SKYNET00016,optimus,Active,193.1.99.090,Debian-12,Games server manager (replacing SKYNET00006 soon)
SKYNET00017,bumblebee,Active,193.1.99.091,Debian-12,Game server - Minecraft
SKYNET00018,calculon,Active,193.1.99.082,Nixos-24.05,"Public Services such as binary cache, Open Governance and Keyserver"
SKYNET00019,deepthought,Active,193.1.99.112,Nixos-24.05,Backup Test Server using restic
SKYNET00020,ariia,Active,193.1.99.083,Nixos-24.05,"Metrics, Grafana and Prometheus"
SKYNET00021,ash,Active,193.1.99.114,NA,Server Room Network access
SKYNET00022,ultron,Active,193.1.99.084,Proxmox,VM Host
SKYNET00023,optimus-test,Active,193.1.99.085,Nixos,Testing flake for Pelecian
1 Index Name Status IP_Address OS Description
2 SKYNET00001 agentjones Active 193.1.99.072 Nixos-24.05 Firewall (currently not active)
3 SKYNET00002 vendetta Active 193.1.99.120 Nixos-24.05 DNS Nameserver 1
4 SKYNET00003 jarvis Active 193.1.99.073 Proxmox VM Host
5 SKYNET00004 vigil Active 193.1.99.109 Nixos-24.05 DNS Nameserver 2
6 SKYNET00005 galatea Active 193.1.99.111 Nixos-24.05 ULFM Radio
7 SKYNET00006 optimus Retired 193.1.99.112 Nixos-24.05 Retired Games server
8 SKYNET00007 kitt Active 193.1.99.074 Nixos-24.05 LDAP and Self-Service Password/Account management, also hosts our Discord bot
9 SKYNET00008 glados Active 193.1.99.075 Nixos-24.05 Gitlab server
10 SKYNET00009 gir Active 193.1.99.076 Nixos-24.05 Email and Webmail
11 SKYNET00010 wheatly Active 193.1.99.078 Nixos-24.05 Gitlab Runner
12 SKYNET00011 earth Active 193.1.99.079 Nixos-24.05 Offical website host
13 SKYNET00012 skynet Active 193.1.96.165 Nixos-24.05 Skynet server. (DMZ)
14 SKYNET00013 neuromancer Active 193.1.99.080 Nixos-24.05 Local Backup Server
15 SKYNET00014 cadie Active 193.1.99.077 Nixos-24.05 Services VM, has nextcloud to start with
16 SKYNET00015 marvin Active 193.1.99.081 Nixos-24.05 Trainee testing server
17 SKYNET00016 optimus Active 193.1.99.090 Debian-12 Games server manager (replacing SKYNET00006 soon)
18 SKYNET00017 bumblebee Active 193.1.99.091 Debian-12 Game server - Minecraft
19 SKYNET00018 calculon Active 193.1.99.082 Nixos-24.05 Public Services such as binary cache, Open Governance and Keyserver
20 SKYNET00019 deepthought Active 193.1.99.112 Nixos-24.05 Backup Test Server using restic
21 SKYNET00020 ariia Active 193.1.99.083 Nixos-24.05 Metrics, Grafana and Prometheus
22 SKYNET00021 ash Active 193.1.99.114 NA Server Room Network access
23 SKYNET00022 ultron Active 193.1.99.084 Proxmox VM Host
24 SKYNET00023 optimus-test Active 193.1.99.085 Nixos Testing flake for Pelecian

6
ITD/VPN_Admins.csv
View file

@ -1,6 +0,0 @@
Index,First Name,Surname,UL Student Email
SKYNET_VPN_ADM_001,Brendan,Golden,12136891@studentmail.ul.ie
SKYNET_VPN_ADM_002,Evan,Cassidy,External
SKYNET_VPN_ADM_003,Eoghan,Conlon,21310262@studentmail.ul.ie
SKYNET_VPN_ADM_004,Eliza,Macovei,23382619@studentmail.ul.ie
SKYNET_VPN_ADM_005,Daragh,Downes,22351159@studentmail.ul.ie
1 Index First Name Surname UL Student Email
2 SKYNET_VPN_ADM_001 Brendan Golden 12136891@studentmail.ul.ie
3 SKYNET_VPN_ADM_002 Evan Cassidy External
4 SKYNET_VPN_ADM_003 Eoghan Conlon 21310262@studentmail.ul.ie
5 SKYNET_VPN_ADM_004 Eliza Macovei 23382619@studentmail.ul.ie
6 SKYNET_VPN_ADM_005 Daragh Downes 22351159@studentmail.ul.ie

7
ITD/VPN_Admins_changes.csv
View file

@ -1,7 +0,0 @@
Date,Date Modified,Action,Ticket,ID
SKYNET_VPN_ADM_CHANGE_001,2023/04/04,Added,,SKYNET_VPN_ADM_001
SKYNET_VPN_ADM_CHANGE_002,2023/04/04,Added,,SKYNET_VPN_ADM_002
SKYNET_VPN_ADM_CHANGE_003,2023/04/04,Added,,SKYNET_VPN_ADM_003
SKYNET_VPN_ADM_CHANGE_003,2024/07/21,Removed,i24-07-22_760,SKYNET_VPN_ADM_003
SKYNET_VPN_ADM_CHANGE_004,2024/07/21,Added,i24-07-22_760,SKYNET_VPN_ADM_004
SKYNET_VPN_ADM_CHANGE_005,2024/07/21,Added,i24-07-22_760,SKYNET_VPN_ADM_005
1 Date Date Modified Action Ticket ID
2 SKYNET_VPN_ADM_CHANGE_001 2023/04/04 Added SKYNET_VPN_ADM_001
3 SKYNET_VPN_ADM_CHANGE_002 2023/04/04 Added SKYNET_VPN_ADM_002
4 SKYNET_VPN_ADM_CHANGE_003 2023/04/04 Added SKYNET_VPN_ADM_003
5 SKYNET_VPN_ADM_CHANGE_003 2024/07/21 Removed i24-07-22_760 SKYNET_VPN_ADM_003
6 SKYNET_VPN_ADM_CHANGE_004 2024/07/21 Added i24-07-22_760 SKYNET_VPN_ADM_004
7 SKYNET_VPN_ADM_CHANGE_005 2024/07/21 Added i24-07-22_760 SKYNET_VPN_ADM_005

18
ITD_Firewall.csv Normal file
View file

@ -0,0 +1,18 @@
Index,Name,IP_Address,DNS_Name,Ports_Current,Ports_Requested,Related_Tickets,Description
SKYNET00001,agentjones,193.1.99.72,agentjones,"","","",Firewall (currently not active)
SKYNET00002,vendetta,193.1.99.120,vendetta/ns1,53,"","",DNS Nameserver 1
SKYNET00003,jarvis,193.1.99.73,jarvis,"","","",VM Host
SKYNET00004,vigil,193.1.99.109,vigil/ns2,53,"","",DNS Nameserver 2
SKYNET00005,galatea,193.1.99.111,galatea/stream,80/443 8000,"","",ULFM Radio
SKYNET00006,optimus,193.1.99.112,optimus/games/*.games,80/443 25565,"","",Games server
SKYNET00007,kitt,193.1.99.74,kitt/account/api.account,443,"",i23-07-28_010,"LDAP and Self-Service Password/Account management, also hosts our Discord bot"
SKYNET00008,glados,193.1.99.75,glados/gitlab/*.pages.gitlab,80/443,2222,i23-05-18_249,Gitlab server
SKYNET00009,gir,193.1.99.76,gir/mail/imap/pop3/smtp,80/443 25/143/993/587/465,"",i23-06-19_525/i23-06-19_525,Email and Webmail
SKYNET00010,wheatly,193.1.99.78,wheatly,"","","",Gitlab Runner
SKYNET00011,earth,193.1.99.79,earth,80/443,"",i23-06-19_525,Offical website host
SKYNET00012,skynet,193.1.96.165,skynet/*.users,22 80/443,"",i23-06-30_024,Skynet server. (DMZ)
SKYNET00013,neuromancer,193.1.99.80,neuromancer,"","","",Local Backup Server
SKYNET00014,cadie,193.1.99.77,cadie/nextcloud/onlyoffice.nextcloud,80/443,"",i23-10-27_014,"Services VM, has nextcloud to start with"
SKYNET00015,marvin,193.1.99.81,marvin,,,,Trainee testing server
SKYNET00016,optimus,193.1.99.99,,,,,Games server manager (replacing SKYNET00006 soon)
SKYNET00017,bumblebee,193.1.99.100,,,,,Game server - Minecraft
1 Index Name IP_Address DNS_Name Ports_Current Ports_Requested Related_Tickets Description
2 SKYNET00001 agentjones 193.1.99.72 agentjones Firewall (currently not active)
3 SKYNET00002 vendetta 193.1.99.120 vendetta/ns1 53 DNS Nameserver 1
4 SKYNET00003 jarvis 193.1.99.73 jarvis VM Host
5 SKYNET00004 vigil 193.1.99.109 vigil/ns2 53 DNS Nameserver 2
6 SKYNET00005 galatea 193.1.99.111 galatea/stream 80/443 8000 ULFM Radio
7 SKYNET00006 optimus 193.1.99.112 optimus/games/*.games 80/443 25565 Games server
8 SKYNET00007 kitt 193.1.99.74 kitt/account/api.account 443 i23-07-28_010 LDAP and Self-Service Password/Account management, also hosts our Discord bot
9 SKYNET00008 glados 193.1.99.75 glados/gitlab/*.pages.gitlab 80/443 2222 i23-05-18_249 Gitlab server
10 SKYNET00009 gir 193.1.99.76 gir/mail/imap/pop3/smtp 80/443 25/143/993/587/465 i23-06-19_525/i23-06-19_525 Email and Webmail
11 SKYNET00010 wheatly 193.1.99.78 wheatly Gitlab Runner
12 SKYNET00011 earth 193.1.99.79 earth 80/443 i23-06-19_525 Offical website host
13 SKYNET00012 skynet 193.1.96.165 skynet/*.users 22 80/443 i23-06-30_024 Skynet server. (DMZ)
14 SKYNET00013 neuromancer 193.1.99.80 neuromancer Local Backup Server
15 SKYNET00014 cadie 193.1.99.77 cadie/nextcloud/onlyoffice.nextcloud 80/443 i23-10-27_014 Services VM, has nextcloud to start with
16 SKYNET00015 marvin 193.1.99.81 marvin Trainee testing server
17 SKYNET00016 optimus 193.1.99.99 Games server manager (replacing SKYNET00006 soon)
18 SKYNET00017 bumblebee 193.1.99.100 Game server - Minecraft

9
LICENSE
View file

@ -1,9 +0,0 @@
MIT License
Copyright (c) 2024 Skynet
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

1
Possible_Server_Names.md
View file

@ -1,6 +1,5 @@
https://web.archive.org/web/20180815150202/https://wiki.skynet.ie/Admin/SkynetMachines
https://en.m.wikipedia.org/wiki/Category:Fictional_artificial_intelligences
https://en.wikipedia.org/wiki/List_of_artificial_intelligence_films
* agentsmith
* skynet

6
README.md
View file

@ -43,7 +43,7 @@ colmena build --on @active-dns
Deploying is putting (apply-ing) the config tat was built onto the server, there is no need to build first, it will automatically do so.
While the ***recommended way of deploying is using the CI/CD process*** there are times when you will have to manually deploy the config.
One such case is the ``@active-git`` group if either Gitlab or Gitlab-runner got updated.
One such case is the ``@active-gitlab`` group if either Gitlab or Gitlab-runner got updated.
Another is if ye have fecked up DNS.
Your ``~/.ssh/config`` should be set up as follows and you should be a member of ``skynet-admins-linux``
@ -60,10 +60,10 @@ Then you can run the following commands like so:
```shell
colmena apply
colmena apply --on @active-dns
colmena apply --on @active-git
colmena apply --on @active-gitlab
```
The CI/CD pipeline has a manual job that can be triggered to update ``@active-git`` if you know it wont cause issues.
The CI/CD pipeline has a manual job that can be triggered to update ``@active-gitlab`` if you know it wont cause issues.
### Agenix

19
_types/dns_object.nix Normal file
View file

@ -0,0 +1,19 @@
{lib, ...}:
with lib; {
options = {
record = mkOption {
type = types.str;
};
r_type = mkOption {
type = types.enum ["A" "CNAME" "TXT" "PTR" "SRV" "MX"];
};
value = mkOption {
type = types.str;
};
server = mkOption {
description = "Core record for a server";
type = types.bool;
default = false;
};
};
}

74
applications/_base.nix
View file

@ -1,74 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
# root service
cfg = config.services.skynet;
in {
imports = [
# every server needs to have a dns record
./dns/dns.nix
# every server should have proper certs
./acme.nix
./nginx.nix
# every server may need the firewall config stuff
./firewall.nix
# every server needs teh ldap client for admins
./ldap/client.nix
# every server will need the config to backup to
./restic.nix
# every server will be monitored for grafana
./prometheus.nix
];
options.services.skynet = {
# since we use this basically everywhere provide a standard way to set it
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
hostname = mkOption {
type = types.str;
default = "${cfg.host.name}.skynet.ie";
};
};
};
config = {
services.skynet.dns.records = [
{
record = cfg.host.name;
r_type = "A";
value = cfg.host.ip;
server = true;
}
{
record = cfg.host.ip;
r_type = "PTR";
value = cfg.host.hostname;
}
];
services.nginx = {
virtualHosts = {
# for every server unless explisitly defined redirect the ip to skynet.ie
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
};
};
};
}

165
applications/_retired/games/minecraft.nix
View file

@ -1,165 +0,0 @@
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
name = "games_minecraft";
cfg = config.services.skynet."${name}";
# got tired of how long this is so I created a var for it.
short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in {
imports = [
inputs.arion.nixosModules.arion
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Games Minecraft";
domain = {
tld = mkOption {
type = types.str;
default = "ie";
};
base = mkOption {
type = types.str;
default = "skynet";
};
sub = mkOption {
type = types.str;
default = "minecraft.games";
};
};
};
config = mkIf cfg.enable {
skynet_firewall.forward = [
"ip daddr ${config.services.skynet.host.ip} tcp dport 80 counter packets 0 bytes 0 accept"
"ip daddr ${config.services.skynet.host.ip} tcp dport 443 counter packets 0 bytes 0 accept"
"ip daddr ${config.services.skynet.host.ip} tcp dport 25565 counter packets 0 bytes 0 accept"
];
services.skynet.acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
"*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
];
services.skynet.dns.records = [
# the minecraft (web) config server
{
record = "config.${cfg.domain.sub}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
# our own minecraft hosts
{
record = "compsoc_classic.${cfg.domain.sub}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
{
record = "compsoc.${cfg.domain.sub}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
# gsoc servers
{
record = "gsoc.${cfg.domain.sub}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
{
record = "gsoc_abridged.${cfg.domain.sub}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
# phildeb
{
record = "phildeb.${cfg.domain.sub}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
networking.firewall.allowedTCPPorts = [
# for the proxy
25565
];
services.nginx.virtualHosts = {
# https://config.minecraft.games.skynet.ie
"config.${short_domain}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "https://localhost:8443";
proxyWebsockets = true;
};
};
# https://compsoc_classic.minecraft.games.skynet.ie/map/
"compsoc_classic.${short_domain}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/map/".alias = "/etc/games/minecraft/craftycontrol/servers/f4c5eb33-c6d6-421c-81ab-ded31f6e8750/plugins/dynmap/web/";
};
};
# arion is one way to use docker on nixos
# see https://gitlab.com/c2842/computer_society/nixos/-/blob/733b867f4782afa795848135a83e97a5cafaf16a/applications/games/minecraft.nix
# for an example of a single compose file with multiple services
virtualisation.arion = {
backend = "docker";
projects = {
minecraft.settings.services = {
mc_proxy.service = {
image = "itzg/mc-router:1.18.0";
ports = ["25565:25565/tcp"];
expose = ["25565"];
command = [
"--mapping=compsoc_classic.${short_domain}=mc_config:20000,compsoc.${short_domain}=mc_config:20001,gsoc.${short_domain}=mc_config:20002,gsoc.${short_domain}=mc_config:20002,gsoc_abridged.${short_domain}=mc_config:20003,phildeb.${short_domain}=mc_config:20004"
];
};
mc_config.service = {
image = "registry.gitlab.com/crafty-controller/crafty-4:4.1.1";
environment = {
TZ = "Etc/UTC";
};
volumes = [
"/etc/games/minecraft/craftycontrol/backups:/crafty/backups"
"/etc/games/minecraft/craftycontrol/logs:/crafty/logs"
"/etc/games/minecraft/craftycontrol/servers:/crafty/servers"
"/etc/games/minecraft/craftycontrol/config:/crafty/app/config"
"/etc/games/minecraft/craftycontrol/import:/crafty/import"
];
ports = [
# this ius https only
"8443:8443/tcp"
# compsoc classic
"20000:20000/tcp"
# compsoc
"20001:20001/tcp"
# games
"20002:20002/tcp"
"20003:20003/tcp"
# phildeb
"20004:20004/tcp"
];
};
};
};
};
};
}

24
applications/acme.nix
View file

@ -5,21 +5,21 @@
...
}:
with lib; let
name = "acme";
cfg = config.services.skynet."${name}";
cfg = config.skynet_acme;
in {
imports = [];
options.services.skynet."${name}" = {
domains = lib.mkOption {
default = [];
type = lib.types.listOf lib.types.str;
description = ''
A list of domains to use for this server.
'';
options = {
skynet_acme = {
domains = lib.mkOption {
default = [];
type = lib.types.listOf lib.types.str;
description = ''
A list of domains to use for this server.
'';
};
};
};
config = {
# group that will own the certificates
users.groups.acme = {};
@ -32,15 +32,15 @@ in {
defaults = {
email = "admin_acme@skynet.ie";
credentialsFile = config.age.secrets.acme.path;
# we use our own dns authorative server for verifying we own the domain.
dnsProvider = "rfc2136";
credentialsFile = config.age.secrets.acme.path;
};
certs = {
"skynet" = {
domain = "skynet.ie";
extraDomainNames = lists.naturalSort cfg.domains;
extraDomainNames = cfg.domains;
};
};
};

324
applications/bitwarden/bitwarden-directory-connector-cli.nix Normal file
View file

@ -0,0 +1,324 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.bitwarden-directory-connector-cli;
in {
disabledModules = ["services/security/bitwarden-directory-connector-cli.nix"];
options.services.bitwarden-directory-connector-cli = {
enable = mkEnableOption "Bitwarden Directory Connector";
package = mkPackageOption pkgs "bitwarden-directory-connector-cli" {};
domain = mkOption {
type = types.str;
description = lib.mdDoc "The domain the Bitwarden/Vaultwarden is accessible on.";
example = "https://vaultwarden.example.com";
};
user = mkOption {
type = types.str;
description = lib.mdDoc "User to run the program.";
default = "bwdc";
};
interval = mkOption {
type = types.str;
default = "*:0,15,30,45";
description = lib.mdDoc "The interval when to run the connector. This uses systemd's OnCalendar syntax.";
};
ldap = mkOption {
description = lib.mdDoc ''
Options to configure the LDAP connection.
If you used the desktop application to test the configuration you can find the settings by searching for `ldap` in `~/.config/Bitwarden\ Directory\ Connector/data.json`.
'';
default = {};
type = types.submodule ({
config,
options,
...
}: {
freeformType = types.attrsOf (pkgs.formats.json {}).type;
config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options)));
options = {
finalJSON = mkOption {
type = (pkgs.formats.json {}).type;
internal = true;
readOnly = true;
visible = false;
};
ssl = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether to use TLS.";
};
startTls = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether to use STARTTLS.";
};
hostname = mkOption {
type = types.str;
description = lib.mdDoc "The host the LDAP is accessible on.";
example = "ldap.example.com";
};
port = mkOption {
type = types.port;
default = 389;
description = lib.mdDoc "Port LDAP is accessible on.";
};
ad = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether the LDAP Server is an Active Directory.";
};
pagedSearch = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether the LDAP server paginates search results.";
};
rootPath = mkOption {
type = types.str;
description = lib.mdDoc "Root path for LDAP.";
example = "dc=example,dc=com";
};
username = mkOption {
type = types.str;
description = lib.mdDoc "The user to authenticate as.";
example = "cn=admin,dc=example,dc=com";
};
};
});
};
sync = mkOption {
description = lib.mdDoc ''
Options to configure what gets synced.
If you used the desktop application to test the configuration you can find the settings by searching for `sync` in `~/.config/Bitwarden\ Directory\ Connector/data.json`.
'';
default = {};
type = types.submodule ({
config,
options,
...
}: {
freeformType = types.attrsOf (pkgs.formats.json {}).type;
config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options)));
options = {
finalJSON = mkOption {
type = (pkgs.formats.json {}).type;
internal = true;
readOnly = true;
visible = false;
};
removeDisabled = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group.";
};
overwriteExisting = mkOption {
type = types.bool;
default = false;
description =
lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.";
};
largeImport = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Enable if you are syncing more than 2000 users/groups.";
};
memberAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute that lists members in a LDAP group.";
example = "uniqueMember";
};
creationDateAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute that lists a user's creation date.";
example = "whenCreated";
};
useEmailPrefixSuffix = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "If a user has no email address, combine a username prefix with a suffix value to form an email.";
};
emailPrefixAttribute = mkOption {
type = types.str;
description = lib.mdDoc "The attribute that contains the users username.";
example = "accountName";
};
emailSuffix = mkOption {
type = types.str;
description = lib.mdDoc "Suffix for the email, normally @example.com.";
example = "@example.com";
};
users = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Sync users.";
};
userPath = mkOption {
type = types.str;
description = lib.mdDoc "User directory, relative to root.";
default = "ou=users";
};
userObjectClass = mkOption {
type = types.str;
description = lib.mdDoc "Class that users must have.";
default = "inetOrgPerson";
};
userEmailAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute for a users email.";
default = "mail";
};
userFilter = mkOption {
type = types.str;
description = lib.mdDoc "LDAP filter for users.";
example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)";
default = "";
};
groups = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether to sync ldap groups into BitWarden.";
};
groupPath = mkOption {
type = types.str;
description = lib.mdDoc "Group directory, relative to root.";
default = "ou=groups";
};
groupObjectClass = mkOption {
type = types.str;
description = lib.mdDoc "A class that groups will have.";
default = "groupOfNames";
};
groupNameAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute for a name of group.";
default = "cn";
};
groupFilter = mkOption {
type = types.str;
description = lib.mdDoc "LDAP filter for groups.";
example = "(cn=sales)";
default = "";
};
};
});
};
secrets = {
ldap = mkOption {
type = types.str;
description = "Path to file that contains LDAP password for user in {option}`ldap.username";
};
bitwarden = {
client_path_id = mkOption {
type = types.str;
description = "Path to file that contains Client ID.";
};
client_path_secret = mkOption {
type = types.str;
description = "Path to file that contains Client Secret.";
};
};
};
};
config = mkIf cfg.enable {
users.groups."${cfg.user}" = {};
users.users."${cfg.user}" = {
isSystemUser = true;
group = cfg.user;
};
systemd = {
timers.bitwarden-directory-connector-cli = {
description = "Sync timer for Bitwarden Directory Connector";
wantedBy = ["timers.target"];
after = ["network-online.target"];
timerConfig = {
OnCalendar = cfg.interval;
Unit = "bitwarden-directory-connector-cli.service";
Persistent = true;
};
};
services.bitwarden-directory-connector-cli = {
description = "Main process for Bitwarden Directory Connector";
environment = {
BITWARDENCLI_CONNECTOR_APPDATA_DIR = "/tmp";
BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS = "true";
};
serviceConfig = {
Type = "oneshot";
User = "${cfg.user}";
PrivateTmp = true;
ExecStartPre = pkgs.writeShellScript "bitwarden_directory_connector-config" ''
set -eo pipefail
# create the config file
${lib.getExe cfg.package} data-file
touch /tmp/data.json.tmp
chmod 600 /tmp/data.json{,.tmp}
${lib.getExe cfg.package} config server ${cfg.domain}
# now login to set credentials
export BW_CLIENTID="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_id})"
export BW_CLIENTSECRET="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_secret})"
${lib.getExe cfg.package} login
${lib.getExe pkgs.jq} '.authenticatedAccounts[0] as $account
| .[$account].directoryConfigurations.ldap |= $ldap_data
| .[$account].directorySettings.organizationId |= $orgID
| .[$account].directorySettings.sync |= $sync_data' \
--argjson ldap_data ${escapeShellArg cfg.ldap.finalJSON} \
--arg orgID "''${BW_CLIENTID//organization.}" \
--argjson sync_data ${escapeShellArg cfg.sync.finalJSON} \
/tmp/data.json \
> /tmp/data.json.tmp
mv -f /tmp/data.json.tmp /tmp/data.json
# final config
${lib.getExe cfg.package} config directory 0
${lib.getExe cfg.package} config ldap.password --secretfile ${cfg.secrets.ldap}
'';
ExecStart = "${lib.getExe cfg.package} sync";
};
};
};
};
meta.maintainers = with maintainers; [Silver-Golden];
}

4
applications/bitwarden/bitwarden_sync.nix
View file

@ -6,7 +6,9 @@
}: let
user = "bwdc";
in {
imports = [];
imports = [
./bitwarden-directory-connector-cli.nix
];
options = {};

31
applications/bitwarden/vaultwarden.nix
View file

@ -6,36 +6,53 @@
...
}:
with lib; let
name = "vaultwarden";
cfg = config.services.skynet."${name}";
cfg = config.services.skynet_vaultwarden;
domain_sub = "pw";
domain = "${domain_sub}.skynet.ie";
in {
imports = [
../acme.nix
../dns.nix
../nginx.nix
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet VaultWarden server";
options.services.skynet_vaultwarden = {
enable = mkEnableOption "Skynet vaultwarden server";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
};
config = mkIf cfg.enable {
#backups = [ "/etc/silver_ul_ical/database.db" ];
# Website config
services.skynet.acme.domains = [
skynet_acme.domains = [
domain
];
services.skynet.dns.records = [
skynet_dns.records = [
{
record = domain_sub;
r_type = "CNAME";
value = config.services.skynet.host.name;
value = cfg.host.name;
}
];
services.nginx.virtualHosts = {
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
"${domain}" = {
forceSSL = true;
useACMEHost = "skynet";

10
applications/discord.nix
View file

@ -6,14 +6,13 @@
...
}:
with lib; let
name = "discord_bot";
cfg = config.services.skynet."${name}";
cfg = config.services.discord_bot;
in {
imports = [
inputs.skynet_discord_bot.nixosModule."x86_64-linux"
];
options.services.skynet."${name}" = {
options.services.discord_bot = {
enable = mkEnableOption "Skynet LDAP backend server";
};
@ -21,18 +20,21 @@ in {
#backups = [ "/etc/silver_ul_ical/database.db" ];
age.secrets.discord_token.file = ../secrets/discord/token.age;
age.secrets.discord_ldap.file = ../secrets/discord/ldap.age;
age.secrets.discord_mail.file = ../secrets/email/details.age;
age.secrets.discord_wolves.file = ../secrets/wolves/details.age;
# this is what was imported
services.skynet_discord_bot = {
enable = true;
env = {
discord = config.age.secrets.discord_token.path;
ldap = config.age.secrets.discord_ldap.path;
mail = config.age.secrets.discord_mail.path;
wolves = config.age.secrets.discord_wolves.path;
};
discord.server = "689189992417067052";
};
};
}

297
applications/dns/dns.nix → applications/dns.nix
View file

@ -3,42 +3,18 @@
pkgs,
config,
nodes,
self,
...
}: let
name = "dns";
cfg = config.services.skynet."${name}";
cfg = config.skynet_dns;
# reads that date to a string (will need to be fixed in 2038)
current_date = self.lastModified;
# this gets a list of all domains we have records for
domains = lib.lists.naturalSort (lib.lists.unique (
lib.lists.forEach records (x: x.domain)
));
# get the ip's of our servers
servers = lib.lists.naturalSort (lib.lists.unique (
lib.lists.forEach (sort_records_a_server records) (x: x.value)
));
domains_owned = [
# for historic reasons we own this
"csn.ul.ie"
# the main one we use now
"skynet.ie"
# a backup
"ulcompsoc.ie"
];
current_date = lib.readFile "${pkgs.runCommand "timestamp" {} "echo -n `date +%s` > $out"}";
# gets a list of records that match this type
filter_records_type = records: r_type: builtins.filter (x: x.r_type == r_type) records;
# Get all the A records that are for servers (base record for them)
filter_records_a_server = records: builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type records "A");
# Every other A record
filter_records_server = records: builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type records "A");
filter_records_a = records: builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type records "A");
# These functions are to get the final 3 digits of an IP address so we can use them for reverse pointer
process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x);
process_ptr_sub = record: {
record = builtins.substring 9 3 record.record;
@ -47,56 +23,35 @@
};
ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip);
# filter and sort records so we cna group them in the right place later
sort_records_a_server = records: builtins.sort (a: b: a.record < b.record) (filter_records_a_server records);
sort_records_server = records: builtins.sort (a: b: a.record < b.record) (filter_records_server records);
sort_records_a = records: builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) (filter_records_a records);
sort_records_cname = records: builtins.sort (a: b: a.value < b.value) (filter_records_type records "CNAME");
sort_records_ptr = records: builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type records "PTR"));
sort_records_srv = records: builtins.sort (a: b: a.record < b.record) (filter_records_type records "SRV");
# a tad overkill but type guarding is useful
max = x: y:
assert builtins.isInt x;
assert builtins.isInt y;
if x < y
then y
else x;
format_records = records: offset: lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records;
# get teh max length of a list of strings
max_len = records: lib.lists.foldr (a: b: (max a b)) 0 (lib.lists.forEach records (record: lib.strings.stringLength record.record));
# Now that we can get teh max lenth of a list of strings
# we can pad it out to the max len +1
# this is so that teh generated file is easier for a human to read
format_records = records: let
offset = (max_len records) + 1;
in
lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records;
# small function to add spaces until it reaches teh required length
# small function to trim it down a tad
padString = text: length: fixedWidthString_post length " " text;
# like lib.strings.fixedWidthString but postfix
# recursive function to extend a string up to a limit
fixedWidthString_post = width: filler: str: let
strw = lib.stringLength str;
reqWidth = width - (lib.stringLength filler);
in
# this is here because we were manually setting teh length, now max_len does that for us
assert lib.assertMsg (strw <= width) "fixedWidthString_post: requested string length (${toString width}) must not be shorter than actual length (${toString strw})";
if strw == width
then str
else (fixedWidthString_post reqWidth filler str) + filler;
# base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie)
# ";" are comments in this file
get_config_file = (
domain: records: ''
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
${toString current_date}
${current_date}
600 ; Refresh (10 minutes)
300 ; Retry (5 minutes)
604800 ; Expire (1 week)
@ -107,48 +62,54 @@
@ NS ns1.skynet.ie.
@ NS ns2.skynet.ie.
; can have multiple mailserves
@ MX 10 mail.skynet.ie.
; ------------------------------------------
; Server Names (A Records)
; ------------------------------------------
${format_records (sort_records_a_server records)}
${format_records (sort_records_server records) 31}
; ------------------------------------------
; A (non server names
; ------------------------------------------
${format_records (sort_records_a records)}
${format_records (sort_records_a records) 31}
; ------------------------------------------
; CNAMES
; ------------------------------------------
${format_records (sort_records_cname records)}
${format_records (sort_records_cname records) 31}
; ------------------------------------------
; TXT
; ------------------------------------------
${format_records (filter_records_type records "TXT")}
${format_records (filter_records_type records "TXT") 31}
; ------------------------------------------
; MX
; ------------------------------------------
${format_records (filter_records_type records "MX")}
${format_records (filter_records_type records "MX") 31}
; ------------------------------------------
; SRV
; ------------------------------------------
${format_records (sort_records_srv records)}
${format_records (sort_records_srv records) 65}
''
);
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse
# config for our reverse dns pointers (not properly working)
# config for our reverse dnspointers (not properly working)
get_config_file_rev = (
domain: ''
domain: records: ''
$ORIGIN 64-64.99.1.193.in-addr.arpa.
$TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
${toString current_date}
${current_date}
600 ; Refresh (10 minutes)
300 ; Retry (5 minutes)
604800 ; Expire (1 week)
@ -161,37 +122,35 @@
; ------------------------------------------
; PTR
; ------------------------------------------
${format_records (sort_records_ptr records)}
${format_records (sort_records_ptr records) 3}
''
);
# arrays of teh two nameservers
nameserver_1 = ["193.1.99.109"];
nameserver_2 = ["193.1.99.120"];
# arrys of teh two nameservers
tmp1 = ["193.1.99.109"];
tmp2 = ["193.1.99.120"];
primaries = (
if cfg.server.primary
then
# primary servers have no primaries (ones they listen to)
[]
else if builtins.elem cfg.server.ip nameserver_1
then nameserver_2
else nameserver_1
else if builtins.elem cfg.server.ip tmp1
then tmp2
else tmp1
);
secondaries = (
if cfg.server.primary
then
if builtins.elem cfg.server.ip nameserver_1
then nameserver_2
else nameserver_1
if builtins.elem cfg.server.ip tmp1
then tmp2
else tmp1
else []
);
# small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router
# now limited explicitly to servers that we are administering
# See i24-09-30_050 for more information
create_cache_networks = map (x: "${toString x}/32") servers;
create_cache_networks = map (x: "193.1.99.${toString x}/32") (lib.lists.range 71 126);
# standard function to create the etc file, pass in the text and domain and it makes it
create_entry_etc_sub = domain: text: {
@ -203,38 +162,37 @@
# The UNIX file mode bits
mode = "0664";
# content of the file
text = text;
};
};
# (text.owned "csn.ul.ie")
# standard function to create the etc file, pass in the text and domain and it makes it
create_entry_etc = domain: type: let
domain_records = lib.lists.filter (x: x.domain == domain) records;
in
# this is the main type of record that most folks are used to
create_entry_etc = domain: type: records:
if type == "owned"
then create_entry_etc_sub domain (get_config_file domain domain_records)
# reverse lookups allow for using an IP to find domains pointing to it
then create_entry_etc_sub domain (text.owned domain records)
else if type == "reverse"
then create_entry_etc_sub domain (get_config_file_rev domain)
then create_entry_etc_sub domain (text.reverse domain records)
else {};
create_entry_zone = domain: let
if_primary_and_owned =
if cfg.server.primary && (lib.lists.any (item: item == domain) domains_owned)
then ''
allow-update { key rfc2136key.skynet.ie.; };
dnssec-policy default;
inline-signing yes;
''
else "";
in {
create_entry_zone_names = builtins.attrNames (removeAttrs config.skynet.records ["skynet.ie"]);
create_entry_zone_mapped = map (x: (create_entry_zone x)) create_entry_zone_names;
create_entry_zone_attr = lib.mkMerge create_entry_zone_mapped;
create_entry_etc_mapped = map (x: (create_entry_etc x "owned" config.skynet.records.${x})) create_entry_zone_names;
create_entry_etc_attr = lib.mkMerge create_entry_etc_mapped;
create_entry_zone = domain: {
"${domain}" = {
extraConfig = ''
${if_primary_and_owned}
allow-update {
key rfc2136key.${domain}.;
};
dnssec-policy default;
inline-signing yes;
// for bumping the config
// ${toString current_date}
// ${current_date}
'';
# really wish teh nixos config didnt use master/slave
master = cfg.server.primary;
@ -247,16 +205,51 @@
};
};
text = {
owned = domain: records: get_config_file domain records;
reverse = domain: records: get_config_file_rev domain records;
};
records =
config.skynet.records
/*
Need to "manually" grab it from each server.
Nix is laxy evalusted so if it does not need to open a file it wont.
This is to iterate through each server (node) and evaluate the dns records for that server.
*/
config.skynet.records."skynet.ie"
++ builtins.concatLists (
lib.attrsets.mapAttrsToList (
key: value: value.config.services.skynet.dns.records
key: value: let
details_server = value.config.skynet_dns.server;
details_records = value.config.skynet_dns.records;
in
if builtins.hasAttr "skynet_dns" value.config
then
(
# got to handle habing a dns record for the dns serves themselves.
if details_server.enable
then
(
if details_server.primary
then
details_records
++ [
{
record = "ns1";
r_type = "A";
value = details_server.ip;
server = false;
}
]
else
details_records
++ [
{
record = "ns2";
r_type = "A";
value = details_server.ip;
server = false;
}
]
)
else details_records
)
else []
)
nodes
);
@ -267,46 +260,43 @@
else "ns2";
in {
imports = [
../../config/dns.nix
./firewall.nix
../config/dns.nix
];
options.services.skynet."${name}" = {
server = {
enable = lib.mkEnableOption {
default = false;
description = "Skynet DNS server";
type = lib.types.bool;
options = {
skynet_dns = {
server = {
enable = lib.mkEnableOption {
default = false;
description = "Skynet DNS server";
type = lib.types.bool;
};
primary = lib.mkOption {
type = lib.types.bool;
default = false;
};
ip = lib.mkOption {
type = lib.types.str;
description = ''
ip of this server
'';
};
};
primary = lib.mkOption {
type = lib.types.bool;
default = false;
records = lib.mkOption {
description = "Records, sorted based on therir type";
type = lib.types.listOf (lib.types.submodule (import ../_types/dns_object.nix {
inherit lib;
}));
};
ip = lib.mkOption {
type = lib.types.str;
description = ''
ip of this server
'';
};
};
records = lib.mkOption {
description = "Records, sorted based on therir type";
type = lib.types.listOf (lib.types.submodule (import ./options-records.nix {
inherit lib;
}));
};
};
config = lib.mkIf cfg.server.enable {
# logging
services.prometheus.exporters.bind = {
enable = true;
openFirewall = true;
};
# services.skynet.backup.normal.backups = ["/etc/skynet/dns"];
# services.skynet_backup.normal.backups = ["/etc/skynet/dns"];
# open the firewall for this
skynet_firewall.forward = [
@ -314,40 +304,29 @@ in {
"ip daddr ${cfg.server.ip} udp dport 53 counter packets 0 bytes 0 accept"
];
services.skynet.dns.records = [
{
record = nameserver;
r_type = "A";
value = config.services.skynet.host.ip;
}
services.bind.zones = lib.mkMerge [
(create_entry_zone "csn.ul.ie")
(create_entry_zone "skynet.ie")
(create_entry_zone "ulcompsoc.ie")
(create_entry_zone "64-64.99.1.193.in-addr.arpa")
create_entry_zone_attr
];
services.bind.zones = lib.attrsets.mergeAttrsList (
# uses teh domains lsited in teh records
(lib.lists.forEach domains (domain: (create_entry_zone domain)))
# we have to do a reverse dns
++ [
(create_entry_zone "64-64.99.1.193.in-addr.arpa")
]
);
environment.etc = lib.attrsets.mergeAttrsList (
# uses teh domains lsited in teh records
(lib.lists.forEach domains (domain: (create_entry_etc domain "owned")))
# we have to do a reverse dns
++ [
(create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse")
]
);
environment.etc = lib.mkMerge [
(create_entry_etc "csn.ul.ie" "owned" records)
(create_entry_etc "skynet.ie" "owned" records)
(create_entry_etc "ulcompsoc.ie" "owned" records)
(create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse" records)
create_entry_etc_attr
];
# secrets required
age.secrets.dns_dnskeys = {
file = ../../secrets/dns_dnskeys.conf.age;
file = ../secrets/dns_dnskeys.conf.age;
owner = "named";
group = "named";
};
# basic but ensure teh dns ports are open
networking.firewall = {
allowedTCPPorts = [53];
allowedUDPPorts = [53];
@ -361,10 +340,6 @@ in {
# need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns
extraConfig = ''
include "/run/agenix/dns_dnskeys";
statistics-channels {
inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};
'';
# piles of no valid RRSIG resolving 'com/DS/IN' errors

31
applications/dns/options-records.nix
View file

@ -1,31 +0,0 @@
/*
Define the options for dns records here.
They are imported into anything that needs to use them
*/
{lib, ...}:
with lib; {
options = {
domain = lib.mkOption {
description = "Domain this record is for";
type = lib.types.str;
default = "skynet.ie";
};
record = lib.mkOption {
description = "What you want to name the subdomain.";
type = lib.types.str;
};
r_type = lib.mkOption {
description = "Type of record that this is.";
type = lib.types.enum ["A" "CNAME" "TXT" "PTR" "SRV" "MX"];
};
value = lib.mkOption {
description = "What the record points to, normally ip or another record.";
type = lib.types.str;
};
server = lib.mkOption {
description = "Core record for a server";
type = lib.types.bool;
default = false;
};
};
}

284
applications/email.nix
View file

@ -6,8 +6,7 @@
...
}:
with lib; let
name = "email";
cfg = config.services.skynet."${name}";
cfg = config.services.skynet_email;
# create teh new strings
create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})");
@ -92,7 +91,7 @@ with lib; let
}
];
sieveConfigFile =
configFile =
# https://doc.dovecot.org/configuration_manual/sieve/examples/#plus-addressed-mail-filtering
pkgs.writeText "basic_sieve"
''
@ -105,47 +104,45 @@ with lib; let
# this should be close to teh last step
if allof (
address :localpart ["To", "Cc"] ["${toString create_config_to}"],
address :domain ["To", "Cc"] "skynet.ie"
){
if address :matches ["To", "Cc"] "*@skynet.ie" {
if header :is "X-Spam" "Yes" {
fileinto :create "''${1}.Junk";
stop;
} else {
fileinto :create "''${1}";
stop;
address :localpart ["To"] ["${toString create_config_to}"],
address :domain ["To"] "skynet.ie"
){
if address :matches ["To"] "*@skynet.ie" {
if header :is "X-Spam" "Yes" {
fileinto :create "''${1}.Junk";
stop;
} else {
fileinto :create "''${1}";
}
}
}
}
if allof (
address :localpart ["From"] ["${toString create_config_to}"],
address :domain ["From"] "skynet.ie"
){
if address :matches ["From"] "*@skynet.ie" {
if header :is "X-Spam" "Yes" {
fileinto :create "''${1}.Junk";
stop;
} else {
fileinto :create "''${1}";
stop;
}
}
}
'';
in {
imports = [
./dns.nix
./acme.nix
./nginx.nix
inputs.simple-nixos-mailserver.nixosModule
# for teh config
../config/users.nix
];
options.services.skynet."${name}" = {
options.services.skynet_email = {
# options that need to be passed in to make this work
enable = mkEnableOption "Skynet Email";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = mkOption {
type = types.str;
default = "skynet.ie";
@ -201,8 +198,8 @@ in {
};
config = mkIf cfg.enable {
services.skynet.backup.normal.backups = [
#"/var/vmail"
services.skynet_backup.normal.backups = [
"/var/vmail"
"/var/dkim"
];
@ -248,6 +245,12 @@ in {
# to provide the certs
services.nginx.virtualHosts = {
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
"mail.skynet.ie" = {
forceSSL = true;
useACMEHost = "mail";
@ -282,109 +285,95 @@ in {
};
# set up dns record for it
services.skynet.dns.records =
[
# core record
{
record = "@";
r_type = "MX";
# the number is the priority in teh case of multiple mailservers
value = "10 mail.${cfg.domain}.";
}
skynet_dns.records = [
# basic one
{
record = "mail";
r_type = "A";
value = cfg.host.ip;
}
#DNS config for K-9 Mail
{
record = "imap";
r_type = "CNAME";
value = "mail";
}
{
record = "pop3";
r_type = "CNAME";
value = "mail";
}
{
record = "smtp";
r_type = "CNAME";
value = "mail";
}
# basic one
{
record = "mail";
r_type = "A";
value = config.services.skynet.host.ip;
}
#DNS config for K-9 Mail
{
record = "imap";
r_type = "CNAME";
value = "mail";
}
{
record = "pop3";
r_type = "CNAME";
value = "mail";
}
{
record = "smtp";
r_type = "CNAME";
value = "mail";
}
# TXT records, all tehse are inside escaped strings to allow using ""
# reverse pointer
{
record = config.services.skynet.host.ip;
r_type = "PTR";
value = "${cfg.sub}.${cfg.domain}.";
}
# SRV records to help gmail on android etc find the correct mail.skynet.ie domain for config rather than just defaulting to skynet.ie
# https://serverfault.com/questions/935192/how-to-setup-auto-configure-email-for-android-mail-app-on-your-server/1018406#1018406
# response should be:
# _imap._tcp SRV 0 1 143 imap.example.com.
{
record = "_imaps._tcp";
r_type = "SRV";
value = "0 1 993 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_imap._tcp";
r_type = "SRV";
value = "0 1 143 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submissions._tcp";
r_type = "SRV";
value = "0 1 465 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submission._tcp";
r_type = "SRV";
value = "0 1 587 ${cfg.sub}.${cfg.domain}.";
}
]
# TXT records, all tehse are inside escaped strings to allow using ""
# SPF record
++ [
{
record = "${cfg.domain}.";
r_type = "TXT";
value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} ip4:${config.services.skynet.host.ip} -all"'';
}
]
{
record = "${cfg.domain}.";
r_type = "TXT";
value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"'';
}
# DKIM keys
++ [
{
record = "mail._domainkey.skynet.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';
}
{
domain = "ulcompsoc.ie";
record = "mail._domainkey.ulcompsoc.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';
}
]
{
record = "mail._domainkey.skynet.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';
}
{
record = "mail._domainkey.ulcompsoc.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';
}
# DMARC
++ [
{
record = "_dmarc.${cfg.domain}.";
r_type = "TXT";
# p : quarantine => sends to spam, reject => never sent
# rua : mail that receives reports about DMARC activity
# pct : percentage of unathenticated messages that DMARC stops
# adkim : alignment policy for DKIM, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
# aspf : alignment policy for SPF, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
# sp : DMARC policy for subdomains, none => no action, reports to rua, quarantine => spam, reject => never sent
value = ''"v=DMARC1; p=quarantine; rua=mailto:mailman@skynet.ie; pct=100; adkim=s; aspf=s; sp=quarantine"'';
}
];
{
record = "_dmarc.${cfg.domain}.";
r_type = "TXT";
# p : quarantine => sends to spam, reject => never sent
# rua : mail that receives reports about DMARC activity
# pct : percentage of unathenticated messages that DMARC stops
# adkim : alignment policy for DKIM, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
# aspf : alignment policy for SPF, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
# sp : DMARC policy for subdomains, none => no action, reports to rua, quarantine => spam, reject => never sent
value = ''"v=DMARC1; p=quarantine; rua=mailto:mailman@skynet.ie; pct=100; adkim=s; aspf=s; sp=none"'';
}
# reverse pointer
{
record = cfg.host.ip;
r_type = "PTR";
value = "${cfg.sub}.${cfg.domain}.";
}
# SRV records to help gmail on android etc find the correct mail.skynet.ie domain for config rather than just defaulting to skynet.ie
# https://serverfault.com/questions/935192/how-to-setup-auto-configure-email-for-android-mail-app-on-your-server/1018406#1018406
# response should be:
# _imap._tcp SRV 0 1 143 imap.example.com.
{
record = "_imaps._tcp";
r_type = "SRV";
value = "0 1 993 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_imap._tcp";
r_type = "SRV";
value = "0 1 143 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submissions._tcp";
r_type = "SRV";
value = "0 1 465 ${cfg.sub}.${cfg.domain}.";
}
{
record = "_submission._tcp";
r_type = "SRV";
value = "0 1 587 ${cfg.sub}.${cfg.domain}.";
}
];
#https://nixos-mailserver.readthedocs.io/en/latest/add-roundcube.html
users.groups.nginx = {};
@ -477,40 +466,7 @@ in {
};
services.dovecot2.sieve.scripts = {
before = sieveConfigFile;
};
# This is to add a bcc to outgoing mail
# this then interacts with teh filters to put it in the right folder
# we can directly add to the postfix service here
services.postfix = let
# mostly copied from the upstream mailserver config/functions
mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
sender_bcc_maps_file = let
content = lookupTableToString create_skynet_service_bcc;
in
builtins.toFile "sender_bcc_maps" content;
lookupTableToString = attrs: let
valueToString = value: lib.concatStringsSep ", " value;
in
lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "${name} ${valueToString value}") attrs);
# convert the mailboxes config to something that can be used here
create_skynet_email_bcc = mailbox: {
name = "${mailbox}@skynet.ie";
value = ["${mailbox}@skynet.ie"];
};
create_skynet_service_bcc = builtins.listToAttrs (map (mailbox: (create_skynet_email_bcc mailbox.account)) service_mailboxes);
in {
mapFiles."sender_bcc_maps" = sender_bcc_maps_file;
config = {
sender_bcc_maps = [
(mappedFile "sender_bcc_maps")
];
};
before = configFile;
};
# tune the spam filter

35
applications/_retired/games.nix → applications/games.nix
View file

@ -6,17 +6,27 @@
...
}:
with lib; let
name = "games";
cfg = config.services.skynet."${name}";
cfg = config.services.skynet_games;
in {
imports = [
./dns.nix
./nginx.nix
./games/minecraft.nix
];
options.services.skynet."${name}" = {
options.services.skynet_games = {
enable = mkEnableOption "Skynet Games";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = {
tld = mkOption {
type = types.str;
@ -36,20 +46,26 @@ in {
};
config = mkIf cfg.enable {
services.skynet.dns.records = [
skynet_dns.records = [
# need a base domain
{
record = cfg.domain.sub;
r_type = "CNAME";
value = config.services.skynet.host.name;
value = cfg.host.name;
}
];
services.skynet.acme.domains = [
skynet_acme.domains = [
"${cfg.domain.sub}.skynet.ie"
];
services.nginx.virtualHosts = {
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
"${cfg.domain.sub}.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
@ -58,9 +74,14 @@ in {
};
# the minecraft servers
services.skynet.games_minecraft = {
services.skynet_games_minecraft = {
enable = true;
host = {
ip = cfg.host.ip;
name = cfg.domain.sub;
};
domain = {
sub = "minecraft.${cfg.domain.sub}";
};

218
applications/games/minecraft.nix
View file

@ -4,57 +4,181 @@
lib,
inputs,
...
}: let
# function to create the cname record for eachs erver
create_cname = configs:
lib.lists.forEach configs (
c: {
record = "${c.address}.games";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
);
}:
with lib; let
cfg = config.services.skynet_games_minecraft;
# function to create the srv record
# this allows us to change the port without impacting (java) users
create_srv = configs:
lib.lists.forEach configs (c: {
record = "_minecraft._tcp.${c.address}.games.skynet.ie.";
r_type = "SRV";
value = "0 10 ${c.port} ${config.services.skynet.host.name}.skynet.ie.";
});
servers = [
{
address = "minecraft.compsoc";
port = "25518";
}
{
address = "minecraft-classic.compsoc";
port = "25518";
}
{
address = "minecraft-aged.compsoc";
port = "25519";
}
{
address = "minecraft.gsoc";
port = "25521";
}
{
address = "minecraft.phildeb";
port = "25522";
}
{
address = "minecraft.anime";
port = "25523";
}
];
# got tired of how long this is so I created a var for it.
short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in {
imports = [
../acme.nix
../dns.nix
../firewall.nix
../nginx.nix
inputs.arion.nixosModules.arion
];
config = {
services.skynet.dns.records = (create_cname servers) ++ (create_srv servers);
options.services.skynet_games_minecraft = {
enable = mkEnableOption "Skynet Games Minecraft";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = {
tld = mkOption {
type = types.str;
default = "ie";
};
base = mkOption {
type = types.str;
default = "skynet";
};
sub = mkOption {
type = types.str;
default = "minecraft.games";
};
};
};
config = mkIf cfg.enable {
skynet_firewall.forward = [
"ip daddr ${cfg.host.ip} tcp dport 80 counter packets 0 bytes 0 accept"
"ip daddr ${cfg.host.ip} tcp dport 443 counter packets 0 bytes 0 accept"
"ip daddr ${cfg.host.ip} tcp dport 25565 counter packets 0 bytes 0 accept"
];
skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
"*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
];
skynet_dns.records = [
# the minecraft (web) config server
{
record = "config.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
# our own minecraft hosts
{
record = "compsoc_classic.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "compsoc.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
# gsoc servers
{
record = "gsoc.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "gsoc_abridged.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
# phildeb
{
record = "phildeb.${cfg.domain.sub}";
r_type = "CNAME";
value = cfg.host.name;
}
];
networking.firewall.allowedTCPPorts = [
# for the proxy
25565
];
services.nginx.virtualHosts = {
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
# https://config.minecraft.games.skynet.ie
"config.${short_domain}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "https://localhost:8443";
proxyWebsockets = true;
};
};
# https://compsoc_classic.minecraft.games.skynet.ie/map/
"compsoc_classic.${short_domain}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/map/".alias = "/etc/games/minecraft/craftycontrol/servers/f4c5eb33-c6d6-421c-81ab-ded31f6e8750/plugins/dynmap/web/";
};
};
# arion is one way to use docker on nixos
# see https://gitlab.com/c2842/computer_society/nixos/-/blob/733b867f4782afa795848135a83e97a5cafaf16a/applications/games/minecraft.nix
# for an example of a single compose file with multiple services
virtualisation.arion = {
backend = "docker";
projects = {
minecraft.settings.services = {
mc_proxy.service = {
image = "itzg/mc-router:1.18.0";
ports = ["25565:25565/tcp"];
expose = ["25565"];
command = [
"--mapping=compsoc_classic.${short_domain}=mc_config:20000,compsoc.${short_domain}=mc_config:20001,gsoc.${short_domain}=mc_config:20002,gsoc.${short_domain}=mc_config:20002,gsoc_abridged.${short_domain}=mc_config:20003,phildeb.${short_domain}=mc_config:20004"
];
};
mc_config.service = {
image = "registry.gitlab.com/crafty-controller/crafty-4:4.1.1";
environment = {
TZ = "Etc/UTC";
};
volumes = [
"/etc/games/minecraft/craftycontrol/backups:/crafty/backups"
"/etc/games/minecraft/craftycontrol/logs:/crafty/logs"
"/etc/games/minecraft/craftycontrol/servers:/crafty/servers"
"/etc/games/minecraft/craftycontrol/config:/crafty/app/config"
"/etc/games/minecraft/craftycontrol/import:/crafty/import"
];
ports = [
# this ius https only
"8443:8443/tcp"
# compsoc classic
"20000:20000/tcp"
# compsoc
"20001:20001/tcp"
# games
"20002:20002/tcp"
"20003:20003/tcp"
# phildeb
"20004:20004/tcp"
];
};
};
};
};
};
}

129
applications/git/forgejo.nix
View file

@ -1,129 +0,0 @@
{
config,
pkgs,
lib,
...
}:
with lib; let
name = "forgejo";
cfg = config.services.skynet."${name}";
domain_base = "${cfg.domain.base}.${cfg.domain.tld}";
domain_full = "${cfg.domain.sub}.${domain_base}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Forgejo";
domain = {
tld = mkOption {
type = types.str;
default = "ie";
};
base = mkOption {
type = types.str;
default = "skynet";
};
sub = mkOption {
type = types.str;
default = name;
};
};
forgejo = {
port = mkOption {
type = types.port;
default = 3000;
};
};
};
config = mkIf cfg.enable {
# age.secrets.forgejo-mailer-password = {
# file = ../../secrets/forgejo/mailer-password.age;
# mode = "400";
# owner = "forgejo";
# };
services.skynet.acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
];
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
services.skynet.dns.records = [
{
record = cfg.domain.sub;
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx.virtualHosts = {
# main site
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "http://localhost:${toString cfg.forgejo.port}";
extraConfig = ''
client_max_body_size 1000M;
'';
};
};
};
# for signing reasons
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
services.forgejo = {
enable = true;
package = pkgs.forgejo;
database.type = "sqlite3";
# Enable support for Git Large File Storage
lfs.enable = true;
settings = {
server = {
DOMAIN = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
# You need to specify this to remove the port from URLs in the web UI.
ROOT_URL = "https://${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}/";
HTTP_PORT = cfg.forgejo.port;
};
# You can temporarily allow registration to create an admin user.
service.DISABLE_REGISTRATION = true;
# Add support for actions, based on act: https://github.com/nektos/act
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
# Allow for signing off merge requests
# "repository.signing" = {
# SIGNING_KEY = "5B2DED0FE9F8627A";
# SIGNING_NAME = "Skynet";
# SIGNING_EMAIL = "forgejo@glados.skynet.ie";
# MERGES = "always";
# };
# Sending emails is completely optional
# You can send a test email from the web UI at:
# Profile Picture > Site Administration > Configuration > Mailer Configuration
# mailer = {
# ENABLED = true;
# SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}";
# FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
# USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
# };
};
# mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
};
};
}

159
applications/git/forgejo_runner.nix
View file

@ -1,159 +0,0 @@
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
name = "forgejo_runner";
cfg = config.services.skynet."${name}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet ForgeJo Runner";
runner = {
name = mkOption {
type = types.str;
default = config.networking.hostName;
};
website = mkOption {
default = "https://forgejo.skynet.ie";
type = types.str;
};
user = mkOption {
default = "gitea-runner";
type = types.str;
};
};
};
config = mkIf cfg.enable {
# https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
environment.systemPackages = with pkgs; [
forgejo-actions-runner
];
age.secrets.forgejo_runner_token = {
file = ../../secrets/forgejo/runners/token.age;
owner = cfg.runner.user;
group = cfg.runner.user;
};
# make sure the ssh config stuff is in teh right palce
systemd.tmpfiles.rules = [
#"d /home/${cfg.runner.user} 0755 ${cfg.runner.user} ${cfg.runner.user}"
"L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user} - ${./ssh_config}"
];
age.secrets.forgejo_runner_ssh = {
file = ../../secrets/forgejo/runners/ssh.age;
mode = "600";
owner = "${cfg.runner.user}";
group = "${cfg.runner.user}";
symlink = false;
path = "/home/${cfg.runner.user}/.ssh/skynet/root";
};
nix = {
settings = {
trusted-users = [
# allow the runner to build nix stuff and to use the cache
"gitea-runner"
];
trusted-public-keys = [
"skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
substituters = [
"https://nix-cache.skynet.ie/skynet-cache/"
"https://cache.nixos.org/"
];
trusted-substituters = [
"https://nix-cache.skynet.ie/skynet-cache/"
"https://cache.nixos.org/"
];
};
};
# very basic setup to always be watching for changes in teh cache
systemd.services.attic-uploader = {
enable = true;
serviceConfig = {
ExecStart = "${pkgs.attic-client}/bin/attic watch-store skynet-cache";
User = "root";
Restart = "always";
RestartSec = 1;
};
};
# give teh runner user a home to store teh ssh config stuff
systemd.services.gitea-runner-default.serviceConfig = {
DynamicUser = lib.mkForce false;
User = lib.mkForce cfg.runner.user;
};
users = {
groups."${cfg.runner.user}" = {};
users."${cfg.runner.user}" = {
#isSystemUser = true;
isNormalUser = true;
group = cfg.runner.user;
createHome = true;
shell = pkgs.bash;
};
};
boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
virtualisation.docker.enable = true;
# taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"];
# the actual runner
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.default = {
enable = true;
name = cfg.runner.name;
url = cfg.runner.website;
tokenFile = config.age.secrets.forgejo_runner_token.path;
labels = [
## optionally provide native execution on the host:
"nix:host"
"docker:docker://node:22-bookworm"
"ubuntu-latest:docker://node:22-bookworm"
];
hostPackages = with pkgs; [
# default ones
bash
coreutils
curl
gawk
git
gnused
nodejs
wget
# useful to have in path
jq
which
dpkg
zip
git-lfs
# used in deployments
inputs.colmena.defaultPackage."x86_64-linux"
attic-client
lix
openssh
sudo
];
};
};
};
}

5
applications/git/ssh_config
View file

@ -1,5 +0,0 @@
Host *.skynet.ie 193.1.99.* 193.1.96.165
User root
IdentityFile ~/.ssh/skynet/root
IdentitiesOnly yes

58
applications/git/gitlab.nix → applications/gitlab.nix
View file

@ -5,18 +5,31 @@
...
}:
with lib; let
name = "gitlab";
cfg = config.services.skynet."${name}";
cfg = config.services.skynet_gitlab;
domain_base = "${cfg.domain.base}.${cfg.domain.tld}";
domain_full = "${cfg.domain.sub}.${domain_base}";
in {
imports = [
./acme.nix
./dns.nix
./firewall.nix
./nginx.nix
];
options.services.skynet."${name}" = {
options.services.skynet_gitlab = {
enable = mkEnableOption "Skynet Gitlab";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = {
tld = mkOption {
type = types.str;
@ -30,7 +43,7 @@ in {
sub = mkOption {
type = types.str;
default = name;
default = "gitlab";
};
};
@ -56,54 +69,54 @@ in {
# grep -r --exclude-dir={docker,containers,log,sys,nix,proc} gitlab /
age.secrets.gitlab_pw = {
file = ../../secrets/gitlab/pw.age;
file = ../secrets/gitlab/pw.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_db = {
file = ../../secrets/gitlab/secrets_db.age;
file = ../secrets/gitlab/secrets_db.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_secret = {
file = ../../secrets/gitlab/secrets_secret.age;
file = ../secrets/gitlab/secrets_secret.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_otp = {
file = ../../secrets/gitlab/secrets_otp.age;
file = ../secrets/gitlab/secrets_otp.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_secrets_jws = {
file = ../../secrets/gitlab/secrets_jws.age;
file = ../secrets/gitlab/secrets_jws.age;
owner = cfg.user;
group = cfg.user;
};
age.secrets.gitlab_db_pw = {
file = ../../secrets/gitlab/db_pw.age;
file = ../secrets/gitlab/db_pw.age;
owner = cfg.user;
group = cfg.user;
};
services.skynet.acme.domains = [
skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
# Lets Encrypt seems to have a 4 levels limit for certs
"*.pages.${cfg.domain.base}.${cfg.domain.tld}"
];
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
services.skynet.dns.records = [
skynet_dns.records = [
{
record = cfg.domain.sub;
r_type = "A";
value = config.services.skynet.host.ip;
value = cfg.host.ip;
}
# for gitlab pages
{
record = "*.pages.${cfg.domain.base}.${cfg.domain.tld}.";
r_type = "A";
value = config.services.skynet.host.ip;
value = cfg.host.ip;
}
# for email
@ -113,7 +126,7 @@ in {
value = ''10 ${domain_full}.'';
}
{
record = config.services.skynet.host.ip;
record = cfg.host.ip;
r_type = "PTR";
value = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}.";
}
@ -137,16 +150,17 @@ in {
services.openssh.ports = [22 2222];
services.nginx.virtualHosts = {
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
# main site
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
extraConfig = ''
client_max_body_size 1000M;
'';
};
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
# pages
@ -244,7 +258,7 @@ in {
# default for pages is set to 8090 but that leaves an "ugly" port in the url,
# override it here to make it look good
port = 80;
#external_http = ["${config.services.skynet.host.ip}:80"];
#external_http = ["${cfg.host.ip}:80"];
};
};
};

121
applications/gitlab_runner.nix Normal file
View file

@ -0,0 +1,121 @@
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_gitlab_runner;
in {
imports = [
];
options.services.skynet_gitlab_runner = {
enable = mkEnableOption "Skynet Gitlab Runner";
runner = {
name = mkOption {
type = types.str;
};
gitlab = mkOption {
default = "https://gitlab.skynet.ie";
type = types.str;
};
description = mkOption {
default = cfg.runner.name;
type = types.str;
};
docker = {
image = mkOption {
default = "alpine:3.18.4";
type = types.str;
};
cleanup_dates = mkOption {
# https://man.archlinux.org/man/systemd.time.7#CALENDAR_EVENTS
# it will use a lot of storage so clear it daily, may change to hourly if required
default = "daily";
type = types.str;
};
};
};
};
config = mkIf cfg.enable {
# https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
environment.systemPackages = [
pkgs.gitlab-runner
];
age.secrets.runner_01_nix.file = ../secrets/gitlab/runners/runner01.age;
age.secrets.runner_02_general.file = ../secrets/gitlab/runners/runner02.age;
boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
virtualisation.docker.enable = true;
# taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"];
services.gitlab-runner = {
enable = true;
# clear-docker-cache = {
# enable = true;
# dates = cfg.runner.docker.cleanup_dates;
# };
services = {
# might make a function later to have multiple runners, might never need it though
runner_nix = {
cloneUrl = cfg.runner.gitlab;
description = "For Nix only";
registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
registrationConfigFile = config.age.secrets.runner_01_nix.path;
dockerImage = cfg.runner.docker.image;
# from https://nixos.wiki/wiki/Gitlab_runner
dockerVolumes = [
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
];
dockerDisableCache = true;
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs
mkdir -p -m 0755 /nix/var/nix/gcroots
mkdir -p -m 0755 /nix/var/nix/profiles
mkdir -p -m 0755 /nix/var/nix/temproots
mkdir -p -m 0755 /nix/var/nix/userpool
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
mkdir -p -m 0700 "$HOME/.nix-defexpr"
. ${pkgs.nix}/etc/profile.d/nix-daemon.sh
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-unstable nixpkgs # 3
${pkgs.nix}/bin/nix-channel --update nixpkgs
${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [nix cacert git openssh])}
'';
environmentVariables = {
ENV = "/etc/profile";
USER = "root";
NIX_REMOTE = "daemon";
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
};
tagList = ["nix"];
};
runner_general = {
cloneUrl = cfg.runner.gitlab;
description = "General Runner";
registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
registrationConfigFile = config.age.secrets.runner_02_general.path;
dockerImage = cfg.runner.docker.image;
};
};
};
};
}

79
applications/grafana.nix
View file

@ -1,79 +0,0 @@
{
lib,
config,
...
}:
with lib; let
name = "grafana";
cfg = config.services.skynet."${name}";
port = 4444;
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Grafana Server";
datasource = {
name = mkOption {
type = types.str;
};
url = mkOption {
type = types.str;
};
};
};
config = mkIf cfg.enable {
services.skynet.dns.records = [
{
record = "${name}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.skynet.acme.domains = [
"${name}.skynet.ie"
];
age.secrets.grafana_pw = {
file = ../secrets/grafana/pw.age;
owner = "grafana";
group = "grafana";
};
services.grafana = {
enable = true;
domain = "${name}.skynet.ie";
port = port;
settings.security.admin_password = "$__file{${config.age.secrets.grafana_pw.path}}";
provision = {
enable = true;
datasources.settings.datasources = [
{
name = "Prometheus";
type = "prometheus";
url = "http://localhost:${toString config.services.skynet.prometheus.server.port}";
isDefault = true;
editable = true;
}
];
};
};
services.nginx.virtualHosts = {
"${name}.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "http://localhost:${toString port}";
proxyWebsockets = true;
};
};
};
};
}

27
applications/ldap/backend.nix
View file

@ -6,18 +6,30 @@
...
}:
with lib; let
name = "ldap_backend";
cfg = config.services.skynet."${name}";
cfg = config.services.ldap_backend;
port_backend = "8087";
in {
imports = [
../acme.nix
../dns.nix
../nginx.nix
inputs.skynet_ldap_backend.nixosModule."x86_64-linux"
../../config/users.nix
];
options.services.skynet."${name}" = {
options.services.ldap_backend = {
enable = mkEnableOption "Skynet LDAP backend server";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = {
tld = mkOption {
type = types.str;
@ -40,18 +52,19 @@ in {
#backups = [ "/etc/silver_ul_ical/database.db" ];
age.secrets.ldap_details.file = ../../secrets/ldap/details.age;
age.secrets.ldap_discord.file = ../../secrets/discord/ldap.age;
age.secrets.ldap_mail.file = ../../secrets/email/details.age;
age.secrets.ldap_wolves.file = ../../secrets/wolves/details.age;
services.skynet.acme.domains = [
skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
];
services.skynet.dns.records = [
skynet_dns.records = [
{
record = cfg.domain.sub;
r_type = "CNAME";
value = config.services.skynet.host.name;
value = cfg.host.name;
}
];
@ -61,13 +74,13 @@ in {
locations."/".proxyPass = "http://localhost:${port_backend}";
};
# this got imported
services.skynet_ldap_backend = {
enable = true;
# contains teh password in env form
env = {
ldap = config.age.secrets.ldap_details.path;
discord = config.age.secrets.ldap_discord.path;
mail = config.age.secrets.ldap_mail.path;
wolves = config.age.secrets.ldap_wolves.path;
};

7
applications/ldap/client.nix
View file

@ -5,8 +5,7 @@
...
}:
with lib; let
name = "ldap_client";
cfg = config.services.skynet."${name}";
cfg = config.services.skynet_ldap_client;
# always ensure the admin group has access
create_filter_check_admin = x:
@ -28,9 +27,9 @@ in {
imports = [];
# give users access to this server
#services.skynet.ldap_client.groups = ["skynet-users-linux"];
#services.skynet_ldap_client.groups = ["skynet-users-linux"];
options.services.skynet."${name}" = {
options.services.skynet_ldap_client = {
# options that need to be passed in to make this work
enable = mkEnableOption "Skynet LDAP client";

32
applications/ldap/server.nix
View file

@ -9,19 +9,32 @@ Gonna use a priper nixos module for this
...
}:
with lib; let
name = "ldap";
cfg = config.services.skynet."${name}";
cfg = config.services.skynet_ldap;
domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in {
# these are needed for teh program in question
imports = [
../acme.nix
../dns.nix
../nginx.nix
./backend.nix
];
options.services.skynet."${name}" = {
options.services.skynet_ldap = {
# options that need to be passed in to make this work
enable = mkEnableOption "Skynet LDAP service";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = {
tld = mkOption {
type = types.str;
@ -51,6 +64,13 @@ in {
};
config = mkIf cfg.enable {
# passthrough to the backend
services.ldap_backend = {
enable = true;
host.ip = cfg.host.ip;
host.name = cfg.host.name;
};
# after changing teh password openldap.service has to be restarted
age.secrets.ldap_pw = {
file = ../../secrets/ldap/pw.age;
@ -59,15 +79,15 @@ in {
group = "openldap";
};
services.skynet.acme.domains = [
skynet_acme.domains = [
domain
];
services.skynet.dns.records = [
skynet_dns.records = [
{
record = cfg.domain.sub;
r_type = "CNAME";
value = config.services.skynet.host.name;
value = cfg.host.name;
}
];

69
applications/nextcloud.nix
View file

@ -5,16 +5,28 @@
...
}:
with lib; let
name = "nextcloud";
cfg = config.services.skynet."${name}";
cfg = config.services.skynet_nextcloud;
domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in {
imports = [
./acme.nix
./dns.nix
./nginx.nix
];
options.services.skynet."${name}" = {
options.services.skynet_nextcloud = {
enable = mkEnableOption "Skynet Nextcloud";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = {
tld = mkOption {
type = types.str;
@ -28,7 +40,7 @@ in {
sub = mkOption {
type = types.str;
default = name;
default = "nextcloud";
};
};
};
@ -42,27 +54,21 @@ in {
group = "nextcloud";
};
services.skynet.acme.domains = [
skynet_acme.domains = [
domain
"onlyoffice.${domain}"
"whiteboard.${domain}"
];
services.skynet.dns.records = [
skynet_dns.records = [
{
record = cfg.domain.sub;
r_type = "CNAME";
value = config.services.skynet.host.name;
value = cfg.host.name;
}
{
record = "onlyoffice.${cfg.domain.sub}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
{
record = "whiteboard.${cfg.domain.sub}";
r_type = "CNAME";
value = config.services.skynet.host.name;
value = cfg.host.name;
}
];
@ -70,7 +76,7 @@ in {
services.nextcloud = {
enable = true;
package = pkgs.nextcloud30;
package = pkgs.nextcloud28;
hostName = domain;
https = true;
@ -84,10 +90,9 @@ in {
appstoreEnable = true;
extraApps = {
inherit (config.services.nextcloud.package.packages.apps) richdocuments;
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit forms groupfolders maps notes onlyoffice polls;
};
extraAppsEnable = true;
settings = {
trusted_proxies = ["193.1.99.65"];
@ -97,23 +102,17 @@ in {
};
};
environment.etc."nextcloud-whiteboard-secret".text = ''
JWT_SECRET_KEY=test123
'';
services.nextcloud-whiteboard-server = {
nixpkgs.config.allowUnfree = true;
services.onlyoffice = {
enable = true;
settings.NEXTCLOUD_URL = "https://nextcloud.skynet.ie";
secrets = ["/etc/nextcloud-whiteboard-secret"];
};
nixpkgs.config.allowUnfree = true;
# impacted by https://github.com/NixOS /nixpkgs/issues/352443
# services.onlyoffice = {
# enable = true;
# };
services.nginx.virtualHosts = {
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
${domain} = {
forceSSL = true;
useACMEHost = "skynet";
@ -123,14 +122,6 @@ in {
useACMEHost = "skynet";
locations."/".proxyPass = "http://127.0.0.1:8000";
};
"whiteboard.${domain}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "http://localhost:3002";
proxyWebsockets = true;
};
};
};
};
}

2
applications/nginx.nix
View file

@ -9,6 +9,8 @@
recommendedGzipSettings = true;
recommendedProxySettings = true;
statusPage = true;
# give Nginx access to our certs
group = "acme";
};

98
applications/nix_cache/nix_cache.nix
View file

@ -1,98 +0,0 @@
/*
A nix cache for our use
atticd-atticadm make-token --sub "admin_username" --validity "10y" --pull "*" --push "*" --create-cache "*" --delete "*" --configure-cache "*" --configure-cache-retention "*" --destroy-cache "*"
# for the gitlab runner, done eyarly
atticd-atticadm make-token --sub "wheatly-runner" --validity "1y" --pull "skynet-cache" --push "skynet-cache"
Documentation:
https://docs.attic.rs/introduction.html
*/
{
lib,
config,
pkgs,
...
}:
with lib; let
name = "nix-cache";
cfg = config.services.skynet."${name}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Nix Cache";
};
config = mkIf cfg.enable {
services.skynet.acme.domains = [
"${name}.skynet.ie"
];
services.skynet.dns.records = [
{
record = "${name}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
users.groups."nix-serve" = {};
users.users."nix-serve" = {
isSystemUser = true;
group = "nix-serve";
};
services.atticd = {
enable = true;
# Replace with absolute path to your credentials file
environmentFile = "/etc/atticd.env";
settings = {
listen = "127.0.0.1:8080";
# Data chunking
#
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
};
};
};
networking.firewall.allowedTCPPorts = [80 443];
services.nginx = {
clientMaxBodySize = "500m";
virtualHosts = {
"${name}.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
};
};
};
};
};
}

17
applications/open_governance/README.md
View file

@ -1,17 +0,0 @@
# Open Governance
Started by DCU this is an initiative to make the running of (computer) societies more open and resilient.
The goal is to back these up in multiple locations.
| Uni | Tag | Repo | Notes |
|-----|----------|----------------------------------------------------------|-------|
| DCU | redbrick | https://github.com/redbrick/open-governance | |
| UL | skynet | https://gitlab.skynet.ie/compsoc1/compsoc/open-goverance | |
| | | | |
## Keys
We host our own keyserver: https://keyserver.skynet.ie
Use it in commands like so:
``gpg --keyserver hkp://keyserver.skynet.ie:80 --send-key KEY_ID``

62
applications/open_governance/keyserver.nix
View file

@ -1,62 +0,0 @@
/*
This file is for hosting teh open governance for other societies
*/
{
lib,
config,
pkgs,
...
}:
with lib; let
name = "keyserver";
cfg = config.services.skynet."${name}";
port = 11371;
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Public Keyserver";
};
config = mkIf cfg.enable {
services.skynet.acme.domains = [
"${name}.skynet.ie"
];
services.skynet.dns.records = [
{
record = "${name}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.hockeypuck = {
enable = true;
port = port;
};
# hockeypuck needs a database backend
services.postgresql = {
enable = true;
ensureDatabases = ["hockeypuck"];
ensureUsers = [
{
name = "hockeypuck";
ensureDBOwnership = true;
}
];
};
services.nginx.virtualHosts = {
"${name}.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "http://localhost:${toString port}";
};
};
};
};
}

61
applications/open_governance/open_governance.nix
View file

@ -1,61 +0,0 @@
/*
This file is for hosting teh open governance for other societies
*/
{
lib,
config,
pkgs,
...
}:
with lib; let
# - instead of _ for dns reasons
name = "open-governance";
cfg = config.services.skynet."${name}";
folder = "/var/skynet/${name}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Open Governance";
};
config = {
services.skynet.acme.domains = [
"${name}.skynet.ie"
];
services.skynet.dns.records = [
{
record = "${name}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
# create a folder to store the archives
systemd.tmpfiles.rules = [
"d ${folder} 0755 ${config.services.nginx.user} ${config.services.nginx.group}"
"L+ ${folder}/README.md - - - - ${./README.md}"
];
services.nginx.virtualHosts = {
"${name}.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = folder;
locations = {
"/".extraConfig = "autoindex on;";
# show md files as plain text
"~ \.md".extraConfig = ''
types {
text/plain md;
}
'';
};
};
};
};
}

6
applications/pelican/Notes.md
View file

@ -1,6 +0,0 @@
# Notes on Pelican
## Panel
* ``pelican-install`` is in env that can be used to isntall
* then go to ``panel-address.skynet.ie/installer`` to finish the setup

30
applications/pelican/pelican-panel-install.nix
View file

@ -1,30 +0,0 @@
{
pkgs,
dir,
}:
pkgs.writeShellScriptBin "pelican-install" ''
DIR=${dir}
echo "Installing Pelican panel to $DIR ..."
if [ -d $DIR ]; then
echo "Directory $DIR already exists, exiting"
exit 1
fi
echo "Creating directory ..."
mkdir -p $DIR
cd $DIR
echo "Downloading Pelican panel ..."
curl -L https://github.com/pelican-dev/panel/releases/latest/download/panel.tar.gz | tar -xzv
echo "Installing Pelican panel using composer ..."
yes | composer install --no-dev --optimize-autoloader
echo "Setting up the environment ..."
yes "" | php artisan p:environment:setup
echo "Setting permissions ..."
chmod -R 755 storage/* bootstrap/cache/
chown -R nginx:acme $DIR
echo "Pelican panel installed successfully"
''

48
applications/pelican/pelican-panel-update.nix
View file

@ -1,48 +0,0 @@
{
pkgs,
dir,
}:
pkgs.writeShellScriptBin "pelican-update" ''
DIR=${dir}
echo "Updateing Pelican panel in $DIR ..."
if [ -d $DIR ]; then
echo "Directory $DIR found, entering maintenance mode ..."
else
echo "Directory $DIR does not exist, exiting"
exit 1
fi
cd $DIR
php artisan down
echo "Downloading Pelican panel update ..."
curl -L https://github.com/pelican-dev/panel/releases/latest/download/panel.tar.gz | tar -xzv
echo "Setting permissions ..."
chmod -R 755 storage/* bootstrap/cache
echo "Updating Pelican panel using composer ..."
yes | composer install --no-dev --optimize-autoloader
echo "Clearing compiled template cache ..."
php artisan view:clear
php artisan config:clear
echo "Optimizing Pelican panel ..."
php artisan filament:optimize
echo "Updating the database ..."
php artisan migrate --seed --force
echo "Setting permissions ..."
chown -R nginx:acme $DIR
echo "Restart Pelican queue service ..."
systemctl restart pelican-queue.service
echo "Exiting maintenance mode ..."
php artisan up
echo "Pelican panel updated successfully"
''

24
applications/pelican/pelican-wing-package.nix
View file

@ -1,24 +0,0 @@
{
stdenv,
lib,
fetchurl,
docker,
gnutar,
}:
stdenv.mkDerivation rec {
pname = "pelican-wings";
version = "v1.0.0-beta9";
src = fetchurl {
url = "https://github.com/pelican-dev/wings/releases/download/${version}/wings_linux_amd64";
hash = "sha256-YaS1bthNSeWXH5drc2yensRqsRAOa2VXvivJOaPybqc=";
};
buildInputs = [docker gnutar];
phases = ["installPhase"];
installPhase = ''
install -D $src $out/bin/wings
'';
}

323
applications/pelican/pelican.nix
View file

@ -1,323 +0,0 @@
{
inputs,
pkgs,
lib,
config,
...
}:
with lib; let
name = "pelican";
cfg = config.services.skynet."${name}";
php_pool = name;
domain_panel = "${cfg.panel.domain.sub}.${cfg.panel.domain.base}.${cfg.panel.domain.tld}";
packages = let
dir = cfg.panel.dir;
in [
pkgs.curl
pkgs.gnutar
pkgs.unzip
pkgs.gzip
pkgs.php83
pkgs.php83Packages.composer
pkgs.php83Extensions.gd
pkgs.php83Extensions.mysqli
pkgs.php83Extensions.mbstring
pkgs.php83Extensions.bcmath
pkgs.php83Extensions.xml
pkgs.php83Extensions.curl
pkgs.php83Extensions.zip
pkgs.php83Extensions.intl
pkgs.php83Extensions.sqlite3
(import ./pelican-panel-update.nix {
inherit pkgs;
inherit dir;
})
];
in {
imports = [
];
options.services.skynet."${name}" = {
panel = {
enable = mkEnableOption "Pelican Panel";
dir = mkOption {
type = types.str;
default = "/var/lib/pelican_panel";
};
domain = {
tld = mkOption {
type = types.str;
default = "ie";
};
base = mkOption {
type = types.str;
default = "skynet";
};
sub = mkOption {
type = types.str;
#default = name;
default = "panel.games";
};
};
};
wing = {
enable = mkEnableOption "Pelican Wing";
node_name = mkOption {
type = types.str;
};
};
};
config = mkMerge [
(mkIf cfg.panel.enable {
services.skynet.acme.domains = [
domain_panel
];
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
services.skynet.dns.records = [
{
record = cfg.panel.domain.sub;
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
environment.systemPackages = packages;
systemd.timers."pelican-cron" = {
wantedBy = ["timers.target"];
timerConfig = {
OnBootSec = "5m";
OnUnitActiveSec = "1m";
Unit = "pelican-cron.service";
};
};
systemd.services."pelican-cron" = {
script = ''
${pkgs.php83}/bin/php ${cfg.panel.dir}/artisan schedule:run >> /dev/null 2>&1
'';
serviceConfig = {
Type = "oneshot";
};
};
systemd.services.pelican-queue = {
wantedBy = ["multi-user.target"];
serviceConfig = {
User = config.services.nginx.user;
Group = config.services.nginx.group;
Restart = "always";
ExecStart = "${pkgs.php83}/bin/php -q ${cfg.panel.dir}/artisan queue:work --tries=3";
startLimitInterval = 180;
startLimitBurst = 30;
RestartSec = "5";
};
};
systemd.services.pelican-panel-setup = {
wantedBy = ["pelican-queue.target" "pelican-cron.target"];
partOf = [];
path = packages;
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
TimeoutSec = "infinity";
Restart = "on-failure";
RemainAfterExit = true;
ExecStart = pkgs.writeShellScript "pelican-panel-install" ''
DIR=${cfg.panel.dir}
echo "Installing Pelican panel to $DIR ..."
if [ -d $DIR ]; then
echo "Directory $DIR already exists, exiting"
exit 1
fi
echo "Creating directory ..."
mkdir -p $DIR
cd $DIR
echo "Downloading Pelican panel ..."
curl -L https://github.com/pelican-dev/panel/releases/latest/download/panel.tar.gz | tar -xzv
echo "Installing Pelican panel using composer ..."
yes | composer install --no-dev --optimize-autoloader
echo "Setting up the environment ..."
yes "" | php artisan p:environment:setup
echo "Setting permissions ..."
chmod -R 755 storage/* bootstrap/cache/
chown -R ${config.services.nginx.user}:${config.services.nginx.group} $DIR
echo "Pelican panel installed successfully"
'';
};
};
services.phpfpm.pools.${php_pool} = {
user = config.services.nginx.user;
group = config.services.nginx.group;
settings = {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
"listen.mode" = "0600";
"pm" = "dynamic";
"pm.max_children" = 75;
"pm.start_servers" = 10;
"pm.min_spare_servers" = 5;
"pm.max_spare_servers" = 20;
"pm.max_requests" = 500;
"catch_workers_output" = 1;
};
};
services.nginx.virtualHosts."${domain_panel}" = {
root = "${cfg.panel.dir}/public";
forceSSL = true;
useACMEHost = "skynet";
extraConfig = ''
index index.html index.htm index.php;
charset utf-8;
access_log off;
error_log /var/log/nginx/pelican.app-error.log error;
client_max_body_size 100m;
client_body_timeout 120s;
sendfile off;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_prefer_server_ciphers on;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header Content-Security-Policy "frame-ancestors 'self'";
add_header X-Frame-Options DENY;
add_header Referrer-Policy same-origin;
'';
locations = {
"/" = {
extraConfig = ''
try_files $uri $uri/ /index.php?$query_string;
'';
};
"/favicon.ico".extraConfig = ''
access_log off;
log_not_found off;
'';
"/robots.txt".extraConfig = ''
access_log off;
log_not_found off;
'';
"~ \\.php$" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.${php_pool}.socket};
fastcgi_index index.php;
include ${config.services.nginx.package}/conf/fastcgi_params;
fastcgi_param PHP_VALUE "upload_max_filesize = 100M \n post_max_size=100M";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTP_PROXY "";
fastcgi_intercept_errors off;
fastcgi_buffer_size 16k;
fastcgi_buffers 4 16k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
'';
};
"~ /\\.ht".extraConfig = ''
deny all;
'';
};
};
})
(mkIf cfg.wing.enable {
services.skynet.acme.domains = [
"${cfg.wing.node_name}.${domain_panel}"
];
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
services.skynet.dns.records = [
{
record = "${cfg.wing.node_name}.${cfg.panel.domain.sub}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx.virtualHosts = {
"${cfg.wing.node_name}.${domain_panel}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".proxyPass = "http://127.0.0.1:8080";
};
};
networking.firewall.allowedTCPPorts = [8080 8443];
virtualisation.docker.enable = true;
environment.systemPackages = [
(pkgs.callPackage ./pelican-wing-package.nix {})
];
users.groups.pelican = {};
users.users.pelican = {
#createHome = true;
isSystemUser = true;
#home = "/etc/pelican";
group = "pelican";
extraGroups = ["docker" "acme"];
# X11 is to ensure the directory can be traversed
#homeMode = "711";
};
systemd.services.pelican-wings = {
description = "Wings Daemon";
after = ["docker.service"];
requires = ["docker.service"];
partOf = ["docker.service"];
serviceConfig = {
User = "root";
WorkingDirectory = "/etc/pelican";
LimitNOFILE = 4096;
PIDFile = "/var/run/wings/daemon.pid";
ExecStart = "/run/current-system/sw/bin/wings";
Restart = "on-failure";
startLimitInterval = 180;
startLimitBurst = 30;
RestartSec = "5";
};
wantedBy = ["multi-user.target"];
};
systemd.tmpfiles.rules = [
"L+ /etc/letsencrypt/live/${cfg.wing.node_name}.${domain_panel}/fullchain.pem - pelican acme - /var/lib/acme/skynet/fullchain.pem"
"L+ /etc/letsencrypt/live/${cfg.wing.node_name}.${domain_panel}/privkey.pem - pelican acme - /var/lib/acme/skynet/key.pem"
];
})
];
}

95
applications/prometheus.nix
View file

@ -1,95 +0,0 @@
{
nodes,
lib,
config,
...
}:
with lib; let
name = "prometheus";
cfg = config.services.skynet."${name}";
# dont have to worry about any external addresses for this
# create a list of either "ip@port" or ""
# the ""s then get filtered out by filter_empty
exporters = {
dns = (
lib.attrsets.mapAttrsToList (
key: value:
if value.config.services.skynet.dns.server.enable
then "${value.config.deployment.targetHost}:${toString value.config.services.prometheus.exporters.bind.port}"
else ""
)
nodes
);
node = lib.attrsets.mapAttrsToList (key: value: "${value.config.deployment.targetHost}:${toString value.config.services.prometheus.exporters.node.port}") nodes;
};
# clears any invalid entries
filter_empty = inputs: (builtins.filter (value: value != "") inputs);
in {
imports = [];
options.services.skynet."${name}" = {
server = {
enable = mkEnableOption "Prometheus Server";
port = mkOption {
type = types.port;
default = 9001;
};
};
external = {
node = mkOption {
type = types.listOf types.str;
default = [];
description = ''
To add other nodes outside of nix, specify ip and port that server should listen to here
'';
};
};
ports = {
node = mkOption {
type = types.port;
default = 9100;
};
};
};
config = mkMerge [
{
services.prometheus.exporters.node = {
enable = true;
port = cfg.ports.node;
openFirewall = true;
# most collectors are on by default see https://github.com/prometheus/node_exporter for more options
enabledCollectors = ["systemd" "processes"];
};
}
(mkIf cfg.server.enable {
services.prometheus = {
enable = true;
port = cfg.server.port;
scrapeConfigs = [
{
job_name = "node_exporter";
static_configs = [
{
targets = filter_empty (exporters.node ++ cfg.external.node);
}
];
}
{
job_name = "bind";
static_configs = [
{
targets = filter_empty exporters.dns;
}
];
}
];
};
})
];
}

19
applications/proxmox-lxc.nix
View file

@ -12,19 +12,19 @@ with lib; {
enable = mkOption {
default = true;
type = types.bool;
description = lib.mdDoc "Whether to enable the Proxmox VE LXC module.";
description = lib.mdDoc "Whether to enable the ProxmoxLXC.";
};
privileged = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Whether to enable privileged mounts
'';
};
manageNetwork = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Whether to manage network interfaces through nix options
When false, systemd-networkd is enabled to accept network
configuration from proxmox.
@ -33,7 +33,7 @@ with lib; {
manageHostName = mkOption {
type = types.bool;
default = false;
description = ''
description = lib.mdDoc ''
Whether to manage hostname through nix options
When false, the hostname is picked up from /etc/hostname
populated by proxmox.
@ -68,8 +68,6 @@ with lib; {
loader.initScript.enable = true;
};
console.enable = true;
networking = mkIf (!cfg.manageNetwork) {
useDHCP = false;
useHostResolvConf = false;
@ -83,14 +81,13 @@ with lib; {
startWhenNeeded = mkDefault true;
};
systemd = {
mounts = mkIf (!cfg.privileged) [
systemd.mounts =
mkIf (!cfg.privileged)
[
{
enable = false;
where = "/sys/kernel/debug";
enable = false;
}
];
services."getty@".unitConfig.ConditionPathExists = ["" "/dev/%I"];
};
};
}

58
applications/restic.nix
View file

@ -7,8 +7,7 @@
...
}:
with lib; let
name = "backup";
cfg = config.services.skynet."${name}";
cfg = config.services.skynet_backup;
enable_client = cfg.normal.backups != null && cfg.normal.backups != [];
@ -38,24 +37,22 @@ with lib; let
ownServers = builtins.listToAttrs (builtins.concatLists (
lib.attrsets.mapAttrsToList (
key: value: let
backup = value.config.services.skynet.backup;
backup_host = value.config.services.skynet.host;
backup = value.config.services.skynet_backup;
in
if
(
(builtins.hasAttr "backup" value.config.services.skynet)
(builtins.hasAttr "skynet_backup" value.config.services)
&& backup.server.enable
# chgeck that its not itself
&& backup_host.name != config.services.skynet.host.name
&& backup.host.name != cfg.host.name
&& !backup.server.appendOnly
)
then [
{
name = backup_host.name;
name = backup.host.name;
value =
base
// {
repositoryFile = "/etc/skynet/restic/${backup_host.name}";
repositoryFile = "/etc/skynet/restic/${backup.host.name}";
backupPrepareCommand = ''
#!${pkgs.stdenv.shell}
@ -66,13 +63,13 @@ with lib; let
mkdir -p $baseDir
cd $baseDir
echo -n "rest:http://root:password@${backup_host.ip}:${toString backup.server.port}/root/${config.services.skynet.host.name}" > ${backup_host.name}
echo -n "rest:http://root:password@${backup.host.ip}:${toString backup.server.port}/root/${cfg.host.name}" > ${backup.host.name}
# read in teh password
#PW = `cat ${config.age.secrets.restic.path}`
line=$(head -n 1 ${config.age.secrets.restic.path})
sed -i "s/password/$line/g" ${backup_host.name}
sed -i "s/password/$line/g" ${backup.host.name}
'';
};
}
@ -88,8 +85,9 @@ in {
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
# https://git.hrnz.li/Ulli/nixos/src/commit/5edca2dfdab3ce52208e4dfd2b92951e500f8418/profiles/server/restic.nix
# will eb enabled on every server
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet backup";
options.services.skynet_backup = {
# backup is enabled by default
# enable = mkEnableOption "Skynet backup";
# what folders to backup
normal = {
@ -129,6 +127,16 @@ in {
};
};
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
server = {
enable = mkEnableOption "Skynet backup Server";
@ -144,15 +152,14 @@ in {
};
};
config = mkMerge [
config =
{
# these values are anabled for every client
environment.systemPackages = with pkgs; [
restic
];
}
(mkIf cfg.server.enable {
// mkIf cfg.server.enable {
networking.firewall.allowedTCPPorts = [
cfg.server.port
];
@ -168,13 +175,12 @@ in {
services.restic.server = {
enable = true;
listenAddress = "${config.services.skynet.host.ip}:${toString cfg.server.port}";
listenAddress = "${cfg.host.ip}:${toString cfg.server.port}";
appendOnly = cfg.server.appendOnly;
privateRepos = true;
};
})
(mkIf enable_client {
}
// mkIf enable_client {
# client stuff here
# A list of all login accounts. To create the password hashes, use
@ -183,17 +189,15 @@ in {
age.secrets.restic.file = ../secrets/backup/restic.age;
services.restic.backups = mkMerge [
services.restic.backups =
ownServers
{
// {
# merge teh two configs together
# backblaze = base // {
# # backupos for each server are stored in a folder under their name
# repository = "b2:NixOS-Main2:/${config.services.skynet.host.name}";
# repository = "b2:NixOS-Main2:/${cfg.host.name}";
# #environmentFile = config.age.secrets.backblaze.path;
# };
}
];
})
];
};
};
}

108
applications/skynet.ie.nix Normal file
View file

@ -0,0 +1,108 @@
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet;
in {
imports = [
./acme.nix
./dns.nix
];
options.services.skynet = {
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
};
config = {
skynet_acme.domains = [
# the root one is already covered by teh certificate
"2016.skynet.ie"
"discord.skynet.ie"
"public.skynet.ie"
"renew.skynet.ie"
];
skynet_dns.records = [
# means root domain, so skynet.ie
{
record = "@";
r_type = "A";
value = cfg.host.ip;
}
{
record = "2016";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "discord";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "public";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "renew";
r_type = "CNAME";
value = cfg.host.name;
}
];
networking.firewall.allowedTCPPorts = [80 443];
services.nginx = {
enable = true;
group = "acme";
virtualHosts = {
# main site
"skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs.skynet_website.defaultPackage."x86_64-linux"}";
};
# archive of teh site as it was ~2012 to 2016
"2016.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs.skynet_website_2016.defaultPackage."x86_64-linux"}";
};
# a custom discord url, because we are too cheap otehrwise
"discord.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://discord.gg/mkuKJkCuyM";
};
"public.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs.compsoc_public.packages.x86_64-linux.default}";
locations."/".extraConfig = "autoindex on;";
};
# for alumni members to renew their account
"renew.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs.skynet_website_renew.defaultPackage."x86_64-linux"}";
};
};
};
};
}

34
applications/skynet.ie/old_site.nix
View file

@ -1,34 +0,0 @@
{year}: {
config,
pkgs,
lib,
inputs,
...
}:
with lib; {
imports = [];
config = {
services.skynet.acme.domains = [
"${year}.skynet.ie"
];
services.skynet.dns.records = [
{
record = year;
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx = {
virtualHosts = {
"${year}.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs."skynet_website_${year}".defaultPackage."x86_64-linux"}";
};
};
};
};
}

91
applications/skynet.ie/skynet.ie.nix
View file

@ -1,91 +0,0 @@
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
name = "website";
cfg = config.services.skynet."${name}";
in {
imports = [
# import in past website versions, available at $year.skynet.ie
# at teh end of teh year add it here
(import ./old_site.nix {year = "2023";})
(import ./old_site.nix {year = "2017";})
(import ./old_site.nix {year = "2009";})
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Main Website";
};
config = mkIf cfg.enable {
services.skynet.acme.domains = [
"www.skynet.ie"
"discord.skynet.ie"
"public.skynet.ie"
];
services.skynet.dns.records = [
# means root domain, so skynet.ie
{
record = "@";
r_type = "A";
value = config.services.skynet.host.ip;
}
{
record = "www";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
{
record = "discord";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
{
record = "public";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx = {
virtualHosts = let
main_site = {
forceSSL = true;
useACMEHost = "skynet";
locations = {
"/".root = "${inputs.skynet_website.defaultPackage."x86_64-linux"}";
# this redirects old links to new format
"~* ~(?<username>[a-z_0-9]*)(?<files>\\S*)$" = {
priority = 1;
return = "307 https://$username.users.skynet.ie$files";
};
};
};
in {
# main site
"www.skynet.ie" = main_site;
"skynet.ie" = main_site;
# a custom discord url, because we are too cheap otehrwise
"discord.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://discord.gg/mkuKJkCuyM";
};
"public.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs.compsoc_public.packages.x86_64-linux.default}";
locations."/".extraConfig = "autoindex on;";
};
};
};
};
}

64
applications/skynet.ie/wiki.nix
View file

@ -1,64 +0,0 @@
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
name = "wiki";
cfg = config.services.skynet."${name}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Wiki";
};
config = mkIf cfg.enable {
services.skynet.acme.domains = [
"renew.skynet.ie"
"wiki.skynet.ie"
];
services.skynet.dns.records = [
{
record = "renew";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
{
record = "wiki";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx = {
virtualHosts = {
"wiki.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs.skynet_website_wiki.defaultPackage."x86_64-linux"}";
# https://stackoverflow.com/a/38238001/11964934
extraConfig = ''
location / {
if ($request_uri ~ ^/(.*)\.html) {
return 302 /$1;
}
try_files $uri $uri.html $uri/ =404;
}
'';
};
# redirect old links to the new wiki
"renew.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://wiki.skynet.ie";
};
};
};
};
}

94
applications/skynet_users.nix
View file

@ -6,25 +6,30 @@
...
}:
with lib; let
name = "website_users";
cfg = config.services.skynet."${name}";
php_pool = name;
cfg = config.services.skynet_users;
in {
imports = [
./acme.nix
./dns.nix
./nginx.nix
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet User Linux Server";
options.services.skynet_users = {
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
};
config = {
# we havea more limited ports range on the skynet server
services.skynet.prometheus.ports = {
node = 9000;
};
# ssh access
# allow more than admins access
services.skynet.ldap_client = {
services.skynet_ldap_client = {
groups = [
"skynet-admins-linux"
"skynet-users-linux"
@ -32,21 +37,21 @@ in {
};
# Website config
services.skynet.acme.domains = [
skynet_acme.domains = [
"users.skynet.ie"
"*.users.skynet.ie"
];
services.skynet.dns.records = [
skynet_dns.records = [
{
record = "users";
r_type = "CNAME";
value = config.services.skynet.host.name;
value = cfg.host.name;
}
{
record = "*.users";
r_type = "CNAME";
value = config.services.skynet.host.name;
value = cfg.host.name;
}
];
@ -64,41 +69,14 @@ in {
# normally services cannot read home dirs
systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
systemd.services."phpfpm-${php_pool}".serviceConfig.ProtectHome = lib.mkForce "read-only";
services.phpfpm.pools.${php_pool} = {
user = config.services.nginx.user;
group = config.services.nginx.group;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
};
phpEnv."PATH" = lib.makeBinPath [pkgs.php];
};
services.nginx.virtualHosts = {
"outinul.ie" = {
"${cfg.host.ip}" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
alias = "/home/outinul/public_html/";
index = "index.html";
extraConfig = ''
autoindex on;
'';
tryFiles = "$uri$args $uri$args/ /index.html";
};
};
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
# main site
"*.users.skynet.ie" = {
forceSSL = true;
@ -110,27 +88,11 @@ in {
# chmod 711 ~
# chmod -R 755 ~/public_html
locations = {
"/" = {
alias = "/home/$user/public_html/";
index = "index.html";
extraConfig = ''
autoindex on;
'';
tryFiles = "$uri$args $uri$args/ /index.html";
};
"~ ^(.+\\.php)(.*)$" = {
root = "/home/$user/public_html/";
index = "index.php";
extraConfig = ''
autoindex on;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.${php_pool}.socket};
include ${pkgs.nginx}/conf/fastcgi.conf;
'';
tryFiles = "$uri$args $uri$args/ /index.php";
};
locations."/" = {
alias = "/home/$user/public_html/";
index = "index.html";
extraConfig = "autoindex on;";
tryFiles = "$uri$args $uri$args/ /index.html";
};
};
};

39
applications/ulfm.nix
View file

@ -5,15 +5,28 @@
...
}:
with lib; let
name = "ulfm";
cfg = config.services.skynet."${name}";
cfg = config.services.skynet_ulfm;
in {
imports = [
./acme.nix
./dns.nix
./firewall.nix
./nginx.nix
];
options.services.skynet."${name}" = {
options.services.skynet_ulfm = {
enable = mkEnableOption "ULFM service";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = {
tld = mkOption {
type = types.str;
@ -40,22 +53,22 @@ in {
8000
];
services.skynet.acme.domains = [
skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
];
services.skynet.dns.records = [
skynet_dns.records = [
{
record = cfg.domain.sub;
r_type = "CNAME";
value = config.services.skynet.host.name;
value = cfg.host.name;
}
];
skynet_firewall.forward = [
"ip daddr ${config.services.skynet.host.ip} tcp dport 80 counter packets 0 bytes 0 accept"
"ip daddr ${config.services.skynet.host.ip} tcp dport 443 counter packets 0 bytes 0 accept"
"ip daddr ${config.services.skynet.host.ip} tcp dport 8000 counter packets 0 bytes 0 accept"
"ip daddr ${cfg.host.ip} tcp dport 80 counter packets 0 bytes 0 accept"
"ip daddr ${cfg.host.ip} tcp dport 443 counter packets 0 bytes 0 accept"
"ip daddr ${cfg.host.ip} tcp dport 8000 counter packets 0 bytes 0 accept"
];
users.groups."icecast" = {};
@ -81,12 +94,20 @@ in {
};
services.nginx = {
enable = true;
group = "acme";
virtualHosts = {
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".proxyPass = "http://localhost:8000";
};
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
};
};
};

75
config/dns.nix
View file

@ -1,59 +1,58 @@
{lib, ...}: {
imports = [
];
imports = [];
options.skynet.records = lib.mkOption {
description = "Records, sorted based on therir type";
type = lib.types.listOf (lib.types.submodule (import ../applications/dns/options-records.nix {
inherit lib;
}));
options.skynet = {
records = lib.mkOption {
description = "Records, sorted based on therir type";
type = lib.types.attrsOf (lib.types.listOf (lib.types.submodule (import ../_types/dns_object.nix {
inherit lib;
})));
};
};
config = {
skynet.records =
[
# Proxmox hosts
skynet.records = {
"skynet.ie" = [
{
record = "jarvis";
record = "optimus-reborn";
r_type = "A";
value = "193.1.99.73";
value = "193.1.99.90";
server = true;
}
{
record = "ultron";
record = "panel.games";
r_type = "CNAME";
value = "optimus-reborn";
}
{
record = "bumblebee";
r_type = "A";
value = "193.1.99.84";
value = "193.1.99.91";
server = true;
}
# wifi in server room
{
record = "ash";
r_type = "A";
value = "193.1.99.114";
server = true;
}
]
# non skynet domains
++ [
{
domain = "conradcollins.net";
record = "www";
record = "minecraft.compsoc.games";
r_type = "CNAME";
value = "skynet.skynet.ie.";
}
{
domain = "edelharty.net";
record = "www";
r_type = "CNAME";
value = "skynet.skynet.ie.";
value = "bumblebee";
}
{
domain = "damienconroy.com";
record = "www";
r_type = "CNAME";
value = "skynet.skynet.ie.";
record = "_minecraft._tcp.minecraft.compsoc.games.skynet.ie.";
r_type = "SRV";
value = "0 10 25518 minecraft.compsoc.games.skynet.ie.";
}
];
# some space to avoid conflicts
"conradcollins.net" = [];
"edelharty.net" = [];
"outinul.ie" = [
{
record = "@";
r_type = "CNAME";
value = "users.skynet.ie.";
}
];
};
};
}

52
config/users.nix
View file

@ -1,11 +1,6 @@
{
lib,
config,
...
}:
{lib, ...}:
with lib; let
port_backend = "8087";
cfg = config.skynet.users;
in {
options.skynet = {
users = {
@ -49,43 +44,34 @@ in {
config.skynet = {
users = {
committee = lib.lists.unique (
# Committee - Core
[
"silver"
"eoghanconlon73"
"nanda"
"emily1999"
"dgr"
]
# Committee - OCM
++ [
"skyapples"
"eliza"
"amymucko"
"archiedms"
"kaiden"
]
# Committee - SISTEM
++ [
"peace"
]
# Admins are part of Committee as well
++ cfg.admin
);
committee = [
"silver"
"eoghanconlon73"
"sidhiel"
"maksimsger1"
"kaiden"
"pine"
"nanda"
"sourabh1805"
"kronsy"
"skyapples"
];
admin = [
"silver"
"evanc"
"eoghanconlon73"
"eliza"
"esy"
];
trainee = [];
trainee = [
"milan"
"esy"
"kronsy"
];
lifetime = [];
banned = [];
clubs_societies = [
"outinul"
"gamesdev"
];
restricted =

949
flake.lock
View file

File diff suppressed because it is too large Load diff

122
flake.nix
View file

@ -7,71 +7,83 @@
# Return to using unstable once the current master is merged in
# nixpkgs.url = "nixpkgs/nixos-unstable";
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-1.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
# utility stuff
flake-utils.url = "github:numtide/flake-utils";
agenix.url = "github:ryantm/agenix";
arion.url = "github:hercules-ci/arion";
alejandra = {
url = "github:kamadorueda/alejandra";
url = "github:kamadorueda/alejandra/3.0.0";
inputs.nixpkgs.follows = "nixpkgs";
};
colmena.url = "github:zhaofengli/colmena";
# we host our own
# email
# simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
simple-nixos-mailserver = {
inputs.nixpkgs.follows = "nixpkgs";
url = "git+https://forgejo.skynet.ie/Skynet/misc_nixos-mailserver";
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "misc%2Fnixos-mailserver";
};
######################
### skynet backend ###
######################
skynet_ldap_backend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_backend";
skynet_ldap_frontend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_frontend";
skynet_website_wiki.url = "git+https://forgejo.skynet.ie/Skynet/wiki";
skynet_website_games.url = "git+https://forgejo.skynet.ie/Skynet/website_games";
skynet_discord_bot.url = "git+https://forgejo.skynet.ie/Skynet/discord-bot";
# for testing a local build
# skynet_discord_bot.url = "git+file:/_college/CompSoc/Skynet/discord_bot?shallow=1";
#####################
### compsoc stuff ###
#####################
compsoc_public.url = "git+https://forgejo.skynet.ie/Computer_Society/presentations_compsoc";
#################
### skynet.ie ###
#################
# this should always point to teh current website
skynet_website.url = "git+https://forgejo.skynet.ie/Skynet/website_2017";
# these are past versions of teh website
skynet_website_2023.url = "git+https://forgejo.skynet.ie/Skynet/website_2017?rev=c4d61c753292bf73ed41b47b1607cfc92a82a191";
# this is not 100% right since this is from teh archive from 2022 or so
skynet_website_2017.url = "git+https://forgejo.skynet.ie/Skynet/website_2017?rev=edd922c5b13fa1f520e8e265a3d6e4e189852b99";
# this is more of 2012 than 2009 but started in 2009
skynet_website_2009.url = "git+https://forgejo.skynet.ie/Skynet/website_2009";
# account.skynet.ie
skynet_ldap_backend = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "ldap%2Fbackend";
};
skynet_ldap_frontend = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "ldap%2Ffrontend";
};
skynet_website = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "website%2F2023";
};
skynet_website_2016 = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "website%2F2016";
};
skynet_website_renew = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "website%2Falumni-renew";
};
skynet_website_games = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "website%2Fgames.skynet.ie";
};
skynet_discord_bot = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "discord-bot";
};
compsoc_public = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fcompsoc";
repo = "presentations%2Fpresentations";
};
};
nixConfig = {
bash-prompt-suffix = "[Skynet Dev] ";
extra-substituters = "https://nix-cache.skynet.ie/skynet-cache";
extra-trusted-public-keys = "skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo=";
};
nixConfig.bash-prompt-suffix = "[Skynet Dev] ";
outputs = {
self,
nixpkgs,
agenix,
alejandra,
colmena,
...
} @ inputs: let
pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs;
@ -82,8 +94,7 @@
name = "Skynet build env";
nativeBuildInputs = [
pkgs.buildPackages.git
colmena.defaultPackage."x86_64-linux"
pkgs.attic-client
pkgs.buildPackages.colmena
pkgs.buildPackages.nmap
];
buildInputs = [agenix.packages.x86_64-linux.default];
@ -97,7 +108,7 @@
overlays = [];
};
specialArgs = {
inherit inputs self;
inherit inputs;
};
};
@ -116,6 +127,9 @@
# icecast - ULFM
galatea = import ./machines/galatea.nix;
# Game host
optimus = import ./machines/optimus.nix;
# LDAP host
kitt = import ./machines/kitt.nix;
@ -142,18 +156,6 @@
# trainee server
marvin = import ./machines/marvin.nix;
# Public Services
calculon = import ./machines/calculon.nix;
# metrics
ariia = import ./machines/ariia.nix;
# games server - panel
optimus = import ./machines/optimus.nix;
# games server - host
bumblebee = import ./machines/bumblebee.nix;
};
};
}

39
machines/_base.nix
View file

@ -18,11 +18,17 @@ in {
# for the secrets
inputs.agenix.nixosModules.default
# base application config for all servers
../applications/_base.nix
# every sever may need the firewall config stuff
../applications/firewall.nix
#
inputs.lix-module.nixosModules.default
# every sever needs to have a dns record
../applications/dns.nix
# every server needs teh ldap client for admins
../applications/ldap/client.nix
# every server will need the config to backup to
../applications/restic.nix
];
options.skynet = {
@ -89,7 +95,7 @@ in {
};
# skynet-admin-linux will always be added, individual servers can override the groups option
services.skynet.ldap_client.enable = true;
services.skynet_ldap_client.enable = true;
networking = {
# every sever needs to be accessable over ssh for admin use at least
@ -120,20 +126,19 @@ in {
# https://discourse.nixos.org/t/systemd-networkd-wait-online-934764-timeout-occurred-while-waiting-for-network-connectivity/33656/9
systemd.network.wait-online.enable = false;
environment.systemPackages = with pkgs; [
environment.systemPackages = [
# for flakes
git
git-lfs
pkgs.git
# useful tools
ncdu_2
htop
nano
nmap
bind
zip
traceroute
openldap
screen
pkgs.ncdu_2
pkgs.htop
pkgs.nano
pkgs.nmap
pkgs.bind
pkgs.zip
pkgs.traceroute
pkgs.openldap
pkgs.screen
];
};
}

56
machines/_template.nix
View file

@ -1,56 +0,0 @@
/*
Name: Link to where information on the name can be found
Why: Why is it named this
Type: VM/Physical
Hardware: - if its a VM, the hardware (PowerEdge r210) if its physical
From: 2023/2024/2025/...
Role: What role does it have in teh cluster
Notes:
*/
{
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "name";
# Assigned IP address
ip_pub = "193.1.99.000";
# dont need to change these
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
# what configurrations to import, email in this example
imports = [
../applications/email.nix
];
deployment = {
# dont need to change these
targetHost = hostname;
targetPort = 22;
targetUser = null;
# deployment option: active-dns/active-core/active-ext/active
tags = [
"active"
];
};
services.skynet = {
# pass in the details of the host server
host = host;
# enable the backup service
backup.enable = true;
# enable the imported service
email.enable = true;
};
}

27
machines/agentjones.nix
View file

@ -17,11 +17,6 @@ Notes: Used to have Agent Smith as a partner but it died (Ironically)
name = "agentjones";
ip_pub = "193.1.99.72";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
./hardware/RM001.nix
@ -36,9 +31,25 @@ in {
tags = ["active-firewall"];
};
services.skynet = {
host = host;
backup.enable = true;
skynet_dns.records = [
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
# keep the wired usb connection alive (front panel)

47
machines/ariia.nix
View file

@ -1,47 +0,0 @@
/*
Name: https://en.wikipedia.org/wiki/Eagle_Eye
Why: ARIIA - Autonomous Reconnaissance Intelligence Integration Analyst
Type: VM
Hardware: -
From: 2024
Role: Metrics gathering and Analysis
Notes:
*/
{
config,
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "ariia";
ip_pub = "193.1.99.83";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
../applications/grafana.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = null;
tags = ["active-core"];
};
services.skynet = {
host = host;
backup.enable = true;
prometheus.server.enable = true;
grafana.enable = true;
};
}

51
machines/bumblebee.nix
View file

@ -1,51 +0,0 @@
/*
Name: https://en.wikipedia.org/wiki/Bumblebee_(Transformers)
Why: Created to sell toys so this vm is for games
Type: VM
Hardware: -
From: 2024
Role: Game host
Notes:
*/
{
pkgs,
lib,
nodes,
arion,
...
}: let
# name of the server, sets teh hostname and record for it
name = "bumblebee";
ip_pub = "193.1.99.91";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
../applications/pelican/pelican.nix
../applications/games/minecraft.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = null;
tags = ["active"];
};
services.skynet = {
host = host;
backup.enable = true;
pelican = {
wing = {
enable = true;
node_name = "node01";
};
};
};
}

36
machines/cadie.nix
View file

@ -18,11 +18,6 @@ Notes:
name = "cadie";
ip_pub = "193.1.99.77";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
../applications/nextcloud.nix
@ -36,10 +31,33 @@ in {
tags = ["active"];
};
services.skynet = {
host = host;
backup.enable = true;
nextcloud.enable = true;
skynet_dns.records = [
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
services.skynet_nextcloud = {
enable = true;
host = {
ip = ip_pub;
name = name;
};
};
# this was causing a conflict for some reason

49
machines/calculon.nix
View file

@ -1,49 +0,0 @@
/*
Name: https://futurama.fandom.com/wiki/Calculon
Why: Public Service server
Type: VM
Hardware: -
From: 2024
Role: Public services such as Nix Cache, Open governance stuff.
Notes:
*/
{
pkgs,
lib,
nodes,
inputs,
...
}: let
name = "calculon";
ip_pub = "193.1.99.82";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
../applications/nix_cache/nix_cache.nix
../applications/open_governance/open_governance.nix
../applications/open_governance/keyserver.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = null;
tags = ["active"];
};
services.skynet = {
host = host;
backup.enable = true;
nix-cache.enable = true;
open-governance.enable = true;
keyserver.enable = true;
};
}

40
machines/earth.nix
View file

@ -18,29 +18,45 @@ Notes:
name = "earth";
ip_pub = "193.1.99.79";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
../applications/skynet.ie/skynet.ie.nix
../applications/skynet.ie/wiki.nix
../applications/skynet.ie.nix
];
deployment = {
targetHost = hostname;
targetHost = ip_pub;
targetPort = 22;
targetUser = null;
tags = ["active-core"];
};
# it has two network devices so two
skynet_dns.records = [
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
services.skynet = {
host = host;
backup.enable = true;
website.enable = true;
wiki.enable = true;
host = {
ip = ip_pub;
name = name;
};
};
}

36
machines/galatea.nix
View file

@ -19,11 +19,6 @@ Notes:
name = "galatea";
ip_pub = "193.1.99.111";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
../applications/ulfm.nix
@ -37,9 +32,32 @@ in {
tags = ["active"];
};
services.skynet = {
host = host;
backup.enable = true;
ulfm.enable = true;
skynet_dns.records = [
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
services.skynet_ulfm = {
enable = true;
host = {
ip = ip_pub;
name = name;
};
};
}

40
machines/gir.nix
View file

@ -18,11 +18,7 @@ Notes:
name = "gir";
ip_pub = "193.1.99.76";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
#hostname = ip_pub;
in {
imports = [
../applications/email.nix
@ -36,9 +32,35 @@ in {
tags = ["active-core"];
};
services.skynet = {
host = host;
backup.enable = true;
email.enable = true;
# add this server to dns
skynet_dns.records = [
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
# we use this to pass in teh relevent infomation to the
services.skynet_email = {
enable = true;
host = {
ip = ip_pub;
name = name;
};
domain = "skynet.ie";
};
}

42
machines/glados.nix
View file

@ -19,15 +19,9 @@ Notes: Each user has roughly 20gb os storage
name = "glados";
ip_pub = "193.1.99.75";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
../applications/git/gitlab.nix
../applications/git/forgejo.nix
../applications/gitlab.nix
];
deployment = {
@ -35,13 +29,35 @@ in {
targetPort = 22;
targetUser = null;
tags = ["active-git"];
tags = ["active-gitlab"];
};
services.skynet = {
host = host;
backup.enable = true;
gitlab.enable = true;
forgejo.enable = true;
skynet_dns.records = [
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
services.skynet_gitlab = {
enable = true;
host = {
ip = ip_pub;
name = name;
};
};
}

56
machines/kitt.nix
View file

@ -9,7 +9,6 @@ Role: LDAP Server
Notes:
*/
{
config,
pkgs,
lib,
nodes,
@ -19,15 +18,10 @@ Notes:
name = "kitt";
ip_pub = "193.1.99.74";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
#hostname = ip_pub;
in {
imports = [
../applications/ldap/server.nix
../applications/ldap/backend.nix
../applications/discord.nix
../applications/bitwarden/vaultwarden.nix
../applications/bitwarden/bitwarden_sync.nix
@ -41,18 +35,46 @@ in {
tags = ["active-core"];
};
services.skynet = {
host = host;
backup.enable = true;
# add this server to dns
skynet_dns.records = [
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
# ldap setup
ldap.enable = true;
ldap_backend.enable = true;
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
# private member services
discord_bot.enable = true;
services.skynet_ldap = {
enable = true;
host = {
ip = ip_pub;
name = name;
};
};
# committee/admin services
vaultwarden.enable = true;
services.discord_bot = {
enable = true;
};
services.skynet_vaultwarden = {
enable = true;
host = {
ip = ip_pub;
name = name;
};
};
}

31
machines/marvin.nix
View file

@ -17,11 +17,6 @@ Notes:
name = "marvin";
ip_pub = "193.1.99.81";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
groups = [
"skynet-admins-linux"
@ -49,13 +44,31 @@ in {
++ groups_trusted;
# allow trainees access
services.skynet.ldap_client = {
services.skynet_ldap_client = {
groups = groups;
sudo_groups = groups;
};
services.skynet = {
host = host;
backup.enable = true;
skynet_dns.records = [
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
# Put test services below this
}

28
machines/neuromancer.nix
View file

@ -18,11 +18,6 @@ Notes:
name = "neuromancer";
ip_pub = "193.1.99.80";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
./hardware/RM007.nix
@ -49,8 +44,25 @@ in {
tags = ["active-core"];
};
services.skynet = {
host = host;
backup.server.enable = true;
skynet_dns.records = [
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
server.enable = true;
host = {
ip = ip_pub;
name = name;
};
};
}

40
machines/optimus.nix
View file

@ -17,16 +17,11 @@ Notes:
}: let
# name of the server, sets teh hostname and record for it
name = "optimus";
ip_pub = "193.1.99.90";
ip_pub = "193.1.99.112";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
../applications/pelican/pelican.nix
../applications/games.nix
];
deployment = {
@ -37,11 +32,32 @@ in {
tags = ["active"];
};
services.skynet = {
host = host;
backup.enable = true;
pelican = {
panel.enable = true;
skynet_dns.records = [
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
services.skynet_games = {
enable = true;
host = {
ip = ip_pub;
name = name;
};
};
}

5
machines/retired/ash.nix
View file

@ -22,6 +22,9 @@ Notes: Thius vpn is for admin use only, to give access to all the servers via
hostname = ip_pub;
in {
imports = [
# applications for this particular server
../applications/firewall.nix
../applications/dns.nix
];
deployment = {
@ -36,7 +39,7 @@ in {
"ip daddr ${ip_pub} udp dport 51820 counter packets 0 bytes 0 accept"
];
services.skynet.dns.records = {
skynet_dns.records = {
external = [
"${name} A ${ip_pub}"
];

37
machines/skynet.nix
View file

@ -18,19 +18,16 @@ Notes: Does not host offical sites
name = "skynet";
# DMZ that ITD provided
ip_pub = "193.1.96.165";
# for internal network connectivity
ip_int = "193.1.99.82";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
../applications/skynet_users.nix
];
deployment = {
targetHost = hostname;
targetHost = ip_pub;
targetPort = 22;
targetUser = null;
@ -38,9 +35,29 @@ in {
tags = ["active-ext"];
};
services.skynet = {
host = host;
backup.enable = true;
website_users.enable = true;
skynet_dns.records = [
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup.host = {
ip = ip_pub;
name = name;
};
services.skynet_users = {
host = {
ip = ip_pub;
name = name;
};
};
}

44
machines/vendetta.nix
View file

@ -18,11 +18,6 @@ Notes: Using the server that used to be called Earth
name = "vendetta";
ip_pub = "193.1.99.120";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
./hardware/RM002.nix
@ -50,16 +45,35 @@ in {
];
};
services.skynet = {
host = host;
backup.enable = true;
dns = {
server = {
enable = true;
# primary dns server (ns1)
primary = true;
ip = ip_pub;
};
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
skynet_dns = {
server = {
enable = true;
# primary dns server (ns1)
primary = true;
ip = ip_pub;
};
records = [
# vendetta IN A 193.1.99.120
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
# 120 IN PTR vendetta.skynet.ie.
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
};
}

45
machines/vigil.nix
View file

@ -17,11 +17,6 @@ Notes:
name = "vigil";
ip_pub = "193.1.99.109";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
];
@ -34,16 +29,36 @@ in {
tags = ["active-dns" "dns"];
};
services.skynet = {
host = host;
backup.enable = true;
dns = {
server = {
enable = true;
# secondary dns server (ns2)
primary = false;
ip = ip_pub;
};
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
skynet_dns = {
server = {
enable = true;
# secondary dns server (ns2)
primary = false;
ip = ip_pub;
};
# this server will have to have dns records
records = [
# vigil IN A 193.1.99.109
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
# 109 IN PTR vigil.skynet.ie.
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
};
}

37
machines/wheatly.nix
View file

@ -18,14 +18,9 @@ Notes:
name = "wheatly";
ip_pub = "193.1.99.78";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
../applications/git/forgejo_runner.nix
../applications/gitlab_runner.nix
];
deployment = {
@ -33,12 +28,32 @@ in {
targetPort = 22;
targetUser = null;
tags = ["active-git"];
tags = ["active-gitlab"];
};
services.skynet = {
host = host;
backup.enable = true;
forgejo_runner.enable = true;
skynet_dns.records = [
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
services.skynet_gitlab_runner = {
enable = true;
runner.name = "runner01";
};
}

0
.mailmap → mailmap
View file

BIN
secrets/backup/restic.age
View file

Binary file not shown.

35
secrets/backup/restic_pw.age
View file

@ -1,20 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA mGy7a3SPHMxFaJ5S68jaRkPk16Ahxqp7C2YGnK6A4nM
TrEf7fz6yY7G2HXNxhnM4v7QkVrR5D6vdh+eUVbWbdQ
-> ssh-ed25519 4PzZog 5ixIvICVbbk2z8gqvodMAhCevBWdnfmpskWupnpMm04
r33h6oeu1jQQGs3mP15xtbRq50FGpKwtbbqWbSTQ1jE
-> ssh-ed25519 dA0vRg gUxwHHDBhxpYMxBE+UfTYJ4I8nY7cEdWG1XBSLLWtlY
pNawroXlES4EyNZSUUiEPNy+WNdG9AnHnUl+7qLB5Os
-> ssh-ed25519 5Nd93w AchMesYdEdLHtphyfCumqrdCRFABzNOEf7KfFgQWFAk
Xnier5jnPDl9n8F5r/R4CjBoEvmwAJRLQWnoWoAudec
-> ssh-ed25519 q8eJgg AgmUpmYT5z1qAFZ+uUY5a7huZ8Bhifs1ZuDBlg7ZJxU
kgaKF9t8cEKBc715dNocxA3o+2dwpK8erRo42NzeP9A
-> ssh-ed25519 KVr8rw AafFkG0axLsqGVs/k0DrzLFsKk4uXtqRbJIFhuAmj18
shiQFq5ZznBovnNXWfTNvSVX/O1X47hK6g13P8r6xN4
-> ssh-ed25519 fia1eQ AKbaMyAtdDHSpP5taXQQjaunzvO6yZuCOUjgV2+4iDc
yDFZ54QNklvVHUD1AkiaQ0sntqiRxkMGZw9yos/IvcI
-> ssh-ed25519 3pl/Kw KD86EfxdUwpfFW7wqf283Wmdw8o/qnVzXxTCrtNPsWI
L1a9WXktp4a9s1GxF6O7VV14ZPQOp/VqwS286Dqa3Tk
--- +jytGaOhLk0unuAlkbbtAFNde8Z+tKJ/3l3Y3tBgcFQ
€¡VV÷õÍ7 =ñOý]àbZêëj§p¸QKaXIúµNl¢_
ŠÐHsh3~<7E>ŒW/¿Ÿ<>ÝÌ ^áa\´¼Ô #/¤Ú‡i[÷Üfbó¶•áúXøØ
-> ssh-ed25519 V1pwNA LoF1ddALOVnrPikVoFfIO/Hrydrqoh/4W5DaSMZHkUs
Fla3oxohjlE6oUkx9tsroXcbDqQoQfi4qixrEqy2+/4
-> ssh-ed25519 4PzZog tojPturHggZ54bUlyCbr0hwLbhTPpBR/o90XT9DYf0Y
it+mlc2OKzxnEF08ao0J+aJezA20eAaRBW+ODgiX09k
-> ssh-ed25519 5Nd93w W5FDJ7geDB27elGpL6SHBA54Al3uTU67FNsTt63E5H4
1N3NVwEC3QqjpwdFk/SRWFpTUk1tTH7YPQdV2MmF/II
-> ssh-ed25519 q8eJgg yJj2ImpyTpjLGiPqxQ/03tGFDnDN08Gr93rPRUYLLyk
PLSFba8JFM2na4h6XIzVeKKEw61/ZwlpQdesIHPtggY
-> ssh-ed25519 3pl/Kw Zu5dWL1GkgL8ZhmFuTg56GRGTvTTDXYOXGN75/h37wQ
nvNXCSa/VsjchPWRMoFNCRLe6SK/trUrGgKa7iJkprA
-> vZ[z@fHA-grease
mAV/h887fY2ispnlxuTZ+LR/EIYhV6LqbyuDpEc4p0jnwdpYhEAfU4KKZtnxae22
q/IM3g
--- QXUMgsJS6LdbF4du60HslLfcBq5xNsazlzAHb7jSeDI
|á©eC Ÿ® ¶>,ÎVÄ•Ë<E280A2>3Mb<4D>$iœ¥IŽsÒ=qk܃œDi
ÖŸîè;S¸´)ßÄ<+€ÔÆìò)¨uRê²—[ÍðŒ4©}¢{61Wr ÈEíëPI

BIN
secrets/bitwarden/details.age
View file

Binary file not shown.

BIN
secrets/bitwarden/id.age
View file

Binary file not shown.

32
secrets/bitwarden/secret.age
View file

@ -1,19 +1,15 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA ud7vkafWPnZmwU0gvby16a/lB4VVkUhVpqnwvkMdKig
/PR7w91ONFOWIvObEKI+wD9XTxbjqQoMjlar9yqN8D0
-> ssh-ed25519 4PzZog nttwEm+xO2qLIkb+FqRmDeqbdidUune5CdS9AvHCmUs
raINPneffb9cQ6Zq3Jpwfz0MiIaTtoOI6s+1wB/S5t4
-> ssh-ed25519 dA0vRg uuSSiAgzEPgfh+VqE2QfB+8fkJlnUJsffF5/3C4Ovx0
1oFB/dDSQRpcETXb5IxYSqSG7oI8Y0i/myB6IaJqtUc
-> ssh-ed25519 5Nd93w ZZA2ylM3mB4xjxMzLmrYNujWTcjVsgKRzIYVsmPSqXI
30g14yh+pO4moRvnd9Xxe1/QQxmE2h2zHP9mqn8dULc
-> ssh-ed25519 q8eJgg lkPUz5/vn10nmk03AeA1W/6fp3tfyrdLq+kgoR5Cjy0
fHtjZtjYG18wWhhvZY3cn3FxxJiY41zQg16ltudBue8
-> ssh-ed25519 KVr8rw E2OijEik9tPfGCeRe+XDV+tKHTOOxojVbG0esTKuLCk
wXIOcUGlmF9GinF+Z81KQNiVACN2pthS1nwCK41IHMA
-> ssh-ed25519 fia1eQ VIfFJCbkM8ZvKKXN3+ZjxXIgK2y9vHpFdQopX25kUAk
utaTUdI2GBRxkDJT6qmxsdbGqjgSRP0ss4ZgQRQhQBM
-> ssh-ed25519 IzAMqA WX0QlrMPSMMvv3KnbOedpKcQrarKBQLHRXThmvveGmU
uz/jl2Ze8sdlCv5G6U1Dn5EiucQ1wlK4+/wwezX6jTI
--- fLAcK+fEa833GdqAvbD+sIr2ViSHQat1WQgPook94Ag
¬¬Á­°xçšáI¯ê¿i*ÿÂXÊ|ÔŸ‹*ž>€é!þK•GŸƒ£Ù7îoÍà)EU¡‰7ÛU<C39B>ˆ<EFBFBD>
-> ssh-ed25519 V1pwNA BxPb6d6nlJHiTkbcwOoPrvAPBuR1iJSFAXIp9n23Ix0
hl0X3RjOEYp2G1QU4SC6CBF5YVlCWiakMsRbGTBYkzs
-> ssh-ed25519 4PzZog Nf/tUysmhTfzaoHhubwdQ5NKZw5SBd3CEs129FGkuio
750oaBtfeBEpDuasZFr7RY5uBzFZZNMNGQkRyFfEGCo
-> ssh-ed25519 5Nd93w fI9TNLWkDkvLCDA8eTMfVw7fRPylWHPGzPupya737xY
wQcz+yf+EqDNmRWqldNuQjjy9tKc1zN//yumtGpGbaM
-> ssh-ed25519 q8eJgg T9Iv+fRwmOLYMXe3ur6dqudA1z2wQsKQX6ogkyQT3Fw
LBYKL2OtLiwq25FkvZjT4H3tu8fOA+KFmFp5vjbncLI
-> ssh-ed25519 IzAMqA O9JfKAlOUao2S14iczlnTzT2sTSAM1vOR5KjO8eJMG0
ioTSe6X4E6jE4c9Utl2d6EUHZYilnbtRnB5QJg3S3Q4
-> 6&-grease
BkWorA2LiphyWLmdV3AeKsI
--- +MO1wX7pJf7eq4MkiWSP+xyxThI5jnfseS8jd7LbFoY
¿ÕWV¥—>ådD­"ð`ûi+ €Ç¸ÃæÕ¬ã<C2AC>ÂSмk°H¨Ojt<6A>±Ç*âòkßäŒØ<C592>ŒÔ¢9Ë×P

46
secrets/discord/ldap.age
View file

@ -1,26 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA 6NKUbOSUbwVjzW/ZUpl8qEiUTTegFlji4+tVJyqY3SE
fRQvaKnLMkVBboTEriQpWlGY9VBAP3ppsEbAB2QTScs
-> ssh-ed25519 4PzZog mp/+b5LpB+DvRduqAZiKWqkZq6+tlyQgVTZz7Oge2Us
OycqmZyDr3levWSfRFxypJOkITLDix0Q15Todya6BNc
-> ssh-ed25519 dA0vRg yp/4LvS9DbdatHFWFsP5qhH8CP8Bs0IjVSenUtG4+Xs
hHiJEtl1ffYXltsJzuEMLGUl2i/i3pFzv4bjbx/cbOI
-> ssh-ed25519 5Nd93w BTngmy4NGLGKhC8lPos63QEVBKoQT82KswQ22EypcQQ
OCnJMkOwwXQVbtCitUizXM4nynC6a1tiPSkm7MxulWA
-> ssh-ed25519 q8eJgg NaEjVcDBVICRgXuJchEdE4vg3qmkNmJAbDDxLq1fX0M
YFwUmEPwJIik5YJ2SV5IAmqGlY+h24voJJlrBaoCBwA
-> ssh-ed25519 KVr8rw ZnyVITZFkuozEs/rbTdxXDQNS3Nggo+JkBL1Icht2SM
B4jVVts5lK1kIlOWMl0eiN7TpsTeJZWIu7NqildxeGE
-> ssh-ed25519 fia1eQ kvzARRScl/eypC2a5cY66sXcH+TZqz4sYg4W/k9iJxQ
Ga+4TVvXiQ6i5/+fgUQ3E5tJiLqdBsEsXjenXEpRV/A
-> ssh-ed25519 IzAMqA 5sizvlhLhAhAR1bViHJtRJ8fAIO56TAuLVSOwE177QE
b9oJ8BC2xiBjvc3D0H0EF7bSNDlpvIidyBCTf04ndJI
-> ssh-ed25519 uZzB3g g9y66zNmQbqP6Rbhg2t06W3YOgy8DkRvJZbWVegT71s
2dH7E76tDMrWQJbLPefyORP66iaPHQnSjwu8NCdSyJo
-> ssh-ed25519 Hb0ipQ azOzBLXfshInlFVpV0PzIBidL/VzA/+kKRXFFVD6ZF4
iXBF/Wcv4KWo5qUXUlyimuo0l6aClKxOCtkm3MxAIBc
-> ssh-ed25519 IzAMqA EWitYyV8RsPIB6HEFE2OI/C1zcC6WfBEeDI62rGVmkk
Bk9tdSqIjLjat21J2LM8RXAt9GwdQxYdfPzqDtCjunE
--- waY7j+HMEOdqEZs/TcLEhUY9gJs6ZSc51VNfuCmCxJ4
Ý;dÙ9A‡vÔé±nq<“ê;TèáƒB؇$ÐGÌvï¯h
»\^Žé§lÖ¯`š¼ÄÎ?l¸ <0C>au~üЧ×yâ[ךju²ü;]!œ6Ëè±ãXIs4ÇŒ!Ù@ß϶û¬‘|›úïª">eÈÿ[Vž´,ÿ5˜ý8N§¹Œh<04><>[ƒ×´ZD,&âñíó¡”õIØ>ŠØù¡<C3B9>|ÎézÉm
-> ssh-ed25519 V1pwNA icye7bxeLugaCuSwMYAZQOrI7tcG8uc9XR5lTYBkWQ4
HRsRB0GVkMPS0afDz0ybcTZ/oexA7zV9U6hYyyVm/hQ
-> ssh-ed25519 4PzZog ihJwwtlgiICUNgrpwVVKAAcDP9JxPgBmcruW1em8RU4
/c6JJDzrHwyEelgMaoDeADVD/yL+ptrDdgSSMFceuXs
-> ssh-ed25519 5Nd93w aLRd09zpjgCnj84pFFfPd9FrJGsnemOb99EG/TPe+UM
hEM/T5j4oZI05597dI148eRbRU0P/E02RAD5ypsl1eo
-> ssh-ed25519 q8eJgg dwCo6ph1KTMDgFnJLrGFtzscrHxog6WGRUaPdBOuCSo
WCxgbOjZy9vkgcYTa4t/bgc5qfxlpFOiQ3vtCvb+uWM
-> ssh-ed25519 IzAMqA Q+XUnmVUAstlxgZTiXXGZN7Nzo6G0zgS3jtil8MKd0w
1VFkeEGLZLh+j7e1RJW1iCx8ueLNTljTsxpujkhwBPI
-> ssh-ed25519 uZzB3g FeuGUR8zcPUHkev9PVARM2ac4Ezk9EjO3gWL15kkjjM
W7DXwMWrIKEzs2IJ4MH/diaqkUK+lYE5ocJ3qD26NyU
-> ssh-ed25519 Hb0ipQ +hueeoIxI4+E0bkElclszUoD4ftHLkiqe6XGcMNbAn4
mS/SFhLfjQYa76qhDXvMijkvbWkGRGcv7HWlszArX14
-> ssh-ed25519 IzAMqA CLf1vDYSLjW2InHfHCEfq/b7j3zyRH0TTcLSQ0Evmn4
tuq2+h0UVzt/lTFdpLn+fr5rIYdf8mgdDny8Cak+k3c
-> x-grease
Eeo9UQ7LVOjORlpR2Jf7K6P2OEdc6HWWQ6/Yt//KHWxKStUtMv2fPIHu3A8h8mHl
iQT/Xmlg
--- 0/OGiJqIu2aFUO8vqJ936PvDDNiohDSVkqpsiCxzfiE
—Z ¥lŽ.§j¥õßZöE‡¤ääóÓ´ì€Fx®6Mœ!ã:øö‘×û¼ÁzbªùÎ.tDΊz#:xãc}<r0n£°/èþ*?·ÿÓ*;Ûò؈kzùûîAõÑO"†”|K>?cF£/ÑÅÎ؉Õ;Ë<>¤"´eJM_Gv·©e7ôck»\E9<45>³à&öOúž+â< ÁÚ“+ýÕŠ 2«Hm<48>½

BIN
secrets/discord/token.age
View file

Binary file not shown.

83
secrets/dns_certs.secret.age
View file

@ -1,51 +1,34 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA nMGYHPjBRQ+8FE2j3JLTb2gfqxFvEDSF5XKvVYILgS4
xoFB5NeaXLMQhM9ELoooDNNnrjJWFCA+f45Y+YtAOBs
-> ssh-ed25519 4PzZog zuhv6HbfpcIlcueD6SyHD7hRcrPnvMDy1hvXcXTLEBY
VI6ZX5745Tsv1AMvjPKrHWEI2YO4rCVtAMDWLQrzsFs
-> ssh-ed25519 dA0vRg U1zhPjiM0ANz4i9iRSaX9ut/kACtrH/uk4VYk/Cmtx4
DryI/XiQeggMAIBu4Qb9P7Od4cnQUNFFuim2OKwib5M
-> ssh-ed25519 5Nd93w VICIqg3swkEAagNzDppCX2/lDMh5D/pYqi8wjL9ilH8
DLcvw4k9r1RDrueCD/vqX1iEL55hxld3eJr5MCS7YNE
-> ssh-ed25519 q8eJgg DyH3qYX/PfoltL0P2lBzP4wwH/VmYusidfD7MaS1PBQ
ilj+oIaQwj6jSsDNagpLTJXZywWB2IeLUa6pKlcEvIw
-> ssh-ed25519 KVr8rw +JGGMHN2zMPN4leJIZkBTOrhzb8BYQKMbSrAuIpCU2k
Sa2V0qsQbKPLvuVewBjTdIgv1acTYIN+CMIlB+ExIok
-> ssh-ed25519 fia1eQ jG4Lr4j3f0QNucooo80HUJAOnLiTAg8mxzYRDnjXrFQ
C+cZWCaRemvsiCMJ7wn/6g/12ABvKEaYIaU6b3Fpo8g
-> ssh-ed25519 /Gb5gQ QO7t0R8SjnfqZZ6upxKXALytoi6OFZZ4mFpS7XgnlDQ
+yQd4GdflWOzRutCAplDqvee+0dCNdd/ScT8QZyioNQ
-> ssh-ed25519 NtlN/A Y56En/7BcL9IIzBWbOfPzuAah/nPFANXxu3iN6+q8XM
gqw6EsuuDx49aTb6DWtI1ZACDAGL1VnsKB6LAOH6F0U
-> ssh-ed25519 v2Y09A 9MgpxeQcQDGvHkEyb0+f0vRZfyXE7EUUcBXCyw8w7mk
sdM/6DwpC5kv8yg39edGpm6YV3VzkFLRkIleiwhOKew
-> ssh-ed25519 XSrA6w tp83J4GXjFjQFq14M+Z+PDCmO4ZjJ1qufdQEO6GHzkk
KVri/HL0E/byrA0C3iM8+AMsR0x46pdMrRKipvliSzw
-> ssh-ed25519 MhHMYA Pwi4Tq4iJv8/ylaI4VAEzcGAPPfl+T2S/oUp3JsPTVo
8Q0DSQMe9gunPGxYv6M4ilBapKfNx7qacddEc39lgNY
-> ssh-ed25519 3erWHw vo6DeH1ub4VcT3dnvPYZC95MHxaABkZ4MW8NRxqOBUw
6yHGAoHq/u9pSi06jWCkcN230ntCkYADsCB//ISO+0Q
-> ssh-ed25519 uZzB3g FbeDwGg3Se/SVIVVAhgtRAO9wZM72M4ulGcXKBtw51k
+T7O+KNr/QXoGUG8uULBYgDXRWhrwv4ZImjWp8ltxRk
-> ssh-ed25519 CqOTGQ yG/8YtD4tRo8X5Q4kDyIr0xT5JwBg/Wk9NrkJMMCqgI
ZszCJYQGN1eRnRJ9KLpLrxy7j45bL5CtRTfLt4KwRt4
-> ssh-ed25519 IzAMqA 9AIaFKdsA4yqORM9NNlFkp4TI2q14uy1dtUUP31a6A8
9FwzT1ZQABt3om9OTodEKgxxgVU9H+VlV8X9AucxndY
-> ssh-ed25519 Hb0ipQ 2jhZm+mZoKzeBRjt0q5+T2HX+VM/H2Zy/7SyXuTeGxY
J6ds5gRKFv754f7NrbGGCXKLTcad8YGVrM0ndDHlFZ8
-> ssh-ed25519 3pl/Kw IrzcYOatmG1O2I0CbNz2Phs32G3nz5Jv9Uizj4cqhAE
YDFNtbNUVpAQXyWIZssNANKEc4LoG4cEdmKBRWMFdas
-> ssh-ed25519 SqDBmA erRarQNCMp2QrQBAThQ23RoTAK0Uzz9//SqgBdldFDI
bi/LlSWcaPDHc7lxXuzMJUf6tAlv/6oF/go6NcQEcmA
-> ssh-ed25519 UE6fcQ QjWmHf2lgJ5QctSg9WlvLRueeE1N9WQdV1ZRrDIGsWA
K2IdKT9WpS6bsONh44h28i3Vm64YxhJFDas+rFPRbs0
-> ssh-ed25519 YFaxCg wUWp3BvPpjSKKySmCb3gsO06P+F6GiYJU/wwfTAqTU4
1D1+FEXxZES4cVbl/tSaMfiVk5yJlb9y9RsThyaK13A
-> ssh-ed25519 elCEeg jyijilsUuQ14LYrZPzE6CAMxgVmGFaxR2EbIP48l5Cw
kdEeI5a8gfh5d1mVbiMWOgGP9qmxc01EEifN00l51yM
-> ssh-ed25519 8vZ9CQ k55pfEEYf/3sC7M9YyA0zlQdv69N324fvNgW7/0/hxQ
EPJ0Bv///iKOz0y1dVT/jGTobSYjKGW8+Os1lLBMDtc
-> ssh-ed25519 rmrvjw kqTB4IBJ/wr6P2g21TmbqdNQB5XDxCSU9lwVRAPiZhM
3d9tjv3l3ws74DW+LeHVYUDViJWg+zv93mFv1C3mS2c
--- cUHw7QjEwLsUCL+1WhhNByWzfOIFrRmA/4JPbYgukCE
é *8ÿ¶QÙËš=R™=Å<>yg¯<67>u Œü"¸eSI<53>\ÑË[šŒ¤ŠÏG3.UzÜ Ã»4±—½ïEÊŒýÀ ß\»ý) eðï¼X}H°f§¬X1 ç“Sá¸Ç){¹x+Úcø1ãùù3mc³k?œ ïh:ý„bô2“¤¾gB@Ï<>-á'âÄÿ°åÎF/Žœ #ÿŠÆH+Ô¼s¸•<øå™êÞîþK†ìCÁÁšQ˧ie;¥Â-kžˆRx= (#}i¢<69>à<EFBFBD>°nße
-> ssh-ed25519 V1pwNA 2QqdIJOBGkHQYLkNX0NRvazb6IBk4SYYps1lAC8N+WM
GkubePEafiWi3SfR8GXeXU8+HH4PxdwHPd9GOgvzhWw
-> ssh-ed25519 4PzZog WEUGHm/9UeG0iFVKxFkaZYRtmqlVF3b3ikRQlA4Jgyw
yl/pe3c9C147jQj/uNIN5QMkFiVSAG9CQHMEOmK8UUQ
-> ssh-ed25519 5Nd93w glFj1OmRcPMfXX8ZNklv3Lpoq27u9pK7LNtFWVUwjio
FeNTpW3aqxYE84kGRze9BMR2hDRsBj9a9+439fqp23A
-> ssh-ed25519 q8eJgg 2GCD+0xk/pRUefV/qWv5GKsTS/vu5hGtr7lOPteWSS8
M4Fsni71ockMvu669XMHM9++hXiz7TdFLf6o1izc0bc
-> ssh-ed25519 XSrA6w yaCOzzT0GnCzdrARp2FQHV7npbD/JnuV4tSYwIprdXE
iEIgUn1+aDXN6+qDBNj4ltdCXYqxEmXXql645cGSyrE
-> ssh-ed25519 DVzSig kQJIpvtSZSw1IUDIb3z7HNRz4dw5H3jb8ozcynSe5Bk
aHT8f8DncqP8pgE9oL70619xyNtDBzxB29Hq/ma2rt8
-> ssh-ed25519 SqDBmA QDrZMYCMSsqmhFIMaNi/keyPOry3YHwS0dMGGumJLzs
Tj0oKWFsU2aR7CQSyeDYWq7nY/vbcOkMD9JrLFaq2Uo
-> ssh-ed25519 UE6fcQ Hb0Bp60va2pYytRaSaLbT9sKcosbcezSJs7DNiS7jgw
41IjrgNOPB69pabq3JRhdFNocy661JSCmXLdk988Hyw
-> ssh-ed25519 IzAMqA 54sUUDUo1EurSpAIHhwUYWUF4jabHauQqzdaZv+q6WU
14C6ao5GUpicJrdIzP0YibKO0xoY3ehc1GDEWdWA3Mg
-> ssh-ed25519 uZzB3g I/XkpzTDdYac5rJjElfNpD9gh70hnzImBBtBnEse5z8
9SzTUatocYlqsyoNJ3oPaA6nZ4gZaRzUUs/zSXTPLM0
-> ssh-ed25519 Hb0ipQ h/VbRE/4QmlDmxl0nuzV828L75zK14FJTlxucIgw5Fc
EbTPH0ma+TA+tbfluXrvNU7mfqrK3Onn1riikEA3t08
-> ssh-ed25519 uZzB3g M0z7FxgMYUNi5CMRYnpTueyx5RwhJtArrv8o6pj+LEI
JjlkieTaJ+kz4CxdyPN4MDR1IUoWJf/uCGZj9jc+csY
-> ssh-ed25519 YFaxCg 1C4qRq/rM5B36KZ3MkGl1wT9NwsSQBoefccxiBi3qVc
TKz4Ok/TVANl7cQ5sySccxWySWBXPtvJDM+eV1dsTz4
-> !s-grease j^W+6, Ab
Io86Mr5+tdtC+WUnf7YWjuOE9oHm2iLwyRRiEKgjxDIvNtDgdiZ+0nZ7yDRmuO48
6OKmc9Wc2nsqknT6odS8hAgR2jIPXvg
--- 4YBEXs7Qucs2NbbyqhTgQrWZhejQa4XmK1mgd5eW4yc
<EFBFBD>ë~#ñ)¤Œ+s?ÐYy>Ï_b?ÝL+)cÙ(8õ$HmMâ<U†
ß<EFBFBD>­F•a§Ä˜Ô, zøæ>`7'ö†cÿÐð¾&cO¯hõJs|xW6±kâHw7¾õ@4„N´P ¢zW<7A>m„  >"?JÿP 8Kaç—óU^±.×ô"Ì=¯gìµ6(j†AEîPÅàÁ.—yòWšŠl¼ç ° —ÇÀò-£3¯<14> <0C>¦aãã<C3A3>
M"lkÌûyº Ó¨ì 9#og`p÷<70>unïÜÒ·™Ïý„C¯Š

39
secrets/dns_dnskeys.conf.age
View file

@ -1,23 +1,18 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA UBWTUleT3gH3VTd/ahMfx1iSc1JTTlZWKxD4Sx61Dmk
rGgE6UbDrVFRBbCfw2+o49aIlk4qOHDNYD5nQnt97vU
-> ssh-ed25519 4PzZog OGYMrxkoi+q8ysF/6+HYm+RQshv6jhZyjqQr+d5/vlk
1PY3xrn9dHVnXOOlEukTwnF0S5KL6AsDRXh5MvWioyo
-> ssh-ed25519 dA0vRg eVrtU8/e3XSCjOHFeujDNIZHPWDq3qcot/+RXmBwYyk
mOFaEqWEnYtKxlilozF2QRyKPsOP3HvNWnQ3KLRON9Q
-> ssh-ed25519 5Nd93w WXvBheSNZ8CJOtyxeK6GBLRgt3n1hgYGGnksp4pUhBM
0mr6EjSJnnJezPk1nXIEpaIMmn30tAFJj7pmpS7vHzc
-> ssh-ed25519 q8eJgg SLkAt5hvW2niDBIqeKjcYZvDR9CkJzu4wf1y+0Fizzo
ZNm7qSf+Bl981GJuZPPjRL1HcCJbZ58eOUQe+jFE7K0
-> ssh-ed25519 KVr8rw xfJAoIGIRNVyRsPxjlARAFXm3jDnYxBZws0/8mkqr2E
w//2SGsPl3BjEgGIWAsomH8jGwnOKCpn0SJsbb4y2EU
-> ssh-ed25519 fia1eQ MjtOJN21srAeob/eGpKQON1FGebBqvZo1bKfQFz2bhY
eSRZ3DTQ/HfueI4k56nkAmUdy7MARgcNYgPGD5amCTM
-> ssh-ed25519 NtlN/A n5uN0giDnRaRrfa0jCpqkDnzx1x6hQipumVP/dM9Sw0
J5Z3ETAYMQbugOUsak+k0suWd3SInz2kfRDrJhP5ObA
-> ssh-ed25519 v2Y09A KxmOke5LEOx90sSm3W5gdNHTxk9Smrwya36g8rxFyhw
2FUiiEe5v1CUG/Gkyu1Gw0/tmo64wCIq/vsCjevL3l8
--- eFkoeakUQHfc0nofk2Sm/k0ujxlkKkahdm/MmMqPHrg
Å  
üúa
Î5ùäÁ'?åc0øí ¿5SÚîh hª mÈ<6D>fœZGõ¢+>6øçu½¹Ï¿rèôâ«ïzYÐ<59>á•Þ¯ÇѦJé|ä·a>îò»˜Å7iÕ݃‡Y«˜a‰.P&ðÖdKZS£Ì©/J±r;ñ×¾ioÜå±9hN¸Ã¦çË
-> ssh-ed25519 V1pwNA 4DenEF3jiCxCBa/F8ehgk13NlKvLzEfIxeQVTlMvM3Y
czXCvVsOMZDmAzqxT6z0mCsGntVeLNAJX+IIz/5XS6Q
-> ssh-ed25519 4PzZog 1fBsKWaKTGW1gioyrDoRsCqFhGfIThj1cq3GaPDlIjs
BFcSRxbrO3n91pEXNV7pInCRAH3W4NHFOYPDlvpPqkc
-> ssh-ed25519 5Nd93w 4vy51/o4XExQqMRP3DyeVK0GJO71jYCm17qH5tC230k
UgDrJ2xPGL0O16g+BFOw/kEso19lB3QD35vLhxmQ2h4
-> ssh-ed25519 q8eJgg tAGYnvVu5NAlrs9UoEIUb6H898V5y/st/lnGm3w2o1Q
SYK1mWCClDoK3dj2KYmicOLRvgDC0qdOmhE/AFFWa+s
-> ssh-ed25519 NtlN/A iXJJI8ILFcZvIPaHkWOYSUVwFJOEB5GPpZX/5EcWJlQ
XpiJUa+J2rjsAhhQT4szCwDMudGjuveslcsLs3wVSA4
-> ssh-ed25519 v2Y09A SkswYtVP5bn6FJZwL9AxxONpEyB44Oct+tz+eP4bUwE
0rDV7iOQI7GAJ0VkqozwgA3guoCRvCb5e3lgPAmhlXo
-> ~=-grease
xBfYaHlWp09gHdR9CQ
--- wrlmOZpShrH1kgr4cDBNDjPk/zLA5Ro94cpUy06cH34
hsõIC
s‡1¶…ßø5k|`3rˆUŠV»öÚŒ†`©”ÿ¬{×¢1Õ´€ù˜¶ÇHï¿ùÔ¡<C394>Ó¥Y+N‰ÒªÃs浓ÏC+„±&0"VØìyíjVù¤â <C3A2>Ï¿ªÿ¯ã“pܽ$Ÿ¢-8$­@<40>Õ¥á{‰«ˆÇTFºFî ñÒd|±

45
secrets/email/details.age
View file

@ -1,25 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA rR7/KSP2skc5HZDN98g30IIXuNDJsghQWfyVF57glW0
oSpYnVqLObrE/MQNHonzOmpGk/BcDyMxwPPQauUB8Zo
-> ssh-ed25519 4PzZog bUKm5Fqx40JQ/8BdJvP15xQvIjwTAxuAqsoPIAyRDi0
xGvp4hTdaiqD7cxjJTjmJHgehY8VCOVqvvXNIQoGrRU
-> ssh-ed25519 dA0vRg Ty2EEwt35A8ZigOkVmYlLgXbMePI3WALtM1McsFtQnQ
ygu01cCNYlaW9e0APNrDGPjfJE1KkNq1nqi5d6fwqm8
-> ssh-ed25519 5Nd93w UwOXbO00n1/2pxpz98BZ7yIaEr1PXEvOg7F3Nl80yTY
+E2VbVQXngXUHUQlc2P6ebU0/anioRu/EZgpdf/N8/Q
-> ssh-ed25519 q8eJgg 82IpLMlE/9Wp4fD8PHIiKsff9jJYJtoPF58xCnb6GAU
Ip27egoy6jMgvvTRg6q5NXeTlv9EFhK9PM8rCFu8LhU
-> ssh-ed25519 KVr8rw xEE59aHcuIIB/5pbH3bZuZQ7W2CDUCoyT6EmdOWiZ2s
2uaA7Nx8DNbmGvY/ns/DRHZ1zTZ+JifkR4eVtSzCRd8
-> ssh-ed25519 fia1eQ /YtGDHVjZTzDO7baOphkGvY0zCgElNT9UMpMhhjFCEw
03+ungOpBCqgTj/kyH1hz1LWTHSlkZ6Qb0c4i9bwOZ0
-> ssh-ed25519 IzAMqA kSa3Kbz9SyIe1pXTBi39RxVMi6QQV0rjAPgdbEmmJRA
SO7M5B6LR1aZ8r7mFjFAF+Zl1tlsq3j/3/BVkSPWFcE
-> ssh-ed25519 uZzB3g 1WjjfJ50NZO2C7qKp4WOtDHEUlkF0CFmiehMsY8/6Wk
TP6FwDJp0nKd+FaB0tnZa9XoD8tQponT8wK2xZ/k/A4
-> ssh-ed25519 Hb0ipQ vRwS9w7tO0yryHoip+sqbsD67lqXLD+6hJDNi9YClAU
NiIy//77gNuQ9UJgvt1UPqD99QJzfbh4WFld7Ln0GtE
-> ssh-ed25519 IzAMqA J5spaIE4OAKJsvd1hOy3M2cCbmAG0/9l0dsnKlZfxi4
RT95kFe4vKr0HQVz+6Gfm7pat7HvSahle2zMhEaQ8DM
--- ag6/92VREDBr8oQUKcFbj25qK4gcMdHa+ej3hf+igbc
År:ºûÛÓfÆ)sºûß;˲fI[±g<'­òª3rûÃrœõÅk×™‡âÝB™º+c‡WÌç|÷䘨~ŒË”7ÓãªãϵU<C2B5> ECò ýʺžq!jÉ7¬Å1VŽ¥Î®<>SØ4ÿG8i9:™ßíHl9VµDmnvS¹Š
-> ssh-ed25519 V1pwNA /YhGxaH+uVC4EXVNEpY6akQ3cyOFTCvbqnQDobPGbHE
pcRmdrS2h6GOmhiUQmbDncgAhfBMsI7pVc/8MrCQeiM
-> ssh-ed25519 4PzZog dsRhlBiY7h+WrKqU7KlCYQ5Ypwz76uH9AjZlfLwf/3M
wNvcPHNISI5y0eGQpAv2jSZbTbA9C8LGzI8/dnMn3ZY
-> ssh-ed25519 5Nd93w 5z8u2rWibJcfnkKJmtIv/toSUgkJdxk2HiBJ5yi1F34
jXWyd2UcJgQLKHyl8/SbtR5uKEBPS1TWcSV+uQ6sudQ
-> ssh-ed25519 q8eJgg puPp2e3TvJOmqF68x25NsZftZOjXoQRAfT3d6dulOwE
DMKRvgnqQKJbUcKlFvFPnIWQF48v/AhR0sRG7R01LMg
-> ssh-ed25519 IzAMqA bkxqFYf3QFk4Bg+ax6l2B2/qEC1Sc2v1oNIXRxA942E
TYk7gMneWdKdx9PMJoROZy6k0A9smhQGoenypCiSSjE
-> ssh-ed25519 uZzB3g ouKif0gJlk8Ijg4htLxS6V9kDm1oO10pgoIDGHlnKg0
TtChPqbY4BWc6320hBVsdjOYsN8FZ7+kK+gAa8cPrXU
-> ssh-ed25519 Hb0ipQ GQu3BHKFNOffCTgN6v/9dciTpSDOPHSD9L1R6OG74Hw
j9r+idSNJR0w6XgVZCGOdVsvsFPVbyc1/Nno4uqBCUw
-> ssh-ed25519 IzAMqA cQNK62FYAGQY9+0YhVvVuKMaqB9IBPLUPCnM2nSUQzI
NOMoBDtIN9w1WlxuYHTLORS2xA//D8jIip4SidBUNog
-> QjVPV-grease z #u>.AWX
ZAgcrfjgpw5J778jd9fRtQUns32SsiEybe/VTFKZw7P4J9STzRlt8/KDn8EJQ2Dh
K22xl+ENBo/+YuN1UQ
--- TYTyl621sRrBSPvYgf8uC3auUXL2ytoFi0ob6+NUSOw
Žpns1 èž”{ ìjÏ7iˆ™'™WÓÍWôÈ<C388> ðË¿ú©²?+Óê/P\ú~B}æ<Ú…ƒwIü.Wâ;ÚórF‡Ä‡d³HgÎ>™åþõ?Õ½ŒÙÜTl"ïÞ-1_äñõKz¾ÁómEÕÜ™¼×A”Y{d0,VÕñ8YV 

21
secrets/forgejo/runners/ssh.age
View file

@ -1,21 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA EiRnc8zfDCi967uONlFaqhMRz7IvL46RPzXshMa/OXI
6QS20RCZm8NJUURK0LX7TYtdO3tqZ+RMHLF/kvhVIvs
-> ssh-ed25519 4PzZog 8rgxGN03Mz96nPHanIQvOckstmhTgOkN1DRo2Uly2As
qMe+yPWSIG/o0i/6U/0y2q13NUICHiwnjj8byN1oFxY
-> ssh-ed25519 dA0vRg 4zMtlLeWQz3i9md+fmHt/JOYpok2oe7a4TgTU5VKoDY
GTC7VnQ/hXR8qVFKV0DInAx0NmLEMh+RlGFrURbVJUU
-> ssh-ed25519 5Nd93w wihWssLONatQLpXcLTk35E2dCuQ/KwEn5Fr40fSMDgc
xSdbcJVETSr2aUUAuMbbMqjrE3GigBZgViJ03QwDN/8
-> ssh-ed25519 q8eJgg zkdxmoghRUdp5vi04AnNc3DRaGBrTIybaoLqgZY1Kyo
i2ZvHIQH/+Pv0zLcz2GC2QmnvI4NcqGc4hEHlZTi9lc
-> ssh-ed25519 KVr8rw ueWGIZvtlBR90Brt5EfxdN4GVTCYwlav+5pv9RV/33g
pvzHIVe42wuMpTVCZINI7IURkPMAisvlnSOsW7dhhjo
-> ssh-ed25519 fia1eQ BDwGY8xWwCyQ1+yoVcz5eP9GZBEsOjqDK3IWQAVeaEM
5pPdRCPHdNhkCXri/ZGVHU1s5xIsKJar23wZVQJDfzk
-> ssh-ed25519 CqOTGQ IFEEpuieC/oKfrwvmXHTe7f/9cPWNo+0oTOqtysI4RE
y5mBTGBw/aIx5K4jfHlrLOWcNAm1DgpXDmNGQ9Yeo7E
--- uRX6sh2kk/EFQwiX6PbxMOhohwzkhnmG965eL1NKE8s
<EFBFBD>íïzb‰)DpŒÃ@0òP§Í÷.õ†Ë¡¡ëöMÂ|õyµP3À‘Í/ñvyvÖÅý#u‡åWÄ oæf«ê
r@ð$£Ž«+‚¼ÿ* TO $H­e=½Â0bò)<29>±ã àáòØ{¯«·Å/wZ˜4æRAh³£fCê·à¡]·zî7¹ÉÆæóÖ•YåÅ
ZO7?[Ý*Z+†:Ò?ÈL<C388>ë <0C>í¦<>ÁvéQÏÉÕ/[¨ª÷P—÷QÎ?qôþ7²Å¾ÆvQY<FL=O²©r•¯eíÃ?XùÆc¬ËI‡ÄA ì~Ú¿¶‰êÃV¡ž\Š5å¯]p³´R5¼hI&4\ñ~HxèöŸ5C†)BíÌ@è'f»<c#zdßÈ<Ü2ÊÑ{'EÞ©îˆêÍ<C3AA>\5—¤ay´Ö…Æ1Y"^”½ø/&ú~î殨'´!¡ä´$!´\yÚ¢I7AÊ‚ËÅÄG‰¤#ôui™W7è“`&1<Å7.×:†X÷ {Ã(<28> -Möþu`Å•×`‡Xr

19
secrets/forgejo/runners/token.age
View file

@ -1,19 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA kZ6MC1GXuminn2Hlomkep1wIv1lp6KpJOJcpXkhQWWM
K1B58FSyb4QpINlhuvVv4dGFNjTChU1KNoezZcS/a6Y
-> ssh-ed25519 4PzZog pbxwzRvcsOgY9hd48BZEOH6VHFLn93gJ8yDHQyNIiSI
Fa/Z6si9vyox/pmPvWTndyYCQxo7tcvdlRuTgw6IY9g
-> ssh-ed25519 dA0vRg OW2y/LkN/287NVuRRlSpihR+k/MZ+a0R5cIrHFne6RI
U0ZqipfDlpz9LeXKNWkl7tYCnsBjSQz8q4mETBVEalI
-> ssh-ed25519 5Nd93w jDy3i1Z1NWYqdVdw4h+maaBjokVWNrSfHtSQotb2bWg
PtgX9L78wpJHiX4lmP+H0bfRZd/tNfHrUEAShJ38ss8
-> ssh-ed25519 q8eJgg BCaUEZ3H3BglgKPAbl/ITQaEv9Jc2rRAoFuPXhy4WFI
DMqJu0vjDJ8rIXLSL17Dx4Aoq8Uhdo4jU8g1jTSvMK4
-> ssh-ed25519 KVr8rw dKk0SN9SXTQsPwMFiKKMuoRwzTHJB8kr33nadRzBoDc
m2xPKYFMC/y5fKkgaBc+5TVg9ZH+zVSM9I4I3htSm7I
-> ssh-ed25519 fia1eQ NGl1o/38iTm6QiQB7pl0NBkohMZGLMeaXZ37TV184B4
zk/DTLhuGfhDU3gNA7S0BjGOowteEhR9v5oNmOkWTGU
-> ssh-ed25519 CqOTGQ JbZYKqGfWeVu/JEAAeC6wE4QvKLEeidvggQnm6beJxA
ArogOkTDAnvC1SKPkSGapNix2W6yvku1QFOFs9bvuGA
--- yWZoUAOfSIL4FbWSAvhVkOEbUA1u3XPGKB1gNka/xfo
Á¡þzòõ´lÐþÈ L´C$’ì?Hc´®ìì|¥çÛ¹„.-øýÜå¡jõ ©lÂ}9:KÓ®U…Á^§<>í¯Ì“ôŽIO6µ

BIN
secrets/gitlab/db_pw.age
View file

Binary file not shown.

33
secrets/gitlab/ldap_pw.age
View file

@ -1,19 +1,16 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA 2mRcx22kddqldRvOQY7i32z0sMwCuGlbCkJJ8vlJKDY
aL+OgWP6uTute1b5dlPG5Tz12KHeFlCG/Su9+MBTceo
-> ssh-ed25519 4PzZog 67PxsXDuqXhmcyvNAu2jZrDtd+XgUQnEakPw4pR150Y
nOCZQmAhHCptlAz134hin/UKKpuIL+ueRJ7Kzhf5Aiw
-> ssh-ed25519 dA0vRg tiN/eg2X6g4x6KndLJs6ze8i8brhXcsBqP1ZWq2s0T4
1lx0Qqo81L12eIG4XfQUWYgpimEfgaPweZQ65GTHSaI
-> ssh-ed25519 5Nd93w Iq6wxlnODEkmZaYpf1s3XxKmROa/JwXLdXOtCpXuM3g
0oENjjsAh2c5tIHNEghw1TE50xRfU5yWHnZenYT2UgA
-> ssh-ed25519 q8eJgg HrJ8YlZTp7YhRpKpv5ZBUbxv/777ATRtYzcbGH1JVhI
Cytu763lKuwmLLUhFJo8VunzHxYn75YRLiN3vnhxyL0
-> ssh-ed25519 KVr8rw s60G0Eusw0rEW3woOFeE++5C4vI8L6NOUXATml2egBo
tPGsNcE3H9crSOCXCkktBzjRq5JyaGvgmx0ZIs3ehOQ
-> ssh-ed25519 fia1eQ P7oFu5pYYdJu2fcqTYbKuENBWiFnNVQxg2N8QAXNVhg
aZUyPG6FpfFo7GixaofYbCeajExpKFME6PBb6fTzk6s
-> ssh-ed25519 uZzB3g hP2SPeZNhsmePX55N6g4Y8q2KIwRONPBEAqSp273Mzk
y2c9S06vYQl9v0G/7IrbEx+kGv3DOnpz6+9+vo1o1wA
--- 7prlMrCmXuXHtiD1+44Pg0LV05OvyIEF9fYkCiLEv1k
_Á2¾":GË<01>‰*çë.TÀ5 .Ð(Nö£4OS6U1ø ÅCáíµ§ÂÒcO§á·[Q èýä¥ZÈäŒ#IŸ1 <09>cÓ<>M;÷/~Ä`=ñ'ü?ºn}<7D>e#ž/°›µ ÎÛ±`xj¨¦¹hŠ:û¸?´Î¥Â/±æÜJ3 .‰ÞÿÀ+ÓOxkÑYâbk<64>¿Ï
-> ssh-ed25519 V1pwNA 82JAj5XsvsKT8sIuARe4FTmSiCygEhTive+jIJ7h/R8
M3U8He0axy2HLdKnmKDyvilT99LQPEkw27FF2hUI3tI
-> ssh-ed25519 4PzZog c45jK9DTUO6sXTbhs8UrUjLIELIL8XVdYiOYZsR/4yY
HS4ng3Sb4J0f9OYHZLmWHWS/c3uetn3w6HG80uZNdUY
-> ssh-ed25519 5Nd93w fBv3U1fx4kIQcPWAMl1xRUeIwiM1+0FpfhJZrHQMww4
8ANUGKVp5Tpq/wbIgXhpi5cPsxFALOuOsisMEN5A4j0
-> ssh-ed25519 q8eJgg HTr8SCqna6YrbpdEWdXf3vcR/ohxQStlXabHjZN+zW8
vyoLfNsO0zW+S2+nIHfB1s8GaD/XjfqnPq/i3G4IJqs
-> ssh-ed25519 uZzB3g f6+fXpF/3aP36u+G1sDOhaQtdaWXwxoW2aWWC5E8X0Y
KRDi36ChFupksZMkxWEnUkaNBgZujYsXEhS7ngueo8E
-> /Q|[]_7-grease WOAZ6f R~_\$m7
e0+qF+9VouiUjHXF8coBkESl7COpdlPlBQYamcTsTto6CgZUZkYqWQ
--- n0CQNPMTO1iiR+zt+dDvj0FocVteXkclIlI0EXoKV7w
OÐâr€é¥ÜP¼K]PK<>ðxò>ÿe3rðd™¹Éçž¿¢½÷ôÝÆÀŸݦ9d¾Ñ4¿G cά<C38E>|T7gÕ7ßz
P”¤º´ôó02ïïÀb¶Ú<C2B6>„fäÇ,ÔÒ¨<C392>Ñâ2Åm  ‰ŽÌz^»]M$jùƒñÒi7uYŒØ_lNPuÌA%·<ô@Ž« €c„²ÿõ{7

BIN
secrets/gitlab/pw.age
View file

Binary file not shown.

33
secrets/gitlab/runners/runner01.age
View file

@ -1,19 +1,16 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA XYyPJyYihZ3p/Ek6fKEvaNU4BmXGdL4Wb0uXH+T3nSI
o8XtYFyvOLA9gDkfKzTNMzu03V74f+6NBcatQFniKAI
-> ssh-ed25519 4PzZog aqB7IflSlMr2iQKxB5WeCFa0RI1KqZC8OTcAlMg0YHI
VHW+ch2hxiYAJcWFzF/RCQRui9j5UtV3orzLHa6of8g
-> ssh-ed25519 dA0vRg sgcNg8aztkTWaoDtEtS8veMwaWiKy8Pmn7ygBEE+C08
/BPatZiqv+Eh9yvhwgQKomAfQ0wL10oFQfEDT+hkndM
-> ssh-ed25519 5Nd93w djTbwVGuMqPwb2xqmwQswlFcmKk9ggb2MaJk3lNYRFc
sL5qedtBepneL0JdEzAy4n+wpan2qOxqMSBOoSy0+VM
-> ssh-ed25519 q8eJgg ct6G0ocB105he0n1b1Dp0okYKjwCHk/uf3dVmR/eohA
yzuUTQsUw2Fzkcin/an9kOC0CJnF4+7TCW3250DR19U
-> ssh-ed25519 KVr8rw UU47Xvfy1s2VQbtluzafT/Yor3bEjl70F/aCC7RqYEQ
wnP/vYiHmrlmnJ3XL5Qdq89MjEfdKfLdj7S/KTFd9CU
-> ssh-ed25519 fia1eQ p2upqBgZt7m93Kliu3vYWqCWLIOGhfI5y8s/AmNIb0k
DQ7vGs3UQ4Ewn3PabqpekiuaQaPIGxtNO9+h2p829Ww
-> ssh-ed25519 CqOTGQ hwUkZAFhPQL4ixYGPPeryGYUKddeAbDE3lQvJNdwhVo
Hghp1zBDYxaqXpRbxSjsUOuIxxwFZywEMCYp/6EnAhQ
--- WY6ZRscxKUyXzyTqSHNjtLrNkNJA91epJcZ8889yucU
´zz;¦°sºN+ó3bÉ*³<¤áç[®i¿±4%:<3A>g—îìê6À”fBWºýârÐFÈó»Ù¢v1ü k<³ðl¤n†FS&[òÇæ<C387>SkŽÄbÉjæ)N`£‘ h‡ÄÉÚ_kè_ºô Ô%g
-> ssh-ed25519 V1pwNA vl6hCSolsMTLhEZIULcAfC4NjdQQ6lM1RHolfb32QjE
TdNwIPNw4bLLRjuRDNQMPtURnugRXAkn8mPK0er/2Tg
-> ssh-ed25519 4PzZog uV8JiYN+n2iwNlqgFXdTYq+rd/02N6rfJXWbwGB7RHw
Q3DEh1ZOA988AVcfvD4jS074moLFiyVtuODphSPdO+8
-> ssh-ed25519 5Nd93w jkipTx2XbXtGCVZkzPcZ2NRFNApwJ/ft+FDvMRGohUY
5f4H1R/O4m3VQeforLh+aScJF+R4tj/UsdrRCjlrC/8
-> ssh-ed25519 q8eJgg 8IquiucwRvEgUk60vdJF3gZET0GiYjnyDAZn0MSGvSk
itdW6zBWmKC4Nhza7gWq4VKpKx93q+8DyINYzIQ4W68
-> ssh-ed25519 yvS9bw 1Ckf/oLVICw05X/ExxJp3fZXW3+KuK3QQRzqzjGfDEg
N+czA8yQTRCM7tluIVJsBHKJkA2o8gdOBMcFbRf2jjE
-> U.CH}-grease a44Mf8
Cl54HCa268vinKDQwl9B/lbaex8DOrLJdwbufhycBEZVGwIhxPQwlmUz3swlhInV
JBoJEpY2aTo8gih6abT2ePpzgL+J1jPfYTe6pqbAQM0b51Qdo9ub+A
--- P7OeYiH+fpWCXUVv4Om7YdnFMh+sUXBmZE6AOldDXTc
<EFBFBD>q€®µ®¡Ø ¿ãõ <0C>6Û™é¤oQ "Ï>Å5+N¿WA?]­¹+/vÙÅ—xå;Êœ˜ô ^&$_ZvÎì¢9Òà/ä8x~%A<>¦Äc•Glq58Ppêxzš»…55AMv!2ÖX$

BIN
secrets/gitlab/runners/runner02.age
View file

Binary file not shown.

BIN
secrets/gitlab/secrets_db.age
View file

Binary file not shown.

BIN
secrets/gitlab/secrets_jws.age
View file

Binary file not shown.

BIN
secrets/gitlab/secrets_otp.age
View file

Binary file not shown.

Some files were not shown because too many files have changed in this diff Show more