Compare commits

..

7 commits

99 changed files with 2138 additions and 3173 deletions

View file

@ -1,59 +0,0 @@
name: Build_Deploy
on:
workflow_run:
workflows: [ "Update_Flake" ]
types:
- completed
push:
branches:
- 'main'
paths:
- applications/**/*
- machines/**/*
- secrets/**/*
- flake.*
- config/**/*
- .forgejo/**/*
jobs:
linter:
runs-on: nix
steps:
- uses: actions/checkout@v4
- run: nix fmt -- --check .
- run: nix --version
#if: github.repository == 'Skynet/nixos'
build:
runs-on: nix
steps:
- uses: actions/checkout@v4
- run: nix develop -v
# - name: Archive Test Results
# if: always()
# run: sleep 100m
# - run: colmena build -v --on @active-dns
# - run: colmena build -v --on @active-core
# - run: colmena build -v --on @active
# - run: colmena build -v --on @active-ext
# - run: colmena build -v --on @active-gitlab
deploy_dns:
runs-on: nix
needs: [ linter, build ]
steps:
- uses: actions/checkout@v4
- run: colmena apply -v --on @active-dns --show-trace
shell: bash
deploy_active:
strategy:
matrix:
batch: [ active-core, active, active-ext ]
runs-on: nix
needs: [ deploy_dns ]
steps:
- uses: actions/checkout@v4
- run: colmena apply -v --on @${{ matrix.batch }} --show-trace
shell: bash

View file

@ -1,12 +0,0 @@
name: Update_Forgejo
on:
workflow_dispatch:
jobs:
deploy:
runs-on: nix
steps:
- uses: actions/checkout@v4
- run: colmena apply -v --on @active-gitlab --show-trace
shell: bash

View file

@ -1,31 +0,0 @@
name: Update_Flake
run-name: "[Update Flake] ${{ inputs.input_to_update }}"
on:
workflow_dispatch:
inputs:
input_to_update:
description: 'Flake input to update'
required: false
type: string
jobs:
update:
runs-on: nix
permissions:
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
contents: write
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.PIPELINE_TOKEN }}
- run: nix flake update ${{ inputs.input_to_update }}
shell: bash
- uses: https://github.com/stefanzweifel/git-auto-commit-action@v5
with:
commit_message: "Updated flake for ${{ inputs.input_to_update }}"

3
.gitignore vendored
View file

@ -6,9 +6,6 @@
*.tmp *.tmp
tmp tmp
# open office tmp lockfiles
.~lock.*
# Test files # Test files
test.* test.*
*.test.* *.test.*

View file

@ -30,7 +30,7 @@ update:
# the part that updates the flake # the part that updates the flake
- nix --experimental-features 'nix-command flakes' flake lock --update-input $PACKAGE_NAME - nix --experimental-features 'nix-command flakes' flake lock --update-input $PACKAGE_NAME
- git add flake.lock - git add flake.lock
- git commit -m "Updated flake for $PACKAGE_NAME" || echo "No changes, nothing to commit" - git commit -m "[skip ci] Updated flake for $PACKAGE_NAME" || echo "No changes, nothing to commit"
# we have a custom domain # we have a custom domain
- git remote rm origin && git remote add origin ssh://git@gitlab.skynet.ie:2222/compsoc1/skynet/nixos.git - git remote rm origin && git remote add origin ssh://git@gitlab.skynet.ie:2222/compsoc1/skynet/nixos.git
- git push origin HEAD:$CI_COMMIT_REF_NAME - git push origin HEAD:$CI_COMMIT_REF_NAME
@ -48,14 +48,13 @@ sync_repos:
- chmod +x ./sync.sh - chmod +x ./sync.sh
- ./sync.sh - ./sync.sh
rules: rules:
- if: $UPDATE_FLAKE == "yes" - if: '$SYNC_OVERRIDE == "true"'
when: never - changes:
- if: '$CI_PROJECT_NAMESPACE == "compsoc1/skynet" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
changes:
- sync/repos.csv - sync/repos.csv
.scripts_base: &scripts_base .scripts_base: &scripts_base
# load nix environment # load nix environment
- git pull origin $CI_COMMIT_REF_NAME
- . "$HOME/.nix-profile/etc/profile.d/nix.sh" - . "$HOME/.nix-profile/etc/profile.d/nix.sh"
- nix --extra-experimental-features 'nix-command flakes' profile install nixpkgs#colmena - nix --extra-experimental-features 'nix-command flakes' profile install nixpkgs#colmena
@ -66,23 +65,13 @@ sync_repos:
- mkdir -p ~/.ssh - mkdir -p ~/.ssh
- chmod 700 ~/.ssh - chmod 700 ~/.ssh
.scripts_cache: &scripts_cache
- nix --extra-experimental-features 'nix-command flakes' profile install nixpkgs#attic-client
- attic login skynet https://nix-cache.skynet.ie/ $CACHE_KEY
- attic use skynet-cache
# add any new items to the cache
- attic watch-store skynet-cache &
# every commit on main will build and deploy # every commit on main will build and deploy
.build_template: &builder .build_template: &builder
tags: tags:
- nix - nix
before_script: before_script:
- *scripts_base - *scripts_base
- *scripts_cache
rules: rules:
- if: $UPDATE_FLAKE == "yes"
when: never
- changes: - changes:
- applications/**/* - applications/**/*
- machines/**/* - machines/**/*
@ -96,10 +85,7 @@ sync_repos:
before_script: before_script:
- *scripts_deploy - *scripts_deploy
- *scripts_base - *scripts_base
- *scripts_cache
rules: rules:
- if: $UPDATE_FLAKE == "yes"
when: never
- if: '$CI_PROJECT_NAMESPACE == "compsoc1/skynet" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH' - if: '$CI_PROJECT_NAMESPACE == "compsoc1/skynet" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
changes: changes:
- flake.nix - flake.nix
@ -119,7 +105,6 @@ build:
<<: *builder <<: *builder
stage: test stage: test
script: script:
- nix --extra-experimental-features 'nix-command flakes' develop
- colmena build -v --on @active-dns - colmena build -v --on @active-dns
- colmena build -v --on @active-core - colmena build -v --on @active-core
- colmena build -v --on @active - colmena build -v --on @active
@ -161,6 +146,7 @@ deploy_ext:
- deploy_dns - deploy_dns
script: script:
- colmena apply -v --on @active-ext - colmena apply -v --on @active-ext
allow_failure: true
deploy_gitlab: deploy_gitlab:
<<: *builder <<: *builder

View file

@ -1,45 +0,0 @@
Rule,Action,Ticket,Status,Source_IP,Source_Server,Destination_IP,Destination_Server,Port_TCP,Port_UDP,Notes
SKYNET_FIREWALL_00000,Add,,Complete,VPN,-,93.1.99.71 - 193.1.99.126,All,22,-,sftp/ssh required from vpn to servers for admins
SKYNET_FIREWALL_00001,Add,,Complete,All,-,193.1.99.109,SKYNET00004,-,53,Nameserver for skynet.ie
SKYNET_FIREWALL_00002,Add,,Complete,All,-,193.1.99.111,SKYNET00005,"80, 443, 8000",-,"ULFM, http(s) for internet streaming, 8000 for connecting to the server."
SKYNET_FIREWALL_00003,Add,,Complete,All,-,193.1.99.112,SKYNET00006,"80, 443, 25565",-,"Games host, Minecraft uses 25565 (will have more ports in the future)"
SKYNET_FIREWALL_00004,Add,,Complete,All,-,193.1.99.120,SKYNET00002,-,53,Nameserver for skynet.ie
SKYNET_FIREWALL_00005,Add,i23-01-19_681,Complete,193.1.99.72,SKYNET00001,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00006,Add,i23-01-19_681,Complete,193.1.99.75,SKYNET00008,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00007,Add,i23-01-19_681,Complete,193.1.99.109,SKYNET00004,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00008,Add,i23-01-19_681,Complete,193.1.99.111,SKYNET00005,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00009,Add,i23-01-19_681,Complete,193.1.99.112,SKYNET00006,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00010,Add,i23-01-19_681,Complete,193.1.99.120,SKYNET00002,All,-,-,-,Allow outbound access
SKYNET_FIREWALL_00011,Add,i23-05-18_249,Complete,All,-,193.1.99.75,SKYNET00008,"80, 443",-,For gitlab Access
SKYNET_FIREWALL_00012,Add,i23-05-18_249,Complete,193.1.99.72 - 193.1.99.126,-,All,-,-,-,"I would also like to extend the outbound access to cover our entire range (193.1.99.72 to 193.1.99.126) to allow for setup for more servers on those ip's (need to download updates and packages).
I have a few servers I plan to setup over the next two weeks, one after another as the later ones depend on earlier ones.
In such a case asking for permission for each individual IP would induce several tickets and a few weeks of paperwork going through change control.
Only a few of these sevices will need inbound ports opened on ITD's firewall, which can be requested when the systems are up, running and secured."
SKYNET_FIREWALL_00013,Add,i23-05-18_249,Complete,All,-,193.1.99.76,SKYNET00009,"143, 993, 587, 465",-,Email Server
SKYNET_FIREWALL_00014,Add,i23-06-19_525,Complete,All,-,193.1.99.76,SKYNET00009,"80, 443, 25",-,"Mailserver here, SPF, DKIM and DMARC are all set up"
SKYNET_FIREWALL_00015,Add,i23-06-19_525,Complete,All,-,193.1.99.79,SKYNET00011,"80, 443",-,Main Skynet webserver
SKYNET_FIREWALL_00016,Add,i23-06-30_024,Complete,All,-,193.1.96.165,SKYNET00012,22,-,"Skynet user's server
Outlet is 131 or 132"
SKYNET_FIREWALL_00017,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.120,SKYNET00002,-,53,Allow Skynet server to use our own internal DNS
SKYNET_FIREWALL_00018,Add,i23-06-30_024,Complete,193.1.96.165,SKYNET00012,193.1.99.74,SKYNET00007,389/636,-,Allow Skynet server to access LDAP
,Add,i23-07-28_010,Denied,All,-,193.1.99.74,SKYNET00007,"80, 443",-,Self Service site for Skynet accounts Only 443 on account modification pages
SKYNET_FIREWALL_00019,Add,i23-07-28_010,Complete,All,-,193.1.99.74,SKYNET00007,443,-,Self Service site for Skynet accounts
SKYNET_FIREWALL_00020,Add,i23-09-05_639,Complete,All,-,193.1.96.165,SKYNET00012,"80, 443",-,Web hosting for user sites
SKYNET_FIREWALL_00021,Add,i23-10-27_014,Complete,All,-,193.1.99.77,SKYNET00014,"80, 443",-,"Nextcloud, selfhosted google services, filestorage and documents"
SKYNET_FIREWALL_00022,Add,i24-02-01_102,Complete,193.1.96.165,SKYNET00012,103.1.99.109,SKYNET00004,-,53,Give the Skynet server access to ur secondary DNS
SKYNET_FIREWALL_00023,Add,i24-02-01_102,Complete,193.1.99.78,SKYNET00010,193.1.96.165,SKYNET00012,22,-,Allow our gitlab runner to access and deploy to teh external server
SKYNET_FIREWALL_00024,Add,i24-02-16_065,Complete,All,-,193.1.99.90,SKYNET00016,"80, 443",-,Games Server Administrative panel
SKYNET_FIREWALL_00025,Add,i24-02-16_065,Complete,All,-,193.1.99.91,SKYNET00017,25518-25525,"19132, 24418-24425",Minecraft Games server
SKYNET_FIREWALL_00026,Add,i24-06-04_017,Complete,All,-,193.1.99.76,SKYNET00009,4190,-,"Email sieve to allow members to add email filters to their
skynet mail."
SKYNET_FIREWALL_00027,Add,i24-06-04_017,Complete,All,-,193.1.99.82,SKYNET00018,80/443,-,"Public services such as a binary cache, open governance and keyserver"
,Add,i24-06-04_017,Denied,All,-,193.1.99.90,SKYNET00016,8080,-,"Websocket for admin panel on games management server
Denied because more information on wat it was for was requested"
,Add,i24-06-04_017,Denied,193.1.99.74,SKYNET00007,193.1.96.165,SKYNET00012,9000-9020,-,"Metrics collection, not done because not enough info provided"
SKYNET_FIREWALL_00028,Remove,i24-06-04_017,Complete,-,-,193.1.99.112,SKYNET00019,25565,-,No longer the minecraft game host
SKYNET_FIREWALL_00029,Add,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Websocket for admin panel on games management server
SKYNET_FIREWALL_00030,Add,i24-06-04_017,Complete,193.1.99.83,SKYNET00020,193.1.96.165,SKYNET00012,9000-9010,-,Metrics Collection
SKYNET_FIREWALL_00031,Add,i24-06-04_017,Complete,All,-,193.1.99.83,SKYNET00020,"80, 443",-,Web interface for Metrics server
SKYNET_FIREWALL_00032,Remove,i24-06-04_017,Complete,All,-,193.1.99.90,SKYNET00016,8080,-,Had incorrectly opened 8080 on the main panel
SKYNET_FIREWALL_00033,Add,i24-06-04_017,Complete,All,-,193.1.99.91,SKYNET00017,8080,-,Websocket for admin panel on games management server
,Add,i24-07-15_112,Denied,193.1.99.75,-,-,-,22,-,Response from ITD - 'Our IT Security team have advised that port 22 and port 2222 are only to be allowed through the VPN and will not be opened to allow inbound ssh connections directly from the internet'
1 Rule Action Ticket Status Source_IP Source_Server Destination_IP Destination_Server Port_TCP Port_UDP Notes
2 SKYNET_FIREWALL_00000 Add Complete VPN - 93.1.99.71 - 193.1.99.126 All 22 - sftp/ssh required from vpn to servers for admins
3 SKYNET_FIREWALL_00001 Add Complete All - 193.1.99.109 SKYNET00004 - 53 Nameserver for skynet.ie
4 SKYNET_FIREWALL_00002 Add Complete All - 193.1.99.111 SKYNET00005 80, 443, 8000 - ULFM, http(s) for internet streaming, 8000 for connecting to the server.
5 SKYNET_FIREWALL_00003 Add Complete All - 193.1.99.112 SKYNET00006 80, 443, 25565 - Games host, Minecraft uses 25565 (will have more ports in the future)
6 SKYNET_FIREWALL_00004 Add Complete All - 193.1.99.120 SKYNET00002 - 53 Nameserver for skynet.ie
7 SKYNET_FIREWALL_00005 Add i23-01-19_681 Complete 193.1.99.72 SKYNET00001 All - - - Allow outbound access
8 SKYNET_FIREWALL_00006 Add i23-01-19_681 Complete 193.1.99.75 SKYNET00008 All - - - Allow outbound access
9 SKYNET_FIREWALL_00007 Add i23-01-19_681 Complete 193.1.99.109 SKYNET00004 All - - - Allow outbound access
10 SKYNET_FIREWALL_00008 Add i23-01-19_681 Complete 193.1.99.111 SKYNET00005 All - - - Allow outbound access
11 SKYNET_FIREWALL_00009 Add i23-01-19_681 Complete 193.1.99.112 SKYNET00006 All - - - Allow outbound access
12 SKYNET_FIREWALL_00010 Add i23-01-19_681 Complete 193.1.99.120 SKYNET00002 All - - - Allow outbound access
13 SKYNET_FIREWALL_00011 Add i23-05-18_249 Complete All - 193.1.99.75 SKYNET00008 80, 443 - For gitlab Access
14 SKYNET_FIREWALL_00012 Add i23-05-18_249 Complete 193.1.99.72 - 193.1.99.126 - All - - - I would also like to extend the outbound access to cover our entire range (193.1.99.72 to 193.1.99.126) to allow for setup for more servers on those ip's (need to download updates and packages). I have a few servers I plan to setup over the next two weeks, one after another as the later ones depend on earlier ones. In such a case asking for permission for each individual IP would induce several tickets and a few weeks of paperwork going through change control. Only a few of these sevices will need inbound ports opened on ITD's firewall, which can be requested when the systems are up, running and secured.
15 SKYNET_FIREWALL_00013 Add i23-05-18_249 Complete All - 193.1.99.76 SKYNET00009 143, 993, 587, 465 - Email Server
16 SKYNET_FIREWALL_00014 Add i23-06-19_525 Complete All - 193.1.99.76 SKYNET00009 80, 443, 25 - Mailserver here, SPF, DKIM and DMARC are all set up
17 SKYNET_FIREWALL_00015 Add i23-06-19_525 Complete All - 193.1.99.79 SKYNET00011 80, 443 - Main Skynet webserver
18 SKYNET_FIREWALL_00016 Add i23-06-30_024 Complete All - 193.1.96.165 SKYNET00012 22 - Skynet user's server Outlet is 131 or 132
19 SKYNET_FIREWALL_00017 Add i23-06-30_024 Complete 193.1.96.165 SKYNET00012 193.1.99.120 SKYNET00002 - 53 Allow Skynet server to use our own internal DNS
20 SKYNET_FIREWALL_00018 Add i23-06-30_024 Complete 193.1.96.165 SKYNET00012 193.1.99.74 SKYNET00007 389/636 - Allow Skynet server to access LDAP
21 Add i23-07-28_010 Denied All - 193.1.99.74 SKYNET00007 80, 443 - Self Service site for Skynet accounts – Only 443 on account modification pages
22 SKYNET_FIREWALL_00019 Add i23-07-28_010 Complete All - 193.1.99.74 SKYNET00007 443 - Self Service site for Skynet accounts
23 SKYNET_FIREWALL_00020 Add i23-09-05_639 Complete All - 193.1.96.165 SKYNET00012 80, 443 - Web hosting for user sites
24 SKYNET_FIREWALL_00021 Add i23-10-27_014 Complete All - 193.1.99.77 SKYNET00014 80, 443 - Nextcloud, selfhosted google services, filestorage and documents
25 SKYNET_FIREWALL_00022 Add i24-02-01_102 Complete 193.1.96.165 SKYNET00012 103.1.99.109 SKYNET00004 - 53 Give the Skynet server access to ur secondary DNS
26 SKYNET_FIREWALL_00023 Add i24-02-01_102 Complete 193.1.99.78 SKYNET00010 193.1.96.165 SKYNET00012 22 - Allow our gitlab runner to access and deploy to teh external server
27 SKYNET_FIREWALL_00024 Add i24-02-16_065 Complete All - 193.1.99.90 SKYNET00016 80, 443 - Games Server Administrative panel
28 SKYNET_FIREWALL_00025 Add i24-02-16_065 Complete All - 193.1.99.91 SKYNET00017 25518-25525 19132, 24418-24425 Minecraft Games server
29 SKYNET_FIREWALL_00026 Add i24-06-04_017 Complete All - 193.1.99.76 SKYNET00009 4190 - Email sieve to allow members to add email filters to their skynet mail.
30 SKYNET_FIREWALL_00027 Add i24-06-04_017 Complete All - 193.1.99.82 SKYNET00018 80/443 - Public services such as a binary cache, open governance and keyserver
31 Add i24-06-04_017 Denied All - 193.1.99.90 SKYNET00016 8080 - Websocket for admin panel on games management server Denied because more information on wat it was for was requested
32 Add i24-06-04_017 Denied 193.1.99.74 SKYNET00007 193.1.96.165 SKYNET00012 9000-9020 - Metrics collection, not done because not enough info provided
33 SKYNET_FIREWALL_00028 Remove i24-06-04_017 Complete - - 193.1.99.112 SKYNET00019 25565 - No longer the minecraft game host
34 SKYNET_FIREWALL_00029 Add i24-06-04_017 Complete All - 193.1.99.90 SKYNET00016 8080 - Websocket for admin panel on games management server
35 SKYNET_FIREWALL_00030 Add i24-06-04_017 Complete 193.1.99.83 SKYNET00020 193.1.96.165 SKYNET00012 9000-9010 - Metrics Collection
36 SKYNET_FIREWALL_00031 Add i24-06-04_017 Complete All - 193.1.99.83 SKYNET00020 80, 443 - Web interface for Metrics server
37 SKYNET_FIREWALL_00032 Remove i24-06-04_017 Complete All - 193.1.99.90 SKYNET00016 8080 - Had incorrectly opened 8080 on the main panel
38 SKYNET_FIREWALL_00033 Add i24-06-04_017 Complete All - 193.1.99.91 SKYNET00017 8080 - Websocket for admin panel on games management server
39 Add i24-07-15_112 Denied 193.1.99.75 - - - 22 - Response from ITD - 'Our IT Security team have advised that port 22 and port 2222 are only to be allowed through the VPN and will not be opened to allow inbound ssh connections directly from the internet'

View file

@ -1,22 +0,0 @@
Index,Name,Status,IP_Address,OS,Description
SKYNET00001,agentjones,Active,193.1.99.72,Nixos-24.05,Firewall (currently not active)
SKYNET00002,vendetta,Active,193.1.99.120,Nixos-24.05,DNS Nameserver 1
SKYNET00003,jarvis,Active,193.1.99.73,Nixos-24.05,VM Host
SKYNET00004,vigil,Active,193.1.99.109,Nixos-24.05,DNS Nameserver 2
SKYNET00005,galatea,Active,193.1.99.111,Nixos-24.05,ULFM Radio
SKYNET00006,optimus,Retired,193.1.99.112,Nixos-24.05,Retired Games server
SKYNET00007,kitt,Active,193.1.99.74,Nixos-24.05,"LDAP and Self-Service Password/Account management, also hosts our Discord bot"
SKYNET00008,glados,Active,193.1.99.75,Nixos-24.05,Gitlab server
SKYNET00009,gir,Active,193.1.99.76,Nixos-24.05,Email and Webmail
SKYNET00010,wheatly,Active,193.1.99.78,Nixos-24.05,Gitlab Runner
SKYNET00011,earth,Active,193.1.99.79,Nixos-24.05,Offical website host
SKYNET00012,skynet,Active,193.1.96.165,Nixos-24.05,Skynet server. (DMZ)
SKYNET00013,neuromancer,Active,193.1.99.80,Nixos-24.05,Local Backup Server
SKYNET00014,cadie,Active,193.1.99.77,Nixos-24.05,"Services VM, has nextcloud to start with"
SKYNET00015,marvin,Active,193.1.99.81,Nixos-24.05,Trainee testing server
SKYNET00016,optimus,Active,193.1.99.90,Debian-12,Games server manager (replacing SKYNET00006 soon)
SKYNET00017,bumblebee,Active,193.1.99.91,Debian-12,Game server - Minecraft
SKYNET00018,calculon,Active,193.1.99.82,Nixos-24.05,"Public Services such as binary cache, Open Governance and Keyserver"
SKYNET00019,deepthought,Active,193.1.99.112,Nixos-24.05,Backup Test Server using restic
SKYNET00020,ariia,Active,193.1.99.83,Nixos-24.05,"Metrics, Grafana and Prometheus"
SKYNET00021,ash,Active,193.1.99.114,NA,Server Room Network access
1 Index Name Status IP_Address OS Description
2 SKYNET00001 agentjones Active 193.1.99.72 Nixos-24.05 Firewall (currently not active)
3 SKYNET00002 vendetta Active 193.1.99.120 Nixos-24.05 DNS Nameserver 1
4 SKYNET00003 jarvis Active 193.1.99.73 Nixos-24.05 VM Host
5 SKYNET00004 vigil Active 193.1.99.109 Nixos-24.05 DNS Nameserver 2
6 SKYNET00005 galatea Active 193.1.99.111 Nixos-24.05 ULFM Radio
7 SKYNET00006 optimus Retired 193.1.99.112 Nixos-24.05 Retired Games server
8 SKYNET00007 kitt Active 193.1.99.74 Nixos-24.05 LDAP and Self-Service Password/Account management, also hosts our Discord bot
9 SKYNET00008 glados Active 193.1.99.75 Nixos-24.05 Gitlab server
10 SKYNET00009 gir Active 193.1.99.76 Nixos-24.05 Email and Webmail
11 SKYNET00010 wheatly Active 193.1.99.78 Nixos-24.05 Gitlab Runner
12 SKYNET00011 earth Active 193.1.99.79 Nixos-24.05 Offical website host
13 SKYNET00012 skynet Active 193.1.96.165 Nixos-24.05 Skynet server. (DMZ)
14 SKYNET00013 neuromancer Active 193.1.99.80 Nixos-24.05 Local Backup Server
15 SKYNET00014 cadie Active 193.1.99.77 Nixos-24.05 Services VM, has nextcloud to start with
16 SKYNET00015 marvin Active 193.1.99.81 Nixos-24.05 Trainee testing server
17 SKYNET00016 optimus Active 193.1.99.90 Debian-12 Games server manager (replacing SKYNET00006 soon)
18 SKYNET00017 bumblebee Active 193.1.99.91 Debian-12 Game server - Minecraft
19 SKYNET00018 calculon Active 193.1.99.82 Nixos-24.05 Public Services such as binary cache, Open Governance and Keyserver
20 SKYNET00019 deepthought Active 193.1.99.112 Nixos-24.05 Backup Test Server using restic
21 SKYNET00020 ariia Active 193.1.99.83 Nixos-24.05 Metrics, Grafana and Prometheus
22 SKYNET00021 ash Active 193.1.99.114 NA Server Room Network access

View file

@ -1,6 +0,0 @@
Index,First Name,Surname,UL Student Email
SKYNET_VPN_ADM_001,Brendan,Golden,12136891@studentmail.ul.ie
SKYNET_VPN_ADM_002,Evan,Cassidy,External
SKYNET_VPN_ADM_003,Eoghan,Conlon,21310262@studentmail.ul.ie
SKYNET_VPN_ADM_004,Eliza,Macovei,23382619@studentmail.ul.ie
SKYNET_VPN_ADM_005,Daragh,Downes,22351159@studentmail.ul.ie
1 Index First Name Surname UL Student Email
2 SKYNET_VPN_ADM_001 Brendan Golden 12136891@studentmail.ul.ie
3 SKYNET_VPN_ADM_002 Evan Cassidy External
4 SKYNET_VPN_ADM_003 Eoghan Conlon 21310262@studentmail.ul.ie
5 SKYNET_VPN_ADM_004 Eliza Macovei 23382619@studentmail.ul.ie
6 SKYNET_VPN_ADM_005 Daragh Downes 22351159@studentmail.ul.ie

View file

@ -1,7 +0,0 @@
Date,Date Modified,Action,Ticket,ID
SKYNET_VPN_ADM_CHANGE_001,2023/04/04,Added,,SKYNET_VPN_ADM_001
SKYNET_VPN_ADM_CHANGE_002,2023/04/04,Added,,SKYNET_VPN_ADM_002
SKYNET_VPN_ADM_CHANGE_003,2023/04/04,Added,,SKYNET_VPN_ADM_003
SKYNET_VPN_ADM_CHANGE_003,2024/07/21,Removed,i24-07-22_760,SKYNET_VPN_ADM_003
SKYNET_VPN_ADM_CHANGE_004,2024/07/21,Added,i24-07-22_760,SKYNET_VPN_ADM_004
SKYNET_VPN_ADM_CHANGE_005,2024/07/21,Added,i24-07-22_760,SKYNET_VPN_ADM_005
1 Date Date Modified Action Ticket ID
2 SKYNET_VPN_ADM_CHANGE_001 2023/04/04 Added SKYNET_VPN_ADM_001
3 SKYNET_VPN_ADM_CHANGE_002 2023/04/04 Added SKYNET_VPN_ADM_002
4 SKYNET_VPN_ADM_CHANGE_003 2023/04/04 Added SKYNET_VPN_ADM_003
5 SKYNET_VPN_ADM_CHANGE_003 2024/07/21 Removed i24-07-22_760 SKYNET_VPN_ADM_003
6 SKYNET_VPN_ADM_CHANGE_004 2024/07/21 Added i24-07-22_760 SKYNET_VPN_ADM_004
7 SKYNET_VPN_ADM_CHANGE_005 2024/07/21 Added i24-07-22_760 SKYNET_VPN_ADM_005

18
ITD_Firewall.csv Normal file
View file

@ -0,0 +1,18 @@
Index,Name,IP_Address,DNS_Name,Ports_Current,Ports_Requested,Related_Tickets,Description
SKYNET00001,agentjones,193.1.99.72,agentjones,"","","",Firewall (currently not active)
SKYNET00002,vendetta,193.1.99.120,vendetta/ns1,53,"","",DNS Nameserver 1
SKYNET00003,jarvis,193.1.99.73,jarvis,"","","",VM Host
SKYNET00004,vigil,193.1.99.109,vigil/ns2,53,"","",DNS Nameserver 2
SKYNET00005,galatea,193.1.99.111,galatea/stream,80/443 8000,"","",ULFM Radio
SKYNET00006,optimus,193.1.99.112,optimus/games/*.games,80/443 25565,"","",Games server
SKYNET00007,kitt,193.1.99.74,kitt/account/api.account,443,"",i23-07-28_010,"LDAP and Self-Service Password/Account management, also hosts our Discord bot"
SKYNET00008,glados,193.1.99.75,glados/gitlab/*.pages.gitlab,80/443,2222,i23-05-18_249,Gitlab server
SKYNET00009,gir,193.1.99.76,gir/mail/imap/pop3/smtp,80/443 25/143/993/587/465,"",i23-06-19_525/i23-06-19_525,Email and Webmail
SKYNET00010,wheatly,193.1.99.78,wheatly,"","","",Gitlab Runner
SKYNET00011,earth,193.1.99.79,earth,80/443,"",i23-06-19_525,Offical website host
SKYNET00012,skynet,193.1.96.165,skynet/*.users,22 80/443,"",i23-06-30_024,Skynet server. (DMZ)
SKYNET00013,neuromancer,193.1.99.80,neuromancer,"","","",Local Backup Server
SKYNET00014,cadie,193.1.99.77,cadie/nextcloud/onlyoffice.nextcloud,80/443,"",i23-10-27_014,"Services VM, has nextcloud to start with"
SKYNET00015,marvin,193.1.99.81,marvin,,,,Trainee testing server
SKYNET00016,optimus,193.1.99.99,,,,,Games server manager (replacing SKYNET00006 soon)
SKYNET00017,bumblebee,193.1.99.100,,,,,Game server - Minecraft
1 Index Name IP_Address DNS_Name Ports_Current Ports_Requested Related_Tickets Description
2 SKYNET00001 agentjones 193.1.99.72 agentjones Firewall (currently not active)
3 SKYNET00002 vendetta 193.1.99.120 vendetta/ns1 53 DNS Nameserver 1
4 SKYNET00003 jarvis 193.1.99.73 jarvis VM Host
5 SKYNET00004 vigil 193.1.99.109 vigil/ns2 53 DNS Nameserver 2
6 SKYNET00005 galatea 193.1.99.111 galatea/stream 80/443 8000 ULFM Radio
7 SKYNET00006 optimus 193.1.99.112 optimus/games/*.games 80/443 25565 Games server
8 SKYNET00007 kitt 193.1.99.74 kitt/account/api.account 443 i23-07-28_010 LDAP and Self-Service Password/Account management, also hosts our Discord bot
9 SKYNET00008 glados 193.1.99.75 glados/gitlab/*.pages.gitlab 80/443 2222 i23-05-18_249 Gitlab server
10 SKYNET00009 gir 193.1.99.76 gir/mail/imap/pop3/smtp 80/443 25/143/993/587/465 i23-06-19_525/i23-06-19_525 Email and Webmail
11 SKYNET00010 wheatly 193.1.99.78 wheatly Gitlab Runner
12 SKYNET00011 earth 193.1.99.79 earth 80/443 i23-06-19_525 Offical website host
13 SKYNET00012 skynet 193.1.96.165 skynet/*.users 22 80/443 i23-06-30_024 Skynet server. (DMZ)
14 SKYNET00013 neuromancer 193.1.99.80 neuromancer Local Backup Server
15 SKYNET00014 cadie 193.1.99.77 cadie/nextcloud/onlyoffice.nextcloud 80/443 i23-10-27_014 Services VM, has nextcloud to start with
16 SKYNET00015 marvin 193.1.99.81 marvin Trainee testing server
17 SKYNET00016 optimus 193.1.99.99 Games server manager (replacing SKYNET00006 soon)
18 SKYNET00017 bumblebee 193.1.99.100 Game server - Minecraft

View file

@ -1,9 +0,0 @@
MIT License
Copyright (c) 2024 Skynet
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

View file

@ -1,6 +1,5 @@
https://web.archive.org/web/20180815150202/https://wiki.skynet.ie/Admin/SkynetMachines https://web.archive.org/web/20180815150202/https://wiki.skynet.ie/Admin/SkynetMachines
https://en.m.wikipedia.org/wiki/Category:Fictional_artificial_intelligences https://en.m.wikipedia.org/wiki/Category:Fictional_artificial_intelligences
https://en.wikipedia.org/wiki/List_of_artificial_intelligence_films
* agentsmith * agentsmith
* skynet * skynet

19
_types/dns_object.nix Normal file
View file

@ -0,0 +1,19 @@
{lib, ...}:
with lib; {
options = {
record = mkOption {
type = types.str;
};
r_type = mkOption {
type = types.enum ["A" "CNAME" "TXT" "PTR" "SRV" "MX"];
};
value = mkOption {
type = types.str;
};
server = mkOption {
description = "Core record for a server";
type = types.bool;
default = false;
};
};
}

View file

@ -1,74 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
# root service
cfg = config.services.skynet;
in {
imports = [
# every server needs to have a dns record
./dns/dns.nix
# every server should have proper certs
./acme.nix
./nginx.nix
# every server may need the firewall config stuff
./firewall.nix
# every server needs teh ldap client for admins
./ldap/client.nix
# every server will need the config to backup to
./restic.nix
# every server will be monitored for grafana
./prometheus.nix
];
options.services.skynet = {
# since we use this basically everywhere provide a standard way to set it
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
hostname = mkOption {
type = types.str;
default = "${cfg.host.name}.skynet.ie";
};
};
};
config = {
services.skynet.dns.records = [
{
record = cfg.host.name;
r_type = "A";
value = cfg.host.ip;
server = true;
}
{
record = cfg.host.ip;
r_type = "PTR";
value = cfg.host.hostname;
}
];
services.nginx = {
virtualHosts = {
# for every server unless explisitly defined redirect the ip to skynet.ie
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
};
};
};
}

View file

@ -5,12 +5,12 @@
... ...
}: }:
with lib; let with lib; let
name = "acme"; cfg = config.skynet_acme;
cfg = config.services.skynet."${name}";
in { in {
imports = []; imports = [];
options.services.skynet."${name}" = { options = {
skynet_acme = {
domains = lib.mkOption { domains = lib.mkOption {
default = []; default = [];
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
@ -19,7 +19,7 @@ in {
''; '';
}; };
}; };
};
config = { config = {
# group that will own the certificates # group that will own the certificates
users.groups.acme = {}; users.groups.acme = {};
@ -32,15 +32,15 @@ in {
defaults = { defaults = {
email = "admin_acme@skynet.ie"; email = "admin_acme@skynet.ie";
credentialsFile = config.age.secrets.acme.path;
# we use our own dns authorative server for verifying we own the domain. # we use our own dns authorative server for verifying we own the domain.
dnsProvider = "rfc2136"; dnsProvider = "rfc2136";
credentialsFile = config.age.secrets.acme.path;
}; };
certs = { certs = {
"skynet" = { "skynet" = {
domain = "skynet.ie"; domain = "skynet.ie";
extraDomainNames = lists.naturalSort cfg.domains; extraDomainNames = cfg.domains;
}; };
}; };
}; };

View file

@ -0,0 +1,324 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.bitwarden-directory-connector-cli;
in {
disabledModules = ["services/security/bitwarden-directory-connector-cli.nix"];
options.services.bitwarden-directory-connector-cli = {
enable = mkEnableOption "Bitwarden Directory Connector";
package = mkPackageOption pkgs "bitwarden-directory-connector-cli" {};
domain = mkOption {
type = types.str;
description = lib.mdDoc "The domain the Bitwarden/Vaultwarden is accessible on.";
example = "https://vaultwarden.example.com";
};
user = mkOption {
type = types.str;
description = lib.mdDoc "User to run the program.";
default = "bwdc";
};
interval = mkOption {
type = types.str;
default = "*:0,15,30,45";
description = lib.mdDoc "The interval when to run the connector. This uses systemd's OnCalendar syntax.";
};
ldap = mkOption {
description = lib.mdDoc ''
Options to configure the LDAP connection.
If you used the desktop application to test the configuration you can find the settings by searching for `ldap` in `~/.config/Bitwarden\ Directory\ Connector/data.json`.
'';
default = {};
type = types.submodule ({
config,
options,
...
}: {
freeformType = types.attrsOf (pkgs.formats.json {}).type;
config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options)));
options = {
finalJSON = mkOption {
type = (pkgs.formats.json {}).type;
internal = true;
readOnly = true;
visible = false;
};
ssl = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether to use TLS.";
};
startTls = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether to use STARTTLS.";
};
hostname = mkOption {
type = types.str;
description = lib.mdDoc "The host the LDAP is accessible on.";
example = "ldap.example.com";
};
port = mkOption {
type = types.port;
default = 389;
description = lib.mdDoc "Port LDAP is accessible on.";
};
ad = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether the LDAP Server is an Active Directory.";
};
pagedSearch = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether the LDAP server paginates search results.";
};
rootPath = mkOption {
type = types.str;
description = lib.mdDoc "Root path for LDAP.";
example = "dc=example,dc=com";
};
username = mkOption {
type = types.str;
description = lib.mdDoc "The user to authenticate as.";
example = "cn=admin,dc=example,dc=com";
};
};
});
};
sync = mkOption {
description = lib.mdDoc ''
Options to configure what gets synced.
If you used the desktop application to test the configuration you can find the settings by searching for `sync` in `~/.config/Bitwarden\ Directory\ Connector/data.json`.
'';
default = {};
type = types.submodule ({
config,
options,
...
}: {
freeformType = types.attrsOf (pkgs.formats.json {}).type;
config.finalJSON = builtins.toJSON (removeAttrs config (filter (x: x == "finalJSON" || ! options.${x}.isDefined or false) (attrNames options)));
options = {
finalJSON = mkOption {
type = (pkgs.formats.json {}).type;
internal = true;
readOnly = true;
visible = false;
};
removeDisabled = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc "Remove users from bitwarden groups if no longer in the ldap group.";
};
overwriteExisting = mkOption {
type = types.bool;
default = false;
description =
lib.mdDoc "Remove and re-add users/groups, See https://bitwarden.com/help/user-group-filters/#overwriting-syncs for more details.";
};
largeImport = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Enable if you are syncing more than 2000 users/groups.";
};
memberAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute that lists members in a LDAP group.";
example = "uniqueMember";
};
creationDateAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute that lists a user's creation date.";
example = "whenCreated";
};
useEmailPrefixSuffix = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "If a user has no email address, combine a username prefix with a suffix value to form an email.";
};
emailPrefixAttribute = mkOption {
type = types.str;
description = lib.mdDoc "The attribute that contains the users username.";
example = "accountName";
};
emailSuffix = mkOption {
type = types.str;
description = lib.mdDoc "Suffix for the email, normally @example.com.";
example = "@example.com";
};
users = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Sync users.";
};
userPath = mkOption {
type = types.str;
description = lib.mdDoc "User directory, relative to root.";
default = "ou=users";
};
userObjectClass = mkOption {
type = types.str;
description = lib.mdDoc "Class that users must have.";
default = "inetOrgPerson";
};
userEmailAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute for a users email.";
default = "mail";
};
userFilter = mkOption {
type = types.str;
description = lib.mdDoc "LDAP filter for users.";
example = "(memberOf=cn=sales,ou=groups,dc=example,dc=com)";
default = "";
};
groups = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Whether to sync ldap groups into BitWarden.";
};
groupPath = mkOption {
type = types.str;
description = lib.mdDoc "Group directory, relative to root.";
default = "ou=groups";
};
groupObjectClass = mkOption {
type = types.str;
description = lib.mdDoc "A class that groups will have.";
default = "groupOfNames";
};
groupNameAttribute = mkOption {
type = types.str;
description = lib.mdDoc "Attribute for a name of group.";
default = "cn";
};
groupFilter = mkOption {
type = types.str;
description = lib.mdDoc "LDAP filter for groups.";
example = "(cn=sales)";
default = "";
};
};
});
};
secrets = {
ldap = mkOption {
type = types.str;
description = "Path to file that contains LDAP password for user in {option}`ldap.username";
};
bitwarden = {
client_path_id = mkOption {
type = types.str;
description = "Path to file that contains Client ID.";
};
client_path_secret = mkOption {
type = types.str;
description = "Path to file that contains Client Secret.";
};
};
};
};
config = mkIf cfg.enable {
users.groups."${cfg.user}" = {};
users.users."${cfg.user}" = {
isSystemUser = true;
group = cfg.user;
};
systemd = {
timers.bitwarden-directory-connector-cli = {
description = "Sync timer for Bitwarden Directory Connector";
wantedBy = ["timers.target"];
after = ["network-online.target"];
timerConfig = {
OnCalendar = cfg.interval;
Unit = "bitwarden-directory-connector-cli.service";
Persistent = true;
};
};
services.bitwarden-directory-connector-cli = {
description = "Main process for Bitwarden Directory Connector";
environment = {
BITWARDENCLI_CONNECTOR_APPDATA_DIR = "/tmp";
BITWARDENCLI_CONNECTOR_PLAINTEXT_SECRETS = "true";
};
serviceConfig = {
Type = "oneshot";
User = "${cfg.user}";
PrivateTmp = true;
ExecStartPre = pkgs.writeShellScript "bitwarden_directory_connector-config" ''
set -eo pipefail
# create the config file
${lib.getExe cfg.package} data-file
touch /tmp/data.json.tmp
chmod 600 /tmp/data.json{,.tmp}
${lib.getExe cfg.package} config server ${cfg.domain}
# now login to set credentials
export BW_CLIENTID="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_id})"
export BW_CLIENTSECRET="$(< ${escapeShellArg cfg.secrets.bitwarden.client_path_secret})"
${lib.getExe cfg.package} login
${lib.getExe pkgs.jq} '.authenticatedAccounts[0] as $account
| .[$account].directoryConfigurations.ldap |= $ldap_data
| .[$account].directorySettings.organizationId |= $orgID
| .[$account].directorySettings.sync |= $sync_data' \
--argjson ldap_data ${escapeShellArg cfg.ldap.finalJSON} \
--arg orgID "''${BW_CLIENTID//organization.}" \
--argjson sync_data ${escapeShellArg cfg.sync.finalJSON} \
/tmp/data.json \
> /tmp/data.json.tmp
mv -f /tmp/data.json.tmp /tmp/data.json
# final config
${lib.getExe cfg.package} config directory 0
${lib.getExe cfg.package} config ldap.password --secretfile ${cfg.secrets.ldap}
'';
ExecStart = "${lib.getExe cfg.package} sync";
};
};
};
};
meta.maintainers = with maintainers; [Silver-Golden];
}

View file

@ -6,7 +6,9 @@
}: let }: let
user = "bwdc"; user = "bwdc";
in { in {
imports = []; imports = [
./bitwarden-directory-connector-cli.nix
];
options = {}; options = {};

View file

@ -6,36 +6,53 @@
... ...
}: }:
with lib; let with lib; let
name = "vaultwarden"; cfg = config.services.skynet_vaultwarden;
cfg = config.services.skynet."${name}";
domain_sub = "pw"; domain_sub = "pw";
domain = "${domain_sub}.skynet.ie"; domain = "${domain_sub}.skynet.ie";
in { in {
imports = [ imports = [
../acme.nix
../dns.nix
../nginx.nix
]; ];
options.services.skynet."${name}" = { options.services.skynet_vaultwarden = {
enable = mkEnableOption "Skynet VaultWarden server"; enable = mkEnableOption "Skynet vaultwarden server";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
#backups = [ "/etc/silver_ul_ical/database.db" ]; #backups = [ "/etc/silver_ul_ical/database.db" ];
# Website config # Website config
services.skynet.acme.domains = [ skynet_acme.domains = [
domain domain
]; ];
services.skynet.dns.records = [ skynet_dns.records = [
{ {
record = domain_sub; record = domain_sub;
r_type = "CNAME"; r_type = "CNAME";
value = config.services.skynet.host.name; value = cfg.host.name;
} }
]; ];
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
"${domain}" = { "${domain}" = {
forceSSL = true; forceSSL = true;
useACMEHost = "skynet"; useACMEHost = "skynet";

View file

@ -6,14 +6,13 @@
... ...
}: }:
with lib; let with lib; let
name = "discord_bot"; cfg = config.services.discord_bot;
cfg = config.services.skynet."${name}";
in { in {
imports = [ imports = [
inputs.skynet_discord_bot.nixosModule."x86_64-linux" inputs.skynet_discord_bot.nixosModule."x86_64-linux"
]; ];
options.services.skynet."${name}" = { options.services.discord_bot = {
enable = mkEnableOption "Skynet LDAP backend server"; enable = mkEnableOption "Skynet LDAP backend server";
}; };
@ -21,18 +20,21 @@ in {
#backups = [ "/etc/silver_ul_ical/database.db" ]; #backups = [ "/etc/silver_ul_ical/database.db" ];
age.secrets.discord_token.file = ../secrets/discord/token.age; age.secrets.discord_token.file = ../secrets/discord/token.age;
age.secrets.discord_ldap.file = ../secrets/discord/ldap.age;
age.secrets.discord_mail.file = ../secrets/email/details.age; age.secrets.discord_mail.file = ../secrets/email/details.age;
age.secrets.discord_wolves.file = ../secrets/wolves/details.age; age.secrets.discord_wolves.file = ../secrets/wolves/details.age;
# this is what was imported
services.skynet_discord_bot = { services.skynet_discord_bot = {
enable = true; enable = true;
env = { env = {
discord = config.age.secrets.discord_token.path; discord = config.age.secrets.discord_token.path;
ldap = config.age.secrets.discord_ldap.path;
mail = config.age.secrets.discord_mail.path; mail = config.age.secrets.discord_mail.path;
wolves = config.age.secrets.discord_wolves.path; wolves = config.age.secrets.discord_wolves.path;
}; };
discord.server = "689189992417067052";
}; };
}; };
} }

View file

@ -3,42 +3,18 @@
pkgs, pkgs,
config, config,
nodes, nodes,
self,
... ...
}: let }: let
name = "dns"; cfg = config.skynet_dns;
cfg = config.services.skynet."${name}";
# reads that date to a string (will need to be fixed in 2038) # reads that date to a string (will need to be fixed in 2038)
current_date = self.lastModified; current_date = lib.readFile "${pkgs.runCommand "timestamp" {} "echo -n `date +%s` > $out"}";
# this gets a list of all domains we have records for
domains = lib.lists.naturalSort (lib.lists.unique (
lib.lists.forEach records (x: x.domain)
));
# get the ip's of our servers
servers = lib.lists.naturalSort (lib.lists.unique (
lib.lists.forEach (sort_records_a_server records) (x: x.value)
));
domains_owned = [
# for historic reasons we own this
"csn.ul.ie"
# the main one we use now
"skynet.ie"
# a backup
"ulcompsoc.ie"
];
# gets a list of records that match this type # gets a list of records that match this type
filter_records_type = records: r_type: builtins.filter (x: x.r_type == r_type) records; filter_records_type = records: r_type: builtins.filter (x: x.r_type == r_type) records;
# Get all the A records that are for servers (base record for them) filter_records_server = records: builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type records "A");
filter_records_a_server = records: builtins.filter (x: builtins.hasAttr "server" x && x.server) (filter_records_type records "A");
# Every other A record
filter_records_a = records: builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type records "A"); filter_records_a = records: builtins.filter (x: builtins.hasAttr "server" x && !x.server) (filter_records_type records "A");
# These functions are to get the final 3 digits of an IP address so we can use them for reverse pointer
process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x); process_ptr = records: lib.lists.forEach records (x: process_ptr_sub x);
process_ptr_sub = record: { process_ptr_sub = record: {
record = builtins.substring 9 3 record.record; record = builtins.substring 9 3 record.record;
@ -47,56 +23,35 @@
}; };
ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip); ip_ptr_to_int = ip: lib.strings.toInt (builtins.substring 9 3 ip);
# filter and sort records so we cna group them in the right place later sort_records_server = records: builtins.sort (a: b: a.record < b.record) (filter_records_server records);
sort_records_a_server = records: builtins.sort (a: b: a.record < b.record) (filter_records_a_server records);
sort_records_a = records: builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) (filter_records_a records); sort_records_a = records: builtins.sort (a: b: (ip_ptr_to_int a.value) < (ip_ptr_to_int b.value)) (filter_records_a records);
sort_records_cname = records: builtins.sort (a: b: a.value < b.value) (filter_records_type records "CNAME"); sort_records_cname = records: builtins.sort (a: b: a.value < b.value) (filter_records_type records "CNAME");
sort_records_ptr = records: builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type records "PTR")); sort_records_ptr = records: builtins.sort (a: b: (lib.strings.toInt a.record) < (lib.strings.toInt b.record)) (process_ptr (filter_records_type records "PTR"));
sort_records_srv = records: builtins.sort (a: b: a.record < b.record) (filter_records_type records "SRV"); sort_records_srv = records: builtins.sort (a: b: a.record < b.record) (filter_records_type records "SRV");
# a tad overkill but type guarding is useful format_records = records: offset: lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records;
max = x: y:
assert builtins.isInt x;
assert builtins.isInt y;
if x < y
then y
else x;
# get teh max length of a list of strings # small function to trim it down a tad
max_len = records: lib.lists.foldr (a: b: (max a b)) 0 (lib.lists.forEach records (record: lib.strings.stringLength record.record));
# Now that we can get teh max lenth of a list of strings
# we can pad it out to the max len +1
# this is so that teh generated file is easier for a human to read
format_records = records: let
offset = (max_len records) + 1;
in
lib.strings.concatMapStrings (x: "${padString x.record offset} IN ${padString x.r_type 5} ${x.value}\n") records;
# small function to add spaces until it reaches teh required length
padString = text: length: fixedWidthString_post length " " text; padString = text: length: fixedWidthString_post length " " text;
# like lib.strings.fixedWidthString but postfix # like lib.strings.fixedWidthString but postfix
# recursive function to extend a string up to a limit
fixedWidthString_post = width: filler: str: let fixedWidthString_post = width: filler: str: let
strw = lib.stringLength str; strw = lib.stringLength str;
reqWidth = width - (lib.stringLength filler); reqWidth = width - (lib.stringLength filler);
in in
# this is here because we were manually setting teh length, now max_len does that for us
assert lib.assertMsg (strw <= width) "fixedWidthString_post: requested string length (${toString width}) must not be shorter than actual length (${toString strw})"; assert lib.assertMsg (strw <= width) "fixedWidthString_post: requested string length (${toString width}) must not be shorter than actual length (${toString strw})";
if strw == width if strw == width
then str then str
else (fixedWidthString_post reqWidth filler str) + filler; else (fixedWidthString_post reqWidth filler str) + filler;
# base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie) # base config for domains we own (skynet.ie, csn.ul.ie, ulcompsoc.ie)
# ";" are comments in this file
get_config_file = ( get_config_file = (
domain: records: '' domain: records: ''
$TTL 60 ; 1 minute $TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns ; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. ( @ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
${toString current_date} ${current_date}
600 ; Refresh (10 minutes) 600 ; Refresh (10 minutes)
300 ; Retry (5 minutes) 300 ; Retry (5 minutes)
604800 ; Expire (1 week) 604800 ; Expire (1 week)
@ -107,48 +62,54 @@
@ NS ns1.skynet.ie. @ NS ns1.skynet.ie.
@ NS ns2.skynet.ie. @ NS ns2.skynet.ie.
; can have multiple mailserves
@ MX 10 mail.skynet.ie.
; ------------------------------------------ ; ------------------------------------------
; Server Names (A Records) ; Server Names (A Records)
; ------------------------------------------ ; ------------------------------------------
${format_records (sort_records_a_server records)} ${format_records (sort_records_server records) 31}
; ------------------------------------------ ; ------------------------------------------
; A (non server names ; A (non server names
; ------------------------------------------ ; ------------------------------------------
${format_records (sort_records_a records)} ${format_records (sort_records_a records) 31}
; ------------------------------------------ ; ------------------------------------------
; CNAMES ; CNAMES
; ------------------------------------------ ; ------------------------------------------
${format_records (sort_records_cname records)} ${format_records (sort_records_cname records) 31}
; ------------------------------------------ ; ------------------------------------------
; TXT ; TXT
; ------------------------------------------ ; ------------------------------------------
${format_records (filter_records_type records "TXT")} ${format_records (filter_records_type records "TXT") 31}
; ------------------------------------------ ; ------------------------------------------
; MX ; MX
; ------------------------------------------ ; ------------------------------------------
${format_records (filter_records_type records "MX")} ${format_records (filter_records_type records "MX") 31}
; ------------------------------------------ ; ------------------------------------------
; SRV ; SRV
; ------------------------------------------ ; ------------------------------------------
${format_records (sort_records_srv records)} ${format_records (sort_records_srv records) 65}
'' ''
); );
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/4/html/reference_guide/s2-bind-configuration-zone-reverse
# config for our reverse dnspointers (not properly working) # config for our reverse dnspointers (not properly working)
get_config_file_rev = ( get_config_file_rev = (
domain: '' domain: records: ''
$ORIGIN 64-64.99.1.193.in-addr.arpa. $ORIGIN 64-64.99.1.193.in-addr.arpa.
$TTL 60 ; 1 minute $TTL 60 ; 1 minute
; hostmaster@skynet.ie is an email address that recieves stuff related to dns ; hostmaster@skynet.ie is an email address that recieves stuff related to dns
@ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. ( @ IN SOA ${nameserver}.skynet.ie. hostmaster.skynet.ie. (
; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated ; Serial (YYYYMMDDCC) this has to be updated for each time the record is updated
${toString current_date} ${current_date}
600 ; Refresh (10 minutes) 600 ; Refresh (10 minutes)
300 ; Retry (5 minutes) 300 ; Retry (5 minutes)
604800 ; Expire (1 week) 604800 ; Expire (1 week)
@ -161,37 +122,35 @@
; ------------------------------------------ ; ------------------------------------------
; PTR ; PTR
; ------------------------------------------ ; ------------------------------------------
${format_records (sort_records_ptr records)} ${format_records (sort_records_ptr records) 3}
'' ''
); );
# arrays of teh two nameservers # arrys of teh two nameservers
nameserver_1 = ["193.1.99.109"]; tmp1 = ["193.1.99.109"];
nameserver_2 = ["193.1.99.120"]; tmp2 = ["193.1.99.120"];
primaries = ( primaries = (
if cfg.server.primary if cfg.server.primary
then then
# primary servers have no primaries (ones they listen to) # primary servers have no primaries (ones they listen to)
[] []
else if builtins.elem cfg.server.ip nameserver_1 else if builtins.elem cfg.server.ip tmp1
then nameserver_2 then tmp2
else nameserver_1 else tmp1
); );
secondaries = ( secondaries = (
if cfg.server.primary if cfg.server.primary
then then
if builtins.elem cfg.server.ip nameserver_1 if builtins.elem cfg.server.ip tmp1
then nameserver_2 then tmp2
else nameserver_1 else tmp1
else [] else []
); );
# small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router # small function to tidy up the spam of the cache networks, would use teh subnet except all external traffic has the ip of teh router
# now limited explicitly to servers that we are administering create_cache_networks = map (x: "193.1.99.${toString x}/32") (lib.lists.range 71 126);
# See i24-09-30_050 for more information
create_cache_networks = map (x: "${toString x}/32") servers;
# standard function to create the etc file, pass in the text and domain and it makes it # standard function to create the etc file, pass in the text and domain and it makes it
create_entry_etc_sub = domain: text: { create_entry_etc_sub = domain: text: {
@ -203,38 +162,37 @@
# The UNIX file mode bits # The UNIX file mode bits
mode = "0664"; mode = "0664";
# content of the file
text = text; text = text;
}; };
}; };
# (text.owned "csn.ul.ie")
# standard function to create the etc file, pass in the text and domain and it makes it # standard function to create the etc file, pass in the text and domain and it makes it
create_entry_etc = domain: type: let create_entry_etc = domain: type: records:
domain_records = lib.lists.filter (x: x.domain == domain) records;
in
# this is the main type of record that most folks are used to
if type == "owned" if type == "owned"
then create_entry_etc_sub domain (get_config_file domain domain_records) then create_entry_etc_sub domain (text.owned domain records)
# reverse lookups allow for using an IP to find domains pointing to it
else if type == "reverse" else if type == "reverse"
then create_entry_etc_sub domain (get_config_file_rev domain) then create_entry_etc_sub domain (text.reverse domain records)
else {}; else {};
create_entry_zone = domain: let create_entry_zone_names = builtins.attrNames (removeAttrs config.skynet.records ["skynet.ie"]);
if_primary_and_owned = create_entry_zone_mapped = map (x: (create_entry_zone x)) create_entry_zone_names;
if cfg.server.primary && (lib.lists.any (item: item == domain) domains_owned) create_entry_zone_attr = lib.mkMerge create_entry_zone_mapped;
then ''
allow-update { key rfc2136key.skynet.ie.; }; create_entry_etc_mapped = map (x: (create_entry_etc x "owned" config.skynet.records.${x})) create_entry_zone_names;
dnssec-policy default; create_entry_etc_attr = lib.mkMerge create_entry_etc_mapped;
inline-signing yes;
'' create_entry_zone = domain: {
else "";
in {
"${domain}" = { "${domain}" = {
extraConfig = '' extraConfig = ''
${if_primary_and_owned} allow-update {
key rfc2136key.${domain}.;
};
dnssec-policy default;
inline-signing yes;
// for bumping the config // for bumping the config
// ${toString current_date} // ${current_date}
''; '';
# really wish teh nixos config didnt use master/slave # really wish teh nixos config didnt use master/slave
master = cfg.server.primary; master = cfg.server.primary;
@ -247,16 +205,51 @@
}; };
}; };
text = {
owned = domain: records: get_config_file domain records;
reverse = domain: records: get_config_file_rev domain records;
};
records = records =
config.skynet.records config.skynet.records."skynet.ie"
/*
Need to "manually" grab it from each server.
Nix is laxy evalusted so if it does not need to open a file it wont.
This is to iterate through each server (node) and evaluate the dns records for that server.
*/
++ builtins.concatLists ( ++ builtins.concatLists (
lib.attrsets.mapAttrsToList ( lib.attrsets.mapAttrsToList (
key: value: value.config.services.skynet.dns.records key: value: let
details_server = value.config.skynet_dns.server;
details_records = value.config.skynet_dns.records;
in
if builtins.hasAttr "skynet_dns" value.config
then
(
# got to handle habing a dns record for the dns serves themselves.
if details_server.enable
then
(
if details_server.primary
then
details_records
++ [
{
record = "ns1";
r_type = "A";
value = details_server.ip;
server = false;
}
]
else
details_records
++ [
{
record = "ns2";
r_type = "A";
value = details_server.ip;
server = false;
}
]
)
else details_records
)
else []
) )
nodes nodes
); );
@ -267,10 +260,12 @@
else "ns2"; else "ns2";
in { in {
imports = [ imports = [
../../config/dns.nix ./firewall.nix
../config/dns.nix
]; ];
options.services.skynet."${name}" = { options = {
skynet_dns = {
server = { server = {
enable = lib.mkEnableOption { enable = lib.mkEnableOption {
default = false; default = false;
@ -293,20 +288,15 @@ in {
records = lib.mkOption { records = lib.mkOption {
description = "Records, sorted based on therir type"; description = "Records, sorted based on therir type";
type = lib.types.listOf (lib.types.submodule (import ./options-records.nix { type = lib.types.listOf (lib.types.submodule (import ../_types/dns_object.nix {
inherit lib; inherit lib;
})); }));
}; };
}; };
config = lib.mkIf cfg.server.enable {
# logging
services.prometheus.exporters.bind = {
enable = true;
openFirewall = true;
}; };
# services.skynet.backup.normal.backups = ["/etc/skynet/dns"]; config = lib.mkIf cfg.server.enable {
# services.skynet_backup.normal.backups = ["/etc/skynet/dns"];
# open the firewall for this # open the firewall for this
skynet_firewall.forward = [ skynet_firewall.forward = [
@ -314,40 +304,29 @@ in {
"ip daddr ${cfg.server.ip} udp dport 53 counter packets 0 bytes 0 accept" "ip daddr ${cfg.server.ip} udp dport 53 counter packets 0 bytes 0 accept"
]; ];
services.skynet.dns.records = [ services.bind.zones = lib.mkMerge [
{ (create_entry_zone "csn.ul.ie")
record = nameserver; (create_entry_zone "skynet.ie")
r_type = "A"; (create_entry_zone "ulcompsoc.ie")
value = config.services.skynet.host.ip; (create_entry_zone "64-64.99.1.193.in-addr.arpa")
} create_entry_zone_attr
]; ];
services.bind.zones = lib.attrsets.mergeAttrsList ( environment.etc = lib.mkMerge [
# uses teh domains lsited in teh records (create_entry_etc "csn.ul.ie" "owned" records)
(lib.lists.forEach domains (domain: (create_entry_zone domain))) (create_entry_etc "skynet.ie" "owned" records)
# we have to do a reverse dns (create_entry_etc "ulcompsoc.ie" "owned" records)
++ [ (create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse" records)
(create_entry_zone "64-64.99.1.193.in-addr.arpa") create_entry_etc_attr
] ];
);
environment.etc = lib.attrsets.mergeAttrsList (
# uses teh domains lsited in teh records
(lib.lists.forEach domains (domain: (create_entry_etc domain "owned")))
# we have to do a reverse dns
++ [
(create_entry_etc "64-64.99.1.193.in-addr.arpa" "reverse")
]
);
# secrets required # secrets required
age.secrets.dns_dnskeys = { age.secrets.dns_dnskeys = {
file = ../../secrets/dns_dnskeys.conf.age; file = ../secrets/dns_dnskeys.conf.age;
owner = "named"; owner = "named";
group = "named"; group = "named";
}; };
# basic but ensure teh dns ports are open
networking.firewall = { networking.firewall = {
allowedTCPPorts = [53]; allowedTCPPorts = [53];
allowedUDPPorts = [53]; allowedUDPPorts = [53];
@ -361,10 +340,6 @@ in {
# need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns # need to take a look at https://nixos.org/manual/nixos/unstable/#module-security-acme-config-dns
extraConfig = '' extraConfig = ''
include "/run/agenix/dns_dnskeys"; include "/run/agenix/dns_dnskeys";
statistics-channels {
inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};
''; '';
# piles of no valid RRSIG resolving 'com/DS/IN' errors # piles of no valid RRSIG resolving 'com/DS/IN' errors

View file

@ -1,31 +0,0 @@
/*
Define the options for dns records here.
They are imported into anything that needs to use them
*/
{lib, ...}:
with lib; {
options = {
domain = lib.mkOption {
description = "Domain this record is for";
type = lib.types.str;
default = "skynet.ie";
};
record = lib.mkOption {
description = "What you want to name the subdomain.";
type = lib.types.str;
};
r_type = lib.mkOption {
description = "Type of record that this is.";
type = lib.types.enum ["A" "CNAME" "TXT" "PTR" "SRV" "MX"];
};
value = lib.mkOption {
description = "What the record points to, normally ip or another record.";
type = lib.types.str;
};
server = lib.mkOption {
description = "Core record for a server";
type = lib.types.bool;
default = false;
};
};
}

View file

@ -6,8 +6,7 @@
... ...
}: }:
with lib; let with lib; let
name = "email"; cfg = config.services.skynet_email;
cfg = config.services.skynet."${name}";
# create teh new strings # create teh new strings
create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})"); create_filter_array = map (x: "(memberOf=cn=${x},ou=groups,${cfg.ldap.base})");
@ -92,7 +91,7 @@ with lib; let
} }
]; ];
sieveConfigFile = configFile =
# https://doc.dovecot.org/configuration_manual/sieve/examples/#plus-addressed-mail-filtering # https://doc.dovecot.org/configuration_manual/sieve/examples/#plus-addressed-mail-filtering
pkgs.writeText "basic_sieve" pkgs.writeText "basic_sieve"
'' ''
@ -105,47 +104,45 @@ with lib; let
# this should be close to teh last step # this should be close to teh last step
if allof ( if allof (
address :localpart ["To", "Cc"] ["${toString create_config_to}"], address :localpart ["To"] ["${toString create_config_to}"],
address :domain ["To", "Cc"] "skynet.ie" address :domain ["To"] "skynet.ie"
){ ){
if address :matches ["To", "Cc"] "*@skynet.ie" { if address :matches ["To"] "*@skynet.ie" {
if header :is "X-Spam" "Yes" { if header :is "X-Spam" "Yes" {
fileinto :create "''${1}.Junk"; fileinto :create "''${1}.Junk";
stop; stop;
} else { } else {
fileinto :create "''${1}"; fileinto :create "''${1}";
stop;
}
}
}
if allof (
address :localpart ["From"] ["${toString create_config_to}"],
address :domain ["From"] "skynet.ie"
){
if address :matches ["From"] "*@skynet.ie" {
if header :is "X-Spam" "Yes" {
fileinto :create "''${1}.Junk";
stop;
} else {
fileinto :create "''${1}";
stop;
} }
} }
} }
''; '';
in { in {
imports = [ imports = [
./dns.nix
./acme.nix
./nginx.nix
inputs.simple-nixos-mailserver.nixosModule inputs.simple-nixos-mailserver.nixosModule
# for teh config # for teh config
../config/users.nix ../config/users.nix
]; ];
options.services.skynet."${name}" = { options.services.skynet_email = {
# options that need to be passed in to make this work # options that need to be passed in to make this work
enable = mkEnableOption "Skynet Email"; enable = mkEnableOption "Skynet Email";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = mkOption { domain = mkOption {
type = types.str; type = types.str;
default = "skynet.ie"; default = "skynet.ie";
@ -201,8 +198,8 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.skynet.backup.normal.backups = [ services.skynet_backup.normal.backups = [
#"/var/vmail" "/var/vmail"
"/var/dkim" "/var/dkim"
]; ];
@ -248,6 +245,12 @@ in {
# to provide the certs # to provide the certs
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
"mail.skynet.ie" = { "mail.skynet.ie" = {
forceSSL = true; forceSSL = true;
useACMEHost = "mail"; useACMEHost = "mail";
@ -282,21 +285,12 @@ in {
}; };
# set up dns record for it # set up dns record for it
services.skynet.dns.records = skynet_dns.records = [
[
# core record
{
record = "@";
r_type = "MX";
# the number is the priority in teh case of multiple mailservers
value = "10 mail.${cfg.domain}.";
}
# basic one # basic one
{ {
record = "mail"; record = "mail";
r_type = "A"; r_type = "A";
value = config.services.skynet.host.ip; value = cfg.host.ip;
} }
#DNS config for K-9 Mail #DNS config for K-9 Mail
{ {
@ -316,10 +310,41 @@ in {
} }
# TXT records, all tehse are inside escaped strings to allow using "" # TXT records, all tehse are inside escaped strings to allow using ""
# SPF record
{
record = "${cfg.domain}.";
r_type = "TXT";
value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} -all"'';
}
# DKIM keys
{
record = "mail._domainkey.skynet.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';
}
{
record = "mail._domainkey.ulcompsoc.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';
}
# DMARC
{
record = "_dmarc.${cfg.domain}.";
r_type = "TXT";
# p : quarantine => sends to spam, reject => never sent
# rua : mail that receives reports about DMARC activity
# pct : percentage of unathenticated messages that DMARC stops
# adkim : alignment policy for DKIM, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
# aspf : alignment policy for SPF, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
# sp : DMARC policy for subdomains, none => no action, reports to rua, quarantine => spam, reject => never sent
value = ''"v=DMARC1; p=quarantine; rua=mailto:mailman@skynet.ie; pct=100; adkim=s; aspf=s; sp=none"'';
}
# reverse pointer # reverse pointer
{ {
record = config.services.skynet.host.ip; record = cfg.host.ip;
r_type = "PTR"; r_type = "PTR";
value = "${cfg.sub}.${cfg.domain}."; value = "${cfg.sub}.${cfg.domain}.";
} }
@ -348,42 +373,6 @@ in {
r_type = "SRV"; r_type = "SRV";
value = "0 1 587 ${cfg.sub}.${cfg.domain}."; value = "0 1 587 ${cfg.sub}.${cfg.domain}.";
} }
]
# SPF record
++ [
{
record = "${cfg.domain}.";
r_type = "TXT";
value = ''"v=spf1 a:${cfg.sub}.${cfg.domain} ip4:${config.services.skynet.host.ip} -all"'';
}
]
# DKIM keys
++ [
{
record = "mail._domainkey.skynet.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxju1Ie60BdHwyFVPNQKovL/cX9IFPzBKgjnHZf+WBzDCFKSBpf7NvnfXajtFDQN0poaN/Qfifid+V55ZCNDBn8Y3qZa4Y69iNiLw2DdvYf0HdnxX6+pLpbmj7tikGGLJ62xnhkJhoELnz5gCOhpyoiv0tSQVaJpaGZmoll861/QIDAQAB"'';
}
{
domain = "ulcompsoc.ie";
record = "mail._domainkey.ulcompsoc.ie.";
r_type = "TXT";
value = ''"v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDl8ptSASx37t5sfmU2d2Y6yi9AVrsNFBZDmJ2uaLa4NuvAjxGQCw4wx+1Jui/HOuKYLpntLsjN851wgPR+3i51g4OblqBDvcHn9NYgWRZfHj9AASANQjdsaAbkXuyKuO46hZqeWlpESAcD6a4Evam4fkm+kiZC0+rccb4cWgsuLwIDAQAB"'';
}
]
# DMARC
++ [
{
record = "_dmarc.${cfg.domain}.";
r_type = "TXT";
# p : quarantine => sends to spam, reject => never sent
# rua : mail that receives reports about DMARC activity
# pct : percentage of unathenticated messages that DMARC stops
# adkim : alignment policy for DKIM, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
# aspf : alignment policy for SPF, s => Strict, subdomains arent allowed, r => relaxed, subdomains allowed
# sp : DMARC policy for subdomains, none => no action, reports to rua, quarantine => spam, reject => never sent
value = ''"v=DMARC1; p=quarantine; rua=mailto:mailman@skynet.ie; pct=100; adkim=s; aspf=s; sp=quarantine"'';
}
]; ];
#https://nixos-mailserver.readthedocs.io/en/latest/add-roundcube.html #https://nixos-mailserver.readthedocs.io/en/latest/add-roundcube.html
@ -477,40 +466,7 @@ in {
}; };
services.dovecot2.sieve.scripts = { services.dovecot2.sieve.scripts = {
before = sieveConfigFile; before = configFile;
};
# This is to add a bcc to outgoing mail
# this then interacts with teh filters to put it in the right folder
# we can directly add to the postfix service here
services.postfix = let
# mostly copied from the upstream mailserver config/functions
mappedFile = name: "hash:/var/lib/postfix/conf/${name}";
sender_bcc_maps_file = let
content = lookupTableToString create_skynet_service_bcc;
in
builtins.toFile "sender_bcc_maps" content;
lookupTableToString = attrs: let
valueToString = value: lib.concatStringsSep ", " value;
in
lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: "${name} ${valueToString value}") attrs);
# convert the mailboxes config to something that can be used here
create_skynet_email_bcc = mailbox: {
name = "${mailbox}@skynet.ie";
value = ["${mailbox}@skynet.ie"];
};
create_skynet_service_bcc = builtins.listToAttrs (map (mailbox: (create_skynet_email_bcc mailbox.account)) service_mailboxes);
in {
mapFiles."sender_bcc_maps" = sender_bcc_maps_file;
config = {
sender_bcc_maps = [
(mappedFile "sender_bcc_maps")
];
};
}; };
# tune the spam filter # tune the spam filter

View file

@ -6,17 +6,27 @@
... ...
}: }:
with lib; let with lib; let
name = "games"; cfg = config.services.skynet_games;
cfg = config.services.skynet."${name}";
in { in {
imports = [ imports = [
./dns.nix
./nginx.nix ./nginx.nix
./games/minecraft.nix ./games/minecraft.nix
]; ];
options.services.skynet."${name}" = { options.services.skynet_games = {
enable = mkEnableOption "Skynet Games"; enable = mkEnableOption "Skynet Games";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = { domain = {
tld = mkOption { tld = mkOption {
type = types.str; type = types.str;
@ -36,20 +46,26 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.skynet.dns.records = [ skynet_dns.records = [
# need a base domain # need a base domain
{ {
record = cfg.domain.sub; record = cfg.domain.sub;
r_type = "CNAME"; r_type = "CNAME";
value = config.services.skynet.host.name; value = cfg.host.name;
} }
]; ];
services.skynet.acme.domains = [ skynet_acme.domains = [
"${cfg.domain.sub}.skynet.ie" "${cfg.domain.sub}.skynet.ie"
]; ];
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
"${cfg.domain.sub}.skynet.ie" = { "${cfg.domain.sub}.skynet.ie" = {
forceSSL = true; forceSSL = true;
useACMEHost = "skynet"; useACMEHost = "skynet";
@ -58,9 +74,14 @@ in {
}; };
# the minecraft servers # the minecraft servers
services.skynet.games_minecraft = { services.skynet_games_minecraft = {
enable = true; enable = true;
host = {
ip = cfg.host.ip;
name = cfg.domain.sub;
};
domain = { domain = {
sub = "minecraft.${cfg.domain.sub}"; sub = "minecraft.${cfg.domain.sub}";
}; };

View file

@ -6,19 +6,32 @@
... ...
}: }:
with lib; let with lib; let
name = "games_minecraft"; cfg = config.services.skynet_games_minecraft;
cfg = config.services.skynet."${name}";
# got tired of how long this is so I created a var for it. # got tired of how long this is so I created a var for it.
short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; short_domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in { in {
imports = [ imports = [
../acme.nix
../dns.nix
../firewall.nix
../nginx.nix
inputs.arion.nixosModules.arion inputs.arion.nixosModules.arion
]; ];
options.services.skynet."${name}" = { options.services.skynet_games_minecraft = {
enable = mkEnableOption "Skynet Games Minecraft"; enable = mkEnableOption "Skynet Games Minecraft";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = { domain = {
tld = mkOption { tld = mkOption {
type = types.str; type = types.str;
@ -39,53 +52,53 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
skynet_firewall.forward = [ skynet_firewall.forward = [
"ip daddr ${config.services.skynet.host.ip} tcp dport 80 counter packets 0 bytes 0 accept" "ip daddr ${cfg.host.ip} tcp dport 80 counter packets 0 bytes 0 accept"
"ip daddr ${config.services.skynet.host.ip} tcp dport 443 counter packets 0 bytes 0 accept" "ip daddr ${cfg.host.ip} tcp dport 443 counter packets 0 bytes 0 accept"
"ip daddr ${config.services.skynet.host.ip} tcp dport 25565 counter packets 0 bytes 0 accept" "ip daddr ${cfg.host.ip} tcp dport 25565 counter packets 0 bytes 0 accept"
]; ];
services.skynet.acme.domains = [ skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
"*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" "*.${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
]; ];
services.skynet.dns.records = [ skynet_dns.records = [
# the minecraft (web) config server # the minecraft (web) config server
{ {
record = "config.${cfg.domain.sub}"; record = "config.${cfg.domain.sub}";
r_type = "CNAME"; r_type = "CNAME";
value = config.services.skynet.host.name; value = cfg.host.name;
} }
# our own minecraft hosts # our own minecraft hosts
{ {
record = "compsoc_classic.${cfg.domain.sub}"; record = "compsoc_classic.${cfg.domain.sub}";
r_type = "CNAME"; r_type = "CNAME";
value = config.services.skynet.host.name; value = cfg.host.name;
} }
{ {
record = "compsoc.${cfg.domain.sub}"; record = "compsoc.${cfg.domain.sub}";
r_type = "CNAME"; r_type = "CNAME";
value = config.services.skynet.host.name; value = cfg.host.name;
} }
# gsoc servers # gsoc servers
{ {
record = "gsoc.${cfg.domain.sub}"; record = "gsoc.${cfg.domain.sub}";
r_type = "CNAME"; r_type = "CNAME";
value = config.services.skynet.host.name; value = cfg.host.name;
} }
{ {
record = "gsoc_abridged.${cfg.domain.sub}"; record = "gsoc_abridged.${cfg.domain.sub}";
r_type = "CNAME"; r_type = "CNAME";
value = config.services.skynet.host.name; value = cfg.host.name;
} }
# phildeb # phildeb
{ {
record = "phildeb.${cfg.domain.sub}"; record = "phildeb.${cfg.domain.sub}";
r_type = "CNAME"; r_type = "CNAME";
value = config.services.skynet.host.name; value = cfg.host.name;
} }
]; ];
@ -95,6 +108,12 @@ in {
]; ];
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
# https://config.minecraft.games.skynet.ie # https://config.minecraft.games.skynet.ie
"config.${short_domain}" = { "config.${short_domain}" = {
forceSSL = true; forceSSL = true;

View file

@ -1,129 +0,0 @@
{
config,
pkgs,
lib,
...
}:
with lib; let
name = "forgejo";
cfg = config.services.skynet."${name}";
domain_base = "${cfg.domain.base}.${cfg.domain.tld}";
domain_full = "${cfg.domain.sub}.${domain_base}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Forgejo";
domain = {
tld = mkOption {
type = types.str;
default = "ie";
};
base = mkOption {
type = types.str;
default = "skynet";
};
sub = mkOption {
type = types.str;
default = name;
};
};
forgejo = {
port = mkOption {
type = types.port;
default = 3000;
};
};
};
config = mkIf cfg.enable {
# age.secrets.forgejo-mailer-password = {
# file = ../../secrets/forgejo/mailer-password.age;
# mode = "400";
# owner = "forgejo";
# };
services.skynet.acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
];
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
services.skynet.dns.records = [
{
record = cfg.domain.sub;
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx.virtualHosts = {
# main site
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "http://localhost:${toString cfg.forgejo.port}";
extraConfig = ''
client_max_body_size 1000M;
'';
};
};
};
# for signing reasons
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
services.forgejo = {
enable = true;
package = pkgs.forgejo;
database.type = "sqlite3";
# Enable support for Git Large File Storage
lfs.enable = true;
settings = {
server = {
DOMAIN = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
# You need to specify this to remove the port from URLs in the web UI.
ROOT_URL = "https://${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}/";
HTTP_PORT = cfg.forgejo.port;
};
# You can temporarily allow registration to create an admin user.
service.DISABLE_REGISTRATION = true;
# Add support for actions, based on act: https://github.com/nektos/act
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
# Allow for signing off merge requests
# "repository.signing" = {
# SIGNING_KEY = "5B2DED0FE9F8627A";
# SIGNING_NAME = "Skynet";
# SIGNING_EMAIL = "forgejo@glados.skynet.ie";
# MERGES = "always";
# };
# Sending emails is completely optional
# You can send a test email from the web UI at:
# Profile Picture > Site Administration > Configuration > Mailer Configuration
# mailer = {
# ENABLED = true;
# SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}";
# FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
# USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
# };
};
# mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
};
};
}

View file

@ -1,159 +0,0 @@
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
name = "forgejo_runner";
cfg = config.services.skynet."${name}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet ForgeJo Runner";
runner = {
name = mkOption {
type = types.str;
default = config.networking.hostName;
};
website = mkOption {
default = "https://forgejo.skynet.ie";
type = types.str;
};
user = mkOption {
default = "gitea-runner";
type = types.str;
};
};
};
config = mkIf cfg.enable {
# https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
environment.systemPackages = with pkgs; [
forgejo-actions-runner
];
age.secrets.forgejo_runner_token = {
file = ../../secrets/forgejo/runners/token.age;
owner = cfg.runner.user;
group = cfg.runner.user;
};
# make sure the ssh config stuff is in teh right palce
systemd.tmpfiles.rules = [
#"d /home/${cfg.runner.user} 0755 ${cfg.runner.user} ${cfg.runner.user}"
"L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user} - ${./ssh_config}"
];
age.secrets.forgejo_runner_ssh = {
file = ../../secrets/forgejo/runners/ssh.age;
mode = "600";
owner = "${cfg.runner.user}";
group = "${cfg.runner.user}";
symlink = false;
path = "/home/${cfg.runner.user}/.ssh/skynet/root";
};
nix = {
settings = {
trusted-users = [
# allow the runner to build nix stuff and to use the cache
"gitea-runner"
];
trusted-public-keys = [
"skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo="
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
substituters = [
"https://nix-cache.skynet.ie/skynet-cache/"
"https://cache.nixos.org/"
];
trusted-substituters = [
"https://nix-cache.skynet.ie/skynet-cache/"
"https://cache.nixos.org/"
];
};
};
# very basic setup to always be watching for changes in teh cache
systemd.services.attic-uploader = {
enable = true;
serviceConfig = {
ExecStart = "${pkgs.attic-client}/bin/attic watch-store skynet-cache";
User = "root";
Restart = "always";
RestartSec = 1;
};
};
# give teh runner user a home to store teh ssh config stuff
systemd.services.gitea-runner-default.serviceConfig = {
DynamicUser = lib.mkForce false;
User = lib.mkForce cfg.runner.user;
};
users = {
groups."${cfg.runner.user}" = {};
users."${cfg.runner.user}" = {
#isSystemUser = true;
isNormalUser = true;
group = cfg.runner.user;
createHome = true;
shell = pkgs.bash;
};
};
boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
virtualisation.docker.enable = true;
# taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"];
# the actual runner
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.default = {
enable = true;
name = cfg.runner.name;
url = cfg.runner.website;
tokenFile = config.age.secrets.forgejo_runner_token.path;
labels = [
## optionally provide native execution on the host:
"nix:host"
"docker:docker://node:22-bookworm"
"ubuntu-latest:docker://node:22-bookworm"
];
hostPackages = with pkgs; [
# default ones
bash
coreutils
curl
gawk
git
gnused
nodejs
wget
# useful to have in path
jq
which
dpkg
zip
git-lfs
# used in deployments
inputs.colmena.defaultPackage."x86_64-linux"
attic-client
lix
openssh
sudo
];
};
};
};
}

View file

@ -1,5 +0,0 @@
Host *.skynet.ie 193.1.99.* 193.1.96.165
User root
IdentityFile ~/.ssh/skynet/root
IdentitiesOnly yes

View file

@ -5,18 +5,31 @@
... ...
}: }:
with lib; let with lib; let
name = "gitlab"; cfg = config.services.skynet_gitlab;
cfg = config.services.skynet."${name}";
domain_base = "${cfg.domain.base}.${cfg.domain.tld}"; domain_base = "${cfg.domain.base}.${cfg.domain.tld}";
domain_full = "${cfg.domain.sub}.${domain_base}"; domain_full = "${cfg.domain.sub}.${domain_base}";
in { in {
imports = [ imports = [
./acme.nix
./dns.nix
./firewall.nix
./nginx.nix
]; ];
options.services.skynet."${name}" = { options.services.skynet_gitlab = {
enable = mkEnableOption "Skynet Gitlab"; enable = mkEnableOption "Skynet Gitlab";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = { domain = {
tld = mkOption { tld = mkOption {
type = types.str; type = types.str;
@ -30,7 +43,7 @@ in {
sub = mkOption { sub = mkOption {
type = types.str; type = types.str;
default = name; default = "gitlab";
}; };
}; };
@ -56,54 +69,54 @@ in {
# grep -r --exclude-dir={docker,containers,log,sys,nix,proc} gitlab / # grep -r --exclude-dir={docker,containers,log,sys,nix,proc} gitlab /
age.secrets.gitlab_pw = { age.secrets.gitlab_pw = {
file = ../../secrets/gitlab/pw.age; file = ../secrets/gitlab/pw.age;
owner = cfg.user; owner = cfg.user;
group = cfg.user; group = cfg.user;
}; };
age.secrets.gitlab_secrets_db = { age.secrets.gitlab_secrets_db = {
file = ../../secrets/gitlab/secrets_db.age; file = ../secrets/gitlab/secrets_db.age;
owner = cfg.user; owner = cfg.user;
group = cfg.user; group = cfg.user;
}; };
age.secrets.gitlab_secrets_secret = { age.secrets.gitlab_secrets_secret = {
file = ../../secrets/gitlab/secrets_secret.age; file = ../secrets/gitlab/secrets_secret.age;
owner = cfg.user; owner = cfg.user;
group = cfg.user; group = cfg.user;
}; };
age.secrets.gitlab_secrets_otp = { age.secrets.gitlab_secrets_otp = {
file = ../../secrets/gitlab/secrets_otp.age; file = ../secrets/gitlab/secrets_otp.age;
owner = cfg.user; owner = cfg.user;
group = cfg.user; group = cfg.user;
}; };
age.secrets.gitlab_secrets_jws = { age.secrets.gitlab_secrets_jws = {
file = ../../secrets/gitlab/secrets_jws.age; file = ../secrets/gitlab/secrets_jws.age;
owner = cfg.user; owner = cfg.user;
group = cfg.user; group = cfg.user;
}; };
age.secrets.gitlab_db_pw = { age.secrets.gitlab_db_pw = {
file = ../../secrets/gitlab/db_pw.age; file = ../secrets/gitlab/db_pw.age;
owner = cfg.user; owner = cfg.user;
group = cfg.user; group = cfg.user;
}; };
services.skynet.acme.domains = [ skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
# Lets Encrypt seems to have a 4 levels limit for certs # Lets Encrypt seems to have a 4 levels limit for certs
"*.pages.${cfg.domain.base}.${cfg.domain.tld}" "*.pages.${cfg.domain.base}.${cfg.domain.tld}"
]; ];
# using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide # using https://nixos.org/manual/nixos/stable/index.html#module-services-gitlab as a guide
services.skynet.dns.records = [ skynet_dns.records = [
{ {
record = cfg.domain.sub; record = cfg.domain.sub;
r_type = "A"; r_type = "A";
value = config.services.skynet.host.ip; value = cfg.host.ip;
} }
# for gitlab pages # for gitlab pages
{ {
record = "*.pages.${cfg.domain.base}.${cfg.domain.tld}."; record = "*.pages.${cfg.domain.base}.${cfg.domain.tld}.";
r_type = "A"; r_type = "A";
value = config.services.skynet.host.ip; value = cfg.host.ip;
} }
# for email # for email
@ -113,7 +126,7 @@ in {
value = ''10 ${domain_full}.''; value = ''10 ${domain_full}.'';
} }
{ {
record = config.services.skynet.host.ip; record = cfg.host.ip;
r_type = "PTR"; r_type = "PTR";
value = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}."; value = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}.";
} }
@ -137,16 +150,17 @@ in {
services.openssh.ports = [22 2222]; services.openssh.ports = [22 2222];
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
# main site # main site
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = { "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
forceSSL = true; forceSSL = true;
useACMEHost = "skynet"; useACMEHost = "skynet";
locations."/" = { locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
extraConfig = ''
client_max_body_size 1000M;
'';
};
}; };
# pages # pages
@ -244,7 +258,7 @@ in {
# default for pages is set to 8090 but that leaves an "ugly" port in the url, # default for pages is set to 8090 but that leaves an "ugly" port in the url,
# override it here to make it look good # override it here to make it look good
port = 80; port = 80;
#external_http = ["${config.services.skynet.host.ip}:80"]; #external_http = ["${cfg.host.ip}:80"];
}; };
}; };
}; };

View file

@ -0,0 +1,121 @@
{
config,
pkgs,
lib,
...
}:
with lib; let
cfg = config.services.skynet_gitlab_runner;
in {
imports = [
];
options.services.skynet_gitlab_runner = {
enable = mkEnableOption "Skynet Gitlab Runner";
runner = {
name = mkOption {
type = types.str;
};
gitlab = mkOption {
default = "https://gitlab.skynet.ie";
type = types.str;
};
description = mkOption {
default = cfg.runner.name;
type = types.str;
};
docker = {
image = mkOption {
default = "alpine:3.18.4";
type = types.str;
};
cleanup_dates = mkOption {
# https://man.archlinux.org/man/systemd.time.7#CALENDAR_EVENTS
# it will use a lot of storage so clear it daily, may change to hourly if required
default = "daily";
type = types.str;
};
};
};
};
config = mkIf cfg.enable {
# https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
environment.systemPackages = [
pkgs.gitlab-runner
];
age.secrets.runner_01_nix.file = ../secrets/gitlab/runners/runner01.age;
age.secrets.runner_02_general.file = ../secrets/gitlab/runners/runner02.age;
boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
virtualisation.docker.enable = true;
# taken from https://github.com/NixOS/nixpkgs/issues/245365#issuecomment-1663854128
virtualisation.docker.listenOptions = ["/run/docker.sock" "127.0.0.1:2375"];
services.gitlab-runner = {
enable = true;
# clear-docker-cache = {
# enable = true;
# dates = cfg.runner.docker.cleanup_dates;
# };
services = {
# might make a function later to have multiple runners, might never need it though
runner_nix = {
cloneUrl = cfg.runner.gitlab;
description = "For Nix only";
registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
registrationConfigFile = config.age.secrets.runner_01_nix.path;
dockerImage = cfg.runner.docker.image;
# from https://nixos.wiki/wiki/Gitlab_runner
dockerVolumes = [
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
];
dockerDisableCache = true;
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs
mkdir -p -m 0755 /nix/var/nix/gcroots
mkdir -p -m 0755 /nix/var/nix/profiles
mkdir -p -m 0755 /nix/var/nix/temproots
mkdir -p -m 0755 /nix/var/nix/userpool
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
mkdir -p -m 0700 "$HOME/.nix-defexpr"
. ${pkgs.nix}/etc/profile.d/nix-daemon.sh
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-unstable nixpkgs # 3
${pkgs.nix}/bin/nix-channel --update nixpkgs
${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [nix cacert git openssh])}
'';
environmentVariables = {
ENV = "/etc/profile";
USER = "root";
NIX_REMOTE = "daemon";
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
};
tagList = ["nix"];
};
runner_general = {
cloneUrl = cfg.runner.gitlab;
description = "General Runner";
registrationFlags = ["--docker-host" "tcp://127.0.0.1:2375"];
registrationConfigFile = config.age.secrets.runner_02_general.path;
dockerImage = cfg.runner.docker.image;
};
};
};
};
}

View file

@ -1,79 +0,0 @@
{
lib,
config,
...
}:
with lib; let
name = "grafana";
cfg = config.services.skynet."${name}";
port = 4444;
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Grafana Server";
datasource = {
name = mkOption {
type = types.str;
};
url = mkOption {
type = types.str;
};
};
};
config = mkIf cfg.enable {
services.skynet.dns.records = [
{
record = "${name}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.skynet.acme.domains = [
"${name}.skynet.ie"
];
age.secrets.grafana_pw = {
file = ../secrets/grafana/pw.age;
owner = "grafana";
group = "grafana";
};
services.grafana = {
enable = true;
domain = "${name}.skynet.ie";
port = port;
settings.security.admin_password = "$__file{${config.age.secrets.grafana_pw.path}}";
provision = {
enable = true;
datasources.settings.datasources = [
{
name = "Prometheus";
type = "prometheus";
url = "http://localhost:${toString config.services.skynet.prometheus.server.port}";
isDefault = true;
editable = true;
}
];
};
};
services.nginx.virtualHosts = {
"${name}.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "http://localhost:${toString port}";
proxyWebsockets = true;
};
};
};
};
}

View file

@ -6,18 +6,30 @@
... ...
}: }:
with lib; let with lib; let
name = "ldap_backend"; cfg = config.services.ldap_backend;
cfg = config.services.skynet."${name}";
port_backend = "8087"; port_backend = "8087";
in { in {
imports = [ imports = [
../acme.nix
../dns.nix
../nginx.nix
inputs.skynet_ldap_backend.nixosModule."x86_64-linux" inputs.skynet_ldap_backend.nixosModule."x86_64-linux"
../../config/users.nix ../../config/users.nix
]; ];
options.services.skynet."${name}" = { options.services.ldap_backend = {
enable = mkEnableOption "Skynet LDAP backend server"; enable = mkEnableOption "Skynet LDAP backend server";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = { domain = {
tld = mkOption { tld = mkOption {
type = types.str; type = types.str;
@ -40,18 +52,19 @@ in {
#backups = [ "/etc/silver_ul_ical/database.db" ]; #backups = [ "/etc/silver_ul_ical/database.db" ];
age.secrets.ldap_details.file = ../../secrets/ldap/details.age; age.secrets.ldap_details.file = ../../secrets/ldap/details.age;
age.secrets.ldap_discord.file = ../../secrets/discord/ldap.age;
age.secrets.ldap_mail.file = ../../secrets/email/details.age; age.secrets.ldap_mail.file = ../../secrets/email/details.age;
age.secrets.ldap_wolves.file = ../../secrets/wolves/details.age; age.secrets.ldap_wolves.file = ../../secrets/wolves/details.age;
services.skynet.acme.domains = [ skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
]; ];
services.skynet.dns.records = [ skynet_dns.records = [
{ {
record = cfg.domain.sub; record = cfg.domain.sub;
r_type = "CNAME"; r_type = "CNAME";
value = config.services.skynet.host.name; value = cfg.host.name;
} }
]; ];
@ -61,13 +74,13 @@ in {
locations."/".proxyPass = "http://localhost:${port_backend}"; locations."/".proxyPass = "http://localhost:${port_backend}";
}; };
# this got imported
services.skynet_ldap_backend = { services.skynet_ldap_backend = {
enable = true; enable = true;
# contains teh password in env form # contains teh password in env form
env = { env = {
ldap = config.age.secrets.ldap_details.path; ldap = config.age.secrets.ldap_details.path;
discord = config.age.secrets.ldap_discord.path;
mail = config.age.secrets.ldap_mail.path; mail = config.age.secrets.ldap_mail.path;
wolves = config.age.secrets.ldap_wolves.path; wolves = config.age.secrets.ldap_wolves.path;
}; };

View file

@ -5,8 +5,7 @@
... ...
}: }:
with lib; let with lib; let
name = "ldap_client"; cfg = config.services.skynet_ldap_client;
cfg = config.services.skynet."${name}";
# always ensure the admin group has access # always ensure the admin group has access
create_filter_check_admin = x: create_filter_check_admin = x:
@ -28,9 +27,9 @@ in {
imports = []; imports = [];
# give users access to this server # give users access to this server
#services.skynet.ldap_client.groups = ["skynet-users-linux"]; #services.skynet_ldap_client.groups = ["skynet-users-linux"];
options.services.skynet."${name}" = { options.services.skynet_ldap_client = {
# options that need to be passed in to make this work # options that need to be passed in to make this work
enable = mkEnableOption "Skynet LDAP client"; enable = mkEnableOption "Skynet LDAP client";

View file

@ -9,19 +9,32 @@ Gonna use a priper nixos module for this
... ...
}: }:
with lib; let with lib; let
name = "ldap"; cfg = config.services.skynet_ldap;
cfg = config.services.skynet."${name}";
domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in { in {
# these are needed for teh program in question # these are needed for teh program in question
imports = [ imports = [
../acme.nix
../dns.nix
../nginx.nix
./backend.nix
]; ];
options.services.skynet."${name}" = { options.services.skynet_ldap = {
# options that need to be passed in to make this work # options that need to be passed in to make this work
enable = mkEnableOption "Skynet LDAP service"; enable = mkEnableOption "Skynet LDAP service";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = { domain = {
tld = mkOption { tld = mkOption {
type = types.str; type = types.str;
@ -51,6 +64,13 @@ in {
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
# passthrough to the backend
services.ldap_backend = {
enable = true;
host.ip = cfg.host.ip;
host.name = cfg.host.name;
};
# after changing teh password openldap.service has to be restarted # after changing teh password openldap.service has to be restarted
age.secrets.ldap_pw = { age.secrets.ldap_pw = {
file = ../../secrets/ldap/pw.age; file = ../../secrets/ldap/pw.age;
@ -59,15 +79,15 @@ in {
group = "openldap"; group = "openldap";
}; };
services.skynet.acme.domains = [ skynet_acme.domains = [
domain domain
]; ];
services.skynet.dns.records = [ skynet_dns.records = [
{ {
record = cfg.domain.sub; record = cfg.domain.sub;
r_type = "CNAME"; r_type = "CNAME";
value = config.services.skynet.host.name; value = cfg.host.name;
} }
]; ];

View file

@ -5,16 +5,28 @@
... ...
}: }:
with lib; let with lib; let
name = "nextcloud"; cfg = config.services.skynet_nextcloud;
cfg = config.services.skynet."${name}";
domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"; domain = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
in { in {
imports = [ imports = [
./acme.nix
./dns.nix
./nginx.nix
]; ];
options.services.skynet."${name}" = { options.services.skynet_nextcloud = {
enable = mkEnableOption "Skynet Nextcloud"; enable = mkEnableOption "Skynet Nextcloud";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = { domain = {
tld = mkOption { tld = mkOption {
type = types.str; type = types.str;
@ -28,7 +40,7 @@ in {
sub = mkOption { sub = mkOption {
type = types.str; type = types.str;
default = name; default = "nextcloud";
}; };
}; };
}; };
@ -42,35 +54,29 @@ in {
group = "nextcloud"; group = "nextcloud";
}; };
services.skynet.acme.domains = [ skynet_acme.domains = [
domain domain
"onlyoffice.${domain}" "onlyoffice.${domain}"
"whiteboard.${domain}"
]; ];
services.skynet.dns.records = [ skynet_dns.records = [
{ {
record = cfg.domain.sub; record = cfg.domain.sub;
r_type = "CNAME"; r_type = "CNAME";
value = config.services.skynet.host.name; value = cfg.host.name;
} }
{ {
record = "onlyoffice.${cfg.domain.sub}"; record = "onlyoffice.${cfg.domain.sub}";
r_type = "CNAME"; r_type = "CNAME";
value = config.services.skynet.host.name; value = cfg.host.name;
} }
# {
# record = "whiteboard.${cfg.domain.sub}";
# r_type = "CNAME";
# value = config.services.skynet.host.name;
# }
]; ];
# /var/lib/nextcloud/data # /var/lib/nextcloud/data
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud30; package = pkgs.nextcloud28;
hostName = domain; hostName = domain;
https = true; https = true;
@ -84,8 +90,8 @@ in {
appstoreEnable = true; appstoreEnable = true;
extraApps = { extraApps = with config.services.nextcloud.package.packages.apps; {
inherit (config.services.nextcloud.package.packages.apps) richdocuments; inherit forms groupfolders maps notes onlyoffice polls;
}; };
settings = { settings = {
@ -96,23 +102,17 @@ in {
}; };
}; };
# environment.etc."nextcloud-whiteboard-secret".text = ''
# JWT_SECRET_KEY=test123
# '';
#
# services.nextcloud-whiteboard-server = {
# enable = true;
# settings.NEXTCLOUD_URL = "https://nextcloud.skynet.ie";
# secrets = ["/etc/nextcloud-whiteboard-secret"];
# };
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
# impacted by https://github.com/NixOS /nixpkgs/issues/352443 services.onlyoffice = {
# services.onlyoffice = { enable = true;
# enable = true; };
# };
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
${domain} = { ${domain} = {
forceSSL = true; forceSSL = true;
useACMEHost = "skynet"; useACMEHost = "skynet";
@ -122,14 +122,6 @@ in {
useACMEHost = "skynet"; useACMEHost = "skynet";
locations."/".proxyPass = "http://127.0.0.1:8000"; locations."/".proxyPass = "http://127.0.0.1:8000";
}; };
# "whiteboard.${domain}" = {
# forceSSL = true;
# useACMEHost = "skynet";
# locations."/" = {
# proxyPass = "http://localhost:3002";
# proxyWebsockets = true;
# };
# };
}; };
}; };
} }

View file

@ -9,6 +9,8 @@
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedProxySettings = true; recommendedProxySettings = true;
statusPage = true;
# give Nginx access to our certs # give Nginx access to our certs
group = "acme"; group = "acme";
}; };

View file

@ -1,98 +0,0 @@
/*
A nix cache for our use
atticd-atticadm make-token --sub "admin_username" --validity "10y" --pull "*" --push "*" --create-cache "*" --delete "*" --configure-cache "*" --configure-cache-retention "*" --destroy-cache "*"
# for the gitlab runner, done eyarly
atticd-atticadm make-token --sub "wheatly-runner" --validity "1y" --pull "skynet-cache" --push "skynet-cache"
Documentation:
https://docs.attic.rs/introduction.html
*/
{
lib,
config,
pkgs,
...
}:
with lib; let
name = "nix-cache";
cfg = config.services.skynet."${name}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Nix Cache";
};
config = mkIf cfg.enable {
services.skynet.acme.domains = [
"${name}.skynet.ie"
];
services.skynet.dns.records = [
{
record = "${name}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
users.groups."nix-serve" = {};
users.users."nix-serve" = {
isSystemUser = true;
group = "nix-serve";
};
services.atticd = {
enable = true;
# Replace with absolute path to your credentials file
environmentFile = "/etc/atticd.env";
settings = {
listen = "127.0.0.1:8080";
# Data chunking
#
# Warning: If you change any of the values here, it will be
# difficult to reuse existing chunks for newly-uploaded NARs
# since the cutpoints will be different. As a result, the
# deduplication ratio will suffer for a while after the change.
chunking = {
# The minimum NAR size to trigger chunking
#
# If 0, chunking is disabled entirely for newly-uploaded NARs.
# If 1, all NARs are chunked.
nar-size-threshold = 64 * 1024; # 64 KiB
# The preferred minimum size of a chunk, in bytes
min-size = 16 * 1024; # 16 KiB
# The preferred average size of a chunk, in bytes
avg-size = 64 * 1024; # 64 KiB
# The preferred maximum size of a chunk, in bytes
max-size = 256 * 1024; # 256 KiB
};
};
};
networking.firewall.allowedTCPPorts = [80 443];
services.nginx = {
clientMaxBodySize = "500m";
virtualHosts = {
"${name}.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
};
};
};
};
};
}

View file

@ -1,17 +0,0 @@
# Open Governance
Started by DCU this is an initiative to make the running of (computer) societies more open and resilient.
The goal is to back these up in multiple locations.
| Uni | Tag | Repo | Notes |
|-----|----------|----------------------------------------------------------|-------|
| DCU | redbrick | https://github.com/redbrick/open-governance | |
| UL | skynet | https://gitlab.skynet.ie/compsoc1/compsoc/open-goverance | |
| | | | |
## Keys
We host our own keyserver: https://keyserver.skynet.ie
Use it in commands like so:
``gpg --keyserver hkp://keyserver.skynet.ie:80 --send-key KEY_ID``

View file

@ -1,62 +0,0 @@
/*
This file is for hosting teh open governance for other societies
*/
{
lib,
config,
pkgs,
...
}:
with lib; let
name = "keyserver";
cfg = config.services.skynet."${name}";
port = 11371;
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Public Keyserver";
};
config = mkIf cfg.enable {
services.skynet.acme.domains = [
"${name}.skynet.ie"
];
services.skynet.dns.records = [
{
record = "${name}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.hockeypuck = {
enable = true;
port = port;
};
# hockeypuck needs a database backend
services.postgresql = {
enable = true;
ensureDatabases = ["hockeypuck"];
ensureUsers = [
{
name = "hockeypuck";
ensureDBOwnership = true;
}
];
};
services.nginx.virtualHosts = {
"${name}.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/" = {
proxyPass = "http://localhost:${toString port}";
};
};
};
};
}

View file

@ -1,61 +0,0 @@
/*
This file is for hosting teh open governance for other societies
*/
{
lib,
config,
pkgs,
...
}:
with lib; let
# - instead of _ for dns reasons
name = "open-governance";
cfg = config.services.skynet."${name}";
folder = "/var/skynet/${name}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Open Governance";
};
config = {
services.skynet.acme.domains = [
"${name}.skynet.ie"
];
services.skynet.dns.records = [
{
record = "${name}";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
# create a folder to store the archives
systemd.tmpfiles.rules = [
"d ${folder} 0755 ${config.services.nginx.user} ${config.services.nginx.group}"
"L+ ${folder}/README.md - - - - ${./README.md}"
];
services.nginx.virtualHosts = {
"${name}.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = folder;
locations = {
"/".extraConfig = "autoindex on;";
# show md files as plain text
"~ \.md".extraConfig = ''
types {
text/plain md;
}
'';
};
};
};
};
}

View file

@ -1,95 +0,0 @@
{
nodes,
lib,
config,
...
}:
with lib; let
name = "prometheus";
cfg = config.services.skynet."${name}";
# dont have to worry about any external addresses for this
# create a list of either "ip@port" or ""
# the ""s then get filtered out by filter_empty
exporters = {
dns = (
lib.attrsets.mapAttrsToList (
key: value:
if value.config.services.skynet.dns.server.enable
then "${value.config.deployment.targetHost}:${toString value.config.services.prometheus.exporters.bind.port}"
else ""
)
nodes
);
node = lib.attrsets.mapAttrsToList (key: value: "${value.config.deployment.targetHost}:${toString value.config.services.prometheus.exporters.node.port}") nodes;
};
# clears any invalid entries
filter_empty = inputs: (builtins.filter (value: value != "") inputs);
in {
imports = [];
options.services.skynet."${name}" = {
server = {
enable = mkEnableOption "Prometheus Server";
port = mkOption {
type = types.port;
default = 9001;
};
};
external = {
node = mkOption {
type = types.listOf types.str;
default = [];
description = ''
To add other nodes outside of nix, specify ip and port that server should listen to here
'';
};
};
ports = {
node = mkOption {
type = types.port;
default = 9100;
};
};
};
config = mkMerge [
{
services.prometheus.exporters.node = {
enable = true;
port = cfg.ports.node;
openFirewall = true;
# most collectors are on by default see https://github.com/prometheus/node_exporter for more options
enabledCollectors = ["systemd" "processes"];
};
}
(mkIf cfg.server.enable {
services.prometheus = {
enable = true;
port = cfg.server.port;
scrapeConfigs = [
{
job_name = "node_exporter";
static_configs = [
{
targets = filter_empty (exporters.node ++ cfg.external.node);
}
];
}
{
job_name = "bind";
static_configs = [
{
targets = filter_empty exporters.dns;
}
];
}
];
};
})
];
}

View file

@ -12,19 +12,19 @@ with lib; {
enable = mkOption { enable = mkOption {
default = true; default = true;
type = types.bool; type = types.bool;
description = lib.mdDoc "Whether to enable the Proxmox VE LXC module."; description = lib.mdDoc "Whether to enable the ProxmoxLXC.";
}; };
privileged = mkOption { privileged = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = lib.mdDoc ''
Whether to enable privileged mounts Whether to enable privileged mounts
''; '';
}; };
manageNetwork = mkOption { manageNetwork = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = lib.mdDoc ''
Whether to manage network interfaces through nix options Whether to manage network interfaces through nix options
When false, systemd-networkd is enabled to accept network When false, systemd-networkd is enabled to accept network
configuration from proxmox. configuration from proxmox.
@ -33,7 +33,7 @@ with lib; {
manageHostName = mkOption { manageHostName = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
description = '' description = lib.mdDoc ''
Whether to manage hostname through nix options Whether to manage hostname through nix options
When false, the hostname is picked up from /etc/hostname When false, the hostname is picked up from /etc/hostname
populated by proxmox. populated by proxmox.
@ -68,8 +68,6 @@ with lib; {
loader.initScript.enable = true; loader.initScript.enable = true;
}; };
console.enable = true;
networking = mkIf (!cfg.manageNetwork) { networking = mkIf (!cfg.manageNetwork) {
useDHCP = false; useDHCP = false;
useHostResolvConf = false; useHostResolvConf = false;
@ -83,14 +81,13 @@ with lib; {
startWhenNeeded = mkDefault true; startWhenNeeded = mkDefault true;
}; };
systemd = { systemd.mounts =
mounts = mkIf (!cfg.privileged) [ mkIf (!cfg.privileged)
[
{ {
enable = false;
where = "/sys/kernel/debug"; where = "/sys/kernel/debug";
enable = false;
} }
]; ];
services."getty@".unitConfig.ConditionPathExists = ["" "/dev/%I"];
};
}; };
} }

View file

@ -7,8 +7,7 @@
... ...
}: }:
with lib; let with lib; let
name = "backup"; cfg = config.services.skynet_backup;
cfg = config.services.skynet."${name}";
enable_client = cfg.normal.backups != null && cfg.normal.backups != []; enable_client = cfg.normal.backups != null && cfg.normal.backups != [];
@ -38,24 +37,22 @@ with lib; let
ownServers = builtins.listToAttrs (builtins.concatLists ( ownServers = builtins.listToAttrs (builtins.concatLists (
lib.attrsets.mapAttrsToList ( lib.attrsets.mapAttrsToList (
key: value: let key: value: let
backup = value.config.services.skynet.backup; backup = value.config.services.skynet_backup;
backup_host = value.config.services.skynet.host;
in in
if if
( (
(builtins.hasAttr "backup" value.config.services.skynet) (builtins.hasAttr "skynet_backup" value.config.services)
&& backup.server.enable && backup.server.enable
# chgeck that its not itself && backup.host.name != cfg.host.name
&& backup_host.name != config.services.skynet.host.name
&& !backup.server.appendOnly && !backup.server.appendOnly
) )
then [ then [
{ {
name = backup_host.name; name = backup.host.name;
value = value =
base base
// { // {
repositoryFile = "/etc/skynet/restic/${backup_host.name}"; repositoryFile = "/etc/skynet/restic/${backup.host.name}";
backupPrepareCommand = '' backupPrepareCommand = ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
@ -66,13 +63,13 @@ with lib; let
mkdir -p $baseDir mkdir -p $baseDir
cd $baseDir cd $baseDir
echo -n "rest:http://root:password@${backup_host.ip}:${toString backup.server.port}/root/${config.services.skynet.host.name}" > ${backup_host.name} echo -n "rest:http://root:password@${backup.host.ip}:${toString backup.server.port}/root/${cfg.host.name}" > ${backup.host.name}
# read in teh password # read in teh password
#PW = `cat ${config.age.secrets.restic.path}` #PW = `cat ${config.age.secrets.restic.path}`
line=$(head -n 1 ${config.age.secrets.restic.path}) line=$(head -n 1 ${config.age.secrets.restic.path})
sed -i "s/password/$line/g" ${backup_host.name} sed -i "s/password/$line/g" ${backup.host.name}
''; '';
}; };
} }
@ -88,8 +85,9 @@ in {
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
# https://git.hrnz.li/Ulli/nixos/src/commit/5edca2dfdab3ce52208e4dfd2b92951e500f8418/profiles/server/restic.nix # https://git.hrnz.li/Ulli/nixos/src/commit/5edca2dfdab3ce52208e4dfd2b92951e500f8418/profiles/server/restic.nix
# will eb enabled on every server # will eb enabled on every server
options.services.skynet."${name}" = { options.services.skynet_backup = {
enable = mkEnableOption "Skynet backup"; # backup is enabled by default
# enable = mkEnableOption "Skynet backup";
# what folders to backup # what folders to backup
normal = { normal = {
@ -129,6 +127,16 @@ in {
}; };
}; };
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
server = { server = {
enable = mkEnableOption "Skynet backup Server"; enable = mkEnableOption "Skynet backup Server";
@ -144,15 +152,14 @@ in {
}; };
}; };
config = mkMerge [ config =
{ {
# these values are anabled for every client # these values are anabled for every client
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
restic restic
]; ];
} }
// mkIf cfg.server.enable {
(mkIf cfg.server.enable {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
cfg.server.port cfg.server.port
]; ];
@ -168,13 +175,12 @@ in {
services.restic.server = { services.restic.server = {
enable = true; enable = true;
listenAddress = "${config.services.skynet.host.ip}:${toString cfg.server.port}"; listenAddress = "${cfg.host.ip}:${toString cfg.server.port}";
appendOnly = cfg.server.appendOnly; appendOnly = cfg.server.appendOnly;
privateRepos = true; privateRepos = true;
}; };
}) }
// mkIf enable_client {
(mkIf enable_client {
# client stuff here # client stuff here
# A list of all login accounts. To create the password hashes, use # A list of all login accounts. To create the password hashes, use
@ -183,17 +189,15 @@ in {
age.secrets.restic.file = ../secrets/backup/restic.age; age.secrets.restic.file = ../secrets/backup/restic.age;
services.restic.backups = mkMerge [ services.restic.backups =
ownServers ownServers
{ // {
# merge teh two configs together # merge teh two configs together
# backblaze = base // { # backblaze = base // {
# # backupos for each server are stored in a folder under their name # # backupos for each server are stored in a folder under their name
# repository = "b2:NixOS-Main2:/${config.services.skynet.host.name}"; # repository = "b2:NixOS-Main2:/${cfg.host.name}";
# #environmentFile = config.age.secrets.backblaze.path; # #environmentFile = config.age.secrets.backblaze.path;
# }; # };
} };
]; };
})
];
} }

108
applications/skynet.ie.nix Normal file
View file

@ -0,0 +1,108 @@
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
cfg = config.services.skynet;
in {
imports = [
./acme.nix
./dns.nix
];
options.services.skynet = {
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
};
config = {
skynet_acme.domains = [
# the root one is already covered by teh certificate
"2016.skynet.ie"
"discord.skynet.ie"
"public.skynet.ie"
"renew.skynet.ie"
];
skynet_dns.records = [
# means root domain, so skynet.ie
{
record = "@";
r_type = "A";
value = cfg.host.ip;
}
{
record = "2016";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "discord";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "public";
r_type = "CNAME";
value = cfg.host.name;
}
{
record = "renew";
r_type = "CNAME";
value = cfg.host.name;
}
];
networking.firewall.allowedTCPPorts = [80 443];
services.nginx = {
enable = true;
group = "acme";
virtualHosts = {
# main site
"skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs.skynet_website.defaultPackage."x86_64-linux"}";
};
# archive of teh site as it was ~2012 to 2016
"2016.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs.skynet_website_2016.defaultPackage."x86_64-linux"}";
};
# a custom discord url, because we are too cheap otehrwise
"discord.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://discord.gg/mkuKJkCuyM";
};
"public.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs.compsoc_public.packages.x86_64-linux.default}";
locations."/".extraConfig = "autoindex on;";
};
# for alumni members to renew their account
"renew.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs.skynet_website_renew.defaultPackage."x86_64-linux"}";
};
};
};
};
}

View file

@ -1,34 +0,0 @@
{year}: {
config,
pkgs,
lib,
inputs,
...
}:
with lib; {
imports = [];
config = {
services.skynet.acme.domains = [
"${year}.skynet.ie"
];
services.skynet.dns.records = [
{
record = year;
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx = {
virtualHosts = {
"${year}.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs."skynet_website_${year}".defaultPackage."x86_64-linux"}";
};
};
};
};
}

View file

@ -1,82 +0,0 @@
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
name = "website";
cfg = config.services.skynet."${name}";
in {
imports = [
# import in past website versions, available at $year.skynet.ie
# at teh end of teh year add it here
(import ./old_site.nix {year = "2023";})
(import ./old_site.nix {year = "2017";})
(import ./old_site.nix {year = "2009";})
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Main Website";
};
config = mkIf cfg.enable {
services.skynet.acme.domains = [
"discord.skynet.ie"
"public.skynet.ie"
];
services.skynet.dns.records = [
# means root domain, so skynet.ie
{
record = "@";
r_type = "A";
value = config.services.skynet.host.ip;
}
{
record = "discord";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
{
record = "public";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx = {
virtualHosts = {
# main site
"skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations = {
"/".root = "${inputs.skynet_website.defaultPackage."x86_64-linux"}";
# this redirects old links to new format
"~* ~(?<username>[a-z_0-9]*)(?<files>\\S*)$" = {
priority = 1;
return = "307 https://$username.users.skynet.ie$files";
};
};
};
# a custom discord url, because we are too cheap otehrwise
"discord.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://discord.gg/mkuKJkCuyM";
};
"public.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs.compsoc_public.packages.x86_64-linux.default}";
locations."/".extraConfig = "autoindex on;";
};
};
};
};
}

View file

@ -1,64 +0,0 @@
{
config,
pkgs,
lib,
inputs,
...
}:
with lib; let
name = "wiki";
cfg = config.services.skynet."${name}";
in {
imports = [
];
options.services.skynet."${name}" = {
enable = mkEnableOption "Skynet Wiki";
};
config = mkIf cfg.enable {
services.skynet.acme.domains = [
"renew.skynet.ie"
"wiki.skynet.ie"
];
services.skynet.dns.records = [
{
record = "renew";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
{
record = "wiki";
r_type = "CNAME";
value = config.services.skynet.host.name;
}
];
services.nginx = {
virtualHosts = {
"wiki.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
root = "${inputs.skynet_website_wiki.defaultPackage."x86_64-linux"}";
# https://stackoverflow.com/a/38238001/11964934
extraConfig = ''
location / {
if ($request_uri ~ ^/(.*)\.html) {
return 302 /$1;
}
try_files $uri $uri.html $uri/ =404;
}
'';
};
# redirect old links to the new wiki
"renew.skynet.ie" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://wiki.skynet.ie";
};
};
};
};
}

View file

@ -6,25 +6,30 @@
... ...
}: }:
with lib; let with lib; let
name = "website_users"; cfg = config.services.skynet_users;
cfg = config.services.skynet."${name}";
php_pool = name;
in { in {
imports = [ imports = [
./acme.nix
./dns.nix
./nginx.nix
]; ];
options.services.skynet."${name}" = { options.services.skynet_users = {
enable = mkEnableOption "Skynet User Linux Server"; host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
}; };
config = { config = {
# we havea more limited ports range on the skynet server # ssh access
services.skynet.prometheus.ports = {
node = 9000;
};
# allow more than admins access # allow more than admins access
services.skynet.ldap_client = { services.skynet_ldap_client = {
groups = [ groups = [
"skynet-admins-linux" "skynet-admins-linux"
"skynet-users-linux" "skynet-users-linux"
@ -32,21 +37,21 @@ in {
}; };
# Website config # Website config
services.skynet.acme.domains = [ skynet_acme.domains = [
"users.skynet.ie" "users.skynet.ie"
"*.users.skynet.ie" "*.users.skynet.ie"
]; ];
services.skynet.dns.records = [ skynet_dns.records = [
{ {
record = "users"; record = "users";
r_type = "CNAME"; r_type = "CNAME";
value = config.services.skynet.host.name; value = cfg.host.name;
} }
{ {
record = "*.users"; record = "*.users";
r_type = "CNAME"; r_type = "CNAME";
value = config.services.skynet.host.name; value = cfg.host.name;
} }
]; ];
@ -64,41 +69,14 @@ in {
# normally services cannot read home dirs # normally services cannot read home dirs
systemd.services.nginx.serviceConfig.ProtectHome = "read-only"; systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
systemd.services."phpfpm-${php_pool}".serviceConfig.ProtectHome = lib.mkForce "read-only";
services.phpfpm.pools.${php_pool} = {
user = config.services.nginx.user;
group = config.services.nginx.group;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
};
phpEnv."PATH" = lib.makeBinPath [pkgs.php];
};
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"outinul.ie" = { "${cfg.host.ip}" = {
forceSSL = true; forceSSL = true;
enableACME = true; useACMEHost = "skynet";
locations = { locations."/".return = "307 https://skynet.ie";
"/" = {
alias = "/home/outinul/public_html/";
index = "index.html";
extraConfig = ''
autoindex on;
'';
tryFiles = "$uri$args $uri$args/ /index.html";
};
};
}; };
# main site # main site
"*.users.skynet.ie" = { "*.users.skynet.ie" = {
forceSSL = true; forceSSL = true;
@ -110,28 +88,12 @@ in {
# chmod 711 ~ # chmod 711 ~
# chmod -R 755 ~/public_html # chmod -R 755 ~/public_html
locations = { locations."/" = {
"/" = {
alias = "/home/$user/public_html/"; alias = "/home/$user/public_html/";
index = "index.html"; index = "index.html";
extraConfig = '' extraConfig = "autoindex on;";
autoindex on;
'';
tryFiles = "$uri$args $uri$args/ /index.html"; tryFiles = "$uri$args $uri$args/ /index.html";
}; };
"~ ^(.+\\.php)(.*)$" = {
root = "/home/$user/public_html/";
index = "index.php";
extraConfig = ''
autoindex on;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.${php_pool}.socket};
include ${pkgs.nginx}/conf/fastcgi.conf;
'';
tryFiles = "$uri$args $uri$args/ /index.php";
};
};
}; };
}; };
}; };

View file

@ -5,15 +5,28 @@
... ...
}: }:
with lib; let with lib; let
name = "ulfm"; cfg = config.services.skynet_ulfm;
cfg = config.services.skynet."${name}";
in { in {
imports = [ imports = [
./acme.nix
./dns.nix
./firewall.nix
./nginx.nix
]; ];
options.services.skynet."${name}" = { options.services.skynet_ulfm = {
enable = mkEnableOption "ULFM service"; enable = mkEnableOption "ULFM service";
host = {
ip = mkOption {
type = types.str;
};
name = mkOption {
type = types.str;
};
};
domain = { domain = {
tld = mkOption { tld = mkOption {
type = types.str; type = types.str;
@ -40,22 +53,22 @@ in {
8000 8000
]; ];
services.skynet.acme.domains = [ skynet_acme.domains = [
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
]; ];
services.skynet.dns.records = [ skynet_dns.records = [
{ {
record = cfg.domain.sub; record = cfg.domain.sub;
r_type = "CNAME"; r_type = "CNAME";
value = config.services.skynet.host.name; value = cfg.host.name;
} }
]; ];
skynet_firewall.forward = [ skynet_firewall.forward = [
"ip daddr ${config.services.skynet.host.ip} tcp dport 80 counter packets 0 bytes 0 accept" "ip daddr ${cfg.host.ip} tcp dport 80 counter packets 0 bytes 0 accept"
"ip daddr ${config.services.skynet.host.ip} tcp dport 443 counter packets 0 bytes 0 accept" "ip daddr ${cfg.host.ip} tcp dport 443 counter packets 0 bytes 0 accept"
"ip daddr ${config.services.skynet.host.ip} tcp dport 8000 counter packets 0 bytes 0 accept" "ip daddr ${cfg.host.ip} tcp dport 8000 counter packets 0 bytes 0 accept"
]; ];
users.groups."icecast" = {}; users.groups."icecast" = {};
@ -81,12 +94,20 @@ in {
}; };
services.nginx = { services.nginx = {
enable = true;
group = "acme";
virtualHosts = { virtualHosts = {
"${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = { "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}" = {
forceSSL = true; forceSSL = true;
useACMEHost = "skynet"; useACMEHost = "skynet";
locations."/".proxyPass = "http://localhost:8000"; locations."/".proxyPass = "http://localhost:8000";
}; };
"${cfg.host.ip}" = {
forceSSL = true;
useACMEHost = "skynet";
locations."/".return = "307 https://skynet.ie";
};
}; };
}; };
}; };

View file

@ -1,26 +1,20 @@
{lib, ...}: { {lib, ...}: {
imports = [ imports = [];
];
options.skynet.records = lib.mkOption { options.skynet = {
records = lib.mkOption {
description = "Records, sorted based on therir type"; description = "Records, sorted based on therir type";
type = lib.types.listOf (lib.types.submodule (import ../applications/dns/options-records.nix { type = lib.types.attrsOf (lib.types.listOf (lib.types.submodule (import ../_types/dns_object.nix {
inherit lib; inherit lib;
})); })));
};
}; };
config = { config = {
skynet.records = skynet.records = {
[ "skynet.ie" = [
# wifi in server room
{ {
record = "ash"; record = "optimus-reborn";
r_type = "A";
value = "193.1.99.114";
server = true;
}
{
record = "optimus";
r_type = "A"; r_type = "A";
value = "193.1.99.90"; value = "193.1.99.90";
server = true; server = true;
@ -28,7 +22,7 @@
{ {
record = "panel.games"; record = "panel.games";
r_type = "CNAME"; r_type = "CNAME";
value = "optimus"; value = "optimus-reborn";
} }
{ {
record = "bumblebee"; record = "bumblebee";
@ -44,70 +38,21 @@
{ {
record = "_minecraft._tcp.minecraft.compsoc.games.skynet.ie."; record = "_minecraft._tcp.minecraft.compsoc.games.skynet.ie.";
r_type = "SRV"; r_type = "SRV";
value = "0 10 25518 bumblebee.skynet.ie."; value = "0 10 25518 minecraft.compsoc.games.skynet.ie.";
}
{
record = "minecraft-classic.compsoc.games";
r_type = "CNAME";
value = "bumblebee";
}
{
record = "_minecraft._tcp.minecraft-classic.compsoc.games.skynet.ie.";
r_type = "SRV";
value = "0 10 25518 bumblebee.skynet.ie.";
}
{
record = "minecraft.gsoc.games";
r_type = "CNAME";
value = "bumblebee";
}
{
record = "_minecraft._tcp.minecraft.gsoc.games.skynet.ie.";
r_type = "SRV";
value = "0 10 25521 bumblebee.skynet.ie.";
}
{
record = "minecraft.phildeb.games";
r_type = "CNAME";
value = "bumblebee";
}
{
record = "_minecraft._tcp.minecraft.phildeb.games.skynet.ie.";
r_type = "SRV";
value = "0 10 25522 bumblebee.skynet.ie.";
}
{
record = "minecraft-aged.compsoc.games";
r_type = "CNAME";
value = "bumblebee";
}
{
record = "_minecraft._tcp.minecraft-aged.compsoc.games.skynet.ie.";
r_type = "SRV";
value = "0 10 25519 bumblebee.skynet.ie.";
}
]
# non skynet domains
++ [
{
domain = "conradcollins.net";
record = "www";
r_type = "CNAME";
value = "skynet.skynet.ie.";
} }
];
# some space to avoid conflicts
"conradcollins.net" = [];
"edelharty.net" = [];
"outinul.ie" = [
{ {
domain = "edelharty.net"; record = "@";
record = "www";
r_type = "CNAME"; r_type = "CNAME";
value = "skynet.skynet.ie."; value = "users.skynet.ie.";
}
{
domain = "damienconroy.com";
record = "www";
r_type = "CNAME";
value = "skynet.skynet.ie.";
} }
]; ];
}; };
};
} }

View file

@ -1,11 +1,6 @@
{ {lib, ...}:
lib,
config,
...
}:
with lib; let with lib; let
port_backend = "8087"; port_backend = "8087";
cfg = config.skynet.users;
in { in {
options.skynet = { options.skynet = {
users = { users = {
@ -49,43 +44,34 @@ in {
config.skynet = { config.skynet = {
users = { users = {
committee = lib.lists.unique ( committee = [
# Committee - Core
[
"silver" "silver"
"eoghanconlon73" "eoghanconlon73"
"nanda"
"emily1999"
"dgr"
]
# Committee - OCM
++ [
"sidhiel" "sidhiel"
"maksimsger1"
"kaiden"
"pine"
"nanda"
"sourabh1805"
"kronsy"
"skyapples" "skyapples"
"eliza" ];
"amymucko"
"archiedms"
]
# Committee - SISTEM
++ [
"peace"
]
# Admins are part of Committee as well
++ cfg.admin
);
admin = [ admin = [
"silver" "silver"
"evanc" "evanc"
"eoghanconlon73"
"eliza" "eliza"
"esy"
]; ];
trainee = []; trainee = [
"milan"
"esy"
"kronsy"
];
lifetime = []; lifetime = [];
banned = []; banned = [];
clubs_societies = [ clubs_societies = [
"outinul" "outinul"
"gamesdev"
]; ];
restricted = restricted =

File diff suppressed because it is too large Load diff

114
flake.nix
View file

@ -7,69 +7,83 @@
# Return to using unstable once the current master is merged in # Return to using unstable once the current master is merged in
# nixpkgs.url = "nixpkgs/nixos-unstable"; # nixpkgs.url = "nixpkgs/nixos-unstable";
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.1-1.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
# utility stuff # utility stuff
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
agenix.url = "github:ryantm/agenix"; agenix.url = "github:ryantm/agenix";
arion.url = "github:hercules-ci/arion"; arion.url = "github:hercules-ci/arion";
alejandra = { alejandra = {
url = "github:kamadorueda/alejandra"; url = "github:kamadorueda/alejandra/3.0.0";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
colmena.url = "github:zhaofengli/colmena";
# we host our own # email
# simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver";
simple-nixos-mailserver = { simple-nixos-mailserver = {
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
url = "git+https://forgejo.skynet.ie/Skynet/misc_nixos-mailserver"; type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "misc%2Fnixos-mailserver";
}; };
###################### # account.skynet.ie
### skynet backend ### skynet_ldap_backend = {
###################### type = "gitlab";
skynet_ldap_backend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_backend"; host = "gitlab.skynet.ie";
skynet_ldap_frontend.url = "git+https://forgejo.skynet.ie/Skynet/ldap_frontend"; owner = "compsoc1%2Fskynet";
skynet_website_wiki.url = "git+https://forgejo.skynet.ie/Skynet/wiki"; repo = "ldap%2Fbackend";
skynet_website_games.url = "git+https://forgejo.skynet.ie/Skynet/website_games"; };
skynet_discord_bot.url = "git+https://forgejo.skynet.ie/Skynet/discord-bot"; skynet_ldap_frontend = {
type = "gitlab";
##################### host = "gitlab.skynet.ie";
### compsoc stuff ### owner = "compsoc1%2Fskynet";
##################### repo = "ldap%2Ffrontend";
compsoc_public.url = "git+https://forgejo.skynet.ie/Computer_Society/presentations_compsoc"; };
skynet_website = {
################# type = "gitlab";
### skynet.ie ### host = "gitlab.skynet.ie";
################# owner = "compsoc1%2Fskynet";
repo = "website%2F2023";
# this should always point to teh current website };
skynet_website.url = "https://forgejo.skynet.ie/Skynet/website_2017/archive/main.tar.gz"; skynet_website_2016 = {
type = "gitlab";
# these are past versions of teh website host = "gitlab.skynet.ie";
skynet_website_2023.url = "https://forgejo.skynet.ie/Skynet/website_2017/archive/c4d61c753292bf73ed41b47b1607cfc92a82a191.tar.gz"; owner = "compsoc1%2Fskynet";
# this is not 100% right since this is from teh archive from 2022 or so repo = "website%2F2016";
skynet_website_2017.url = "https://forgejo.skynet.ie/Skynet/website_2017/archive/edd922c5b13fa1f520e8e265a3d6e4e189852b99.tar.gz"; };
skynet_website_renew = {
# this is more of 2012 than 2009 but started in 2009 type = "gitlab";
skynet_website_2009.url = "https://forgejo.skynet.ie/Skynet/website_2009/archive/main.tar.gz"; host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "website%2Falumni-renew";
};
skynet_website_games = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "website%2Fgames.skynet.ie";
};
skynet_discord_bot = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fskynet";
repo = "discord-bot";
};
compsoc_public = {
type = "gitlab";
host = "gitlab.skynet.ie";
owner = "compsoc1%2Fcompsoc";
repo = "presentations%2Fpresentations";
};
}; };
nixConfig = { nixConfig.bash-prompt-suffix = "[Skynet Dev] ";
bash-prompt-suffix = "[Skynet Dev] ";
extra-substituters = "https://nix-cache.skynet.ie/skynet-cache";
extra-trusted-public-keys = "skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo=";
};
outputs = { outputs = {
self, self,
nixpkgs, nixpkgs,
agenix, agenix,
alejandra, alejandra,
colmena,
... ...
} @ inputs: let } @ inputs: let
pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs; pkgs = nixpkgs.legacyPackages.x86_64-linux.pkgs;
@ -80,8 +94,7 @@
name = "Skynet build env"; name = "Skynet build env";
nativeBuildInputs = [ nativeBuildInputs = [
pkgs.buildPackages.git pkgs.buildPackages.git
colmena.defaultPackage."x86_64-linux" pkgs.buildPackages.colmena
pkgs.attic-client
pkgs.buildPackages.nmap pkgs.buildPackages.nmap
]; ];
buildInputs = [agenix.packages.x86_64-linux.default]; buildInputs = [agenix.packages.x86_64-linux.default];
@ -95,7 +108,7 @@
overlays = []; overlays = [];
}; };
specialArgs = { specialArgs = {
inherit inputs self; inherit inputs;
}; };
}; };
@ -114,6 +127,9 @@
# icecast - ULFM # icecast - ULFM
galatea = import ./machines/galatea.nix; galatea = import ./machines/galatea.nix;
# Game host
optimus = import ./machines/optimus.nix;
# LDAP host # LDAP host
kitt = import ./machines/kitt.nix; kitt = import ./machines/kitt.nix;
@ -140,12 +156,6 @@
# trainee server # trainee server
marvin = import ./machines/marvin.nix; marvin = import ./machines/marvin.nix;
# Public Services
calculon = import ./machines/calculon.nix;
# metrics
ariia = import ./machines/ariia.nix;
}; };
}; };
} }

View file

@ -18,11 +18,17 @@ in {
# for the secrets # for the secrets
inputs.agenix.nixosModules.default inputs.agenix.nixosModules.default
# base application config for all servers # every sever may need the firewall config stuff
../applications/_base.nix ../applications/firewall.nix
# # every sever needs to have a dns record
inputs.lix-module.nixosModules.default ../applications/dns.nix
# every server needs teh ldap client for admins
../applications/ldap/client.nix
# every server will need the config to backup to
../applications/restic.nix
]; ];
options.skynet = { options.skynet = {
@ -89,7 +95,7 @@ in {
}; };
# skynet-admin-linux will always be added, individual servers can override the groups option # skynet-admin-linux will always be added, individual servers can override the groups option
services.skynet.ldap_client.enable = true; services.skynet_ldap_client.enable = true;
networking = { networking = {
# every sever needs to be accessable over ssh for admin use at least # every sever needs to be accessable over ssh for admin use at least
@ -120,20 +126,19 @@ in {
# https://discourse.nixos.org/t/systemd-networkd-wait-online-934764-timeout-occurred-while-waiting-for-network-connectivity/33656/9 # https://discourse.nixos.org/t/systemd-networkd-wait-online-934764-timeout-occurred-while-waiting-for-network-connectivity/33656/9
systemd.network.wait-online.enable = false; systemd.network.wait-online.enable = false;
environment.systemPackages = with pkgs; [ environment.systemPackages = [
# for flakes # for flakes
git pkgs.git
git-lfs
# useful tools # useful tools
ncdu_2 pkgs.ncdu_2
htop pkgs.htop
nano pkgs.nano
nmap pkgs.nmap
bind pkgs.bind
zip pkgs.zip
traceroute pkgs.traceroute
openldap pkgs.openldap
screen pkgs.screen
]; ];
}; };
} }

View file

@ -17,11 +17,6 @@ Notes: Used to have Agent Smith as a partner but it died (Ironically)
name = "agentjones"; name = "agentjones";
ip_pub = "193.1.99.72"; ip_pub = "193.1.99.72";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in { in {
imports = [ imports = [
./hardware/RM001.nix ./hardware/RM001.nix
@ -36,9 +31,25 @@ in {
tags = ["active-firewall"]; tags = ["active-firewall"];
}; };
services.skynet = { skynet_dns.records = [
host = host; {
backup.enable = true; record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
}; };
# keep the wired usb connection alive (front panel) # keep the wired usb connection alive (front panel)

View file

@ -1,47 +0,0 @@
/*
Name: https://en.wikipedia.org/wiki/Eagle_Eye
Why: ARIIA - Autonomous Reconnaissance Intelligence Integration Analyst
Type: VM
Hardware: -
From: 2024
Role: Metrics gathering and Analysis
Notes:
*/
{
config,
pkgs,
lib,
nodes,
...
}: let
# name of the server, sets teh hostname and record for it
name = "ariia";
ip_pub = "193.1.99.83";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
../applications/grafana.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = null;
tags = ["active-core"];
};
services.skynet = {
host = host;
backup.enable = true;
prometheus.server.enable = true;
grafana.enable = true;
};
}

View file

@ -18,11 +18,6 @@ Notes:
name = "cadie"; name = "cadie";
ip_pub = "193.1.99.77"; ip_pub = "193.1.99.77";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in { in {
imports = [ imports = [
../applications/nextcloud.nix ../applications/nextcloud.nix
@ -36,10 +31,33 @@ in {
tags = ["active"]; tags = ["active"];
}; };
services.skynet = { skynet_dns.records = [
host = host; {
backup.enable = true; record = name;
nextcloud.enable = true; r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
services.skynet_nextcloud = {
enable = true;
host = {
ip = ip_pub;
name = name;
};
}; };
# this was causing a conflict for some reason # this was causing a conflict for some reason

View file

@ -1,49 +0,0 @@
/*
Name: https://futurama.fandom.com/wiki/Calculon
Why: Public Service server
Type: VM
Hardware: -
From: 2024
Role: Public services such as Nix Cache, Open governance stuff.
Notes:
*/
{
pkgs,
lib,
nodes,
inputs,
...
}: let
name = "calculon";
ip_pub = "193.1.99.82";
hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in {
imports = [
../applications/nix_cache/nix_cache.nix
../applications/open_governance/open_governance.nix
../applications/open_governance/keyserver.nix
];
deployment = {
targetHost = hostname;
targetPort = 22;
targetUser = null;
tags = ["active"];
};
services.skynet = {
host = host;
backup.enable = true;
nix-cache.enable = true;
open-governance.enable = true;
keyserver.enable = true;
};
}

View file

@ -18,29 +18,45 @@ Notes:
name = "earth"; name = "earth";
ip_pub = "193.1.99.79"; ip_pub = "193.1.99.79";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in { in {
imports = [ imports = [
../applications/skynet.ie/skynet.ie.nix ../applications/skynet.ie.nix
../applications/skynet.ie/wiki.nix
]; ];
deployment = { deployment = {
targetHost = hostname; targetHost = ip_pub;
targetPort = 22; targetPort = 22;
targetUser = null; targetUser = null;
tags = ["active-core"]; tags = ["active-core"];
}; };
# it has two network devices so two
skynet_dns.records = [
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
services.skynet = { services.skynet = {
host = host; host = {
backup.enable = true; ip = ip_pub;
website.enable = true; name = name;
wiki.enable = true; };
}; };
} }

View file

@ -19,11 +19,6 @@ Notes:
name = "galatea"; name = "galatea";
ip_pub = "193.1.99.111"; ip_pub = "193.1.99.111";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in { in {
imports = [ imports = [
../applications/ulfm.nix ../applications/ulfm.nix
@ -37,9 +32,32 @@ in {
tags = ["active"]; tags = ["active"];
}; };
services.skynet = { skynet_dns.records = [
host = host; {
backup.enable = true; record = name;
ulfm.enable = true; r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
services.skynet_ulfm = {
enable = true;
host = {
ip = ip_pub;
name = name;
};
}; };
} }

View file

@ -18,11 +18,7 @@ Notes:
name = "gir"; name = "gir";
ip_pub = "193.1.99.76"; ip_pub = "193.1.99.76";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
host = { #hostname = ip_pub;
ip = ip_pub;
name = name;
hostname = hostname;
};
in { in {
imports = [ imports = [
../applications/email.nix ../applications/email.nix
@ -36,9 +32,35 @@ in {
tags = ["active-core"]; tags = ["active-core"];
}; };
services.skynet = { # add this server to dns
host = host; skynet_dns.records = [
backup.enable = true; {
email.enable = true; record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
# we use this to pass in teh relevent infomation to the
services.skynet_email = {
enable = true;
host = {
ip = ip_pub;
name = name;
};
domain = "skynet.ie";
}; };
} }

View file

@ -19,15 +19,9 @@ Notes: Each user has roughly 20gb os storage
name = "glados"; name = "glados";
ip_pub = "193.1.99.75"; ip_pub = "193.1.99.75";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in { in {
imports = [ imports = [
../applications/git/gitlab.nix ../applications/gitlab.nix
../applications/git/forgejo.nix
]; ];
deployment = { deployment = {
@ -38,10 +32,32 @@ in {
tags = ["active-gitlab"]; tags = ["active-gitlab"];
}; };
services.skynet = { skynet_dns.records = [
host = host; {
backup.enable = true; record = name;
gitlab.enable = true; r_type = "A";
forgejo.enable = true; value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
services.skynet_gitlab = {
enable = true;
host = {
ip = ip_pub;
name = name;
};
}; };
} }

View file

@ -9,7 +9,6 @@ Role: LDAP Server
Notes: Notes:
*/ */
{ {
config,
pkgs, pkgs,
lib, lib,
nodes, nodes,
@ -19,15 +18,10 @@ Notes:
name = "kitt"; name = "kitt";
ip_pub = "193.1.99.74"; ip_pub = "193.1.99.74";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
host = { #hostname = ip_pub;
ip = ip_pub;
name = name;
hostname = hostname;
};
in { in {
imports = [ imports = [
../applications/ldap/server.nix ../applications/ldap/server.nix
../applications/ldap/backend.nix
../applications/discord.nix ../applications/discord.nix
../applications/bitwarden/vaultwarden.nix ../applications/bitwarden/vaultwarden.nix
../applications/bitwarden/bitwarden_sync.nix ../applications/bitwarden/bitwarden_sync.nix
@ -41,18 +35,46 @@ in {
tags = ["active-core"]; tags = ["active-core"];
}; };
services.skynet = { # add this server to dns
host = host; skynet_dns.records = [
backup.enable = true; {
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
# ldap setup services.skynet_backup = {
ldap.enable = true; host = {
ldap_backend.enable = true; ip = ip_pub;
name = name;
};
};
# private member services services.skynet_ldap = {
discord_bot.enable = true; enable = true;
host = {
ip = ip_pub;
name = name;
};
};
# committee/admin services services.discord_bot = {
vaultwarden.enable = true; enable = true;
};
services.skynet_vaultwarden = {
enable = true;
host = {
ip = ip_pub;
name = name;
};
}; };
} }

View file

@ -17,11 +17,6 @@ Notes:
name = "marvin"; name = "marvin";
ip_pub = "193.1.99.81"; ip_pub = "193.1.99.81";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
groups = [ groups = [
"skynet-admins-linux" "skynet-admins-linux"
@ -49,13 +44,31 @@ in {
++ groups_trusted; ++ groups_trusted;
# allow trainees access # allow trainees access
services.skynet.ldap_client = { services.skynet_ldap_client = {
groups = groups; groups = groups;
sudo_groups = groups; sudo_groups = groups;
}; };
services.skynet = { skynet_dns.records = [
host = host; {
backup.enable = true; record = name;
}; r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
# Put test services below this
} }

View file

@ -18,11 +18,6 @@ Notes:
name = "neuromancer"; name = "neuromancer";
ip_pub = "193.1.99.80"; ip_pub = "193.1.99.80";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in { in {
imports = [ imports = [
./hardware/RM007.nix ./hardware/RM007.nix
@ -49,8 +44,25 @@ in {
tags = ["active-core"]; tags = ["active-core"];
}; };
services.skynet = { skynet_dns.records = [
host = host; {
backup.server.enable = true; record = name;
r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
server.enable = true;
host = {
ip = ip_pub;
name = name;
};
}; };
} }

View file

@ -19,11 +19,6 @@ Notes:
name = "optimus"; name = "optimus";
ip_pub = "193.1.99.112"; ip_pub = "193.1.99.112";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in { in {
imports = [ imports = [
../applications/games.nix ../applications/games.nix
@ -37,9 +32,32 @@ in {
tags = ["active"]; tags = ["active"];
}; };
services.skynet = { skynet_dns.records = [
host = host; {
backup.enable = true; record = name;
games.enable = true; r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
services.skynet_games = {
enable = true;
host = {
ip = ip_pub;
name = name;
};
}; };
} }

View file

@ -22,6 +22,9 @@ Notes: Thius vpn is for admin use only, to give access to all the servers via
hostname = ip_pub; hostname = ip_pub;
in { in {
imports = [ imports = [
# applications for this particular server
../applications/firewall.nix
../applications/dns.nix
]; ];
deployment = { deployment = {
@ -36,7 +39,7 @@ in {
"ip daddr ${ip_pub} udp dport 51820 counter packets 0 bytes 0 accept" "ip daddr ${ip_pub} udp dport 51820 counter packets 0 bytes 0 accept"
]; ];
services.skynet.dns.records = { skynet_dns.records = {
external = [ external = [
"${name} A ${ip_pub}" "${name} A ${ip_pub}"
]; ];

View file

@ -18,19 +18,16 @@ Notes: Does not host offical sites
name = "skynet"; name = "skynet";
# DMZ that ITD provided # DMZ that ITD provided
ip_pub = "193.1.96.165"; ip_pub = "193.1.96.165";
# for internal network connectivity
ip_int = "193.1.99.82";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in { in {
imports = [ imports = [
../applications/skynet_users.nix ../applications/skynet_users.nix
]; ];
deployment = { deployment = {
targetHost = hostname; targetHost = ip_pub;
targetPort = 22; targetPort = 22;
targetUser = null; targetUser = null;
@ -38,9 +35,29 @@ in {
tags = ["active-ext"]; tags = ["active-ext"];
}; };
services.skynet = { skynet_dns.records = [
host = host; {
backup.enable = true; record = name;
website_users.enable = true; r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup.host = {
ip = ip_pub;
name = name;
};
services.skynet_users = {
host = {
ip = ip_pub;
name = name;
};
}; };
} }

View file

@ -18,11 +18,6 @@ Notes: Using the server that used to be called Earth
name = "vendetta"; name = "vendetta";
ip_pub = "193.1.99.120"; ip_pub = "193.1.99.120";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in { in {
imports = [ imports = [
./hardware/RM002.nix ./hardware/RM002.nix
@ -50,16 +45,35 @@ in {
]; ];
}; };
services.skynet = { services.skynet_backup = {
host = host; host = {
backup.enable = true; ip = ip_pub;
dns = { name = name;
};
};
skynet_dns = {
server = { server = {
enable = true; enable = true;
# primary dns server (ns1) # primary dns server (ns1)
primary = true; primary = true;
ip = ip_pub; ip = ip_pub;
}; };
};
records = [
# vendetta IN A 193.1.99.120
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
# 120 IN PTR vendetta.skynet.ie.
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
}; };
} }

View file

@ -17,11 +17,6 @@ Notes:
name = "vigil"; name = "vigil";
ip_pub = "193.1.99.109"; ip_pub = "193.1.99.109";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in { in {
imports = [ imports = [
]; ];
@ -34,16 +29,36 @@ in {
tags = ["active-dns" "dns"]; tags = ["active-dns" "dns"];
}; };
services.skynet = { services.skynet_backup = {
host = host; host = {
backup.enable = true; ip = ip_pub;
dns = { name = name;
};
};
skynet_dns = {
server = { server = {
enable = true; enable = true;
# secondary dns server (ns2) # secondary dns server (ns2)
primary = false; primary = false;
ip = ip_pub; ip = ip_pub;
}; };
};
# this server will have to have dns records
records = [
# vigil IN A 193.1.99.109
{
record = name;
r_type = "A";
value = ip_pub;
server = true;
}
# 109 IN PTR vigil.skynet.ie.
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
}; };
} }

View file

@ -18,14 +18,9 @@ Notes:
name = "wheatly"; name = "wheatly";
ip_pub = "193.1.99.78"; ip_pub = "193.1.99.78";
hostname = "${name}.skynet.ie"; hostname = "${name}.skynet.ie";
host = {
ip = ip_pub;
name = name;
hostname = hostname;
};
in { in {
imports = [ imports = [
../applications/git/forgejo_runner.nix ../applications/gitlab_runner.nix
]; ];
deployment = { deployment = {
@ -36,9 +31,29 @@ in {
tags = ["active-gitlab"]; tags = ["active-gitlab"];
}; };
services.skynet = { skynet_dns.records = [
host = host; {
backup.enable = true; record = name;
forgejo_runner.enable = true; r_type = "A";
value = ip_pub;
server = true;
}
{
record = ip_pub;
r_type = "PTR";
value = hostname;
}
];
services.skynet_backup = {
host = {
ip = ip_pub;
name = name;
};
};
services.skynet_gitlab_runner = {
enable = true;
runner.name = "runner01";
}; };
} }

View file

Binary file not shown.

View file

@ -1,19 +1,17 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 V1pwNA d/AgQuQidsB5+UMBxg3/YIA/4EVMF9+BeZrEMzgU52Y -> ssh-ed25519 V1pwNA LoF1ddALOVnrPikVoFfIO/Hrydrqoh/4W5DaSMZHkUs
gPmTDd4oeIwwJ5ZdnWp/s6cEupsYPY08TBvmL5fe3NE Fla3oxohjlE6oUkx9tsroXcbDqQoQfi4qixrEqy2+/4
-> ssh-ed25519 4PzZog iR02KGER5WMrs4djPPpMRc3v5qN5FpcpjTkB+O4GyV0 -> ssh-ed25519 4PzZog tojPturHggZ54bUlyCbr0hwLbhTPpBR/o90XT9DYf0Y
ibvzSePq1ruF03QBsHRr40VCZ6ZcnWjvcJzybB5vt4g it+mlc2OKzxnEF08ao0J+aJezA20eAaRBW+ODgiX09k
-> ssh-ed25519 dA0vRg pVsTTA9yknN8gl6K/CkY/HnUc8eW1F/pSqXq/Upq3SE -> ssh-ed25519 5Nd93w W5FDJ7geDB27elGpL6SHBA54Al3uTU67FNsTt63E5H4
3ymQH0jBAk9ktwBUvth8G9ZdDzr9Ozqi9YNVB8fyvGE 1N3NVwEC3QqjpwdFk/SRWFpTUk1tTH7YPQdV2MmF/II
-> ssh-ed25519 5Nd93w fSPTiW3c4va0F5IYoFF+QoN4u1tFGRBrMO9lypICiXo -> ssh-ed25519 q8eJgg yJj2ImpyTpjLGiPqxQ/03tGFDnDN08Gr93rPRUYLLyk
8MgZPPUXJGGOdmGknXhaV0xgJl76dg9B1e5r0Ud/iW8 PLSFba8JFM2na4h6XIzVeKKEw61/ZwlpQdesIHPtggY
-> ssh-ed25519 q8eJgg UFiK3B6YB3YR8fVOWOPLlpGuo5pWpK6b7zteIngC2Cc -> ssh-ed25519 3pl/Kw Zu5dWL1GkgL8ZhmFuTg56GRGTvTTDXYOXGN75/h37wQ
K+e9B1V7AdimOMdy7YCJ7tJnHsHoQChAmWmOJDIdwMU nvNXCSa/VsjchPWRMoFNCRLe6SK/trUrGgKa7iJkprA
-> ssh-ed25519 KVr8rw FeMibaL1ITDNByDL26VRXVz6d2FP13SpKoN87RgTYDo -> vZ[z@fHA-grease
e0LPmpAe9wRRvgKTYq96Qk+WiUhfixiatuWPPi72Nlk mAV/h887fY2ispnlxuTZ+LR/EIYhV6LqbyuDpEc4p0jnwdpYhEAfU4KKZtnxae22
-> ssh-ed25519 fia1eQ i5+7lIZDOm48wywy6CRMOLVhHWnmV71WM0QLSbyhqV4 q/IM3g
S5nAEPHEmAn3AGxN04FpVKwVHrWtZS2s/dPeVv4ryCE --- QXUMgsJS6LdbF4du60HslLfcBq5xNsazlzAHb7jSeDI
-> ssh-ed25519 3pl/Kw Mhc4y4szabQQaeBWtZ7mVdDnZYRwtninrBhcyHoUm24 |á©eC Ÿ® ¶>,ÎVÄ•Ë<E280A2>3Mb<4D>$iœ¥IŽsÒ=qk܃œDi
lQpLgpgU0ak9WDQIJxd5Yz/DUe14szLvsUGxAil+5dk ÖŸîè;S¸´)ßÄ<+€ÔÆìò)¨uRê²—[ÍðŒ4©}¢{61Wr ÈEíëPI
--- eUzkrzEEXETs3FXa2YqSW4yqQiRLFC8Umr1D+Bq334c
ڙءm“ }ïÁý9Ž.û”I^éY%Kcö¨SšÒÈ®¤hVó„Á{þ7Z'i ¸<¡Z#s<E28093>íÆ<C3AD>šs. Þ<>„zÒIW=†WÀuþ±ÚàX

Binary file not shown.

Binary file not shown.

View file

@ -1,19 +1,15 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 V1pwNA LbYb1XP9bLe1lcsAfGwPkK2/r2+TnkkEgfS9fi1YKRo -> ssh-ed25519 V1pwNA BxPb6d6nlJHiTkbcwOoPrvAPBuR1iJSFAXIp9n23Ix0
Z20C/zQluu+Qanf4d9GSj4pLirCyqJpa60H9hodMt5k hl0X3RjOEYp2G1QU4SC6CBF5YVlCWiakMsRbGTBYkzs
-> ssh-ed25519 4PzZog IFlhg/gbQpiMugcQZUHwfAnSvhxCwW67XmfSNmYOSQE -> ssh-ed25519 4PzZog Nf/tUysmhTfzaoHhubwdQ5NKZw5SBd3CEs129FGkuio
nOp4xPFMvIhUH9OUVz8B3L8GI+Um2egjHV0FgmdNwwM 750oaBtfeBEpDuasZFr7RY5uBzFZZNMNGQkRyFfEGCo
-> ssh-ed25519 dA0vRg OAmV1KiprjoIgOPHCYcme2uLiU1xEdohTWA5CiN0yG8 -> ssh-ed25519 5Nd93w fI9TNLWkDkvLCDA8eTMfVw7fRPylWHPGzPupya737xY
4/LHk5LCGrpMISvpjfo7QuhnRrE3ycFGwGTQ1i6VaZE wQcz+yf+EqDNmRWqldNuQjjy9tKc1zN//yumtGpGbaM
-> ssh-ed25519 5Nd93w jv27aiNze8Nxp2ohY7NIRtZv5lBxAdKYGWdqWD12zU0 -> ssh-ed25519 q8eJgg T9Iv+fRwmOLYMXe3ur6dqudA1z2wQsKQX6ogkyQT3Fw
E5Rk0r8To4B39UsaZavEkAZlIPiaXswsShMgsyNPMoY LBYKL2OtLiwq25FkvZjT4H3tu8fOA+KFmFp5vjbncLI
-> ssh-ed25519 q8eJgg /o798N6b1KlQfMM9gQf48TF9V7nXORxW4SOpcpYCuhI -> ssh-ed25519 IzAMqA O9JfKAlOUao2S14iczlnTzT2sTSAM1vOR5KjO8eJMG0
RVYXWwZLFL6ZUjGbmXBzEj0+Pe2wpZFPIj5yH9kRIwY ioTSe6X4E6jE4c9Utl2d6EUHZYilnbtRnB5QJg3S3Q4
-> ssh-ed25519 KVr8rw +N2w/8vvD7/uG3TMYb+9vml/vZhLkoS+03KEDlQWNhs -> 6&-grease
Hne+3S6vVc5Sx7QJ+OCrPCt4s5usZ7B7WwusnFQLmSo BkWorA2LiphyWLmdV3AeKsI
-> ssh-ed25519 fia1eQ PJYYKfL1GolRt90KC52dvUyZ/HjWRJm9vMTjBvrCOkQ --- +MO1wX7pJf7eq4MkiWSP+xyxThI5jnfseS8jd7LbFoY
Xc7SpT5TZLTOORLO3uE8tPXKx7thUwaJi3ixngLRljM ¿ÕWV¥—>ådD­"ð`ûi+ €Ç¸ÃæÕ¬ã<C2AC>ÂSмk°H¨Ojt<6A>±Ç*âòkßäŒØ<C592>ŒÔ¢9Ë×P
-> ssh-ed25519 IzAMqA AtoNahZ3dTQasdfP3wf7U1RJyx//Kt82e1TMSIkW6QA
neLAeCvnsl4RDq2H1slZJ+5i3JErqy4aRGoscpRUi/0
--- W8B6kla08fEkl4Kpp+0eAHj7B1j3WYCDcuwJvAIEW58
)8ýG(ž¶ ìò<C3AC><C3B2>žÛær_št¤Ö©zµ¥|>¢od…ð×ù6µø*0j»…r´ñTü«\*v^#

View file

@ -1,26 +1,22 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 V1pwNA 6NKUbOSUbwVjzW/ZUpl8qEiUTTegFlji4+tVJyqY3SE -> ssh-ed25519 V1pwNA icye7bxeLugaCuSwMYAZQOrI7tcG8uc9XR5lTYBkWQ4
fRQvaKnLMkVBboTEriQpWlGY9VBAP3ppsEbAB2QTScs HRsRB0GVkMPS0afDz0ybcTZ/oexA7zV9U6hYyyVm/hQ
-> ssh-ed25519 4PzZog mp/+b5LpB+DvRduqAZiKWqkZq6+tlyQgVTZz7Oge2Us -> ssh-ed25519 4PzZog ihJwwtlgiICUNgrpwVVKAAcDP9JxPgBmcruW1em8RU4
OycqmZyDr3levWSfRFxypJOkITLDix0Q15Todya6BNc /c6JJDzrHwyEelgMaoDeADVD/yL+ptrDdgSSMFceuXs
-> ssh-ed25519 dA0vRg yp/4LvS9DbdatHFWFsP5qhH8CP8Bs0IjVSenUtG4+Xs -> ssh-ed25519 5Nd93w aLRd09zpjgCnj84pFFfPd9FrJGsnemOb99EG/TPe+UM
hHiJEtl1ffYXltsJzuEMLGUl2i/i3pFzv4bjbx/cbOI hEM/T5j4oZI05597dI148eRbRU0P/E02RAD5ypsl1eo
-> ssh-ed25519 5Nd93w BTngmy4NGLGKhC8lPos63QEVBKoQT82KswQ22EypcQQ -> ssh-ed25519 q8eJgg dwCo6ph1KTMDgFnJLrGFtzscrHxog6WGRUaPdBOuCSo
OCnJMkOwwXQVbtCitUizXM4nynC6a1tiPSkm7MxulWA WCxgbOjZy9vkgcYTa4t/bgc5qfxlpFOiQ3vtCvb+uWM
-> ssh-ed25519 q8eJgg NaEjVcDBVICRgXuJchEdE4vg3qmkNmJAbDDxLq1fX0M -> ssh-ed25519 IzAMqA Q+XUnmVUAstlxgZTiXXGZN7Nzo6G0zgS3jtil8MKd0w
YFwUmEPwJIik5YJ2SV5IAmqGlY+h24voJJlrBaoCBwA 1VFkeEGLZLh+j7e1RJW1iCx8ueLNTljTsxpujkhwBPI
-> ssh-ed25519 KVr8rw ZnyVITZFkuozEs/rbTdxXDQNS3Nggo+JkBL1Icht2SM -> ssh-ed25519 uZzB3g FeuGUR8zcPUHkev9PVARM2ac4Ezk9EjO3gWL15kkjjM
B4jVVts5lK1kIlOWMl0eiN7TpsTeJZWIu7NqildxeGE W7DXwMWrIKEzs2IJ4MH/diaqkUK+lYE5ocJ3qD26NyU
-> ssh-ed25519 fia1eQ kvzARRScl/eypC2a5cY66sXcH+TZqz4sYg4W/k9iJxQ -> ssh-ed25519 Hb0ipQ +hueeoIxI4+E0bkElclszUoD4ftHLkiqe6XGcMNbAn4
Ga+4TVvXiQ6i5/+fgUQ3E5tJiLqdBsEsXjenXEpRV/A mS/SFhLfjQYa76qhDXvMijkvbWkGRGcv7HWlszArX14
-> ssh-ed25519 IzAMqA 5sizvlhLhAhAR1bViHJtRJ8fAIO56TAuLVSOwE177QE -> ssh-ed25519 IzAMqA CLf1vDYSLjW2InHfHCEfq/b7j3zyRH0TTcLSQ0Evmn4
b9oJ8BC2xiBjvc3D0H0EF7bSNDlpvIidyBCTf04ndJI tuq2+h0UVzt/lTFdpLn+fr5rIYdf8mgdDny8Cak+k3c
-> ssh-ed25519 uZzB3g g9y66zNmQbqP6Rbhg2t06W3YOgy8DkRvJZbWVegT71s -> x-grease
2dH7E76tDMrWQJbLPefyORP66iaPHQnSjwu8NCdSyJo Eeo9UQ7LVOjORlpR2Jf7K6P2OEdc6HWWQ6/Yt//KHWxKStUtMv2fPIHu3A8h8mHl
-> ssh-ed25519 Hb0ipQ azOzBLXfshInlFVpV0PzIBidL/VzA/+kKRXFFVD6ZF4 iQT/Xmlg
iXBF/Wcv4KWo5qUXUlyimuo0l6aClKxOCtkm3MxAIBc --- 0/OGiJqIu2aFUO8vqJ936PvDDNiohDSVkqpsiCxzfiE
-> ssh-ed25519 IzAMqA EWitYyV8RsPIB6HEFE2OI/C1zcC6WfBEeDI62rGVmkk —Z ¥lŽ.§j¥õßZöE‡¤ääóÓ´ì€Fx®6Mœ!ã:øö‘×û¼ÁzbªùÎ.tDΊz#:xãc}<r0n£°/èþ*?·ÿÓ*;Ûò؈kzùûîAõÑO"†”|K>?cF£/ÑÅÎ؉Õ;Ë<>¤"´eJM_Gv·©e7ôck»\E9<45>³à&öOúž+â< ÁÚ“+ýÕŠ 2«Hm<48>½
Bk9tdSqIjLjat21J2LM8RXAt9GwdQxYdfPzqDtCjunE
--- waY7j+HMEOdqEZs/TcLEhUY9gJs6ZSc51VNfuCmCxJ4
Ý;dÙ9A‡vÔé±nq<“ê;TèáƒB؇$ÐGÌvï¯h
»\^Žé§lÖ¯`š¼ÄÎ?l¸ <0C>au~üЧ×yâ[ךju²ü;]!œ6Ëè±ãXIs4ÇŒ!Ù@ß϶û¬‘|›úïª">eÈÿ[Vž´,ÿ5˜ý8N§¹Œh<04><>[ƒ×´ZD,&âñíó¡”õIØ>ŠØù¡<C3B9>|ÎézÉm

Binary file not shown.

View file

@ -1,49 +1,34 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 V1pwNA 5xvtgxFvEOX/bVAOdBBF2Fyb0euGt95YjhOcfpGgHk4 -> ssh-ed25519 V1pwNA 2QqdIJOBGkHQYLkNX0NRvazb6IBk4SYYps1lAC8N+WM
6oN4Xba0W5g/d3EX2aC4N6UFVf/oHGgdTxBcMbjIdHo GkubePEafiWi3SfR8GXeXU8+HH4PxdwHPd9GOgvzhWw
-> ssh-ed25519 4PzZog SjAcOftaZBEAAZ/P+Z9OTira4/QLSMRefC+JkQcf0G8 -> ssh-ed25519 4PzZog WEUGHm/9UeG0iFVKxFkaZYRtmqlVF3b3ikRQlA4Jgyw
zG0R3/r+PBjWj7WBABmHPXpqx18uLyuFMJKB2az9i2E yl/pe3c9C147jQj/uNIN5QMkFiVSAG9CQHMEOmK8UUQ
-> ssh-ed25519 dA0vRg k8fekPA7w/QFMVnDfCrpOlfv531/nw9tO7B0d+mWHiA -> ssh-ed25519 5Nd93w glFj1OmRcPMfXX8ZNklv3Lpoq27u9pK7LNtFWVUwjio
jp+DndebWEdk9+wt/nvS0LfRsFf8T7+dMffWmx3tPw8 FeNTpW3aqxYE84kGRze9BMR2hDRsBj9a9+439fqp23A
-> ssh-ed25519 5Nd93w dYe/tZ5qHoacI1IBa7yvDL/grZU7Lc40gU8boQY8Wj0 -> ssh-ed25519 q8eJgg 2GCD+0xk/pRUefV/qWv5GKsTS/vu5hGtr7lOPteWSS8
eBs8fYre18RGW8+RH4J4AleG3kNpCZ0agAfcojSCy2Y M4Fsni71ockMvu669XMHM9++hXiz7TdFLf6o1izc0bc
-> ssh-ed25519 q8eJgg 9UZdBq2oZ29U/kzeNOGn+q8RbkLbJwM0eSJHqSLV6Ek -> ssh-ed25519 XSrA6w yaCOzzT0GnCzdrARp2FQHV7npbD/JnuV4tSYwIprdXE
vqa610t5XxHiKBSf7veOc09ZFYW7EF1KpIbCpdCsegw iEIgUn1+aDXN6+qDBNj4ltdCXYqxEmXXql645cGSyrE
-> ssh-ed25519 KVr8rw 1CkykLAC3c615TDRlOeI4GHmqu0VT2kclWkr+DT9dSM -> ssh-ed25519 DVzSig kQJIpvtSZSw1IUDIb3z7HNRz4dw5H3jb8ozcynSe5Bk
0MyPNEmkHICQZxpKt0jBZpce13c+jn4WC7IJL4uWZHo aHT8f8DncqP8pgE9oL70619xyNtDBzxB29Hq/ma2rt8
-> ssh-ed25519 fia1eQ OtFYStmc1y+yqYNaNgHxEheIIVykYAa/uR0dKS4xX3Y -> ssh-ed25519 SqDBmA QDrZMYCMSsqmhFIMaNi/keyPOry3YHwS0dMGGumJLzs
c2HYDyrD6Db3FNLP8tebLngtS2S8LHsmHovbofsUk3U Tj0oKWFsU2aR7CQSyeDYWq7nY/vbcOkMD9JrLFaq2Uo
-> ssh-ed25519 /Gb5gQ rAc4CqbqdkIAFystL0rLqGNH56GrKxOBamqhiIFAY3c -> ssh-ed25519 UE6fcQ Hb0Bp60va2pYytRaSaLbT9sKcosbcezSJs7DNiS7jgw
RR+NsZe0HQdQv6SgeIqy9IcIChXdvrsspNDBngW6Byw 41IjrgNOPB69pabq3JRhdFNocy661JSCmXLdk988Hyw
-> ssh-ed25519 NtlN/A 93citgkp9Aj1LDK5UdzJqYVVYaWgt/Cc6yMJka+ccyY -> ssh-ed25519 IzAMqA 54sUUDUo1EurSpAIHhwUYWUF4jabHauQqzdaZv+q6WU
KTcyd/SygOLp4mPI1zGDTKCNT7LfVUw12Bw/qnTnMpE 14C6ao5GUpicJrdIzP0YibKO0xoY3ehc1GDEWdWA3Mg
-> ssh-ed25519 v2Y09A +fWNE2zU+lz5KGu2Ed2MHb9UXzJPUAUuBWilF/AS1Qo -> ssh-ed25519 uZzB3g I/XkpzTDdYac5rJjElfNpD9gh70hnzImBBtBnEse5z8
UVJWnAjRcD7X6iA/heoWdZTcsUS+1VMG5leIHxWZGNA 9SzTUatocYlqsyoNJ3oPaA6nZ4gZaRzUUs/zSXTPLM0
-> ssh-ed25519 XSrA6w fft3i85PNprS9QqQo2yKr3lx3qHuSVFeVYuT5Gtfyng -> ssh-ed25519 Hb0ipQ h/VbRE/4QmlDmxl0nuzV828L75zK14FJTlxucIgw5Fc
lNOo2jQXvaMElQawI9x8vnQN5bnnNefEyYXD3YqwOwM EbTPH0ma+TA+tbfluXrvNU7mfqrK3Onn1riikEA3t08
-> ssh-ed25519 DVzSig a5q+imjqWqTzyM3aU+UvvGv3wH3RLTPl+kva+qVSSFs -> ssh-ed25519 uZzB3g M0z7FxgMYUNi5CMRYnpTueyx5RwhJtArrv8o6pj+LEI
Pobzi/5ZVyfGhVK4cMqvMqaAol9X4+P3hEaUeHdiacY JjlkieTaJ+kz4CxdyPN4MDR1IUoWJf/uCGZj9jc+csY
-> ssh-ed25519 uZzB3g B1D2S87+yPr66EikAqLw7s5pazfQeQUxAj4FFnk0nAE -> ssh-ed25519 YFaxCg 1C4qRq/rM5B36KZ3MkGl1wT9NwsSQBoefccxiBi3qVc
3lEw0t99aSGqkZdi+ILl3+s+JWRKpY4BHLXdrHfFxng TKz4Ok/TVANl7cQ5sySccxWySWBXPtvJDM+eV1dsTz4
-> ssh-ed25519 CqOTGQ urZpNzMYvDnGR1UgjgrRYp06gKWcTEWUDjyb4fdDTD0 -> !s-grease j^W+6, Ab
7jeFeoMBitwGFQLSynYVyIYsEhHe7A8mdl65goiX5c8 Io86Mr5+tdtC+WUnf7YWjuOE9oHm2iLwyRRiEKgjxDIvNtDgdiZ+0nZ7yDRmuO48
-> ssh-ed25519 IzAMqA QmtcH5afcef4NMRX4AMrUHW1tCPGOlJ+gIhhDFkUCSY 6OKmc9Wc2nsqknT6odS8hAgR2jIPXvg
I4Yg8vgoYGcsV43qq04+nrhzMJ20eaQjOD4EJM0z2xw --- 4YBEXs7Qucs2NbbyqhTgQrWZhejQa4XmK1mgd5eW4yc
-> ssh-ed25519 Hb0ipQ CO7nQSSKrmkQ/C6DuJxesIMJmm99eQytLzJ+3/Q38AI <EFBFBD>ë~#ñ)¤Œ+s?ÐYy>Ï_b?ÝL+)cÙ(8õ$HmMâ<U†
/kBnqeivoQLMaAA7nX0t4/UAvcOIchEu9bJWxIuUOV0 ß<EFBFBD>­F•a§Ä˜Ô, zøæ>`7'ö†cÿÐð¾&cO¯hõJs|xW6±kâHw7¾õ@4„N´P ¢zW<7A>m„  >"?JÿP 8Kaç—óU^±.×ô"Ì=¯gìµ6(j†AEîPÅàÁ.—yòWšŠl¼ç ° —ÇÀò-£3¯<14> <0C>¦aãã<C3A3>
-> ssh-ed25519 3pl/Kw qUD++i8FGbEAuqa+/v6f664tlVTwHGYF3AmTo0cuZyA M"lkÌûyº Ó¨ì 9#og`p÷<70>unïÜÒ·™Ïý„C¯Š
vjImiKQm0SHiuO7jZTKRg/3MKzDExfE+p9ZT2nHZr4M
-> ssh-ed25519 SqDBmA BGwTqAeEptBFRbwwVkHZWX+OKQpALqrPvA2+Cl356D4
Gg69WAtr+AAfYT1G+WcTSIlCbNqS5DyxsZw81DaBSkk
-> ssh-ed25519 UE6fcQ 4JZzLWThfgJQSNDDtDp8ayM7N9o5tQ6PVwKMj28inC8
RyEWRmMbuXezYZntsTdVIbjy/YEbrflqMpirdg08UVQ
-> ssh-ed25519 YFaxCg LTsikBkuBwOuc2qrnTAMVtRawZyBosZScefH8qWIqzQ
aLiVK7XFI8iDRTCGH2yJnUpydjTp7NF1Ygok6D2Fo44
-> ssh-ed25519 elCEeg TKQKeAvY3kn5IuvHoS0SWtX647nEn1txDftt7pPQEG8
OPAFqPGdSS3Ud+gFtMXG0shrXSmVrIBzvwc19Ac1NJQ
-> ssh-ed25519 8vZ9CQ NGLF9epPqcfbQWcbtMeYIcH0jAZMvO4P7UbKtl8lGRY
ZJ5afGOI32OYBpWs6pe15z2IB+5xgO04/OsKp6ixT5o
-> ssh-ed25519 rmrvjw tfgMxvtTE2vv2qQJtQk1J+YV2UC/2iZSs0nvbVzV1Hc
HW86DML/9MXoTs0WWn/zNi4Rh9SBhaHl2WC2bkiLbmw
--- Q4amxZgWmdHcf7aqav2TpKA8KX8B8ZHuBhzIcKwbFTs
E¾ã™r<0F><\Å?ë @î}ËkRÕ(ƒù­;È^3PÐJäO“ãSÜØ â`¶¦ sb?9ø¢¯Âÿx$ñû/<2F>ø~4ÊF v_¨þp4{5 GZ²f"<<3C>x×"q‹ºbj¯:cTuWå>BͶ'<27>ã)/¥×]«ôÁÈëöà•wžÉK%þo B*&Þ׫{\ZŒ•pë£KöŒƒ³Î¯k}Ïåíß Ô}P=Œ¸û·?<õ¬ºyB…‡sbŠ„<C5A0>ÿѪ%â$¢#"

View file

@ -1,21 +1,18 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 V1pwNA +Ug8WtIQLZK1chInj0113Okqae8ImSdTvQYYDD558ig -> ssh-ed25519 V1pwNA 4DenEF3jiCxCBa/F8ehgk13NlKvLzEfIxeQVTlMvM3Y
ao7w/Uow6sCtoqRDr3Y8NjuF6f9P62sKfx5+5+3yV8k czXCvVsOMZDmAzqxT6z0mCsGntVeLNAJX+IIz/5XS6Q
-> ssh-ed25519 4PzZog KZwHoIkqMTVHcHma22+hG19oBgCNZ3zZ9fgs0i3NMx8 -> ssh-ed25519 4PzZog 1fBsKWaKTGW1gioyrDoRsCqFhGfIThj1cq3GaPDlIjs
hxgtsHVx2KATvEQM790y7foAaWVBFnqXz72CovkbcyU BFcSRxbrO3n91pEXNV7pInCRAH3W4NHFOYPDlvpPqkc
-> ssh-ed25519 dA0vRg QORz3gYpB5PiM5Dgm4s2JNyJSBFTzY15tlC0JNMtoTE -> ssh-ed25519 5Nd93w 4vy51/o4XExQqMRP3DyeVK0GJO71jYCm17qH5tC230k
1AuUbuw4YSoyly/iHY2DGBOhRijWoXjsFfFM1pKKlUY UgDrJ2xPGL0O16g+BFOw/kEso19lB3QD35vLhxmQ2h4
-> ssh-ed25519 5Nd93w glPMyqAhDvJSOgief6VEWflVervhftUbNgnDOVtKX1I -> ssh-ed25519 q8eJgg tAGYnvVu5NAlrs9UoEIUb6H898V5y/st/lnGm3w2o1Q
xDSl0Oe0UPiWRnFythx/6ErNSy04paTWWKrlheEEzLo SYK1mWCClDoK3dj2KYmicOLRvgDC0qdOmhE/AFFWa+s
-> ssh-ed25519 q8eJgg 4Xs8DKl5BV5E8oGE9MrhBanGuTltQZz3JsCI57UYwiU -> ssh-ed25519 NtlN/A iXJJI8ILFcZvIPaHkWOYSUVwFJOEB5GPpZX/5EcWJlQ
c99NCU+f8vbvFq9T+P4Gi51ae5xygzuyLMFGf8px9CQ XpiJUa+J2rjsAhhQT4szCwDMudGjuveslcsLs3wVSA4
-> ssh-ed25519 KVr8rw mPvw8t8On+jnc97m5f8x79Kcx9ZhHWyL/YW2zVllqUU -> ssh-ed25519 v2Y09A SkswYtVP5bn6FJZwL9AxxONpEyB44Oct+tz+eP4bUwE
X8CuzLbLfT6sDhZp4rGif9RDD0zHQzjEp+v5PHX2BAk 0rDV7iOQI7GAJ0VkqozwgA3guoCRvCb5e3lgPAmhlXo
-> ssh-ed25519 fia1eQ CRUdnRPTZQtB/YlTqGcghTUjUlN7avoJ3iip5rNgcEo -> ~=-grease
IX1fAfmdteXLwXF7S4aFidVmzr7ClQE5Dlh5siyQZPM xBfYaHlWp09gHdR9CQ
-> ssh-ed25519 NtlN/A BRTimkF1zqBp4N1cep8+Mzet7cX45ZHTz9NekWNaNTw --- wrlmOZpShrH1kgr4cDBNDjPk/zLA5Ro94cpUy06cH34
//1gIudKHmPM5A/1fJNPaQO5TqbZzV7FDFM8EhEFzIk hsõIC
-> ssh-ed25519 v2Y09A U0jsaGMHVO2LpKActT5oYiJrbw6oLeSwzgzR7ufQpF8 s‡1¶…ßø5k|`3rˆUŠV»öÚŒ†`©”ÿ¬{×¢1Õ´€ù˜¶ÇHï¿ùÔ¡<C394>Ó¥Y+N‰ÒªÃs浓ÏC+„±&0"VØìyíjVù¤â <C3A2>Ï¿ªÿ¯ã“pܽ$Ÿ¢-8$­@<40>Õ¥á{‰«ˆÇTFºFî ñÒd|±
CfB7xVWpyMHsRZbfwhtlBdZyUwAuLic9R0LBm6vXNUo
--- wiRWKVnnLoriKkk//al7FuIGYKru0nO1/XGhpz6yWls
§$r¶£üþlÁk=n†CxªgA3Ö•^%ÛõøÚÚ8ùs€±öúJº&<26><>  -×&Yõ(Íe(jðv€“ù¦Ž¥!¢ä€ ¤?å9^çU·¿ñ>fA¼ê(ŸÝò­„Ó1Ûìæ#<23>\³0c"Zš†Íû³‰^œ4_ÌÜÙ&Zø»•ÏX°¯6+Fÿ<C383>

Binary file not shown.

Binary file not shown.

View file

@ -1,19 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA 8acWnck16a9QK194orAzlQgQKINum/cyUzJqO6i0rkg
In2UpSbBR6QoTMTZR/GpZJN3x+5CK3hZcEvr5fORoOI
-> ssh-ed25519 4PzZog /YeuXUmWrWFohgOSEmUygaTax668bLZpYO2T7KXl8n8
mgnBBIsPycR6RMhLk4HQei5xQLzVHiBHaooOzZdb4YA
-> ssh-ed25519 dA0vRg DidrxIBYvAfPkwNzQXy2+f6inafUafoX8cfUChA7l2Q
/wfxyJAyrQ3Uycxwov+0b9pKKOxPP9mySRK5g4BzMnY
-> ssh-ed25519 5Nd93w i+oP7x/eHY/Roj4mdpOFHrBe5rxUL7/4617F4O3jPh8
yTVD0dR3ljoUSv1qyuKcOvr1fMRm9C8YAZKKjURtCPk
-> ssh-ed25519 q8eJgg Y0yxgrLm9/E8nYBg6Yvd0GPbY7PwCJCumQ9CtgWFxxo
9BfGPSP7pTTM8Dm9qXagKaw95hbqvvp7qsFkhQgQco4
-> ssh-ed25519 KVr8rw pXha2ebkoIFX9dMX3uRz+0rcbwcQ1mwPnLWp/wCzx10
BQQ77pXJl75c6myecmKlEpqHtWB/rSdG6Pwpbxzcfbk
-> ssh-ed25519 fia1eQ gCgas1CqGNZ7n09J7iXOvh2xeGgoszn36ABZwiskBBw
3a7WMN9aB6ZvwFyP98At9V9K99hD1vkvSJgnY16/JKY
-> ssh-ed25519 CqOTGQ DU1oon3RPo4MCdzigrM2+b3KnTzzTSG/WDSvtBaF1VE
zwKaQnXT004dMojYFXPz9UERL4ULe7mPZ+vwlZMxFvY
--- FWICxx8MWe7awI8P5t0XsbA4Ye0zbxCdMbapTs325HI
wûùÿŒ­-”¥d!Ñ×=gŸ&ÜžH¬©ó?÷IçÛÚᕪªêÏ<C3AA>Ò¢Ù„öLÒLË-<08>Ù¸ÏñU¿? )ûVýJæb®éÄÎC

Binary file not shown.

View file

@ -1,19 +1,16 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 V1pwNA aYjPUkjZHoQm86XHx3VbGswLy6VdKNaaHe3f3CGa1ls -> ssh-ed25519 V1pwNA 82JAj5XsvsKT8sIuARe4FTmSiCygEhTive+jIJ7h/R8
HMuWoZj4tY/nWj1nrgOxob1hJJD/mPD3kQnDgJJafeI M3U8He0axy2HLdKnmKDyvilT99LQPEkw27FF2hUI3tI
-> ssh-ed25519 4PzZog GojGaXIg5RK7WjJSCZxJksXvsm9TZTlbHITuksMivBY -> ssh-ed25519 4PzZog c45jK9DTUO6sXTbhs8UrUjLIELIL8XVdYiOYZsR/4yY
4oAuKXtJ4ksvusFX3OM3VpdzfArrglxJTN8kCdhIjrU HS4ng3Sb4J0f9OYHZLmWHWS/c3uetn3w6HG80uZNdUY
-> ssh-ed25519 dA0vRg AzGx90D7iz93gHtSvV5oIbBkwgQEpVY7DTRQIZ16IiQ -> ssh-ed25519 5Nd93w fBv3U1fx4kIQcPWAMl1xRUeIwiM1+0FpfhJZrHQMww4
GlMsor4NxuhHs1HJg62O3ZtPF6CHHFc46din6fm89G8 8ANUGKVp5Tpq/wbIgXhpi5cPsxFALOuOsisMEN5A4j0
-> ssh-ed25519 5Nd93w oAyaZjUSGC9moA7pLR4+dzoKAggFuKUNMnRbn/fm2FQ -> ssh-ed25519 q8eJgg HTr8SCqna6YrbpdEWdXf3vcR/ohxQStlXabHjZN+zW8
eHa/2iLWrqv/pPXjgfxtk68MgBX6EYW1YWfs1kXkazU vyoLfNsO0zW+S2+nIHfB1s8GaD/XjfqnPq/i3G4IJqs
-> ssh-ed25519 q8eJgg xBdXNLjZqKi2o+cbCXGdOOSFnlfPgaxjQb+IK60MYHw -> ssh-ed25519 uZzB3g f6+fXpF/3aP36u+G1sDOhaQtdaWXwxoW2aWWC5E8X0Y
dxV3kTuaJ1ANFgRaYchwAa0kjGZHZ3POc/Wrw/per+w KRDi36ChFupksZMkxWEnUkaNBgZujYsXEhS7ngueo8E
-> ssh-ed25519 KVr8rw TR3AjhWy5K1ntzMx3mZZZWGYi7EvcWiFpTHyU/+pV3Q -> /Q|[]_7-grease WOAZ6f R~_\$m7
Y/xu0hrhaFZdO9YY8vINp3796HZ+LAL+QvBmIWmoS7A e0+qF+9VouiUjHXF8coBkESl7COpdlPlBQYamcTsTto6CgZUZkYqWQ
-> ssh-ed25519 fia1eQ zF6CArF4sVXzIRenfDq7WHz06WXFdo7vMgD15NI/sR4 --- n0CQNPMTO1iiR+zt+dDvj0FocVteXkclIlI0EXoKV7w
m3sGJNMtAeY/yIq+D2nNncGNxX+KKXt0wCO1WMZmSTI OÐâr€é¥ÜP¼K]PK<>ðxò>ÿe3rðd™¹Éçž¿¢½÷ôÝÆÀŸݦ9d¾Ñ4¿G cά<C38E>|T7gÕ7ßz
-> ssh-ed25519 uZzB3g pTocgT3gT7VHD7BWt+rGRIqUZYuh2G+1VeTJxyb7Xxs P”¤º´ôó02ïïÀb¶Ú<C2B6>„fäÇ,ÔÒ¨<C392>Ñâ2Åm  ‰ŽÌz^»]M$jùƒñÒi7uYŒØ_lNPuÌA%·<ô@Ž« €c„²ÿõ{7
q5UYfrUVbgaqJCxWKegc0q0PvPR6AZ7AlI5ff4ePfjM
--- 9KS9xFBleYVsxyktikZ+TX9++1wqXmDBZxU3g7vwwLU
<{r<>U/˜½Œ°ßR¦*°Jd)¥<>“»,#ø9ns!LsÈW#_ÙwÒ<77> ¤äÃéÐMÃM‰Ãýð8sÏØ]ß•üƒ—8ð3ˆ¤7@·YNØçXlÿ¸æÜåº š¾Il^0p"aºMf«¬çG SÂdBŸ/»sêéÌ×,¡4!ãÌ<C3A3>rPÖ¢Ñ-Cáòky<H˜ƒÆ ÞZì'

View file

@ -1,20 +1,17 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 V1pwNA RT5AJD4kBHmv0pPNB9TASl4j8h4cIS418P3V9rUUjWs -> ssh-ed25519 V1pwNA zbwJFS2QBIHZRiE4K5BdN7eGfbQlmRtLuLeoEpyFCFM
tupAAUlbIdszxHMO3T/LgFcl0LlyxnSmu2E7MWuCFDI OndU3qfYY+iT/nYdOtas7p1dYi39xCUMb1Nj+YVJSJk
-> ssh-ed25519 4PzZog Vq8xPSUr64TjNwWY/5aV9tw2UqmCcflWphHQgl1qNmM -> ssh-ed25519 4PzZog 5aTl6FlbnR1pZpULLw+jlNW0rowRIuyGO/96DXbxvD8
WBWAJUfJ5+otsz5ubRqIMPvk5p0/h/yQhyg+sV41hBE d8Yg+Qz65ovpmHTITfaNR1htvi1uHpgWD4pLNJSVMIE
-> ssh-ed25519 dA0vRg Hkzhdyy2NueyE6zrVxzkXvPBzPiczjCYsT63XpqcSHY -> ssh-ed25519 5Nd93w hhQ2hSlt4zwb3Fd+yn5xf6n/AgYfKduNwfErOl1h0iI
bP2gd7I43q9vjKdyvrxddxxlG9b3mRq+NS8gC6NXc78 lLDJeVxVHXxDVitPEO1khWp/naBS01PRhghqdwGX7/o
-> ssh-ed25519 5Nd93w SLwM7TepNucy+RZJpEHm6ZffUInNzsNVqbqYz1QcGFo -> ssh-ed25519 q8eJgg 0685al0XDu1n4mW/V8XOissXUZpZWsRY2gwoPaDLx2w
nnxkYPOQkHkDFIBOVoB0/96NblBpy3sBwSf4JHjQWMA Q4FBE0pRvOk46vPHurWEquxIVmUT8VNyoy1r6NE3po4
-> ssh-ed25519 q8eJgg GZpY0Ya99WQl+SaQ9+uROl00vRnQ7AKfAL7L/f2UEjc -> ssh-ed25519 uZzB3g J3o3a8ZacO5Da98//sQuBpIesKnRqMTX8sr0utvsllM
Ylvcy7f/6whLkWW8a9V7cFHQynznmoiK59d1KouN+nA PLRxThLCtvk5UStENFzLR1MwG4icX7skmA4SQrrhIiQ
-> ssh-ed25519 KVr8rw dkq2lBd6MX7QwX7VLYoERu0TH1kl5mQps+oPtrwcUBc -> mv-grease O \ Y.]cK_N
gAdFa9ycxKUDErboYQRgIs1B6QK9ExWLkl6bzwHjOcE LQ04Y00qPx5cYrRotw/pR9ROOBtKr9JdruuC0UbPcyTMXImMGmU5rboZ2u269aq7
-> ssh-ed25519 fia1eQ PBbnQ2fhPW2GB5y8DpYAu9Kugb3sdWb86h0bSYwXRzc 6ik
1HVvMRgb7c9V53ApEasPXetfBvsz9GSArJOxGtRXbMM --- ObM3b2VMeI10gASzAkq/H7poz5NBh1eGAKq5EI2z2TA
-> ssh-ed25519 uZzB3g BMRR0RZLtsSAzI1EsQzeeLx1JyCZ7QzhnGvn255rlyk &KË;îm#F·©ěX"HN•ZéŻ
jPWO8HsZFX2TGtRbxwHV6x2OWwbCJb+sPl45f0mAHp0 Űy"Ń\%ĄíDşDw'Ü˝l«ň«p«Je¦Q©Jˇp¸îKínxÉćáśřĄá;“0ZňWÜlś±?őŚx‰ľ_h_w1§»îwďá|"şj]Zö>Č9]iłľNxmDť ĽĂĐÍ<C490>mUr«xčZ_<*„ý4ů9´v¬0;Ö@Ô ľűŕr
--- J1ejh1XpuAwFhOdWUga4WiJzgFmFdAgLpp2pe0K7cnA
ÒEзP¯s¬*ãÇw´€Þ⎲[ ~Äž6H=].ú!C?‰#$å5ëáóàAv <0C> øEïý§asöxKñd ÉVÑ¿·ï¹DQ¼ײ$Ü;µé-S;‡ƒ%0Òï<C392>ÍËEˆ•œÛ•ŠÿR0äô¢ø½<C3B8>)ÐFéˆÒ)¦§ãb<C3A3>¦ê1åD¸ è›
¡yʪ<ÙßñG®7Ð@åMú

Binary file not shown.

View file

@ -1,20 +1,17 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 V1pwNA 28zceeGyLaA02L8gNeGtC4kaGMJYZ+ATchzxrI1idAQ -> ssh-ed25519 V1pwNA Hym08jdz0fAk4kfbwmNrYrzc6p/Kenkx2u1nUmiLsiA
G8mCYZvVdVL0ZLdhpsvjreLd7RfOe2iGdEkoVHTddl8 gCHJvbBXSp+KQz7/2V7CvKEyCanQAuF1NEFdZy/1YCE
-> ssh-ed25519 4PzZog 1Hb7J2Ya0UhC5A8zGDkI4WesR/LrQRrM7hNHtRvUYE4 -> ssh-ed25519 4PzZog eZRTh03b4vYeFgXxlrBYlIiJhxOJ4l14Sj+DyAfryCo
QhviN1YQ63yi32rd3dRX+wYfCjYET+XOq4eRR5nzKmE zj/kPI+cZ1G4kuAFEhAY6wGPuugVivGsM9vNj3RYhCk
-> ssh-ed25519 dA0vRg +GHqKkHt/WqrwaZo17FDEtgAOd+pGS4FKWJ8Cbfa/xE -> ssh-ed25519 5Nd93w NhMYMSY9jCFHgiwUfiwrVykTUyqPvRgwz3ZruUk9VEg
1PRGkDWtdFEYQB+0TziC7umhbRBt6PNNTI3YWNBj5Ew ADo089uYJxxOXEkppmjQrI8NsLZi4RTk0aiR5wX1jjk
-> ssh-ed25519 5Nd93w ebfKVKjzUnyRpNuV0M5vQ5GiU1r2/wQcEVJIyvoykz8 -> ssh-ed25519 q8eJgg Fcy5/ngWteFDEDc71YCsQibn08zeorGMadUmEg2SPHk
KxsegupR/9iIpSXrD1A6FCcSf5mEiVr7DQL2TUXhqaQ K21yelJUAHQFhwg7/k+1VoU+drNBR+gtM53T1GRZ9JQ
-> ssh-ed25519 q8eJgg ul8MazD9isC+MPT1JEAnjL0dZ2r12WUyYwvgPi726j0 -> ssh-ed25519 yvS9bw uYEhuPR9HEwPdPpIQENcwfv1sMx780daREkNBBzlOQk
5Csc4hiPxLaIYK6v+zRZPPctqsLMfJ4U8lKQS082viM DBvCCCbcu5Qap0fjRRNQbWHm+/AkljiEUnqK6UJUS5c
-> ssh-ed25519 KVr8rw keye4xiStda7ZUTSAFBFL170jR0b8E3Fj2WpEy66qVM -> }Ac.6c-grease u'7G>w_6 "Q~=R
Lxu15JXZWqommKNiqan2uXJj8hSnpBnbNka2rOtH5R8 cGf5wLTJwI5rCzuPdjMzzlJit6mK3vVFBKnXV1iiItNG7LNAyP9NsgUrvj3cudke
-> ssh-ed25519 fia1eQ bfJsTYdcsdTNqkLd3KKIoH9WqsdrAx3OWlk6wpqm/Sc cp7noppOtSk+N09mZBNEVOeLkae6Og
yXIhT4OX4iaLKttkOP5njFML8ZNCloz8H0pjzF64qWE --- M8RKavL3FOtBhuVcCyrbykLVsFkN7MSku7yrUtA6Fu8
-> ssh-ed25519 CqOTGQ jx8KLE8ejaRLnhV48jRN4muKClVCiPzFE6ibHzVCayc
E3bBriDPT6FLdR8XoDLxkch0Pgroyfk5unZcQu50y9A ÏRú6î<EFBFBD>ýñ<>Ó ^‰JXÐݲ{|¹bó]¬wìðŒ°°¾$~ýdœŠ8ö½á”Žl¨+UèG×ã©súøñú;Ì\GÜÄÃV•<56>AM¢èpë Lɤ×ë±´¬3ÅhÎ2ÊÇ dþæI'ïê©Ä*s
--- fj3blhJZXxvg8Ecvk5/e4+0Mg6gwRrWlhQ1z0aXExjY
4<EFBFBD>æâðJâ˜=ìÏØ/c<>î<EFBFBD>ªB¶QáȇˆÃúd9«<>úúÐ<C3BA>ò»I¼¶¶eëÊ£†IæÌ<õ7VaL~Ÿ¡®âœ”r
ŸQ~<7E>Úæ,²anñIl°#NHdª^ª)\Ú<'šwScÏqzÝ

Binary file not shown.

Binary file not shown.

Binary file not shown.

View file

@ -1,19 +1,15 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 V1pwNA J3U7/2AXc6au88y6cZ1ottq7ZY/dU/N6xDg0LRPbXxo -> ssh-ed25519 V1pwNA pHgtxpGfmBvYNwvFM/pXYzXeXQ+52trMIB/uAC5i4g8
0haZ3EvhpeeeT0cISY6tjxcE6VpDJqGLX+68m071gn8 HJ3p6wZ9J95UiRJ6Q2soNNlJnTG7KGMsnPwGsyVT19A
-> ssh-ed25519 4PzZog oXXG203aCEltjB9FZx/H4W/QMPG1MiixW3a4nV1kPyg -> ssh-ed25519 4PzZog V3M3WeMD4mF3gabCDToU9R3eydxxEq/7mMtSQSO9mSg
WxUvEWcDF3XFP4YkXceRx00SWY7adxCZ2nmGsytBDEU /GOoWyEN5LUbw2MkYUxhDBnHaTBY6KBx2mV2B3rKGdI
-> ssh-ed25519 dA0vRg MTQucbTSFClxM1NM/LS0128AESkGjkVPOdpTsGbEEFM -> ssh-ed25519 5Nd93w k5yjgOyeQnc51NN6HXMyokfR9yU/ONKCoJ/3RBPfn10
X1xEivyUoxu/Par6uBXD37f0/GeXodHuagFqguuHQco DH4npc8GNl3AfWRsiqKu3kPfpZKxamqUgmjnKXsGgiA
-> ssh-ed25519 5Nd93w rZzdZrjSce5JhPTPPCzHJxKIUFcDJY9mccA6/QnCa3A -> ssh-ed25519 q8eJgg 81lltYkEyM9WqSFNASOA/OdfBuZ0vRyICG9B9+6YdBE
Wo+eoxbZZ3m82w5bywcvrpHxnyn8in6TDUb0oaglADo VHFm0DiOmDh+SJGhnuuwXobHxl6xC3mYOPu4DvxrGEQ
-> ssh-ed25519 q8eJgg Xs7oARCYw4wmA9p1L36jRwp1r0KRZ9+XePaYIoQITRI -> ssh-ed25519 uZzB3g aysXj+Bgow4aTPxBtB3sazBvwc5V2dO/1i+ZyW2mqH4
AWpIl5i7TjgJK2WPz3VZR0UVEeK0u77V6pTTRSgvGas fbzuL1lXT8STLEXidyzPhoqkb53NMNBMzczr4FvhTlM
-> ssh-ed25519 KVr8rw 7viimD+3AhhCl+ORBApuvtnrjY2bNsEbUqGoM0R9q1g -> pgy-grease AS<jNLT
vylA7Zx4eVkI4kg+lKx/D+Ro5Bbn2wWP36Hnxas7Z4I LjHqAM3sepswVBIl0O+++Bqia2znH/2+BnBYd3eTM4FCG1IdyMRFFtM
-> ssh-ed25519 fia1eQ LYO7HMLlyXRpJJJgJ1uyrYrsfdCbRYqxXgeBtTyrn2w --- ZAAqXOmA/JaqHCcaGJF3Aag0rUsRYqwLG986FS0oQGE
5oNtkzAoPWg1JY9aoXVYWByCMqEuQ1QDs7Jw6/VEEiw M@,4«<$iőżaÝĐz<C490>)Ăž 7<>*v 2$k“Dă)c¦„e(±‰ÝĄÍqmą»`JGęăŰw˝SŮ?ť@y·L•ă‰)ÜßŇž^Hń€ö.˘jru¨G`zăłçy}ÉńžYÚÂĚËř[·ĎR-MĽ”Ů 4;CŢ˧AŰČň;Rv^‹á~=Zm ^ă]4Âčo:dď3
-> ssh-ed25519 uZzB3g GKbJ3OU6hN4u0hS+601Hau09sq6q5ZCNwlFJhVeEEiM
LcN5eHSOgEFxR2rmC10RkHMllbQW9ZDARUG+9XeX24E
--- siGgnCjaHw6TOAYR4mjwfLjtQRxFjnjGN2/MRAkIdeY
<EFBFBD>}+3'ýY †[/*û†ÒÉo¿Ìãcbyê<79>û RÃ!¤ŽS\ÿ‡@N4‰®æPŒ=`N7<µ‚àaãbšÑ²ÛUN7Ã9­ dµ%~òæ{Çý éñºJ¾›ú`ÉH|™È,îë[·»4Êb¿=œ“ÿûÒFÁI¹ímÀëbM„Û¥4Ùšnz-<2D>9£OIu„µFó

View file

@ -1,19 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA Je94T4psgEbYV6YBZ2BSQ4JZbKubHtPEKNuVjL9CaSk
Fp8uHwymTnjkFQBfezrFj2ycXsYrnqqW2+KeKfsjONY
-> ssh-ed25519 4PzZog paDltxaTs3odGMIkWFMuTfe+LnO2RqvRTqAi7pK8EB0
+ZtGVOK71gSGzgY6nSlDT32Q6IQFFvZd8xMp42GD/xg
-> ssh-ed25519 dA0vRg 2ZGLw9dW0qbzkJb+M1DhhEaW19VaPdgy9YvzxeEuZzw
Gycx9hEatq1jOQpE7EqF4G8y3+XvRnIC8oNK3hJmOzw
-> ssh-ed25519 5Nd93w uyUnDy48bjq4cfG/HfIF57bnCxNGSFze18MTW2XmDmc
TWCJRIC3J9KyjbCaM/WmCoD0x2MtrGGKVgHCA/TBe0I
-> ssh-ed25519 q8eJgg qPb7JIMkwOWIWw4yIhQku0u6d09QqFKtOXx1gC3XowA
8+YLpW8xzEzq02zKFhlbjOggEWfMZ6j2G5RGIq/TE/o
-> ssh-ed25519 KVr8rw zcZRh0qTa55ENUWXRIPk/kAv3tKB0+anEQ+IuEhsFjY
8oN0U8jD1BA07XOS4idvHgu8LA7/E5aciLZOshsZJJY
-> ssh-ed25519 fia1eQ gkdxv6Uda41PT9GhALDwPCfzzSiCDWluZG5m3WRwKAQ
5YSmnIYFXmBgTur0Z7PcLOT9ANvLJgIech5gp4Pqwjk
-> ssh-ed25519 rmrvjw H0ZmvmeUIpb4ZAUvh+7k47mUmZidcsKxDHC2oC/100A
IjYufbdJxMMANqicCHQQAU0Vh/NvROfCfaxJBM3rai8
--- TrZyyHaK0o4ot71wVxZzBT+3mVrVUQ3jKv6FuWNO4Mc
R3±g ”GÛVðgñX3cÅœëñÕPÌ\ÚygûqÐqÒ·"KO(ôÜ.ý© ÷8Í·&Ò3Äpëù)‡‹4:MRS¦³pK

Binary file not shown.

Binary file not shown.

View file

@ -1,20 +1,15 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 V1pwNA wC7Nch41YKEjrwpf/sDR+SUWKm1porqP2DyQhz/MLh0 -> ssh-ed25519 V1pwNA DqbnodZkTmARvGsqUcwZJ6Z6dRJw+Pc/u/OyvLUXNlI
Mu8NGcxWphZZLgb0F7h10EJGCPiontn6y2lWNSldNGw ra9Q9EprYEJELcQi7yS/2+AvyrEDehZ2XjIE4SD3K4Q
-> ssh-ed25519 4PzZog 6H6fsEDq6xiIkmIy6gUUGL+Mm03HSEaSGnjel3EO8EU -> ssh-ed25519 4PzZog 1bLboYJt4kTh2oYIkPtBWOKyCdQQYY7Z/NMhdWRr7Bg
xzqv1RZijhQqeiWIFq7ReVzh2JLtBoo9HmZJ1VXrMPU XYX6Sj2dfHJdVr52vy7F5SLNudmPw0l+qX4VXkxo5Zw
-> ssh-ed25519 dA0vRg UC9Vm0pLH8N9XGxKAZ/3Efe/9SRvx/rlxCYx0u5oljg -> ssh-ed25519 5Nd93w 1V+Zb7AmYGLbBnMLy/yEuC+vUdWq8no/X6j+7Zykbw0
gF4IFYdCIXfvPPrOsJFvGMf1PzrSyureKpOP66ZHB1Q Cu9av/RkbqGfE31UO1HobDcemy0C52WYt3F3ZJuPD0c
-> ssh-ed25519 5Nd93w 338ts/scFEwjZ+3f4Vcd8C9Q//E/ZGoSxIutAxKgpAo -> ssh-ed25519 q8eJgg JkrqxwHOf7vch7sa5iERrPS6GtH7SOz6vkiJZ9iejhM
C0vs3fiisD9FsZ8gYJZj/I81mT3Psw3g1jN5ztyuDQ4 G0OBTxAN1Ip3vv5loXQPejnv25tK6Xu6xNqYIBQch0Y
-> ssh-ed25519 q8eJgg eIHEYfE/50IRNy+gnNmqQD4jtVgJRla4ilAQp2gYfjE -> ssh-ed25519 YFaxCg ZjtuzeSNBZLGykOpsyxmeRLF8GE2eIhZBhn84bN8X08
bFNJA6KPlBiZWrB5vjyTilXC+rkW+xqVSWcvHln9H/8 WXQsIs4Are7WVJhkDafrMm+FwyWfWTOHR6JYUg7nzPY
-> ssh-ed25519 KVr8rw Kq/0pxm2r136ezrKRugC1So2cIIx2VTShPv6WTc6m1E -> O1CHe-grease <`%L
W7VrsPf9jkkxqndVjrFuGBwqJR3v4hwig7Fed9xJSAI yfN8CioGGgvdsecROJgtsRw1BVyHtPcNgKMk1bGsNry37eY0/8PIQA
-> ssh-ed25519 fia1eQ 1sA1YfEKVatTzHV5Wd/tzqwRiIPUBQlfoKZkJpxRYig --- jVQDWIOkjduvoYdMFhEl2Y8do4IsplwELZ1N1dlEv2E
lLtPzvg8H0y+FpfGfF/Q5g1nCap1TgW2wipIKU+Q+WA ЈØ>p¢ÿN0Àô¯<C2AF>jˆÚ{<7B>Ò qLÔÔÜ;{× {¼±‚%OJÁ€â_“άí3N†R#ì4® í
-> ssh-ed25519 YFaxCg zUYYpsC6BXvPRcIignITwUmvBhfhy9EnxFeCFg1niQk
QcmAhpDajw2lJyttDX9kn+0bdugmYYifSl1esaa3xpU
--- 0sQ4g4YxMBe/VBe39F9ZfwVh9XEOHYHqgiX5oakBzPU
¦cò±hðWÚp@å "L·<4C>åÒ[)ØtŠ¼/<2F>+”MyÍä¾ò'
8K¼ƒ[©m}·qÿÈ1«{²µ¯]·OS%ᙯ>»

View file

@ -1,20 +1,14 @@
let let
admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin"; admin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK6DjXTAxesXpQ65l659iAjzEb6VpRaWKSg4AXxifPw9 Skynet Admin";
silver_laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWfVKls31yK1aZeAu5mCE+xycI9Kt3Xoj+gfvEonDg silver@helios"; silver_laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWfVKls31yK1aZeAu5mCE+xycI9Kt3Xoj+gfvEonDg NixOS Laptop";
silver_laptop_2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOmm4CCnpT+tF7vecSrku0+7aDA1z3pQ+PDqZvoCynCR silver@aether";
silver_desktop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico Desktop"; silver_desktop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN34yTh0nk7HAz8id5Z/wiIX3H7ptleDyXy5bfbemico Desktop";
thenobrainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer"; thenobrainer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKjaKI97NY7bki07kxAvo95196NXCaMvI1Dx7dMW05Q1 thenobrainer";
eliza = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIJaVEGPDxG/0gbYJovPB+tiODgBDUABlgc1OokmF3WA eliza-skynet";
esy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINS2UR/o+nK8lNHHTj5I84ZAAp6P+ZhXqhedMfx0KHE4 <Skynet>";
users = [ users = [
admin admin
silver_laptop silver_laptop
silver_laptop_2
silver_desktop silver_desktop
thenobrainer thenobrainer
eliza
esy
]; ];
agentjones = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHOxA3uYcqS5gTrG1hS8XXwehzQYAI2I4iULtU8cXft root@agentjones"; agentjones = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHOxA3uYcqS5gTrG1hS8XXwehzQYAI2I4iULtU8cXft root@agentjones";
@ -23,7 +17,7 @@ let
galatea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3Mke5YtaMkLvXJxJ3y7YAIEBesoJk3qJyJsnoLUWgW root@galatea"; galatea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII3Mke5YtaMkLvXJxJ3y7YAIEBesoJk3qJyJsnoLUWgW root@galatea";
optimus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqYbbWy3WWtxvD96Hx+RfTx7fJPPirIEa5bOvUILi9r root@optimus"; optimus = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqYbbWy3WWtxvD96Hx+RfTx7fJPPirIEa5bOvUILi9r root@optimus";
glados = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6go7ScvOga9vYqC5HglPfh2Nu8wQTpEKpvIZuMAZom root@glados"; glados = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ6go7ScvOga9vYqC5HglPfh2Nu8wQTpEKpvIZuMAZom root@glados";
wheatly = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIPlgCGtyvd3xwYg9ZNyjTJNB/LvUSJO01SzN8PGcDLP root@wheatly"; wheatly = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEehcrWqZbTr4+do1ONE9Il/SayP0xXMvhozm845tonN root@wheatly";
kitt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPble6JA2O/Wwv0Fztl/kiV0qj+QMjS+jTTj1Sz8k9xK root@kitt"; kitt = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPble6JA2O/Wwv0Fztl/kiV0qj+QMjS+jTTj1Sz8k9xK root@kitt";
gir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINL2qk/e0QBqpTQ2xDjF7Cv4c92jJ53jW2fuu88hAF/u root@gir"; gir = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINL2qk/e0QBqpTQ2xDjF7Cv4c92jJ53jW2fuu88hAF/u root@gir";
neuromancer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFAs6lBJSUBRhtZO3zGKhEIlWvqnHFGAQuQ//9FdAn6 root@neuromancer"; neuromancer = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFAs6lBJSUBRhtZO3zGKhEIlWvqnHFGAQuQ//9FdAn6 root@neuromancer";
@ -31,8 +25,6 @@ let
earth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMpvgQcvK7iAm0QrIp5qSvUJzDhOrSBN9MJn9JUSI31I root@earth"; earth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMpvgQcvK7iAm0QrIp5qSvUJzDhOrSBN9MJn9JUSI31I root@earth";
cadie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACcwg27wzzFVvzuTytcnzRmCfGkhULwlHJA/3BeVtgf root@cadie"; cadie = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIACcwg27wzzFVvzuTytcnzRmCfGkhULwlHJA/3BeVtgf root@cadie";
marvin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAme2vuVpGYX4La/JtXm3zunsWNDP+SlGmBk/pWmYkH root@marvin"; marvin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIAme2vuVpGYX4La/JtXm3zunsWNDP+SlGmBk/pWmYkH root@marvin";
calculon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsmeBfh4Jw2GOL7Iyswzn4TVNzalDbxDgh7WuQotFxR root@calculon";
ariia = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA4kV6W1/tP/nf2ZWNhRoV1mK04R4pS+c5vdsA1n5gpN root@ariia";
systems = [ systems = [
agentjones agentjones
@ -49,8 +41,6 @@ let
earth earth
cadie cadie
marvin marvin
calculon
ariia
]; ];
dns = [ dns = [
@ -77,10 +67,6 @@ let
wheatly wheatly
]; ];
grafana = [
ariia
];
# these need dns stuff # these need dns stuff
webservers = webservers =
[ [
@ -92,10 +78,6 @@ let
skynet skynet
# our offical server # our offical server
earth earth
# nix
calculon
] ]
# ldap servers are web facing # ldap servers are web facing
++ ldap ++ ldap
@ -120,7 +102,7 @@ let
in { in {
# nix run github:ryantm/agenix -- -e secret1.age # nix run github:ryantm/agenix -- -e secret1.age
"dns_certs.secret.age".publicKeys = users ++ systems; "dns_certs.secret.age".publicKeys = users ++ webservers;
"dns_dnskeys.conf.age".publicKeys = users ++ dns; "dns_dnskeys.conf.age".publicKeys = users ++ dns;
"stream_ulfm.age".publicKeys = users ++ [galatea]; "stream_ulfm.age".publicKeys = users ++ [galatea];
@ -136,9 +118,6 @@ in {
"gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners; "gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
"gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners; "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
"forgejo/runners/token.age".publicKeys = users ++ gitlab_runners;
"forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners;
# for ldap # for ldap
"ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden; "ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden;
# for use connectring to teh ldap # for use connectring to teh ldap
@ -149,6 +128,7 @@ in {
"backup/restic_pw.age".publicKeys = users ++ restic; "backup/restic_pw.age".publicKeys = users ++ restic;
# discord bot and discord # discord bot and discord
"discord/ldap.age".publicKeys = users ++ ldap ++ discord;
"discord/token.age".publicKeys = users ++ discord; "discord/token.age".publicKeys = users ++ discord;
# email stuff # email stuff
@ -164,7 +144,4 @@ in {
"bitwarden/id.age".publicKeys = users ++ bitwarden; "bitwarden/id.age".publicKeys = users ++ bitwarden;
"bitwarden/secret.age".publicKeys = users ++ bitwarden; "bitwarden/secret.age".publicKeys = users ++ bitwarden;
"bitwarden/details.age".publicKeys = users ++ bitwarden; "bitwarden/details.age".publicKeys = users ++ bitwarden;
# grafana
"grafana/pw.age".publicKeys = users ++ grafana;
} }

Binary file not shown.

Binary file not shown.