From 7a73028ad232ceb75d7eb74a9721bdeda1431620 Mon Sep 17 00:00:00 2001
From: niten
Date: Tue, 16 Jan 2024 19:08:38 -0800
Subject: [PATCH] Tons of stuff, including 23.05 -> 23.11
---
config/domain-config/fudo.org.nix | 109 ++-
config/domain-config/fudo.org/authentik.nix | 28 +-
config/domain-config/fudo.org/mail-server.nix | 26 +-
config/domain-config/fudo.org/matrix.nix | 38 +-
config/domain-config/fudo.org/nextcloud.nix | 4 +-
config/domain-config/sea.fudo.org.nix | 22 +-
config/hardware/germany.nix | 38 +-
config/host-config/fimbria.nix | 27 +-
config/host-config/france.nix | 193 ++--
config/host-config/germany.nix | 19 +-
config/host-config/jazz.nix | 2 +-
config/host-config/legatus.nix | 64 +-
config/host-config/limina.nix | 4 +
config/host-config/nostromo.nix | 19 +-
config/host-config/nutboy3.nix | 11 -
config/host-config/nutboy3/cashew.nix | 1 +
config/host-config/system3.nix | 32 +-
config/host-config/toothless.nix | 1 +
config/profile-config/common.nix | 2 -
config/service/authoritative-dns.nix | 6 +-
config/service/gitea-container.nix | 25 +-
config/service/mail-server.nix | 22 +-
config/service/metrics.nix | 350 +++-----
config/site-config/seattle.nix | 48 +-
config/user-config.nix | 39 +-
config/users.nix | 4 +-
flake.lock | 842 ++++++++----------
flake.nix | 24 +-
28 files changed, 837 insertions(+), 1163 deletions(-)
diff --git a/config/domain-config/fudo.org.nix b/config/domain-config/fudo.org.nix
index f96acd1..6628be4 100644
--- a/config/domain-config/fudo.org.nix
+++ b/config/domain-config/fudo.org.nix
@@ -4,7 +4,8 @@ with lib; let hostname = config.instance.hostname; localDomain = "fudo.org"; - serviceSecrets = config.fudo.secrets.files.service-secrets."${hostname}"; + + domainSecrets = config.fudo.secrets.files.domain-secrets."${localDomain}"; inherit (pkgs.lib) getDomainHosts getHostIpv4 getHostIpv6 getHostFqdn; 
@@ -16,7 +17,10 @@ let defaultHost = "germany"; - mastodonHostname = "mastodon.fudo.org"; + mastodonHostname = "fudo.live"; + + lemmyHost = "germany"; + lemmyHostname = "fudo.social"; servedDomains = [ "fudo.org" 
@@ -24,86 +28,117 @@ let "selby.ca" "fudo.ca" "fudo.im" + "fudo.live" + "fudo.social" "stewartsoundservices.ca" ]; in { imports = [ - (import ./fudo.org/authentik.nix { inherit authentikHost; }) + (import ./fudo.org/authentik.nix { + inherit authentikHost; + authentikImage = "ghcr.io/goauthentik/server:2023.10.6"; + }) (import ./fudo.org/mastodon.nix { - mastodonHost = "legatus"; + mastodonHost = "germany"; mastodonHostname = mastodonHostname; - mastodonWebDomain = "fudo.org"; - mastodonOidcClientId = serviceSecrets."mastodon-oidc.clientid"; - mastodonOidcClientSecret = serviceSecrets."mastodon-oidc.secret"; + mastodonWebDomain = mastodonHostname; + mastodonOidcClientId = domainSecrets."mastodon-oidc.clientid"; + mastodonOidcClientSecret = domainSecrets."mastodon-oidc.secret"; }) (import ./fudo.org/nextcloud.nix { nextcloudHost = "legatus"; nextcloudHostname = "cloud.fudo.org"; - nextcloudPackage = pkgs.nextcloud27; + nextcloudPackage = pkgs.nextcloud28; }) (import ./fudo.org/matrix.nix { - matrixHost = "legatus"; - matrixServerName = "fudo.org"; - openIdClientId = readFile serviceSecrets."matrix-oidc.clientid"; - openIdClientSecret = readFile serviceSecrets."matrix-oidc.secret"; + matrixHost = "germany"; + matrixServerName = "fudo.im"; + openIdClientId = readFile domainSecrets."matrix-oidc.clientid"; + openIdClientSecret = readFile domainSecrets."matrix-oidc.secret"; }) (import ./fudo.org/mail-server.nix (rec { - primaryMailserver = "germany"; - primaryDomain = "test.fudo.org"; + primaryMailserver = "france"; + primaryDomain = "fudo.org"; authentikServer = "authentik.fudo.org"; ldapBase = "dc=fudo,dc=org"; ldapBindDn = "cn=userdb,ou=users,${ldapBase}"; - ldapBindPwFile = - config.fudo.secrets.files.domain-secrets."${primaryDomain}"."ldap-bind.passwd"; + ldapBindPwFile = domainSecrets."ldap-bind.passwd"; saslDomain = "FUDO.ORG"; - authentikOutpostToken = - config.fudo.secrets.files.domain-secrets."${primaryDomain}"."authentik-ldap.token"; + authentikOutpostToken = 
domainSecrets."authentik-ldap.token"; inherit servedDomains; - # TODO: FIXME! - dkimRecord = ""; + dkimRecord = '' + mail._domainkey IN TXT ( "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwoCgHwsfuu0lhj9Ayj4ntoy0bdcGBNsV46qoKbd8E8FKsJF5rL4EoytwXEFcKJwT3E+o3/BsZGi9J5irtjlfIhnxnPlhVRS3R/834NDSQyuwGTxAfhPOklhA0cTYA+4x2oGwAuraz+On2REDeSymMccXFDsTugEHVvn6qaeqkJwIDAQAB" );''; })) ]; config = { # All Fudo hosts should redirect selby.ca to the selbyhomecentre website. - services.nginx.virtualHosts = { - # Pass requests to selby on to selbyhomecentre - "selby.ca".locations."/".return = - "301 https://selbyhomecentre.com$request_uri"; - "www.selby.ca".locations."/".return = - "301 https://selbyhomecentre.com$request_uri"; + services = { + nginx.virtualHosts = { + # Pass requests to selby on to selbyhomecentre + "selby.ca".locations."/".return = + "301 https://selbyhomecentre.com$request_uri"; + "www.selby.ca".locations."/".return = + "301 https://selbyhomecentre.com$request_uri"; - # For Mastodon - "fudo.org".locations = { - "/.well-known/webfinger" = { - return = "301 http://${mastodonHostname}"; - extraConfig = "add_header Access-Control-Allow-Origin '*';"; + # For Mastodon + "fudo.org".locations = { + "/.well-known/webfinger" = { + return = "301 http://${mastodonHostname}"; + extraConfig = "add_header Access-Control-Allow-Origin '*';"; + }; + "/.well-known/host-meta" = { + return = "301 https://${mastodonHostname}$request_uri"; + }; }; - "/.well-known/host-meta" = { - return = "301 https://${mastodonHostname}$request_uri"; + }; + + lemmyDocker = { + enable = config.instance.hostname == lemmyHost; + hostname = lemmyHostname; + site-name = "Fudo Lemmy"; + version = "0.19.2"; + smtp-server = "mail.fudo.org:587"; + docker-images = { + pictrs = "asonix/pictrs:0.5.1"; + postgres = "postgres:15-alpine"; }; }; }; fudo = { services = { + # TEMPORARY + mail-server.enable = false; + jabber = { domain = "jabber.fudo.org"; ldap.servers = map (host: "${host}.${localDomain}") 
domain.ldap-servers; }; + metrics.grafana = { + oauth = { + hostname = "authentik.fudo.org"; + client-id = domainSecrets."grafana-oid-client-id"; + client-secret = domainSecrets."grafana-oid-client-secret"; + slug = "grafana-metrics"; + }; + }; + authoritative-dns = { enable = hostname == primaryNameserver; + enable-notifications = true; + container = { hostname = "nameserver"; interface = "enp5s0f0"; }; nameservers = { - primary = primaryNameserver; + primary = "nameserver"; external = map (hostname: { inherit (config.fudo.zones."fudo.org".hosts."${hostname}") ipv4-address ipv6-address description; @@ -124,9 +159,10 @@ in { description = "fudo.org"; }; + # TODO: Fix email FFS! fudoMailservers = { - smtp-servers = [ "smtp.fudo.org." ]; - imap-servers = [ "imap.fudo.org." ]; + smtp-servers = [ "mail.fudo.org." ]; + imap-servers = [ "mail.fudo.org." ]; }; mkDomain = domain: extraConfig: @@ -147,6 +183,7 @@ in { "stewartsoundservices.ca" = mkDomain "stewartsoundservices.ca" { mail = fudoMailservers; }; "fudo.live" = mkDomain "fudo.live" { mail = fudoMailservers; }; + "fudo.social" = mkDomain "fudo.social" { mail = fudoMailservers; }; }; }; }; diff --git a/config/domain-config/fudo.org/authentik.nix b/config/domain-config/fudo.org/authentik.nix index 832e009..46b6158 100644 --- a/config/domain-config/fudo.org/authentik.nix +++ b/config/domain-config/fudo.org/authentik.nix @@ -1,4 +1,4 @@ -{ authentikHost, ... }: +{ authentikHost, authentikImage, ... }: { config, lib, pkgs, ... }: @@ -24,7 +24,7 @@ in { authentikContainer = mkIf isAuthentik { enable = true; images = { - authentik = "ghcr.io/goauthentik/server:2023.8.3"; + authentik = authentikImage; postgres = "docker.io/library/postgres:12-alpine"; redis = "docker.io/library/redis:alpine"; }; 
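Review bot: `openIdClientId = readFile domainSecrets."matrix-oidc.clientid";` and `openIdClientSecret = readFile domainSecrets."matrix-oidc.secret";` read the OIDC credentials at evaluation time, so their values become part of the evaluated configuration and, wherever matrix.nix interpolates them into a generated file, land world-readable in the Nix store; the mastodon import just above hands the same kind of secret over as a path (`domainSecrets."mastodon-oidc.secret"`), which is the pattern to follow if the matrix module can consume a file instead. The `/.well-known/webfinger` redirect still returns `301 http://${mastodonHostname}` while `host-meta` uses https and carries `$request_uri`; a bare `return` also drops the `?resource=` query, so `return = "301 https://${mastodonHostname}$request_uri";` is likely what clients need unless the downgrade is deliberate. The container images (`ghcr.io/goauthentik/server:2023.10.6`, `asonix/pictrs:0.5.1`, `postgres:15-alpine`) are referenced by mutable tags; pinning as `image:tag@sha256:<digest-from-registry>` makes what is deployed reproducible and reviewable. The `config = {` attrset this hunk edits closes outside the hunk.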
@@ -50,32 +50,8 @@ in { proxyWebsockets = true; }; }; - "fudo.ldap.fudo.org" = { - enableACME = true; - forceSSL = true; - locations."/".return = "403 Forbidden"; - }; - "selby.ldap.fudo.org" = { - enableACME = true; - forceSSL = true; - locations."/".return = "403 Forbidden"; - }; }; }; }; - - security.acme.certs = mkIf isAuthentik - (genAttrs [ authentikHostname "fudo.ldap.fudo.org" "selby.ldap.fudo.org" ] - (domain: { - postRun = let - dst = - "${config.services.authentikContainer.state-directory}/certs/${domain}"; - in '' - mkdir -p ${dst} - cp -v {cert,chain,fullchain,full,key}.pem ${dst}/ - cp -v key.pem ${dst}/privkey.pem - chown -R authentik ${dst} - ''; - })); }; } diff --git a/config/domain-config/fudo.org/mail-server.nix b/config/domain-config/fudo.org/mail-server.nix index 0838535..86b0a58 100644 --- a/config/domain-config/fudo.org/mail-server.nix +++ b/config/domain-config/fudo.org/mail-server.nix @@ -16,19 +16,17 @@ in { after = [ "podman.service" ]; }; - fudo = { - acme.host-domains = { - "imap.${primaryDomain}".extra-domain = [ "mail.${primaryDomain}" ]; - "smtp.${primaryDomain}".extra-domain = [ "mail.${primaryDomain}" ]; - }; + # security.acme.certs = { + # "imap.${primaryDomain}".extraDomainNames = [ "mail.${primaryDomain}" ]; + # "smtp.${primaryDomain}".extraDomainNames = [ "mail.${primaryDomain}" ]; + # }; + fudo = { zones."${primaryDomain}" = let mailserverDomain = config.fudo.hosts."${primaryMailserver}".domain; - mailserver = - config.fudo.domains."${mailserverDomain}".primary-mailserver; mailserverIps = { - ipv4-address = getHostIpv4 mailserver; - ipv6-address = getHostIpv6 mailserver; + ipv4-address = getHostIpv4 primaryMailserver; + ipv6-address = getHostIpv6 primaryMailserver; }; srvRecord = host: port: [{ inherit host port; }]; in { 
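Review bot: The `fudo.acme.host-domains` entries that put `mail.${primaryDomain}` on the imap/smtp certificates are removed and only a commented-out `security.acme.certs` sketch replaces them, so nothing in this file now asks for a certificate carrying the `mail.` name; since the fudo.org.nix hunk in this patch moves the published smtp/imap servers to `mail.fudo.org.`, postfix and dovecot would present a name-mismatched certificate unless they are fed the `mail.${primaryDomain}` nginx certificate requested further down. Either finish the sketch as `security.acme.certs."imap.${primaryDomain}".extraDomainNames = [ "mail.${primaryDomain}" ];` (and its smtp twin) or delete the dead comment and state in one line where the daemons' certificate comes from. The `fudo = {` attrset continues outside the hunk.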
@@ -66,6 +64,7 @@ in { enable = hostname == primaryMailserver; debug = true; primary-domain = primaryDomain; + extra-domains = servedDomains; sasl-domain = saslDomain; trusted-networks = config.instance.local-networks; smtp = { @@ -110,12 +109,17 @@ in { services.nginx = mkIf (hostname == primaryMailserver) { enable = true; virtualHosts = { - "smtp.${primaryDomain}" = { + "imap.${primaryDomain}" = { enableACME = true; forceSSL = true; locations."/".return = "301 https://webmail.${primaryDomain}"; }; - "imap.${primaryDomain}" = { + "mail.${primaryDomain}" = { + enableACME = true; + forceSSL = true; + locations."/".return = "301 https://webmail.${primaryDomain}"; + }; + "smtp.${primaryDomain}" = { enableACME = true; forceSSL = true; locations."/".return = "301 https://webmail.${primaryDomain}"; diff --git a/config/domain-config/fudo.org/matrix.nix b/config/domain-config/fudo.org/matrix.nix index 0874d19..27ca9b3 100644 --- a/config/domain-config/fudo.org/matrix.nix +++ b/config/domain-config/fudo.org/matrix.nix @@ -5,17 +5,19 @@ with lib; let hostname = config.instance.hostname; - domainName = "fudo.org"; + domainName = "fudo.im"; zoneName = config.fudo.domains."${domainName}".zone; isMatrix = hostname == matrixHost; matrixFqdn = "matrix.${domainName}"; in { config = { fudo = { - zones."${zoneName}".aliases = { - element = matrixHost; - matrix = matrixHost; - }; + zones."${zoneName}".aliases = + let matrixHostFqdn = pkgs.lib.getHostFqdn matrixHost; + in { + web = "${matrixHostFqdn}."; + matrix = "${matrixHostFqdn}."; + }; services.matrix = mkIf isMatrix { enable = true; @@ -31,7 +33,7 @@ in { }; }; - networking.firewall.allowedTCPPorts = [ 8008 8448 ]; + networking.firewall.allowedTCPPorts = [ 80 443 8008 8448 ]; services.nginx.virtualHosts = mkIf isMatrix { "${domainName}" = let @@ -42,6 +44,7 @@ in { ''; in { enableACME = true; + forceSSL = true; listen = [ { addr = "0.0.0.0"; 
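Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 8008 8448 ];` sits outside the `mkIf isMatrix` guards that the neighbouring `services.matrix` and `services.nginx.virtualHosts` settings use, so every host importing this domain module opens these four ports, not just the matrix host, and the commit widens the list without adding the guard. `networking.firewall.allowedTCPPorts = mkIf isMatrix [ 80 443 8008 8448 ];` scopes it to the host that actually runs the service. Whether 8008 — conventionally the homeserver's plaintext client listener — should be reachable from outside at all is worth confirming, given that the nginx vhost below terminates TLS on 443 and federation uses 8448.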
@@ -64,15 +67,20 @@ in { ssl = true; } ]; - locations."/.well-known/matrix/server".extraConfig = - mkWellKnown { "m.server" = "${matrixFqdn}:443"; }; - locations."/.well-known/matrix/client".extraConfig = - mkWellKnown { "m.homeserver".base_url = "https://${matrixFqdn}"; }; + locations = { + "/.well-known/matrix/server".extraConfig = + mkWellKnown { "m.server" = "${matrixFqdn}:443"; }; + "/.well-known/matrix/client".extraConfig = mkWellKnown { + "m.homeserver".base_url = "https://${matrixFqdn}:443"; + }; + "/.well-known/acme-challenge" = { + root = "/var/lib/acme/acme-challenge/"; + extraConfig = "auth_basic off;"; + }; + "/".return = "301 https://web.${domainName}"; + }; }; - # "${matrixFqdn}" = { - # locations."^/$".return = "301 https://element.${domainName}"; - # }; - "element.${domainName}" = { + "web.${domainName}" = { enableACME = true; forceSSL = true; root = pkgs.element-web.override { @@ -82,7 +90,7 @@ in { "https://${matrixFqdn}"; brand = "Fudo"; room_directory.servers = - [ "fudo.org" "matrix.org" "libera.chat" "gitter.im" ]; + [ matrixFqdn "matrix.org" "libera.chat" "gitter.im" ]; map_style_url = "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx"; }; diff --git a/config/domain-config/fudo.org/nextcloud.nix b/config/domain-config/fudo.org/nextcloud.nix index 9943743..9715a36 100644 --- a/config/domain-config/fudo.org/nextcloud.nix +++ b/config/domain-config/fudo.org/nextcloud.nix @@ -20,8 +20,8 @@ in { package = nextcloudPackage; extra-apps = with config.services.nextcloudContainer.package.packages.apps; { - inherit news contacts calendar tasks maps memories mail bookmarks - files_markdown notes unsplash user_saml; + inherit contacts calendar tasks maps mail bookmarks notes user_saml; + # files_markdown memories news unsplash }; timezone = "America/Winnipeg"; }; diff --git a/config/domain-config/sea.fudo.org.nix b/config/domain-config/sea.fudo.org.nix index 1a0c63f..ab8b011 100644 --- a/config/domain-config/sea.fudo.org.nix 
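Review bot: The new `"/.well-known/acme-challenge"` location with `root = "/var/lib/acme/acme-challenge/"` and `auth_basic off;` appears to duplicate the block the NixOS nginx module already emits for a vhost with `enableACME = true`, and nginx refuses to load two location blocks for the same prefix, so unless the explicit `listen` list here suppresses the module's own block the `${domainName}` vhost will fail its config check — worth a run of `nginx -t` against the built configuration. If the explicit location is required, a one-line comment stating why (e.g. `# module does not emit the ACME location for this vhost because …`) would stop the next reader from removing it as redundant. The `"${domainName}"` vhost definition begins before the hunk.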
+++ b/config/domain-config/sea.fudo.org.nix @@ -14,11 +14,25 @@ let in { config = { - fudo.zones."sea.fudo.org".aliases."frigate" = "zbox"; + fudo.zones."sea.fudo.org".aliases = { "frigate" = "zbox"; }; fudo = { - services.mqtt.private.users.frigate = { - password-file = frigateMqttPassword; - acl = [ "frigate/#" ]; + services = { + metrics = { + private-network = true; + grafana.oauth = { + hostname = "authentik.fudo.org"; + client-id = + config.fudo.secrets.files.domain-secrets."fudo.org"."grafana-oid-client-id"; + client-secret = + config.fudo.secrets.files.domain-secrets."fudo.org"."grafana-oid-client-secret"; + slug = "grafana-metrics"; + }; + }; + + mqtt.private.users.frigate = { + password-file = frigateMqttPassword; + acl = [ "frigate/#" ]; + }; }; }; diff --git a/config/hardware/germany.nix b/config/hardware/germany.nix index 1770e6b..6800bef 100644 --- a/config/hardware/germany.nix +++ b/config/hardware/germany.nix @@ -73,6 +73,18 @@ in { fsType = "btrfs"; options = [ "subvol=@acme" "compress=zstd" "noatime" "noexec" ]; }; + + "/state/services/mail/mail" = { + device = "/dev/disk/by-label/germany-data"; + fsType = "btrfs"; + options = [ "subvol=@mail" "compress=zstd" "noatime" "noexec" ]; + }; + + "/var/lib/containers/storage" = { + device = "/dev/disk/by-label/germany-data"; + fsType = "btrfs"; + options = [ "subvol=@container-data" "noatime" "compress=zstd" "noexec" ]; + }; }; swapDevices = [{ device = "/dev/disk/by-label/germany-swap"; }]; @@ -87,30 +99,4 @@ in { cpu.intel.updateMicrocode = true; enableAllFirmware = true; }; - - networking = { - useDHCP = false; - - macvlans = { - extif0 = { - interface = "enp5s0f0"; - mode = "bridge"; - }; - - dnsif0 = { - interface = "enp5s0f0"; - mode = "bridge"; - }; - - extif1 = { - interface = "enp5s0f1"; - mode = "bridge"; - }; - }; - - interfaces = { - extif0.macAddress = generateMac config.instance.hostname "extif0"; - extif1.macAddress = generateMac config.instance.hostname "extif1"; - }; - }; } 
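Review bot: `/var/lib/containers/storage` is mounted with `noexec`, but that subvolume is where podman keeps image layers and overlay upper directories, and container processes exec binaries from there; depending on the storage driver, `noexec` on the backing filesystem can make every container fail with permission errors, so this needs a check that `podman run` still works on germany after the switch. If it does work, a short comment on why `noexec` is safe for `@container-data` would spare the next person the same doubt; if it does not, drop `noexec` from this entry only and keep it on `@mail` and `@acme`, where it is clearly appropriate.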
diff --git a/config/host-config/fimbria.nix b/config/host-config/fimbria.nix index 0412d0d..e068717 100644 --- a/config/host-config/fimbria.nix +++ b/config/host-config/fimbria.nix @@ -93,6 +93,8 @@ in { hosts.fimbria.external-interfaces = [ "enp1s0" ]; client.dns.external-interface = "enp1s0"; + local-network.state-directory = "/state/services/local-network"; + secrets.host-secrets."${hostname}" = { sea-cam-auth-proxy-env = { source-file = let @@ -135,7 +137,16 @@ in { security.acme.defaults.email = "niten@fudo.org"; - systemd.services.nginx.requires = [ "bind.service" ]; + systemd.services = { + nginx = { + after = [ "bind.service" ]; + requires = [ "bind.service" ]; + }; + + podman-sea-cam-auth-proxy.after = [ "network-online.service" ]; + + podman-sea-red-auth-proxy.after = [ "network-online.service" ]; + }; services = { ## TODO: enable when ready @@ -223,6 +234,20 @@ in { target = "http://node-red.sea.fudo.org/"; authPort = 9001; }; + + "metrics.fudo.link" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://prometheus.sea.fudo.org"; + extraConfig = let + trustedNetworkClauses = map (nw: "allow ${nw};") + (config.instance.local-networks + ++ config.fudo.domains."fudo.org".local-networks); + in concatStringsSep "\n" + (trustedNetworkClauses ++ [ "deny all;" ]); + }; + }; }; }; diff --git a/config/host-config/france.nix b/config/host-config/france.nix index 18f1b4f..ced9cc6 100644 --- a/config/host-config/france.nix +++ b/config/host-config/france.nix 
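Review bot: `podman-sea-cam-auth-proxy.after = [ "network-online.service" ];` and the matching `podman-sea-red-auth-proxy` line order the units after a unit that does not exist — the systemd unit is `network-online.target` — so systemd ignores the dependency and both proxies can still start before the network is up. Use `after = [ "network-online.target" ]; wants = [ "network-online.target" ];` for each; `wants` is what actually pulls the target into the transaction, `after` alone only orders against it. The surrounding `config = {` attrset continues outside the hunk.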
@@ -14,14 +14,15 @@ let secrets = config.fudo.secrets.host-secrets.france; secret-files = config.fudo.secrets.files; - letsencrypt-full-chain = name: chain: pkgs.stdenv.mkDerivation { - name = "${name}-letsencrypt-full-chain.pem"; - phases = "installPhase"; - installPhase = '' - cat ${chain} > $out - cat ${pkgs.letsencrypt-ca}/ca.pem >> $out - ''; - }; + letsencrypt-full-chain = name: chain: + pkgs.stdenv.mkDerivation { + name = "${name}-letsencrypt-full-chain.pem"; + phases = "installPhase"; + installPhase = '' + cat ${chain} > $out + cat ${pkgs.letsencrypt-ca}/ca.pem >> $out + ''; + }; in { # imports = let @@ -88,21 +89,17 @@ in { }; fudo = let - backplane-dns-password-file = pkgs.lib.passwd.stablerandom-passwd-file - "dns-service-backplane-passwd" + backplane-dns-password-file = + pkgs.lib.passwd.stablerandom-passwd-file "dns-service-backplane-passwd" "dns-service-backplane-passwd-${config.instance.build-seed}"; in { hosts.france.external-interfaces = [ "extif0" ]; acme.host-domains.france."france.fudo.org" = { - email = "admin@fudo.org"; + admin-email = "admin@fudo.org"; local-copies = { - postgres = { - user = "postgres"; - }; - openldap = { - user = config.services.openldap.user; - }; + postgres = { user = "postgres"; }; + openldap = { user = config.services.openldap.user; }; }; }; 
@@ -142,93 +139,93 @@ in { external-interface = "extif0"; }; - # france = { - # ldap = let - # cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.openldap; - # chain = "${letsencrypt-full-chain "openldap-france" cert-copy.chain}"; - # in { - # ssl-certificate = cert-copy.certificate; - # ssl-private-key = cert-copy.private-key; - # ssl-ca-certificate = chain; - # keytab = secrets.ldap-keytab.target-file; - # root-password-file = secrets.ldap-root-passwd.target-file; - # }; + # france = { + # ldap = let + # cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.openldap; + # chain = "${letsencrypt-full-chain "openldap-france" cert-copy.chain}"; + # in { + # ssl-certificate = cert-copy.certificate; + # ssl-private-key = cert-copy.private-key; + # ssl-ca-certificate = chain; + # keytab = secrets.ldap-keytab.target-file; + # root-password-file = secrets.ldap-root-passwd.target-file; + # }; - # kdc = { - # state-directory = "/state/kerberos"; - # master-key-file = secret-files.realm-master-keys."FUDO.ORG"; - # listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; - # }; + # kdc = { + # state-directory = "/state/kerberos"; + # master-key-file = secret-files.realm-master-keys."FUDO.ORG"; + # listen-ips = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ]; + # }; - # jabber = { - # ldap-servers = [ "france.fudo.org" ]; - # listen-ips = [ primary-ip ]; + # jabber = { + # ldap-servers = [ "france.fudo.org" ]; + # listen-ips = [ primary-ip ]; - # backplane = { - # host-passwd-files = let - # hosts = attrNames config.fudo.hosts; - # in mapAttrs (hostname: hostOpts: hostOpts.backplane-password-file) - # config.fudo.hosts; - # service-passwd-files = { - # dns = backplane-dns-password-file; - # }; - # }; - # }; + # backplane = { + # host-passwd-files = let + # hosts = attrNames config.fudo.hosts; + # in mapAttrs (hostname: hostOpts: hostOpts.backplane-password-file) + # config.fudo.hosts; + # service-passwd-files = { + # dns = 
backplane-dns-password-file; + # }; + # }; + # }; - # backplane-server = { - # listen-ips = [ primary-ip ]; - # backplane-dns-password-file = - # secrets.backplane-dns-password.target-file; - # }; + # backplane-server = { + # listen-ips = [ primary-ip ]; + # backplane-dns-password-file = + # secrets.backplane-dns-password.target-file; + # }; - # mail = { - # mail-directory = "${mail-directory}/mailboxes"; - # state-directory = "${mail-directory}/var"; - # ldap-server-urls = [ - # "ldap://france.fudo.org" - # ]; - # }; + # mail = { + # mail-directory = "${mail-directory}/mailboxes"; + # state-directory = "${mail-directory}/var"; + # ldap-server-urls = [ + # "ldap://france.fudo.org" + # ]; + # }; - # webmail = { - # mail-server = mail-hostname; - # database.hostname = "localhost"; - # }; + # webmail = { + # mail-server = mail-hostname; + # database.hostname = "localhost"; + # }; - # git = { - # repository-directory = "/state/gitea/repo"; - # state-directory = "/state/gitea/state"; - # ssh.listen-ip = git-server-ip; - # database-host = "localhost"; - # }; + # git = { + # repository-directory = "/state/gitea/repo"; + # state-directory = "/state/gitea/state"; + # ssh.listen-ip = git-server-ip; + # database-host = "localhost"; + # }; - # postgresql = let - # cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.postgres; - # in { - # keytab = secrets.postgres-keytab.target-file; - # ssl-certificate = cert-copy.certificate; - # ssl-private-key = cert-copy.private-key; - # }; + # postgresql = let + # cert-copy = config.fudo.acme.host-domains.france."france.fudo.org".local-copies.postgres; + # in { + # keytab = secrets.postgres-keytab.target-file; + # ssl-certificate = cert-copy.certificate; + # ssl-private-key = cert-copy.private-key; + # }; - # dns = { - # default-host = primary-ip; - # listen-ip = primary-ip; - # mail-hosts = [ "mail.fudo.org" ]; - # }; + # dns = { + # default-host = primary-ip; + # listen-ip = primary-ip; + # mail-hosts = [ 
"mail.fudo.org" ]; + # }; - # chat = { - # chat-hostname = "chat.fudo.org"; - # mail-server = "mail.fudo.org"; - # database-host = "localhost"; - # }; - # }; + # chat = { + # chat-hostname = "chat.fudo.org"; + # mail-server = "mail.fudo.org"; + # database-host = "localhost"; + # }; + # }; - # minecraft-server = { - # enable = true; - # package = pkgs.minecraft-current; - # data-dir = "/state/minecraft/selbyland"; - # world-name = "selbyland"; - # motd = "Welcome to the Selby Minecraft server."; - # }; + # minecraft-server = { + # enable = true; + # package = pkgs.minecraft-current; + # data-dir = "/state/minecraft/selbyland"; + # world-name = "selbyland"; + # motd = "Welcome to the Selby Minecraft server."; + # }; }; networking = { @@ -240,12 +237,10 @@ in { }]; }; extif0 = { - ipv4.addresses = [ - { - address = primary-ip; - prefixLength = 28; - } - ]; + ipv4.addresses = [{ + address = primary-ip; + prefixLength = 28; + }]; }; }; }; diff --git a/config/host-config/germany.nix b/config/host-config/germany.nix index a5c66ec..0a9ba80 100644 --- a/config/host-config/germany.nix +++ b/config/host-config/germany.nix @@ -14,20 +14,25 @@ let in { config = { networking = { - enableIPv6 = true; + enableIPv6 = false; + useDHCP = false; nameservers = [ "1.1.1.1" ]; defaultGateway = { - interface = "extif0"; + interface = "enp5s0f0"; address = site.gateway-v4; }; interfaces = { - extif0 = { + enp5s0f0 = { ipv4.addresses = [{ address = primary-ip; prefixLength = 28; }]; }; }; + firewall = { + enable = false; + interfaces."podman+".allowedUDPPorts = [ 53 ]; + }; }; systemd = { 
@@ -80,17 +85,19 @@ in { arion.backend = "podman-socket"; }; + services.lemmyDocker.state-directory = "/state/services/lemmy"; + fudo = { client.dns = { ipv4 = true; ipv6 = true; user = "fudo-client"; - external-interface = "extif0"; + external-interface = "enp5s0f0"; }; mail.state-directory = "/state/services/mail"; - nsd.zones."fudo.org".outgoingInterface = "extif0"; + nsd.zones."fudo.org".outgoingInterface = "enp5s0f0"; # Necessary because germany isn't the default yet postgresql = { @@ -106,6 +113,7 @@ in { authoritative-dns.state-directory = "/state/services/dns"; jabber.state-directory = "/state/services/jabber"; logging.loki.state-directory = "/state/services/loki"; + mail-server.state-directory = "/state/services/mail"; metrics = { prometheus.state-directory = "/state/services/prometheus"; grafana.state-directory = "/state/services/grafana"; @@ -117,6 +125,7 @@ in { principals = [ "postgres/${hostFqdn}" ]; }; }; + matrix.state-directory = "/state/services/matrix"; }; }; }; diff --git a/config/host-config/jazz.nix b/config/host-config/jazz.nix index c25b358..38660f4 100644 --- a/config/host-config/jazz.nix +++ b/config/host-config/jazz.nix @@ -41,7 +41,7 @@ in { fonts.fontconfig = { hinting = { enable = true; - style = "hintfull"; + style = "full"; }; subpixel.lcdfilter = "default"; antialias = true; diff --git a/config/host-config/legatus.nix b/config/host-config/legatus.nix index 4026ded..b96dc73 100644 --- a/config/host-config/legatus.nix +++ b/config/host-config/legatus.nix @@ -35,9 +35,9 @@ in { security.acme.defaults.email = "admin@legatus.fudo.org"; systemd.tmpfiles.rules = [ - "L /etc/adjtime - - - - /state/etc/adjtime" + "L /etc/adjtime - - - - /state/etc/adjtime" "d /state/services/podman/volumes 0700 root root - -" - "d /state/services/acme 0755 acme acme - -" + "d /state/services/acme 0755 acme acme - -" ]; fileSystems = { 
@@ -49,8 +49,6 @@ in { environment.systemPackages = local-packages; - # networking.firewall.allowedTCPPorts = [ 80 443 ]; - # informis.cl-gemini = { # enable = true; @@ -63,24 +61,8 @@ in { services = { mastodonContainer.state-directory = "/state/services/mastodon"; - lemmyDocker = { - enable = true; - hostname = "lemmy.fudo.org"; - site-name = "Fudo Lemmy"; - version = "0.18"; - state-directory = "/state/services/lemmy"; - smtp-server = "mail.fudo.org:587"; - docker-images = { - pictrs = "asonix/pictrs:0.4"; - postgres = "postgres:15-alpine"; - }; - }; authentikContainer.state-directory = "/state/services/authentik"; nextcloudContainer.state-directory = "/state/services/nextcloud"; - nginx.virtualHosts."fudo.org" = { - enableACME = true; - forceSSL = true; - }; }; virtualisation = { @@ -98,12 +80,8 @@ in { services = { auth = { - ldap.state-directory = "/state/auth/ldap"; - kerberos = { - state-directory = "/state/auth/kerberos"; - # master-key-file = host-secrets.heimdal-master-key.target-file; - # ipropd-keytab = host-secrets.heimdal-ipropd-keytab.target-file; - }; + ldap.state-directory = "/state/services/ldap"; + kerberos.state-directory = "/state/services/heimdal-kdc"; }; chat = { 
@@ -112,40 +90,6 @@ in { }; nexus.dns-server.listen-addresses = [ host-ipv4 ]; - - # lemmy = { - # enable = true; - # hostname = "lemmy.fudo.org"; - # }; - - matrix.state-directory = "/state/services/matrix"; - }; - - secrets.host-secrets.legatus = let files = config.fudo.secrets.files; - in { - # postgres-keytab = { - # source-file = files.service-keytabs.procul.postgres; - # target-file = "/srv/postgres/secure/postgres.keytab"; - # user = "root"; - # }; - - # gitea-database-password = { - # source-file = files.service-passwords.procul.gitea-database; - # target-file = "/srv/gitea/secure/database.passwd"; - # user = config.fudo.git.user; - # }; - - # heimdal-master-key = { - # source-file = files.realm-master-keys."FUDO.ORG"; - # target-file = "/run/heimdal/master-key"; - # user = config.fudo.auth.kdc.user; - # }; - - # heimdal-ipropd-keytab = { - # source-file = files.service-keytabs.legatus.ipropd; - # target-file = "/run/heimdal/ipropd.keytab"; - # user = config.fudo.auth.kdc.user; - # }; }; client.dns = { diff --git a/config/host-config/limina.nix b/config/host-config/limina.nix index b93f43b..88032cf 100644 --- a/config/host-config/limina.nix +++ b/config/host-config/limina.nix @@ -58,8 +58,12 @@ in { # }; firewall = { + enable = true; allowedTCPPorts = [ 80 443 25565 config.services.murmur.port ]; allowedUDPPorts = [ 25565 34197 ]; + extraCommands = '' + iptables -A INPUT -s 141.98.7.36 -j DROP + ''; }; nat.forwardPorts = [ diff --git a/config/host-config/nostromo.nix b/config/host-config/nostromo.nix index 8749c99..f21c0f6 100644 --- a/config/host-config/nostromo.nix +++ b/config/host-config/nostromo.nix 
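Review bot: `iptables -A INPUT -s 141.98.7.36 -j DROP` in `extraCommands` appends straight to the `INPUT` chain, which the NixOS firewall scripts do not flush on stop or restart, so each restart of `firewall.service` likely stacks another copy of the rule and nothing removes it when the firewall is stopped; the module expects a matching `extraStopCommands = "iptables -D INPUT -s 141.98.7.36 -j DROP || true";`. A one-line comment recording why this address is dropped and when the rule can go would keep it from becoming a permanent mystery entry in the ruleset.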
@@ -75,20 +75,10 @@ in { "export-projects.mount" ]; }; - - grafana = { - requires = [ "postgresql.service" ]; - bindsTo = [ "postgresql.service" ]; - }; }; }; - fudo = let - grafana-database-passwd-file = pkgs.lib.passwd.stablerandom-passwd-file - "grafana-database-nostromo-password" - "grafana-database-nostromo-password-${config.instance.build-seed}"; - - host-secrets = config.fudo.secrets.host-secrets.${hostname}; + fudo = let host-secrets = config.fudo.secrets.host-secrets."${hostname}"; in { secrets.host-secrets.${hostname} = { pricebot-auth-token = { @@ -117,7 +107,6 @@ in { metrics.grafana = { state-directory = "/state/services/grafana"; smtp.hostname = "mail.fudo.org"; - ldap.base-dn = "dc=fudo,dc=org"; }; postgresql = { @@ -135,8 +124,6 @@ in { enable = true; local-networks = config.instance.local-networks; state-directory = "/state/services/postgresql"; - - databases.grafana.users = config.instance.local-admins; }; services.gitea-container = { @@ -146,10 +133,6 @@ in { state-directory = "/state/services/gitea"; trusted-networks = config.instance.local-networks; openid-urls = [ "https://authentik.fudo.org/" ]; - secret-key-file = - pkgs.lib.passwd.stablerandom-passwd-file "gitea-seattle-secret-key" - config.instance.build-seed; - networking = { interface = "eno2"; ipv4 = { diff --git a/config/host-config/nutboy3.nix b/config/host-config/nutboy3.nix index f06b001..e085a08 100644 --- a/config/host-config/nutboy3.nix +++ b/config/host-config/nutboy3.nix @@ -193,16 +193,5 @@ in { # loadLatestSave = true; # package = pkgs.factorio-headless-experimental; # }; - - services.nginx.virtualHosts = { - "selby.ca" = { - enableACME = true; - locations."/".return = "301 https://selbyhomecentre.com$request_uri"; - }; - "www.selby.ca" = { - enableACME = true; - locations."/".return = "301 https://selbyhomecentre.com$request_uri"; - }; - }; }; } diff --git a/config/host-config/nutboy3/cashew.nix b/config/host-config/nutboy3/cashew.nix index e86cdd9..065ad58 100644 
--- a/config/host-config/nutboy3/cashew.nix +++ b/config/host-config/nutboy3/cashew.nix @@ -138,6 +138,7 @@ in { groups = { wheel.members = [ "niten" "reaper" ]; dns = { members = [ "niten" "reaper" "named" ]; }; + fudo.members = [ "niten" "reaper" ]; }; }; diff --git a/config/host-config/system3.nix b/config/host-config/system3.nix index 7f6e9f9..2a10e95 100644 --- a/config/host-config/system3.nix +++ b/config/host-config/system3.nix @@ -10,17 +10,23 @@ let config = { containers.tester = { autoStart = true; - # hostAddress = "10.0.0.14"; + # localAddress = "10.0.0.14"; additionalCapabilities = [ "CAP_NET_ADMIN" ]; # privateNetwork = true; macvlans = [ "enp7s0" ]; - # hostBridge = "tester0"; + #hostBridge = "tester0"; + #hostAddress = "10.0.0.14"; + #privateNetwork = true; config = { imports = [ pkgs.moduleRegistry.authoritativeDns ]; services.openssh.enable = true; - users.users.niten = config.users.users.niten; + users = let groupName = config.users.users.niten.group; + in { + users.niten = config.users.users.niten; + groups."${groupName}" = config.users.groups."${groupName}"; + }; services.authoritative-dns = { enable = true; @@ -40,12 +46,16 @@ let allowedTCPPorts = [ 22 53 ]; allowedUDPPorts = [ 53 ]; }; - interfaces = { - mv-enp7s0.ipv4.addresses = [{ - address = "10.0.0.14"; - prefixLength = 24; - }]; - }; + # interfaces.eth0 = { + # ipv4.addresses = [{ + # address = "10.0.0.14"; + # prefixLength = 24; + # }]; + # }; + interfaces.mv-enp7s0.ipv4.addresses = [{ + address = "10.0.0.14"; + prefixLength = 24; + }]; }; }; }; @@ -118,7 +128,7 @@ in { fonts.fontconfig = { hinting = { enable = true; - style = "hintfull"; + style = "full"; }; subpixel.lcdfilter = "default"; antialias = true; @@ -132,7 +142,7 @@ in { hardware = { bluetooth = { enable = true; - package = pkgs.bluezFull; + package = pkgs.bluez; }; xpadneo.enable = true; }; diff --git a/config/host-config/toothless.nix b/config/host-config/toothless.nix index 44d12af..f6b4cf0 100644 
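Review bot: `users.niten = config.users.users.niten;` mirrors the entire host user definition — including whatever password hash, authorized keys and group memberships it carries — into the `tester` container, and the new `groups."${groupName}"` copy exists only to make that mirror evaluate. For a DNS test container a minimal inline account (name, `isNormalUser`, only the keys needed) would expose less if the container is reachable on the macvlan; at minimum a comment explaining why the full host account is replicated would help. The accumulating commented-out alternatives (`#hostBridge`, `#hostAddress`, `#privateNetwork`, `# interfaces.eth0`) read as scratch state and could be collapsed into one line naming the networking mode in use. The `containers.tester` definition continues outside the hunk.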
--- a/config/host-config/toothless.nix +++ b/config/host-config/toothless.nix @@ -20,6 +20,7 @@ in { prefixLength = 16; }]; }; + firewall.enable = false; }; security.sudo.extraConfig = '' diff --git a/config/profile-config/common.nix b/config/profile-config/common.nix index 4f49e92..22caef2 100644 --- a/config/profile-config/common.nix +++ b/config/profile-config/common.nix @@ -47,8 +47,6 @@ in { }; }; - nixpkgs.config.allowUnfree = true; - hardware.enableAllFirmware = true; services = { diff --git a/config/service/authoritative-dns.nix b/config/service/authoritative-dns.nix index daa378d..951a522 100644 --- a/config/service/authoritative-dns.nix +++ b/config/service/authoritative-dns.nix @@ -46,6 +46,7 @@ let imports = [ pkgs.moduleRegistry.authoritativeDns ]; nixpkgs.pkgs = pkgs; networking = { + enableIPv6 = false; defaultGateway = { address = getSiteGatewayV4 siteName; interface = "mv-${cfg.container.interface}"; @@ -57,8 +58,7 @@ let }; interfaces."mv-${cfg.container.interface}" = { ipv4.addresses = optional (nameserverDeets.ipv4-address != null) { - address = trace "IP ADDRESS: ${nameserverDeets.ipv4-address}" - nameserverDeets.ipv4-address; + address = nameserverDeets.ipv4-address; prefixLength = getSiteV4PrefixLength siteName; }; ipv6.addresses = optional (nameserverDeets.ipv6-address != null) { @@ -224,6 +224,7 @@ in { }; }; }); + default = null; }; enable-notifications = @@ -283,7 +284,6 @@ in { nameValuePair (zoneKeySecret zone) { source-file = zoneCfg.ksk.private-key; target-file = "/run/nsd/${baseNameOf zoneCfg.ksk.private-key}"; - user = config.fudo.nsd.user; }) (filterAttrs (_: zoneCfg: zoneCfg.ksk != null) cfg.zones); zones = mapAttrs (zone-name: zoneCfg: diff --git a/config/service/gitea-container.nix b/config/service/gitea-container.nix index 6e4a544..c60b6f7 100644 --- a/config/service/gitea-container.nix +++ b/config/service/gitea-container.nix 
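Review bot: Dropping `user = config.fudo.nsd.user;` from the zone KSK secret means `/run/nsd/${baseNameOf zoneCfg.ksk.private-key}` is now installed with whatever owner the host-secrets module defaults to; if that default is root with a restrictive mode, nsd running as its own user cannot read its DNSSEC signing key, and if the default is looser the key is readable by more than nsd. Whichever applies, a one-line comment at this spot naming the intended owner and how nsd gets read access would make the choice auditable. The expression containing this `nameValuePair` starts before the hunk.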
@@ -22,12 +22,6 @@ in { description = "Path at which to store Gitea state."; }; - secret-key-file = mkOption { - type = str; - description = - "Path to file containing Gitea secret key, for encrypting secrets."; - }; - trusted-networks = mkOption { type = listOf str; description = @@ -131,7 +125,6 @@ in { service.DISABLE_REGISTRATION = true; security = { INSTALL_LOCK = true; - SECRET_KEY = "file:${cfg.secret-key-file}"; LOGIN_REMEMBER_DAYS = 30; }; metrics.ENABLED = cfg.trusted-networks != [ ]; @@ -153,11 +146,12 @@ in { }; openid = { ENABLE_OPENID_SIGNIN = true; - WHITELISTED_URIS = cfg.openid-urls; + WHITELISTED_URIS = concatStringsSep "," cfg.openid-urls; }; oauth2_client = { REGISTER_EMAIL_CONFIRM = false; - OPENID_CONNECT_SCOPES = [ "email" "profile" ]; + OPENID_CONNECT_SCOPES = + concatStringsSep "," [ "email" "profile" ]; ENABLE_AUTO_REGISTRATION = true; USERNAME = "email"; UPDATE_AVATAR = true; @@ -194,11 +188,14 @@ in { # enableACME = true; # forceSSL = true; locations."/".proxyPass = "http://127.0.0.1:8080"; - locations."/metrics" = mkIf (cfg.trusted-networks != [ ]) (let - networkAllowClauses = - map (net: "allow ${net};") cfg.trusted-networks; - in concatStringsSep "\n" - (networkAllowClauses ++ [ "deny all;" ])); + locations."/metrics" = mkIf (cfg.trusted-networks != [ ]) { + proxyPass = "http://127.0.0.1:8080/metrics"; + extraConfig = let + networkAllowClauses = + map (net: "allow ${net};") cfg.trusted-networks; + in concatStringsSep "\n" + (networkAllowClauses ++ [ "deny all;" ]); + }; }; }; }; diff --git a/config/service/mail-server.nix b/config/service/mail-server.nix index 246e73e..4b18a5d 100644 --- a/config/service/mail-server.nix +++ b/config/service/mail-server.nix @@ -20,7 +20,7 @@ let isLocalMailserver = domain-name == mailserver-domain-name; - metricsEnabled = mailserver-domain.prometheus-hosts != [ ]; + metricsEnabled = !isNull mailserver-domain.metrics; host-certs = config.fudo.acme.host-domains.${hostname}; 
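Review bot: Removing `SECRET_KEY = "file:${cfg.secret-key-file}"` together with the `secret-key-file` option (hunks `@@ -22,12 +22,6 @@` and `@@ -131,7 +125,6 @@`) means this module no longer controls the key Gitea uses to encrypt stored credentials; presumably the service now generates one into its state directory on first start. For an instance that was deployed with the file-based key, that switch makes values encrypted under the old key unreadable unless the same key is carried over, and the generated key has to live on the persisted `state-directory` rather than on ephemeral container storage. A comment on the `security` block, e.g. `# SECRET_KEY is generated by Gitea into the state directory; back it up together with the state`, would make the new source of truth explicit.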
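Review bot: The `allow ${net};` … `deny all;` list in `locations."/metrics".extraConfig` is evaluated against the peer address nginx sees on the socket; with `enableACME`/`forceSSL` commented out just above, this vhost looks like it sits behind another TLS-terminating proxy, in which case every request arrives from that proxy's address and the list either blocks all scrapers or, if the proxy's network is in `trusted-networks`, admits anyone the proxy forwards. If that is the topology, the vhost needs `set_real_ip_from <upstream proxy address>;` and `real_ip_header X-Forwarded-For;` (or equivalent) before the allow list reflects the scraper's real address. A comment noting that the same `trusted-networks` list also gates Gitea's `metrics.ENABLED` would document why the two stay in sync.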
@@ -28,13 +28,20 @@ in { options.fudo.services.mail-server = with types; { debug = mkEnableOption "Enable debug options for mailserver."; + enable = mkOption { + type = bool; + default = true; + description = + "Temporary -- allow disabling mail server (in favor of mail container)."; + }; + state-directory = mkOption { type = str; description = "Directory at which to store mailserver state."; }; }; - config = mkIf hasMailServer { + config = mkIf (hasMailServer && cfg.enable) { services.nginx = mkIf (isMailServer && metricsEnabled) { enable = true; recommendedOptimisation = true; @@ -106,17 +113,6 @@ in { in { aliases = mkIf metricsEnabled { mail-stats = "${mailserver-fqdn}."; }; - # srv-records.tcp = { - # pop3 = srv-record mailserver-fqdn 110; - # pop3s = srv-record mailserver-fqdn 995; - - # imap = srv-record mailserver-fqdn 143; - # imaps = srv-record mailserver-fqdn 993; - - # smtp = srv-record mailserver-fqdn 25; - # submission = srv-record mailserver-fqdn 587; - # }; - metric-records = mkIf metricsEnabled (genAttrs [ "dovecot" "postfix" "rspamd" ] (_: srv-record "mail-stats" 443)); diff --git a/config/service/metrics.nix b/config/service/metrics.nix index 7d69998..a938791 100644 --- a/config/service/metrics.nix +++ b/config/service/metrics.nix 
@@ -3,54 +3,28 @@ with lib; let hostname = config.instance.hostname; - domain-name = config.fudo.hosts."${hostname}".domain; - domain = config.fudo.domains."${domain-name}"; + domainName = config.fudo.hosts."${hostname}".domain; + domain = config.fudo.domains."${domainName}"; - host-secrets = config.fudo.secrets.host-secrets."${hostname}"; + inherit (pkgs.lib) getHostIpv4 getHostIpv6 getHostFqdn; - notEmpty = lst: (length lst) > 0; + hostSecrets = config.fudo.secrets.host-secrets."${hostname}"; - metricsEnabled = notEmpty domain.prometheus-hosts; - metricsScraper = elem hostname domain.prometheus-hosts; - metricsMonitor = elem hostname domain.grafana-hosts; + metricsEnabled = !isNull domain.metrics; + isPrometheus = hostname == domain.metrics.prometheus-host; + isGrafana = hostname == domain.metrics.grafana-host; - prometheus-cfg = config.fudo.services.metrics.prometheus; - grafana-cfg = config.fudo.services.metrics.grafana; + grafanaHost = domain.metrics.grafana-host; + prometheusHost = domain.metrics.prometheus-host; - host-fqdn = hostname: - let host-domain = config.fudo.hosts.${hostname}.domain; - in "${hostname}.${host-domain}"; - - host-auth-fqdn = hostname: "${host-fqdn hostname}."; - - make-alias-map = type: hosts: - listToAttrs - (imap0 (i: hostname: nameValuePair hostname "${type}-${toString i}") hosts); - - headOrNull = lst: if notEmpty lst then head lst else null; - - metrics-master = headOrNull domain.prometheus-hosts; - - monitor-master = headOrNull domain.grafana-hosts; - - metrics-alias-map = make-alias-map "metrics" domain.prometheus-hosts; - - monitor-alias-map = make-alias-map "monitor" domain.grafana-hosts; - - alias-map-to-cnames = - mapAttrs' (hostname: alias: nameValuePair alias (host-auth-fqdn hostname)); - - alias-map-to-hostnames = - mapAttrsToList (hostname: alias: "${alias}.${domain-name}"); + prometheusCfg = config.fudo.services.metrics.prometheus; + grafanaCfg = config.fudo.services.metrics.grafana; + privateNetwork = 
config.fudo.services.metrics.private-network; grafana-smtp-password-file = pkgs.lib.passwd.stablerandom-passwd-file "grafana-smtp-passwd" config.instance.build-seed; - grafana-auth-password-file = - pkgs.lib.passwd.stablerandom-passwd-file "grafana-auth-passwd" - config.instance.build-seed; - grafana-admin-password-file = pkgs.lib.passwd.stablerandom-passwd-file "grafana-admin-passwd" config.instance.build-seed; @@ -59,25 +33,14 @@ let pkgs.lib.passwd.stablerandom-passwd-file "grafana-secret-key" config.instance.build-seed; - grafana-database-password-file = - pkgs.lib.passwd.stablerandom-passwd-file "grafana-database-postgres" - config.instance.build-seed; - - site = let site-name = config.fudo.hosts."${hostname}".site; - in config.fudo.sites."${site-name}"; - - is-private-network = site.local-gateway != null; - - domainToBaseDn = domain: - concatStringsSep "," (map (el: "dc=${el}") (splitString "." domain)); - - ldapEnabled = domain.ldap-servers != [ ]; - - isPostgresServer = config.instance.hostname == domain.postgresql-server; - postgresServer = pkgs.lib.getHostFqdn domain.postgresql-server; - in { options.fudo.services.metrics = with types; { + private-network = mkOption { + type = bool; + description = "Network is private, encryption not required."; + default = false; + }; + prometheus = { static-targets = mkOption { type = attrsOf (listOf str); @@ -86,6 +49,7 @@ in { example = { dovecot = [ "my.host.name:1111" ]; }; default = { }; }; + state-directory = mkOption { type = str; description = "Path at which to store Prometheus state."; @@ -99,6 +63,7 @@ in { description = "Username from which to send Grafana alerts."; default = "monitor"; }; + hostname = mkOption { type = str; description = "Hostname of the SMTP host."; 
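Review bot: `grafana-smtp-password-file` survives in the `let` block (a context line of this hunk) but its only consumers — the `grafana-smtp-password` host secret and the `services.grafana.smtp` block — are removed in the later hunk `@@ -159,189 +109,131 @@`, so it is now dead code, and the still-declared `fudo.services.metrics.grafana.smtp.username`/`hostname` options (hunk `@@ -99,6 +63,7 @@`) no longer affect anything, leaving Grafana alert e-mail silently unconfigured. Either drop the binding and the `smtp` options, or mark them with `# TODO: smtp options are not wired to Grafana since the OAuth rewrite` so nobody sets them expecting alerts. Separately, `!isNull domain.metrics` uses the deprecated `isNull` builtin; `domain.metrics != null` is the current idiom (the same applies to the mail-server and `grafanaCfg.oauth` checks elsewhere in this patch).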
@@ -106,50 +71,35 @@ in { }; }; - ldap = let base-dn = domainToBaseDn config.instance.local-domain; - in { - base-dn = mkOption { - type = str; - description = "DN under which to search for users."; - default = base-dn; - }; + oauth = let + oauthOpts.options = { + hostname = mkOption { + type = str; + description = "Host of the OAuth server."; + }; - bind-user = mkOption { - type = str; - description = "DN as which to bind to the LDAP server."; - default = "grafana_reader"; - }; + client-id = mkOption { + type = str; + description = + "Path to file containing the Grafana OAuth client ID."; + }; - bind-passwd = mkOption { - type = nullOr str; - description = "Path to file with bind password. Generated if null."; - default = null; + client-secret = mkOption { + type = str; + description = + "Path to file containing the Grafana OAuth client secret."; + }; + + slug = mkOption { + type = str; + description = "The application slug on the OAuth server."; + }; }; + in mkOption { + type = nullOr (submodule oauthOpts); + default = null; }; - # database = { - # hostname = mkOption { - # type = str; - # description = "Hostname of the postgresql database."; - # default = "localhost"; - # }; - # user = mkOption { - # type = str; - # description = - # "Username as which to authenticate to the postgresql database."; - # }; - # password-file = mkOption { - # type = str; - # description = - # "Password file (on the target host) which to authenticate to the postgresql database."; - # }; - # name = mkOption { - # type = str; - # description = "Database name."; - # default = "grafana"; - # }; - # }; - state-directory = mkOption { type = str; description = "Path at which to store Grafana state."; 
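Review bot: The `client-id` and `client-secret` options are described as "Path to file containing …" but are plain `str`, and the description does not say where the file lives; it should state that the path refers to a file on the target host and must not be given as a Nix path or a `"${./file}"` interpolation, since either would copy the secret into the world-readable Nix store. A description such as `Path on the target host to a file containing the OAuth client secret; do not use a store path.` on `client-secret` (and the matching wording on `client-id`) makes the intent clear, and `hostname`/`slug` would benefit from an `example` showing the expected form.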
@@ -159,189 +109,131 @@ in { }; config = mkIf metricsEnabled { + fudo = { - system-users = { - "${grafana-cfg.smtp.username}" = { - description = "Grafana Alerts"; - ldap-hashed-password = - pkgs.lib.passwd.hash-ldap-passwd "grafana-smtp-passwd" - grafana-smtp-password-file; - }; - - "${grafana-cfg.ldap.bind-user}" = mkIf ((domain.ldap-servers != [ ]) - && (grafana-cfg.ldap.bind-passwd == null)) { - description = "Grafana Authentication Reader"; - ldap-hashed-password = - pkgs.lib.passwd.hash-ldap-passwd "grafana-auth-passwd" - grafana-auth-password-file; - }; - }; - secrets.host-secrets = let grafana-user = config.systemd.services.grafana.serviceConfig.User; in { "${hostname}" = { - grafana-smtp-password = mkIf metricsMonitor { - source-file = grafana-smtp-password-file; - target-file = "/run/metrics/grafana/smtp.passwd"; - user = grafana-user; - }; - - grafana-admin-password = mkIf metricsMonitor { + grafana-admin-password = mkIf isGrafana { source-file = grafana-admin-password-file; target-file = "/run/metrics/grafana/admin.passwd"; user = grafana-user; }; - grafana-secret-key = mkIf metricsMonitor { + grafana-secret-key = mkIf isGrafana { source-file = grafana-secret-key-file; target-file = "/run/metrics/grafana/secret.key"; user = grafana-user; }; - grafana-postgresql-password = mkIf metricsMonitor { - source-file = grafana-database-password-file; - target-file = "/run/metrics/grafana/postgres.passwd"; + grafana-client-id = mkIf (isGrafana && !isNull grafanaCfg.oauth) { + source-file = grafanaCfg.oauth.client-id; + target-file = "/run/metrics/grafana/oauth-client-id"; user = grafana-user; }; - postgresql-grafana-password = mkIf isPostgresServer { - source-file = grafana-database-password-file; - target-file = "/run/postgres-users/grafana.passwd"; - user = config.systemd.services.postgresql.serviceConfig.User; - }; + grafana-client-secret = + mkIf (isGrafana && !isNull grafanaCfg.oauth) { + source-file = grafanaCfg.oauth.client-secret; + target-file = 
"/run/metrics/grafana/oauth-client-secret"; + user = grafana-user; + }; }; }; zones."${domain.zone}" = { - aliases = let - metrics-aliases = alias-map-to-cnames metrics-alias-map; - monitor-aliases = alias-map-to-cnames monitor-alias-map; - metrics-master-cname = optionalAttrs (metrics-master != null) { - metrics = "${metrics-master}.${domain-name}."; + hosts = { + grafana = { + ipv4-address = getHostIpv4 grafanaHost; + ipv6-address = getHostIpv6 grafanaHost; + description = "Grafana Metrics Analysis on ${grafanaHost}."; }; - monitor-master-cname = optionalAttrs (monitor-master != null) { - monitor = "${monitor-master}.${domain-name}."; + prometheus = { + ipv4-address = getHostIpv4 prometheusHost; + ipv6-address = getHostIpv6 prometheusHost; + description = "Prometheus Metrics Aggregator on ${prometheusHost}."; }; - in metrics-aliases // monitor-aliases // metrics-master-cname - // monitor-master-cname; + }; + + aliases = { + metrics = "prometheus.${domainName}"; + monitor = "grafana.${domainName}"; + }; metric-records = let - domain-hosts = filterAttrs (hostname: hostOpts: - hostOpts.domain == domain-name && hostOpts.nixos-system) + domainHosts = filterAttrs (hostname: hostOpts: + hostOpts.domain == domainName && hostOpts.nixos-system) config.fudo.hosts; in { node = map (hostname: { - host = "${hostname}.${domain-name}"; - port = if is-private-network then 80 else 443; - }) (attrNames domain-hosts); + host = getHostFqdn hostname; + port = if privateNetwork then 80 else 443; + }) (attrNames domainHosts); }; }; - postgresql = mkIf isPostgresServer { - users.grafana = { - password-file = host-secrets.postgresql-grafana-password.target-file; - databases.grafana = { - access = "CONNECT"; - entity-access = { - "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; - # "SELECT,INSERT,UPDATE,DELETE"; - "ALL SEQUENCES IN SCHEMA public" = "ALL PRIVILEGES"; - # "SELECT, UPDATE"; - }; - }; - }; - databases.grafana.users = config.instance.local-admins; - }; - metrics = { 
node-exporter = { enable = true; - hostname = host-fqdn hostname; - private-network = is-private-network; + hostname = getHostFqdn hostname; + private-network = privateNetwork; }; - prometheus = mkIf metricsScraper { + prometheus = mkIf isPrometheus { enable = true; service-discovery-dns = { - node = [ "node._metrics._tcp.${domain-name}" ]; + node = [ "node._metrics._tcp.${domainName}" ]; }; - static-targets = prometheus-cfg.static-targets; - hostname = let alias = metrics-alias-map.${hostname}; - in "${alias}.${domain-name}"; - state-directory = prometheus-cfg.state-directory; - private-network = is-private-network; + static-targets = prometheusCfg.static-targets; + hostname = "prometheus.${domainName}"; + state-directory = prometheusCfg.state-directory; + private-network = privateNetwork; }; + }; - grafana = mkIf metricsMonitor { - enable = true; - hostname = let alias = monitor-alias-map.${hostname}; - in "${alias}.${domain-name}"; - smtp = let cfg = grafana-cfg.smtp; - in { - username = cfg.username; - password-file = host-secrets.grafana-smtp-password.target-file; - hostname = cfg.hostname; - email = "${cfg.username}@${domain-name}"; + services.grafana = mkIf isGrafana { + enable = true; + state-directory = grafanaCfg.state-directory; + base-url = let scheme = if privateNetwork then "http" else "https"; + in "${scheme}://grafana.${domainName}"; + admin-password-file = hostSecrets.grafana-admin-password.target-file; + secret-key-file = hostSecrets.grafana-secret-key.target-file; + datasources = { + "${domainName}" = { + url = let scheme = if privateNetwork then "http" else "https"; + in "${scheme}://prometheus.${domainName}"; + type = "prometheus"; + default = true; }; - database = let cfg = grafana-cfg.database; - in { - name = "grafana"; - user = "grafana"; - password-file = - host-secrets.grafana-postgresql-password.target-file; - hostname = postgresServer; - }; - ldap = mkIf (domain.ldap-servers != [ ]) { - hosts = map host-fqdn domain.ldap-servers; - 
base-dn = grafana-cfg.ldap.base-dn; - bind-dn = - "cn=${grafana-cfg.ldap.bind-user},${grafana-cfg.ldap.base-dn}"; - bind-passwd = if (grafana-cfg.ldap.bind-passwd != null) then - grafana-cfg.ldap.bind-passwd - else - (readFile grafana-auth-password-file); - }; - admin-password-file = host-secrets.grafana-admin-password.target-file; - secret-key-file = host-secrets.grafana-secret-key.target-file; - datasources = let - scheme = if is-private-network then "http" else "https"; - host-config = hostname: { - url = "${scheme}://${hostname}.${domain-name}"; - type = "prometheus"; - default = hostname == "metrics-0"; - }; - in listToAttrs - (map (host: nameValuePair "prometheus-${host}" (host-config host)) - (attrValues metrics-alias-map)); - state-directory = grafana-cfg.state-directory; - private-network = is-private-network; + }; + oauth = mkIf (!isNull grafanaCfg.oauth) { + inherit (grafanaCfg.oauth) hostname slug; + client-id = hostSecrets.grafana-client-id.target-file; + client-secret = hostSecrets.grafana-client-secret.target-file; }; }; }; - services.nginx = - mkIf (hostname == metrics-master || hostname == monitor-master) { - enable = true; - recommendedOptimisation = true; - recommendedProxySettings = true; + services.nginx = mkIf (isPrometheus || isGrafana) { + enable = true; + recommendedOptimisation = true; + recommendedProxySettings = true; - virtualHosts = - let scheme = if is-private-network then "http" else "https"; - in { - "metrics.${domain-name}" = mkIf (hostname == metrics-master) { - enableACME = !is-private-network; - forceSSL = !is-private-network; - locations."/".return = let alias = metrics-alias-map.${hostname}; - in "301 ${scheme}://${alias}.${domain-name}$request_uri"; - }; - "monitor.${domain-name}" = mkIf (hostname == monitor-master) { - enableACME = !is-private-network; - forceSSL = !is-private-network; - locations."/".return = let alias = monitor-alias-map.${hostname}; - in "301 ${scheme}://${alias}.${domain-name}$request_uri"; - }; - }; + 
virtualHosts = let scheme = if privateNetwork then "http" else "https"; + in { + "metrics.${domainName}".locations."/".return = + "302 http://prometheus.${domainName}"; + "monitor.${domainName}".locations."/".return = + "302 http://grafana.${domainName}"; + + "grafana.${domainName}" = { + enableACME = !privateNetwork; + forceSSL = !privateNetwork; + locations."/".proxyPass = + "http://localhost:${toString config.fudo.services.grafana.port}"; + }; }; + }; }; } diff --git a/config/site-config/seattle.nix b/config/site-config/seattle.nix index ae75e06..71180fd 100644 --- a/config/site-config/seattle.nix +++ b/config/site-config/seattle.nix @@ -3,14 +3,6 @@ with lib; let local-domain = "sea.fudo.org"; in { - # imports = [ ./seattle/authelia.nix ./seattle/keycloak.nix ]; - imports = [ - # (import ./seattle/authentik.nix { - # authentikHost = "nostromo"; - # proxyHost = "limina"; - # externalHostname = "authentik.fudo.link"; - # }) - ]; config = { fudo = { @@ -63,16 +55,6 @@ in { }; fileSystems = { - # "/mnt/documents" = { - # device = "whitedwarf.${local-domain}:/volume1/Documents"; - # fsType = "nfs4"; - # options = [ "comment=systemd.automount" ]; - # }; - # "/mnt/downloads" = { - # device = "whitedwarf.${local-domain}:/volume1/Downloads"; - # fsType = "nfs4"; - # options = [ "comment=systemd.automount" ]; - # }; "/mnt/music" = { device = "doraemon.${local-domain}:/volume1/Music"; fsType = "nfs"; @@ -83,10 +65,6 @@ in { fsType = "nfs"; options = [ "comment=systemd.automount" ]; }; - # fileSystems."/mnt/security" = { - # device = "panopticon.${local-domain}:/srv/kerberos/data"; - # fsType = "nfs4"; - # }; "/mnt/cargo_video" = { device = "cargo.${local-domain}:/volume1/video"; fsType = "nfs4"; 
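Review bot: In the `services.nginx.virtualHosts` block, `scheme` is computed from `privateNetwork` but never used: both `metrics.${domainName}` and `monitor.${domainName}` redirect to hard-coded `http://` targets, and the previous code's `$request_uri` suffix is gone, so on a public network a visitor to `https://monitor.…/some/dashboard` is bounced to plain `http://grafana.…/` and only the grafana vhost's `forceSSL` gets them back onto TLS. The two legacy vhosts also no longer set `enableACME`/`forceSSL` (the old `metrics.`/`monitor.` vhosts did), so they answer on port 80 only. Using `scheme`, preserving the request URI and restoring the ACME/forceSSL pair on the redirect hosts keeps the old behaviour; note too that these vhosts are created on whichever of the prometheus or grafana hosts evaluates this block, including a `grafana.${domainName}` proxy on a prometheus-only host, which probably wants `mkIf isGrafana`. The enclosing `config = mkIf metricsEnabled` block starts outside this hunk.
```nix
virtualHosts = let
  scheme = if privateNetwork then "http" else "https";
  redirectTo = target: {
    enableACME = !privateNetwork;
    forceSSL = !privateNetwork;
    locations."/".return =
      "302 ${scheme}://${target}.${domainName}$request_uri";
  };
in {
  "metrics.${domainName}" = redirectTo "prometheus";
  "monitor.${domainName}" = redirectTo "grafana";

  "grafana.${domainName}" = mkIf isGrafana {
    # … unchanged: enableACME / forceSSL / proxyPass to the local grafana port …
  };
};
```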
@@ -98,41 +76,21 @@ in { options = [ "sec=krb5i" "x-systemd.automount" ]; }; - # "proto=tcp" - # # NOTE: these are pointing directly to nostromo so the krb lookup works "/net/documents" = { device = "nostromo.${local-domain}:/export/documents"; fsType = "nfs4"; - options = [ - "sec=krb5p" - "x-systemd.automount" - # "vers=4" - # "minorversion=2" - # "proto=tcp" - ]; + options = [ "sec=krb5p" "x-systemd.automount" ]; }; "/net/downloads" = { device = "nostromo.${local-domain}:/export/downloads"; fsType = "nfs4"; - options = [ - "sec=krb5i" - "x-systemd.automount" - # "vers=4" - # "minorversion=2" - # "proto=tcp" - ]; + options = [ "sec=krb5i" "x-systemd.automount" ]; }; "/net/projects" = { device = "nostromo.${local-domain}:/export/projects"; fsType = "nfs4"; - options = [ - "sec=krb5p" - "x-systemd.automount" - # "vers=4" - # "minorversion=2" - # "proto=tcp" - ]; + options = [ "sec=krb5p" "x-systemd.automount" ]; }; }; diff --git a/config/user-config.nix b/config/user-config.nix index d40869a..45d3cb4 100644 --- a/config/user-config.nix +++ b/config/user-config.nix @@ -1,12 +1,10 @@ { config, lib, pkgs, ... }: -with lib; -{ +with lib; { config = let filterExistingUsers = users: group-members: let user-list = attrNames users; - in filter (username: elem username user-list) - group-members; + in filter (username: elem username user-list) group-members; hostname = config.instance.hostname; host-cfg = config.fudo.hosts.${hostname}; @@ -14,8 +12,8 @@ with lib; sys = config.instance; in { fudo.auth.ldap-server = { - users = filterAttrs - (username: userOpts: userOpts.ldap-hashed-passwd != null) + users = + filterAttrs (username: userOpts: userOpts.ldap-hashed-passwd != null) config.fudo.users; groups = config.fudo.groups; 
@@ -29,14 +27,10 @@ with lib; ''; environment.etc = mapAttrs' (username: userOpts: - nameValuePair - "ssh/private_keys.d/${username}" - { - text = concatStringsSep "\n" - (map (keypair: readFile keypair.public-key) - userOpts.ssh-keys); - }) - sys.local-users; + nameValuePair "ssh/private_keys.d/${username}" { + text = concatStringsSep "\n" + (map (keypair: readFile keypair.public-key) userOpts.ssh-keys); + }) sys.local-users; users = { users = mapAttrs (username: userOpts: { @@ -47,8 +41,8 @@ with lib; group = userOpts.primary-group; home = if (userOpts.home-directory != null) then userOpts.home-directory - else - "/home/${userOpts.primary-group}/${username}"; + else + "/home/${userOpts.primary-group}/${username}"; hashedPassword = userOpts.login-hashed-passwd; openssh.authorizedKeys.keys = userOpts.ssh-authorized-keys; }) sys.local-users; @@ -57,8 +51,7 @@ with lib; gid = groupOpts.gid; members = filterExistingUsers sys.local-users groupOpts.members; }) sys.local-groups) // { - wheel = { members = sys.local-admins; }; - docker = mkIf (host-cfg.docker-server) { members = sys.local-admins; }; + wheel.members = sys.local-admins; }; }; @@ -73,9 +66,7 @@ with lib; # Domain = local-domain; "Local-Realms" = local-realm; }; - Translation = { - GSS-Methods = "static"; - }; + Translation = { GSS-Methods = "static"; }; Static = let generate-admin-entry = admin: userOpts: nameValuePair "${admin}/root@${local-realm}" "root"; @@ -84,8 +75,7 @@ with lib; admin-entries = mapAttrs' generate-admin-entry (getAttrs local-admins local-users); - user-entries = - mapAttrs' generate-user-entry local-users; + user-entries = mapAttrs' generate-user-entry local-users; in admin-entries // user-entries; }; 
@@ -94,6 +84,7 @@ with lib; groups-with-members = attrNames (filterAttrs (group: groupOpts: (length groupOpts.members) > 0) sys.local-groups); - in map (group: "d /home/${group} 550 root ${group} - -") groups-with-members; + in map (group: "d /home/${group} 550 root ${group} - -") + groups-with-members; }; } diff --git a/config/users.nix b/config/users.nix index 0f02896..0f07948 100644 --- a/config/users.nix +++ b/config/users.nix @@ -5,7 +5,7 @@ with lib; { users = { niten = { uid = 10000; - primary-group = "admin"; + primary-group = "fudo"; common-name = "Peter Selby"; given-name = "Peter"; surname = "Selby"; @@ -139,7 +139,7 @@ with lib; { reaper = { uid = 10049; - primary-group = "admin"; + primary-group = "fudo"; common-name = "Jonathan Stewart"; given-name = "Jonathan"; surname = "Stewart"; diff --git a/flake.lock b/flake.lock index 45bd4aa..13a3901 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ ] }, "locked": { - "lastModified": 1701196744, - "narHash": "sha256-ZCuplnqMIIPs5zCPgYEp+m7mHqFh8Fy0lJD3ybZ/h0w=", + "lastModified": 1703950660, + "narHash": "sha256-GgynJdQ6KngwFBd4YbMYbwesyOiMTZAFymsStE0PSfM=", "owner": "hercules-ci", "repo": "arion", - "rev": "39030b95666e018230dc9b85d76dc6e5b617ab87", + "rev": "f295eabd25b7c894ab405be784e2a010f83fde55", "type": "github" }, "original": { 
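Review bot: Switching `primary-group` from `"admin"` to `"fudo"` for niten and reaper requires a `fudo` group to be declared wherever these users are instantiated; this patch adds it only in cashew.nix (`fudo.members = [ "niten" "reaper" ]`) and mirrors the primary group into the system3 tester container, so any other host or container that builds these users from `config/users.nix` may fail to evaluate or end up with a user whose group does not exist. The `/home/${group}` tmpfiles rule in user-config.nix (mode 550, `root:${group}`) also only creates `/home/fudo` when a `fudo` entry with members is present in `sys.local-groups`; otherwise the default `home = "/home/fudo/<user>"` has no parent directory. A short comment next to `primary-group` naming where the group is defined would make the dependency visible.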
@@ -25,17 +25,17 @@ }, "arion_2": { "inputs": { - "flake-parts": "flake-parts_4", - "haskell-flake": "haskell-flake_3", + "flake-parts": "flake-parts_3", + "haskell-flake": "haskell-flake_2", "hercules-ci-effects": "hercules-ci-effects_2", - "nixpkgs": "nixpkgs_5" + "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1701196744, - "narHash": "sha256-ZCuplnqMIIPs5zCPgYEp+m7mHqFh8Fy0lJD3ybZ/h0w=", + "lastModified": 1703950660, + "narHash": "sha256-GgynJdQ6KngwFBd4YbMYbwesyOiMTZAFymsStE0PSfM=", "owner": "hercules-ci", "repo": "arion", - "rev": "39030b95666e018230dc9b85d76dc6e5b617ab87", + "rev": "f295eabd25b7c894ab405be784e2a010f83fde55", "type": "github" }, "original": { @@ -46,17 +46,37 @@ }, "arion_3": { "inputs": { - "flake-parts": "flake-parts_7", - "haskell-flake": "haskell-flake_5", + "flake-parts": "flake-parts_5", + "haskell-flake": "haskell-flake_3", "hercules-ci-effects": "hercules-ci-effects_3", - "nixpkgs": "nixpkgs_19" + "nixpkgs": "nixpkgs_16" }, "locked": { - "lastModified": 1701196744, - "narHash": "sha256-ZCuplnqMIIPs5zCPgYEp+m7mHqFh8Fy0lJD3ybZ/h0w=", + "lastModified": 1703950660, + "narHash": "sha256-GgynJdQ6KngwFBd4YbMYbwesyOiMTZAFymsStE0PSfM=", "owner": "hercules-ci", "repo": "arion", - "rev": "39030b95666e018230dc9b85d76dc6e5b617ab87", + "rev": "f295eabd25b7c894ab405be784e2a010f83fde55", + "type": "github" + }, + "original": { + "id": "arion", + "type": "indirect" + } + }, + "arion_4": { + "inputs": { + "flake-parts": "flake-parts_7", + "haskell-flake": "haskell-flake_4", + "hercules-ci-effects": "hercules-ci-effects_4", + "nixpkgs": "nixpkgs_17" + }, + "locked": { + "lastModified": 1703950660, + "narHash": "sha256-GgynJdQ6KngwFBd4YbMYbwesyOiMTZAFymsStE0PSfM=", + "owner": "hercules-ci", + "repo": "arion", + "rev": "f295eabd25b7c894ab405be784e2a010f83fde55", "type": "github" }, "original": { 
@@ -75,11 +95,11 @@ ] }, "locked": { - "lastModified": 1701468840, - "narHash": "sha256-g20HI6QFYCm9+QSvqith/2nHOr8w6u6/8t+Su5bOgy4=", + "lastModified": 1704566338, + "narHash": "sha256-ofTCDtJwR2xoLlCVQpA4f1pO0sOrz3SCB5CniP3NU8g=", "ref": "refs/heads/master", - "rev": "799fd044465e903120df2ae33a315cc752eda0d6", - "revCount": 20, + "rev": "6d14ff1999b4f5767bddcc1fea1e9138ef9f8ff5", + "revCount": 21, "type": "git", "url": "https://git.fudo.org/fudo-nix/authentik-container.git" }, @@ -556,7 +576,7 @@ "clj2nix": { "inputs": { "flake-compat": "flake-compat", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "utils": "utils" }, "locked": { @@ -576,7 +596,7 @@ "clj2nix_10": { "inputs": { "flake-compat": "flake-compat_11", - "nixpkgs": "nixpkgs_21", + "nixpkgs": "nixpkgs_19", "utils": "utils_25" }, "locked": { @@ -596,7 +616,7 @@ "clj2nix_11": { "inputs": { "flake-compat": "flake-compat_12", - "nixpkgs": "nixpkgs_22", + "nixpkgs": "nixpkgs_20", "utils": "utils_28" }, "locked": { @@ -616,7 +636,7 @@ "clj2nix_12": { "inputs": { "flake-compat": "flake-compat_13", - "nixpkgs": "nixpkgs_24", + "nixpkgs": "nixpkgs_22", "utils": "utils_34" }, "locked": { @@ -636,7 +656,7 @@ "clj2nix_13": { "inputs": { "flake-compat": "flake-compat_14", - "nixpkgs": "nixpkgs_25", + "nixpkgs": "nixpkgs_23", "utils": "utils_37" }, "locked": { @@ -656,7 +676,7 @@ "clj2nix_14": { "inputs": { "flake-compat": "flake-compat_15", - "nixpkgs": "nixpkgs_26", + "nixpkgs": "nixpkgs_24", "utils": "utils_40" }, "locked": { @@ -676,7 +696,7 @@ "clj2nix_15": { "inputs": { "flake-compat": "flake-compat_16", - "nixpkgs": "nixpkgs_27", + "nixpkgs": "nixpkgs_25", "utils": "utils_42" }, "locked": { @@ -696,7 +716,7 @@ "clj2nix_2": { "inputs": { "flake-compat": "flake-compat_2", - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_2", "utils": "utils_3" }, "locked": { 
@@ -716,7 +736,7 @@ "clj2nix_3": { "inputs": { "flake-compat": "flake-compat_4", - "nixpkgs": "nixpkgs_6", + "nixpkgs": "nixpkgs_4", "utils": "utils_5" }, "locked": { @@ -736,7 +756,7 @@ "clj2nix_4": { "inputs": { "flake-compat": "flake-compat_5", - "nixpkgs": "nixpkgs_8", + "nixpkgs": "nixpkgs_6", "utils": "utils_7" }, "locked": { @@ -756,7 +776,7 @@ "clj2nix_5": { "inputs": { "flake-compat": "flake-compat_6", - "nixpkgs": "nixpkgs_11", + "nixpkgs": "nixpkgs_9", "utils": "utils_9" }, "locked": { @@ -776,7 +796,7 @@ "clj2nix_6": { "inputs": { "flake-compat": "flake-compat_7", - "nixpkgs": "nixpkgs_13", + "nixpkgs": "nixpkgs_11", "utils": "utils_11" }, "locked": { @@ -796,7 +816,7 @@ "clj2nix_7": { "inputs": { "flake-compat": "flake-compat_8", - "nixpkgs": "nixpkgs_14", + "nixpkgs": "nixpkgs_12", "utils": "utils_14" }, "locked": { @@ -816,7 +836,7 @@ "clj2nix_8": { "inputs": { "flake-compat": "flake-compat_9", - "nixpkgs": "nixpkgs_15", + "nixpkgs": "nixpkgs_13", "utils": "utils_17" }, "locked": { @@ -836,7 +856,7 @@ "clj2nix_9": { "inputs": { "flake-compat": "flake-compat_10", - "nixpkgs": "nixpkgs_20", + "nixpkgs": "nixpkgs_18", "utils": "utils_22" }, "locked": { @@ -1332,8 +1352,8 @@ "dnssec-ksks": { "flake": false, "locked": { - "lastModified": 1701289728, - "narHash": "sha256-BLTUmmiXcMwsKcU30myaBMnq1VfulNchzorPshlaBxQ=", + "lastModified": 1705301167, + "narHash": "sha256-5P3/MrvGDx1fAdowvKW9EelBIYqO6VIfff8dMMY3ctE=", "path": "/secrets/dnssec", "type": "path" }, @@ -1345,8 +1365,8 @@ "domain-secrets": { "flake": false, "locked": { - "lastModified": 1701451798, - "narHash": "sha256-Pk2zKPHHaOkToQ+ZkCpNdQTWlOVdldrijwTHYIYQiyI=", + "lastModified": 1705264542, + "narHash": "sha256-XnMrmFtapnkPHYHQPXuA8ceAijWDUv55XpM/yQVUVPo=", "path": "/secrets/domain-secrets", "type": "path" }, 
@@ -1469,14 +1489,14 @@ "entities": { "inputs": { "fudo-lib": "fudo-lib_4", - "nixpkgs": "nixpkgs_10" + "nixpkgs": "nixpkgs_8" }, "locked": { - "lastModified": 1701289452, - "narHash": "sha256-zQ9HNhGHR6HBBwcqJsesLsCG/CTFRer2Jyd4PvLERvo=", + "lastModified": 1705300819, + "narHash": "sha256-OvYO4+dJwWMOOPVU7MH1gDXyza8UN8RjjsTL+rzUJtA=", "ref": "refs/heads/master", - "rev": "2702e5b50fbcec8b69995bb5f2cc7b41189338bb", - "revCount": 207, + "rev": "1cb9f7805b8e69619410c44159a5c0d404cca81a", + "revCount": 225, "type": "git", "url": "https://git.fudo.org/fudo-nix/entities.git" }, @@ -1842,11 +1862,11 @@ ] }, "locked": { - "lastModified": 1675933616, - "narHash": "sha256-/rczJkJHtx16IFxMmAWu5nNYcSXNg1YYXTHoGjLrLUA=", + "lastModified": 1701473968, + "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "47478a4a003e745402acf63be7f9a092d51b83d7", + "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", "type": "github" }, "original": { @@ -1857,14 +1877,18 @@ }, "flake-parts_2": { "inputs": { - "nixpkgs-lib": "nixpkgs-lib" + "nixpkgs-lib": [ + "arion", + "hercules-ci-effects", + "nixpkgs" + ] }, "locked": { - "lastModified": 1688466019, - "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", + "lastModified": 1696343447, + "narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", + "rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4", "type": "github" }, "original": { 
@@ -1875,18 +1899,17 @@ "flake-parts_3": { "inputs": { "nixpkgs-lib": [ + "frigate-container", "arion", - "hercules-ci-effects", - "hercules-ci-agent", "nixpkgs" ] }, "locked": { - "lastModified": 1688466019, - "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", + "lastModified": 1701473968, + "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", + "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", "type": "github" }, "original": { @@ -1900,33 +1923,16 @@ "nixpkgs-lib": [ "frigate-container", "arion", + "hercules-ci-effects", "nixpkgs" ] }, "locked": { - "lastModified": 1675933616, - "narHash": "sha256-/rczJkJHtx16IFxMmAWu5nNYcSXNg1YYXTHoGjLrLUA=", + "lastModified": 1696343447, + "narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "47478a4a003e745402acf63be7f9a092d51b83d7", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_5": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_2" - }, - "locked": { - "lastModified": 1688466019, - "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", + "rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4", "type": "github" }, "original": { 
@@ -1934,22 +1940,20 @@ "type": "indirect" } }, - "flake-parts_6": { + "flake-parts_5": { "inputs": { "nixpkgs-lib": [ - "frigate-container", + "grafana-module", "arion", - "hercules-ci-effects", - "hercules-ci-agent", "nixpkgs" ] }, "locked": { - "lastModified": 1688466019, - "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", + "lastModified": 1701473968, + "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", + "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", "type": "github" }, "original": { @@ -1958,6 +1962,28 @@ "type": "github" } }, + "flake-parts_6": { + "inputs": { + "nixpkgs-lib": [ + "grafana-module", + "arion", + "hercules-ci-effects", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1696343447, + "narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4", + "type": "github" + }, + "original": { + "id": "flake-parts", + "type": "indirect" + } + }, "flake-parts_7": { "inputs": { "nixpkgs-lib": [ @@ -1967,11 +1993,11 @@ ] }, "locked": { - "lastModified": 1675933616, - "narHash": "sha256-/rczJkJHtx16IFxMmAWu5nNYcSXNg1YYXTHoGjLrLUA=", + "lastModified": 1701473968, + "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "47478a4a003e745402acf63be7f9a092d51b83d7", + "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", "type": "github" }, "original": { 
@@ -1982,14 +2008,19 @@ }, "flake-parts_8": { "inputs": { - "nixpkgs-lib": "nixpkgs-lib_3" + "nixpkgs-lib": [ + "mail-server", + "arion", + "hercules-ci-effects", + "nixpkgs" + ] }, "locked": { - "lastModified": 1688466019, - "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", + "lastModified": 1696343447, + "narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", + "rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4", "type": "github" }, "original": { @@ -1997,30 +2028,6 @@ "type": "indirect" } }, - "flake-parts_9": { - "inputs": { - "nixpkgs-lib": [ - "mail-server", - "arion", - "hercules-ci-effects", - "hercules-ci-agent", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1688466019, - "narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "flake-utils": { "inputs": { "systems": "systems" @@ -2340,11 +2347,11 @@ ] }, "locked": { - "lastModified": 1701668465, - "narHash": "sha256-BbvMoFJIwfNtjLfHYbwVjJ/ImNcOB74nkJQ+kQ6Oa/E=", + "lastModified": 1705300819, + "narHash": "sha256-OvYO4+dJwWMOOPVU7MH1gDXyza8UN8RjjsTL+rzUJtA=", "ref": "refs/heads/master", - "rev": "17edbe8436aeb23bd5f8a22cabfa837bcd913955", - "revCount": 212, + "rev": "1cb9f7805b8e69619410c44159a5c0d404cca81a", + "revCount": 225, "type": "git", "url": "https://git.fudo.org/fudo-nix/entities.git" }, 
@@ -2365,11 +2372,11 @@ ] }, "locked": { - "lastModified": 1701721194, - "narHash": "sha256-wGO4YajCCJKxvSZfa099didLmL90cySLB9FYhBNaU3o=", + "lastModified": 1705010387, + "narHash": "sha256-SAQz8BYOAmRAXYQ4SmZzNP9tcvImF3VkSNFwVRlv94I=", "ref": "refs/heads/master", - "rev": "e341ba3b2236de5a109d10dfbb2aa7cd7e29d283", - "revCount": 407, + "rev": "814780b6d8cd767aa6725b67d804b53d1e8c30d2", + "revCount": 456, "type": "git", "url": "https://git.fudo.org/fudo-nix/home.git" }, @@ -2410,11 +2417,11 @@ }, "fudo-lib_3": { "locked": { - "lastModified": 1701117898, - "narHash": "sha256-tw8fml3PTK4lJNd79ZBbzR5nnepoXHX1i/hFpKjWsyU=", + "lastModified": 1705184348, + "narHash": "sha256-d44DVCpKPTQ9Tdbc6s/sPoA6qVbLCPBxYzwZYP02jB8=", "ref": "refs/heads/master", - "rev": "cf4b24da9941d208ff67868f52b2b1c97313e380", - "revCount": 178, + "rev": "16a105a24e51db9e962f5d85ff7779a7925ba0a9", + "revCount": 215, "type": "git", "url": "https://git.fudo.org/fudo-nix/lib.git" }, @@ -2444,11 +2451,11 @@ "unstableNixpkgs": "unstableNixpkgs" }, "locked": { - "lastModified": 1700531038, - "narHash": "sha256-AAAYO9Skf78FiTkMLyUlQ14dBKCWO8CNW/OdGr6GK1k=", + "lastModified": 1703103386, + "narHash": "sha256-+hQr7V6rVfG1wt49kkC3BgbLnsOkSfuJLCEo/ERjIfE=", "ref": "refs/heads/master", - "rev": "dfc2c766878dc27ddf7cac8e241fa62238a3883d", - "revCount": 250, + "rev": "f975b9b4d0c0187cf70ff3f533486ca30c471083", + "revCount": 260, "type": "git", "url": "https://git.fudo.org/fudo-nix/pkgs.git" }, @@ -2463,11 +2470,11 @@ "unstableNixpkgs": "unstableNixpkgs_2" }, "locked": { - "lastModified": 1700531038, - "narHash": "sha256-AAAYO9Skf78FiTkMLyUlQ14dBKCWO8CNW/OdGr6GK1k=", + "lastModified": 1703103386, + "narHash": "sha256-+hQr7V6rVfG1wt49kkC3BgbLnsOkSfuJLCEo/ERjIfE=", "ref": "refs/heads/master", - "rev": "dfc2c766878dc27ddf7cac8e241fa62238a3883d", - "revCount": 250, + "rev": "f975b9b4d0c0187cf70ff3f533486ca30c471083", + "revCount": 260, "type": "git", "url": "https://git.fudo.org/fudo-nix/pkgs.git" }, 
@@ -2482,11 +2489,11 @@ "unstableNixpkgs": "unstableNixpkgs_3" }, "locked": { - "lastModified": 1700531038, - "narHash": "sha256-AAAYO9Skf78FiTkMLyUlQ14dBKCWO8CNW/OdGr6GK1k=", + "lastModified": 1703103386, + "narHash": "sha256-+hQr7V6rVfG1wt49kkC3BgbLnsOkSfuJLCEo/ERjIfE=", "ref": "refs/heads/master", - "rev": "dfc2c766878dc27ddf7cac8e241fa62238a3883d", - "revCount": 250, + "rev": "f975b9b4d0c0187cf70ff3f533486ca30c471083", + "revCount": 260, "type": "git", "url": "https://git.fudo.org/fudo-nix/pkgs.git" }, @@ -2506,7 +2513,7 @@ "filesystem-keys": "filesystem-keys", "fudo-pkgs": "fudo-pkgs_3", "nexus": "nexus", - "nixpkgs": "nixpkgs_17", + "nixpkgs": "nixpkgs_15", "service-passwords": "service-passwords", "service-secrets": "service-secrets", "site-secrets": "site-secrets", @@ -2514,8 +2521,8 @@ "utils": "utils_21" }, "locked": { - "lastModified": 1701464793, - "narHash": "sha256-uZX5EqmiAYxzfVbmHdaV4LiwPSVWvcLcaYy8aIfKvak=", + "lastModified": 1705426503, + "narHash": "sha256-OYtk0UKb7qb+9SdGlswLQjugIO6aQ3IgdAIntXd9tx0=", "path": "/secrets", "type": "path" }, @@ -2588,6 +2595,27 @@ "type": "github" } }, + "grafana-module": { + "inputs": { + "arion": "arion_3", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1702251866, + "narHash": "sha256-z9PQEk/1iIkS8rGSW8NIo6WpE4eTKPPAdRx2ANE/NeE=", + "ref": "refs/heads/master", + "rev": "f3b43259a40b2b46ca87614c590bf8d7d4fbbb8a", + "revCount": 7, + "type": "git", + "url": "https://git.fudo.org/fudo-public/grafana-module.git" + }, + "original": { + "type": "git", + "url": "https://git.fudo.org/fudo-public/grafana-module.git" + } + }, "haskell-flake": { "locked": { "lastModified": 1675296942, 
@@ -2606,16 +2634,16 @@ }, "haskell-flake_2": { "locked": { - "lastModified": 1684780604, - "narHash": "sha256-2uMZsewmRn7rRtAnnQNw1lj0uZBMh4m6Cs/7dV5YF08=", + "lastModified": 1675296942, + "narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=", "owner": "srid", "repo": "haskell-flake", - "rev": "74210fa80a49f1b6f67223debdbf1494596ff9f2", + "rev": "c2cafce9d57bfca41794dc3b99c593155006c71e", "type": "github" }, "original": { "owner": "srid", - "ref": "0.3.0", + "ref": "0.1.0", "repo": "haskell-flake", "type": "github" } @@ -2637,22 +2665,6 @@ } }, "haskell-flake_4": { - "locked": { - "lastModified": 1684780604, - "narHash": "sha256-2uMZsewmRn7rRtAnnQNw1lj0uZBMh4m6Cs/7dV5YF08=", - "owner": "srid", - "repo": "haskell-flake", - "rev": "74210fa80a49f1b6f67223debdbf1494596ff9f2", - "type": "github" - }, - "original": { - "owner": "srid", - "ref": "0.3.0", - "repo": "haskell-flake", - "type": "github" - } - }, - "haskell-flake_5": { "locked": { "lastModified": 1675296942, "narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=", @@ -2668,27 +2680,11 @@ "type": "github" } }, - "haskell-flake_6": { - "locked": { - "lastModified": 1684780604, - "narHash": "sha256-2uMZsewmRn7rRtAnnQNw1lj0uZBMh4m6Cs/7dV5YF08=", - "owner": "srid", - "repo": "haskell-flake", - "rev": "74210fa80a49f1b6f67223debdbf1494596ff9f2", - "type": "github" - }, - "original": { - "owner": "srid", - "ref": "0.3.0", - "repo": "haskell-flake", - "type": "github" - } - }, "helpers": { "inputs": { "clj-nix": "clj-nix", "clj2nix": "clj2nix_3", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_5", "utils": "utils_6" }, "locked": { @@ -2808,7 +2804,7 @@ "inputs": { "clj-nix": "clj-nix_2", "clj2nix": "clj2nix_4", - "nixpkgs": "nixpkgs_9", + "nixpkgs": "nixpkgs_7", "utils": "utils_8" }, "locked": { @@ -2829,7 +2825,7 @@ "inputs": { "clj-nix": "clj-nix_3", "clj2nix": "clj2nix_5", - "nixpkgs": "nixpkgs_12", + "nixpkgs": "nixpkgs_10", "utils": "utils_10" }, "locked": { 
@@ -2999,78 +2995,20 @@ "url": "https://git.fudo.org/fudo-public/nix-helpers.git" } }, - "hercules-ci-agent": { - "inputs": { - "flake-parts": "flake-parts_3", - "haskell-flake": "haskell-flake_2", - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1688568579, - "narHash": "sha256-ON0M56wtY/TIIGPkXDlJboAmuYwc73Hi8X9iJGtxOhM=", - "owner": "hercules-ci", - "repo": "hercules-ci-agent", - "rev": "367dd8cd649b57009a6502e878005a1e54ad78c5", - "type": "github" - }, - "original": { - "id": "hercules-ci-agent", - "type": "indirect" - } - }, - "hercules-ci-agent_2": { - "inputs": { - "flake-parts": "flake-parts_6", - "haskell-flake": "haskell-flake_4", - "nixpkgs": "nixpkgs_4" - }, - "locked": { - "lastModified": 1688568579, - "narHash": "sha256-ON0M56wtY/TIIGPkXDlJboAmuYwc73Hi8X9iJGtxOhM=", - "owner": "hercules-ci", - "repo": "hercules-ci-agent", - "rev": "367dd8cd649b57009a6502e878005a1e54ad78c5", - "type": "github" - }, - "original": { - "id": "hercules-ci-agent", - "type": "indirect" - } - }, - "hercules-ci-agent_3": { - "inputs": { - "flake-parts": "flake-parts_9", - "haskell-flake": "haskell-flake_6", - "nixpkgs": "nixpkgs_18" - }, - "locked": { - "lastModified": 1688568579, - "narHash": "sha256-ON0M56wtY/TIIGPkXDlJboAmuYwc73Hi8X9iJGtxOhM=", - "owner": "hercules-ci", - "repo": "hercules-ci-agent", - "rev": "367dd8cd649b57009a6502e878005a1e54ad78c5", - "type": "github" - }, - "original": { - "id": "hercules-ci-agent", - "type": "indirect" - } - }, "hercules-ci-effects": { "inputs": { "flake-parts": "flake-parts_2", - "hercules-ci-agent": "hercules-ci-agent", "nixpkgs": [ "arion", "nixpkgs" ] }, "locked": { - "lastModified": 1689397210, - "narHash": "sha256-fVxZnqxMbsDkB4GzGAs/B41K0wt/e+B/fLxmTFF/S20=", + "lastModified": 1701009247, + "narHash": "sha256-GuX16rzRze2y7CsewJLTV6qXkXWyEwp6VCZXi8HLruU=", "owner": "hercules-ci", "repo": "hercules-ci-effects", - "rev": "0a63bfa3f00a3775ea3a6722b247880f1ffe91ce", + "rev": "31b6cd7569191bfcd0a548575b0e2ef953ed7d09", 
"type": "github" }, "original": { @@ -3081,8 +3019,7 @@ }, "hercules-ci-effects_2": { "inputs": { - "flake-parts": "flake-parts_5", - "hercules-ci-agent": "hercules-ci-agent_2", + "flake-parts": "flake-parts_4", "nixpkgs": [ "frigate-container", "arion", @@ -3090,11 +3027,11 @@ ] }, "locked": { - "lastModified": 1689397210, - "narHash": "sha256-fVxZnqxMbsDkB4GzGAs/B41K0wt/e+B/fLxmTFF/S20=", + "lastModified": 1701009247, + "narHash": "sha256-GuX16rzRze2y7CsewJLTV6qXkXWyEwp6VCZXi8HLruU=", "owner": "hercules-ci", "repo": "hercules-ci-effects", - "rev": "0a63bfa3f00a3775ea3a6722b247880f1ffe91ce", + "rev": "31b6cd7569191bfcd0a548575b0e2ef953ed7d09", "type": "github" }, "original": { @@ -3104,9 +3041,31 @@ } }, "hercules-ci-effects_3": { + "inputs": { + "flake-parts": "flake-parts_6", + "nixpkgs": [ + "grafana-module", + "arion", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1701009247, + "narHash": "sha256-GuX16rzRze2y7CsewJLTV6qXkXWyEwp6VCZXi8HLruU=", + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "rev": "31b6cd7569191bfcd0a548575b0e2ef953ed7d09", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "type": "github" + } + }, + "hercules-ci-effects_4": { "inputs": { "flake-parts": "flake-parts_8", - "hercules-ci-agent": "hercules-ci-agent_3", "nixpkgs": [ "mail-server", "arion", @@ -3114,11 +3073,11 @@ ] }, "locked": { - "lastModified": 1689397210, - "narHash": "sha256-fVxZnqxMbsDkB4GzGAs/B41K0wt/e+B/fLxmTFF/S20=", + "lastModified": 1701009247, + "narHash": "sha256-GuX16rzRze2y7CsewJLTV6qXkXWyEwp6VCZXi8HLruU=", "owner": "hercules-ci", "repo": "hercules-ci-effects", - "rev": "0a63bfa3f00a3775ea3a6722b247880f1ffe91ce", + "rev": "31b6cd7569191bfcd0a548575b0e2ef953ed7d09", "type": "github" }, "original": { 
@@ -3135,16 +3094,16 @@ ] }, "locked": { - "lastModified": 1700392168, - "narHash": "sha256-v5LprEFx3u4+1vmds9K0/i7sHjT0IYGs7u9v54iz/OA=", + "lastModified": 1704980875, + "narHash": "sha256-IPZmMjk5f4TBbEpzUFBc3OC1W6OwDNEXk2w/0uVXX1o=", "owner": "nix-community", "repo": "home-manager", - "rev": "28535c3a34d79071f2ccb68671971ce0c0984d7e", + "rev": "5f0ab0eedc6ede69beb8f45561ffefa54edc6e65", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-23.05", + "ref": "release-23.11", "repo": "home-manager", "type": "github" } @@ -3159,11 +3118,11 @@ ] }, "locked": { - "lastModified": 1697145645, - "narHash": "sha256-9C8XTQCGqtU743ucveCp+i9fJcwlS1Cbq1zHowWBWCw=", + "lastModified": 1705445346, + "narHash": "sha256-W/8I9550ZvO4XKNeInM6M1L3GhJQFU8SYNGy/g56T4c=", "ref": "refs/heads/master", - "rev": "cfbb9007a79210147cc714876d6353ca2fc16ab4", - "revCount": 85, + "rev": "15781aebfed726faea25bf929777d082677ce9f7", + "revCount": 87, "type": "git", "url": "https://git.fudo.org/fudo-public/lemmy-docker.git" }, @@ -3174,17 +3133,17 @@ }, "mail-server": { "inputs": { - "arion": "arion_3", + "arion": "arion_4", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1697483748, - "narHash": "sha256-ISHzsRnuISnDzmCqxjfD/RIaHVV0CyenLll/dQHjEDo=", + "lastModified": 1705092647, + "narHash": "sha256-gTD5KIC8+gOY5BMyfRky+g4R2jmQ4EwA9Vb7V1Jg6Rc=", "ref": "refs/heads/master", - "rev": "bed75d392bf2829cdd674a608e74f0167a36e8b2", - "revCount": 250, + "rev": "7a9e23425975916ab7c6836c75f2c41a0c03d0b1", + "revCount": 257, "type": "git", "url": "https://git.fudo.org/fudo-public/mail-server.git" }, 
@@ -3203,11 +3162,11 @@ ] }, "locked": { - "lastModified": 1697731780, - "narHash": "sha256-J0cobvMii2EaS282zqkZ4dWnS43Rf31bSQl4taFlKbs=", + "lastModified": 1705448666, + "narHash": "sha256-TUIMJWUG27YuoJ5jiFVHfEVYX3mCyCFnsSiv9kYaSRk=", "ref": "refs/heads/master", - "rev": "628c81b2320cb19dafcc3a025588bc67e90a972a", - "revCount": 41, + "rev": "cbec5fe9e4dd0635f44cd343887eced846676921", + "revCount": 43, "type": "git", "url": "https://git.fudo.org/fudo-public/mastodon-container.git" }, @@ -3223,11 +3182,11 @@ ] }, "locked": { - "lastModified": 1695019560, - "narHash": "sha256-rS+Qs3FjEWOIdUDwG1SYbeS3o1GcQuUa9a21HCkYZHo=", + "lastModified": 1705436347, + "narHash": "sha256-oG617Kg8oTIKeRo3Tj4nt3Kwej4k0NH136Te4bPIMos=", "ref": "refs/heads/master", - "rev": "a086511d5dc0a5f780fbcd64879e6b3d9f939ccf", - "revCount": 18, + "rev": "1c1034ffe33e48ea02ca58a2d9fdbf37c8fc220f", + "revCount": 20, "type": "git", "url": "https://git.fudo.org/fudo-public/matrix-module.git" }, @@ -3246,11 +3205,11 @@ ] }, "locked": { - "lastModified": 1694028461, - "narHash": "sha256-wrxydLcHwHUi9nFirw/d/tzStuVrNoxnELZuR07zLrc=", + "lastModified": 1704673558, + "narHash": "sha256-OjVdyzSNbIK+i0PVepW+OQwtlUIWH2WrIqvf646WXK4=", "ref": "refs/heads/master", - "rev": "ae7bccb0c4d85f4c7877e4f0139236c152729211", - "revCount": 33, + "rev": "5a7ec9d47c2b68da24ce5e42ee5bf749a7306856", + "revCount": 34, "type": "git", "url": "https://git.fudo.org/fudo-public/nextcloud-container.git" }, @@ -3264,7 +3223,7 @@ "nexus-client": "nexus-client", "nexus-crypto": "nexus-crypto", "nexus-server": "nexus-server", - "nixpkgs": "nixpkgs_16", + "nixpkgs": "nixpkgs_14", "utils": "utils_20" }, "locked": { 
@@ -3449,11 +3408,11 @@ "niten-doom-config": { "flake": false, "locked": { - "lastModified": 1701721033, - "narHash": "sha256-CKiF65CntCah8xtxdc1eodzvo2G6RHI/PkK2Gd5ZPj0=", + "lastModified": 1704436447, + "narHash": "sha256-gGWK8aif/oe6LDheFgUtlicnSrnKL3NFpwd1S5jrops=", "ref": "refs/heads/master", - "rev": "f4ad408a0043b77ca1158fe0bed61f0dceb9b866", - "revCount": 70, + "rev": "97148ddf8ff2a2a70af1f08b38dd457e0384bd41", + "revCount": 87, "type": "git", "url": "https://git.fudo.org/niten/doom-emacs.git" }, 
@@ -3480,96 +3439,26 @@ }, "nixpkgs": { "locked": { - "lastModified": 1688322751, - "narHash": "sha256-eW62dC5f33oKZL7VWlomttbUnOTHrAbte9yNUNW8rbk=", + "lastModified": 1637881340, + "narHash": "sha256-/meU5CTm8GnaETZrJa0UqBQvk9T/jKp1+MLIQQ7FTTo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0fbe93c5a7cac99f90b60bdf5f149383daaa615f", + "rev": "d460f48ddb884f7270b7f7bfcbf8a7b91140caa5", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-lib": { - "locked": { - "dir": "lib", - "lastModified": 1688049487, - "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9", - "type": "github" - }, - "original": { - "dir": "lib", - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-lib_2": { - "locked": { - "dir": "lib", - "lastModified": 1688049487, - "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9", - "type": "github" - }, - "original": { - "dir": "lib", - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-lib_3": { - "locked": { - "dir": "lib", - "lastModified": 1688049487, - "narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9", - "type": "github" - }, - "original": { - "dir": "lib", - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs2111": { - "locked": { - "lastModified": 1659446231, - "narHash": "sha256-hekabNdTdgR/iLsgce5TGWmfIDZ86qjPhxDg/8TlzhE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "eabc38219184cc3e04a974fe31857d8e0eac098d", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": 
"nixos-21.11", - "type": "indirect" - } - }, "nixpkgsUnstable": { "locked": { - "lastModified": 1701436327, - "narHash": "sha256-tRHbnoNI8SIM5O5xuxOmtSLnswEByzmnQcGGyNRjxsE=", + "lastModified": 1705316053, + "narHash": "sha256-J2Ey5mPFT8gdfL2XC0JTZvKaBw/b2pnyudEXFvl+dQM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "91050ea1e57e50388fa87a3302ba12d188ef723a", + "rev": "c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370", "type": "github" }, "original": { @@ -3580,14 +3469,16 @@ }, "nixpkgs_10": { "locked": { - "lastModified": 1699291058, - "narHash": "sha256-5ggduoaAMPHUy4riL+OrlAZE14Kh7JWX4oLEs22ZqfU=", - "path": "/nix/store/3s69yxbbl116zwga3i6cy7prplywq0bn-source", - "rev": "41de143fda10e33be0f47eab2bfe08a50f234267", - "type": "path" + "lastModified": 1677624842, + "narHash": "sha256-4DF9DbDuK4/+KYx0L6XcPBeDHUFVCtzok2fWtwXtb5w=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d70f5cd5c3bef45f7f52698f39e7cc7a89daa7f0", + "type": "github" }, "original": { "id": "nixpkgs", + "ref": "nixos-22.11", "type": "indirect" } }, @@ -3608,17 +3499,17 @@ }, "nixpkgs_12": { "locked": { - "lastModified": 1677624842, - "narHash": "sha256-4DF9DbDuK4/+KYx0L6XcPBeDHUFVCtzok2fWtwXtb5w=", + "lastModified": 1673785507, + "narHash": "sha256-EPUT8yVdvJhhjhbgnFWXXd4IUPKSOmww2+z4AmOdyPI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d70f5cd5c3bef45f7f52698f39e7cc7a89daa7f0", + "rev": "d06d765eeac716d8f1ca80f0935fd6fc951816ad", "type": "github" }, "original": { - "id": "nixpkgs", - "ref": "nixos-22.11", - "type": "indirect" + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs_13": { 
@@ -3637,36 +3528,6 @@ } }, "nixpkgs_14": { - "locked": { - "lastModified": 1673785507, - "narHash": "sha256-EPUT8yVdvJhhjhbgnFWXXd4IUPKSOmww2+z4AmOdyPI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d06d765eeac716d8f1ca80f0935fd6fc951816ad", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_15": { - "locked": { - "lastModified": 1673785507, - "narHash": "sha256-EPUT8yVdvJhhjhbgnFWXXd4IUPKSOmww2+z4AmOdyPI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d06d765eeac716d8f1ca80f0935fd6fc951816ad", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_16": { "locked": { "lastModified": 1693771906, "narHash": "sha256-32EnPCaVjOiEERZ+o/2Ir7JH9pkfwJZJ27SKHNvt4yk=", @@ -3681,28 +3542,28 @@ "type": "indirect" } }, - "nixpkgs_17": { + "nixpkgs_15": { "locked": { - "lastModified": 1685573264, - "narHash": "sha256-Zffu01pONhs/pqH07cjlF10NnMDLok8ix5Uk4rhOnZQ=", + "lastModified": 1705183652, + "narHash": "sha256-rnfkyUH0x72oHfiSDhuCHDHg3gFgF+lF8zkkg5Zihsw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "380be19fbd2d9079f677978361792cb25e8a3635", + "rev": "428544ae95eec077c7f823b422afae5f174dee4b", "type": "github" }, "original": { "id": "nixpkgs", - "ref": "nixos-22.05", + "ref": "nixos-23.11", "type": "indirect" } }, - "nixpkgs_18": { + "nixpkgs_16": { "locked": { - "lastModified": 1688322751, - "narHash": "sha256-eW62dC5f33oKZL7VWlomttbUnOTHrAbte9yNUNW8rbk=", + "lastModified": 1701436327, + "narHash": "sha256-tRHbnoNI8SIM5O5xuxOmtSLnswEByzmnQcGGyNRjxsE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0fbe93c5a7cac99f90b60bdf5f149383daaa615f", + "rev": "91050ea1e57e50388fa87a3302ba12d188ef723a", "type": "github" }, "original": { 
@@ -3712,18 +3573,48 @@ "type": "github" } }, + "nixpkgs_17": { + "locked": { + "lastModified": 1701436327, + "narHash": "sha256-tRHbnoNI8SIM5O5xuxOmtSLnswEByzmnQcGGyNRjxsE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "91050ea1e57e50388fa87a3302ba12d188ef723a", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_18": { + "locked": { + "lastModified": 1673785507, + "narHash": "sha256-EPUT8yVdvJhhjhbgnFWXXd4IUPKSOmww2+z4AmOdyPI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d06d765eeac716d8f1ca80f0935fd6fc951816ad", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_19": { "locked": { - "lastModified": 1676300157, - "narHash": "sha256-1HjRzfp6LOLfcj/HJHdVKWAkX9QRAouoh6AjzJiIerU=", + "lastModified": 1673785507, + "narHash": "sha256-EPUT8yVdvJhhjhbgnFWXXd4IUPKSOmww2+z4AmOdyPI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "545c7a31e5dedea4a6d372712a18e00ce097d462", + "rev": "d06d765eeac716d8f1ca80f0935fd6fc951816ad", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -3760,17 +3651,17 @@ }, "nixpkgs_21": { "locked": { - "lastModified": 1673785507, - "narHash": "sha256-EPUT8yVdvJhhjhbgnFWXXd4IUPKSOmww2+z4AmOdyPI=", + "lastModified": 1705331948, + "narHash": "sha256-qjQXfvrAT1/RKDFAMdl8Hw3m4tLVvMCc8fMqzJv0pP4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d06d765eeac716d8f1ca80f0935fd6fc951816ad", + "rev": "b8dd8be3c790215716e7c12b247f45ca525867e2", "type": "github" }, "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "type": "github" + "id": "nixpkgs", + "ref": "nixos-23.11", + "type": "indirect" } }, "nixpkgs_22": { 
@@ -3790,17 +3681,17 @@ }, "nixpkgs_23": { "locked": { - "lastModified": 1701540982, - "narHash": "sha256-5ajSy6ODgGmAbmymRdHnjfVnuVrACjI8wXoGVvrtvww=", + "lastModified": 1673785507, + "narHash": "sha256-EPUT8yVdvJhhjhbgnFWXXd4IUPKSOmww2+z4AmOdyPI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6386d8aafc28b3a7ed03880a57bdc6eb4465491d", + "rev": "d06d765eeac716d8f1ca80f0935fd6fc951816ad", "type": "github" }, "original": { - "id": "nixpkgs", - "ref": "nixos-23.05", - "type": "indirect" + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs_24": { 
@@ -3833,81 +3724,50 @@ "type": "github" } }, - "nixpkgs_26": { - "locked": { - "lastModified": 1673785507, - "narHash": "sha256-EPUT8yVdvJhhjhbgnFWXXd4IUPKSOmww2+z4AmOdyPI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d06d765eeac716d8f1ca80f0935fd6fc951816ad", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_27": { - "locked": { - "lastModified": 1673785507, - "narHash": "sha256-EPUT8yVdvJhhjhbgnFWXXd4IUPKSOmww2+z4AmOdyPI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d06d765eeac716d8f1ca80f0935fd6fc951816ad", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs_3": { "locked": { - "lastModified": 1637881340, - "narHash": "sha256-/meU5CTm8GnaETZrJa0UqBQvk9T/jKp1+MLIQQ7FTTo=", + "lastModified": 1701436327, + "narHash": "sha256-tRHbnoNI8SIM5O5xuxOmtSLnswEByzmnQcGGyNRjxsE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d460f48ddb884f7270b7f7bfcbf8a7b91140caa5", + "rev": "91050ea1e57e50388fa87a3302ba12d188ef723a", "type": "github" }, "original": { "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_4": { "locked": { - "lastModified": 1688322751, - "narHash": "sha256-eW62dC5f33oKZL7VWlomttbUnOTHrAbte9yNUNW8rbk=", + "lastModified": 1673785507, + "narHash": "sha256-EPUT8yVdvJhhjhbgnFWXXd4IUPKSOmww2+z4AmOdyPI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0fbe93c5a7cac99f90b60bdf5f149383daaa615f", + "rev": "d06d765eeac716d8f1ca80f0935fd6fc951816ad", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_5": { "locked": { - "lastModified": 1676300157, - "narHash": "sha256-1HjRzfp6LOLfcj/HJHdVKWAkX9QRAouoh6AjzJiIerU=", + "lastModified": 1677624842, + "narHash": "sha256-4DF9DbDuK4/+KYx0L6XcPBeDHUFVCtzok2fWtwXtb5w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "545c7a31e5dedea4a6d372712a18e00ce097d462", + 
"rev": "d70f5cd5c3bef45f7f52698f39e7cc7a89daa7f0", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" + "id": "nixpkgs", + "ref": "nixos-22.11", + "type": "indirect" } }, "nixpkgs_6": { @@ -3941,6 +3801,19 @@ } }, "nixpkgs_8": { + "locked": { + "lastModified": 1699291058, + "narHash": "sha256-5ggduoaAMPHUy4riL+OrlAZE14Kh7JWX4oLEs22ZqfU=", + "path": "/nix/store/3s69yxbbl116zwga3i6cy7prplywq0bn-source", + "rev": "41de143fda10e33be0f47eab2bfe08a50f234267", + "type": "path" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_9": { "locked": { "lastModified": 1673785507, "narHash": "sha256-EPUT8yVdvJhhjhbgnFWXXd4IUPKSOmww2+z4AmOdyPI=", @@ -3955,21 +3828,6 @@ "type": "github" } }, - "nixpkgs_9": { - "locked": { - "lastModified": 1677624842, - "narHash": "sha256-4DF9DbDuK4/+KYx0L6XcPBeDHUFVCtzok2fWtwXtb5w=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d70f5cd5c3bef45f7f52698f39e7cc7a89daa7f0", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-22.11", - "type": "indirect" - } - }, "nose": { "flake": false, "locked": { @@ -4162,14 +4020,14 @@ "fudo-lib": "fudo-lib_3", "fudo-pkgs": "fudo-pkgs_2", "fudo-secrets": "fudo-secrets", + "grafana-module": "grafana-module", "lemmy-docker": "lemmy-docker", "mail-server": "mail-server", "mastodon-container": "mastodon-container", "matrix-module": "matrix-module", "nextcloud-container": "nextcloud-container", "nexus": "nexus_2", - "nixpkgs": "nixpkgs_23", - "nixpkgs2111": "nixpkgs2111", + "nixpkgs": "nixpkgs_21", "nixpkgsUnstable": "nixpkgsUnstable", "objectifier": "objectifier", "pricebot": "pricebot", 
@@ -4213,8 +4071,8 @@ "service-secrets": { "flake": false, "locked": { - "lastModified": 1695507841, - "narHash": "sha256-qrvwisQhc5S89OlJK99QHvwAIo7dNBINHwernAMVURQ=", + "lastModified": 1705264542, + "narHash": "sha256-7CBc+x58VD5a+7b7LUm0AslGRDuKcYlvScZrDYIC6/s=", "path": "/secrets/service-secrets", "type": "path" }, @@ -4507,11 +4365,11 @@ ] }, "locked": { - "lastModified": 1701222400, - "narHash": "sha256-qOPB34MZVDGlcnRzvAgaYL/VW/7JFvMCtRj5n2Z0XmU=", + "lastModified": 1704503498, + "narHash": "sha256-7BP/hbdkwq8N4hryrG0/hz6BLhtD57XwkGetZttxluA=", "ref": "refs/heads/master", - "rev": "ebf75ad5a32766c49b7d0bec4511c682efaae635", - "revCount": 19, + "rev": "9252d6940b5ef6760e0c8be060562a68dde7f9ba", + "revCount": 20, "type": "git", "url": "https://git.fudo.org/fudo-public/tesla-mate-container.git" }, @@ -4806,11 +4664,11 @@ "systems": "systems_5" }, "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "owner": "numtide", "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 74347e7..7bd94b9 100644 --- a/flake.nix +++ b/flake.nix @@ -2,7 +2,7 @@ description = "Fudo Host Configuration"; inputs = { - nixpkgs.url = "nixpkgs/nixos-23.05"; + nixpkgs.url = "nixpkgs/nixos-23.11"; fudo-home = { url = "git+https://git.fudo.org/fudo-nix/home.git"; @@ -39,8 +39,6 @@ nixpkgsUnstable.url = "nixpkgs/nixos-unstable"; - nixpkgs2111.url = "nixpkgs/nixos-21.11"; - wallfly = { url = "git+https://git.fudo.org/fudo-public/wallfly.git"; inputs.nixpkgs.follows = "nixpkgs"; 
@@ -136,6 +134,11 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ grafana-module = {
+ url = "git+https://git.fudo.org/fudo-public/grafana-module.git";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
 textfiles = {
 url = "git+https://git.informis.land/informis/textfiles.git";
 flake = false;
@@ -143,11 +146,11 @@
 };
 outputs = { self, nixpkgs, fudo-home, fudo-lib, fudo-entities, fudo-pkgs
- , fudo-secrets, chute, chuteUnstable, nixpkgsUnstable, nixpkgs2111, pricebot
- , wallfly, objectifier, nexus, suanni, snooper, tattler, lemmy-docker
+ , fudo-secrets, chute, chuteUnstable, nixpkgsUnstable, pricebot, wallfly
+ , objectifier, nexus, suanni, snooper, tattler, lemmy-docker
 , tesla-mate-container, mastodon-container, authentik-container
 , nextcloud-container, textfiles, matrix-module, mail-server
- , authoritative-dns, frigate-container, ... }@inputs:
+ , authoritative-dns, frigate-container, grafana-module, ... }@inputs:
 with nixpkgs.lib;
 let
 fudo-nixos-hosts = filterAttrs (hostname: hostOpts: hostOpts.nixos-system)
@@ -185,13 +188,7 @@
 chute = chute.packages.${arch}.chute;
 chuteUnstable = chuteUnstable.packages.${arch}.chute;
 })
- (final: prev: {
- pkgs2111 = import nixpkgs2111 {
- system = arch;
- config.allowUnfree = true;
- };
- pkgsUnstable = unstable;
- })
+ (final: prev: { pkgsUnstable = unstable; })
 (final: prev: {
 signal-desktop = unstable.signal-desktop;
 factorio-experimental = unstable.factorio-experimental;
@@ -234,6 +231,7 @@
 mail-server.nixosModules.default
 authoritative-dns.nixosModules.default
 frigate-container.nixosModules.default
+ grafana-module.nixosModules.default
 nexus.nixosModules.nexus-client
 nexus.nixosModules.nexus-server
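Review bot: The new `grafana-module` block only pins the module's direct `nixpkgs` to the root input; the lock in this same commit shows the module bringing its own `arion_3`, and `flake-parts_5`, `flake-parts_6` and `hercules-ci-effects_3` all follow a `["grafana-module","arion",…,"nixpkgs"]` path, so arion's nixpkgs appears to be a separate tree rather than the 23.11 one the hosts build against. If the module does not depend on arion's own pin, adding `inputs.arion.inputs.nixpkgs.follows = "nixpkgs";` beside the existing follows line would collapse that to the one tree you actually track for patches; the same shape is visible for `mail-server`/`arion` and `frigate-container`/`arion` in the lock, but those predate this change. The input URL carries no `ref`, so `nix flake update` follows the remote's default branch and the deployed revision is whatever flake.lock records (`f3b43259…` here); keeping future bumps of this input in their own reviewable lock change, rather than folded into a multi-file update like this one, makes it easier to see what code a host gains.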