diff --git a/config/default.nix b/config/default.nix index bf7a76a..aa4939c 100644 --- a/config/default.nix +++ b/config/default.nix @@ -6,7 +6,7 @@ ./backplane-client.nix ./bash.nix ./common.nix - ./dns.nix + # ./dns.nix ./groups.nix ./instance.nix # ./kerberos.nix @@ -15,7 +15,8 @@ ./user-config.nix ./wireless-networks.nix - ./service/auth.nix + ./service/dns.nix + ./service/fudo-auth.nix ./service/jabber.nix ]; } diff --git a/config/hardware/zbox.nix b/config/hardware/zbox.nix index d969791..8650ec4 100644 --- a/config/hardware/zbox.nix +++ b/config/hardware/zbox.nix @@ -66,12 +66,6 @@ opengl = { driSupport = true; driSupport32Bit = true; - extraPackages = with pkgs; [ - rocm-opencl-icd - rocm-opencl-runtime - amdvlk - driversi686Linux.amdvlk - ]; setLdLibraryPath = true; }; diff --git a/config/host-config/legatus.nix b/config/host-config/legatus.nix index e1b8ff9..dbe7141 100644 --- a/config/host-config/legatus.nix +++ b/config/host-config/legatus.nix @@ -11,7 +11,7 @@ let local-packages = with pkgs; [ ldns.examples ]; - secrets = config.fudo.secrets.host-secrets.${hostname}; + host-secrets = config.fudo.secrets.host-secrets.${hostname}; in { networking = { @@ -61,12 +61,6 @@ in { hosts.legatus.external-interfaces = [ "extif0" ]; services = { - jabber = { - enable = true; - hostname = "jabber.fudo.org"; - ldap.servers = [ "nutboy3.fudo.org" ]; - state-directory = "/state/ejabberd"; - }; auth = { ldap.state-directory = "/state/auth/ldap"; kerberos = { @@ -98,7 +92,7 @@ in { user = config.fudo.auth.kdc.user; }; - hemidal-ipropd-keytab = { + heimdal-ipropd-keytab = { source-file = files.service-keytabs.legatus.ipropd; target-file = "/run/heimdal/ipropd.keytab"; user = config.fudo.auth.kdc.user; 
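Review bot: `+ # ./dns.nix` keeps the retired import as a comment beside the already-commented `# ./kerberos.nix`, while its replacement `./service/dns.nix` is added in the next hunk, so the import list is now part live modules, part history. Delete the line instead — git keeps the old path — or, if `./dns.nix` is parked on purpose, say why in place: `# ./dns.nix — superseded by ./service/dns.nix; remove once every host has migrated`.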
@@ -136,93 +130,5 @@ in { }; dns.state-directory = "/state/nsd"; - - # mail-server = { - # enable = true; - # debug = true; - - # domain = domain-name; - # mail-hostname = "${host-fqdn}"; - # monitoring = false; - # mail-user = "mailuser"; - # mail-user-id = 525; - # mail-group = "mailgroup"; - # clamav.enable = true; - # dkim.signing = true; - - # dovecot = { - # ssl-certificate = acme-certificate "imap.${domain-name}"; - # ssl-private-key = acme-private-key "imap.${domain-name}"; - # }; - - # postfix = { - # ssl-certificate = acme-certificate "smtp.${domain-name}"; - # ssl-private-key = acme-private-key "smtp.${domain-name}"; - # }; - - # # This should NOT include the primary domain - # local-domains = [ host-fqdn "smtp.${domain-name}" ]; - - # mail-directory = "/srv/mailserver/mail"; - # state-directory = "/srv/mailserver/state"; - - # trusted-networks = [ "172.86.179.16/29" "127.0.0.0/16" ]; - - # alias-users = { - # root = [ "niten" ]; - # postmaster = [ "niten" ]; - # hostmaster = [ "niten" ]; - # webmaster = [ "niten" ]; - # system = [ "niten" ]; - # admin = [ "niten" ]; - # dmarc-report = [ "niten" ]; - # }; - # }; - - # postgresql = { - # enable = true; - # ssl-certificate = (acme-certificate host-fqdn); - # ssl-private-key = (acme-private-key host-fqdn); - # keytab = secrets.postgres-keytab.target-file; - # local-networks = local-networks; - - # users = { - # gituser = { - # password-file = - # secrets.gitea-database-password.target-file; - # databases = { - # git = { - # access = "CONNECT"; - # entity-access = { - # "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE"; - # "ALL SEQUENCES IN SCHEMA public" = "SELECT, UPDATE"; - # }; - # }; - # }; - # }; - # }; - - # databases = { git = { users = [ "niten" ]; }; }; - # }; - - # git = { - # enable = true; - # hostname = "git.informis.land"; - # site-name = "informis git"; - # user = "gituser"; - # repository-dir = /srv/git/repo; - # state-dir = /srv/git/state; - # database = { - # user = "gituser"; 
- # password-file = - # secrets.gitea-database-password.target-file; - # hostname = "127.0.0.1"; - # name = "git"; - # }; - # ssh = { - # listen-ip = host-ipv4; - # listen-port = 2222; - # }; - # }; }; } diff --git a/config/host-config/nutboy3.nix b/config/host-config/nutboy3.nix index e534e7d..7e99583 100644 --- a/config/host-config/nutboy3.nix +++ b/config/host-config/nutboy3.nix @@ -12,7 +12,7 @@ let local-packages = with pkgs; [ ldns.examples ]; - secrets = config.fudo.secrets.host-secrets.${hostname}; + host-secrets = config.fudo.secrets.host-secrets.${hostname}; postgresql-user = config.systemd.services.postgresql.serviceConfig.User; @@ -23,6 +23,10 @@ let in { + imports = [ + ./nutboy3/forum_selby_ca.nix + ]; + config = { networking = { nameservers = [ "1.1.1.1" ]; @@ -37,9 +41,7 @@ in { }]; }; - systemd.tmpfiles.rules = [ - "L /etc/adjtime - - - - /state/etc/adjtime" - ]; + systemd.tmpfiles.rules = [ "L /etc/adjtime - - - - /state/etc/adjtime" ]; environment.systemPackages = local-packages; @@ -68,17 +70,19 @@ in { }; }; - acme.host-domains.${hostname}.${host-fqdn}.local-copies = { - openldap = { - user = config.services.openldap.user; - dependent-services = [ "openldap.service" ]; - part-of = [ config.fudo.auth.ldap-server.systemd-target ]; - }; + acme.host-domains.${hostname} = { + ${host-fqdn}.local-copies = { + openldap = { + user = config.services.openldap.user; + dependent-services = [ "openldap.service" ]; + part-of = [ config.fudo.auth.ldap-server.systemd-target ]; + }; - postgresql = { - user = postgresql-user; - dependent-services = [ "postgresql.service" ]; - part-of = [ config.fudo.postgresql.systemd-target ]; + postgresql = { + user = postgresql-user; + dependent-services = [ "postgresql.service" ]; + part-of = [ config.fudo.postgresql.systemd-target ]; + }; }; }; 
@@ -89,11 +93,19 @@ in { external-interface = "extif0"; }; - services.auth = { - ldap.state-directory = "/state/auth/ldap"; - kerberos = { - state-directory = "/state/auth/kerberos"; - master-key-file = host-secrets.heimdal-master-key.target-file; + services = { + jabber = { + enable = true; + hostname = "jabber.fudo.org"; + ldap.servers = [ "nutboy3.fudo.org" ]; + state-directory = "/state/ejabberd"; + }; + auth = { + ldap.state-directory = "/state/auth/ldap"; + kerberos = { + state-directory = "/state/auth/kerberos"; + master-key-file = host-secrets.heimdal-master-key.target-file; + }; }; }; @@ -142,16 +154,15 @@ in { # }; postgresql = let - cert-copy = - config.fudo.acme.host-domains.${hostname}.${host-fqdn}.local-copies.postgresql; + cert-copy = acme-copies.${host-fqdn}.local-copies.postgresql; in { enable = true; ssl-certificate = cert-copy.full-certificate; ssl-private-key = cert-copy.private-key; - keytab = secrets.postgresql-keytab.target-file; + keytab = host-secrets.postgresql-keytab.target-file; local-networks = config.instance.local-networks; state-directory = "/state/postgresql"; - required-services = [ cert-copy.service ]; + required-services = [ cert-copy.service config.fudo.secrets.secret-target ]; }; # git = { @@ -164,7 +175,7 @@ in { # database = { # user = "gituser"; # password-file = - # secrets.gitea-database-password.target-file; + # host-secrets.gitea-database-password.target-file; # hostname = "127.0.0.1"; # name = "git"; # }; diff --git a/config/host-config/nutboy3/forum_selby_ca.nix b/config/host-config/nutboy3/forum_selby_ca.nix new file mode 100644 index 0000000..31bb7d2 --- /dev/null +++ b/config/host-config/nutboy3/forum_selby_ca.nix 
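Review bot: `cert-copy = acme-copies.${host-fqdn}.local-copies.postgresql;` refers to `acme-copies`, which no hunk in this diff binds; the replaced line spelled out `config.fudo.acme.host-domains.${hostname}.${host-fqdn}.local-copies.postgresql`, so presumably a `acme-copies = config.fudo.acme.host-domains.${hostname};` sits in the unseen lines 19–22 of the `let` — if it does not, evaluation fails with an undefined variable. Adding `config.fudo.secrets.secret-target` to `required-services` is the right dependency now that `keytab` comes from `host-secrets.postgresql-keytab.target-file`; a short comment, `# the keytab is installed by the secrets target, not by the cert copy`, would explain why a certificate-copy list also names the secrets unit.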
@@ -0,0 +1,194 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + site = "forum.test.selby.ca"; + hostname = config.instance.hostname; + host-secrets = config.fudo.secrets.host-secrets.${hostname}; + + discourse-user = config.systemd.services.discourse.serviceConfig.User; + + database-name = "forum_selby_ca"; + database-user = "forum_selby_ca"; + + state-directory = "/state/selby/forum"; + + password-injector-sql = csv-file: pkgs.stdenv.mkDerivation { + name = "${site}-password-injector-sql"; + phases = [ "installPhase" ]; + buildInputs = [ pkgs.ruby ]; + installPhase = '' + ${password-convert-script csv-file} + ''; + }; + + password-convert-script = csv-file: pkgs.writeScript "vanilla-forum-password-convert.rb" '' + #!${pkgs.ruby}/bin/ruby + + require 'csv' + + data = CSV::readlines("${csv-file}") + File::open(ENV["out"], "w") { |sql| + data.each { |row| + sql.puts("UPDATE users SET import_pass='#{row[2]}' FROM user_emails WHERE users.id = user_emails.user_id AND user_emails.email = '#{row[1]}';") + } + } + ''; + +in { + config = { + services.discourse = { + enable = true; + hostname = site; + enableACME = true; + plugins = with config.services.discourse.package.plugins; [ + discourse-migratepassword + ]; + + admin = { + username = "admin"; + fullName = "Admin"; + email = "admin@selby.ca"; + passwordFile = host-secrets.selby-discourse-admin.target-file; + }; + + database = { + name = database-name; + host = "localhost"; + username = database-user; + passwordFile = + host-secrets.selby-discourse-database-passwd.target-file; + }; + }; + + fudo = { + secrets.host-secrets.${hostname} = let + selby-discourse-db-password = + pkgs.lib.passwd.stablerandom-passwd-file + "selby-discourse-database-password" + "selby-discourse-database-password-${config.instance.build-seed}"; + + files = config.fudo.secrets.files; + in { + selby-discourse-database-passwd = { + source-file = selby-discourse-db-password; + target-file = "/run/selby/forum/database.passwd"; + user = 
discourse-user; + }; + + postgresql-selby-discourse-password = { + source-file = selby-discourse-db-password; + target-file = "/run/postgres/selby-discourse.passwd"; + user = config.services.postgresql.superUser; + }; + + selby-discourse-admin = { + source-file = pkgs.lib.passwd.stablerandom-passwd-file + "selby-discourse-admin" + "selby-discourse-admin-${config.instance.build-seed}"; + target-file = "/run/selby/forum/admin.passwd"; + user = discourse-user; + }; + + selby-forum-data = { + source-file = files.blobs."selby-forum-2021-12-14.clean"; + target-file = "/run/selby/forum/forum-data.txt"; + user = discourse-user; + }; + + selby-forum-passwords-sql = { + source-file = "${password-injector-sql files.blobs."forum_selby_ca-passwd.csv"}"; + target-file = "/run/postgres/selby/forum-passwords.sql"; + user = config.services.postgresql.superUser; + }; + }; + + postgresql = { + databases.${database-name}.users = [ "niten" ]; + users.${database-user} = { + password-file = host-secrets.postgresql-selby-discourse-password.target-file; + databases.${database-name} = { + access = "CONNECT,CREATE"; + entity-access = { + "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE"; + "ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE"; + }; + }; + }; + }; + }; + + security.acme.certs.${site}.email = "admin@selby.ca"; + + systemd = { + tmpfiles.rules = [ + "d ${state-directory} 750 ${discourse-user} - - -" + "L /var/lib/discourse - - - - ${state-directory}" + ]; + + services = { + discourse = { + bindsTo = [ "postgresql.service" ]; + after = [ + config.fudo.postgresql.systemd-target + "postgresql.service" + ]; + }; + + discourse-prepare = { + description = "Do discourse's superuser-requiring database work for it."; + wantedBy = [ "discourse.service" ]; + before = [ "discourse.service" ]; + requires = [ config.fudo.postgresql.systemd-target ]; + after = [ config.fudo.postgresql.systemd-target ]; + path = with pkgs; [ postgresql ]; + serviceConfig = { + User = 
config.services.postgresql.superUser; + ExecStart = pkgs.writeShellScript "discourse-prepare.sh" '' + psql -d ${database-name} -c "CREATE EXTENSION IF NOT EXISTS hstore;" + psql -d ${database-name} -c "CREATE EXTENSION IF NOT EXISTS pg_trgm;" + ''; + }; + }; + + discourse-import-vanilla = let + env-without-path = + filterAttrs (attr: _: attr != "PATH") + config.systemd.services.discourse.environment; + selby-forum-data = host-secrets.selby-forum-data.target-file; + in { + description = "One-off job to import Vanilla forum."; + path = config.systemd.services.discourse.path; + environment = env-without-path; + serviceConfig = { + User = config.systemd.services.discourse.serviceConfig.User; + Group = config.systemd.services.discourse.serviceConfig.Group; + Type = "oneshot"; + WorkingDirectory = config.systemd.services.discourse.serviceConfig.WorkingDirectory; + ExecStart = pkgs.writeShellScript "import-vanilla-forum.sh" '' + ruby script/import_scripts/vanilla.rb ${selby-forum-data} + ''; + }; + }; + + discourse-add-password-hash = let + alter-user-script = pkgs.writeText "create-password-column.sql" '' + ALTER TABLE users ADD COLUMN IF NOT EXISTS import_pass VARCHAR (64); + ''; + in { + description = "One-off job to add user password hashes from Vanilla forum."; + path = with pkgs; [ postgresql ]; + wantedBy = [ "discourse.service" ]; + serviceConfig = { + User = config.services.postgresql.superUser; + Type = "oneshot"; + ExecStart = pkgs.writeShellScript "import-vanilla-passwords.sh" '' + psql -d ${database-name} -f ${alter-user-script} + psql -d ${database-name} -f ${host-secrets.selby-forum-passwords-sql.target-file} + ''; + }; + }; + }; + }; + }; +} diff --git a/config/host-config/procul.nix b/config/host-config/procul.nix index eb87d85..125cfbc 100644 --- a/config/host-config/procul.nix +++ b/config/host-config/procul.nix 
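Review bot: The Ruby in `password-convert-script` builds SQL by interpolating CSV fields directly into string literals (`import_pass='#{row[2]}'` and `user_emails.email = '#{row[1]}'`), so a single quote in any exported address or hash — a legal character in an email local part — breaks the statement, and because the file is later executed by `psql` as `config.services.postgresql.superUser`, a stray quote changes what runs rather than failing safely; quote the values, e.g. `def sql_quote(v); "'" + v.to_s.gsub("'", "'" * 2) + "'"; end` and then `import_pass=#{sql_quote(row[2])}` / `user_emails.email = #{sql_quote(row[1])}` (the `"'" * 2` form avoids a literal `''`, which would terminate the enclosing Nix indented string). `password-injector-sql` is a `mkDerivation`, so the generated SQL of password hashes is realised in the Nix store, which is world-readable by default; that undercuts installing the copy at `/run/postgres/selby/forum-passwords.sql` for the postgres superuser only, and either generating the SQL at activation time from the installed secret or a comment acknowledging the exposure would be more consistent with the rest of the secrets handling here. `discourse-add-password-hash` is `wantedBy = [ "discourse.service" ]` with `Type = "oneshot"` but, unlike `discourse-prepare`, declares no `after`/`requires` on `postgresql.service` or `config.fudo.postgresql.systemd-target`, and it re-applies every UPDATE on each start of `discourse.service` that pulls it in; ordering it `after = [ "discourse-prepare.service" ]` and guarding with a marker file under `${state-directory}` would make it a true one-off. Whether `row[1]`/`row[2]` are the email and hash columns, and whether the CSV has a header row that `CSV::readlines` would also turn into an UPDATE, cannot be told from the config alone.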
@@ -17,7 +17,7 @@ let local-packages = with pkgs; [ ldns.examples ]; - secrets = config.fudo.secrets.host-secrets.procul; + host-secrets = config.fudo.secrets.host-secrets.procul; passwd = pkgs.lib.fudo.passwd; @@ -65,20 +65,35 @@ in { groups = { acme = { members = [ "nginx" ]; }; }; }; - informis.cl-gemini = { - enable = true; + informis = { + cl-gemini = { + enable = true; - hostname = "gemini.informis.land"; - server-ip = host-ipv4; - document-root = "/srv/gemini/root"; - textfiles-archive = "${pkgs.textfiles}"; - slynk-port = 4005; + hostname = "gemini.informis.land"; + server-ip = host-ipv4; + document-root = "/srv/gemini/root"; + textfiles-archive = "${pkgs.textfiles}"; + slynk-port = 4005; - feeds = { - viator = { - title = "viator's phlog"; - path = "/home/viator/gemini-public/feed/"; - url = "gemini://informis.land/user/viator/feed/"; + feeds = { + viator = { + title = "viator's phlog"; + path = "/home/viator/gemini-public/feed/"; + url = "gemini://informis.land/user/viator/feed/"; + }; + }; + }; + + chute = { + enable = true; + stages = { + staging = { + package = pkgs.chuteUnstable; + credential-file = host-secrets.chute-staging-credentials.target-file; + currencies = { + btc.stop-percentile = 98; + }; + }; }; }; }; @@ -135,6 +150,12 @@ in { target-file = "/run/heimdal/master-key"; user = config.fudo.auth.kdc.user; }; + + chute-staging-credentials = { + source-file = files.service-secrets.procul."chute-staging.env"; + target-file = "/run/chute/staging/credentials.env"; + user = "root"; + }; }; client.dns = { @@ -144,7 +165,14 @@ in { external-interface = "extif0"; }; - auth.kdc.master-key-file = secrets.heimdal-master-key.target-file; + services = { + auth = { + kerberos = { + state-directory = "/var/lib/kerberos"; + master-key-file = host-secrets.heimdal-master-key.target-file; + }; + }; + }; secure-dns-proxy = { enable = true; 
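Review bot: `chute-staging-credentials` is installed with `user = "root";`, unlike every other secret in this diff, which is owned by the account that consumes it (`config.fudo.auth.kdc.user`, `discourse-user`, `config.services.postgresql.superUser`). Either chute runs as root, in which case the exchange credentials are held by the most privileged account on the host, or it runs as its own user and cannot read `/run/chute/staging/credentials.env` at all; the chute module's service user is not visible in this diff. Point `user` at chute's service account, or add `# chute runs as root; credentials must be root-owned` if that is genuinely the case.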
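Review bot: `services.auth.kerberos.state-directory = "/var/lib/kerberos";` differs from legatus.nix and nutboy3.nix in this same diff, which both use `"/state/auth/kerberos"`, and the `/state/...` convention runs through every other persistent path in those files. Whether `/var/lib` persists across reboots on procul cannot be judged from this hunk; if procul shares the other hosts' layout, the KDC database would live on the wrong volume, so either switch to `"/state/auth/kerberos"` or record the difference, `# procul has a persistent /var/lib and no /state volume`.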
@@ -210,13 +238,13 @@ in { enable = true; ssl-certificate = cert-copy.full-certificate; ssl-private-key = cert-copy.private-key; - keytab = secrets.postgres-keytab.target-file; + keytab = host-secrets.postgres-keytab.target-file; local-networks = local-networks; users = { gituser = { password-file = - secrets.gitea-database-password.target-file; + host-secrets.gitea-database-password.target-file; databases = { git = { access = "CONNECT"; @@ -242,7 +270,7 @@ in { database = { user = "gituser"; password-file = - secrets.gitea-database-password.target-file; + host-secrets.gitea-database-password.target-file; hostname = "127.0.0.1"; name = "git"; }; diff --git a/config/service/dns.nix b/config/service/dns.nix new file mode 100644 index 0000000..86a2835 --- /dev/null +++ b/config/service/dns.nix 
@@ -0,0 +1,59 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + hostname = config.instance.hostname; + domain-name = config.instance.local-domain; + domain = config.fudo.domains.${domain-name}; + + served-domain = domain.primary-nameserver != null; + + is-primary-nameserver = hostname == domain.primary-nameserver; + + primary-nameserver = domain.primary-nameserver; + primary-nameserver-ip = pkgs.lib.network.host-ipv4 config primary-nameserver; + +in { + config = mkIf (served-domain) { + fudo.dns = { + enable = is-primary-nameserver; + + identity = "${hostname}.${domain-name}."; + + nameservers = { + ns1 = { + ipv4-address = primary-nameserver-ip; + description = "Primary ${domain-name} nameserver"; + }; + }; + + listen-ips = optionals is-primary-nameserver + (pkgs.lib.network.host-ips config hostname); + + domains = { + ${domain-name} = { + dnssec = true; + default-host = primary-nameserver-ip; + gssapi-realm = domain.gssapi-realm; + mx = optional (domain.primary-mailserver != null) + domain.primary-mailserver; + dmarc-report-address = "dmarc-report@${domain-name}"; + + zone-definition = let + zone = config.fudo.zones.${domain-name}; + + make-dns-srv-record = hostname: { + port = 53; + host = hostname; + }; + in zone // { + srv-records = { + tcp.domain = map make-dns-srv-record [ "ns1.${domain-name}" ]; + udp.domain = map make-dns-srv-record [ "ns1.${domain-name}" ]; + }; + }; + }; + }; + }; + }; +} diff --git a/config/service/fudo-auth.nix b/config/service/fudo-auth.nix index f041beb..8741166 100644 --- a/config/service/fudo-auth.nix +++ b/config/service/fudo-auth.nix @@ -3,7 +3,7 @@ with lib; let hostname = config.instance.hostname; - domain-name = config.instance.local-domain; + domain-name = config.fudo.services.auth.domain; domain = config.fudo.domains.${domain-name}; ldap-server = elem hostname domain.ldap-servers; 
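Review bot: `config = mkIf (served-domain) { ... }` applies the whole `fudo.dns` block — `nameservers`, the zone definition and its SRV records — on every host of a domain that has a primary nameserver, while only `enable` and `listen-ips` are gated on `is-primary-nameserver`, and nothing in the file says this is deliberate. A header comment such as `# Evaluated on every host of a served domain; only the primary nameserver runs the daemon and binds addresses.` would stop the next reader from suspecting a missing mkIf. `dnssec = true;` is hard-coded with no key or signing configuration visible in this file, so `fudo.dns` presumably sources keys elsewhere; a one-line pointer to where would help. The `nameservers` set and both `srv-records` name only `ns1`, so a domain with secondary nameservers would advertise none of them; if that is intended for now, say so.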
@@ -13,8 +13,18 @@ let kerberized-domain = domain.kerberos-master != null; + optionalOrNull = pred: val: if pred then val else null; + + cfg = config.fudo.services.auth; + in { options.fudo.services.auth = with types; { + domain = mkOption { + type = str; + description = "Domain for which authentication server will operate."; + default = config.fudo.hosts.${hostname}.domain; + }; + ldap = { hostname = mkOption { type = str; @@ -44,12 +54,17 @@ in { type = str; description = "Path (on the build server) to the KDC master key file."; }; + + ipropd-keytab = mkOption { + type = nullOr str; + description = "ipropd keytab for kerberos database propagation."; + }; }; }; config.fudo = { acme.host-domains.${hostname} = mkIf (ldap-server) { - ${cfg.hostname}.local-copies.openldap = { + ${cfg.ldap.hostname}.local-copies.openldap = { user = config.services.openldap.user; part-of = [ config.fudo.auth.ldap-server.systemd-target ]; }; @@ -59,7 +74,7 @@ in { ldap-server = mkIf (ldap-server) (let ldap-cert-copy = - config.fudo.acme.host-domains.${hostname}.${cfg.hostname}.local-copies.openldap; + config.fudo.acme.host-domains.${hostname}.${cfg.ldap.hostname}.local-copies.openldap; in { enable = ldap-server; base = "dc=fudo,dc=org"; @@ -72,7 +87,7 @@ in { groups = config.fudo.groups; system-users = config.fudo.system-users; - state-directory = "${cfg.state-directory}/ldap"; + state-directory = "${cfg.ldap.state-directory}"; ssl-chain = ldap-cert-copy.chain; ssl-certificate = ldap-cert-copy.certificate; @@ -86,9 +101,11 @@ in { bind-addresses = (pkgs.lib.network.host-ips config hostname) ++ [ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1"); + state-directory = cfg.kerberos.state-directory; + master-key-file = cfg.kerberos.master-key-file; master-config = mkIf (kerberos-master) { acl = let - admin-entries = genAttrs cfg.local-admins + admin-entries = genAttrs config.instance.local-admins (admin: { perms = [ "add" "change-password" "list" ]; }); 
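Review bot: `ipropd-keytab` is declared `type = nullOr str;` but carries no `default = null;`, so on a host where `kerberos-slave` holds and the option is unset, `slave-config.ipropd-keytab = cfg.kerberos.ipropd-keytab;` in the later hunk fails at evaluation with "option used but not defined" rather than yielding null; if that hard failure is the intended contract the type should be plain `str`, otherwise add `default = null;` under the description. The description `"ipropd keytab for kerberos database propagation."` does not say whether the path is on the build server, as the neighbouring `master-key-file` documents, or on the target host; the renamed `heimdal-ipropd-keytab` secret in legatus.nix installs one at `/run/heimdal/ipropd.keytab`, which suggests a host path, but no hunk in this diff wires that value into the new option. `cfg = config.fudo.services.auth;` is added to the `let` although the removed code already referenced `cfg.hostname`, so the earlier binding either lived elsewhere or is now duplicated; the rest of the `let` is outside the hunk. `optionalOrNull` is introduced but used in no shown hunk.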
@@ -98,7 +115,7 @@ in { }; slave-config = mkIf (kerberos-slave) { master-host = domain.kerberos-master; - # TODO: Provide the keytab yourself... + ipropd-keytab = cfg.kerberos.ipropd-keytab; }; }; }; @@ -124,16 +141,16 @@ in { in { zone-definition.srv-records = { tcp = { - kerberos = map (create-srv-record 88) kerberos-servers; - kerberos-adm = map (create-srv-record 749) kerberos-masters; - ldap = map (create-srv-record 389) ldap-servers; - ldaps = map (create-srv-record 636) ldap-servers; + kerberos = map (make-srv-record 88) kerberos-servers; + kerberos-adm = map (make-srv-record 749) kerberos-masters; + ldap = map (make-srv-record 389) ldap-servers; + ldaps = map (make-srv-record 636) ldap-servers; }; udp = { - kerberos = map (create-srv-record 88) kerberos-servers; - kerberos-master = map (create-srv-record 88) kerberos-masters; - kpasswd = map (create-srv-record 464) kerberos-masters; + kerberos = map (make-srv-record 88) kerberos-servers; + kerberos-master = map (make-srv-record 88) kerberos-masters; + kpasswd = map (make-srv-record 464) kerberos-masters; }; }; }; diff --git a/config/service/jabber.nix b/config/service/jabber.nix index f86b685..329c9fb 100644 --- a/config/service/jabber.nix +++ b/config/service/jabber.nix @@ -74,7 +74,7 @@ in { site-config = { auth_method = "ldap"; ldap_servers = cfg.ldap.servers; - ldap_port = 636; + ldap_port = 389; ldap_rootdn = "cn=${cfg.ldap.user},dc=fudo,dc=org"; ldap_password = "__LDAP_PASSWORD__"; ldap_base = "ou=members,dc=fudo,dc=org"; diff --git a/flake.lock b/flake.lock index 42a56b8..ecec5c7 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,17 @@ { "nodes": { + "blobs": { + "flake": false, + "locked": { + "narHash": "sha256-bzJh3skCEKFM7KO9N6icOJsRqXmjbSo1s8uNh3t9mYI=", + "path": "/state/secrets/blobs", + "type": "path" + }, + "original": { + "path": "/state/secrets/blobs", + "type": "path" + } + }, "build-keypairs": { "flake": false, "locked": { 
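Review bot: `ldap_port = 389;` moves ejabberd's LDAP bind from the LDAPS port to the plaintext LDAP port, and nothing in this hunk sets an `ldap_encrypt` option, so the `ldap_rootdn` bind password (substituted for `__LDAP_PASSWORD__`) and every user's XMPP password would cross the wire unencrypted unless the directory is on the same host. In this commit the jabber service moves to nutboy3 with `ldap.servers = [ "nutboy3.fudo.org" ]` (nutboy3.nix), which is also the LDAP server, so the traffic is probably loopback-only — but the module does not enforce that, and the port is a literal rather than something derived from `cfg.ldap`. Record the assumption where it is made, `# 389: the LDAP server is co-located with ejabberd, so the bind never leaves the host`, or make the port and encryption follow the configured servers. If an `ldap_encrypt` setting exists elsewhere in `site-config` (the attribute set runs past the hunk), 389 may simply fail to connect.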
@@ -24,6 +36,90 @@ "type": "path" } }, + "chute": { + "inputs": { + "clj2nix": "clj2nix", + "gitignore": "gitignore", + "nixpkgs": "nixpkgs_2", + "utils": "utils_2" + }, + "locked": { + "lastModified": 1639520373, + "narHash": "sha256-nJJpvdsL/D/gY8iFaacdoS9phz74wPh2Ta1fc/XfBMg=", + "ref": "stable", + "rev": "56438b1ee2856cb98781f4580a1c6cc0cc6e6f1e", + "revCount": 4, + "type": "git", + "url": "https://git.fudo.org/chute/chute.git" + }, + "original": { + "ref": "stable", + "type": "git", + "url": "https://git.fudo.org/chute/chute.git" + } + }, + "chuteUnstable": { + "inputs": { + "clj2nix": "clj2nix_2", + "gitignore": "gitignore_2", + "nixpkgs": "nixpkgs_4", + "utils": "utils_4" + }, + "locked": { + "lastModified": 1639617108, + "narHash": "sha256-8lwF4kcf/pigrNIrR4JXdTTFTCxgKyVGsYppVEt1rII=", + "ref": "master", + "rev": "0845e2e7eb44aefe38e3ae80ac237fd851733737", + "revCount": 6, + "type": "git", + "url": "https://git.fudo.org/chute/chute.git" + }, + "original": { + "ref": "master", + "type": "git", + "url": "https://git.fudo.org/chute/chute.git" + } + }, + "clj2nix": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": "nixpkgs", + "utils": "utils" + }, + "locked": { + "lastModified": 1637900288, + "narHash": "sha256-hQdSCIm1WpG5uK9hoe/iagyYc3Fhi8PJzfo1jFBa53g=", + "owner": "hlolli", + "repo": "clj2nix", + "rev": "3d0a38c954c8e0926f57de1d80d357df05fc2f94", + "type": "github" + }, + "original": { + "owner": "hlolli", + "repo": "clj2nix", + "type": "github" + } + }, + "clj2nix_2": { + "inputs": { + "flake-compat": "flake-compat_2", + "nixpkgs": "nixpkgs_3", + "utils": "utils_3" + }, + "locked": { + "lastModified": 1637900288, + "narHash": "sha256-hQdSCIm1WpG5uK9hoe/iagyYc3Fhi8PJzfo1jFBa53g=", + "owner": "hlolli", + "repo": "clj2nix", + "rev": "3d0a38c954c8e0926f57de1d80d357df05fc2f94", + "type": "github" + }, + "original": { + "owner": "hlolli", + "repo": "clj2nix", + "type": "github" + } + }, "dnssec-keys": { "flake": false, "locked": { 
@@ -48,7 +144,7 @@ "explain-pause-mode": "explain-pause-mode", "flake-utils": "flake-utils_2", "nix-straight": "nix-straight", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_5", "nose": "nose", "ob-racket": "ob-racket", "org": "org", @@ -213,6 +309,38 @@ "type": "path" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1627913399, + "narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1627913399, + "narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1638122382, @@ -252,11 +380,11 @@ ] }, "locked": { - "lastModified": 1639074482, - "narHash": "sha256-diaAXDKP89pdcmHV7sc/a4FAE7G4xL2qvKKcinI1K7g=", + "lastModified": 1639518935, + "narHash": "sha256-I3+jWNiGo6q3BtQHNgWK5aZ7K22L6YzNjQ5ZOfKgYwQ=", "ref": "master", - "rev": "7c094f43c4009d9e4d3e2588f50d93ca054eeb9a", - "revCount": 18, + "rev": "ee5bede8e9766bbdf7b9f093d8eb3d1c2eb27caa", + "revCount": 24, "type": "git", "url": "https://git.fudo.org/fudo-nix/entities.git" }, @@ -275,11 +403,11 @@ ] }, "locked": { - "lastModified": 1639073015, - "narHash": "sha256-F9KuMZNZjyQx4+JxH8QWhtPQlCJCRscjvWknsxYWus4=", + "lastModified": 1639853480, + "narHash": "sha256-FV9LBcA/hh0DIBb7JzmcDjXDq6wJP46NALsMW0orfbc=", "ref": "master", - "rev": "8ccd875d048ec7cad944a080a24d59d36b4f8cb8", - "revCount": 54, + "rev": "4954bd4e6c5d784740bee169aa7db7850fcfd5e0", + "revCount": 58, "type": "git", "url": "https://git.fudo.org/fudo-nix/home.git" }, 
@@ -305,17 +433,13 @@ }, "fudo-lib_2": { "locked": { - "lastModified": 1638990149, - "narHash": "sha256-p1T0GMJXIJvTpVdn5nK7RZJX8izkabADJ/LsaL442zI=", - "ref": "master", - "rev": "c87448ff1365c3d5230690f68d1ba246652581d1", - "revCount": 24, - "type": "git", - "url": "https://git.fudo.org/fudo-nix/lib.git" + "narHash": "sha256-teWuZmwu300Yop8z9AT9Fz+kFb6ZimzDCXhg0iyB3mA=", + "path": "/state/fudo-lib", + "type": "path" }, "original": { - "type": "git", - "url": "https://git.fudo.org/fudo-nix/lib.git" + "path": "/state/fudo-lib", + "type": "path" } }, "fudo-pkgs": { @@ -335,6 +459,7 @@ }, "fudo-secrets": { "inputs": { + "blobs": "blobs", "build-keypairs": "build-keypairs", "build-seed": "build-seed", "dnssec-keys": "dnssec-keys", @@ -343,10 +468,11 @@ "realm-master-keys": "realm-master-keys", "service-keytabs": "service-keytabs", "service-passwords": "service-passwords", + "service-secrets": "service-secrets", "ssh-keypairs": "ssh-keypairs" }, "locked": { - "narHash": "sha256-Q89s52d8KAMIbxh7aBoUwUTFAbgUBE5IaAIwd267k20=", + "narHash": "sha256-MHMKtDMz654T70gD5K+kP0CYnGsYlqO1J58fvs+GuNI=", "path": "/state/secrets", "type": "path" }, 
@@ -355,6 +481,48 @@ "type": "path" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "chute", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1635165013, + "narHash": "sha256-o/BdVjNwcB6jOmzZjOH703BesSkkS5O7ej3xhyO8hAY=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "5b9e0ff9d3b551234b4f3eb3983744fa354b17f1", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "gitignore_2": { + "inputs": { + "nixpkgs": [ + "chuteUnstable", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1635165013, + "narHash": "sha256-o/BdVjNwcB6jOmzZjOH703BesSkkS5O7ej3xhyO8hAY=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "5b9e0ff9d3b551234b4f3eb3983744fa354b17f1", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ @@ -380,7 +548,7 @@ "host-keytabs": { "flake": false, "locked": { - "narHash": "sha256-LzDfB9ubACWyQzjXzsPH6eNoESmSVcMFFb3V025Xgow=", + "narHash": "sha256-LAAZVfwD65yS6H7EcKmfiPXtLcfRQ80u3V4LFRjr7ko=", "path": "/state/secrets/kerberos/host-keytabs", "type": "path" }, @@ -392,11 +560,11 @@ "niten-doom-config": { "flake": false, "locked": { - "lastModified": 1633712607, - "narHash": "sha256-6PAw7Xvoj4JROeTqK1nhT2zv7bPpiQlm9t7H5HQ0f2k=", + "lastModified": 1639608722, + "narHash": "sha256-Ao+J7h/zE0X+G3frfxCkoY4hK7T1oNpTpwwv7n7pGaA=", "ref": "master", - "rev": "0a4f8ce4121ba3d64d29b0d52733c08febfb83d8", - "revCount": 35, + "rev": "8be77a42d7669fa71287c58ebaf210159f198b50", + "revCount": 36, "type": "git", "url": "https://git.fudo.org/niten/doom-emacs.git" }, 
@@ -423,6 +591,66 @@ } }, "nixpkgs": { + "locked": { + "lastModified": 1637881340, + "narHash": "sha256-/meU5CTm8GnaETZrJa0UqBQvk9T/jKp1+MLIQQ7FTTo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d460f48ddb884f7270b7f7bfcbf8a7b91140caa5", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1638196344, + "narHash": "sha256-fkOqSkfOkl8tqxDd+zJU4kAgyLXp/ouaP+U9gpjEZZs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2553aee74fed8c2205a4aeb3ffd206ca14ede60f", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-21.05", + "type": "indirect" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1637881340, + "narHash": "sha256-/meU5CTm8GnaETZrJa0UqBQvk9T/jKp1+MLIQQ7FTTo=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d460f48ddb884f7270b7f7bfcbf8a7b91140caa5", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1638196344, + "narHash": "sha256-fkOqSkfOkl8tqxDd+zJU4kAgyLXp/ouaP+U9gpjEZZs=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2553aee74fed8c2205a4aeb3ffd206ca14ede60f", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-21.05", + "type": "indirect" + } + }, + "nixpkgs_5": { "locked": { "lastModified": 1626852498, "narHash": "sha256-lOXUJvi0FJUXHTVSiC5qsMRtEUgqM4mGZpMESLuGhmo=", @@ -437,13 +665,13 @@ "type": "indirect" } }, - "nixpkgs_2": { + "nixpkgs_6": { "locked": { - "lastModified": 1638922083, - "narHash": "sha256-IlQm69UmCfQBwccn+zZULwun0KRtdWFNYQ4jEA3VwW0=", + "lastModified": 1639611175, + "narHash": "sha256-13B6tgKXygEBWxwj9+vIjuWyzwNF1XPLjJiFAvE7A88=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fe56507bd3063a30f3a741a45bf3ba74a91cfac2", + "rev": "6d684ea3adef590a2174f2723134e1ea377272d2", "type": "github" }, "original": { 
@@ -578,12 +806,14 @@ }, "root": { "inputs": { + "chute": "chute", + "chuteUnstable": "chuteUnstable", "fudo-entities": "fudo-entities", "fudo-home": "fudo-home", "fudo-lib": "fudo-lib_2", "fudo-pkgs": "fudo-pkgs", "fudo-secrets": "fudo-secrets", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_6" } }, "rotate-text": { @@ -605,7 +835,7 @@ "service-keytabs": { "flake": false, "locked": { - "narHash": "sha256-9lw22Gh1IDX+MtXMLi+o3XbjvqEhOiZQG9FiG/xz/U0=", + "narHash": "sha256-0gpaf5j/Uxy6HUXDLt0T7vg4Z2aic1IHhuNUO5IcOhY=", "path": "/state/secrets/kerberos/service-keytabs", "type": "path" }, @@ -626,6 +856,18 @@ "type": "path" } }, + "service-secrets": { + "flake": false, + "locked": { + "narHash": "sha256-IfG9fX6qr+EKMfG6l/nzhrNYYXfKBtaNHHhiW6eCcGk=", + "path": "/state/secrets/service-secrets", + "type": "path" + }, + "original": { + "path": "/state/secrets/service-secrets", + "type": "path" + } + }, "ssh-keypairs": { "flake": false, "locked": { 
@@ -637,6 +879,66 @@ "path": "/state/secrets/ssh-keypairs", "type": "path" } + }, + "utils": { + "locked": { + "lastModified": 1637014545, + "narHash": "sha256-26IZAc5yzlD9FlDT54io1oqG/bBoyka+FJk5guaX4x4=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "bba5dcc8e0b20ab664967ad83d24d64cb64ec4f4", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "utils_2": { + "locked": { + "lastModified": 1638122382, + "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "74f7e4319258e287b0f9cb95426c9853b282730b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "utils_3": { + "locked": { + "lastModified": 1637014545, + "narHash": "sha256-26IZAc5yzlD9FlDT54io1oqG/bBoyka+FJk5guaX4x4=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "bba5dcc8e0b20ab664967ad83d24d64cb64ec4f4", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "utils_4": { + "locked": { + "lastModified": 1638122382, + "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "74f7e4319258e287b0f9cb95426c9853b282730b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 2183d14..b25335d 100644 --- a/flake.nix +++ b/flake.nix @@ -24,6 +24,10 @@ fudo-pkgs.url = "git+https://git.fudo.org/fudo-nix/pkgs.git"; fudo-secrets.url = "path:/state/secrets"; + + chute.url = "git+https://git.fudo.org/chute/chute.git?ref=stable"; + + chuteUnstable.url = "git+https://git.fudo.org/chute/chute.git?ref=master"; }; outputs = { self, @@ -33,6 +37,8 @@ fudo-entities, fudo-pkgs, fudo-secrets, + chute, + chuteUnstable, ... } @ inputs: with nixpkgs.lib; let 
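Review bot: the two new inputs pin `chute` to `?ref=stable` and `chuteUnstable` to `?ref=master` of the same repository, and the lock resolves them into two full copies of their dependencies (`clj2nix`/`clj2nix_2`, `nixpkgs` through `nixpkgs_4`, `utils` through `utils_4`), so the overlay builds against three nixpkgs revisions; if only the chute revision needs to differ, `inputs.chute.inputs.nixpkgs.follows = "nixpkgs";` and the same for `chuteUnstable` would collapse that. Separately, the accompanying flake.lock re-points `fudo-lib_2` from `git+https://git.fudo.org/fudo-nix/lib.git` to `path:/state/fudo-lib` although no flake.nix hunk changes `fudo-lib.url`, which looks like a lock written under `--override-input` against a local checkout; as committed it only evaluates on a machine with that directory and records no revision for `fudo-lib`, so re-lock from the git URL before merging or make the override explicit in flake.nix.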
@@ -53,6 +59,10 @@ overlays = [ fudo-lib.overlay fudo-pkgs.overlay + (final: prev: { + chute = chute.packages.${arch}.chute; + chuteUnstable = chuteUnstable.packages.${arch}.chute; + }) ]; };