Mostly stuff for selby forum

root 2021-12-18 12:10:42 -08:00
parent 5a0b508ecc
commit 806349c073
11 changed files with 711 additions and 189 deletions


@ -6,7 +6,7 @@
./backplane-client.nix ./backplane-client.nix
./bash.nix ./bash.nix
./common.nix ./common.nix
./dns.nix # ./dns.nix
./groups.nix ./groups.nix
./instance.nix ./instance.nix
# ./kerberos.nix # ./kerberos.nix
@ -15,7 +15,8 @@
./user-config.nix ./user-config.nix
./wireless-networks.nix ./wireless-networks.nix
./service/auth.nix ./service/dns.nix
./service/fudo-auth.nix
./service/jabber.nix ./service/jabber.nix
]; ];
} }


@ -66,12 +66,6 @@
opengl = { opengl = {
driSupport = true; driSupport = true;
driSupport32Bit = true; driSupport32Bit = true;
extraPackages = with pkgs; [
rocm-opencl-icd
rocm-opencl-runtime
amdvlk
driversi686Linux.amdvlk
];
setLdLibraryPath = true; setLdLibraryPath = true;
}; };


@ -11,7 +11,7 @@ let
local-packages = with pkgs; [ ldns.examples ]; local-packages = with pkgs; [ ldns.examples ];
secrets = config.fudo.secrets.host-secrets.${hostname}; host-secrets = config.fudo.secrets.host-secrets.${hostname};
in { in {
networking = { networking = {
@ -61,12 +61,6 @@ in {
hosts.legatus.external-interfaces = [ "extif0" ]; hosts.legatus.external-interfaces = [ "extif0" ];
services = { services = {
jabber = {
enable = true;
hostname = "jabber.fudo.org";
ldap.servers = [ "nutboy3.fudo.org" ];
state-directory = "/state/ejabberd";
};
auth = { auth = {
ldap.state-directory = "/state/auth/ldap"; ldap.state-directory = "/state/auth/ldap";
kerberos = { kerberos = {
@ -98,7 +92,7 @@ in {
user = config.fudo.auth.kdc.user; user = config.fudo.auth.kdc.user;
}; };
hemidal-ipropd-keytab = { heimdal-ipropd-keytab = {
source-file = files.service-keytabs.legatus.ipropd; source-file = files.service-keytabs.legatus.ipropd;
target-file = "/run/heimdal/ipropd.keytab"; target-file = "/run/heimdal/ipropd.keytab";
user = config.fudo.auth.kdc.user; user = config.fudo.auth.kdc.user;
@ -136,93 +130,5 @@ in {
}; };
dns.state-directory = "/state/nsd"; dns.state-directory = "/state/nsd";
# mail-server = {
# enable = true;
# debug = true;
# domain = domain-name;
# mail-hostname = "${host-fqdn}";
# monitoring = false;
# mail-user = "mailuser";
# mail-user-id = 525;
# mail-group = "mailgroup";
# clamav.enable = true;
# dkim.signing = true;
# dovecot = {
# ssl-certificate = acme-certificate "imap.${domain-name}";
# ssl-private-key = acme-private-key "imap.${domain-name}";
# };
# postfix = {
# ssl-certificate = acme-certificate "smtp.${domain-name}";
# ssl-private-key = acme-private-key "smtp.${domain-name}";
# };
# # This should NOT include the primary domain
# local-domains = [ host-fqdn "smtp.${domain-name}" ];
# mail-directory = "/srv/mailserver/mail";
# state-directory = "/srv/mailserver/state";
# trusted-networks = [ "172.86.179.16/29" "127.0.0.0/16" ];
# alias-users = {
# root = [ "niten" ];
# postmaster = [ "niten" ];
# hostmaster = [ "niten" ];
# webmaster = [ "niten" ];
# system = [ "niten" ];
# admin = [ "niten" ];
# dmarc-report = [ "niten" ];
# };
# };
# postgresql = {
# enable = true;
# ssl-certificate = (acme-certificate host-fqdn);
# ssl-private-key = (acme-private-key host-fqdn);
# keytab = secrets.postgres-keytab.target-file;
# local-networks = local-networks;
# users = {
# gituser = {
# password-file =
# secrets.gitea-database-password.target-file;
# databases = {
# git = {
# access = "CONNECT";
# entity-access = {
# "ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
# "ALL SEQUENCES IN SCHEMA public" = "SELECT, UPDATE";
# };
# };
# };
# };
# };
# databases = { git = { users = [ "niten" ]; }; };
# };
# git = {
# enable = true;
# hostname = "git.informis.land";
# site-name = "informis git";
# user = "gituser";
# repository-dir = /srv/git/repo;
# state-dir = /srv/git/state;
# database = {
# user = "gituser";
# password-file =
# secrets.gitea-database-password.target-file;
# hostname = "127.0.0.1";
# name = "git";
# };
# ssh = {
# listen-ip = host-ipv4;
# listen-port = 2222;
# };
# };
}; };
} }


@ -12,7 +12,7 @@ let
local-packages = with pkgs; [ ldns.examples ]; local-packages = with pkgs; [ ldns.examples ];
secrets = config.fudo.secrets.host-secrets.${hostname}; host-secrets = config.fudo.secrets.host-secrets.${hostname};
postgresql-user = postgresql-user =
config.systemd.services.postgresql.serviceConfig.User; config.systemd.services.postgresql.serviceConfig.User;
@ -23,6 +23,10 @@ let
in { in {
imports = [
./nutboy3/forum_selby_ca.nix
];
config = { config = {
networking = { networking = {
nameservers = [ "1.1.1.1" ]; nameservers = [ "1.1.1.1" ];
@ -37,9 +41,7 @@ in {
}]; }];
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [ "L /etc/adjtime - - - - /state/etc/adjtime" ];
"L /etc/adjtime - - - - /state/etc/adjtime"
];
environment.systemPackages = local-packages; environment.systemPackages = local-packages;
@ -68,7 +70,8 @@ in {
}; };
}; };
acme.host-domains.${hostname}.${host-fqdn}.local-copies = { acme.host-domains.${hostname} = {
${host-fqdn}.local-copies = {
openldap = { openldap = {
user = config.services.openldap.user; user = config.services.openldap.user;
dependent-services = [ "openldap.service" ]; dependent-services = [ "openldap.service" ];
@ -81,6 +84,7 @@ in {
part-of = [ config.fudo.postgresql.systemd-target ]; part-of = [ config.fudo.postgresql.systemd-target ];
}; };
}; };
};
client.dns = { client.dns = {
ipv4 = true; ipv4 = true;
@ -89,13 +93,21 @@ in {
external-interface = "extif0"; external-interface = "extif0";
}; };
services.auth = { services = {
jabber = {
enable = true;
hostname = "jabber.fudo.org";
ldap.servers = [ "nutboy3.fudo.org" ];
state-directory = "/state/ejabberd";
};
auth = {
ldap.state-directory = "/state/auth/ldap"; ldap.state-directory = "/state/auth/ldap";
kerberos = { kerberos = {
state-directory = "/state/auth/kerberos"; state-directory = "/state/auth/kerberos";
master-key-file = host-secrets.heimdal-master-key.target-file; master-key-file = host-secrets.heimdal-master-key.target-file;
}; };
}; };
};
# dns.state-directory = "/state/nsd"; # dns.state-directory = "/state/nsd";
@ -142,16 +154,15 @@ in {
# }; # };
postgresql = let postgresql = let
cert-copy = cert-copy = acme-copies.${host-fqdn}.local-copies.postgresql;
config.fudo.acme.host-domains.${hostname}.${host-fqdn}.local-copies.postgresql;
in { in {
enable = true; enable = true;
ssl-certificate = cert-copy.full-certificate; ssl-certificate = cert-copy.full-certificate;
ssl-private-key = cert-copy.private-key; ssl-private-key = cert-copy.private-key;
keytab = secrets.postgresql-keytab.target-file; keytab = host-secrets.postgresql-keytab.target-file;
local-networks = config.instance.local-networks; local-networks = config.instance.local-networks;
state-directory = "/state/postgresql"; state-directory = "/state/postgresql";
required-services = [ cert-copy.service ]; required-services = [ cert-copy.service config.fudo.secrets.secret-target ];
}; };
# git = { # git = {
@ -164,7 +175,7 @@ in {
# database = { # database = {
# user = "gituser"; # user = "gituser";
# password-file = # password-file =
# secrets.gitea-database-password.target-file; # host-secrets.gitea-database-password.target-file;
# hostname = "127.0.0.1"; # hostname = "127.0.0.1";
# name = "git"; # name = "git";
# }; # };


@ -0,0 +1,194 @@
{ config, lib, pkgs, ... }:
with lib;
let
site = "forum.test.selby.ca";
hostname = config.instance.hostname;
host-secrets = config.fudo.secrets.host-secrets.${hostname};
discourse-user = config.systemd.services.discourse.serviceConfig.User;
database-name = "forum_selby_ca";
database-user = "forum_selby_ca";
state-directory = "/state/selby/forum";
password-injector-sql = csv-file: pkgs.stdenv.mkDerivation {
name = "${site}-password-injector-sql";
phases = [ "installPhase" ];
buildInputs = [ pkgs.ruby ];
installPhase = ''
${password-convert-script csv-file}
'';
};
password-convert-script = csv-file: pkgs.writeScript "vanilla-forum-password-convert.rb" ''
#!${pkgs.ruby}/bin/ruby
require 'csv'
data = CSV::readlines("${csv-file}")
File::open(ENV["out"], "w") { |sql|
data.each { |row|
sql.puts("UPDATE users SET import_pass='#{row[2]}' FROM user_emails WHERE users.id = user_emails.user_id AND user_emails.email = '#{row[1]}';")
}
}
'';
in {
config = {
services.discourse = {
enable = true;
hostname = site;
enableACME = true;
plugins = with config.services.discourse.package.plugins; [
discourse-migratepassword
];
admin = {
username = "admin";
fullName = "Admin";
email = "admin@selby.ca";
passwordFile = host-secrets.selby-discourse-admin.target-file;
};
database = {
name = database-name;
host = "localhost";
username = database-user;
passwordFile =
host-secrets.selby-discourse-database-passwd.target-file;
};
};
fudo = {
secrets.host-secrets.${hostname} = let
selby-discourse-db-password =
pkgs.lib.passwd.stablerandom-passwd-file
"selby-discourse-database-password"
"selby-discourse-database-password-${config.instance.build-seed}";
files = config.fudo.secrets.files;
in {
selby-discourse-database-passwd = {
source-file = selby-discourse-db-password;
target-file = "/run/selby/forum/database.passwd";
user = discourse-user;
};
postgresql-selby-discourse-password = {
source-file = selby-discourse-db-password;
target-file = "/run/postgres/selby-discourse.passwd";
user = config.services.postgresql.superUser;
};
selby-discourse-admin = {
source-file = pkgs.lib.passwd.stablerandom-passwd-file
"selby-discourse-admin"
"selby-discourse-admin-${config.instance.build-seed}";
target-file = "/run/selby/forum/admin.passwd";
user = discourse-user;
};
selby-forum-data = {
source-file = files.blobs."selby-forum-2021-12-14.clean";
target-file = "/run/selby/forum/forum-data.txt";
user = discourse-user;
};
selby-forum-passwords-sql = {
source-file = "${password-injector-sql files.blobs."forum_selby_ca-passwd.csv"}";
target-file = "/run/postgres/selby/forum-passwords.sql";
user = config.services.postgresql.superUser;
};
};
postgresql = {
databases.${database-name}.users = [ "niten" ];
users.${database-user} = {
password-file = host-secrets.postgresql-selby-discourse-password.target-file;
databases.${database-name} = {
access = "CONNECT,CREATE";
entity-access = {
"ALL TABLES IN SCHEMA public" = "SELECT,INSERT,UPDATE,DELETE";
"ALL SEQUENCES IN SCHEMA public" = "SELECT,UPDATE";
};
};
};
};
};
security.acme.certs.${site}.email = "admin@selby.ca";
systemd = {
tmpfiles.rules = [
"d ${state-directory} 750 ${discourse-user} - - -"
"L /var/lib/discourse - - - - ${state-directory}"
];
services = {
discourse = {
bindsTo = [ "postgresql.service" ];
after = [
config.fudo.postgresql.systemd-target
"postgresql.service"
];
};
discourse-prepare = {
description = "Do discourse's superuser-requiring database work for it.";
wantedBy = [ "discourse.service" ];
before = [ "discourse.service" ];
requires = [ config.fudo.postgresql.systemd-target ];
after = [ config.fudo.postgresql.systemd-target ];
path = with pkgs; [ postgresql ];
serviceConfig = {
User = config.services.postgresql.superUser;
ExecStart = pkgs.writeShellScript "discourse-prepare.sh" ''
psql -d ${database-name} -c "CREATE EXTENSION IF NOT EXISTS hstore;"
psql -d ${database-name} -c "CREATE EXTENSION IF NOT EXISTS pg_trgm;"
'';
};
};
discourse-import-vanilla = let
env-without-path =
filterAttrs (attr: _: attr != "PATH")
config.systemd.services.discourse.environment;
selby-forum-data = host-secrets.selby-forum-data.target-file;
in {
description = "One-off job to import Vanilla forum.";
path = config.systemd.services.discourse.path;
environment = env-without-path;
serviceConfig = {
User = config.systemd.services.discourse.serviceConfig.User;
Group = config.systemd.services.discourse.serviceConfig.Group;
Type = "oneshot";
WorkingDirectory = config.systemd.services.discourse.serviceConfig.WorkingDirectory;
ExecStart = pkgs.writeShellScript "import-vanilla-forum.sh" ''
ruby script/import_scripts/vanilla.rb ${selby-forum-data}
'';
};
};
discourse-add-password-hash = let
alter-user-script = pkgs.writeText "create-password-column.sql" ''
ALTER TABLE users ADD COLUMN IF NOT EXISTS import_pass VARCHAR (64);
'';
in {
description = "One-off job to add user password hashes from Vanilla forum.";
path = with pkgs; [ postgresql ];
wantedBy = [ "discourse.service" ];
serviceConfig = {
User = config.services.postgresql.superUser;
Type = "oneshot";
ExecStart = pkgs.writeShellScript "import-vanilla-passwords.sh" ''
psql -d ${database-name} -f ${alter-user-script}
psql -d ${database-name} -f ${host-secrets.selby-forum-passwords-sql.target-file}
'';
};
};
};
};
};
}
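Review bot: `password-convert-script` interpolates `row[1]` and `row[2]` from the CSV directly into quoted SQL literals, and `discourse-add-password-hash` later runs the resulting file with `psql` as the PostgreSQL superuser, so a single quote in an email or hash breaks or alters the statement. Double the quotes before interpolating, for example `esc = ->(s) { s.to_s.gsub("'", "'" * 2) }` with `import_pass='#{esc.(row[2])}'` and `email = '#{esc.(row[1])}'`; the `"'" * 2` spelling avoids writing two consecutive single quotes, which would terminate the surrounding Nix string. The SQL file is also the `$out` of a `mkDerivation`, so the imported password hashes are written to the Nix store, which is normally readable by all local users; producing the file at runtime under `/run` would keep them out of it. Separately, `discourse-prepare` sets `before = [ "discourse.service" ]` without `Type = "oneshot"`, so the ordering probably does not wait for the `CREATE EXTENSION` statements to finish.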


@ -17,7 +17,7 @@ let
local-packages = with pkgs; [ ldns.examples ]; local-packages = with pkgs; [ ldns.examples ];
secrets = config.fudo.secrets.host-secrets.procul; host-secrets = config.fudo.secrets.host-secrets.procul;
passwd = pkgs.lib.fudo.passwd; passwd = pkgs.lib.fudo.passwd;
@ -65,7 +65,8 @@ in {
groups = { acme = { members = [ "nginx" ]; }; }; groups = { acme = { members = [ "nginx" ]; }; };
}; };
informis.cl-gemini = { informis = {
cl-gemini = {
enable = true; enable = true;
hostname = "gemini.informis.land"; hostname = "gemini.informis.land";
@ -83,6 +84,20 @@ in {
}; };
}; };
chute = {
enable = true;
stages = {
staging = {
package = pkgs.chuteUnstable;
credential-file = host-secrets.chute-staging-credentials.target-file;
currencies = {
btc.stop-percentile = 98;
};
};
};
};
};
fudo = { fudo = {
hosts.procul.external-interfaces = [ "extif0" ]; hosts.procul.external-interfaces = [ "extif0" ];
@ -135,6 +150,12 @@ in {
target-file = "/run/heimdal/master-key"; target-file = "/run/heimdal/master-key";
user = config.fudo.auth.kdc.user; user = config.fudo.auth.kdc.user;
}; };
chute-staging-credentials = {
source-file = files.service-secrets.procul."chute-staging.env";
target-file = "/run/chute/staging/credentials.env";
user = "root";
};
}; };
client.dns = { client.dns = {
@ -144,7 +165,14 @@ in {
external-interface = "extif0"; external-interface = "extif0";
}; };
auth.kdc.master-key-file = secrets.heimdal-master-key.target-file; services = {
auth = {
kerberos = {
state-directory = "/var/lib/kerberos";
master-key-file = host-secrets.heimdal-master-key.target-file;
};
};
};
secure-dns-proxy = { secure-dns-proxy = {
enable = true; enable = true;
@ -210,13 +238,13 @@ in {
enable = true; enable = true;
ssl-certificate = cert-copy.full-certificate; ssl-certificate = cert-copy.full-certificate;
ssl-private-key = cert-copy.private-key; ssl-private-key = cert-copy.private-key;
keytab = secrets.postgres-keytab.target-file; keytab = host-secrets.postgres-keytab.target-file;
local-networks = local-networks; local-networks = local-networks;
users = { users = {
gituser = { gituser = {
password-file = password-file =
secrets.gitea-database-password.target-file; host-secrets.gitea-database-password.target-file;
databases = { databases = {
git = { git = {
access = "CONNECT"; access = "CONNECT";
@ -242,7 +270,7 @@ in {
database = { database = {
user = "gituser"; user = "gituser";
password-file = password-file =
secrets.gitea-database-password.target-file; host-secrets.gitea-database-password.target-file;
hostname = "127.0.0.1"; hostname = "127.0.0.1";
name = "git"; name = "git";
}; };

59
config/service/dns.nix Normal file

@ -0,0 +1,59 @@
{ config, lib, pkgs, ... }:
with lib;
let
hostname = config.instance.hostname;
domain-name = config.instance.local-domain;
domain = config.fudo.domains.${domain-name};
served-domain = domain.primary-nameserver != null;
is-primary-nameserver = hostname == domain.primary-nameserver;
primary-nameserver = domain.primary-nameserver;
primary-nameserver-ip = pkgs.lib.network.host-ipv4 config primary-nameserver;
in {
config = mkIf (served-domain) {
fudo.dns = {
enable = is-primary-nameserver;
identity = "${hostname}.${domain-name}.";
nameservers = {
ns1 = {
ipv4-address = primary-nameserver-ip;
description = "Primary ${domain-name} nameserver";
};
};
listen-ips = optionals is-primary-nameserver
(pkgs.lib.network.host-ips config hostname);
domains = {
${domain-name} = {
dnssec = true;
default-host = primary-nameserver-ip;
gssapi-realm = domain.gssapi-realm;
mx = optional (domain.primary-mailserver != null)
domain.primary-mailserver;
dmarc-report-address = "dmarc-report@${domain-name}";
zone-definition = let
zone = config.fudo.zones.${domain-name};
make-dns-srv-record = hostname: {
port = 53;
host = hostname;
};
in zone // {
srv-records = {
tcp.domain = map make-dns-srv-record [ "ns1.${domain-name}" ];
udp.domain = map make-dns-srv-record [ "ns1.${domain-name}" ];
};
};
};
};
};
};
}
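Review bot: In `zone-definition`, `zone // { srv-records = { ... }; }` is a shallow merge, so any `srv-records` already present in `config.fudo.zones.${domain-name}` are discarded and replaced by the two `domain` entries. If the zone can carry its own SRV records, merge deeply instead, e.g. `in recursiveUpdate zone { srv-records = { ... }; }` (`lib` is already in scope through `with lib;`). The parameter `hostname` of `make-dns-srv-record` also shadows the outer `hostname` binding; naming it `host` would avoid confusion.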


@ -3,7 +3,7 @@
with lib; with lib;
let let
hostname = config.instance.hostname; hostname = config.instance.hostname;
domain-name = config.instance.local-domain; domain-name = config.fudo.services.auth.domain;
domain = config.fudo.domains.${domain-name}; domain = config.fudo.domains.${domain-name};
ldap-server = elem hostname domain.ldap-servers; ldap-server = elem hostname domain.ldap-servers;
@ -13,8 +13,18 @@ let
kerberized-domain = domain.kerberos-master != null; kerberized-domain = domain.kerberos-master != null;
optionalOrNull = pred: val: if pred then val else null;
cfg = config.fudo.services.auth;
in { in {
options.fudo.services.auth = with types; { options.fudo.services.auth = with types; {
domain = mkOption {
type = str;
description = "Domain for which authentication server will operate.";
default = config.fudo.hosts.${hostname}.domain;
};
ldap = { ldap = {
hostname = mkOption { hostname = mkOption {
type = str; type = str;
@ -44,12 +54,17 @@ in {
type = str; type = str;
description = "Path (on the build server) to the KDC master key file."; description = "Path (on the build server) to the KDC master key file.";
}; };
ipropd-keytab = mkOption {
type = nullOr str;
description = "ipropd keytab for kerberos database propagation.";
};
}; };
}; };
config.fudo = { config.fudo = {
acme.host-domains.${hostname} = mkIf (ldap-server) { acme.host-domains.${hostname} = mkIf (ldap-server) {
${cfg.hostname}.local-copies.openldap = { ${cfg.ldap.hostname}.local-copies.openldap = {
user = config.services.openldap.user; user = config.services.openldap.user;
part-of = [ config.fudo.auth.ldap-server.systemd-target ]; part-of = [ config.fudo.auth.ldap-server.systemd-target ];
}; };
@ -59,7 +74,7 @@ in {
ldap-server = mkIf (ldap-server) ldap-server = mkIf (ldap-server)
(let (let
ldap-cert-copy = ldap-cert-copy =
config.fudo.acme.host-domains.${hostname}.${cfg.hostname}.local-copies.openldap; config.fudo.acme.host-domains.${hostname}.${cfg.ldap.hostname}.local-copies.openldap;
in { in {
enable = ldap-server; enable = ldap-server;
base = "dc=fudo,dc=org"; base = "dc=fudo,dc=org";
@ -72,7 +87,7 @@ in {
groups = config.fudo.groups; groups = config.fudo.groups;
system-users = config.fudo.system-users; system-users = config.fudo.system-users;
state-directory = "${cfg.state-directory}/ldap"; state-directory = "${cfg.ldap.state-directory}";
ssl-chain = ldap-cert-copy.chain; ssl-chain = ldap-cert-copy.chain;
ssl-certificate = ldap-cert-copy.certificate; ssl-certificate = ldap-cert-copy.certificate;
@ -86,9 +101,11 @@ in {
bind-addresses = bind-addresses =
(pkgs.lib.network.host-ips config hostname) ++ (pkgs.lib.network.host-ips config hostname) ++
[ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1"); [ "127.0.0.1" ] ++ (optional config.networking.enableIPv6 "::1");
state-directory = cfg.kerberos.state-directory;
master-key-file = cfg.kerberos.master-key-file;
master-config = mkIf (kerberos-master) { master-config = mkIf (kerberos-master) {
acl = let acl = let
admin-entries = genAttrs cfg.local-admins admin-entries = genAttrs config.instance.local-admins
(admin: { (admin: {
perms = [ "add" "change-password" "list" ]; perms = [ "add" "change-password" "list" ];
}); });
@ -98,7 +115,7 @@ in {
}; };
slave-config = mkIf (kerberos-slave) { slave-config = mkIf (kerberos-slave) {
master-host = domain.kerberos-master; master-host = domain.kerberos-master;
# TODO: Provide the keytab yourself... ipropd-keytab = cfg.kerberos.ipropd-keytab;
}; };
}; };
}; };
@ -124,16 +141,16 @@ in {
in { in {
zone-definition.srv-records = { zone-definition.srv-records = {
tcp = { tcp = {
kerberos = map (create-srv-record 88) kerberos-servers; kerberos = map (make-srv-record 88) kerberos-servers;
kerberos-adm = map (create-srv-record 749) kerberos-masters; kerberos-adm = map (make-srv-record 749) kerberos-masters;
ldap = map (create-srv-record 389) ldap-servers; ldap = map (make-srv-record 389) ldap-servers;
ldaps = map (create-srv-record 636) ldap-servers; ldaps = map (make-srv-record 636) ldap-servers;
}; };
udp = { udp = {
kerberos = map (create-srv-record 88) kerberos-servers; kerberos = map (make-srv-record 88) kerberos-servers;
kerberos-master = map (create-srv-record 88) kerberos-masters; kerberos-master = map (make-srv-record 88) kerberos-masters;
kpasswd = map (create-srv-record 464) kerberos-masters; kpasswd = map (make-srv-record 464) kerberos-masters;
}; };
}; };
}; };
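Review bot: The new `ipropd-keytab` option is declared `nullOr str` but has no `default`, so a Kerberos slave that does not set it fails at evaluation with an undefined-option error instead of falling back to `null`. Add `default = null;` if null is meant to be valid, or drop `nullOr` if the keytab is mandatory. `slave-config` passes the value straight through as `ipropd-keytab = cfg.kerberos.ipropd-keytab;`, so whether a null keytab is handled depends on the `fudo.auth.kdc` module, which is not shown here.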


@ -74,7 +74,7 @@ in {
site-config = { site-config = {
auth_method = "ldap"; auth_method = "ldap";
ldap_servers = cfg.ldap.servers; ldap_servers = cfg.ldap.servers;
ldap_port = 636; ldap_port = 389;
ldap_rootdn = "cn=${cfg.ldap.user},dc=fudo,dc=org"; ldap_rootdn = "cn=${cfg.ldap.user},dc=fudo,dc=org";
ldap_password = "__LDAP_PASSWORD__"; ldap_password = "__LDAP_PASSWORD__";
ldap_base = "ou=members,dc=fudo,dc=org"; ldap_base = "ou=members,dc=fudo,dc=org";
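Review bot: Changing `ldap_port` from 636 to 389 moves ejabberd's directory traffic to the plain LDAP port, so the `ldap_rootdn` bind password and every user password checked through `auth_method = "ldap"` cross the connection unencrypted unless TLS is configured outside this hunk. As far as I know ejabberd's `ldap_encrypt` supports only LDAPS (`tls`), not STARTTLS, so port 389 cannot be upgraded in place. If the servers in `cfg.ldap.servers` are reached over anything but loopback, keep `ldap_port = 636;` and set `ldap_encrypt = "tls";` (with `ldap_tls_verify` as appropriate); if this change works around a certificate problem, a comment saying so would help. The enclosing `site-config` block starts and ends outside the hunk.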


@ -1,5 +1,17 @@
{ {
"nodes": { "nodes": {
"blobs": {
"flake": false,
"locked": {
"narHash": "sha256-bzJh3skCEKFM7KO9N6icOJsRqXmjbSo1s8uNh3t9mYI=",
"path": "/state/secrets/blobs",
"type": "path"
},
"original": {
"path": "/state/secrets/blobs",
"type": "path"
}
},
"build-keypairs": { "build-keypairs": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -24,6 +36,90 @@
"type": "path" "type": "path"
} }
}, },
"chute": {
"inputs": {
"clj2nix": "clj2nix",
"gitignore": "gitignore",
"nixpkgs": "nixpkgs_2",
"utils": "utils_2"
},
"locked": {
"lastModified": 1639520373,
"narHash": "sha256-nJJpvdsL/D/gY8iFaacdoS9phz74wPh2Ta1fc/XfBMg=",
"ref": "stable",
"rev": "56438b1ee2856cb98781f4580a1c6cc0cc6e6f1e",
"revCount": 4,
"type": "git",
"url": "https://git.fudo.org/chute/chute.git"
},
"original": {
"ref": "stable",
"type": "git",
"url": "https://git.fudo.org/chute/chute.git"
}
},
"chuteUnstable": {
"inputs": {
"clj2nix": "clj2nix_2",
"gitignore": "gitignore_2",
"nixpkgs": "nixpkgs_4",
"utils": "utils_4"
},
"locked": {
"lastModified": 1639617108,
"narHash": "sha256-8lwF4kcf/pigrNIrR4JXdTTFTCxgKyVGsYppVEt1rII=",
"ref": "master",
"rev": "0845e2e7eb44aefe38e3ae80ac237fd851733737",
"revCount": 6,
"type": "git",
"url": "https://git.fudo.org/chute/chute.git"
},
"original": {
"ref": "master",
"type": "git",
"url": "https://git.fudo.org/chute/chute.git"
}
},
"clj2nix": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": "nixpkgs",
"utils": "utils"
},
"locked": {
"lastModified": 1637900288,
"narHash": "sha256-hQdSCIm1WpG5uK9hoe/iagyYc3Fhi8PJzfo1jFBa53g=",
"owner": "hlolli",
"repo": "clj2nix",
"rev": "3d0a38c954c8e0926f57de1d80d357df05fc2f94",
"type": "github"
},
"original": {
"owner": "hlolli",
"repo": "clj2nix",
"type": "github"
}
},
"clj2nix_2": {
"inputs": {
"flake-compat": "flake-compat_2",
"nixpkgs": "nixpkgs_3",
"utils": "utils_3"
},
"locked": {
"lastModified": 1637900288,
"narHash": "sha256-hQdSCIm1WpG5uK9hoe/iagyYc3Fhi8PJzfo1jFBa53g=",
"owner": "hlolli",
"repo": "clj2nix",
"rev": "3d0a38c954c8e0926f57de1d80d357df05fc2f94",
"type": "github"
},
"original": {
"owner": "hlolli",
"repo": "clj2nix",
"type": "github"
}
},
"dnssec-keys": { "dnssec-keys": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -48,7 +144,7 @@
"explain-pause-mode": "explain-pause-mode", "explain-pause-mode": "explain-pause-mode",
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_2",
"nix-straight": "nix-straight", "nix-straight": "nix-straight",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_5",
"nose": "nose", "nose": "nose",
"ob-racket": "ob-racket", "ob-racket": "ob-racket",
"org": "org", "org": "org",
@ -213,6 +309,38 @@
"type": "path" "type": "path"
} }
}, },
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1627913399,
"narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1627913399,
"narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"locked": { "locked": {
"lastModified": 1638122382, "lastModified": 1638122382,
@ -252,11 +380,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1639074482, "lastModified": 1639518935,
"narHash": "sha256-diaAXDKP89pdcmHV7sc/a4FAE7G4xL2qvKKcinI1K7g=", "narHash": "sha256-I3+jWNiGo6q3BtQHNgWK5aZ7K22L6YzNjQ5ZOfKgYwQ=",
"ref": "master", "ref": "master",
"rev": "7c094f43c4009d9e4d3e2588f50d93ca054eeb9a", "rev": "ee5bede8e9766bbdf7b9f093d8eb3d1c2eb27caa",
"revCount": 18, "revCount": 24,
"type": "git", "type": "git",
"url": "https://git.fudo.org/fudo-nix/entities.git" "url": "https://git.fudo.org/fudo-nix/entities.git"
}, },
@ -275,11 +403,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1639073015, "lastModified": 1639853480,
"narHash": "sha256-F9KuMZNZjyQx4+JxH8QWhtPQlCJCRscjvWknsxYWus4=", "narHash": "sha256-FV9LBcA/hh0DIBb7JzmcDjXDq6wJP46NALsMW0orfbc=",
"ref": "master", "ref": "master",
"rev": "8ccd875d048ec7cad944a080a24d59d36b4f8cb8", "rev": "4954bd4e6c5d784740bee169aa7db7850fcfd5e0",
"revCount": 54, "revCount": 58,
"type": "git", "type": "git",
"url": "https://git.fudo.org/fudo-nix/home.git" "url": "https://git.fudo.org/fudo-nix/home.git"
}, },
@ -305,17 +433,13 @@
}, },
"fudo-lib_2": { "fudo-lib_2": {
"locked": { "locked": {
"lastModified": 1638990149, "narHash": "sha256-teWuZmwu300Yop8z9AT9Fz+kFb6ZimzDCXhg0iyB3mA=",
"narHash": "sha256-p1T0GMJXIJvTpVdn5nK7RZJX8izkabADJ/LsaL442zI=", "path": "/state/fudo-lib",
"ref": "master", "type": "path"
"rev": "c87448ff1365c3d5230690f68d1ba246652581d1",
"revCount": 24,
"type": "git",
"url": "https://git.fudo.org/fudo-nix/lib.git"
}, },
"original": { "original": {
"type": "git", "path": "/state/fudo-lib",
"url": "https://git.fudo.org/fudo-nix/lib.git" "type": "path"
} }
}, },
"fudo-pkgs": { "fudo-pkgs": {
@ -335,6 +459,7 @@
}, },
"fudo-secrets": { "fudo-secrets": {
"inputs": { "inputs": {
"blobs": "blobs",
"build-keypairs": "build-keypairs", "build-keypairs": "build-keypairs",
"build-seed": "build-seed", "build-seed": "build-seed",
"dnssec-keys": "dnssec-keys", "dnssec-keys": "dnssec-keys",
@ -343,10 +468,11 @@
"realm-master-keys": "realm-master-keys", "realm-master-keys": "realm-master-keys",
"service-keytabs": "service-keytabs", "service-keytabs": "service-keytabs",
"service-passwords": "service-passwords", "service-passwords": "service-passwords",
"service-secrets": "service-secrets",
"ssh-keypairs": "ssh-keypairs" "ssh-keypairs": "ssh-keypairs"
}, },
"locked": { "locked": {
"narHash": "sha256-Q89s52d8KAMIbxh7aBoUwUTFAbgUBE5IaAIwd267k20=", "narHash": "sha256-MHMKtDMz654T70gD5K+kP0CYnGsYlqO1J58fvs+GuNI=",
"path": "/state/secrets", "path": "/state/secrets",
"type": "path" "type": "path"
}, },
@ -355,6 +481,48 @@
"type": "path" "type": "path"
} }
}, },
"gitignore": {
"inputs": {
"nixpkgs": [
"chute",
"nixpkgs"
]
},
"locked": {
"lastModified": 1635165013,
"narHash": "sha256-o/BdVjNwcB6jOmzZjOH703BesSkkS5O7ej3xhyO8hAY=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "5b9e0ff9d3b551234b4f3eb3983744fa354b17f1",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"gitignore_2": {
"inputs": {
"nixpkgs": [
"chuteUnstable",
"nixpkgs"
]
},
"locked": {
"lastModified": 1635165013,
"narHash": "sha256-o/BdVjNwcB6jOmzZjOH703BesSkkS5O7ej3xhyO8hAY=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "5b9e0ff9d3b551234b4f3eb3983744fa354b17f1",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -380,7 +548,7 @@
"host-keytabs": { "host-keytabs": {
"flake": false, "flake": false,
"locked": { "locked": {
"narHash": "sha256-LzDfB9ubACWyQzjXzsPH6eNoESmSVcMFFb3V025Xgow=", "narHash": "sha256-LAAZVfwD65yS6H7EcKmfiPXtLcfRQ80u3V4LFRjr7ko=",
"path": "/state/secrets/kerberos/host-keytabs", "path": "/state/secrets/kerberos/host-keytabs",
"type": "path" "type": "path"
}, },
@ -392,11 +560,11 @@
"niten-doom-config": { "niten-doom-config": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1633712607, "lastModified": 1639608722,
"narHash": "sha256-6PAw7Xvoj4JROeTqK1nhT2zv7bPpiQlm9t7H5HQ0f2k=", "narHash": "sha256-Ao+J7h/zE0X+G3frfxCkoY4hK7T1oNpTpwwv7n7pGaA=",
"ref": "master", "ref": "master",
"rev": "0a4f8ce4121ba3d64d29b0d52733c08febfb83d8", "rev": "8be77a42d7669fa71287c58ebaf210159f198b50",
"revCount": 35, "revCount": 36,
"type": "git", "type": "git",
"url": "https://git.fudo.org/niten/doom-emacs.git" "url": "https://git.fudo.org/niten/doom-emacs.git"
}, },
@ -423,6 +591,66 @@
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": {
"lastModified": 1637881340,
"narHash": "sha256-/meU5CTm8GnaETZrJa0UqBQvk9T/jKp1+MLIQQ7FTTo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d460f48ddb884f7270b7f7bfcbf8a7b91140caa5",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1638196344,
"narHash": "sha256-fkOqSkfOkl8tqxDd+zJU4kAgyLXp/ouaP+U9gpjEZZs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2553aee74fed8c2205a4aeb3ffd206ca14ede60f",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-21.05",
"type": "indirect"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1637881340,
"narHash": "sha256-/meU5CTm8GnaETZrJa0UqBQvk9T/jKp1+MLIQQ7FTTo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d460f48ddb884f7270b7f7bfcbf8a7b91140caa5",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1638196344,
"narHash": "sha256-fkOqSkfOkl8tqxDd+zJU4kAgyLXp/ouaP+U9gpjEZZs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2553aee74fed8c2205a4aeb3ffd206ca14ede60f",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-21.05",
"type": "indirect"
}
},
"nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1626852498, "lastModified": 1626852498,
"narHash": "sha256-lOXUJvi0FJUXHTVSiC5qsMRtEUgqM4mGZpMESLuGhmo=", "narHash": "sha256-lOXUJvi0FJUXHTVSiC5qsMRtEUgqM4mGZpMESLuGhmo=",
@ -437,13 +665,13 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs_2": { "nixpkgs_6": {
"locked": { "locked": {
"lastModified": 1638922083, "lastModified": 1639611175,
"narHash": "sha256-IlQm69UmCfQBwccn+zZULwun0KRtdWFNYQ4jEA3VwW0=", "narHash": "sha256-13B6tgKXygEBWxwj9+vIjuWyzwNF1XPLjJiFAvE7A88=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "fe56507bd3063a30f3a741a45bf3ba74a91cfac2", "rev": "6d684ea3adef590a2174f2723134e1ea377272d2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -578,12 +806,14 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"chute": "chute",
"chuteUnstable": "chuteUnstable",
"fudo-entities": "fudo-entities", "fudo-entities": "fudo-entities",
"fudo-home": "fudo-home", "fudo-home": "fudo-home",
"fudo-lib": "fudo-lib_2", "fudo-lib": "fudo-lib_2",
"fudo-pkgs": "fudo-pkgs", "fudo-pkgs": "fudo-pkgs",
"fudo-secrets": "fudo-secrets", "fudo-secrets": "fudo-secrets",
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_6"
} }
}, },
"rotate-text": { "rotate-text": {
@ -605,7 +835,7 @@
"service-keytabs": { "service-keytabs": {
"flake": false, "flake": false,
"locked": { "locked": {
"narHash": "sha256-9lw22Gh1IDX+MtXMLi+o3XbjvqEhOiZQG9FiG/xz/U0=", "narHash": "sha256-0gpaf5j/Uxy6HUXDLt0T7vg4Z2aic1IHhuNUO5IcOhY=",
"path": "/state/secrets/kerberos/service-keytabs", "path": "/state/secrets/kerberos/service-keytabs",
"type": "path" "type": "path"
}, },
@ -626,6 +856,18 @@
"type": "path" "type": "path"
} }
}, },
"service-secrets": {
"flake": false,
"locked": {
"narHash": "sha256-IfG9fX6qr+EKMfG6l/nzhrNYYXfKBtaNHHhiW6eCcGk=",
"path": "/state/secrets/service-secrets",
"type": "path"
},
"original": {
"path": "/state/secrets/service-secrets",
"type": "path"
}
},
"ssh-keypairs": { "ssh-keypairs": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -637,6 +879,66 @@
"path": "/state/secrets/ssh-keypairs", "path": "/state/secrets/ssh-keypairs",
"type": "path" "type": "path"
} }
},
"utils": {
"locked": {
"lastModified": 1637014545,
"narHash": "sha256-26IZAc5yzlD9FlDT54io1oqG/bBoyka+FJk5guaX4x4=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "bba5dcc8e0b20ab664967ad83d24d64cb64ec4f4",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"utils_2": {
"locked": {
"lastModified": 1638122382,
"narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"utils_3": {
"locked": {
"lastModified": 1637014545,
"narHash": "sha256-26IZAc5yzlD9FlDT54io1oqG/bBoyka+FJk5guaX4x4=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "bba5dcc8e0b20ab664967ad83d24d64cb64ec4f4",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"utils_4": {
"locked": {
"lastModified": 1638122382,
"narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",


@ -24,6 +24,10 @@
fudo-pkgs.url = "git+https://git.fudo.org/fudo-nix/pkgs.git"; fudo-pkgs.url = "git+https://git.fudo.org/fudo-nix/pkgs.git";
fudo-secrets.url = "path:/state/secrets"; fudo-secrets.url = "path:/state/secrets";
chute.url = "git+https://git.fudo.org/chute/chute.git?ref=stable";
chuteUnstable.url = "git+https://git.fudo.org/chute/chute.git?ref=master";
}; };
outputs = { self, outputs = { self,
@ -33,6 +37,8 @@
fudo-entities, fudo-entities,
fudo-pkgs, fudo-pkgs,
fudo-secrets, fudo-secrets,
chute,
chuteUnstable,
... } @ inputs: ... } @ inputs:
with nixpkgs.lib; with nixpkgs.lib;
let let
@ -53,6 +59,10 @@
overlays = [ overlays = [
fudo-lib.overlay fudo-lib.overlay
fudo-pkgs.overlay fudo-pkgs.overlay
(final: prev: {
chute = chute.packages.${arch}.chute;
chuteUnstable = chuteUnstable.packages.${arch}.chute;
})
]; ];
}; };