Flake Update Bot
3edafb0950 Update nixpkgs 2025-09-12-01-03 2025-09-12 03:04:17 +02:00
539502cea0 flake.lock: Update mu5001tool 2025-09-12 00:10:03 +02:00
00a7eee2af hosts/astatine: Update mu5001tool and restart on failure 2025-09-11 12:39:04 +02:00
e82132b86e hosts/astatine: Add stack to monitor zte hypermobile 5g 2025-09-08 23:32:57 +02:00
503dca182e pkgs/curl-timings: Add curl shortcut to show connection timings 2025-09-03 13:05:55 +02:00
82f8064956 pkgs/grow-last-partition-and-filesystem: Add command to easily grow a filesystem on a disk resized by Proxmox 2025-08-30 11:11:57 +02:00
342d50d936 pkgs/bijwerken-system-upgrade: Copy system store path from any configured nix cache 2025-08-30 09:52:25 +02:00
dd76691f7d pkgs/bijwerken-*,modules/bijwerken: Consolidate system update management and refactor under the same name 2025-08-17 21:49:24 +02:00
72cdef91d9 profiles/common-nix: Remove guests group from trusted nix users 2025-08-17 20:02:34 +02:00
22c7cb451b pkgs/nixfiles: Add helper script to trigger system upgrades 2025-08-17 19:05:22 +02:00
9357981ff3 hosts/monitoring-3: Alert on fem.social unavailable 2025-08-17 10:39:01 +02:00
eddb365ae5 hosts/monitoring-3: Alert nadja.top down after 15min only 2025-08-17 10:17:43 +02:00
d01de7fc4a hosts/monitoring-3: Add dashboards to deployment 2025-08-16 22:01:06 +02:00
a1ca9313b9 hosts/monitoring-3: Add Nginx Grafana dashboard 2025-08-15 20:50:24 +02:00
217ede0307 modules/monitoring: Extract metrics from nginx logs 2025-08-15 18:14:41 +02:00
643478b724 pkgs/generate-blocked-prefixes: Deduplicate prefixes before generating firewall rules 2025-08-14 20:20:33 +02:00
13b8ccd087 hosts/krypton: don't use onlyoffice anymore 2025-08-09 14:59:03 +02:00
7c3a97a90a hosts/web-2: Update legal.clerie.de 2025-08-09 11:42:04 +02:00
40338d9b85 hosts/monitoring-3: Monitor alertmanager 2025-08-09 11:41:34 +02:00
7f6f6281cc profiles/desktop: Migrate from configuration 2025-07-29 23:03:58 +02:00
2d4acb5a49 flake.lock: Update lix 2025-07-29 18:04:22 +02:00
Flake Update Bot
905682cf17 Update nixpkgs 2025-07-29-01-03 2025-07-29 03:04:11 +02:00
f5ec777e9b flake/hydraJobs.nix: Track additional packages in hydra 2025-07-28 22:48:59 +02:00
944bced757 pkgs/pipewire-all-bluetooth: A pipewire audio sink that distributes to all Bluetooth speakers 2025-07-28 22:36:49 +02:00
5bd15927d5 hosts/web-2: Block Alibaba Cloud because of scraper bots 2025-07-18 23:55:33 +02:00
9b05a008bb configuration/desktop: Add helvum audio routing gui 2025-07-15 19:39:46 +02:00
871ba5ea43 pkgs/uptimestatus: Explicitly specify build system 2025-07-15 19:26:50 +02:00
560e53f77b hosts/krypton: Add drune3d program 2025-07-12 13:21:30 +02:00
03aa425038 hosts/web-2: Add traveldrafter.clerie.de 2025-07-06 18:17:31 +02:00
751efd02bb hosts/porter: Enable system auto upgrade 2025-07-05 20:16:01 +02:00
43d1133772 modules/clerie-system-upgrade: Always reboot after an update 2025-06-30 18:35:57 +02:00
4245ae84ed hosts/carbon: Don't make kea depend on non existend network-setup.service anymore 2025-06-29 22:25:19 +02:00
b9f47fc30c flake.nix: Use patched nixpkgs for carbon 2025-06-29 17:29:01 +02:00
ce54f06fd0 flake/nixosConfigurations.nix: Handle host specific nixpkgs input again 2025-06-29 17:28:38 +02:00
457fa2ca6f lib/mkNixpkgs.nix: Add function to import nixpkgs with overlays 2025-06-29 16:56:41 +02:00
60e80ab2e9 profiles/gpg-ssh: Move gpg-ssh to profiles 2025-06-29 11:51:27 +02:00
4bf030c006 profiles/common-nix: Migrate nix common config zu profile 2025-06-29 11:34:11 +02:00
0204773d27 lib/nixosSystem.nix: Wrap nixpkgs.lib.nixosSystem and include nixfiles modules and overlays by default 2025-06-28 16:43:03 +02:00
a66da6cac9 lib/link-local-wireguard.nix: Remove obsolete functions 2025-06-28 16:27:06 +02:00
691d671420 pkgs/clerie-ssh-known-hosts: Expose function as package 2025-06-28 16:25:38 +02:00
fef845117e flake/nixosConfigurations.nix: Pull localNixpkgs directly instead of creating nixpkgs with local overlays again 2025-06-28 16:10:46 +02:00
11970e287c pkgs/build-support: Move clerie-build-support attribute name to overlay 2025-06-28 15:32:58 +02:00
cdc1a1e6de flake.nix: Add unused helper variable 2025-06-28 15:31:38 +02:00
e9b5dce77f flake.nix: Common naming scheme for overlays and no default overlays anymore 2025-06-28 15:22:16 +02:00
23190f0777 pkgs/overlay.nix: Get rid of pkgs/pkgs.nix and move overrides to separate overlay 2025-06-28 15:14:36 +02:00
1d927638c5 flake.nix: Exclude build support from flake exported packages and make pkgs/pkgs.nix obsolete again 2025-06-28 15:03:46 +02:00
a754af1ee9 configuration/desktop: Update renamed option name 2025-06-28 14:14:11 +02:00
617a27d4fe flake.lock: Update lix 2025-06-28 14:05:39 +02:00
eace2fabb2 pkgs/build-support: Add writePytonScript helper function 2025-06-28 14:03:57 +02:00
Flake Update Bot
721f6681e1 Update nixpkgs 2025-06-27-01-03 2025-06-27 03:04:09 +02:00
86bfe85982 hosts/porter: Resolve nginx proxy upstreams via unbound 2025-06-24 16:42:03 +02:00
100 changed files with 2353 additions and 625 deletions

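--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -7,7 +7,6 @@
 ./initrd.nix
 ./locale.nix
 ./networking.nix
-./nix.nix
 ./programs.nix
 ./ssh.nix
 ./systemd.nix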

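--- a/<path not shown on page>
+++ /dev/null
@@ -1,70 +0,0 @@
-{ lib, pkgs, ... }:
-{
-clerie.nixfiles.enable = true;
-clerie.system-auto-upgrade.enable = true;
-nix.settings = {
-trusted-users = [ "@wheel" "@guests" ];
-auto-optimise-store = true;
-# Keep buildtime dependencies
-keep-outputs = true;
-# Build local, when caches are broken
-fallback = true;
-};
-nix.gc = lib.mkDefault {
-automatic = true;
-dates = "weekly";
-options = "--delete-older-than 30d";
-};
-nix.settings = {
-experimental-features = [
-"flakes"
-"nix-command"
-];
-substituters = [
-"https://nix-cache.clerie.de"
-];
-trusted-public-keys = [
-"nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
-];
-};
-# Pin current nixpkgs channel and flake registry to the nixpkgs version
-# the host got build with
-nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
-nix.registry = {
-"nixpkgs" = lib.mkForce {
-from = {
-type = "indirect";
-id = "nixpkgs";
-};
-to = {
-type = "path";
-path = lib.cleanSource pkgs.path;
-};
-exact = true;
-};
-"templates" = {
-from = {
-type = "indirect";
-id = "templates";
-};
-to = {
-type = "git";
-url = "https://git.clerie.de/clerie/flake-templates.git";
-};
-};
-};
-documentation.doc.enable = false;
-environment.systemPackages = with pkgs; [
-nix-remove-result-links
-];
-}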


@@ -6,6 +6,7 @@
# My system is fucked # My system is fucked
gptfdisk gptfdisk
parted parted
grow-last-partition-and-filesystem
# Normal usage # Normal usage
htop htop

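--- a/<path not shown on page>
+++ /dev/null
@@ -1,19 +0,0 @@
-{ ... }:
-{
-services.pulseaudio.enable = false;
-security.rtkit.enable = true;
-services.pipewire = {
-enable = true;
-alsa = {
-enable = true;
-support32Bit = true;
-};
-pulse = {
-enable = true;
-};
-};
-}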

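--- a/<path not shown on page>
+++ /dev/null
@@ -1,19 +0,0 @@
-{ ... }:
-{
-imports = [
-./audio.nix
-./firmware.nix
-./fonts.nix
-./gnome.nix
-./inputs.nix
-./networking.nix
-./polkit.nix
-./power.nix
-./printing.nix
-./ssh.nix
-./xserver.nix
-];
-security.sudo.wheelNeedsPassword = true;
-}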

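--- a/<path not shown on page>
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-{
-services.fwupd.enable = true;
-}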

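--- a/<path not shown on page>
+++ /dev/null
@@ -1,13 +0,0 @@
-{ pkgs, ... }:
-{
-fonts.enableDefaultPackages = true;
-fonts.packages = with pkgs; [
-roboto
-roboto-mono
-noto-fonts
-noto-fonts-emoji
-comfortaa
-] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
-}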

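--- a/<path not shown on page>
+++ /dev/null
@@ -1,61 +0,0 @@
-{ pkgs, ... }:
-{
-services.gnome = {
-localsearch.enable = false;
-tinysparql.enable = false;
-};
-environment.gnome.excludePackages = with pkgs; [
-baobab
-epiphany
-gnome-calendar
-gnome-clocks
-gnome-console
-gnome-contacts
-gnome-logs
-gnome-maps
-gnome-music
-gnome-tour
-gnome-photos
-gnome-weather
-gnome-connections
-simple-scan
-yelp
-geary
-];
-environment.systemPackages = with pkgs; [
-evolution
-gnome-terminal
-gnome-tweaks
-];
-services.gnome.evolution-data-server.enable = true;
-programs.dconf.profiles = {
-user.databases = [
-{
-settings = {
-"org/gnome/desktop/calendar" = {
-show-weekdate = true;
-};
-"org/gnome/desktop/interface" = {
-enable-hot-corners = false;
-show-battery-percentage = true;
-};
-"org/gnome/desktop/notifications" = {
-show-in-lock-screen = false;
-};
-"org/gnome/desktop/sound" = {
-event-sounds = false;
-};
-"org/gnome/gnome-system-monitor" = {
-network-in-bits = true;
-network-total-in-bits = true;
-};
-};
-}
-];
-};
-}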

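--- a/<path not shown on page>
+++ /dev/null
@@ -1,43 +0,0 @@
-{ ... }:
-{
-programs.dconf.profiles = {
-user.databases = [
-{
-settings = {
-"org/gnome/desktop/peripherals/touchpad" = {
-disable-while-typing = false;
-edge-scrolling-enabled = false;
-natural-scroll = true;
-tap-to-click = true;
-two-finger-scrolling-enabled = true;
-};
-"org/gnome/settings-daemon/plugins/media-keys" = {
-custom-keybindings = [
-"/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
-];
-mic-mute = [ "<Control>Print" ];
-};
-"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
-name = "Terminal";
-binding = "<Primary><Alt>t";
-command = "gnome-terminal";
-};
-};
-}
-];
-gdm.databases = [
-{
-settings = {
-"org/gnome/desktop/peripherals/touchpad" = {
-disable-while-typing = false;
-edge-scrolling-enabled = false;
-natural-scroll = true;
-tap-to-click = true;
-two-finger-scrolling-enabled = true;
-};
-};
-}
-];
-};
-}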

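--- a/<path not shown on page>
+++ /dev/null
@@ -1,14 +0,0 @@
-{ ... }:
-{
-networking.networkmanager.settings = {
-connectivity = {
-uri = "http://ping.clerie.de/nm-check.txt";
-};
-global-dns = {
-searches = "net.clerie.de";
-};
-};
-}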

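--- a/<path not shown on page>
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-{
-security.polkit.enable = true;
-}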

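--- a/<path not shown on page>
+++ /dev/null
@@ -1,42 +0,0 @@
-{ lib, config, ... }:
-{
-boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
-services.logind = {
-lidSwitch = "suspend-then-hibernate";
-};
-systemd.sleep.extraConfig = ''
-HibernateDelaySec=30m
-'';
-services.upower = {
-percentageLow = 20;
-percentageCritical = 10;
-percentageAction = 8;
-};
-programs.dconf.profiles = {
-user.databases = [
-{
-settings = {
-"org/gnome/settings-daemon/plugins/power" = {
-power-button-action = "hibernate";
-power-saver-profile-on-low-battery = false;
-sleep-inactive-ac-type = "nothing";
-};
-};
-}
-];
-gdm.databases = [
-{
-settings = {
-"org/gnome/settings-daemon/plugins/power" = {
-power-button-action = "hibernate";
-power-saver-profile-on-low-battery = false;
-sleep-inactive-ac-type = "nothing";
-};
-};
-}
-];
-};
-}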

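--- a/<path not shown on page>
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-{
-services.printing.enable = true;
-services.avahi.enable = true;
-services.avahi.nssmdns4 = true;
-}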

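--- a/<path not shown on page>
+++ /dev/null
@@ -1,34 +0,0 @@
-{ pkgs, ... }:
-{
-imports = [
-../../configuration/gpg-ssh
-];
-programs.gnupg.agent = {
-pinentryPackage = pkgs.pinentry-gtk2;
-};
-# Do not disable ssh-agent of gnome-keyring, because
-# gnupg ssh-agent can't handle normal SSH keys properly
-/*
-# Disable ssh-agent of gnome-keyring
-nixpkgs.overlays = [
-(final: prev: {
-gnome = prev.gnome // {
-gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
-mkdir -p $out
-# Symlink all gnome-keyring binaries
-${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
-# Disable autostart for ssh
-rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
-cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
-echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
-'';
-};
-})
-];
-*/
-}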

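--- a/<path not shown on page>
+++ /dev/null
@@ -1,11 +0,0 @@
-{ pkgs, ... }:
-{
-services.xserver.enable = true;
-services.xserver.displayManager.gdm.enable = true;
-services.xserver.desktopManager.gnome.enable = true;
-services.xserver.excludePackages = with pkgs; [
-xterm
-];
-}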

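--- a/<path not shown on page>
+++ /dev/null
@@ -1,51 +0,0 @@
-{ pkgs, lib, ... }:
-let
-custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
-configureFlags = prev.configureFlags ++ [
-# Make sure scdaemon never ever again tries to use its own ccid driver
-"--disable-ccid-driver"
-];
-});
-in {
-programs.gnupg.package = custom_gnupg;
-programs.gnupg.agent = {
-enable = true;
-enableSSHSupport = true;
-pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
-};
-environment.systemPackages = with pkgs; [
-custom_gnupg
-yubikey-personalization
-openpgp-card-tools
-# Add wrapper around ssh that takes the gnupg ssh-agent
-# instead of gnome-keyring
-ssh-gpg
-];
-services.pcscd.enable = true;
-# pcscd sometimes breaks and seem to need a manual restart
-# so we allow users to restart that service themself
-security.polkit.extraConfig = ''
-polkit.addRule(function(action, subject) {
-if (
-action.id == "org.freedesktop.systemd1.manage-units"
-&& action.lookup("unit") == "pcscd.service"
-&& action.lookup("verb") == "restart"
-&& subject.isInGroup("users")
-) {
-return polkit.Result.YES;
-}
-});
-'';
-services.udev.packages = with pkgs; [
-yubikey-personalization
-];
-}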

flake.lock generated

@@ -269,11 +269,11 @@
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1748520450, "lastModified": 1751801455,
"narHash": "sha256-thTwt6c/qdLg65urUWSENbmwf/ofvujpFNNTcF+iZvI=", "narHash": "sha256-hUJqtS88SbNQQSEJAPFyY2vLMh8yA8rQ6jbul50p64M=",
"ref": "lix-2.93", "ref": "lix-2.93",
"rev": "509c94cdb7e11d48e67a5a68c0d5fadfcda7bad5", "rev": "b940aca430a7ca41f70bdb320659dd62026fe0e9",
"revCount": 4257, "revCount": 4261,
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/hydra.git" "url": "https://git.lix.systems/lix-project/hydra.git"
}, },
@@ -290,6 +290,9 @@
"flake-compat" "flake-compat"
], ],
"nix2container": "nix2container", "nix2container": "nix2container",
"nix_2_18": [
"hydra"
],
"nixpkgs": [ "nixpkgs": [
"hydra", "hydra",
"nixpkgs" "nixpkgs"
@@ -298,11 +301,11 @@
"pre-commit-hooks": "pre-commit-hooks" "pre-commit-hooks": "pre-commit-hooks"
}, },
"locked": { "locked": {
"lastModified": 1747597901, "lastModified": 1751235704,
"narHash": "sha256-jS+P57tXZEl+zvPfEIHFbd1j3xfuWcrcMrcnbm9wWbE=", "narHash": "sha256-Jzm3KPZ2gL+0Nl3Mw/2E0B3vqDDi1Xt5+9VCXghUDZ8=",
"ref": "release-2.93", "ref": "release-2.93",
"rev": "33eaaf02fd3f380e99032b25e741eeeb10573cad", "rev": "f3a7bbe5f8d1a8504ddb6362d50106904523e440",
"revCount": 17846, "revCount": 17874,
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/lix" "url": "https://git.lix.systems/lix-project/lix"
}, },
@@ -324,11 +327,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1748254718, "lastModified": 1753282722,
"narHash": "sha256-Uf6HNA0JctJH4ZdrZ/xb185mT0/XusLxnric9Xhg7Es=", "narHash": "sha256-KYMUrTV7H/RR5/HRnjV5R3rRIuBXMemyJzTLi50NFTs=",
"ref": "release-2.93", "ref": "release-2.93",
"rev": "3855614ceafe562393472cca5fb2005297889a75", "rev": "46a9e8fcfe4be72b4c7c8082ee11d2c42da1e873",
"revCount": 143, "revCount": 149,
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module.git" "url": "https://git.lix.systems/lix-project/nixos-module.git"
}, },
@@ -342,6 +345,7 @@
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_2",
"nix2container": "nix2container_2", "nix2container": "nix2container_2",
"nix_2_18": "nix_2_18",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
@@ -349,11 +353,11 @@
"pre-commit-hooks": "pre-commit-hooks_2" "pre-commit-hooks": "pre-commit-hooks_2"
}, },
"locked": { "locked": {
"lastModified": 1747597901, "lastModified": 1753306924,
"narHash": "sha256-jS+P57tXZEl+zvPfEIHFbd1j3xfuWcrcMrcnbm9wWbE=", "narHash": "sha256-jLCEW0FvjFhC+c4RHzH+xbkSOxrnpFHnhjOw6sudhx0=",
"ref": "release-2.93", "ref": "release-2.93",
"rev": "33eaaf02fd3f380e99032b25e741eeeb10573cad", "rev": "1a4393d0aac31aba21f5737ede1b171e11336d77",
"revCount": 17846, "revCount": 17884,
"type": "git", "type": "git",
"url": "https://git.lix.systems/lix-project/lix.git" "url": "https://git.lix.systems/lix-project/lix.git"
}, },
@@ -363,6 +367,22 @@
"url": "https://git.lix.systems/lix-project/lix.git" "url": "https://git.lix.systems/lix-project/lix.git"
} }
}, },
"lowdown-src": {
"flake": false,
"locked": {
"lastModified": 1633514407,
"narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
"owner": "kristapsdz",
"repo": "lowdown",
"rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
"type": "github"
},
"original": {
"owner": "kristapsdz",
"repo": "lowdown",
"type": "github"
}
},
"mitel-ommclient2": { "mitel-ommclient2": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -384,6 +404,26 @@
"url": "https://git.clerie.de/clerie/mitel_ommclient2.git" "url": "https://git.clerie.de/clerie/mitel_ommclient2.git"
} }
}, },
"mu5001tool": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1757627777,
"narHash": "sha256-NGUqHQ+/BaUhjgSYQauTihTtNyhhnQRMJ8t7ZSPNpmk=",
"ref": "refs/heads/main",
"rev": "b7b0f0d5191433bca1377f7d818b800627a83fda",
"revCount": 9,
"type": "git",
"url": "https://git.clerie.de/clerie/mu5001tool.git"
},
"original": {
"type": "git",
"url": "https://git.clerie.de/clerie/mu5001tool.git"
}
},
"nix2container": { "nix2container": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -416,6 +456,34 @@
"type": "github" "type": "github"
} }
}, },
"nix_2_18": {
"inputs": {
"flake-compat": [
"lix",
"flake-compat"
],
"lowdown-src": "lowdown-src",
"nixpkgs": "nixpkgs_4",
"nixpkgs-regression": [
"lix",
"nixpkgs-regression"
]
},
"locked": {
"lastModified": 1730375271,
"narHash": "sha256-RrOFlDGmRXcVRV2p2HqHGqvzGNyWoD0Dado/BNlJ1SI=",
"owner": "NixOS",
"repo": "nix",
"rev": "0f665ff6779454f2117dcc32e44380cda7f45523",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "2.18.9",
"repo": "nix",
"type": "github"
}
},
"nixos-exporter": { "nixos-exporter": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -484,6 +552,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-carbon": {
"locked": {
"lastModified": 1751206202,
"narHash": "sha256-VjK8pEv4cfDpCTh4KW1go98kP25j7KdTNEce342Bh/Y=",
"owner": "clerie",
"repo": "nixpkgs",
"rev": "ac4ac98609c1b30c378458ab7207a9a5b5148457",
"type": "github"
},
"original": {
"owner": "clerie",
"ref": "clerie/always-setup-netdevs",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-regression": { "nixpkgs-regression": {
"locked": { "locked": {
"lastModified": 1643052045, "lastModified": 1643052045,
@@ -550,11 +634,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1748437600, "lastModified": 1751582995,
"narHash": "sha256-hYKMs3ilp09anGO7xzfGs3JqEgUqFMnZ8GMAqI6/k04=", "narHash": "sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7282cb574e0607e65224d33be8241eae7cfe0979", "rev": "7a732ed41ca0dd64b4b71b563ab9805a80a7d693",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -566,11 +650,27 @@
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1748190013, "lastModified": 1705033721,
"narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=", "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "62b852f6c6742134ade1abdd2a21685fd617a291", "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_5": {
"locked": {
"lastModified": 1757487488,
"narHash": "sha256-zwE/e7CuPJUWKdvvTCB7iunV4E/+G0lKfv4kk/5Izdg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ab0f3607a6c7486ea22229b92ed2d355f1482ee0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -663,16 +763,19 @@
"hydra": "hydra", "hydra": "hydra",
"lix": "lix_2", "lix": "lix_2",
"lix-module": "lix-module", "lix-module": "lix-module",
"mu5001tool": "mu5001tool",
"nixos-exporter": "nixos-exporter", "nixos-exporter": "nixos-exporter",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_5",
"nixpkgs-0dc1c7": "nixpkgs-0dc1c7", "nixpkgs-0dc1c7": "nixpkgs-0dc1c7",
"nixpkgs-carbon": "nixpkgs-carbon",
"nurausstieg": "nurausstieg", "nurausstieg": "nurausstieg",
"rainbowrss": "rainbowrss", "rainbowrss": "rainbowrss",
"scan-to-gpg": "scan-to-gpg", "scan-to-gpg": "scan-to-gpg",
"solid-xmpp-alarm": "solid-xmpp-alarm", "solid-xmpp-alarm": "solid-xmpp-alarm",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"ssh-to-age": "ssh-to-age" "ssh-to-age": "ssh-to-age",
"traveldrafter": "traveldrafter"
} }
}, },
"scan-to-gpg": { "scan-to-gpg": {
@@ -787,6 +890,26 @@
"type": "github" "type": "github"
} }
}, },
"traveldrafter": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1751817360,
"narHash": "sha256-HzOhsPvzCaFeiz8nPq5MkYnYHpUzVaU/P5sxG+Njt+8=",
"ref": "refs/heads/main",
"rev": "b6610d70f363ecf9704352b1ef39244a816bd34f",
"revCount": 22,
"type": "git",
"url": "https://git.clerie.de/clerie/traveldrafter.git"
},
"original": {
"type": "git",
"url": "https://git.clerie.de/clerie/traveldrafter.git"
}
},
"treefmt-nix": { "treefmt-nix": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [


@@ -1,6 +1,7 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-carbon.url = "github:clerie/nixpkgs/clerie/always-setup-netdevs";
# for etesync-dav # for etesync-dav
nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe"; nixpkgs-0dc1c7.url = "github:NixOS/nixpkgs/0dc1c7294c13f5d1dd6eccab4f75d268d7296efe";
nixos-hardware.url = "github:NixOS/nixos-hardware/master"; nixos-hardware.url = "github:NixOS/nixos-hardware/master";
@@ -39,6 +40,10 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git"; fieldpoc.url = "git+https://git.clerie.de/clerie/fieldpoc.git";
mu5001tool = {
url = "git+https://git.clerie.de/clerie/mu5001tool.git";
inputs.nixpkgs.follows = "nixpkgs";
};
nixos-exporter = { nixos-exporter = {
url = "git+https://git.clerie.de/clerie/nixos-exporter.git"; url = "git+https://git.clerie.de/clerie/nixos-exporter.git";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@@ -67,11 +72,13 @@
url = "github:Mic92/ssh-to-age"; url = "github:Mic92/ssh-to-age";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
traveldrafter = {
url = "git+https://git.clerie.de/clerie/traveldrafter.git";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let outputs = { self, nixpkgs, nixos-hardware, chaosevents, fernglas, nixos-exporter, solid-xmpp-alarm, ssh-to-age, ... }@inputs: let
lib = import ./lib inputs; lib = import ./lib inputs;
helper = lib.flake-helper;
localNixpkgs = import ./flake/nixpkgs.nix inputs;
in { in {
clerie.hosts = { clerie.hosts = {
aluminium = { aluminium = {
@@ -135,14 +142,24 @@
}; };
overlays = { overlays = {
nixfilesInputs = import ./flake/overlay.nix inputs; clerie-inputs = import ./flake/inputs-overlay.nix inputs;
clerie = import ./pkgs/overlay.nix; clerie-pkgs = import ./pkgs/overlay.nix;
default = self.overlays.clerie; clerie-build-support = import ./pkgs/build-support/overlay.nix;
clerie-overrides = import ./pkgs/overrides/overlay.nix;
}; };
packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: let nixpkgs = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
pkgs = localNixpkgs.${system}; lib.mkNixpkgs {
in builtins.mapAttrs (name: value: pkgs."${name}") (import ./pkgs/pkgs.nix)); inherit system;
}
);
packages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
nixpkgs.lib.genAttrs (
(builtins.attrNames (self.overlays.clerie-pkgs null null))
++ (builtins.attrNames (self.overlays.clerie-overrides null null))
) (name: self.nixpkgs."${system}"."${name}")
);
inherit lib self; inherit lib self;
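Review bot: The new `packages` output enumerates attribute names by calling `self.overlays.clerie-pkgs null null` and `self.overlays.clerie-overrides null null`, which only works while both overlays return an attribute set whose key set does not depend on `final`/`prev` (no `prev // { … }`, no `lib.genAttrs` over `prev` attributes); an overlay that later breaks that invariant fails with an evaluation error far from this line. A one-line comment above the `genAttrs` call would record the contract, e.g. `# Overlays are invoked with null final/prev: only their attr names are used, so the key set must not depend on the arguments.`. The `outputs` attribute set continues past the end of the hunk.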

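--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -10,6 +10,12 @@ let
 in {
 inherit (self)
 packages;
+extraTrackedPackages = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system:
+nixpkgs.lib.genAttrs [
+"hydra"
+"lix"
+] (name: self.nixpkgs."${system}"."${name}")
+);
 nixosConfigurations = buildHosts self.nixosConfigurations;
 iso = self.nixosConfigurations._iso.config.system.build.isoImage;
 }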

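--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -5,10 +5,12 @@
 , chaosevents
 , harmonia
 , hydra
+, mu5001tool
 , nurausstieg
 , rainbowrss
 , scan-to-gpg
 , ssh-to-age
+, traveldrafter
 , ...
 }@inputs:
 final: prev: {
@@ -24,6 +26,8 @@ final: prev: {
 harmonia;
 inherit (hydra.packages.${final.system})
 hydra;
+inherit (mu5001tool.packages.${final.system})
+mu5001tool;
 inherit (nurausstieg.packages.${final.system})
 nurausstieg;
 inherit (rainbowrss.packages.${final.system})
@@ -32,4 +36,6 @@ final: prev: {
 scan-to-gpg;
 inherit (ssh-to-age.packages.${final.system})
 ssh-to-age;
+inherit (traveldrafter.packages.${final.system})
+traveldrafter;
 }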


@@ -11,33 +11,14 @@ let
modules ? [], modules ? [],
}: let }: let
localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs; localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
in localNixpkgs.lib.nixosSystem { in self.lib.nixosSystem {
system = system; system = system;
nixpkgs = localNixpkgs;
modules = modules ++ [ modules = modules ++ [
self.nixosModules.nixfilesInputs
self.nixosModules.clerie
self.nixosModules.profiles
({ config, lib, ... }: { ({ config, lib, ... }: {
# Set hostname # Set hostname
networking.hostName = lib.mkDefault name; networking.hostName = lib.mkDefault name;
# Apply overlays
nixpkgs.overlays = [
self.overlays.nixfilesInputs
self.overlays.clerie
];
/*
Make the contents of the flake availiable to modules.
Useful for having the monitoring server scraping the
target config from all other servers automatically.
*/
_module.args = {
inputs = inputs;
_nixfiles = self;
};
# Expose host group to monitoring # Expose host group to monitoring
clerie.monitoring = nixpkgs.lib.attrsets.optionalAttrs (group != null) { serviceLevel = group; }; clerie.monitoring = nixpkgs.lib.attrsets.optionalAttrs (group != null) { serviceLevel = group; };

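--- a/<path not shown on page>
+++ /dev/null
@@ -1,17 +0,0 @@
-{ self
-, nixpkgs
-, ...
-}@inputs:
-let
-mkNixpkgs = { system, ... }@args:
-import nixpkgs {
-inherit system;
-overlays = [
-self.overlays.nixfilesInputs
-self.overlays.clerie
-];
-};
-in
-nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ] (system: mkNixpkgs { inherit system; })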


@@ -3,9 +3,9 @@
{ {
imports = [ imports = [
(modulesPath + "/installer/cd-dvd/installation-cd-base.nix") (modulesPath + "/installer/cd-dvd/installation-cd-base.nix")
../../configuration/gpg-ssh
]; ];
profiles.clerie.gpg-ssh.enable = true;
profiles.clerie.network-fallback-dhcp.enable = true; profiles.clerie.network-fallback-dhcp.enable = true;
# systemd in initrd is broken with ISOs # systemd in initrd is broken with ISOs


@@ -4,6 +4,10 @@
imports = imports =
[ [
./hardware-configuration.nix ./hardware-configuration.nix
./grafana.nix
./mu5001tool.nix
./prometheus.nix
]; ];
profiles.clerie.network-fallback-dhcp.enable = true; profiles.clerie.network-fallback-dhcp.enable = true;
@@ -18,6 +22,16 @@
terminal_output serial terminal_output serial
"; ";
sops.secrets.monitoring-htpasswd = {
owner = "nginx";
group = "nginx";
};
services.nginx = {
enable = true;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
profiles.clerie.wg-clerie = { profiles.clerie.wg-clerie = {
enable = true; enable = true;
ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ]; ipv6s = [ "2a01:4f8:c0c:15f1::8108/128" ];

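--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,45 @@
+{ config, ... }:
+{
+services.grafana = {
+enable = true;
+settings = {
+server = {
+domain = "grafana.astatine.net.clerie.de";
+root_url = "https://grafana.astatine.net.clerie.de";
+http_port = 3001;
+http_addr = "::1";
+};
+"auth.anonymous" = {
+enabled = true;
+};
+};
+provision = {
+enable = true;
+datasources.settings.datasources = [
+{
+type = "prometheus";
+name = "Prometheus";
+url = "http://[::1]:9090";
+isDefault = true;
+}
+];
+};
+};
+services.nginx = {
+virtualHosts = {
+"grafana.astatine.net.clerie.de" = {
+enableACME = true;
+forceSSL = true;
+basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
+locations."/".proxyPass = "http://[::1]:3001/";
+locations."= /api/live/ws" = {
+proxyPass = "http://[::1]:3001";
+proxyWebsockets = true;
+};
+};
+};
+};
+}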
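Review bot: `"auth.anonymous".enabled = true` makes Grafana itself accept unauthenticated requests, so the only access control is the `basicAuthFile` on the nginx vhost; any local process that can reach `[::1]:3001` bypasses it, and anonymous visitors get Grafana's default anonymous role unless `org_role` is set explicitly. That is a reasonable design for a single-user monitoring host but it should be stated next to the setting, e.g. `# Grafana runs anonymous on loopback only; authentication is enforced by nginx basic auth on the vhost below.`. Since nginx proxies without visible `recommendedProxySettings` (that option would live in the host file, not here), Grafana may not see the original `Host`/`X-Forwarded-Proto`; `root_url` covers redirects, but confirm login-free features such as the `/api/live/ws` websocket behave behind the proxy.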

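--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,18 @@
+{ config, pkgs, lib, ... }:
+{
+systemd.services."mu5001tool" = {
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+DynamicUser = true;
+LoadCredential = "zte-hypermobile-5g-password:${config.sops.secrets."zte-hypermobile-5g-password".path}";
+Restart = "on-failure";
+RestartSec = "15s";
+};
+script = ''
+${lib.getExe pkgs.mu5001tool} --password-file ''${CREDENTIALS_DIRECTORY}/zte-hypermobile-5g-password prometheus-exporter --listen-port 9242
+'';
+};
+}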
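Review bot: The exporter's bind address is left to the tool's default on the `--listen-port 9242` line while Prometheus only scrapes `[::1]:9242`; if mu5001tool binds all interfaces by default, the exporter (which holds the router credential) is reachable on every interface the firewall leaves open, presumably the WireGuard addresses this host carries. If the tool offers a listen-address option, pin it to loopback here; otherwise record the assumption with `# Exporter is consumed only by the local Prometheus — TODO confirm the tool binds loopback only`. The credential handling via `LoadCredential` and `''${CREDENTIALS_DIRECTORY}` together with `DynamicUser` is sound; for a long-running network daemon `ProtectSystem = "strict";`, `ProtectHome = true;` and `PrivateTmp = true;` in `serviceConfig` would be cheap additional hardening.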

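--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,46 @@
+{ config, ... }:
+{
+services.prometheus = {
+enable = true;
+enableReload = true;
+listenAddress = "[::1]";
+scrapeConfigs = [
+{
+job_name = "prometheus";
+scrape_interval = "20s";
+scheme = "http";
+static_configs = [
+{
+targets = [
+"[::1]:9090"
+];
+}
+];
+}
+{
+job_name = "mu5001tool";
+scrape_interval = "20s";
+static_configs = [
+{
+targets = [
+"[::1]:9242"
+];
+}
+];
+}
+];
+};
+services.nginx = {
+virtualHosts = {
+"prometheus.astatine.net.clerie.de" = {
+enableACME = true;
+forceSSL = true;
+basicAuthFile = config.sops.secrets.monitoring-htpasswd.path;
+locations."/".proxyPass = "http://[::1]:9090/";
+};
+};
+};
+}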


@@ -1,19 +1,17 @@
{ {
"wg-clerie": "ENC[AES256_GCM,data:DbchcO6GTmSFyoHrRAkfu2flaKYrQHPk+rIerekYO4Cto9sqaWLgaSigpS8=,iv:no1xNRVqsKzAN6ssYA0Ir+utOM9tg8OBUT9PY2v0HPA=,tag:lZj1wEPFWHaf52N7YHEQKQ==,type:str]", "wg-clerie": "ENC[AES256_GCM,data:DbchcO6GTmSFyoHrRAkfu2flaKYrQHPk+rIerekYO4Cto9sqaWLgaSigpS8=,iv:no1xNRVqsKzAN6ssYA0Ir+utOM9tg8OBUT9PY2v0HPA=,tag:lZj1wEPFWHaf52N7YHEQKQ==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:dTKKeieaGvECkHUpATLorhOgr9Re5CAH25y1WTcSqJZDsvnwD4CBbqMv2QQ=,iv:u1n1wyAW5aNcVYfGN8BmrEhIhtA3EfRDBNu65IdBZMI=,tag:RJYgOpel9uy6dC72MmqS5A==,type:str]", "wg-monitoring": "ENC[AES256_GCM,data:dTKKeieaGvECkHUpATLorhOgr9Re5CAH25y1WTcSqJZDsvnwD4CBbqMv2QQ=,iv:u1n1wyAW5aNcVYfGN8BmrEhIhtA3EfRDBNu65IdBZMI=,tag:RJYgOpel9uy6dC72MmqS5A==,type:str]",
"monitoring-htpasswd": "ENC[AES256_GCM,data:0uQ+Gwedi9kTaOzrwVzkNkS9qL0Dwmph1leK2sj/TndfSn3yaq7ur7ZHoPjWUl5Oy1poxU2rIUxWHajYC0n3yHv2AuGT,iv:FyH4MHcgW5iHkAsahNFtshnqqPOMlukg8aYfhcN9onw=,tag:q3BsnyKLrKYi/xDP6GmSkA==,type:str]",
"zte-hypermobile-5g-password": "ENC[AES256_GCM,data:lqxQICmWYwMejn8=,iv:TPYOs/cL/ETw7Ee0+YG/+Fhd7ASi0kr4rDLEiste+2Y=,tag:6O6AXIHkIjPm7hJVC4Y/1g==,type:str]",
"sops": { "sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [ "age": [
{ {
"recipient": "age1fffvnazdv3ys9ww8v4g832hv5nkvnk6d728syerzvpgskfmfkq8q00whpv", "recipient": "age1fffvnazdv3ys9ww8v4g832hv5nkvnk6d728syerzvpgskfmfkq8q00whpv",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQUF5dkRwdXRmUkJ1SXN5\nLzdOVkhWYUJGdFd4Qklsa1BXeVZlTGx0eDE0ClZmYWNLMEVzaVVXWGkwQUt5ZHF5\nS1c5OU9PWjBTelM5R2phNFdVNncxUUkKLS0tIDlwSXFyZWNVT1dtdGU5dVFSRHNE\nUUpJZHJZRTd6TnBUU2dCWW90UTRVb0UKCWrHWmQTNhez16wgEKj4EQA4+UBRmGQn\n+NHSjBCMBmmTdHb05nENYVK515Z0T/60+9N3VlNyHWS9IgC3mZRUBg==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMQUF5dkRwdXRmUkJ1SXN5\nLzdOVkhWYUJGdFd4Qklsa1BXeVZlTGx0eDE0ClZmYWNLMEVzaVVXWGkwQUt5ZHF5\nS1c5OU9PWjBTelM5R2phNFdVNncxUUkKLS0tIDlwSXFyZWNVT1dtdGU5dVFSRHNE\nUUpJZHJZRTd6TnBUU2dCWW90UTRVb0UKCWrHWmQTNhez16wgEKj4EQA4+UBRmGQn\n+NHSjBCMBmmTdHb05nENYVK515Z0T/60+9N3VlNyHWS9IgC3mZRUBg==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2024-04-21T16:03:13Z", "lastmodified": "2025-09-08T21:03:41Z",
"mac": "ENC[AES256_GCM,data:fA8fhOZbX30TYgwZXB7sQDNmck0JRDyAnEXf5nCYtli/Qvs78fTs4DdC08VOpOni8uAVARkFsGSo6Fjo/MpTSDVA8VNYZig/we/bWF+LQlEMCmiqwOI1R6eQ3GPxcRXltlO2aPPlT9BpLwIVZjGGjIsmjpVE8xjkCbLUUqj+UxY=,iv:fHLyw96QLVRrAQky2kR7TDDxf8CNXDV9lVQ5RETzJEI=,tag:y+cG9u3d6vCUmPyNMDRWpA==,type:str]", "mac": "ENC[AES256_GCM,data:ztS/Z6mn8hFAPsks2evJRJFocw/3oz22O2HeSEkY7Mu+bfNvClsJuvuTbnDadB0IwKiLDFWRMGs/UPFmNP6J/euro4cFHDWXopdXg7eDFGDoJDKIg4fBUtofdXIqWvDoQ9LeZNvc5Z4EEQYhs3LwFnAU0x15acwIIxr5TB9l8g8=,iv:WVjavmcrEs2CyYTfoTTP44c9TqFubUdE+PBN2jRPR+s=,tag:fBXzU69Q9MwD3o/Nyu5OZA==,type:str]",
"pgp": [ "pgp": [
{ {
"created_at": "2024-04-21T16:02:41Z", "created_at": "2024-04-21T16:02:41Z",


@@ -63,10 +63,10 @@
systemd.services.kea-dhcp4-server = { systemd.services.kea-dhcp4-server = {
after = [ after = [
"network-setup.service" "network.target"
]; ];
requires = [ wants = [
"network-setup.service" "network.target"
]; ];
}; };
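Review bot: `wants = [ "network.target" ]` is a weaker guarantee than the `requires`/`after` on `network-setup.service` it replaces: `network.target` only orders against the network-management service having started, not against addresses being present on the interfaces kea binds, so on a slow interface bring-up kea can start before its DHCP interface is configured. If the goal was only to drop the dependency on the scripted-networking unit, `after = [ "network-online.target" ]; wants = [ "network-online.target" ];` is the conventional replacement for a daemon that must bind specific interfaces. Whether kea itself retries a missing interface isn't visible in this hunk.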


@@ -237,8 +237,7 @@
]; ];
}; };
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
}; };
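Review bot: `allowReboot = true;` is removed without an equivalent under `services.bijwerken`, so whether the upgrade job may reboot this host is now decided by a module default that is not visible in this hunk; the same pattern repeats in every other `clerie.system-auto-upgrade` → `services.bijwerken` section in this compare, and one section adds `services.bijwerken = { autoUpgrade = true; };` to a host that previously had no auto-upgrade block at all. If the new module defaults to rebooting, a one-line comment such as `# bijwerken reboots after kernel/initrd changes by default` above the block would make that explicit; if it defaults to not rebooting, these hosts silently stop picking up kernel updates.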


@@ -111,8 +111,7 @@
''; '';
}; };
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
startAt = "*-*-* 06:22:00"; startAt = "*-*-* 06:22:00";
}; };


@@ -105,8 +105,7 @@
''; '';
}; };
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
startAt = "*-*-* 07:22:00"; startAt = "*-*-* 07:22:00";
}; };


@@ -161,8 +161,7 @@
} }
''; '';
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
}; };


@@ -70,8 +70,7 @@
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
}; };


@@ -131,6 +131,7 @@
clerie.nginx-port-forward = { clerie.nginx-port-forward = {
enable = true; enable = true;
resolver = "127.0.0.53";
tcpPorts."443" = { tcpPorts."443" = {
host = "localhost"; host = "localhost";
port = 22; port = 22;


@@ -5,8 +5,6 @@
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/desktop
./android.nix ./android.nix
./backup.nix ./backup.nix
./etesync-dav.nix ./etesync-dav.nix
@@ -15,6 +13,8 @@
./programs.nix ./programs.nix
]; ];
profiles.clerie.desktop.enable = true;
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;


@@ -14,10 +14,11 @@
tio tio
xournalpp xournalpp
onlyoffice-bin libreoffice
krita krita
inkscape inkscape
dune3d
wireshark wireshark
tcpdump tcpdump


@@ -0,0 +1,77 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "datasource",
"uid": "grafana"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 10,
"links": [],
"panels": [
{
"fieldConfig": {
"defaults": {},
"overrides": []
},
"gridPos": {
"h": 11,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"includeVars": false,
"keepTime": false,
"maxItems": 10,
"query": "",
"showFolderNames": true,
"showHeadings": false,
"showRecentlyViewed": false,
"showSearch": true,
"showStarred": false,
"tags": []
},
"pluginVersion": "12.0.2+security-01",
"title": "Dashboards",
"type": "dashlist"
}
],
"preload": false,
"refresh": "",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-6h",
"to": "now"
},
"timepicker": {
"hidden": true
},
"timezone": "browser",
"title": "Home",
"uid": "OqTN9p2nz",
"version": 1
}


@@ -0,0 +1,355 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 16,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 0,
"y": 0
},
"id": 1,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(server_name) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "__auto",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Total requests",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 12,
"y": 0
},
"id": 2,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(server_name, method) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "{{server_name}}: {{method}}",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Status codes",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 10,
"w": 12,
"x": 0,
"y": 10
},
"id": 3,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_PROMETHEUS}"
},
"disableTextWrap": false,
"editorMode": "builder",
"expr": "sum by(server_name, status) (rate(nginxlog_http_response_count_total{server_name=~\"$server_name\"}[5m]))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"legendFormat": "{{server_name}}: HTTP {{status}}",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Response codes",
"type": "timeseries"
}
],
"preload": false,
"refresh": "30s",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": [
{
"current": {
"text": "All",
"value": [
"$__all"
]
},
"definition": "label_values(nginxlog_http_response_count_total,server_name)",
"includeAll": true,
"label": "vHost",
"multi": true,
"name": "server_name",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(nginxlog_http_response_count_total,server_name)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 1,
"regex": "",
"type": "query"
}
]
},
"time": {
"from": "now-3h",
"to": "now"
},
"timepicker": {},
"timezone": "browser",
"title": "Nginx Exporter",
"uid": "b042a880-3cb0-4dd3-ae48-4745a58af698",
"version": 7
}
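Review bot: The second panel is titled "Status codes" but its query groups by `method` and its legend is `{{server_name}}: {{method}}`, while the third panel is the one grouped by `status`; the title should read `"title": "Request methods"` (or similar). All three panels declare the literal datasource uid `PBFA97CFB590B2093` at panel level but `"uid": "${DS_PROMETHEUS}"` on each target; that input-variable form is only resolved when the dashboard carries an `__inputs` section, which this file does not, so the target-level uid should be the same literal the other dashboards in this compare use. Dashboards provisioned from disk are usually committed with `"id": null`, since the numeric `id` here belongs to the instance that exported it — worth confirming the provisioning path tolerates the hard-coded value.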


@@ -0,0 +1,135 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "grafana",
"uid": "-- Grafana --"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 15,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "continuous-RdYlGr"
},
"custom": {
"axisPlacement": "auto",
"fillOpacity": 70,
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineWidth": 0,
"spanNulls": false
},
"mappings": [
{
"options": {
"0": {
"index": 1,
"text": "mismatch"
},
"1": {
"index": 0,
"text": "sync"
}
},
"type": "value"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "red"
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 23,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"alignValue": "left",
"legend": {
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"mergeValues": true,
"rowHeight": 0.9,
"showValue": "auto",
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"editorMode": "builder",
"expr": "nixos_current_system_is_sync",
"legendFormat": "{{instance}}",
"range": true,
"refId": "A"
}
],
"title": "Config is Sync",
"type": "state-timeline"
}
],
"preload": false,
"refresh": "5m",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": []
},
"time": {
"from": "now-7d",
"to": "now"
},
"timepicker": {},
"timezone": "",
"title": "NixOS Status",
"uid": "W4j3nz1Vz",
"version": 3
}


@@ -0,0 +1,211 @@
{
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "datasource",
"uid": "grafana"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"editable": true,
"fiscalYearStartMonth": 0,
"graphTooltip": 0,
"id": 11,
"links": [],
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"barWidthFactor": 0.6,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green"
},
{
"color": "red",
"value": 80
}
]
},
"unit": "s"
},
"overrides": []
},
"gridPos": {
"h": 22,
"w": 24,
"x": 0,
"y": 0
},
"id": 2,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"hideZeros": false,
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "12.0.2+security-01",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"editorMode": "code",
"exemplar": true,
"expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp6\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0 ",
"interval": "",
"legendFormat": "IPv6 {{target}} ({{instance}})",
"range": true,
"refId": "A"
},
{
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"editorMode": "code",
"exemplar": true,
"expr": "probe_icmp_duration_seconds{job=\"blackbox_icmp4\", target=~\"$target\", instance=~\"$instance\", phase=\"rtt\"} > 0",
"hide": false,
"interval": "",
"legendFormat": "IPv4 {{target}} ({{instance}})",
"range": true,
"refId": "B"
}
],
"title": "Smokeping",
"type": "timeseries"
}
],
"preload": false,
"refresh": "",
"schemaVersion": 41,
"tags": [],
"templating": {
"list": [
{
"current": {
"text": "All",
"value": "$__all"
},
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
"includeAll": true,
"label": "Target:",
"multi": true,
"name": "target",
"options": [],
"query": {
"query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, target)",
"refId": "StandardVariableQuery"
},
"refresh": 1,
"regex": "",
"type": "query"
},
{
"current": {
"text": [
"All"
],
"value": [
"$__all"
]
},
"datasource": {
"type": "prometheus",
"uid": "PBFA97CFB590B2093"
},
"definition": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
"includeAll": true,
"label": "Instance:",
"multi": true,
"name": "instance",
"options": [],
"query": {
"query": "label_values(probe_icmp_duration_seconds{phase=\"rtt\"}, instance)",
"refId": "StandardVariableQuery"
},
"refresh": 1,
"regex": "",
"type": "query"
}
]
},
"time": {
"from": "now-30m",
"to": "now"
},
"timepicker": {},
"timezone": "",
"title": "Smokeping",
"uid": "IytTVZL7z",
"version": 9
}


@@ -52,6 +52,12 @@ let
attrByPath ["clerie" "monitoring" "blackbox"] false host.config) attrByPath ["clerie" "monitoring" "blackbox"] false host.config)
monitoringHosts); monitoringHosts);
nginxlogMonitoringTargets = mapAttrsToList (name: host:
"${host.config.networking.hostName}.mon.clerie.de:9117")
(filterAttrs (name: host:
attrByPath ["services" "prometheus" "exporters" "nginxlog" "enable"] false host.config)
monitoringHosts);
eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b)))); eachWithEachOther = (f: x: y: lib.lists.flatten (lib.lists.forEach x (a: lib.lists.forEach y (b: f a b))));
in { in {
@@ -104,6 +110,21 @@ in {
relabelAddressToInstance relabelAddressToInstance
]; ];
} }
{
job_name = "alertmanager";
scrape_interval = "20s";
scheme = "http";
static_configs = [
{
targets = [
"monitoring-3.mon.clerie.de:9093"
];
}
];
relabel_configs = [
relabelAddressToInstance
];
}
{ {
job_name = "node-exporter"; job_name = "node-exporter";
scrape_interval = "20s"; scrape_interval = "20s";
@@ -521,12 +542,24 @@ in {
} }
]; ];
} }
{
job_name = "nginxlog-exporter";
scrape_interval = "20s";
static_configs = [
{
targets = nginxlogMonitoringTargets;
}
];
relabel_configs = [
relabelAddressToInstance
];
}
]; ];
alertmanagers = [ alertmanagers = [
{ {
static_configs = [ { static_configs = [ {
targets = [ targets = [
"[::1]:9093" "monitoring-3.mon.clerie.de:9093"
]; ];
} ]; } ];
} }
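Review bot: The `alertmanagers` target moves from `[::1]:9093` to `monitoring-3.mon.clerie.de:9093`, and the new scrape job uses the same address, so alert delivery now depends on name resolution and on Alertmanager listening on the mon-network address rather than loopback. Alertmanager's HTTP API has no built-in authentication, so if it is now bound to a non-loopback interface, any host on that network can post alerts and create silences; whether a listen address or firewall rule limits that is not visible in this hunk. If the only goal was a stable `instance` label for the scrape job, keeping `[::1]:9093` in `alertmanagers` avoids the new runtime dependency for the delivery path. The `nginxlog-exporter` job also omits the explicit `scheme = "http";` the alertmanager job sets — harmless if the default applies, but inconsistent between the two additions.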


@@ -89,9 +89,24 @@ groups:
description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks" description: "GPG with fingerprint {{ $labels.fingerprint }} is expiring in less then six weeks"
- alert: NadjaTopIPv4ProxyBroken - alert: NadjaTopIPv4ProxyBroken
expr: probe_success{job="blackbox_local_http6", target="blog.nadja.top"} != on (target) probe_success{job="blackbox_local_http4", target="blog.nadja.top"} expr: probe_success{job="blackbox_local_http6", target="blog.nadja.top"} != on (target) probe_success{job="blackbox_local_http4", target="blog.nadja.top"}
for: 5m for: 15m
labels: labels:
severity: critical severity: critical
annotations: annotations:
summary: "blog.nadja.top unreachable via IPv4" summary: "blog.nadja.top unreachable via IPv4"
description: "blog.nadja.top unreachable IPv4, but reachable via IPv6" description: "blog.nadja.top unreachable IPv4, but reachable via IPv6"
- alert: AlertmanagerNotificationRequestsFailed
expr: rate(alertmanager_notification_requests_failed_total[5m]) > 0
labels:
severity: critical
annotations:
summary: "Too many notification requests failed"
description: "Too many notification requests to Alertmanager integration {{ $labels.integration }} failed"
- alert: FemSocialDown
expr: min(probe_success{target="fem.social", job=~"blackbox_local_http.*"}) == 0
for: 5m
labels:
severity: critical
annotations:
summary: "fem.social unavailable via HTTP"
description: "fem.social is not fully reachable via HTTP"
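Review bot: `AlertmanagerNotificationRequestsFailed` has no `for:` clause and fires at `critical` on `rate(...[5m]) > 0`, i.e. on a single failed request in the window, yet its summary says "Too many"; either add `for: 10m` (or a threshold above zero) or reword it to `summary: "Alertmanager notification requests are failing"`. Because this alert is itself delivered through the integration that is failing, it may never reach anyone; the usual complement is an always-firing heartbeat alert checked by an external watchdog so that a broken delivery path is noticed from outside. The `for: 15m` change on `NadjaTopIPv4ProxyBroken` and the `FemSocialDown` rule look fine as written.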


@@ -41,8 +41,7 @@
networking.firewall.allowedUDPPorts = []; networking.firewall.allowedUDPPorts = [];
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
}; };


@@ -28,8 +28,19 @@
profiles.clerie.common-webserver.httpDefaultVirtualHost = false; profiles.clerie.common-webserver.httpDefaultVirtualHost = false;
services.unbound = {
enable = true;
resolveLocalQueries = false;
settings = {
server = {
interface = [ "127.0.0.1" ];
};
};
};
clerie.nginx-port-forward = { clerie.nginx-port-forward = {
enable = true; enable = true;
resolver = "127.0.0.1";
tcpPorts."80" = { tcpPorts."80" = {
host = "baikonur.dyn.weimarnetz.de"; host = "baikonur.dyn.weimarnetz.de";
port = 80; port = 80;
@@ -47,6 +58,10 @@
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = []; networking.firewall.allowedUDPPorts = [];
services.bijwerken = {
autoUpgrade = true;
};
clerie.monitoring = { clerie.monitoring = {
enable = true; enable = true;
id = "102"; id = "102";


@@ -52,8 +52,7 @@
}; };
}; };
clerie.system-auto-upgrade = { services.bijwerken = {
allowReboot = true;
autoUpgrade = true; autoUpgrade = true;
}; };


@@ -0,0 +1,195 @@
ip6tables -I nixos-fw -s 2400:3200::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2400:3200:baba::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2400:b200:4100::/46 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2401:8680:4100::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2401:b180:4100::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2404:2280:1000::/36 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2404:2280:2000::/35 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2404:2280:4000::/36 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2408:4000:1000::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 2408:4009:500::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4000::/31 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4002::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4004::/31 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4006::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4006:1000::/43 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4006:1020::/44 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4007::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4009::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:400b::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:400c::/30 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4011::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4012::/48 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4013::/32 -j nixos-fw-refuse
ip6tables -I nixos-fw -s 240b:4014::/32 -j nixos-fw-refuse
iptables -I nixos-fw -s 5.181.224.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.208.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.0.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.36.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.40.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.48.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.209.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.210.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.212.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.128.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.160.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.176.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.213.192.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.214.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.216.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.220.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.220.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.221.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 8.222.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 14.1.112.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.91.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.1.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.2.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.4.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.7.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.8.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.17.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.19.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.20.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.24.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.27.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.28.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.32.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.40.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.52.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.56.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.58.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.66.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.68.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.72.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.78.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.80.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.84.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.86.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.88.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.96.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.100.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.102.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.104.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.96.106.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.98.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.100.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.102.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.103.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.104.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 43.108.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 45.196.28.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 45.199.179.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.52.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.56.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.74.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.76.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.0.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.16.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.24.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.32.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.64.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.96.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.77.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.78.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.79.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.79.128.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.79.192.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.80.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.84.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.86.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.0.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.128.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.192.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.224.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.87.232.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.88.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.0.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.72.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.80.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.84.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.88.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.96.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.122.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.124.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.89.128.0/17 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.90.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.0.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.8.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.12.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.235.16.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.236.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.240.0.0/14 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.244.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.32.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.66.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.68.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.72.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.80.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.82.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.84.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.88.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.92.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.96.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.120.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.122.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.124.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.128.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.144.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.150.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.152.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.160.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.246.192.0/21 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.250.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.252.0.0/15 -j nixos-fw-refuse
iptables -I nixos-fw -s 47.254.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 59.82.136.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 103.81.186.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 110.76.21.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 110.76.23.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 116.251.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 139.95.0.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 139.95.16.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 139.95.64.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 140.205.1.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 140.205.122.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 147.139.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.0.0/20 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.16.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.32.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.64.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 149.129.192.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.227.20.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.236.12.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.236.17.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.240.76.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 156.245.1.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 161.117.0.0/16 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.24.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.29.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.30.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.32.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.64.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.66.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.68.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.72.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.76.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.80.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.84.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.86.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.88.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.90.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.92.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.104.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.136.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 170.33.138.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 185.78.106.0/23 -j nixos-fw-refuse
iptables -I nixos-fw -s 198.11.128.0/18 -j nixos-fw-refuse
iptables -I nixos-fw -s 202.144.199.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 203.107.64.0/22 -j nixos-fw-refuse
iptables -I nixos-fw -s 203.107.68.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 205.204.96.0/19 -j nixos-fw-refuse
iptables -I nixos-fw -s 223.5.5.0/24 -j nixos-fw-refuse
iptables -I nixos-fw -s 223.6.6.0/24 -j nixos-fw-refuse


@@ -27,7 +27,7 @@
root = pkgs.clerie-keys; root = pkgs.clerie-keys;
}; };
locations."= /ssh/known_hosts" = { locations."= /ssh/known_hosts" = {
alias = pkgs.writeText "known_hosts" (import ../../lib/ssh-known-hosts.nix); alias = pkgs.clerie-ssh-known-hosts + "/known_hosts";
extraConfig = '' extraConfig = ''
types { } types { }
default_type "text/plain; charset=utf-8"; default_type "text/plain; charset=utf-8";
@@ -53,9 +53,6 @@
''; '';
return = "200 ''"; return = "200 ''";
}; };
extraConfig = ''
access_log /var/log/nginx/clerie.de.log combined_anon;
'';
}; };
}; };
} }
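Review bot: Removing the per-vhost `access_log /var/log/nginx/clerie.de.log combined_anon;` means requests to this host are logged only if a server-wide `access_log` is configured elsewhere; nothing in this hunk shows that replacement, and the same removal is made for git.clerie.de and three times for ip.clerie.de in the sections that follow. If the shared log exists to feed the nginxlog exporter, a comment such as `# no per-vhost access_log: the global log feeds the nginxlog exporter` above the virtualHost would stop a later maintainer re-adding one and silently dropping this host from the metrics. The `combined_anon`/`vcombined_anon` formats presumably carried an anonymisation step; worth confirming the global log keeps it, since the logs now persist for metrics extraction.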


@@ -24,6 +24,7 @@
./public.nix ./public.nix
./radicale.nix ./radicale.nix
./reichartstrasse.nix ./reichartstrasse.nix
./traveldrafter.nix
./uptimestatus.nix ./uptimestatus.nix
./wetter.nix ./wetter.nix
]; ];
@@ -51,6 +52,8 @@
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.extraCommands = builtins.readFile ./blocked-prefixes.txt;
services.postgresql = { services.postgresql = {
enable = true; enable = true;
package = pkgs.postgresql_16; package = pkgs.postgresql_16;
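Review bot: `networking.firewall.extraCommands = builtins.readFile ./blocked-prefixes.txt;` pushes roughly two hundred individual `iptables -I nixos-fw -s … -j nixos-fw-refuse` rules into the chain; every new connection is matched against that list linearly, and `-I` without a position inserts each rule at the head of `nixos-fw`, ahead of everything NixOS generates. An ipset (or, with the nftables backend, a named set) would reduce the check to a single lookup and keep the generated list out of the rule chain. The `nixos-fw`/`nixos-fw-refuse` chain names only exist with the iptables backend, so this file stops applying if `networking.nftables.enable` is ever set — whether that is caught by an assertion or ignored should be confirmed, and a comment such as `# iptables backend only; regenerate via the blocked-prefixes generator, do not edit by hand` next to this line would help.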


@@ -83,9 +83,6 @@
proxyPass = "http://[::1]:3000"; proxyPass = "http://[::1]:3000";
}; };
}; };
extraConfig = ''
access_log /var/log/nginx/git.clerie.de.log combined_anon;
'';
}; };
}; };
} }


@@ -53,9 +53,6 @@
types { } default_type "text/html; charset=utf-8"; types { } default_type "text/html; charset=utf-8";
''; '';
}; };
extraConfig = ''
access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
'';
}; };
"ip4.clerie.de" = { "ip4.clerie.de" = {
enableACME = true; enableACME = true;
@@ -67,9 +64,6 @@
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
''; '';
}; };
extraConfig = ''
access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
'';
}; };
"ip6.clerie.de" = { "ip6.clerie.de" = {
enableACME = true; enableACME = true;
@@ -81,9 +75,6 @@
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
''; '';
}; };
extraConfig = ''
access_log /var/log/nginx/ip.clerie.de.log vcombined_anon;
'';
}; };
}; };
} }


@@ -7,8 +7,8 @@
forceSSL = true; forceSSL = true;
root = pkgs.fetchgit { root = pkgs.fetchgit {
url = "https://git.clerie.de/clerie/legal.clerie.de.git"; url = "https://git.clerie.de/clerie/legal.clerie.de.git";
rev = "c6900226e3107a2e370a32759d83db472ab5450d"; rev = "b271b9729f4545c340ce9d16ecbca136031da409";
sha256 = "sha256-lOjbHqYc/85rjotwQ5Oj+MSWnDIfLx2w5mpiJkChbXU="; sha256 = "sha256-uw69o7LxK+JF1AojSyusU1urshBc63Bgva5lRBgQdKc=";
}; };
locations."/impressum" = { locations."/impressum" = {
return = ''301 https://legal.clerie.de/#impressum''; return = ''301 https://legal.clerie.de/#impressum'';


@@ -4,19 +4,16 @@
"clerie-backup-target-magenta": "ENC[AES256_GCM,data:zsPFXpnTWHL2b9/fZiW1fhpla8hTeZb1+O8oihnwDIAcC4Tgn8PrFDEYK7kuWYcdbIvL5XRJRR48erSACsntFA==,iv:lTlAyVl3ndgca4Mp9lSldXmhlP8ECPvE/CM7Zpzy9ao=,tag:LCNF1loABQpZ8Y5wfpXjkg==,type:str]", "clerie-backup-target-magenta": "ENC[AES256_GCM,data:zsPFXpnTWHL2b9/fZiW1fhpla8hTeZb1+O8oihnwDIAcC4Tgn8PrFDEYK7kuWYcdbIvL5XRJRR48erSACsntFA==,iv:lTlAyVl3ndgca4Mp9lSldXmhlP8ECPvE/CM7Zpzy9ao=,tag:LCNF1loABQpZ8Y5wfpXjkg==,type:str]",
"wg-monitoring": "ENC[AES256_GCM,data:AfkytaHshFSyKkMdKVMdYaq3sKUC9dKYs5rKXN4Ouv5kjDGNXC18liEsRuc=,iv:4mMgsovdAJ++Myr+9GuhAaEBuzDBNZbGK6zfzoAEJ0E=,tag:/d0ZXNbpaMFyxyzov23kdQ==,type:str]", "wg-monitoring": "ENC[AES256_GCM,data:AfkytaHshFSyKkMdKVMdYaq3sKUC9dKYs5rKXN4Ouv5kjDGNXC18liEsRuc=,iv:4mMgsovdAJ++Myr+9GuhAaEBuzDBNZbGK6zfzoAEJ0E=,tag:/d0ZXNbpaMFyxyzov23kdQ==,type:str]",
"radicale-htpasswd": "ENC[AES256_GCM,data:+FHsq5We/fc8gBNub/GV5Mfs2i0/7Qm9UPDhb3unEhak6XDAvMSUQb4eaX0wn7Yi3y/gFGmapd0eYilTjfoJnI9gVnvi,iv:lEV8kQh9RBL/xKcCLIRzUR6ADq4zoah1c8Z67Qrs3dQ=,tag:cw6jKYbZUXBD3Zio5CH+Hw==,type:str]", "radicale-htpasswd": "ENC[AES256_GCM,data:+FHsq5We/fc8gBNub/GV5Mfs2i0/7Qm9UPDhb3unEhak6XDAvMSUQb4eaX0wn7Yi3y/gFGmapd0eYilTjfoJnI9gVnvi,iv:lEV8kQh9RBL/xKcCLIRzUR6ADq4zoah1c8Z67Qrs3dQ=,tag:cw6jKYbZUXBD3Zio5CH+Hw==,type:str]",
"traveldrafter-htpasswd": "ENC[AES256_GCM,data:f29vVDofv2mJEyn/pMKWW8ZbVTKSofe1EEtcfuCaokdqAyxemcq/2hrXFw8cAGTV2hwVqlM2hzJcT32KBjO/wgUNfv4=,iv:5PdQ+bn/bXmfQstP5A/dLeDk7O0qTjoRTyr4D+AgiG0=,tag:gCBrSJ4cEnZHqePiUpPglA==,type:str]",
"sops": { "sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [ "age": [
{ {
"recipient": "age1nn8dwl2avshdhwn66w92jvlvz2ugl5fdxc8dxz6lpru72hlq44uq5a88az", "recipient": "age1nn8dwl2avshdhwn66w92jvlvz2ugl5fdxc8dxz6lpru72hlq44uq5a88az",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlU2tEMHIvRUFxa24wMVcy\nb2lheGR2ekl6S0wzWUd5cTMwTC9HdFN1eVc0CkRjRHdJVUw3ZCtZSTlUOHZCV2J6\nYkxqdnNmU05LTTNmNFZiTzBxZVdkOTgKLS0tIEZUZ0svL2NhcTZPdFZrYUhwQ05Q\nWnZXRWIvRXBOMWNDTzQ4RDNKa3IwSUkKj+vI9dEEUQYN9uT6H1FdexComfbe+iA9\nVzLF970ASzptGiNYtdN9GYdXY7JGHoOfmYy3fpjZGN3p2KqiYyi3UA==\n-----END AGE ENCRYPTED FILE-----\n" "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlU2tEMHIvRUFxa24wMVcy\nb2lheGR2ekl6S0wzWUd5cTMwTC9HdFN1eVc0CkRjRHdJVUw3ZCtZSTlUOHZCV2J6\nYkxqdnNmU05LTTNmNFZiTzBxZVdkOTgKLS0tIEZUZ0svL2NhcTZPdFZrYUhwQ05Q\nWnZXRWIvRXBOMWNDTzQ4RDNKa3IwSUkKj+vI9dEEUQYN9uT6H1FdexComfbe+iA9\nVzLF970ASzptGiNYtdN9GYdXY7JGHoOfmYy3fpjZGN3p2KqiYyi3UA==\n-----END AGE ENCRYPTED FILE-----\n"
} }
], ],
"lastmodified": "2024-05-10T13:32:34Z", "lastmodified": "2025-07-06T16:08:39Z",
"mac": "ENC[AES256_GCM,data:lxfYT2TEO9KFx0x6DPRQ2mRy5Ft6syyyO1yV9my6GwvDxd1e7odXGRcFo3N1AFod8Y6z4+XaxqZ/GoqSp94Pk8aF4eEhyAFun/UUr8KhKGsnq6xnQA4p37oYccvTY4eohS5YHBr/+AMutddmQ7qiYtQhVViXAr6+dmOsV1Tfu+A=,iv:bC+z9SP2W048bR3aWIcPgRlfLB5n5ccst6OvH0NjYBk=,tag:qhoXUAl0nG4LYy6yXQP2/g==,type:str]", "mac": "ENC[AES256_GCM,data:6EbMSJAKOMgXtlwaVtsmPgrZVgraReAfVJWjZvhe965eLhhP5aeyZqPlA6a93h2FsShVFYWFPI57tdHy9Ymo53oXolSt8Docr2w2FL4BTWHHhkXal9+6aJZAZ+XOPEOUYurFxPOX44l+LDkecSz0NMCgrScWtpphjlkj3yP5GTo=,iv:5w8RC9IAuyEuO0QSZ0FBwW2/qqV56HNG7hZIkEeGEYU=,tag:Zosv1OSMtznnKkSYStu+oA==,type:str]",
"pgp": [ "pgp": [
{ {
"created_at": "2024-05-10T13:29:58Z", "created_at": "2024-05-10T13:29:58Z",


@@ -0,0 +1,40 @@
{ pkgs, lib, config, ... }: {
services.update-from-hydra.paths.traveldrafter = {
enable = true;
hydraUrl = "https://hydra.clerie.de";
hydraProject = "clerie";
hydraJobset = "traveldrafter";
hydraJob = "packages.x86_64-linux.traveldrafter";
nixStoreUri = "https://nix-cache.clerie.de";
resultPath = "/srv/traveldrafter";
};
sops.secrets.traveldrafter-htpasswd = {
owner = "nginx";
group = "nginx";
};
services.nginx.virtualHosts = {
"traveldrafter.clerie.de" = {
enableACME = true;
forceSSL = true;
root = "/srv/traveldrafter/lib/node_modules/traveldrafter/web/";
basicAuthFile = config.sops.secrets.traveldrafter-htpasswd.path;
locations."/api" = {
proxyPass = "http://[::1]:3001";
};
};
};
systemd.services."traveldrafter" = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
RuntimeDirectory = "traveldrafter";
DynamicUser = true;
};
environment = {
HTTP_PORT = "3001";
};
script = lib.getExe pkgs.traveldrafter;
};
}
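Review bot: The traveldrafter unit is handed `HTTP_PORT = "3001"` but nothing pins the bind address, while nginx enforces `basicAuthFile` and proxies `/api` to `http://[::1]:3001`; if the application listens on all interfaces, any local process on this host can reach the API on :3001 without the basic auth (the firewall's 80/443 allowlist only covers remote peers). Please confirm the app binds loopback only and record it: `# traveldrafter must listen on ::1 only; basic auth is enforced by nginx, not by the app`. The unit also runs with `DynamicUser` but no further sandboxing; if the service keeps no state on disk, `ProtectSystem = "strict";`, `ProtectHome = true;` and `PrivateTmp = true;` are cheap additions to `serviceConfig`.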


@@ -5,12 +5,12 @@
[ [
./hardware-configuration.nix ./hardware-configuration.nix
../../configuration/desktop
./initrd.nix ./initrd.nix
./programs.nix ./programs.nix
]; ];
profiles.clerie.desktop.enable = true;
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;


@@ -8,6 +8,8 @@ let
lib = { lib = {
clerie-monitoring-ids = callLibs ./clerie-monitoring-ids.nix; clerie-monitoring-ids = callLibs ./clerie-monitoring-ids.nix;
mkNixpkgs = callLibs ./mkNixpkgs.nix;
nixosSystem = callLibs ./nixosSystem.nix;
}; };
in in


@@ -1,22 +0,0 @@
{ ... }:
rec {
llIPv6 = localIP: peerIP: interface: {
ips = [
"${localIP}/128"
];
postSetup = ''
ip -6 route flush dev ${interface}
ip addr del dev ${interface} ${localIP}/128 && ip addr add dev ${interface} ${localIP}/128 peer ${peerIP}/128
'';
};
llIPv4 = localIP: peerIP: interface: {
ips = [
"${localIP}/32"
];
postSetup = ''
ip -4 route flush dev ${interface}
ip addr del dev ${interface} ${localIP}/32 && ip addr add dev ${interface} ${localIP}/32 peer ${peerIP}/32
'';
};
}

27
lib/mkNixpkgs.nix Normal file

@@ -0,0 +1,27 @@
{
inputs,
self,
...
}:
/*
Loads a version of nixpkgs with nixfiles overlays loaded
*/
{
system,
nixpkgs ? inputs.nixpkgs,
overlays ? [],
...
}@args:
import nixpkgs {
inherit system;
overlays = [
self.overlays.clerie-inputs
self.overlays.clerie-pkgs
self.overlays.clerie-build-support
self.overlays.clerie-overrides
] ++ overlays;
}
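Review bot: The function header `{ system, nixpkgs ? inputs.nixpkgs, overlays ? [], ... }@args:` binds `args` but never uses it, and the `...` makes any misspelled argument (say `overlay`) vanish silently. Either drop both, `{ system, nixpkgs ? inputs.nixpkgs, overlays ? [] }:`, so unknown attributes are rejected at call time, or forward the remaining attributes into `import nixpkgs` the way nixosSystem.nix does with `builtins.removeAttrs`. The doc comment could also state that the caller's `overlays` are applied after the four nixfiles overlays.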

42
lib/nixosSystem.nix Normal file

@@ -0,0 +1,42 @@
{
inputs,
self,
...
}:
/*
nixfiles.lib.nixosSystem, like nixpkgs.lib.nixosSystem but
with nixfiles overlays and modules already populated
*/
{
system ? null,
nixpkgs ? inputs.nixpkgs,
pkgs ? null,
modules ? [],
...
}@args:
nixpkgs.lib.nixosSystem ({
system = system;
pkgs = if pkgs != null then pkgs else (self.lib.mkNixpkgs {
inherit system nixpkgs;
});
modules = [
self.nixosModules.nixfilesInputs
self.nixosModules.clerie
self.nixosModules.profiles
({ config, lib, ... }: {
/*
Make the contents of the flake availiable to modules.
Useful for having the monitoring server scraping the
target config from all other servers automatically.
*/
_module.args = {
inputs = inputs;
_nixfiles = self;
};
})
] ++ modules;
} // builtins.removeAttrs args [ "system" "nixpkgs" "pkgs" "modules" ] )
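Review bot: With `system ? null` and no `pkgs` given, the fallback calls `self.lib.mkNixpkgs { inherit system nixpkgs; }` with `system = null`, which presumably fails somewhere inside `import nixpkgs` rather than with a message naming this function; an `assert pkgs != null || system != null;` (or a `throw` with a hint) before the `nixpkgs.lib.nixosSystem` call would make the contract explicit. Stylistically `system = system;` is just `inherit system;`. Minor: the inner doc comment says "availiable" for "available".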


@@ -3,18 +3,13 @@
with lib; with lib;
let let
cfg = config.clerie.system-auto-upgrade; cfg = config.services.bijwerken;
in in
{ {
options = { options = {
clerie.system-auto-upgrade = { services.bijwerken = {
enable = mkEnableOption "clerie system upgrade"; enable = mkEnableOption "Automatic system upgrades";
allowReboot = mkOption {
type = types.bool;
default = false;
description = "Monitor NixOS";
};
autoUpgrade = mkOption { autoUpgrade = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
@@ -25,10 +20,15 @@ in
default = null; default = null;
description = "Systemd time string for starting the unit"; description = "Systemd time string for starting the unit";
}; };
nodeExporterTextfilePath = mkOption {
type = with types; nullOr str;
default = null;
description = "Path to node exporter textfile for putting metrics";
};
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.services.clerie-system-auto-upgrade = { systemd.services.bijwerken-system-upgrade = {
requires = [ "network-online.target" ]; requires = [ "network-online.target" ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
@@ -38,10 +38,10 @@ in
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
ExecStart = pkgs.clerie-system-upgrade + "/bin/clerie-system-upgrade --no-confirm${optionalString cfg.allowReboot " --allow-reboot"}${optionalString (config.clerie.monitoring.enable) " --node-exporter-metrics-path /var/lib/prometheus-node-exporter/textfiles/clerie-system-upgrade.prom"}"; ExecStart = (getExe pkgs.bijwerken-system-upgrade) + " --no-confirm${optionalString (cfg.nodeExporterTextfilePath != null) " --node-exporter-metrics-path ${cfg.nodeExporterTextfilePath}"}";
}; };
}; };
systemd.timers.clerie-system-auto-upgrade = mkIf cfg.autoUpgrade { systemd.timers.bijwerken-system-upgrade = mkIf cfg.autoUpgrade {
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
timerConfig = { timerConfig = {
OnCalendar = if cfg.startAt == null then "*-*-* 05:37:00" else cfg.startAt; OnCalendar = if cfg.startAt == null then "*-*-* 05:37:00" else cfg.startAt;
@@ -51,7 +51,7 @@ in
after = [ "network-online.target" ]; after = [ "network-online.target" ];
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
clerie-system-upgrade bijwerken-system-upgrade
]; ];
}; };
} }
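Review bot: In the new `ExecStart` the option value is interpolated unquoted, `--node-exporter-metrics-path ${cfg.nodeExporterTextfilePath}`; systemd splits the command line on whitespace, so a path containing spaces or special characters would be mis-parsed. Use `${escapeShellArg cfg.nodeExporterTextfilePath}` instead (`with lib;` is already in scope). The hunk also removes `allowReboot` without a replacement, which together with the change in bijwerken-system-upgrade.sh means every timer run reboots when the kernel changed; the option text should say so, e.g. `enable = mkEnableOption "Automatic system upgrades (reboots unattended when kernel or initrd change)";`.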


@@ -5,9 +5,9 @@
./policyrouting ./policyrouting
./akne ./akne
./backup ./backup
./bijwerken
./clerie-firewall ./clerie-firewall
./clerie-gc-dir ./clerie-gc-dir
./clerie-system-upgrade
./dhcpcd-prefixdelegation ./dhcpcd-prefixdelegation
./minecraft-server ./minecraft-server
./monitoring ./monitoring


@@ -75,6 +75,8 @@ in
systemd.services."prometheus-node-exporter".serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ]; systemd.services."prometheus-node-exporter".serviceConfig.RestrictAddressFamilies = [ "AF_NETLINK" ];
services.bijwerken.nodeExporterTextfilePath = "/var/lib/prometheus-node-exporter/textfiles/bijwerken-system-upgrade.prom";
services.prometheus.exporters.bird = mkIf cfg.bird { services.prometheus.exporters.bird = mkIf cfg.bird {
enable = true; enable = true;
}; };
@@ -102,6 +104,33 @@ in
listen = "[::]:9152"; listen = "[::]:9152";
}; };
services.prometheus.exporters.nginxlog = mkIf config.services.nginx.enable {
enable = true;
settings = {
namespaces = [
{
name = "nginxlog";
format = ''$host: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$server_name" rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'';
source = {
files = [
"/var/log/nginx/access.log"
];
};
relabel_configs = [
{
target_label = "server_name";
from = "server_name";
}
];
}
];
};
};
systemd.services."prometheus-nginxlog-exporter".serviceConfig = {
SupplementaryGroups = "nginx";
};
networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [ networking.firewall.interfaces."wg-monitoring".allowedTCPPorts = [
9100 # node-exporter 9100 # node-exporter
9152 # nixos-exporter 9152 # nixos-exporter
@@ -109,6 +138,8 @@ in
9324 # bird-exporter 9324 # bird-exporter
] else []) ++ (if cfg.blackbox then [ ] else []) ++ (if cfg.blackbox then [
9115 # blackbox-exporter 9115 # blackbox-exporter
] else []) ++ (if config.services.prometheus.exporters.nginxlog.enable then [
config.services.prometheus.exporters.nginxlog.port
] else []); ] else []);
}; };
} }
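Review bot: The nginxlog exporter `format` (line 2686) has to match, field for field, the `vcombined_anon_monitoring` log_format added in profiles/common-webserver further down this page; the positions line up today (the exporter merely names the anonymised field `$remote_addr`), but nothing ties the two definitions together. Add `# Keep in sync with log_format vcombined_anon_monitoring in profiles/common-webserver` here and the mirror-image comment there. The exporter is gated on `services.nginx.enable` alone and reads /var/log/nginx/access.log through `SupplementaryGroups = "nginx"`; the enclosing `config` block starts outside the hunk, so if it is not already inside the module's `mkIf cfg.enable`, every nginx host grows a log-tailing exporter whether or not its monitoring is wanted.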


@@ -9,7 +9,7 @@ let
mkServerBlock = isUDP: port: forward: '' mkServerBlock = isUDP: port: forward: ''
server { server {
resolver 127.0.0.53 ipv4=off valid=30s; resolver ${cfg.resolver} ipv4=off valid=30s;
listen ${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"}; listen ${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
listen [::]:${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"}; listen [::]:${port}${optionalString isUDP " udp"}${optionalString (forward.certName != null) " ssl"};
@@ -54,6 +54,10 @@ in
options = { options = {
clerie.nginx-port-forward = { clerie.nginx-port-forward = {
enable = mkEnableOption "Nginx Port Forward"; enable = mkEnableOption "Nginx Port Forward";
resolver = mkOption {
type = types.str;
description = "IP address of the resolver to use for upstream hostnames";
};
tcpPorts = mkOption { tcpPorts = mkOption {
type = with types; attrsOf (submodule portOpts); type = with types; attrsOf (submodule portOpts);
default = {}; default = {};
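Review bot: The new `resolver` option has no `default`, so every existing user of `clerie.nginx-port-forward` must now set it or evaluation fails, while the literal it replaces was `127.0.0.53`. Keeping the old behaviour as the default, `default = "127.0.0.53";` with an `example` for a non-local resolver, makes the change backward-compatible. Either way the description should say the value is interpolated verbatim into `resolver ${cfg.resolver} ipv4=off valid=30s;`, so an address with a port must be written in nginx syntax.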


@@ -0,0 +1,5 @@
#!/usr/bin/env bash
TARGETS="$(nix --extra-experimental-features "nix-command flakes" eval --raw ".#nixosConfigurations" --apply "nixosConfigurations: builtins.concatStringsSep \"\\n\" (builtins.attrValues (builtins.mapAttrs (name: host: host.config.networking.fqdn) nixosConfigurations))")"
pssh -h <(echo "${TARGETS}") -i -- sudo systemctl start bijwerken-system-upgrade.service --no-block
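Review bot: bijwerken-poke.sh has no `set -euo pipefail`, unlike the other scripts in this series (bijwerken-system-upgrade.sh, grow-last-partition-and-filesystem.sh); if the `nix eval` fails, `TARGETS` is empty and `pssh` is run against an empty host list instead of the script aborting. Add `set -euo pipefail` directly after the shebang. A one-line header comment that this starts `bijwerken-system-upgrade.service` on every host in `nixosConfigurations` at once, with no staging, would also help, since the upgrade now reboots unconditionally when the kernel changed.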


@@ -0,0 +1,10 @@
{ pkgs, ... }:
pkgs.writeShellApplication {
name = "bijwerken-poke";
text = builtins.readFile ./bijwerken-poke.sh;
runtimeInputs = with pkgs; [
pssh
];
}


@@ -2,16 +2,11 @@
set -euo pipefail set -euo pipefail
ALLOW_REBOOT=
NO_CONFIRM= NO_CONFIRM=
NODE_EXPORTER_METRICS_PATH= NODE_EXPORTER_METRICS_PATH=
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
case $1 in case $1 in
--allow-reboot)
ALLOW_REBOOT=1
shift
;;
--no-confirm) --no-confirm)
NO_CONFIRM=1 NO_CONFIRM=1
shift shift
@@ -45,7 +40,7 @@ if [[ -z $NO_CONFIRM ]]; then
fi fi
echo "Download ${STORE_PATH}" echo "Download ${STORE_PATH}"
nix copy --from "https://nix-cache.clerie.de" "${STORE_PATH}" nix copy --to daemon "${STORE_PATH}"
echo "Add to system profile" echo "Add to system profile"
nix-env -p "/nix/var/nix/profiles/system" --set "${STORE_PATH}" nix-env -p "/nix/var/nix/profiles/system" --set "${STORE_PATH}"
@@ -55,7 +50,7 @@ echo "Set as boot target"
if [[ -n "$NODE_EXPORTER_METRICS_PATH" ]]; then if [[ -n "$NODE_EXPORTER_METRICS_PATH" ]]; then
echo "Write monitoring check data" echo "Write monitoring check data"
echo "clerie_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH" echo "bijwerken_system_upgrade_last_check $(date +%s)" > "$NODE_EXPORTER_METRICS_PATH"
fi fi
BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})" BOOTED_SYSTEM_KERNEL="$(readlink /run/booted-system/{initrd,kernel,kernel-modules})"
@@ -63,13 +58,8 @@ ACTIVATING_SYSTEM_KERNEL="$(readlink /nix/var/nix/profiles/system/{initrd,kernel
if [[ "$BOOTED_SYSTEM_KERNEL" != "$ACTIVATING_SYSTEM_KERNEL" ]]; then if [[ "$BOOTED_SYSTEM_KERNEL" != "$ACTIVATING_SYSTEM_KERNEL" ]]; then
echo "Reboot is required" echo "Reboot is required"
if [[ -n "$ALLOW_REBOOT" ]]; then
echo "Rebooting system now" echo "Rebooting system now"
shutdown -r +1 "System update requires reboot" shutdown -r +1 "System update requires reboot"
else
echo "Automatic reboot not allowed (maybe use --allow-reboot next time)"
echo "The system upgrade is staged, please reboot manually soon"
fi
else else
echo "No reboot is required" echo "No reboot is required"
echo "Activating system now" echo "Activating system now"
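Review bot: Dropping the `--allow-reboot` gate means `shutdown -r +1` now runs whenever booted and staged kernel/initrd/modules differ, including during an interactive run without `--no-confirm`; that is the intent of the module change, but the script should say so where an operator sees it, e.g. `echo "Reboot is required; rebooting in 1 minute (cancel with shutdown -c)"` in place of the plain message. The metric is renamed to `bijwerken_system_upgrade_last_check`, so any alert rule or dashboard still querying `clerie_system_upgrade_last_check` goes quiet; not visible here, please check. `nix copy --to daemon` with no `--from` also deserves a comment that it relies on the daemon's configured substituters, since the old line named its source explicitly.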


@@ -1,8 +1,8 @@
{ pkgs, ... }: { pkgs, ... }:
pkgs.writeShellApplication { pkgs.writeShellApplication {
name = "clerie-system-upgrade"; name = "bijwerken-system-upgrade";
text = builtins.readFile ./clerie-system-upgrade.sh; text = builtins.readFile ./bijwerken-system-upgrade.sh;
runtimeInputs = with pkgs; [ runtimeInputs = with pkgs; [
curl curl
jq jq


@@ -0,0 +1,7 @@
final: prev:
{
clerie-build-support = {
writePythonScript = final.callPackage ./writePythonScript.nix {};
};
}


@@ -0,0 +1,37 @@
{
python3,
writeTextFile,
lib,
}:
{
name,
text,
runtimePackages ? ps: [],
pythonPackage ? python3,
meta ? {},
passthru ? {},
derivationArgs ? {},
}:
let
pythonWithPackages = pythonPackage.withPackages runtimePackages;
in writeTextFile {
inherit
name
meta
passthru
derivationArgs
;
executable = true;
destination = "/bin/${name}";
allowSubstitutes = true;
preferLocalBuild = false;
text = ''
#!${lib.getExe pythonWithPackages}
${text}
'';
}
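Review bot: Unlike `writeShellApplication`, which runs shellcheck over its text, `writePythonScript` performs no check on `text`, so a syntax error only surfaces when the script is executed. `writeTextFile` accepts a `checkPhase` that sees the written file as `$target`; `checkPhase = "${lib.getExe pythonWithPackages} -m py_compile $target";` catches this at build time (if the `__pycache__` it creates next to the file is unwanted, `python -c 'import ast,sys; ast.parse(open(sys.argv[1]).read())' $target` does the same without side effects). A header comment stating that `runtimePackages` takes a `ps: [ ... ]` function exactly as `python3.withPackages` does would also help callers.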


@@ -1,13 +1,22 @@
{
writeTextFile,
}:
let let
stripR = str: if (builtins.substring ((builtins.stringLength str) - 1) (builtins.stringLength str) str) == "\n" then stripR (builtins.substring 0 ((builtins.stringLength str) - 1) str) else str; stripR = str: if (builtins.substring ((builtins.stringLength str) - 1) (builtins.stringLength str) str) == "\n" then stripR (builtins.substring 0 ((builtins.stringLength str) - 1) str) else str;
hostsWithSshPubkey = builtins.filter (hostname: (builtins.substring 0 1 hostname) != "_" && builtins.pathExists (../hosts + "/${hostname}/ssh.pub")) (builtins.attrNames (builtins.readDir ../hosts)); hostsWithSshPubkey = builtins.filter (hostname: (builtins.substring 0 1 hostname) != "_" && builtins.pathExists (../../hosts + "/${hostname}/ssh.pub")) (builtins.attrNames (builtins.readDir ../../hosts));
sshkeyList = map (hostname: { sshkeyList = map (hostname: {
name = hostname; name = hostname;
sshPubkey = stripR (builtins.readFile (../hosts + "/${hostname}/ssh.pub")); sshPubkey = stripR (builtins.readFile (../../hosts + "/${hostname}/ssh.pub"));
}) hostsWithSshPubkey; }) hostsWithSshPubkey;
knownHosts = builtins.concatStringsSep "" (builtins.map ({name, sshPubkey}: '' knownHosts = builtins.concatStringsSep "" (builtins.map ({name, sshPubkey}: ''
${name} ${sshPubkey} ${name} ${sshPubkey}
${name}.net.clerie.de ${sshPubkey} ${name}.net.clerie.de ${sshPubkey}
'') sshkeyList); '') sshkeyList);
in in writeTextFile {
knownHosts name = "clerie-ssh-known-hosts";
destination = "/known_hosts";
allowSubstitutes = true;
preferLocalBuild = false;
text = knownHosts;
}
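Review bot: The file now produces a store path but still carries no header comment saying what it is; `# known_hosts built from every hosts/<name>/ssh.pub (names starting with "_" are skipped), listing each host as <name> and <name>.net.clerie.de` states what lines 2864-2871 do. Since web-2 now serves this path publicly via `alias = pkgs.clerie-ssh-known-hosts + "/known_hosts"`, the comment is also the place to note that the `../../hosts` paths assume this file stays two directory levels below the repo root.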


@@ -0,0 +1,16 @@
#!/usr/bin/env bash
curl -w "Request to %{url}
time_namelookup: %{time_namelookup}s
time_connect: %{time_connect}s
time_appconnect: %{time_appconnect}s
time_pretransfer: %{time_pretransfer}s
time_starttransfer: %{time_starttransfer}s
time_posttransfer: %{time_posttransfer}s
time_queue: %{time_queue}s
time_redirect: %{time_redirect}s
time_starttransfer: %{time_starttransfer}s
time_total: %{time_total}s
" -o /dev/null -s "$@"
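Review bot: `time_starttransfer` is printed twice (lines 2890 and 2894); drop the second occurrence. `-s` silences curl's error output along with the progress meter, so a failed request prints only zeroed timings; `-sS` keeps the meter off but still shows the error. As far as I recall `time_posttransfer` and `time_queue` only exist in recent curl releases (8.10 and later), so a comment noting the minimum curl version would help anyone running the script outside the wrapped package.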


@@ -0,0 +1,12 @@
{
curl,
writeShellApplication,
}:
writeShellApplication {
name = "curl-timings";
text = builtins.readFile ./curl-timings.sh;
runtimeInputs = [
curl
];
}


@@ -0,0 +1,7 @@
{ pkgs, ... }:
pkgs.clerie-build-support.writePythonScript {
name = "generate-blocked-prefixes";
runtimePackages = ps: with ps; [ requests ];
text = builtins.readFile ./generate-blocked-prefixes.py;
}


@@ -0,0 +1,39 @@
#!/usr/bin/env python3
import ipaddress
import requests
blocked_asns = [
"45102", # Alibaba (US) Technology Co., Ltd.
]
r = requests.get('https://bgp.tools/table.txt', stream=True, headers={
"User-Agent": "https://git.clerie.de/clerie/nixfiles",
})
selected_ipv6_prefixes = []
selected_ipv4_prefixes = []
for line in r.iter_lines(decode_unicode=True):
prefix_string, asn_string = line.split()
if asn_string in blocked_asns:
prefix = ipaddress.ip_network(prefix_string)
if prefix.version == 6:
selected_ipv6_prefixes.append(prefix)
else:
selected_ipv4_prefixes.append(prefix)
selected_ipv6_prefixes = list(ipaddress.collapse_addresses(selected_ipv6_prefixes))
selected_ipv4_prefixes = list(ipaddress.collapse_addresses(selected_ipv4_prefixes))
selected_ipv6_prefixes.sort()
selected_ipv4_prefixes.sort()
with open("hosts/web-2/blocked-prefixes.txt", "w") as blocked_ips_file:
for ipv6_prefix in selected_ipv6_prefixes:
blocked_ips_file.write(f"ip6tables -I nixos-fw -s {ipv6_prefix} -j nixos-fw-refuse\n")
for ipv4_prefix in selected_ipv4_prefixes:
blocked_ips_file.write(f"iptables -I nixos-fw -s {ipv4_prefix} -j nixos-fw-refuse\n")
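Review bot: `requests.get` is called without a `timeout` and the response status is never checked, so an error page from bgp.tools is parsed as the table: `line.split()` raises on the first line that is not two fields, or, for a successful but empty body, the script writes an empty blocked-prefixes.txt and silently lifts every block. Add `timeout=60` to the call and `r.raise_for_status()` right after it, and consider refusing to overwrite the file when no prefix was selected. Because the output is later executed as shell by the firewall (`networking.firewall.extraCommands`), the `ipaddress.ip_network()` round-trip is what keeps untrusted table content out of the command line; a comment saying so would stop someone "simplifying" it to the raw string.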


@@ -1,13 +1,6 @@
{ pkgs, ... }: { pkgs, ... }:
pkgs.writeTextFile { pkgs.clerie-build-support.writePythonScript {
name = "git-show-link"; name = "git-show-link";
executable = true; text = builtins.readFile ./git-show-link.py;
destination = "/bin/git-show-link";
allowSubstitutes = true;
preferLocalBuild = false;
text = ''
#!${pkgs.python3.withPackages (ps: with ps; [])}/bin/python3
${builtins.readFile ./git-show-link.py}
'';
} }


@@ -0,0 +1,17 @@
{
e2fsprogs,
jq,
parted,
writeShellApplication,
}:
writeShellApplication {
name = "grow-last-partition-and-filesystem";
text = builtins.readFile ./grow-last-partition-and-filesystem.sh;
runtimeInputs = [
e2fsprogs
jq
parted
];
}


@@ -0,0 +1,29 @@
#!/usr/bin/env bash
set -euo pipefail
if [[ $# -ne 1 ]]; then
echo "Pass device to grow as first argument:"
echo "grow-last-partition-and-filesystem DEVICE"
exit 1
fi
DEVICE="$1"
PARTITIONDATA="$(parted --script --json --fix "${DEVICE}" print)"
PARTNUMBER="$(echo "${PARTITIONDATA}" | jq -r '.disk.partitions | last | .number')"
PARTNAME="$(echo "${PARTITIONDATA}" | jq -r '.disk.partitions | last | .name')"
echo "Growing partition ${DEVICE}${PARTNUMBER} (${PARTNAME})"
echo
parted "${DEVICE}" resizepart "${PARTNUMBER}" 100%
echo
echo "Resizing filesystem"
echo
resize2fs "${DEVICE}${PARTNUMBER}"
echo "Done."
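Review bot: The partition node is built as `"${DEVICE}${PARTNUMBER}"` (lines 3004 and 3010), which is right for `/dev/sda` → `/dev/sda3` but wrong for disks whose name ends in a digit — `/dev/nvme0n1`, `/dev/mmcblk0`, `/dev/loop0` use a `p` separator — so `resize2fs` is pointed at a non-existent node and, with `set -e`, the script stops after `parted` has already grown the partition. Below, the node name is derived once with the kernel's naming rule and reused. `resize2fs` also only handles ext2/3/4; parted's JSON output carries a `filesystem` field per partition that could be checked before resizing.
```shell
# … unchanged: argument check, PARTITIONDATA, PARTNUMBER, PARTNAME …

# Kernel names partitions "<disk><n>", except that disks whose name ends in a
# digit get a "p" separator (nvme0n1p3, mmcblk0p2, loop0p1).
if [[ "${DEVICE}" =~ [0-9]$ ]]; then
  PARTDEV="${DEVICE}p${PARTNUMBER}"
else
  PARTDEV="${DEVICE}${PARTNUMBER}"
fi

echo "Growing partition ${PARTDEV} (${PARTNAME})"
# … unchanged: parted resizepart …
resize2fs "${PARTDEV}"
```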


@@ -1 +1,35 @@
final: prev: builtins.mapAttrs (name: value: value final prev) (import ./pkgs.nix) final: prev: {
bijwerken-poke = final.callPackage ./bijwerken-poke {};
bijwerken-system-upgrade = final.callPackage ./bijwerken-system-upgrade {};
clerie-backup = final.callPackage ./clerie-backup {};
clerie-cleanup-branches = final.callPackage ./clerie-update-nixfiles/clerie-cleanup-branches.nix {};
clerie-keys = final.callPackage ./clerie-keys {};
clerie-ssh-known-hosts = final.callPackage ./clerie-ssh-known-hosts {};
clerie-system-remote-install = final.callPackage ./clerie-system-remote-install {};
clerie-merge-nixfiles-update = final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
clerie-sops = final.callPackage ./clerie-sops/clerie-sops.nix {};
clerie-sops-config = final.callPackage ./clerie-sops/clerie-sops-config.nix {};
clerie-sops-edit = final.callPackage ./clerie-sops/clerie-sops-edit.nix {};
clerie-update-nixfiles = final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
chromium-incognito = final.callPackage ./chromium-incognito {};
curl-timings = final.callPackage ./curl-timings {};
factorio-launcher = final.callPackage ./factorio-launcher {};
feeds-dir = final.callPackage ./feeds-dir {};
generate-blocked-prefixes = final.callPackage ./generate-blocked-prefixes {};
git-checkout-github-pr = final.callPackage ./git-checkout-github-pr {};
git-diff-word = final.callPackage ./git-diff-word {};
git-pp = final.callPackage ./git-pp {};
git-show-link = final.callPackage ./git-show-link {};
grow-last-partition-and-filesystem = final.callPackage ./grow-last-partition-and-filesystem {};
nix-remove-result-links = final.callPackage ./nix-remove-result-links {};
nixfiles-auto-install = final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
nixfiles-generate-config = final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
nixfiles-generate-backup-secrets = final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
nixfiles-update-ssh-host-keys = final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
pipewire-all-bluetooth = final.callPackage ./pipewire-all-bluetooth {};
print-afra = final.callPackage ./print-afra {};
run-with-docker-group = final.callPackage ./run-with-docker-group {};
ssh-gpg = final.callPackage ./ssh-gpg {};
update-from-hydra = final.callPackage ./update-from-hydra {};
uptimestatus = final.python3.pkgs.callPackage ./uptimestatus {};
}


@@ -0,0 +1,4 @@
final: prev: {
dino = import ./dino.nix final prev;
xmppc = import ./xmppc.nix final prev;
}


@@ -0,0 +1,29 @@
context.modules = [
{ name = libpipewire-module-combine-stream
args = {
combine.mode = sink
node.name = "all-bluetooth"
node.description = "All Bluetooth devices"
combine.latency-compensate = false
combine.props = {
audio.position = [ FL FR ]
}
stream.props = {
}
stream.rules = [
{
matches = [
{
node.name = "~bluez_output.*"
media.class = "Audio/Sink"
}
]
actions = {
create-stream = {
}
}
}
]
}
}
]


@@ -0,0 +1,9 @@
{
runCommand,
... }:
runCommand "pipewire-all-bluetooth" {} ''
mkdir -p $out/share/pipewire/pipewire.conf.d
cp ${./all-bluetooth.conf} $out/share/pipewire/pipewire.conf.d/all-bluetooth.conf
''


@@ -1,32 +0,0 @@
{
clerie-backup = final: prev: final.callPackage ./clerie-backup {};
clerie-cleanup-branches = final: prev: final.callPackage ./clerie-update-nixfiles/clerie-cleanup-branches.nix {};
clerie-keys = final: prev: final.callPackage ./clerie-keys {};
clerie-system-remote-install = final: prev: final.callPackage ./clerie-system-remote-install {};
clerie-system-upgrade = final: prev: final.callPackage ./clerie-system-upgrade/clerie-system-upgrade.nix {};
clerie-merge-nixfiles-update = final: prev: final.callPackage ./clerie-update-nixfiles/clerie-merge-nixfiles-update.nix {};
clerie-sops = final: prev: final.callPackage ./clerie-sops/clerie-sops.nix {};
clerie-sops-config = final: prev: final.callPackage ./clerie-sops/clerie-sops-config.nix {};
clerie-sops-edit = final: prev: final.callPackage ./clerie-sops/clerie-sops-edit.nix {};
clerie-update-nixfiles = final: prev: final.callPackage ./clerie-update-nixfiles/clerie-update-nixfiles.nix {};
chromium-incognito = final: prev: final.callPackage ./chromium-incognito {};
factorio-launcher = final: prev: final.callPackage ./factorio-launcher {};
feeds-dir = final: prev: final.callPackage ./feeds-dir {};
git-checkout-github-pr = final: prev: final.callPackage ./git-checkout-github-pr {};
git-diff-word = final: prev: final.callPackage ./git-diff-word {};
git-pp = final: prev: final.callPackage ./git-pp {};
git-show-link = final: prev: final.callPackage ./git-show-link {};
nix-remove-result-links = final: prev: final.callPackage ./nix-remove-result-links {};
nixfiles-auto-install = final: prev: final.callPackage ./nixfiles/nixfiles-auto-install.nix {};
nixfiles-generate-config = final: prev: final.callPackage ./nixfiles/nixfiles-generate-config.nix {};
nixfiles-generate-backup-secrets = final: prev: final.callPackage ./nixfiles/nixfiles-generate-backup-secrets.nix {};
nixfiles-update-ssh-host-keys = final: prev: final.callPackage ./nixfiles/nixfiles-update-ssh-host-keys.nix {};
print-afra = final: prev: final.callPackage ./print-afra {};
run-with-docker-group = final: prev: final.callPackage ./run-with-docker-group {};
ssh-gpg = final: prev: final.callPackage ./ssh-gpg {};
update-from-hydra = final: prev: final.callPackage ./update-from-hydra {};
uptimestatus = final: prev: final.python3.pkgs.callPackage ./uptimestatus {};
dino = final: prev: import ./overrides/dino.nix final prev;
xmppc = final: prev: import ./overrides/xmppc.nix final prev;
}


@@ -4,6 +4,7 @@
flask, flask,
requests, requests,
python, python,
setuptools,
}: }:
let let
@@ -19,6 +20,10 @@ let
in buildPythonPackage rec { in buildPythonPackage rec {
inherit src pname version; inherit src pname version;
pyproject = true;
build-system = [ setuptools ];
propagatedBuildInputs = [ propagatedBuildInputs = [
flask flask
requests requests
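Review bot: The hunk moves the build to `pyproject = true;` with `build-system = [ setuptools ];` but keeps the legacy `propagatedBuildInputs` for the runtime requirements; `dependencies = [ flask requests ];` is the attribute that pairs with `build-system` in the same style. The `buildPythonPackage` attribute set continues outside the hunk.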


@@ -0,0 +1,88 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.profiles.clerie.common-nix;
in {
options.profiles.clerie.common-nix = {
enable = mkEnableOption "Common nix config";
useClerieNixCache = (mkEnableOption "Use nix cache from clerie") // {
default = true;
};
};
config = mkIf config.profiles.clerie.common-nix.enable {
clerie.nixfiles.enable = true;
services.bijwerken.enable = true;
nix.settings = {
trusted-users = [ "@wheel" ];
auto-optimise-store = true;
# Keep buildtime dependencies
keep-outputs = true;
# Build local, when caches are broken
fallback = true;
};
nix.gc = lib.mkDefault {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
nix.settings = {
experimental-features = [
"flakes"
"nix-command"
];
substituters = if cfg.useClerieNixCache then [
"https://nix-cache.clerie.de"
] else [];
trusted-public-keys = if cfg.useClerieNixCache then [
"nix-cache.clerie.de:bAt1GJTS9BOTcXFWj3nURrSlcjqikCev9yDvqArMP5g="
] else [];
};
# Pin current nixpkgs channel and flake registry to the nixpkgs version
# the host got build with
nix.nixPath = lib.mkForce [ "nixpkgs=${lib.cleanSource pkgs.path}" ];
nix.registry = {
"nixpkgs" = lib.mkForce {
from = {
type = "indirect";
id = "nixpkgs";
};
to = {
type = "path";
path = lib.cleanSource pkgs.path;
};
exact = true;
};
"templates" = {
from = {
type = "indirect";
id = "templates";
};
to = {
type = "git";
url = "https://git.clerie.de/clerie/flake-templates.git";
};
};
};
documentation.doc.enable = false;
environment.systemPackages = with pkgs; [
nix-remove-result-links
];
};
}
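Review bot: `nix.settings.substituters` and `trusted-public-keys` are set to the clerie cache alone, or to `[]`, and as far as I can tell the NixOS module writes exactly that into nix.conf, replacing Nix's built-in `https://cache.nixos.org/` default — so unless nix-cache.clerie.de fronts the upstream cache, hosts build everything not in it locally, and with `useClerieNixCache = false` they have no substituter at all; if that is unintended, list `https://cache.nixos.org/` and `cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=` alongside. `trusted-users = [ "@wheel" ]` is equivalent to root for anyone in wheel (trusted users may override sandboxing and substituters), which is acceptable here but deserves `# trusted-users is effectively root; never add non-admin groups` so the removed guests group does not creep back. Stylistically, `nix.settings` is assigned twice (lines 3174 and 3187) and only evaluates because the parser merges literal attribute sets at the same path; fold them into one block.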


@@ -40,7 +40,12 @@ in {
log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] ' log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent ' '"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"'; '"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log vcombined_anon; log_format vcombined_anon_monitoring '$host: $remote_addr_anon - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$server_name" '
'rt="$request_time" uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
access_log /var/log/nginx/access.log vcombined_anon_monitoring;
''; '';
virtualHosts = mkIf cfg.httpDefaultVirtualHost { virtualHosts = mkIf cfg.httpDefaultVirtualHost {


@@ -13,6 +13,7 @@ with lib;
profiles.clerie.common-dns.enable = mkDefault true; profiles.clerie.common-dns.enable = mkDefault true;
profiles.clerie.common-networking.enable = mkDefault true; profiles.clerie.common-networking.enable = mkDefault true;
profiles.clerie.common-nix.enable = mkDefault true;
profiles.clerie.common-webserver.enable = mkDefault true; profiles.clerie.common-webserver.enable = mkDefault true;


@@ -6,11 +6,14 @@
./common ./common
./common-dns ./common-dns
./common-networking ./common-networking
./common-nix
./common-webserver ./common-webserver
./cybercluster-vm ./cybercluster-vm
./desktop
./dn42-router ./dn42-router
./fem-net ./fem-net
./firefox ./firefox
./gpg-ssh
./hetzner-cloud ./hetzner-cloud
./hydra-build-machine ./hydra-build-machine
./mercury-vm ./mercury-vm


@@ -0,0 +1,31 @@
{ config, lib, pkgs, ... }:
with lib;
{
config = mkIf config.profiles.clerie.desktop.enable {
services.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa = {
enable = true;
support32Bit = true;
};
pulse = {
enable = true;
};
configPackages = [
pkgs.pipewire-all-bluetooth
];
};
environment.systemPackages = with pkgs; [
helvum # pipewire routing gui
];
};
}


@@ -0,0 +1,30 @@
{ config, lib, ... }:
with lib;
{
options.profiles.clerie.desktop = {
enable = mkEnableOption "clerie Desktop Config";
};
imports = [
./audio.nix
./firmware.nix
./fonts.nix
./gnome.nix
./inputs.nix
./networking.nix
./polkit.nix
./power.nix
./printing.nix
./ssh.nix
./xserver.nix
];
config = mkIf config.profiles.clerie.desktop.enable {
security.sudo.wheelNeedsPassword = true;
};
}
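Review bot: `security.sudo.wheelNeedsPassword = true;` is already the NixOS default, so this line only has an effect if another module — presumably a server-oriented common profile — sets it to `false`; without a comment it reads as a no-op. Suggest `# Re-enable the sudo password prompt that the common profile turns off for servers`, naming the module that disables it (not visible here), or drop the line if nothing does.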


@@ -0,0 +1,13 @@
{ config, lib, ... }:
with lib;
{
config = mkIf config.profiles.clerie.desktop.enable {
services.fwupd.enable = true;
};
}


@@ -0,0 +1,20 @@
{ config, lib, pkgs, ... }:
with lib;
{
config = mkIf config.profiles.clerie.desktop.enable {
fonts.enableDefaultPackages = true;
fonts.packages = with pkgs; [
roboto
roboto-mono
noto-fonts
noto-fonts-emoji
comfortaa
] ++ (if pkgs ? "noto-fonts-cjk-sans" then [ pkgs.noto-fonts-cjk-sans ] else [ pkgs.noto-fonts-cjk ]);
};
}


@@ -0,0 +1,69 @@
{ config, lib, pkgs, ... }:
with lib;
{
config = mkIf config.profiles.clerie.desktop.enable {
services.gnome = {
localsearch.enable = false;
tinysparql.enable = false;
};
environment.gnome.excludePackages = with pkgs; [
baobab
epiphany
gnome-calendar
gnome-clocks
gnome-console
gnome-contacts
gnome-logs
gnome-maps
gnome-music
gnome-tour
gnome-photos
gnome-weather
gnome-connections
simple-scan
yelp
geary
];
environment.systemPackages = with pkgs; [
evolution
gnome-terminal
gnome-tweaks
];
services.gnome.evolution-data-server.enable = true;
programs.dconf.profiles = {
user.databases = [
{
settings = {
"org/gnome/desktop/calendar" = {
show-weekdate = true;
};
"org/gnome/desktop/interface" = {
enable-hot-corners = false;
show-battery-percentage = true;
};
"org/gnome/desktop/notifications" = {
show-in-lock-screen = false;
};
"org/gnome/desktop/sound" = {
event-sounds = false;
};
"org/gnome/gnome-system-monitor" = {
network-in-bits = true;
network-total-in-bits = true;
};
};
}
];
};
};
}


@@ -0,0 +1,51 @@
{ config, lib, ... }:
with lib;
{
config = mkIf config.profiles.clerie.desktop.enable {
programs.dconf.profiles = {
user.databases = [
{
settings = {
"org/gnome/desktop/peripherals/touchpad" = {
disable-while-typing = false;
edge-scrolling-enabled = false;
natural-scroll = true;
tap-to-click = true;
two-finger-scrolling-enabled = true;
};
"org/gnome/settings-daemon/plugins/media-keys" = {
custom-keybindings = [
"/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal/"
];
mic-mute = [ "<Control>Print" ];
};
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/terminal" = {
name = "Terminal";
binding = "<Primary><Alt>t";
command = "gnome-terminal";
};
};
}
];
gdm.databases = [
{
settings = {
"org/gnome/desktop/peripherals/touchpad" = {
disable-while-typing = false;
edge-scrolling-enabled = false;
natural-scroll = true;
tap-to-click = true;
two-finger-scrolling-enabled = true;
};
};
}
];
};
};
}


@@ -0,0 +1,20 @@
{ config, lib, ... }:
with lib;
{
config = mkIf config.profiles.clerie.desktop.enable {
networking.networkmanager.settings = {
connectivity = {
uri = "http://ping.clerie.de/nm-check.txt";
};
global-dns = {
searches = "net.clerie.de";
};
};
};
}
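Review bot: The `global-dns.searches = "net.clerie.de"` entry applies the search domain to every connection, so on an untrusted network a single-label lookup (`ssh host`) is sent to that network's resolver as `host.net.clerie.de`, which both leaks internal host names and lets the local resolver answer for them. If those names are only reachable over a specific connection or VPN, scope the search domain to that connection profile instead of `global-dns`, and add a comment stating the trade-off, e.g. `# search domain is appended on every network, including untrusted ones`. The plain-`http://` connectivity URI is the normal captive-portal probe and is acceptable as long as the endpoint serves only a static body; a comment such as `# NM compares the body with its expected response text unless connectivity.response is set` would make the contract with ping.clerie.de explicit. I am inferring the response-body check from NetworkManager's documentation, not from this hunk.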


@@ -0,0 +1,13 @@
{ config, lib, ... }:
with lib;
{
config = mkIf config.profiles.clerie.desktop.enable {
security.polkit.enable = true;
};
}


@@ -0,0 +1,50 @@
{ config, lib, ... }:
with lib;
{
config = mkIf config.profiles.clerie.desktop.enable {
boot.resumeDevice = lib.optionalString ((lib.length config.swapDevices) > 0) (lib.head config.swapDevices).device;
services.logind = {
lidSwitch = "suspend-then-hibernate";
};
systemd.sleep.extraConfig = ''
HibernateDelaySec=30m
'';
services.upower = {
percentageLow = 20;
percentageCritical = 10;
percentageAction = 8;
};
programs.dconf.profiles = {
user.databases = [
{
settings = {
"org/gnome/settings-daemon/plugins/power" = {
power-button-action = "hibernate";
power-saver-profile-on-low-battery = false;
sleep-inactive-ac-type = "nothing";
};
};
}
];
gdm.databases = [
{
settings = {
"org/gnome/settings-daemon/plugins/power" = {
power-button-action = "hibernate";
power-saver-profile-on-low-battery = false;
sleep-inactive-ac-type = "nothing";
};
};
}
];
};
};
}
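Review bot: `boot.resumeDevice` is set to the first entry of `config.swapDevices`, which makes `suspend-then-hibernate` write the entire memory image (unlocked disk keys, gpg/ssh agent material, session tokens) to that swap device, and nothing in this profile ensures the device is encrypted. Document the requirement next to the line, e.g. `# Hibernation image lands on the first swap device: it must live inside the LUKS volume or be an encrypted swap, otherwise RAM contents hit the disk in clear`, and consider an `assertions` entry per host that checks it. `lib.head` also silently picks whichever swap device is listed first; on a host with more than one, resume may target the wrong device, so that assumption is worth stating too. Whether the hosts using this profile encrypt their swap is not visible from this hunk.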


@@ -0,0 +1,14 @@
{ config, lib, ... }:
with lib;
{
config = mkIf config.profiles.clerie.desktop.enable {
services.printing.enable = true;
services.avahi.enable = true;
services.avahi.nssmdns4 = true;
};
}
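Review bot: Enabling avahi with `nssmdns4 = true` on a roaming desktop means `.local` names are resolved from whichever host on the current link answers first, so on an untrusted network an attacker can impersonate a printer or any `.local` name the user types. As far as I recall the NixOS avahi module also opens UDP 5353 on all interfaces by default through `services.avahi.openFirewall`, which this hunk does not override. If mDNS is only needed on trusted networks, document that, e.g. `# mDNS trusts every host on the link; only browse/print on trusted LANs`, and consider `services.avahi.openFirewall = false;` or per-connection firewall zoning. The CUPS listening scope is left at the module default here, which I believe is localhost only.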

39
profiles/desktop/ssh.nix Normal file

@@ -0,0 +1,39 @@
{ config, lib, pkgs, ... }:
with lib;
{
config = mkIf config.profiles.clerie.desktop.enable {
profiles.clerie.gpg-ssh.enable = true;
programs.gnupg.agent = {
pinentryPackage = pkgs.pinentry-gtk2;
};
# Do not disable ssh-agent of gnome-keyring, because
# gnupg ssh-agent can't handle normal SSH keys properly
/*
# Disable ssh-agent of gnome-keyring
nixpkgs.overlays = [
(final: prev: {
gnome = prev.gnome // {
gnome-keyring = prev.runCommand "gnome-keyring-ssh-disabled-autostart" {} ''
mkdir -p $out
# Symlink all gnome-keyring binaries
${final.xorg.lndir}/bin/lndir -silent ${prev.gnome.gnome-keyring} $out
# Disable autostart for ssh
rm $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
cat ${prev.gnome.gnome-keyring}/etc/xdg/autostart/gnome-keyring-ssh.desktop > $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
echo "Hidden=true" >> $out/etc/xdg/autostart/gnome-keyring-ssh.desktop
'';
};
})
];
*/
};
}
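Review bot: The commented-out overlay between `/*` and `*/` is dead code that references `prev.gnome.gnome-keyring`, an attribute path that I believe no longer exists in current nixpkgs, so it cannot simply be re-enabled; keep the two-line explanation and drop the block, since git history preserves it. The surviving comment should also spell out the consequence of running two agents: `# gnome-keyring's ssh-agent stays enabled; plain ssh talks to it, use the ssh-gpg wrapper to reach gpg-agent` (that wrapper is installed by the gpg-ssh profile, not this file). `pinentryPackage = pkgs.pinentry-gtk2` pins a GTK2 pinentry on a GNOME desktop; `pkgs.pinentry-gnome3` is the usual choice there and avoids the legacy toolkit.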


@@ -0,0 +1,18 @@
{ config, lib, pkgs, ... }:
with lib;
{
config = mkIf config.profiles.clerie.desktop.enable {
services.xserver.enable = true;
services.displayManager.gdm.enable = true;
services.desktopManager.gnome.enable = true;
services.xserver.excludePackages = with pkgs; [
xterm
];
};
}


@@ -0,0 +1,64 @@
{ pkgs, lib, config, ... }:
with lib;
let
cfg = config.profiles.clerie.gpg-ssh;
custom_gnupg = pkgs.gnupg.overrideAttrs (final: prev: {
configureFlags = prev.configureFlags ++ [
# Make sure scdaemon never ever again tries to use its own ccid driver
"--disable-ccid-driver"
];
});
in {
options.profiles.clerie.gpg-ssh = {
enable = mkEnableOption "SSH integration for GPG";
};
config = mkIf config.profiles.clerie.gpg-ssh.enable {
programs.gnupg.package = custom_gnupg;
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
pinentryPackage = lib.mkDefault pkgs.pinentry-curses;
};
environment.systemPackages = with pkgs; [
custom_gnupg
yubikey-personalization
openpgp-card-tools
# Add wrapper around ssh that takes the gnupg ssh-agent
# instead of gnome-keyring
ssh-gpg
];
services.pcscd.enable = true;
# pcscd sometimes breaks and seem to need a manual restart
# so we allow users to restart that service themself
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (
action.id == "org.freedesktop.systemd1.manage-units"
&& action.lookup("unit") == "pcscd.service"
&& action.lookup("verb") == "restart"
&& subject.isInGroup("users")
) {
return polkit.Result.YES;
}
});
'';
services.udev.packages = with pkgs; [
yubikey-personalization
];
};
}
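Review bot: The polkit rule grants `restart` of `pcscd.service` to everyone in group `users`, which on NixOS is the default group for every normal account, so it is not limited to the smart-card user; the unit-name and verb checks are tight, which is good. Restricting the subject further with `&& subject.local && subject.active` limits the grant to the person at the console, and a comment should state the residual risk: `# Any local user can bounce pcscd; worst case is a denial of service of card access, not privilege gain`. The `--disable-ccid-driver` flag is reasonable hardening since, as the comment says, it keeps scdaemon off its internal CCID driver and on pcscd; phrase that motivation in the comment instead of "never ever again" so the next maintainer knows it is deliberate.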