goeranh 2026-02-25 20:13:18 +01:00
parent 6add85a106
commit 3e82d5f015
No known key found for this signature in database
5 changed files with 173 additions and 166 deletions


@ -34,7 +34,7 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINABEf0jBjtDdezDDtvl1v27l0DbHP2XUgMARTZXC+MR goeranh@node5"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDmYHNdtPmQqvNINEWJgqEojrye+wQKr0S0VwlGv7xUa goeranh@node7"
];
in
in
rec {
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
packages.x86_64-linux =
@ -46,33 +46,39 @@
# run nixos-rebuild switch on the target system
# the config will be built locally and copied over
"${name}-update" = nixpkgs.legacyPackages.x86_64-linux.writeShellScriptBin "update" ''
nixos-rebuild switch --flake .#${name} --target-host root@${name}.test.htw.stura-dresden.de
nixos-rebuild switch --flake .#${name} --target-host root@${name}.test.htw.stura-dresden.de
'';
# copy install image to testserver and deploy the specified configuration to it
"${name}-deploy-test" = nixpkgs.legacyPackages.x86_64-linux.writeShellScriptBin "deploy" ''
FILENAME="$(ls ${self.packages.x86_64-linux."installer-iso".outPath}/iso)"
scp ${self.packages.x86_64-linux."installer-iso".outPath}/iso/$FILENAME root@10.1.0.17:/var/lib/vz/template/iso/$FILENAME
ssh 10.1.0.17 "qm create $1 --name ${nixosConfigurations.${name}.config.networking.fqdn} --cores 4 --memory 4096 --sata1 file=/var/lib/vz/template/iso/$FILENAME,media=cdrom --scsi1 pool1:32 --scsihw virtio-scsi-single --net0 virtio,bridge=vmbr1 --description \"von goeranh mailserver flake genierierte wegwerf-vm <br> ${nixosConfigurations.${name}.config.networking.fqdn}\""
ssh 10.1.0.17 "qm start $1"
FILENAME="$(ls ${self.packages.x86_64-linux."installer-iso".outPath}/iso)"
scp ${
self.packages.x86_64-linux."installer-iso".outPath
}/iso/$FILENAME root@10.1.0.17:/var/lib/vz/template/iso/$FILENAME
ssh 10.1.0.17 "qm create $1 --name ${
nixosConfigurations.${name}.config.networking.fqdn
} --cores 4 --memory 4096 --sata1 file=/var/lib/vz/template/iso/$FILENAME,media=cdrom --scsi1 pool1:32 --scsihw virtio-scsi-single --net0 virtio,bridge=vmbr1 --description \"von goeranh mailserver flake genierierte wegwerf-vm <br> ${
nixosConfigurations.${name}.config.networking.fqdn
}\""
ssh 10.1.0.17 "qm start $1"
# hardcoded deployment ip
# wait until a connection to port 22 on the deployment ip is reachable
until nc -vzw 2 141.56.51.98 22 2>/dev/null; do echo trying; sleep 2; done
# hardcoded deployment ip
# wait until a connection to port 22 on the deployment ip is reachable
until nc -vzw 2 141.56.51.98 22 2>/dev/null; do echo trying; sleep 2; done
# run nixos-anywhere on the deployment address with the specified configuration
nix run github:nix-community/nixos-anywhere -- --flake .#${name} --target-host root@141.56.51.98
# run nixos-anywhere on the deployment address with the specified configuration
nix run github:nix-community/nixos-anywhere -- --flake .#${name} --target-host root@141.56.51.98
'';
}
)
{ }
( # filter all nixos configs containing installer
builtins.filter (item: !nixpkgs.lib.hasInfix "-" item) (
builtins.attrNames nixosConfigurations
)
) //
(let
(
# filter all nixos configs containing installer
builtins.filter (item: !nixpkgs.lib.hasInfix "-" item) (builtins.attrNames nixosConfigurations)
)
// (
let
iso-config = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
@ -83,10 +89,12 @@
isNormalUser = true;
};
users.users.root.openssh.authorizedKeys.keys = sshkeys;
networking.interfaces.ens18.ipv4.addresses = [{
address = "141.56.51.98";
prefixLength = 24;
}];
networking.interfaces.ens18.ipv4.addresses = [
{
address = "141.56.51.98";
prefixLength = 24;
}
];
services.getty.autologinUser = "root";
services.openssh.enable = true;
system.stateVersion = "25.11";
@ -96,10 +104,12 @@
}
];
};
in {
in
{
installer-iso = iso-config.config.system.build.isoImage;
installer-vm = iso-config.config.system.build.vm;
});
}
);
nixosConfigurations = builtins.foldl' (
result: input:


@ -44,7 +44,10 @@
systemd.services.authentik-secrets-generator = {
enable = true;
requiredBy = [ "authentik-secrets-setup.service" "authentik-worker.service" ];
requiredBy = [
"authentik-secrets-setup.service"
"authentik-worker.service"
];
script = ''
echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > /var/lib/authentik_secret
'';


@ -29,21 +29,14 @@ in
];
networking.hostName = "git";
networking.domain = "test.htw.stura-dresden.de";
networking.interfaces.ens18.ipv4.addresses = [
{
address = "167.235.225.23";
prefixLength = 32;
address = "141.56.51.97";
prefixLength = 24;
}
];
networking.interfaces.ens18.ipv6.addresses = [
{
address = "2a01:4f8:c012:6bd7::1";
prefixLength = 32;
}
];
networking.defaultGateway.address = "172.31.1.1";
networking.defaultGateway.address = "141.56.51.254";
networking.nameservers = [
"9.9.9.9"
"1.1.1.1"
@ -53,30 +46,36 @@ in
services.forgejo = {
enable = true;
settings = {
server = {
PROTOCOL = "http+unix";
HTTP_ADDR = "/var/run/forgejo.sock";
HTTP_ADDR = "/run/forgejo/forgejo.sock";
ROOT_URL = "https://${config.networking.fqdn}";
};
oauth2_client = {
ENABLE_AUTO_REGISTRATION = "true";
REGISTER_EMAIL_CONFIRM = "false";
username = "email";
};
service = {
SHOW_REGISTRATION_BUTTON = "false";
};
};
};
services.nginx = {
enable = true;
virtualHosts."git.htw.stura-dresden.de" = {
virtualHosts."${config.networking.fqdn}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://unix:/var/run/forgejo.sock";
proxyPass = "http://unix:/run/forgejo/forgejo.sock";
};
};
};
# virtualisation.docker.enable = true;
security.acme.acceptTerms = true;
security.acme.defaults.email = "cert@stura.htw-dresden.de";
networking.firewall.allowedTCPPorts = [
25
80
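Review bot: Moving the forgejo socket to `/run/forgejo/forgejo.sock` (both `HTTP_ADDR` and `proxyPass`) means the nginx worker must now traverse `/run/forgejo/` and connect to the socket, and nothing in this hunk pins the socket mode; the module's RuntimeDirectory permissions and `server.UNIX_SOCKET_PERMISSION` should be confirmed and the latter set explicitly to the narrowest mode nginx needs rather than left at the upstream default. The virtualHost now keys on `config.networking.fqdn`, which with `hostName = "git"` and `domain = "test.htw.stura-dresden.de"` is a different name than the old `git.htw.stura-dresden.de`, so DNS for that fqdn has to resolve to 141.56.51.97 before the ACME order can succeed, and since the IPv6 address was removed without a replacement the host is IPv4-only after this change. The `oauth2_client` block's `ENABLE_AUTO_REGISTRATION = "true"` together with `REGISTER_EMAIL_CONFIRM = "false"` and `username = "email"` lets any identity the OAuth2 provider asserts create an account without a local email check, which is fine only if the provider verifies email addresses; that trust assumption deserves a comment such as `# account creation is delegated to the IdP, which must verify email addresses`, though the old/new side of that block is not recoverable from this rendering and it may be pre-existing.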


@ -36,7 +36,7 @@
};
};
services = {
services = {
openssh = {
enable = true;
listenAddresses = [
@ -46,135 +46,134 @@ services = {
}
];
};
haproxy =
let
forwards = {
plone = {
dest = "141.56.51.3";
domain = "stura.htw-dresden.de";
httpPort = 80;
httpsPort = 443;
haproxy =
let
forwards = {
plone = {
dest = "141.56.51.3";
domain = "stura.htw-dresden.de";
httpPort = 80;
httpsPort = 443;
};
plone_alt = {
dest = "141.56.51.3";
domain = "www.stura.htw-dresden.de";
httpPort = 80;
httpsPort = 443;
};
tix = {
dest = "141.56.51.220";
domain = "tix.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
vot = {
dest = "141.56.51.81";
domain = "vot.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
dat = {
dest = "141.56.51.81";
domain = "dat.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
pro = {
dest = "141.56.51.15";
domain = "pro.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
cloud = {
dest = "141.56.51.16";
domain = "cloud.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
wiki = {
dest = "141.56.51.13";
domain = "wiki.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
};
plone_alt = {
dest = "141.56.51.3";
domain = "www.stura.htw-dresden.de";
httpPort = 80;
httpsPort = 443;
};
tix = {
dest = "141.56.51.220";
domain = "tix.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
vot = {
dest = "141.56.51.81";
domain = "vot.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
dat = {
dest = "141.56.51.81";
domain = "dat.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
pro = {
dest = "141.56.51.15";
domain = "pro.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
cloud = {
dest = "141.56.51.16";
domain = "cloud.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
wiki = {
dest = "141.56.51.13";
domain = "wiki.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
};
in{
enable = true;
config = ''
global
log /dev/log local0
maxconn 4096
# for ACME/Let's Encrypt cert + key in one file:
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
crt-base /var/lib/acme
in
{
enable = true;
config = ''
global
log /dev/log local0
maxconn 4096
# for ACME/Let's Encrypt cert + key in one file:
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
crt-base /var/lib/acme
defaults
log global
mode tcp
option tcplog
timeout connect 5s
timeout client 30s
timeout server 30s
defaults
log global
mode tcp
option tcplog
timeout connect 5s
timeout client 30s
timeout server 30s
frontend stats
bind 127.0.0.1:8404
mode http
stats enable
stats uri /stats
stats refresh 10s
stats auth admin:yourpassword
stats show-legends
stats show-node
frontend stats
bind 127.0.0.1:8404
mode http
stats enable
stats uri /stats
stats refresh 10s
stats auth admin:yourpassword
stats show-legends
stats show-node
frontend http-in
bind *:80
frontend http-in
bind *:80
${
lib.foldlAttrs(prev: name: value: prev +
"acl is_${name} hdr(host) -i ${value.domain}\n"
) "" forwards
}
${lib.foldlAttrs (
prev: name: value:
prev + "acl is_${name} hdr(host) -i ${value.domain}\n"
) "" forwards}
${
lib.foldlAttrs(prev: name: value: prev +
"use_backend ${name}_80 if is_${name}\n"
) "" forwards
}
${lib.foldlAttrs (
prev: name: value:
prev + "use_backend ${name}_80 if is_${name}\n"
) "" forwards}
default_backend plone_80
default_backend plone_80
frontend ssh_jump_alt
bind *:2142
mode tcp
timeout client 30m
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] "
use_backend ssh_srs2
frontend ssh_jump_alt
bind *:2142
mode tcp
timeout client 30m
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] "
use_backend ssh_srs2
# ---- SNI routing (TCP, peek at handshake) ----
frontend sni_router
bind *:443
mode tcp
tcp-request inspect-delay 1s
tcp-request content accept if { req_ssl_hello_type 1 }
# ---- SNI routing (TCP, peek at handshake) ----
frontend sni_router
bind *:443
mode tcp
tcp-request inspect-delay 1s
tcp-request content accept if { req_ssl_hello_type 1 }
# terminated here
${
lib.foldlAttrs(prev: name: value: prev +
"use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n"
) "" forwards
}
# terminated here
${lib.foldlAttrs (
prev: name: value:
prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n"
) "" forwards}
backend ssh_srs2
mode tcp
timeout server 30m
timeout connect 10s
option tcpka
server srs2 141.56.51.2:80 check
backend ssh_srs2
mode tcp
timeout server 30m
timeout connect 10s
option tcpka
server srs2 141.56.51.2:80 check
${
lib.foldlAttrs(prev: name: value: prev +
''
${lib.foldlAttrs (
prev: name: value:
prev
+ ''
backend ${name}_80
mode http
@ -184,14 +183,11 @@ services = {
server ${name} ${value.dest}:${builtins.toString value.httpsPort} check
''
) "" forwards
}
'';
};
) "" forwards}
'';
};
};
environment.systemPackages = with pkgs; [
openvpn
tcpdump


@ -19,7 +19,6 @@
];
networking.defaultGateway.address = "141.56.51.254";
security.acme.acceptTerms = true;
security.acme.defaults.email = "cert@stura.htw-dresden.de";