diff --git a/flake.nix b/flake.nix
index f2ff208..6ec8d49 100644
--- a/flake.nix
+++ b/flake.nix
@@ -34,7 +34,7 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINABEf0jBjtDdezDDtvl1v27l0DbHP2XUgMARTZXC+MR goeranh@node5"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDmYHNdtPmQqvNINEWJgqEojrye+wQKr0S0VwlGv7xUa goeranh@node7"
];
- in
+ in
rec {
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
packages.x86_64-linux =
@@ -46,33 +46,39 @@
# run nixos-rebuild switch on the target system
# the config will be built locally and copied over
"${name}-update" = nixpkgs.legacyPackages.x86_64-linux.writeShellScriptBin "update" ''
- nixos-rebuild switch --flake .#${name} --target-host root@${name}.test.htw.stura-dresden.de
+ nixos-rebuild switch --flake .#${name} --target-host root@${name}.test.htw.stura-dresden.de
'';
# copy install image to testserver and deploy the specified configuration to it
"${name}-deploy-test" = nixpkgs.legacyPackages.x86_64-linux.writeShellScriptBin "deploy" ''
- FILENAME="$(ls ${self.packages.x86_64-linux."installer-iso".outPath}/iso)"
- scp ${self.packages.x86_64-linux."installer-iso".outPath}/iso/$FILENAME root@10.1.0.17:/var/lib/vz/template/iso/$FILENAME
- ssh 10.1.0.17 "qm create $1 --name ${nixosConfigurations.${name}.config.networking.fqdn} --cores 4 --memory 4096 --sata1 file=/var/lib/vz/template/iso/$FILENAME,media=cdrom --scsi1 pool1:32 --scsihw virtio-scsi-single --net0 virtio,bridge=vmbr1 --description \"von goeranh mailserver flake genierierte wegwerf-vm
${nixosConfigurations.${name}.config.networking.fqdn}\""
- ssh 10.1.0.17 "qm start $1"
+ FILENAME="$(ls ${self.packages.x86_64-linux."installer-iso".outPath}/iso)"
+ scp ${
+ self.packages.x86_64-linux."installer-iso".outPath
+ }/iso/$FILENAME root@10.1.0.17:/var/lib/vz/template/iso/$FILENAME
+ ssh 10.1.0.17 "qm create $1 --name ${
+ nixosConfigurations.${name}.config.networking.fqdn
+ } --cores 4 --memory 4096 --sata1 file=/var/lib/vz/template/iso/$FILENAME,media=cdrom --scsi1 pool1:32 --scsihw virtio-scsi-single --net0 virtio,bridge=vmbr1 --description \"von goeranh mailserver flake genierierte wegwerf-vm
${
+ nixosConfigurations.${name}.config.networking.fqdn
+ }\""
+ ssh 10.1.0.17 "qm start $1"
- # hardcoded deployment ip
- # wait until a connection to port 22 on the deployment ip is reachable
- until nc -vzw 2 141.56.51.98 22 2>/dev/null; do echo trying; sleep 2; done
+ # hardcoded deployment ip
+ # wait until a connection to port 22 on the deployment ip is reachable
+ until nc -vzw 2 141.56.51.98 22 2>/dev/null; do echo trying; sleep 2; done
- # run nixos-anywhere on the deployment address with the specified configuration
- nix run github:nix-community/nixos-anywhere -- --flake .#${name} --target-host root@141.56.51.98
+ # run nixos-anywhere on the deployment address with the specified configuration
+ nix run github:nix-community/nixos-anywhere -- --flake .#${name} --target-host root@141.56.51.98
'';
}
)
{ }
- ( # filter all nixos configs containing installer
- builtins.filter (item: !nixpkgs.lib.hasInfix "-" item) (
- builtins.attrNames nixosConfigurations
- )
- ) //
- (let
+ (
+ # filter all nixos configs containing installer
+ builtins.filter (item: !nixpkgs.lib.hasInfix "-" item) (builtins.attrNames nixosConfigurations)
+ )
+ // (
+ let
iso-config = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
@@ -83,10 +89,12 @@
isNormalUser = true;
};
users.users.root.openssh.authorizedKeys.keys = sshkeys;
- networking.interfaces.ens18.ipv4.addresses = [{
- address = "141.56.51.98";
- prefixLength = 24;
- }];
+ networking.interfaces.ens18.ipv4.addresses = [
+ {
+ address = "141.56.51.98";
+ prefixLength = 24;
+ }
+ ];
services.getty.autologinUser = "root";
services.openssh.enable = true;
system.stateVersion = "25.11";
@@ -96,10 +104,12 @@
}
];
};
- in {
+ in
+ {
installer-iso = iso-config.config.system.build.isoImage;
installer-vm = iso-config.config.system.build.vm;
- });
+ }
+ );
nixosConfigurations = builtins.foldl' (
result: input:
diff --git a/hosts/auth/authentik.nix b/hosts/auth/authentik.nix
index fa390e4..c7e1c3f 100644
--- a/hosts/auth/authentik.nix
+++ b/hosts/auth/authentik.nix
@@ -44,7 +44,10 @@
systemd.services.authentik-secrets-generator = {
enable = true;
- requiredBy = [ "authentik-secrets-setup.service" "authentik-worker.service" ];
+ requiredBy = [
+ "authentik-secrets-setup.service"
+ "authentik-worker.service"
+ ];
script = ''
echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > /var/lib/authentik_secret
'';
diff --git a/hosts/git/default.nix b/hosts/git/default.nix
index 88c398e..f08bec2 100644
--- a/hosts/git/default.nix
+++ b/hosts/git/default.nix
@@ -29,21 +29,14 @@ in
];
networking.hostName = "git";
- networking.domain = "test.htw.stura-dresden.de";
networking.interfaces.ens18.ipv4.addresses = [
{
- address = "167.235.225.23";
- prefixLength = 32;
+ address = "141.56.51.97";
+ prefixLength = 24;
}
];
- networking.interfaces.ens18.ipv6.addresses = [
- {
- address = "2a01:4f8:c012:6bd7::1";
- prefixLength = 32;
- }
- ];
- networking.defaultGateway.address = "172.31.1.1";
+ networking.defaultGateway.address = "141.56.51.254";
networking.nameservers = [
"9.9.9.9"
"1.1.1.1"
@@ -53,30 +46,36 @@ in
services.forgejo = {
enable = true;
settings = {
-
+
server = {
PROTOCOL = "http+unix";
- HTTP_ADDR = "/var/run/forgejo.sock";
+ HTTP_ADDR = "/run/forgejo/forgejo.sock";
ROOT_URL = "https://${config.networking.fqdn}";
};
+ oauth2_client = {
+ ENABLE_AUTO_REGISTRATION = "true";
+ REGISTER_EMAIL_CONFIRM = "false";
+ username = "email";
+ };
+ service = {
+ SHOW_REGISTRATION_BUTTON = "false";
+ };
};
};
services.nginx = {
enable = true;
- virtualHosts."git.htw.stura-dresden.de" = {
+ virtualHosts."${config.networking.fqdn}" = {
+ forceSSL = true;
+ enableACME = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
- proxyPass = "http://unix:/var/run/forgejo.sock";
+ proxyPass = "http://unix:/run/forgejo/forgejo.sock";
};
};
};
- # virtualisation.docker.enable = true;
- security.acme.acceptTerms = true;
- security.acme.defaults.email = "cert@stura.htw-dresden.de";
-
networking.firewall.allowedTCPPorts = [
25
80
diff --git a/hosts/proxy/default.nix b/hosts/proxy/default.nix
index 852517d..215b52f 100644
--- a/hosts/proxy/default.nix
+++ b/hosts/proxy/default.nix
@@ -36,7 +36,7 @@
};
};
-services = {
+ services = {
openssh = {
enable = true;
listenAddresses = [
@@ -46,135 +46,134 @@ services = {
}
];
};
- haproxy =
- let
- forwards = {
- plone = {
- dest = "141.56.51.3";
- domain = "stura.htw-dresden.de";
- httpPort = 80;
- httpsPort = 443;
+ haproxy =
+ let
+ forwards = {
+ plone = {
+ dest = "141.56.51.3";
+ domain = "stura.htw-dresden.de";
+ httpPort = 80;
+ httpsPort = 443;
+ };
+ plone_alt = {
+ dest = "141.56.51.3";
+ domain = "www.stura.htw-dresden.de";
+ httpPort = 80;
+ httpsPort = 443;
+ };
+ tix = {
+ dest = "141.56.51.220";
+ domain = "tix.htw.stura-dresden.de";
+ httpPort = 80;
+ httpsPort = 443;
+ };
+ vot = {
+ dest = "141.56.51.81";
+ domain = "vot.htw.stura-dresden.de";
+ httpPort = 80;
+ httpsPort = 443;
+ };
+ dat = {
+ dest = "141.56.51.81";
+ domain = "dat.htw.stura-dresden.de";
+ httpPort = 80;
+ httpsPort = 443;
+ };
+ pro = {
+ dest = "141.56.51.15";
+ domain = "pro.htw.stura-dresden.de";
+ httpPort = 80;
+ httpsPort = 443;
+ };
+ cloud = {
+ dest = "141.56.51.16";
+ domain = "cloud.htw.stura-dresden.de";
+ httpPort = 80;
+ httpsPort = 443;
+ };
+ wiki = {
+ dest = "141.56.51.13";
+ domain = "wiki.htw.stura-dresden.de";
+ httpPort = 80;
+ httpsPort = 443;
+ };
};
- plone_alt = {
- dest = "141.56.51.3";
- domain = "www.stura.htw-dresden.de";
- httpPort = 80;
- httpsPort = 443;
- };
- tix = {
- dest = "141.56.51.220";
- domain = "tix.htw.stura-dresden.de";
- httpPort = 80;
- httpsPort = 443;
- };
- vot = {
- dest = "141.56.51.81";
- domain = "vot.htw.stura-dresden.de";
- httpPort = 80;
- httpsPort = 443;
- };
- dat = {
- dest = "141.56.51.81";
- domain = "dat.htw.stura-dresden.de";
- httpPort = 80;
- httpsPort = 443;
- };
- pro = {
- dest = "141.56.51.15";
- domain = "pro.htw.stura-dresden.de";
- httpPort = 80;
- httpsPort = 443;
- };
- cloud = {
- dest = "141.56.51.16";
- domain = "cloud.htw.stura-dresden.de";
- httpPort = 80;
- httpsPort = 443;
- };
- wiki = {
- dest = "141.56.51.13";
- domain = "wiki.htw.stura-dresden.de";
- httpPort = 80;
- httpsPort = 443;
- };
- };
- in{
- enable = true;
- config = ''
- global
- log /dev/log local0
- maxconn 4096
- # for ACME/Let's Encrypt cert + key in one file:
- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
- crt-base /var/lib/acme
+ in
+ {
+ enable = true;
+ config = ''
+ global
+ log /dev/log local0
+ maxconn 4096
+ # for ACME/Let's Encrypt cert + key in one file:
+ stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ crt-base /var/lib/acme
- defaults
- log global
- mode tcp
- option tcplog
- timeout connect 5s
- timeout client 30s
- timeout server 30s
+ defaults
+ log global
+ mode tcp
+ option tcplog
+ timeout connect 5s
+ timeout client 30s
+ timeout server 30s
- frontend stats
- bind 127.0.0.1:8404
- mode http
- stats enable
- stats uri /stats
- stats refresh 10s
- stats auth admin:yourpassword
- stats show-legends
- stats show-node
+ frontend stats
+ bind 127.0.0.1:8404
+ mode http
+ stats enable
+ stats uri /stats
+ stats refresh 10s
+ stats auth admin:yourpassword
+ stats show-legends
+ stats show-node
- frontend http-in
- bind *:80
+ frontend http-in
+ bind *:80
- ${
- lib.foldlAttrs(prev: name: value: prev +
- "acl is_${name} hdr(host) -i ${value.domain}\n"
- ) "" forwards
- }
+ ${lib.foldlAttrs (
+ prev: name: value:
+ prev + "acl is_${name} hdr(host) -i ${value.domain}\n"
+ ) "" forwards}
- ${
- lib.foldlAttrs(prev: name: value: prev +
- "use_backend ${name}_80 if is_${name}\n"
- ) "" forwards
- }
+ ${lib.foldlAttrs (
+ prev: name: value:
+ prev + "use_backend ${name}_80 if is_${name}\n"
+ ) "" forwards}
- default_backend plone_80
+ default_backend plone_80
- frontend ssh_jump_alt
- bind *:2142
- mode tcp
- timeout client 30m
- log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] "
- use_backend ssh_srs2
+ frontend ssh_jump_alt
+ bind *:2142
+ mode tcp
+ timeout client 30m
+ log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] "
+ use_backend ssh_srs2
- # ---- SNI routing (TCP, peek at handshake) ----
- frontend sni_router
- bind *:443
- mode tcp
- tcp-request inspect-delay 1s
- tcp-request content accept if { req_ssl_hello_type 1 }
+ # ---- SNI routing (TCP, peek at handshake) ----
+ frontend sni_router
+ bind *:443
+ mode tcp
+ tcp-request inspect-delay 1s
+ tcp-request content accept if { req_ssl_hello_type 1 }
- # terminated here
- ${
- lib.foldlAttrs(prev: name: value: prev +
- "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n"
- ) "" forwards
- }
+ # terminated here
+ ${lib.foldlAttrs (
+ prev: name: value:
+ prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n"
+ ) "" forwards}
- backend ssh_srs2
- mode tcp
- timeout server 30m
- timeout connect 10s
- option tcpka
- server srs2 141.56.51.2:80 check
+ backend ssh_srs2
+ mode tcp
+ timeout server 30m
+ timeout connect 10s
+ option tcpka
+ server srs2 141.56.51.2:80 check
- ${
- lib.foldlAttrs(prev: name: value: prev +
- ''
+ ${lib.foldlAttrs (
+ prev: name: value:
+ prev
+ + ''
backend ${name}_80
mode http
@@ -184,14 +183,11 @@ services = {
server ${name} ${value.dest}:${builtins.toString value.httpsPort} check
''
- ) "" forwards
- }
- '';
- };
+ ) "" forwards}
+ '';
+ };
};
-
-
environment.systemPackages = with pkgs; [
openvpn
tcpdump
diff --git a/hosts/redmine/default.nix b/hosts/redmine/default.nix
index e6ada93..a4e3697 100644
--- a/hosts/redmine/default.nix
+++ b/hosts/redmine/default.nix
@@ -19,7 +19,6 @@
];
networking.defaultGateway.address = "141.56.51.254";
-
security.acme.acceptTerms = true;
security.acme.defaults.email = "cert@stura.htw-dresden.de";