This commit is contained in:
goeranh 2026-02-25 20:13:18 +01:00
parent 6add85a106
commit 3e82d5f015
No known key found for this signature in database
5 changed files with 173 additions and 166 deletions


@ -34,7 +34,7 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINABEf0jBjtDdezDDtvl1v27l0DbHP2XUgMARTZXC+MR goeranh@node5" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINABEf0jBjtDdezDDtvl1v27l0DbHP2XUgMARTZXC+MR goeranh@node5"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDmYHNdtPmQqvNINEWJgqEojrye+wQKr0S0VwlGv7xUa goeranh@node7" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDmYHNdtPmQqvNINEWJgqEojrye+wQKr0S0VwlGv7xUa goeranh@node7"
]; ];
in in
rec { rec {
formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
packages.x86_64-linux = packages.x86_64-linux =
@ -46,33 +46,39 @@
# run nixos-rebuild switch on the target system # run nixos-rebuild switch on the target system
# the config will be built locally and copied over # the config will be built locally and copied over
"${name}-update" = nixpkgs.legacyPackages.x86_64-linux.writeShellScriptBin "update" '' "${name}-update" = nixpkgs.legacyPackages.x86_64-linux.writeShellScriptBin "update" ''
nixos-rebuild switch --flake .#${name} --target-host root@${name}.test.htw.stura-dresden.de nixos-rebuild switch --flake .#${name} --target-host root@${name}.test.htw.stura-dresden.de
''; '';
# copy install image to testserver and deploy the specified configuration to it # copy install image to testserver and deploy the specified configuration to it
"${name}-deploy-test" = nixpkgs.legacyPackages.x86_64-linux.writeShellScriptBin "deploy" '' "${name}-deploy-test" = nixpkgs.legacyPackages.x86_64-linux.writeShellScriptBin "deploy" ''
FILENAME="$(ls ${self.packages.x86_64-linux."installer-iso".outPath}/iso)" FILENAME="$(ls ${self.packages.x86_64-linux."installer-iso".outPath}/iso)"
scp ${self.packages.x86_64-linux."installer-iso".outPath}/iso/$FILENAME root@10.1.0.17:/var/lib/vz/template/iso/$FILENAME scp ${
ssh 10.1.0.17 "qm create $1 --name ${nixosConfigurations.${name}.config.networking.fqdn} --cores 4 --memory 4096 --sata1 file=/var/lib/vz/template/iso/$FILENAME,media=cdrom --scsi1 pool1:32 --scsihw virtio-scsi-single --net0 virtio,bridge=vmbr1 --description \"von goeranh mailserver flake genierierte wegwerf-vm <br> ${nixosConfigurations.${name}.config.networking.fqdn}\"" self.packages.x86_64-linux."installer-iso".outPath
ssh 10.1.0.17 "qm start $1" }/iso/$FILENAME root@10.1.0.17:/var/lib/vz/template/iso/$FILENAME
ssh 10.1.0.17 "qm create $1 --name ${
nixosConfigurations.${name}.config.networking.fqdn
} --cores 4 --memory 4096 --sata1 file=/var/lib/vz/template/iso/$FILENAME,media=cdrom --scsi1 pool1:32 --scsihw virtio-scsi-single --net0 virtio,bridge=vmbr1 --description \"von goeranh mailserver flake genierierte wegwerf-vm <br> ${
nixosConfigurations.${name}.config.networking.fqdn
}\""
ssh 10.1.0.17 "qm start $1"
# hardcoded deployment ip # hardcoded deployment ip
# wait until a connection to port 22 on the deployment ip is reachable # wait until a connection to port 22 on the deployment ip is reachable
until nc -vzw 2 141.56.51.98 22 2>/dev/null; do echo trying; sleep 2; done until nc -vzw 2 141.56.51.98 22 2>/dev/null; do echo trying; sleep 2; done
# run nixos-anywhere on the deployment address with the specified configuration # run nixos-anywhere on the deployment address with the specified configuration
nix run github:nix-community/nixos-anywhere -- --flake .#${name} --target-host root@141.56.51.98 nix run github:nix-community/nixos-anywhere -- --flake .#${name} --target-host root@141.56.51.98
''; '';
} }
) )
{ } { }
( # filter all nixos configs containing installer (
builtins.filter (item: !nixpkgs.lib.hasInfix "-" item) ( # filter all nixos configs containing installer
builtins.attrNames nixosConfigurations builtins.filter (item: !nixpkgs.lib.hasInfix "-" item) (builtins.attrNames nixosConfigurations)
) )
) // // (
(let let
iso-config = nixpkgs.lib.nixosSystem { iso-config = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
@ -83,10 +89,12 @@
isNormalUser = true; isNormalUser = true;
}; };
users.users.root.openssh.authorizedKeys.keys = sshkeys; users.users.root.openssh.authorizedKeys.keys = sshkeys;
networking.interfaces.ens18.ipv4.addresses = [{ networking.interfaces.ens18.ipv4.addresses = [
address = "141.56.51.98"; {
prefixLength = 24; address = "141.56.51.98";
}]; prefixLength = 24;
}
];
services.getty.autologinUser = "root"; services.getty.autologinUser = "root";
services.openssh.enable = true; services.openssh.enable = true;
system.stateVersion = "25.11"; system.stateVersion = "25.11";
@ -96,10 +104,12 @@
} }
]; ];
}; };
in { in
{
installer-iso = iso-config.config.system.build.isoImage; installer-iso = iso-config.config.system.build.isoImage;
installer-vm = iso-config.config.system.build.vm; installer-vm = iso-config.config.system.build.vm;
}); }
);
nixosConfigurations = builtins.foldl' ( nixosConfigurations = builtins.foldl' (
result: input: result: input:


@ -44,7 +44,10 @@
systemd.services.authentik-secrets-generator = { systemd.services.authentik-secrets-generator = {
enable = true; enable = true;
requiredBy = [ "authentik-secrets-setup.service" "authentik-worker.service" ]; requiredBy = [
"authentik-secrets-setup.service"
"authentik-worker.service"
];
script = '' script = ''
echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > /var/lib/authentik_secret echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > /var/lib/authentik_secret
''; '';


@ -29,21 +29,14 @@ in
]; ];
networking.hostName = "git"; networking.hostName = "git";
networking.domain = "test.htw.stura-dresden.de";
networking.interfaces.ens18.ipv4.addresses = [ networking.interfaces.ens18.ipv4.addresses = [
{ {
address = "167.235.225.23"; address = "141.56.51.97";
prefixLength = 32; prefixLength = 24;
} }
]; ];
networking.interfaces.ens18.ipv6.addresses = [ networking.defaultGateway.address = "141.56.51.254";
{
address = "2a01:4f8:c012:6bd7::1";
prefixLength = 32;
}
];
networking.defaultGateway.address = "172.31.1.1";
networking.nameservers = [ networking.nameservers = [
"9.9.9.9" "9.9.9.9"
"1.1.1.1" "1.1.1.1"
@ -53,30 +46,36 @@ in
services.forgejo = { services.forgejo = {
enable = true; enable = true;
settings = { settings = {
server = { server = {
PROTOCOL = "http+unix"; PROTOCOL = "http+unix";
HTTP_ADDR = "/var/run/forgejo.sock"; HTTP_ADDR = "/run/forgejo/forgejo.sock";
ROOT_URL = "https://${config.networking.fqdn}"; ROOT_URL = "https://${config.networking.fqdn}";
}; };
oauth2_client = {
ENABLE_AUTO_REGISTRATION = "true";
REGISTER_EMAIL_CONFIRM = "false";
username = "email";
};
service = {
SHOW_REGISTRATION_BUTTON = "false";
};
}; };
}; };
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts."git.htw.stura-dresden.de" = { virtualHosts."${config.networking.fqdn}" = {
forceSSL = true;
enableACME = true;
locations."/" = { locations."/" = {
recommendedProxySettings = true; recommendedProxySettings = true;
proxyWebsockets = true; proxyWebsockets = true;
proxyPass = "http://unix:/var/run/forgejo.sock"; proxyPass = "http://unix:/run/forgejo/forgejo.sock";
}; };
}; };
}; };
# virtualisation.docker.enable = true;
security.acme.acceptTerms = true;
security.acme.defaults.email = "cert@stura.htw-dresden.de";
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
25 25
80 80
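Review bot: The new `oauth2_client` block writes the username source as `username = "email"` while its sibling keys (`ENABLE_AUTO_REGISTRATION`, `REGISTER_EMAIL_CONFIRM`) are uppercase; Forgejo documents this option as `USERNAME`, so the lowercase key may be silently ignored and the default applied — confirm against the rendered app.ini and, if so, change the line to `USERNAME = "email";`. With `ENABLE_AUTO_REGISTRATION = "true"` and `REGISTER_EMAIL_CONFIRM = "false"`, every identity the configured IdP asserts becomes a Forgejo account with no local check, so the IdP's own user and email verification is now the only gate on account creation; a comment above the block stating that assumption would help the next maintainer, e.g. `# account creation is delegated entirely to the OAuth2 IdP; no local email confirmation`. The `services.forgejo` attribute set and the firewall port list continue outside the hunk.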


@ -36,7 +36,7 @@
}; };
}; };
services = { services = {
openssh = { openssh = {
enable = true; enable = true;
listenAddresses = [ listenAddresses = [
@ -46,135 +46,134 @@ services = {
} }
]; ];
}; };
haproxy = haproxy =
let let
forwards = { forwards = {
plone = { plone = {
dest = "141.56.51.3"; dest = "141.56.51.3";
domain = "stura.htw-dresden.de"; domain = "stura.htw-dresden.de";
httpPort = 80; httpPort = 80;
httpsPort = 443; httpsPort = 443;
};
plone_alt = {
dest = "141.56.51.3";
domain = "www.stura.htw-dresden.de";
httpPort = 80;
httpsPort = 443;
};
tix = {
dest = "141.56.51.220";
domain = "tix.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
vot = {
dest = "141.56.51.81";
domain = "vot.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
dat = {
dest = "141.56.51.81";
domain = "dat.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
pro = {
dest = "141.56.51.15";
domain = "pro.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
cloud = {
dest = "141.56.51.16";
domain = "cloud.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
wiki = {
dest = "141.56.51.13";
domain = "wiki.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
}; };
plone_alt = { in
dest = "141.56.51.3"; {
domain = "www.stura.htw-dresden.de"; enable = true;
httpPort = 80; config = ''
httpsPort = 443; global
}; log /dev/log local0
tix = { maxconn 4096
dest = "141.56.51.220"; # for ACME/Let's Encrypt cert + key in one file:
domain = "tix.htw.stura-dresden.de"; stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
httpPort = 80; crt-base /var/lib/acme
httpsPort = 443;
};
vot = {
dest = "141.56.51.81";
domain = "vot.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
dat = {
dest = "141.56.51.81";
domain = "dat.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
pro = {
dest = "141.56.51.15";
domain = "pro.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
cloud = {
dest = "141.56.51.16";
domain = "cloud.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
wiki = {
dest = "141.56.51.13";
domain = "wiki.htw.stura-dresden.de";
httpPort = 80;
httpsPort = 443;
};
};
in{
enable = true;
config = ''
global
log /dev/log local0
maxconn 4096
# for ACME/Let's Encrypt cert + key in one file:
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
crt-base /var/lib/acme
defaults defaults
log global log global
mode tcp mode tcp
option tcplog option tcplog
timeout connect 5s timeout connect 5s
timeout client 30s timeout client 30s
timeout server 30s timeout server 30s
frontend stats frontend stats
bind 127.0.0.1:8404 bind 127.0.0.1:8404
mode http mode http
stats enable stats enable
stats uri /stats stats uri /stats
stats refresh 10s stats refresh 10s
stats auth admin:yourpassword stats auth admin:yourpassword
stats show-legends stats show-legends
stats show-node stats show-node
frontend http-in frontend http-in
bind *:80 bind *:80
${ ${lib.foldlAttrs (
lib.foldlAttrs(prev: name: value: prev + prev: name: value:
"acl is_${name} hdr(host) -i ${value.domain}\n" prev + "acl is_${name} hdr(host) -i ${value.domain}\n"
) "" forwards ) "" forwards}
}
${ ${lib.foldlAttrs (
lib.foldlAttrs(prev: name: value: prev + prev: name: value:
"use_backend ${name}_80 if is_${name}\n" prev + "use_backend ${name}_80 if is_${name}\n"
) "" forwards ) "" forwards}
}
default_backend plone_80 default_backend plone_80
frontend ssh_jump_alt frontend ssh_jump_alt
bind *:2142 bind *:2142
mode tcp mode tcp
timeout client 30m timeout client 30m
log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] " log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq dst:%[var(sess.dst)] "
use_backend ssh_srs2 use_backend ssh_srs2
# ---- SNI routing (TCP, peek at handshake) ---- # ---- SNI routing (TCP, peek at handshake) ----
frontend sni_router frontend sni_router
bind *:443 bind *:443
mode tcp mode tcp
tcp-request inspect-delay 1s tcp-request inspect-delay 1s
tcp-request content accept if { req_ssl_hello_type 1 } tcp-request content accept if { req_ssl_hello_type 1 }
# terminated here # terminated here
${ ${lib.foldlAttrs (
lib.foldlAttrs(prev: name: value: prev + prev: name: value:
"use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n" prev + "use_backend ${name}_443 if { req_ssl_sni -i ${value.domain} }\n"
) "" forwards ) "" forwards}
}
backend ssh_srs2 backend ssh_srs2
mode tcp mode tcp
timeout server 30m timeout server 30m
timeout connect 10s timeout connect 10s
option tcpka option tcpka
server srs2 141.56.51.2:80 check server srs2 141.56.51.2:80 check
${ ${lib.foldlAttrs (
lib.foldlAttrs(prev: name: value: prev + prev: name: value:
'' prev
+ ''
backend ${name}_80 backend ${name}_80
mode http mode http
@ -184,14 +183,11 @@ services = {
server ${name} ${value.dest}:${builtins.toString value.httpsPort} check server ${name} ${value.dest}:${builtins.toString value.httpsPort} check
'' ''
) "" forwards ) "" forwards}
} '';
''; };
};
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
openvpn openvpn
tcpdump tcpdump


@ -19,7 +19,6 @@
]; ];
networking.defaultGateway.address = "141.56.51.254"; networking.defaultGateway.address = "141.56.51.254";
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
security.acme.defaults.email = "cert@stura.htw-dresden.de"; security.acme.defaults.email = "cert@stura.htw-dresden.de";