-{ privateFiles }:
{ config, pkgs, lib, ... }:
let
serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
'';
};
normalUsers = serverSpecificConfig.users;
+ userquotas = pkgs.writeScriptBin "user_quotas" ''
+ #!/usr/bin/env bash
+ set -euo pipefail
+
+ if [ `whoami` != "root" ]; then
+ list=$(id -u)
+ else
+ list="${builtins.concatStringsSep " " (lib.mapAttrsToList (n: v: builtins.toString v.uid) normalUsers)}"
+ fi
+
+ get_size () {
+ user=$1
+ home=$((du -sbx /home/$user 2>/dev/null | cut -d" " -f1) || echo 0)
+ nextcloud=$((du -sbx /home/var_lib/nextcloud/data/$user 2>/dev/null | cut -d" " -f1) || echo 0)
+ echo "Home: $(numfmt --to=iec "$home")"
+ echo "Nextcloud: $(numfmt --to=iec "$nextcloud")"
+ echo "Raw: $(($home + $nextcloud))"
+ }
+
+ for user in $list; do
+ group=$(id -ng "$user")
+ size=$(get_size "$group")
+ total=$(echo "$size" | grep ^Raw | cut -d" " -f2)
+ decomp=" $group: $(numfmt --to=iec "$total")"
+ decomp="$decomp;$(echo "$size" | grep -v ^Raw | sed -e "s/^/ /")"
+
+ sponsored=$(getent group $group | cut -d':' -f4)
+ IFS=","
+ for subuser in $sponsored; do
+ size=$(get_size "$subuser")
+ totalsub=$(echo "$size" | grep ^Raw | cut -d" " -f2)
+ total=$(($total + $totalsub))
+ decomp="$decomp; $subuser: $(numfmt --to=iec "$totalsub")"
+ decomp="$decomp;$(echo "$size" | grep -v ^Raw | sed -e "s/^/ /")"
+ done
+ echo "$group: $(numfmt --to=iec "$total")"
+ echo "$decomp" | tr ";" "\n"
+ done
+ '';
sponsoredUser = pkgs.writeScriptBin "sponsored_user" ''
#!/usr/bin/env bash
chmod go-rwx /var/lib/nixos/sponsored_users
echo "$mygroup $1 $2" >> /var/lib/nixos/sponsored_users
(${pkgs.openldap}/bin/ldapadd -c -D cn=root,dc=salle-s,dc=org \
- -y /var/secrets/ldap/sync_password 2>/dev/null >/dev/null || true) <<EOF
+ -y ${config.secrets.fullPaths."ldap/sync_password"} 2>/dev/null >/dev/null || true) <<EOF
dn: uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org
objectClass: inetOrgPerson
cn: $1
userdel -r "$1"
sed -i -e "/^$mygroup $1/d" /var/lib/nixos/sponsored_users
${pkgs.openldap}/bin/ldapdelete -D cn=root,dc=salle-s,dc=org \
- -y /var/secrets/ldap/sync_password \
+ -y ${config.secrets.fullPaths."ldap/sync_password"} \
"uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
echo "deleted"
exit 0
if [ "$1" = "$mygroup" ]; then
log "resets web password"
${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
- -y /var/secrets/ldap/sync_password \
+ -y ${config.secrets.fullPaths."ldap/sync_password"} \
-S "uid=$mygroup,ou=users,dc=salle-s,dc=org"
else
IFS=",";
if [ "$u" = "$1" ]; then
log "resets web password of $1"
${pkgs.openldap}/bin/ldappasswd -D cn=root,dc=salle-s,dc=org \
- -y /var/secrets/ldap/sync_password \
+ -y ${config.secrets.fullPaths."ldap/sync_password"} \
-S "uid=$1,uid=$mygroup,ou=users,dc=salle-s,dc=org"
exit 0
fi
{
deployment = {
targetUser = "root";
- targetHost = config.hostEnv.ips.main.ip4;
+ targetHost = lib.head config.hostEnv.ips.main.ip4;
substituteOnDestination = true;
};
+ # ssh-keyscan quatresaison | nix-shell -p ssh-to-age --run ssh-to-age
+ secrets.ageKeys = [ "age1yz8u6xvh2fltvyp96ep8crce3qx4tuceyhun6pwddfe0uvcrkarscxl7e7" ];
programs.ssh.package = pkgs.openssh.overrideAttrs(old: {
PATH_PASSWD_PROG = "/run/wrappers/bin/passwd";
imports = builtins.attrValues (import ../..) ++
[ ./quatresaisons/nextcloud.nix ./quatresaisons/databases.nix ];
- myEnv = import "${privateFiles}/environment.nix" // { inherit privateFiles; };
+ myEnv = import ../../../nixops/secrets/environment.nix;
fileSystems = {
"/" = { device = "/dev/disk/by-uuid/865931b4-c5cc-439f-8e42-8072c7a30634"; fsType = "ext4"; };
deps = [ "secrets" "users" ];
text =
let
- com = "-D cn=root,dc=salle-s,dc=org -y /var/secrets/ldap/sync_password";
+ com = "-D cn=root,dc=salle-s,dc=org -y ${config.secrets.fullPaths."ldap/sync_password"}";
in ''
# Add users
- ${pkgs.openldap}/bin/ldapadd -c ${com} -f /var/secrets/ldap/ldaptree.ldif 2>/dev/null >/dev/null || true
+ ${pkgs.openldap}/bin/ldapadd -c ${com} -f ${config.secrets.fullPaths."ldap/ldaptree.ldif"} 2>/dev/null >/dev/null || true
# Remove obsolete users
${pkgs.openldap}/bin/ldapsearch -LLL ${com} -s one -b "ou=users,dc=salle-s,dc=org" "uid" |\
'';
};
- secrets.keys = [
- {
- dest = "ldap/sync_password";
+ secrets.keys = {
+ "ldap/sync_password" = {
permissions = "0400";
text = serverSpecificConfig.ldap_sync_password;
- }
- {
- dest = "ldap/ldaptree.ldif";
+ };
+ "ldap/ldaptree.ldif" = {
permissions = "0400";
text = serverSpecificConfig.ldap_service_users
+ (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
sn: ${n}
uid: ${n}
'') normalUsers));
- }
- ];
+ };
+ };
+ myServices.monitoring.enable = true;
myServices.certificates.enable = true;
users.mutableUsers = true;
system.stateVersion = "21.03";
{
commands = [
{ command = "${sponsoredUser}/bin/sponsored_user"; options = [ "NOPASSWD" ]; }
+ { command = "/run/current-system/sw/bin/sponsored_user"; options = [ "NOPASSWD" ]; }
];
users = builtins.attrNames normalUsers;
runAs = "root";
];
environment.systemPackages = [
- sponsoredUser
- pkgs.git
- pkgs.vim
- pkgs.rsync
- pkgs.strace
- pkgs.home-manager
- pkgs.telnet
- pkgs.htop
- pkgs.iftop
- pkgs.bind.dnsutils
- pkgs.httpie
- pkgs.iotop
- pkgs.whois
- pkgs.ngrep
- pkgs.tcpdump
- pkgs.tshark
- pkgs.tcpflow
- pkgs.nmap
- pkgs.p0f
- pkgs.socat
- pkgs.lsof
- pkgs.psmisc
- pkgs.openssl
- pkgs.wget
- pkgs.pv
- pkgs.smartmontools
+ sponsoredUser userquotas
+ pkgs.git pkgs.vim pkgs.rsync pkgs.strace pkgs.home-manager
+ pkgs.inetutils pkgs.htop pkgs.iftop pkgs.bind.dnsutils pkgs.httpie
+ pkgs.iotop pkgs.whois pkgs.ngrep pkgs.tcpdump pkgs.wireshark-cli
+ pkgs.tcpflow pkgs.nmap pkgs.p0f pkgs.socat pkgs.lsof pkgs.psmisc
+ pkgs.openssl pkgs.wget pkgs.pv pkgs.smartmontools pkgs.youtube-dl
+ pkgs.unzip pkgs.octave pkgs.feh pkgs.xv pkgs.sshfs pkgs.gdb
+ pkgs.file pkgs.lynx pkgs.tmux pkgs.awesome pkgs.libreoffice
+ pkgs.evince pkgs.firefox pkgs.xcalib pkgs.python3 pkgs.python2
+ pkgs.xorg.xkbcomp pkgs.subversion pkgs.xclip pkgs.imagemagick
+ pkgs.bc pkgs.sox pkgs.zip pkgs.gnome3.gnome-screenshot
+ pkgs.datadog-process-agent
];
services.websites.env.production = {
'' ];
ips =
let ips = config.hostEnv.ips.main;
- in [ips.ip4] ++ (ips.ip6 or []);
+ in (ips.ip4 or []) ++ (ips.ip6 or []);
fallbackVhost = {
certName = "quatresaisons";
projects / perso / Immae / Config / Nix.git / blobdiff