X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=modules%2Fprivate%2Fsystem%2Fquatresaisons.nix;h=ed6f12904cddac077cfea25f89cadfb06e96e327;hb=c92dab20c2bdb2039f37da4d675609986dc1dc6d;hp=395b604f3ce9b3067d3cf9026a94aafe1e20280f;hpb=75489e72e379af8aeac64bc4967717d9ae776ff0;p=perso%2FImmae%2FConfig%2FNix.git
diff --git a/modules/private/system/quatresaisons.nix b/modules/private/system/quatresaisons.nix
index 395b604..ed6f129 100644
--- a/modules/private/system/quatresaisons.nix
+++ b/modules/private/system/quatresaisons.nix
@@ -1,4 +1,3 @@
-{ privateFiles }:
 { config, pkgs, lib, ... }:
 let
 serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons;
@@ -29,6 +28,45 @@ let
 '';
 };
 normalUsers = serverSpecificConfig.users;
+ userquotas = pkgs.writeScriptBin "user_quotas" ''
+ #!/usr/bin/env bash
+ set -euo pipefail
+
+ if [ `whoami` != "root" ]; then
+ list=$(id -u)
+ else
+ list="${builtins.concatStringsSep " " (lib.mapAttrsToList (n: v: builtins.toString v.uid) normalUsers)}"
+ fi
+
+ get_size () {
+ user=$1
+ home=$((du -sbx /home/$user 2>/dev/null | cut -d" " -f1) || echo 0)
+ nextcloud=$((du -sbx /home/var_lib/nextcloud/data/$user 2>/dev/null | cut -d" " -f1) || echo 0)
+ echo "Home: $(numfmt --to=iec "$home")"
+ echo "Nextcloud: $(numfmt --to=iec "$nextcloud")"
+ echo "Raw: $(($home + $nextcloud))"
+ }
+
+ for user in $list; do
+ group=$(id -ng "$user")
+ size=$(get_size "$group")
+ total=$(echo "$size" | grep ^Raw | cut -d" " -f2)
+ decomp=" $group: $(numfmt --to=iec "$total")"
+ decomp="$decomp;$(echo "$size" | grep -v ^Raw | sed -e "s/^/ /")"
+
+ sponsored=$(getent group $group | cut -d':' -f4)
+ IFS=","
+ for subuser in $sponsored; do
+ size=$(get_size "$subuser")
+ totalsub=$(echo "$size" | grep ^Raw | cut -d" " -f2)
+ total=$(($total + $totalsub))
+ decomp="$decomp; $subuser: $(numfmt --to=iec "$totalsub")"
+ decomp="$decomp;$(echo "$size" | grep -v ^Raw | sed -e "s/^/ /")"
+ done
+ echo "$group: $(numfmt --to=iec "$total")"
+ echo "$decomp" | tr ";" "\n"
+ done
+ '';
 sponsoredUser = pkgs.writeScriptBin "sponsored_user" ''
 #!/usr/bin/env bash
@@ -54,7 +92,7 @@ let
 chmod go-rwx /var/lib/nixos/sponsored_users
 echo "$mygroup $1 $2" >> /var/lib/nixos/sponsored_users
 (${pkgs.openldap}/bin/ldapadd -c -D cn=root,dc=salle-s,dc=org \
- -y /var/secrets/ldap/sync_password 2>/dev/null >/dev/null || true) </dev/null >/dev/null || true) </dev/null >/dev/null || true
+ ${pkgs.openldap}/bin/ldapadd -c ${com} -f ${config.secrets.fullPaths."ldap/ldaptree.ldif"} 2>/dev/null >/dev/null || true
 # Remove obsolete users
 ${pkgs.openldap}/bin/ldapsearch -LLL ${com} -s one -b "ou=users,dc=salle-s,dc=org" "uid" |\
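Review bot: `IFS=","` inside the `for user in $list` loop of the new `user_quotas` script is never restored, so from the first iteration on every unquoted expansion (`/home/$user`, `/home/var_lib/nextcloud/data/$user`, `getent group $group`) is split on commas instead of whitespace. When run as root the script walks every configured uid, and the names it hands to `du` come from the group database (`getent group … | cut -d':' -f4`), so they are better handled strictly as data. Split the member list without touching the global IFS, e.g. `IFS=, read -ra members <<< "$sponsored"` followed by `for subuser in "''${members[@]}"; do`, and quote the paths as `"/home/$user"`. Inside the Nix `''…''` string a bash `${` has to be escaped as `''${`, as written here.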
@@ -253,14 +293,12 @@ in
 '';
 };
- secrets.keys = [
- {
- dest = "ldap/sync_password";
+ secrets.keys = {
+ "ldap/sync_password" = {
 permissions = "0400";
 text = serverSpecificConfig.ldap_sync_password;
- }
- {
- dest = "ldap/ldaptree.ldif";
+ };
+ "ldap/ldaptree.ldif" = {
 permissions = "0400";
 text = serverSpecificConfig.ldap_service_users + (builtins.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
@@ -271,9 +309,10 @@ in
 sn: ${n}
 uid: ${n}
 '') normalUsers));
- }
- ];
+ };
+ };
+ myServices.monitoring.enable = true;
 myServices.certificates.enable = true;
 users.mutableUsers = true;
 system.stateVersion = "21.03";
@@ -333,6 +372,7 @@ in
 {
 commands = [
 { command = "${sponsoredUser}/bin/sponsored_user"; options = [ "NOPASSWD" ]; }
+ { command = "/run/current-system/sw/bin/sponsored_user"; options = [ "NOPASSWD" ]; }
 ];
 users = builtins.attrNames normalUsers;
 runAs = "root";
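Review bot: The added sudoers entry `/run/current-system/sw/bin/sponsored_user` grants passwordless root on a system-profile symlink rather than on the pinned store path used by the entry above it, so what runs as root is whichever `bin/sponsored_user` the active profile links. The entry should carry a comment stating why both paths are needed, presumably `# profile path, so that "sudo sponsored_user" resolved through PATH matches the rule`. Neither entry restricts arguments, and the context lines of an earlier hunk show the script appending `$1 $2` to `/var/lib/nixos/sponsored_users` as root, so validation of those arguments (not visible in this diff) should be confirmed inside the script. The enclosing sudo rule starts and ends outside the hunk.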
@@ -340,32 +380,18 @@ in
 ];
 environment.systemPackages = [
- sponsoredUser
- pkgs.git
- pkgs.vim
- pkgs.rsync
- pkgs.strace
- pkgs.home-manager
- pkgs.telnet
- pkgs.htop
- pkgs.iftop
- pkgs.bind.dnsutils
- pkgs.httpie
- pkgs.iotop
- pkgs.whois
- pkgs.ngrep
- pkgs.tcpdump
- pkgs.tshark
- pkgs.tcpflow
- pkgs.nmap
- pkgs.p0f
- pkgs.socat
- pkgs.lsof
- pkgs.psmisc
- pkgs.openssl
- pkgs.wget
- pkgs.pv
- pkgs.smartmontools
+ sponsoredUser userquotas
+ pkgs.git pkgs.vim pkgs.rsync pkgs.strace pkgs.home-manager
+ pkgs.inetutils pkgs.htop pkgs.iftop pkgs.bind.dnsutils pkgs.httpie
+ pkgs.iotop pkgs.whois pkgs.ngrep pkgs.tcpdump pkgs.wireshark-cli
+ pkgs.tcpflow pkgs.nmap pkgs.p0f pkgs.socat pkgs.lsof pkgs.psmisc
+ pkgs.openssl pkgs.wget pkgs.pv pkgs.smartmontools pkgs.youtube-dl
+ pkgs.unzip pkgs.octave pkgs.feh pkgs.xv pkgs.sshfs pkgs.gdb
+ pkgs.file pkgs.lynx pkgs.tmux pkgs.awesome pkgs.libreoffice
+ pkgs.evince pkgs.firefox pkgs.xcalib pkgs.python3 pkgs.python2
+ pkgs.xorg.xkbcomp pkgs.subversion pkgs.xclip pkgs.imagemagick
+ pkgs.bc pkgs.sox pkgs.zip pkgs.gnome3.gnome-screenshot
+ pkgs.datadog-process-agent
 ];
 services.websites.env.production = {
@@ -381,7 +407,7 @@ in
 ''
 ];
 ips = let ips = config.hostEnv.ips.main;
- in [ips.ip4] ++ (ips.ip6 or []);
+ in (ips.ip4 or []) ++ (ips.ip6 or []);
 fallbackVhost = {
 certName = "quatresaisons";
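Review bot: `pkgs.python2` in the new `environment.systemPackages` list puts an end-of-life interpreter on the system-wide PATH of a host that, judging by the sudo rule and user list in the other hunks, serves several shell users. If nothing depends on it, drop it; otherwise add a comment naming the tool that needs it. The list now also mixes network and debugging tools (`pkgs.nmap`, `pkgs.tcpdump`, `pkgs.gdb`) with desktop applications (`pkgs.firefox`, `pkgs.libreoffice`, `pkgs.youtube-dl`) in one flat block, so grouping them under short comments such as `# diagnostics` and `# user desktop applications` would make it easier to audit what is installed and why. `pkgs.telnet` → `pkgs.inetutils` and `pkgs.tshark` → `pkgs.wireshark-cli` look like package renames; confirm they still provide the binaries users rely on.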