From 1a64deeb894dc95e2645a75771732c6cc53a79ad Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Wed, 4 Oct 2023 01:35:06 +0200 Subject: Squash changes containing private information There were a lot of changes since the previous commit, but a lot of them contained personal information about users. All those changes got stashed into a single commit (history is kept in a different place) and private information was moved to a separate private repository --- modules/private/system/backup-2.nix | 137 ------- modules/private/system/dilion.nix | 242 ------------ modules/private/system/dilion/vms.nix | 185 --------- .../system/dilion/vms/base_configuration.nix | 21 - modules/private/system/dilion/vms/base_image.nix | 94 ----- .../system/dilion/vms/buildbot_configuration.nix | 67 ---- modules/private/system/eldiron.nix | 228 ----------- modules/private/system/monitoring-1.nix | 69 ---- modules/private/system/quatresaisons.nix | 436 --------------------- modules/private/system/quatresaisons/databases.nix | 147 ------- modules/private/system/quatresaisons/landing.yml | 32 -- .../private/system/quatresaisons/landing_4c.yml | 24 -- modules/private/system/quatresaisons/nextcloud.nix | 141 ------- 13 files changed, 1823 deletions(-) delete mode 100644 modules/private/system/backup-2.nix delete mode 100644 modules/private/system/dilion.nix delete mode 100644 modules/private/system/dilion/vms.nix delete mode 100644 modules/private/system/dilion/vms/base_configuration.nix delete mode 100644 modules/private/system/dilion/vms/base_image.nix delete mode 100644 modules/private/system/dilion/vms/buildbot_configuration.nix delete mode 100644 modules/private/system/eldiron.nix delete mode 100644 modules/private/system/monitoring-1.nix delete mode 100644 modules/private/system/quatresaisons.nix delete mode 100644 modules/private/system/quatresaisons/databases.nix delete mode 100644 modules/private/system/quatresaisons/landing.yml delete mode 100644 modules/private/system/quatresaisons/landing_4c.yml delete mode 100644 
modules/private/system/quatresaisons/nextcloud.nix (limited to 'modules/private/system')
diff --git a/modules/private/system/backup-2.nix b/modules/private/system/backup-2.nix
deleted file mode 100644
index c01a666..0000000
--- a/modules/private/system/backup-2.nix
+++ /dev/null
@@ -1,137 +0,0 @@ -{ config, pkgs, resources, name, ... }: -{ - deployment = { - targetUser = "root"; - targetHost = config.hostEnv.ips.main.ip4; - substituteOnDestination = true; - }; - # ssh-keyscan backup-2 | nix-shell -p ssh-to-age --run ssh-to-age - secrets.ageKeys = [ "age1kk3nr27qu42j28mcfdag5lhq0zu2pky7gfanvne8l4z2ctevjpgskmw0sr" ]; - secrets.keys = { - "rsync_backup/identity" = { - user = "backup"; - group = "backup"; - permissions = "0400"; - text = config.myEnv.rsync_backup.ssh_key.private; - }; - "rsync_backup/identity.pub" = { - user = "backup"; - group = "backup"; - permissions = "0444"; - text = config.myEnv.rsync_backup.ssh_key.public; - }; - }; - boot.kernelPackages = pkgs.linuxPackages_latest; - myEnv = import ../../../nixops/secrets/environment.nix; - - imports = [ ] ++ builtins.attrValues (import ../..); - - fileSystems = { - "/backup2" = { - fsType = "ext4"; - device = "UUID=b9425333-f567-435d-94d8-b26c22d93426"; - }; - "/" = { device = "/dev/sda1"; fsType = "ext4"; }; - }; - - networking = { - firewall.enable = true; - interfaces."ens3".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList - (n: ips: { address = ips.ip4; prefixLength = 32; }) - (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips); - interfaces."ens3".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList - (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or [])) - config.hostEnv.ips); - defaultGateway6 = { address = "fe80::1"; interface = "ens3"; }; - }; - - boot.loader.grub.device = "nodev"; - - myServices.certificates.enable = true; - security.acme.certs."${name}" = { - user = config.services.nginx.user; - group = config.services.nginx.group; - }; - services.nginx = { - enable = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - services.cron = { - mailto 
= "cron@immae.eu"; - enable = true; - }; - - services.rsyncBackup = { - mountpoint = "/backup2"; - profiles = config.myEnv.rsync_backup.profiles; - ssh_key_public = config.secrets.fullPaths."rsync_backup/identity.pub"; - ssh_key_private = config.secrets.fullPaths."rsync_backup/identity"; - }; - - myServices.mailRelay.enable = true; - myServices.mailBackup.enable = true; - myServices.monitoring.enable = true; - myServices.databasesReplication = { - postgresql = { - enable = true; - base = "/backup2"; - mainPackage = pkgs.postgresql; - hosts = { - eldiron = { - slot = "backup_2"; - connection = "postgresql://backup-2:${config.hostEnv.ldap.password}@eldiron.immae.eu"; - package = pkgs.postgresql; - }; - }; - }; - mariadb = { - enable = true; - base = "/backup2"; - hosts = { - eldiron = { - serverId = 2; - # mysql resolves "backup-2" host and checks the ip, but uses /etc/hosts which only contains ip4 - host = config.myEnv.servers.eldiron.ips.main.ip4; - port = "3306"; - user = "backup-2"; - password = config.hostEnv.ldap.password; - dumpUser = "root"; - dumpPassword = config.myEnv.databases.mysql.systemUsers.root; - }; - }; - }; - redis = { - enable = true; - base = "/backup2"; - hosts = { - eldiron = { - host = "127.0.0.1"; - port = "16379"; - }; - }; - }; - openldap = { - enable = true; - base = "/backup2"; - hosts = { - eldiron = { - url = "ldaps://${config.myEnv.ldap.host}:636"; - dn = config.myEnv.ldap.replication_dn; - password = config.myEnv.ldap.replication_pw; - base = config.myEnv.ldap.base; - }; - }; - }; - }; - - # This value determines the NixOS release with which your system is - # to be compatible, in order to avoid breaking some software such as - # database servers. You should change this only after NixOS release - # notes say you should. - # https://nixos.org/nixos/manual/release-notes.html - system.stateVersion = "20.03"; # Did you read the comment? -} 
diff --git a/modules/private/system/dilion.nix b/modules/private/system/dilion.nix
deleted file mode 100644
index fa92cd9..0000000
--- a/modules/private/system/dilion.nix
+++ /dev/null
@@ -1,242 +0,0 @@ -{ config, pkgs, name, lib, ... }: -{ - deployment = { - targetUser = "root"; - targetHost = config.hostEnv.ips.main.ip4; - substituteOnDestination = true; - }; - # ssh-keyscan dilion | nix-shell -p ssh-to-age --run ssh-to-age - secrets.ageKeys = [ "age1x49n6qa0arkdpq8530s7umgm0gqkq90exv4jep97q30rfnzknpaqate06a" ]; - nixpkgs.system = lib.mkOverride 900 "x86_64-linux"; - boot = { - loader = { - grub = { - version = 2; - devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" ]; - }; - timeout = 1; - }; - blacklistedKernelModules = [ "nvidiafb" ]; - supportedFilesystems = [ "zfs" ]; - kernelPackages = pkgs.linuxPackages_latest; - kernelModules = [ "kvm-intel" ]; - initrd.availableKernelModules = [ "ahci" "sd_mod" ]; - initrd.secrets = { - "/boot/pass.key" = "/boot/pass.key"; - }; - kernel.sysctl."vm.nr_hugepages" = 256; # for xmr-stak - # available in nixos-20.09 - #zfs.requestEncryptionCredentials = [ "zpool/root" ]; - }; - nix.maxJobs = 8; - powerManagement.cpuFreqGovernor = "powersave"; - hardware.enableRedistributableFirmware = true; - - myEnv = import ../../../nixops/secrets/environment.nix; - - swapDevices = [ { label = "swap"; } ]; - fileSystems = { - "/" = { fsType = "zfs"; device = "zpool/root"; }; - "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/fd1c511e-2bc0-49d5-b8bb-95e7e8c8c816"; }; - "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; }; - "/home" = { fsType = "zfs"; device = "zpool/root/home"; }; - "/home/immae" = { fsType = "zfs"; device = "zpool/root/home/immae"; }; - "/tmp" = { fsType = "zfs"; device = "zpool/root/tmp"; }; - "/var" = { fsType = "zfs"; device = "zpool/root/var"; }; - "/data" = { fsType = "ext4"; label = "data"; }; - "/nix" = { fsType = "ext4"; label = "nix"; }; - }; - - services.udev.extraRules = '' - ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="10:bf:48:7f:e6:3b", NAME="eth0" - ''; - - networking = { - hostId = "27c3048d"; # generated with head -c4 /dev/urandom | od -A none -t x4 - firewall.enable 
= false; - interfaces."eth0".ipv4.addresses = - [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ] - ++ pkgs.lib.attrsets.mapAttrsToList - (n: ips: { address = ips.ip4; prefixLength = 32; }) - (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips); - interfaces."eth0".ipv6.addresses = - [ { address = "2a01:4f8:141:53e7::"; prefixLength = 64; } ] - ++ pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList - (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or [])) - config.hostEnv.ips); - defaultGateway = { address = "176.9.10.225"; interface = "eth0"; }; - defaultGateway6 = { address = "fe80::1"; interface = "eth0"; }; - nameservers = [ - "213.133.98.98" - "213.133.99.99" - "213.133.100.100" - "2a01:4f8:0:a0a1::add:1010" - "2a01:4f8:0:a102::add:9999" - "2a01:4f8:0:a111::add:9898" - ]; - }; - - myServices.ssh.modules = [ config.myServices.ssh.predefinedModules.regular ]; - imports = builtins.attrValues (import ../..) 
++ [ ./dilion/vms.nix ]; - - system.nssModules = [ pkgs.libvirt ]; - system.nssDatabases.hosts = lib.mkForce [ "files" "libvirt_guest" "mymachines" "dns" "myhostname" ]; - programs.zsh.enable = true; - - users.users.libvirt = { - hashedPassword = "!"; - shell = pkgs.bashInteractive; - isSystemUser = true; - group = "libvirtd"; - packages = [ pkgs.netcat-openbsd ]; - openssh.authorizedKeys.keys = [ - config.myEnv.buildbot.ssh_key.public - config.myEnv.sshd.rootKeys.ismael_flony - ]; - }; - - users.users.backup = { - hashedPassword = "!"; - isSystemUser = true; - extraGroups = [ "keys" ]; - shell = pkgs.bashInteractive; - openssh.authorizedKeys.keys = let - zreplConfig = config.secrets.fullPaths."zrepl/zrepl.yml"; - in - ["command=\"${pkgs.zrepl}/bin/zrepl stdinserver --config ${zreplConfig} eldiron\",restrict ${config.myEnv.zrepl_backup.ssh_key.public}"]; - }; - security.sudo.extraRules = pkgs.lib.mkAfter [ - { - commands = [ - { command = "/home/immae/.nix-profile/root_scripts/*"; options = [ "NOPASSWD" ]; } - ]; - users = [ "immae" ]; - runAs = "root"; - } - ]; - - system.activationScripts.libvirtd_exports = '' - install -m 0755 -o root -g root -d /var/lib/caldance - ''; - virtualisation.docker.enable = true; - virtualisation.docker.storageDriver = "zfs"; - virtualisation.libvirtd.enable = true; - users.extraUsers.immae.extraGroups = [ "libvirtd" "docker" ]; - systemd.services.libvirtd.postStart = '' - install -m 0770 -g libvirtd -d /var/lib/libvirt/images - ''; - systemd.services.socat-caldance = { - description = "Forward ssh port to caldance"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - - serviceConfig = { - ExecStart = "${pkgs.socat}/bin/socat TCP-LISTEN:8022,fork TCP:caldance:22"; - }; - }; - - time.timeZone = "Europe/Paris"; - nix = { - useSandbox = "relaxed"; - extraOptions = '' - keep-outputs = true - keep-derivations = true - allow-unsafe-native-code-during-evaluation = true - experimental-features = nix-command flakes - 
#Assumed in NUR - allow-import-from-derivation = true - ''; - }; - - security.pki.certificateFiles = [ - (pkgs.fetchurl { - url = "http://downloads.e.eriomem.net/eriomemca.pem"; - sha256 = "1ixx4c6j3m26j8dp9a3dkvxc80v1nr5aqgmawwgs06bskasqkvvh"; - }) - ]; - - # This is equivalent to setting environment.sessionVariables.NIX_PATH - nix.nixPath = [ - "home-manager=${pkgs.sources.home-manager.url}" - "nixpkgs=${pkgs.sources.nixpkgs-home-manager.url}" - ]; - nix.binaryCaches = [ "https://hydra.iohk.io" "https://cache.nixos.org" ]; - nix.binaryCachePublicKeys = [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ]; - - myServices.monitoring.enable = true; - myServices.certificates.enable = true; - security.acme.certs."${name}-immae" = config.myServices.certificates.certConfig // { - user = "immae"; - domain = "dilion.immae.eu"; - }; - security.acme.certs."${name}" = { - user = config.services.nginx.user; - group = config.services.nginx.group; - extraDomains = { - "dilion.immae.dev" = null; - "caldance.cs.immae.dev" = null; - }; - }; - services.nginx = { - enable = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - recommendedProxySettings = true; - upstreams = { - caldance.servers."caldance:3031" = {}; - }; - virtualHosts = { - "dilion.immae.dev" = { - acmeRoot = config.myServices.certificates.webroot; - useACMEHost = name; - forceSSL = true; - root = "/home/immae/www"; - }; - "caldance.cs.immae.dev" = { - acmeRoot = config.myServices.certificates.webroot; - useACMEHost = name; - forceSSL = true; - locations."/".extraConfig = '' - uwsgi_pass caldance; - ''; - locations."/static/".alias = "/var/lib/caldance/caldance/app/www/static/"; - locations."/media/".alias = "/var/lib/caldance/caldance/media/"; - extraConfig = '' - auth_basic "Authentification requise"; - auth_basic_user_file ${pkgs.writeText "htpasswd" config.myEnv.websites.caldance.integration.password}; - ''; - }; - }; - }; - - 
systemd.services.zrepl.serviceConfig.RuntimeDirectory = lib.mkForce "zrepl zrepl/stdinserver"; - systemd.services.zrepl.serviceConfig.User = "backup"; - # zfs allow backup create,mount,receive,destroy,rename,snapshot,hold,bookmark,release zpool/backup - services.zrepl = { - enable = true; - config = '' - global: - control: - sockpath: /run/zrepl/control - serve: - stdinserver: - sockdir: /run/zrepl/stdinserver - jobs: - - type: sink - # must not change - name: "backup-from-eldiron" - root_fs: "zpool/backup" - serve: - type: stdinserver - client_identities: - - eldiron - ''; - }; - # This value determines the NixOS release with which your system is - # to be compatible, in order to avoid breaking some software such as - # database servers. You should change this only after NixOS release - # notes say you should. - # https://nixos.org/nixos/manual/release-notes.html - system.stateVersion = "20.03"; # Did you read the comment? -} - diff --git a/modules/private/system/dilion/vms.nix b/modules/private/system/dilion/vms.nix deleted file mode 100644 index af96622..0000000 --- a/modules/private/system/dilion/vms.nix +++ /dev/null 
@@ -1,185 +0,0 @@ -# inspired from https://nixos.wiki/wiki/Virtualization_in_NixOS -{ config, pkgs, lib, ... }@args: -let - pools = { - niximages = { - type = "dir"; - target = "/etc/libvirtd/base-images"; - }; - buildbot-disks = rec { - preStart = '' - mkdir -p ${target} - ''; - type = "dir"; - target = "/var/lib/libvirt/images/buildbot-disks"; - }; - zfspool = { - # pool-define-as --name zfspool --source-name zpool/libvirt --type zfs - type = "zfs"; - xml = '' - - zpool/libvirt - - ''; - }; - }; - networks = { - immae = { - bridgeNumber = "1"; - ipRange = "192.168.100"; - }; - }; - guests = { - caldance = { - pool = "zfspool"; - cpus = "1"; - memory = "2"; - network = "immae"; - diskSize = "10GiB"; - extraDevicesXML = '' - - - - - ''; - }; - buildbot = { - pool = "zfspool"; - cpus = "1"; - memory = "3"; - network = "immae"; - diskSize = "10GiB"; - destroyVolumeOnExit = true; - }; - }; - toImage = f: "${import ./vms/base_image.nix f (args // { myEnv = config.myEnv; })}/nixos.qcow2"; -in -{ - environment.etc."libvirtd/base-images/nixos.qcow2".source = toImage ./vms/base_configuration.nix; - environment.etc."libvirtd/base-images/buildbot.qcow2".source = toImage ./vms/buildbot_configuration.nix; - systemd.services = lib.mapAttrs' (name: guest: lib.nameValuePair "libvirtd-guest-${name}" { - after = [ "libvirtd.service" "libvirtd-pool-${guest.pool}.service" "libvirtd-network-${guest.network}.service" ]; - requires = [ "libvirtd.service" "libvirtd-pool-${guest.pool}.service" "libvirtd-network-${guest.network}.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - }; - script = - let - xml = pkgs.writeText "libvirt-guest-${name}.xml" - '' - - ${name} - UUID - ${guest.memory} - ${guest.cpus} - - hvm - - - /run/current-system/sw/bin/qemu-system-x86_64 - - - - - ${guest.extraDevicesXML or ""} - - - - - - - - - - - ''; - in - guest.preStart or "" + '' - if ! 
${pkgs.libvirt}/bin/virsh vol-key 'guest-${name}' --pool ${guest.pool} &> /dev/null; then - ${pkgs.libvirt}/bin/virsh vol-create-as --pool ${guest.pool} --name 'guest-${name}' --capacity '${guest.diskSize}' - volume_path=$(${pkgs.libvirt}/bin/virsh vol-path --pool ${guest.pool} --vol 'guest-${name}') - ${pkgs.qemu}/bin/qemu-img convert /etc/libvirtd/base-images/nixos.qcow2 $volume_path - fi - uuid="$(${pkgs.libvirt}/bin/virsh domuuid '${name}' || true)" - ${pkgs.libvirt}/bin/virsh define <(sed "s/UUID/$uuid/" '${xml}') - ${pkgs.libvirt}/bin/virsh start '${name}' - ''; - preStop = '' - ${pkgs.libvirt}/bin/virsh shutdown '${name}' - let "timeout = $(date +%s) + 10" - while [ "$(${pkgs.libvirt}/bin/virsh list --name | grep --count '^${name}$')" -gt 0 ]; do - if [ "$(date +%s)" -ge "$timeout" ]; then - # Meh, we warned it... - ${pkgs.libvirt}/bin/virsh destroy '${name}' - else - # The machine is still running, let's give it some time to shut down - sleep 0.5 - fi - done - '' + lib.optionalString (guest.destroyVolumeOnExit or false) '' - if ${pkgs.libvirt}/bin/virsh vol-key 'guest-${name}' --pool ${guest.pool} &> /dev/null; then - ${pkgs.libvirt}/bin/virsh vol-wipe --pool ${guest.pool} --vol 'guest-${name}' || true - ${pkgs.libvirt}/bin/virsh vol-delete --pool ${guest.pool} --vol 'guest-${name}' - fi - ''; - }) guests // (lib.mapAttrs' (name: network: lib.nameValuePair "libvirtd-network-${name}" { - after = [ "libvirtd.service" ]; - requires = [ "libvirtd.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - }; - script = let - xml = pkgs.writeText "libvirt-network-${name}.xml" '' - - ${name} - UUID - - - - - - - - - - ''; - in '' - uuid="$(${pkgs.libvirt}/bin/virsh net-uuid '${name}' || true)" - ${pkgs.libvirt}/bin/virsh net-define <(sed "s/UUID/$uuid/" '${xml}') - ${pkgs.libvirt}/bin/virsh net-start '${name}' - ''; - preStop = '' - ${pkgs.libvirt}/bin/virsh net-destroy '${name}' - ''; - }) networks) // 
(lib.mapAttrs' (name: pool: lib.nameValuePair "libvirtd-pool-${name}" { - after = [ "libvirtd.service" ]; - requires = [ "libvirtd.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - }; - script = let - xml = pkgs.writeText "libvirt-pool-${name}.xml" '' - - ${name} - UUID - ${pool.xml or ""} - ${if pool ? target then '' - - ${pool.target} - - '' else ""} - - ''; - in pool.preStart or "" + '' - uuid="$(${pkgs.libvirt}/bin/virsh pool-uuid '${name}' || true)" - ${pkgs.libvirt}/bin/virsh pool-define <(sed "s/UUID/$uuid/" '${xml}') - ${pkgs.libvirt}/bin/virsh pool-start '${name}' || true - ''; - }) pools); -} diff --git a/modules/private/system/dilion/vms/base_configuration.nix b/modules/private/system/dilion/vms/base_configuration.nix deleted file mode 100644 index e2caba2..0000000 --- a/modules/private/system/dilion/vms/base_configuration.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ lib, config, ... }@args: -{ - options.myEnv = (import ../../../environment.nix (args // { name = "dummy"; })).options.myEnv; - config = { - fileSystems."/".device = "/dev/disk/by-label/nixos"; - boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "virtio_balloon" "virtio_blk" "virtio_pci" "virtio_ring" ]; - boot.loader = { - grub = { - version = 2; - device = "/dev/vda"; - }; - timeout = 0; - }; - services.openssh.enable = true; - networking.firewall.allowedTCPPorts = [ 22 ]; - users = { - mutableUsers = false; - users.root.openssh.authorizedKeys.keys = [ config.myEnv.sshd.rootKeys.immae_dilion ]; - }; - }; -} diff --git a/modules/private/system/dilion/vms/base_image.nix b/modules/private/system/dilion/vms/base_image.nix deleted file mode 100644 index 8de8560..0000000 --- a/modules/private/system/dilion/vms/base_image.nix +++ /dev/null 
@@ -1,94 +0,0 @@ -configuration_file: { pkgs ? import {}, system ? builtins.currentSystem, myEnv, ... }: -let - config = (import { - inherit system; - modules = [ { - myEnv = myEnv; - imports = [ configuration_file ]; - - # We want our template image to be as small as possible, but the deployed image should be able to be - # of any size. Hence we resize on the first boot. - systemd.services.resize-main-fs = { - wantedBy = [ "multi-user.target" ]; - serviceConfig.Type = "oneshot"; - script = - '' - # Resize main partition to fill whole disk - echo ", +" | ${pkgs.utillinux}/bin/sfdisk /dev/vda --no-reread -N 1 - ${pkgs.parted}/bin/partprobe - # Resize filesystem - ${pkgs.e2fsprogs}/bin/resize2fs /dev/vda1 - ''; - }; - } ]; - }).config; -in pkgs.vmTools.runInLinuxVM ( - pkgs.runCommand "nixos-base-image" - { - memSize = 768; - preVM = - '' - mkdir $out - diskImage=image.qcow2 - ${pkgs.vmTools.qemu}/bin/qemu-img create -f qcow2 $diskImage 2G - mv closure xchg/ - ''; - postVM = - '' - echo compressing VM image... - ${pkgs.vmTools.qemu}/bin/qemu-img convert -c $diskImage -O qcow2 $out/nixos.qcow2 - ''; - buildInputs = [ pkgs.utillinux pkgs.perl pkgs.parted pkgs.e2fsprogs ]; - exportReferencesGraph = - [ "closure" config.system.build.toplevel ]; - } - '' - # Create the partition - parted /dev/vda mklabel msdos - parted /dev/vda -- mkpart primary ext4 1M -1s - - # Format the partition - mkfs.ext4 -L nixos /dev/vda1 - mkdir /mnt - mount /dev/vda1 /mnt - - for dir in dev proc sys; do - mkdir /mnt/$dir - mount --bind /$dir /mnt/$dir - done - - storePaths=$(perl ${pkgs.pathsFromGraph} /tmp/xchg/closure) - echo filling Nix store... - mkdir -p /mnt/nix/store - set -f - cp -prd $storePaths /mnt/nix/store - # The permissions will be set up incorrectly if the host machine is not running NixOS - chown -R 0:30000 /mnt/nix/store - - mkdir -p /mnt/etc/nix - echo 'build-users-group = ' > /mnt/etc/nix/nix.conf - - # Register the paths in the Nix database. 
- export USER=root - printRegistration=1 perl ${pkgs.pathsFromGraph} /tmp/xchg/closure | \ - chroot /mnt ${config.nix.package.out}/bin/nix-store --load-db - - # Create the system profile to allow nixos-rebuild to work. - chroot /mnt ${config.nix.package.out}/bin/nix-env \ - -p /nix/var/nix/profiles/system --set ${config.system.build.toplevel} - - # `nixos-rebuild' requires an /etc/NIXOS. - mkdir -p /mnt/etc/nixos - touch /mnt/etc/NIXOS - - # `switch-to-configuration' requires a /bin/sh - mkdir -p /mnt/bin - ln -s ${config.system.build.binsh}/bin/sh /mnt/bin/sh - - # Generate the GRUB menu. - chroot /mnt ${config.system.build.toplevel}/bin/switch-to-configuration boot - - umount /mnt/{proc,dev,sys} - umount /mnt - '' -) diff --git a/modules/private/system/dilion/vms/buildbot_configuration.nix b/modules/private/system/dilion/vms/buildbot_configuration.nix deleted file mode 100644 index 05b02d4..0000000 --- a/modules/private/system/dilion/vms/buildbot_configuration.nix +++ /dev/null 
@@ -1,67 +0,0 @@ -{ pkgs, config, lib, ... }: -{ - imports = [ - - ./base_configuration.nix - ]; - systemd.services.buildbot-worker.serviceConfig.ExecStartPre = let - cfg = config.services.buildbot-worker; - script = pkgs.writeScript "decode-dmi" '' - #!${pkgs.stdenv.shell} - - mkdir -vp "${cfg.buildbotDir}" - varfile=${cfg.buildbotDir}/variables - rm $varfile || true - echo "[DEFAULT]" > $varfile - strings=$(${pkgs.dmidecode}/bin/dmidecode --oem-string count) - for i in $(seq 1 $strings); do - ${pkgs.dmidecode}/bin/dmidecode --oem-string $i >> $varfile - done - chown -R ${cfg.user}:${cfg.group} ${cfg.buildbotDir} - ''; - in - lib.mkForce ["+${script}"]; - systemd.services.buildbot-worker.serviceConfig.ExecStart = let - cfg = config.services.buildbot-worker; - tacFile = pkgs.writeText "buildbot-worker.tac" '' - import os - from io import open - - from buildbot_worker.bot import Worker - from twisted.application import service - - basedir = '${cfg.buildbotDir}' - - # note: this line is matched against to check that this is a worker - # directory; do not edit it. 
- application = service.Application('buildbot-worker') - - import configparser - config = config = configparser.ConfigParser() - config.read("${cfg.buildbotDir}/variables") - master_url_split = config["DEFAULT"]["buildbot_master_url"].split(':') - buildmaster_host = master_url_split[0] - port = int(master_url_split[1]) - workername = config["DEFAULT"]["buildbot_worker_name"] - - with open('${cfg.workerPassFile}', 'r', encoding='utf-8') as passwd_file: - passwd = passwd_file.read().strip('\r\n') - keepalive = ${toString cfg.keepalive} - umask = None - maxdelay = 300 - numcpus = None - allow_shutdown = None - - s = Worker(buildmaster_host, port, workername, passwd, basedir, - keepalive, umask=umask, maxdelay=maxdelay, - numcpus=numcpus, allow_shutdown=allow_shutdown) - s.setServiceParent(application) - ''; - in - lib.mkForce "${cfg.package.pythonModule.pkgs.twisted}/bin/twistd --nodaemon --pidfile= --logfile - --python ${tacFile}"; - services.buildbot-worker = { - enable = true; - workerPass = config.myEnv.buildbot.workerPassword; - packages = [ pkgs.git pkgs.gzip pkgs.openssh ]; - }; -} diff --git a/modules/private/system/eldiron.nix b/modules/private/system/eldiron.nix deleted file mode 100644 index 8b2784d..0000000 --- a/modules/private/system/eldiron.nix +++ /dev/null 
@@ -1,228 +0,0 @@ -{ config, pkgs, lib, ... }: -{ - deployment = { - targetUser = "root"; - targetHost = config.hostEnv.ips.main.ip4; - substituteOnDestination = true; - }; - # ssh-keyscan eldiron | nix-shell -p ssh-to-age --run ssh-to-age - secrets.ageKeys = [ "age1dxr5lhvtnjssfaqpnf6qx80h8gfwkxg3tdf35m6n9wljmk7wadfs3kmahj" ]; - boot = { - kernelModules = [ "kvm-intel" ]; - blacklistedKernelModules = [ "nvidiafb" ]; - loader.timeout = 1; - loader.grub.devices = [ "/dev/sda" "/dev/sdb" ]; - kernel.sysctl = { - # https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md - "net.ipv4.tcp_sack" = 0; - }; - supportedFilesystems = [ "zfs" ]; - kernelParams = ["zfs.zfs_arc_max=6442450944"]; - kernelPackages = pkgs.linuxPackages_latest; - initrd.availableKernelModules = [ "ahci" "sd_mod" ]; - initrd.secrets = { - "/boot/pass.key" = "/boot/pass.key"; - }; - }; - services.udev.extraRules = '' - ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="c8:60:00:56:a0:88", NAME="eth0" - ''; - nix.maxJobs = 8; - powerManagement.cpuFreqGovernor = "powersave"; - myEnv = import ../../../nixops/secrets/environment.nix; - - fileSystems = { - # pools: - # zpool: ashift=12 - # zfast: ashift=12 - # zfs: - # zpool/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy - # zpool/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key - # zpool/root/var: atime=on - # zfast/: acltype=posixacl ; xattr=sa ; atime=off ; mountpoint=legacy - # zfast/root: encryption=on ; keyformat=passphrase ; keylocation=file:///boot/pass.key - # zfast/root/etc: ø - # zfast/root/nix: ø - # zfast/root/tmp: async=disabled - # zfast/root/var: atime=on - # zfast/root/var/lib: ø - # zfast/root/var/lib/mysql: logbias=throughput ; atime=off ; primarycache=metadata - # zfast/root/var/lib/postgresql: recordsize=8K ; atime=off ; logbias=throughput - # zfast/root/var/lib/postgresql/11.0: ø - # zfast/root/var/lib/postgresql/11.0/pg_wal: ø - "/" = { fsType = "zfs"; 
device = "zpool/root"; }; - "/boot" = { fsType = "ext4"; device = "/dev/disk/by-uuid/e6bb18fb-ff56-4b5f-ae9f-e60d40dc0622"; }; - "/etc" = { fsType = "zfs"; device = "zpool/root/etc"; }; - "/nix" = { fsType = "zfs"; device = "zfast/root/nix"; }; - "/tmp" = { fsType = "zfs"; device = "zfast/root/tmp"; }; - "/var" = { fsType = "zfs"; device = "zpool/root/var"; }; - "/var/lib/mysql" = { fsType = "zfs"; device = "zfast/root/var/lib/mysql"; }; - "/var/lib/postgresql" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql"; }; - "/var/lib/postgresql/11.0" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0"; }; - "/var/lib/postgresql/11.0/pg_wal" = { fsType = "zfs"; device = "zfast/root/var/lib/postgresql/11.0/pg_wal"; }; - }; - swapDevices = [ { label = "swap1"; } { label = "swap2"; } ]; - hardware.enableRedistributableFirmware = true; - - services.zfs = { - autoScrub = { - enable = false; - }; - }; - networking = { - hostId = "8262ca33"; # generated with head -c4 /dev/urandom | od -A none -t x4 - firewall.enable = true; - # FIXME: on next reboot, remove the /27 and the localCommands - interfaces."eth0".ipv4.addresses = - pkgs.lib.attrsets.mapAttrsToList - (n: ips: { address = ips.ip4; prefixLength = 32; }) - (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips) - ++ [ { address = config.hostEnv.ips.main.ip4; prefixLength = 27; } ]; - interfaces."eth0".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList - (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or [])) - config.hostEnv.ips); - defaultGateway = "176.9.151.65"; - localCommands = '' - # FIXME: Those commands were added by nixops and may not be - # actually needed - ip -6 addr add '2a01:4f8:160:3445::/64' dev 'eth0' || true - ip -4 route change '176.9.151.64/27' via '176.9.151.65' dev 'eth0' || true - ip -6 route add default via 'fe80::1' dev eth0 || true - ''; - nameservers = [ - 
"213.133.98.98" - "213.133.99.99" - "213.133.100.100" - "2a01:4f8:0:a0a1::add:1010" - "2a01:4f8:0:a102::add:9999" - "2a01:4f8:0:a111::add:9898" - ]; - }; - - imports = builtins.attrValues (import ../..); - - myServices.buildbot.enable = true; - myServices.databases.enable = true; - myServices.gitolite.enable = true; - myServices.monitoring.enable = true; - myServices.irc.enable = true; - myServices.pub.enable = true; - myServices.tasks.enable = true; - myServices.mpd.enable = true; - myServices.dns.enable = true; - myServices.certificates.enable = true; - myServices.websites.enable = true; - myServices.gemini.enable = true; - myServices.mail.enable = true; - myServices.ejabberd.enable = true; - myServices.vpn.enable = true; - myServices.ftp.enable = true; - - services.netdata.enable = true; - services.netdata.config.global."memory mode" = "none"; - services.netdata.config.health."enabled" = "no"; - services.netdata.config.web.mode = "none"; - users.users."${config.services.netdata.user}".extraGroups = [ "keys" ]; - environment.etc."netdata/stream.conf".source = config.secrets.fullPaths."netdata-stream.conf"; - secrets.keys = { - "netdata-stream.conf" = { - user = config.services.netdata.user; - group = config.services.netdata.group; - permissions = "0400"; - text = '' - [stream] - enabled = yes - destination = ${config.myEnv.monitoring.netdata_aggregator} - api key = ${config.myEnv.monitoring.netdata_keys.eldiron} - ''; - }; - "zrepl_backup/identity" = { - user = "root"; - group = "root"; - permissions = "0400"; - text = config.myEnv.zrepl_backup.ssh_key.private; - }; - }; - programs.ssh.knownHosts.dilion = { - hostNames = ["dilion.immae.eu"]; - publicKey = let - profile = config.myEnv.rsync_backup.profiles.dilion; - in - "${profile.host_key_type} ${profile.host_key}"; - }; - - services.cron = { - enable = true; - mailto = "cron@immae.eu"; - systemCronJobs = [ - '' - 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g 
"immae.eu.*Recipient address rejected" - # Need a way to blacklist properly - # 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtpd -g "NOQUEUE:" - 0 0 * * * root journalctl -q --since="25 hours ago" -u postfix -t postfix/smtp -g "status=bounced" - '' - ]; - }; - - environment.systemPackages = [ pkgs.bindfs ]; - - services.zrepl = { - enable = true; - config = let - redis_dump = pkgs.writeScript "redis-dump" '' - #! ${pkgs.stdenv.shell} - ${pkgs.redis}/bin/redis-cli bgsave - ''; - in '' - jobs: - - type: push - # must not change - name: "backup-to-dilion" - filesystems: - "zpool/root": true - "zpool/root/etc": true - "zpool/root/var<": true - connect: - type: ssh+stdinserver - host: dilion.immae.eu - user: backup - port: 22 - identity_file: ${config.secrets.fullPaths."zrepl_backup/identity"} - snapshotting: - type: periodic - prefix: zrepl_ - interval: 1h - #hooks: - # - type: mysql-lock-tables - # dsn: "${config.myEnv.zrepl_backup.mysql.user}:${config.myEnv.zrepl_backup.mysql.password}@tcp(localhost)/" - # filesystems: - # "zpool/root/var": true - # - type: command - # path: ${redis_dump} - # err_is_fatal: false - # filesystems: - # "zpool/root/var": true - send: - encrypted: true - pruning: - keep_sender: - - type: regex - regex: "^manual_.*" - - type: grid - grid: 24x1h | 7x1d | 4x7d | 6x30d - regex: "^zrepl_.*" - keep_receiver: - - type: regex - regex: "^manual_.*" - - type: grid - grid: 6x4h | 7x1d | 4x7d | 6x30d - regex: "^zrepl_.*" - ''; - }; - # This value determines the NixOS release with which your system is - # to be compatible, in order to avoid breaking some software such as - # database servers. You should change this only after NixOS release - # notes say you should. - # https://nixos.org/nixos/manual/release-notes.html - system.stateVersion = "20.03"; # Did you read the comment? -} diff --git a/modules/private/system/monitoring-1.nix b/modules/private/system/monitoring-1.nix deleted file mode 100644 index dea5f45..0000000 
--- a/modules/private/system/monitoring-1.nix
+++ /dev/null
@@ -1,69 +0,0 @@
-{ config, pkgs, resources, ... }:
-{
- deployment = {
- targetUser = "root";
- targetHost = config.hostEnv.ips.main.ip4;
- substituteOnDestination = true;
- };
- # ssh-keyscan monitoring-1 | nix-shell -p ssh-to-age --run ssh-to-age
- secrets.ageKeys = [ "age1dn4lzhgxusqrpjjnzm7w8ml39ptf326htuzmpqdqs2gg3wq7cqzqxuvx8k" ];
- boot.kernelPackages = pkgs.linuxPackages_latest;
- myEnv = import ../../../nixops/secrets/environment.nix;
-
- imports = [ ] ++ builtins.attrValues (import ../..);
-
- myServices.monitoring.enable = true;
- myServices.monitoring.master = true;
- myServices.status.enable = true;
- networking = {
- firewall.enable = true;
- interfaces."ens3".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
- (n: ips: { address = ips.ip4; prefixLength = 32; })
- (pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
- interfaces."ens3".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
- (n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
- config.hostEnv.ips);
- defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
- };
- boot.loader.grub.device = "nodev";
- fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
- myServices.mailRelay.enable = true;
-
- security.pki.certificateFiles = [
- (pkgs.fetchurl {
- url = "http://downloads.e.eriomem.net/eriomemca.pem";
- sha256 = "1ixx4c6j3m26j8dp9a3dkvxc80v1nr5aqgmawwgs06bskasqkvvh";
- })
- ];
-
- services.netdata.enable = true;
- services.netdata.config.web."allow dashboard from" = "localhost";
- services.netdata.config.web."allow badges from" = "*";
- services.netdata.config.web."allow streaming from" = "*";
- services.netdata.config.web."allow netdata.conf from" = "fd*";
- services.netdata.config.web."allow management from" = "fd*";
- networking.firewall.allowedTCPPorts = [ 19999 ];
- environment.etc."netdata/stream.conf".source = 
config.secrets.fullPaths."netdata-stream.conf";
-
- secrets.keys = {
- "netdata-stream.conf" = {
- user = config.services.netdata.user;
- group = config.services.netdata.group;
- permissions = "0400";
- text = builtins.concatStringsSep "\n" (pkgs.lib.mapAttrsToList (_: key: ''
- [${key}]
- enabled = yes
- default history = 3600
- default memory = ram
- health enabled by default = auto
- '') config.myEnv.monitoring.netdata_keys);
- };
- };
- users.users."${config.services.netdata.user}".extraGroups = [ "keys" ];
- # This value determines the NixOS release with which your system is
- # to be compatible, in order to avoid breaking some software such as
- # database servers. You should change this only after NixOS release
- # notes say you should.
- # https://nixos.org/nixos/manual/release-notes.html
- system.stateVersion = "20.03"; # Did you read the comment?
-}
diff --git a/modules/private/system/quatresaisons.nix b/modules/private/system/quatresaisons.nix
deleted file mode 100644
index 82db70f..0000000
--- a/modules/private/system/quatresaisons.nix
+++ /dev/null
@@ -1,436 +0,0 @@ -{ config, pkgs, lib, ... }: -let - serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons; - yarnModules = pkgs.yarn2nix-moretea.mkYarnModules rec { - name = "landing"; - pname = name; - version = "v1.0.0"; - packageJSON = "${pkgs.sources.webapps-landing}/package.json"; - yarnLock = "${pkgs.sources.webapps-landing}/yarn.lock"; - yarnNix = ../websites/tools/tools/landing/yarn-packages.nix; - }; - toLanding = landingConfig: pkgs.stdenv.mkDerivation rec { - pname = "landing"; - version = "v1.0.0"; - src = pkgs.sources.webapps-landing; - - buildInputs = [ yarnModules pkgs.yarn2nix-moretea.yarn ]; - configurePhase = '' - ln -s ${yarnModules}/node_modules . - ''; - buildPhase = '' - yarn build - ''; - installPhase = '' - cp -a dist $out - cp -f ${landingConfig} $out/config.yml - ln -s service-worker.js $out/worker.js - ''; - }; - normalUsers = serverSpecificConfig.users; - sponsoredUser = pkgs.writeScriptBin "sponsored_user" '' - #!/usr/bin/env bash - - set -euo pipefail - [ -z "''${SUDO_USER+x}" ] && echo "Must be run with sudo" && exit 1 - - mygroup=$(id -ng $SUDO_USER) - - sponsored=$(getent group $mygroup | cut -d':' -f4) - - echo "Sponsored users: ''${sponsored:-}" - - log () { - touch /var/log/sponsored_users - chmod go-rwx /var/log/sponsored_users - echo "`date` $mygroup $1" | LANG=C cat -v | tr '\012' ' ' | sed 's:$:\x0a:' >> /var/log/sponsored_users - } - - create_user () { - log "creates $1: $2" - useradd -m -G users,$mygroup -g $mygroup -p '!' 
"$1" - touch /var/lib/nixos/sponsored_users - chmod go-rwx /var/lib/nixos/sponsored_users - echo "$mygroup $1 $2" >> /var/lib/nixos/sponsored_users - (${pkgs.openldap}/bin/ldapadd -c -D cn=root,dc=salle-s,dc=org \ - -y ${config.secrets.fullPaths."ldap/sync_password"} 2>/dev/null >/dev/null || true) </dev/null >/dev/null || true - - # Remove obsolete users - ${pkgs.openldap}/bin/ldapsearch -LLL ${com} -s one -b "ou=users,dc=salle-s,dc=org" "uid" |\ - grep "^uid" | ${pkgs.gnused}/bin/sed -e "s/uid: //" | while read ldapuser; do - - for user in ${builtins.concatStringsSep " " (builtins.attrNames normalUsers)}; do - if [ "$user" = "$ldapuser" ]; then - continue 2 - fi - done - ${pkgs.openldap}/bin/ldapdelete -r ${com} uid=$ldapuser,ou=users,dc=salle-s,dc=org - done - - # Subusers - if [ -f /var/lib/nixos/sponsored_users ]; then - cat /var/lib/nixos/sponsored_users | while read mainUser subUser name; do - (${pkgs.openldap}/bin/ldapadd -c ${com} 2>/dev/null >/dev/null || true) <s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVhost - Protocols h2 http/1.1 - AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript - '' ]; - ips = - let ips = config.hostEnv.ips.main; - in [ips.ip4] ++ (ips.ip6 or []); - - fallbackVhost = { - certName = "quatresaisons"; - hosts = [ "quatresaisons.immae.eu" ]; - root = pkgs.runCommand "empty" {} "mkdir $out && touch $out/index.html"; - extraConfig = [ "DirectoryIndex index.html" ]; - }; - vhostConfs.salle-s = { - certName = "quatresaisons"; - addToCerts = true; - hosts = [ "salle-s.org" ]; - root = toLanding ./quatresaisons/landing.yml; - extraConfig = [ - '' - - AllowOverride None - Require all granted - DirectoryIndex index.html - - '' - ]; - }; - vhostConfs.tools = { - certName = "quatresaisons"; - addToCerts = true; - hosts = [ "4c.salle-s.org" "quatresaisons.salle-s.org" "quatre-saisons.salle-s.org" ]; - root = toLanding ./quatresaisons/landing_4c.yml; - extraConfig = [ - '' - Alias 
/charte ${serverSpecificConfig.charte_path} - - AllowOverride None - Require all granted - DirectoryIndex index.html index.txt - - - - AllowOverride None - Require all granted - DirectoryIndex index.html - - '' - ]; - }; - }; - system.activationScripts.httpd = '' - install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php - install -d -m 0750 -o wwwrun -g wwwrun /var/lib/php/sessions - ''; - - services.phpfpm = { - phpOptions = '' - session.save_path = "/var/lib/php/sessions" - post_max_size = 20M - ; 15 days (seconds) - session.gc_maxlifetime = 1296000 - ; 30 days (minutes) - session.cache_expire = 43200 - ''; - settings = { - log_level = "notice"; - }; - }; - -} diff --git a/modules/private/system/quatresaisons/databases.nix b/modules/private/system/quatresaisons/databases.nix deleted file mode 100644 index f7b27e0..0000000 --- a/modules/private/system/quatresaisons/databases.nix +++ /dev/null 
@@ -1,147 +0,0 @@ -{ pkgs, config, lib, ... }: -{ - config = let - serverSpecificConfig = config.myEnv.serverSpecific.quatresaisons; - phpLdapAdmin = pkgs.webapps.phpldapadmin.override { config = config.secrets.fullPaths."webapps/tools-ldap"; }; - in { - services.postgresql.enable = true; - services.postgresql.package = pkgs.postgresql_12; - services.postgresql.ensureUsers = [ - { name = "naemon"; } - ]; - secrets.keys = { - "ldap/password" = { - permissions = "0400"; - user = "openldap"; - group = "openldap"; - text = "rootpw ${serverSpecificConfig.ldap_root_pw}"; - }; - "webapps/tools-ldap" = { - user = "wwwrun"; - group = "wwwrun"; - permissions = "0400"; - text = '' - custom->appearance['show_clear_password'] = true; - $config->custom->appearance['hide_template_warning'] = true; - $config->custom->appearance['theme'] = "tango"; - $config->custom->appearance['minimalMode'] = false; - $config->custom->appearance['tree'] = 'AJAXTree'; - - $servers = new Datastore(); - - $servers->newServer('ldap_pla'); - $servers->setValue('server','name','LDAP'); - $servers->setValue('server','host','ldap://localhost'); - $servers->setValue('login','auth_type','cookie'); - $servers->setValue('login','bind_id','${serverSpecificConfig.ldap_phpldapadmin_dn}'); - $servers->setValue('login','bind_pass','${serverSpecificConfig.ldap_phpldapadmin_password}'); - $servers->setValue('appearance','pla_password_hash','ssha'); - $servers->setValue('login','attr','uid'); - $servers->setValue('login','fallback_dn',true); - ''; - }; - }; - - users.users.openldap.extraGroups = [ "keys" ]; - services.openldap = { - enable = true; - dataDir = "/var/lib/openldap"; - urlList = [ "ldap://localhost" ]; - logLevel = "none"; - extraConfig = '' - pidfile /run/slapd/slapd.pid - argsfile /run/slapd/slapd.args - - moduleload back_hdb - backend hdb - ''; - - extraDatabaseConfig = '' - moduleload memberof - overlay memberof - - moduleload syncprov - overlay syncprov - syncprov-checkpoint 100 10 - - index 
objectClass eq - index uid pres,eq - #index uidMember pres,eq - index mail pres,sub,eq - index cn pres,sub,eq - index sn pres,sub,eq - index dc eq - index member eq - index memberOf eq - - # No one must access that information except root - access to attrs=description - by * none - - access to attrs=entry,uid filter="(uid=*)" - by dn.exact="${serverSpecificConfig.ldap_phpldapadmin_dn}" read - by * break - - access to dn.subtree="ou=users,dc=salle-s,dc=org" - by dn.subtree="ou=services,dc=salle-s,dc=org" read - by * break - - access to * - by self read - by anonymous auth - by * break - ''; - rootpwFile = config.secrets.fullPaths."ldap/password"; - suffix = "dc=salle-s,dc=org"; - rootdn = "cn=root,dc=salle-s,dc=org"; - database = "hdb"; - }; - - services.websites.env.production.modules = [ "proxy_fcgi" ]; - services.websites.env.production.vhostConfs.tools.extraConfig = [ - '' - Alias /ldap "${phpLdapAdmin}/htdocs" - - DirectoryIndex index.php - - SetHandler "proxy:unix:${config.services.phpfpm.pools.ldap.socket}|fcgi://localhost" - - - AllowOverride None - Require all granted - - '' - ]; - services.phpfpm.pools.ldap = { - user = "wwwrun"; - group = "wwwrun"; - settings = - let - basedir = builtins.concatStringsSep ":" [ phpLdapAdmin config.secrets.fullPaths."webapps/tools-ldap" ]; - in { - "listen.owner" = "wwwrun"; - "listen.group" = "wwwrun"; - "pm" = "ondemand"; - "pm.max_children" = "60"; - "pm.process_idle_timeout" = "60"; - - # Needed to avoid clashes in browser cookies (same domain) - "php_value[session.name]" = "LdapPHPSESSID"; - "php_admin_value[open_basedir]" = "${basedir}:/tmp:/var/lib/php/sessions/phpldapadmin"; - "php_admin_value[session.save_path]" = "/var/lib/php/sessions/phpldapadmin"; - }; - phpPackage = pkgs.php72; - }; - system.activationScripts.ldap = { - deps = [ "users" ]; - text = '' - install -m 0755 -o wwwrun -g wwwrun -d /var/lib/php/sessions/phpldapadmin - ''; - }; - systemd.services.phpfpm-ldap = { - after = lib.mkAfter [ 
"openldap.service" ]; - wants = [ "openldap.service" ]; - }; - }; -} diff --git a/modules/private/system/quatresaisons/landing.yml b/modules/private/system/quatresaisons/landing.yml deleted file mode 100644 index cf4ba87..0000000 --- a/modules/private/system/quatresaisons/landing.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -# Homepage configuration -# See https://fontawesome.com/icons for icons options - -title: "Websites dashboard" -subtitle: "Salle-S" -footer: false -#footer: '

Created with ❤️ with bulma, vuejs & font awesome // Fork me on

' # set false if you want to hide it. - -# Optional navbar -# links: [] # Allows for navbar (dark mode, layout, and search) without any links -links: [] - -# Services -# First level array represent a group. -# Leave only a "items" key if not using group (group name, icon & tagstyle are optional, section separation will not be displayed). -services: - - name: "Quatramaran" - items: - - name: "Roundcube" - logo: "assets/tools/roundcube.svg" - url: "https://quatramaran.salle-s.org/roundcube/" - - name: "Les dessous de paillasse" - url: "https://dessous-de-paillasse.salle-s.org" - - name: "Quatre Saisons" - items: - - name: "Charte d’utilisation" - icon: "fas fa-scroll" - url: "https://4c.salle-s.org/charte/" - - name: "Nextcloud" - logo: "assets/tools/nextcloud.png" - url: "https://nextcloud.4c.salle-s.org" diff --git a/modules/private/system/quatresaisons/landing_4c.yml b/modules/private/system/quatresaisons/landing_4c.yml deleted file mode 100644 index 0b9f6b6..0000000 --- a/modules/private/system/quatresaisons/landing_4c.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -# Homepage configuration -# See https://fontawesome.com/icons for icons options - -title: "Websites dashboard" -subtitle: "Quatre saisons" -footer: false -#footer: '

Created with ❤️ with bulma, vuejs & font awesome // Fork me on

' # set false if you want to hide it. - -# Optional navbar -# links: [] # Allows for navbar (dark mode, layout, and search) without any links -links: [] - -# Services -# First level array represent a group. -# Leave only a "items" key if not using group (group name, icon & tagstyle are optional, section separation will not be displayed). -services: - - items: - - name: "Charte d’utilisation" - icon: "fas fa-scroll" - url: "https://4c.salle-s.org/charte/" - - name: "Nextcloud" - logo: "assets/tools/nextcloud.png" - url: "https://nextcloud.4c.salle-s.org" diff --git a/modules/private/system/quatresaisons/nextcloud.nix b/modules/private/system/quatresaisons/nextcloud.nix deleted file mode 100644 index 89d69d5..0000000 --- a/modules/private/system/quatresaisons/nextcloud.nix +++ /dev/null 
@@ -1,141 +0,0 @@ -{ lib, pkgs, config, ... }: -let - nextcloud = pkgs.webapps.nextcloud.withApps (a: [ - a.apporder a.audioplayer a.bookmarks a.calendar a.carnet a.circles - a.contacts a.cookbook a.deck a.extract a.files_markdown - a.files_readmemd a.flowupload a.gpxedit a.gpxpod a.keeweb a.maps - a.metadata a.music a.notes a.ocsms a.passman a.polls a.spreed - a.social a.tasks - ]); - varDir = "/var/lib/nextcloud"; - phpFpm = rec { - basedir = builtins.concatStringsSep ":" ([ nextcloud varDir ] ++ nextcloud.apps); - pool = { - "listen.owner" = "wwwrun"; - "listen.group" = "wwwrun"; - "pm" = "ondemand"; - "pm.max_children" = "60"; - "pm.process_idle_timeout" = "60"; - - "php_admin_value[output_buffering]" = "0"; - "php_admin_value[max_execution_time]" = "1800"; - "php_admin_value[zend_extension]" = "opcache"; - #already enabled by default? - #"php_value[opcache.enable]" = "1"; - "php_value[opcache.enable_cli]" = "1"; - "php_value[opcache.interned_strings_buffer]" = "8"; - "php_value[opcache.max_accelerated_files]" = "10000"; - "php_value[opcache.memory_consumption]" = "128"; - "php_value[opcache.save_comments]" = "1"; - "php_value[opcache.revalidate_freq]" = "1"; - "php_admin_value[memory_limit]" = "512M"; - - "php_admin_value[open_basedir]" = "/run/wrappers/bin/sendmail:${basedir}:/proc/meminfo:/dev/urandom:/proc/self/fd:/tmp"; - "php_admin_value[session.save_path]" = "${varDir}/phpSessions"; - }; - }; -in { - config = { - services.postgresql.ensureDatabases = [ "nextcloud" ]; - services.postgresql.ensureUsers = [ - { name = "nextcloud"; ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; }; } - ]; - services.websites.env.production.modules = [ "proxy_fcgi" ]; - - services.websites.env.production.vhostConfs.cloud = { - certName = "quatresaisons"; - addToCerts = true; - hosts = ["nextcloud.4c.salle-s.org" ]; - root = nextcloud; - extraConfig = - [ - '' - SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 - - AcceptPathInfo On - DirectoryIndex index.php 
- Options FollowSymlinks - Require all granted - AllowOverride all - - - Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" - - - CGIPassAuth on - SetHandler "proxy:unix:${config.services.phpfpm.pools.nextcloud.socket}|fcgi://localhost" - - - - '' - ]; - }; - services.websites.env.production.vhostConfs.cloud_wait = let - content = pkgs.writeText "contenu" '' - nextcloud est un service qui a besoin de pérennité du nom - "nextcloud.salle-s.org", on va peut-etre y arriver, c'est une - question de jours, voir le message informatique.internet:8017 - ''; - in { - certName = "quatresaisons"; - addToCerts = true; - hosts = ["nextcloud.salle-s.org" ]; - root = content; - extraConfig = - [ - '' - Alias / ${content} - '' - ]; - }; - - users.users.root.packages = let - occ = pkgs.writeScriptBin "nextcloud-occ" '' - #! ${pkgs.stdenv.shell} - cd ${nextcloud} - NEXTCLOUD_CONFIG_DIR="${nextcloud}/config" \ - exec \ - sudo -E -u wwwrun ${pkgs.php74}/bin/php \ - -c ${pkgs.php74}/etc/php.ini \ - occ $* - ''; - in [ occ ]; - - system.activationScripts.nextcloud = { - deps = [ "users" ]; - text = let - confs = lib.attrsets.mapAttrs (n: v: pkgs.writeText "${n}.json" (builtins.toJSON v)) nextcloud.otherConfig; - in - '' - install -m 0755 -o wwwrun -g wwwrun -d ${varDir} - install -m 0755 -o wwwrun -g wwwrun -d ${varDir}/config - install -m 0750 -o wwwrun -g wwwrun -d ${varDir}/phpSessions - ${builtins.concatStringsSep "\n" (lib.attrsets.mapAttrsToList (n: v: - "install -D -m 0644 -o wwwrun -g wwwrun -T ${v} ${varDir}/config/${n}.json" - ) confs)} - ''; - }; - services.phpfpm.pools.nextcloud = { - user = "wwwrun"; - group = "wwwrun"; - settings = phpFpm.pool; - phpPackage = pkgs.php74.withExtensions({ enabled, all }: enabled ++ [ all.redis all.apcu all.opcache all.imagick ]); - }; - - services.cron = { - enable = true; - systemCronJobs = let - script = pkgs.writeScriptBin "nextcloud-cron" '' - #! 
${pkgs.stdenv.shell} - export LOCALE_ARCHIVE=/run/current-system/sw/lib/locale/locale-archive - export PATH=/run/wrappers/bin:$PATH - ${pkgs.php74}/bin/php -d memory_limit=512M -f ${nextcloud}/cron.php - ''; - in [ - '' - */15 * * * * wwwrun ${script}/bin/nextcloud-cron - '' - ]; - }; - }; -} -- cgit v1.2.3