Merge pull request 'flake.lock: Update' (#87) from Mic92-main into main
All checks were successful
build / test (push) Successful in 6s

clan-bot 2023-08-23 13:07:15 +00:00
commit 824ab14d5c
8 changed files with 30 additions and 54 deletions


@ -19,11 +19,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1692792260, "lastModified": 1692795513,
"narHash": "sha256-jrQeZqD/KsCioCTQt91gW0egvRG9duxPeTuCsSLVXVc=", "narHash": "sha256-0W1GmoRI8Q0YKvhfuz9885YGuDkbzzzKLWfbdlcnMMw=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "7365df338bb75782703be633976ca6add6002e88", "rev": "a642ecfda5e3472af521bfd6f4f466201f4f3ccb",
"revCount": 374, "revCount": 378,
"type": "git", "type": "git",
"url": "https://git.clan.lol/clan/clan-core" "url": "https://git.clan.lol/clan/clan-core"
}, },
@ -206,11 +206,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1692709311, "lastModified": 1692792425,
"narHash": "sha256-juBtQW2dKn8fWc9XbrYqfeq5hIjDZ33fcyzXPqkNueg=", "narHash": "sha256-l8mloOMPXPAqVoz0EajpWvZ7XD8jSV1/yQIeNNc3SM8=",
"owner": "numtide", "owner": "numtide",
"repo": "srvos", "repo": "srvos",
"rev": "1fdce805f65f8d44856b5af1340de0fd6d0811a9", "rev": "46145a1cc93d00ced71c903ec3f9d492af857e2e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -226,11 +226,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1692524468, "lastModified": 1692792358,
"narHash": "sha256-wJffwu1deOgc3c/cBIZQ52dfWfPWBzjOamYBX121hcw=", "narHash": "sha256-yqKPLUvl9lFTy43+GvVRwT39k1qu7Yd0HNktZjRbUP4=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "e2761d701581d8dcc4e0e88aecfde317ddf6f0cd", "rev": "b070c28bf9d7d3ef93084aa47c01b4b6c16cdce4",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -5,7 +5,7 @@
inputs.srvos.nixosModules.mixins-telegraf inputs.srvos.nixosModules.mixins-telegraf
# FIXME: switch to VPN later # FIXME: switch to VPN later
{ networking.firewall.allowedTCPPorts = [ 9273 ]; } { networking.firewall.allowedTCPPorts = [ 9273 ]; }
inputs.sops-nix.nixosModules.default inputs.clan-core.nixosModules.secrets
]; ];
hcloud.imports = [ hcloud.imports = [
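Review bot: Swapping `inputs.sops-nix.nixosModules.default` for `inputs.clan-core.nixosModules.secrets` makes every `config.sops.secrets.<name>.path` reference in this commit depend on declarations that are no longer visible in this repository, because the `sops.secrets.<name> = { };` lines are deleted from the borgbackup, merge-bot, dendrite, harmonia and flake-update modules. Nothing in the shown hunks says how the clan-core module decides which secrets a host receives or what owner and mode it assigns. It is worth confirming that it only materialises the secrets this machine is meant to hold and keeps the root-only defaults the empty declarations had. A short comment here would help the next reader, for example `# secrets are declared by clan-core from clan.sops.sopsDirectory, not per module`. The import list continues outside the hunk.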


@ -1,14 +1,6 @@
{ config, ... }: { { config, ... }: {
# 100GB storagebox is under the nix-community hetzner account # 100GB storagebox is under the nix-community hetzner account
# $ nix run nixpkgs#xkcdpass -- -d '-' -n 3 -C capitalize "$@"
sops.secrets.hetzner-borgbackup-ssh = { };
# Also enable ssh support in the storagebox web interface.
# By default the storage box is only accessible from the hetzner network.
# $ ssh-keygen -t ed25519 -N "" -f /tmp/ssh_host_ed25519_key
# $ cat /tmp/ssh_host_ed25519_key.pub | ssh -p23 u359378@u359378.your-storagebox.de install-ssh-key
sops.secrets.hetzner-borgbackup-passphrase = { };
systemd.services.borgbackup-job-clan-lol.serviceConfig.ReadWritePaths = [ systemd.services.borgbackup-job-clan-lol.serviceConfig.ReadWritePaths = [
"/var/log/telegraf" "/var/log/telegraf"
]; ];
@ -62,10 +54,16 @@
doInit = true; doInit = true;
encryption = { encryption = {
mode = "repokey-blake2"; mode = "repokey-blake2";
# $ nix run nixpkgs#xkcdpass -- -d '-' -n 3 -C capitalize "$@"
passCommand = "cat ${config.sops.secrets.hetzner-borgbackup-passphrase.path}"; passCommand = "cat ${config.sops.secrets.hetzner-borgbackup-passphrase.path}";
}; };
compression = "auto,zstd"; compression = "auto,zstd";
startAt = "daily"; startAt = "daily";
# Also enable ssh support in the storagebox web interface.
# By default the storage box is only accessible from the hetzner network.
# $ ssh-keygen -t ed25519 -N "" -f /tmp/ssh_host_ed25519_key
# $ cat /tmp/ssh_host_ed25519_key.pub | ssh -p23 u359378@u359378.your-storagebox.de install-ssh-key
environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}"; environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
preHook = '' preHook = ''
set -x set -x
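Review bot: The comment relocated above `passCommand` documents a three-word xkcdpass passphrase (`-n 3`) as the way to generate the repository passphrase. With `mode = "repokey-blake2"` the encrypted key lives in the repository on the storage box, so that passphrase is the only protection against offline guessing by anyone who can read the storage. I would document a longer one, e.g. `# $ nix run nixpkgs#xkcdpass -- -d '-' -n 6 -C capitalize "$@"`. The key-generation comment above `BORG_RSH` also leaves an unencrypted private key at `/tmp/ssh_host_ed25519_key`; a line such as `# remove /tmp/ssh_host_ed25519_key* once the key is stored in sops` would close that gap. The `preHook` body continues outside the hunk.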


@ -1,7 +1,4 @@
{ config, self, pkgs, ... }: { { config, self, pkgs, ... }: {
sops.secrets.merge-bot-gitea-token = { };
# service to for automatic merge bot # service to for automatic merge bot
systemd.services.clan-merge = { systemd.services.clan-merge = {
description = "Merge clan.lol PRs automatically"; description = "Merge clan.lol PRs automatically";


@ -13,4 +13,5 @@
]; ];
services.cloud-init.xfs.enable = true; services.cloud-init.xfs.enable = true;
clan.sops.sopsDirectory = ../../sops;
} }


@ -25,19 +25,15 @@ let
''; '';
in in
{ {
# $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
sops.secrets.matrix-server-key = { };
# $ echo "REGISTRATION_SHARED_SECRET=$(openssl rand -base64 32)"
# To create a user:
# $ password=$(nix run "nixpkgs#xkcdpass" -- -n 3 -d-)
# $ shared_secret=$(sops -d --extract '["registration-secret"]' ./secrets.yaml| sed s/REGISTRATION_SHARED_SECRET=//)
# $ nix shell "nixpkgs#matrix-synapse" -c register_new_matrix_user --password "${password}" --shared-secret "${shared_secret}" "https://matrix.clan.lol:443"
sops.secrets.registration-secret = { };
services.dendrite = { services.dendrite = {
enable = true; enable = true;
httpPort = 8043; httpPort = 8043;
# $ echo "REGISTRATION_SHARED_SECRET=$(openssl rand -base64 32)"
# To create a user:
# $ password=$(nix run "nixpkgs#xkcdpass" -- -n 3 -d-)
# $ shared_secret=$(sops -d --extract '["registration-secret"]' ./secrets.yaml| sed s/REGISTRATION_SHARED_SECRET=//)
# $ nix shell "nixpkgs#matrix-synapse" -c register_new_matrix_user --password "${password}" --shared-secret "${shared_secret}" "https://matrix.clan.lol:443"
environmentFile = config.sops.secrets.registration-secret.path; environmentFile = config.sops.secrets.registration-secret.path;
settings = { settings = {
@ -122,6 +118,7 @@ in
}; };
systemd.services.dendrite.serviceConfig.LoadCredential = [ systemd.services.dendrite.serviceConfig.LoadCredential = [
# $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
"matrix-server-key:${config.sops.secrets.matrix-server-key.path}" "matrix-server-key:${config.sops.secrets.matrix-server-key.path}"
]; ];
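Review bot: The user-creation recipe moved next to `environmentFile` still decrypts `./secrets.yaml`, while this commit points secrets at `clan.sops.sopsDirectory = ../../sops`. If the per-host `secrets.yaml` is gone (not visible here), the documented command no longer works and should name the new file. The recipe also passes `--password` and `--shared-secret` as command-line arguments, which exposes them to other local users through the process list, so a note to run it on a trusted single-user machine, or to let `register_new_matrix_user` prompt for the password, would be worth adding. The comment placed inside `LoadCredential` likewise leaves the server signing key in `/tmp`; add `# delete /tmp/key after importing it into sops` beneath it.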


@ -2,7 +2,6 @@
services.harmonia.enable = true; services.harmonia.enable = true;
# $ nix-store --generate-binary-cache-key cache.yourdomain.tld-1 harmonia.secret harmonia.pub # $ nix-store --generate-binary-cache-key cache.yourdomain.tld-1 harmonia.secret harmonia.pub
services.harmonia.signKeyPath = config.sops.secrets.harmonia-key.path; services.harmonia.signKeyPath = config.sops.secrets.harmonia-key.path;
sops.secrets.harmonia-key = { };
services.nginx = { services.nginx = {
package = pkgs.nginxStable.override { package = pkgs.nginxStable.override {


@ -1,16 +1,5 @@
{ config, self, pkgs, lib, ... }: { config, self, pkgs, lib, ... }:
let let
allFlakePackages = [
"job-flake-update-clan-core"
"job-flake-update-clan-homepage"
"job-flake-update-clan-infra"
];
allFlakeJobs = lib.filter (lib.hasPrefix "job-") allFlakePackages;
allSystemdConfigs = map configForJob allFlakeJobs;
configForJob = name: { configForJob = name: {
systemd.timers.${name} = { systemd.timers.${name} = {
description = "Time for flake update workflow"; description = "Time for flake update workflow";
@ -55,16 +44,11 @@ let
}; };
}; };
}; };
in in
{ {
config = lib.mkMerge ( config = lib.mkMerge (map configForJob [
allSystemdConfigs "job-flake-update-clan-core"
++ [ "job-flake-update-clan-homepage"
{ "job-flake-update-clan-infra"
sops.secrets.clan-bot-gitea-token = { }; ]);
sops.secrets.clan-bot-ssh-key = { };
}
]
);
} }