diff options
27 files changed, 0 insertions, 1435 deletions
diff --git a/README.md b/README.md index 8b5df8d..1eddee0 100644 --- a/README.md +++ b/README.md @@ -39,8 +39,6 @@ `kompakt` - Laptop (MBA, Darwin) -`cobalt` - Main server (managed with colmena) - ## Resources + **Flakes** diff --git a/flake.nix b/flake.nix index d8b1284..192e28b 100644 --- a/flake.nix +++ b/flake.nix @@ -32,8 +32,6 @@ nixosConfigurations = import ./nixos inputs; - colmena = import ./nixos/colmena.nix inputs; - darwinConfigurations = import ./darwin inputs; homeConfigurations = import ./home inputs; diff --git a/lib/default.nix b/lib/default.nix index 13164a9..704a15e 100644 --- a/lib/default.nix +++ b/lib/default.nix @@ -4,7 +4,6 @@ inputs: mkSystem = import ./mk_system.nix inputs; mkHome = import ./mk_home.nix inputs; mkDarwin = import ./mk_darwin.nix inputs; - mkColmena = import ./mk_colmena.nix inputs; nixosConfigurationsAsPackages = import ./nixos_configurations_as_packages.nix inputs; homeConfigurationsAsPackages = import ./home_configurations_as_packages.nix inputs; } diff --git a/lib/mk_colmena.nix b/lib/mk_colmena.nix deleted file mode 100644 index 82dce9d..0000000 --- a/lib/mk_colmena.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ self, ... } @ args: - -{ name -, system ? "x86_64-linux" -, deployment ? null -, host ? null -, port ? 22 -, tags ? null -, inputs ? null -, ... -}: -let - configFolder = "${self}/nixos"; - entryPoint = "${configFolder}/${name}/configuration.nix"; - hardware = "${configFolder}/${name}/hardware-configuration.nix"; -in -{ - deployment = deployment; - # system = system; - - imports = [ - { - _module.args = args; - networking.hostName = name; - nix.flakes.enable = true; - system.configurationRevision = self.rev or "dirty"; - documentation.man = { enable = true; generateCaches = true; }; - } - entryPoint - hardware - ../nixos/modules/flake.nix - ../nixos/modules/nix.nix - # TODO: implement extraModules - inputs.impermanence.nixosModules.impermanence - inputs.sops-nix.nixosModules.sops - ]; -} diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml index 030fefe..f6cb8c7 100644 --- a/nixos/.sops.yaml +++ b/nixos/.sops.yaml @@ -1,15 +1,9 @@ keys: - &sefidel 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2 - &host_alpha c62b0336ff6e444e5f2041e8074ca855641a5b7f - - &host_cobalt 9794c486d5673ff6613f6cde774d4895eb911703 creation_rules: - path_regex: alpha/secrets/[^/]+\.yaml$ key_groups: - pgp: - *sefidel - *host_alpha - - path_regex: cobalt/secrets/[^/]+\.yaml$ - key_groups: - - pgp: - - *sefidel - - *host_cobalt diff --git a/nixos/cobalt/configuration.nix b/nixos/cobalt/configuration.nix deleted file mode 100644 index a3c77da..0000000 --- a/nixos/cobalt/configuration.nix +++ /dev/null @@ -1,145 +0,0 @@ -{ config, pkgs, lib, ... }: -let - ipv4 = { - address = "95.216.74.104"; - gateway = "95.216.74.65"; - netmask = "255.255.255.192"; - prefixLength = 26; # https://www.pawprint.net/designresources/netmask-converter.php - }; - ipv6 = { - address = "2a01:4f9:2b:a98::"; - gateway = "fe80::1"; - prefixLength = 64; - }; - networkInterface = "eth0"; - hostName = "cobalt"; - hostId = "712ae82a"; -in -{ - imports = - [ - ./hardware-configuration.nix - - ./services/acme.nix - ./services/nginx.nix - ./services/fail2ban.nix - ./services/soju.nix - ./services/gitolite.nix - ./services/git-daemon.nix - ./services/cgit.nix - ./services/dendrite.nix - ./services/akkoma.nix - ]; - - boot.supportedFilesystems = [ "zfs" ]; - networking.hostId = hostId; - - boot.loader.grub.enable = true; - # boot.loader.grub.version = 2; - boot.loader.grub.efiSupport = false; - # boot.loader.grub.device = "nodev"; - - # This should be done automatically, but explicitly declare it just in case. - boot.loader.grub.copyKernels = true; - # Make sure that you've listed all of the boot partitions here. - boot.loader.grub.mirroredBoots = [ - { path = "/boot"; devices = [ "/dev/disk/by-id/ata-ST4000NM0245-1Z2107_ZC17GW7G" ]; } - { path = "/boot-fallback"; devices = [ "/dev/disk/by-id/ata-ST4000NM0245-1Z2107_ZC17GWB2" ]; } - ]; - - # Boot normally when one of the boot partitions are missing - fileSystems."/boot".options = [ "nofail" ]; - fileSystems."/boot-fallback".options = [ "nofail" ]; - - # Erase your darlings - boot.initrd.postDeviceCommands = lib.mkAfter '' - zfs rollback -r rpool/local/root@blank - ''; - - # NOTE: replace these to boot.initrd.availableKernelModules? - boot.kernelModules = [ "e1000e" ]; - boot.initrd.kernelModules = [ "e1000e" ]; - - boot.kernelParams = [ - # See <https:#www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for documentation. - # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip> - # The server ip refers to the NFS server -- not needed in this case. - "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8" - ]; - - boot.initrd.network.enable = true; - boot.initrd.network.ssh = { - enable = true; - - # Using the same port as the actual SSH will cause clients to throw errors - # related to host key mismatch. - port = 2222; - - # This takes 'path's, not 'string's. - hostKeys = [ - /boot/initrd-ssh-key - /boot-fallback/initrd-ssh-key - ]; - - # Public ssh key to log into the initrd ssh - authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDi7GGOGVj1Y5Sc1EW6zEdrp78dS6hvmS348pqu9dUsB openpgp:0x6BE7BD6F" ]; - }; - boot.initrd.network.postCommands = '' - cat <<EOF > /root/.profile - if pgrep -x "zfs" > /dev/null - then - zfs load-key -a - killall zfs - else - echo "ZFS is not running -- this could be a sign of failure." - fi - EOF - ''; - - - networking.hostName = hostName; - - networking.useDHCP = false; - networking.interfaces.${networkInterface} = { - ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; }; - ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; }; - }; - networking.defaultGateway = ipv4.gateway; - networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; }; - networking.nameservers = [ "8.8.8.8" ]; - - networking.firewall.enable = true; - - time.timeZone = "UTC"; - - users.users.root.initialHashedPassword = ""; - users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDi7GGOGVj1Y5Sc1EW6zEdrp78dS6hvmS348pqu9dUsB openpgp:0x6BE7BD6F" ]; - services.openssh.enable = true; - services.openssh.permitRootLogin = "prohibit-password"; - - services.openssh.hostKeys = [ - { - path = "/persist/ssh/ssh_host_ed25519_key"; - type = "ed25519"; - } - { - path = "/persist/ssh/ssh_host_rsa_key"; - type = "rsa"; - bits = 4096; - } - ]; - - # impermanence requirement - fileSystems."/persist".neededForBoot = true; - - sops.defaultSopsFile = ./secrets/secrets.yaml; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.05"; # Did you read the comment? -} - diff --git a/nixos/cobalt/hardware-configuration.nix b/nixos/cobalt/hardware-configuration.nix deleted file mode 100644 index 95ecb96..0000000 --- a/nixos/cobalt/hardware-configuration.nix +++ /dev/null @@ -1,65 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { - device = "rpool/local/root"; - fsType = "zfs"; - }; - - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/445A-0C55"; - fsType = "vfat"; - }; - - fileSystems."/boot-fallback" = - { - device = "/dev/disk/by-uuid/445C-198F"; - fsType = "vfat"; - }; - - fileSystems."/nix" = - { - device = "rpool/local/nix"; - fsType = "zfs"; - }; - - fileSystems."/home" = - { - device = "rpool/safe/home"; - fsType = "zfs"; - }; - - fileSystems."/persist" = - { - device = "rpool/safe/persist"; - fsType = "zfs"; - }; - - swapDevices = [ ]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`. - networking.useDHCP = lib.mkDefault false; - # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/nixos/cobalt/modules/git-daemon.nix b/nixos/cobalt/modules/git-daemon.nix deleted file mode 100644 index 76b395e..0000000 --- a/nixos/cobalt/modules/git-daemon.nix +++ /dev/null @@ -1,137 +0,0 @@ -{ config, lib, pkgs, ... }: -with lib; -let - - cfg = config.services.gitDaemon; - -in -{ - - ###### interface - - options = { - services.gitDaemon = { - - enable = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Enable Git daemon, which allows public hosting of git repositories - without any access controls. This is mostly intended for read-only access. - - You can allow write access by setting daemon.receivepack configuration - item of the repository to true. This is solely meant for a closed LAN setting - where everybody is friendly. - - If you need any access controls, use something else. - ''; - }; - - basePath = mkOption { - type = types.str; - default = ""; - example = "/srv/git/"; - description = lib.mdDoc '' - Remap all the path requests as relative to the given path. For example, - if you set base-path to /srv/git, then if you later try to pull - git://example.com/hello.git, Git daemon will interpret the path as /srv/git/hello.git. - ''; - }; - - exportAll = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Publish all directories that look like Git repositories (have the objects - and refs subdirectories), even if they do not have the git-daemon-export-ok file. - - If disabled, you need to touch .git/git-daemon-export-ok in each repository - you want the daemon to publish. - - Warning: enabling this without a repository whitelist or basePath - publishes every git repository you have. - ''; - }; - - repositories = mkOption { - type = types.listOf types.str; - default = [ ]; - example = [ "/srv/git" "/home/user/git/repo2" ]; - description = lib.mdDoc '' - A whitelist of paths of git repositories, or directories containing repositories - all of which would be published. Paths must not end in "/". - - Warning: leaving this empty and enabling exportAll publishes all - repositories in your filesystem or basePath if specified. - ''; - }; - - listenAddress = mkOption { - type = types.str; - default = ""; - example = "example.com"; - description = lib.mdDoc "Listen on a specific IP address or hostname."; - }; - - port = mkOption { - type = types.port; - default = 9418; - description = lib.mdDoc "Port to listen on."; - }; - - options = mkOption { - type = types.str; - default = ""; - description = lib.mdDoc "Extra configuration options to be passed to Git daemon."; - }; - - user = mkOption { - type = types.str; - default = "git"; - description = lib.mdDoc "User under which Git daemon would be running."; - }; - - group = mkOption { - type = types.str; - default = "git"; - description = lib.mdDoc "Group under which Git daemon would be running."; - }; - - createUserAndGroup = mkOption { - type = types.bool; - default = true; - description = lib.mdDoc '' - Create the specified group and user. - Disable this option if you want to use the existing user - ''; - }; - }; - }; - - ###### implementation - - config = mkIf cfg.enable { - - users.users.${cfg.user} = optionalAttrs (cfg.createUserAndGroup == true) { - uid = config.ids.uids.git; - group = cfg.group; - description = "Git daemon user"; - }; - - users.groups.${cfg.group} = optionalAttrs (cfg.createUserAndGroup == true) { - gid = config.ids.gids.git; - }; - - systemd.services.git-daemon = { - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - script = "${pkgs.git}/bin/git daemon --reuseaddr " - + (optionalString (cfg.basePath != "") "--base-path=${cfg.basePath} ") - + (optionalString (cfg.listenAddress != "") "--listen=${cfg.listenAddress} ") - + "--port=${toString cfg.port} --user=${cfg.user} --group=${cfg.group} ${cfg.options} " - + "--verbose " + (optionalString cfg.exportAll "--export-all ") + concatStringsSep " " cfg.repositories; - }; - - }; - -} diff --git a/nixos/cobalt/modules/soju.nix b/nixos/cobalt/modules/soju.nix deleted file mode 100644 index d14082c..0000000 --- a/nixos/cobalt/modules/soju.nix +++ /dev/null @@ -1,132 +0,0 @@ -# Not an overlay, module replacement -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.soju; - stateDir = "/var/lib/soju"; - listenCfg = concatMapStringsSep "\n" (l: "listen ${l}") cfg.listen; - tlsCfg = optionalString (cfg.tlsCertificate != null) - "tls ${cfg.tlsCertificate} ${cfg.tlsCertificateKey}"; - logCfg = optionalString cfg.enableMessageLogging - "log fs ${stateDir}/logs"; - - configFile = pkgs.writeText "soju.conf" '' - ${listenCfg} - hostname ${cfg.hostName} - ${tlsCfg} - db sqlite3 ${stateDir}/soju.db - ${logCfg} - http-origin ${concatStringsSep " " cfg.httpOrigins} - accept-proxy-ip ${concatStringsSep " " cfg.acceptProxyIP} - - ${cfg.extraConfig} - ''; -in -{ - ###### interface - - options.services.soju = { - enable = mkEnableOption (lib.mdDoc "soju"); - - listen = mkOption { - type = types.listOf types.str; - default = [ ":6697" ]; - description = lib.mdDoc '' - Where soju should listen for incoming connections. See the - `listen` directive in - {manpage}`soju(1)`. - ''; - }; - - hostName = mkOption { - type = types.str; - default = config.networking.hostName; - defaultText = literalExpression "config.networking.hostName"; - description = lib.mdDoc "Server hostname."; - }; - - tlsCertificate = mkOption { - type = types.nullOr types.path; - default = null; - example = "/var/host.cert"; - description = lib.mdDoc "Path to server TLS certificate."; - }; - - tlsCertificateKey = mkOption { - type = types.nullOr types.path; - default = null; - example = "/var/host.key"; - description = lib.mdDoc "Path to server TLS certificate key."; - }; - - enableMessageLogging = mkOption { - type = types.bool; - default = true; - description = lib.mdDoc "Whether to enable message logging."; - }; - - httpOrigins = mkOption { - type = types.listOf types.str; - default = [ ]; - description = lib.mdDoc '' - List of allowed HTTP origins for WebSocket listeners. The parameters are - interpreted as shell patterns, see - {manpage}`glob(7)`. - ''; - }; - - acceptProxyIP = mkOption { - type = types.listOf types.str; - default = [ ]; - description = lib.mdDoc '' - Allow the specified IPs to act as a proxy. Proxys have the ability to - overwrite the remote and local connection addresses (via the X-Forwarded-\* - HTTP header fields). The special name "localhost" accepts the loopback - addresses 127.0.0.0/8 and ::1/128. By default, all IPs are rejected. - ''; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = lib.mdDoc "Lines added verbatim to the configuration file."; - }; - - extraGroups = mkOption { - type = types.listOf types.str; - default = [ ]; - description = lib.mdDoc "Extra groups for the dynamic user."; - }; - }; - - ###### implementation - - config = mkIf cfg.enable { - assertions = [ - { - assertion = (cfg.tlsCertificate != null) == (cfg.tlsCertificateKey != null); - message = '' - services.soju.tlsCertificate and services.soju.tlsCertificateKey - must both be specified to enable TLS. - ''; - } - ]; - - systemd.services.soju = { - description = "soju IRC bouncer"; - wantedBy = [ "multi-user.target" ]; - after = [ "network-online.target" ]; - serviceConfig = { - DynamicUser = true; - SupplementaryGroups = cfg.extraGroups; - Restart = "always"; - ExecStart = "${pkgs.soju}/bin/soju -config ${configFile}"; - StateDirectory = "soju"; - }; - }; - }; - - meta.maintainers = with maintainers; [ malvo ]; -} diff --git a/nixos/cobalt/secrets/secrets.yaml b/nixos/cobalt/secrets/secrets.yaml deleted file mode 100644 index bbc771a..0000000 --- a/nixos/cobalt/secrets/secrets.yaml +++ /dev/null @@ -1,44 +0,0 @@ -hetzner-dns-key: ENC[AES256_GCM,data:Ir3gRLc8XXIOC8Vjm43gLAmuhyDw5wysOsTCXlJfBQTcpingEbCENc4+eziStyF6,iv:5R4k9Yb8AJjavSivhs19RWrNh7r3rtkrbB6HdZZudqc=,tag:2tFXwQOXKZKYt/qwfsRr7A==,type:str] -matrix-server-key: ENC[AES256_GCM,data:QZD2CkgHco86GQBb3dQKjBX8oRQ44R7lsK+ZOPzCjtE5Su338b8Tzj5NoKepuodRsdprUPO62yTSIbRFA79E34y4T5oXoq4UyFXX32MfsThVaqxPgyGh369jYfTx405RFGCfxLTXwLTrsHeR3oPm3q9QTWOWRwPQw3NWznq0b+0SJLbA8wQx/cE=,iv:wv93ER7yhvNg87EhmMSR3QoK6ThTrBhhhe2f5zGS3mU=,tag:NV8TvGTnTTF0U4LiRAlFcQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2023-02-06T09:17:19Z" - mac: ENC[AES256_GCM,data:MvOZ8lkcuULUa82fL7DqT2Qkl89+z42O+CivmD1iuFroYQ2NUtLAf5Nn58Ta/Lj8YhI4Y/RiMM8l/1Kbn/FbC6oLMLhj+5P7n3s/4W5tW+OlXgd0qLorZHqdx/WTra84QmoII9KA/F4UHcJML2xbRPGZDZ5m9VkIfgMd3s4r+ps=,iv:z8nx0yqvY1bXOJ2APh6wVyITXOOzpuyZuiHt/PrYDKI=,tag:0pJLyfY8U8tCj2IUFQmz2g==,type:str] - pgp: - - created_at: "2023-02-05T09:56:11Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4Dr9flwPWa1q8SAQdAtFIasB4kQZqTb7d1+2X6i3W7xHM/BnU87nUBzjgARwAw - cDezIZDi9L0IKZt/pui44uCJHBQKLZ9rGHuVKqY3R0Hsv06D2Lmgm6z9agano1JZ - 0l4BUstc9knAl/dqAoNcLs+0Ehb84EYUxPfJowAnZaDbH5oaB0ke24Ug6gpHnejc - 2eilh+Gnu4hEtrob//BQ0FSEn/PlLHjedqKJuJG0+w19sTZD5BPPj2ydbWLU6DYL - =3baE - -----END PGP MESSAGE----- - fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2 - - created_at: "2023-02-05T09:56:11Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA3dNSJXrkRcDAQ/8DD0yVDj+CfykNQ6GupMBfKpNrEByupAijeMQKrPGSLAi - TKI0vi7Bh5UwxbhS9DZWnZqDnApba0/0S4t7oeRNTGjDusZJ4C1pglQY022hRvzh - AGvWwVnilg57ccqWW42eScqGL9ohtRTc2nFjWEXr2rc9w4CyjxzT46ZmYUo1zV7B - XXTn5TdpcRiFx81rvriW+L2BLE4Bd0nUeNxnL7FWG9mO+yaJtuv0lXtO5A3cGTn1 - 0hERax7VyCxzV78PHHtYVzkSY5ZVfpLH8su/Wg3dgMa6goMFmufnXPFr1l3HCQMH - oF2qEaWu3mP8efpSgstCDFMlH+i8wAbhPMFVwcN8kxPox9JACGmlqIvbCgOOwfKQ - eoQKkZPRpNuuK3e/+NddFqf+Eex5lh7v+iFk6PXZWqxzdOAjenWR53Gww5gFBJj+ - bt6qvS/8Z7Hq8zNWD1eHhUj+ywazxuUrtUz7TOMRbfcGqaeFTAJntTc1pIu4GNcA - ut0fSyQr/xoTxv4J1Zyz4GnAzuJKE4fB4LCeonXLwIEU/MsV0sNKwUcgRL4oimYO - xDJ44rbKzHNX1cmmh3bVrdezJSqTNiG/5DCdYi8iqGcUzvUfkhhzT44VcUI7MIgI - VhLLk21M3eITbXKNPbOvkbXm/y1EeDeVNLg1JeqcXA43V5RBOKw3qKFheD+Se3bS - WAHZQxWslmuEvXVgWiewK+sh0x3uY7dCHN3Tcs1dggonAZBD1MIaKNutmPT1h8Nx - NtXsIaXB23oTv5xZ7R6b5B0NnVUFFok4VzYwSZBxPDBX9RQp9ErYX/o= - =uD2V - -----END PGP MESSAGE----- - fp: 9794c486d5673ff6613f6cde774d4895eb911703 - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/nixos/cobalt/services/README.md b/nixos/cobalt/services/README.md deleted file mode 100644 index 89d9ca5..0000000 --- a/nixos/cobalt/services/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# colmena/cobalt/services - -A list of 'pluggable' services. -TODO: this should be moved to /modules/ and -converted to modules. diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix deleted file mode 100644 index f8816d4..0000000 --- a/nixos/cobalt/services/acme.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ config, ... }: - -let - poorObfuscation = y: x: "${x}@${y}"; -in -{ - sops.secrets.hetzner-dns-key = { - owner = "acme"; - }; - - security.acme = { - acceptTerms = true; - defaults.email = poorObfuscation "sefidel.com" "postmaster"; - certs = { - "sefidel.com" = { - domain = "sefidel.com"; - extraDomainNames = [ - "bouncer.sefidel.com" - "git.sefidel.com" - "matrix.sefidel.com" - "social.sefidel.com" - ]; - dnsProvider = "hetzner"; - dnsPropagationCheck = true; - credentialsFile = config.sops.secrets.hetzner-dns-key.path; - }; - }; - }; - - environment.persistence."/persist".directories = [ - "/var/lib/acme" - ]; -} diff --git a/nixos/cobalt/services/akkoma-assets/blocklist.toml b/nixos/cobalt/services/akkoma-assets/blocklist.toml deleted file mode 100644 index e5eac7a..0000000 --- a/nixos/cobalt/services/akkoma-assets/blocklist.toml +++ /dev/null @@ -1,163 +0,0 @@ -[followers_only] - -[media_nsfw] - -[reject] -"*.tk" = "Free TLD" -"*.ml" = "Free TLD" -"*.ga" = "Free TLD" -"*.cf" = "Free TLD" -"*.gq" = "Free TLD" -# Reject list from chaos.social at 2023-02-06 -"activitypub-proxy.cf" = "Only exists to evade instance blocks, details" -"activitypub-troll.cf" = "Spam" -"aethy.com" = "Lolicon" -"bae.st" = "Discrimination, racism, “free speech zone”" -"baraag.net" = "Lolicon" -"banepo.st" = "Homophobia" -"beefyboys.club" = "Discrimination, racism, “free speech zone”" -"beefyboys.win" = "Discrimination, racism, “free speech zone”" -"beta.birdsite.live" = "Twitter crossposter" -"birb.elfenban.de" = "Twitter crossposter" -"bird.evilcyberhacker.net" = "Twitter crossposter" -"bird.froth.zone" = "Twitter crossposter" -"bird.geiger.ee" = "Twitter crossposter" -"bird.im-in.space" = "Twitter crossposter" -"bird.istheguy.com" = "Twitter crossposter" -"bird.karatek.net" = "Twitter crossposter" -"bird.makeup" = "Twitter crossposter" -"bird.nzbr.de" = "Twitter crossposter" -"bird.r669.live" = "Twitter crossposter" -"bird.seafoam.space" = "Twitter crossposter" -"birdbots.leptonics.com" = "Twitter crossposter" -"birdsite.b93.dece.space" = "Twitter crossposter" -"birdsite.blazelights.dev" = "Twitter crossposter" -"birdsite.frog.fashion" = "Twitter crossposter" -"birdsite.gabeappleton.me" = "Twitter crossposter" -"birdsite.james.moody.name" = "Twitter crossposter" -"birdsite.koyu.space" = "Twitter crossposter" -"birdsite.lakedrops.com" = "Twitter crossposter" -"birdsite.link" = "Twitter crossposter" -"birdsite.monster" = "Twitter crossposter" -"birdsite.oliviaappleton.com" = "Twitter crossposter" -"birdsite.platypush.tech" = "Twitter crossposter" -"birdsite.slashdev.space" = "Twitter crossposter" -"birdsite.tcjc.uk" = "Twitter crossposter" -"birdsite.thorlaksson.com" = "Twitter crossposter" -"birdsite.toot.si" = "Twitter crossposter" -"birdsite.wilde.cloud" = "Twitter crossposter" -"birdsitelive.ffvo.dev" = "Twitter crossposter" -"birdsitelive.kevinyank.com" = "Twitter crossposter" -"birdsitelive.peanutlasko.com" = "Twitter crossposter" -"birdsitelive.treffler.cloud" = "Twitter crossposter" -"bridge.birb.space" = "Twitter crossposter" -"brighteon.social" = "“free speech zone”" -"cawfee.club" = "Discrimination, racism, “free speech zone”" -"childpawn.shop" = "Pedophilia" -"chudbuds.lol" = "Discrimination, racism, “free speech zone”" -"club.darknight-coffee.eu" = "“free speech zone”" -"clubcyberia.co" = "Homophobia" -"clube.social" = "Harassment" -"comfyboy.club" = "Discrimination, racism" -"cum.camp" = "Harassment" -"cum.salon" = "Misogynic, pedophilia" -"daishouri.moe" = "Fascism, openly advertises with swastika" -"detroitriotcity.com" = "Discrimination, racism, “free speech zone”" -"eientei.org" = "Racism, antisemitism" -"eveningzoo.club" = "Discrimination, racism, “free speech zone”" -"f.haeder.net" = "Discrimination" -"freak.university" = "Pedophilia" -"freeatlantis.com" = "Conspiracy theory instance" -"freecumextremist.com" = "Discrimination, racism, “free speech zone”" -"freefedifollowers.ga" = "Follower spam" -"freespeechextremist.com" = "Discrimination, racism, “free speech zone”" -"frennet.link" = "Discrimination, racism, “free speech zone”" -"froth.zone" = "Calls freespeechextremist their local bubble" -"gab.com/.ai, develop.gab.com" = "Discrimination, racism, “free speech zone”" -"gameliberty.club" = "“free speech zone”" -"gegenstimme.tv" = "“free speech zone”" -"genderheretics.xyz" = "Tagline “Now With 41% More Misgendering!”" -"gitmo.life" = "“free speech zone”" -"gleasonator.com" = "Transphobia, TERFs" -"glindr.org" = "Discrimination" -"glowers.club" = "Discrimination, racism, “free speech zone”" -"honkwerx.tech" = "Racism" -"iamterminally.online" = "Discrimination, racism, “free speech zone”" -"iddqd.social" = "Discrimination, racism, “free speech zone”" -"itmslaves.com" = "“free speech zone”, noagenda affiliated" -"jaeger.website" = "Discrimination, racism, “free speech zone”" -"kenfm.quadplay.tv" = "Conspiracy videos" -"kiwifarms.cc" = "Discrimination" -"lgbtfree.zone" = "Racism, transphobia, all that" -"liberdon.com" = "Conspiracy theories, transphobia, racism" -"libre.tube" = "Promotion of violence and murder, multiple other violations of our rules" -"lolicon.rocks" = "Lolicon" -"lolison.top" = "Lolicon, paedophilia" -"mastinator.com" = "Block evasion, unwanted profile mirroring, and more" -"mastodon.network" = "Instance went down, now porn spam" -"mastodon.popps.org" = "Homophobia" -"mastodong.lol" = "Admin maintains and runs activitypub-proxy.cf" -"meta-tube.de" = "Conspiracy, CoVid19 denier videos https://fediblock.org/blocklist/#meta-tube.de" -"midnightride.rs" = "Discrimination" -"misskey-forkbomb.cf" = "Spam" -"morale.ch" = "Antisemitism and more" -"mstdn.foxfam.club" = "Right wing twitter mirror" -"natehiggers.online" = "Racism" -"newjack.city" = "Exclusive to unwanted follow bots" -"nicecrew.digital" = "Discrimination, racism, “free speech zone”" -"noagendasocial.com" = "“free speech zone”, harassment" -"noagendasocial.nl" = "“free speech zone”, harassment" -"noagendatube.com" = "“free speech zone”, harassment" -"ns.auction" = "Racism etc" -"ohai.su" = "Offline" -"pawoo.net" = "Untagged nfsw content, unwanted follow bots, lolicon" -"paypig.org" = "Racism" -"pieville.net" = "Racism, antisemitism" -"pl.serialmay.link" = "Racism, transphobia" -"pl.tkammer.de" = "Transphobia" -"play.xmr.101010.pl" = "Cryptomining" -"pleroma.kitsunemimi.club" = "Discrimination" -"pleroma.narrativerry.xyz" = "Discrimination, racism, “free speech zone”" -"pleroma.nobodyhasthe.biz" = "Doxxing and discrimination" -"pleroma.rareome.ga" = "Doesn’t respect blocks or status privacy, lolicons" -"poa.st" = "Discrimination" -"podcastindex.social" = "noagenda affiliated" -"poster.place" = "Discrimination, racism, “free speech zone”, harassment in response to blocks" -"qoto.org" = "“free speech zone”, harassment" -"rapemeat.solutions" = "Lolicon and also, like, the domain name" -"rdrama.cc" = "Discrimination, “free speech zone”, racism" -"repl.co" = "Spam" -"rojogato.com" = "Harassment, “free speech zone”" -"ryona.agency" = "Alt-right trolls, harassment" -"seal.cafe" = "Discrimination, racism, “free speech zone”" -"shitpost.cloud" = "“Free speech zone”, antisemitism" -"shitposter.club" = "“Free speech zone”" -"shortstackran.ch" = "Racism, homophobia, “free speech zone”" -"shota.house" = "Lolicon" -"skippers-bin.com" = "Same admin as neckbeard.xyz, same behaviour" -"sleepy.cafe" = "Racism, harassment" -"sneak.berlin" = "privacy violation" -"sneed.social" = "Discrimination, racism, “free speech zone”, nationalism, hate speech, completely unmoderated" -"soc.ua-fediland.de" = "Spam" -"social.ancreport.com" = "Discrimination, racism, “free speech zone”" -"social.lovingexpressions.net" = "Transphobia" -"social.teci.world" = "Discrimination, racism, “free speech zone”" -"social.urspringer.de" = "Conspiracy, CoVid19 denier" -"socnet.supes.com" = "Right wing “free speech zone”" -"solagg.com" = "Scammers" -"spinster.xyz" = "Discrimination, TERFs" -"tastingtraffic.net" = "Homophobia" -"truthsocial.co.in" = "Alt-right trolls" -"tube.kenfm.de" = "Right-wing conspiracy videos" -"tube.querdenken-711.de" = "Right-wing onspiracy videos" -"tweet.pasture.moe" = "Twitter crossposter" -"tweetbridge.kogasa.de" = "Twitter crossposter" -"tweets.icu" = "Twitter crossposter" -"twitter.activitypub.actor" = "Twitter crossposter" -"twitter.doesnotexist.club" = "Twitter crossposter" -"twitterbridge.jannis.rocks" = "Twitter crossposter" -"twtr.plus" = "Twitter crossposter" -"varishangout.net" = "Transphobia and racism go unmoderated, aggressive trolling, lolicon permitted in rules" -"wiki-tube.de" = "Right-wing conspiracy videos (initial video welcomes Querdenken and KenFM)" -"wolfgirl.bar" = "Discrimination, homophobia, unmoderated trolling" -"yggdrasil.social" = "Instance rules: “No LGBTQ. Period. No homosexuality. No men who think they’re women or women who think they’re men. No made up genders.”" diff --git a/nixos/cobalt/services/akkoma-assets/logo.png b/nixos/cobalt/services/akkoma-assets/logo.png deleted file mode 100644 index 7744b1a..0000000 --- a/nixos/cobalt/services/akkoma-assets/logo.png +++ /dev/null Binary files differdiff --git a/nixos/cobalt/services/akkoma-assets/logo.svg b/nixos/cobalt/services/akkoma-assets/logo.svg deleted file mode 100644 index 68e647e..0000000 --- a/nixos/cobalt/services/akkoma-assets/logo.svg +++ /dev/null @@ -1,71 +0,0 @@ -<?xml version="1.0" encoding="UTF-8" standalone="no"?> -<svg - xmlns:dc="http://purl.org/dc/elements/1.1/" - xmlns:cc="http://creativecommons.org/ns#" - xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" - xmlns:svg="http://www.w3.org/2000/svg" - xmlns="http://www.w3.org/2000/svg" - xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd" - xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" - version="1.1" - id="svg4485" - width="512" - height="512" - viewBox="0 0 512 512" - sodipodi:docname="logo.svg" - inkscape:version="1.0.1 (3bc2e813f5, 2020-09-07)"> - <metadata - id="metadata4491"> - <rdf:RDF> - <cc:Work - rdf:about=""> - <dc:format>image/svg+xml</dc:format> - <dc:type - rdf:resource="http://purl.org/dc/dcmitype/StillImage" /> - <dc:title /> - </cc:Work> - </rdf:RDF> - </metadata> - <defs - id="defs4489" /> - <sodipodi:namedview - pagecolor="#ffffff" - bordercolor="#666666" - borderopacity="1" - objecttolerance="10" - gridtolerance="10" - guidetolerance="10" - inkscape:pageopacity="0" - inkscape:pageshadow="2" - inkscape:window-width="1274" - inkscape:window-height="1410" - id="namedview4487" - showgrid="false" - inkscape:zoom="1.2636719" - inkscape:cx="305.99333" - inkscape:cy="304.30809" - inkscape:window-x="1280" - inkscape:window-y="22" - inkscape:window-maximized="0" - inkscape:current-layer="g4612" - inkscape:document-rotation="0" /> - <g - id="g4612"> - <g - id="g850" - transform="matrix(0.99659595,0,0,0.99659595,0.37313949,0.87143746)"> - <path - style="opacity:1;fill:#fba457;fill-opacity:1;stroke:#009bff;stroke-width:0;stroke-linecap:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:0.175879" - d="m 194.75841,124.65165 a 20.449443,20.449443 0 0 0 -20.44944,20.44945 v 242.24725 h 65.28091 v -262.6967 z" - id="path4497" /> - <path - style="fill:#fba457;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="M 272.6236,124.65165 V 256 h 45.61799 a 20.449443,20.449443 0 0 0 20.44944,-20.44945 v -110.8989 z" - id="path4516" /> - <path - style="opacity:1;fill:#fba457;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" - d="m 272.6236,322.06744 v 65.28091 h 45.61799 a 20.449443,20.449443 0 0 0 20.44944,-20.44945 v -44.83146 z" - id="path4516-5" /> - </g> - </g> -</svg> diff --git a/nixos/cobalt/services/akkoma-assets/robots.txt b/nixos/cobalt/services/akkoma-assets/robots.txt deleted file mode 100644 index 1f53798..0000000 --- a/nixos/cobalt/services/akkoma-assets/robots.txt +++ /dev/null @@ -1,2 +0,0 @@ -User-agent: * -Disallow: / diff --git a/nixos/cobalt/services/akkoma.nix b/nixos/cobalt/services/akkoma.nix deleted file mode 100644 index c390e7d..0000000 --- a/nixos/cobalt/services/akkoma.nix +++ /dev/null @@ -1,57 +0,0 @@ -{ pkgs, lib, ... }: - -let - poorObfuscation = y: x: "${x}@${y}"; - federation-blocklist = lib.importTOML ./akkoma-assets/blocklist.toml; - - # ifd3f/infra - wrapFile = name: path: - (pkgs.runCommand name { inherit path; } '' - cp -r "$path" "$out" - ''); -in -{ - services.akkoma = { - enable = true; - initDb.enable = true; - - extraStatic = { - "static/logo.svg" = wrapFile "logo.svg" ./akkoma-assets/logo.svg; - "static/logo.png" = wrapFile "logo.png" ./akkoma-assets/logo.png; - }; - config = let inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkMap; - in { - ":pleroma"."Pleroma.Web.Endpoint".url.host = "social.sefidel.com"; - ":pleroma".":media_proxy".enabled = false; - ":pleroma".":instance" = { - name = "Akkoma on sefidel"; - description = "Private akkoma instance"; - email = poorObfuscation "sefidel.com" "postmaster"; - notify_email = poorObfuscation "sefidel.com" "postmaster"; - - registrations_open = false; - invites_enabled = true; - - limit = 5000; - }; - ":pleroma".":frontend_configurations" = { - pleroma_fe = mkMap { - logo = "/static/logo.png"; - }; - }; - ":pleroma".":mrf" = { - policies = map mkRaw [ "Pleroma.Web.ActivityPub.MRF.SimplePolicy" ]; - }; - ":pleroma".":mrf_simple" = { - followers_only = mkMap federation-blocklist.followers_only; - media_nsfw = mkMap federation-blocklist.media_nsfw; - reject = mkMap federation-blocklist.reject; - }; - }; - - nginx = { - forceSSL = true; - useACMEHost = "sefidel.com"; - }; - }; -} diff --git a/nixos/cobalt/services/cgit.nix b/nixos/cobalt/services/cgit.nix deleted file mode 100644 index c0cd948..0000000 --- a/nixos/cobalt/services/cgit.nix +++ /dev/null @@ -1,105 +0,0 @@ -{ pkgs, ... }: - -{ - services.uwsgi = { - enable = true; - user = "nginx"; - group = "nginx"; - plugins = [ "cgi" ]; - - instance = { - type = "emperor"; - vassals = { - cgit = { - type = "normal"; - master = true; - socket = "/run/uwsgi/cgit.sock"; - procname-master = "uwsgi cgit"; - plugins = [ "cgi" ]; - cgi = "${pkgs.cgit-pink}/cgit/cgit.cgi"; - }; - }; - }; - }; - - users.extraUsers.nginx.extraGroups = [ "git" ]; - - services.nginx.virtualHosts."git.sefidel.com" = { - forceSSL = true; - useACMEHost = "sefidel.com"; - root = "${pkgs.cgit-pink}/cgit"; - locations = { - "/" = { - extraConfig = '' - try_files $uri @cgit; - ''; - }; - "@cgit" = { - extraConfig = '' - uwsgi_pass unix:/run/uwsgi/cgit.sock; - include ${pkgs.nginx}/conf/uwsgi_params; - uwsgi_modifier1 9; - ''; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - systemd.services.create-cgit-cache = { - description = "Create cache directory for cgit"; - enable = true; - - script = '' - mkdir -p /run/cgit - chown -R nginx:nginx /run/cgit - ''; - - wantedBy = [ "uwsgi.service" ]; - serviceConfig = { - Type = "oneshot"; - }; - }; - - environment.etc."cgitrc".text = '' - virtual-root=/ - - cache-size=1000 - cache-root=/run/cgit - - root-title=sefidel git - root-desc=Exotic place. - - snapshots=tar.gz zip - - enable-git-config=1 - remove-suffix=1 - - enable-git-clone=1 - enable-index-links=1 - enable-commit-graph=1 - enable-log-filecount=1 - enable-log-linecount=1 - - branch-sort=age - - readme=:README - readme=:readme - readme=:README.md - readme=:readme.md - readme=:README.org - readme=:readme.org - - source-filter=${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py - about-filter=${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh - - section-from-path=2 - - project-list=/var/lib/gitolite/projects.list - scan-path=/var/lib/gitolite/repositories - ''; - - imports = [ - ./nginx.nix - ]; -} diff --git a/nixos/cobalt/services/dendrite.nix b/nixos/cobalt/services/dendrite.nix deleted file mode 100644 index af1af32..0000000 --- a/nixos/cobalt/services/dendrite.nix +++ /dev/null @@ -1,157 +0,0 @@ -{ config, ... }: - -let - database = { - connection_string = "postgres:///dendrite?host=/run/postgresql"; - max_open_conns = 97; - max_idle_conns = 5; - conn_max_lifetime = -1; - }; -in -{ - # Adapted from Mic92/dotfiles, (C) 2021 Jörg Thalheim (MIT) - sops.secrets.matrix-server-key = { }; - - services.dendrite = { - enable = true; - settings = { - global = { - server_name = "sefidel.com"; - # `private_key` has the type `path` - # prefix a `/` to make `path` happy - private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key"; - trusted_third_party_id_servers = [ - "matrix.org" - "vector.im" - ]; - metrics.enable = true; - }; - logging = [ - { - type = "std"; - level = "warn"; - } - ]; - app_service_api = { - inherit database; - config_files = [ ]; - }; - client_api = { - registration_disabled = true; - rate_limiting.enabled = false; - # registration_shared_secret = ""; # Initially set this option to configure the admin user. - }; - media_api = { - inherit database; - dynamic_thumbnails = true; - }; - room_server = { - inherit database; - }; - push_server = { - inherit database; - }; - mscs = { - inherit database; - mscs = [ "msc2836" "msc2946" ]; - }; - sync_api = { - inherit database; - real_ip_header = "X-Real-IP"; - }; - key_server = { - inherit database; - }; - federation_api = { - inherit database; - key_perspectives = [ - { - server_name = "matrix.org"; - keys = [ - { - key_id = "ed25519:auto"; - public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw"; - } - { - key_id = "ed25519:a_RXGa"; - public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ"; - } - ]; - } - ]; - prefer_direct_fetch = false; - }; - user_api = { - account_database = database; - device_database = database; - }; - }; - loadCredential = [ "matrix-server-key:${config.sops.secrets.matrix-server-key.path}" ]; - }; - - environment.persistence."/persist".directories = [ - "/var/lib/private/dendrite" - ]; - - services.postgresql.enable = true; - services.postgresql.ensureDatabases = [ "dendrite" ]; - services.postgresql.ensureUsers = [ - { - name = "dendrite"; - ensurePermissions."DATABASE dendrite" = "ALL PRIVILEGES"; - } - ]; - - - services.nginx.virtualHosts."matrix.sefidel.com" = { - forceSSL = true; - useACMEHost = "sefidel.com"; - listen = [ - { addr = "0.0.0.0"; port = 443; ssl = true; } - { addr = "[::]"; port = 443; ssl = true; } - { addr = "0.0.0.0"; port = 8448; ssl = true; } - { addr = "[::]"; port = 8448; ssl = true; } - - ]; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_read_timeout 600; - client_max_body_size 50M; - ''; - locations."/_matrix".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}"; - locations."/_dendrite".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}"; - locations."/_synapse".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}"; - # TODO: web client - }; - - services.nginx.virtualHosts."sefidel.com" = - let - server-hello = { "m.server" = "matrix.sefidel.com:443"; }; - client-hello = { - "m.homeserver"."base_url" = "https://matrix.sefidel.com"; - "m.identity_server"."base_url" = "https://vector.im"; - }; - in - { - forceSSL = true; - useACMEHost = "sefidel.com"; - locations = { - "/.well-known/matrix/server" = { - extraConfig = '' - add_header Content-Type application/json; - return 200 '${builtins.toJSON server-hello}'; - ''; - }; - "/.well-known/matrix/client" = { - extraConfig = '' - add_header Content-Type application/json; - add_header Access-Control-Allow-Origin *; - return 200 '${builtins.toJSON client-hello}'; - ''; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 8448 ]; -} diff --git a/nixos/cobalt/services/fail2ban.nix b/nixos/cobalt/services/fail2ban.nix deleted file mode 100644 index 9731ef6..0000000 --- a/nixos/cobalt/services/fail2ban.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ - services.fail2ban = { - enable = true; - }; -} diff --git a/nixos/cobalt/services/git-daemon.nix b/nixos/cobalt/services/git-daemon.nix deleted file mode 100644 index 21e957e..0000000 --- a/nixos/cobalt/services/git-daemon.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ - services.gitDaemon = { - enable = true; - createUserAndGroup = false; - basePath = "/var/lib/gitolite/repositories"; - }; - - networking.firewall.allowedTCPPorts = [ 9418 ]; - - disabledModules = [ "services/networking/git-daemon.nix" ]; - - imports = [ - ../modules/git-daemon.nix - ]; -} diff --git a/nixos/cobalt/services/gitolite-noncore/fix-refs b/nixos/cobalt/services/gitolite-noncore/fix-refs deleted file mode 100644 index 8ffec9e..0000000 --- a/nixos/cobalt/services/gitolite-noncore/fix-refs +++ /dev/null @@ -1,9 +0,0 @@ -[[ $4 == W ]] || exit 0 - -cd $GL_REPO_BASE/$2.git - -head=`git symbolic-ref HEAD` -[[ -f $head ]] || { - set -- refs/heads/* - git symbolic-ref HEAD $1 -} diff --git a/nixos/cobalt/services/gitolite-noncore/rename b/nixos/cobalt/services/gitolite-noncore/rename deleted file mode 100644 index 00aa5ca..0000000 --- a/nixos/cobalt/services/gitolite-noncore/rename +++ /dev/null @@ -1,62 +0,0 @@ - -# Usage: ssh git@host rename [-c] <repo1> <repo2> -# -# Renames repo1 to repo2. You must be the creator of repo1, and have -# create ("C") permissions for repo2, which of course must not exist. -# Alternatively you must be an account admin, that is, you must have -# write access to the gitolite-admin repository. If you have "C" -# permissions for repo2 then you can use the -c option to take over -# as creator of the repository. - -die() { echo "$@" >&2; exit 1; } -usage() { perl -lne 'print substr($_, 2) if /^# Usage/../^$/' < $0; exit 1; } -[ -z "$1" ] && usage -[ "$1" = "-h" ] && usage -[ -z "$GL_USER" ] && die GL_USER not set - -# ---------------------------------------------------------------------- - -if [ "$1" = "-c" ] -then shift - takeover=true -else takeover=false -fi - -from="$1"; shift -to="$1"; shift -[ -z "$to" ] && usage - -topath=$GL_REPO_BASE/$to.git - -checkto() { - gitolite access -q "$to" $GL_USER ^C any || - die "'$to' already exists or you are not allowed to create it" -} - -if gitolite access -q gitolite-admin $GL_USER -then - # the user is an admin so we can avoid most permission checks - if $takeover - then checkto - elif [ -e $topath ] - then die "'$to' already exists" - fi -else - # the user isn't an admin, so do all the checks - checkto - gitolite creator "$from" $GL_USER || - die "'$from' does not exist or you are not allowed to delete it" -fi - -# ---------------------------------------------------------------------- - -mv $GL_REPO_BASE/$from.git $topath -[ $? -ne 0 ] && exit 1 - -$takeover && echo $GL_USER > $topath/gl-creator - -[ -f "$HOME/projects.list" ] && sed "s:$from.git$:$to.git:g" -i "$HOME/projects.list" - -echo "$from renamed to $to" >&2 - -exit diff --git a/nixos/cobalt/services/gitolite.nix b/nixos/cobalt/services/gitolite.nix deleted file mode 100644 index 94c7ac9..0000000 --- a/nixos/cobalt/services/gitolite.nix +++ /dev/null @@ -1,109 +0,0 @@ -{ pkgs, ... }: - -let - # https://groups.google.com/g/gitolite/c/NwZ1-hq9-9E/m/mDbiKyAvDwAJ - fixRefsTrigger = pkgs.writeText "fix-refs" '' - [[ $4 == W ]] || exit 0 - - cd $GL_REPO_BASE/$2.git - - head=`git symbolic-ref HEAD` - [[ -f $head ]] || { - set -- refs/heads/* - git symbolic-ref HEAD $1 - } - ''; -in -{ - services.gitolite = { - enable = true; - user = "git"; - group = "git"; - adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDi7GGOGVj1Y5Sc1EW6zEdrp78dS6hvmS348pqu9dUsB openpgp:0x6BE7BD6F"; - extraGitoliteRc = '' - $RC{UMASK} = 0027; - $RC{GIT_CONFIG_KEYS} = '.*'; - $RC{ROLES}{OWNERS} = 1; - $RC{OWNER_ROLENAME} = 'OWNERS'; - # For some unknown reason, $ENV{HOME} doesn't get resolved to the correct - # directory. - # $RC{LOCAL_CODE} = '$ENV{HOME}/local'; - $RC{LOCAL_CODE} = '/var/lib/gitolite/local'; - push(@{$RC{ENABLE}}, 'D'); - push(@{$RC{ENABLE}}, 'symbolic-ref'); - push(@{$RC{ENABLE}}, 'rename'); - push(@{$RC{POST_GIT}}, 'fix-refs'); - # push(@{$RC{ENABLE}}, 'set-default-roles'); - # push(@{$RC{ENABLE}}, 'create'); - # push(@{$RC{ENABLE}}, 'fork'); - - ''; - }; - - environment.persistence."/persist".directories = [ - "/var/lib/gitolite" - ]; - - system.activationScripts.gitolite-create-local = '' - mkdir -p /var/lib/gitolite/local/triggers - mkdir -p /var/lib/gitolite/local/commands - chown -R git:git /var/lib/gitolite/local - ''; - - systemd.tmpfiles.rules = [ - "C /var/lib/gitolite/local/triggers/fix-refs 755 - - - ${./gitolite-noncore/fix-refs}" - "C /var/lib/gitolite/local/commands/rename 755 - - - ${./gitolite-noncore/rename}" - ]; - - - systemd.timers."gitolite-trash-cleanup" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "*-*-* 00:00:00"; - Unit = "gitolite-trash-cleanup.service"; - }; - }; - - systemd.services."gitolite-trash-cleanup" = { - script = '' - set -euo pipefail - if [ ! -d "Trash" ] ; then - echo Trash directory is nonexistent! - echo No operations to perform. Exiting. - exit 0 - fi - - match=$(find Trash -type d -regextype posix-extended -regex ".*/[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}:[0-9]{2}:[0-9]{2}$") - processed_entry=0 - removed_entry=0 - - for dir in $match - do - system_timestamp=$(date +%s) - trash_timestamp=$(basename $dir | sed -e "s/_/ /g" | date -f - +%s) - age=$(( $system_timestamp - $trash_timestamp )) - # Wipe trashes older than 2w - if [[ age -gt 1209600 ]] ; then - echo "Removing '$dir' (age $age)" - rm -rf $dir - ((removed_entry+=1)) - fi - ((processed_entry+=1)) - done - - echo "Directories that needs cleanup:" - find Trash -type d -empty -print -delete - echo "Cleaned empty directories." - - echo "Done! Removed $removed_entry/$processed_entry" - ''; - - path = with pkgs; [ bash util-linux coreutils ]; - - serviceConfig = { - Type = "oneshot"; - User = "git"; - WorkingDirectory = "/var/lib/gitolite/repositories"; - }; - }; -} diff --git a/nixos/cobalt/services/nginx.nix b/nixos/cobalt/services/nginx.nix deleted file mode 100644 index cb5ced3..0000000 --- a/nixos/cobalt/services/nginx.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ - services.nginx = { - enable = true; - - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - }; - - users.extraUsers.nginx.extraGroups = [ "acme" ]; - - imports = [ - ./acme.nix - ]; -} diff --git a/nixos/cobalt/services/soju.nix b/nixos/cobalt/services/soju.nix deleted file mode 100644 index bab8a5b..0000000 --- a/nixos/cobalt/services/soju.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, ... }: - -{ - services.soju = { - enable = true; - extraGroups = [ "acme" ]; - hostName = "cobalt.sefidel.com"; - listen = [ - ":6697" - ]; - tlsCertificate = "${config.security.acme.certs."sefidel.com".directory}/cert.pem"; - tlsCertificateKey = "${config.security.acme.certs."sefidel.com".directory}/key.pem"; - }; - - networking.firewall.allowedTCPPorts = [ 6697 ]; - - environment.persistence."/persist".directories = [ - "/var/lib/private/soju" - ]; - - # TODO: remove this once merged - disabledModules = [ "services/networking/soju.nix" ]; - - imports = [ - ./acme.nix - ../modules/soju.nix - ]; -} diff --git a/nixos/colmena.nix b/nixos/colmena.nix deleted file mode 100644 index 99945e6..0000000 --- a/nixos/colmena.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ self, unstable, unstable-small, ... } @ inputs: - -{ - meta = { - nixpkgs = import unstable { - system = "x86_64-linux"; - }; - }; - - defaults = { pkgs, ... }: { - environment.systemPackages = with pkgs; [ - curl - vim - ]; - }; - - cobalt = self.lib.mkColmena { - name = "cobalt"; - system = "x86_64-linux"; - inputs = inputs; - deployment = { - targetHost = "cobalt.sefidel.com"; - targetPort = 22; - targetUser = "root"; - }; - time.timeZone = "UTC"; - }; -} |
