Compare commits
160 commits
v2022.08.3
...
consensus
Author | SHA1 | Date | |
---|---|---|---|
![]() |
7e88a39c6e | ||
![]() |
a900b37202 | ||
![]() |
c963d41c67 | ||
![]() |
b52f777884 | ||
![]() |
3a294f84ff | ||
![]() |
d5d3fd21ca | ||
![]() |
02be2527e3 | ||
![]() |
92a664df68 | ||
![]() |
d21da35c5f | ||
![]() |
afd8e99472 | ||
![]() |
5eec3924c6 | ||
![]() |
503ed02aa2 | ||
![]() |
d3a90a962c | ||
![]() |
af2f1754e5 | ||
![]() |
4c96950ca4 | ||
![]() |
f2c768a6d1 | ||
![]() |
4a456a108c | ||
![]() |
c44133152c | ||
![]() |
c0f9d26343 | ||
![]() |
89f74905cd | ||
![]() |
13cf063ca9 | ||
![]() |
c15ba2bce7 | ||
![]() |
94b0caeacf | ||
![]() |
1310965b48 | ||
![]() |
8759b9c9f6 | ||
![]() |
960816cee5 | ||
![]() |
311481deb6 | ||
![]() |
de9516cc86 | ||
![]() |
66746d3257 | ||
![]() |
eadae376a7 | ||
![]() |
fcabd95e7e | ||
![]() |
3662f9f588 | ||
![]() |
1fb99ab958 | ||
![]() |
5fd853e234 | ||
![]() |
f20358789f | ||
![]() |
6e924f3ba4 | ||
![]() |
fb5c10f3e1 | ||
![]() |
7fbb4f3080 | ||
![]() |
af8990ec90 | ||
![]() |
ac83dfc605 | ||
![]() |
1aa6641b01 | ||
![]() |
3c306ccda6 | ||
![]() |
9d6523abf5 | ||
![]() |
11669558ce | ||
![]() |
8fe2f766d6 | ||
![]() |
e52897cd14 | ||
![]() |
58e12507d2 | ||
![]() |
fe21e0bef9 | ||
![]() |
c3823d0cfb | ||
![]() |
7a263df6d2 | ||
![]() |
84b38568f2 | ||
![]() |
abc2f41ff0 | ||
![]() |
e3fc68d806 | ||
![]() |
eeea217eb2 | ||
![]() |
f5b9083a11 | ||
![]() |
56e8832606 | ||
![]() |
befaeac9ce | ||
![]() |
df0f6a4a41 | ||
![]() |
1d394b6177 | ||
![]() |
8b426775d0 | ||
![]() |
a8dadc39a1 | ||
![]() |
beda9d4167 | ||
![]() |
49906ecad7 | ||
![]() |
53f7767233 | ||
![]() |
ed41aa92c2 | ||
![]() |
62bf0c9262 | ||
![]() |
de6487da57 | ||
![]() |
6cb31fbe9b | ||
![]() |
e763fb28fc | ||
![]() |
77598e1272 | ||
![]() |
483b45b5d5 | ||
![]() |
1789d3ca65 | ||
![]() |
c85b22ac14 | ||
![]() |
7c14230b9e | ||
![]() |
b1dff55731 | ||
![]() |
65e0367c16 | ||
![]() |
1360b7f371 | ||
![]() |
f40abe42cc | ||
![]() |
91f250f228 | ||
![]() |
06f8c4f2d5 | ||
![]() |
61eb14309b | ||
![]() |
83f6fef51e | ||
![]() |
8cc5afa12e | ||
![]() |
a027737475 | ||
![]() |
e05354e291 | ||
![]() |
26ad5717da | ||
![]() |
a296cd5a47 | ||
![]() |
ad98b0cea6 | ||
![]() |
e9477c3d53 | ||
![]() |
42f08a9514 | ||
![]() |
454ecc3d9f | ||
![]() |
5ddc78e076 | ||
![]() |
4e85326392 | ||
![]() |
16a2ea357a | ||
![]() |
72ea288abb | ||
![]() |
b08e13c2a0 | ||
![]() |
63b9735106 | ||
![]() |
4cdbdac8e0 | ||
![]() |
7a3c72e4bd | ||
![]() |
d4409e7892 | ||
![]() |
e1a10f9971 | ||
![]() |
0de194df16 | ||
![]() |
6cabd62238 | ||
![]() |
c47b35f619 | ||
![]() |
8aa2357df5 | ||
![]() |
b5fc3737da | ||
![]() |
61b5205569 | ||
![]() |
55a83742de | ||
![]() |
35d48eb4a6 | ||
![]() |
710902b5ff | ||
![]() |
51bd881112 | ||
![]() |
b4e7f09447 | ||
![]() |
6af966a0fd | ||
![]() |
410932c8f8 | ||
![]() |
40aeb8a1cf | ||
![]() |
1933c157a5 | ||
![]() |
4e08f6c774 | ||
![]() |
849f91fa35 | ||
![]() |
1d7ed0c1ea | ||
![]() |
8723cbec53 | ||
![]() |
b91295b36f | ||
![]() |
27454a11e4 | ||
![]() |
4a6e51a9a7 | ||
![]() |
b141d4a90f | ||
![]() |
ace344f27e | ||
![]() |
cdb41cb22a | ||
![]() |
66fb43735c | ||
![]() |
6a59bf94d0 | ||
![]() |
68b747d9f5 | ||
![]() |
a8b9f9a12d | ||
![]() |
813214d706 | ||
![]() |
fd2fb7b6d5 | ||
![]() |
29c8149294 | ||
![]() |
6eb0977d99 | ||
![]() |
afee38521f | ||
![]() |
2ef3d6a4aa | ||
![]() |
026aaf8deb | ||
![]() |
9e4e10a4b3 | ||
![]() |
049cd1f1a0 | ||
![]() |
64186b83bd | ||
![]() |
3ca1d077fe | ||
![]() |
2c90bd38c8 | ||
![]() |
406835cd39 | ||
![]() |
675e9c65a3 | ||
![]() |
93205656de | ||
![]() |
295e22511c | ||
![]() |
381a5328ed | ||
![]() |
7c7dc2c337 | ||
![]() |
932e3ca2a4 | ||
![]() |
44d897a6e0 | ||
![]() |
3b459b6514 | ||
![]() |
1c2ad165a2 | ||
![]() |
2f827cbd8e | ||
![]() |
f774d1177b | ||
![]() |
f25dddec5e | ||
![]() |
7e3673046c | ||
![]() |
4022037f5f | ||
![]() |
2cc697f5a0 | ||
![]() |
d9a0bc9d53 | ||
![]() |
03da753a6a |
44 changed files with 2585 additions and 304 deletions
3
.envrc
3
.envrc
|
@ -1,4 +1,5 @@
|
||||||
use flake
|
use flake
|
||||||
watch_file flake.nix
|
watch_file flake.nix
|
||||||
|
|
||||||
export NIXOPS_DEPLOYMENT=jfdic-ops
|
# Allow ragenix to find it's configuration
|
||||||
|
export RULES=$(realpath ./secrets/secrets.nix)
|
||||||
|
|
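Review bot: The new comment line has a typo; `# Allow ragenix to find it's configuration` should read `# Allow ragenix to find its configuration`. The `RULES` export points at `./secrets/secrets.nix`, which for ragenix/agenix is the rules file mapping each secret to the public keys it is encrypted to, so changes to that file deserve the same review as code: a key added there widens who can decrypt every secret re-keyed afterwards. A one-line comment saying so next to the export would help whoever edits the rules next.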
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -1,2 +1 @@
|
||||||
.direnv
|
.direnv
|
||||||
secrets
|
|
||||||
|
|
2
LICENSE
2
LICENSE
|
@ -1,7 +1,7 @@
|
||||||
ANARCHIST LICENSE
|
ANARCHIST LICENSE
|
||||||
Version 1.0, 1 May, 2021
|
Version 1.0, 1 May, 2021
|
||||||
|
|
||||||
Copyright © 2021 JFDI Collective
|
Copyright © 2024 Reciproka Kolektivo
|
||||||
|
|
||||||
This is Anarchist software, released for free use by individuals and
|
This is Anarchist software, released for free use by individuals and
|
||||||
organizations that do not operate by capitalist principles.
|
organizations that do not operate by capitalist principles.
|
||||||
|
|
23
README.rst
23
README.rst
|
@ -1,10 +1,21 @@
|
||||||
JFDIC Ops
|
Reciproka Kolektivo Ops
|
||||||
=========
|
=======================
|
||||||
|
|
||||||
NixOps_ deployment configuration for `JFDI Collective`_ services.
|
Colmena_ deployment configuration for services hosted by `Reciproka Kolektivo`_ services.
|
||||||
|
|
||||||
The canonical home for this repo is
|
The canonical home for this repo is
|
||||||
https://source.jfdic.org/jfdic/jfdic-ops
|
https://reciproka.dev/reciproka/reciproka-ops
|
||||||
|
|
||||||
.. _NixOps: https://nixos.org/nixops
|
.. _Colmena: https://colmena.cli.rs/
|
||||||
.. _JFDI Collective: https://jfdic.org/
|
.. _Reciproka Kolektivo: https://reciproka.co/
|
||||||
|
|
||||||
|
.. toctree::
|
||||||
|
|
||||||
|
Building for aarch64 Targets
|
||||||
|
----------------------------
|
||||||
|
|
||||||
|
If you don't have your own ``aarch64`` build server, you can apply to use the
|
||||||
|
`aarch64 build box`_ provided by the `Nix Community`_.
|
||||||
|
|
||||||
|
.. _aarch64 build box: https://github.com/NixOS/aarch64-build-box
|
||||||
|
.. _Nix Community: https://github.com/nix-community
|
||||||
|
|
18
default.nix
Normal file
18
default.nix
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
{
|
||||||
|
sources ? import ./nix/sources.nix,
|
||||||
|
system ? builtins.currentSystem,
|
||||||
|
crossSystem ? null,
|
||||||
|
config ? {},
|
||||||
|
alejandraUnstable ? (import sources.nixpkgsUnstable {}).alejandra,
|
||||||
|
} @ args:
|
||||||
|
with import ./nix args; {
|
||||||
|
shell = mkShell {
|
||||||
|
buildInputs = [
|
||||||
|
alejandraUnstable # The Uncompromising Nix Code Formatter
|
||||||
|
colmena
|
||||||
|
niv
|
||||||
|
treefmt # one CLI to format the code tree
|
||||||
|
];
|
||||||
|
NIX_PATH = "nixpkgs=${sources.nixpkgs}";
|
||||||
|
};
|
||||||
|
}
|
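Review bot: `default.nix` imports `./nix/sources.nix` and `./nix` in the niv style, but no `nix/` directory appears in this commit's changed-files list, so `nix-shell`/`nix-build` against this file will likely fail to evaluate unless that directory already exists elsewhere in the repo. It also duplicates the flake dev shell in `outputs.nix`/`shell.nix` (alejandra, colmena, `NIX_PATH`) with a second pin source, so two dependency systems now have to be kept in step. If the non-flake entry point is wanted, a header such as `# Non-flake entry point; pins come from nix/sources.nix (niv). See flake.nix for the flake equivalent.` makes that explicit; otherwise drop the file in favour of `nix develop`.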
1825
flake.lock
generated
1825
flake.lock
generated
File diff suppressed because it is too large
25
flake.nix
25
flake.nix
|
@ -1,27 +1,28 @@
|
||||||
{
|
{
|
||||||
description = "jfdic-ops deployment";
|
description = "reciproka-ops deployment";
|
||||||
|
|
||||||
inputs = {
|
inputs = {
|
||||||
|
colmena.url = "github:zhaofengli/colmena/?ref=v0.4.0";
|
||||||
|
ragenix = {
|
||||||
|
url = "github:yaxitech/ragenix";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
};
|
||||||
hakyll-skeleton = {
|
hakyll-skeleton = {
|
||||||
flake = false;
|
url = "git+https://reciproka.dev/reciproka/hakyll-skeleton/?ref=consensus";
|
||||||
url = git+https://source.jfdic.org/jfdic/hakyll-skeleton/?ref=consensus;
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
|
||||||
jfdic-web = {
|
|
||||||
flake = false;
|
|
||||||
url = git+https://source.jfdic.org/JFDIC/jfdic-web/?ref=consensus;
|
|
||||||
};
|
};
|
||||||
|
reciproka-web.url = "git+https://reciproka.dev/reciproka/reciproka-web/?ref=consensus";
|
||||||
resrok-web = {
|
resrok-web = {
|
||||||
flake = false;
|
flake = false;
|
||||||
url = git+https://source.jfdic.org/resrok/resrok-web/?ref=consensus;
|
url = git+https://reciproka.dev/resrok/resrok-web/?ref=consensus;
|
||||||
};
|
};
|
||||||
nix.url = "github:NixOS/nix/?ref=2.10.3";
|
nix.url = github:NixOS/nix/?ref=2.24.6;
|
||||||
nixops.url = github:NixOS/nixops/?ref=master;
|
nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-24.05;
|
||||||
nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-22.05;
|
|
||||||
nixpkgsUnstable.url = github:NixOS/nixpkgs/?ref=nixos-unstable;
|
nixpkgsUnstable.url = github:NixOS/nixpkgs/?ref=nixos-unstable;
|
||||||
utils.url = "github:numtide/flake-utils";
|
utils.url = "github:numtide/flake-utils";
|
||||||
voc-web = {
|
voc-web = {
|
||||||
flake = false;
|
flake = false;
|
||||||
url = git+https://source.jfdic.org/voc/voc-web/?ref=consensus;
|
url = git+https://reciproka.dev/voc/voc-web/?ref=consensus;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
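Review bot: The new `nix.url` and `nixpkgs.url` lines use unquoted URL literals (`github:NixOS/nix/?ref=2.24.6;`, `github:NixOS/nixpkgs/?ref=nixos-24.05;`) while the other inputs added in the same hunk are quoted strings; URL literals are deprecated in Nix and the mix is inconsistent. Quote them: `nix.url = "github:NixOS/nix/?ref=2.24.6";` and `nixpkgs.url = "github:NixOS/nixpkgs/?ref=nixos-24.05";` (the `resrok-web` and `voc-web` urls in this hunk have the same issue). `ragenix` and `hakyll-skeleton` now set `inputs.nixpkgs.follows = "nixpkgs"` but `colmena` does not; if colmena's flake carries its own nixpkgs input, adding the same `follows` keeps a single nixpkgs in the closure.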
51
hardware/binaryLane_vm.nix
Normal file
51
hardware/binaryLane_vm.nix
Normal file
|
@ -0,0 +1,51 @@
|
||||||
|
# Configuration common to all Reciproka Kolektivo Binary Lane VMs
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
modulesPath,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
imports = [
|
||||||
|
(modulesPath + "/profiles/qemu-guest.nix") # Import the NixOS Qemu guest settings
|
||||||
|
../profiles/host_common.nix
|
||||||
|
../profiles/server_common.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
boot = {
|
||||||
|
initrd = {
|
||||||
|
availableKernelModules = ["ata_piix" "sr_mod" "uhci_hcd" "virtio_blk" "virtio_pci"];
|
||||||
|
};
|
||||||
|
loader = {
|
||||||
|
grub = {
|
||||||
|
enable = true;
|
||||||
|
device = "/dev/vda";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# File systems configuration for the Linode VMs
|
||||||
|
fileSystems."/" = {
|
||||||
|
device = "/dev/disk/by-label/nixos";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
|
||||||
|
swapDevices = [
|
||||||
|
{
|
||||||
|
device = "/dev/disk/by-label/swap";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
nix.settings.max-jobs = lib.mkDefault 4;
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
domain = "reciproka.co";
|
||||||
|
useDHCP = lib.mkDefault true;
|
||||||
|
firewall = {
|
||||||
|
enable = true;
|
||||||
|
trustedInterfaces = ["lo"];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
|
||||||
|
}
|
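Review bot: The comment `# File systems configuration for the Linode VMs` is a copy-paste from the Linode hardware file; in this Binary Lane module it should read `# File systems configuration for the Binary Lane VMs`. `boot.loader.grub.device = "/dev/vda"` and the `by-label/nixos` / `by-label/swap` file systems are hard-coded assumptions about the provider's disk layout, so a short comment stating that every Binary Lane VM in this fleet is expected to be provisioned that way would help the next person debugging a boot failure. The firewall block enables the firewall and trusts only `lo`, which is the right default for an internet-facing VM; any listening ports should then be opened by the individual profiles rather than here.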
|
@ -1,13 +1,14 @@
|
||||||
# Configuration common to all JFDIC Linode VMs
|
# Configuration common to all Reciproka Kolektivo Linode VMs
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
lib,
|
lib,
|
||||||
|
modulesPath,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
# Import the NixOS Qemu guest settings
|
# Import the NixOS Qemu guest settings
|
||||||
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
|
(modulesPath + "/profiles/qemu-guest.nix")
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = ["virtio_pci" "ahci" "sd_mod"];
|
boot.initrd.availableKernelModules = ["virtio_pci" "ahci" "sd_mod"];
|
||||||
|
@ -39,5 +40,5 @@
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
nix.maxJobs = lib.mkDefault 4;
|
nix.settings.max-jobs = lib.mkDefault 4;
|
||||||
}
|
}
|
||||||
|
|
80
hardware/pi3B.nix
Normal file
80
hardware/pi3B.nix
Normal file
|
@ -0,0 +1,80 @@
|
||||||
|
# Configuration common to all Raspberry Pi 3 Model B devices
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
boot = {
|
||||||
|
initrd = {
|
||||||
|
availableKernelModules = [
|
||||||
|
"bcm2835_dma" # Allows early (earlier) mode setting
|
||||||
|
"i2c_bcm2835" # Allows early (earlier) mode setting
|
||||||
|
"usbhid"
|
||||||
|
"usb_storage"
|
||||||
|
"vc4" # Allows early (earlier) mode setting
|
||||||
|
];
|
||||||
|
};
|
||||||
|
kernelPackages = pkgs.linuxPackages_5_15; # For a Raspberry Pi 2 or 3)
|
||||||
|
kernelParams = [
|
||||||
|
"cma=32M" # Needed for the virtual console to work on the RPi 3
|
||||||
|
"console=ttyS0,115200n8" # Enable the serial console
|
||||||
|
"console=tty0"
|
||||||
|
];
|
||||||
|
loader = {
|
||||||
|
generic-extlinux-compatible = {
|
||||||
|
enable = true; # Enables the generation of /boot/extlinux/extlinux.conf
|
||||||
|
};
|
||||||
|
grub = {
|
||||||
|
enable = false; # NixOS wants to enable GRUB by default.
|
||||||
|
};
|
||||||
|
raspberryPi = {
|
||||||
|
enable = false;
|
||||||
|
version = 3;
|
||||||
|
uboot.enable = true;
|
||||||
|
firmwareConfig = ''
|
||||||
|
arm_64bit=1 # Force kernel loading system to assume a 64-bit kernel
|
||||||
|
hdmi_force_hotplug=1 # Enable headless booting
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# File systems configuration for using the installer's partition layout
|
||||||
|
fileSystems = {
|
||||||
|
"/" = {
|
||||||
|
device = "/dev/disk/by-label/NIXOS_SD";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
"/boot/firmware" = {
|
||||||
|
device = "/dev/disk/by-label/FIRMWARE";
|
||||||
|
fsType = "vfat";
|
||||||
|
# Alternatively, this could be removed from the configuration.
|
||||||
|
# The filesystem is not needed at runtime, it could be treated
|
||||||
|
# as an opaque blob instead of a discrete FAT32 filesystem.
|
||||||
|
options = ["nofail" "noauto"];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# !!! Adding a swap file is optional, but strongly recommended!
|
||||||
|
swapDevices = [
|
||||||
|
{
|
||||||
|
device = "/swapfile";
|
||||||
|
size = 1024;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
hardware = {
|
||||||
|
enableRedistributableFirmware = true; # Enable support for Pi firmware blobs
|
||||||
|
};
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
enableB43Firmware = true; # If true, enable Pi wireless firmware
|
||||||
|
};
|
||||||
|
|
||||||
|
nixpkgs.config.allowUnfree = true; # required by B34Firmare above
|
||||||
|
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
libraspberrypi # Userland tools for the Raspberry Pi board
|
||||||
|
];
|
||||||
|
}
|
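Review bot: `hardware/pi3B.nix` is an almost line-for-line duplicate of the new `hardware/raspberry_pi_3_model_B.nix` in this same commit, differing only in `cma=32M` vs `cma=320M`, `uboot.enable = true`, `configurationLimit` and two firmware options, and only the latter is imported by `networks/pi3B_rack.nix`; keeping both will drift, so either delete this file or have one import the other and hold just the differences. Two comment typos here (and repeated in the sibling): `# For a Raspberry Pi 2 or 3)` has a stray parenthesis, and `# required by B34Firmare above` should read `# required by enableB43Firmware above`. With `raspberryPi.enable = false`, the `firmwareConfig` block presumably has no consumer; confirm it is intentionally kept for a future builder or drop it.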
86
hardware/raspberry_pi_3_model_B.nix
Normal file
86
hardware/raspberry_pi_3_model_B.nix
Normal file
|
@ -0,0 +1,86 @@
|
||||||
|
# Configuration common to all Raspberry Pi 3 Model B devices
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
boot = {
|
||||||
|
initrd = {
|
||||||
|
availableKernelModules = [
|
||||||
|
"bcm2835_dma" # Allows early (earlier) mode setting
|
||||||
|
"i2c_bcm2835" # Allows early (earlier) mode setting
|
||||||
|
"usbhid"
|
||||||
|
"usb_storage"
|
||||||
|
"vc4" # Allows early (earlier) mode setting
|
||||||
|
];
|
||||||
|
};
|
||||||
|
kernelPackages = pkgs.linuxPackages_5_15; # For a Raspberry Pi 2 or 3)
|
||||||
|
kernelParams = [
|
||||||
|
"cma=320M" # Needed for the virtual console to work on the RPi 3
|
||||||
|
"console=ttyS0,115200n8" # Enable the serial console
|
||||||
|
"console=tty0"
|
||||||
|
];
|
||||||
|
loader = {
|
||||||
|
generic-extlinux-compatible = {
|
||||||
|
enable = true; # Enables the generation of /boot/extlinux/extlinux.conf
|
||||||
|
configurationLimit = 5;
|
||||||
|
};
|
||||||
|
grub = {
|
||||||
|
enable = false; # NixOS wants to enable GRUB by default.
|
||||||
|
};
|
||||||
|
raspberryPi = {
|
||||||
|
enable = false;
|
||||||
|
version = 3;
|
||||||
|
firmwareConfig = ''
|
||||||
|
arm_64bit=1 # Force kernel loading system to assume a 64-bit kernel
|
||||||
|
display_auto_detect=1 # Enable auto detection of screen resolution
|
||||||
|
gpu_mem=128
|
||||||
|
hdmi_force_hotplug=1 # Enable headless booting
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# File systems configuration for using the installer's partition layout
|
||||||
|
fileSystems = {
|
||||||
|
"/" = {
|
||||||
|
device = "/dev/disk/by-label/NIXOS_SD";
|
||||||
|
fsType = "ext4";
|
||||||
|
};
|
||||||
|
"/boot/firmware" = {
|
||||||
|
device = "/dev/disk/by-label/FIRMWARE";
|
||||||
|
fsType = "vfat";
|
||||||
|
# Alternatively, this could be removed from the configuration.
|
||||||
|
# The filesystem is not needed at runtime, it could be treated
|
||||||
|
# as an opaque blob instead of a discrete FAT32 filesystem.
|
||||||
|
options = ["nofail" "noauto"];
|
||||||
|
};
|
||||||
|
#"/var" = {
|
||||||
|
# device = "/dev/disk/by-label/var";
|
||||||
|
# fsType = "ext4";
|
||||||
|
#};
|
||||||
|
};
|
||||||
|
|
||||||
|
# !!! Adding a swap file is optional, but strongly recommended!
|
||||||
|
swapDevices = [
|
||||||
|
{
|
||||||
|
device = "/swapfile";
|
||||||
|
size = 1024;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
hardware = {
|
||||||
|
enableRedistributableFirmware = true; # Enable support for Pi firmware blobs
|
||||||
|
};
|
||||||
|
|
||||||
|
networking = {
|
||||||
|
enableB43Firmware = true; # If true, enable Pi wireless firmware
|
||||||
|
};
|
||||||
|
|
||||||
|
nixpkgs.config.allowUnfree = true; # required by B34Firmare above
|
||||||
|
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
libraspberrypi # Userland tools for the Raspberry Pi board
|
||||||
|
];
|
||||||
|
}
|
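Review bot: `"cma=320M"` reserves 320 MB of contiguous memory on a board with 1 GB of RAM, and the sibling `hardware/pi3B.nix` in this same commit uses `cma=32M` with the identical comment; one of the two is probably a typo, so confirm which is intended (the comment `# Needed for the virtual console to work on the RPi 3` suggests the smaller value). `raspberryPi.enable = false` is set alongside `raspberryPi.firmwareConfig` and `version = 3`; if the raspberryPi loader is disabled those settings presumably have no effect, and the commented-out `#"/var"` file system should either be removed or carry a note saying why it is kept. `generic-extlinux-compatible.configurationLimit = 5` is a sensible cap for an SD card; the same cap is missing from `pi3B.nix`.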
|
@ -1,26 +0,0 @@
|
||||||
# NixOps configuration for toscano
|
|
||||||
#
|
|
||||||
# https://en.wikipedia.org/wiki/Joseph_Toscano
|
|
||||||
{
|
|
||||||
config,
|
|
||||||
pkgs,
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
imports = [
|
|
||||||
../networks/linode.nix
|
|
||||||
../profiles/gitea.nix
|
|
||||||
../profiles/hakyll-skeleton.nix
|
|
||||||
../profiles/jfdic-web.nix
|
|
||||||
../profiles/resrok-web.nix
|
|
||||||
../profiles/tmateServer.nix
|
|
||||||
../profiles/voc-web.nix
|
|
||||||
../secrets/gitea.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
deployment.targetHost = "45.79.236.198";
|
|
||||||
|
|
||||||
networking.hostName = "toscano";
|
|
||||||
|
|
||||||
system.stateVersion = "21.05"; # The version of NixOS originally installed
|
|
||||||
}
|
|
14
modules/piCommon/default.nix
Normal file
14
modules/piCommon/default.nix
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
# Configuration common to all my servers
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
environment = {
|
||||||
|
# Set the system-wide environment
|
||||||
|
systemPackages = with pkgs; [
|
||||||
|
usbutils # Tools for working with USB devices, such as lsusb
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
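Review bot: The header comment `# Configuration common to all my servers` does not describe this module, which lives under `modules/piCommon` and only adds `usbutils`; suggest `# Configuration common to all Raspberry Pi hosts`. `config` and `lib` are bound in the argument set but never used. Nothing in this commit imports this module (`nixos/configurations.nix` references `../modules/modules-list.nix`, which does not appear in the changed-files list), so confirm it is wired in somewhere or it is dead code.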
|
@ -1,4 +1,4 @@
|
||||||
# NixOps configuration common to Linode VMs
|
# NixOS configuration common to Linode VMs
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
@ -26,7 +26,7 @@
|
||||||
# Configure firewall defaults:
|
# Configure firewall defaults:
|
||||||
networking = {
|
networking = {
|
||||||
usePredictableInterfaceNames = false; # As per Linode's networking guidlines
|
usePredictableInterfaceNames = false; # As per Linode's networking guidlines
|
||||||
domain = "jfdic.org";
|
domain = "reciproka.co";
|
||||||
interfaces.eth0.useDHCP = true;
|
interfaces.eth0.useDHCP = true;
|
||||||
firewall = {
|
firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# NixOps configuration for the Linode VMs
|
# Nix configuration for the Linode VMs
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
|
26
networks/pi3B_rack.nix
Normal file
26
networks/pi3B_rack.nix
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
# NixOps configuration for the Raspberry Pi 3B Rack
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
|
||||||
|
../hardware/raspberry_pi_3_model_B.nix
|
||||||
|
../profiles/host_common.nix
|
||||||
|
../profiles/server_common.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
# Ensure the right package architecture is used
|
||||||
|
nixpkgs.localSystem = {
|
||||||
|
system = "aarch64-linux";
|
||||||
|
config = "aarch64-unknown-linux-gnu";
|
||||||
|
allowUnfree = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.network.networks.eth0.ipv6SendRAConfig = {
|
||||||
|
EmitDNS = true;
|
||||||
|
Managed = true;
|
||||||
|
OtherInformation = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
documentation = {
|
||||||
|
nixos.enable = false; # Save some space by disabling the manual
|
||||||
|
};
|
||||||
|
}
|
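Review bot: The new `imports` list uses the NIX_PATH lookup `<nixpkgs/nixos/modules/installer/scan/not-detected.nix>`, which this same commit replaces with `(modulesPath + "/profiles/qemu-guest.nix")` in the Linode hardware file because angle-bracket paths do not resolve under pure flake evaluation; make this module a function and use the same form: `{modulesPath, ...}: {` and `(modulesPath + "/installer/scan/not-detected.nix")`. `allowUnfree = true` inside `nixpkgs.localSystem` is not a platform attribute and is presumably ignored there; the imported hardware file already sets `nixpkgs.config.allowUnfree = true`, so the line can go. The `systemd.network.networks.eth0.ipv6SendRAConfig` block only takes effect if systemd-networkd is enabled and `IPv6SendRA` is turned on for that network, and if it is, these Pis will announce themselves as IPv6 routers (with DNS) to every host on the rack segment — confirm that is the intent and document it with a comment, since unintended router advertisements can redirect other hosts' IPv6 default route. The header still says `# NixOps configuration ...` while the rest of the commit renames those to NixOS/Colmena.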
32
nixos/configurations.nix
Normal file
32
nixos/configurations.nix
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
{
|
||||||
|
self,
|
||||||
|
nixpkgs,
|
||||||
|
inputs,
|
||||||
|
...
|
||||||
|
}: let
|
||||||
|
nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;
|
||||||
|
customModules = import ../modules/modules-list.nix;
|
||||||
|
baseModules = [
|
||||||
|
# make flake inputs accessiable in NixOS
|
||||||
|
{_module.args.inputs = inputs;}
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
({pkgs, ...}: {
|
||||||
|
nix.nixPath = [
|
||||||
|
"nixpkgs=${pkgs.path}"
|
||||||
|
];
|
||||||
|
nix.extraOptions = ''
|
||||||
|
experimental-features = nix-command flakes
|
||||||
|
'';
|
||||||
|
documentation.info.enable = false;
|
||||||
|
})
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
defaultModules = baseModules ++ customModules;
|
||||||
|
deployment = {
|
||||||
|
allowLocalDeployment = true;
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
#toscano = import ./hosts/toscano/configuration.nix;
|
||||||
|
}
|
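Review bot: Everything in the `let` block (`nixosSystem`, `customModules`, `defaultModules`, `deployment`) is unused — the attribute set after `in` holds only the commented-out `#toscano` line — so the file currently evaluates to `{}` and, as the note in `outputs.nix` says, is not wired in; either finish it or drop it until it is. `import ../modules/modules-list.nix` refers to a file that does not appear in this commit's changed-files list, so the import will fail to evaluate once the `let` is actually used — confirm it exists. The inline module sets `nix.extraOptions = ''experimental-features = nix-command flakes''`; the structured form `nix.settings.experimental-features = ["nix-command" "flakes"];` matches the `nix.settings.max-jobs` migration done elsewhere in this commit and avoids a free-text config line.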
26
nixos/hosts/flemming/default.nix
Normal file
26
nixos/hosts/flemming/default.nix
Normal file
|
@ -0,0 +1,26 @@
|
||||||
|
# NixOS configuration for flemming
|
||||||
|
#
|
||||||
|
# Andy Flemming, AKA Slackbastard is the psuedonym of an Australian anarchist
|
||||||
|
# who hosts Yeah Nah Pasaran on radio 3CR and documents fascism and its
|
||||||
|
# grave diggers in Australia
|
||||||
|
#
|
||||||
|
# https://en.wikipedia.org/wiki/Andy_Fleming_(activist)
|
||||||
|
# https://slackbastard.anarchobase.com/
|
||||||
|
# https://www.3cr.org.au/yeahnahpasaran
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
imports = [
|
||||||
|
../../../networks/pi3B_rack.nix
|
||||||
|
../../../profiles/hakyll-skeleton.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
# Comment out deployment when building the SD Image.
|
||||||
|
deployment.targetHost = "10.42.0.202";
|
||||||
|
networking.hostName = "flemming"; # Define your hostname.
|
||||||
|
|
||||||
|
system.stateVersion = "23.11"; # The version of NixOS originally installed
|
||||||
|
}
|
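Review bot: The header comment spells the pseudonym two ways (`# NixOS configuration for flemming` / `# Andy Flemming` vs the linked `Andy_Fleming_(activist)` article) and has `psuedonym` for `pseudonym`; the hostname `flemming` can stay, but the prose should settle on one spelling. The same header is copied verbatim into `nixos/hosts/hollows/default.nix` in this commit. `config`, `pkgs` and `lib` are bound but unused, which is harmless in a NixOS module, though `{...}: {` would state that plainly.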
25
nixos/hosts/hollows/default.nix
Normal file
25
nixos/hosts/hollows/default.nix
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
# NixOS configuration for flemming
|
||||||
|
#
|
||||||
|
# Andy Flemming, AKA Slackbastard is the psuedonym of an Australian anarchist
|
||||||
|
# who hosts Yeah Nah Pasaran on radio 3CR and documents fascism and its
|
||||||
|
# grave diggers in Australia
|
||||||
|
#
|
||||||
|
# https://en.wikipedia.org/wiki/Andy_Fleming_(activist)
|
||||||
|
# https://slackbastard.anarchobase.com/
|
||||||
|
# https://www.3cr.org.au/yeahnahpasaran
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
imports = [
|
||||||
|
../../../networks/pi3B_rack.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
# Comment out deployment when building the SD Image.
|
||||||
|
deployment.targetHost = "10.42.0.203";
|
||||||
|
networking.hostName = "hollows"; # Define your hostname.
|
||||||
|
|
||||||
|
system.stateVersion = "22.05"; # The version of NixOS originally installed
|
||||||
|
}
|
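Review bot: The header of `nixos/hosts/hollows/default.nix` says `# NixOS configuration for flemming` and carries the Andy Fleming biography from the flemming host; it should describe this host, e.g. `# NixOS configuration for hollows` followed by whoever the name honours. Unlike flemming, this host imports only `../../../networks/pi3B_rack.nix` and no profile, so a one-line comment on what hollows is for would help. `system.stateVersion = "22.05"` differs from flemming's `"23.11"`; if that is the version originally installed it is correct and must stay, so a brief note confirming it is deliberate avoids someone "fixing" it later.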
33
nixos/hosts/pred/default.nix
Normal file
33
nixos/hosts/pred/default.nix
Normal file
|
@ -0,0 +1,33 @@
|
||||||
|
# NixOS configuration for pred
|
||||||
|
#
|
||||||
|
# <predator>, AKA Michael Carlton or just "pred", was an Australian
|
||||||
|
# anarcho-sydnicalist who helped set up Catalyst, a radical community activist
|
||||||
|
# tech collective in Sydney, Australia. They went on to provide information
|
||||||
|
# technology services for a wide range of activist and commmunity based
|
||||||
|
# organisations around both Sydney and Australia. In the process, knowledge was
|
||||||
|
# shared, skills were learned and taught - from building and maintaining
|
||||||
|
# hardware to writing computer code. It was from this original initiative that
|
||||||
|
# an open-posting model of web publishing was developed for the J18 protest
|
||||||
|
# that occured worldwide in 1999. The codebase was named 'Active' and went on
|
||||||
|
# to power the first Indymedia site. As they say, "the rest is history."
|
||||||
|
#
|
||||||
|
# Rest in Power, Pred, we miss ya.
|
||||||
|
#
|
||||||
|
# https://archive.org/stream/PredTxt/Pred-txt_djvu.txt
|
||||||
|
# https://indymedia.org.au/2012/04/25/interview-with-pred-predaor-mike-carlton.html
|
||||||
|
# https://www.youtube.com/watch?v=Cfe3ExZivdQ
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
imports = [
|
||||||
|
../../../hardware/binaryLane_vm.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
# Comment out deployment when building the SD Image.
|
||||||
|
deployment.targetHost = "203.57.51.158";
|
||||||
|
networking.hostName = "pred"; # Define your hostname.
|
||||||
|
|
||||||
|
system.stateVersion = "23.11"; # The version of NixOS originally installed
|
||||||
|
}
|
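Review bot: The comment `# Comment out deployment when building the SD Image.` is copied from the Raspberry Pi hosts and does not apply to this Binary Lane VM (no SD image is built for it), so it should be dropped or replaced with what matters here, e.g. `# Public address of the Binary Lane VM; colmena deploys to it over SSH`. Several typos in the tribute header: `sydnicalist` → `syndicalist`, `commmunity` → `community`, `occured` → `occurred`. Unlike toscano, this node sets no `deployment.tags`; if tags are used to select nodes (`colmena apply --on @infra`), pred will be left out — confirm that is intended.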
39
nixos/hosts/toscano/configuration.nix
Normal file
39
nixos/hosts/toscano/configuration.nix
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
# Nix configuration for toscano
|
||||||
|
#
|
||||||
|
# Dr Joseph Toscano has presented an anarchist analysis on local, national and
|
||||||
|
# international news and events that has been distributed nationally on the
|
||||||
|
# Community Radio Network since 1977.
|
||||||
|
#
|
||||||
|
# https://en.wikipedia.org/wiki/Joseph_Toscano
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
imports = [
|
||||||
|
../../../networks/linode.nix
|
||||||
|
../../../profiles/reciproka-web.nix
|
||||||
|
../../../profiles/reciproka-forgejo.nix
|
||||||
|
../../../profiles/resrok-web.nix
|
||||||
|
../../../profiles/tmateServer.nix
|
||||||
|
../../../profiles/voc-web.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
age.secrets = {
|
||||||
|
forgejo = {
|
||||||
|
file = ../../../secrets/forgejo.age;
|
||||||
|
owner = "forgejo";
|
||||||
|
group = "forgejo";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
deployment = {
|
||||||
|
tags = ["infra"];
|
||||||
|
targetHost = "45.79.236.198";
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.hostName = "toscano";
|
||||||
|
|
||||||
|
system.stateVersion = "21.05"; # The version of NixOS originally installed
|
||||||
|
}
|
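Review bot: `age.secrets.forgejo.file = ../../../secrets/forgejo.age` reads from a `secrets/` directory that this same commit stops ignoring (`secrets` is removed from `.gitignore`), so that tree is now committed; that is the intended agenix/ragenix model only as long as it holds nothing but age ciphertext and the public-key rules file. Consider re-adding a narrow ignore such as `secrets/*`, `!secrets/*.age`, `!secrets/secrets.nix` so a decrypted or scratch file cannot be committed by accident. The file is named `configuration.nix` while the other new hosts use `default.nix` and are imported as directories in `outputs.nix`; renaming keeps the host layout uniform. The old `hosts/toscano.nix` imported `../profiles/hakyll-skeleton.nix` and the new one does not, so if the hakyll site was served from toscano, confirm the drop is deliberate (flemming now imports that profile).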
59
outputs.nix
59
outputs.nix
|
@ -1,9 +1,10 @@
|
||||||
{
|
{
|
||||||
self,
|
self,
|
||||||
hakyll-skeleton,
|
hakyll-skeleton,
|
||||||
jfdic-web,
|
reciproka-web,
|
||||||
|
ragenix,
|
||||||
|
colmena,
|
||||||
nix,
|
nix,
|
||||||
nixops,
|
|
||||||
nixpkgs,
|
nixpkgs,
|
||||||
nixpkgsUnstable,
|
nixpkgsUnstable,
|
||||||
resrok-web,
|
resrok-web,
|
||||||
|
@ -12,32 +13,56 @@
|
||||||
...
|
...
|
||||||
} @ inputs:
|
} @ inputs:
|
||||||
(utils.lib.eachDefaultSystem (system: let
|
(utils.lib.eachDefaultSystem (system: let
|
||||||
pkgs =
|
pkgs = nixpkgs.legacyPackages."${system}";
|
||||||
nixpkgs.legacyPackages."${system}";
|
|
||||||
in {
|
in {
|
||||||
devShell =
|
devShell =
|
||||||
pkgs.callPackage
|
pkgs.callPackage
|
||||||
./shell.nix {
|
./shell.nix {
|
||||||
inherit (nix.packages."${pkgs.system}") nix;
|
inherit (nix.packages."${pkgs.system}") nix;
|
||||||
|
inherit (ragenix.packages."${pkgs.system}") ragenix;
|
||||||
|
inherit (colmena.packages."${pkgs.system}") colmena;
|
||||||
inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra;
|
inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra;
|
||||||
nixops = nixops.defaultPackage."${pkgs.system}";
|
|
||||||
};
|
};
|
||||||
}))
|
}))
|
||||||
// {
|
// {
|
||||||
nixopsConfigurations.default = {
|
colmena = {
|
||||||
inherit nixpkgs;
|
meta = {
|
||||||
network = {
|
description = "NixOS deployment for Reciproka Kolektivo";
|
||||||
description = "jfdic-ops nodes";
|
name = "reciproka-ops";
|
||||||
enableRollback = true;
|
nixpkgs = import nixpkgs {
|
||||||
storage.legacy = {
|
system = "x86_64-linux";
|
||||||
databasefile = "~/.nixops/deployments.nixops";
|
overlays = [];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
defaults = {
|
defaults = {pkgs, ...}: {
|
||||||
system.autoUpgrade.enable = false; # Disabled as it conflicts with NixOps
|
imports = [
|
||||||
_module.args.inputs = inputs; # make flake inputs accessiable in NixOS
|
ragenix.nixosModules.default
|
||||||
imports = [./profiles/host_common.nix];
|
];
|
||||||
|
};
|
||||||
|
flemming = {
|
||||||
|
imports = [
|
||||||
|
./nixos/hosts/flemming
|
||||||
|
];
|
||||||
|
};
|
||||||
|
hollows = {
|
||||||
|
imports = [
|
||||||
|
./nixos/hosts/hollows
|
||||||
|
];
|
||||||
|
};
|
||||||
|
pred = {
|
||||||
|
imports = [
|
||||||
|
./nixos/hosts/pred
|
||||||
|
];
|
||||||
|
};
|
||||||
|
toscano = {
|
||||||
|
imports = [
|
||||||
|
./nixos/hosts/toscano/configuration.nix
|
||||||
|
];
|
||||||
};
|
};
|
||||||
toscano = import ./hosts/toscano.nix;
|
|
||||||
};
|
};
|
||||||
|
# The below lines are in the wrong place
|
||||||
|
#nixosConfigurations = import ./nixos/configurations.nix (inputs
|
||||||
|
# // {
|
||||||
|
# inherit inputs;
|
||||||
|
# });
|
||||||
}
|
}
|
||||||
|
|
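Review bot: `colmena.meta.nixpkgs` is imported with `system = "x86_64-linux"` for the whole deployment, but `flemming` and `hollows` are Raspberry Pi nodes whose `networks/pi3B_rack.nix` sets `nixpkgs.localSystem.system = "aarch64-linux"`; if the pinned Colmena (`v0.4.0`) does not honour a per-node system override, those nodes need their own instance via `meta.nodeNixpkgs`, e.g. `nodeNixpkgs.flemming = import nixpkgs { system = "aarch64-linux"; };` — confirm before the first `colmena apply`. The new `defaults` drops two things the old `nixopsConfigurations.default.defaults` carried: `_module.args.inputs = inputs` and the `./profiles/host_common.nix` import; the Pi and Binary Lane hardware files import `host_common.nix` themselves, but `networks/linode.nix` (toscano) is not shown doing so, and any profile that reads `inputs.*` will now fail to evaluate. The trailing commented-out `nixosConfigurations` block marked `# The below lines are in the wrong place` should either be moved where it belongs or removed rather than shipped as a TODO.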
|
@ -1,4 +1,4 @@
|
||||||
# Configuration common to all JFDIC servers
|
# Configuration common to all Reciproka Kolektivo servers
|
||||||
{config, ...}: {
|
{config, ...}: {
|
||||||
# Program defaults for all hosts
|
# Program defaults for all hosts
|
||||||
programs.bash = {
|
programs.bash = {
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# NixOps configuration for the hosts running a Chrony service
|
# Nix configuration for the hosts running a Chrony service
|
||||||
{config, ...}: {
|
{config, ...}: {
|
||||||
services.chrony = {
|
services.chrony = {
|
||||||
enable = true; # Enable Chrony
|
enable = true; # Enable Chrony
|
||||||
|
|
|
@ -1,103 +0,0 @@
|
||||||
# NixOps configuration for the hosts running Gitea
|
|
||||||
{
|
|
||||||
config,
|
|
||||||
pkgs,
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
services.gitea = {
|
|
||||||
enable = true; # Enable Gitea
|
|
||||||
appName = "JFDI Collective: Gitea Service"; # Give the site a name
|
|
||||||
database = {
|
|
||||||
type = "postgres"; # Database type
|
|
||||||
passwordFile = "/run/keys/gitea-dbpass"; # Where to find the password
|
|
||||||
};
|
|
||||||
disableRegistration = true;
|
|
||||||
domain = "source.jfdic.org"; # Domain name
|
|
||||||
rootUrl = "https://source.jfdic.org/"; # Root web URL
|
|
||||||
httpPort = 3002; # Provided unique port
|
|
||||||
settings = let
|
|
||||||
docutils = pkgs.python37.withPackages (ps:
|
|
||||||
with ps; [
|
|
||||||
docutils # Provides rendering of ReStructured Text files
|
|
||||||
pygments # Provides syntax highlighting
|
|
||||||
]);
|
|
||||||
in {
|
|
||||||
mailer = {
|
|
||||||
ENABLED = true;
|
|
||||||
FROM = "source@jfdic.org";
|
|
||||||
};
|
|
||||||
repository = {
|
|
||||||
DEFAULT_BRANCH = "consensus";
|
|
||||||
};
|
|
||||||
service = {
|
|
||||||
REGISTER_EMAIL_CONFIRM = true;
|
|
||||||
};
|
|
||||||
"markup.restructuredtext" = {
|
|
||||||
ENABLED = true;
|
|
||||||
FILE_EXTENSIONS = ".rst";
|
|
||||||
RENDER_COMMAND = "${docutils}/bin/rst2html.py";
|
|
||||||
IS_INPUT_FILE = false;
|
|
||||||
};
|
|
||||||
ui = {
|
|
||||||
DEFAULT_THEME = "gitea"; # Set the default theme
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd = {
|
|
||||||
services = {
|
|
||||||
gitea = {
|
|
||||||
# Ensure gitea starts after nixops keys are loaded
|
|
||||||
after = ["gitea-dbpass-key.service"];
|
|
||||||
wants = ["gitea-dbpass-key.service"];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services.postgresql = {
|
|
||||||
enable = true; # Ensure postgresql is enabled
|
|
||||||
authentication = ''
|
|
||||||
local gitea all ident map=gitea-users
|
|
||||||
'';
|
|
||||||
identMap =
|
|
||||||
# Map the gitea user to postgresql
|
|
||||||
''
|
|
||||||
gitea-users gitea gitea
|
|
||||||
'';
|
|
||||||
ensureDatabases = ["gitea"]; # Ensure the database persists
|
|
||||||
ensureUsers = [
|
|
||||||
{
|
|
||||||
name = "gitea"; # Ensure the database user persists
|
|
||||||
ensurePermissions = {
|
|
||||||
# Ensure the database permissions persist
|
|
||||||
"DATABASE gitea" = "ALL PRIVILEGES";
|
|
||||||
"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx = {
|
|
||||||
enable = true; # Enable Nginx
|
|
||||||
recommendedGzipSettings = true;
|
|
||||||
recommendedOptimisation = true;
|
|
||||||
recommendedProxySettings = true;
|
|
||||||
recommendedTlsSettings = true;
|
|
||||||
virtualHosts."source.jfdic.org" = {
|
|
||||||
# Gitea hostname
|
|
||||||
enableACME = true; # Use ACME certs
|
|
||||||
forceSSL = true; # Force SSL
|
|
||||||
locations."/".proxyPass = "http://localhost:3002/"; # Proxy Gitea
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
security.acme = {
|
|
||||||
acceptTerms = true;
|
|
||||||
certs = {
|
|
||||||
"source.jfdic.org".email = "source@jfdic.org";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
users.groups.keys.members = ["gitea"]; # Required due to NixOps issue #1204
|
|
||||||
}
|
|
|
@ -1,13 +1,13 @@
|
||||||
# NixOps configuration for deploying the JFDIC website
|
# NixOS configuration for deploying the Reciproka Kolektivo website
|
||||||
{
|
{
|
||||||
self,
|
self,
|
||||||
config,
|
config,
|
||||||
inputs,
|
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
hakyll-skeleton = import inputs.hakyll-skeleton {};
|
flake = builtins.getFlake (toString ../.);
|
||||||
webdomain = "skeleton.jfdic.org";
|
hakyll-skeleton = flake.inputs.hakyll-skeleton.packages."${pkgs.system}".default;
|
||||||
|
webdomain = "skeleton.reciproka.dev";
|
||||||
in {
|
in {
|
||||||
environment.sessionVariables = {
|
environment.sessionVariables = {
|
||||||
LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
|
LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
|
||||||
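Review bot: `flake = builtins.getFlake (toString ../.);` re-evaluates the whole flake from inside one of its own modules, which the first hunk in this compare makes unnecessary: `_module.args.inputs = inputs;` (L2978) already exposes `inputs` to every NixOS module, yet this hunk removes `inputs` from the argument set. Keeping `inputs,` and writing `hakyll-skeleton = inputs.hakyll-skeleton.packages.${pkgs.system}.default;` avoids the second evaluation and whatever purity restrictions apply to `getFlake` on a path at evaluation time. The same pattern is introduced in the forgejo, reciproka, resrok and voc profiles (L4733, L5215, L5424, L5750). The module body continues outside the hunk.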
|
|
|
@ -1,4 +1,4 @@
|
||||||
# Configuration common to all JFDIC servers
|
# Configuration common to all Reciproka Kolektivo servers
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
@ -17,9 +17,7 @@
|
||||||
];
|
];
|
||||||
|
|
||||||
# Common boot settings
|
# Common boot settings
|
||||||
boot = {
|
boot.tmp.cleanOnBoot = true; # Clean /tmp on reboot ;
|
||||||
cleanTmpDir = true; # Clean /tmp on reboot
|
|
||||||
};
|
|
||||||
|
|
||||||
# Select internationalisation properties.
|
# Select internationalisation properties.
|
||||||
i18n = {
|
i18n = {
|
||||||
|
@ -29,7 +27,7 @@
|
||||||
# Set the defaul console properties
|
# Set the defaul console properties
|
||||||
console = {
|
console = {
|
||||||
keyMap = "us"; # Set the default console key map
|
keyMap = "us"; # Set the default console key map
|
||||||
font = "ter-powerline-v16Rv"; # Set the default console font
|
font = "ter-powerline-v32n"; # Set the default console font
|
||||||
};
|
};
|
||||||
|
|
||||||
time.timeZone = "Etc/UTC";
|
time.timeZone = "Etc/UTC";
|
||||||
|
@ -40,12 +38,14 @@
|
||||||
security.sudo.wheelNeedsPassword = false;
|
security.sudo.wheelNeedsPassword = false;
|
||||||
|
|
||||||
# Configure and install required fonts
|
# Configure and install required fonts
|
||||||
fonts.enableDefaultFonts = true;
|
fonts = {
|
||||||
fonts.fontDir.enable = true;
|
enableDefaultPackages = true;
|
||||||
fonts.fonts = with pkgs; [
|
fontDir.enable = true;
|
||||||
powerline-fonts # Required for Powerline prompts
|
packages = with pkgs; [
|
||||||
];
|
powerline-fonts # Required for Powerline prompts
|
||||||
fonts.fontconfig.includeUserConf = false;
|
];
|
||||||
|
fontconfig.includeUserConf = false;
|
||||||
|
};
|
||||||
|
|
||||||
# Adapted from gchristensen and clever
|
# Adapted from gchristensen and clever
|
||||||
nix = {
|
nix = {
|
||||||
|
@ -56,7 +56,7 @@
|
||||||
cfg =
|
cfg =
|
||||||
pkgs.writeText "configuration.nix"
|
pkgs.writeText "configuration.nix"
|
||||||
''
|
''
|
||||||
assert builtins.trace "This system is managed by NixOps." false;
|
assert builtins.trace "This system is managed by Colmena." false;
|
||||||
{}
|
{}
|
||||||
'';
|
'';
|
||||||
in "nixos-config=${cfg}")
|
in "nixos-config=${cfg}")
|
||||||
|
@ -69,12 +69,14 @@
|
||||||
dates = "weekly";
|
dates = "weekly";
|
||||||
options = "--delete-older-than 90d";
|
options = "--delete-older-than 90d";
|
||||||
};
|
};
|
||||||
autoOptimiseStore = true;
|
|
||||||
extraOptions = ''
|
extraOptions = ''
|
||||||
show-trace = true # Enable --show-trace by default for nix
|
show-trace = true # Enable --show-trace by default for nix
|
||||||
builders-use-substitutes = true # Set builders to use caches
|
builders-use-substitutes = true # Set builders to use caches
|
||||||
'';
|
'';
|
||||||
trustedUsers = ["fiscalvelvetpoet"];
|
settings = {
|
||||||
|
auto-optimise-store = true;
|
||||||
|
trusted-users = ["fiscalvelvetpoet"];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
system.extraSystemBuilderCmds = ''
|
system.extraSystemBuilderCmds = ''
|
||||||
|
@ -106,6 +108,6 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Users common across JFDIC Ops:
|
# Users common across Reciproka Ops:
|
||||||
users.mutableUsers = false; # Remove any users not defined in here
|
users.mutableUsers = false; # Remove any users not defined in here
|
||||||
}
|
}
|
||||||
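Review bot: The new `boot.tmp.cleanOnBoot` line carries a stray ` ;` inside its comment; it should read `boot.tmp.cleanOnBoot = true; # Clean /tmp on reboot`. For consistency with the new `nix.settings` block that now holds `auto-optimise-store` and `trusted-users`, the two options still written as raw text in `extraOptions` (`show-trace`, `builders-use-substitutes`) could presumably move into `settings` as well, so all nix.conf values live in one typed attribute set.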
|
|
|
@ -1,4 +1,4 @@
|
||||||
# logrotate configuration for NixOS / NixOps
|
# logrotate configuration for NixOS
|
||||||
{config, ...}: {
|
{config, ...}: {
|
||||||
services.logrotate = {
|
services.logrotate = {
|
||||||
enable = true; # Enable the logrotate service
|
enable = true; # Enable the logrotate service
|
||||||
|
|
|
@ -157,7 +157,7 @@
|
||||||
set undodir=/tmp/.vim-undo-dir
|
set undodir=/tmp/.vim-undo-dir
|
||||||
set undofile
|
set undofile
|
||||||
|
|
||||||
" JFDIC Markdown environment
|
" Reciproka Kolektivo Markdown environment
|
||||||
function! MarkdownSettings()
|
function! MarkdownSettings()
|
||||||
set textwidth=79
|
set textwidth=79
|
||||||
set spell spelllang=en_au
|
set spell spelllang=en_au
|
||||||
|
@ -165,7 +165,7 @@
|
||||||
autocmd BufNewFile,BufFilePre,BufRead *.mdwn :call MarkdownSettings()
|
autocmd BufNewFile,BufFilePre,BufRead *.mdwn :call MarkdownSettings()
|
||||||
autocmd BufNewFile,BufFilePre,BufRead *.md :call MarkdownSettings()
|
autocmd BufNewFile,BufFilePre,BufRead *.md :call MarkdownSettings()
|
||||||
|
|
||||||
" JFDIC ReStructured Text environment
|
" Reciproka Kolektivo ReStructured Text environment
|
||||||
function! ReStructuredSettings()
|
function! ReStructuredSettings()
|
||||||
set textwidth=79
|
set textwidth=79
|
||||||
set spell spelllang=en_au
|
set spell spelllang=en_au
|
||||||
|
@ -176,14 +176,14 @@
|
||||||
autocmd BufNewFile,BufFilePre,BufRead *.rst :call ReStructuredSettings()
|
autocmd BufNewFile,BufFilePre,BufRead *.rst :call ReStructuredSettings()
|
||||||
autocmd BufNewFile,BufFilePre,BufRead *.txt :call ReStructuredSettings()
|
autocmd BufNewFile,BufFilePre,BufRead *.txt :call ReStructuredSettings()
|
||||||
|
|
||||||
" JFDIC LaTeX environment:
|
" Reciproka Kolektivo LaTeX environment:
|
||||||
function! LaTeXSettings()
|
function! LaTeXSettings()
|
||||||
set textwidth=79
|
set textwidth=79
|
||||||
set spell spelllang=en_au
|
set spell spelllang=en_au
|
||||||
endfunction
|
endfunction
|
||||||
autocmd BufNewFile,BufFilePre,BufRead *.tex :call LaTeXSettings()
|
autocmd BufNewFile,BufFilePre,BufRead *.tex :call LaTeXSettings()
|
||||||
|
|
||||||
" Settings for JFDIC Haskell environment:
|
" Settings for Reciproka Kolektivo Haskell environment:
|
||||||
function! HaskellSettings()
|
function! HaskellSettings()
|
||||||
set tabstop=2
|
set tabstop=2
|
||||||
set shiftwidth=2
|
set shiftwidth=2
|
||||||
|
@ -192,7 +192,7 @@
|
||||||
endfunction
|
endfunction
|
||||||
autocmd BufNewFile,BufFilePre,BufRead *.hs :call HaskellSettings()
|
autocmd BufNewFile,BufFilePre,BufRead *.hs :call HaskellSettings()
|
||||||
|
|
||||||
" Settings for JFDIC Nix environment:
|
" Settings for Reciproka Kolektivo Nix environment:
|
||||||
function! NixSettings()
|
function! NixSettings()
|
||||||
set tabstop=2
|
set tabstop=2
|
||||||
set shiftwidth=2
|
set shiftwidth=2
|
||||||
|
@ -202,7 +202,7 @@
|
||||||
endfunction
|
endfunction
|
||||||
autocmd BufNewFile,BufFilePre,BufRead *.nix :call NixSettings()
|
autocmd BufNewFile,BufFilePre,BufRead *.nix :call NixSettings()
|
||||||
|
|
||||||
" Settings for JFDIC Cue environment:
|
" Settings for Reciproka Kolektivo Cue environment:
|
||||||
function! CueSettings()
|
function! CueSettings()
|
||||||
set noexpandtab
|
set noexpandtab
|
||||||
set tabstop=2
|
set tabstop=2
|
||||||
|
@ -212,7 +212,7 @@
|
||||||
endfunction
|
endfunction
|
||||||
autocmd BufNewFile,BufFilePre,BufRead *.cue :call CueSettings()
|
autocmd BufNewFile,BufFilePre,BufRead *.cue :call CueSettings()
|
||||||
|
|
||||||
" Settings for JFDIC Rust environment:
|
" Settings for Reciproka Kolektivo Rust environment:
|
||||||
function! RustSettings()
|
function! RustSettings()
|
||||||
set tabstop=4
|
set tabstop=4
|
||||||
set shiftwidth=4
|
set shiftwidth=4
|
||||||
|
@ -222,7 +222,7 @@
|
||||||
endfunction
|
endfunction
|
||||||
autocmd BufNewFile,BufFilePre,BufRead *.rs :call RustSettings()
|
autocmd BufNewFile,BufFilePre,BufRead *.rs :call RustSettings()
|
||||||
|
|
||||||
" Settings for JFDIC Crystal environment:
|
" Settings for Reciproka Kolektivo Crystal environment:
|
||||||
function! CrystalSettings()
|
function! CrystalSettings()
|
||||||
set tabstop=2
|
set tabstop=2
|
||||||
set shiftwidth=2
|
set shiftwidth=2
|
||||||
|
@ -232,7 +232,7 @@
|
||||||
endfunction
|
endfunction
|
||||||
autocmd BufNewFile,BufFilePre,BufRead *.cr :call CrystalSettings()
|
autocmd BufNewFile,BufFilePre,BufRead *.cr :call CrystalSettings()
|
||||||
|
|
||||||
" Settings for JFDIC Golang environment:
|
" Settings for Reciproka Kolektivo Golang environment:
|
||||||
function! GoSettings()
|
function! GoSettings()
|
||||||
set tabstop=7
|
set tabstop=7
|
||||||
set shiftwidth=7
|
set shiftwidth=7
|
||||||
|
@ -240,7 +240,7 @@
|
||||||
endfunction
|
endfunction
|
||||||
autocmd BufNewFile,BufFilePre,BufRead *.go :call GoSettings()
|
autocmd BufNewFile,BufFilePre,BufRead *.go :call GoSettings()
|
||||||
|
|
||||||
" Settings for JFDIC Python environment:
|
" Settings for Reciproka Kolektivo Python environment:
|
||||||
function! PythonSettings()
|
function! PythonSettings()
|
||||||
set tabstop=4
|
set tabstop=4
|
||||||
set shiftwidth=4
|
set shiftwidth=4
|
||||||
|
@ -250,7 +250,7 @@
|
||||||
endfunction
|
endfunction
|
||||||
autocmd BufNewFile,BufFilePre,BufRead *.py :call PythonSettings()
|
autocmd BufNewFile,BufFilePre,BufRead *.py :call PythonSettings()
|
||||||
|
|
||||||
" JFDIC Mutt environment
|
" Reciproka Kolektivo Mutt environment
|
||||||
function! MuttSettings()
|
function! MuttSettings()
|
||||||
set textwidth=79
|
set textwidth=79
|
||||||
set spell spelllang=en_au
|
set spell spelllang=en_au
|
||||||
|
@ -261,7 +261,7 @@
|
||||||
autocmd BufNewFile,BufFilePre,BufRead mutt-* :call MuttSettings()
|
autocmd BufNewFile,BufFilePre,BufRead mutt-* :call MuttSettings()
|
||||||
autocmd BufNewFile,BufFilePre,BufRead neomutt-* :call MuttSettings()
|
autocmd BufNewFile,BufFilePre,BufRead neomutt-* :call MuttSettings()
|
||||||
|
|
||||||
" Settings for JFDIC C environment:
|
" Settings for Reciproka Kolektivo C environment:
|
||||||
function! CSettings()
|
function! CSettings()
|
||||||
set tabstop=2
|
set tabstop=2
|
||||||
set shiftwidth=2
|
set shiftwidth=2
|
||||||
|
@ -270,7 +270,7 @@
|
||||||
endfunction
|
endfunction
|
||||||
autocmd BufNewFile,BufFilePre,BufRead *.c :call CSettings()
|
autocmd BufNewFile,BufFilePre,BufRead *.c :call CSettings()
|
||||||
|
|
||||||
" Settings for JFDIC YAML environment:
|
" Settings for Reciproka Kolektivo YAML environment:
|
||||||
function! YAMLSettings()
|
function! YAMLSettings()
|
||||||
set tabstop=2
|
set tabstop=2
|
||||||
set shiftwidth=2
|
set shiftwidth=2
|
||||||
|
@ -284,7 +284,7 @@
|
||||||
autocmd BufNewFile,BufFilePre,BufRead *.yaml :call YAMLSettings()
|
autocmd BufNewFile,BufFilePre,BufRead *.yaml :call YAMLSettings()
|
||||||
autocmd BufNewFile,BufFilePre,BufRead *.yml :call YAMLSettings()
|
autocmd BufNewFile,BufFilePre,BufRead *.yml :call YAMLSettings()
|
||||||
|
|
||||||
" Settings for JFDIC Bash environment:
|
" Settings for Reciproka Kolektivo Bash environment:
|
||||||
function! BashSettings()
|
function! BashSettings()
|
||||||
set tabstop=4
|
set tabstop=4
|
||||||
set shiftwidth=4
|
set shiftwidth=4
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# NixOps configuration nix-direnv
|
# Nix configuration nix-direnv
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
@ -16,11 +16,11 @@
|
||||||
environment = {
|
environment = {
|
||||||
systemPackages = with pkgs; [
|
systemPackages = with pkgs; [
|
||||||
direnv # A shell extension that manages your environment
|
direnv # A shell extension that manages your environment
|
||||||
nix-direnv # A fast, persistent use_nix implementation for direnv
|
#nix-direnv # A fast, persistent use_nix implementation for direnv
|
||||||
];
|
|
||||||
pathsToLink = [
|
|
||||||
"/share/nix-direnv"
|
|
||||||
];
|
];
|
||||||
|
# pathsToLink = [
|
||||||
|
# "/share/nix-direnv"
|
||||||
|
# ];
|
||||||
};
|
};
|
||||||
|
|
||||||
nixpkgs.overlays = [
|
nixpkgs.overlays = [
|
||||||
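Review bot: The hunk comments out `nix-direnv` and the whole `pathsToLink` block instead of removing them, and records no reason, while the file header still describes this as the nix-direnv configuration. Either delete the dead lines or add one comment above `#nix-direnv` stating why it is disabled, e.g. `# nix-direnv temporarily disabled: <reason — TODO>`, so the next reader knows whether the overlay that follows is still needed.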
|
|
|
@ -7,9 +7,6 @@
|
||||||
}: {
|
}: {
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
enable = true; # Enable the OpenSSH daemon.
|
enable = true; # Enable the OpenSSH daemon.
|
||||||
permitRootLogin = "prohibit-password";
|
|
||||||
kbdInteractiveAuthentication = false;
|
|
||||||
passwordAuthentication = false;
|
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
hostKeys = [
|
hostKeys = [
|
||||||
{
|
{
|
||||||
|
@ -17,5 +14,10 @@
|
||||||
type = "ed25519";
|
type = "ed25519";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
settings = {
|
||||||
|
KbdInteractiveAuthentication = false;
|
||||||
|
PasswordAuthentication = false;
|
||||||
|
PermitRootLogin = "prohibit-password";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
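--- /dev/null
+++ b/profiles/reciproka-forgejo.nix
@@ -0,0 +1,118 @@
+# Nix configuration for the Reciproka Kolectivo Forgejo service
+{
+config,
+pkgs,
+lib,
+...
+}: let
+flake = builtins.getFlake (toString ../.);
+nixpkgsUnstable = flake.inputs.nixpkgsUnstable;
+in {
+services.forgejo = {
+enable = true; # Enable Forgejo
+appName = "Reciproka Kolektivo: Forgejo Service"; # Give the site a name
+database = {
+type = "postgres"; # Database type
+passwordFile = config.age.secrets.forgejo.path;
+};
+domain = "reciproka.dev"; # Domain name
+httpPort = 3002; # Provided unique port
+rootUrl = "https://reciproka.dev/"; # Root web URL
+settings = let
+DEFAULT.APP_NAME = "Reciproka Kolektivo: Forgejo Service"; # Give the site a name
+server = {
+DOMAIN = "reciproka.dev"; # Domain name
+HTTP_PORT = 3002; # Provided unique port
+ROOT_URL = "https://reciproka.dev/"; # Root web URL
+};
+in {
+mailer = {
+ENABLED = true;
+FROM = "fonto@reciproka.dev";
+};
+repository = {
+DEFAULT_BRANCH = "consensus";
+};
+service = {
+DISABLE_REGISTRATION = true;
+REGISTER_EMAIL_CONFIRM = true;
+};
+"markup.restructuredtext" = {
+ENABLED = true;
+FILE_EXTENSIONS = ".rst";
+RENDER_COMMAND = "timeout 30s ${pkgs.pandoc}/bin/pandoc +RTS -M512M -RTS -f rst";
+IS_INPUT_FILE = false;
+};
+ui = {
+DEFAULT_THEME = "forgejo-auto"; # Set the default theme
+THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,arc-green,forgejo";
+};
+};
+};
+
+systemd = {
+services = {
+forgejo = {
+# Ensure forgejo starts after keys are loaded
+after = ["forgejo-dbpass-key.service"];
+wants = ["forgejo-dbpass-key.service"];
+};
+};
+};
+
+services.postgresql = {
+enable = true; # Ensure postgresql is enabled
+authentication = ''
+local forgejo all ident map=forgejo-users
+'';
+identMap =
+# Map the forgejo user to postgresql
+''
+forgejo-users forgejo forgejo
+'';
+ensureDatabases = ["forgejo"]; # Ensure the database persists
+ensureUsers = [
+{
+name = "forgejo"; # Ensure the database user persists
+ensureDBOwnership = true;
+}
+];
+package = pkgs.postgresql_16;
+};
+
+services.postgresqlBackup = {
+enable = true;
+compression = "zstd";
+databases = ["forgejo"];
+startAt = "*-*-* 15:00:00";
+};
+
+services.nginx = {
+enable = true; # Enable Nginx
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedProxySettings = true;
+recommendedTlsSettings = true;
+virtualHosts."source.jfdic.org" = {
+enableACME = true; # Use ACME certs
+forceSSL = true; # Force SSL
+locations."/" = {
+return = "301 https://reciproka.dev$request_uri";
+};
+};
+virtualHosts."reciproka.dev" = {
+# Forgejo hostname
+enableACME = true; # Use ACME certs
+forceSSL = true; # Force SSL
+locations."/".proxyPass = "http://localhost:3002/"; # Proxy Forgejo
+};
+};
+
+security.acme = {
+acceptTerms = true;
+certs = {
+"reciproka.dev".email = "admin@reciproka.co";
+"source.jfdic.org".email = "admin@reciproka.co";
+};
+};
+}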
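Review bot: The `let`-bound `DEFAULT.APP_NAME` and `server` inside `settings` are never referenced by the `in { … }` set, and `nixpkgsUnstable` at the top is likewise unused, so those lines are dead configuration that duplicates the `appName`/`domain`/`httpPort`/`rootUrl` options above; drop them or move them into the `in` set. `after`/`wants = ["forgejo-dbpass-key.service"]` carries over the NixOps key-unit name from the deleted gitea profile, but this file now reads `config.age.secrets.forgejo.path`, and with agenix there is no such unit to wait for, so the ordering is a no-op and the comment is misleading. The `forgejo` age secret is not declared in this file or in `profiles/users.nix`; wherever it is declared, the service user must be able to read it (agenix defaults to root-only), e.g. `age.secrets.forgejo = { file = ../secrets/forgejo.age; owner = "forgejo"; };` — confirm against the host configuration.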
@ -1,13 +1,13 @@
|
||||||
# NixOps configuration for deploying the JFDIC website
|
# Nix configuration for deploying the Reciproka Kolektivo website
|
||||||
{
|
{
|
||||||
self,
|
self,
|
||||||
config,
|
config,
|
||||||
inputs,
|
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
jfdic-web = import inputs.jfdic-web {};
|
flake = builtins.getFlake (toString ../.);
|
||||||
webdomain = "jfdic.org";
|
reciproka-web = flake.inputs.reciproka-web.packages."${pkgs.system}".default;
|
||||||
|
webdomain = "reciproka.net";
|
||||||
in {
|
in {
|
||||||
environment.sessionVariables = {
|
environment.sessionVariables = {
|
||||||
LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
|
LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
|
||||||
|
@ -24,11 +24,18 @@ in {
|
||||||
# website hostname
|
# website hostname
|
||||||
enableACME = true; # Use ACME certs
|
enableACME = true; # Use ACME certs
|
||||||
forceSSL = true; # Force SSL
|
forceSSL = true; # Force SSL
|
||||||
root = "${jfdic-web}"; # Wesbite root
|
root = "${reciproka-web}"; # Wesbite root
|
||||||
};
|
};
|
||||||
"www.${webdomain}" = {
|
"www.${webdomain}" = {
|
||||||
# Respect our elders :-)
|
# Respect our elders :-)
|
||||||
locations."/".extraConfig = "return 301 $scheme://${webdomain}$request_uri;";
|
locations."/".extraConfig = "return 301 $scheme://${webdomain}$request_uri;";
|
||||||
|
enableACME = true; # Use ACME certs
|
||||||
|
forceSSL = true; # Force SSL
|
||||||
|
};
|
||||||
|
"reciproka.co" = {
|
||||||
|
locations."/".extraConfig = "return 301 $scheme://${webdomain}$request_uri;";
|
||||||
|
enableACME = true; # Use ACME certs
|
||||||
|
forceSSL = true; # Force SSL
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -36,10 +43,9 @@ in {
|
||||||
security.acme = {
|
security.acme = {
|
||||||
acceptTerms = true;
|
acceptTerms = true;
|
||||||
certs = {
|
certs = {
|
||||||
"${webdomain}" = {
|
"${webdomain}" = {email = "admin@${webdomain}";};
|
||||||
email = "admin@${webdomain}";
|
"www.${webdomain}" = {email = "admin@${webdomain}";};
|
||||||
#group = "matrix-synapse";
|
"reciproka.co" = {email = "admin@${webdomain}";};
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
# NixOps configuration for deploying the JFDIC website
|
# NixOS configuration for deploying the Resilient Rockhampton website
|
||||||
{
|
{
|
||||||
self,
|
self,
|
||||||
config,
|
config,
|
||||||
inputs,
|
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
resrok-web = import inputs.resrok-web {};
|
flake = builtins.getFlake (toString ../.);
|
||||||
|
resrok-web = import flake.inputs.resrok-web {};
|
||||||
webdomain = "resrok.org";
|
webdomain = "resrok.org";
|
||||||
in {
|
in {
|
||||||
environment.sessionVariables = {
|
environment.sessionVariables = {
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# Configuration common to all JFDIC servers
|
# Configuration common to all Reciproka Kolektivo servers
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
@ -7,8 +7,7 @@
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
../profiles/openssh.nix
|
../profiles/openssh.nix
|
||||||
../secrets/user-fiscalvelvetpoet.nix
|
../profiles/users.nix
|
||||||
../secrets/user-root.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
programs.mosh = {
|
programs.mosh = {
|
||||||
|
|
|
@ -3,6 +3,6 @@
|
||||||
services.tmate = {
|
services.tmate = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
sshHostname = "tmate.jfdic.org";
|
sshHostname = "tmate.reciproka.co";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
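--- /dev/null
+++ b/profiles/users.nix
@@ -0,0 +1,37 @@
+# User configuration common to all Reciproka Kolektivo servers
+{
+config,
+pkgs,
+...
+}: {
+age.secrets = {
+root.file = ../secrets/root.age;
+fiscalvelvetpoet.file = ../secrets/fiscalvelvetpoet.age;
+};
+
+# Reciproka Ops groups:
+users.groups.fiscalvelvetpoet.gid = 1000;
+
+# Reciproka Ops Users
+users.users.fiscalvelvetpoet = {
+isNormalUser = true;
+uid = 1000;
+group = "fiscalvelvetpoet";
+extraGroups = ["wheel"];
+# fix this
+hashedPasswordFile = config.age.secrets.fiscalvelvetpoet.path;
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@reciproka"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
+];
+};
+
+users.users.root = {
+# fix this
+hashedPasswordFile = config.age.secrets.root.path;
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@reciproka"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
+];
+};
+}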
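Review bot: The two `# fix this` comments above each `hashedPasswordFile` say nothing about what is wrong, so they will never be acted on; replace each with the actual concern, e.g. `# TODO: hashedPasswordFile is read at activation — confirm the age secret is decrypted before user setup`. The root account is given exactly the same two authorized keys as `fiscalvelvetpoet`, who is already in `wheel` with `security.sudo.wheelNeedsPassword = false` in the common profile, so direct root SSH adds a second privileged login path without adding capability; consider leaving `users.users.root.openssh.authorizedKeys.keys` empty (the new `PermitRootLogin = "prohibit-password"` then refuses root logins outright) or record in a comment why key-based root access is wanted.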
@ -1,12 +1,12 @@
|
||||||
# NixOps configuration for deploying the Voices of Capricornia website
|
# Nix configuration for deploying the Voices of Capricornia website
|
||||||
{
|
{
|
||||||
self,
|
self,
|
||||||
config,
|
config,
|
||||||
inputs,
|
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
voc-web = import inputs.voc-web {};
|
flake = builtins.getFlake (toString ../.);
|
||||||
|
voc-web = import flake.inputs.voc-web {};
|
||||||
webdomain = "voicesofcapricornia.org";
|
webdomain = "voicesofcapricornia.org";
|
||||||
in {
|
in {
|
||||||
environment.sessionVariables = {
|
environment.sessionVariables = {
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# Configuration common to all JFDIC servers
|
# Configuration common to all Reciproka Kolektivo servers
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
|
21
secrets/fiscalvelvetpoet.age
Normal file
21
secrets/fiscalvelvetpoet.age
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBSMUhj
|
||||||
|
Zk9XdkxaZkpXYkF3K2lpbkR5dmZYYzJhUi9UanpBVEI1S2IvZXhNCnpyT09mZHNv
|
||||||
|
YktCcUd5Y2w1bnNNajFjaWl6Um9yWFpUTkFGdjRINnZFRW8KLT4gc3NoLWVkMjU1
|
||||||
|
MTkgUWQwZXBRIHE3RXdLUC82TVNJdHIvU2xnWGF1QktCZGkxbFhsT0dxVDRZZWgy
|
||||||
|
aVBUbDQKUkxqdTc5ZlhQaG5OOXhtSVBlR2FCR2c3ZGR2cnFUWnN0WkQxRDRlWlg1
|
||||||
|
YwotPiBzc2gtZWQyNTUxOSB1N1ozancgR2pTOVZ5cGpmdzMzT1ZYelAwTTI1TVpG
|
||||||
|
QUdlZ0xBZEo4NkpoZlZEVGlFTQpFelJDQ0RKaFFsVlRESERmMWJIQjZJcmh1QzBI
|
||||||
|
VFU3QmZGZ2JKcFMyNmJrCi0+IHNzaC1lZDI1NTE5IFpEOGxNdyBYSHdCdXJRTUVI
|
||||||
|
eDFJZHRHY2JhUTRha1JNRFg5c3ppbVo0OGdQSXdPOUdJCjBFSTVpd2JWd2xkTjZx
|
||||||
|
VDVuMlVHb1Z1aEhYU2kxWkpwV2hJUDZQRzNkckUKLT4gc3NoLWVkMjU1MTkgZjVU
|
||||||
|
aEFnIG1zay9zeUFtd3dkOTJQUFR6S0ZnUm9jbmQ0TkJQU2pJTTYrMmNEaE5KeTAK
|
||||||
|
WXN2OFM2anNYYXF6Wk9rUnFjQzNGSjdhTGFyVDhhd1dORWxRaUpuRG9XUQotPiBe
|
||||||
|
d3pXUTxFLWdyZWFzZSBvVT16IFw3Oz02IGQ/ZFVjQS4KVnBKTVc0YzR3SEhaOS80
|
||||||
|
bzE1NXMxaHh1QStNaXZ4eGZrbDdrV0k5YW5rQTdKbGJsbzZsRzFLMi9veTAKLS0t
|
||||||
|
IGdEblEzcTdkcWVFVURycTJsTUl5MHEySUdTRTJub1hMVnJNekMxQTAxTGcKot0G
|
||||||
|
3I1FgBm5Hw3MkQXfRdX6FgzAAEmH0t+v8R087u7vDbzVFVwVWGm4qQuHTwYNa1Yu
|
||||||
|
5gcM8LAg9N/ZV6Mc7+OlqKoKTs6S+VhphfbuDPrwJZUJT/OO30MgEdgemZ+JtQoA
|
||||||
|
O5str1O/0MBTQRyqJglcIjD2rPQcl9cZQupvJeaTOkdoLQ3Pv8aUrZBg3yHg6JX4
|
||||||
|
N5siGxgv/NfGcpCvkUM=
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
13
secrets/forgejo.age
Normal file
13
secrets/forgejo.age
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBuMjdR
|
||||||
|
ZzN1QTRIend1TWhLSDZzQ0JQUG9tZFdGZUo4QUljV3pnaEdDR1VzCi9PRXFnTDlD
|
||||||
|
NFhtYW4reHphUFFqUVBDd2pxY2liOXgwRUlIZzcvZTdWWTAKLT4gc3NoLWVkMjU1
|
||||||
|
MTkgZjVUaEFnIGRvQUFSMzFzVmZLT0Z4SlczNmdicThCYklBbisvcmlzejI4b3Jm
|
||||||
|
ZVRTVmsKWDlKTkV6STJaSEVDL0tMVmMvcUt0L3pOS0xXU281bjRXSkJDSXloLzZE
|
||||||
|
OAotPiBVLWdyZWFzZSBCZTMgM01ZIEd0OWcKdnMvd0FJOEhmQTdTcElld0JsNXdD
|
||||||
|
bS9hWUtHam1PR0tyTmowck1rVEEzZXc0QjhWNjVNZVU0anRCS1lrMkRtVApQcVdV
|
||||||
|
djJORHppTEFib1VLOC9LbG5OdWhNdEZKWGJyQ3Z6dUFTOEw5WjZsT2E4SDRSSUlK
|
||||||
|
aEpWRUNYRlZTdwotLS0geFBJK21QRGZxd3lZRjZRanhDeFRDTTd6T1p2UGhiNXBm
|
||||||
|
NnhaWkptcDFsYwqWryUWy5DtJHpelFVJu9DnS2rUS9JVnjIHCj2MNYrs6f5cxzZP
|
||||||
|
4+CUjz1Agu+ODFUvsl/ccIvcaS0=
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
22
secrets/root.age
Normal file
22
secrets/root.age
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBsWm9s
|
||||||
|
UzB6bzM2VU9IR3Y2MUcrdmtJTk1nM3h0VFV4WFNaaU9pZ0pHMWxBClpiRDZ3VVU1
|
||||||
|
VkE5SHhJZXc4RGJOenY3Qzc1eXN6Y1M2d1ZnU1dIbHFvQUUKLT4gc3NoLWVkMjU1
|
||||||
|
MTkgUWQwZXBRIGVCZURhelZkTFpoRldaVlZoZzVBenBjbEROUlIrTERnN2VpNmhP
|
||||||
|
dVFNSDQKNXNWNU5iOGRBV3ZMVzdSVXRPSTkvQzJpblVsbERJekM0VHdnbEwyd0tG
|
||||||
|
VQotPiBzc2gtZWQyNTUxOSB1N1ozancgY2pvTllQbytTbDBZaHlSbVFxa2ZYbmFt
|
||||||
|
OTlvYTQrMUcybVdJd2gxb2Jsbwo4RXBLMkdYSFY3aHYxSGZnS0h4S21ablBueFBz
|
||||||
|
L2JFaEhaYWR5VFFNQzhVCi0+IHNzaC1lZDI1NTE5IFpEOGxNdyBDZGNmblJIWGtx
|
||||||
|
QWhEeldzVGZmUWJ6anM4Y2hTT0tpUVNpNDVyRDJRQ240Clk2bmpCVlI4RWduRS80
|
||||||
|
cVRVWWwycDdtdVpFS25BSDAzOEh5YUcxdW9GclkKLT4gc3NoLWVkMjU1MTkgZjVU
|
||||||
|
aEFnIDZBbXVIQVdoaVl6TlZXR1FmeEtwL0hBNWc4c0lvSFlQTzZVc1VJZ09PMXcK
|
||||||
|
VnhFVVg4eTZiRU1YbUhxUzJrYXRUeWpVVFdOSWpUNHNvUWZCRXd1U3Y3VQotPiBB
|
||||||
|
IW9WfGMlLWdyZWFzZQo2WmhadWt6cFZ3S2FONDFIWUFPWWpMOXFRT1d2alNPajVI
|
||||||
|
aUJrdmVVT1J1OHA3Uy9LMjdadSs4RnhldGNxWGNtCitJSHhKSlhnMzI0UDdtSFBX
|
||||||
|
T0tuY0NvRkI5Q0F6YkJmSHI3aFlReHJORVNLL1RJMkI5QUt5NllmcGcKLS0tIGFQ
|
||||||
|
YXpDdDhnR05PaGQ0WEdVd2hMUURnRmtnbDVvWkt0ZDNtaVhxT0ZIbFUKcYbxjmgx
|
||||||
|
v7X82tsU3fuTUo9l2q3HmHECwKlvyqsXyyJst+/jJgANfE7/tHm0t6Dm4fPgBvdN
|
||||||
|
0AqTDx1p7PLvfQhMuhD2G9mHGLwcom3xUOI8h6JkMCv+bojWD9RCEB+wsAwfCzVV
|
||||||
|
pStMrMl6copsy1/E4yXkkm+kBgIMFeGzQvRyZ+UCri0rjzsGFQWEgUgD3fFcNJIq
|
||||||
|
HCYi0uW970YK2qI=
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
22
secrets/secrets.nix
Normal file
22
secrets/secrets.nix
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
# Used by ragenix nix only.
|
||||||
|
# Ensure that $RULES has been set via direnv
|
||||||
|
# Edit a key: `agenix -i ~/.ssh/id_ed25519 -e secrets/someKey.age`
|
||||||
|
# run `ragenix -r -i /path/to/your/key` after modifying any keys below
|
||||||
|
#
|
||||||
|
# Re-keying is required after adding new hosts or keys:
|
||||||
|
# run `ragenix -r -i /path/to/your/key`
|
||||||
|
let
|
||||||
|
fiscalvelvetpoet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so";
|
||||||
|
ops = [fiscalvelvetpoet];
|
||||||
|
users = [fiscalvelvetpoet];
|
||||||
|
|
||||||
|
flemming = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK16f3Fjj0BY9vjtXahezMAP3I329hHEQXCceRTkr+Yu";
|
||||||
|
hollows = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEGB8EUbqoarM4GmPgE2DBF4z/L6wVNc+lF27Z83XDUz";
|
||||||
|
pred = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMK5BOK1ldtZ+SV4QxfNm/PfOLOWv3/VHf/JbdMMoMzw";
|
||||||
|
toscano = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWcukRkNUQUbgXQle8q9xszDZOnDf3BVpPSFgycJVVE";
|
||||||
|
systems = [flemming hollows pred toscano];
|
||||||
|
in {
|
||||||
|
"root.age".publicKeys = ops ++ systems;
|
||||||
|
"fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems;
|
||||||
|
"forgejo.age".publicKeys = [fiscalvelvetpoet toscano];
|
||||||
|
}
|
|
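Review bot: `users = [fiscalvelvetpoet];` is never referenced — the rules use `ops` and a literal `[fiscalvelvetpoet]` — so either drop it or use it in the `fiscalvelvetpoet.age` rule, and the `# Edit a key:` line names `agenix` while every other comment here and the new `shell.nix` entry use ragenix; `# Edit a key: \`ragenix -i ~/.ssh/id_ed25519 -e secrets/someKey.age\`` keeps the instructions consistent. The two re-key reminders say the same thing and one can go. Scoping `forgejo.age` to the operator key plus `toscano` only, rather than all `systems`, is the right least-privilege split and worth a one-line comment so it is not "fixed" later.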
@ -1,16 +1,19 @@
|
||||||
{
|
{
|
||||||
pkgs ? import <nixpkgs> {},
|
pkgs ? import <nixpkgs> {},
|
||||||
|
ragenix,
|
||||||
alejandra,
|
alejandra,
|
||||||
mkShell,
|
mkShell,
|
||||||
nixops,
|
colmena,
|
||||||
nix,
|
nix,
|
||||||
}:
|
}:
|
||||||
with pkgs;
|
with pkgs;
|
||||||
mkShell {
|
mkShell {
|
||||||
buildInputs = [
|
buildInputs = [
|
||||||
|
ragenix # CLI management of secrets encrypted via existing SSH keys
|
||||||
alejandra # The Uncompromising Nix Code Formatter
|
alejandra # The Uncompromising Nix Code Formatter
|
||||||
nixops
|
colmena # simple, stateless NixOS deployment tool
|
||||||
nix
|
nix # Powerful package manager that makes package management reliable and reproducible
|
||||||
|
tea # Gitea official CLI client
|
||||||
treefmt # one CLI to format the code tree
|
treefmt # one CLI to format the code tree
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
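Review bot: `tea # Gitea official CLI client` is added in the same compare that deletes the Gitea profile and introduces Forgejo; tea presumably still talks to the Forgejo instance, but the comment should say which service it is meant for here, e.g. `tea # CLI client for the Forgejo (Gitea-compatible) instance`, so the entry is not mistaken for a leftover. The other new comments on `ragenix` and `colmena` are fine.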
|
|