kevin/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity

Compare commits

base: kevin:main
Branches Tags
kevin:main
kevin:cowsay
kevin:pulls/kevin/key
kevin:ci/pixelfed
kevin:pixelfed-ci
Fediversity:main
Fediversity:ci/pixelfed
Fediversity:pixelfed-ci
..
compare: kevin:ci/pixelfed
Branches Tags
kevin:main
kevin:cowsay
kevin:pulls/kevin/key
kevin:ci/pixelfed
kevin:pixelfed-ci
Fediversity:main
Fediversity:ci/pixelfed
Fediversity:pixelfed-ci

7 commits
main ... ci/pixelfe

Author SHA1 Message Date
Nicolas “Niols” Jeannerod
ce88f65f9a
Even longer waits 2025-01-28 12:13:11 +01:00
Nicolas “Niols” Jeannerod
7ec70e00ef
Run the Pixelfed test in CI 2025-01-27 17:51:13 +01:00
Nicolas “Niols” Jeannerod
4d478ab463
Full rework of the Pixelfed test 2025-01-27 17:51:13 +01:00
Nicolas “Niols” Jeannerod
8d0e93abe0
Fix Pixelfed service 2025-01-27 17:51:13 +01:00
Nicolas “Niols” Jeannerod
930fd91e39
Clean up Mastodon and Peertube tests 2025-01-27 17:51:13 +01:00
Nicolas “Niols” Jeannerod
f15669e51e
Clean up VM options 2025-01-27 17:51:13 +01:00
Nicolas “Niols” Jeannerod
a740364f04
Enable CI on all ci/** branches 2025-01-27 15:27:15 +01:00
67 changed files with 1160 additions and 1759 deletions
Show stats Expand all files Collapse all files

10
.envrc
View file

@ -1,10 +0,0 @@
#!/usr/bin/env bash
# the shebang is ignored, but nice for editors
# shellcheck shell=bash
if type -P lorri &>/dev/null; then
eval "$(lorri direnv --flake .)"
else
echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
use flake
fi

7
.forgejo/workflows/ci.yaml
View file

@ -7,6 +7,7 @@ on:
push:
branches:
- main
- ci/**
jobs:
check-pre-commit:
@ -27,3 +28,9 @@ jobs:
steps:
- uses: actions/checkout@v4
- run: nix build .#checks.x86_64-linux.peertube -L
check-pixelfed:
runs-on: native
steps:
- uses: actions/checkout@v4
- run: nix build .#checks.x86_64-linux.pixelfed -L

1
.gitignore vendored
View file

@ -6,6 +6,7 @@ tmp/
.proxmox
/.pre-commit-config.yaml
nixos.qcow2
.envrc
.direnv
result*
.nixos-test-history

4
README.md
View file

@ -24,6 +24,10 @@ details as to what they are for. As an overview:
- [`secrets/`](./secrets) contains the secrets that need to get injected into
machine configurations.
- [`server/`](./server) contains the configuration of the VM hosting the
website. This should be integrated into `infra/` shortly in the future, as
tracked in https://git.fediversity.eu/Fediversity/Fediversity/issues/31.
- [`services/`](./services) contains our effort to make Fediverse applications
work seemlessly together in our specific setting.

6
deployment/proxmox/provision.sh
View file

@ -178,11 +178,7 @@ upload_iso () {
## Remove ISO
remove_iso () {
printf 'Removing ISO for VM %d...\n' $1
proxmox_sync DELETE $apiurl/nodes/$node/storage/local/content/local:iso/installer-fedi$1.iso
printf 'done removing ISO for VM %d.\n' $1
printf 'Removing ISO for VM %d... unsupported for now. (FIXME)\n' $1
}
################################################################################

540
flake.lock generated
View file

@ -8,11 +8,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1736955230,
"narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"owner": "ryantm",
"repo": "agenix",
"rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"type": "github"
},
"original": {
@ -41,16 +41,16 @@
"crane_2": {
"flake": false,
"locked": {
"lastModified": 1727316705,
"narHash": "sha256-/mumx8AQ5xFuCJqxCIOFCHTVlxHkMT21idpbgbm/TIE=",
"lastModified": 1699217310,
"narHash": "sha256-xpW3VFUG7yE6UE6Wl0dhqencuENSkV7qpnpe9I8VbPw=",
"owner": "ipetkov",
"repo": "crane",
"rev": "5b03654ce046b5167e7b0bccbd8244cb56c16f0e",
"rev": "d535642bbe6f377077f7c23f0febb78b1463f449",
"type": "github"
},
"original": {
"owner": "ipetkov",
"ref": "v0.19.0",
"ref": "v0.15.0",
"repo": "crane",
"type": "github"
}
@ -82,11 +82,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1738148035,
"narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=",
"lastModified": 1731274291,
"narHash": "sha256-cZ0QMpv5p2a6WEE+o9uu0a4ma6RzQDOQTbm7PbixWz8=",
"owner": "nix-community",
"repo": "disko",
"rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54",
"rev": "486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc",
"type": "github"
},
"original": {
@ -106,11 +106,11 @@
"pyproject-nix": "pyproject-nix"
},
"locked": {
"lastModified": 1735160684,
"narHash": "sha256-n5CwhmqKxifuD4Sq4WuRP/h5LO6f23cGnSAuJemnd/4=",
"lastModified": 1732214960,
"narHash": "sha256-ViyEMSYwaza6y55XTDrsRi2K4YKCLsefMTorjWSE27s=",
"owner": "nix-community",
"repo": "dream2nix",
"rev": "8ce6284ff58208ed8961681276f82c2f8f978ef4",
"rev": "a8dac99db44307fdecead13a39c584b97812d0d4",
"type": "github"
},
"original": {
@ -123,7 +123,6 @@
"inputs": {
"nixpkgs": [
"nixops4-nixos",
"nixops4",
"nix-cargo-integration",
"nixpkgs"
],
@ -131,11 +130,11 @@
"pyproject-nix": "pyproject-nix_2"
},
"locked": {
"lastModified": 1735160684,
"narHash": "sha256-n5CwhmqKxifuD4Sq4WuRP/h5LO6f23cGnSAuJemnd/4=",
"lastModified": 1722526955,
"narHash": "sha256-fFS8aDnfK9Qfm2FLnQ8pqWk8FzvFEv5LvTuZTZLREnc=",
"owner": "nix-community",
"repo": "dream2nix",
"rev": "8ce6284ff58208ed8961681276f82c2f8f978ef4",
"rev": "3fd4c14d3683baac8d1f94286ae14fe160888b51",
"type": "github"
},
"original": {
@ -163,11 +162,11 @@
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
@ -208,48 +207,16 @@
"type": "github"
}
},
"flake-compat_5": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_6": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
@ -263,11 +230,11 @@
"nixpkgs-lib": "nixpkgs-lib_2"
},
"locked": {
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
@ -285,11 +252,11 @@
]
},
"locked": {
"lastModified": 1733312601,
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"lastModified": 1719994518,
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
"type": "github"
},
"original": {
@ -317,38 +284,19 @@
}
},
"flake-parts_5": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib_4"
},
"locked": {
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_6": {
"inputs": {
"nixpkgs-lib": [
"nixops4-nixos",
"nixops4",
"nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1733312601,
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"lastModified": 1719994518,
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
"type": "github"
},
"original": {
@ -361,14 +309,15 @@
"inputs": {
"flake-compat": "flake-compat",
"gitignore": "gitignore",
"nixpkgs": "nixpkgs_3"
"nixpkgs": "nixpkgs_3",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1737465171,
"narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
"lastModified": 1730814269,
"narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
"rev": "d70155fdc00df4628446352fc58adc640cd705c2",
"type": "github"
},
"original": {
@ -399,70 +348,11 @@
]
},
"locked": {
"lastModified": 1734279981,
"narHash": "sha256-NdaCraHPp8iYMWzdXAt5Nv6sA3MUzlCiGiR586TCwo0=",
"lastModified": 1721042469,
"narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "aa9f40c906904ebd83da78e7f328cd8aeaeae785",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"git-hooks-nix_2": {
"inputs": {
"flake-compat": "flake-compat_4",
"gitignore": "gitignore_2",
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1737465171,
"narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"git-hooks-nix_3": {
"inputs": {
"flake-compat": [
"nixops4-nixos",
"nixops4",
"nix"
],
"gitignore": [
"nixops4-nixos",
"nixops4",
"nix"
],
"nixpkgs": [
"nixops4-nixos",
"nixops4",
"nix",
"nixpkgs"
],
"nixpkgs-stable": [
"nixops4-nixos",
"nixops4",
"nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1734279981,
"narHash": "sha256-NdaCraHPp8iYMWzdXAt5Nv6sA3MUzlCiGiR586TCwo0=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "aa9f40c906904ebd83da78e7f328cd8aeaeae785",
"rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
"type": "github"
},
"original": {
@ -492,28 +382,6 @@
"type": "github"
}
},
"gitignore_2": {
"inputs": {
"nixpkgs": [
"nixops4-nixos",
"git-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -535,6 +403,39 @@
"type": "github"
}
},
"libgit2": {
"flake": false,
"locked": {
"lastModified": 1715853528,
"narHash": "sha256-J2rCxTecyLbbDdsyBWn9w7r3pbKRMkI9E7RvRgAqBdY=",
"owner": "libgit2",
"repo": "libgit2",
"rev": "36f7e21ad757a3dacc58cf7944329da6bc1d6e96",
"type": "github"
},
"original": {
"owner": "libgit2",
"ref": "v1.8.1",
"repo": "libgit2",
"type": "github"
}
},
"libgit2_2": {
"flake": false,
"locked": {
"lastModified": 1724328629,
"narHash": "sha256-7SuD4k+ORwFPwDm5Qr5eSV6GMVWjMfFed9KYi8riUQo=",
"owner": "libgit2",
"repo": "libgit2",
"rev": "782e29c906f6e44b120843356f286b6a97d89f88",
"type": "github"
},
"original": {
"owner": "libgit2",
"repo": "libgit2",
"type": "github"
}
},
"mk-naked-shell": {
"flake": false,
"locked": {
@ -572,6 +473,7 @@
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts_3",
"git-hooks-nix": "git-hooks-nix",
"libgit2": "libgit2",
"nixpkgs": [
"nixops4",
"nixpkgs"
@ -580,11 +482,11 @@
"nixpkgs-regression": "nixpkgs-regression"
},
"locked": {
"lastModified": 1736342444,
"narHash": "sha256-u6OD0BH+UxyfrWMMpBfM5cz/TDWU9lxJOujgzqBnN9A=",
"lastModified": 1732892090,
"narHash": "sha256-Ka/uNdaqpTAiVL++4MPHg8fG5o1tiJeY6G2t5UiKhd8=",
"owner": "NixOS",
"repo": "nix",
"rev": "5230d3ecc4cd3a3d965902a56b5a21bcc99821c3",
"rev": "64000481168d1da9d2519f055dd1fdee22275c21",
"type": "github"
},
"original": {
@ -608,11 +510,11 @@
"treefmt": "treefmt"
},
"locked": {
"lastModified": 1736316962,
"narHash": "sha256-nOWLP6pSblYrCipiBb7/SQpGhNe7AHT8m9f++b8/Ni4=",
"lastModified": 1733033761,
"narHash": "sha256-g7TCUozMeW3q5Uc+wmZI64yzFucQ3SYlZQepo7prarA=",
"owner": "yusdacra",
"repo": "nix-cargo-integration",
"rev": "1ce1f666c955e73f65de74f3a8c3ca2c3e5d741b",
"rev": "413617712f5189397cdf602485f89bf2b0a0e4af",
"type": "github"
},
"original": {
@ -628,7 +530,6 @@
"mk-naked-shell": "mk-naked-shell_2",
"nixpkgs": [
"nixops4-nixos",
"nixops4",
"nixpkgs"
],
"parts": "parts_2",
@ -636,11 +537,11 @@
"treefmt": "treefmt_2"
},
"locked": {
"lastModified": 1736316962,
"narHash": "sha256-nOWLP6pSblYrCipiBb7/SQpGhNe7AHT8m9f++b8/Ni4=",
"lastModified": 1724393640,
"narHash": "sha256-fjwO6Pv3d35F6UErY42hc7zXJr6ek0LhSZlgEu+eI04=",
"owner": "yusdacra",
"repo": "nix-cargo-integration",
"rev": "1ce1f666c955e73f65de74f3a8c3ca2c3e5d741b",
"rev": "3a8e3bb661db28522aa2d4a55f1fccf9f95ec33e",
"type": "github"
},
"original": {
@ -651,29 +552,29 @@
},
"nix_2": {
"inputs": {
"flake-compat": "flake-compat_5",
"flake-parts": "flake-parts_6",
"git-hooks-nix": "git-hooks-nix_3",
"flake-compat": "flake-compat_4",
"flake-parts": "flake-parts_5",
"libgit2": "libgit2_2",
"nixpkgs": [
"nixops4-nixos",
"nixops4",
"nixpkgs"
],
"nixpkgs-23-11": "nixpkgs-23-11_2",
"nixpkgs-regression": "nixpkgs-regression_2"
"nixpkgs-regression": "nixpkgs-regression_2",
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1736342444,
"narHash": "sha256-u6OD0BH+UxyfrWMMpBfM5cz/TDWU9lxJOujgzqBnN9A=",
"lastModified": 1719448136,
"narHash": "sha256-ya0iofP+QysNzN7Gx7Btfe83ZW1YLpSdkccUNMnbBFQ=",
"owner": "NixOS",
"repo": "nix",
"rev": "5230d3ecc4cd3a3d965902a56b5a21bcc99821c3",
"rev": "ed129267dcd7dd2cce48c09b17aefd6cfc488bcd",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nix",
"rev": "ed129267dcd7dd2cce48c09b17aefd6cfc488bcd",
"type": "github"
}
},
@ -686,11 +587,11 @@
"nixpkgs-old": "nixpkgs-old"
},
"locked": {
"lastModified": 1738308843,
"narHash": "sha256-I/+T3qhlcHDP628UjWqugdFKHEsjIA3blWqnoPxQTQ0=",
"lastModified": 1733171846,
"narHash": "sha256-MmWzxuH9bwBIM7/LQsJc6x/7S2YofWWPqwzLaqqudDQ=",
"owner": "nixops4",
"repo": "nixops4",
"rev": "7e83532e61aa70bccffea93d82e311e0ce07a4d1",
"rev": "b9dc536b7a0ea6dd947949c59c545e7fa604351a",
"type": "github"
},
"original": {
@ -702,49 +603,21 @@
"nixops4-nixos": {
"inputs": {
"flake-parts": "flake-parts_4",
"git-hooks-nix": "git-hooks-nix_2",
"nixops4": "nixops4_2",
"nixops4-nixos": [
"nixops4-nixos"
],
"nixpkgs": [
"nixops4-nixos",
"nixops4",
"nixpkgs"
]
},
"locked": {
"lastModified": 1738310839,
"narHash": "sha256-dWTVaxENWTq6s7mO7xDxt2ml7pEHSYfHkm5h4yCQnIA=",
"owner": "nixops4",
"repo": "nixops4-nixos",
"rev": "65fe4b132fe299e03ee387d67d3fee1eb4593f4f",
"type": "github"
},
"original": {
"owner": "nixops4",
"repo": "nixops4-nixos",
"type": "github"
}
},
"nixops4_2": {
"inputs": {
"flake-parts": "flake-parts_5",
"nix": "nix_2",
"nix-cargo-integration": "nix-cargo-integration_2",
"nixpkgs": "nixpkgs_6",
"nixpkgs-old": "nixpkgs-old_2"
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1738308843,
"narHash": "sha256-I/+T3qhlcHDP628UjWqugdFKHEsjIA3blWqnoPxQTQ0=",
"lastModified": 1727424043,
"narHash": "sha256-00Tm2hCF8xBZk4HmzsaoPGtvRVamq3OujE5xWyHm8FI=",
"owner": "nixops4",
"repo": "nixops4",
"rev": "7e83532e61aa70bccffea93d82e311e0ce07a4d1",
"rev": "924af9b0f3666f22c638c02a21bc73a2ba002674",
"type": "github"
},
"original": {
"owner": "nixops4",
"ref": "eval",
"repo": "nixops4",
"type": "github"
}
@ -799,26 +672,26 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1735774519,
"narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
"lastModified": 1730504152,
"narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
}
},
"nixpkgs-lib_2": {
"locked": {
"lastModified": 1735774519,
"narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
"lastModified": 1730504152,
"narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
}
},
"nixpkgs-lib_3": {
@ -833,41 +706,13 @@
"url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz"
}
},
"nixpkgs-lib_4": {
"locked": {
"lastModified": 1735774519,
"narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
}
},
"nixpkgs-old": {
"locked": {
"lastModified": 1735563628,
"narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
"lastModified": 1733016324,
"narHash": "sha256-8qwPSE2g1othR1u4uP86NXxm6i7E9nHPyJX3m3lx7Q4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-old_2": {
"locked": {
"lastModified": 1735563628,
"narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
"rev": "7e1ca67996afd8233d9033edd26e442836cc2ad6",
"type": "github"
},
"original": {
@ -909,13 +754,29 @@
"type": "github"
}
},
"nixpkgs_2": {
"nixpkgs-stable": {
"locked": {
"lastModified": 1737879851,
"narHash": "sha256-H+FXIKj//kmFHTTW4DFeOjR7F1z2/3eb2iwN6Me4YZk=",
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5d3221fd57cc442a1a522a15eb5f58230f45a304",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1730958623,
"narHash": "sha256-JwQZIGSYnRNOgDDoIgqKITrPVil+RMWHsZH1eE1VGN0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "85f7e662eda4fa3a995556527c87b2524b691933",
"type": "github"
},
"original": {
@ -927,11 +788,11 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1730768919,
"narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
"lastModified": 1730958623,
"narHash": "sha256-JwQZIGSYnRNOgDDoIgqKITrPVil+RMWHsZH1eE1VGN0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
"rev": "85f7e662eda4fa3a995556527c87b2524b691933",
"type": "github"
},
"original": {
@ -943,11 +804,11 @@
},
"nixpkgs_4": {
"locked": {
"lastModified": 1737469691,
"narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
"lastModified": 1732837521,
"narHash": "sha256-jNRNr49UiuIwaarqijgdTR2qLPifxsVhlJrKzQ8XUIE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",
"rev": "970e93b9f82e2a0f3675757eb0bfc73297cc6370",
"type": "github"
},
"original": {
@ -959,27 +820,11 @@
},
"nixpkgs_5": {
"locked": {
"lastModified": 1730768919,
"narHash": "sha256-8AKquNnnSaJRXZxc5YmF/WfmxiHX6MMZZasRP6RRQkE=",
"lastModified": 1724819573,
"narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a04d33c0c3f1a59a2c1cb0c6e34cd24500e5a1dc",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_6": {
"locked": {
"lastModified": 1737469691,
"narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",
"rev": "71e91c409d1e654808b2621f28a327acfdad8dc2",
"type": "github"
},
"original": {
@ -989,13 +834,13 @@
"type": "github"
}
},
"nixpkgs_7": {
"nixpkgs_6": {
"locked": {
"lastModified": 1738163270,
"narHash": "sha256-B/7Y1v4y+msFFBW1JAdFjNvVthvNdJKiN6EGRPnqfno=",
"lastModified": 1734323986,
"narHash": "sha256-m/lh6hYMIWDYHCAsn81CDAiXoT3gmxXI9J987W5tZrE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "59e618d90c065f55ae48446f307e8c09565d5ab0",
"rev": "394571358ce82dff7411395829aa6a3aad45b907",
"type": "github"
},
"original": {
@ -1014,11 +859,11 @@
]
},
"locked": {
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
@ -1031,17 +876,16 @@
"inputs": {
"nixpkgs-lib": [
"nixops4-nixos",
"nixops4",
"nix-cargo-integration",
"nixpkgs"
]
},
"locked": {
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"lastModified": 1722555600,
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
"type": "github"
},
"original": {
@ -1050,6 +894,41 @@
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": [
"nixops4-nixos",
"nix"
],
"gitignore": [
"nixops4-nixos",
"nix"
],
"nixpkgs": [
"nixops4-nixos",
"nix",
"nixpkgs"
],
"nixpkgs-stable": [
"nixops4-nixos",
"nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1724857454,
"narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"purescript-overlay": {
"inputs": {
"flake-compat": "flake-compat_3",
@ -1077,10 +956,8 @@
},
"purescript-overlay_2": {
"inputs": {
"flake-compat": "flake-compat_6",
"nixpkgs": [
"nixops4-nixos",
"nixops4",
"nix-cargo-integration",
"dream2nix",
"nixpkgs"
@ -1088,11 +965,11 @@
"slimlock": "slimlock_2"
},
"locked": {
"lastModified": 1728546539,
"narHash": "sha256-Sws7w0tlnjD+Bjck1nv29NjC5DbL6nH5auL9Ex9Iz2A=",
"lastModified": 1696022621,
"narHash": "sha256-eMjFmsj2G1E0Q5XiibUNgFjTiSz0GxIeSSzzVdoN730=",
"owner": "thomashoneyman",
"repo": "purescript-overlay",
"rev": "4ad4c15d07bd899d7346b331f377606631eb0ee4",
"rev": "047c7933abd6da8aa239904422e22d190ce55ead",
"type": "github"
},
"original": {
@ -1143,7 +1020,7 @@
"git-hooks": "git-hooks",
"nixops4": "nixops4",
"nixops4-nixos": "nixops4-nixos",
"nixpkgs": "nixpkgs_7"
"nixpkgs": "nixpkgs_6"
}
},
"rust-overlay": {
@ -1155,11 +1032,11 @@
]
},
"locked": {
"lastModified": 1736303309,
"narHash": "sha256-IKrk7RL+Q/2NC6+Ql6dwwCNZI6T6JH2grTdJaVWHF0A=",
"lastModified": 1733020719,
"narHash": "sha256-Chv9+3zrf1DhdB9JyskjoV0vJbCQEgkVqrU3p4RPLv8=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "a0b81d4fa349d9af1765b0f0b4a899c13776f706",
"rev": "8e18f10703112e6c33e1c0d8b93e8305f6f0a75c",
"type": "github"
},
"original": {
@ -1169,20 +1046,13 @@
}
},
"rust-overlay_2": {
"inputs": {
"nixpkgs": [
"nixops4-nixos",
"nixops4",
"nix-cargo-integration",
"nixpkgs"
]
},
"flake": false,
"locked": {
"lastModified": 1736303309,
"narHash": "sha256-IKrk7RL+Q/2NC6+Ql6dwwCNZI6T6JH2grTdJaVWHF0A=",
"lastModified": 1724379657,
"narHash": "sha256-+CFDh1FUgyY7q0FiWhKJpHS7LlD3KbiqN5Z4Z+4bGmc=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "a0b81d4fa349d9af1765b0f0b4a899c13776f706",
"rev": "a18034322c7703fcfe5d7352a77981ba4a936a61",
"type": "github"
},
"original": {
@ -1219,7 +1089,6 @@
"inputs": {
"nixpkgs": [
"nixops4-nixos",
"nixops4",
"nix-cargo-integration",
"dream2nix",
"purescript-overlay",
@ -1227,11 +1096,11 @@
]
},
"locked": {
"lastModified": 1688756706,
"narHash": "sha256-xzkkMv3neJJJ89zo3o2ojp7nFeaZc2G0fYwNXNJRFlo=",
"lastModified": 1688610262,
"narHash": "sha256-Wg0ViDotFWGWqKIQzyYCgayeH8s4U1OZcTiWTQYdAp4=",
"owner": "thomashoneyman",
"repo": "slimlock",
"rev": "cf72723f59e2340d24881fd7bf61cb113b4c407c",
"rev": "b5c6cdcaf636ebbebd0a1f32520929394493f1a6",
"type": "github"
},
"original": {
@ -1264,11 +1133,11 @@
]
},
"locked": {
"lastModified": 1736154270,
"narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=",
"lastModified": 1732894027,
"narHash": "sha256-2qbdorpq0TXHBWbVXaTqKoikN4bqAtAplTwGuII+oAc=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b",
"rev": "6209c381904cab55796c5d7350e89681d3b2a8ef",
"type": "github"
},
"original": {
@ -1281,17 +1150,16 @@
"inputs": {
"nixpkgs": [
"nixops4-nixos",
"nixops4",
"nix-cargo-integration",
"nixpkgs"
]
},
"locked": {
"lastModified": 1736154270,
"narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=",
"lastModified": 1724338379,
"narHash": "sha256-kKJtaiU5Ou+e/0Qs7SICXF22DLx4V/WhG1P6+k4yeOE=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b",
"rev": "070f834771efa715f3e74cd8ab93ecc96fabc951",
"type": "github"
},
"original": {

7
flake.nix
View file

@ -8,7 +8,7 @@
disko.url = "github:nix-community/disko";
nixops4.url = "github:nixops4/nixops4";
nixops4-nixos.url = "github:nixops4/nixops4-nixos";
nixops4-nixos.url = "github:nixops4/nixops4/eval";
};
outputs =
@ -23,11 +23,13 @@
imports = [
inputs.git-hooks.flakeModule
inputs.nixops4.modules.flake.default
inputs.nixops4-nixos.modules.flake.default
./deployment/flake-part.nix
./infra/flake-part.nix
./keys/flake-part.nix
./services/flake-part.nix
./secrets/flake-part.nix
];
perSystem =
@ -51,7 +53,6 @@
"keys"
"secrets"
"services"
"panel"
];
files = "^((" + concatStringsSep "|" optin + ")/.*\\.nix|[^/]*\\.nix)$";
in

27
infra/README.org
View file

@ -1,49 +1,26 @@
#+title: Infra
This directory contains the definition of the VMs that host our infrastructure.
* NixOps4
Their configuration can be updated via NixOps4. Run
#+begin_src sh
nixops4 deployments list
#+end_src
to see the available deployments. This should be done from the root of the
repository, otherwise NixOps4 will fail with something like:
#+begin_src
nixops4 error: evaluation: error:
… while calling the 'getFlake' builtin
error: path '/nix/store/05nn7krhvi8wkcyl6bsysznlv60g5rrf-source/flake.nix' does not exist, evaluation: error:
… while calling the 'getFlake' builtin
error: path '/nix/store/05nn7krhvi8wkcyl6bsysznlv60g5rrf-source/flake.nix' does not exist
#+end_src
Then, given a deployment (eg. ~git~), run
to see the available deployments. Given a deployment (eg. ~git~), run
#+begin_src sh
nixops4 apply <deployment>
#+end_src
Alternatively, to run the ~default~ deployment, run
#+begin_src sh
nixops4 apply
#+end_src
* Deployments
- default :: Contains everything
- ~git~ :: Machines hosting our Git infrastructure, eg. Forgejo and its actions
runners
- ~web~ :: Machines hosting our online content, eg. the website or the wiki
- ~other~ :: Machines without a specific purpose
* Machines
* Procolix machines
These machines are hosted on the Procolix Proxmox instance, to which
non-Procolix members of the project do not have access. They host our stable

0
infra/common/nixos/default.nix → infra/common/default.nix
View file

0
infra/common/nixos/hardware.nix → infra/common/hardware.nix
View file

24
infra/common/nixos/networking.nix → infra/common/networking.nix
View file

@ -1,10 +1,18 @@
{ config, lib, ... }:
let
inherit (lib) mkDefault;
inherit (lib) mkOption mkDefault;
in
{
options = {
procolix.vm = {
name = mkOption { };
ip4 = mkOption { };
ip6 = mkOption { };
};
};
config = {
services.openssh = {
enable = true;
@ -12,8 +20,8 @@ in
};
networking = {
hostName = config.procolixVm.name;
domain = config.procolixVm.domain;
hostName = config.procolix.vm.name;
domain = "procolix.com";
## REVIEW: Do we actually need that, considering that we have static IPs?
useDHCP = mkDefault true;
@ -23,14 +31,16 @@ in
ipv4 = {
addresses = [
{
inherit (config.procolixVm.ipv4) address prefixLength;
address = config.procolix.vm.ip4;
prefixLength = 24;
}
];
};
ipv6 = {
addresses = [
{
inherit (config.procolixVm.ipv6) address prefixLength;
address = config.procolix.vm.ip6;
prefixLength = 64;
}
];
};
@ -38,11 +48,11 @@ in
};
defaultGateway = {
address = config.procolixVm.ipv4.gateway;
address = "185.206.232.1";
interface = "eth0";
};
defaultGateway6 = {
address = config.procolixVm.ipv6.gateway;
address = "2a00:51c0:12:1201::1";
interface = "eth0";
};

0
infra/common/nixos/nftables-ruleset.nft → infra/common/nftables-ruleset.nft
View file

81
infra/common/options.nix
View file

@ -1,81 +0,0 @@
{ lib, ... }:
let
inherit (lib) mkOption;
in
{
options.procolixVm = {
name = mkOption {
description = ''
The name of the machine. Most of the time, this will look like `vm02XXX`
or `fediYYY`.
'';
};
domain = mkOption {
description = ''
The domain hosting the machine. Most of the time, this will be either of
`procolix.com`, `fediversity.eu` or `abundos.eu`.
'';
default = "procolix.com";
};
ipv4 = {
address = mkOption {
description = ''
The IP address of the machine, version 4. It will be injected as a
value in `networking.interfaces.eth0`, but it will also be used to
communicate with the machine via NixOps4.
'';
};
prefixLength = mkOption {
description = ''
The subnet mask of the interface, specified as the number of bits in
the prefix.
'';
default = 24;
};
gateway = mkOption {
description = ''
The IP address of the default gateway.
'';
default = "185.206.232.1"; # FIXME: compute default from `address` and `prefixLength`.
};
};
ipv6 = {
address = mkOption {
description = ''
The IP address of the machine, version 6. It will be injected as a
value in `networking.interfaces.eth0`, but it will also be used to
communicate with the machine via NixOps4.
'';
};
prefixLength = mkOption {
description = ''
The subnet mask of the interface, specified as the number of bits in
the prefix.
'';
default = 64;
};
gateway = mkOption {
description = ''
The IP address of the default gateway.
'';
default = "2a00:51c0:12:1201::1"; # FIXME: compute default from `address` and `prefixLength`.
};
};
hostPublicKey = mkOption {
description = ''
The host public key of the machine. It is used to filter Age secrets and
only keep the relevant ones, and to feed to NixOps4.
'';
};
};
}

57
infra/common/resource.nix
View file

@ -1,57 +0,0 @@
{
inputs,
lib,
config,
...
}:
let
inherit (lib) attrValues elem;
inherit (lib.attrsets) concatMapAttrs optionalAttrs;
inherit (lib.strings) removeSuffix;
secretsPrefix = ../../secrets;
secrets = import (secretsPrefix + "/secrets.nix");
keys = import ../../keys;
hostPublicKey = keys.systems.${config.procolixVm.name};
in
{
imports = [ ./options.nix ];
ssh = {
host = config.procolixVm.ipv4.address;
hostPublicKey = hostPublicKey;
};
nixpkgs = inputs.nixpkgs;
## The configuration of the machine. We strive to keep in this file only the
## options that really need to be injected from the resource. Everything else
## should go into the `./nixos` subdirectory.
nixos.module = {
imports = [
inputs.agenix.nixosModules.default
./options.nix
./nixos
];
## Inject the shared options from the resource's `config` into the NixOS
## configuration.
procolixVm = config.procolixVm;
## Read all the secrets, filter the ones that are supposed to be readable
## with this host's public key, and add them correctly to the configuration
## as `age.secrets.<name>.file`.
age.secrets = concatMapAttrs (
name: secret:
optionalAttrs (elem hostPublicKey secret.publicKeys) ({
${removeSuffix ".age" name}.file = secretsPrefix + "/${name}";
})
) secrets;
## FIXME: Remove direct root authentication once the NixOps4 NixOS provider
## supports users with password-less sudo.
users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
};
}

7
infra/common/nixos/users.nix → infra/common/users.nix
View file

@ -30,4 +30,11 @@
security.sudo.wheelNeedsPassword = false;
nix.settings.trusted-users = [ "@wheel" ];
## FIXME: Remove direct root authentication once NixOps4 supports users with
## password-less sudo.
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg"
];
}

56
infra/fedi300/default.nix
View file

@ -1,34 +1,34 @@
{
procolixVm = {
domain = "fediversity.eu";
{ lib, ... }:
ipv4 = {
address = "95.215.187.30";
gateway = "95.215.187.1";
};
ipv6 = {
address = "2a00:51c0:12:1305::30";
gateway = "2a00:51c0:13:1305::1";
};
{
imports = [
../common
./forgejo-actions-runner.nix
];
procolix.vm = {
name = "fedi300";
ip4 = "95.215.187.30";
ip6 = "2a00:51c0:12:1305::30";
};
nixos.module = {
imports = [
./forgejo-actions-runner.nix
## FIXME: We should just have an option under `procolix.vm` to distinguish
## between Procolix VMs and Fediversity ones.
networking.domain = lib.mkForce "fediversity.eu";
networking.defaultGateway.address = lib.mkForce "95.215.187.1";
networking.defaultGateway6.address = lib.mkForce "2a00:51c0:13:1305::1";
fileSystems."/" = {
device = "/dev/disk/by-uuid/cbcfaf6b-39bd-4328-9f53-dea8a9d32ecc";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/1A4E-07F4";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
fileSystems."/" = {
device = "/dev/disk/by-uuid/cbcfaf6b-39bd-4328-9f53-dea8a9d32ecc";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/1A4E-07F4";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
};
}

152
infra/flake-part.nix
View file

@ -1,45 +1,117 @@
{ self, inputs, ... }:
{
inputs,
lib,
...
}:
let
inherit (lib) attrValues concatLists mapAttrs;
inherit (lib.attrsets) genAttrs;
addDefaultDeployment =
deployments: deployments // { default = concatLists (attrValues deployments); };
makeDeployments = mapAttrs (
_: vmNames:
nixops4Deployments.git =
{ providers, ... }:
{
providers.local = inputs.nixops4.modules.nixops4Provider.local;
resources = genAttrs vmNames (vmName: {
_module.args = { inherit inputs; };
type = providers.local.exec;
imports = [
inputs.nixops4-nixos.modules.nixops4Resource.nixos
./common/resource.nix
(./. + "/${vmName}")
];
procolixVm.name = vmName;
});
}
);
providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local;
in
{
nixops4Deployments = makeDeployments (addDefaultDeployment {
git = [
"vm02116"
"fedi300"
];
web = [ "vm02187" ];
other = [
"vm02179"
"vm02186"
];
});
resources = {
vm02116 = {
type = providers.local.exec;
imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
ssh = {
host = "185.206.232.34";
opts = "";
hostPublicKey = self.keys.systems.vm02116;
};
nixpkgs = inputs.nixpkgs;
nixos.module = {
imports = [
./vm02116
self.nixosModules.ageSecrets
{ fediversity.hostPublicKey = self.keys.systems.vm02116; }
];
};
};
fedi300 = {
type = providers.local.exec;
imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
ssh = {
host = "95.215.187.30";
opts = "";
hostPublicKey = self.keys.systems.fedi300;
};
nixpkgs = inputs.nixpkgs;
nixos.module = {
imports = [
./fedi300
self.nixosModules.ageSecrets
{ fediversity.hostPublicKey = self.keys.systems.fedi300; }
];
};
};
};
};
nixops4Deployments.web =
{ providers, ... }:
{
providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local;
resources = {
vm02187 = {
type = providers.local.exec;
imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
ssh = {
host = "185.206.232.187";
opts = "";
hostPublicKey = self.keys.systems.vm02187;
};
nixpkgs = inputs.nixpkgs;
nixos.module = {
imports = [
./vm02187
self.nixosModules.ageSecrets
{ fediversity.hostPublicKey = self.keys.systems.vm02187; }
];
};
};
};
};
nixops4Deployments.other =
{ providers, ... }:
{
providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local;
resources = {
vm02179 = {
type = providers.local.exec;
imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
ssh = {
host = "185.206.232.179";
opts = "";
hostPublicKey = self.keys.systems.vm02179;
};
nixpkgs = inputs.nixpkgs;
nixos.module = {
imports = [
./vm02179
self.nixosModules.ageSecrets
{ fediversity.hostPublicKey = self.keys.systems.vm02179; }
];
};
};
vm02186 = {
type = providers.local.exec;
imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
ssh = {
host = "185.206.232.186";
opts = "";
hostPublicKey = self.keys.systems.vm02186;
};
nixpkgs = inputs.nixpkgs;
nixos.module = {
imports = [
./vm02186
self.nixosModules.ageSecrets
{ fediversity.hostPublicKey = self.keys.systems.vm02186; }
];
};
};
};
};
}

42
infra/vm02116/default.nix
View file

@ -1,28 +1,28 @@
{
procolixVm = {
ipv4.address = "185.206.232.34";
ipv6.address = "2a00:51c0:12:1201::20";
imports = [
../common
./forgejo.nix
];
procolix.vm = {
name = "vm02116";
ip4 = "185.206.232.34";
ip6 = "2a00:51c0:12:1201::20";
};
nixos.module = {
imports = [
./forgejo.nix
];
## vm02116 is running on old hardware based on a Xen VM environment, so it
## needs these extra options. Once the VM gets moved to a newer node, these
## two options can safely be removed.
boot.initrd.availableKernelModules = [ "xen_blkfront" ];
services.xe-guest-utilities.enable = true;
## vm02116 is running on old hardware based on a Xen VM environment, so it
## needs these extra options. Once the VM gets moved to a newer node, these
## two options can safely be removed.
boot.initrd.availableKernelModules = [ "xen_blkfront" ];
services.xe-guest-utilities.enable = true;
fileSystems."/" = {
device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2CE2-1173";
fsType = "vfat";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/2CE2-1173";
fsType = "vfat";
};
}

35
infra/vm02179/default.nix
View file

@ -1,22 +1,25 @@
{
procolixVm = {
ipv4.address = "185.206.232.179";
ipv6.address = "2a00:51c0:12:1201::179";
imports = [
../common
];
procolix.vm = {
name = "vm02179";
ip4 = "185.206.232.179";
ip6 = "2a00:51c0:12:1201::179";
};
nixos.module = {
fileSystems."/" = {
device = "/dev/disk/by-uuid/119863f8-55cf-4e2f-ac17-27599a63f241";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/119863f8-55cf-4e2f-ac17-27599a63f241";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/D9F4-9BF0";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/D9F4-9BF0";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
}

35
infra/vm02186/default.nix
View file

@ -1,22 +1,25 @@
{
procolixVm = {
ipv4.address = "185.206.232.186";
ipv6.address = "2a00:51c0:12:1201::186";
imports = [
../common
];
procolix.vm = {
name = "vm02186";
ip4 = "185.206.232.186";
ip6 = "2a00:51c0:12:1201::186";
};
nixos.module = {
fileSystems."/" = {
device = "/dev/disk/by-uuid/833ac0f9-ad8c-45ae-a9bf-5844e378c44a";
fsType = "ext4";
};
fileSystems."/" = {
device = "/dev/disk/by-uuid/833ac0f9-ad8c-45ae-a9bf-5844e378c44a";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/B4D5-3AF9";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/B4D5-3AF9";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
}

40
infra/vm02187/default.nix
View file

@ -1,26 +1,26 @@
{
procolixVm = {
ipv4.address = "185.206.232.187";
ipv6.address = "2a00:51c0:12:1201::187";
imports = [
../common
./wiki.nix
];
procolix.vm = {
name = "vm02187";
ip4 = "185.206.232.187";
ip6 = "2a00:51c0:12:1201::187";
};
nixos.module = {
imports = [
./wiki.nix
fileSystems."/" = {
device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/6AB5-4FA8";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
fileSystems."/" = {
device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/6AB5-4FA8";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
};
}

32
keys/README.md
View file

@ -1,32 +0,0 @@
# Keys
This directory contains the SSH public keys of both contributors to the projects
and systems that we administrate. Keys are used both for [secrets](../secrets)
decryption and [infra](../infra) management.
Which private keys can be used to decrypt secrets is defined in
[`secrets.nix`](../secrets/secrets.nix) as _all the contributors_ as well as the
specific systems that need access to the secret in question. Adding a
contributor of system's key to a secret requires rekeying the secret, which can
only be done by some key that had already access to it. (Alternatively, one can
overwrite a secret without knowing its contents.)
In infra management, the systems' keys are used for security reasons; they
identify the machine that we are talking to. The contributor keys are used to
give access to the `root` user on these machines, which allows, among other
things, to deploy their configurations with NixOps4.
## Adding a contributor
Adding a contributor consists of three steps:
1. The contributor in question adds a file with their key to the
`./contributors` directory, and opens a pull request with it.
2. An already-existing contributor uses their keys to [re-key the secrets](../secrets#adding-a-contributor), taking that new key into
account.
3. An already-existing contributor redeploys the [infrastructure](../infra) to take into
account the new access.
4. The pull request is accepted and merged.

1
keys/contributors/kevin
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpebsCsP+GUMZ2SeVKsuDMwLTQ8H1Ny3oVgf73jsgMg hedgehog 2025

1
keys/contributors/kiara
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHTIqF4CAylSxKPiSo5JOPuocn0y2z38wOSsQ1MUaZ2 kiara@procolix.eu

3
keys/flake-part.nix Normal file
View file

@ -0,0 +1,3 @@
{
flake.keys = import ./.;
}

1
keys/systems/vm02117.pub
View file

@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOrmZ9eMPLDSiayphFhPi7vry5P2VlEr7BvIjtnpN7Td

10
panel/.envrc
View file

@ -1,10 +0,0 @@
#!/usr/bin/env bash
# the shebang is ignored, but nice for editors
# shellcheck shell=bash
if type -P lorri &>/dev/null; then
eval "$(lorri direnv)"
else
echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
use_nix
fi

13
panel/.gitignore vendored
View file

@ -1,13 +0,0 @@
# Nix
.direnv
result*
# Python
*.pyc
__pycache__
# Django, application-specific
db.sqlite3
src/db.sqlite3
src/static
.credentials

46
panel/README.md
View file

@ -1,46 +0,0 @@
# Fediversity Panel
The Fediversity Panel is a web service for managing Fediversity deployments with a graphical user interface, written in Django.
## Development
- To obtain all tools related to this project, enter the development environment with `nix-shell`.
If you want to do that automatically on entering this directory:
- [Set up `direnv`](https://github.com/nix-community/nix-direnv#installation)
- Run `direnv allow` in the directory where repository is stored on your machine
> **Note**
>
> This is a security boundary, and allows automatically running code from this repository on your machine.
- Run NixOS integration tests and Django unit tests:
```bash
nix-build -A tests
```
- List all available Django management commands with:
```shell-session
manage
```
- Run the server locally
```shell-session
manage runserver
```
- Whenever you add a field in the database schema, run:
```console
manage makemigrations
```
Then before starting the server again, run:
```
manage migrate
```

53
panel/default.nix
View file

@ -1,53 +0,0 @@
{
system ? builtins.currentSystem,
sources ? import ../npins,
pkgs ? import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
},
}:
let
package =
let
callPackage = pkgs.lib.callPackageWith (pkgs // pkgs.python3.pkgs);
in
callPackage ./nix/package.nix { };
pkgs' = pkgs.extend (_final: _prev: { panel = package; });
manage = pkgs.writeScriptBin "manage" ''
exec ${pkgs.lib.getExe pkgs.python3} ${toString ./src/manage.py} $@
'';
in
{
shell = pkgs.mkShellNoCC {
inputsFrom = [ package ];
packages = [
pkgs.npins
manage
];
env = {
NPINS_DIRECTORY = toString ../npins;
};
shellHook = ''
# in production, secrets are passed via CREDENTIALS_DIRECTORY by systemd.
# use this directory for testing with local secrets
mkdir -p .credentials
echo secret > ${builtins.toString ./.credentials}/SECRET_KEY
export CREDENTIALS_DIRECTORY=${builtins.toString ./.credentials}
export DATABASE_URL="sqlite:///${toString ./src}/db.sqlite3"
'';
};
tests = pkgs'.callPackage ./nix/tests.nix { };
inherit package;
# re-export inputs so they can be overridden granularly
# (they can't be accessed from the outside any other way)
inherit
sources
system
pkgs
;
}

199
panel/nix/configuration.nix
View file

@ -1,199 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
inherit (lib)
concatStringsSep
mapAttrsToList
mkDefault
mkEnableOption
mkIf
mkOption
mkPackageOption
optionalString
types
;
inherit (pkgs) writeShellApplication;
# TODO: configure the name globally for everywhere it's used
name = "panel";
cfg = config.services.${name};
database-url = "sqlite:////var/lib/${name}/db.sqlite3";
python-environment = pkgs.python3.withPackages (
ps: with ps; [
cfg.package
uvicorn
]
);
configFile = pkgs.concatText "configuration.py" [
((pkgs.formats.pythonVars { }).generate "settings.py" cfg.settings)
(builtins.toFile "extra-settings.py" cfg.extra-settings)
];
manage-service = writeShellApplication {
name = "manage";
text = ''exec ${cfg.package}/bin/manage.py "$@"'';
};
manage-admin = writeShellApplication {
# This allows running the `manage` command in the system environment, e.g. to initialise an admin user
# Executing
name = "manage";
text =
''
systemd-run --pty \
--same-dir \
--wait \
--collect \
--service-type=exec \
--unit "manage-${name}.service" \
--property "User=${name}" \
--property "Group=${name}" \
--property "Environment=DATABASE_URL=${database-url} USER_SETTINGS_FILE=${configFile}" \
''
+ optionalString (credentials != [ ]) (
(concatStringsSep " \\\n" (map (cred: "--property 'LoadCredential=${cred}'") credentials)) + " \\\n"
)
+ ''
${lib.getExe manage-service} "$@"
'';
};
credentials = mapAttrsToList (name: secretPath: "${name}:${secretPath}") cfg.secrets;
in
# TODO: for a more clever and generic way of running Django services:
# https://git.dgnum.eu/mdebray/djangonix/
# unlicensed at the time of writing, but surely worth taking some inspiration from...
{
options.services.${name} = {
enable = mkEnableOption "Service configuration for `${name}`";
# NOTE: this requires that the package is present in `pkgs`
package = mkPackageOption pkgs name { };
production = mkOption {
type = types.bool;
default = true;
};
restart = mkOption {
description = "systemd restart behavior";
type = types.enum [
"no"
"on-success"
"on-failure"
"on-abnormal"
"on-abort"
"always"
];
default = "always";
};
domain = mkOption { type = types.str; };
host = mkOption {
type = types.str;
default = "127.0.0.1";
};
port = mkOption {
type = types.port;
default = 8000;
};
settings = mkOption {
type = types.attrsOf types.anything;
default = {
STATIC_ROOT = mkDefault "/var/lib/${name}/static";
DEBUG = mkDefault false;
ALLOWED_HOSTS = mkDefault [
cfg.domain
cfg.host
"localhost"
"[::1]"
];
CSRF_TRUSTED_ORIGINS = mkDefault [ "https://${cfg.domain}" ];
COMPRESS_OFFLINE = true;
LIBSASS_OUTPUT_STYLE = "compressed";
};
description = ''
Django configuration as an attribute set.
Name-value pairs will be converted to Python variable assignments.
'';
};
extra-settings = mkOption {
type = types.lines;
default = "";
description = ''
Django configuration written in Python verbatim.
Contents will be appended to the definitions in `settings`.
'';
};
secrets = mkOption {
type = types.attrsOf types.path;
default = { };
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ manage-admin ];
services = {
nginx.enable = true;
nginx.virtualHosts = {
${cfg.domain} =
{
locations = {
"/".proxyPass = "http://localhost:${toString cfg.port}";
"/static/".alias = "/var/lib/${name}/static/";
};
}
// lib.optionalAttrs cfg.production {
enableACME = true;
forceSSL = true;
};
};
};
users.users.${name} = {
isSystemUser = true;
group = name;
};
users.groups.${name} = { };
systemd.services.${name} = {
description = "${name} ASGI server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = [
python-environment
manage-service
];
preStart = ''
# Auto-migrate on first run or if the package has changed
versionFile="/var/lib/${name}/package-version"
if [[ $(cat "$versionFile" 2>/dev/null) != ${cfg.package} ]]; then
manage migrate --no-input
manage collectstatic --no-input --clear
manage compress --force
echo ${cfg.package} > "$versionFile"
fi
'';
script = ''
uvicorn ${name}.asgi:application --host ${cfg.host} --port ${toString cfg.port}
'';
serviceConfig = {
Restart = "always";
User = name;
WorkingDirectory = "/var/lib/${name}";
StateDirectory = name;
RuntimeDirectory = name;
LogsDirectory = name;
} // lib.optionalAttrs (credentials != [ ]) { LoadCredential = credentials; };
environment = {
USER_SETTINGS_FILE = "${configFile}";
DATABASE_URL = database-url;
};
};
};
}

57
panel/nix/package.nix
View file

@ -1,57 +0,0 @@
{
lib,
buildPythonPackage,
setuptools,
django_4,
django-compressor,
django-libsass,
dj-database-url,
}:
let
src =
with lib.fileset;
toSource {
root = ../src;
fileset = intersection (gitTracked ../../.) ../src;
};
pyproject = with lib; fromTOML pyproject-toml;
# TODO: define this globally
name = "panel";
# TODO: we may want this in a file so it's easier to read statically
version = "0.0.0";
pyproject-toml = ''
[project]
name = "Fediversity-Panel"
version = "${version}"
[tool.setuptools]
packages = [ "${name}" ]
include-package-data = true
'';
in
buildPythonPackage {
pname = name;
inherit (pyproject.project) version;
pyproject = true;
inherit src;
preBuild = ''
echo "recursive-include ${name} *" > MANIFEST.in
cp ${builtins.toFile "source" pyproject-toml} pyproject.toml
'';
propagatedBuildInputs = [
setuptools
django_4
django-compressor
django-libsass
dj-database-url
];
postInstall = ''
mkdir -p $out/bin
cp -v ${src}/manage.py $out/bin/manage.py
chmod +x $out/bin/manage.py
wrapProgram $out/bin/manage.py --prefix PYTHONPATH : "$PYTHONPATH"
'';
}

62
panel/nix/tests.nix
View file

@ -1,62 +0,0 @@
{ lib, pkgs }:
let
# TODO: specify project/service name globally
name = "panel";
defaults = {
services.${name} = {
enable = true;
production = false;
restart = "no";
domain = "example.com";
secrets = {
SECRET_KEY = pkgs.writeText "SECRET_KEY" "secret";
};
};
virtualisation = {
memorySize = 2048;
cores = 2;
};
};
in
lib.mapAttrs (name: test: pkgs.testers.runNixOSTest (test // { inherit name; })) {
application-tests = {
inherit defaults;
nodes.server = _: { imports = [ ./configuration.nix ]; };
# run all application-level tests managed by Django
# https://docs.djangoproject.com/en/5.0/topics/testing/overview/
testScript = ''
server.succeed("manage test")
'';
};
admin = {
inherit defaults;
nodes.server = _: { imports = [ ./configuration.nix ]; };
# check that the admin interface is served
testScript = ''
server.wait_for_unit("multi-user.target")
server.wait_for_unit("${name}.service")
server.wait_for_open_port(8000)
server.succeed("curl --fail -L -H 'Host: example.org' http://localhost/admin")
'';
};
sass-processing = {
inherit defaults;
nodes.server = _: { imports = [ ./configuration.nix ]; };
extraPythonPackages = ps: with ps; [ beautifulsoup4 ];
skipTypeCheck = true;
# check that stylesheets are pre-processed and served
testScript = ''
from bs4 import BeautifulSoup
server.wait_for_unit("multi-user.target")
server.wait_for_unit("${name}.service")
server.wait_for_open_port(8000)
stdout = server.succeed("curl --fail -H 'Host: example.org' http://localhost")
# the CSS is auto-generated with a hash in the file name
html = BeautifulSoup(stdout, 'html.parser')
css = html.find('link', type="text/css")['href']
server.succeed(f"curl --fail -H 'Host: example.org' http://localhost/{css}")
'';
};
}

22
panel/src/manage.py
View file

@ -1,22 +0,0 @@
#!/nix/store/px2nj16i5gc3d4mnw5l1nclfdxhry61p-python3-3.12.7/bin/python
"""Django's command-line utility for administrative tasks."""
import os
import sys
def main():
"""Run administrative tasks."""
os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'panel.settings')
try:
from django.core.management import execute_from_command_line
except ImportError as exc:
raise ImportError(
"Couldn't import Django. Are you sure it's installed and "
"available on your PYTHONPATH environment variable? Did you "
"forget to activate a virtual environment?"
) from exc
execute_from_command_line(sys.argv)
if __name__ == '__main__':
main()

0
panel/src/panel/__init__.py
View file

16
panel/src/panel/asgi.py
View file

@ -1,16 +0,0 @@
"""
ASGI config for panel project.
It exposes the ASGI callable as a module-level variable named ``application``.
For more information on this file, see
https://docs.djangoproject.com/en/4.2/howto/deployment/asgi/
"""
import os
from django.core.asgi import get_asgi_application
os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'panel.settings')
application = get_asgi_application()

171
panel/src/panel/settings.py
View file

@ -1,171 +0,0 @@
"""
Django settings for panel project.
Generated by 'django-admin startproject' using Django 4.2.16.
For more information on this file, see
https://docs.djangoproject.com/en/4.2/topics/settings/
For the full list of settings and their values, see
https://docs.djangoproject.com/en/4.2/ref/settings/
"""
import sys
import os
import importlib.util
import dj_database_url
from os import environ as env
from pathlib import Path
# Build paths inside the project like this: BASE_DIR / 'subdir'.
BASE_DIR = Path(__file__).resolve().parent.parent
# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/4.2/howto/deployment/checklist/
def get_secret(name: str, encoding: str = "utf-8") -> str:
credentials_dir = env.get("CREDENTIALS_DIRECTORY")
if credentials_dir is None:
raise RuntimeError("No credentials directory available.")
try:
with open(f"{credentials_dir}/{name}", encoding=encoding) as f:
secret = f.read().removesuffix("\n")
except FileNotFoundError:
raise RuntimeError(f"No secret named {name} found in {credentials_dir}.")
return secret
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = get_secret("SECRET_KEY")
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True
ALLOWED_HOSTS = []
# Application definition
INSTALLED_APPS = [
"panel",
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'compressor',
]
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
ROOT_URLCONF = 'panel.urls'
TEMPLATES = [
{
'BACKEND': 'django.template.backends.django.DjangoTemplates',
'DIRS': [],
'APP_DIRS': True,
'OPTIONS': {
'context_processors': [
'django.template.context_processors.debug',
'django.template.context_processors.request',
'django.contrib.auth.context_processors.auth',
'django.contrib.messages.context_processors.messages',
],
},
},
]
WSGI_APPLICATION = 'panel.wsgi.application'
# Database
# https://docs.djangoproject.com/en/4.2/ref/settings/#databases
# https://github.com/jazzband/dj-database-url
DATABASES = {
'default': dj_database_url.config(),
}
# Password validation
# https://docs.djangoproject.com/en/4.2/ref/settings/#auth-password-validators
AUTH_PASSWORD_VALIDATORS = [
{
'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
},
]
# Internationalization
# https://docs.djangoproject.com/en/4.2/topics/i18n/
LANGUAGE_CODE = 'en-us'
TIME_ZONE = 'UTC'
USE_I18N = True
USE_TZ = True
# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/4.2/howto/static-files/
STATIC_URL = 'static/'
STATIC_ROOT = os.path.join(BASE_DIR, "static/")
STATICFILES_FINDERS = [
"django.contrib.staticfiles.finders.FileSystemFinder",
"django.contrib.staticfiles.finders.AppDirectoriesFinder",
"compressor.finders.CompressorFinder",
]
STATICFILES_STORAGE = 'django.contrib.staticfiles.storage.ManifestStaticFilesStorage'
COMPRESS_PRECOMPILERS = [
("text/x-sass", "django_libsass.SassCompiler"),
]
# Default primary key field type
# https://docs.djangoproject.com/en/4.2/ref/settings/#default-auto-field
DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
# Customization via user settings
# This must be at the end, as it must be able to override the above
# TODO: we may want to do this with a flat environment instead, and get all values from `os.environ.get()`.
# this would make it more obvious which moving parts there are, if that environment is specified for development/staging/production in a visible place.
user_settings_file = env.get("USER_SETTINGS_FILE", None)
if user_settings_file is not None:
spec = importlib.util.spec_from_file_location("user_settings", user_settings_file)
if spec is None or spec.loader is None:
raise RuntimeError("User settings specification failed!")
module = importlib.util.module_from_spec(spec)
spec.loader.exec_module(module)
sys.modules["user_settings"] = module
from user_settings import * # noqa: F403 # pyright: ignore [reportMissingImports]

5
panel/src/panel/static/style.sass
View file

@ -1,5 +0,0 @@
body
padding: 0
margin: 0
font-family: sans-serif
box-sizing: border-box

29
panel/src/panel/templates/base.html
View file

@ -1,29 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<title>{% block title %}Fediversity Panel{% endblock %}</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
{% load compress %}
{% compress css %}
<link rel="stylesheet" type="text/x-sass" href="/static/style.sass" />
{% endcompress %}
{% block extra_head %}{% endblock extra_head %}
</head>
<body>
{% block navigation %}
<nav>
</nav>
{% endblock navigation %}
{% block layout %}
<article>
{% block content %}{% endblock content %}
</article>
{% endblock layout %}
</body>
</html>

7
panel/src/panel/templates/index.html
View file

@ -1,7 +0,0 @@
{% extends "base.html" %}
{% block content %}
<h1>Fediversity Panel</h1>
<p>Hello world!</p>
{% endblock %}

24
panel/src/panel/urls.py
View file

@ -1,24 +0,0 @@
"""
URL configuration for panel project.
The `urlpatterns` list routes URLs to views. For more information please see:
https://docs.djangoproject.com/en/4.2/topics/http/urls/
Examples:
Function views
1. Add an import: from my_app import views
2. Add a URL to urlpatterns: path('', views.home, name='home')
Class-based views
1. Add an import: from other_app.views import Home
2. Add a URL to urlpatterns: path('', Home.as_view(), name='home')
Including another URLconf
1. Import the include() function: from django.urls import include, path
2. Add a URL to urlpatterns: path('blog/', include('blog.urls'))
"""
from django.contrib import admin
from django.urls import path
from panel import views
urlpatterns = [
path('admin/', admin.site.urls),
path('', views.Index.as_view(), name='index'),
]

4
panel/src/panel/views.py
View file

@ -1,4 +0,0 @@
from django.views.generic import TemplateView
class Index(TemplateView):
template_name = 'index.html'

16
panel/src/panel/wsgi.py
View file

@ -1,16 +0,0 @@
"""
WSGI config for panel project.
It exposes the WSGI callable as a module-level variable named ``application``.
For more information on this file, see
https://docs.djangoproject.com/en/4.2/howto/deployment/wsgi/
"""
import os
from django.core.wsgi import get_wsgi_application
os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'panel.settings')
application = get_wsgi_application()

5
secrets/README.md
View file

@ -49,8 +49,3 @@ As an example, let us add a secret in a file “cheeses” whose content should
service that you are using must be able to read from a file at runtime, and
if the NixOS default module options do not provide that, you must find a way
around it.
### Adding a contributor
Rekeying can be done by running `agenix --rekey` (or `-r` for
short) in the current directory. This requires access to the secrets using [contributor keys](../keys).

39
secrets/flake-part.nix Normal file
View file

@ -0,0 +1,39 @@
{
inputs,
lib,
...
}:
let
inherit (builtins) elem;
inherit (lib.attrsets) concatMapAttrs optionalAttrs;
inherit (lib.strings) removeSuffix;
secrets = import ./secrets.nix;
in
{
flake = {
inherit secrets;
nixosModules.ageSecrets = (
{ config, ... }:
{
imports = [ inputs.agenix.nixosModules.default ];
options.fediversity.hostPublicKey = lib.mkOption {
description = ''
The host public key of the machine. It is used in particular
to filter Age secrets and only keep the relevant ones.
'';
};
config.age.secrets = concatMapAttrs (
name: secret:
optionalAttrs (elem config.fediversity.hostPublicKey secret.publicKeys) ({
${removeSuffix ".age" name}.file = ./. + "/${name}";
})
) secrets;
}
);
};
}

BIN
secrets/forgejo-database-password.age
View file

Binary file not shown.

17
secrets/forgejo-email-password.age
View file

@ -1,11 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 ofQnlg dmH3/gWbrhiYDSEzfEvwto/7ULietn9DHs7bqNRLuDE
na8BTt4OCwwwJb/NNkUU1NWZKzsMyW84REcaz0bEX7c
-> ssh-ed25519 COspvA bk/ixd0gon+sxmhW+OBGY9sRaCVOZ267TELGFkkuUxs
Y+XnlUVETv4fqA5uGd3VaHIs4mAJQQw+xmGweWPOP70
-> ssh-ed25519 1MUEqQ /mf6QgPlFqYGdQJHJbe2TEIusTxw0ftsemWst07nW3I
SLzAtO31Evm/mOheVhMmV6QKoaNG0KYnIUaeThrp3CU
-> ssh-ed25519 Fa25Dw HzNVxKLwujLVxs37JczAImZwE3CsSVbBbN7yCvvvQQU
yHh5wFtGdHgCZsuY70VVCeW+q3Tj3pJKclkVFXKZiPU
--- bi4B3ePG1HS3N5Y3civ4tvTZTk5dERKu4+LJwsN7Los
ƒ%ŠåÚ;"Úq1v}Öþ¾ü:iÑê]â™ØjA0eåÇ°q÷À®<7F>
-> ssh-ed25519 1MUEqQ Y+wylE1yiRBPh5aX3LNeX7/5YQ/EfPOplCBmIoR69yA
Vfvi1DZo927okyWLcfoVhVOada5bVdgcLXWzroIycGU
-> ssh-ed25519 Fa25Dw PFDPqt30lbvvf1Mu/AVMKfv/XyC2fIfnpvKrmyjDiRw
S9Qn+jNMpS4T5OlTIq0SFMTyKlq4Sz7ADdtKDuQoGB4
--- 8/wxDtoP6ZfHqvQS8ld264jPEunSzbFP7Yqy664fyQ0
<>õCÉs±<73>%}+Õ xÎ¥NX¤^‚Ø»ŞË
s<EFBFBD>$bİbæÙ<C3A6>ò€õ©N

16
secrets/forgejo-runner-token.age
View file

@ -1,11 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 ofQnlg 42Tz44DFTDA7OdAqynPLKsAYJctXivj3wWkkIwYTInM
pQ5rW2TH4IK/kjcLNOmkLgKMAuD/yzw9nOZn2NZNOv8
-> ssh-ed25519 COspvA iYtbO/GMmP2g+82xxPrvDsye2p+FpqGpG1a+Fr1jql0
LYTL9v1c5UcikMIN2ivCLzzAtlKaY7z3PVJW/8OxrLM
-> ssh-ed25519 1MUEqQ 2JWKsR0gWXjustfZtj5Zg6aEflw+tMJ+Ii0k1FtdKVQ
lo534OLXItxUMRN/hZ351PLTYVYC9KjXJ8WrlqP4XVM
-> ssh-ed25519 rJoYaw ePSTkrq9Nxk9kzAZR0O6P2KU8WZ40+/X7gI587WqRhk
pQC9YAZdnKIyZ6ueN9iM+iAL9fkt0Dzo9WGfhTRABG4
--- CWPCtLLBJ+OYjuocYoSgOd0r7/nUIewTeMWbQx8MHXQ
>";ýùc¹LSm{Òžô/ðšHÂ*"¾ß´.rÍ<72>bVo+WZO^§~òÀÉ”w]1h=™¡­ªHÚ­·SîtˆÐš,Erg¢—n
-> ssh-ed25519 1MUEqQ QbrQLCnwsw79a0fjmKK0nSHl6n/+qRGg9E2vwufiCDM
z7SiyeLgJK7ueDyox4eXLxYNjJUPD2N4V+2IyV6Yibc
-> ssh-ed25519 rJoYaw jn0foZgtavsFhVVoXKHkp+1ZU1SeFqkff2D89I5k3iQ
YA58TNYkEhBvNHuSBfZv1uxaeJoQ1T4Wb+VswWgi5ck
--- crnhqJNO+eMBMgAgJjQsS0EOxee/UazYlssOXxlcp1g
šU$1Óȱ{²Ëôil©Î_èâÖ yŸG´äå)(·<1D>ñ“D\òY÷ã`ß¿³ð2<C3B0>½/lÆ¢w­å•Ân¸ŸO«C³

BIN
secrets/wiki-basicauth-htpasswd.age
View file

Binary file not shown.

16
secrets/wiki-password.age
View file

@ -1,11 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 ofQnlg fc4Kx1F73+x5k20ZAr+nwJ2//MKSbW0XrPwidaw3O34
/sVyDyaHqBqWgB4aEBYCB9n0cVzEWUTdgqKvM4aAzJ8
-> ssh-ed25519 COspvA pfbE6BX+5WeYtuCfL1kRdnD3tVOV33fEJR4G0EndGBA
ssywMgaFasyglxpIMjn9xxQViV5srAz8qS7t3aIJjnM
-> ssh-ed25519 1MUEqQ sqw/QOSTfTBzC2YOEDLzkB51VnGPZcz9JX5JYZ+/hjg
p2pa5eakbFbNDhOfDZaXvb69ACh/F/2lFDTUQc4WlZ4
-> ssh-ed25519 dgBsjw QaKOQLbsEpD71x7Hk3ZoZV3/xgxv4+jG1wWiKmrhOik
wyJP3apJB9jBcAOMK0D72lD7FqCkBEuwX0UyCvqOUJc
--- J/CTHVy20+V7iS/R0LeeUNzIxE6dU3lnVWAFHyEjbE8
^TG™ÃÔUë•9óÁ) ]6èn<C3A8>…<CíýÐ|ñ¥€If…Ä1ò³*9ä&MJS= TÔÆXéKol{I
-> ssh-ed25519 1MUEqQ yJ53uyB0OqgbyZS+0Qu/glWZGqx8ALEr2Z0hKUrQgUg
Ewvye5oREhNCASqyql56m2mNbAGnK69fVkjZ0N2ILMk
-> ssh-ed25519 dgBsjw glI8t7C/N4BqpnuZlCnv6TFb+YUQn+0oAjbJI7GrzWw
qFxxFVt2R6FkupbP7qErZ+VFHYwEHVmY4iC6hyEf+Vg
--- fQbt68Fdj7wk8mWFx0W0Z1iRbkWxxK7+zIKw/v+BCE0
¢OÕ+Q±×‰F¾^0縿9ãÕ?\TeËB(ügs½³°¹'—™7…ì§ÁˆŒ(ÁO=>³<)h`qè&<26>^

BIN
secrets/wiki-smtp-password.age
View file

Binary file not shown.

15
server/README.md Normal file
View file

@ -0,0 +1,15 @@
# fediversity.eu webserver
This directory contains the configuration for the server hosting https://fediversity.eu
Build the configuration:
```bash
nix-build -A machine
```
Deploy via SSH:
```bash
env SSH_OPTS="..." nix-shell --run deploy-webserver
```

275
server/configuration.nix Normal file
View file

@ -0,0 +1,275 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
services.nginx.enable = true;
services.nginx.virtualHosts."www.oid.foundation" = {
useACMEHost = "oid.foundation";
forceSSL = true;
globalRedirect = "oid.foundation";
};
services.nginx.virtualHosts."oid.foundation" = {
enableACME = true;
forceSSL = true;
root = "/var/www/oid.foundation";
};
services.nginx.virtualHosts."fediversity.eu" = {
useACMEHost = "www.fediversity.eu";
forceSSL = true;
globalRedirect = "www.fediversity.eu";
locations."/.well-known/matrix/client" = {
extraConfig = ''
return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
default_type application/json;
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
'';
};
locations."/.well-known/matrix/server" = {
extraConfig = ''
return 200 '{"m.server": "matrix.fediversity.eu:443"}';
default_type application/json;
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
'';
};
};
services.nginx.virtualHosts."www.fediversity.eu" = {
enableACME = true;
forceSSL = true;
root = "${(import ../website { }).build}";
locations."/.well-known/matrix/client" = {
extraConfig = ''
return 200 '{"m.homeserver": {"base_url": "https://matrix.fediversity.eu", "public_baseurl": "https://matrix.fediversity.eu"}}';
default_type application/json;
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
'';
};
locations."/.well-known/matrix/server" = {
extraConfig = ''
return 200 '{"m.server": "matrix.fediversity.eu:443"}';
default_type application/json;
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization";
'';
};
};
security.acme = {
acceptTerms = true;
defaults.email = "beheer@procolix.com";
certs."www.fediversity.eu".extraDomainNames = [ "fediversity.eu" ];
certs."oid.foundation".extraDomainNames = [ "www.oid.foundation" ];
};
networking = {
hostName = "vm02117";
domain = "procolix.com";
interfaces = {
eth0 = {
ipv4 = {
addresses = [
{
address = "185.206.232.106";
prefixLength = 24;
}
];
};
ipv6 = {
addresses = [
{
address = "2a00:51c0:12:1201::106";
prefixLength = 64;
}
];
};
};
};
defaultGateway = {
address = "185.206.232.1";
interface = "eth0";
};
defaultGateway6 = {
address = "2a00:51c0:12:1201::1";
interface = "eth0";
};
nameservers = [ "95.215.185.6" "95.215.185.7" ];
firewall.enable = false;
nftables = {
enable = true;
ruleset = ''
#!/usr/sbin/nft -f
flush ruleset
########### define usefull variables here #####################
define wan = eth0
define ssh_allow = {
83.161.147.127/32, # host801 ipv4
95.215.185.92/32, # host088 ipv4
95.215.185.211/32, # host089 ipv4
95.215.185.34/32, # nagios2 ipv4
95.215.185.181/32, # ansible.procolix.com
95.215.185.235, # ansible-hq
185.206.232.76, # vpn4
}
define snmp_allow = {
95.215.185.31/32, # cacti ipv4
}
define nrpe_allow = {
95.215.185.34/32, # nagios2 ipv4
}
########### here starts the automated bit #####################
table inet filter {
chain input {
type filter hook input priority 0;
policy drop;
# established/related connections
ct state established,related accept
ct state invalid drop
# Limit ping requests.
ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop
# loopback interface
iifname lo accept
# icmp
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept
# Without the nd-* ones ipv6 will not work.
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept
# open tcp ports: sshd (22)
ip saddr $ssh_allow tcp dport {ssh} accept
# open tcp ports: snmp (161)
ip saddr $snmp_allow udp dport {snmp} accept
# open tcp ports: nrpe (5666)
ip saddr $nrpe_allow tcp dport {nrpe} accept
# open tcp ports: http (80,443)
tcp dport {http,https} accept
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
}
}
table ip nat {
chain postrouting {
}
chain prerouting {
}
}
'';
};
};
# Set your time zone.
time.timeZone = "Europe/Amsterdam";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
security.sudo.wheelNeedsPassword = false;
# Define a user account. Don't forget to set a password with passwd.
users.users.procolix = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1"
"ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2"
];
packages = with pkgs; [
];
};
users.users.laurens = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBbK4ZB0Xnpf8yyK4QOI2HvjgQINI3GKi7/O2VEsYXUb laurenshof@Laurenss-MacBook-Air.local"
];
packages = with pkgs; [
];
};
users.users.valentin = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg"
];
packages = with pkgs; [
];
};
users.users.niols = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY"
];
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
(pkgs.vim_configurable.customize {
name = "vim";
vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
start = [ vim-nix ]; # load plugin on startup
};
vimrcConfig.customRC = ''
" your custom vimrc
set nocompatible
set backspace=indent,eol,start
" Turn on syntax highlighting by default
syntax on
" ...
'';
})
wget
git
];
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
services.openssh.settings.PasswordAuthentication = false;
# Enable xe-guest-utilities
services.xe-guest-utilities.enable = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.11"; # Did you read the comment?
}

46
server/default.nix Normal file
View file

@ -0,0 +1,46 @@
{ sources ? import ../website/npins
, system ? builtins.currentSystem
, pkgs ? import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
}
, lib ? import "${sources.nixpkgs}/lib"
}:
let
# TODO: don't hard code target hosts; wire all of it up with NixOps4
host = "vm02117.procolix.com";
deploy = pkgs.writeShellApplication {
name = "deploy-webserver";
text = ''
# HACK: decouple system evaluation from shell evaluation
# the structured way for using this hack is encoded in https://github.com/fricklerhandwerk/lazy-drv
result="$(nix-build ${toString ./.} -A machine --no-out-link --eval-store auto --store ssh-ng://${host})"
# shellcheck disable=SC2087
ssh ${host} << EOF
sudo nix-env -p /nix/var/nix/profiles/system --set "$result"
sudo "$result"/bin/switch-to-configuration switch
EOF
'';
};
nixos-configuration = config:
import "${pkgs.path}/nixos/lib/eval-config.nix" {
modules = [
config
];
system = null;
};
in
rec {
nixos = nixos-configuration ./configuration.nix;
machine = nixos.config.system.build.toplevel;
shell = pkgs.mkShellNoCC {
packages = with pkgs; [
deploy
];
env = {
# TODO: reusing other pins for now; wire up the whole repo to use the same dependencies
NPINS_DIRECTORY = toString ../website/npins;
};
};
}

34
server/hardware-configuration.nix Normal file
View file

@ -0,0 +1,34 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ ];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "sr_mod" "xen_blkfront" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/5aa392a8-c9ba-4181-976f-b3b30db350a1";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/FC6D-610F";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enX0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

0
panel/shell.nix → server/shell.nix
View file

10
services/fediversity/pixelfed.nix
View file

@ -13,6 +13,14 @@ in
}:
lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
## Pixelfed as packaged in nixpkgs has a permission issue that prevents Nginx
## from being able to serving the images. We fix it here, but this should be
## upstreamed. See https://github.com/NixOS/nixpkgs/issues/235147
services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: {
patches = (old.patches or [ ]) ++ [ ./pixelfed-group-permissions.patch ];
});
services.garage = {
ensureBuckets = {
pixelfed = {
@ -61,6 +69,8 @@ lib.mkIf (config.fediversity.enable && config.fediversity.pixelfed.enable) {
};
};
users.users.nginx.extraGroups = [ "pixelfed" ];
services.pixelfed.settings = {
## NOTE: This depends on the targets, eg. universities might want control
## over who has an account. We probably want a universal

2
services/flake-part.nix
View file

@ -8,8 +8,8 @@
{
checks = {
mastodon = import ./tests/mastodon.nix { inherit self pkgs; };
pixelfed-garage = import ./tests/pixelfed-garage.nix { inherit self pkgs; };
peertube = import ./tests/peertube.nix { inherit self pkgs; };
pixelfed = import ./tests/pixelfed.nix { inherit self pkgs; };
};
};
}

3
services/tests/mastodon.nix
View file

@ -8,9 +8,6 @@
let
lib = pkgs.lib;
## FIXME: this binding was not used, but maybe we want a side-effect or something?
# rebuildableTest = import ./rebuildableTest.nix pkgs;
testImage = pkgs.copyPathToStore ./green.png;
testImageColour = "#00FF00";

47
services/tests/peertube.nix
View file

@ -1,4 +1,6 @@
## This file is a basic test of Peertube functionalities.
##
## NOTE: This test needs Peertube >= 6.3.
{ pkgs, self }:
@ -12,7 +14,11 @@ let
pkgs.writers.writePython3Bin "post-video-in-browser"
{
libraries = with pkgs.python3Packages; [ selenium ];
flakeIgnore = [ "E501" ]; # welcome to the 21st century
flakeIgnore = [
"E302"
"E305"
"E501" # welcome to the 21st century
];
}
''
import sys
@ -24,31 +30,18 @@ let
from selenium.webdriver.support.ui import WebDriverWait
from selenium.common.exceptions import NoSuchElementException
print("Create and configure driver...", file=sys.stderr)
options = Options()
print("########################################", file=sys.stderr)
print("A", file=sys.stderr)
options.add_argument("--headless")
print("########################################", file=sys.stderr)
print("B", file=sys.stderr)
service = webdriver.FirefoxService(executable_path="${lib.getExe pkgs.geckodriver}")
print("########################################", file=sys.stderr)
print("C", file=sys.stderr)
driver = webdriver.Firefox(options=options, service=service)
print("########################################", file=sys.stderr)
print("D", file=sys.stderr)
driver.set_window_size(4096, 2160)
print("########################################", file=sys.stderr)
print("E", file=sys.stderr)
driver.implicitly_wait(360)
print("########################################", file=sys.stderr)
print("F", file=sys.stderr)
wait = WebDriverWait(driver, timeout=360, poll_frequency=10)
print("########################################", file=sys.stderr)
############################################################
# Login
def load(driver, page):
print(f"Loading page {page}...", file=sys.stderr)
driver.get(page)
@ -84,7 +77,6 @@ let
print(f"Done loading page {page}.", file=sys.stderr)
############################################################
# Upload video and take a screenshot
@ -115,9 +107,9 @@ let
# driver.find_element(By.XPATH, "//*[contains(text(), 'Failed to play video')]")
#
# def detect_image_in_screen(d):
# print("Taking a screenshot...", file=sys.stderr)
# print(" Taking a screenshot...", file=sys.stderr)
# d.save_screenshot("/screenshot.png")
# print("Checking it...", file=sys.stderr)
# print(" Checking it...", file=sys.stderr)
# displayed_colours = subprocess.run(
# [
# "magick",
@ -132,7 +124,10 @@ let
# text=True,
# check=True,
# ).stdout
# return bool(re.match(".*#${testVideoColour}.*", displayed_colours, re.S))
# result = bool(re.search("${testVideoColour}", displayed_colours, re.IGNORECASE))
# if not result:
# print(" Could not find the video in the screenshot.", file=sys.stderr)
# return result
#
# print("Wait until the image shows in screen...", file=sys.stderr)
# wait.until(detect_image_in_screen)
@ -175,11 +170,6 @@ pkgs.nixosTest {
../vm/interactive-vm.nix
];
virtualisation = {
memorySize = lib.mkVMOverride 8192;
cores = 8;
};
environment.systemPackages = with pkgs; [
python3
firefox-unwrapped
@ -192,15 +182,15 @@ pkgs.nixosTest {
expect
];
## FIXME: The CI is very slow, so the default timeout of 120s is not
## good enough. We bump it drastically.
systemd.services.postgresql.serviceConfig.TimeoutSec = lib.mkForce 3600;
environment.variables = {
AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.peertube.id;
AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.peertube.secret;
PT_INITIAL_ROOT_PASSWORD = "testtest";
};
## FIXME: The CI is very slow, so the default timeout of 120s is not
## good enough. We bump it drastically.
systemd.services.postgresql.serviceConfig.TimeoutSec = lib.mkForce 3600;
};
};
@ -211,7 +201,6 @@ pkgs.nixosTest {
# FIXME: I think this trick to look for a password can be replaced by
# services.peertube.serviceEnvironmentFile.PT_INITIAL_ROOT_PASSWORD=testtest
with subtest("Peertube starts"):
server.wait_for_unit("peertube.service")
root_password = server.succeed("acquire-root-password").rstrip()

222
services/tests/pixelfed-garage.nix
View file

@ -1,222 +0,0 @@
{ pkgs, self }:
let
lib = pkgs.lib;
## FIXME: this binding was not used but maybe we want a side effect or something?
# rebuildableTest = import ./rebuildableTest.nix pkgs;
email = "test@test.com";
password = "testtest";
# FIXME: Replace all the By.XPATH by By.CSS_SELECTOR.
seleniumImports = ''
import sys
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.chrome.options import Options
'';
seleniumSetup = ''
print("Create and configure driver...", file=sys.stderr)
options = Options()
# options.add_argument("--headless=new")
service = webdriver.ChromeService(executable_path="${lib.getExe pkgs.chromedriver}") # noqa: E501
driver = webdriver.Chrome(options=options, service=service)
driver.implicitly_wait(30)
driver.set_window_size(1280, 960)
'';
seleniumPixelfedLogin = ''
print("Open login page...", file=sys.stderr)
driver.get("http://pixelfed.localhost/login")
print("Enter email...", file=sys.stderr)
driver.find_element(By.ID, "email").send_keys("${email}")
print("Enter password...", file=sys.stderr)
driver.find_element(By.ID, "password").send_keys("${password}")
# FIXME: This is disgusting. Find instead the input type submit in the form
# with action ending in "/login".
print("Click Login button...", file=sys.stderr)
driver.find_element(By.XPATH, "//button[normalize-space()='Login']").click()
'';
## NOTE: `path` must be a valid python string, either a variable or _quoted_.
seleniumTakeScreenshot = path: ''
print("Take screenshot...", file=sys.stderr)
if not driver.save_screenshot(${path}):
raise Exception("selenium could not save screenshot")
'';
seleniumQuit = ''
print("Quitting...", file=sys.stderr)
driver.quit()
'';
seleniumScriptPostPicture =
pkgs.writers.writePython3Bin "selenium-script-post-picture"
{ libraries = with pkgs.python3Packages; [ selenium ]; }
''
import os
import time
${seleniumImports}
from selenium.webdriver.support.wait import WebDriverWait
${seleniumSetup}
${seleniumPixelfedLogin}
time.sleep(3)
media_path = os.environ['POST_MEDIA']
# Find the new post form, fill it in with our pictureand a caption.
print("Click on Create New Post...", file=sys.stderr)
driver.find_element(By.LINK_TEXT, "Create New Post").click()
print("Add file to input element...", file=sys.stderr)
driver.find_element(By.XPATH, "//input[@type='file']").send_keys(media_path)
print("Add a caption", file=sys.stderr)
driver.find_element(By.CSS_SELECTOR, ".media-body textarea").send_keys(
"Fediversity test of image upload to pixelfed with garage storage."
)
time.sleep(3)
print("Click on Post button...", file=sys.stderr)
driver.find_element(By.LINK_TEXT, "Post").click()
# Wait until the post loads, and in particular its picture, then take a
# screenshot of the whole page.
print("Wait for post and image to be loaded...", file=sys.stderr)
img = driver.find_element(
By.XPATH,
"//div[@class='timeline-status-component-content']//img"
)
WebDriverWait(driver, timeout=10).until(
lambda d: d.execute_script("return arguments[0].complete", img)
)
time.sleep(3)
${seleniumTakeScreenshot "\"/home/selenium/screenshot.png\""}
${seleniumQuit}'';
seleniumScriptGetSrc =
pkgs.writers.writePython3Bin "selenium-script-get-src"
{ libraries = with pkgs.python3Packages; [ selenium ]; }
''
${seleniumImports}
${seleniumSetup}
${seleniumPixelfedLogin}
img = driver.find_element(
By.XPATH,
"//div[@class='timeline-status-component-content']//img"
)
# REVIEW: Need to wait for it to be loaded?
print(img.get_attribute('src'))
${seleniumQuit}'';
in
pkgs.nixosTest {
name = "test-pixelfed-garage";
nodes = {
server =
{ config, ... }:
{
services = {
xserver = {
enable = true;
displayManager.lightdm.enable = true;
desktopManager.lxqt.enable = true;
};
displayManager.autoLogin = {
enable = true;
user = "selenium";
};
};
virtualisation.resolution = {
x = 1680;
y = 1050;
};
virtualisation = {
memorySize = lib.mkVMOverride 8192;
cores = 8;
};
imports = with self.nixosModules; [
fediversity
../vm/garage-vm.nix
../vm/pixelfed-vm.nix
];
# TODO: pair down
environment.systemPackages = with pkgs; [
python3
chromium
chromedriver
xh
seleniumScriptPostPicture
seleniumScriptGetSrc
helix
imagemagick
];
environment.variables = {
POST_MEDIA = ./fediversity.png;
AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.pixelfed.id;
AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.pixelfed.secret;
## without this we get frivolous errors in the logs
MC_REGION = "garage";
};
# chrome does not like being run as root
users.users.selenium = {
isNormalUser = true;
};
};
};
testScript =
{ nodes, ... }:
''
import re
server.start()
with subtest("Pixelfed starts"):
server.wait_for_unit("phpfpm-pixelfed.service")
with subtest("Account creation"):
server.succeed("pixelfed-manage user:create --name=test --username=test --email=${email} --password=${password} --confirm_email=1")
# NOTE: This could in theory give a false positive if pixelfed changes it's
# colorscheme to include pure green. (see same problem in mastodon-garage.nix).
# TODO: For instance: post a red image and check that the green pixel IS NOT
# there, then post a green image and check that the green pixel IS there.
with subtest("Image displays"):
server.succeed("su - selenium -c 'selenium-script-post-picture ${email} ${password}'")
server.copy_from_vm("/home/selenium/screenshot.png", "")
displayed_colors = server.succeed("magick /home/selenium/screenshot.png -define histogram:unique-colors=true -format %c histogram:info:")
# check that the green image displayed somewhere
image_check = re.match(".*#FF0500.*", displayed_colors, re.S)
if image_check is None:
raise Exception("cannot detect the uploaded image on pixelfed page.")
with subtest("access garage"):
server.succeed("mc alias set garage ${nodes.server.fediversity.internal.garage.api.url} --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY")
server.succeed("mc ls garage/pixelfed")
with subtest("access image in garage"):
image = server.succeed("mc find garage --regex '\\.png' --ignore '*_thumb.png'")
image = image.rstrip()
if image == "":
raise Exception("image posted to Pixelfed did not get stored in garage")
server.succeed(f"mc cat {image} >/garage-image.png")
garage_image_hash = server.succeed("identify -quiet -format '%#' /garage-image.png")
image_hash = server.succeed("identify -quiet -format '%#' $POST_MEDIA")
if garage_image_hash != image_hash:
raise Exception("image stored in garage did not match image uploaded")
with subtest("Check that image comes from garage"):
src = server.succeed("su - selenium -c 'selenium-script-get-src ${email} ${password}'")
if not src.startswith("${nodes.server.fediversity.internal.garage.web.urlForBucket "pixelfed"}"):
raise Exception("image does not come from garage")
'';
}

191
services/tests/pixelfed.nix Normal file
View file

@ -0,0 +1,191 @@
{ pkgs, self }:
let
lib = pkgs.lib;
email = "test@test.com";
password = "testtest";
testPicture = pkgs.copyPathToStore ./green.png;
testPictureColour = "#00FF00";
seleniumScriptPostPicture =
garageBucketUrl:
pkgs.writers.writePython3Bin "selenium-script-post-picture"
{
libraries = with pkgs.python3Packages; [ selenium ];
flakeIgnore = [
"E302"
"E305"
"E501" # welcome to the 21st century
];
}
''
import re
import subprocess
import sys
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.firefox.options import Options
from selenium.webdriver.support.ui import WebDriverWait
print("Create and configure driver...", file=sys.stderr)
options = Options()
options.add_argument("--headless")
service = webdriver.FirefoxService(executable_path="${lib.getExe pkgs.geckodriver}")
driver = webdriver.Firefox(options=options, service=service)
driver.set_window_size(4096, 2160)
driver.implicitly_wait(360)
wait = WebDriverWait(driver, timeout=1080, poll_frequency=120)
############################################################
# Login
print("Open login page...", file=sys.stderr)
driver.get("http://pixelfed.localhost/login")
print("Enter email...", file=sys.stderr)
driver.find_element(By.ID, "email").send_keys("${email}")
print("Enter password...", file=sys.stderr)
driver.find_element(By.ID, "password").send_keys("${password}")
print("Click Login button...", file=sys.stderr)
driver.find_element(By.XPATH, "//button[normalize-space()='Login']").click()
############################################################
# Post picture
# Find the new post form, fill it in with our picture.
print("Click on Create New Post...", file=sys.stderr)
driver.find_element(By.LINK_TEXT, "Create New Post").click()
print("Add file to input element...", file=sys.stderr)
driver.find_element(By.XPATH, "//input[@type='file']").send_keys("${testPicture}")
print("Click on Post button...", file=sys.stderr)
driver.find_element(By.LINK_TEXT, "Post").click()
# Wait until the post loads, and in particular its picture, then take a
# screenshot of the whole page.
print("Wait for post and picture to be loaded...", file=sys.stderr)
img = driver.find_element(By.XPATH, "//div[@class='timeline-status-component-content']//img")
wait.until(lambda d: d.execute_script("return arguments[0].complete", img))
############################################################
# Check that the picture actually shows
def detect_picture_in_screen(d):
print(" Taking a screenshot...", file=sys.stderr)
d.save_screenshot("/home/selenium/screenshot.png")
print(" Checking it...", file=sys.stderr)
displayed_colours = subprocess.run(
[
"magick",
"/home/selenium/screenshot.png",
"-define",
"histogram:unique-colors=true",
"-format",
"%c",
"histogram:info:",
],
capture_output=True,
text=True,
check=True,
).stdout
result = bool(re.search("${testPictureColour}", displayed_colours, re.IGNORECASE))
if not result:
print(" Could not find the picture in the screenshot.", file=sys.stderr)
return result
print("Wait until the picture shows in screen...", file=sys.stderr)
wait.until(detect_picture_in_screen)
print("Picture detected!", file=sys.stderr)
############################################################
# Check that the picture gets to Garage
def detect_src_in_garage(d):
print(" Reload the timeline...", file=sys.stderr)
driver.get("http://pixelfed.localhost/")
print(" Getting the picture's src and checking it...", file=sys.stderr)
img = driver.find_element(By.XPATH, "//div[@class='timeline-status-component-content']//img")
result = img.get_attribute('src').startswith("${garageBucketUrl}")
if not result:
print(" The picture's src does not point to Garage.", file=sys.stderr)
return result
print("Wait until the picture's src points to Garage...", file=sys.stderr)
wait.until(detect_src_in_garage)
print("Picture's src points to Garage!", file=sys.stderr)
############################################################
print("Done; bye!", file=sys.stderr)
driver.close()
'';
in
pkgs.nixosTest {
name = "pixelfed";
nodes = {
server =
{ config, ... }:
{
imports = with self.nixosModules; [
fediversity
../vm/garage-vm.nix
../vm/pixelfed-vm.nix
../vm/interactive-vm.nix
];
environment.systemPackages = with pkgs; [
python3
firefox-unwrapped
geckodriver
xh
(seleniumScriptPostPicture (config.fediversity.internal.garage.web.urlForBucket "pixelfed"))
helix
imagemagick
];
environment.variables = {
AWS_ACCESS_KEY_ID = config.services.garage.ensureKeys.pixelfed.id;
AWS_SECRET_ACCESS_KEY = config.services.garage.ensureKeys.pixelfed.secret;
## without this we get frivolous errors in the logs
MC_REGION = "garage";
};
# Do not run Selenium scripts as root
users.users.selenium.isNormalUser = true;
};
};
testScript =
{ nodes, ... }:
''
server.start()
with subtest("Pixelfed starts"):
server.wait_for_unit("phpfpm-pixelfed.service")
server.succeed("pixelfed-manage user:create --name=test --username=test --email=${email} --password=${password} --confirm_email=1")
# NOTE: This could in theory give a false positive if pixelfed changes it's
# colorscheme to include pure green. (see same problem in mastodon-garage.nix).
# TODO: For instance: post a red picture and check that the green pixel IS NOT
# there, then post a green picture and check that the green pixel IS there.
with subtest("Post an picture in the browser"):
server.succeed("su - selenium -c 'selenium-script-post-picture ${email} ${password}'")
server.copy_from_vm("/home/selenium/screenshot.png", "")
with subtest("Find picture in garage"):
server.succeed("mc alias set garage ${nodes.server.fediversity.internal.garage.api.url} --api s3v4 --path off $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY")
picture = server.succeed("mc find garage --regex '\\.png' --ignore '*_thumb.png'")
picture = picture.rstrip()
if picture == "":
raise Exception("Could not find any _thumb.png picture stored in Garage")
server.succeed(f"mc cat {picture} > /picture.png")
garage_hash = server.succeed("identify -quiet -format '%#' /picture.png")
hash = server.succeed("identify -quiet -format '%#' ${testPicture}")
if garage_hash != hash:
raise Exception("The picture stored in Garage does not correspond to the original one.")
'';
}

1
services/vm/garage-vm.nix
View file

@ -28,7 +28,6 @@ in
inherit value;
}) (filterAttrs (_: { website, ... }: website) cfg.ensureBuckets);
virtualisation.diskSize = 2048;
virtualisation.forwardPorts = [
{
from = "host";

69
services/vm/interactive-vm.nix
View file

@ -1,9 +1,19 @@
# customize nixos-rebuild build-vm to be a bit more convenient
{ pkgs, ... }:
{ pkgs, lib, ... }:
let
inherit (lib) mkForce;
in
{
# let us log in
users.mutableUsers = false;
users.users.root.hashedPassword = "";
users = {
mutableUsers = false;
users.root = {
hashedPassword = "";
hashedPasswordFile = mkForce null;
};
};
services.openssh = {
enable = true;
settings = {
@ -13,16 +23,11 @@
};
};
# automatically log in
services.getty.autologinUser = "root";
services.getty.helpLine = ''
Type `C-a c` to access the qemu console
Type `C-a x` to quit
'';
# access to convenient things
environment.systemPackages = with pkgs; [
w3m
python3
w3m
xterm # for `resize`
];
environment.loginShellInit = ''
@ -32,23 +37,27 @@
extra-experimental-features = nix-command flakes
'';
virtualisation.memorySize = 2048;
virtualisation = {
memorySize = 8192;
diskSize = 2048;
cores = 8;
virtualisation.forwardPorts = [
{
from = "host";
host.port = 22222;
guest.port = 22;
}
{
from = "host";
host.port = 8080;
guest.port = 80;
}
{
from = "host";
host.port = 8443;
guest.port = 443;
}
];
forwardPorts = [
{
from = "host";
host.port = 22222;
guest.port = 22;
}
{
from = "host";
host.port = 8080;
guest.port = 80;
}
{
from = "host";
host.port = 8443;
guest.port = 443;
}
];
};
}

8
website/default.nix
View file

@ -1,4 +1,4 @@
{ sources ? import ../npins
{ sources ? import ./npins
, system ? builtins.currentSystem
, pkgs ? import sources.nixpkgs {
inherit system;
@ -65,12 +65,12 @@ rec {
tests = with pkgs; with lib;
let
source = fileset.toSource {
root = ../.;
root = ./.;
fileset = fileset.unions [
./default.nix
./tests.nix
./lib.nix
../npins
./npins
];
};
in
@ -86,7 +86,7 @@ rec {
# adding it verbatim will result in <hash'>-<hash>-source, so rename it first
cp -r ${sources.nixpkgs} source
nix-store --add --store "$HOME" source
${getExe nix-unit} --gc-roots-dir "$HOME" --store "$HOME" ${source}/website/tests.nix "$@"
${getExe nix-unit} --gc-roots-dir "$HOME" --store "$HOME" ${source}/tests.nix "$@"
touch $out
'';
}

0
npins/default.nix → website/npins/default.nix
View file

0
npins/sources.json → website/npins/sources.json
View file