From 4c62d9a41845632afd11603fb4c10b0b3fd7a7af Mon Sep 17 00:00:00 2001 From: tanneberger Date: Sun, 9 Jun 2024 17:55:24 +0200 Subject: [PATCH 1/6] formatting and updating to 24.05 --- flake.lock | 38 ++++++++++----------- flake.nix | 40 +++++++++++------------ hosts/notice-me-senpai/grafana.nix | 2 +- hosts/tram-borzoi/postgres.nix | 5 +-- modules/TLMS/base.nix | 1 + modules/TLMS/wg.nix | 3 +- modules/data-hoarder/kindergarten.nix | 9 ++--- modules/data-hoarder/nginx.nix | 3 +- modules/data-hoarder/postgres.nix | 31 +++++++++--------- modules/data-hoarder/secrets.nix | 3 +- modules/data-hoarder/website.nix | 12 +++---- modules/traffic-stop-box/radio-config.nix | 22 +++++++------ 12 files changed, 87 insertions(+), 82 deletions(-) diff --git a/flake.lock b/flake.lock index f759826..89d57d5 100644 --- a/flake.lock +++ b/flake.lock @@ -350,11 +350,11 @@ "pnpm2nix": "pnpm2nix" }, "locked": { - "lastModified": 1715280755, - "narHash": "sha256-zVkHdgFmpJ1NCmp1AQ18oT5QsbEewyqkH67wZP0uzRo=", + "lastModified": 1716148172, + "narHash": "sha256-+rKHw/bkFXiqPtVRtY/A5ER0DDdgp4aFn/6iGoE4y8s=", "owner": "tlm-solutions", "repo": "kindergarten", - "rev": "3df46c35ba76ed22e25161c7cea0ae3cedf22631", + "rev": "7f9f8d229528ee4542a4734423af26d2eb6c6b24", "type": "github" }, "original": { @@ -399,11 +399,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1714764302, - "narHash": "sha256-MmIZR67wOP3Nr9b3XpsvHSZSTDcTmd9cQn2Z8pW1/Hw=", + "lastModified": 1717441449, + "narHash": "sha256-juxjgmLnFbl+/hhIO2cVtIa6caCO4pLKlZWUMwAOznM=", "owner": "astro", "repo": "microvm.nix", - "rev": "e9977efbe34b554c3e393dc9a18509905a4080e5", + "rev": "e3a4dd5b381fb580804105594cc9c71dc45abdb5", "type": "github" }, "original": { 
@@ -482,11 +482,11 @@ ] }, "locked": { - "lastModified": 1713520724, - "narHash": "sha256-CO8MmVDmqZX2FovL75pu5BvwhW+Vugc7Q6ze7Hj8heI=", + "lastModified": 1717067539, + "narHash": "sha256-oIs5EF+6VpHJRvvpVWuqCYJMMVW/6h59aYUv9lABLtY=", "owner": "nix-community", "repo": "naersk", - "rev": "c5037590290c6c7dae2e42e7da1e247e54ed2d49", + "rev": "fa19d8c135e776dc97f4dcca08656a0eeb28d5c0", "type": "github" }, "original": { @@ -513,11 +513,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1714858427, - "narHash": "sha256-tCxeDP4C1pWe2rYY3IIhdA40Ujz32Ufd4tcrHPSKx2M=", + "lastModified": 1717880976, + "narHash": "sha256-BRvSCsKtDUr83NEtbGfHLUOdDK0Cgbezj2PtcHnz+sQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b980b91038fc4b09067ef97bbe5ad07eecca1e76", + "rev": "4913a7c3d8b8d00cb9476a6bd730ff57777f740c", "type": "github" }, "original": { @@ -593,16 +593,16 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1715106579, - "narHash": "sha256-gZMgKEGiK6YrwGBiccZ1gemiUwjsZ1Zv49KYOgmX2fY=", + "lastModified": 1717696253, + "narHash": "sha256-1+ua0ggXlYYPLTmMl3YeYYsBXDSCqT+Gw3u6l4gvMhA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8be0d8a1ed4f96d99b09aa616e2afd47acc3da89", + "rev": "9b5328b7f761a7bbdc0e332ac4cf076a3eedb89b", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.11", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } @@ -823,11 +823,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1715244550, - "narHash": "sha256-ffOZL3eaZz5Y1nQ9muC36wBCWwS1hSRLhUzlA9hV2oI=", + "lastModified": 1717902109, + "narHash": "sha256-OQTjaEZcByyVmHwJlKp/8SE9ikC4w+mFd3X0jJs6wiA=", "owner": "Mic92", "repo": "sops-nix", - "rev": "0dc50257c00ee3c65fef3a255f6564cfbfe6eb7f", + "rev": "f0922ad001829b400f0160ba85b47d252fa3d925", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 24c65f8..0feac3f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -5,7 +5,7 @@ }; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05"; # naersk and flake utils are not used by this flake directly, but needed # for the follows in all the other ones. @@ -177,27 +177,27 @@ # function that generates a system with the given number generate_system = (id: - let - myRegistry = registry.traffic-stop-box."${toString id}"; - in + let + myRegistry = registry.traffic-stop-box."${toString id}"; + in { "${myRegistry.hostName}" = { - system = myRegistry.arch; - specialArgs = { inherit self inputs; registry = myRegistry; }; - modules = - [ - # box-specific config - ./hosts/traffic-stop-box/${toString id} - - # default modules - sops-nix.nixosModules.sops - ./modules/traffic-stop-box - ./modules/TLMS - { - deployment-TLMS.monitoring.enable = myRegistry.monitoring; - } - ] ++ stop-box-modules; - }; + system = myRegistry.arch; + specialArgs = { inherit self inputs; registry = myRegistry; }; + modules = + [ + # box-specific config + ./hosts/traffic-stop-box/${toString id} + + # default modules + sops-nix.nixosModules.sops + ./modules/traffic-stop-box + ./modules/TLMS + { + deployment-TLMS.monitoring.enable = myRegistry.monitoring; + } + ] ++ stop-box-modules; + }; } ); diff --git a/hosts/notice-me-senpai/grafana.nix b/hosts/notice-me-senpai/grafana.nix index de4b3cd..637de63 100644 --- a/hosts/notice-me-senpai/grafana.nix +++ b/hosts/notice-me-senpai/grafana.nix @@ -59,7 +59,7 @@ in } // ( if exporter == "r09-receiver" then { scrape_interval = "10s"; - } else {} + } else { } ); # generate scraper config diff --git a/hosts/tram-borzoi/postgres.nix b/hosts/tram-borzoi/postgres.nix index a584455..dd64321 100644 --- a/hosts/tram-borzoi/postgres.nix +++ b/hosts/tram-borzoi/postgres.nix @@ -33,10 +33,7 @@ } { name = "borzoi"; - ensurePermissions = { - "DATABASE borzoi" = "ALL PRIVILEGES"; - "ALL TABLES IN SCHEMA public" = "ALL"; - }; + ensureDBOwnership = true; } ]; }; 
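Review bot: `ensureDBOwnership = true` on the `borzoi` user only makes that role the owner of a database of the same name; it does not revoke the `ALL PRIVILEGES` / `ALL TABLES IN SCHEMA public` grants that the removed `ensurePermissions` block already applied on hosts deployed before this change, so the live privilege set stays broader than what the expression now declares. If the grants are meant to go away, a one-off `REVOKE ALL ON ALL TABLES IN SCHEMA public FROM borzoi;` is needed, and a comment recording the intent would help: `# 24.05: ownership replaces table grants; pre-existing grants must be revoked by hand`. As far as I can tell the 24.05 module also asserts that a database named `borzoi` appears in `ensureDatabases`; that list is outside the hunk, so I could not confirm it. The enclosing `services.postgresql` attribute set starts before this hunk.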
diff --git a/modules/TLMS/base.nix b/modules/TLMS/base.nix index 208711d..cf573f7 100644 --- a/modules/TLMS/base.nix +++ b/modules/TLMS/base.nix @@ -88,6 +88,7 @@ in users.motd = if config.networking.hostName == "data-hoarder" then prodMotd else regMotd; + programs.screen.enable = true; programs.screen.screenrc = '' defscrollback 10000 diff --git a/modules/TLMS/wg.nix b/modules/TLMS/wg.nix index f3f7501..0acc0e9 100644 --- a/modules/TLMS/wg.nix +++ b/modules/TLMS/wg.nix @@ -45,7 +45,8 @@ in endpointRegistries = let ep = (lib.filter - (x: x.wgAddr4 != registry.wgAddr4 && (!isNull x.publicWireguardEndpoint)) registries); + (x: x.wgAddr4 != registry.wgAddr4 && (!isNull x.publicWireguardEndpoint)) + registries); in assert lib.assertMsg (lib.length ep == 1) "there should be exactly one endpoint"; ep; diff --git a/modules/data-hoarder/kindergarten.nix b/modules/data-hoarder/kindergarten.nix index d1b3585..71fdc4b 100644 --- a/modules/data-hoarder/kindergarten.nix +++ b/modules/data-hoarder/kindergarten.nix @@ -16,10 +16,11 @@ enableACME = true; forceSSL = true; locations."~ ^/(de|en)" = { - root = if (config.deployment-TLMS.domain == "tlm.solutions") then - "${pkgs.kindergarten}" - else - "${pkgs.kindergarten-staging}"; + root = + if (config.deployment-TLMS.domain == "tlm.solutions") then + "${pkgs.kindergarten}" + else + "${pkgs.kindergarten-staging}"; # index = "index.html"; tryFiles = "$uri /$1/index.html =404"; extraConfig = '' diff --git a/modules/data-hoarder/nginx.nix b/modules/data-hoarder/nginx.nix index bc9ec0f..45f194d 100644 --- a/modules/data-hoarder/nginx.nix +++ b/modules/data-hoarder/nginx.nix @@ -20,7 +20,8 @@ let # STS add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; ''; -in { +in +{ networking.firewall.allowedTCPPorts = [ 80 443 ]; security.acme.acceptTerms = true; diff --git a/modules/data-hoarder/postgres.nix b/modules/data-hoarder/postgres.nix index 0e774f8..09525c9 100644 --- a/modules/data-hoarder/postgres.nix 
+++ b/modules/data-hoarder/postgres.nix @@ -1,28 +1,29 @@ { lib, pkgs, config, inputs, self, registry, ... }: { services.postgresql = { - inherit (registry.postgres) port; + settings.port = registry.port; enable = true; enableTCPIP = true; - authentication = let - senpai-ip = - self.unevaluatedNixosConfigurations.notice-me-senpai.specialArgs.registry.wgAddr4; - in pkgs.lib.mkOverride 10 '' - local all all trust - host all all 127.0.0.1/32 trust - host all all ::1/128 trust - host tlms grafana ${senpai-ip}/32 scram-sha-256 - ''; + authentication = + let + senpai-ip = + self.unevaluatedNixosConfigurations.notice-me-senpai.specialArgs.registry.wgAddr4; + in + pkgs.lib.mkOverride 10 '' + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + host tlms grafana ${senpai-ip}/32 scram-sha-256 + ''; package = pkgs.postgresql_14; ensureDatabases = [ "tlms" ]; ensureUsers = [ - { name = "grafana"; } { name = "tlms"; - ensurePermissions = { - "DATABASE tlms" = "ALL PRIVILEGES"; - "ALL TABLES IN SCHEMA public" = "ALL"; - }; + ensureDBOwnership = true; + } + { + name = "grafana"; } ]; }; diff --git a/modules/data-hoarder/secrets.nix b/modules/data-hoarder/secrets.nix index e5cc2fd..aa2fb11 100644 --- a/modules/data-hoarder/secrets.nix +++ b/modules/data-hoarder/secrets.nix @@ -4,7 +4,8 @@ let data-accumulator-user = config.TLMS.dataAccumulator.user; trekkie-user = config.TLMS.trekkie.user; chemo-user = config.TLMS.chemo.user; -in { +in +{ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; users.groups = { diff --git a/modules/data-hoarder/website.nix b/modules/data-hoarder/website.nix index 964007f..64bf79a 100644 --- a/modules/data-hoarder/website.nix +++ b/modules/data-hoarder/website.nix 
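Review bot: The `authentication` block on the new side keeps `local all all trust`, `host all all 127.0.0.1/32 trust` and `host all all ::1/128 trust`, which lets any process or shell user on data-hoarder connect as any role — including the `postgres` superuser and `grafana` — without credentials, and with `enableTCPIP = true` the loopback rules also cover any compromised web service on the same host. Since the file already uses `scram-sha-256` for the grafana-over-WireGuard rule, the local rules could be tightened to `local all all peer` plus `host all all 127.0.0.1/32 scram-sha-256` (and the same for `::1/128`), with peer-mapped system users or per-service passwords for the TLMS daemons. I cannot see which services rely on passwordless loopback access, so this may need a `pg_ident` map rather than a straight swap; at minimum a comment like `# trust on loopback: every local process is a DB superuser — tighten before adding untrusted services` should mark the decision. `grafana` receives no grant here at all, so its read access to `tlms` is presumably arranged elsewhere; a comment saying where would help.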
@@ -4,12 +4,12 @@ virtualHosts = { "${(builtins.replaceStrings [ "tlm.solutions" ] [ "dvb.solutions" ] config.deployment-TLMS.domain)}" = { - enableACME = true; - forceSSL = true; - extraConfig = '' - rewrite ^ https://kid.${config.deployment-TLMS.domain}/ permanent; - ''; - }; + enableACME = true; + forceSSL = true; + extraConfig = '' + rewrite ^ https://kid.${config.deployment-TLMS.domain}/ permanent; + ''; + }; "${config.deployment-TLMS.domain}" = { enableACME = true; forceSSL = true; diff --git a/modules/traffic-stop-box/radio-config.nix b/modules/traffic-stop-box/radio-config.nix index 98b49c8..e528202 100644 --- a/modules/traffic-stop-box/radio-config.nix +++ b/modules/traffic-stop-box/radio-config.nix @@ -8,14 +8,16 @@ } // registry.r09-receiver; # find all the servers with data-accumulator configured - TLMS.telegramDecoder = let - registries = builtins.attrValues (builtins.mapAttrs (name: value: value.specialArgs.registry) self.unevaluatedNixosConfigurations); - filteredDataHoarders = builtins.filter (other: other ? port-data_accumulator) registries; - urlFromRegistry = other: "http://${other.wgAddr4}:${toString other.port-data_accumulator.port}"; - in { - enable = true; - server = builtins.map urlFromRegistry filteredDataHoarders; - configFile = registry.telegramDecoderConfig; - authTokenFile = config.sops.secrets.telegram-decoder-token.path; - }; + TLMS.telegramDecoder = + let + registries = builtins.attrValues (builtins.mapAttrs (name: value: value.specialArgs.registry) self.unevaluatedNixosConfigurations); + filteredDataHoarders = builtins.filter (other: other ? port-data_accumulator) registries; + urlFromRegistry = other: "http://${other.wgAddr4}:${toString other.port-data_accumulator.port}"; + in + { + enable = true; + server = builtins.map urlFromRegistry filteredDataHoarders; + configFile = registry.telegramDecoderConfig; + authTokenFile = config.sops.secrets.telegram-decoder-token.path; + }; } 
From 47125b928853968c7a19411c594131c47d9c4789 Mon Sep 17 00:00:00 2001 From: tanneberger Date: Sun, 9 Jun 2024 18:07:49 +0200 Subject: [PATCH 2/6] fixing registry --- modules/data-hoarder/postgres.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/data-hoarder/postgres.nix b/modules/data-hoarder/postgres.nix index 09525c9..91a3289 100644 --- a/modules/data-hoarder/postgres.nix +++ b/modules/data-hoarder/postgres.nix @@ -1,7 +1,7 @@ { lib, pkgs, config, inputs, self, registry, ... }: { services.postgresql = { - settings.port = registry.port; + settings.port = registry.postgres.port; enable = true; enableTCPIP = true; authentication = From 2e6c5f4080223d8aed1c3529474983ea998dc259 Mon Sep 17 00:00:00 2001 From: tanneberger Date: Sun, 9 Jun 2024 18:32:36 +0200 Subject: [PATCH 3/6] open port in uranus --- hosts/uranus/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/uranus/default.nix b/hosts/uranus/default.nix index 39a14f9..414163e 100644 --- a/hosts/uranus/default.nix +++ b/hosts/uranus/default.nix @@ -86,6 +86,8 @@ in }; + networking.firewall.allowedTCPPorts = [ 80 443 8080 22 ]; + users.motd = lib.mkForce (builtins.readFile ./motd.txt); # This value determines the NixOS release from which the default From 3acd70b609cc6b122c4d1915915fc2d022771157 Mon Sep 17 00:00:00 2001 From: tanneberger Date: Sun, 9 Jun 2024 18:47:37 +0200 Subject: [PATCH 4/6] auto update db --- hosts/uranus/jupyter-container.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/uranus/jupyter-container.nix b/hosts/uranus/jupyter-container.nix index be17404..4cb55c2 100644 --- a/hosts/uranus/jupyter-container.nix +++ b/hosts/uranus/jupyter-container.nix @@ -70,6 +70,8 @@ pkgs.dockerTools.buildImage { jupyterlab \ jupyterhub + # upgrading the db + jupyterhub upgrade-db # off to the races jupyterhub --ip=${bind-ip} --port=${toString bind-port} -f /jupyterhub-config.py From a2c0a9eeb0cdf250190755d6ee6b97f6ab80afa9 Mon Sep 17 00:00:00 2001 
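Review bot: `networking.firewall.allowedTCPPorts = [ 80 443 8080 22 ];` exposes 8080 on every interface, and 8080 appears to be the plain-HTTP JupyterHub bind port from `jupyter-container.nix` (the `--port=${toString bind-port}` line in the next patch), so the hub would be reachable without TLS and bypassing whatever is on 443; if nginx on 80/443 is meant to front it, 8080 should not be in the list, and if it is only for WireGuard peers it belongs under `networking.firewall.interfaces.<wg-iface>.allowedTCPPorts`. 22 is normally already opened by `services.openssh.openFirewall`, so listing it here is redundant but harmless. A comment naming what each port serves would keep this reviewable: `# 80/443: nginx, 8080: jupyterhub (TODO: front with TLS or restrict to wg)`. I cannot see the rest of `hosts/uranus/default.nix`, so the reverse-proxy situation is inferred.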
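Review bot: `jupyterhub upgrade-db` runs unconditionally on every container start with no failure handling, so if the migration fails (or `pip` pulled an incompatible `jupyterhub` release) the next line still launches the hub against a partially migrated database; unless the script already runs under `set -e`, which I cannot see from the hunk, chain it as `jupyterhub upgrade-db || exit 1`. Needing `upgrade-db` at runtime also suggests the `pip install` list ending on the `jupyterlab \` / `jupyterhub` lines above is unpinned, so the hub version can change on every image rebuild; pinning it (`jupyterhub==<version>`) and backing up the hub database before the upgrade would make this predictable. A comment such as `# migrate the hub DB schema; JupyterHub recommends a backup before upgrade-db` would document the intent. The enclosing shell script starts and ends outside the hunk.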
From: tanneberger Date: Sun, 9 Jun 2024 19:10:39 +0200 Subject: [PATCH 5/6] fixing allowed_users --- hosts/uranus/jupyter-container.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/uranus/jupyter-container.nix b/hosts/uranus/jupyter-container.nix index 4cb55c2..081289e 100644 --- a/hosts/uranus/jupyter-container.nix +++ b/hosts/uranus/jupyter-container.nix @@ -42,7 +42,7 @@ pkgs.dockerTools.buildImage { c = get_config() c.PAMAuthenticator.admin_groups = {'${jupyterAdminGroup}'} - + c.Authenticator.allowed_users = {'marenz', 'oxa', 'tassilo'} c.Spawner.notebook_dir='/workdir' c.Spawner.default_url='/lab' ''; From 6f3b557e9eb22eb862c7afde7453962c86455a43 Mon Sep 17 00:00:00 2001 From: Marcel Date: Mon, 10 Jun 2024 13:33:05 +0200 Subject: [PATCH 6/6] kindergarten: cleanup --- flake.lock | 80 +++++++++++++++++++++++---- flake.nix | 1 - modules/data-hoarder/kindergarten.nix | 10 +--- 3 files changed, 71 insertions(+), 20 deletions(-) diff --git a/flake.lock b/flake.lock index 89d57d5..5e2ab44 100644 --- a/flake.lock +++ b/flake.lock @@ -298,6 +298,41 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "id": "flake-utils", + "type": "indirect" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_4" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "funnel": { "inputs": { "json-structs": "json-structs", 
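Review bot: `c.Authenticator.allowed_users = {'marenz', 'oxa', 'tassilo'}` is an explicit allow-list, which is the right default for a PAM-backed hub, but as far as I recall JupyterHub only auto-allows `admin_users`, not members of `PAMAuthenticator.admin_groups`, so an admin-group member who is not one of these three names is locked out while these three can log in regardless of group membership. If the intent is "the admin group plus these users", `c.LocalAuthenticator.allowed_groups = {'${jupyterAdminGroup}'}` next to `admin_groups` expresses that without duplicating usernames in the image. Either way a short comment such as `# login allow-list: PAM users not listed here (or in allowed_groups) are rejected` would record the policy. The `jupyterhub-config.py` heredoc continues outside the hunk.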
@@ -341,20 +376,18 @@ }, "kindergarten": { "inputs": { - "flake-utils": [ - "flake-utils" - ], + "flake-utils": "flake-utils_2", "nixpkgs": [ "nixpkgs" ], "pnpm2nix": "pnpm2nix" }, "locked": { - "lastModified": 1716148172, - "narHash": "sha256-+rKHw/bkFXiqPtVRtY/A5ER0DDdgp4aFn/6iGoE4y8s=", + "lastModified": 1718019089, + "narHash": "sha256-bZELxLQjx8jzxj2KOSCxhI7UWpbYOJ2xl5H1F6kmCzs=", "owner": "tlm-solutions", "repo": "kindergarten", - "rev": "7f9f8d229528ee4542a4734423af26d2eb6c6b24", + "rev": "c2cab4e71ce6d508b822ac91ef8614069db645f1", "type": "github" }, "original": { @@ -625,10 +658,7 @@ }, "pnpm2nix": { "inputs": { - "flake-utils": [ - "kindergarten", - "flake-utils" - ], + "flake-utils": "flake-utils_3", "nixpkgs": [ "kindergarten", "nixpkgs" @@ -882,6 +912,36 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "telegram-decoder": { "inputs": { "naersk": [ diff --git a/flake.nix b/flake.nix index 0feac3f..9beab91 100644 --- a/flake.nix +++ b/flake.nix @@ -52,7 +52,6 @@ url = "github:tlm-solutions/kindergarten"; inputs = { nixpkgs.follows = "nixpkgs"; - flake-utils.follows = "flake-utils"; }; }; diff --git a/modules/data-hoarder/kindergarten.nix b/modules/data-hoarder/kindergarten.nix index 71fdc4b..acf3734 100644 --- a/modules/data-hoarder/kindergarten.nix +++ b/modules/data-hoarder/kindergarten.nix 
@@ -16,16 +16,8 @@ enableACME = true; forceSSL = true; locations."~ ^/(de|en)" = { - root = - if (config.deployment-TLMS.domain == "tlm.solutions") then - "${pkgs.kindergarten}" - else - "${pkgs.kindergarten-staging}"; - # index = "index.html"; + root = "${pkgs.kindergarten.override {inherit (config.deployment-TLMS ) domain; }}"; tryFiles = "$uri /$1/index.html =404"; - extraConfig = '' - more_set_headers "Access-Control-Allow-Credentials: true"; - ''; }; locations."~ ^/(?!en|de)" = { extraConfig = ''
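Review bot: The new `root` line is formatted inconsistently with the `nixpkgs-fmt` pass in patch 1 of this series — `{inherit (config.deployment-TLMS ) domain; }` has a stray space before `)` and none after `{`; `root = "${pkgs.kindergarten.override { inherit (config.deployment-TLMS) domain; }}";` is the conventional form. Dropping the `more_set_headers "Access-Control-Allow-Credentials: true"` line is a reasonable hardening, and since that header only has an effect together with an `Access-Control-Allow-Origin` allow-list, a note on the location (`# NOTE: no CORS headers; kindergarten is assumed same-origin — confirm before re-adding`) would stop it being re-added on its own. The `virtualHosts` entry this location belongs to starts before the hunk.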