Merge remote-tracking branch 'origin/master'

tlm-solutions · Jun 15, 2024 · 924920f · 924920f
2 parents f8f9bd7 + 6f3b557
commit 924920f
Show file tree

Hide file tree

Showing 14 changed files with 155 additions and 95 deletions.
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -5,7 +5,7 @@
   };
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
 
     # naersk and flake utils are not used by this flake directly, but needed
     # for the follows in all the other ones.
@@ -52,7 +52,6 @@
       url = "github:tlm-solutions/kindergarten";
       inputs = {
         nixpkgs.follows = "nixpkgs";
-        flake-utils.follows = "flake-utils";
       };
     };
 
@@ -177,27 +176,27 @@
 
       # function that generates a system with the given number
       generate_system = (id:
-      let
-        myRegistry = registry.traffic-stop-box."${toString id}";
-      in
+        let
+          myRegistry = registry.traffic-stop-box."${toString id}";
+        in
         {
           "${myRegistry.hostName}" = {
-              system = myRegistry.arch;
-              specialArgs = { inherit self inputs; registry = myRegistry; };
-              modules =
-                [
-                  # box-specific config
-                  ./hosts/traffic-stop-box/${toString id}
-
-                  # default modules
-                  sops-nix.nixosModules.sops
-                  ./modules/traffic-stop-box
-                  ./modules/TLMS
-                  {
-                    deployment-TLMS.monitoring.enable = myRegistry.monitoring;
-                  }
-                ] ++ stop-box-modules;
-            };
+            system = myRegistry.arch;
+            specialArgs = { inherit self inputs; registry = myRegistry; };
+            modules =
+              [
+                # box-specific config
+                ./hosts/traffic-stop-box/${toString id}
+
+                # default modules
+                sops-nix.nixosModules.sops
+                ./modules/traffic-stop-box
+                ./modules/TLMS
+                {
+                  deployment-TLMS.monitoring.enable = myRegistry.monitoring;
+                }
+              ] ++ stop-box-modules;
+          };
         }
       );
 

diff --git a/hosts/notice-me-senpai/grafana.nix b/hosts/notice-me-senpai/grafana.nix
@@ -59,7 +59,7 @@ in
             } // (
               if exporter == "r09-receiver" then {
                 scrape_interval = "10s";
-              } else {}
+              } else { }
             );
 
             # generate scraper config

diff --git a/hosts/tram-borzoi/postgres.nix b/hosts/tram-borzoi/postgres.nix
@@ -33,10 +33,7 @@
       }
       {
         name = "borzoi";
-        ensurePermissions = {
-          "DATABASE borzoi" = "ALL PRIVILEGES";
-          "ALL TABLES IN SCHEMA public" = "ALL";
-        };
+        ensureDBOwnership = true;
       }
     ];
   };

diff --git a/hosts/uranus/default.nix b/hosts/uranus/default.nix
@@ -86,6 +86,8 @@ in
 
   };
 
+  networking.firewall.allowedTCPPorts = [ 80 443 8080 22 ];
+
   users.motd = lib.mkForce (builtins.readFile ./motd.txt);
 
   # This value determines the NixOS release from which the default

diff --git a/hosts/uranus/jupyter-container.nix b/hosts/uranus/jupyter-container.nix
@@ -42,7 +42,7 @@ pkgs.dockerTools.buildImage {
         c = get_config()
 
         c.PAMAuthenticator.admin_groups = {'${jupyterAdminGroup}'}
-
+        c.Authenticator.allowed_users = {'marenz', 'oxa', 'tassilo'}
         c.Spawner.notebook_dir='/workdir'
         c.Spawner.default_url='/lab'
       '';
@@ -70,6 +70,8 @@ pkgs.dockerTools.buildImage {
                          jupyterlab \
                          jupyterhub
 
+        # upgrading the db
+        jupyterhub upgrade-db
 
         # off to the races
         jupyterhub --ip=${bind-ip} --port=${toString bind-port} -f /jupyterhub-config.py

diff --git a/modules/TLMS/base.nix b/modules/TLMS/base.nix
@@ -88,6 +88,7 @@ in
 
   users.motd = if config.networking.hostName == "data-hoarder" then prodMotd else regMotd;
 
+  programs.screen.enable = true;
   programs.screen.screenrc = ''
     defscrollback 10000
 

diff --git a/modules/TLMS/wg.nix b/modules/TLMS/wg.nix
@@ -45,7 +45,8 @@ in
       endpointRegistries =
         let
           ep = (lib.filter
-            (x: x.wgAddr4 != registry.wgAddr4 && (!isNull x.publicWireguardEndpoint)) registries);
+            (x: x.wgAddr4 != registry.wgAddr4 && (!isNull x.publicWireguardEndpoint))
+            registries);
         in
         assert lib.assertMsg (lib.length ep == 1) "there should be exactly one endpoint"; ep;
 

diff --git a/modules/data-hoarder/kindergarten.nix b/modules/data-hoarder/kindergarten.nix
@@ -16,15 +16,8 @@
         enableACME = true;
         forceSSL = true;
         locations."~ ^/(de|en)" = {
-          root = if (config.deployment-TLMS.domain == "tlm.solutions") then
-            "${pkgs.kindergarten}"
-          else
-            "${pkgs.kindergarten-staging}";
-          # index = "index.html";
+          root = "${pkgs.kindergarten.override {inherit (config.deployment-TLMS ) domain; }}";
           tryFiles = "$uri /$1/index.html =404";
-          extraConfig = ''
-            more_set_headers "Access-Control-Allow-Credentials: true";
-          '';
         };
         locations."~ ^/(?!en|de)" = {
           extraConfig = ''

diff --git a/modules/data-hoarder/nginx.nix b/modules/data-hoarder/nginx.nix
@@ -20,7 +20,8 @@ let
     # STS
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
   '';
-in {
+in
+{
   networking.firewall.allowedTCPPorts = [ 80 443 ];
 
   security.acme.acceptTerms = true;

diff --git a/modules/data-hoarder/postgres.nix b/modules/data-hoarder/postgres.nix
@@ -1,28 +1,29 @@
 { lib, pkgs, config, inputs, self, registry, ... }: {
 
   services.postgresql = {
-    inherit (registry.postgres) port;
+    settings.port = registry.postgres.port;
     enable = true;
     enableTCPIP = true;
-    authentication = let
-      senpai-ip =
-        self.unevaluatedNixosConfigurations.notice-me-senpai.specialArgs.registry.wgAddr4;
-    in pkgs.lib.mkOverride 10 ''
-      local	all	all	trust
-      host	all	all	127.0.0.1/32	trust
-      host	all	all	::1/128	trust
-      host	tlms	grafana	${senpai-ip}/32	scram-sha-256
-    '';
+    authentication =
+      let
+        senpai-ip =
+          self.unevaluatedNixosConfigurations.notice-me-senpai.specialArgs.registry.wgAddr4;
+      in
+      pkgs.lib.mkOverride 10 ''
+        local	all	all	trust
+        host	all	all	127.0.0.1/32	trust
+        host	all	all	::1/128	trust
+        host	tlms	grafana	${senpai-ip}/32	scram-sha-256
+      '';
     package = pkgs.postgresql_14;
     ensureDatabases = [ "tlms" ];
     ensureUsers = [
-      { name = "grafana"; }
       {
         name = "tlms";
-        ensurePermissions = {
-          "DATABASE tlms" = "ALL PRIVILEGES";
-          "ALL TABLES IN SCHEMA public" = "ALL";
-        };
+        ensureDBOwnership = true;
+      }
+      {
+        name = "grafana";
       }
     ];
   };