Update inputs to fix OpenSSH CVE-2024-6387

This commit is contained in:
Paul-Henri Froidmont 2024-07-02 18:16:26 +02:00
parent 781d6dcfac
commit 053fd23097
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
8 changed files with 118 additions and 120 deletions

flake.lock generated

@ -23,11 +23,11 @@
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1715699772, "lastModified": 1718194053,
"narHash": "sha256-sKhqIgucN5sI/7UQgBwsonzR4fONjfMr9OcHK/vPits=", "narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
"owner": "serokell", "owner": "serokell",
"repo": "deploy-rs", "repo": "deploy-rs",
"rev": "b3ea6f333f9057b77efd9091119ba67089399ced", "rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -55,11 +55,11 @@
"flake-compat_2": { "flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1668681692, "lastModified": 1696426674,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1", "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -73,11 +73,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1712623723, "lastModified": 1719541573,
"narHash": "sha256-jPD5+M+QPyMRk52zfFMIeHdv7yXYJ/yNGqwS0PhYF+E=", "narHash": "sha256-9j8Rtv5UWsD4A3jAh8MpopNGmftSAoI8htssmXLu8jU=",
"owner": "reckenrode", "owner": "reckenrode",
"repo": "nix-foundryvtt", "repo": "nix-foundryvtt",
"rev": "6025615b431170558c3c13f16b549fc0126425e1", "rev": "1176cc325e5e1d46c7a018663a8e02e699e838ec",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -102,43 +102,28 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-23_05": { "nixpkgs-24_05": {
"locked": { "locked": {
"lastModified": 1704290814, "lastModified": 1717144377,
"narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", "rev": "805a384895c696f802a9bf5bf4720f37385df547",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "id": "nixpkgs",
"ref": "nixos-23.05", "ref": "nixos-24.05",
"type": "indirect"
}
},
"nixpkgs-23_11": {
"locked": {
"lastModified": 1706098335,
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.11",
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1716061101, "lastModified": 1719663039,
"narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=", "narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2", "rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -150,11 +135,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1716330097, "lastModified": 1719848872,
"narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=", "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2", "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -166,43 +151,43 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1701389149, "lastModified": 1718437845,
"narHash": "sha256-rU1suTIEd5DGCaAXKW6yHoCfR1mnYjOXQFOaH7M23js=", "narHash": "sha256-ZT7Oc1g4I4pHVGGjQFnewFVDRLH5cIZhEzODLz9YXeY=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5de0b32be6e85dc1a9404c75131316e4ffbc634c", "rev": "752c634c09ceb50c45e751f8791cb45cb3d46c9e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-23.11", "ref": "nixos-24.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1716361217, "lastModified": 1719838683,
"narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=", "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f", "rev": "d032c1a6dfad4eedec7e35e91986becc699d7d69",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "nixos",
"ref": "nixos-23.11", "ref": "nixos-24.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1705856552, "lastModified": 1717602782,
"narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -226,21 +211,20 @@
"blobs": "blobs", "blobs": "blobs",
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_2",
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_4",
"nixpkgs-23_05": "nixpkgs-23_05", "nixpkgs-24_05": "nixpkgs-24_05",
"nixpkgs-23_11": "nixpkgs-23_11",
"utils": "utils_2" "utils": "utils_2"
}, },
"locked": { "locked": {
"lastModified": 1706219574, "lastModified": 1718084203,
"narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=", "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf", "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
"owner": "simple-nixos-mailserver", "owner": "simple-nixos-mailserver",
"ref": "nixos-23.11", "ref": "nixos-24.05",
"repo": "nixos-mailserver", "repo": "nixos-mailserver",
"type": "gitlab" "type": "gitlab"
} }
@ -253,11 +237,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1716400300, "lastModified": 1719873517,
"narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=", "narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "b549832718b8946e875c016a4785d204fcfc2e53", "rev": "a11224af8d824935f363928074b4717ca2e280db",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -281,6 +265,21 @@
"type": "github" "type": "github"
} }
}, },
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": { "utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": "systems"
@ -300,12 +299,15 @@
} }
}, },
"utils_2": { "utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": { "locked": {
"lastModified": 1605370193, "lastModified": 1709126324,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=", "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d", "rev": "d465f4819400de7c8d874d50b982301f28a84605",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -1,12 +1,12 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.url = "github:serokell/deploy-rs";
simple-nixos-mailserver.url = simple-nixos-mailserver.url =
"gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11"; "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
foundryvtt.url = "github:reckenrode/nix-foundryvtt"; foundryvtt.url = "github:reckenrode/nix-foundryvtt";
}; };
@ -73,7 +73,7 @@
}; };
storage1 = nixpkgs.lib.nixosSystem { storage1 = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
specialArgs = { inherit nixpkgs; }; specialArgs = { inherit nixpkgs inputs; };
modules = [ modules = [
defaultModuleArgs defaultModuleArgs
sops-nix.nixosModules.sops sops-nix.nixosModules.sops
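Review bot: The `simple-nixos-mailserver` input in the first hunk still has no `inputs.nixpkgs.follows = "nixpkgs";` line, while `sops-nix` has one, so the lock carries a separate nixpkgs node for it (`nixpkgs_4`, lastModified 1717602782 in the flake.lock section) that is older than either nixos-24.05 node the root can resolve to. For a commit whose purpose is the OpenSSH fix, anything built from that older node would not carry it; if the mailserver modules only use the host `pkgs` this is harmless, but adding `simple-nixos-mailserver.inputs.nixpkgs.follows = "nixpkgs";` next to the `sops-nix` line removes the doubt and shrinks the lock. The commit description could also record the OpenSSH version the new pin resolves to, since nothing in the diff shows it. The `inherit nixpkgs inputs` in the second hunk relies on `inputs` being bound by the outputs function, which is outside the hunk.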


@ -1,9 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib; with lib;
let let cfg = config.custom.services.gitlab-runner;
cfg = config.custom.services.gitlab-runner; in {
in
{
options.custom.services.gitlab-runner = { options.custom.services.gitlab-runner = {
enable = mkEnableOption "gitlab-runner"; enable = mkEnableOption "gitlab-runner";
}; };
@ -35,58 +33,52 @@ in
}; };
}; };
config = config = let hostConfig = config;
let in args@{ config, ... }: {
hostConfig = config;
in
args@{ config, ... }: {
nix = { nix = {
package = pkgs.nixUnstable; package = pkgs.nixVersions.latest;
extraOptions = '' extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
'';
};
environment.systemPackages = with pkgs; [
git
htop
nload
];
users.groups.gitlab-runner = { };
users.users.gitlab-runner = {
isSystemUser = true;
group = config.users.groups.gitlab-runner.name;
};
programs.ssh.extraConfig = ''
StrictHostKeyChecking=no
UserKnownHostsFile=/dev/null
''; '';
};
services = { environment.systemPackages = with pkgs; [ git htop nload ];
openssh.enable = true;
gitlab-runner = { users.groups.gitlab-runner = { };
enable = true; users.users.gitlab-runner = {
services = { isSystemUser = true;
shell = { group = config.users.groups.gitlab-runner.name;
registrationConfigFile = hostConfig.sops.secrets.runnerRegistrationConfig.path; };
executor = "shell";
tagList = [ "nix" ]; programs.ssh.extraConfig = ''
}; StrictHostKeyChecking=no
UserKnownHostsFile=/dev/null
'';
services = {
openssh.enable = true;
gitlab-runner = {
enable = true;
services = {
shell = {
registrationConfigFile =
hostConfig.sops.secrets.runnerRegistrationConfig.path;
executor = "shell";
tagList = [ "nix" ];
}; };
}; };
}; };
systemd.services.gitlab-runner.serviceConfig = {
DynamicUser = lib.mkForce false;
User = config.users.users.gitlab-runner.name;
Group = config.users.groups.gitlab-runner.name;
};
system.stateVersion = "22.05";
}; };
systemd.services.gitlab-runner.serviceConfig = {
DynamicUser = lib.mkForce false;
User = config.users.users.gitlab-runner.name;
Group = config.users.groups.gitlab-runner.name;
};
system.stateVersion = "22.05";
};
}; };
}; };
} }
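Review bot: The container's SSH client config kept on the new side (`programs.ssh.extraConfig`, just above the `services` block) still disables host-key verification globally with `StrictHostKeyChecking=no` plus `UserKnownHostsFile=/dev/null`, so a runner job that clones or pushes over SSH cannot notice a substituted host; the reformat was the moment to tighten it. Dropping the `/dev/null` line and using `StrictHostKeyChecking=accept-new` keeps first-contact convenience while pinning keys afterwards, or the relaxation can be limited to a `Host <gitlab-host>` block. Separately, `package = pkgs.nixVersions.latest;` follows whatever the newest Nix on the channel is, as the old `nixUnstable` did; if the runner is meant to be reproducible, a comment saying the tracking is intended, or `pkgs.nixVersions.stable`, would make that explicit. The `config` attribute begins and closes inside this hunk, but the `options` block above it is outside.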


@ -126,10 +126,12 @@ in {
max_chunk_age = "1h"; max_chunk_age = "1h";
chunk_target_size = 999999; chunk_target_size = 999999;
chunk_retain_period = "30s"; chunk_retain_period = "30s";
max_transfer_retries = 0;
}; };
limits_config = { ingestion_rate_mb = 16; }; limits_config = {
ingestion_rate_mb = 16;
allow_structured_metadata = false;
};
schema_config = { schema_config = {
configs = [{ configs = [{
@ -150,7 +152,6 @@ in {
"${config.services.loki.dataDir}/boltdb-index"; "${config.services.loki.dataDir}/boltdb-index";
cache_location = "${config.services.loki.dataDir}/boltdb-cache"; cache_location = "${config.services.loki.dataDir}/boltdb-cache";
cache_ttl = "24h"; cache_ttl = "24h";
shared_store = "filesystem";
}; };
filesystem = { filesystem = {
@ -163,7 +164,7 @@ in {
reject_old_samples_max_age = "168h"; reject_old_samples_max_age = "168h";
}; };
chunk_store_config = { max_look_back_period = "0s"; }; querier.engine.max_look_back_period = "0s";
table_manager = { table_manager = {
retention_deletes_enabled = false; retention_deletes_enabled = false;
@ -172,7 +173,6 @@ in {
compactor = { compactor = {
working_directory = "${config.services.loki.dataDir}"; working_directory = "${config.services.loki.dataDir}";
shared_store = "filesystem";
compactor_ring = { kvstore = { store = "inmemory"; }; }; compactor_ring = { kvstore = { store = "inmemory"; }; };
}; };
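Review bot: The four hunks in this file rewrite Loki keys (`allow_structured_metadata = false`, the removed `shared_store` and `max_transfer_retries`, the move of `max_look_back_period` under `querier.engine`) without a word on why, and the commit message does not cover it either; presumably these are the breaking config changes of the Loki release that arrives with the 24.05 bump. A comment at `limits_config` such as `# Loki 3.x: structured metadata is on by default but needs a v13/tsdb schema; keep it off while boltdb-shipper is in use`, and one at the compactor noting that `shared_store` is now derived from the storage config, would spare the next reader a changelog dive. Whether the schema in `schema_config` (its `configs` list runs past the first hunk) actually matches that assumption cannot be checked from here.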


@ -74,11 +74,13 @@ in {
dbpassFile = "${config.sops.secrets.nextcloudDbPassword.path}"; dbpassFile = "${config.sops.secrets.nextcloudDbPassword.path}";
adminpassFile = "${config.sops.secrets.nextcloudAdminPassword.path}"; adminpassFile = "${config.sops.secrets.nextcloudAdminPassword.path}";
adminuser = "root"; adminuser = "root";
overwriteProtocol = "https";
defaultPhoneRegion = "BE";
}; };
extraOptions = { maintenance_window_start = 1; }; settings = {
overwriteProtocol = "https";
default_phone_region = "BE";
maintenance_window_start = 1;
};
phpOptions = { phpOptions = {
short_open_tag = "Off"; short_open_tag = "Off";
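Review bot: `overwriteProtocol = "https";` inside the new `settings` block keeps the camelCase name of the removed `config.overwriteProtocol` option, but `settings` is emitted into config.php essentially as-is and Nextcloud's key is all lowercase (`overwriteprotocol`), so the override is presumably dropped and Nextcloud behind the TLS-terminating proxy would generate `http://` URLs for redirects and links; the sibling key was correctly renamed to `default_phone_region`. The line should read `overwriteprotocol = "https";`. A look at the generated config.php after deploy is worthwhile, since an unknown freeform key fails silently.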


@ -56,7 +56,7 @@ in {
script = '' script = ''
set -u set -u
PSQL() { PSQL() {
psql --port=${toString pgsql.port} "$@" psql --port=${toString pgsql.settings.port} "$@"
} }
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "synapse"' PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "synapse"'


@ -3,7 +3,7 @@
networking.firewall.interfaces."eth1".allowedTCPPorts = [ networking.firewall.interfaces."eth1".allowedTCPPorts = [
config.services.prometheus.exporters.node.port config.services.prometheus.exporters.node.port
config.services.postgresql.port config.services.postgresql.settings.port
]; ];
sops.secrets = { sops.secrets = {


@ -272,10 +272,12 @@
services.foundryvtt = { services.foundryvtt = {
enable = true; enable = true;
package = inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_11;
hostName = "vtt.${config.networking.domain}"; hostName = "vtt.${config.networking.domain}";
language = "fr.core"; language = "fr.core";
proxyPort = 443; proxyPort = 443;
proxySSL = true; proxySSL = true;
upnp = false;
}; };
services.nginx.virtualHosts."vtt.${config.networking.domain}" = { services.nginx.virtualHosts."vtt.${config.networking.domain}" = {
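Review bot: `package = inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_11;` pins the major version with no comment on why 11 rather than the flake's default, and it reads `inputs`, which only reaches modules through the `specialArgs` change made for `storage1` in flake.nix, so this file must belong to that host and accept `inputs` in its argument list (its header is outside the hunk). A one-line note such as `# v11 pinned on purpose: <reason for not following the nix-foundryvtt default>` would record the intent, and `pkgs.stdenv.hostPlatform.system` is the preferred spelling of `pkgs.system`. `upnp = false;` is a welcome addition, presumably keeping Foundry from requesting a UPnP port mapping on the gateway when nginx already fronts it, and deserves the same short comment.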