Update inputs to fix OpenSSH CVE-2024-6387

This commit is contained in:
Paul-Henri Froidmont 2024-07-02 18:16:26 +02:00
parent 781d6dcfac
commit 053fd23097
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
8 changed files with 118 additions and 120 deletions

118
flake.lock generated

@ -23,11 +23,11 @@
"utils": "utils"
},
"locked": {
"lastModified": 1715699772,
"narHash": "sha256-sKhqIgucN5sI/7UQgBwsonzR4fONjfMr9OcHK/vPits=",
"lastModified": 1718194053,
"narHash": "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "b3ea6f333f9057b77efd9091119ba67089399ced",
"rev": "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a",
"type": "github"
},
"original": {
@ -55,11 +55,11 @@
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
@ -73,11 +73,11 @@
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1712623723,
"narHash": "sha256-jPD5+M+QPyMRk52zfFMIeHdv7yXYJ/yNGqwS0PhYF+E=",
"lastModified": 1719541573,
"narHash": "sha256-9j8Rtv5UWsD4A3jAh8MpopNGmftSAoI8htssmXLu8jU=",
"owner": "reckenrode",
"repo": "nix-foundryvtt",
"rev": "6025615b431170558c3c13f16b549fc0126425e1",
"rev": "1176cc325e5e1d46c7a018663a8e02e699e838ec",
"type": "github"
},
"original": {
@ -102,43 +102,28 @@
"type": "github"
}
},
"nixpkgs-23_05": {
"nixpkgs-24_05": {
"locked": {
"lastModified": 1704290814,
"narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
"lastModified": 1717144377,
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.05",
"type": "indirect"
}
},
"nixpkgs-23_11": {
"locked": {
"lastModified": 1706098335,
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-23.11",
"ref": "nixos-24.05",
"type": "indirect"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1716061101,
"narHash": "sha256-H0eCta7ahEgloGIwE/ihkyGstOGu+kQwAiHvwVoXaA0=",
"lastModified": 1719663039,
"narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e7cc61784ddf51c81487637b3031a6dd2d6673a2",
"rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119",
"type": "github"
},
"original": {
@ -150,11 +135,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1716330097,
"narHash": "sha256-8BO3B7e3BiyIDsaKA0tY8O88rClYRTjvAp66y+VBUeU=",
"lastModified": 1719848872,
"narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5710852ba686cc1fd0d3b8e22b3117d43ba374c2",
"rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8",
"type": "github"
},
"original": {
@ -166,43 +151,43 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1701389149,
"narHash": "sha256-rU1suTIEd5DGCaAXKW6yHoCfR1mnYjOXQFOaH7M23js=",
"lastModified": 1718437845,
"narHash": "sha256-ZT7Oc1g4I4pHVGGjQFnewFVDRLH5cIZhEzODLz9YXeY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5de0b32be6e85dc1a9404c75131316e4ffbc634c",
"rev": "752c634c09ceb50c45e751f8791cb45cb3d46c9e",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.11",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1716361217,
"narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
"lastModified": 1719838683,
"narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
"rev": "d032c1a6dfad4eedec7e35e91986becc699d7d69",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.11",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1705856552,
"narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
"lastModified": 1717602782,
"narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
"rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6",
"type": "github"
},
"original": {
@ -226,21 +211,20 @@
"blobs": "blobs",
"flake-compat": "flake-compat_2",
"nixpkgs": "nixpkgs_4",
"nixpkgs-23_05": "nixpkgs-23_05",
"nixpkgs-23_11": "nixpkgs-23_11",
"nixpkgs-24_05": "nixpkgs-24_05",
"utils": "utils_2"
},
"locked": {
"lastModified": 1706219574,
"narHash": "sha256-qO+8UErk+bXCq2ybHU4GzXG4Ejk4Tk0rnnTPNyypW4g=",
"lastModified": 1718084203,
"narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "e47f3719f1db3e0961a4358d4cb234a0acaa7baf",
"rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
"type": "gitlab"
},
"original": {
"owner": "simple-nixos-mailserver",
"ref": "nixos-23.11",
"ref": "nixos-24.05",
"repo": "nixos-mailserver",
"type": "gitlab"
}
@ -253,11 +237,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1716400300,
"narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
"lastModified": 1719873517,
"narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "b549832718b8946e875c016a4785d204fcfc2e53",
"rev": "a11224af8d824935f363928074b4717ca2e280db",
"type": "github"
},
"original": {
@ -281,6 +265,21 @@
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems"
@ -300,12 +299,15 @@
}
},
"utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1605370193,
"narHash": "sha256-YyMTf3URDL/otKdKgtoMChu4vfVL3vCMkRqpGifhUn0=",
"lastModified": 1709126324,
"narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5021eac20303a61fafe17224c087f5519baed54d",
"rev": "d465f4819400de7c8d874d50b982301f28a84605",
"type": "github"
},
"original": {


@ -1,12 +1,12 @@
{
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.url = "github:serokell/deploy-rs";
simple-nixos-mailserver.url =
"gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
"gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05";
foundryvtt.url = "github:reckenrode/nix-foundryvtt";
};
@ -73,7 +73,7 @@
};
storage1 = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit nixpkgs; };
specialArgs = { inherit nixpkgs inputs; };
modules = [
defaultModuleArgs
sops-nix.nixosModules.sops
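Review bot: Only `sops-nix` is tied to the host nixpkgs via `follows` (L275); `foundryvtt` keeps its own nixpkgs input, which the lock in this same commit records as `nixpkgs_2` at a different nixos-24.05 revision than the root input, and `deploy-rs` likely does the same. Since the stated purpose of the commit is to get the patched OpenSSH onto hosts, packages contributed by those inputs are still built from their separately pinned nixpkgs, not the one bumped here. Consider adding `foundryvtt.inputs.nixpkgs.follows = "nixpkgs";` next to the sops-nix line, and the equivalent for deploy-rs if it exposes a nixpkgs input, so one lock update covers every copy. The `inputs` added to storage1's `specialArgs` (L287) is fine; the other `nixosSystem` calls are outside the hunk, so it is unclear whether they received the same treatment.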


@ -1,9 +1,7 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.custom.services.gitlab-runner;
in
{
let cfg = config.custom.services.gitlab-runner;
in {
options.custom.services.gitlab-runner = {
enable = mkEnableOption "gitlab-runner";
};
@ -35,24 +33,17 @@ in
};
};
config =
let
hostConfig = config;
in
args@{ config, ... }: {
config = let hostConfig = config;
in args@{ config, ... }: {
nix = {
package = pkgs.nixUnstable;
package = pkgs.nixVersions.latest;
extraOptions = ''
experimental-features = nix-command flakes
'';
};
environment.systemPackages = with pkgs; [
git
htop
nload
];
environment.systemPackages = with pkgs; [ git htop nload ];
users.groups.gitlab-runner = { };
users.users.gitlab-runner = {
@ -71,7 +62,8 @@ in
enable = true;
services = {
shell = {
registrationConfigFile = hostConfig.sops.secrets.runnerRegistrationConfig.path;
registrationConfigFile =
hostConfig.sops.secrets.runnerRegistrationConfig.path;
executor = "shell";
tagList = [ "nix" ];
};
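Review bot: `package = pkgs.nixVersions.latest;` (L318) makes the Nix version on the CI runner change with every nixpkgs bump, so a future lock update like this one silently moves the runner to a newer Nix with possibly different defaults. If the runner only needs flakes, `pkgs.nixVersions.stable` (or the default `pkgs.nix`) supports the same `experimental-features` while tracking the release channel; if a specific newer version is really wanted, pin it explicitly and record why, e.g. `# nixVersions.latest: needed for <feature> — revisit on channel bump`. The rest of the hunk is formatting only, and the enclosing `config` function continues outside it.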


@ -126,10 +126,12 @@ in {
max_chunk_age = "1h";
chunk_target_size = 999999;
chunk_retain_period = "30s";
max_transfer_retries = 0;
};
limits_config = { ingestion_rate_mb = 16; };
limits_config = {
ingestion_rate_mb = 16;
allow_structured_metadata = false;
};
schema_config = {
configs = [{
@ -150,7 +152,6 @@ in {
"${config.services.loki.dataDir}/boltdb-index";
cache_location = "${config.services.loki.dataDir}/boltdb-cache";
cache_ttl = "24h";
shared_store = "filesystem";
};
filesystem = {
@ -163,7 +164,7 @@ in {
reject_old_samples_max_age = "168h";
};
chunk_store_config = { max_look_back_period = "0s"; };
querier.engine.max_look_back_period = "0s";
table_manager = {
retention_deletes_enabled = false;
@ -172,7 +173,6 @@ in {
compactor = {
working_directory = "${config.services.loki.dataDir}";
shared_store = "filesystem";
compactor_ring = { kvstore = { store = "inmemory"; }; };
};
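Review bot: With `shared_store` dropped from both the boltdb_shipper block (L361) and the compactor (L374), the backing store is now taken solely from the `object_store` field of the `schema_config.configs` entry that starts at L356 and continues outside the hunk; confirm that entry says `object_store = "filesystem"`, otherwise the index shipper and compactor lose their store once the option is gone. The removal of `max_transfer_retries` (L348) and the added `allow_structured_metadata = false` (L353) read as a Loki 3.x migration, so a one-line comment above `limits_config` naming the Loki version this config targets would help the next channel bump, e.g. `# Aligned with the Loki shipped in nixos-24.05; shared_store/max_transfer_retries were removed upstream.` If retention is ever enabled on the compactor, newer Loki appears to require `delete_request_store` as well, which this change does not set.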


@ -74,11 +74,13 @@ in {
dbpassFile = "${config.sops.secrets.nextcloudDbPassword.path}";
adminpassFile = "${config.sops.secrets.nextcloudAdminPassword.path}";
adminuser = "root";
overwriteProtocol = "https";
defaultPhoneRegion = "BE";
};
extraOptions = { maintenance_window_start = 1; };
settings = {
overwriteProtocol = "https";
default_phone_region = "BE";
maintenance_window_start = 1;
};
phpOptions = {
short_open_tag = "Off";


@ -56,7 +56,7 @@ in {
script = ''
set -u
PSQL() {
psql --port=${toString pgsql.port} "$@"
psql --port=${toString pgsql.settings.port} "$@"
}
PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname = 'synapse'" | grep -q 1 || PSQL -tAc 'CREATE ROLE "synapse"'


@ -3,7 +3,7 @@
networking.firewall.interfaces."eth1".allowedTCPPorts = [
config.services.prometheus.exporters.node.port
config.services.postgresql.port
config.services.postgresql.settings.port
];
sops.secrets = {


@ -272,10 +272,12 @@
services.foundryvtt = {
enable = true;
package = inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_11;
hostName = "vtt.${config.networking.domain}";
language = "fr.core";
proxyPort = 443;
proxySSL = true;
upnp = false;
};
services.nginx.virtualHosts."vtt.${config.networking.domain}" = {