chore: decomission nuage

feat(gustave): use upstream readeck
chore: update deps
2025-03-24 04:40:53 +01:00 · 2025-02-02 17:44:12 +01:00 · 2025-02-02 17:44:03 +01:00 · 2025-02-02 17:42:35 +01:00 · 2025-02-02 17:42:21 +01:00 · 2025-02-02 16:57:24 +01:00
11 changed files with 37 additions and 379 deletions
--- a/lib/mkmachine.nix
+++ b/lib/mkmachine.nix
@ -55,7 +55,6 @@ import "${nixpkgs}/nixos/lib/eval-config.nix" {
          keycloak-keywind = prev.pkgs.callPackage ../packages/keycloak-keywind { };
          hydrasect = prev.pkgs.callPackage ../packages/hydrasect { };
          codeberg-pages-custom = prev.pkgs.callPackage ../packages/codeberg-pages-custom { };
          readeck = prev.pkgs.callPackage ../packages/readeck { };
          uptime-kuma-beta = prev.pkgs.callPackage ../packages/uptime-kuma-beta { };
        })
--- a/lon.lock
+++ b/lon.lock
@ -7,9 +7,9 @@
      "owner": "ryantm",
      "repo": "agenix",
      "branch": "main",
-      "revision": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
+      "revision": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
-      "url": "https://github.com/ryantm/agenix/archive/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41.tar.gz",
+      "url": "https://github.com/ryantm/agenix/archive/e600439ec4c273cf11e06fe4d9d906fb98fa097c.tar.gz",
-      "hash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU="
+      "hash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA="
    },
    "buildbot-nix": {
      "type": "GitHub",
@ -37,9 +37,9 @@
      "owner": "nix-community",
      "repo": "disko",
      "branch": "master",
-      "revision": "f720e64ec37fa16ebba6354eadf310f81555cc07",
+      "revision": "18d0a984cc2bc82cf61df19523a34ad463aa7f54",
-      "url": "https://github.com/nix-community/disko/archive/f720e64ec37fa16ebba6354eadf310f81555cc07.tar.gz",
+      "url": "https://github.com/nix-community/disko/archive/18d0a984cc2bc82cf61df19523a34ad463aa7f54.tar.gz",
-      "hash": "sha256-8hKhPQuMtXfJi+4lPvw3FBk/zSJVHeb726Zo0uF1PP8="
+      "hash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo="
    },
    "dns": {
      "type": "GitHub",
@ -57,9 +57,9 @@
      "owner": "cachix",
      "repo": "git-hooks.nix",
      "branch": "master",
-      "revision": "a5a961387e75ae44cc20f0a57ae463da5e959656",
+      "revision": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17",
-      "url": "https://github.com/cachix/git-hooks.nix/archive/a5a961387e75ae44cc20f0a57ae463da5e959656.tar.gz",
+      "url": "https://github.com/cachix/git-hooks.nix/archive/9364dc02281ce2d37a1f55b6e51f7c0f65a75f17.tar.gz",
-      "hash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110="
+      "hash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg="
    },
    "home-manager": {
      "type": "GitHub",
@ -77,9 +77,9 @@
      "owner": "nix-community",
      "repo": "home-manager",
      "branch": "master",
-      "revision": "fc52a210b60f2f52c74eac41a8647c1573d2071d",
+      "revision": "18fa9f323d8adbb0b7b8b98a8488db308210ed93",
-      "url": "https://github.com/nix-community/home-manager/archive/fc52a210b60f2f52c74eac41a8647c1573d2071d.tar.gz",
+      "url": "https://github.com/nix-community/home-manager/archive/18fa9f323d8adbb0b7b8b98a8488db308210ed93.tar.gz",
-      "hash": "sha256-TY0jUwR3EW0fnS0X5wXMAVy6h4Z7Y6a3m+Yq++C9AyE="
+      "hash": "sha256-4ATtQqBlgsGqkHTemta0ydY6f7JBRXz4Hf574NHQpkg="
    },
    "impermanence": {
      "type": "GitHub",
@ -87,9 +87,9 @@
      "owner": "nix-community",
      "repo": "impermanence",
      "branch": "master",
-      "revision": "c64bed13b562fc3bb454b48773d4155023ac31b7",
+      "revision": "4b3e914cdf97a5b536a889e939fb2fd2b043a170",
-      "url": "https://github.com/nix-community/impermanence/archive/c64bed13b562fc3bb454b48773d4155023ac31b7.tar.gz",
+      "url": "https://github.com/nix-community/impermanence/archive/4b3e914cdf97a5b536a889e939fb2fd2b043a170.tar.gz",
-      "hash": "sha256-1Zl9xahw399UiZSJ9Vxs1W4WRFjO1SsNdVZQD4nghz0="
+      "hash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI="
    },
    "lanzaboote": {
      "type": "GitHub",
@ -97,9 +97,9 @@
      "owner": "nix-community",
      "repo": "lanzaboote",
      "branch": "master",
-      "revision": "93e6f0d77548be8757c11ebda5c4235ef4f3bc67",
+      "revision": "a65905a09e2c43ff63be8c0e86a93712361f871e",
-      "url": "https://github.com/nix-community/lanzaboote/archive/93e6f0d77548be8757c11ebda5c4235ef4f3bc67.tar.gz",
+      "url": "https://github.com/nix-community/lanzaboote/archive/a65905a09e2c43ff63be8c0e86a93712361f871e.tar.gz",
-      "hash": "sha256-S9MgfQjNt4J3I7obdLOVY23h+Yl/hnyibwGfOl+1uOE="
+      "hash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU="
    },
    "lila": {
      "type": "GitHub",
@ -127,9 +127,9 @@
      "owner": "mic92",
      "repo": "nix-index-database",
      "branch": "main",
-      "revision": "271e5bd7c57e1f001693799518b10a02d1123b12",
+      "revision": "46a8f5fc9552b776bfc5c5c96ea3bede33f68f52",
-      "url": "https://github.com/mic92/nix-index-database/archive/271e5bd7c57e1f001693799518b10a02d1123b12.tar.gz",
+      "url": "https://github.com/mic92/nix-index-database/archive/46a8f5fc9552b776bfc5c5c96ea3bede33f68f52.tar.gz",
-      "hash": "sha256-8uolHABgroXqzs03QdulHp8H9e5kWQZnnhcda1MKbBM="
+      "hash": "sha256-PZhUjtvQZOH3PO0EYdTpQvcqkgkq1NkP2A6w9SPHYsk="
    },
    "nixos-anywhere": {
      "type": "GitHub",
@ -137,9 +137,9 @@
      "owner": "nix-community",
      "repo": "nixos-anywhere",
      "branch": "main",
-      "revision": "97b45ac774699b1cfd267e98a8bdecb74bace593",
+      "revision": "d4a3ecf32bd3cc9d243e0a2f37de91bc84b14216",
-      "url": "https://github.com/nix-community/nixos-anywhere/archive/97b45ac774699b1cfd267e98a8bdecb74bace593.tar.gz",
+      "url": "https://github.com/nix-community/nixos-anywhere/archive/d4a3ecf32bd3cc9d243e0a2f37de91bc84b14216.tar.gz",
-      "hash": "sha256-aoTJqEImmpgsol+TyDASuyHW6tuL7NIS8gusUJ/kxyk="
+      "hash": "sha256-2s+b7M2UayudwHQTVSo2RSF1sKbasqCXHYbE3XStVVI="
    },
    "nixpkgs": {
      "type": "GitHub",
@ -147,9 +147,9 @@
      "owner": "nixos",
      "repo": "nixpkgs",
      "branch": "nixos-24.11",
-      "revision": "635e887b48521e912a516625eee7df6cf0eba9c1",
+      "revision": "f6687779bf4c396250831aa5a32cbfeb85bb07a3",
-      "url": "https://github.com/nixos/nixpkgs/archive/635e887b48521e912a516625eee7df6cf0eba9c1.tar.gz",
+      "url": "https://github.com/nixos/nixpkgs/archive/f6687779bf4c396250831aa5a32cbfeb85bb07a3.tar.gz",
-      "hash": "sha256-vH5mXxEvZeoGNkqKoCluhTGfoeXCZ1seYhC2pbMN0sg="
+      "hash": "sha256-5+Hmo4nbqw8FrW85FlNm4IIrRnZ7bn0cmXlScNsNRLo="
    },
    "proxmox": {
      "type": "GitHub",
@ -176,9 +176,9 @@
      "owner": "nixos",
      "repo": "nixpkgs",
      "branch": "nixos-unstable",
-      "revision": "9abb87b552b7f55ac8916b6fc9e5cb486656a2f3",
+      "revision": "3a228057f5b619feb3186e986dbe76278d707b6e",
-      "url": "https://github.com/nixos/nixpkgs/archive/9abb87b552b7f55ac8916b6fc9e5cb486656a2f3.tar.gz",
+      "url": "https://github.com/nixos/nixpkgs/archive/3a228057f5b619feb3186e986dbe76278d707b6e.tar.gz",
-      "hash": "sha256-qwpCtZhSsSNQtK4xYGzMiyEDhkNzOCz/Vfu4oL2ETsQ="
+      "hash": "sha256-xvTo0Aw0+veek7hvEVLzErmJyQkEcRk6PSR4zsRQFEc="
    }
  }
 }
--- a/machines/gallifrey/home-julien.nix
+++ b/machines/gallifrey/home-julien.nix
@ -100,7 +100,6 @@
        zotero
        emacsPackages.jinx
        hunspellDicts.en_US
        rstudio
        forge-sparks
        citations
        blanket
--- a/machines/gustave/default.nix
+++ b/machines/gustave/default.nix
@ -18,6 +18,7 @@
    ./nextcloud.nix
    ./glance.nix
    ./syncthing.nix
    "${inputs.unstable}/nixos/modules/services/web-apps/readeck.nix"
  ];
  machine.meta = {
--- a/machines/gustave/readeck.nix
+++ b/machines/gustave/readeck.nix
@ -1,4 +1,7 @@
-{ config, ... }:
+{ config, inputs, ... }:
 let
  inherit (import inputs.unstable { }) readeck;
 in
 {
  age.secrets."readeck-config".file = ../../secrets/readeck-config.age;
@ -13,6 +16,7 @@
  services.readeck = {
    enable = true;
-    configPath = config.age.secrets."readeck-config".path;
+    package = readeck;
    environmentFile = config.age.secrets."readeck-config".path;
  };
 }
--- a/machines/nuage/default.nix
+++ b/machines/nuage/default.nix
@ -1,153 +0,0 @@
 {
  config,
  pkgs,
  inputs,
  profiles,
  ...
 }:
 {
  imports = [
    ./hardware.nix
    ./home-julien.nix
  ];
  machine.meta = {
    arch = "x86_64-linux";
    nixpkgs_version = inputs.nixpkgs;
    hm_version = inputs.home-manager;
    profiles = with profiles; [
      vm-simple-network
      server
      behind-sniproxy
    ];
    ips = {
      public.ipv4 = "82.67.34.230";
      local.ipv4 = "192.168.0.101";
      vpn.ipv4 = "100.100.45.28";
      public.ipv6 = "2a01:e0a:de4:a0e1:95c9:b2e2:e999:1a45";
      vpn.ipv6 = "fd7a:115c:a1e0::1c";
    };
  };
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
  boot.loader.grub.useOSProber = true;
  deployment.tags = [ "server" ];
  luj.nginx.enable = true;
  services.mysql.enable = true;
  services.mysql.package = pkgs.mariadb;
  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud30;
    https = true;
    hostName = "nuage.malka.family";
    settings.overwriteProtocol = "https";
    config = {
      dbtype = "mysql";
      dbuser = "test";
      dbhost = "localhost"; # nextcloud will add /.s.PGSQL.5432 by itself
      dbname = "nuage";
      dbpassFile = "/srv/nextclouddbpass";
      adminpassFile = "/srv/nextcloudadminpass";
      adminuser = "admin";
    };
  };
  virtualisation = {
    podman = {
      enable = true;
      defaultNetwork.settings = {
        dns_enable = true;
        ipv6_enabled = true;
      };
    };
  };
  virtualisation.oci-containers = {
    containers.collabora = {
      image = "collabora/code";
      imageFile = pkgs.dockerTools.pullImage {
        imageName = "collabora/code";
        imageDigest = "sha256:07da8a191b37058514dfdf921ea8c2270c6634fa659acee774cf8594f86950e4";
        sha256 = "sha256-5oaz07NQScHUVN/HznzZGQ2bGrU/V1GhI+9btXHz0GM=";
      };
      ports = [ "9980:9980" ];
      environment = {
        domain = "nuage.malka.family";
        extra_params = "--o:ssl.enable=false --o:ssl.termination=true --o:remote_font_config.url=https://cloud.dgnum.eu/apps/richdocuments/settings/fonts.json";
      };
      extraOptions = [
        "--network=host"
        "--cap-add"
        "MKNOD"
        "--cap-add"
        "SYS_ADMIN"
      ];
    };
  };
  services.nginx.virtualHosts = {
    "collabora.luj.fr" = {
      forceSSL = true;
      enableACME = true;
      extraConfig = ''
        # static files
        location ^~ /browser {
          proxy_pass http://127.0.0.1:9980;
          proxy_set_header Host $host;
        }
        # WOPI discovery URL
        location ^~ /hosting/discovery {
          proxy_pass http://127.0.0.1:9980;
          proxy_set_header Host $host;
        }
        # Capabilities
        location ^~ /hosting/capabilities {
          proxy_pass http://127.0.0.1:9980;
          proxy_set_header Host $host;
        }
        # main websocket
        location ~ ^/cool/(.*)/ws$ {
          proxy_pass http://127.0.0.1:9980;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
          proxy_set_header Host $host;
          proxy_read_timeout 36000s;
        }
        # download, presentation and image upload
        location ~ ^/(c|l)ool {
          proxy_pass http://127.0.0.1:9980;
          proxy_set_header Host $host;
        }
        # Admin Console websocket
        location ^~ /cool/adminws {
          proxy_pass http://127.0.0.1:9980;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
          proxy_set_header Host $host;
          proxy_read_timeout 36000s;
        }
      '';
    };
  };
  services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
    forceSSL = true;
    enableACME = true;
  };
  system.stateVersion = "22.05";
 }
--- a/machines/nuage/hardware.nix
+++ b/machines/nuage/hardware.nix
@ -1,38 +0,0 @@
 {
  config,
  lib,
  modulesPath,
  ...
 }:
 {
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
  boot.initrd.availableKernelModules = [
    "ata_piix"
    "uhci_hcd"
    "virtio_pci"
    "virtio_scsi"
    "sd_mod"
    "sr_mod"
  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/7b68596b-75f2-457f-a43c-7b39a2f08437";
    fsType = "ext4";
  };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/machines/nuage/home-julien.nix
+++ b/machines/nuage/home-julien.nix
@ -1 +0,0 @@
 _: { luj.hmgr.julien = { }; }
--- a/modules/readeck/default.nix
+++ b/modules/readeck/default.nix
@ -1,71 +0,0 @@
 {
  config,
  pkgs,
  lib,
  ...
 }:
 with lib;
 let
  cfg = config.services.readeck;
 in
 {
  meta.maintainers = [ lib.maintainers.julienmalka ];
  options = {
    services.readeck = {
      enable = mkEnableOption "Readeck";
      package = mkPackageOption pkgs "readeck" { };
      configPath = mkOption {
        type = with types; nullOr str;
        default = null;
        description = "Path to file containing config.";
      };
    };
  };
  config = mkIf cfg.enable {
    systemd.services.readeck = {
      description = "Readeck";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "simple";
        StateDirectory = "readeck";
        LoadCredential = "config:${cfg.configPath}";
        WorkingDirectory = "/var/lib/readeck";
        DynamicUser = true;
        ExecStart = "${lib.getExe cfg.package} serve -config \${CREDENTIALS_DIRECTORY}/config";
        ProtectSystem = "full";
        SystemCallArchitectures = "native";
        MemoryDenyWriteExecute = true;
        NoNewPrivileges = true;
        PrivateTmp = true;
        PrivateDevices = true;
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
          "AF_UNIX"
          "AF_NETLINK"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        DevicePolicy = "closed";
        ProtectClock = true;
        ProtectHostname = true;
        ProtectProc = "invisible";
        ProtectControlGroups = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        LockPersonality = true;
        Restart = "on-failure";
      };
    };
  };
 }
--- a/packages/readeck/default.nix
+++ b/packages/readeck/default.nix
@ -1,82 +0,0 @@
 {
  fetchFromGitea,
  fetchNpmDeps,
  buildGoModule,
  nodejs,
  npmHooks,
  lib,
 }:
 let
  file-compose = buildGoModule rec {
    pname = "file-compose";
    version = "unstable-2023-10-21";
    src = fetchFromGitea {
      domain = "codeberg.org";
      owner = "readeck";
      repo = "file-compose";
      rev = "afa938655d412556a0db74b202f9bcc1c40d8579";
      hash = "sha256-rMANRqUQRQ8ahlxuH1sWjlGpNvbReBOXIkmBim/wU2o=";
    };
    vendorHash = "sha256-Qwixx3Evbf+53OFeS3Zr7QCkRMfgqc9hUA4eqEBaY0c=";
  };
 in
 buildGoModule rec {
  pname = "readeck";
  version = "0.16.0";
  src = fetchFromGitea {
    domain = "codeberg.org";
    owner = "readeck";
    repo = "readeck";
    rev = version;
    hash = "sha256-jRfB7OqE6N8AdXojEn0bYfSScOa8Mpr0s4YtqcQ8V6U=";
  };
  nativeBuildInputs = [
    nodejs
    npmHooks.npmConfigHook
  ];
  npmRoot = "web";
  NODE_PATH = "$npmDeps";
  preBuild = ''
    make web-build
    ${file-compose}/bin/file-compose -format json docs/api/api.yaml docs/assets/api.json
    go run ./tools/docs docs/src docs/assets
  '';
  tags = [
    "netgo"
    "osusergo"
    "sqlite_omit_load_extension"
    "sqlite_foreign_keys"
    "sqlite_json1"
    "sqlite_fts5"
    "sqlite_secure_delete"
  ];
  overrideModAttrs = oldAttrs: {
    # Do not add `npmConfigHook` to `goModules`
    nativeBuildInputs = lib.remove npmHooks.npmConfigHook oldAttrs.nativeBuildInputs;
    # Do not run `preBuild` when building `goModules`
    preBuild = null;
  };
  npmDeps = fetchNpmDeps {
    src = "${src}/web";
    hash = "sha256-D9G1m8nChHNAlLKfhph4gJoV8aKA2le0dZtDHobotlU=";
  };
  vendorHash = "sha256-RaIcXplmtcgKndRlt0HDG/lfBPtvbLpkPdj7UEqG5ys=";
  meta.mainProgram = "readeck";
 }
--- a/secrets/readeck-config.age
+++ b/secrets/readeck-config.age
Author	SHA1	Message	Date
Julien Malka	140c84b18b	chore: decomission nuage	2025-02-02 17:44:12 +01:00
Julien Malka	fbe8d060c5	feat(gustave): use upstream readeck	2025-02-02 17:44:03 +01:00
Julien Malka	95d72019e1	chore: update deps	2025-02-02 17:42:35 +01:00
Julien Malka	0a38e4034a	fix(gallifrey): remove rstudio (build failure)	2025-02-02 17:42:21 +01:00
Julien Malka	ad63a9e43a	chore: delete readeck	2025-02-02 16:57:24 +01:00
Julien Malka	5118ad078c	chore: delete readeck as it has been merged upstream	2025-02-02 16:56:47 +01:00