diff --git a/non-critical-infra/hosts/caliban.nixos.org/default.nix b/non-critical-infra/hosts/caliban.nixos.org/default.nix
index 8b268543..c5ea015b 100644
--- a/non-critical-infra/hosts/caliban.nixos.org/default.nix
+++ b/non-critical-infra/hosts/caliban.nixos.org/default.nix
@@ -13,6 +13,7 @@
 ../../modules/matrix-synapse.nix
 ../../modules/owncast.nix
 ../../modules/vaultwarden.nix
+ ./limesurvey-tmp.nix
 ];
 
 # Bootloader.
diff --git a/non-critical-infra/hosts/caliban.nixos.org/limesurvey-tmp.nix b/non-critical-infra/hosts/caliban.nixos.org/limesurvey-tmp.nix
new file mode 100644
index 00000000..2fae3b42
--- /dev/null
+++ b/non-critical-infra/hosts/caliban.nixos.org/limesurvey-tmp.nix
@@ -0,0 +1,31 @@
+# the content of this file should be put in the modules folder once the actual module has been upstreamed
+# PR: https://github.com/NixOS/nixpkgs/pull/325665/
+{ config, pkgs, ... }:
+{
+ disabledModules = [ "services/web-apps/limesurvey.nix" ];
+
+ imports = [ ../../modules/limesurvey.nix ];
+
+ services.limesurvey = {
+ enable = true;
+ encryptionKeyFile = config.sops.secrets.limesurvey-encryption-key.path;
+ encryptionNonceFile = config.sops.secrets.limesurvey-encryption-nonce.path;
+ virtualHost = {
+ serverName = "survey.nixos.org";
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+
+ sops.secrets.limesurvey-encryption-key = {
+ format = "binary";
+ sopsFile = ../../secrets/limesurvey-encryption-key.caliban;
+ };
+
+ sops.secrets.limesurvey-encryption-nonce = {
+ format = "binary";
+ sopsFile = ../../secrets/limesurvey-encryption-nonce.caliban;
+ };
+
+
+}
diff --git a/non-critical-infra/modules/limesurvey.nix b/non-critical-infra/modules/limesurvey.nix
new file mode 100644
index 00000000..a799406e
--- /dev/null
+++ b/non-critical-infra/modules/limesurvey.nix
@@ -0,0 +1,373 @@ +{ config, lib, pkgs, inputs, ... }: + +let + + inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption mkPackageOption; + inherit (lib) literalExpression mapAttrs optional optionalString types recursiveUpdate; + + cfg = config.services.limesurvey; + fpm = config.services.phpfpm.pools.limesurvey; + + user = "limesurvey"; + group = config.services.nginx.group; + stateDir = "/var/lib/limesurvey"; + + configType = with types; oneOf [ (attrsOf configType) str int bool ] // { + description = "limesurvey config type (str, int, bool or attribute set thereof)"; + }; + + limesurveyConfig = pkgs.writeText "config.php" '' + [ + 'encryptionnonce' => \trim(\file_get_contents(\getenv('CREDENTIALS_DIRECTORY') . DIRECTORY_SEPARATOR . 'encryption_nonce')), + 'encryptionsecretboxkey' => \trim(\file_get_contents(\getenv('CREDENTIALS_DIRECTORY') . DIRECTORY_SEPARATOR . 'encryption_key')), + ] + ] + ); + ?> + ''; + + mysqlLocal = cfg.database.createLocally && cfg.database.type == "mysql"; + pgsqlLocal = cfg.database.createLocally && cfg.database.type == "pgsql"; + +in +{ + # interface + + options.services.limesurvey = { + enable = mkEnableOption "Limesurvey web application"; + + package = mkPackageOption pkgs "limesurvey" { }; + + encryptionKey = mkOption { + type = types.nullOr types.str; + default = null; + visible = false; + description = '' + This is a 32-byte key used to encrypt variables in the database. + You _must_ change this from the default value. + ''; + }; + + encryptionNonce = mkOption { + type = types.nullOr types.str; + default = null; + visible = false; + description = '' + This is a 24-byte nonce used to encrypt variables in the database. + You _must_ change this from the default value. + ''; + }; + + encryptionKeyFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + 32-byte key used to encrypt variables in the database. 
+ + Note: It should be string not a store path in order to prevent the password from being world readable + ''; + }; + + encryptionNonceFile = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + 24-byte used to encrypt variables in the database. + + Note: It should be string not a store path in order to prevent the password from being world readable + ''; + }; + + database = { + type = mkOption { + type = types.enum [ "mysql" "pgsql" "odbc" "mssql" ]; + example = "pgsql"; + default = "mysql"; + description = "Database engine to use."; + }; + + dbEngine = mkOption { + type = types.enum [ "MyISAM" "InnoDB" ]; + default = "InnoDB"; + description = "Database storage engine to use."; + }; + + host = mkOption { + type = types.str; + default = "localhost"; + description = "Database host address."; + }; + + port = mkOption { + type = types.port; + default = if cfg.database.type == "pgsql" then 5442 else 3306; + defaultText = literalExpression "3306"; + description = "Database host port."; + }; + + name = mkOption { + type = types.str; + default = "limesurvey"; + description = "Database name."; + }; + + user = mkOption { + type = types.str; + default = "limesurvey"; + description = "Database user."; + }; + + passwordFile = mkOption { + type = types.nullOr types.path; + default = null; + example = "/run/keys/limesurvey-dbpassword"; + description = '' + A file containing the password corresponding to + {option}`database.user`. 
+ ''; + }; + + socket = mkOption { + type = types.nullOr types.path; + default = + if mysqlLocal then "/run/mysqld/mysqld.sock" + else if pgsqlLocal then "/run/postgresql" + else null + ; + defaultText = literalExpression "/run/mysqld/mysqld.sock"; + description = "Path to the unix socket file to use for authentication."; + }; + + createLocally = mkOption { + type = types.bool; + default = cfg.database.type == "mysql"; + defaultText = literalExpression "true"; + description = '' + Create the database and database user locally. + This currently only applies if database type "mysql" is selected. + ''; + }; + }; + + virtualHost = mkOption { + type = types.submodule ( + recursiveUpdate + (import "${inputs.nixpkgs}/nixos/modules/services/web-servers/nginx/vhost-options.nix" { inherit config lib; }) + { } + ); + example = literalExpression '' + { + serverName = "survey.example.org"; + forceSSL = true; + enableACME = true; + } + ''; + description = '' + Nginx configuration can be done by adapting `services.nginx.virtualHosts.`. + See [](#opt-services.nginx.virtualHosts) for further information. + ''; + }; + + poolConfig = mkOption { + type = with types; attrsOf (oneOf [ str int bool ]); + default = { + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 4; + "pm.max_requests" = 500; + }; + description = '' + Options for the LimeSurvey PHP pool. See the documentation on `php-fpm.conf` + for details on configuration directives. + ''; + }; + + config = mkOption { + type = configType; + default = { }; + description = '' + LimeSurvey configuration. Refer to + + for details on supported values. 
+ ''; + }; + }; + + # implementation + + config = mkIf cfg.enable { + + assertions = [ + { + assertion = cfg.database.createLocally -> cfg.database.type == "mysql"; + message = "services.limesurvey.createLocally is currently only supported for database type 'mysql'"; + } + { + assertion = cfg.database.createLocally -> cfg.database.user == user; + message = "services.limesurvey.database.user must be set to ${user} if services.limesurvey.database.createLocally is set true"; + } + { + assertion = cfg.database.createLocally -> cfg.database.socket != null; + message = "services.limesurvey.database.socket must be set if services.limesurvey.database.createLocally is set to true"; + } + { + assertion = cfg.database.createLocally -> cfg.database.passwordFile == null; + message = "a password cannot be specified if services.limesurvey.database.createLocally is set to true"; + } + { + assertion = cfg.encryptionKey != null || cfg.encryptionKeyFile != null; + message = '' + You must set `services.limesurvey.encryptionKeyFile` to a file containing a 32-character uppercase hex string. + + If this message appears when updating your system, please turn off encryption + in the LimeSurvey interface and create backups before filling the key. + ''; + } + { + assertion = cfg.encryptionNonce != null || cfg.encryptionNonceFile != null; + message = '' + You must set `services.limesurvey.encryptionNonceFile` to a file containing a 24-character uppercase hex string. + + If this message appears when updating your system, please turn off encryption + in the LimeSurvey interface and create backups before filling the nonce. 
+ ''; + } + ]; + + services.limesurvey.config = mapAttrs (name: mkDefault) { + runtimePath = "${stateDir}/tmp/runtime"; + components = { + db = { + connectionString = "${cfg.database.type}:dbname=${cfg.database.name};host=${if pgsqlLocal then cfg.database.socket else cfg.database.host};port=${toString cfg.database.port}" + + optionalString mysqlLocal ";socket=${cfg.database.socket}"; + username = cfg.database.user; + password = mkIf (cfg.database.passwordFile != null) "file_get_contents(\"${toString cfg.database.passwordFile}\");"; + tablePrefix = "limesurvey_"; + }; + assetManager.basePath = "${stateDir}/tmp/assets"; + urlManager = { + urlFormat = "path"; + showScriptName = false; + }; + }; + config = { + tempdir = "${stateDir}/tmp"; + uploaddir = "${stateDir}/upload"; + userquestionthemerootdir = "${stateDir}/upload/themes/question"; + force_ssl = mkIf (cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL) "on"; + config.defaultlang = "en"; + }; + }; + + services.mysql = mkIf mysqlLocal { + enable = true; + package = mkDefault pkgs.mariadb; + ensureDatabases = [ cfg.database.name ]; + ensureUsers = [ + { + name = cfg.database.user; + ensurePermissions = { + "${cfg.database.name}.*" = "SELECT, CREATE, INSERT, UPDATE, DELETE, ALTER, DROP, INDEX"; + }; + } + ]; + }; + + services.phpfpm.pools.limesurvey = { + inherit user group; + phpPackage = pkgs.php81; + phpEnv.DBENGINE = "${cfg.database.dbEngine}"; + phpEnv.LIMESURVEY_CONFIG = "${limesurveyConfig}"; + # App code cannot access credentials directly since the service starts + # with the root user so we copy the credentials to a place accessible to Limesurvey + phpEnv.CREDENTIALS_DIRECTORY = "${stateDir}/credentials"; + settings = { + "listen.owner" = config.services.nginx.user; + "listen.group" = config.services.nginx.group; + } // cfg.poolConfig; + }; + systemd.services.phpfpm-limesurvey.serviceConfig = { + ExecStartPre = pkgs.writeShellScript "limesurvey-phpfpm-exec-pre" '' + cp -f 
"''${CREDENTIALS_DIRECTORY}"/encryption_key "${stateDir}/credentials/encryption_key" + chown ${user}:${group} "${stateDir}/credentials/encryption_key" + cp -f "''${CREDENTIALS_DIRECTORY}"/encryption_nonce "${stateDir}/credentials/encryption_nonce" + chown ${user}:${group} "${stateDir}/credentials/encryption_nonce" + ''; + LoadCredential = [ + "encryption_key:${if cfg.encryptionKeyFile != null then cfg.encryptionKeyFile else pkgs.writeText "key" cfg.encryptionKey}" + "encryption_nonce:${if cfg.encryptionNonceFile != null then cfg.encryptionNonceFile else pkgs.writeText "nonce" cfg.encryptionKey}" + ]; + }; + + + services.nginx = { + enable = true; + virtualHosts.${cfg.virtualHost.serverName} = lib.mkMerge [ + cfg.virtualHost + { + root = lib.mkForce "${cfg.package}/share/limesurvey"; + locations = { + "/" = { + index = "index.php"; + tryFiles = "$uri /index.php?$args"; + }; + + "~ \.php$".extraConfig = '' + fastcgi_pass unix:${config.services.phpfpm.pools."limesurvey".socket}; + ''; + "/tmp".root = "/var/lib/limesurvey"; + "/upload/".root = "/var/lib/limesurvey"; + + }; + } + ]; + }; + + systemd.tmpfiles.rules = [ + "d ${stateDir} 0750 ${user} ${group} - -" + "d ${stateDir}/tmp 0750 ${user} ${group} - -" + "d ${stateDir}/tmp/assets 0750 ${user} ${group} - -" + "d ${stateDir}/tmp/runtime 0750 ${user} ${group} - -" + "d ${stateDir}/tmp/upload 0750 ${user} ${group} - -" + "d ${stateDir}/credentials 0700 ${user} ${group} - -" + "C ${stateDir}/upload 0750 ${user} ${group} - ${cfg.package}/share/limesurvey/upload" + ]; + + systemd.services.limesurvey-init = { + wantedBy = [ "multi-user.target" ]; + before = [ "phpfpm-limesurvey.service" ]; + after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; + environment.DBENGINE = "${cfg.database.dbEngine}"; + environment.LIMESURVEY_CONFIG = limesurveyConfig; + script = '' + # update or install the database as required + ${pkgs.php81}/bin/php 
${cfg.package}/share/limesurvey/application/commands/console.php updatedb || \ + ${pkgs.php81}/bin/php ${cfg.package}/share/limesurvey/application/commands/console.php install admin password admin admin@example.com verbose + ''; + serviceConfig = { + User = user; + Group = group; + Type = "oneshot"; + LoadCredential = [ + "encryption_key:${if cfg.encryptionKeyFile != null then cfg.encryptionKeyFile else pkgs.writeText "key" cfg.encryptionKey}" + "encryption_nonce:${if cfg.encryptionNonceFile != null then cfg.encryptionNonceFile else pkgs.writeText "nonce" cfg.encryptionKey}" + ]; + }; + }; + + systemd.services.nginx.after = optional mysqlLocal "mysql.service" ++ optional pgsqlLocal "postgresql.service"; + + users.users.${user} = { + group = group; + isSystemUser = true; + }; + + }; +} + diff --git a/non-critical-infra/secrets/limesurvey-encryption-key.caliban b/non-critical-infra/secrets/limesurvey-encryption-key.caliban new file mode 100644 index 00000000..e3c5de47 --- /dev/null +++ b/non-critical-infra/secrets/limesurvey-encryption-key.caliban 
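Review bot: In both `LoadCredential` lists (on `phpfpm-limesurvey` and on `limesurvey-init`) the `encryption_nonce` fallback is built from `cfg.encryptionKey`, so a configuration that sets `encryptionNonce` rather than `encryptionNonceFile` would load the key as the nonce, or fail to evaluate when `encryptionKey` is null; it should read `pkgs.writeText "nonce" cfg.encryptionNonce`. Both `pkgs.writeText` fallbacks also place the value in the Nix store, which is the world-readable location the `*File` option descriptions warn about, so a comment such as `# legacy path: value ends up in the world-readable store, prefer the *File options` above them would help. Separately, the `limesurvey-init` script falls back to `console.php install admin password admin admin@example.com`, which appears to create the first administrator with a fixed password on a vhost that gets ACME and a public DNS name in this commit; reading the initial password from a credential, or documenting that it must be rotated before the site is reachable, would close that window.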
@@ -0,0 +1,32 @@ +{ + "data": "ENC[AES256_GCM,data:dV2y0TNxJ4prwwmKI9U1V+gVuO4AInOW4rRNl55jg4X+FyI81K6xGWFnmTwgvPornrGslw7KXnX03LNsA8HAyWE=,iv:arEPrkNSzi1lUUc0Lutfa1pDFrEKe6GQdhm2bHsZ8AE=,tag:n2Q9TQS8/b7Lbun4qK3pjA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0WmxKM2wvS29WMitIUGdP\ncFNGU1l4QllmNXM4d01GV1dOQ09ZY0pIaUZNCkExV1NKMDRtN2dlZUx3Q3Vab013\ncTB2VHBUci8vckNFbzV5RWl6K1lHNWsKLS0tIHZQMlRjczBtWDB1N3cvSkZWeS9m\nczI4aEdRQzJlcGpEelBhWTJYQnVLL2cK852vurEJeIV31PthknDZT9FAOf7mnu4n\nW596ge/xVlNVcXqQaoLZzt/Ndm8ZaRg6xz/CztOZZiQ8MzHYqSILrA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd05xa0hjVXRPTEtIbU9F\nbXRWTFBlUkxYNW1lN0t0a1ppN3BvUTFwVTBzCmdRRVN2K00xOVJ1aDZobG1NUC9X\nTVluZVJmaXg0SnNUaUJUV0dzQmx3RU0KLS0tIFBnVlcrOEd5SnczSlFXYkxTR21C\nSFpQVkhqdUt1ZW0vNkduYTBBVHpQN2MKUVpKaUE0+ZYmT0TKdbvsKEWn/KnJhX6I\nJcigMBkg+l6u83s64Uz7sBMrh48Ab4rdfnMv0G3bTjEBqGAG2SFHNw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJL1BGMWZZakRIT2lkb2hT\nc3dBL2VTQ0xWcEVCWXBUaU1LdlRQUHg3ZWg4CkhaS2YvMzRiRWVwd3RwYTBFRnJT\nbVNaR0lNRG0zWjlWMUprQ2x2cU1nVU0KLS0tIG52MmRkQkFVYTdnQ1BTVG1TaTU1\naEN5YWw1QktoWnc4YlRvWGh4T1BMbU0KFKc/frIPVeTELKXawQz0P8PhtW67NF1z\n5+d2XKxL/VQIUNGx4551Ofx+V5FqJejjvtkZixdzWGh+Izez/nqhUQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjS1JSbHJaRU5YQzVZLzJS\ndGJ3R1ZUamRtZUxVMjV5VERLeGN5ZW9paHg0ClJMZUhTaytPWkpQdUZ4WUdiMjZT\nc0F5UVJqb01IRlY0aHJwWCt1VG52N1kKLS0tIEVPRmc1ZlVrUmdCb0I4dllnNzND\nRHpqbXNYU1Qza0NweWJnMEJVRGhqSzAKuqXPT4CK8WEQ+vVrH6qpvqZsMHbuNf+b\n6ra4xetfIo+gczDBlXpYi5d0W+UWFjfi32h6y9daVP8MabBb2R1tHw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-07-15T11:56:59Z", + "mac": "ENC[AES256_GCM,data:k8dCiufWeCKrgj+fTGRphr832bGlXza03F4PgaWkfI7IAZQ97iWRD6wO6fko9GKlKBeEy7e/n6Hm8k4F74l9giKTdXq4lhQ3GqdV7h9JzJATxnKs9JYtjd44ihNIiLwBofHDOGq1BEIY/BTn2Z6EqGlwyaK/2EJIXXm56y7UpoI=,iv:zt0itYzXcTVlfGr8l4kL/fBeTjE7r9+fdv5BiBx3lf0=,tag:9dhatpgwMLmTz5XNu9uaag==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/non-critical-infra/secrets/limesurvey-encryption-nonce.caliban b/non-critical-infra/secrets/limesurvey-encryption-nonce.caliban new file mode 100644 index 00000000..f4390229 --- /dev/null +++ b/non-critical-infra/secrets/limesurvey-encryption-nonce.caliban 
@@ -0,0 +1,32 @@ +{ + "data": "ENC[AES256_GCM,data:oimvox9BzWi6Ho5F8itxFWKEr2xfL2gKTlQUpvNJmbhm3qo8YN3FFmoowJVFwMYlcg==,iv:LLSZ9m/aMOQkqd16K0p2xjWBL/EKyn8RE7VZmHAhkcU=,tag:wFOZfp5NQUNpP8NmRWGRxg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1sv307kkrxwgjah8pjpap5kzl4j2r6fqr3vg234n7m32chlchs9lsey7nlq", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4V1daYkxVWlBmcEN0V25r\nVzVDb3c1UnB0RlkxQ0owRFF4MWgrdGN2VmxBCjNZMTkvV0xkQ1pLaHdyOXl5KzM2\nQ3RYY2Y0OXY2aGU5ckxCb3pNNzF6UUUKLS0tIEcvUDNSTm9sbDVwQkVyemIzaFd1\ncVhGOE9ET1BqcHdKMk5QdzFVOTdnblUKv6HaoDUXBSK8kGXMdD5jG4Z5/0ata06d\nF3peMh6Eskfo+x6iS+goqsaZQS+QuCTkecEUqvgtwa586H4BjzBHaw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1j3mkgedmeru63vwww6m44zfw09tg8yw6xdzstaq7ejfkvgcau40qwakm8x", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtdStmZWk4RG00WGtLdnRx\nQ1o3M0d0Mi9XNldoSkFsVTZoTU1MRmFhYlUwCk1GdnZTeHlsVVlaNDg4SGJ3Rk5B\ndnVOTVBWd1Z1dy94c3lyVlpub1Y3TkUKLS0tIElkWlRaSzVvWjhLR2VsRHVObm54\nSmhMZHdOVkpJNE5VdGdmdVIyMW5JWFkKmiNeh3bRixVDzl6UbsU/250RckJJA/Ki\nl7V3C2YnsndU4N/0nedy2Zsy9hjVWNonO3eDnNKzW1ayRYnmXShzjQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1qlwzeg37fwwn2l6fm3quvkn787nn0m89xrjtrhgf9uedtfv2kqlqnec976", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbUtWbHg4U2NzL2NQUmdT\nUlR5RUdFWEZBWk1jdGpNa2ZYSGdoeXR0blZBCkF4SVQvQ0tTdFR6aHgzdWdKZmxC\nSkVGbS84dkExVyszSm1ocVdScVJjck0KLS0tIGRodm5sTjRsZ2lmRmhzV05OekFH\nQ2dYNThzUU1kU3ZBTDV0ZmU5T1RpUzgK+Y+Ka+t/Zh3lO6xCvctZXNKuW+NDKnBL\nOTzZ6ZpAjY2X6JcJqVQJOU/3NXnTvOiTWKrIRao316O1mysYe0rbWw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1jrh8yyq3swjru09s75s4mspu0mphh7h6z54z946raa9wx3pcdegq0x8t4h", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvc2FXMkN0SGRBZUFwaW1E\nL1p1NmV2cjhmN3BTMHptUURLRHN6TFV1Q0VNCmcyNGo3bXFKblFzc2hROFVmNE5a\nR0pFenY4YXljZkVNUEhvYisyUXVuMDgKLS0tIHZVK2V2T24rU1RRby9SL1VpT3du\nUmxObExlVWdMNFNvOElVU3BkSFlNQlEKp9hrLKiu72qRniD4i7oU+zOujUY5CiN4\nyajcqJmq31LOVOHHv2/kcozS4smqlidGU/PwqK03GhSWkBXoG+E81g==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-07-15T11:56:30Z", + "mac": "ENC[AES256_GCM,data:j+Wql6qwEKcZOgOWAYs5MhtbsvUNzjXjst7ge5hxdvqS13iFTfKsiUSpmG/K1Nrxz4swCI9N4VVov9Brg7LuDIP4v4b5r5BEhGDMkSvJKarSfVddEkwcw/HYYpILQUKc+cogLZ2CqctiMB4ViD0+XX1Nl/1+IO5JvMLSjHkqPMo=,iv:7WQ6kw10TrgJdZjaTFHnzzFRzHhS5i1O97vw3md4fKI=,tag:iq5Wx4SYpoDXWe7Wq3M9ww==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/terraform/dns.tf b/terraform/dns.tf index 06e20cbe..9cf848b7 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -96,16 +96,6 @@ locals { type = "AAAA" value = "2a01:4f8:162:71eb::" }, - { - hostname = "survey.nixos.org" - type = "A" - value = "54.72.253.2" - }, - { - hostname = "survey.nixos.org" - type = "AAAA" - value = "2a01:4f8:c0c:6e2c::1" - }, { hostname = "reproducible.nixos.org" type = "CNAME" @@ -302,7 +292,7 @@ locals { value = "v=DMARC1; p=none" }, { - hostname = "survey.staging.nixos.org" + hostname = "survey.nixos.org" type = "CNAME" value = "caliban.nixos.org" },