From 31a081ffb80ab1d1517a3147ad4db8b8e0ee901d Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 20 Aug 2025 21:02:53 +0200 Subject: [PATCH 1/6] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/216c1318892aa8236e38dcbc6dfd976f5eff4e48?narHash=sha256-QokKO2Ofo4hW5XvcMdZ89XEPAyFo6vqz7yCD5fx9wFw%3D' (2025-08-11) → 'github:NixOS/nixpkgs/0ee3848fea3e9c7dadf47cf1e89f8c13878e9f6f?narHash=sha256-zyEsoxHTMIbyYWpc4n%2BjiKwZ9TcIE4DPotdxAe2Jrso%3D' (2025-08-20) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/cfa72d41e8b342aea82ee6ae28ecfc2293ac599b?narHash=sha256-8sbLVtESf/0gBp522Bz7TSvgulzTOFx9/wG92tBM4GE%3D' (2025-08-12) → 'github:NixOS/nixpkgs/b0eccfbc0168243438e8a6747fcdfb1bb796a3f7?narHash=sha256-AdVENrXoFws0sENT2Sz9SMavbqVJnATmCODuqJ7GcSs%3D' (2025-08-20) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/cca779286a4dfd33a04d11954829dfeca0904b79?narHash=sha256-F/EzILKOWZ4UvCbj655MLAf2EfjbhFbz1iKrxaJxmuk%3D' (2025-08-12) → 'github:NixOS/nixpkgs/25bf5c5df47ae79b24fbae8d0d3f6480dadde3ed?narHash=sha256-YO9q05I%2Bvi6zrHpxeBcDnQYKX7TS4T3SxPXYd6N00XA%3D' (2025-08-20) • Updated input 'simple-nixos-mailserver': 'gitlab:simple-nixos-mailserver/nixos-mailserver/53007af63fade28853408370c4c600a63dd97f41?narHash=sha256-BW3ktviEhfCN/z3%2BkEyzpDKAI8qFTwO7%2BS0NVA0C90o%3D' (2025-05-23) → 'gitlab:simple-nixos-mailserver/nixos-mailserver/f5936247dbdb8501221978562ab0b302dd75456c?narHash=sha256-PigqTAGkdBYXVFWsJnqcirrLeFqRFN4PFigLA8FzxeI%3D' (2025-08-13) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 443432b..525502b 100644 --- a/flake.lock +++ b/flake.lock 
@@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1754951463, - "narHash": "sha256-QokKO2Ofo4hW5XvcMdZ89XEPAyFo6vqz7yCD5fx9wFw=", + "lastModified": 1755678965, + "narHash": "sha256-zyEsoxHTMIbyYWpc4n+jiKwZ9TcIE4DPotdxAe2Jrso=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "216c1318892aa8236e38dcbc6dfd976f5eff4e48", + "rev": "0ee3848fea3e9c7dadf47cf1e89f8c13878e9f6f", "type": "github" }, "original": { @@ -150,11 +150,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1754986950, - "narHash": "sha256-8sbLVtESf/0gBp522Bz7TSvgulzTOFx9/wG92tBM4GE=", + "lastModified": 1755716446, + "narHash": "sha256-AdVENrXoFws0sENT2Sz9SMavbqVJnATmCODuqJ7GcSs=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cfa72d41e8b342aea82ee6ae28ecfc2293ac599b", + "rev": "b0eccfbc0168243438e8a6747fcdfb1bb796a3f7", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1754975461, - "narHash": "sha256-F/EzILKOWZ4UvCbj655MLAf2EfjbhFbz1iKrxaJxmuk=", + "lastModified": 1755672759, + "narHash": "sha256-YO9q05I+vi6zrHpxeBcDnQYKX7TS4T3SxPXYd6N00XA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cca779286a4dfd33a04d11954829dfeca0904b79", + "rev": "25bf5c5df47ae79b24fbae8d0d3f6480dadde3ed", "type": "github" }, "original": { @@ -214,11 +214,11 @@ "nixpkgs-25_05": "nixpkgs-25_05" }, "locked": { - "lastModified": 1747965231, - "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=", + "lastModified": 1755110674, + "narHash": "sha256-PigqTAGkdBYXVFWsJnqcirrLeFqRFN4PFigLA8FzxeI=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "53007af63fade28853408370c4c600a63dd97f41", + "rev": "f5936247dbdb8501221978562ab0b302dd75456c", "type": "gitlab" }, "original": { From 55a984b03cdca23d1697f62657e681a2f5adf096 Mon Sep 17 00:00:00 2001 
From: fi
Date: Wed, 20 Aug 2025 21:12:30 +0200
Subject: [PATCH 2/6] Remove security.acme.preliminarySelfsigned option as it no longer has an effect
---
 config/common/default.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/config/common/default.nix b/config/common/default.nix
index c8930ec..459289f 100644
--- a/config/common/default.nix
+++ b/config/common/default.nix
@@ -41,7 +41,6 @@
 security.acme = {
 defaults.email = "acme@grzb.de";
 acceptTerms = true;
- preliminarySelfsigned = true;
 };
 # Print the ed25519 public ssh host key to console when booting
From bb51d64a9aa713edb4395e35e368ad9109af92c6 Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Aug 2025 22:35:36 +0200
Subject: [PATCH 3/6] Update mastodon to 4.4.3
---
 config/hosts/mastodon/mastodon.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix
index bae9b17..b459fce 100644
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@@ -16,14 +16,14 @@ let
 };
 mastodonNekoverseOverlay = final: prev: {
 mastodon = (prev.mastodon.override rec {
- version = "4.4.1";
+ version = "4.4.3";
 srcOverride = final.applyPatches {
 src = pkgs.stdenv.mkDerivation {
 name = "mastodonWithThemes";
 src = pkgs.fetchgit {
 url = "https://github.com/mastodon/mastodon.git";
 rev = "v${version}";
- sha256 = "sha256-hu6AmR0CvI3lVixJ2UmWY3KAlWbqYULCQAjRGJcuIhc=";
+ sha256 = "sha256-HFvsf8uNP5TV6vPaIkWKnuOKExQhgvrhyRWf3OCqIDk=";
 };
 # mastodon ships with broken symlinks, disable the check for that for now
 dontCheckForBrokenSymlinks = true;
From 25592dff5db709c64e835bc76fd9a8116410abd1 Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Aug 2025 22:51:37 +0200
Subject: [PATCH 4/6] Update mastodon tangerine UI to 2.4.4
---
 config/hosts/mastodon/mastodon.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix
index b459fce..c1c839b 100644
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@@ -2,8 +2,8 @@
 let
 tangerineUI = pkgs.fetchgit {
 url = "https://github.com/nileane/TangerineUI-for-Mastodon.git";
- rev = "v2.4.3";
- hash = "sha256-OThT3fp676RMfYY3ehzM4DnAlJOqdPoYIHpoBbN/RHQ=";
+ rev = "v2.4.4";
+ hash = "sha256-58xiS2yzv4z24IULJQWpkqV1Op6e+U6SFd1XjpAB6Go=";
 };
 mastodonModern = pkgs.fetchgit {
 url = "https://git.gay/freeplay/Mastodon-Modern.git";
From 71f7131b7d096c5cd15f0f3cd5fa0c4f1e19730e Mon Sep 17 00:00:00 2001
From: fi
Date: Wed, 20 Aug 2025 22:58:15 +0200
Subject: [PATCH 5/6] Update element-web to 1.11.109
---
 config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
index 0cdedaf..433da35 100644
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@@ -1,9 +1,9 @@
 { pkgs, ... }:
 let
- elementWebVersion = "1.11.106";
+ elementWebVersion = "1.11.109";
 element-web = pkgs.fetchzip {
 url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
- sha256 = "sha256-5E6za7G7Olia5VzOnBjYMeGJ2Xifqx+vDmCFgNLaRZo=";
+ sha256 = "sha256-eKPClYJxUhCJznI1+dv9w2h0CoSKgZsBZCsuM3KH5ag=";
 };
 elementWebSecurityHeaders = ''
 # Configuration best practices
From 139033130f48be7f9edae9d235d928c9e5faa59c Mon Sep 17 00:00:00 2001
From: fi
Date: Fri, 22 Aug 2025 18:47:20 +0200
Subject: [PATCH 6/6] Enable metrics for matrix-synapse
---
 config/hosts/matrix/configuration.nix | 2 +-
 config/hosts/matrix/matrix-synapse.nix | 53 +++++++++++++++++---------
 config/hosts/metrics/nginx.nix | 19 ---------
 config/hosts/metrics/prometheus.nix | 18 ++++++++-
 4 files changed, 52 insertions(+), 40 deletions(-)
diff --git a/config/hosts/matrix/configuration.nix b/config/hosts/matrix/configuration.nix
index 9ffa4c6..a52998c 100644
--- a/config/hosts/matrix/configuration.nix
+++ b/config/hosts/matrix/configuration.nix
@@ -9,7 +9,7 @@
 hostName = "matrix";
 firewall = {
 enable = true;
- allowedTCPPorts = [ 80 8443 8448 ];
+ allowedTCPPorts = [ 80 8443 8448 9000 ];
 };
 };
diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix
index 82b82e1..371eb95 100644
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
@@ -3,26 +3,40 @@
 services.matrix-synapse = {
 enable = true;
 settings = {
- listeners = [{
- port = 8008;
- bind_addresses = [
- "::1"
- "127.0.0.1"
- ];
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
- {
- compress = true;
- names = [ "client" ];
- }
- {
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [
+ "::1"
+ "127.0.0.1"
+ ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ compress = true;
+ names = [ "client" ];
+ }
+ {
+ compress = false;
+ names = [ "federation" ];
+ }
+ ];
+ }
+ {
+ port = 9000;
+ type = "http";
+ tls = false;
+ bind_addresses = [
+ "0.0.0.0"
+ ];
+ resources = [{
+ names = [ "metrics" ];
 compress = false;
- names = [ "federation" ];
- }
- ];
- }];
+ }];
+ }
+ ];
 server_name = "nekover.se";
 public_baseurl = "https://matrix.nekover.se";
 database = {
@@ -40,6 +54,7 @@
 signing_key_path = "/secrets/matrix-homeserver-signing-key.secret";
 admin_contact = "mailto:admin@nekover.se";
 web_client_location = "https://element.nekover.se";
+ enable_metrics = true;
 turn_uris = [
 "turns:turn.nekover.se?transport=udp"
 "turns:turn.nekover.se?transport=tcp"
diff --git a/config/hosts/metrics/nginx.nix b/config/hosts/metrics/nginx.nix
index aefb0b5..9e31454 100644
--- a/config/hosts/metrics/nginx.nix
+++ b/config/hosts/metrics/nginx.nix
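Review bot: The new listener in matrix-synapse.nix binds the metrics resource to `0.0.0.0` with `tls = false`, and the configuration.nix hunk adds 9000 to the host-wide `allowedTCPPorts`, so `/_synapse/metrics` is served without authentication on every IPv4 interface of the host. Whether the address Prometheus scrapes (`matrix.vs.grzb.de:9000` in prometheus.nix) sits on an internal-only network is not visible in this patch. If it does, bind the listener to that address, `bind_addresses = [ "<internal address of this host>" ];`, and open the port per interface with `networking.firewall.interfaces.<internal-interface>.allowedTCPPorts = [ 9000 ];` instead of extending the global list. A one-line comment on the listener naming the only expected client (the metrics host) would document the intent.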
@@ -22,25 +22,6 @@
 proxyWebsockets = true;
 };
 };
- "alertmanager.grzb.de"= {
- forceSSL = true;
- enableACME = true;
- listen = [
- {
- addr = "0.0.0.0";
- port = 80;
- }
- {
- addr = "0.0.0.0";
- port = 443;
- ssl = true;
- }
- ];
- locations."/" = {
- proxyPass = "http://${config.services.prometheus.alertmanager.listenAddress}:${builtins.toString config.services.prometheus.alertmanager.port}";
- proxyWebsockets = true;
- };
- };
 };
 };
 }
diff --git a/config/hosts/metrics/prometheus.nix b/config/hosts/metrics/prometheus.nix
index 236fb58..0163c43 100644
--- a/config/hosts/metrics/prometheus.nix
+++ b/config/hosts/metrics/prometheus.nix
@@ -1,8 +1,16 @@
-{ hosts, ... }:
+{ hosts, pkgs, ... }:
+let
+ # https://github.com/element-hq/synapse/tree/master/contrib/prometheus/
+ synapseRules = pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/element-hq/synapse/refs/heads/master/contrib/prometheus/synapse-v2.rules";
+ hash = "sha256-WldlBdCMzul49OlFhJMsrx4MYFakHTa36Y9HnV22EwI=";
+ };
+in
 {
 services.prometheus = {
 enable = true;
 retentionTime = "90d";
+ ruleFiles = [ synapseRules ];
 scrapeConfigs = [
 {
 job_name = "node";
@@ -15,6 +23,14 @@
 };
 }) (builtins.attrNames hosts);
 }
+ {
+ job_name = "synapse";
+ scrape_interval = "15s";
+ metrics_path = "/_synapse/metrics";
+ static_configs = [{
+ targets = [ "matrix.vs.grzb.de:9000" ];
+ }];
+ }
 ];
 };
 }
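Review bot: `synapseRules` in the first prometheus.nix hunk fetches from `refs/heads/master`, a moving ref, while `hash` fixes one particular content of the file. The hash stops changed rules from being picked up silently, but as soon as upstream edits the file the fetch fails with a hash mismatch on any machine that does not already hold the store path, and the URL no longer records which revision was reviewed. Pin the URL to a release tag or commit, `url = "https://raw.githubusercontent.com/element-hq/synapse/<tag-or-commit>/contrib/prometheus/synapse-v2.rules";`, and update `hash` in the same change whenever the pin moves.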