From 954f7d4d086cdefbcdc954c74e3e81187b34b842 Mon Sep 17 00:00:00 2001 From: June Date: Mon, 5 Jan 2026 20:21:52 +0100 Subject: [PATCH 01/16] tweak forgejo service configuration a bit making it nicer - Enable Git LFS support, since it's nice to have. - Enable offline mode to avoid relying on CDNs (and to not use Gravatar). - Enable notification mails for repo activity. - Put setting for default repo units into "repository" category as the "repo" category doesn't exist. - Also disable all repo units except code, as they mostly aren't needed for private repos and can be easily enabled on-demand. --- config/hosts/forgejo/forgejo.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/config/hosts/forgejo/forgejo.nix b/config/hosts/forgejo/forgejo.nix index c60c00f..2b2aea8 100644 --- a/config/hosts/forgejo/forgejo.nix +++ b/config/hosts/forgejo/forgejo.nix @@ -4,6 +4,7 @@ enable = true; package = pkgs.forgejo; database.type = "postgres"; + lfs.enable = true; settings = { DEFAULT = { @@ -17,6 +18,7 @@ ROOT_URL = "https://git.nekover.se/"; # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself. # Doesn't need to be set. + OFFLINE_MODE = true; }; admin = { DISABLE_REGULAR_ORG_CREATION = false; @@ -34,11 +36,10 @@ DEFAULT_USER_VISIBILITY = "limited"; DEFAULT_KEEP_EMAIL_PRIVATE = true; ENABLE_BASIC_AUTHENTICATION = false; - }; - repo = { - DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; + ENABLE_NOTIFY_MAIL = true; }; repository = { + DEFAULT_REPO_UNITS = "repo.code"; ENABLE_PUSH_CREATE_USER = true; ENABLE_PUSH_CREATE_ORG = true; }; From 399f53fc3e9acbbecc77ee9c58c171e4baf9da65 Mon Sep 17 00:00:00 2001 
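Review bot: `ENABLE_NOTIFY_MAIL = true` in the `service` block only has an effect when the `mailer` section is enabled, and that section is not in this hunk, so confirm `mailer.ENABLED = true` (with a working SMTP setup) is set elsewhere in this file. `DEFAULT_REPO_UNITS = "repo.code"` applies only to repositories created from now on; existing private repos keep the units they already have, which matters if the intent is to hide issues and pull requests on them as well. The Forgejo/Gitea reference also states that code and releases cannot be deactivated and recommends still listing them, so `DEFAULT_REPO_UNITS = "repo.code,repo.releases";` is the form that matches the documented behaviour — worth checking against the version in `pkgs.forgejo`. The enclosing `settings` attribute set starts outside the hunk.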
From: fi Date: Tue, 6 Jan 2026 00:25:12 +0100 Subject: [PATCH 02/16] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/f376a52d0dc796aec60b5606a2676240ff1565b9' (2025-12-08) → 'github:NixOS/nixpkgs/044f759a4f4629f2be41e59b859753a091e3c089' (2026-01-04) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/a0ea537a4fc4c49fb1e226317829c8b32ed95d0e' (2025-12-08) → 'github:NixOS/nixpkgs/4220734816a0091405c33fe4c113be021c8e9c34' (2026-01-05) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/fc2de1563f89f0843eba27f14576d261df0e3b80' (2025-12-08) → 'github:NixOS/nixpkgs/1e46161ce72e20c156dd2225d7517421236c0f22' (2026-01-05) • Updated input 'simple-nixos-mailserver': 'gitlab:simple-nixos-mailserver/nixos-mailserver/a14fe3b293ec2720e5b7fc72ad136d22967e12ba' (2025-11-26) → 'gitlab:simple-nixos-mailserver/nixos-mailserver/23f0a53ca6e58e61e1ea2b86791c69b79c91656d' (2025-12-24) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 1ba87cf..e969f1e 100644 --- a/flake.lock +++ b/flake.lock @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1765178948, - "narHash": "sha256-Kb3mIrj4xLg2LeMvok0tpiGPis1VnrNJO0l4kW+0xmc=", + "lastModified": 1767563445, + "narHash": "sha256-GIyPDpWOR7a3k3yY9cPz5ymyFGxZmOG4e/FseY6e33A=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f376a52d0dc796aec60b5606a2676240ff1565b9", + "rev": "044f759a4f4629f2be41e59b859753a091e3c089", "type": "github" }, "original": { 
@@ -134,11 +134,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1765227377, - "narHash": "sha256-OeTF3YNuXZxN4TxluVEdCG32e5/0pYDb5exWe0RrQBY=", + "lastModified": 1767655107, + "narHash": "sha256-tor/rdUa5baQBwPXnYI+hi7BbISEE7888OUMtNfV2Pk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a0ea537a4fc4c49fb1e226317829c8b32ed95d0e", + "rev": "4220734816a0091405c33fe4c113be021c8e9c34", "type": "github" }, "original": { @@ -150,11 +150,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1765183668, - "narHash": "sha256-TBA7CE44IHYfvOPBWcyLncpVrrKEiXWPdOrF8CD6W84=", + "lastModified": 1767636954, + "narHash": "sha256-YTRtm37AfpZTQj+3LmNpPVAJ9aTmpiPKvHhtF7EFulE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fc2de1563f89f0843eba27f14576d261df0e3b80", + "rev": "1e46161ce72e20c156dd2225d7517421236c0f22", "type": "github" }, "original": { @@ -197,11 +197,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1764185122, - "narHash": "sha256-+HUOwSIFLoyett2cvRjuFIbhobpHallfP9J2cia1apo=", + "lastModified": 1766537863, + "narHash": "sha256-HEt+wbazRgJYeY+lgj65bxhPyVc4x7NEB2bs5NU6DF8=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "a14fe3b293ec2720e5b7fc72ad136d22967e12ba", + "rev": "23f0a53ca6e58e61e1ea2b86791c69b79c91656d", "type": "gitlab" }, "original": { From 770ba36ffcf6aec809acd63903e25fabbd02397e Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 18 Jan 2026 17:19:30 +0100 Subject: [PATCH 03/16] Remove invalid password complexity setting in MAS config Should be a value between 0 and 4. Default is 3. --- config/hosts/matrix/matrix-authentication-service.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/config/hosts/matrix/matrix-authentication-service.nix b/config/hosts/matrix/matrix-authentication-service.nix index 53674ad..3e307f7 100644 --- a/config/hosts/matrix/matrix-authentication-service.nix +++ b/config/hosts/matrix/matrix-authentication-service.nix 
@@ -63,8 +63,7 @@ let version = 2; algorithm = "argon2id"; } - ]; - minimum_complexity = 8; + ]; }; }; masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings); From 8fe546c3fe4af3fb6f556eebf3637d980df582fd Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 18 Jan 2026 17:39:39 +0100 Subject: [PATCH 04/16] Enable MAS admin cli --- config/hosts/matrix/matrix-authentication-service.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/config/hosts/matrix/matrix-authentication-service.nix b/config/hosts/matrix/matrix-authentication-service.nix index 3e307f7..e13bdd9 100644 --- a/config/hosts/matrix/matrix-authentication-service.nix +++ b/config/hosts/matrix/matrix-authentication-service.nix @@ -33,6 +33,17 @@ let }]; proxy_protocol = false; } + { + name = "admin"; + resources = [{ + name = "adminapi"; + }]; + binds = [{ + host = "localhost"; + port = 8083; + }]; + proxy_protocol = false; + } ]; trusted_proxies = [ "192.168.0.0/16" From 4bfcfe355c47d2719b4820fce5460e50ad96030e Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 18 Jan 2026 17:56:04 +0100 Subject: [PATCH 05/16] Expose matrix admin api on management VPN --- config/hosts/matrix/nginx.nix | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index ce3ab3d..ab35ad3 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix 
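Review bot: Dropping `minimum_complexity` leaves the password policy implicit (the default 3 mentioned in the commit message), and the deleted `minimum_complexity = 8;` reads as though a minimum length was intended rather than a 0–4 strength score. If a length requirement was the goal, MAS exposes that as a separate `passwords.minimum_length` option — confirm against the config reference for the deployed version; whichever constraint is wanted, pin it explicitly next to `schemes`, e.g. `minimum_complexity = 3;`, so the policy is visible in the repo instead of inherited from defaults. The enclosing `passwords` block starts outside the hunk.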
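Review bot: The new `admin` listener binds `host = "localhost"`, which is resolved by MAS at startup, while the nginx commits later in this series proxy to `http://localhost:8083` and, for Synapse, explicitly note that proxying to `localhost` failed even with the backend on `::1`. Pin both ends to one address family to avoid the same mismatch here: `host = "127.0.0.1";` on the bind and `proxyPass = "http://127.0.0.1:8083"` in nginx. Also check that the loopback address is included in `trusted_proxies` (the list begins in the trailing context and continues outside the hunk), since requests on this listener arrive via nginx and MAS is otherwise likely to record `127.0.0.1` rather than the VPN client as the requester. The `listeners` list this entry belongs to starts outside the hunk.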
@@ -34,6 +34,19 @@ client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; ''; }; + "~ ^/_synapse/admin" = { + # Only proxy to the local host on IPv4, because localhost doesn't seem to work + # even if matrix-synapse is listening on ::1 as well. + proxyPass = "http://127.0.0.1:8008"; + extraConfig = '' + # Restrict access to admin API. + allow 172.21.87.0/24; # management VPN + deny all; + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; + ''; + }; }; extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; @@ -51,8 +64,18 @@ port = 80; } ]; - locations."/" = { - proxyPass = "http://localhost:8080"; + locations = { + "/" = { + proxyPass = "http://localhost:8080"; + }; + "~ ^/api/admin" = { + proxyPass = "http://localhost:8082"; + extraConfig = '' + # Restrict access to admin API. + allow 172.21.87.0/24; # management VPN + deny all; + ''; + }; }; extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; From 98b3e14bd6ba088799f0fe2e68dc9e837d5f1645 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 18 Jan 2026 18:05:04 +0100 Subject: [PATCH 06/16] Host element-admin on web-public-2 --- config/hosts/matrix/nginx.nix | 2 +- config/hosts/web-public-2/nginx.nix | 1 + .../web-public-2/virtualHosts/default.nix | 1 + .../virtualHosts/element-admin.nekover.se.nix | 95 +++++++++++++++++++ 4 files changed, 98 insertions(+), 1 deletion(-) create mode 100644 config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index ab35ad3..f4ddec6 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix 
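Review bot: The `allow 172.21.87.0/24; deny all;` guards on `~ ^/_synapse/admin` (and the matching `~ ^/api/admin` block in the second hunk) evaluate `$remote_addr`, and these vhosts listen with `proxy_protocol` on `0.0.0.0:8443`, so unless the server block also sets `set_real_ip_from <stream proxy>` and `real_ip_header proxy_protocol` (the rest of `extraConfig` is outside the hunk) `$remote_addr` is the TCP peer — the upstream stream proxy — and the allowlist either rejects every request or, if that proxy's address falls inside 172.21.87.0/24, admits every client it forwards. The element-admin vhost added later in this series shows the pattern (`set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol;`); confirm the matrix host has the equivalent with only the stream proxy's address trusted, because a wider `set_real_ip_from` range lets any host in it forge a VPN source address. Treat the CIDR check as defense in depth rather than the only gate: both admin APIs are expected to enforce their own token authentication, and that should be verified rather than assumed. The surrounding `server` blocks start outside the hunk.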
@@ -69,7 +69,7 @@ proxyPass = "http://localhost:8080"; }; "~ ^/api/admin" = { - proxyPass = "http://localhost:8082"; + proxyPass = "http://localhost:8083"; extraConfig = '' # Restrict access to admin API. allow 172.21.87.0/24; # management VPN diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 608d6a7..066f3d2 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -19,6 +19,7 @@ anisync.grzb.de 127.0.0.1:8443; cloud.nekover.se 10.202.41.122:8443; element.nekover.se 127.0.0.1:8443; + element-admin.nekover.se 127.0.0.1:8443; fi.nekover.se 10.202.41.125:8443; gameserver.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443; diff --git a/config/hosts/web-public-2/virtualHosts/default.nix b/config/hosts/web-public-2/virtualHosts/default.nix index 53294f7..445a087 100644 --- a/config/hosts/web-public-2/virtualHosts/default.nix +++ b/config/hosts/web-public-2/virtualHosts/default.nix @@ -4,6 +4,7 @@ ./acme-challenge.nix ./anisync.grzb.de.nix ./element.nekover.se.nix + ./element-admin.nekover.se.nix ./gameserver.grzb.de.nix ./git.grzb.de.nix ./mewtube.nekover.se.nix diff --git a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix new file mode 100644 index 0000000..69c3a9a --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix 
@@ -0,0 +1,95 @@
+{ config, pkgs, ... }:
+
+let
+ elementAdminVersion = "0.1.10";
+ elementAdmin = pkgs.stdenv.mkDerivation (finalAttrs: {
+ pname = "element-admin";
+ version = elementAdminVersion;
+
+ src = pkgs.fetchzip {
+ url = "https://github.com/element-hq/element-admin/archive/refs/tags/v${elementAdminVersion}.zip";
+ sha256 = "sha256-dh7tmzAaTfKB9FuOVhLHpOIsTZK1qMvNq16HeObHOqI=";
+ };
+
+ nativeBuildInputs = [
+ pkgs.nodejs
+ pkgs.pnpm.configHook
+ ];
+
+ pnpmDeps = pkgs.pnpm.fetchDeps {
+ inherit (finalAttrs) pname version src;
+ fetcherVersion = 2;
+ hash = "sha256-S/MdfUv6q+PaAKWYHxVY80BcpL81dOfpPVhNxEPQVE4=";
+ };
+
+ buildPhase = ''
+ pnpm build
+ '';
+
+ installPhase = ''
+ cp -a dist $out
+ '';
+ });
+in
+{
+ services.nginx.virtualHosts."element-admin.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+
+ listen = [{
+ addr = "localhost";
+ port = 8443;
+ ssl = true;
+ extraParameters = ["proxy_protocol"];
+ }];
+
+ root = elementAdmin;
+
+ locations."/assets" = {
+ extraConfig = ''
+ expires 1y;
+ add_header Cache-Control "public, max-age=31536000, immutable";
+ # Security headers.
+ add_header X-Frame-Options "DENY" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
+ add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
+ '';
+ };
+
+ locations."/" = {
+ index = "/index.html";
+ tryFiles = "$uri $uri/ /";
+ extraConfig = ''
+ # Security headers.
+ add_header X-Frame-Options "DENY" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
+ add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
+ '';
+ };
+
+ extraConfig = ''
+ # Security headers.
+ add_header X-Frame-Options "DENY" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always;
+ add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always;
+
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 127.0.0.1;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+}
From 6daef62b6047f10e304b9229034ea052428810b9 Mon Sep 17 00:00:00 2001
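Review bot: `add_header X-XSS-Protection "1; mode=block" always;` (repeated in all three header blocks) turns on a legacy browser auditor that current guidance recommends disabling, since it has been abused for cross-site leaks and has been removed from modern engines; use `add_header X-XSS-Protection "0" always;` or drop the header entirely. The CSP's `script-src 'self' 'unsafe-inline'` gives up most of the XSS protection a CSP provides for an admin console; element-admin is a built SPA, so it is worth testing whether `'unsafe-inline'` is actually required for scripts (styles are the more common reason) and dropping it from `script-src` if not. Because the matrix host restricts the admin APIs to 172.21.87.0/24 while this vhost serves the admin UI publicly, and realip is already configured here (`set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol;`), consider adding the same `allow 172.21.87.0/24; deny all;` to this server block so the console is not reachable from the open internet at all — assuming it is only ever used from the management VPN. Minor: `fetchzip` on an `archive/refs/tags` URL can be expressed with `pkgs.fetchFromGitHub`, the idiomatic fetcher, with the hash pinned the same way.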
From: fi Date: Wed, 11 Feb 2026 17:16:34 +0100 Subject: [PATCH 07/16] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/032a1878682fafe829edfcf5fdfad635a2efe748' (2025-11-27) → 'github:nix-community/nixos-generators/8946737ff703382fda7623b9fab071d037e897d5' (2026-01-30) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/044f759a4f4629f2be41e59b859753a091e3c089' (2026-01-04) → 'github:NixOS/nixpkgs/08ebc444a070153227d6f45acf979f4d5f1f97f9' (2026-02-11) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/4220734816a0091405c33fe4c113be021c8e9c34' (2026-01-05) → 'github:NixOS/nixpkgs/8605a9be3795437e3717dab6c542d2d571369e70' (2026-02-11) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/1e46161ce72e20c156dd2225d7517421236c0f22' (2026-01-05) → 'github:NixOS/nixpkgs/d9ca3a4b73f19ea147c9d977d3dde8f612ac648f' (2026-02-11) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index e969f1e..06a3d59 100644 --- a/flake.lock +++ b/flake.lock @@ -103,11 +103,11 @@ ] }, "locked": { - "lastModified": 1764234087, - "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=", + "lastModified": 1769813415, + "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "032a1878682fafe829edfcf5fdfad635a2efe748", + "rev": "8946737ff703382fda7623b9fab071d037e897d5", "type": "github" }, "original": { 
@@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1767563445, - "narHash": "sha256-GIyPDpWOR7a3k3yY9cPz5ymyFGxZmOG4e/FseY6e33A=", + "lastModified": 1770802195, + "narHash": "sha256-vabHY4acHLmaB7Ak9FKzk2wSEKhAS/yXL7SBySB/S5U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "044f759a4f4629f2be41e59b859753a091e3c089", + "rev": "08ebc444a070153227d6f45acf979f4d5f1f97f9", "type": "github" }, "original": { @@ -134,11 +134,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1767655107, - "narHash": "sha256-tor/rdUa5baQBwPXnYI+hi7BbISEE7888OUMtNfV2Pk=", + "lastModified": 1770824979, + "narHash": "sha256-OedDmV9we3oOdiz9xjLiQCajwRa8WWcE/rOF3y/VlVc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4220734816a0091405c33fe4c113be021c8e9c34", + "rev": "8605a9be3795437e3717dab6c542d2d571369e70", "type": "github" }, "original": { @@ -150,11 +150,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1767636954, - "narHash": "sha256-YTRtm37AfpZTQj+3LmNpPVAJ9aTmpiPKvHhtF7EFulE=", + "lastModified": 1770818322, + "narHash": "sha256-tttCN+yrhM7svQW6DqtS3JV9POrRJAaS/e0xuUHBTEM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1e46161ce72e20c156dd2225d7517421236c0f22", + "rev": "d9ca3a4b73f19ea147c9d977d3dde8f612ac648f", "type": "github" }, "original": { From 459ac4c3143de7127634c7b91c4eeb363978c37e Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 11 Feb 2026 17:18:55 +0100 Subject: [PATCH 08/16] Update mastodon to 4.5.6 and remove fedi fetcher --- .../containers/fedifetcher/default.nix | 23 ---------- .../containers/fedifetcher/fedifetcher.nix | 42 ------------------- config/hosts/mastodon/default.nix | 1 - config/hosts/mastodon/mastodon.nix | 8 ++-- config/hosts/mastodon/secrets.nix | 8 ---- 5 files changed, 4 insertions(+), 78 deletions(-) delete mode 100644 config/hosts/mastodon/containers/fedifetcher/default.nix delete mode 100644 config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix 
diff --git a/config/hosts/mastodon/containers/fedifetcher/default.nix b/config/hosts/mastodon/containers/fedifetcher/default.nix deleted file mode 100644 index 3f2617e..0000000 --- a/config/hosts/mastodon/containers/fedifetcher/default.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ nixpkgs-unstable, ... }: -{ - containers.fedifetcher = { - nixpkgs = nixpkgs-unstable; - autoStart = true; - - bindMounts = { - "/secrets" = { - hostPath = "/secrets-fedifetcher"; - isReadOnly = true; - }; - }; - - config = { ... }: { - imports = [ - ./fedifetcher.nix - ]; - - networking.useHostResolvConf = true; - system.stateVersion = "24.05"; - }; - }; -} diff --git a/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix b/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix deleted file mode 100644 index 7194c25..0000000 --- a/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix +++ /dev/null 
@@ -1,42 +0,0 @@ -{ pkgs, lib, ... }: -{ - # config copied from https://github.com/arachnist/nibylandia/blob/main/nixos/zorigami/default.nix - systemd.services.fedifetcher = { - path = [ pkgs.fedifetcher ]; - description = "fetch fedi posts"; - script = '' - fedifetcher - ''; - environment = lib.mapAttrs' (n: v: - (lib.nameValuePair ("ff_" + builtins.replaceStrings [ "-" ] [ "_" ] n) - (builtins.toString v))) { - server = "social.nekover.se"; - state-dir = "/var/lib/fedifetcher"; - lock-file = "/run/fedifetcher/fedifetcher.lock"; - from-lists = 1; - from-notifications = 1; - max-bookmarks = 80; - max-favourites = 40; - max-follow-requests = 80; - max-followers = 80; - max-followings = 80; - remember-hosts-for-days = 30; - remember-users-for-hours = 168; - reply-interval-in-hours = 2; - }; - serviceConfig = { - DynamicUser = true; - User = "fedifetcher"; - RuntimeDirectory = "fedifetcher"; - RuntimeDirectoryPreserve = true; - StateDirectory = "fedifetcher"; - UMask = "0077"; - EnvironmentFile = [ "/secrets/mastodon-fedifetcher-access-token.secret" ]; - }; - }; - - systemd.timers.fedifetcher = { - wantedBy = [ "multi-user.target" ]; - timerConfig = { OnCalendar = "*:0/5"; }; - }; -} diff --git a/config/hosts/mastodon/default.nix b/config/hosts/mastodon/default.nix index dc52ff4..5651eb8 100644 --- a/config/hosts/mastodon/default.nix +++ b/config/hosts/mastodon/default.nix @@ -5,6 +5,5 @@ ./mastodon.nix ./opensearch.nix ./nginx.nix - ./containers/fedifetcher ]; } diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index aa4fea4..06d516d 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix 
@@ -2,8 +2,8 @@ let tangerineUI = pkgs.fetchgit { url = "https://github.com/nileane/TangerineUI-for-Mastodon.git"; - rev = "v2.5.2"; - hash = "sha256-RJPP3QynE42cr9Km8twyZrHiZnhMdNcYOOJ7nW0mx1c="; + rev = "v2.5.3"; + hash = "sha256-fs/pwIwXZvSNVmlSG304CMT/hSW/RtrzraMsrhg/TbE="; }; mastodonModern = pkgs.fetchgit { url = "https://git.gay/freeplay/Mastodon-Modern.git"; @@ -16,14 +16,14 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.5.2"; + version = "4.5.6"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-LePly+CcM+Dv6ipX9jIWWKhy2PiF1j8vgc9CXn2o+DQ="; + sha256 = "sha256-m2LDNyv2jxsp5zPKOfQWvtBG8bD8iuBWBEoz+L0OvNk="; }; # mastodon ships with broken symlinks, disable the check for that for now dontCheckForBrokenSymlinks = true; diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix index 986a64b..88413c7 100644 --- a/config/hosts/mastodon/secrets.nix +++ b/config/hosts/mastodon/secrets.nix @@ -57,13 +57,5 @@ permissions = "0640"; uploadAt = "pre-activation"; }; - "mastodon-fedifetcher-access-token.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mastodon/fedifetcher-access-token" ]; - destDir = "/secrets-fedifetcher"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; }; } From 9862a9d21be5e7539a3ac5d50aac19a8f60b74d3 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 11 Feb 2026 18:01:46 +0100 Subject: [PATCH 09/16] Update element-web to 1.12.10 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 7576beb..74b7820 100644 
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.12.2"; + elementWebVersion = "1.12.10"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-EZtySIQHgb+Boq97LhzFYKTEO///6YMH3O2DrAy+7Fs="; + sha256 = "sha256-YpxfV4BCXh2fffQvVsZGOfK82TpGzg6uOx7iUPqiXVE="; }; elementWebSecurityHeaders = '' # Configuration best practices From 17ddc2f9c9ae8a22dea2b43ec51c60d93d29c9b6 Mon Sep 17 00:00:00 2001 
From: fi Date: Mon, 30 Mar 2026 22:25:39 +0200 Subject: [PATCH 10/16] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/08ebc444a070153227d6f45acf979f4d5f1f97f9' (2026-02-11) → 'github:NixOS/nixpkgs/56ed9a39b84feaee9624111dc86869d19f4c22f3' (2026-03-30) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/8605a9be3795437e3717dab6c542d2d571369e70' (2026-02-11) → 'github:NixOS/nixpkgs/98ce05a593c5d9655ddbd09fd81f7679381b5392' (2026-03-30) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/d9ca3a4b73f19ea147c9d977d3dde8f612ac648f' (2026-02-11) → 'github:NixOS/nixpkgs/318977b8e175faba256cb35e0ca6810c7d87edf2' (2026-03-30) • Updated input 'simple-nixos-mailserver': 'gitlab:simple-nixos-mailserver/nixos-mailserver/23f0a53ca6e58e61e1ea2b86791c69b79c91656d' (2025-12-24) → 'gitlab:simple-nixos-mailserver/nixos-mailserver/25e6dbb8fca3b6e779c5a46fd03bd760b2165bb5' (2026-03-19) • Updated input 'simple-nixos-mailserver/flake-compat': 'github:edolstra/flake-compat/f387cd2afec9419c8ee37694406ca490c3f34ee5' (2025-10-27) → 'github:edolstra/flake-compat/5edf11c44bc78a0d334f6334cdaf7d60d732daab' (2025-12-29) • Updated input 'simple-nixos-mailserver/git-hooks': 'github:cachix/git-hooks.nix/7275fa67fbbb75891c16d9dee7d88e58aea2d761' (2025-11-16) → 'github:cachix/git-hooks.nix/8baab586afc9c9b57645a734c820e4ac0a604af9' (2026-03-07) • Updated input 'simple-nixos-mailserver/nixpkgs': 'github:NixOS/nixpkgs/a320ce8e6e2cc6b4397eef214d202a50a4583829' (2025-11-24) → 'github:NixOS/nixpkgs/826430a188181a750ffa5948daff334039c5d741' (2026-03-18) --- flake.lock | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/flake.lock b/flake.lock index 06a3d59..5799be2 100644 --- a/flake.lock +++ b/flake.lock 
@@ -19,11 +19,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1761588595, - "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", + "lastModified": 1767039857, + "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", "owner": "edolstra", "repo": "flake-compat", - "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", "type": "github" }, "original": { @@ -45,11 +45,11 @@ ] }, "locked": { - "lastModified": 1763319842, - "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=", + "lastModified": 1772893680, + "narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761", + "rev": "8baab586afc9c9b57645a734c820e4ac0a604af9", "type": "github" }, "original": { @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1770802195, - "narHash": "sha256-vabHY4acHLmaB7Ak9FKzk2wSEKhAS/yXL7SBySB/S5U=", + "lastModified": 1774874205, + "narHash": "sha256-VE0in9sSq+lG7CnUuTmTDN40x9yro31jbbKf278KfEI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "08ebc444a070153227d6f45acf979f4d5f1f97f9", + "rev": "56ed9a39b84feaee9624111dc86869d19f4c22f3", "type": "github" }, "original": { @@ -134,11 +134,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1770824979, - "narHash": "sha256-OedDmV9we3oOdiz9xjLiQCajwRa8WWcE/rOF3y/VlVc=", + "lastModified": 1774901935, + "narHash": "sha256-fOCFYA0KrRAFyktwwkDXCSwaBRKu3iGS1ohC0oW7Ge0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8605a9be3795437e3717dab6c542d2d571369e70", + "rev": "98ce05a593c5d9655ddbd09fd81f7679381b5392", "type": "github" }, "original": { 
@@ -150,11 +150,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1770818322, - "narHash": "sha256-tttCN+yrhM7svQW6DqtS3JV9POrRJAaS/e0xuUHBTEM=", + "lastModified": 1774890975, + "narHash": "sha256-pj6ACZ2cgiTPTlJ/QgXmJxREsP41m8bHZ41aNr3nK1g=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d9ca3a4b73f19ea147c9d977d3dde8f612ac648f", + "rev": "318977b8e175faba256cb35e0ca6810c7d87edf2", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1764020296, - "narHash": "sha256-6zddwDs2n+n01l+1TG6PlyokDdXzu/oBmEejcH5L5+A=", + "lastModified": 1773831496, + "narHash": "sha256-JW2/QPyCVzmouqEp1H9kNa8JXd7xEhlam9sy3TYfhDY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a320ce8e6e2cc6b4397eef214d202a50a4583829", + "rev": "826430a188181a750ffa5948daff334039c5d741", "type": "github" }, "original": { @@ -197,11 +197,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1766537863, - "narHash": "sha256-HEt+wbazRgJYeY+lgj65bxhPyVc4x7NEB2bs5NU6DF8=", + "lastModified": 1773912645, + "narHash": "sha256-QHzRqq6gh+t3F/QU9DkP7X63dDDcuIQmaDz12p7ANTg=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "23f0a53ca6e58e61e1ea2b86791c69b79c91656d", + "rev": "25e6dbb8fca3b6e779c5a46fd03bd760b2165bb5", "type": "gitlab" }, "original": { From 39be09bb6b3b2142f770ba394f79057afe886b13 Mon Sep 17 00:00:00 2001 
From: fi Date: Fri, 3 Apr 2026 22:51:49 +0200 Subject: [PATCH 11/16] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/56ed9a39b84feaee9624111dc86869d19f4c22f3' (2026-03-30) → 'github:NixOS/nixpkgs/0aecba5a03727e1ac2d66378907d9a6e9c8266d0' (2026-04-03) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/98ce05a593c5d9655ddbd09fd81f7679381b5392' (2026-03-30) → 'github:NixOS/nixpkgs/942d1c86a6642bff0c4a440d30a7669a7a18a903' (2026-04-03) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/318977b8e175faba256cb35e0ca6810c7d87edf2' (2026-03-30) → 'github:NixOS/nixpkgs/0eac666efaa8a9afea2821f9efc7921b4ef39b4e' (2026-04-03) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 5799be2..895cec4 100644 --- a/flake.lock +++ b/flake.lock @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1774874205, - "narHash": "sha256-VE0in9sSq+lG7CnUuTmTDN40x9yro31jbbKf278KfEI=", + "lastModified": 1775189162, + "narHash": "sha256-fjEpcsJ0KDZ363xd+3OhOGq3AC1juI23Xas548ZPZEk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "56ed9a39b84feaee9624111dc86869d19f4c22f3", + "rev": "0aecba5a03727e1ac2d66378907d9a6e9c8266d0", "type": "github" }, "original": { @@ -134,11 +134,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1774901935, - "narHash": "sha256-fOCFYA0KrRAFyktwwkDXCSwaBRKu3iGS1ohC0oW7Ge0=", + "lastModified": 1775248990, + "narHash": "sha256-H/G80K7f3ZrPP8PAmSCG/pJh59zMscPA6UaiWdKgTdg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "98ce05a593c5d9655ddbd09fd81f7679381b5392", + "rev": "942d1c86a6642bff0c4a440d30a7669a7a18a903", "type": "github" }, "original": { 
@@ -150,11 +150,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1774890975, - "narHash": "sha256-pj6ACZ2cgiTPTlJ/QgXmJxREsP41m8bHZ41aNr3nK1g=", + "lastModified": 1775231746, + "narHash": "sha256-EFaDQ0rnuSjKfC/DUKHS4toV4rEBuWhSgyX2Yy0kp00=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "318977b8e175faba256cb35e0ca6810c7d87edf2", + "rev": "0eac666efaa8a9afea2821f9efc7921b4ef39b4e", "type": "github" }, "original": { From 5e2c28fd13670aeb9d8f51db9aaa2a5d3ee3066a Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 3 Apr 2026 22:55:02 +0200 Subject: [PATCH 12/16] Update mastodon to 4.5.8 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 06d516d..dcb2498 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -16,14 +16,14 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.5.6"; + version = "4.5.8"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-m2LDNyv2jxsp5zPKOfQWvtBG8bD8iuBWBEoz+L0OvNk="; + sha256 = "sha256-03PdAB9KOvMgQJPx+7ik13QE18fjdLIab7zEXaPc4nk="; }; # mastodon ships with broken symlinks, disable the check for that for now dontCheckForBrokenSymlinks = true; From 051571d200c9baf235d61ca51704a3cbd4f32a38 Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 4 Apr 2026 00:02:07 +0200 Subject: [PATCH 13/16] Add default grafana secret key for metrics-nekomesh --- config/hosts/metrics-nekomesh/grafana.nix | 1 + config/hosts/metrics-nekomesh/secrets.nix | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/config/hosts/metrics-nekomesh/grafana.nix b/config/hosts/metrics-nekomesh/grafana.nix index 7697748..8c4255d 100644 --- a/config/hosts/metrics-nekomesh/grafana.nix 
+++ b/config/hosts/metrics-nekomesh/grafana.nix @@ -13,6 +13,7 @@ admin_user = "admin"; admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}"; admin_email = "fi@nekover.se"; + secret_key = "$__file{/secrets/metrics-nekomesh-grafana-secret-key.secret}"; }; smtp = { enabled = true; diff --git a/config/hosts/metrics-nekomesh/secrets.nix b/config/hosts/metrics-nekomesh/secrets.nix index ef6bcec..8014354 100644 --- a/config/hosts/metrics-nekomesh/secrets.nix +++ b/config/hosts/metrics-nekomesh/secrets.nix @@ -17,6 +17,14 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "metrics-nekomesh-grafana-secret-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/secret-key" ]; + destDir = "/secrets"; + user = "grafana"; + group = "grafana"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; "mail-nekomesh-nekover-se.secret" = { keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ]; destDir = "/secrets"; From d793308ebef77258c7a0f7cc2718a28971d0e9b3 Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 4 Apr 2026 00:38:54 +0200 Subject: [PATCH 14/16] Add stardew ssh key --- config/users/colmena-deploy/default.nix | 1 + config/users/fi/default.nix | 1 + config/users/yuri/default.nix | 1 + 3 files changed, 3 insertions(+) diff --git a/config/users/colmena-deploy/default.nix b/config/users/colmena-deploy/default.nix index cc4029b..2ebb9a8 100644 --- a/config/users/colmena-deploy/default.nix +++ b/config/users/colmena-deploy/default.nix @@ -8,6 +8,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew" ]; }; } 
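Review bot: Setting `secret_key` explicitly is the right move because Grafana's built-in default value is public, but per Grafana's documentation this key is also what encrypts stored data-source secrets, so on an instance that already holds encrypted credentials in its database, changing it makes those unreadable until they are re-entered or re-encrypted; the commit title ("default ... secret key") does not say whether metrics-nekomesh is a fresh instance, so that should be confirmed before deploying. A short comment on the new line would preserve that caveat for the next rotation: `# Also encrypts stored datasource secrets; rotating it requires re-encrypting them (see Grafana docs).` The enclosing `security` attrset starts outside this hunk.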
diff --git a/config/users/fi/default.nix b/config/users/fi/default.nix index 6aed7cf..54881d6 100644 --- a/config/users/fi/default.nix +++ b/config/users/fi/default.nix @@ -8,6 +8,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE95OjEez/yE+GIaeIoz3OwkXboLboPY4ss9nkt4FLyW fi@kiara" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew" ]; }; } diff --git a/config/users/yuri/default.nix b/config/users/yuri/default.nix index 4b2b8ac..f4ca1c7 100644 --- a/config/users/yuri/default.nix +++ b/config/users/yuri/default.nix @@ -7,6 +7,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew" ]; }; } From 654a8459ebbbbc49eccdc5b4ea4c7ff4b382e16d Mon Sep 17 00:00:00 2001 
From: fi Date: Sun, 5 Apr 2026 18:31:16 +0200 Subject: [PATCH 15/16] Route IPv6 traffic via valkyrie --- config/hosts/forgejo/nginx.nix | 3 ++- config/hosts/hydra/nginx.nix | 6 +++-- config/hosts/ikiwiki/nginx.nix | 3 ++- config/hosts/keycloak/nginx.nix | 3 ++- config/hosts/mastodon/nginx.nix | 3 ++- config/hosts/matrix/nginx.nix | 9 ++++--- config/hosts/metrics-nekomesh/nginx.nix | 3 ++- config/hosts/nextcloud/nextcloud.nix | 3 ++- config/hosts/searx/nginx.nix | 3 ++- config/hosts/valkyrie/nginx.nix | 26 +++++++++++++++++++ config/hosts/web-public-2/nginx.nix | 1 - .../virtualHosts/element-admin.nekover.se.nix | 5 ++-- .../virtualHosts/element.nekover.se.nix | 5 ++-- .../web-public-2/virtualHosts/nekover.se.nix | 3 ++- 14 files changed, 58 insertions(+), 18 deletions(-) diff --git a/config/hosts/forgejo/nginx.nix b/config/hosts/forgejo/nginx.nix index 6df90b1..3602209 100644 --- a/config/hosts/forgejo/nginx.nix +++ b/config/hosts/forgejo/nginx.nix @@ -29,7 +29,8 @@ }; extraConfig = '' - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix index 5a15fe1..9aadd25 100644 --- a/config/hosts/hydra/nginx.nix +++ b/config/hosts/hydra/nginx.nix @@ -16,7 +16,8 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; @@ -33,7 +34,8 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/ikiwiki/nginx.nix b/config/hosts/ikiwiki/nginx.nix index 4bbcf0a..9f6462e 100644 
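Review bot: The pair `set_real_ip_from 10.202.41.100;` / `set_real_ip_from 10.203.10.3;` followed by `real_ip_header proxy_protocol;` is now copy-pasted, with the trusted-proxy list hard-coded, into roughly a dozen virtual hosts across this patch; the next time an edge host is added or renumbered every file has to be touched again, and a missed one silently logs the proxy's address as the client and defeats any IP-based controls behind it. Consider defining the list once (for example a `trustedProxyProtocolSources` list in a shared module that renders these lines) and interpolating it into each `extraConfig`. The "IPv4 from web-public-2" / "IPv6 from valkyrie" comments added here are useful and should move with that shared definition. The enclosing virtualHost attrset starts outside this hunk.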
--- a/config/hosts/ikiwiki/nginx.nix +++ b/config/hosts/ikiwiki/nginx.nix @@ -39,7 +39,8 @@ in }; }; extraConfig = '' - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/keycloak/nginx.nix b/config/hosts/keycloak/nginx.nix index c82597d..e9b46cd 100644 --- a/config/hosts/keycloak/nginx.nix +++ b/config/hosts/keycloak/nginx.nix @@ -27,7 +27,8 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; add_header Strict-Transport-Security "max-age=63072000" always; diff --git a/config/hosts/mastodon/nginx.nix b/config/hosts/mastodon/nginx.nix index 72aec08..02a0d0a 100644 --- a/config/hosts/mastodon/nginx.nix +++ b/config/hosts/mastodon/nginx.nix @@ -57,7 +57,8 @@ }; extraConfig = '' - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index f4ddec6..c9548b2 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix @@ -51,7 +51,8 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; @@ -80,7 +81,8 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; 
@@ -103,7 +105,8 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/metrics-nekomesh/nginx.nix b/config/hosts/metrics-nekomesh/nginx.nix index e2fc483..a754cb6 100644 --- a/config/hosts/metrics-nekomesh/nginx.nix +++ b/config/hosts/metrics-nekomesh/nginx.nix @@ -23,7 +23,8 @@ proxyWebsockets = true; }; extraConfig = '' - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix index 88b842a..f27c9a6 100644 --- a/config/hosts/nextcloud/nextcloud.nix +++ b/config/hosts/nextcloud/nextcloud.nix @@ -44,7 +44,8 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/searx/nginx.nix b/config/hosts/searx/nginx.nix index a84c171..9283018 100644 --- a/config/hosts/searx/nginx.nix +++ b/config/hosts/searx/nginx.nix @@ -21,7 +21,8 @@ proxyPass = "http://${config.services.searx.settings.server.bind_address}:${builtins.toString config.services.searx.settings.server.port}"; }; extraConfig = '' - set_real_ip_from 10.202.41.100; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix index fae78f0..dae48ad 100644 --- a/config/hosts/valkyrie/nginx.nix +++ b/config/hosts/valkyrie/nginx.nix 
@@ -33,5 +33,31 @@ }; }; }; + + streamConfig = '' + map $ssl_preread_server_name $address { + cloud.nekover.se 10.202.41.122:8443; + element.nekover.se 10.202.41.100:8443; + element-admin.nekover.se 10.202.41.100:8443; + fi.nekover.se 10.202.41.125:8443; + git.nekover.se 10.202.41.106:8443; + hydra.nekover.se 10.202.41.121:8443; + id.nekover.se 10.202.41.124:8443; + mas.nekover.se 10.202.41.112:8443; + matrix.nekover.se 10.202.41.112:8443; + matrix-rtc.nekover.se 10.202.41.112:8443; + mesh.nekover.se 10.202.41.126:8443; + nekover.se 10.202.41.100:8443; + nix-cache.nekover.se 10.202.41.121:8443; + searx.nekover.se 10.202.41.105:8443; + social.nekover.se 10.202.41.104:8443; + } + server { + listen [::]:443; + proxy_pass $address; + ssl_preread on; + proxy_protocol on; + } + ''; }; } diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 066f3d2..45e48f8 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -38,7 +38,6 @@ } server { listen 0.0.0.0:443; - listen [::]:443; proxy_pass $address; ssl_preread on; proxy_protocol on; diff --git a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix index 69c3a9a..d6af438 100644 --- a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix @@ -37,7 +37,7 @@ in enableACME = true; listen = [{ - addr = "localhost"; + addr = "0.0.0.0"; port = 8443; ssl = true; extraParameters = ["proxy_protocol"]; 
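Review bot: The backends in the earlier hunks trust PROXY-protocol headers only from 10.203.10.3, but this stream `server` block does not pin its upstream source address, so whether the realip trust actually matches depends on valkyrie's routing rather than on this configuration; adding `proxy_bind 10.203.10.3;` to the `server` block makes the assumption explicit (assuming that address belongs to valkyrie, which this patch states only in comments). The `map` has no `default`, so a connection with an unknown or absent SNI gets an empty `$address` and is closed, which is the right behaviour here but deserves a one-line comment above the `map` so nobody later "fixes" it into a catch-all. This host-to-backend table is now maintained in two places (here and web-public-2/nginx.nix); building both `map` bodies from one shared Nix attrset would keep them from drifting.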
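Review bot: Changing the listen address from `localhost` to `0.0.0.0` binds element-admin's TLS+PROXY listener on every interface of web-public-2, including its public one, where before it was reachable only through the local stream proxy; this patch does not show the host's firewall, so unless 8443 is filtered there the admin UI becomes directly reachable from the internet, bypassing the SNI router (a direct client must supply its own PROXY header, which realip ignores for untrusted sources, but the vhost still serves the request). Valkyrie only needs the internal address, which its new stream map gives as 10.202.41.100, so `addr = "10.202.41.100";` is sufficient here, with the web-public-2 stream map then pointing `element-admin.nekover.se` at `10.202.41.100:8443` instead of `127.0.0.1:8443` (or a second listen entry kept for 127.0.0.1). The element.nekover.se listen change in a later hunk has the same exposure. The enclosing virtualHost attrset continues outside this hunk.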
@@ -86,7 +86,8 @@ in # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. - set_real_ip_from 127.0.0.1; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 74b7820..6e61d6c 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -28,7 +28,7 @@ in ]; }; listen = [{ - addr = "localhost"; + addr = "0.0.0.0"; port = 8443; ssl = true; extraParameters = ["proxy_protocol"]; @@ -60,7 +60,8 @@ in # redirect server error pages to the static page /50x.html error_page 500 502 503 504 /50x.html; - set_real_ip_from 127.0.0.1; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index 40ee30d..233a49c 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix @@ -23,7 +23,8 @@ ''; }; extraConfig = '' - set_real_ip_from 127.0.0.1; + set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 + set_real_ip_from 10.203.10.3; # IPv6 from valkyrie real_ip_header proxy_protocol; ''; }; From 44215ecfc92054f69f230348071b01639eb050b8 Mon Sep 17 00:00:00 2001 
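Review bot: Dropping `set_real_ip_from 127.0.0.1;` breaks client-IP recovery on the IPv4 path for this vhost: web-public-2's own stream proxy still forwards `element-admin.nekover.se` to `127.0.0.1:8443` (visible as unchanged context in the later web-public-2/nginx.nix hunk of this series), so those PROXY headers arrive from 127.0.0.1, which is no longer a trusted source, and `$remote_addr` will be 127.0.0.1 for every IPv4 client in access logs and any IP-based controls. Keep the loopback entry alongside the two new ones: `set_real_ip_from 127.0.0.1; # IPv4 from the local stream proxy on this host`. The element.nekover.se and nekover.se hunks below make the same change and need the same line. The enclosing `extraConfig` string starts outside this hunk.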
From: fi Date: Sun, 5 Apr 2026 23:59:35 +0200 Subject: [PATCH 16/16] Remove obsolete configuration --- config/hosts/navidrome/configuration.nix | 33 ------------------- config/hosts/navidrome/default.nix | 7 ---- config/hosts/navidrome/navidrome.nix | 9 ----- config/hosts/navidrome/nginx.nix | 24 -------------- config/hosts/navidrome/secrets.nix | 13 -------- config/hosts/netbox/configuration.nix | 17 ---------- config/hosts/netbox/default.nix | 8 ----- config/hosts/netbox/netbox.nix | 8 ----- config/hosts/netbox/nginx.nix | 29 ---------------- config/hosts/netbox/secrets.nix | 11 ------- config/hosts/nitter/configuration.nix | 17 ---------- config/hosts/nitter/default.nix | 8 ----- config/hosts/nitter/nginx.nix | 23 ------------- config/hosts/nitter/nitter.nix | 21 ------------ config/hosts/paperless/configuration.nix | 17 ---------- config/hosts/paperless/default.nix | 9 ----- .../paperless/hardware-configuration.nix | 30 ----------------- config/hosts/paperless/nginx.nix | 31 ----------------- config/hosts/paperless/paperless.nix | 8 ----- config/hosts/paperless/secrets.nix | 21 ------------ config/hosts/web-public-1/configuration.nix | 17 ---------- config/hosts/web-public-1/default.nix | 7 ---- config/hosts/web-public-1/nginx.nix | 10 ------ .../virtualHosts/acme-challenge.nix | 18 ---------- .../web-public-1/virtualHosts/default.nix | 16 --------- config/hosts/web-public-2/nginx.nix | 4 --- .../virtualHosts/anisync.grzb.de.nix | 23 ------------- .../web-public-2/virtualHosts/default.nix | 4 --- .../virtualHosts/gameserver.grzb.de.nix | 28 ---------------- .../web-public-2/virtualHosts/git.grzb.de.nix | 30 ----------------- .../virtualHosts/mewtube.nekover.se.nix | 20 ----------- 31 files changed, 521 deletions(-) delete mode 100644 config/hosts/navidrome/configuration.nix delete mode 100644 config/hosts/navidrome/default.nix delete mode 100644 config/hosts/navidrome/navidrome.nix delete mode 100644 config/hosts/navidrome/nginx.nix delete mode 100644 
config/hosts/navidrome/secrets.nix delete mode 100644 config/hosts/netbox/configuration.nix delete mode 100644 config/hosts/netbox/default.nix delete mode 100644 config/hosts/netbox/netbox.nix delete mode 100644 config/hosts/netbox/nginx.nix delete mode 100644 config/hosts/netbox/secrets.nix delete mode 100644 config/hosts/nitter/configuration.nix delete mode 100644 config/hosts/nitter/default.nix delete mode 100644 config/hosts/nitter/nginx.nix delete mode 100644 config/hosts/nitter/nitter.nix delete mode 100644 config/hosts/paperless/configuration.nix delete mode 100644 config/hosts/paperless/default.nix delete mode 100644 config/hosts/paperless/hardware-configuration.nix delete mode 100644 config/hosts/paperless/nginx.nix delete mode 100644 config/hosts/paperless/paperless.nix delete mode 100644 config/hosts/paperless/secrets.nix delete mode 100644 config/hosts/web-public-1/configuration.nix delete mode 100644 config/hosts/web-public-1/default.nix delete mode 100644 config/hosts/web-public-1/nginx.nix delete mode 100644 config/hosts/web-public-1/virtualHosts/acme-challenge.nix delete mode 100644 config/hosts/web-public-1/virtualHosts/default.nix delete mode 100644 config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix delete mode 100644 config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix delete mode 100644 config/hosts/web-public-2/virtualHosts/git.grzb.de.nix delete mode 100644 config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix diff --git a/config/hosts/navidrome/configuration.nix b/config/hosts/navidrome/configuration.nix deleted file mode 100644 index 581a631..0000000 --- a/config/hosts/navidrome/configuration.nix +++ /dev/null 
@@ -1,33 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "navidrome"; - firewall = { - enable = true; - allowedTCPPorts = [ 80 443 ]; - }; - }; - - fileSystems = { - "/mnt/music" = { - device = "//10.202.40.5/music-ro"; - fsType = "cifs"; - options = [ - "username=navidrome" - "credentials=/secrets/navidrome-samba-credentials.secret" - "iocharset=utf8" - "vers=3.1.1" - "uid=navidrome" - "gid=navidrome" - "_netdev" - ]; - }; - }; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/navidrome/default.nix b/config/hosts/navidrome/default.nix deleted file mode 100644 index 00d4a90..0000000 --- a/config/hosts/navidrome/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: { - imports = [ - ./configuration.nix - ./navidrome.nix - ./nginx.nix - ]; -} diff --git a/config/hosts/navidrome/navidrome.nix b/config/hosts/navidrome/navidrome.nix deleted file mode 100644 index 74e3a1d..0000000 --- a/config/hosts/navidrome/navidrome.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ ... }: { - services.navidrome = { - enable = true; - settings = { - Address = "unix:/run/navidrome/navidrome.socket"; - MusicFolder = "/mnt/music"; - }; - }; -} diff --git a/config/hosts/navidrome/nginx.nix b/config/hosts/navidrome/nginx.nix deleted file mode 100644 index eef60dd..0000000 --- a/config/hosts/navidrome/nginx.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ ... }: { - services.nginx = { - enable = true; - user = "navidrome"; - virtualHosts."navidrome.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - ]; - locations."/" = { - proxyPass = "http://unix:/run/navidrome/navidrome.socket"; - }; - }; - }; -} diff --git a/config/hosts/navidrome/secrets.nix b/config/hosts/navidrome/secrets.nix deleted file mode 100644 index a11e957..0000000 --- a/config/hosts/navidrome/secrets.nix +++ /dev/null 
@@ -1,13 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "navidrome-samba-credentials.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "navidrome/samba-credentials" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix deleted file mode 100644 index 5bf8422..0000000 --- a/config/hosts/netbox/configuration.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "netbox"; - firewall = { - enable = true; - allowedTCPPorts = [ 80 443 ]; - }; - }; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix deleted file mode 100644 index 5dd147b..0000000 --- a/config/hosts/netbox/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ./netbox.nix - ./nginx.nix - ]; -} diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix deleted file mode 100644 index b9ba2ad..0000000 --- a/config/hosts/netbox/netbox.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ pkgs, ... }: -{ - services.netbox = { - enable = true; - package = pkgs.netbox; - secretKeyFile = "/secrets/netbox-secret-key.secret"; - }; -} diff --git a/config/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix deleted file mode 100644 index a2d1782..0000000 --- a/config/hosts/netbox/nginx.nix +++ /dev/null 
@@ -1,29 +0,0 @@ -{ config, ... }: -{ - services.nginx = { - enable = true; - clientMaxBodySize = "25m"; - user = "netbox"; - virtualHosts."netbox.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - ]; - locations."/static/" = { - alias = "${config.services.netbox.dataDir}/static/"; - }; - locations."/" = { - proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}"; - }; - }; - }; -} diff --git a/config/hosts/netbox/secrets.nix b/config/hosts/netbox/secrets.nix deleted file mode 100644 index 216aca4..0000000 --- a/config/hosts/netbox/secrets.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys."netbox-secret-key.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ]; - destDir = "/secrets"; - user = "netbox"; - group = "netbox"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; -} diff --git a/config/hosts/nitter/configuration.nix b/config/hosts/nitter/configuration.nix deleted file mode 100644 index bc54db7..0000000 --- a/config/hosts/nitter/configuration.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "nitter"; - firewall = { - enable = true; - allowedTCPPorts = [ 8443 ]; - }; - }; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/nitter/default.nix b/config/hosts/nitter/default.nix deleted file mode 100644 index 6aae884..0000000 --- a/config/hosts/nitter/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ./nginx.nix - ./nitter.nix - ]; -} diff --git a/config/hosts/nitter/nginx.nix b/config/hosts/nitter/nginx.nix deleted file mode 100644 index 862405c..0000000 --- a/config/hosts/nitter/nginx.nix +++ /dev/null 
@@ -1,23 +0,0 @@ -{ config, ... }: -{ - services.nginx = { - enable = true; - virtualHosts."birdsite.nekover.se" = { - forceSSL = true; - enableACME = true; - locations."/robots.txt" = { - return = "200 \"User-agent: *\\nDisallow: /\\n\""; - }; - locations."/" = { - proxyPass = "http://${config.services.nitter.server.address}:${builtins.toString config.services.nitter.server.port}"; - proxyWebsockets = true; - }; - extraConfig = '' - listen 0.0.0.0:8443 http2 ssl proxy_protocol; - - set_real_ip_from 10.202.41.100; - real_ip_header proxy_protocol; - ''; - }; - }; -} diff --git a/config/hosts/nitter/nitter.nix b/config/hosts/nitter/nitter.nix deleted file mode 100644 index 94165c4..0000000 --- a/config/hosts/nitter/nitter.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ ... }: -{ - services.nitter = { - enable = true; - - server = { - title = "Birdsite"; - https = true; - address = "127.0.0.1"; - port = 8080; - hostname = "birdsite.nekover.se"; - }; - - preferences = { - theme = "Mastodon"; - replaceTwitter = "birdsite.nekover.se"; - infiniteScroll = true; - hlsPlayback = true; - }; - }; -} diff --git a/config/hosts/paperless/configuration.nix b/config/hosts/paperless/configuration.nix deleted file mode 100644 index 494f08c..0000000 --- a/config/hosts/paperless/configuration.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "paperless"; - firewall = { - enable = true; - allowedTCPPorts = [ 80 443 ]; - }; - }; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/paperless/default.nix b/config/hosts/paperless/default.nix deleted file mode 100644 index e6ebeed..0000000 --- a/config/hosts/paperless/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ./hardware-configuration.nix - ./nginx.nix - ./paperless.nix - ]; -} 
diff --git a/config/hosts/paperless/hardware-configuration.nix b/config/hosts/paperless/hardware-configuration.nix deleted file mode 100644 index 17b9b66..0000000 --- a/config/hosts/paperless/hardware-configuration.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ ... }: -{ - fileSystems = { - "/mnt/data" = { - device = "/dev/disk/by-label/data"; - fsType = "ext4"; - autoFormat = true; - autoResize = true; - }; - "/mnt/paperless-consume" = { - device = "//10.201.40.10/paperless-consume"; - fsType = "cifs"; - options = [ - "username=paperless" - "credentials=/secrets/paperless-samba-credentials.secret" - "iocharset=utf8" - "vers=3.1.1" - "uid=paperless" - "gid=paperless" - "_netdev" - ]; - }; - "/var/lib/paperless" = { - depends = [ "/mnt/data" ]; - device = "/mnt/data/paperless"; - fsType = "none"; - options = [ "bind" ]; - }; - }; -} diff --git a/config/hosts/paperless/nginx.nix b/config/hosts/paperless/nginx.nix deleted file mode 100644 index e4a2131..0000000 --- a/config/hosts/paperless/nginx.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ config, ... }: -{ - services.nginx = { - enable = true; - virtualHosts."paperless.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - ]; - locations."/" = { - proxyPass = "http://${config.services.paperless.address}:${builtins.toString config.services.paperless.port}"; - proxyWebsockets = true; - extraConfig = '' - add_header Referrer-Policy "strict-origin-when-cross-origin"; - ''; - }; - extraConfig = '' - client_max_body_size 100M; - ''; - }; - }; -} diff --git a/config/hosts/paperless/paperless.nix b/config/hosts/paperless/paperless.nix deleted file mode 100644 index 1def83d..0000000 --- a/config/hosts/paperless/paperless.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ ... }: -{ - services.paperless = { - enable = true; - consumptionDir = "/mnt/paperless-consume"; - passwordFile = "/secrets/paperless-admin-password.secret"; - }; -} 
diff --git a/config/hosts/paperless/secrets.nix b/config/hosts/paperless/secrets.nix deleted file mode 100644 index 6726881..0000000 --- a/config/hosts/paperless/secrets.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "paperless-admin-password.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "paperless/admin-password" ]; - destDir = "/secrets"; - user = "paperless"; - group = "paperless"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "paperless-samba-credentials.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "paperless/samba-credentials" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/web-public-1/configuration.nix b/config/hosts/web-public-1/configuration.nix deleted file mode 100644 index 7f3b8fa..0000000 --- a/config/hosts/web-public-1/configuration.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ ... }: -{ - boot.loader.grub = { - enable = true; - device = "/dev/vda"; - }; - - networking = { - hostName = "web-public-1"; - firewall = { - enable = true; - allowedTCPPorts = [ 80 443 ]; - }; - }; - - system.stateVersion = "23.05"; -} diff --git a/config/hosts/web-public-1/default.nix b/config/hosts/web-public-1/default.nix deleted file mode 100644 index 3db73ca..0000000 --- a/config/hosts/web-public-1/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: -{ - imports = [ - ./configuration.nix - ./nginx.nix - ]; -} diff --git a/config/hosts/web-public-1/nginx.nix b/config/hosts/web-public-1/nginx.nix deleted file mode 100644 index 0453a73..0000000 --- a/config/hosts/web-public-1/nginx.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: -{ - imports = [ - ./virtualHosts - ]; - - services.nginx = { - enable = true; - }; -} diff --git a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix deleted file mode 100644 index c9b7e61..0000000 
--- a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ ... }: -let - acmeDomainMap = { - "paperless.grzb.de" = "paperless.wg.grzb.de"; - "navidrome.grzb.de" = "navidrome.wg.grzb.de"; - }; -in -{ - services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."^~ /.well-known/acme-challenge/" = { - proxyPass = "http://${target}:80"; - }; - }) acmeDomainMap); -} diff --git a/config/hosts/web-public-1/virtualHosts/default.nix b/config/hosts/web-public-1/virtualHosts/default.nix deleted file mode 100644 index e191a9c..0000000 --- a/config/hosts/web-public-1/virtualHosts/default.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ ... }: -{ - imports = [ - ./acme-challenge.nix - ]; - - services.nginx.virtualHosts."_" = { - listen = [{ - addr = "0.0.0.0"; - port = 80; - }]; - locations."/" = { - return = "301 https://$host$request_uri"; - }; - }; -} diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 45e48f8..1e51d61 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -16,20 +16,16 @@ stream { map $ssl_preread_server_name $address { - anisync.grzb.de 127.0.0.1:8443; cloud.nekover.se 10.202.41.122:8443; element.nekover.se 127.0.0.1:8443; element-admin.nekover.se 127.0.0.1:8443; fi.nekover.se 10.202.41.125:8443; - gameserver.grzb.de 127.0.0.1:8443; - git.grzb.de 127.0.0.1:8443; git.nekover.se 10.202.41.106:8443; hydra.nekover.se 10.202.41.121:8443; id.nekover.se 10.202.41.124:8443; mas.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443; matrix-rtc.nekover.se 10.202.41.112:8443; - mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; mesh.nekover.se 10.202.41.126:8443; nix-cache.nekover.se 10.202.41.121:8443; 
diff --git a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix deleted file mode 100644 index 9a3950a..0000000 --- a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ ... }: -{ - services.nginx.virtualHosts."anisync.grzb.de" = { - forceSSL = true; - enableACME = true; - listen = [{ - addr = "localhost"; - port = 8443; - ssl = true; - extraParameters = ["proxy_protocol"]; - }]; - locations."/" = { - proxyPass = "http://anisync.vs.grzb.de:8080"; - proxyWebsockets = true; - }; - extraConfig = '' - add_header X-Content-Type-Options nosniff; - - set_real_ip_from 127.0.0.1; - real_ip_header proxy_protocol; - ''; - }; -} diff --git a/config/hosts/web-public-2/virtualHosts/default.nix b/config/hosts/web-public-2/virtualHosts/default.nix index 445a087..fc2b409 100644 --- a/config/hosts/web-public-2/virtualHosts/default.nix +++ b/config/hosts/web-public-2/virtualHosts/default.nix @@ -2,12 +2,8 @@ { imports = [ ./acme-challenge.nix - ./anisync.grzb.de.nix ./element.nekover.se.nix ./element-admin.nekover.se.nix - ./gameserver.grzb.de.nix - ./git.grzb.de.nix - ./mewtube.nekover.se.nix ./nekover.se.nix ]; diff --git a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix deleted file mode 100644 index c746f3d..0000000 --- a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix +++ /dev/null 
@@ -1,28 +0,0 @@
-{ ... }:
-{
- services.nginx.virtualHosts."gameserver.grzb.de" = {
- forceSSL = true;
- enableACME = true;
- listen = [{
- addr = "localhost";
- port = 8443;
- ssl = true;
- extraParameters = ["proxy_protocol"];
- }];
- locations."/" = {
- proxyPass = "http://pterodactyl.vs.grzb.de";
- extraConfig = ''
- proxy_redirect off;
- proxy_buffering off;
- proxy_request_buffering off;
- '';
- };
- extraConfig = ''
- client_max_body_size 1024m;
- add_header X-Content-Type-Options nosniff;
-
- set_real_ip_from 127.0.0.1;
- real_ip_header proxy_protocol;
- '';
- };
-}
diff --git a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
deleted file mode 100644
index ac9eefb..0000000
--- a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ ... }:
-{
- services.nginx.virtualHosts."git.grzb.de" = {
- forceSSL = true;
- enableACME = true;
- listen = [{
- addr = "localhost";
- port = 8443;
- ssl = true;
- extraParameters = ["proxy_protocol"];
- }];
- locations."/" = {
- proxyPass = "http://gitlab.vs.grzb.de:80";
- extraConfig = ''
- gzip off;
- proxy_read_timeout 300;
- proxy_connect_timeout 300;
- proxy_redirect off;
- '';
- };
- extraConfig = ''
- client_max_body_size 1024m;
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
-
- set_real_ip_from 127.0.0.1;
- real_ip_header proxy_protocol;
- '';
- };
-}
diff --git a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
deleted file mode 100644
index 1ab842a..0000000
--- a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ ... }:
-{
- services.nginx.virtualHosts."mewtube.nekover.se" = {
- forceSSL = true;
- enableACME = true;
- listen = [{
- addr = "localhost";
- port = 8443;
- ssl = true;
- extraParameters = ["proxy_protocol"];
- }];
- locations."/" = {
- proxyPass = "http://cloudtube.vs.grzb.de:10412";
- };
- extraConfig = ''
- set_real_ip_from 127.0.0.1;
- real_ip_header proxy_protocol;
- '';
- };
-}
