diff --git a/.sops.yaml b/.sops.yaml deleted file mode 100644 index b5d0211..0000000 --- a/.sops.yaml +++ /dev/null @@ -1,96 +0,0 @@ -keys: - - &admin_age_fi age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - &host_age_coturn age1vnrtarxwmqxflh2sxe2s49ldfzkve268hx62x4ltv38h3emv8dqspu028l - - &host_age_forgejo age1d5y8dx3e8pksvxr8fv8f02v0y7qg7kuwpxpmxksp7xlvrcpfju5sdz6guk - - &host_age_ikiwiki age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0 - - &host_age_jellyfin age10huhyn3va02zjysyanf8fd6lpfvjv3k3u6qymanz9jtcmfp3kqfskth7yt - - &host_age_keycloak age15kluaw2krucmc0j98zfk0s5tkwqer0ax6jva458zukzrgnqjqc9q7s88yd - - &host_age_lifeline age1pmx78vda0c2qnn8epvkavl26e2939uj65608fdq959ds60d58ucsqwxsua - - &host_age_mail-1 age1hny8kwx0uymselgas25q558ruxxdv7lgtu9d5rnd6x9w3nysk4zqumzzrp - - &host_age_mastodon age1r60mmmeulm33h0trc0y870dml5hzhglyjv4wecyjy2858pg8u47s793r30 - - &host_age_matrix age1g60l5mu08xrwfw7uptwcwde8kp9dacs4ltqv2ndjskpy8z5sqakqssxxq5 - - &host_age_metrics age1lrtengtdc0nzpagr8fkp5mwqda66jqr0s2h3wsxcdscmalp8n3js3r0e3n - - &host_age_metrics-nekomesh age1rh7zgp445t39c7tmh84r30e9edju8gmtn84u7rjwhmyntzkugucq5x0xse - - &host_age_nextcloud age1lvlmct30jtg7p4qpf8evtjlld6g74q2ckh803hd3ynr7cz7zlceq84flwu - - &host_age_searx age17h3js5v8s5vezcankky6kqxcrvtfxanmvhp3axmnqs4y9s2lr9yqvc6zrn - - &host_age_torrent age1m37wtvp7fpavaygn2jc6kq2gtuvgvf0jgwwhd3p5862djv5segqs97mg7c - - &host_age_valkyrie age1guqc5pnajp2whkla6vws4yqnpe5hq4z89w6te3n5yql5pugzfqlqczjlee -creation_rules: - - path_regex: config/hosts/coturn/.* - key_groups: - - age: - - *admin_age_fi - - *host_age_coturn - - path_regex: config/hosts/forgejo/.* - key_groups: - - age: - - *admin_age_fi - - *host_age_forgejo - - path_regex: config/hosts/ikiwiki/.* - key_groups: - - age: - - *admin_age_fi - - *host_age_ikiwiki - - path_regex: config/hosts/jellyfin/.* - key_groups: - - age: - - *admin_age_fi - - *host_age_jellyfin - - path_regex: config/hosts/keycloak/.* - key_groups: - - age: - - *admin_age_fi - - *host_age_keycloak - - path_regex: config/hosts/lifeline/.* - key_groups: - - age: - - *admin_age_fi - - *host_age_lifeline - - path_regex: config/hosts/mail-1/.* - key_groups: - - age: - - *admin_age_fi - - *host_age_mail-1 - - path_regex: config/hosts/mastodon/.* - key_groups: - - age: - - *admin_age_fi - - *host_age_mastodon - - path_regex: config/hosts/matrix/.* - key_groups: - - age: - - *admin_age_fi - - *host_age_matrix - - path_regex: config/hosts/metrics/.* - key_groups: - - age: - - *admin_age_fi - - *host_age_metrics - - path_regex: config/hosts/metrics-nekomesh/.* - key_groups: - - age: - - *admin_age_fi - - *host_age_metrics-nekomesh - - path_regex: config/hosts/nextcloud/.* - key_groups: - - age: - - *admin_age_fi - - *host_age_nextcloud - - path_regex: config/hosts/searx/.* - key_groups: - - age: - - *admin_age_fi - - *host_age_searx - - path_regex: config/hosts/torrent/.* - key_groups: - - age: - - *admin_age_fi - - *host_age_torrent - - path_regex: config/hosts/valkyrie/.* - key_groups: - - age: - - *admin_age_fi - - *host_age_valkyrie -stores: - yaml: - indent: 2 diff --git a/config/common/default.nix b/config/common/default.nix index 0fa2d0b..c8930ec 100644 --- a/config/common/default.nix +++ b/config/common/default.nix @@ -35,13 +35,13 @@ parted tmux nano - ssh-to-age tcpdump ]; security.acme = { defaults.email = "acme@grzb.de"; acceptTerms = true; + preliminarySelfsigned = true; }; # Print the ed25519 public ssh host key to console when booting diff --git a/config/hosts/coturn/coturn.nix b/config/hosts/coturn/coturn.nix index 0b266ba..719c872 100644 --- a/config/hosts/coturn/coturn.nix +++ b/config/hosts/coturn/coturn.nix @@ -5,7 +5,7 @@ min-port = 49200; max-port = 49500; use-auth-secret = true; - static-auth-secret-file = "/run/secrets/static-auth-secret"; + static-auth-secret-file = "/secrets/static-auth-secret.secret"; realm = "turn.nekover.se"; cert = "${config.security.acme.certs."turn.nekover.se".directory}/fullchain.pem"; pkey = "${config.security.acme.certs."turn.nekover.se".directory}/key.pem"; @@ -42,11 +42,4 @@ total-quota=1200 ''; }; - - sops.secrets."static-auth-secret" = { - mode = "0440"; - owner = "turnserver"; - group = "turnserver"; - restartUnits = [ "coturn.service" ]; - }; } diff --git a/config/hosts/coturn/default.nix b/config/hosts/coturn/default.nix index 36644a0..bc32a3d 100644 --- a/config/hosts/coturn/default.nix +++ b/config/hosts/coturn/default.nix @@ -4,6 +4,5 @@ ./configuration.nix ./acme.nix ./coturn.nix - ./sops.nix ]; } diff --git a/config/hosts/coturn/secrets.nix b/config/hosts/coturn/secrets.nix new file mode 100644 index 0000000..48fd211 --- /dev/null +++ b/config/hosts/coturn/secrets.nix @@ -0,0 +1,11 @@ +{ keyCommandEnv,... }: +{ + deployment.keys."static-auth-secret.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "coturn/static-auth-secret" ]; + destDir = "/secrets"; + user = "turnserver"; + group = "turnserver"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/config/hosts/coturn/secrets.yaml b/config/hosts/coturn/secrets.yaml deleted file mode 100644 index d90c1c5..0000000 --- a/config/hosts/coturn/secrets.yaml +++ /dev/null @@ -1,25 +0,0 @@ -static-auth-secret: ENC[AES256_GCM,data:af5cjUSeiCEtYki85h+XoJW5FKY4X18i6zOBZnH64Ju/LwA/yUemA8co17TG5cQnc/sw1pz6LySL2DOq/Gj42g==,iv:Yne84/VLN0jCSulA5OQ0UKbQWkqWBmHYogDuAngAp48=,tag:wJ/4yGnbypjTo/akV3P9ZA==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMXRScDR1NzhzZGRXYUZQ - ZGpRYUlOUWZTVHQvdUlrSG5SRWM2ME9sdUVZCldCZkZ0SXdqUjBVNlRnckg3N0dS - S0s2NkRnQys2SGJKSTdiUWlnbTg1dkEKLS0tIGthb0FESjAyMjlEbnV4S0lPOHda - S1ZBOWdTSmNRQXMvUGJnd05sK1Q2Qk0KHseEBDVLeSWHdgrYyITRuJyp3orrjwwS - 04ORMniHR7ymHzRPvm3oX/jkFD0iJEmk8clgm/Gcn2AQ7xXeJO7Vnw== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmemxWRnFLMFVEcVZCb3BT - MStWU21kcnF5enpleWt3dFdaMHo3RzJGaENNClU2M2tmdE0zd2pXWUJHQkV5Mkhi - a0lIbHJmWDN6UXhVeTZId3RhcEd5TWcKLS0tIFRlSUNQN0pGYmtiOGxJS0pJY0tQ - YjFzS205QklRZWdPbklIRzVzbFFPT2sKCXra+DUchbomy9pe2HJAbhAF1mstgUcv - NalettWmuLXe2B0WjC9fAy2AAJS6kysEbUh960suzSPLTqTce0MGfA== - -----END AGE ENCRYPTED FILE----- - recipient: age1vnrtarxwmqxflh2sxe2s49ldfzkve268hx62x4ltv38h3emv8dqspu028l - lastmodified: "2026-05-16T23:13:15Z" - mac: ENC[AES256_GCM,data:PxX20JAaYhj3DE1KjakVmVucL7jjZU0vh5vnSNmKLgqedJiV2ZqEXpF4s1WPgYTY723aLiWDLw/8kTF/VmvMs8zOdGSkIhojWIWFE6I2yq1MjlawXuUhGpe6C1XGQ+w0KTqzyJLxyIsUSH24GqPHmLRMStE7bYdr0a4lRBHEyqE=,iv:6tXoqhG1XqDAz4SZSIxFCi01Be76/dV4vFPwv3lkcps=,tag:ytLoh7gJ+Iuqv5AwhDElrw==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/coturn/sops.nix b/config/hosts/coturn/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/coturn/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/forgejo/default.nix b/config/hosts/forgejo/default.nix index 7de3a33..d71bcad 100644 --- a/config/hosts/forgejo/default.nix +++ b/config/hosts/forgejo/default.nix @@ -5,6 +5,5 @@ ./forgejo.nix ./redis.nix ./nginx.nix - ./sops.nix ]; } diff --git a/config/hosts/forgejo/forgejo.nix b/config/hosts/forgejo/forgejo.nix index 21e9269..45961cf 100644 --- a/config/hosts/forgejo/forgejo.nix +++ b/config/hosts/forgejo/forgejo.nix @@ -1,10 +1,9 @@ -{ pkgs, ... }: +{ ... }: { services.forgejo = { enable = true; - package = pkgs.forgejo; database.type = "postgres"; - lfs.enable = true; + mailerPasswordFile = "/secrets/forgejo-mailer-password.secret"; settings = { DEFAULT = { @@ -18,7 +17,6 @@ ROOT_URL = "https://git.nekover.se/"; # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself. # Doesn't need to be set. - OFFLINE_MODE = true; }; admin = { DISABLE_REGULAR_ORG_CREATION = false; @@ -36,10 +34,11 @@ DEFAULT_USER_VISIBILITY = "limited"; DEFAULT_KEEP_EMAIL_PRIVATE = true; ENABLE_BASIC_AUTHENTICATION = false; - ENABLE_NOTIFY_MAIL = true; + }; + repo = { + DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; }; repository = { - DEFAULT_REPO_UNITS = "repo.code"; ENABLE_PUSH_CREATE_USER = true; ENABLE_PUSH_CREATE_ORG = true; }; @@ -61,13 +60,5 @@ HOST = "redis+socket:///run/redis-forgejo/redis.sock"; }; }; - secrets.mailer.PASSWD = "/run/secrets/forgejo-mailer-password"; - }; - - sops.secrets."forgejo-mailer-password" = { - mode = "0440"; - owner = "forgejo"; - group = "forgejo"; - restartUnits = [ "forgejo.service" ]; }; } diff --git a/config/hosts/forgejo/nginx.nix b/config/hosts/forgejo/nginx.nix index 3602209..6df90b1 100644 --- a/config/hosts/forgejo/nginx.nix +++ b/config/hosts/forgejo/nginx.nix @@ -29,8 +29,7 @@ }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/forgejo/secrets.nix b/config/hosts/forgejo/secrets.nix new file mode 100644 index 0000000..5c23295 --- /dev/null +++ b/config/hosts/forgejo/secrets.nix @@ -0,0 +1,13 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "forgejo-mailer-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mail/forgejo-nekover-se" ]; + destDir = "/secrets"; + user = "forgejo"; + group = "forgejo"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/forgejo/secrets.yaml b/config/hosts/forgejo/secrets.yaml deleted file mode 100644 index e4a1309..0000000 --- a/config/hosts/forgejo/secrets.yaml +++ /dev/null @@ -1,25 +0,0 @@ -forgejo-mailer-password: ENC[AES256_GCM,data:bFUrFyE/reeTtKZCrb1T1CG8Ng9QbDwZo9AdxU67i8uNmKcn93k3dqY70tSqBTAc9hpsXyW3UTKnPpk+ffb0mw==,iv:p16td5KV0rTmrrtX8FMojotEa+2oiFmVizkc6mt9QyI=,tag:czg/IlNLkx75m2iSddUkUw==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNjVaNlFWeG9vMW4vM2R3 - bWQyVk9jN1VkUUczbTBzUmdpZ2NyWlV4aVFjCmZwa0lDcXUzVDM4d1Mwa1B4Qm9q - WjVKMXJBRVNtc0JzcmE0Y20zdCtzM3cKLS0tIEJWanpwZHdPMGJiL0lkME9yVGQ1 - a3ZvRGV3VENIbmlubG16MWF3SkdyQ00KZj5vuzVyCqbLH5gnQjhRpOfHtIB3RVZC - m+VdnnAFIfShrxwfOekVavffaHmG3PWS7RUKoeZNSdtz1ScuwfazPw== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYOEdadnQvSW1mcE9hSmFL - aFlqdHpTejNZRXJCbTh4WjQyQXVobitaa2hFCjV1RU9UOGlqaXhIckNLMmYwb0s2 - eHY2VVpiQThzQUNuS1FLbFd3V2NGZk0KLS0tIGdOK3VEOUlNcldBQ1haRHhVS0cw - N3ZoNWlVK2trVkJLQlhnaHFueFdqVEkK800paYmP1opnW7o2V8f2zzWNR5tOVYGs - fl+SA7hE7uTpRrrGfuZq0jQgWOaeAbJ3+PzRuSrVlrXdWIyipcZM2Q== - -----END AGE ENCRYPTED FILE----- - recipient: age1d5y8dx3e8pksvxr8fv8f02v0y7qg7kuwpxpmxksp7xlvrcpfju5sdz6guk - lastmodified: "2026-05-17T00:50:59Z" - mac: ENC[AES256_GCM,data:I3a9s9i6sFVTRQIAj94YZNyxQsDIWIvRhy9M/e6iMYpvoQyxFvMD3xAE0NQ1uX1QgMoi+6njTc8AmTXFJvSfoiqtVfHQH+HkLPMR27DZUY6kgZGMvUVswioSKfaF8fZxGEyWRPAuTDlynfOsGpr4Tqt5U8NBiYL1FDD6CPALaiY=,iv:RUbSPPTR6cTWwzvbnQRA/f9AjjjOpQUiEBrWvxqCpTQ=,tag:GcGsBgxWU/AXm06FkUI1LA==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/forgejo/sops.nix b/config/hosts/forgejo/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/forgejo/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix new file mode 100644 index 0000000..9b554d8 --- /dev/null +++ b/config/hosts/hydra/configuration.nix @@ -0,0 +1,51 @@ +{ ... }: +{ + boot = { + loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + binfmt.emulatedSystems = [ + "armv6l-linux" + "armv7l-linux" + "aarch64-linux" + ]; + }; + + networking = { + hostName = "hydra"; + firewall = { + enable = true; + allowedTCPPorts = [ 8443 ]; + }; + }; + + users.users.builder = { + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK/plZfxF/RtB+pJsUYx9HUgRcB56EoO0uj+j3AGzZta root@cherry" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKeIiHkHA5c6/jZx+BB28c5wchdzlFI7R1gbvNmPyoOg root@kiara" + ]; + }; + + nix = { + settings = { + trusted-users = [ "builder" ]; + allowed-uris = "http:// https://"; + }; + buildMachines = [ + { + hostName = "localhost"; + systems = [ + "x86_64-linux" + "armv6l-linux" + "armv7l-linux" + "aarch64-linux" + ]; + } + ]; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/metrics-nekomesh/default.nix b/config/hosts/hydra/default.nix similarity index 50% rename from config/hosts/metrics-nekomesh/default.nix rename to config/hosts/hydra/default.nix index cc0af5c..aeffee1 100644 --- a/config/hosts/metrics-nekomesh/default.nix +++ b/config/hosts/hydra/default.nix @@ -2,10 +2,8 @@ { imports = [ ./configuration.nix - ./grafana.nix - ./neo4j.nix - ./prometheus.nix + ./hydra.nix + ./nix-serve.nix ./nginx.nix - ./sops.nix ]; } diff --git a/config/hosts/hydra/hydra.nix b/config/hosts/hydra/hydra.nix new file mode 100644 index 0000000..c8d4c3f --- /dev/null +++ b/config/hosts/hydra/hydra.nix @@ -0,0 +1,14 @@ +{ ... }: +{ + services.hydra = { + enable = true; + hydraURL = "https://hydra.nekover.se"; + listenHost = "localhost"; + port = 3001; + useSubstitutes = true; + notificationSender = "hydra@robot.grzb.de"; + extraConfig = " + binary_cache_public_uri = https://nix-cache.nekover.se + "; + }; +} diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix new file mode 100644 index 0000000..5a15fe1 --- /dev/null +++ b/config/hosts/hydra/nginx.nix @@ -0,0 +1,42 @@ +{ ... }: +{ + services.nginx = { + enable = true; + virtualHosts = { + "hydra.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."/" = { + proxyPass = "http://localhost:3001"; + }; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; + "nix-cache.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ { + addr = "0.0.0.0"; + port = 80; + }]; + locations."/" = { + proxyPass = "http://localhost:5005"; + }; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; + }; + }; +} diff --git a/config/hosts/hydra/nix-serve.nix b/config/hosts/hydra/nix-serve.nix new file mode 100644 index 0000000..75c18cb --- /dev/null +++ b/config/hosts/hydra/nix-serve.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + services.nix-serve = { + enable = true; + port = 5005; + bindAddress = "localhost"; + secretKeyFile = "/secrets/signing-key.secret"; + }; +} diff --git a/config/hosts/hydra/secrets.nix b/config/hosts/hydra/secrets.nix new file mode 100644 index 0000000..43329f7 --- /dev/null +++ b/config/hosts/hydra/secrets.nix @@ -0,0 +1,11 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys."signing-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "hydra/signing-key" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/config/hosts/ikiwiki/default.nix b/config/hosts/ikiwiki/default.nix index 32d16c7..bc9766c 100644 --- a/config/hosts/ikiwiki/default.nix +++ b/config/hosts/ikiwiki/default.nix @@ -4,6 +4,5 @@ ./configuration.nix ./ikiwiki.nix ./nginx.nix - ./sops.nix ]; } diff --git a/config/hosts/ikiwiki/ikiwiki.nix b/config/hosts/ikiwiki/ikiwiki.nix index 73688a8..3a501e6 100644 --- a/config/hosts/ikiwiki/ikiwiki.nix +++ b/config/hosts/ikiwiki/ikiwiki.nix @@ -133,4 +133,26 @@ in "multi-user.target" ]; }; + + systemd.services.ikiwiki-auth-setup = { + description = "Setup auth subdirectory for ikiwiki.cgi"; + + script = '' + mkdir -p ${ikiwikiSettings.destdir}/auth + if [ ! -f ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi ]; then + ln -s ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi + fi + ''; + + serviceConfig = { + Type = "simple"; + User = config.users.users.ikiwiki.name; + Group = config.users.users.ikiwiki.group; + Requires = [ "ikiwiki-settings-setup.service" ]; + }; + + wantedBy = [ + "multi-user.target" + ]; + }; } diff --git a/config/hosts/ikiwiki/nginx.nix b/config/hosts/ikiwiki/nginx.nix index 6b09cb0..4bbcf0a 100644 --- a/config/hosts/ikiwiki/nginx.nix +++ b/config/hosts/ikiwiki/nginx.nix @@ -26,7 +26,7 @@ in tryFiles = "$uri $uri/ =404"; }; "~ .cgi" = { - basicAuthFile = "/run/secrets/auth_file"; + basicAuthFile = "/secrets/ikiwiki-auth-file.secret"; extraConfig = '' gzip off; fastcgi_pass unix:${config.services.fcgiwrap.instances."ikiwiki".socket.address}; @@ -39,17 +39,9 @@ in }; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; }; - - sops.secrets."auth_file" = { - mode = "0440"; - owner = "nginx"; - group = "nginx"; - restartUnits = [ "nginx.service" ]; - }; } diff --git a/config/hosts/ikiwiki/secrets.nix b/config/hosts/ikiwiki/secrets.nix new file mode 100644 index 0000000..d366c75 --- /dev/null +++ b/config/hosts/ikiwiki/secrets.nix @@ -0,0 +1,11 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys."ikiwiki-auth-file.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "ikiwiki/auth-file" ]; + destDir = "/secrets"; + user = "nginx"; + group = "nginx"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/config/hosts/ikiwiki/secrets.yaml b/config/hosts/ikiwiki/secrets.yaml deleted file mode 100644 index a707f57..0000000 --- a/config/hosts/ikiwiki/secrets.yaml +++ /dev/null @@ -1,25 +0,0 @@ -auth_file: ENC[AES256_GCM,data:5/uT1sIOI95LNA9YFWh3I9J2PCZmz/J38YxVsKVWFHfJdZUOQpSW6ekjX7StP/svtv6Tp0AonnvcKfRcyPYn,iv:NKdWae+EihasTMV24Hk+dKJG8032mWu+RWItWs0b6RE=,tag:WBM6pXlKaDXOMnBWGBLJWg==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArNDZLcEFGRHczMHg3S0w3 - eTNvNGI5TXBWTTc1eXAzZStlSmZTQ3NkdTA4CmlYVEF1NWhldVZuZmwzTUU0NG5j - UFhvU3Q3Q1BvVHhrODJWc296UUo0TmMKLS0tIFFlUGRYVDNNYm40cXhlZ004eFk5 - b3BnLzBjZFpjVDN2clZaTGlWV29NVUEKsdK4V5Og+bK26Gl6HTkOBtFrHfr1RFYu - zWNGQ3skkvATO/ypa0zFf3+qnupCTTO5emwscoRK8ZZFVgSswdnbIA== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPOUJXWW95OXlEZFFwbHlp - RzJJMDFJU2pUTjltZ1JaWjE5c0xPY0hvNUdZCk5uWk9kdlRWNTNVUUVmT3VVeE9j - ajNNeVlZcEw4WFdqZ2QwTXl2MlhVZ2cKLS0tIFVVUXJtWkhtREFsdXp5ODZkOTA1 - b1h3THFYSU1yblM0WmdxTUVtZG1OYVUK5tmcOX+jOdbSD1YCPqcAeoGF8ny61lWY - xwguejMeVZ/pCjO/qf3tb+MUlInPMXva59FelGd3nz6cbVqbeWtxSQ== - -----END AGE ENCRYPTED FILE----- - recipient: age1st5axcrn2s09effsjp6gl89rnwd967y007pzpzamlqydrpf7yeeqjwtnx0 - lastmodified: "2026-05-16T22:13:21Z" - mac: ENC[AES256_GCM,data:McAN1DueAhDBAY8kloB5l8M0pLIeswtnCxBtMYFyzBaY2Z43gNetBwdpzs5sL4nEmAZGPJ9AjXJVSmjb1tOn3BF8X5n6/9F7DzvHT7ukpIjumGC0KeB0QfaIGgKJyo7koISIVlGFZAwgcf1fQwaKZsYzfOGelj7UNrzFCjArK+Y=,iv:oZUmzcEr08jROw24J2fXQ4EjEJH3vzYysdy51vEtUNM=,tag:QJjNb/YvuZrZtQD9QE1Z3g==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/ikiwiki/sops.nix b/config/hosts/ikiwiki/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/ikiwiki/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/jellyfin/default.nix b/config/hosts/jellyfin/default.nix index 70a20a7..33e2290 100644 --- a/config/hosts/jellyfin/default.nix +++ b/config/hosts/jellyfin/default.nix @@ -5,6 +5,5 @@ ./hardware-configuration.nix ./jellyfin.nix ./nginx.nix - ./sops.nix ]; } diff --git a/config/hosts/jellyfin/hardware-configuration.nix b/config/hosts/jellyfin/hardware-configuration.nix index f89a9e5..764a903 100644 --- a/config/hosts/jellyfin/hardware-configuration.nix +++ b/config/hosts/jellyfin/hardware-configuration.nix @@ -5,7 +5,7 @@ fsType = "cifs"; options = [ "username=jellyfin" - "credentials=/run/secrets/samba-credentials" + "credentials=/secrets/samba-credentials.secret" "iocharset=utf8" "vers=3.1.1" "uid=jellyfin" @@ -13,10 +13,4 @@ "_netdev" ]; }; - - sops.secrets."samba-credentials" = { - mode = "0440"; - owner = "root"; - group = "root"; - }; } diff --git a/config/hosts/jellyfin/secrets.nix b/config/hosts/jellyfin/secrets.nix new file mode 100644 index 0000000..922d4c4 --- /dev/null +++ b/config/hosts/jellyfin/secrets.nix @@ -0,0 +1,11 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys."samba-credentials.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "jellyfin/samba-credentials" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/config/hosts/jellyfin/secrets.yaml b/config/hosts/jellyfin/secrets.yaml deleted file mode 100644 index c4653bc..0000000 --- a/config/hosts/jellyfin/secrets.yaml +++ /dev/null @@ -1,25 +0,0 @@ -samba-credentials: ENC[AES256_GCM,data:9txZMLLwlyAMzI3Naag3tUD1zSXLAf/zoJFoJZYTChhmkPpuhuuaIANFcYmH2sUYSsvZLXlbBuLXRryjTix0zK9ZfkZW8/R1vg==,iv:cF3S9S2+Vk+VAb8gyFyxZ12fqmohHSD3GG0fTILrxRM=,tag:m4BqpUlKmUoPbXTEjFmjaA==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzb3dQYWM4SHVraHFPZEx6 - aGpDcTEyVjZ6Y0h6YzM4aVliRXpqZFpLcnprCmNEOHFrby9IdEE1MTZIYWxrS3BS - ZHZTSmYxUW9pek5XblIyZ2FDVlV0TEkKLS0tIEN6NnErRXI3ejc3cVBiSVR6NlpC - a2tnWWxDaXgwQ3hmc0dreTNIRnl0cTAKCSaj/epLw16tVDX4OMCzutxlnARL8MDf - pUVDonkZ7sB7d1+mnyG+gMQuFDhiDcV9WS2h3M83xoSKoHnCkca9Ew== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbUdFMlZvVXlzc3FPSmE4 - Rk1jeUpDVUJMeUlJZDlYeHhwK2l6UkJNRVFVCjNUVS9ZMjI2ME9qTFM0Umc3dXZC - Z0todzhYSXZ5Yk5odUdOZGg3VnE3QW8KLS0tIGd1emhUMFVHT3JiZ1JhY0FWOU1i - cW9PWk9oRHZGeFlSdlVLSlJ6TVg4WnMKikUhDJNyuKdiazCUcKBo834NO3U6ZfjB - GbDn3wUKb465CDYw7GPcvZtM2mNufsoInZh+Oq/07Hi+seAXfX2y7A== - -----END AGE ENCRYPTED FILE----- - recipient: age10huhyn3va02zjysyanf8fd6lpfvjv3k3u6qymanz9jtcmfp3kqfskth7yt - lastmodified: "2026-05-17T00:58:22Z" - mac: ENC[AES256_GCM,data:0WF8JU4d+5nHHB5iBmqdS6TkZem2AHrYNx6zDm4yoIKip7ZVTfCPCyhZ4c3QseEBn1G2IXsTMEtIk6RVI2JigSJPLjyXOTJOeWjVtPD5+1I+mrU7z+YWN+sK5i4F1hQX7/E4JbTDh/h+NbqZ6I9pBq7Nm12QUtZdp/7R5qChXs4=,iv:DBdSDx/X8fh7SXiC073AtDMPDB9idKItzEz2fl7xe+g=,tag:0O1pZp6+Y2Uf2DlijwZLeg==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/jellyfin/sops.nix b/config/hosts/jellyfin/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/jellyfin/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/jellyseerr/configuration.nix b/config/hosts/jellyseerr/configuration.nix index cf03358..05b8f3f 100644 --- a/config/hosts/jellyseerr/configuration.nix +++ b/config/hosts/jellyseerr/configuration.nix @@ -10,7 +10,6 @@ firewall = { allowedTCPPorts = [ 80 443 ]; }; - nameservers = [ "193.138.218.74" ]; extraHosts = '' 10.202.46.101 jellyfin.grzb.de @@ -19,10 +18,5 @@ ''; }; - services.resolved = { - enable = true; - fallbackDns = [ ]; - }; - system.stateVersion = "23.11"; } diff --git a/config/hosts/jellyseerr/jellyseerr.nix b/config/hosts/jellyseerr/jellyseerr.nix index 8e406b0..bd473b0 100644 --- a/config/hosts/jellyseerr/jellyseerr.nix +++ b/config/hosts/jellyseerr/jellyseerr.nix @@ -1,15 +1,6 @@ -{ pkgs, ... }: -let - jellyseerrOverlay = final: prev: { - jellyseerr = prev.jellyseerr.overrideAttrs (finalAttr: previousAttr: { - dontCheckForBrokenSymlinks = true; - }); - }; - pkgs-overlay = pkgs.extend jellyseerrOverlay; -in +{ ... }: { services.jellyseerr = { enable = true; - package = pkgs-overlay.jellyseerr; }; } diff --git a/config/hosts/keycloak/default.nix b/config/hosts/keycloak/default.nix index 83d170e..6289ce6 100644 --- a/config/hosts/keycloak/default.nix +++ b/config/hosts/keycloak/default.nix @@ -4,6 +4,5 @@ ./configuration.nix ./keycloak.nix ./nginx.nix - ./sops.nix ]; } diff --git a/config/hosts/keycloak/keycloak.nix b/config/hosts/keycloak/keycloak.nix index a069fd1..79e9a96 100644 --- a/config/hosts/keycloak/keycloak.nix +++ b/config/hosts/keycloak/keycloak.nix @@ -3,20 +3,13 @@ services.keycloak = { enable = true; settings = { - hostname = "https://id.nekover.se"; - hostname-admin = "https://keycloak-admin.nekover.se"; - proxy-headers = "xforwarded"; - http-enabled = true; + hostname = "id.nekover.se"; + hostname-admin = "keycloak-admin.nekover.se"; + hostname-strict-backchannel = true; + proxy = "edge"; http-host = "127.0.0.1"; http-port = 8080; }; - database.passwordFile = "/run/secrets/keycloak-database-password"; - }; - - sops.secrets."keycloak-database-password" = { - mode = "0440"; - owner = "root"; - group = "systemd-network"; - restartUnits = [ "keycloak.service" ]; + database.passwordFile = "/secrets/keycloak-database-password.secret"; }; } diff --git a/config/hosts/keycloak/nginx.nix b/config/hosts/keycloak/nginx.nix index e9b46cd..0c83ea0 100644 --- a/config/hosts/keycloak/nginx.nix +++ b/config/hosts/keycloak/nginx.nix @@ -27,8 +27,7 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; add_header Strict-Transport-Security "max-age=63072000" always; @@ -42,13 +41,6 @@ proxy_buffer_size 128k; proxy_buffers 8 128k; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Port 443; - # This is https in any case. - proxy_set_header X-Forwarded-Proto https; # Hide the X-Forwarded header. proxy_hide_header X-Forwarded; # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that @@ -104,13 +96,6 @@ proxy_buffer_size 128k; proxy_buffers 8 128k; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Port 443; - # This is https in any case. - proxy_set_header X-Forwarded-Proto https; # Hide the X-Forwarded header. proxy_hide_header X-Forwarded; # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that diff --git a/config/hosts/keycloak/secrets.nix b/config/hosts/keycloak/secrets.nix new file mode 100644 index 0000000..984e9ad --- /dev/null +++ b/config/hosts/keycloak/secrets.nix @@ -0,0 +1,13 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "keycloak-database-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "keycloak/database-password" ]; + destDir = "/secrets"; + user = "root"; + group = "systemd-network"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/keycloak/secrets.yaml b/config/hosts/keycloak/secrets.yaml deleted file mode 100644 index a84ab28..0000000 --- a/config/hosts/keycloak/secrets.yaml +++ /dev/null @@ -1,25 +0,0 @@ -keycloak-database-password: ENC[AES256_GCM,data:2Jk0wskmlpdpaZj05MX4YRRDR75eAkk5eDNNOTSA9+dN8OGkUWdI0CX9ZdQFUB31GiRaLZQ4I9gwnIc2sIxzuA==,iv:4fq+safzIGC21NFTaHsIfgZwuKelQyxttEeW7Pp09v8=,tag:c7LO34hJqi1yEwQ+cQc0Dg==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArR0Y2ZVg4S1FDYmRlS0xL - VWlJVzNvdHVXanBMN043QjcxVjd5bFk5d21JCnVzYVcwT2tnQS9jblhVQUFaNWZD - L0owQ1hhUFdhNVAzaVJNbWhQaEdXZlUKLS0tIFZFOFpKUklKNVJFRS9ZY1JaeS9D - RnF5YjRmbXRaY3h1MU5PWEZETGh0N2cKIwZg6mMY8c3VpE9hAk9bcFXLyzl7J/4M - BIh7C+yZbD7bL92TEP3gTpW+EsGiJl2LCq7NVVuDkboYuJ6kAqLppg== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGS25mcEErQ1pUMTV6U1h4 - WXduajlyTFFncXdhZ09BdXg4amV4V0xMalFNCm85dk1ldUlHTytXRDJLcjIyN2M2 - ZmVFVG1YcWhnTmwySmFRUDhEMkVyb1EKLS0tIHVDVkc3QytPU3pQTWxMSG1TRFdI - LzVUdGUrZmVTa1RqRHNWaFFhY09ySEUKFrN7X2ir3gwL/S91mychdjXi2oBPEPr9 - aizXtIk0JX6SzrP/Oy0mYROeEEEUfPVBBypEUlBjlyeSyathmEoVLQ== - -----END AGE ENCRYPTED FILE----- - recipient: age15kluaw2krucmc0j98zfk0s5tkwqer0ax6jva458zukzrgnqjqc9q7s88yd - lastmodified: "2026-05-17T01:07:49Z" - mac: ENC[AES256_GCM,data:fAOsq2jrl8dTvQSn+Cp0sxuU5AuOdnm97LBIyPY71KbxMAY0vn/RDvhszvskMIE25JWGuZROnFoYmrkUqSp/pxG9gvcPQ6keW9WMr09YFli4u1tvADl6Ag+OkcgDe2UP1aPRkW6i7sGpq7Wfv/3G8HNMLgywhyiAA2XICymbDBI=,iv:ChOk26gheG2ErLVqt/rrMw1MxuOmEA595fay6pGUCcc=,tag:8wGA4YZa+ZyNDIBz/d1DUg==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/keycloak/sops.nix b/config/hosts/keycloak/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/keycloak/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/lifeline/configuration.nix b/config/hosts/lifeline/configuration.nix index 788c3fc..500c407 100644 --- a/config/hosts/lifeline/configuration.nix +++ b/config/hosts/lifeline/configuration.nix @@ -26,7 +26,7 @@ { name = "mail-2"; publicKey = "OIBOJlFzzM3P/u1ftVW2HWt8kA6NveB4PaBOIXhCYhM="; - presharedKeyFile = "/run/secrets/wireguard-lifeline-mail-2-lifeline-psk"; + presharedKeyFile = "/secrets/wireguard-lifeline-mail-2-lifeline-psk.secret"; allowedIPs = [ "172.18.50.2/32" ]; } ]; @@ -38,7 +38,7 @@ ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 172.18.50.0/24 -o ens6 -j MASQUERADE ''; - privateKeyFile = "/run/secrets/wireguard-lifeline-wg0-privatekey"; + privateKeyFile = "/secrets/wireguard-lifeline-wg0-privatekey.secret"; }; }; nat = { @@ -62,19 +62,5 @@ services.prometheus.exporters.node.enable = false; - sops.secrets."wireguard-lifeline-mail-2-lifeline-psk" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "wireguard-wg0.service" ]; - }; - - sops.secrets."wireguard-lifeline-wg0-privatekey" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "wireguard-wg0.service" ]; - }; - system.stateVersion = "23.05"; } diff --git a/config/hosts/lifeline/default.nix b/config/hosts/lifeline/default.nix index 36dea6d..9d284a8 100644 --- a/config/hosts/lifeline/default.nix +++ b/config/hosts/lifeline/default.nix @@ -3,6 +3,5 @@ imports = [ ./configuration.nix ./hardware-configuration.nix - ./sops.nix ]; } diff --git a/config/hosts/lifeline/secrets.nix b/config/hosts/lifeline/secrets.nix new file mode 100644 index 0000000..f2b6e23 --- /dev/null +++ b/config/hosts/lifeline/secrets.nix @@ -0,0 +1,21 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "wireguard-lifeline-wg0-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-lifeline-mail-2-lifeline-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/lifeline/secrets.yaml b/config/hosts/lifeline/secrets.yaml deleted file mode 100644 index 01b2010..0000000 --- a/config/hosts/lifeline/secrets.yaml +++ /dev/null @@ -1,26 +0,0 @@ -wireguard-lifeline-wg0-privatekey: ENC[AES256_GCM,data:yUIu+AC24/84w0GQPko64E89ZjzMoaa0Z8J2IFY8wDmCw+z1Als0h42XB5U=,iv:2pmy0FyeyvHbRRYnog9mth7hWfMt4mNe8/dSK3eYd2E=,tag:/gRbYT8EnbDRiFN0Ohu4ng==,type:str] -wireguard-lifeline-mail-2-lifeline-psk: ENC[AES256_GCM,data:IvgVTsgFfONCm3OJ8iKtwRUY6uTEZfpyGubm/iysOySebPuDg+/AGNUu5ZQ=,iv:HZpAqLLt/cDQo51+koS3nZ1mkN0ZmqCY7gedx6PHthM=,tag:klM8lxBmZvXn3XUD/duGMA==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLcGo4RTJsQnZWWXBadjAz - YW5VcFBwWUxUR2N2d092WmN6LzdkaStaVVNJCkdWLzF4ZU4rY3pPLzc1YUZUb2hM - bHNiRkhabG1ON2YzemdCMjQwOW5hdG8KLS0tIER4RGdZNkN4U0dTekx6MURpY0oz - ZURQbEF0c2VXNFFRVEI5YjUydzNQVTQK6Q3yE+P41Ukay2h2RVXHcCbE19piBwHa - Gdxok7ObnjTBpFxWuz4Sqvozb4R9dbkTPtSp72Yjv78QBinLmWGJ/A== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlemExaHpsTFBEYjJURjNp - WmluaHcwaUtyNmRINEJ6NXlFVWplZm9YeEJvCktMM2N0dWFxYUFKM25EdVo0RmNG - MDYzcFFnOG95SXdrU3VzWmdqQ3U0L2cKLS0tIGhHUmNNS0w0bzhhdHgzL1hYQjRr - SEczcDdWMnh3aThXK3JrLzkrTEZ0TkUKexB+HBUOWSsel9sNgUHnj5NJdj8zZX/C - XB4W6fwzMxPHHknk1y/4z/F8oNnUzXmh3QfT/15glDmmCpyM3PGWVw== - -----END AGE ENCRYPTED FILE----- - recipient: age1pmx78vda0c2qnn8epvkavl26e2939uj65608fdq959ds60d58ucsqwxsua - lastmodified: "2026-05-17T01:24:39Z" - mac: ENC[AES256_GCM,data:JyTfrwkD8GxbzzuK1CsBRr8+Hxheu1gvB2KP3jGJkvLktzzNLYH7qq7JJu2oP6X18MMa+dlMuY9lHosoWy+wA34kgrtBVqtCfTnOx3jafwfLdNVBVTORN8h7so1N0KKwuSJnFL6BqMWhiQiPVOENGThqlIqKDwSiP3hyfFLDBuM=,iv:0IkM76X2Ly3hil7XneURzQk4wVUJy/bs/9zX3r9cTVo=,tag:vC7HDnB6WCTTy5MSh4tDDg==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/lifeline/sops.nix b/config/hosts/lifeline/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/lifeline/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix index c94de3b..2418afc 100644 --- a/config/hosts/mail-1/configuration.nix +++ b/config/hosts/mail-1/configuration.nix @@ -15,20 +15,28 @@ ]; routes = [ { - Gateway = "10.202.41.1"; - Destination = "10.201.0.0/16"; + routeConfig = { + Gateway = "10.202.41.1"; + Destination = "10.201.0.0/16"; + }; } { - Gateway = "10.202.41.1"; - Destination = "10.202.0.0/16"; + routeConfig = { + Gateway = "10.202.41.1"; + Destination = "10.202.0.0/16"; + }; } { - Gateway = "10.202.41.1"; - Destination = "172.21.87.0/24"; + routeConfig = { + Gateway = "10.202.41.1"; + Destination = "172.21.87.0/24"; + }; } { - Gateway = "10.202.41.1"; - Destination = "212.53.203.19/32"; + routeConfig = { + Gateway = "10.202.41.1"; + Destination = "212.53.203.19/32"; + }; } ]; linkConfig.RequiredForOnline = "routable"; @@ -54,11 +62,13 @@ PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret"; }; wireguardPeers = [{ - PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ="; - PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret"; - Endpoint = "212.53.203.19:51822"; - AllowedIPs = [ "0.0.0.0/0" ]; - PersistentKeepalive = 25; + wireguardPeerConfig = { + PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ="; + PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret"; + Endpoint = "212.53.203.19:51822"; + AllowedIPs = [ "0.0.0.0/0" ]; + PersistentKeepalive = 25; + }; }]; }; }; diff --git a/config/hosts/mail-1/default.nix b/config/hosts/mail-1/default.nix index 28a5bdc..5537841 100644 --- a/config/hosts/mail-1/default.nix +++ b/config/hosts/mail-1/default.nix @@ -3,6 +3,5 @@ imports = [ ./configuration.nix ./simple-nixos-mailserver.nix - ./sops.nix ]; } diff --git a/config/hosts/mail-1/secrets.nix b/config/hosts/mail-1/secrets.nix index c7dd92c..581461f 100644 --- a/config/hosts/mail-1/secrets.nix +++ b/config/hosts/mail-1/secrets.nix @@ -73,14 +73,6 @@ permissions = "0640"; uploadAt = "pre-activation"; }; - "mail-nekomesh-nekover-se.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; "mail-social-nekover-se.secret" = { keyCommand = keyCommandEnv ++ [ "pass" "mail/social-nekover-se" ]; destDir = "/secrets"; diff --git a/config/hosts/mail-1/simple-nixos-mailserver.nix b/config/hosts/mail-1/simple-nixos-mailserver.nix index 15318e8..a4b426a 100644 --- a/config/hosts/mail-1/simple-nixos-mailserver.nix +++ b/config/hosts/mail-1/simple-nixos-mailserver.nix @@ -4,7 +4,6 @@ simple-nixos-mailserver.nixosModule { mailserver = { enable = true; - stateVersion = 3; openFirewall = true; fqdn = "mail-1.grzb.de"; enableImap = false; @@ -47,11 +46,6 @@ sendOnly = true; aliases = [ "nyareply@nekover.se" ]; }; - "nekomesh@nekover.se" = { - hashedPasswordFile = "/secrets/mail-nekomesh-nekover-se.secret"; - sendOnly = true; - aliases = [ "nyareply@nekover.se" ]; - }; "social@nekover.se" = { hashedPasswordFile = "/secrets/mail-social-nekover-se.secret"; sendOnly = true; @@ -75,8 +69,8 @@ services.postfix = { transport = "relay:[mail-2.grzb.de]"; - settings.main = { - proxy_interfaces = "212.53.203.19"; - }; + extraConfig = '' + proxy_interfaces = 212.53.203.19 + ''; }; } diff --git a/config/hosts/mail-1/sops.nix b/config/hosts/mail-1/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/mail-1/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/mail-2/acme.nix b/config/hosts/mail-2/acme.nix new file mode 100644 index 0000000..c6a353c --- /dev/null +++ b/config/hosts/mail-2/acme.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + security.acme.certs = { + "mail-2.grzb.de" = { + listenHTTP = ":80"; + reloadServices = [ "postfix.service" ]; + }; + }; +} diff --git a/config/hosts/mail-2/configuration.nix b/config/hosts/mail-2/configuration.nix new file mode 100644 index 0000000..b4a7192 --- /dev/null +++ b/config/hosts/mail-2/configuration.nix @@ -0,0 +1,91 @@ +{ pkgs, ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + systemd.network = { + enable = true; + networks = { + "enp6s18" = { + matchConfig.Name = "enp6s18"; + address = [ + "10.201.41.100/24" + ]; + routes = [ + { + routeConfig = { + Gateway = "10.201.41.1"; + Destination = "10.201.0.0/16"; + }; + } + { + routeConfig = { + Gateway = "10.201.41.1"; + Destination = "10.202.0.0/16"; + }; + } + { + routeConfig = { + Gateway = "10.201.41.1"; + Destination = "172.21.87.0/24"; + }; + } + { + routeConfig = { + Gateway = "10.201.41.1"; + Destination = "217.160.117.160/32"; + }; + } + ]; + linkConfig.RequiredForOnline = "routable"; + }; + "wg0" = { + matchConfig.Name = "wg0"; + address = [ + "172.18.50.2/24" + ]; + DHCP = "no"; + gateway = [ + "172.18.50.1" + ]; + }; + }; + netdevs = { + "wg0" = { + netdevConfig = { + Kind = "wireguard"; + Name = "wg0"; + }; + wireguardConfig = { + PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret"; + }; + wireguardPeers = [{ + wireguardPeerConfig = { + PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4="; + PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret"; + Endpoint = "217.160.117.160:51820"; + AllowedIPs = [ "0.0.0.0/0" ]; + PersistentKeepalive = 25; + }; + }]; + }; + }; + }; + + networking = { + hostName = "mail-2"; + useDHCP = false; + firewall = { + enable = true; + allowedTCPPorts = [ 25 80 ]; + }; + }; + + environment.systemPackages = with pkgs; [ + wireguard-tools + ]; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/mail-2/default.nix b/config/hosts/mail-2/default.nix new file mode 100644 index 0000000..ab5c757 --- /dev/null +++ b/config/hosts/mail-2/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./postfix.nix + ./acme.nix + ]; +} diff --git a/config/hosts/mail-2/postfix.nix b/config/hosts/mail-2/postfix.nix new file mode 100644 index 0000000..b7e54f3 --- /dev/null +++ b/config/hosts/mail-2/postfix.nix @@ -0,0 +1,37 @@ +{ config, ... }: +{ + # Postfix relay configuration, see: https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup + services.postfix = { + enable = true; + hostname = "mail-2.grzb.de"; + relayDomains = [ + "grzb.de" + "nekover.se" + ]; + sslCert = "${config.security.acme.certs."mail-2.grzb.de".directory}/fullchain.pem"; + sslKey = "${config.security.acme.certs."mail-2.grzb.de".directory}/key.pem"; + extraConfig = '' + message_size_limit = 20971520 + smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination + proxy_interfaces = 217.160.117.160 + relay_recipient_maps = + smtp_tls_ciphers = high + smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL + smtp_tls_mandatory_ciphers = high + smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL + smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 + smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 + smtpd_tls_auth_only = yes + smtpd_tls_ciphers = high + smtpd_tls_eecdh_grade = ultra + smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL + smtpd_tls_loglevel = 1 + smtpd_tls_mandatory_ciphers = high + smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL + smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 + smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3 + tls_preempt_cipherlist = yes + tls_random_source = dev:/dev/urandom + ''; + }; +} diff --git a/config/hosts/mail-2/secrets.nix b/config/hosts/mail-2/secrets.nix new file mode 100644 index 0000000..67beb5b --- /dev/null +++ b/config/hosts/mail-2/secrets.nix @@ -0,0 +1,21 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "wireguard-mail-2-wg0-privatekey.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/mail-2-wg0-privatekey" ]; + destDir = "/secrets"; + user = "root"; + group = "systemd-network"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "wireguard-lifeline-mail-2-mail-2-psk.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "wireguard/lifeline-mail-2/psk" ]; + destDir = "/secrets"; + user = "root"; + group = "systemd-network"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/mastodon/containers/fedifetcher/default.nix b/config/hosts/mastodon/containers/fedifetcher/default.nix new file mode 100644 index 0000000..3f2617e --- /dev/null +++ b/config/hosts/mastodon/containers/fedifetcher/default.nix @@ -0,0 +1,23 @@ +{ nixpkgs-unstable, ... }: +{ + containers.fedifetcher = { + nixpkgs = nixpkgs-unstable; + autoStart = true; + + bindMounts = { + "/secrets" = { + hostPath = "/secrets-fedifetcher"; + isReadOnly = true; + }; + }; + + config = { ... }: { + imports = [ + ./fedifetcher.nix + ]; + + networking.useHostResolvConf = true; + system.stateVersion = "24.05"; + }; + }; +} diff --git a/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix b/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix new file mode 100644 index 0000000..7194c25 --- /dev/null +++ b/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix @@ -0,0 +1,42 @@ +{ pkgs, lib, ... }: +{ + # config copied from https://github.com/arachnist/nibylandia/blob/main/nixos/zorigami/default.nix + systemd.services.fedifetcher = { + path = [ pkgs.fedifetcher ]; + description = "fetch fedi posts"; + script = '' + fedifetcher + ''; + environment = lib.mapAttrs' (n: v: + (lib.nameValuePair ("ff_" + builtins.replaceStrings [ "-" ] [ "_" ] n) + (builtins.toString v))) { + server = "social.nekover.se"; + state-dir = "/var/lib/fedifetcher"; + lock-file = "/run/fedifetcher/fedifetcher.lock"; + from-lists = 1; + from-notifications = 1; + max-bookmarks = 80; + max-favourites = 40; + max-follow-requests = 80; + max-followers = 80; + max-followings = 80; + remember-hosts-for-days = 30; + remember-users-for-hours = 168; + reply-interval-in-hours = 2; + }; + serviceConfig = { + DynamicUser = true; + User = "fedifetcher"; + RuntimeDirectory = "fedifetcher"; + RuntimeDirectoryPreserve = true; + StateDirectory = "fedifetcher"; + UMask = "0077"; + EnvironmentFile = [ "/secrets/mastodon-fedifetcher-access-token.secret" ]; + }; + }; + + systemd.timers.fedifetcher = { + wantedBy = [ "multi-user.target" ]; + timerConfig = { OnCalendar = "*:0/5"; }; + }; +} diff --git a/config/hosts/mastodon/default.nix b/config/hosts/mastodon/default.nix index 5166081..dc52ff4 100644 --- a/config/hosts/mastodon/default.nix +++ b/config/hosts/mastodon/default.nix @@ -5,6 +5,6 @@ ./mastodon.nix ./opensearch.nix ./nginx.nix - ./sops.nix + ./containers/fedifetcher ]; } diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 51b3afe..ed168ff 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -1,46 +1,35 @@ -{ pkgs, nixpkgs-unstable, ... }: +{ pkgs, ... }: let tangerineUI = pkgs.fetchgit { url = "https://github.com/nileane/TangerineUI-for-Mastodon.git"; - rev = "v2.5.3"; - hash = "sha256-fs/pwIwXZvSNVmlSG304CMT/hSW/RtrzraMsrhg/TbE="; - }; - mastodonModern = pkgs.fetchgit { - url = "https://git.gay/freeplay/Mastodon-Modern.git"; - rev = "f899b68740e25e17ed600e38657d0ef94c92b293"; - hash = "sha256-+HQ7+Ypv540qB7ACfROJs8JUuqvMzaveKOdBsAfr3D4="; + rev = "v2.2"; + hash = "sha256-KyXDnpZh1DrY59jvdU42UicgBVvEGtvAGeU1mNxJauQ="; }; mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; - hash = "sha256-NtdJWMi8/siduX2iFD+GAsK9J+Y6T/tZ/fXqb/QH284="; + hash = "sha256-3jWbKll5RGB1vfEmONVivzGYcoONEkBEHh/rOt9LXlU="; }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.5.9"; + version = "4.3.1"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-EXMJWdcuvQWe2cXONlcN/oB4b0nXwDqRT+miIB7P7js="; + sha256 = "sha256-JlpQGyVPTLcB3RcWMBrmYc1AAUT1JLfS4IDas9ZoWh4="; }; - # mastodon ships with broken symlinks, disable the check for that for now - dontCheckForBrokenSymlinks = true; installPhase = '' cp -r ./ $out/ cp -r ${tangerineUI}/mastodon/app/javascript/styles/* $out/app/javascript/styles/ - echo "@import 'mastodon/variables'; - @import 'application';" >> $out/app/javascript/styles/modern-dark.scss - cat ${mastodonModern}/modern.css >> $out/app/javascript/styles/modern-dark.scss echo "tangerineui: styles/tangerineui.scss tangerineui-purple: styles/tangerineui-purple.scss tangerineui-cherry: styles/tangerineui-cherry.scss - tangerineui-lagoon: styles/tangerineui-lagoon.scss - modern-dark: styles/modern-dark.scss" >> $out/config/themes.yml + tangerineui-lagoon: styles/tangerineui-lagoon.scss" >> $out/config/themes.yml ''; }; - patches = prev.mastodon.src.patches ++ [ + patches = [ "${mastodonNekoversePatches}/patches/001_increase_image_dimensions_limit.patch" "${mastodonNekoversePatches}/patches/002_disable_image_reprocessing.patch" "${mastodonNekoversePatches}/patches/003_make_toot_cute.patch" @@ -49,8 +38,7 @@ let "${mastodonNekoversePatches}/patches/006_increase_toot_character_limit.patch" ]; }; - yarnHash = prev.mastodon.src.yarnHash; - yarnMissingHashes = prev.mastodon.src.yarnMissingHashes; + yarnHash = "sha256-e5c04M6XplAgaVyldU5HmYMYtY3MAWs+a8Z/BGSyGBg="; }); }; pkgs-overlay = pkgs.extend mastodonNekoverseOverlay; @@ -62,6 +50,7 @@ in package = pkgs-overlay.mastodon; localDomain = "social.nekover.se"; secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret"; + otpSecretFile = "/secrets/mastodon-otp-secret.secret"; vapidPublicKeyFile = "${vapidPublicKey}"; vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret"; smtp = { @@ -90,8 +79,6 @@ in OIDC_REDIRECT_URI = "https://social.nekover.se/auth/auth/openid_connect/callback"; OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true"; OIDC_END_SESSION_ENDPOINT = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/logout"; - FETCH_REPLIES_ENABLED = "true"; - AUTHORIZED_FETCH = "true"; }; extraEnvFiles = [ "/secrets/mastodon-keycloak-client-secret.secret" diff --git a/config/hosts/mastodon/nginx.nix b/config/hosts/mastodon/nginx.nix index 02a0d0a..f195089 100644 --- a/config/hosts/mastodon/nginx.nix +++ b/config/hosts/mastodon/nginx.nix @@ -3,7 +3,6 @@ services.nginx = { enable = true; group = "mastodon"; - clientMaxBodySize = "200m"; upstreams.streaming = { extraConfig = '' least_conn; @@ -57,8 +56,7 @@ }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix index 88413c7..1389353 100644 --- a/config/hosts/mastodon/secrets.nix +++ b/config/hosts/mastodon/secrets.nix @@ -9,6 +9,14 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "mastodon-otp-secret.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/otp-secret" ]; + destDir = "/secrets"; + user = "mastodon"; + group = "mastodon"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; "mastodon-vapid-private-key.secret" = { keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ]; destDir = "/secrets"; @@ -57,5 +65,13 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "mastodon-fedifetcher-access-token.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/fedifetcher-access-token" ]; + destDir = "/secrets-fedifetcher"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/mastodon/secrets.yaml b/config/hosts/mastodon/secrets.yaml deleted file mode 100644 index 0858aac..0000000 --- a/config/hosts/mastodon/secrets.yaml +++ /dev/null @@ -1,31 +0,0 @@ -mastodon-secret-key-base: ENC[AES256_GCM,data:GP8mtL5hkDqNjbiqONXJNDX+e9RuOejnAxX0fk1gvVR+Xkb99/wNPun1p85AVOv1rn8n0H4X8aZwPK/P2lljyGWs4RSwYaLOMMoowSu+QwDYzK2+uf2lsiM5esOAr/rfuX1BZIEnrJPYAIZYtTIBTyrMN9zTtPvyBaPn4cL0sKQ=,iv:jxy37Sa3ywLhVSYhgiC1spky6psxZzso74es5CnBObw=,tag:+nW6SxoYJgcSU2r6d2J00g==,type:str] -mastodon-vapid-private-key: ENC[AES256_GCM,data:mE29UuQGzQ/LPrvop0zODM3tI/DOXsCPemh/5Y7VribAUq25Fftoo3tWEbk=,iv:qJTJL4g9AOcPJIP9IWnSso6ECs3sSiubW9SNUaYIcXE=,tag:OnhsJeWYLDFMlmVsLf4syw==,type:str] -mastodon-email-smtp-pass: ENC[AES256_GCM,data:8UcjUSZMuUPZvc1hM79XGjor0LuKcGg8qLr/oFggcTMtQ9+ff2QHGaZFiHRcNFibdp0IexO2PDy0yMF5qivxJA==,iv:fd3vv21PnC2M/Ptdwy2j6vn+juWrEnZKtTtzhS71igI=,tag:8nmdu2TD0TTmCfA+kIkb4Q==,type:str] -mastodon-keycloak-client-secret: ENC[AES256_GCM,data:jLDVhGhUUI5o2UjHolahncXXiqHHyFT/SavQTaUTlaSje3l2khvAIzmEn8TfC6FrF8BMjzI=,iv:Hq5XrtpnFYnIxrIb8rX5PDL7z7bLuOrtTTubm7HsE88=,tag:ayNJWs3UROd/sBQ5rnuv6w==,type:str] -mastodon-active-record-encryption-primary-key: ENC[AES256_GCM,data:H45LQ1gXCaepRe1ftap5ruWwC7ThI8m/EBtKdqP8QHQ=,iv:wAYQW7INq36GscjdaldCCS0RpjYuemtveoNdeqS1wz0=,tag:hjlXqo9WmE57fENQZaRCXA==,type:str] -mastodon-active-record-encryption-key-derivation-salt: ENC[AES256_GCM,data:DeeXCelirIcDyTDdPeKoaAeD2jzWGLU3p28e5JX8m9E=,iv:yQcddWeesrMWgIAj/MnBwPUwikk2VHAbNDFs0r5Fp0Q=,tag:H6boQ5IEGEhx5Ha15eEUhw==,type:str] -mastodon-active-record-encryption-deterministic-key: ENC[AES256_GCM,data:yrakH+MxQ8/SmAtLOvGcyIAjfbVdb8NgqYqpm+ALKA0=,iv:ZbagvnAPTLBmzxAdXZ0Ecat0jTpeRWiudpk3U+1hEXE=,tag:pnF87Gg4nTRC1YVK1bbGCw==,type:str] -sops: - age: - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTDB3d1FFWjY2LzhZUmVP - S1BicjRhc2ZzWWMvb2xjT1lzVVY3Z2hqYW53CndNaGJ6NXkyamg0a1BIdzlVL214 - dk5SbDFDdVNGNnp1citjZkQ3UTNHcUUKLS0tIGwvOHl4RUErRjR3Nm1paGVmZEhX - a1N2SlZlY05aN2hEcXlGdnA0ZndlUjgK01enGoJvkN5YMbm38wcRYaM1ogzybJIL - OTig1Fg2CopEmaE/Y6bpuMFIyCFXZDhJQ3LaI+0kydzPGB2nZyWZ2g== - -----END AGE ENCRYPTED FILE----- - recipient: age1tf38ae8yzzzmtjp5cjyemf0a8cksq62dz0x0hsntyhsjk5pq6s6q3v9nm7 - - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtbnFPOEJVWXAxTEpiNUgw - SDliL3hZeWpaK3JMN0hyV09jUTBSV2pYN2gwCmd2STBsYzhNYlpWRzhCUWZhZ1Rw - Yzdta25vN0NKeTFXWXRiUWZsTGVaY28KLS0tIC8yUERNWHNqTTFQazQzRkYvNk9K - TjlQaVRFdXJ6WVRIVnczYmlFc2t6S2MK5wnjZnhL+GK1eXnANSDe5zcsZdb5N715 - odb/rjaIvUKaSUkmJfQK954pCBsiJXnURt5FKLnOGHtlQmt0kyg8dQ== - -----END AGE ENCRYPTED FILE----- - recipient: age1r60mmmeulm33h0trc0y870dml5hzhglyjv4wecyjy2858pg8u47s793r30 - lastmodified: "2026-05-17T01:44:58Z" - mac: ENC[AES256_GCM,data:DV91qRrbXxS+yvknPuLjRWYdsJdWtODy9q2onrSpWv6P7YR1siNFNpDyioMLKLRby80kY1R1zSofiaepVmP/nWtqtSDsq/plNWIZi7FR7X0TG0hNc3S6GJ0UatXVxOGp6LxvO2doVIMUs3LKd4+16FFMQYEQJ35VbuYFVhWw5SU=,iv:zVmZ7Ho28I9y7IvCULWehzJB64FSLLaspa/Rj+EJpX0=,tag:HRBTVgvm8pZvUgFBqjCEoQ==,type:str] - unencrypted_suffix: _unencrypted - version: 3.13.0 diff --git a/config/hosts/mastodon/sops.nix b/config/hosts/mastodon/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/mastodon/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/matrix/configuration.nix b/config/hosts/matrix/configuration.nix index a52998c..9ffa4c6 100644 --- a/config/hosts/matrix/configuration.nix +++ b/config/hosts/matrix/configuration.nix @@ -9,7 +9,7 @@ hostName = "matrix"; firewall = { enable = true; - allowedTCPPorts = [ 80 8443 8448 9000 ]; + allowedTCPPorts = [ 80 8443 8448 ]; }; }; diff --git a/config/hosts/matrix/default.nix b/config/hosts/matrix/default.nix index 8dbb1ac..27528b7 100644 --- a/config/hosts/matrix/default.nix +++ b/config/hosts/matrix/default.nix @@ -2,12 +2,9 @@ { imports = [ ./configuration.nix - ./element-call.nix ./hardware-configuration.nix ./postgresql.nix - ./matrix-authentication-service.nix ./matrix-synapse.nix ./nginx.nix - ./sops.nix ]; } diff --git a/config/hosts/matrix/element-call.nix b/config/hosts/matrix/element-call.nix deleted file mode 100644 index db988b9..0000000 --- a/config/hosts/matrix/element-call.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ ... }: -{ - services.livekit = { - enable = true; - settings.rtc.use_external_ip = true; - openFirewall = true; - keyFile = "/secrets/matrix-livekit-secret-key.secret"; - }; - services.lk-jwt-service = { - enable = true; - port = 8082; - livekitUrl = "wss://matrix-rtc.nekover.se/livekit/sfu"; - keyFile = "/secrets/matrix-livekit-secret-key.secret"; - }; - systemd.services.lk-jwt-service.environment = { - LIVEKIT_FULL_ACCESS_HOMESERVERS = "nekover.se"; - }; -} diff --git a/config/hosts/matrix/matrix-authentication-service.nix b/config/hosts/matrix/matrix-authentication-service.nix deleted file mode 100644 index e13bdd9..0000000 --- a/config/hosts/matrix/matrix-authentication-service.nix +++ /dev/null @@ -1,105 +0,0 @@ -{ pkgs, ... }: -let - masSettings = { - http = { - listeners = [ - { - name = "web"; - resources = [ - { name = "discovery"; } - { name = "human"; } - { name = "oauth"; } - { name = "compat"; } - { name = "graphql"; } - { - name = "assets"; - path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/"; - } - ]; - binds = [{ - host = "localhost"; - port = 8080; - }]; - proxy_protocol = false; - } - { - name = "internal"; - resources = [{ - name = "health"; - }]; - binds = [{ - host = "localhost"; - port = 8081; - }]; - proxy_protocol = false; - } - { - name = "admin"; - resources = [{ - name = "adminapi"; - }]; - binds = [{ - host = "localhost"; - port = 8083; - }]; - proxy_protocol = false; - } - ]; - trusted_proxies = [ - "192.168.0.0/16" - "172.16.0.0/12" - "10.0.0.0/10" - "127.0.0.1/8" - "fd00::/8" - "::1/128" - ]; - public_base = "https://mas.nekover.se"; - }; - database = { - uri = "postgresql://mas_user:mas@localhost/mas"; - max_connections = 10; - min_connections = 0; - connect_timeout = 30; - idle_timeout = 600; - max_lifetime = 1800; - }; - passwords = { - enabled = true; - schemes = [ - { - version = 1; - algorithm = "bcrypt"; - } - { - version = 2; - algorithm = "argon2id"; - } - ]; - }; - }; - masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings); -in -{ - environment.systemPackages = with pkgs; [ - matrix-authentication-service - ]; - - systemd.services.matrix-authentication-service = { - description = "Matrix Authentication Service"; - after = [ "network-online.target" "postgresql.service" ]; - requires = [ "postgresql.service" ]; - wants = [ "network-online.target" ]; - - serviceConfig = { - Type = "simple"; - ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/secrets/matrix-mas-secret-config.secret"; - WorkingDirectory = "${pkgs.matrix-authentication-service}"; - User = "matrix-synapse"; - Group = "matrix-synapse"; - }; - - wantedBy = [ - "multi-user.target" - ]; - }; -} diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index 371eb95..7f339bf 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix @@ -3,40 +3,26 @@ services.matrix-synapse = { enable = true; settings = { - listeners = [ - { - port = 8008; - bind_addresses = [ - "::1" - "127.0.0.1" - ]; - type = "http"; - tls = false; - x_forwarded = true; - resources = [ - { - compress = true; - names = [ "client" ]; - } - { - compress = false; - names = [ "federation" ]; - } - ]; - } - { - port = 9000; - type = "http"; - tls = false; - bind_addresses = [ - "0.0.0.0" - ]; - resources = [{ - names = [ "metrics" ]; + listeners = [{ + port = 8008; + bind_addresses = [ + "::1" + "127.0.0.1" + ]; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + compress = true; + names = [ "client" ]; + } + { compress = false; - }]; - } - ]; + names = [ "federation" ]; + } + ]; + }]; server_name = "nekover.se"; public_baseurl = "https://matrix.nekover.se"; database = { @@ -54,42 +40,19 @@ signing_key_path = "/secrets/matrix-homeserver-signing-key.secret"; admin_contact = "mailto:admin@nekover.se"; web_client_location = "https://element.nekover.se"; - enable_metrics = true; turn_uris = [ "turns:turn.nekover.se?transport=udp" "turns:turn.nekover.se?transport=tcp" ]; turn_user_lifetime = 86400000; turn_allow_guests = true; - experimental_features = { - # MSC3266: Room summary API. Used for knocking over federation - msc3266_enabled = true; - # MSC4222 needed for syncv2 state_after. This allow clients to - # correctly track the state of the room. - msc4222_enabled = true; - }; - # The maximum allowed duration by which sent events can be delayed, as - # per MSC4140. - max_event_delay_duration = "24h"; - rc_message = { - # This needs to match at least e2ee key sharing frequency plus a bit of headroom - # Note key sharing events are bursty - per_second = 0.5; - burst_count = 30; - }; - rc_delayed_event_mgmt = { - # This needs to match at least the heart-beat frequency plus a bit of headroom - # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s - per_second = 1; - burst_count = 20; - }; }; extras = [ "oidc" ]; extraConfigFiles = [ "/secrets/matrix-registration-shared-secret.secret" "/secrets/matrix-turn-shared-secret.secret" "/secrets/matrix-email-smtp-pass.secret" - "/secrets/matrix-homeserver-mas-config.secret" + "/secrets/matrix-keycloak-client-secret.secret" ]; }; } diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index 0e419bc..1b28649 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix @@ -2,127 +2,40 @@ { services.nginx = { enable = true; - virtualHosts = { - "matrix.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - { - addr = "0.0.0.0"; - port = 8448; - ssl = true; - proxyProtocol = true; - } - ]; - locations = { - "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { - proxyPass = "http://localhost:8009"; - priority = 998; - }; - "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = { - proxyPass = "http://localhost:8080"; - priority = 999; - }; - "~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://localhost:8008"; - extraConfig = '' - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; - ''; - }; - "~ ^/_synapse/admin" = { - # Only proxy to the local host on IPv4, because localhost doesn't seem to work - # even if matrix-synapse is listening on ::1 as well. - proxyPass = "http://127.0.0.1:8008"; - extraConfig = '' - # Restrict access to admin API. - allow 172.21.87.0/24; # management VPN - deny all; - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; - ''; - }; + virtualHosts."matrix.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 8448; + ssl = true; + } + ]; + locations = { + "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { + proxyPass = "http://127.0.0.1:8009"; + priority = 999; + }; + "~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://127.0.0.1:8008"; + extraConfig = '' + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; + ''; }; - extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie - real_ip_header proxy_protocol; - ''; - }; - "mas.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations = { - "/" = { - proxyPass = "http://localhost:8080"; - }; - "~ ^/api/admin" = { - proxyPass = "http://localhost:8083"; - extraConfig = '' - # Restrict access to admin API. - allow 172.21.87.0/24; # management VPN - deny all; - ''; - }; - }; - extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie - real_ip_header proxy_protocol; - ''; - }; - "matrix-rtc.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - locations."^~ /livekit/jwt/" = { - proxyPass = "http://localhost:8082/"; - }; - locations."^~ /livekit/sfu/" = { - proxyPass = "http://localhost:7880/"; - proxyWebsockets = true; - }; - extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie - real_ip_header proxy_protocol; - ''; }; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; }; }; } diff --git a/config/hosts/matrix/postgresql.nix b/config/hosts/matrix/postgresql.nix index 06d10e2..03b753a 100644 --- a/config/hosts/matrix/postgresql.nix +++ b/config/hosts/matrix/postgresql.nix @@ -8,11 +8,6 @@ TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"; - CREATE ROLE "mas_user" WITH LOGIN PASSWORD 'mas'; - CREATE DATABASE "mas" WITH OWNER "mas_user" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; ''; }; } diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix index 5121ded..a95309e 100644 --- a/config/hosts/matrix/secrets.nix +++ b/config/hosts/matrix/secrets.nix @@ -33,29 +33,13 @@ permissions = "0640"; uploadAt = "pre-activation"; }; - "matrix-homeserver-mas-config.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-mas-config" ]; + "matrix-keycloak-client-secret.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/keycloak-client-secret" ]; destDir = "/secrets"; user = "matrix-synapse"; group = "matrix-synapse"; permissions = "0640"; uploadAt = "pre-activation"; }; - "matrix-mas-secret-config.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "matrix/mas-secret-config" ]; - destDir = "/secrets"; - user = "matrix-synapse"; - group = "matrix-synapse"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "matrix-livekit-secret-key.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "matrix/livekit-secret-key" ]; - destDir = "/secrets"; - user = "root"; - group = "root"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; }; } diff --git a/config/hosts/matrix/sops.nix b/config/hosts/matrix/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/matrix/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/metrics-nekomesh/grafana.nix b/config/hosts/metrics-nekomesh/grafana.nix deleted file mode 100644 index 8c4255d..0000000 --- a/config/hosts/metrics-nekomesh/grafana.nix +++ /dev/null @@ -1,55 +0,0 @@ -{ config, ... }: -{ - services.grafana = { - enable = true; - settings = { - server = { - domain = "mesh.nekover.se"; - root_url = "https://${config.services.grafana.settings.server.domain}"; - }; - security = { - cookie_secure = true; - cookie_samesite = "strict"; - admin_user = "admin"; - admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}"; - admin_email = "fi@nekover.se"; - secret_key = "$__file{/secrets/metrics-nekomesh-grafana-secret-key.secret}"; - }; - smtp = { - enabled = true; - host = "mail.grzb.de:465"; - user = "nekomesh@grzb.de"; - password = "$__file{/secrets/mail-nekomesh-nekover-se.secret}"; - from_address = "nyareply@nekover.se"; - from_name = "Nekomesh"; - startTLS_policy = "NoStartTLS"; - }; - "auth.generic_oauth" = { - enabled = true; - name = "Nekoverse ID"; - allow_sign_up = true; - client_id = "nekomesh"; - client_secret = "$__file{/secrets/metrics-nekomesh-grafana-keycloak-client-secret.secret}"; - scopes = "openid email profile offline_access roles"; - email_attribute_path = "email"; - login_attribute_path = "preferred_username"; - name_attribute_path = "preferred_username"; - auth_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/auth"; - token_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/token"; - api_url = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/userinfo"; - use_refresh_token = true; - allow_assign_grafana_admin = true; - role_attribute_strict = true; - role_attribute_path = "contains(resource_access.nekomesh.roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(resource_access.nekomesh.roles[*], 'admin') && 'Admin' || contains(resource_access.nekomesh.roles[*], 'editor') && 'Editor' || 'Viewer'"; - }; - }; - provision.datasources.settings.datasources = [ - { - name = "Prometheus"; - type = "prometheus"; - url = "http://localhost:${builtins.toString config.services.prometheus.port}"; - isDefault = true; - } - ]; - }; -} diff --git a/config/hosts/metrics-nekomesh/neo4j.nix b/config/hosts/metrics-nekomesh/neo4j.nix deleted file mode 100644 index 053999e..0000000 --- a/config/hosts/metrics-nekomesh/neo4j.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ ... }: -{ - services.neo4j = { - enable = true; - https.enable = false; - bolt.tlsLevel = "DISABLED"; - defaultListenAddress = "0.0.0.0"; - }; -} diff --git a/config/hosts/metrics-nekomesh/nginx.nix b/config/hosts/metrics-nekomesh/nginx.nix deleted file mode 100644 index a754cb6..0000000 --- a/config/hosts/metrics-nekomesh/nginx.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ config, ... }: -{ - services.nginx = { - enable = true; - virtualHosts = { - ${config.services.grafana.settings.server.domain} = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - extraParameters = [ "proxy_protocol" ]; - } - ]; - locations."/" = { - proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}"; - proxyWebsockets = true; - }; - extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie - real_ip_header proxy_protocol; - ''; - }; - }; - }; -} diff --git a/config/hosts/metrics-nekomesh/prometheus.nix b/config/hosts/metrics-nekomesh/prometheus.nix deleted file mode 100644 index 7da0d65..0000000 --- a/config/hosts/metrics-nekomesh/prometheus.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ ... }: -{ - services.prometheus = { - enable = true; - retentionTime = "2y"; - scrapeConfigs = [ - { - job_name = "meshcore_repeater_telemetry"; - scrape_interval = "15m"; - static_configs = [{ - targets = [ "localhost:9091" ]; - }]; - } - ]; - pushgateway = { - enable = true; - web.external-url = "metrics-nekomesh.vs.grzb.de:9091"; - }; - }; -} diff --git a/config/hosts/metrics-nekomesh/secrets.nix b/config/hosts/metrics-nekomesh/secrets.nix deleted file mode 100644 index 8014354..0000000 --- a/config/hosts/metrics-nekomesh/secrets.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ keyCommandEnv, ... }: -{ - deployment.keys = { - "metrics-nekomesh-grafana-admin-password.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/admin-password" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "metrics-nekomesh-grafana-keycloak-client-secret.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/keycloak-client-secret" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "metrics-nekomesh-grafana-secret-key.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/secret-key" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - "mail-nekomesh-nekover-se.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; - }; -} diff --git a/config/hosts/metrics-nekomesh/sops.nix b/config/hosts/metrics-nekomesh/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/metrics-nekomesh/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/metrics/default.nix b/config/hosts/metrics/default.nix index ea9bd08..ef5c25c 100644 --- a/config/hosts/metrics/default.nix +++ b/config/hosts/metrics/default.nix @@ -5,6 +5,5 @@ ./grafana.nix ./prometheus.nix ./nginx.nix - ./sops.nix ]; } diff --git a/config/hosts/metrics/prometheus.nix b/config/hosts/metrics/prometheus.nix index 53e313c..c4b45b1 100644 --- a/config/hosts/metrics/prometheus.nix +++ b/config/hosts/metrics/prometheus.nix @@ -1,16 +1,7 @@ -{ hosts, pkgs, ... }: -let - # https://github.com/element-hq/synapse/tree/master/contrib/prometheus/ - synapseRules = pkgs.fetchurl { - url = "https://raw.githubusercontent.com/element-hq/synapse/refs/heads/master/contrib/prometheus/synapse-v2.rules"; - hash = "sha256-X6GHOUDIMUat7R/yIfrIdO8ehomYiwDBFe3TUQYXDWQ="; - }; -in +{ hosts, ... }: { services.prometheus = { enable = true; - retentionTime = "90d"; - ruleFiles = [ synapseRules ]; scrapeConfigs = [ { job_name = "node"; @@ -23,14 +14,6 @@ in }; }) (builtins.attrNames hosts); } - { - job_name = "synapse"; - scrape_interval = "15s"; - metrics_path = "/_synapse/metrics"; - static_configs = [{ - targets = [ "matrix.vs.grzb.de:9000" ]; - }]; - } ]; }; } diff --git a/config/hosts/metrics/sops.nix b/config/hosts/metrics/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/metrics/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/navidrome/configuration.nix b/config/hosts/navidrome/configuration.nix new file mode 100644 index 0000000..581a631 --- /dev/null +++ b/config/hosts/navidrome/configuration.nix @@ -0,0 +1,33 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "navidrome"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + fileSystems = { + "/mnt/music" = { + device = "//10.202.40.5/music-ro"; + fsType = "cifs"; + options = [ + "username=navidrome" + "credentials=/secrets/navidrome-samba-credentials.secret" + "iocharset=utf8" + "vers=3.1.1" + "uid=navidrome" + "gid=navidrome" + "_netdev" + ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/navidrome/default.nix b/config/hosts/navidrome/default.nix new file mode 100644 index 0000000..00d4a90 --- /dev/null +++ b/config/hosts/navidrome/default.nix @@ -0,0 +1,7 @@ +{ ... }: { + imports = [ + ./configuration.nix + ./navidrome.nix + ./nginx.nix + ]; +} diff --git a/config/hosts/navidrome/navidrome.nix b/config/hosts/navidrome/navidrome.nix new file mode 100644 index 0000000..74e3a1d --- /dev/null +++ b/config/hosts/navidrome/navidrome.nix @@ -0,0 +1,9 @@ +{ ... }: { + services.navidrome = { + enable = true; + settings = { + Address = "unix:/run/navidrome/navidrome.socket"; + MusicFolder = "/mnt/music"; + }; + }; +} diff --git a/config/hosts/navidrome/nginx.nix b/config/hosts/navidrome/nginx.nix new file mode 100644 index 0000000..eef60dd --- /dev/null +++ b/config/hosts/navidrome/nginx.nix @@ -0,0 +1,24 @@ +{ ... }: { + services.nginx = { + enable = true; + user = "navidrome"; + virtualHosts."navidrome.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/" = { + proxyPass = "http://unix:/run/navidrome/navidrome.socket"; + }; + }; + }; +} diff --git a/config/hosts/navidrome/secrets.nix b/config/hosts/navidrome/secrets.nix new file mode 100644 index 0000000..a11e957 --- /dev/null +++ b/config/hosts/navidrome/secrets.nix @@ -0,0 +1,13 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "navidrome-samba-credentials.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "navidrome/samba-credentials" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/metrics-nekomesh/configuration.nix b/config/hosts/netbox/configuration.nix similarity index 56% rename from config/hosts/metrics-nekomesh/configuration.nix rename to config/hosts/netbox/configuration.nix index 03a11b7..5bf8422 100644 --- a/config/hosts/metrics-nekomesh/configuration.nix +++ b/config/hosts/netbox/configuration.nix @@ -6,12 +6,12 @@ }; networking = { - hostName = "metrics-nekomesh"; + hostName = "netbox"; firewall = { enable = true; - allowedTCPPorts = [ 80 7474 7687 8443 9091 ]; + allowedTCPPorts = [ 80 443 ]; }; }; - system.stateVersion = "25.11"; + system.stateVersion = "23.05"; } diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix new file mode 100644 index 0000000..5dd147b --- /dev/null +++ b/config/hosts/netbox/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./netbox.nix + ./nginx.nix + ]; +} diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix new file mode 100644 index 0000000..b9ba2ad --- /dev/null +++ b/config/hosts/netbox/netbox.nix @@ -0,0 +1,8 @@ +{ pkgs, ... }: +{ + services.netbox = { + enable = true; + package = pkgs.netbox; + secretKeyFile = "/secrets/netbox-secret-key.secret"; + }; +} diff --git a/config/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix new file mode 100644 index 0000000..a2d1782 --- /dev/null +++ b/config/hosts/netbox/nginx.nix @@ -0,0 +1,29 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + clientMaxBodySize = "25m"; + user = "netbox"; + virtualHosts."netbox.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/static/" = { + alias = "${config.services.netbox.dataDir}/static/"; + }; + locations."/" = { + proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}"; + }; + }; + }; +} diff --git a/config/hosts/netbox/secrets.nix b/config/hosts/netbox/secrets.nix new file mode 100644 index 0000000..216aca4 --- /dev/null +++ b/config/hosts/netbox/secrets.nix @@ -0,0 +1,11 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys."netbox-secret-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ]; + destDir = "/secrets"; + user = "netbox"; + group = "netbox"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/config/hosts/nextcloud/default.nix b/config/hosts/nextcloud/default.nix index 5c78b7a..9677aef 100644 --- a/config/hosts/nextcloud/default.nix +++ b/config/hosts/nextcloud/default.nix @@ -4,6 +4,5 @@ ./configuration.nix ./hardware-configuration.nix ./nextcloud.nix - ./sops.nix ]; } diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix index f27c9a6..0b1f3a2 100644 --- a/config/hosts/nextcloud/nextcloud.nix +++ b/config/hosts/nextcloud/nextcloud.nix @@ -2,7 +2,7 @@ { services.nextcloud = { enable = true; - package = pkgs.nextcloud32; + package = pkgs.nextcloud29; hostName = "cloud.nekover.se"; https = true; config = { @@ -23,7 +23,7 @@ mail_from_address = "cloud"; mail_domain = "nekover.se"; mail_smtpauthtype = "LOGIN"; - mail_smtpauth = true; + mail_smtpauth = 1; mail_smtphost = "mail-1.grzb.de"; mail_smtpport = 465; mail_smtpname = "cloud@nekover.se"; @@ -44,8 +44,7 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/nextcloud/sops.nix b/config/hosts/nextcloud/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/nextcloud/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/nitter/configuration.nix b/config/hosts/nitter/configuration.nix new file mode 100644 index 0000000..bc54db7 --- /dev/null +++ b/config/hosts/nitter/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "nitter"; + firewall = { + enable = true; + allowedTCPPorts = [ 8443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/nitter/default.nix b/config/hosts/nitter/default.nix new file mode 100644 index 0000000..6aae884 --- /dev/null +++ b/config/hosts/nitter/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nginx.nix + ./nitter.nix + ]; +} diff --git a/config/hosts/nitter/nginx.nix b/config/hosts/nitter/nginx.nix new file mode 100644 index 0000000..862405c --- /dev/null +++ b/config/hosts/nitter/nginx.nix @@ -0,0 +1,23 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + virtualHosts."birdsite.nekover.se" = { + forceSSL = true; + enableACME = true; + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: /\\n\""; + }; + locations."/" = { + proxyPass = "http://${config.services.nitter.server.address}:${builtins.toString config.services.nitter.server.port}"; + proxyWebsockets = true; + }; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; + }; +} diff --git a/config/hosts/nitter/nitter.nix b/config/hosts/nitter/nitter.nix new file mode 100644 index 0000000..94165c4 --- /dev/null +++ b/config/hosts/nitter/nitter.nix @@ -0,0 +1,21 @@ +{ ... }: +{ + services.nitter = { + enable = true; + + server = { + title = "Birdsite"; + https = true; + address = "127.0.0.1"; + port = 8080; + hostname = "birdsite.nekover.se"; + }; + + preferences = { + theme = "Mastodon"; + replaceTwitter = "birdsite.nekover.se"; + infiniteScroll = true; + hlsPlayback = true; + }; + }; +} diff --git a/config/hosts/paperless/configuration.nix b/config/hosts/paperless/configuration.nix new file mode 100644 index 0000000..494f08c --- /dev/null +++ b/config/hosts/paperless/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "paperless"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/paperless/default.nix b/config/hosts/paperless/default.nix new file mode 100644 index 0000000..e6ebeed --- /dev/null +++ b/config/hosts/paperless/default.nix @@ -0,0 +1,9 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./hardware-configuration.nix + ./nginx.nix + ./paperless.nix + ]; +} diff --git a/config/hosts/paperless/hardware-configuration.nix b/config/hosts/paperless/hardware-configuration.nix new file mode 100644 index 0000000..17b9b66 --- /dev/null +++ b/config/hosts/paperless/hardware-configuration.nix @@ -0,0 +1,30 @@ +{ ... }: +{ + fileSystems = { + "/mnt/data" = { + device = "/dev/disk/by-label/data"; + fsType = "ext4"; + autoFormat = true; + autoResize = true; + }; + "/mnt/paperless-consume" = { + device = "//10.201.40.10/paperless-consume"; + fsType = "cifs"; + options = [ + "username=paperless" + "credentials=/secrets/paperless-samba-credentials.secret" + "iocharset=utf8" + "vers=3.1.1" + "uid=paperless" + "gid=paperless" + "_netdev" + ]; + }; + "/var/lib/paperless" = { + depends = [ "/mnt/data" ]; + device = "/mnt/data/paperless"; + fsType = "none"; + options = [ "bind" ]; + }; + }; +} diff --git a/config/hosts/paperless/nginx.nix b/config/hosts/paperless/nginx.nix new file mode 100644 index 0000000..e4a2131 --- /dev/null +++ b/config/hosts/paperless/nginx.nix @@ -0,0 +1,31 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + virtualHosts."paperless.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/" = { + proxyPass = "http://${config.services.paperless.address}:${builtins.toString config.services.paperless.port}"; + proxyWebsockets = true; + extraConfig = '' + add_header Referrer-Policy "strict-origin-when-cross-origin"; + ''; + }; + extraConfig = '' + client_max_body_size 100M; + ''; + }; + }; +} diff --git a/config/hosts/paperless/paperless.nix b/config/hosts/paperless/paperless.nix new file mode 100644 index 0000000..1def83d --- /dev/null +++ b/config/hosts/paperless/paperless.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + services.paperless = { + enable = true; + consumptionDir = "/mnt/paperless-consume"; + passwordFile = "/secrets/paperless-admin-password.secret"; + }; +} diff --git a/config/hosts/paperless/secrets.nix b/config/hosts/paperless/secrets.nix new file mode 100644 index 0000000..6726881 --- /dev/null +++ b/config/hosts/paperless/secrets.nix @@ -0,0 +1,21 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "paperless-admin-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "paperless/admin-password" ]; + destDir = "/secrets"; + user = "paperless"; + group = "paperless"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "paperless-samba-credentials.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "paperless/samba-credentials" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/searx/default.nix b/config/hosts/searx/default.nix index ab8d68f..ee2a678 100644 --- a/config/hosts/searx/default.nix +++ b/config/hosts/searx/default.nix @@ -4,6 +4,5 @@ ./configuration.nix ./nginx.nix ./searx.nix - ./sops.nix ]; } diff --git a/config/hosts/searx/nginx.nix b/config/hosts/searx/nginx.nix index 9283018..a84c171 100644 --- a/config/hosts/searx/nginx.nix +++ b/config/hosts/searx/nginx.nix @@ -21,8 +21,7 @@ proxyPass = "http://${config.services.searx.settings.server.bind_address}:${builtins.toString config.services.searx.settings.server.port}"; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/searx/sops.nix b/config/hosts/searx/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/searx/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/torrent/configuration.nix b/config/hosts/torrent/configuration.nix index 83dbdab..610fde4 100644 --- a/config/hosts/torrent/configuration.nix +++ b/config/hosts/torrent/configuration.nix @@ -25,5 +25,5 @@ }; }; - system.stateVersion = "24.11"; + system.stateVersion = "23.11"; } diff --git a/config/hosts/torrent/default.nix b/config/hosts/torrent/default.nix index d10522c..dc6a854 100644 --- a/config/hosts/torrent/default.nix +++ b/config/hosts/torrent/default.nix @@ -7,6 +7,5 @@ ./radarr.nix ./sonarr.nix ./nginx.nix - ./sops.nix ]; } diff --git a/config/hosts/torrent/jackett.nix b/config/hosts/torrent/jackett.nix index 675576f..6aa6e5e 100644 --- a/config/hosts/torrent/jackett.nix +++ b/config/hosts/torrent/jackett.nix @@ -1,8 +1,8 @@ -{ nixpkgs-master, ... }: +{ nixpkgs-unstable, ... }: { services.jackett = { enable = true; - # use package from master to work around faulty test in older jackett version - package = nixpkgs-master.legacyPackages."x86_64-linux".jackett; + # use package from unstable to work around faulty test in older jackett version + package = nixpkgs-unstable.legacyPackages."x86_64-linux".jackett; }; } diff --git a/config/hosts/torrent/sonarr.nix b/config/hosts/torrent/sonarr.nix index 19c66ca..fb0186a 100644 --- a/config/hosts/torrent/sonarr.nix +++ b/config/hosts/torrent/sonarr.nix @@ -1,17 +1,5 @@ { ... }: { - # The sonarr package is dependend on .NET 6 which is marked as insecure. - # It doesn't seem to build with the later .NET versions. - # In the meantime allow the installation of these insecure packages since sonarr is only reachable locally. - nixpkgs.config = { - permittedInsecurePackages = [ - "aspnetcore-runtime-wrapped-6.0.36" - "aspnetcore-runtime-6.0.36" - "dotnet-sdk-wrapped-6.0.428" - "dotnet-sdk-6.0.428" - ]; - }; - services.sonarr = { enable = true; user = "torrent"; diff --git a/config/hosts/torrent/sops.nix b/config/hosts/torrent/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/torrent/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index e581f8c..f4e2db5 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -7,7 +7,7 @@ nftables.enable = true; firewall = { enable = true; - allowedTCPPorts = [ 80 443 8448 ]; + allowedTCPPorts = [ 80 443 ]; allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ]; }; wireguard = { @@ -96,5 +96,5 @@ services.prometheus.exporters.node.enable = false; - system.stateVersion = "24.11"; + system.stateVersion = "23.05"; } diff --git a/config/hosts/valkyrie/containers/uptime-kuma/default.nix b/config/hosts/valkyrie/containers/uptime-kuma/default.nix index 7f55ea4..ca36384 100644 --- a/config/hosts/valkyrie/containers/uptime-kuma/default.nix +++ b/config/hosts/valkyrie/containers/uptime-kuma/default.nix @@ -1,6 +1,7 @@ -{ ... }: +{ nixpkgs-unstable, ... }: { containers.uptime-kuma = { + nixpkgs = nixpkgs-unstable; autoStart = true; config = { ... }: { networking.useHostResolvConf = true; diff --git a/config/hosts/valkyrie/default.nix b/config/hosts/valkyrie/default.nix index 1f91238..68a1b85 100644 --- a/config/hosts/valkyrie/default.nix +++ b/config/hosts/valkyrie/default.nix @@ -5,6 +5,5 @@ ./nginx.nix ./containers/uptime-kuma ./services.nix - ./sops.nix ]; } diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix index 2ea8db8..fae78f0 100644 --- a/config/hosts/valkyrie/nginx.nix +++ b/config/hosts/valkyrie/nginx.nix @@ -33,35 +33,5 @@ }; }; }; - - streamConfig = '' - map $ssl_preread_server_name $address { - cloud.nekover.se 10.202.41.122:8443; - element.nekover.se 10.202.41.100:8443; - element-admin.nekover.se 10.202.41.100:8443; - fi.nekover.se 10.202.41.125:8443; - git.nekover.se 10.202.41.106:8443; - id.nekover.se 10.202.41.124:8443; - mas.nekover.se 10.202.41.112:8443; - matrix.nekover.se 10.202.41.112:8443; - matrix-rtc.nekover.se 10.202.41.112:8443; - mesh.nekover.se 10.202.41.126:8443; - nekover.se 10.202.41.100:8443; - nix-cache.nekover.se 10.202.41.121:8443; - searx.nekover.se 10.202.41.105:8443; - social.nekover.se 10.202.41.104:8443; - } - server { - listen [::]:443; - proxy_pass $address; - ssl_preread on; - proxy_protocol on; - } - server { - listen [::]:8448; - proxy_pass 10.202.41.112:8448; # matrix federation port - proxy_protocol on; - } - ''; }; } diff --git a/config/hosts/valkyrie/sops.nix b/config/hosts/valkyrie/sops.nix deleted file mode 100644 index 78dc2c8..0000000 --- a/config/hosts/valkyrie/sops.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ ... }: -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/web-public-1/configuration.nix b/config/hosts/web-public-1/configuration.nix new file mode 100644 index 0000000..7f3b8fa --- /dev/null +++ b/config/hosts/web-public-1/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "web-public-1"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/web-public-1/default.nix b/config/hosts/web-public-1/default.nix new file mode 100644 index 0000000..3db73ca --- /dev/null +++ b/config/hosts/web-public-1/default.nix @@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nginx.nix + ]; +} diff --git a/config/hosts/web-public-1/nginx.nix b/config/hosts/web-public-1/nginx.nix new file mode 100644 index 0000000..0453a73 --- /dev/null +++ b/config/hosts/web-public-1/nginx.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + imports = [ + ./virtualHosts + ]; + + services.nginx = { + enable = true; + }; +} diff --git a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix new file mode 100644 index 0000000..c9b7e61 --- /dev/null +++ b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix @@ -0,0 +1,18 @@ +{ ... }: +let + acmeDomainMap = { + "paperless.grzb.de" = "paperless.wg.grzb.de"; + "navidrome.grzb.de" = "navidrome.wg.grzb.de"; + }; +in +{ + services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://${target}:80"; + }; + }) acmeDomainMap); +} diff --git a/config/hosts/web-public-1/virtualHosts/default.nix b/config/hosts/web-public-1/virtualHosts/default.nix new file mode 100644 index 0000000..e191a9c --- /dev/null +++ b/config/hosts/web-public-1/virtualHosts/default.nix @@ -0,0 +1,16 @@ +{ ... }: +{ + imports = [ + ./acme-challenge.nix + ]; + + services.nginx.virtualHosts."_" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; +} diff --git a/config/hosts/web-public-2/configuration.nix b/config/hosts/web-public-2/configuration.nix index e942787..94e74b6 100644 --- a/config/hosts/web-public-2/configuration.nix +++ b/config/hosts/web-public-2/configuration.nix @@ -21,7 +21,7 @@ hostName = "web-public-2"; firewall = { enable = true; - allowedTCPPorts = [ 80 443 5000 8443 8448 ]; + allowedTCPPorts = [ 80 443 5000 8448 ]; }; }; diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 87a1ec9..1f14695 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -16,32 +16,30 @@ stream { map $ssl_preread_server_name $address { + anisync.grzb.de 127.0.0.1:8443; + birdsite.nekover.se 10.202.41.107:8443; cloud.nekover.se 10.202.41.122:8443; - element.nekover.se 10.202.41.100:8443; - element-admin.nekover.se 10.202.41.100:8443; + element.nekover.se 127.0.0.1:8443; fi.nekover.se 10.202.41.125:8443; + gameserver.grzb.de 127.0.0.1:8443; + git.grzb.de 127.0.0.1:8443; git.nekover.se 10.202.41.106:8443; + hydra.nekover.se 10.202.41.121:8443; id.nekover.se 10.202.41.124:8443; - mas.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443; - matrix-rtc.nekover.se 10.202.41.112:8443; - nekover.se 10.202.41.100:8443; - mesh.nekover.se 10.202.41.126:8443; + mewtube.nekover.se 127.0.0.1:8443; + nekover.se 127.0.0.1:8443; nix-cache.nekover.se 10.202.41.121:8443; searx.nekover.se 10.202.41.105:8443; social.nekover.se 10.202.41.104:8443; } server { listen 0.0.0.0:443; + listen [::]:443; proxy_pass $address; ssl_preread on; proxy_protocol on; } - server { - listen 0.0.0.0:8448; - proxy_pass 10.202.41.112:8448; # matrix federation port - proxy_protocol on; - } } ''; diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index b3d0cc4..59b9d3a 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -1,13 +1,9 @@ { ... }: let acmeDomainMap = { - "alertmanager.grzb.de" = "metrics.vs.grzb.de"; "jellyfin.grzb.de" = "jellyfin.vs.grzb.de"; "mail-1.grzb.de" = "mail-1.vs.grzb.de"; - "mas.nekover.se" = "matrix.vs.grzb.de"; "matrix.nekover.se" = "matrix.vs.grzb.de"; - "matrix-rtc.nekover.se" = "matrix.vs.grzb.de"; - "mesh.nekover.se" = "metrics-nekomesh.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de"; "git.nekover.se" = "forgejo.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de"; diff --git a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix new file mode 100644 index 0000000..9a3950a --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix @@ -0,0 +1,23 @@ +{ ... }: +{ + services.nginx.virtualHosts."anisync.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; + locations."/" = { + proxyPass = "http://anisync.vs.grzb.de:8080"; + proxyWebsockets = true; + }; + extraConfig = '' + add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; + }; +} diff --git a/config/hosts/web-public-2/virtualHosts/default.nix b/config/hosts/web-public-2/virtualHosts/default.nix index fc2b409..53294f7 100644 --- a/config/hosts/web-public-2/virtualHosts/default.nix +++ b/config/hosts/web-public-2/virtualHosts/default.nix @@ -2,8 +2,11 @@ { imports = [ ./acme-challenge.nix + ./anisync.grzb.de.nix ./element.nekover.se.nix - ./element-admin.nekover.se.nix + ./gameserver.grzb.de.nix + ./git.grzb.de.nix + ./mewtube.nekover.se.nix ./nekover.se.nix ]; diff --git a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix deleted file mode 100644 index cb8a45a..0000000 --- a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix +++ /dev/null @@ -1,96 +0,0 @@ -{ config, pkgs, ... }: - -let - elementAdminVersion = "0.1.11"; - elementAdmin = pkgs.stdenv.mkDerivation (finalAttrs: { - pname = "element-admin"; - version = elementAdminVersion; - - src = pkgs.fetchzip { - url = "https://github.com/element-hq/element-admin/archive/refs/tags/v${elementAdminVersion}.zip"; - sha256 = "sha256-tSUTDPspQJjvP1KN4nUr4LYyjNQFj4pKMMA8JmavIxo="; - }; - - nativeBuildInputs = [ - pkgs.nodejs - pkgs.pnpm.configHook - ]; - - pnpmDeps = pkgs.pnpm.fetchDeps { - inherit (finalAttrs) pname version src; - fetcherVersion = 2; - hash = "sha256-Hf4PWey5bczSNbc3QQ9z9X3OVUZ7VHXw7BHGQqJWPac="; - }; - - buildPhase = '' - pnpm build - ''; - - installPhase = '' - cp -a dist $out - ''; - }); -in -{ - services.nginx.virtualHosts."element-admin.nekover.se" = { - forceSSL = true; - enableACME = true; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - extraParameters = ["proxy_protocol"]; - }]; - - root = elementAdmin; - - locations."/assets" = { - extraConfig = '' - expires 1y; - add_header Cache-Control "public, max-age=31536000, immutable"; - # Security headers. - add_header X-Frame-Options "DENY" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "strict-origin-when-cross-origin" always; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always; - add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always; - ''; - }; - - locations."/" = { - index = "/index.html"; - tryFiles = "$uri $uri/ /"; - extraConfig = '' - # Security headers. - add_header X-Frame-Options "DENY" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "strict-origin-when-cross-origin" always; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always; - add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always; - ''; - }; - - extraConfig = '' - # Security headers. - add_header X-Frame-Options "DENY" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "strict-origin-when-cross-origin" always; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always; - add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always; - - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; -} diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index d60f70b..c2d71d6 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.12.17"; + elementWebVersion = "1.11.77"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-ZlL4lQar/nEqA/1Js/aQvlnscWfb41oPbK69jSL9584="; + sha256 = "sha256-O5Dt54fBoKalaeevBn7px/06Kiuhf6mvogLk4Bvvnrg="; }; elementWebSecurityHeaders = '' # Configuration best practices @@ -28,7 +28,7 @@ in ]; }; listen = [{ - addr = "0.0.0.0"; + addr = "localhost"; port = 8443; ssl = true; extraParameters = ["proxy_protocol"]; @@ -60,8 +60,7 @@ in # redirect server error pages to the static page /50x.html error_page 500 502 503 504 /50x.html; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix new file mode 100644 index 0000000..c746f3d --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix @@ -0,0 +1,28 @@ +{ ... }: +{ + services.nginx.virtualHosts."gameserver.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; + locations."/" = { + proxyPass = "http://pterodactyl.vs.grzb.de"; + extraConfig = '' + proxy_redirect off; + proxy_buffering off; + proxy_request_buffering off; + ''; + }; + extraConfig = '' + client_max_body_size 1024m; + add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; + }; +} diff --git a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix new file mode 100644 index 0000000..ac9eefb --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix @@ -0,0 +1,30 @@ +{ ... }: +{ + services.nginx.virtualHosts."git.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; + locations."/" = { + proxyPass = "http://gitlab.vs.grzb.de:80"; + extraConfig = '' + gzip off; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + ''; + }; + extraConfig = '' + client_max_body_size 1024m; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; + }; +} diff --git a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix new file mode 100644 index 0000000..1ab842a --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix @@ -0,0 +1,20 @@ +{ ... }: +{ + services.nginx.virtualHosts."mewtube.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; + locations."/" = { + proxyPass = "http://cloudtube.vs.grzb.de:10412"; + }; + extraConfig = '' + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; + }; +} diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index f33a3b9..08a61ea 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix @@ -4,7 +4,7 @@ forceSSL = true; enableACME = true; listen = [{ - addr = "0.0.0.0"; + addr = "localhost"; port = 8443; ssl = true; extraParameters = ["proxy_protocol"]; @@ -16,22 +16,14 @@ ''; }; locations."/.well-known/matrix/client" = { - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"},\"org.matrix.msc2965.authentication\": {\"issuer\": \"https://mas.nekover.se\", \"account\": \"https://mas.nekover.se/account\"}, \"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix-rtc.nekover.se/livekit/jwt\"}, {\"type\": \"nextgen_new_foci_type\", \"props_for_nextgen_foci\": \"val\"}]}'"; - extraConfig = '' - default_type application/json; - add_header Access-Control-Allow-Origin *; - ''; - }; - locations."/.well-known/matrix/support" = { - return = "200 '{\"contacts\": [{\"email_address\": \"admin@nekover.se\", \"role\": \"m.role.admin\"}]}'"; + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://id.nekover.se/realms/nekoverse\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'"; extraConfig = '' default_type application/json; add_header Access-Control-Allow-Origin *; ''; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol; ''; }; diff --git a/config/nixos-generators/default.nix b/config/nixos-generators/default.nix index c7a930e..2cda85e 100644 --- a/config/nixos-generators/default.nix +++ b/config/nixos-generators/default.nix @@ -10,5 +10,5 @@ firewall.enable = true; }; - system.stateVersion = "24.11"; + system.stateVersion = "23.05"; } diff --git a/config/users/colmena-deploy/default.nix b/config/users/colmena-deploy/default.nix index 2ebb9a8..cc4029b 100644 --- a/config/users/colmena-deploy/default.nix +++ b/config/users/colmena-deploy/default.nix @@ -8,7 +8,6 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew" ]; }; } diff --git a/config/users/fi/default.nix b/config/users/fi/default.nix index 54881d6..2039f05 100644 --- a/config/users/fi/default.nix +++ b/config/users/fi/default.nix @@ -7,8 +7,6 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE95OjEez/yE+GIaeIoz3OwkXboLboPY4ss9nkt4FLyW fi@kiara" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew" ]; }; } diff --git a/config/users/yuri/default.nix b/config/users/yuri/default.nix index f4ca1c7..4b2b8ac 100644 --- a/config/users/yuri/default.nix +++ b/config/users/yuri/default.nix @@ -7,7 +7,6 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew" ]; }; } diff --git a/flake.lock b/flake.lock index 548d0bc..8e74f17 100644 --- a/flake.lock +++ b/flake.lock @@ -19,11 +19,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1767039857, - "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -32,61 +32,13 @@ "type": "github" } }, - "git-hooks": { - "inputs": { - "flake-compat": [ - "simple-nixos-mailserver", - "flake-compat" - ], - "gitignore": "gitignore", - "nixpkgs": [ - "simple-nixos-mailserver", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1772893680, - "narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "8baab586afc9c9b57645a734c820e4ac0a604af9", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, - "gitignore": { - "inputs": { - "nixpkgs": [ - "simple-nixos-mailserver", - "git-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, "nixlib": { "locked": { - "lastModified": 1736643958, - "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", + "lastModified": 1731805462, + "narHash": "sha256-yhEMW4MBi+IAyEJyiKbnFvY1uARyMKJpLUhkczI49wk=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", + "rev": "b9f04e3cf71c23bea21d2768051e6b3068d44734", "type": "github" }, "original": { @@ -103,11 +55,11 @@ ] }, "locked": { - "lastModified": 1769813415, - "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=", + "lastModified": 1732151224, + "narHash": "sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "8946737ff703382fda7623b9fab071d037e897d5", + "rev": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c", "type": "github" }, "original": { @@ -118,27 +70,42 @@ }, "nixpkgs": { "locked": { - "lastModified": 1778947228, - "narHash": "sha256-z1PIyRIm5nlh6sB4I4ObT42O6IT5zuFzQK0RtvRoL/c=", + "lastModified": 1731842749, + "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ff5e747c5f45865599ba7387244212420558e83c", + "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-25.11-small", + "ref": "nixos-24.05-small", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-master": { + "nixpkgs-24_05": { "locked": { - "lastModified": 1778973839, - "narHash": "sha256-gnglqTdKUK1UlKfq+ZRXmxWW+MRhbpOi3DzjTp2zqRU=", + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b6aac1076920329e7863e9fb607d4d1811ea16f3", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-24.05", + "type": "indirect" + } + }, + "nixpkgs-master": { + "locked": { + "lastModified": 1732154639, + "narHash": "sha256-GeEhJmh0/KEQmoe4Lmsv9VC0SrQn4K9V27KbHJ0Zs/g=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "516819d9b5b97ee1f461aecb4caed7aa6b769d5d", "type": "github" }, "original": { @@ -150,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1778930970, - "narHash": "sha256-FqqcYr0c5in/HRL5bkRWykAGp/Q10Vj/zUiSr1P8URE=", + "lastModified": 1732136765, + "narHash": "sha256-622zKMMp0mw2a+fJJoVQdNmxwRGDkWsDTn5OSPK8DLk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5a51fe22e18a6ce886b3cffa4c255378c151323c", + "rev": "e35b0f3f9787cfe51f406f7dd5a4446a858bfdb2", "type": "github" }, "original": { @@ -166,18 +133,17 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1773831496, - "narHash": "sha256-JW2/QPyCVzmouqEp1H9kNa8JXd7xEhlam9sy3TYfhDY=", + "lastModified": 1717602782, + "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "826430a188181a750ffa5948daff334039c5d741", + "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixos-25.11-small", - "repo": "nixpkgs", - "type": "github" + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" } }, "root": { @@ -186,49 +152,62 @@ "nixpkgs": "nixpkgs", "nixpkgs-master": "nixpkgs-master", "nixpkgs-unstable": "nixpkgs-unstable", - "simple-nixos-mailserver": "simple-nixos-mailserver", - "sops-nix": "sops-nix" + "simple-nixos-mailserver": "simple-nixos-mailserver" } }, "simple-nixos-mailserver": { "inputs": { "blobs": "blobs", "flake-compat": "flake-compat", - "git-hooks": "git-hooks", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_2", + "nixpkgs-24_05": "nixpkgs-24_05", + "utils": "utils" }, "locked": { - "lastModified": 1773912645, - "narHash": "sha256-QHzRqq6gh+t3F/QU9DkP7X63dDDcuIQmaDz12p7ANTg=", + "lastModified": 1718084203, + "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "25e6dbb8fca3b6e779c5a46fd03bd760b2165bb5", + "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b", "type": "gitlab" }, "original": { "owner": "simple-nixos-mailserver", - "ref": "nixos-25.11", + "ref": "nixos-24.05", "repo": "nixos-mailserver", "type": "gitlab" } }, - "sops-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, + "systems": { "locked": { - "lastModified": 1777944972, - "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "c591bf665727040c6cc5cb409079acb22dcce33c", + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", "type": "github" }, "original": { - "owner": "Mic92", - "repo": "sops-nix", + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1709126324, + "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "d465f4819400de7c8d874d50b982301f28a84605", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", "type": "github" } } diff --git a/flake.nix b/flake.nix index 0e09394..5cf2232 100644 --- a/flake.nix +++ b/flake.nix @@ -1,20 +1,16 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11-small"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-master.url = "github:NixOS/nixpkgs/master"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; - simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.11"; - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; }; - outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, sops-nix, ... }@inputs: + outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, ... }@inputs: let hosts = import ./hosts.nix inputs; helper = import ./helper.nix inputs; @@ -35,11 +31,17 @@ inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; # Provide environment for secret key command - keyCommandEnv = [ "env" "GNUPGHOME=/home/fi/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/fi/pass/infra" ]; + keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; }; }; } // builtins.mapAttrs (helper.generateColmenaHost) hosts; + hydraJobs = { + nixConfigurations = builtins.mapAttrs (host: helper.generateNixConfiguration host { + inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; + }) hosts; + }; + # Generate a base VM image for Proxmox with `nix build .#base-proxmox` packages.x86_64-linux = { base-proxmox = nixos-generators.nixosGenerate { diff --git a/hosts.nix b/hosts.nix index 83e3a63..cd5f347 100644 --- a/hosts.nix +++ b/hosts.nix @@ -1,4 +1,4 @@ -{ nixpkgs, nixpkgs-unstable, nixpkgs-master, sops-nix, ... }: +{ nixpkgs, nixpkgs-unstable, ... }: let # Set of environment specific modules environments = { @@ -22,11 +22,14 @@ let modules = [ ./config/common ./config/hosts/${name} - sops-nix.nixosModules.sops ] ++ (if environment != "" then environments.${environment} else []); }) hosts; in generateDefaults { + hydra = { + site = "vs"; + environment = "proxmox"; + }; ikiwiki = { site = "vs"; environment = "proxmox"; @@ -36,7 +39,6 @@ in environment = "proxmox"; }; jellyfin = { - hostNixpkgs = nixpkgs-unstable; site = "vs"; environment = "proxmox"; }; @@ -65,7 +67,6 @@ in environment = "proxmox"; }; matrix = { - hostNixpkgs = nixpkgs-unstable; site = "vs"; environment = "proxmox"; }; @@ -73,8 +74,7 @@ in site = "vs"; environment = "proxmox"; }; - metrics-nekomesh = { - hostNixpkgs = nixpkgs-unstable; + netbox = { site = "vs"; environment = "proxmox"; }; @@ -82,6 +82,10 @@ in site = "vs"; environment = "proxmox"; }; + nitter = { + site = "vs"; + environment = "proxmox"; + }; coturn = { site = "vs"; environment = "proxmox"; @@ -92,7 +96,6 @@ in environment = "proxmox"; }; torrent = { - hostNixpkgs = nixpkgs-unstable; site = "vs"; environment = "proxmox"; }; diff --git a/pkgs/wireguard-nat-nftables/default.nix b/pkgs/wireguard-nat-nftables/default.nix index af3f46c..3ce972e 100644 --- a/pkgs/wireguard-nat-nftables/default.nix +++ b/pkgs/wireguard-nat-nftables/default.nix @@ -2,8 +2,6 @@ pkgs.python3Packages.buildPythonApplication { pname = "wireguard-nat-nftables"; version = "0.0.1"; - pyproject = true; - build-system = [ pkgs.python3Packages.setuptools ]; propagatedBuildInputs = with pkgs; [ wireguard-tools