diff --git a/config/hosts/ikiwiki/ikiwiki.nix b/config/hosts/ikiwiki/ikiwiki.nix index dff935c..3a501e6 100644 --- a/config/hosts/ikiwiki/ikiwiki.nix +++ b/config/hosts/ikiwiki/ikiwiki.nix @@ -11,7 +11,7 @@ let ''; ikiwikiSettings = { wikiname = "fi-zone"; - adminemail = "fi@ikiwiki.vs.grzb.de"; + adminemail = "fiona@grzb.de"; adminuser = [ "fi" ]; @@ -22,6 +22,7 @@ let cgiurl = "https://fi.nekover.se/ikiwiki.cgi"; reverse_proxy = 0; cgi_wrapper = "${ikiwikiDataPath}/public_html/fi-zone/ikiwiki.cgi"; + cgiauthurl = "https://fi.nekover.se/auth/ikiwiki.cgi"; cgi_wrappermode = "06755"; cgi_overload_delay = ""; cgi_overload_message = ""; @@ -30,6 +31,7 @@ let add_plugins = [ "goodstuff" "websetup" + "httpauth" ]; disable_plugins = []; templatedir = "${ikiwikiBootstrapTheme}"; @@ -71,33 +73,20 @@ let ikiwikiSettingsHeader ((pkgs.formats.yaml { }).generate "fi-zone-settings" ikiwikiSettings) ]; - ikiwikiSetupAutomator = pkgs.writeScript "fi-zone.initial.setup" '' - #!${pkgs.perl}/bin/perl - require IkiWiki::Setup::Automator; - IkiWiki::Setup::Automator->import( - wikiname => '${ikiwikiSettings.wikiname}', - adminuser => ['fi'], - srcdir => '${ikiwikiSettings.srcdir}', - destdir => '${ikiwikiSettings.destdir}', - dumpsetup => '${ikiwikiSettings.wikiname}.setup', - url => '${ikiwikiSettings.url}', - cgiurl => '${ikiwikiSettings.cgiurl}', - cgi_wrapper => '${ikiwikiSettings.cgi_wrapper}', - adminemail => '${ikiwikiSettings.adminemail}', - add_plugins => [qw{goodstuff websetup}], - disable_plugins => [qw{}], - libdir => '${ikiwikiSettings.libdir}', - rss => 1, - atom => 1, - syslog => 1, - ) - ''; in { environment.systemPackages = with pkgs; [ ikiwiki-full ]; + users = { + users.ikiwiki = { + isSystemUser = true; + group = "ikiwiki"; + }; + groups.ikiwiki = {}; + }; + services.fcgiwrap.instances."ikiwiki" = { socket = { user = config.services.nginx.user; 
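Review bot: `cgiauthurl` is set to the `/auth/ikiwiki.cgi` path that the `httpauth` plugin (enabled two hunks down) expects to be the only CGI URL behind HTTP authentication, so that the main `ikiwiki.cgi` stays usable anonymously; the nginx.nix hunk on this page, however, attaches `basicAuth` to the `~ .cgi` location, which matches `/ikiwiki.cgi` as well, so every CGI request is challenged and the split URL buys nothing. If the usual httpauth layout is intended, scope basic auth and the `REMOTE_USER` param to a location for the `/auth/` prefix and leave the plain `ikiwiki.cgi` location unauthenticated. A comment next to the setting, e.g. `# only this URL is basic-auth protected in nginx; the rest of the CGI stays anonymous`, would keep the two files in step. The `ikiwikiSettings` attrset starts before this hunk.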
@@ -109,21 +98,19 @@ in
 };
 };
- systemd.services.ikiwiki-initial-setup = {
- description = "Run the initial setup of ikiwiki and set permissions.";
+ systemd.services.ikiwiki-directory-setup = {
+ description = "Setup ikiwiki directory structure.";
 script = ''
 mkdir -p ${ikiwikiDataPath}
- chown ${config.services.nginx.user}:${config.services.nginx.group} ${ikiwikiDataPath}
- if [ ! -d "${ikiwikiSettings.srcdir}" ]; then
- ${pkgs.sudo}/bin/sudo -u ${config.services.nginx.user} ${pkgs.ikiwiki-full}/bin/ikiwiki --setup ${ikiwikiSetupAutomator}
- fi
+ mkdir -p ${ikiwikiDataPath}/fi-zone/.ikiwiki
+ touch ${ikiwikiDataPath}/fi-zone/.ikiwiki/lockfile
+ chown -R ${config.users.users.ikiwiki.name}:${config.users.users.ikiwiki.group} ${ikiwikiDataPath}
 '';
 serviceConfig = {
 Type = "simple";
 User = "root";
- Group = "root";
 };
 wantedBy = [
@@ -137,13 +124,35 @@ in
 serviceConfig = {
 Type = "simple";
 ExecStart = "${pkgs.ikiwiki-full}/bin/ikiwiki --setup ${ikiwikiSettingsFile}";
- User = config.services.nginx.user;
- Group = config.services.nginx.group;
- Requires = [ "ikiwiki-initial-setup.service" ];
+ User = config.users.users.ikiwiki.name;
+ Group = config.users.users.ikiwiki.group;
+ Requires = [ "ikiwiki-directory-setup.service" ];
 };
 wantedBy = [
 "multi-user.target"
 ];
- };
+ };
+
+ systemd.services.ikiwiki-auth-setup = {
+ description = "Setup auth subdirectory for ikiwiki.cgi";
+
+ script = ''
+ mkdir -p ${ikiwikiSettings.destdir}/auth
+ if [ ! -f ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi ]; then
+ ln -s ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi
+ fi
+ '';
+
+ serviceConfig = {
+ Type = "simple";
+ User = config.users.users.ikiwiki.name;
+ Group = config.users.users.ikiwiki.group;
+ Requires = [ "ikiwiki-settings-setup.service" ];
+ };
+
+ wantedBy = [
+ "multi-user.target"
+ ];
+ };
 }
diff --git a/config/hosts/ikiwiki/nginx.nix b/config/hosts/ikiwiki/nginx.nix
index c3e0760..18cd2a7 100644
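Review bot: `Type = "simple"` on `ikiwiki-directory-setup` makes systemd consider the unit started as soon as the shell is forked, so anything ordered after it (the `ikiwiki-settings-setup` unit in the next hunk is meant to depend on it) can run `ikiwiki --setup` before the `mkdir`/`chown -R` have finished; a setup script that exits should be `Type = "oneshot"; RemainAfterExit = true;`. The same applies to the new `ikiwiki-auth-setup` unit in the next hunk. Since the script now runs as root and re-chowns the whole data path on every start, a one-line comment such as `# runs as root: hands the data dir to the dedicated ikiwiki user` would make the `User = "root"` deliberate rather than a leftover. The enclosing module body starts before this hunk.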
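Review bot: The guard in `ikiwiki-auth-setup`, `if [ ! -f A B ]`, gives `test` two operands after `-f`, which it rejects with "too many arguments", so the condition is never true and the symlink under `${ikiwikiSettings.destdir}/auth` is never created; it should read `if [ ! -e ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi ]; then` (`-e` rather than `-f`, so an existing but dangling link is not re-created and made to fail). `Requires = [ ... ]` inside `serviceConfig` ends up in the unit's `[Service]` section, where systemd does not accept it, both here and in the `ikiwiki-settings-setup` block above; move it to the unit-level `requires` and add a matching `after`, as `Requires` alone imposes no ordering. Because `SCRIPT_FILENAME` in the nginx.nix hunk is pinned to the main wrapper, the symlink is presumably only there so the `cgiauthurl` path exists on disk; a comment saying so would help the next reader.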
--- a/config/hosts/ikiwiki/nginx.nix
+++ b/config/hosts/ikiwiki/nginx.nix
@@ -26,12 +26,16 @@ in
 tryFiles = "$uri $uri/ =404";
 };
 "~ .cgi" = {
+ basicAuth = {
+ fi = "test";
+ };
 extraConfig = ''
 gzip off;
 fastcgi_pass unix:${config.services.fcgiwrap.instances."ikiwiki".socket.address};
 fastcgi_index ikiwiki.cgi;
 fastcgi_param SCRIPT_FILENAME ${ikiwikiDataPath}/public_html/fi-zone/ikiwiki.cgi;
 fastcgi_param DOCUMENT_ROOT ${ikiwikiDataPath}/public_html/fi-zone;
+ fastcgi_param REMOTE_USER $remote_user if_not_empty;
 include ${pkgs.nginx}/conf/fastcgi_params;
 '';
 };
diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix
index e719484..7f339bf 100644
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ ... }:
 {
 services.matrix-synapse = {
 enable = true;
@@ -55,12 +55,4 @@
 "/secrets/matrix-keycloak-client-secret.secret"
 ];
 };
-
- services.matrix-sliding-sync = {
- enable = true;
- settings = {
- SYNCV3_SERVER = config.services.matrix-synapse.settings.public_baseurl;
- };
- environmentFile = "/secrets/matrix-SYNCV3_SECRET.secret";
- };
 }
diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix
index 68e4771..a95309e 100644
--- a/config/hosts/matrix/secrets.nix
+++ b/config/hosts/matrix/secrets.nix
@@ -33,14 +33,6 @@
 permissions = "0640";
 uploadAt = "pre-activation";
 };
- "matrix-SYNCV3_SECRET.secret" = {
- keyCommand = keyCommandEnv ++ [ "pass" "matrix/SYNCV3_SECRET" ];
- destDir = "/secrets";
- user = "matrix-synapse";
- group = "matrix-synapse";
- permissions = "0640";
- uploadAt = "pre-activation";
- };
 "matrix-keycloak-client-secret.secret" = {
 keyCommand = keyCommandEnv ++ [ "pass" "matrix/keycloak-client-secret" ];
 destDir = "/secrets";
diff --git a/config/hosts/torrent/qbittorrent-nox/services.nix b/config/hosts/torrent/qbittorrent-nox/services.nix
index 4050e15..71d22f8 100644
--- a/config/hosts/torrent/qbittorrent-nox/services.nix
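Review bot: `basicAuth = { fi = "test"; }` stores the password in clear text in the Nix store, which is world-readable on the host, and commits it to this repository; the NixOS `basicAuthFile` option takes an htpasswd file instead, and the repo already has a `/secrets` delivery mechanism (see the secrets.nix hunk on this page), so `basicAuthFile = "/secrets/<htpasswd placeholder>";` with the `basicAuth` attrset dropped would keep the credential out of the store. The new `fastcgi_param REMOTE_USER $remote_user if_not_empty;` is only safe because this same location enforces the authentication: ikiwiki's `httpauth` plugin trusts `REMOTE_USER` outright, so if basic auth is later narrowed to an `/auth/` location the `REMOTE_USER` line has to move with it, which deserves a comment on that line. Minor: `~ .cgi` is an unanchored regex with an unescaped dot, so it also matches paths like `/xcgi`; `~ \.cgi$` or two exact-match locations would be tighter.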
+++ b/config/hosts/torrent/qbittorrent-nox/services.nix
@@ -2,9 +2,9 @@
 # - https://github.com/NixOS/nixpkgs/issues/236736#issuecomment-1704670598
 # - https://nixos.org/manual/nixos/stable/#sect-nixos-systemd-nixos
-{ pkgs, ... }:
+{ nixpkgs-unstable, ... }:
 {
- systemd.packages = [ pkgs.qbittorrent-nox ];
+ systemd.packages = [ nixpkgs-unstable.legacyPackages."x86_64-linux".qbittorrent-nox ];
 systemd.services."qbittorrent-nox@torrent" = {
 overrideStrategy = "asDropin";
diff --git a/flake.lock b/flake.lock
index 8912e2b..8e74f17 100644
--- a/flake.lock
+++ b/flake.lock
@@ -34,11 +34,11 @@
 },
 "nixlib": {
 "locked": {
- "lastModified": 1729386149,
- "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=",
+ "lastModified": 1731805462,
+ "narHash": "sha256-yhEMW4MBi+IAyEJyiKbnFvY1uARyMKJpLUhkczI49wk=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
- "rev": "cce4521b6df014e79a7b7afc58c703ed683c916e",
+ "rev": "b9f04e3cf71c23bea21d2768051e6b3068d44734",
 "type": "github"
 },
 "original": {
@@ -55,11 +55,11 @@
 ]
 },
 "locked": {
- "lastModified": 1729472750,
- "narHash": "sha256-s93LPHi5BN7I2xSGNAFWiYb8WRsPvT1LE9ZjZBrpFlg=",
+ "lastModified": 1732151224,
+ "narHash": "sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "7c60ba4bc8d6aa2ba3e5b0f6ceb9fc07bc261565",
+ "rev": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c",
 "type": "github"
 },
 "original": {
@@ -70,11 +70,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1730963269,
- "narHash": "sha256-rz30HrFYCHiWEBCKHMffHbMdWJ35hEkcRVU0h7ms3x0=",
+ "lastModified": 1731842749,
+ "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "83fb6c028368e465cd19bb127b86f971a5e41ebc",
+ "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682",
 "type": "github"
 },
 "original": {
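Review bot: `legacyPackages."x86_64-linux"` hard-codes the host platform into a module, so it silently breaks on any other system and bypasses the per-host package-set mechanism the flake already has (`hostNixpkgs = nixpkgs-unstable` on the mastodon entry in hosts.nix on this page). Either keep `pkgs` in the argument set and write `systemd.packages = [ nixpkgs-unstable.legacyPackages.${pkgs.stdenv.hostPlatform.system}.qbittorrent-nox ];`, or set `hostNixpkgs` for the torrent host and leave `pkgs.qbittorrent-nox` in place. Whichever is chosen, a short comment above `systemd.packages` stating why the unstable build is wanted here would stop a later reader from reverting it. The drop-in override that follows begins inside this hunk but continues past it.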
@@ -101,11 +101,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1730992357,
- "narHash": "sha256-YsODAqOF2xAHyK4+pKiS9nmGu+vQW+9kc5P7uRCirIM=",
+ "lastModified": 1732154639,
+ "narHash": "sha256-GeEhJmh0/KEQmoe4Lmsv9VC0SrQn4K9V27KbHJ0Zs/g=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "b651050919c85b9131fa0d2640115ffd9266daad",
+ "rev": "516819d9b5b97ee1f461aecb4caed7aa6b769d5d",
 "type": "github"
 },
 "original": {
@@ -117,11 +117,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1730945957,
- "narHash": "sha256-fhkxOv9RGEoPZNyl7VOpHf0Xoqc+bu0J/uW3BSg7tOs=",
+ "lastModified": 1732136765,
+ "narHash": "sha256-622zKMMp0mw2a+fJJoVQdNmxwRGDkWsDTn5OSPK8DLk=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "0093b93ec307d42f51ced7ce90dda6c37516e98a",
+ "rev": "e35b0f3f9787cfe51f406f7dd5a4446a858bfdb2",
 "type": "github"
 },
 "original": {
diff --git a/hosts.nix b/hosts.nix
index 4515394..cd5f347 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -61,10 +61,6 @@ in
 site = "vs";
 environment = "proxmox";
 };
- mail-2 = {
- site = "wg";
- environment = "proxmox";
- };
 mastodon = {
 hostNixpkgs = nixpkgs-unstable;
 site = "vs";
@@ -78,11 +74,6 @@ in
 site = "vs";
 environment = "proxmox";
 };
- navidrome = {
- hostNixpkgs = nixpkgs-unstable;
- site = "wg";
- environment = "proxmox";
- };
 netbox = {
 site = "vs";
 environment = "proxmox";
@@ -95,10 +86,6 @@ in
 site = "vs";
 environment = "proxmox";
 };
- paperless = {
- site = "wg";
- environment = "proxmox";
- };
 coturn = {
 site = "vs";
 environment = "proxmox";
@@ -120,10 +107,6 @@ in
 site = "af";
 environment = "openstack";
 };
- web-public-1 = {
- site = "wg";
- environment = "proxmox";
- };
 web-public-2 = {
 site = "vs";
 environment = "proxmox";