diff --git a/config/hosts/forgejo/forgejo.nix b/config/hosts/forgejo/forgejo.nix
index c60c00f..45961cf 100644
--- a/config/hosts/forgejo/forgejo.nix
+++ b/config/hosts/forgejo/forgejo.nix
@@ -1,9 +1,9 @@
-{ pkgs, ... }:
+{ ... }:
 {
   services.forgejo = {
     enable = true;
-    package = pkgs.forgejo;
     database.type = "postgres";
+    mailerPasswordFile = "/secrets/forgejo-mailer-password.secret";

     settings = {
       DEFAULT = {
@@ -60,6 +60,5 @@
         HOST = "redis+socket:///run/redis-forgejo/redis.sock";
       };
     };
-    secrets.mailer.PASSWD = "/secrets/forgejo-mailer-password.secret";
   };
 }
diff --git a/config/hosts/ikiwiki/ikiwiki.nix b/config/hosts/ikiwiki/ikiwiki.nix
index 73688a8..3a501e6 100644
--- a/config/hosts/ikiwiki/ikiwiki.nix
+++ b/config/hosts/ikiwiki/ikiwiki.nix
@@ -133,4 +133,26 @@ in
       "multi-user.target"
     ];
   };
+
+  systemd.services.ikiwiki-auth-setup = {
+    description = "Setup auth subdirectory for ikiwiki.cgi";
+
+    script = ''
+      mkdir -p ${ikiwikiSettings.destdir}/auth
+      if [ ! -f ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi ]; then
+        ln -s ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi
+      fi
+    '';
+
+    serviceConfig = {
+      Type = "simple";
+      User = config.users.users.ikiwiki.name;
+      Group = config.users.users.ikiwiki.group;
+      Requires = [ "ikiwiki-settings-setup.service" ];
+    };
+
+    wantedBy = [
+      "multi-user.target"
+    ];
+  };
 }
diff --git a/config/hosts/jellyseerr/configuration.nix b/config/hosts/jellyseerr/configuration.nix
index cf03358..05b8f3f 100644
--- a/config/hosts/jellyseerr/configuration.nix
+++ b/config/hosts/jellyseerr/configuration.nix
@@ -10,7 +10,6 @@

     firewall = {
       allowedTCPPorts = [ 80 443 ];
     };
-    nameservers = [ "193.138.218.74" ];
     extraHosts = ''
       10.202.46.101 jellyfin.grzb.de
@@ -19,10 +18,5 @@
     '';
   };

-  services.resolved = {
-    enable = true;
-    fallbackDns = [ ];
-  };
-
   system.stateVersion = "23.11";
 }
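Review bot: The guard in the new ikiwiki-auth-setup `script` passes two paths to `-f`, `[ ! -f ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi ]`, which is not a valid test expression; bash reports "too many arguments" and returns false, so the `ln -s` branch never runs. Test the link path alone, `if [ ! -e ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi ]; then`. `Requires` under `serviceConfig` lands in the [Service] section where systemd ignores it; move it to unit level as `requires = [ "ikiwiki-settings-setup.service" ];` with a matching `after = [ "ikiwiki-settings-setup.service" ];` so the dependency actually orders the two setup units, and `Type = "oneshot"` fits a script that exits immediately better than "simple". The enclosing attribute set, and the bindings of `config` and `ikiwikiSettings`, begin outside the hunk.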
diff --git a/config/hosts/jellyseerr/jellyseerr.nix b/config/hosts/jellyseerr/jellyseerr.nix
index 8e406b0..bd473b0 100644
--- a/config/hosts/jellyseerr/jellyseerr.nix
+++ b/config/hosts/jellyseerr/jellyseerr.nix
@@ -1,15 +1,6 @@
-{ pkgs, ... }:
-let
-  jellyseerrOverlay = final: prev: {
-    jellyseerr = prev.jellyseerr.overrideAttrs (finalAttr: previousAttr: {
-      dontCheckForBrokenSymlinks = true;
-    });
-  };
-  pkgs-overlay = pkgs.extend jellyseerrOverlay;
-in
+{ ... }:
 {
   services.jellyseerr = {
     enable = true;
-    package = pkgs-overlay.jellyseerr;
   };
 }
diff --git a/config/hosts/keycloak/keycloak.nix b/config/hosts/keycloak/keycloak.nix
index 2ae957b..79e9a96 100644
--- a/config/hosts/keycloak/keycloak.nix
+++ b/config/hosts/keycloak/keycloak.nix
@@ -3,10 +3,10 @@
   services.keycloak = {
     enable = true;
     settings = {
-      hostname = "https://id.nekover.se";
-      hostname-admin = "https://keycloak-admin.nekover.se";
-      proxy-headers = "xforwarded";
-      http-enabled = true;
+      hostname = "id.nekover.se";
+      hostname-admin = "keycloak-admin.nekover.se";
+      hostname-strict-backchannel = true;
+      proxy = "edge";
       http-host = "127.0.0.1";
       http-port = 8080;
     };
diff --git a/config/hosts/keycloak/nginx.nix b/config/hosts/keycloak/nginx.nix
index c82597d..0c83ea0 100644
--- a/config/hosts/keycloak/nginx.nix
+++ b/config/hosts/keycloak/nginx.nix
@@ -41,13 +41,6 @@
           proxy_buffer_size 128k;
           proxy_buffers 8 128k;

-          proxy_set_header Host $host;
-          proxy_set_header X-Forwarded-Host $host;
-          proxy_set_header X-Real-IP $remote_addr;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header X-Forwarded-Port 443;
-          # This is https in any case.
-          proxy_set_header X-Forwarded-Proto https;
           # Hide the X-Forwarded header.
           proxy_hide_header X-Forwarded;
           # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
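Review bot: With `proxy = "edge"` in keycloak.nix, Keycloak takes the client address and scheme from `X-Forwarded-For` and `X-Forwarded-Proto`, but both keycloak/nginx.nix hunks (this one at -41 and the one at -103) delete the `proxy_set_header` lines that set them, and nginx forwards a client-supplied `X-Forwarded-For` unchanged unless something else overwrites it. Unless `recommendedProxySettings` is enabled elsewhere in that file (not visible in the hunk), a client can choose the IP Keycloak records in its event log and brute-force detection and can present an http scheme to a TLS-only deployment. Keep at least `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto https;` in both location blocks, or document the guarantee next to `proxy_hide_header` with `# X-Forwarded-* are set by recommendedProxySettings; never trust client-supplied values`. The location blocks these hunks edit begin outside the hunks.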
@@ -103,13 +96,6 @@
           proxy_buffer_size 128k;
           proxy_buffers 8 128k;

-          proxy_set_header Host $host;
-          proxy_set_header X-Forwarded-Host $host;
-          proxy_set_header X-Real-IP $remote_addr;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header X-Forwarded-Port 443;
-          # This is https in any case.
-          proxy_set_header X-Forwarded-Proto https;
           # Hide the X-Forwarded header.
           proxy_hide_header X-Forwarded;
           # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix
index c94de3b..2418afc 100644
--- a/config/hosts/mail-1/configuration.nix
+++ b/config/hosts/mail-1/configuration.nix
@@ -15,20 +15,28 @@
       ];
       routes = [
         {
-          Gateway = "10.202.41.1";
-          Destination = "10.201.0.0/16";
+          routeConfig = {
+            Gateway = "10.202.41.1";
+            Destination = "10.201.0.0/16";
+          };
         }
         {
-          Gateway = "10.202.41.1";
-          Destination = "10.202.0.0/16";
+          routeConfig = {
+            Gateway = "10.202.41.1";
+            Destination = "10.202.0.0/16";
+          };
         }
         {
-          Gateway = "10.202.41.1";
-          Destination = "172.21.87.0/24";
+          routeConfig = {
+            Gateway = "10.202.41.1";
+            Destination = "172.21.87.0/24";
+          };
         }
         {
-          Gateway = "10.202.41.1";
-          Destination = "212.53.203.19/32";
+          routeConfig = {
+            Gateway = "10.202.41.1";
+            Destination = "212.53.203.19/32";
+          };
         }
       ];
       linkConfig.RequiredForOnline = "routable";
@@ -54,11 +62,13 @@
         PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
       };
       wireguardPeers = [{
-        PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
-        PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
-        Endpoint = "212.53.203.19:51822";
-        AllowedIPs = [ "0.0.0.0/0" ];
-        PersistentKeepalive = 25;
+        wireguardPeerConfig = {
+          PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
+          PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
+          Endpoint = "212.53.203.19:51822";
+          AllowedIPs = [ "0.0.0.0/0" ];
+          PersistentKeepalive = 25;
+        };
       }];
     };
   };
diff --git a/config/hosts/mail-2/configuration.nix b/config/hosts/mail-2/configuration.nix
index f1fa002..b4a7192 100644
--- a/config/hosts/mail-2/configuration.nix
+++ b/config/hosts/mail-2/configuration.nix
@@ -15,20 +15,28 @@
       ];
       routes = [
         {
-          Gateway = "10.201.41.1";
-          Destination = "10.201.0.0/16";
+          routeConfig = {
+            Gateway = "10.201.41.1";
+            Destination = "10.201.0.0/16";
+          };
         }
         {
-          Gateway = "10.201.41.1";
-          Destination = "10.202.0.0/16";
+          routeConfig = {
+            Gateway = "10.201.41.1";
+            Destination = "10.202.0.0/16";
+          };
         }
         {
-          Gateway = "10.201.41.1";
-          Destination = "172.21.87.0/24";
+          routeConfig = {
+            Gateway = "10.201.41.1";
+            Destination = "172.21.87.0/24";
+          };
         }
         {
-          Gateway = "10.201.41.1";
-          Destination = "217.160.117.160/32";
+          routeConfig = {
+            Gateway = "10.201.41.1";
+            Destination = "217.160.117.160/32";
+          };
         }
       ];
       linkConfig.RequiredForOnline = "routable";
@@ -54,11 +62,13 @@
         PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret";
       };
       wireguardPeers = [{
-        PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4=";
-        PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret";
-        Endpoint = "217.160.117.160:51820";
-        AllowedIPs = [ "0.0.0.0/0" ];
-        PersistentKeepalive = 25;
+        wireguardPeerConfig = {
+          PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4=";
+          PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret";
+          Endpoint = "217.160.117.160:51820";
+          AllowedIPs = [ "0.0.0.0/0" ];
+          PersistentKeepalive = 25;
+        };
       }];
     };
   };
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix
index bae9b17..ed168ff 100644
--- a/config/hosts/mastodon/mastodon.nix
+++ b/config/hosts/mastodon/mastodon.nix
@@ -2,42 +2,31 @@ let tangerineUI = pkgs.fetchgit { url = "https://github.com/nileane/TangerineUI-for-Mastodon.git"; - rev = "v2.4.3"; - hash = "sha256-OThT3fp676RMfYY3ehzM4DnAlJOqdPoYIHpoBbN/RHQ="; - }; - mastodonModern = pkgs.fetchgit { - url = "https://git.gay/freeplay/Mastodon-Modern.git"; - rev = "9f8db85eda2a65aa020ab6b81d100a121d39d4c4"; - hash = "sha256-W6zwjAjBGARiRPM0hWCnq63nIT2Or0SOQq82bpNtqAk="; + rev = "v2.2"; + hash = "sha256-KyXDnpZh1DrY59jvdU42UicgBVvEGtvAGeU1mNxJauQ="; }; mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; - hash = "sha256-NtdJWMi8/siduX2iFD+GAsK9J+Y6T/tZ/fXqb/QH284="; + hash = "sha256-3jWbKll5RGB1vfEmONVivzGYcoONEkBEHh/rOt9LXlU="; }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.4.1"; + version = "4.3.1"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-hu6AmR0CvI3lVixJ2UmWY3KAlWbqYULCQAjRGJcuIhc="; + sha256 = "sha256-JlpQGyVPTLcB3RcWMBrmYc1AAUT1JLfS4IDas9ZoWh4="; }; - # mastodon ships with broken symlinks, disable the check for that for now - dontCheckForBrokenSymlinks = true; installPhase = '' cp -r ./ $out/ cp -r ${tangerineUI}/mastodon/app/javascript/styles/* $out/app/javascript/styles/ - echo "@import 'mastodon/variables'; - @import 'application';" >> $out/app/javascript/styles/modern-dark.scss - cat ${mastodonModern}/modern.css >> $out/app/javascript/styles/modern-dark.scss echo "tangerineui: styles/tangerineui.scss tangerineui-purple: styles/tangerineui-purple.scss tangerineui-cherry: styles/tangerineui-cherry.scss - tangerineui-lagoon: styles/tangerineui-lagoon.scss - modern-dark: styles/modern-dark.scss" >> $out/config/themes.yml + tangerineui-lagoon: styles/tangerineui-lagoon.scss" >> $out/config/themes.yml ''; }; patches = [ 
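Review bot: `mastodonNekoversePatches` is still fetched with `hash` only and no `rev`, so the fetch follows the upstream default branch and the build breaks the moment that branch moves past the tree the new hash describes. Pin the revision next to the hash, `rev = "<commit-matching-the-hash>";` (placeholder), as `tangerineUI` and the Mastodon `src` already do with `rev = "v2.2"` and `rev = "v${version}"`. The `let` block this hunk edits begins outside the hunk.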
@@ -49,8 +38,7 @@ let
           "${mastodonNekoversePatches}/patches/006_increase_toot_character_limit.patch"
         ];
       };
-      yarnHash = prev.mastodon.src.yarnHash;
-      yarnMissingHashes = prev.mastodon.src.yarnMissingHashes;
+      yarnHash = "sha256-e5c04M6XplAgaVyldU5HmYMYtY3MAWs+a8Z/BGSyGBg=";
     });
   };
   pkgs-overlay = pkgs.extend mastodonNekoverseOverlay;
@@ -62,6 +50,7 @@ in
     package = pkgs-overlay.mastodon;
     localDomain = "social.nekover.se";
     secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret";
+    otpSecretFile = "/secrets/mastodon-otp-secret.secret";
     vapidPublicKeyFile = "${vapidPublicKey}";
     vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret";
     smtp = {
@@ -90,8 +79,6 @@ in
       OIDC_REDIRECT_URI = "https://social.nekover.se/auth/auth/openid_connect/callback";
       OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
       OIDC_END_SESSION_ENDPOINT = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/logout";
-      FETCH_REPLIES_ENABLED = "true";
-      AUTHORIZED_FETCH = "true";
     };
     extraEnvFiles = [
       "/secrets/mastodon-keycloak-client-secret.secret"
diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix
index 986a64b..1389353 100644
--- a/config/hosts/mastodon/secrets.nix
+++ b/config/hosts/mastodon/secrets.nix
@@ -9,6 +9,14 @@
       permissions = "0640";
       uploadAt = "pre-activation";
     };
+    "mastodon-otp-secret.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "mastodon/otp-secret" ];
+      destDir = "/secrets";
+      user = "mastodon";
+      group = "mastodon";
+      permissions = "0640";
+      uploadAt = "pre-activation";
+    };
     "mastodon-vapid-private-key.secret" = {
       keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ];
       destDir = "/secrets";
diff --git a/config/hosts/matrix/default.nix b/config/hosts/matrix/default.nix
index c6cd79a..27528b7 100644
--- a/config/hosts/matrix/default.nix
+++ b/config/hosts/matrix/default.nix
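Review bot: Dropping `AUTHORIZED_FETCH = "true"` from the environment in the -90 hunk turns off Mastodon's secure mode, so unsigned federation requests for public objects are served again; nothing in the hunk ties that to the version pin, and the setting has been available since Mastodon 3.0, so the 4.3.1 build this commit selects still honours it. If the intent is only to roll the package back, keep `AUTHORIZED_FETCH = "true";` and remove just `FETCH_REPLIES_ENABLED`, or record the reason in a comment on the line. The extraConfig set this hunk edits begins outside the hunk.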
@@ -2,10 +2,8 @@
 {
   imports = [
     ./configuration.nix
-    ./element-call.nix
     ./hardware-configuration.nix
     ./postgresql.nix
-    ./matrix-authentication-service.nix
     ./matrix-synapse.nix
     ./nginx.nix
   ];
diff --git a/config/hosts/matrix/element-call.nix b/config/hosts/matrix/element-call.nix
deleted file mode 100644
index 1c8b442..0000000
--- a/config/hosts/matrix/element-call.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ ... }:
-{
-  services.livekit = {
-    enable = true;
-    settings.rtc.use_external_ip = true;
-    openFirewall = true;
-    keyFile = "/secrets/matrix-livekit-secret-key.secret";
-  };
-  services.lk-jwt-service = {
-    enable = true;
-    port = 8082;
-    livekitUrl = "wss://matrix-rtc.nekover.se/livekit/sfu";
-    keyFile = "/secrets/matrix-livekit-secret-key.secret";
-  };
-}
diff --git a/config/hosts/matrix/matrix-authentication-service.nix b/config/hosts/matrix/matrix-authentication-service.nix
deleted file mode 100644
index 53674ad..0000000
--- a/config/hosts/matrix/matrix-authentication-service.nix
+++ /dev/null
@@ -1,95 +0,0 @@ -{ pkgs, ... }: -let - masSettings = { - http = { - listeners = [ - { - name = "web"; - resources = [ - { name = "discovery"; } - { name = "human"; } - { name = "oauth"; } - { name = "compat"; } - { name = "graphql"; } - { - name = "assets"; - path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/"; - } - ]; - binds = [{ - host = "localhost"; - port = 8080; - }]; - proxy_protocol = false; - } - { - name = "internal"; - resources = [{ - name = "health"; - }]; - binds = [{ - host = "localhost"; - port = 8081; - }]; - proxy_protocol = false; - } - ]; - trusted_proxies = [ - "192.168.0.0/16" - "172.16.0.0/12" - "10.0.0.0/10" - "127.0.0.1/8" - "fd00::/8" - "::1/128" - ]; - public_base = "https://mas.nekover.se"; - }; - database = { - uri = "postgresql://mas_user:mas@localhost/mas"; - max_connections = 10; - min_connections = 0; - connect_timeout = 30; - idle_timeout = 600; - max_lifetime = 1800; - }; - passwords = { - enabled = true; - schemes = [ - { - version = 1; - algorithm = "bcrypt"; - } - { - version = 2; - algorithm = "argon2id"; - } - ]; - minimum_complexity = 8; - }; - }; - masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings); -in -{ - environment.systemPackages = with pkgs; [ - matrix-authentication-service - ]; - - systemd.services.matrix-authentication-service = { - description = "Matrix Authentication Service"; - after = [ "network-online.target" "postgresql.service" ]; - requires = [ "postgresql.service" ]; - wants = [ "network-online.target" ]; - - serviceConfig = { - Type = "simple"; - ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/secrets/matrix-mas-secret-config.secret"; - WorkingDirectory = "${pkgs.matrix-authentication-service}"; - User = "matrix-synapse"; - Group = "matrix-synapse"; - }; - - wantedBy = [ - "multi-user.target" - ]; - }; -} 
diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix
index 82b82e1..7f339bf 100644
--- a/config/hosts/matrix/matrix-synapse.nix
+++ b/config/hosts/matrix/matrix-synapse.nix
@@ -46,35 +46,13 @@
       ];
       turn_user_lifetime = 86400000;
       turn_allow_guests = true;
-      experimental_features = {
-        # MSC3266: Room summary API. Used for knocking over federation
-        msc3266_enabled = true;
-        # MSC4222 needed for syncv2 state_after. This allow clients to
-        # correctly track the state of the room.
-        msc4222_enabled = true;
-      };
-      # The maximum allowed duration by which sent events can be delayed, as
-      # per MSC4140.
-      max_event_delay_duration = "24h";
-      rc_message = {
-        # This needs to match at least e2ee key sharing frequency plus a bit of headroom
-        # Note key sharing events are bursty
-        per_second = 0.5;
-        burst_count = 30;
-      };
-      rc_delayed_event_mgmt = {
-        # This needs to match at least the heart-beat frequency plus a bit of headroom
-        # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s
-        per_second = 1;
-        burst_count = 20;
-      };
     };
     extras = [ "oidc" ];
     extraConfigFiles = [
       "/secrets/matrix-registration-shared-secret.secret"
       "/secrets/matrix-turn-shared-secret.secret"
       "/secrets/matrix-email-smtp-pass.secret"
-      "/secrets/matrix-homeserver-mas-config.secret"
+      "/secrets/matrix-keycloak-client-secret.secret"
     ];
   };
 }
diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix
index ce3ab3d..1b28649 100644
--- a/config/hosts/matrix/nginx.nix
+++ b/config/hosts/matrix/nginx.nix
@@ -2,88 +2,40 @@ { services.nginx = { enable = true; - virtualHosts = { - "matrix.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 8448; - ssl = true; - } - ]; - locations = { - "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { - proxyPass = "http://localhost:8009"; - priority = 998; - }; - "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = { - proxyPass = "http://localhost:8080"; - priority = 999; - }; - "~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://localhost:8008"; - extraConfig = '' - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; - ''; - }; + virtualHosts."matrix.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 8448; + ssl = true; + } + ]; + locations = { + "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { + proxyPass = "http://127.0.0.1:8009"; + priority = 999; + }; + "~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://127.0.0.1:8008"; + extraConfig = '' + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; + ''; }; - extraConfig = '' - listen 0.0.0.0:8443 http2 ssl proxy_protocol; - - set_real_ip_from 10.202.41.100; - real_ip_header proxy_protocol; - ''; }; - "mas.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - ]; - locations."/" = { - proxyPass = "http://localhost:8080"; - }; - extraConfig = '' - listen 0.0.0.0:8443 http2 ssl proxy_protocol; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl 
proxy_protocol; - set_real_ip_from 10.202.41.100; - real_ip_header proxy_protocol; - ''; - }; - "matrix-rtc.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - ]; - locations."^~ /livekit/jwt/" = { - proxyPass = "http://localhost:8082/"; - }; - locations."^~ /livekit/sfu/" = { - proxyPass = "http://localhost:7880/"; - proxyWebsockets = true; - }; - extraConfig = '' - listen 0.0.0.0:8443 http2 ssl proxy_protocol; - - set_real_ip_from 10.202.41.100; - real_ip_header proxy_protocol; - ''; - }; + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; }; }; } diff --git a/config/hosts/matrix/postgresql.nix b/config/hosts/matrix/postgresql.nix index 06d10e2..03b753a 100644 --- a/config/hosts/matrix/postgresql.nix +++ b/config/hosts/matrix/postgresql.nix @@ -8,11 +8,6 @@ TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"; - CREATE ROLE "mas_user" WITH LOGIN PASSWORD 'mas'; - CREATE DATABASE "mas" WITH OWNER "mas_user" - TEMPLATE template0 - LC_COLLATE = "C" - LC_CTYPE = "C"; ''; }; } diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix index 5121ded..a95309e 100644 --- a/config/hosts/matrix/secrets.nix +++ b/config/hosts/matrix/secrets.nix 
@@ -33,29 +33,13 @@
       permissions = "0640";
       uploadAt = "pre-activation";
     };
-    "matrix-homeserver-mas-config.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-mas-config" ];
+    "matrix-keycloak-client-secret.secret" = {
+      keyCommand = keyCommandEnv ++ [ "pass" "matrix/keycloak-client-secret" ];
       destDir = "/secrets";
       user = "matrix-synapse";
       group = "matrix-synapse";
       permissions = "0640";
       uploadAt = "pre-activation";
     };
-    "matrix-mas-secret-config.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "matrix/mas-secret-config" ];
-      destDir = "/secrets";
-      user = "matrix-synapse";
-      group = "matrix-synapse";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
-    "matrix-livekit-secret-key.secret" = {
-      keyCommand = keyCommandEnv ++ [ "pass" "matrix/livekit-secret-key" ];
-      destDir = "/secrets";
-      user = "root";
-      group = "root";
-      permissions = "0640";
-      uploadAt = "pre-activation";
-    };
   };
 }
diff --git a/config/hosts/metrics/nginx.nix b/config/hosts/metrics/nginx.nix
index aefb0b5..9e31454 100644
--- a/config/hosts/metrics/nginx.nix
+++ b/config/hosts/metrics/nginx.nix
@@ -22,25 +22,6 @@
           proxyWebsockets = true;
         };
       };
-      "alertmanager.grzb.de"= {
-        forceSSL = true;
-        enableACME = true;
-        listen = [
-          {
-            addr = "0.0.0.0";
-            port = 80;
-          }
-          {
-            addr = "0.0.0.0";
-            port = 443;
-            ssl = true;
-          }
-        ];
-        locations."/" = {
-          proxyPass = "http://${config.services.prometheus.alertmanager.listenAddress}:${builtins.toString config.services.prometheus.alertmanager.port}";
-          proxyWebsockets = true;
-        };
-      };
     };
   };
 }
diff --git a/config/hosts/metrics/prometheus.nix b/config/hosts/metrics/prometheus.nix
index 236fb58..c4b45b1 100644
--- a/config/hosts/metrics/prometheus.nix
+++ b/config/hosts/metrics/prometheus.nix
@@ -2,7 +2,6 @@
 {
   services.prometheus = {
     enable = true;
-    retentionTime = "90d";
     scrapeConfigs = [
       {
         job_name = "node";
diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix
index 4adb1cf..0b1f3a2 100644
--- a/config/hosts/nextcloud/nextcloud.nix
+++ b/config/hosts/nextcloud/nextcloud.nix
@@ -2,7 +2,7 @@
 {
   services.nextcloud = {
     enable = true;
-    package = pkgs.nextcloud31;
+    package = pkgs.nextcloud29;
     hostName = "cloud.nekover.se";
     https = true;
     config = {
diff --git a/config/hosts/torrent/configuration.nix b/config/hosts/torrent/configuration.nix
index 83dbdab..610fde4 100644
--- a/config/hosts/torrent/configuration.nix
+++ b/config/hosts/torrent/configuration.nix
@@ -25,5 +25,5 @@
     };
   };

-  system.stateVersion = "24.11";
+  system.stateVersion = "23.11";
 }
diff --git a/config/hosts/torrent/jackett.nix b/config/hosts/torrent/jackett.nix
index 675576f..6aa6e5e 100644
--- a/config/hosts/torrent/jackett.nix
+++ b/config/hosts/torrent/jackett.nix
@@ -1,8 +1,8 @@
-{ nixpkgs-master, ... }:
+{ nixpkgs-unstable, ... }:
 {
   services.jackett = {
     enable = true;
-    # use package from master to work around faulty test in older jackett version
-    package = nixpkgs-master.legacyPackages."x86_64-linux".jackett;
+    # use package from unstable to work around faulty test in older jackett version
+    package = nixpkgs-unstable.legacyPackages."x86_64-linux".jackett;
   };
 }
diff --git a/config/hosts/torrent/sonarr.nix b/config/hosts/torrent/sonarr.nix
index 19c66ca..fb0186a 100644
--- a/config/hosts/torrent/sonarr.nix
+++ b/config/hosts/torrent/sonarr.nix
@@ -1,17 +1,5 @@
 { ... }:
 {
-  # The sonarr package is dependend on .NET 6 which is marked as insecure.
-  # It doesn't seem to build with the later .NET versions.
-  # In the meantime allow the installation of these insecure packages since sonarr is only reachable locally.
-  nixpkgs.config = {
-    permittedInsecurePackages = [
-      "aspnetcore-runtime-wrapped-6.0.36"
-      "aspnetcore-runtime-6.0.36"
-      "dotnet-sdk-wrapped-6.0.428"
-      "dotnet-sdk-6.0.428"
-    ];
-  };
-
   services.sonarr = {
     enable = true;
     user = "torrent";
diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix
index aca6e04..f4e2db5 100644
--- a/config/hosts/valkyrie/configuration.nix
+++ b/config/hosts/valkyrie/configuration.nix
@@ -96,5 +96,5 @@

   services.prometheus.exporters.node.enable = false;

-  system.stateVersion = "24.11";
+  system.stateVersion = "23.05";
 }
diff --git a/config/hosts/valkyrie/containers/uptime-kuma/default.nix b/config/hosts/valkyrie/containers/uptime-kuma/default.nix
index 7f55ea4..ca36384 100644
--- a/config/hosts/valkyrie/containers/uptime-kuma/default.nix
+++ b/config/hosts/valkyrie/containers/uptime-kuma/default.nix
@@ -1,6 +1,7 @@
-{ ... }:
+{ nixpkgs-unstable, ... }:
 {
   containers.uptime-kuma = {
+    nixpkgs = nixpkgs-unstable;
     autoStart = true;
     config = { ... }: {
       networking.useHostResolvConf = true;
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix
index 73699fb..1f14695 100644
--- a/config/hosts/web-public-2/nginx.nix
+++ b/config/hosts/web-public-2/nginx.nix
@@ -17,6 +17,7 @@
     stream {
       map $ssl_preread_server_name $address {
         anisync.grzb.de 127.0.0.1:8443;
+        birdsite.nekover.se 10.202.41.107:8443;
         cloud.nekover.se 10.202.41.122:8443;
         element.nekover.se 127.0.0.1:8443;
         fi.nekover.se 10.202.41.125:8443;
@@ -25,9 +26,7 @@
         git.nekover.se 10.202.41.106:8443;
         hydra.nekover.se 10.202.41.121:8443;
         id.nekover.se 10.202.41.124:8443;
-        mas.nekover.se 10.202.41.112:8443;
         matrix.nekover.se 10.202.41.112:8443;
-        matrix-rtc.nekover.se 10.202.41.112:8443;
         mewtube.nekover.se 127.0.0.1:8443;
         nekover.se 127.0.0.1:8443;
         nix-cache.nekover.se 10.202.41.121:8443;
diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
index 38d2804..59b9d3a 100644
--- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
+++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix
@@ -1,12 +1,9 @@
 { ... }:
 let
   acmeDomainMap = {
-    "alertmanager.grzb.de" = "metrics.vs.grzb.de";
     "jellyfin.grzb.de" = "jellyfin.vs.grzb.de";
     "mail-1.grzb.de" = "mail-1.vs.grzb.de";
-    "mas.nekover.se" = "matrix.vs.grzb.de";
     "matrix.nekover.se" = "matrix.vs.grzb.de";
-    "matrix-rtc.nekover.se" = "matrix.vs.grzb.de";
     "netbox.grzb.de" = "netbox.vs.grzb.de";
     "git.nekover.se" = "forgejo.vs.grzb.de";
     "grafana.grzb.de" = "metrics.vs.grzb.de";
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
index 0cdedaf..c2d71d6 100644
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@@ -1,9 +1,9 @@
 { pkgs, ... }:
 let
-  elementWebVersion = "1.11.106";
+  elementWebVersion = "1.11.77";
   element-web = pkgs.fetchzip {
     url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
-    sha256 = "sha256-5E6za7G7Olia5VzOnBjYMeGJ2Xifqx+vDmCFgNLaRZo=";
+    sha256 = "sha256-O5Dt54fBoKalaeevBn7px/06Kiuhf6mvogLk4Bvvnrg=";
   };
   elementWebSecurityHeaders = ''
     # Configuration best practices
diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
index 40ee30d..08a61ea 100644
--- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix
@@ -16,7 +16,7 @@
     '';
   };
   locations."/.well-known/matrix/client" = {
-    return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"},\"org.matrix.msc2965.authentication\": {\"issuer\": \"https://mas.nekover.se\", \"account\": \"https://mas.nekover.se/account\"}, \"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix-rtc.nekover.se/livekit/jwt\"}, {\"type\": \"nextgen_new_foci_type\", \"props_for_nextgen_foci\": \"val\"}]}'";
+    return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://id.nekover.se/realms/nekoverse\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'";
     extraConfig = ''
       default_type application/json;
       add_header Access-Control-Allow-Origin *;
diff --git a/config/nixos-generators/default.nix b/config/nixos-generators/default.nix
index c7a930e..2cda85e 100644
--- a/config/nixos-generators/default.nix
+++ b/config/nixos-generators/default.nix
@@ -10,5 +10,5 @@
     firewall.enable = true;
   };

-  system.stateVersion = "24.11";
+  system.stateVersion = "23.05";
 }
diff --git a/config/users/fi/default.nix b/config/users/fi/default.nix
index 6aed7cf..2039f05 100644
--- a/config/users/fi/default.nix
+++ b/config/users/fi/default.nix
@@ -7,7 +7,6 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE95OjEez/yE+GIaeIoz3OwkXboLboPY4ss9nkt4FLyW fi@kiara"
     ];
   };
 }
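Review bot: The new `.well-known/matrix/client` body still advertises `org.matrix.msc2965.authentication`, now with the Keycloak realm as issuer, but MSC2965 tells clients that the homeserver itself delegates login to that OAuth issuer (next-generation auth), whereas the matrix-synapse.nix hunk only configures Synapse as an OIDC relying party (`extras = [ "oidc" ]` plus the client-secret config file). Unless Synapse is also configured for MSC3861 delegation to that issuer, which nothing in the diff shows, clients that honour the key will try OAuth login against Keycloak and obtain tokens Synapse does not accept, while clients that ignore it keep working through the SSO flow. Remove the `\"org.matrix.msc2965.authentication\": {...}` member from the JSON, or keep it only if the delegated-auth configuration exists elsewhere, and note the dependency in a comment on the `return` line. The location block this hunk edits begins outside the hunk.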
diff --git a/flake.lock b/flake.lock index ea029c5..8e74f17 100644 --- a/flake.lock +++ b/flake.lock @@ -19,11 +19,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", "owner": "edolstra", "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", "type": "github" }, "original": { @@ -32,61 +32,13 @@ "type": "github" } }, - "git-hooks": { - "inputs": { - "flake-compat": [ - "simple-nixos-mailserver", - "flake-compat" - ], - "gitignore": "gitignore", - "nixpkgs": [ - "simple-nixos-mailserver", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1742649964, - "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=", - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, - "gitignore": { - "inputs": { - "nixpkgs": [ - "simple-nixos-mailserver", - "git-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, "nixlib": { "locked": { - "lastModified": 1736643958, - "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", + "lastModified": 1731805462, + "narHash": "sha256-yhEMW4MBi+IAyEJyiKbnFvY1uARyMKJpLUhkczI49wk=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", + "rev": "b9f04e3cf71c23bea21d2768051e6b3068d44734", "type": "github" }, "original": { 
@@ -103,11 +55,11 @@ ] }, "locked": { - "lastModified": 1751903740, - "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", + "lastModified": 1732151224, + "narHash": "sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "032decf9db65efed428afd2fa39d80f7089085eb", + "rev": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c", "type": "github" }, "original": { @@ -118,43 +70,42 @@ }, "nixpkgs": { "locked": { - "lastModified": 1753328706, - "narHash": "sha256-Ho3kXSPtqLGRlvW3SeOc0QyB7fGyHXB2EuieEpe+U4I=", + "lastModified": 1731842749, + "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "25ff20a127c4136c63c44d718db4d82695cb999a", + "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-25.05-small", + "ref": "nixos-24.05-small", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-25_05": { + "nixpkgs-24_05": { "locked": { - "lastModified": 1747610100, - "narHash": "sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh+R0EKZfroAc=", + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ca49c4304acf0973078db0a9d200fd2bae75676d", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" + "id": "nixpkgs", + "ref": "nixos-24.05", + "type": "indirect" } }, "nixpkgs-master": { "locked": { - "lastModified": 1753374531, - "narHash": "sha256-JA3/3NyPVTgRBjjgbHLC+7NMfQS8yiwtZ8bsChitegU=", + "lastModified": 1732154639, + "narHash": "sha256-GeEhJmh0/KEQmoe4Lmsv9VC0SrQn4K9V27KbHJ0Zs/g=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3f3185053e60aba5d036f8d37a5e56861d357e20", + "rev": "516819d9b5b97ee1f461aecb4caed7aa6b769d5d", "type": "github" }, "original": { 
@@ -166,11 +117,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1753290466,
- "narHash": "sha256-Df8wnrToZpzjqFJWhvaUUvwypj1bKM3JY6zSskwETmc=",
+ "lastModified": 1732136765,
+ "narHash": "sha256-622zKMMp0mw2a+fJJoVQdNmxwRGDkWsDTn5OSPK8DLk=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "1744f3daf87f5bb4b2b08f6298a55b6a88ea8308",
+ "rev": "e35b0f3f9787cfe51f406f7dd5a4446a858bfdb2",
 "type": "github"
 },
 "original": {
@@ -182,18 +133,17 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1747179050,
- "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
+ "lastModified": 1717602782,
+ "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
+ "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6",
 "type": "github"
 },
 "original": {
- "owner": "NixOS",
+ "id": "nixpkgs",
 "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
+ "type": "indirect"
 }
 },
 "root": {
@@ -209,24 +159,57 @@
 "inputs": {
 "blobs": "blobs",
 "flake-compat": "flake-compat",
- "git-hooks": "git-hooks",
 "nixpkgs": "nixpkgs_2",
- "nixpkgs-25_05": "nixpkgs-25_05"
+ "nixpkgs-24_05": "nixpkgs-24_05",
+ "utils": "utils"
 },
 "locked": {
- "lastModified": 1747965231,
- "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
+ "lastModified": 1718084203,
+ "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=",
 "owner": "simple-nixos-mailserver",
 "repo": "nixos-mailserver",
- "rev": "53007af63fade28853408370c4c600a63dd97f41",
+ "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b",
 "type": "gitlab"
 },
 "original": {
 "owner": "simple-nixos-mailserver",
- "ref": "nixos-25.05",
+ "ref": "nixos-24.05",
 "repo": "nixos-mailserver",
 "type": "gitlab"
 }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
+ "utils": {
+ "inputs": {
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1709126324,
+ "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "d465f4819400de7c8d874d50b982301f28a84605",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index a2a822f..5cf2232 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,13 +1,13 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05-small"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-master.url = "github:NixOS/nixpkgs/master"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; - simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; }; outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, ... }@inputs:
@@ -31,7 +31,7 @@ inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; # Provide environment for secret key command - keyCommandEnv = [ "env" "GNUPGHOME=/home/fi/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/fi/pass/infra" ]; + keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; }; }; } // builtins.mapAttrs (helper.generateColmenaHost) hosts;
diff --git a/hosts.nix b/hosts.nix
index 1c5e6db..cd5f347 100644
--- a/hosts.nix
+++ b/hosts.nix
@@ -39,7 +39,6 @@ in
 environment = "proxmox";
 };
 jellyfin = {
- hostNixpkgs = nixpkgs-unstable;
 site = "vs";
 environment = "proxmox";
 };
@@ -68,7 +67,6 @@ in
 environment = "proxmox";
 };
 matrix = {
- hostNixpkgs = nixpkgs-unstable;
 site = "vs";
 environment = "proxmox";
 };
@@ -84,6 +82,10 @@ in
 site = "vs";
 environment = "proxmox";
 };
+ nitter = {
+ site = "vs";
+ environment = "proxmox";
+ };
 coturn = {
 site = "vs";
 environment = "proxmox";
@@ -94,7 +96,6 @@ in
 environment = "proxmox";
 };
 torrent = {
- hostNixpkgs = nixpkgs-unstable;
 site = "vs";
 environment = "proxmox";
 };
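Review bot: Moving `nixpkgs.url` and `simple-nixos-mailserver.url` from the 25.05 branches back to 24.05 puts every host in this flake on a release whose new lock entries in this same commit are dated November 2024 (`lastModified` 1731842749) while the entries they replace are dated July 2025, and 24.05 left its support window at the end of 2024, so once this lands the hosts stop receiving security updates from the channel. The hunk gives no reason for the downgrade; a comment beside the input, e.g. `# temporarily on 24.05 because <reason placeholder>; 24.05 is unsupported, return to 25.05 once <blocker placeholder> is resolved`, would record the trade-off and the follow-up. The `inputs` and `outputs` attribute sets continue outside the hunk.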
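Review bot: `keyCommandEnv` now spells the deploy user's home directory out twice (`/home/yuri/.passinfra_gnupg` and `/home/yuri/pass/infra`), and this very hunk is the kind of rename where both literals have to be changed in step; binding the prefix once keeps them from drifting: `keyCommandEnv = let home = "/home/yuri"; in [ "env" "GNUPGHOME=${home}/.passinfra_gnupg" "PASSWORD_STORE_DIR=${home}/pass/infra" ];`. Because these paths locate the secret-key material used at deploy time, the existing comment could also say which machine they refer to, e.g. `# Paths on the machine running the deployment, not on the target hosts` — assuming that is where the key command is executed, which the hunk does not show. The enclosing attribute set starts and ends outside the hunk.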
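Review bot: Dropping `hostNixpkgs = nixpkgs-unstable;` from `jellyfin` (and likewise from `matrix` and `torrent` in the two later hunks) presumably makes these hosts fall back to the flake's default nixpkgs input, which the flake.nix hunks in this commit move to `nixos-24.05-small`, so the network-facing jellyfin and matrix services would be built from older package versions than they were previously deployed with. Neither the attribute set nor the commit explains why the unstable override is no longer needed; a comment on each of these hosts, e.g. `# tracked nixpkgs-unstable for <reason placeholder>; dropped because <reason placeholder>`, would make the choice reviewable later. The `let … in` attribute set these entries belong to starts outside the hunk.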