From b54be988ccc09e62843fd09c6f3a5aacf504b0ad Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 12 Nov 2024 21:32:47 +0100 Subject: [PATCH 01/60] Setup ikiwiki host --- config/hosts/ikiwiki/configuration.nix | 27 +++ config/hosts/ikiwiki/default.nix | 8 + config/hosts/ikiwiki/ikiwiki.nix | 158 ++++++++++++++++++ config/hosts/ikiwiki/nginx.nix | 47 ++++++ config/hosts/ikiwiki/secrets.nix | 11 ++ config/hosts/web-public-2/nginx.nix | 1 + .../virtualHosts/acme-challenge.nix | 1 + hosts.nix | 4 + 8 files changed, 257 insertions(+) create mode 100644 config/hosts/ikiwiki/configuration.nix create mode 100644 config/hosts/ikiwiki/default.nix create mode 100644 config/hosts/ikiwiki/ikiwiki.nix create mode 100644 config/hosts/ikiwiki/nginx.nix create mode 100644 config/hosts/ikiwiki/secrets.nix diff --git a/config/hosts/ikiwiki/configuration.nix b/config/hosts/ikiwiki/configuration.nix new file mode 100644 index 0000000..632c401 --- /dev/null +++ b/config/hosts/ikiwiki/configuration.nix @@ -0,0 +1,27 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "ikiwiki"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 8443 ]; + }; + }; + + fileSystems = { + # partition data disk with `sudo mkfs.ext4 /dev/vdx` + # label data disk with `e2label /dev/vdx "data"` + "/mnt/data" = { + device = "/dev/disk/by-label/data"; + fsType = "ext4"; + autoResize = true; + }; + }; + + system.stateVersion = "24.05"; +} diff --git a/config/hosts/ikiwiki/default.nix b/config/hosts/ikiwiki/default.nix new file mode 100644 index 0000000..bc9766c --- /dev/null +++ b/config/hosts/ikiwiki/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./ikiwiki.nix + ./nginx.nix + ]; +} diff --git a/config/hosts/ikiwiki/ikiwiki.nix b/config/hosts/ikiwiki/ikiwiki.nix new file mode 100644 index 0000000..3a501e6 --- /dev/null +++ b/config/hosts/ikiwiki/ikiwiki.nix 
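Review bot: `allowedTCPPorts = [ 80 8443 ]` in config/hosts/ikiwiki/configuration.nix opens 8443 to every source, while the nginx listener this commit adds on that port expects PROXY protocol and trusts only `10.202.41.100` (presumably the front proxy) for the client address. Other hosts that can route to this VM can therefore reach the TLS listener directly instead of through the proxy. Consider dropping 8443 from `allowedTCPPorts` and admitting it only from the proxy, for example `networking.firewall.extraCommands = "iptables -A nixos-fw -p tcp -s 10.202.41.100 --dport 8443 -j nixos-fw-accept";` if the iptables backend is in use. The same hunk recurs unchanged in PATCH 02/60.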
@@ -0,0 +1,158 @@ +{ pkgs, config, ... }: +let + ikiwikiBootstrapTheme = pkgs.fetchgit { + url = "https://github.com/dequis/ikiwiki-bootstrap-theme.git"; + rev = "afaedf8460d03664be6f590cf632b8be05de77dc"; + hash = "sha256-iX/onqrsvzJdDrJ7WoQMnlAQtOA+rmi+esv25/IOsq8="; + }; # TODO: fork and set link color to #6d2bff or something + ikiwikiDataPath = "/mnt/data/ikiwiki"; + ikiwikiSettingsHeader = pkgs.writeText "ikiwiki-settings-header" '' + # IkiWiki::Setup::Yaml - YAML formatted setup file + ''; + ikiwikiSettings = { + wikiname = "fi-zone"; + adminemail = "fiona@grzb.de"; + adminuser = [ + "fi" + ]; + banned_users = []; + srcdir = "${ikiwikiDataPath}/fi-zone"; + destdir = "${ikiwikiDataPath}/public_html/fi-zone"; + url = "https://fi.nekover.se/"; + cgiurl = "https://fi.nekover.se/ikiwiki.cgi"; + reverse_proxy = 0; + cgi_wrapper = "${ikiwikiDataPath}/public_html/fi-zone/ikiwiki.cgi"; + cgiauthurl = "https://fi.nekover.se/auth/ikiwiki.cgi"; + cgi_wrappermode = "06755"; + cgi_overload_delay = ""; + cgi_overload_message = ""; + only_committed_changes = 0; + rcs = ""; + add_plugins = [ + "goodstuff" + "websetup" + "httpauth" + ]; + disable_plugins = []; + templatedir = "${ikiwikiBootstrapTheme}"; + underlaydir = "${pkgs.ikiwiki-full}/share/ikiwiki/basewiki"; + usedirs = 1; + prefix_directives = 1; + indexpages = 0; + discussion = 0; + html5 = 1; + sslcookie = 1; + default_pageext = "mdwn"; + htmlext = "html"; + timeformat = "%c"; + userdir = ""; + numbacklinks = 10; + hardlink = 0; + libdirs = []; + libdir = "${ikiwikiDataPath}/.ikiwiki"; + ENV = {}; + timezone = ":/etc/localtime"; + wiki_file_chars = "-[:alnum:]+/.:_"; + allow_symlinks_before_srcdir = 0; + cookiejar = { + file = "${ikiwikiDataPath}/.ikiwiki/cookies"; + }; + useragent = "ikiwiki/${pkgs.ikiwiki-full.version}"; + responsive_layout = 1; + deterministic = 0; + rss = 1; + atom = 1; + blogspam_pagespec = "postcomment(*)"; + locked_pages = "* and !postcomment(*)"; + comments_pagespec = "posts/* and 
!*/Discussion"; + archive_pagespec = "page(posts/*) and !*/Discussion"; + global_sidebars = 0; + tagbase = "tags"; + }; + ikiwikiSettingsFile = pkgs.concatText "fi-zone.setup" [ + ikiwikiSettingsHeader + ((pkgs.formats.yaml { }).generate "fi-zone-settings" ikiwikiSettings) + ]; +in +{ + environment.systemPackages = with pkgs; [ + ikiwiki-full + ]; + + users = { + users.ikiwiki = { + isSystemUser = true; + group = "ikiwiki"; + }; + groups.ikiwiki = {}; + }; + + services.fcgiwrap.instances."ikiwiki" = { + socket = { + user = config.services.nginx.user; + group = config.services.nginx.group; + }; + process = { + user = config.services.nginx.user; + group = config.services.nginx.group; + }; + }; + + systemd.services.ikiwiki-directory-setup = { + description = "Setup ikiwiki directory structure."; + + script = '' + mkdir -p ${ikiwikiDataPath} + mkdir -p ${ikiwikiDataPath}/fi-zone/.ikiwiki + touch ${ikiwikiDataPath}/fi-zone/.ikiwiki/lockfile + chown -R ${config.users.users.ikiwiki.name}:${config.users.users.ikiwiki.group} ${ikiwikiDataPath} + ''; + + serviceConfig = { + Type = "simple"; + User = "root"; + }; + + wantedBy = [ + "multi-user.target" + ]; + }; + + systemd.services.ikiwiki-settings-setup = { + description = "Setup ikiwiki with configuration managed by NixOS."; + + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.ikiwiki-full}/bin/ikiwiki --setup ${ikiwikiSettingsFile}"; + User = config.users.users.ikiwiki.name; + Group = config.users.users.ikiwiki.group; + Requires = [ "ikiwiki-directory-setup.service" ]; + }; + + wantedBy = [ + "multi-user.target" + ]; + }; + + systemd.services.ikiwiki-auth-setup = { + description = "Setup auth subdirectory for ikiwiki.cgi"; + + script = '' + mkdir -p ${ikiwikiSettings.destdir}/auth + if [ ! 
-f ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi ]; then + ln -s ${ikiwikiSettings.cgi_wrapper} ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi + fi + ''; + + serviceConfig = { + Type = "simple"; + User = config.users.users.ikiwiki.name; + Group = config.users.users.ikiwiki.group; + Requires = [ "ikiwiki-settings-setup.service" ]; + }; + + wantedBy = [ + "multi-user.target" + ]; + }; +} diff --git a/config/hosts/ikiwiki/nginx.nix b/config/hosts/ikiwiki/nginx.nix new file mode 100644 index 0000000..4bbcf0a --- /dev/null +++ b/config/hosts/ikiwiki/nginx.nix @@ -0,0 +1,47 @@ +{ pkgs, config, ... }: +let + ikiwikiDataPath = "/mnt/data/ikiwiki"; +in +{ + services.nginx = { + enable = true; + virtualHosts."fi.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + extraParameters = [ "proxy_protocol" ]; + } + ]; + root = "${ikiwikiDataPath}/public_html/fi-zone"; + locations = { + "/" = { + tryFiles = "$uri $uri/ =404"; + }; + "~ .cgi" = { + basicAuthFile = "/secrets/ikiwiki-auth-file.secret"; + extraConfig = '' + gzip off; + fastcgi_pass unix:${config.services.fcgiwrap.instances."ikiwiki".socket.address}; + fastcgi_index ikiwiki.cgi; + fastcgi_param SCRIPT_FILENAME ${ikiwikiDataPath}/public_html/fi-zone/ikiwiki.cgi; + fastcgi_param DOCUMENT_ROOT ${ikiwikiDataPath}/public_html/fi-zone; + fastcgi_param REMOTE_USER $remote_user if_not_empty; + include ${pkgs.nginx}/conf/fastcgi_params; + ''; + }; + }; + extraConfig = '' + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; + }; +} diff --git a/config/hosts/ikiwiki/secrets.nix b/config/hosts/ikiwiki/secrets.nix new file mode 100644 index 0000000..d366c75 --- /dev/null +++ b/config/hosts/ikiwiki/secrets.nix 
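Review bot: `Requires = [ ... ]` is placed inside `serviceConfig` in `ikiwiki-settings-setup` and `ikiwiki-auth-setup`, which renders it into the `[Service]` section where systemd does not treat it as a dependency, so nothing orders these units after the root-run `ikiwiki-directory-setup` that creates and chowns the data path. Move it to the unit level as `requires = [ "ikiwiki-directory-setup.service" ];` together with `after = [ "ikiwiki-directory-setup.service" ];`, and consider `Type = "oneshot"` on the setup units so that `after` waits for the script to finish. Separately, the test `[ ! -f … … ]` in `ikiwiki-auth-setup` hands two operands to `-f`, which is a test error, so the `ln -s` branch looks unreachable; `[ ! -L ${ikiwikiSettings.destdir}/auth/ikiwiki.cgi ]` would express the intent. The same `Requires` placement recurs in the ikiwiki.nix hunk of PATCH 02/60.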
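Review bot: The location key `"~ .cgi"` in config/hosts/ikiwiki/nginx.nix is an unanchored regex with an unescaped dot, so it matches any URI that contains some character followed by `cgi` anywhere in the path, not only `ikiwiki.cgi`. Every such request is put behind `basicAuthFile` and passed to the wrapper through the fixed `SCRIPT_FILENAME`, which auth-gates ordinary wiki pages whose path happens to contain those letters and widens what reaches the CGI that ikiwiki.nix installs with `cgi_wrappermode = "06755"`. Writing the key as `"~ \\.cgi$"` limits it to paths that end in `.cgi`. The same hunk recurs unchanged in PATCH 02/60.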
@@ -0,0 +1,11 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys."ikiwiki-auth-file.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "ikiwiki/auth-file" ]; + destDir = "/secrets"; + user = "nginx"; + group = "nginx"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 8debb31..1f14695 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -20,6 +20,7 @@ birdsite.nekover.se 10.202.41.107:8443; cloud.nekover.se 10.202.41.122:8443; element.nekover.se 127.0.0.1:8443; + fi.nekover.se 10.202.41.125:8443; gameserver.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443; git.nekover.se 10.202.41.106:8443; diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 558aa95..59b9d3a 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -7,6 +7,7 @@ let "netbox.grzb.de" = "netbox.vs.grzb.de"; "git.nekover.se" = "forgejo.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de"; + "fi.nekover.se" = "ikiwiki.vs.grzb.de"; "jackett.grzb.de" = "torrent.vs.grzb.de"; "jellyseerr.grzb.de" = "jellyseerr.vs.grzb.de"; "keycloak-admin.nekover.se" = "keycloak.vs.grzb.de"; diff --git a/hosts.nix b/hosts.nix index 17e93a6..cd5f347 100644 --- a/hosts.nix +++ b/hosts.nix @@ -30,6 +30,10 @@ in site = "vs"; environment = "proxmox"; }; + ikiwiki = { + site = "vs"; + environment = "proxmox"; + }; iperf = { site = "vs"; environment = "proxmox"; From 3b8eb289a687685984e1d19236a686b17ae5a5bd Mon Sep 17 00:00:00 2001 
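Review bot: The key in config/hosts/ikiwiki/secrets.nix combines `uploadAt = "pre-activation"` with `user = "nginx"` and `group = "nginx"`, and on a freshly provisioned host that account is only created by the activation that follows. If the deployment tool applies ownership at upload time, the first deploy may fail or leave `/secrets/ikiwiki-auth-file.secret` with the wrong owner, so nginx cannot read the file named by `basicAuthFile`; this is worth confirming on a fresh VM. If it does fail, `uploadAt = "post-activation";` or a second key upload after the first activation avoids it. The same hunk recurs in PATCH 02/60.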
From: fi Date: Tue, 12 Nov 2024 21:32:47 +0100 Subject: [PATCH 02/60] Setup ikiwiki host --- config/hosts/ikiwiki/configuration.nix | 27 ++++ config/hosts/ikiwiki/default.nix | 8 ++ config/hosts/ikiwiki/ikiwiki.nix | 136 ++++++++++++++++++ config/hosts/ikiwiki/nginx.nix | 47 ++++++ config/hosts/ikiwiki/secrets.nix | 11 ++ config/hosts/web-public-2/nginx.nix | 1 + .../virtualHosts/acme-challenge.nix | 1 + hosts.nix | 4 + 8 files changed, 235 insertions(+) create mode 100644 config/hosts/ikiwiki/configuration.nix create mode 100644 config/hosts/ikiwiki/default.nix create mode 100644 config/hosts/ikiwiki/ikiwiki.nix create mode 100644 config/hosts/ikiwiki/nginx.nix create mode 100644 config/hosts/ikiwiki/secrets.nix diff --git a/config/hosts/ikiwiki/configuration.nix b/config/hosts/ikiwiki/configuration.nix new file mode 100644 index 0000000..632c401 --- /dev/null +++ b/config/hosts/ikiwiki/configuration.nix @@ -0,0 +1,27 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "ikiwiki"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 8443 ]; + }; + }; + + fileSystems = { + # partition data disk with `sudo mkfs.ext4 /dev/vdx` + # label data disk with `e2label /dev/vdx "data"` + "/mnt/data" = { + device = "/dev/disk/by-label/data"; + fsType = "ext4"; + autoResize = true; + }; + }; + + system.stateVersion = "24.05"; +} diff --git a/config/hosts/ikiwiki/default.nix b/config/hosts/ikiwiki/default.nix new file mode 100644 index 0000000..bc9766c --- /dev/null +++ b/config/hosts/ikiwiki/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./ikiwiki.nix + ./nginx.nix + ]; +} diff --git a/config/hosts/ikiwiki/ikiwiki.nix b/config/hosts/ikiwiki/ikiwiki.nix new file mode 100644 index 0000000..73688a8 --- /dev/null +++ b/config/hosts/ikiwiki/ikiwiki.nix 
@@ -0,0 +1,136 @@ +{ pkgs, config, ... }: +let + ikiwikiBootstrapTheme = pkgs.fetchgit { + url = "https://github.com/dequis/ikiwiki-bootstrap-theme.git"; + rev = "afaedf8460d03664be6f590cf632b8be05de77dc"; + hash = "sha256-iX/onqrsvzJdDrJ7WoQMnlAQtOA+rmi+esv25/IOsq8="; + }; # TODO: fork and set link color to #6d2bff or something + ikiwikiDataPath = "/mnt/data/ikiwiki"; + ikiwikiSettingsHeader = pkgs.writeText "ikiwiki-settings-header" '' + # IkiWiki::Setup::Yaml - YAML formatted setup file + ''; + ikiwikiSettings = { + wikiname = "fi-zone"; + adminemail = "fiona@grzb.de"; + adminuser = [ + "fi" + ]; + banned_users = []; + srcdir = "${ikiwikiDataPath}/fi-zone"; + destdir = "${ikiwikiDataPath}/public_html/fi-zone"; + url = "https://fi.nekover.se/"; + cgiurl = "https://fi.nekover.se/ikiwiki.cgi"; + reverse_proxy = 0; + cgi_wrapper = "${ikiwikiDataPath}/public_html/fi-zone/ikiwiki.cgi"; + cgiauthurl = "https://fi.nekover.se/auth/ikiwiki.cgi"; + cgi_wrappermode = "06755"; + cgi_overload_delay = ""; + cgi_overload_message = ""; + only_committed_changes = 0; + rcs = ""; + add_plugins = [ + "goodstuff" + "websetup" + "httpauth" + ]; + disable_plugins = []; + templatedir = "${ikiwikiBootstrapTheme}"; + underlaydir = "${pkgs.ikiwiki-full}/share/ikiwiki/basewiki"; + usedirs = 1; + prefix_directives = 1; + indexpages = 0; + discussion = 0; + html5 = 1; + sslcookie = 1; + default_pageext = "mdwn"; + htmlext = "html"; + timeformat = "%c"; + userdir = ""; + numbacklinks = 10; + hardlink = 0; + libdirs = []; + libdir = "${ikiwikiDataPath}/.ikiwiki"; + ENV = {}; + timezone = ":/etc/localtime"; + wiki_file_chars = "-[:alnum:]+/.:_"; + allow_symlinks_before_srcdir = 0; + cookiejar = { + file = "${ikiwikiDataPath}/.ikiwiki/cookies"; + }; + useragent = "ikiwiki/${pkgs.ikiwiki-full.version}"; + responsive_layout = 1; + deterministic = 0; + rss = 1; + atom = 1; + blogspam_pagespec = "postcomment(*)"; + locked_pages = "* and !postcomment(*)"; + comments_pagespec = "posts/* and 
!*/Discussion"; + archive_pagespec = "page(posts/*) and !*/Discussion"; + global_sidebars = 0; + tagbase = "tags"; + }; + ikiwikiSettingsFile = pkgs.concatText "fi-zone.setup" [ + ikiwikiSettingsHeader + ((pkgs.formats.yaml { }).generate "fi-zone-settings" ikiwikiSettings) + ]; +in +{ + environment.systemPackages = with pkgs; [ + ikiwiki-full + ]; + + users = { + users.ikiwiki = { + isSystemUser = true; + group = "ikiwiki"; + }; + groups.ikiwiki = {}; + }; + + services.fcgiwrap.instances."ikiwiki" = { + socket = { + user = config.services.nginx.user; + group = config.services.nginx.group; + }; + process = { + user = config.services.nginx.user; + group = config.services.nginx.group; + }; + }; + + systemd.services.ikiwiki-directory-setup = { + description = "Setup ikiwiki directory structure."; + + script = '' + mkdir -p ${ikiwikiDataPath} + mkdir -p ${ikiwikiDataPath}/fi-zone/.ikiwiki + touch ${ikiwikiDataPath}/fi-zone/.ikiwiki/lockfile + chown -R ${config.users.users.ikiwiki.name}:${config.users.users.ikiwiki.group} ${ikiwikiDataPath} + ''; + + serviceConfig = { + Type = "simple"; + User = "root"; + }; + + wantedBy = [ + "multi-user.target" + ]; + }; + + systemd.services.ikiwiki-settings-setup = { + description = "Setup ikiwiki with configuration managed by NixOS."; + + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.ikiwiki-full}/bin/ikiwiki --setup ${ikiwikiSettingsFile}"; + User = config.users.users.ikiwiki.name; + Group = config.users.users.ikiwiki.group; + Requires = [ "ikiwiki-directory-setup.service" ]; + }; + + wantedBy = [ + "multi-user.target" + ]; + }; +} diff --git a/config/hosts/ikiwiki/nginx.nix b/config/hosts/ikiwiki/nginx.nix new file mode 100644 index 0000000..4bbcf0a --- /dev/null +++ b/config/hosts/ikiwiki/nginx.nix 
@@ -0,0 +1,47 @@ +{ pkgs, config, ... }: +let + ikiwikiDataPath = "/mnt/data/ikiwiki"; +in +{ + services.nginx = { + enable = true; + virtualHosts."fi.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + extraParameters = [ "proxy_protocol" ]; + } + ]; + root = "${ikiwikiDataPath}/public_html/fi-zone"; + locations = { + "/" = { + tryFiles = "$uri $uri/ =404"; + }; + "~ .cgi" = { + basicAuthFile = "/secrets/ikiwiki-auth-file.secret"; + extraConfig = '' + gzip off; + fastcgi_pass unix:${config.services.fcgiwrap.instances."ikiwiki".socket.address}; + fastcgi_index ikiwiki.cgi; + fastcgi_param SCRIPT_FILENAME ${ikiwikiDataPath}/public_html/fi-zone/ikiwiki.cgi; + fastcgi_param DOCUMENT_ROOT ${ikiwikiDataPath}/public_html/fi-zone; + fastcgi_param REMOTE_USER $remote_user if_not_empty; + include ${pkgs.nginx}/conf/fastcgi_params; + ''; + }; + }; + extraConfig = '' + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; + }; +} diff --git a/config/hosts/ikiwiki/secrets.nix b/config/hosts/ikiwiki/secrets.nix new file mode 100644 index 0000000..d366c75 --- /dev/null +++ b/config/hosts/ikiwiki/secrets.nix @@ -0,0 +1,11 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys."ikiwiki-auth-file.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "ikiwiki/auth-file" ]; + destDir = "/secrets"; + user = "nginx"; + group = "nginx"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 8debb31..1f14695 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -20,6 +20,7 @@ birdsite.nekover.se 10.202.41.107:8443; cloud.nekover.se 10.202.41.122:8443; element.nekover.se 127.0.0.1:8443; + fi.nekover.se 10.202.41.125:8443; gameserver.grzb.de 127.0.0.1:8443; git.grzb.de 127.0.0.1:8443; git.nekover.se 10.202.41.106:8443; 
diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 558aa95..59b9d3a 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -7,6 +7,7 @@ let "netbox.grzb.de" = "netbox.vs.grzb.de"; "git.nekover.se" = "forgejo.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de"; + "fi.nekover.se" = "ikiwiki.vs.grzb.de"; "jackett.grzb.de" = "torrent.vs.grzb.de"; "jellyseerr.grzb.de" = "jellyseerr.vs.grzb.de"; "keycloak-admin.nekover.se" = "keycloak.vs.grzb.de"; diff --git a/hosts.nix b/hosts.nix index 17e93a6..cd5f347 100644 --- a/hosts.nix +++ b/hosts.nix @@ -30,6 +30,10 @@ in site = "vs"; environment = "proxmox"; }; + ikiwiki = { + site = "vs"; + environment = "proxmox"; + }; iperf = { site = "vs"; environment = "proxmox"; From c121374856ff474357d929118fe57eff882453f3 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 24 Nov 2024 21:42:26 +0100 Subject: [PATCH 03/60] Use sonarr package from unstable --- config/hosts/torrent/sonarr.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config/hosts/torrent/sonarr.nix b/config/hosts/torrent/sonarr.nix index fb0186a..83318db 100644 --- a/config/hosts/torrent/sonarr.nix +++ b/config/hosts/torrent/sonarr.nix @@ -1,7 +1,8 @@ -{ ... }: +{ nixpkgs-unstable, ... }: { services.sonarr = { enable = true; + package = nixpkgs-unstable.legacyPackages."x86_64-linux".sonarr; user = "torrent"; group = "torrent"; }; From 8bd9ccc4a3d2b0a8c687c2b1dba9d1d1c40921f2 Mon Sep 17 00:00:00 2001 
From: fi Date: Sun, 24 Nov 2024 21:43:47 +0100 Subject: [PATCH 04/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/bf6132dc791dbdff8b6894c3a85eb27ad8255682?narHash=sha256-aNc8irVBH7sM5cGDvqdOueg8S%2BfGakf0rEMRGfGwWZw%3D' (2024-11-17) → 'github:NixOS/nixpkgs/df94f897ffe1af1bcd60cb68697c5d8e6431346e?narHash=sha256-aspop5sCDNpDMS23BplGFtQDadwkSb/sOxpuC3lafvo%3D' (2024-11-22) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/516819d9b5b97ee1f461aecb4caed7aa6b769d5d?narHash=sha256-GeEhJmh0/KEQmoe4Lmsv9VC0SrQn4K9V27KbHJ0Zs/g%3D' (2024-11-21) → 'github:NixOS/nixpkgs/4a58b6f6b83d29354def3125c45530d7e1bda0fd?narHash=sha256-1wRCB9ZbD%2B9fQ/JL2nllb4vH6J3ojSHew6FazRPjqqc%3D' (2024-11-24) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/e35b0f3f9787cfe51f406f7dd5a4446a858bfdb2?narHash=sha256-622zKMMp0mw2a%2BfJJoVQdNmxwRGDkWsDTn5OSPK8DLk%3D' (2024-11-20) → 'github:NixOS/nixpkgs/2570b87e71ea16daadf0a93f1eae2d3ad4478a94?narHash=sha256-yXqgr%2BGiC/RBr8n/6Bn9eRagitXbKXNcoSaZUCovuwI%3D' (2024-11-24) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 8e74f17..8a0ffe5 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1731842749, - "narHash": "sha256-aNc8irVBH7sM5cGDvqdOueg8S+fGakf0rEMRGfGwWZw=", + "lastModified": 1732244845, + "narHash": "sha256-aspop5sCDNpDMS23BplGFtQDadwkSb/sOxpuC3lafvo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bf6132dc791dbdff8b6894c3a85eb27ad8255682", + "rev": "df94f897ffe1af1bcd60cb68697c5d8e6431346e", "type": "github" }, "original": { 
@@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1732154639, - "narHash": "sha256-GeEhJmh0/KEQmoe4Lmsv9VC0SrQn4K9V27KbHJ0Zs/g=", + "lastModified": 1732479666, + "narHash": "sha256-1wRCB9ZbD+9fQ/JL2nllb4vH6J3ojSHew6FazRPjqqc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "516819d9b5b97ee1f461aecb4caed7aa6b769d5d", + "rev": "4a58b6f6b83d29354def3125c45530d7e1bda0fd", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1732136765, - "narHash": "sha256-622zKMMp0mw2a+fJJoVQdNmxwRGDkWsDTn5OSPK8DLk=", + "lastModified": 1732446744, + "narHash": "sha256-yXqgr+GiC/RBr8n/6Bn9eRagitXbKXNcoSaZUCovuwI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e35b0f3f9787cfe51f406f7dd5a4446a858bfdb2", + "rev": "2570b87e71ea16daadf0a93f1eae2d3ad4478a94", "type": "github" }, "original": { From 34725c3aebc4da3820d070e9c096cfad75bcca7f Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 24 Nov 2024 21:44:26 +0100 Subject: [PATCH 05/60] Remove nitter from hosts as it is broken anyway --- hosts.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/hosts.nix b/hosts.nix index cd5f347..5111f63 100644 --- a/hosts.nix +++ b/hosts.nix @@ -82,10 +82,6 @@ in site = "vs"; environment = "proxmox"; }; - nitter = { - site = "vs"; - environment = "proxmox"; - }; coturn = { site = "vs"; environment = "proxmox"; From 73fbb131594e7bdbb1e07803729a4a35bf78e863 Mon Sep 17 00:00:00 2001 
From: fi Date: Sat, 30 Nov 2024 20:43:41 +0100 Subject: [PATCH 06/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c?narHash=sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos%3D' (2024-11-21) → 'github:nix-community/nixos-generators/098e8b6ff72c86944a8d54b64ddd7b7e6635830a?narHash=sha256-/MNhZLR0eh9z/d3l%2Bammq%2BF5XxHln0RHgO4Bhtjr0IM%3D' (2024-11-25) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/b9f04e3cf71c23bea21d2768051e6b3068d44734?narHash=sha256-yhEMW4MBi%2BIAyEJyiKbnFvY1uARyMKJpLUhkczI49wk%3D' (2024-11-17) → 'github:nix-community/nixpkgs.lib/87b6978992e2eb605732fba842cad0a7e14b2047?narHash=sha256-/hxIKRTBsdrnudJWDGaBN8wIjHovqVAVxXdi8ByVtck%3D' (2024-11-24) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/df94f897ffe1af1bcd60cb68697c5d8e6431346e?narHash=sha256-aspop5sCDNpDMS23BplGFtQDadwkSb/sOxpuC3lafvo%3D' (2024-11-22) → 'github:NixOS/nixpkgs/a8efa95d1333890ed4ae98f5d111bb06a6d65f75?narHash=sha256-gdO2r0%2BfFU%2B/1lMvMXrtzbpQQVn72KLu5L9trMze/OY%3D' (2024-11-30) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/4a58b6f6b83d29354def3125c45530d7e1bda0fd?narHash=sha256-1wRCB9ZbD%2B9fQ/JL2nllb4vH6J3ojSHew6FazRPjqqc%3D' (2024-11-24) → 'github:NixOS/nixpkgs/5054b0739dea9b00d382b4ba38314df10bb398d4?narHash=sha256-AXsoqwHW7O8RXDednxutMFLgQhYgjrBWU1rRM/Y3Ywc%3D' (2024-11-30) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/2570b87e71ea16daadf0a93f1eae2d3ad4478a94?narHash=sha256-yXqgr%2BGiC/RBr8n/6Bn9eRagitXbKXNcoSaZUCovuwI%3D' (2024-11-24) → 'github:NixOS/nixpkgs/57feb2a16f705eeffb075888d92a986e66473012?narHash=sha256-ndq0dD5E6FkqwmNYFS1wUAHa/5HixS3jLjulogM%2B7/E%3D' (2024-11-30) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) 
diff --git a/flake.lock b/flake.lock index 8a0ffe5..9288d61 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1731805462, - "narHash": "sha256-yhEMW4MBi+IAyEJyiKbnFvY1uARyMKJpLUhkczI49wk=", + "lastModified": 1732410305, + "narHash": "sha256-/hxIKRTBsdrnudJWDGaBN8wIjHovqVAVxXdi8ByVtck=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "b9f04e3cf71c23bea21d2768051e6b3068d44734", + "rev": "87b6978992e2eb605732fba842cad0a7e14b2047", "type": "github" }, "original": { @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1732151224, - "narHash": "sha256-5IgpueM8SGLOadzUJK6Gk37zEBXGd56BkNOtoWmnZos=", + "lastModified": 1732496924, + "narHash": "sha256-/MNhZLR0eh9z/d3l+ammq+F5XxHln0RHgO4Bhtjr0IM=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "3280fdde8c8f0276c9f5286ad5c0f433dfa5d56c", + "rev": "098e8b6ff72c86944a8d54b64ddd7b7e6635830a", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1732244845, - "narHash": "sha256-aspop5sCDNpDMS23BplGFtQDadwkSb/sOxpuC3lafvo=", + "lastModified": 1732965619, + "narHash": "sha256-gdO2r0+fFU+/1lMvMXrtzbpQQVn72KLu5L9trMze/OY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "df94f897ffe1af1bcd60cb68697c5d8e6431346e", + "rev": "a8efa95d1333890ed4ae98f5d111bb06a6d65f75", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1732479666, - "narHash": "sha256-1wRCB9ZbD+9fQ/JL2nllb4vH6J3ojSHew6FazRPjqqc=", + "lastModified": 1732995703, + "narHash": "sha256-AXsoqwHW7O8RXDednxutMFLgQhYgjrBWU1rRM/Y3Ywc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4a58b6f6b83d29354def3125c45530d7e1bda0fd", + "rev": "5054b0739dea9b00d382b4ba38314df10bb398d4", "type": "github" }, "original": { 
@@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1732446744, - "narHash": "sha256-yXqgr+GiC/RBr8n/6Bn9eRagitXbKXNcoSaZUCovuwI=", + "lastModified": 1732951447, + "narHash": "sha256-ndq0dD5E6FkqwmNYFS1wUAHa/5HixS3jLjulogM+7/E=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2570b87e71ea16daadf0a93f1eae2d3ad4478a94", + "rev": "57feb2a16f705eeffb075888d92a986e66473012", "type": "github" }, "original": { From c750f33102f1621e4cb0e6592b20e37007232dfc Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 30 Nov 2024 21:14:49 +0100 Subject: [PATCH 07/60] Set nixpkgs to 24.11 --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 5cf2232..bd9834f 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,6 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05-small"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-master.url = "github:NixOS/nixpkgs/master"; nixos-generators = { From c973f90cb74d0fae559cf3ee09c19d207286afa2 Mon Sep 17 00:00:00 2001 
From: fi Date: Sat, 30 Nov 2024 21:15:53 +0100 Subject: [PATCH 08/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/a8efa95d1333890ed4ae98f5d111bb06a6d65f75?narHash=sha256-gdO2r0%2BfFU%2B/1lMvMXrtzbpQQVn72KLu5L9trMze/OY%3D' (2024-11-30) → 'github:NixOS/nixpkgs/809802e9ab4b56e7a3db576832e95e3f7b74781a?narHash=sha256-RvyWCxT6O9ugSqSXHAMaFTIZtKS7SBHdUHKLoPW1/xg%3D' (2024-11-30) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/5054b0739dea9b00d382b4ba38314df10bb398d4?narHash=sha256-AXsoqwHW7O8RXDednxutMFLgQhYgjrBWU1rRM/Y3Ywc%3D' (2024-11-30) → 'github:NixOS/nixpkgs/33b9d57c656e65a9c88c5f34e4eb00b83e2b0ca9?narHash=sha256-9Vvu3a1ep1LB6F/kVE2hHH2HQzhSFtUyJYiJRkUkC4Q%3D' (2024-11-30) --- flake.lock | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index 9288d61..7f16841 100644 --- a/flake.lock +++ b/flake.lock @@ -70,16 +70,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1732965619, - "narHash": "sha256-gdO2r0+fFU+/1lMvMXrtzbpQQVn72KLu5L9trMze/OY=", + "lastModified": 1732954812, + "narHash": "sha256-RvyWCxT6O9ugSqSXHAMaFTIZtKS7SBHdUHKLoPW1/xg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a8efa95d1333890ed4ae98f5d111bb06a6d65f75", + "rev": "809802e9ab4b56e7a3db576832e95e3f7b74781a", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.05-small", + "ref": "nixos-24.11-small", "repo": "nixpkgs", "type": "github" } @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1732995703, - "narHash": "sha256-AXsoqwHW7O8RXDednxutMFLgQhYgjrBWU1rRM/Y3Ywc=", + "lastModified": 1732997066, + "narHash": "sha256-9Vvu3a1ep1LB6F/kVE2hHH2HQzhSFtUyJYiJRkUkC4Q=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5054b0739dea9b00d382b4ba38314df10bb398d4", + "rev": "33b9d57c656e65a9c88c5f34e4eb00b83e2b0ca9", "type": "github" }, "original": { 
From 74c12e9658bd456aa0a411653e07c01ee8ffc798 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 1 Dec 2024 00:35:31 +0100 Subject: [PATCH 09/60] Update module options to be compatible with nixpkgs 24.11 --- config/hosts/forgejo/forgejo.nix | 2 +- config/hosts/keycloak/keycloak.nix | 8 +++--- config/hosts/mail-1/configuration.nix | 36 ++++++++++---------------- config/hosts/mail-2/configuration.nix | 36 ++++++++++---------------- config/hosts/nextcloud/nextcloud.nix | 2 +- config/hosts/torrent/configuration.nix | 2 +- config/hosts/torrent/sonarr.nix | 15 +++++++++-- hosts.nix | 1 + 8 files changed, 47 insertions(+), 55 deletions(-) diff --git a/config/hosts/forgejo/forgejo.nix b/config/hosts/forgejo/forgejo.nix index 45961cf..0f07af2 100644 --- a/config/hosts/forgejo/forgejo.nix +++ b/config/hosts/forgejo/forgejo.nix @@ -3,7 +3,6 @@ services.forgejo = { enable = true; database.type = "postgres"; - mailerPasswordFile = "/secrets/forgejo-mailer-password.secret"; settings = { DEFAULT = { @@ -60,5 +59,6 @@ HOST = "redis+socket:///run/redis-forgejo/redis.sock"; }; }; + secrets.mailer.PASSWD = "/secrets/forgejo-mailer-password.secret"; }; } diff --git a/config/hosts/keycloak/keycloak.nix b/config/hosts/keycloak/keycloak.nix index 79e9a96..e8e38c3 100644 --- a/config/hosts/keycloak/keycloak.nix +++ b/config/hosts/keycloak/keycloak.nix @@ -3,10 +3,10 @@ services.keycloak = { enable = true; settings = { - hostname = "id.nekover.se"; - hostname-admin = "keycloak-admin.nekover.se"; - hostname-strict-backchannel = true; - proxy = "edge"; + hostname = "https://id.nekover.se"; + hostname-admin = "https://keycloak-admin.nekover.se"; + proxy-headers = "forwarded"; + http-enabled = true; http-host = "127.0.0.1"; http-port = 8080; }; diff --git a/config/hosts/mail-1/configuration.nix b/config/hosts/mail-1/configuration.nix index 2418afc..c94de3b 100644 --- a/config/hosts/mail-1/configuration.nix +++ b/config/hosts/mail-1/configuration.nix 
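Review bot: `proxy-headers = "forwarded"` in config/hosts/keycloak/keycloak.nix makes Keycloak take the client address and scheme from the RFC 7239 `Forwarded` header, so the reverse proxy in front has to set or overwrite that header itself; that proxy's config is not part of this hunk. If the proxy only sends `X-Forwarded-*` headers, a client-supplied `Forwarded` header would pass through and be trusted, which affects logged addresses and anything keyed on the client IP. In that case `proxy-headers = "xforwarded";` is the matching value. The `services.keycloak` block continues outside the hunk.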
@@ -15,28 +15,20 @@ ]; routes = [ { - routeConfig = { - Gateway = "10.202.41.1"; - Destination = "10.201.0.0/16"; - }; + Gateway = "10.202.41.1"; + Destination = "10.201.0.0/16"; } { - routeConfig = { - Gateway = "10.202.41.1"; - Destination = "10.202.0.0/16"; - }; + Gateway = "10.202.41.1"; + Destination = "10.202.0.0/16"; } { - routeConfig = { - Gateway = "10.202.41.1"; - Destination = "172.21.87.0/24"; - }; + Gateway = "10.202.41.1"; + Destination = "172.21.87.0/24"; } { - routeConfig = { - Gateway = "10.202.41.1"; - Destination = "212.53.203.19/32"; - }; + Gateway = "10.202.41.1"; + Destination = "212.53.203.19/32"; } ]; linkConfig.RequiredForOnline = "routable"; @@ -62,13 +54,11 @@ PrivateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret"; }; wireguardPeers = [{ - wireguardPeerConfig = { - PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ="; - PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret"; - Endpoint = "212.53.203.19:51822"; - AllowedIPs = [ "0.0.0.0/0" ]; - PersistentKeepalive = 25; - }; + PublicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ="; + PresharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret"; + Endpoint = "212.53.203.19:51822"; + AllowedIPs = [ "0.0.0.0/0" ]; + PersistentKeepalive = 25; }]; }; }; diff --git a/config/hosts/mail-2/configuration.nix b/config/hosts/mail-2/configuration.nix index b4a7192..f1fa002 100644 --- a/config/hosts/mail-2/configuration.nix +++ b/config/hosts/mail-2/configuration.nix 
@@ -15,28 +15,20 @@ ]; routes = [ { - routeConfig = { - Gateway = "10.201.41.1"; - Destination = "10.201.0.0/16"; - }; + Gateway = "10.201.41.1"; + Destination = "10.201.0.0/16"; } { - routeConfig = { - Gateway = "10.201.41.1"; - Destination = "10.202.0.0/16"; - }; + Gateway = "10.201.41.1"; + Destination = "10.202.0.0/16"; } { - routeConfig = { - Gateway = "10.201.41.1"; - Destination = "172.21.87.0/24"; - }; + Gateway = "10.201.41.1"; + Destination = "172.21.87.0/24"; } { - routeConfig = { - Gateway = "10.201.41.1"; - Destination = "217.160.117.160/32"; - }; + Gateway = "10.201.41.1"; + Destination = "217.160.117.160/32"; } ]; linkConfig.RequiredForOnline = "routable"; @@ -62,13 +54,11 @@ PrivateKeyFile = "/secrets/wireguard-mail-2-wg0-privatekey.secret"; }; wireguardPeers = [{ - wireguardPeerConfig = { - PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4="; - PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret"; - Endpoint = "217.160.117.160:51820"; - AllowedIPs = [ "0.0.0.0/0" ]; - PersistentKeepalive = 25; - }; + PublicKey = "Nnf7x+Yd+l8ZkK2BTq1lK3iiTYgdrgL9PQ/je8smug4="; + PresharedKeyFile = "/secrets/wireguard-lifeline-mail-2-mail-2-psk.secret"; + Endpoint = "217.160.117.160:51820"; + AllowedIPs = [ "0.0.0.0/0" ]; + PersistentKeepalive = 25; }]; }; }; diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix index 0b1f3a2..6adfeae 100644 --- a/config/hosts/nextcloud/nextcloud.nix +++ b/config/hosts/nextcloud/nextcloud.nix @@ -2,7 +2,7 @@ { services.nextcloud = { enable = true; - package = pkgs.nextcloud29; + package = pkgs.nextcloud30; hostName = "cloud.nekover.se"; https = true; config = { diff --git a/config/hosts/torrent/configuration.nix b/config/hosts/torrent/configuration.nix index 610fde4..83dbdab 100644 --- a/config/hosts/torrent/configuration.nix +++ b/config/hosts/torrent/configuration.nix @@ -25,5 +25,5 @@ }; }; - system.stateVersion = "23.11"; + system.stateVersion = "24.11"; } 
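Review bot: The torrent/configuration.nix hunk raises `system.stateVersion` from "23.11" to "24.11" on what looks like an existing host, but that option does not track the running release. It selects defaults for stateful data (on-disk layouts, default database versions), and the NixOS manual advises leaving it at the first-install value unless every affected service has been checked and migrated. The same bump is made for valkyrie ("23.05" to "24.11") in PATCH 20/60; the Proxmox template in PATCH 10/60 is a different case, since images built from it are fresh installs. If the bump is deliberate, a comment such as `# bumped after reviewing the 24.05 and 24.11 release notes for stateful services on this host` would make that visible; otherwise keep `system.stateVersion = "23.11";`.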
diff --git a/config/hosts/torrent/sonarr.nix b/config/hosts/torrent/sonarr.nix index 83318db..19c66ca 100644 --- a/config/hosts/torrent/sonarr.nix +++ b/config/hosts/torrent/sonarr.nix @@ -1,8 +1,19 @@ -{ nixpkgs-unstable, ... }: +{ ... }: { + # The sonarr package is dependend on .NET 6 which is marked as insecure. + # It doesn't seem to build with the later .NET versions. + # In the meantime allow the installation of these insecure packages since sonarr is only reachable locally. + nixpkgs.config = { + permittedInsecurePackages = [ + "aspnetcore-runtime-wrapped-6.0.36" + "aspnetcore-runtime-6.0.36" + "dotnet-sdk-wrapped-6.0.428" + "dotnet-sdk-6.0.428" + ]; + }; + services.sonarr = { enable = true; - package = nixpkgs-unstable.legacyPackages."x86_64-linux".sonarr; user = "torrent"; group = "torrent"; }; diff --git a/hosts.nix b/hosts.nix index 5111f63..fc029b7 100644 --- a/hosts.nix +++ b/hosts.nix @@ -92,6 +92,7 @@ in environment = "proxmox"; }; torrent = { + hostNixpkgs = nixpkgs-unstable; site = "vs"; environment = "proxmox"; }; From d1c2c643bc20cd8318aa2270540e3f5682445225 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 1 Dec 2024 18:03:00 +0100 Subject: [PATCH 10/60] Raise system.stateVersion of proxmox template to 24.11 --- config/nixos-generators/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/nixos-generators/default.nix b/config/nixos-generators/default.nix index 2cda85e..c7a930e 100644 --- a/config/nixos-generators/default.nix +++ b/config/nixos-generators/default.nix @@ -10,5 +10,5 @@ firewall.enable = true; }; - system.stateVersion = "23.05"; + system.stateVersion = "24.11"; } From 9cbb3b1f37fb7fa891689dbbffe61ac6a03e5a44 Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 14 Dec 2024 21:59:10 +0100 Subject: [PATCH 11/60] Update mastodon to 4.3.2 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
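Review bot: `nixpkgs.config.permittedInsecurePackages` in the sonarr.nix hunk applies to the whole host's package set, so the four end-of-life .NET 6 entries are permitted for anything evaluated for this host, not only for sonarr. The justification in the comment ("only reachable locally") depends on the firewall and the service's listen address, neither of which is visible in this hunk, so the comment should say how that restriction is enforced. The exception should also carry an exit condition, e.g. `# TODO: drop once sonarr in nixpkgs builds against a supported .NET`. Because hosts.nix now sets `hostNixpkgs = nixpkgs-unstable;` for this host, the exact version strings will stop matching when unstable moves them; that fails closed at evaluation, which is the safe direction. Also fix the typo `dependend` -> `dependent`.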
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index ed168ff..43bca3e 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -11,14 +11,14 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.3.1"; + version = "4.3.2"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-JlpQGyVPTLcB3RcWMBrmYc1AAUT1JLfS4IDas9ZoWh4="; + sha256 = "sha256-A1sSUBtlztKFsZ3TY/c9CXFV8LhttRW2JmSU0QSVOIg="; }; installPhase = '' cp -r ./ $out/ From cfec34b2926907397c9bfad49ba102c87b42003d Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 14 Dec 2024 22:34:28 +0100 Subject: [PATCH 12/60] Add mastodon-modern theme --- config/hosts/mastodon/mastodon.nix | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 43bca3e..18c25e0 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -5,6 +5,11 @@ let rev = "v2.2"; hash = "sha256-KyXDnpZh1DrY59jvdU42UicgBVvEGtvAGeU1mNxJauQ="; }; + mastodonModern = pkgs.fetchgit { + url = "https://git.gay/freeplay/Mastodon-Modern.git"; + rev = "e9e53496789234d5782b5b3d97ed66a130b1678a"; + hash = "sha256-lUq57Gbr1UCMVGoO4xTT3wYPNwohdepxSPCX+WP6AS8="; + }; mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; hash = "sha256-3jWbKll5RGB1vfEmONVivzGYcoONEkBEHh/rOt9LXlU="; 
@@ -23,10 +28,14 @@ let installPhase = '' cp -r ./ $out/ cp -r ${tangerineUI}/mastodon/app/javascript/styles/* $out/app/javascript/styles/ + echo "@import 'mastodon/variables'; + @import 'application';" >> $out/app/javascript/styles/modern-dark.scss + cat ${mastodonModern}/modern.css >> $out/app/javascript/styles/modern-dark.scss echo "tangerineui: styles/tangerineui.scss tangerineui-purple: styles/tangerineui-purple.scss tangerineui-cherry: styles/tangerineui-cherry.scss - tangerineui-lagoon: styles/tangerineui-lagoon.scss" >> $out/config/themes.yml + tangerineui-lagoon: styles/tangerineui-lagoon.scss + modern-dark: styles/modern-dark.scss" >> $out/config/themes.yml ''; }; patches = [ From 36491b8e1727817691a51983d6ec52ebe94446ab Mon Sep 17 00:00:00 2001 
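Review bot: The installPhase hunk appends `modern.css` from the third-party Mastodon-Modern repository verbatim into `modern-dark.scss`, which presumably ends up in the assets served to every user who selects the theme. The source is pinned by commit and hash in the previous hunk, so the content is fixed. Nothing here records whether the stylesheet was checked for remote `@import` or `url(...)` references, which would make browsers contact a third-party host; a one-line comment noting that check at the pinned revision would help whoever bumps it next. Separately, the new file is created with `>>`; using `>` for the first `echo` would make it explicit that the file is generated from scratch rather than extending an existing file of the same name.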
From: fi Date: Sat, 14 Dec 2024 22:56:30 +0100 Subject: [PATCH 13/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/098e8b6ff72c86944a8d54b64ddd7b7e6635830a?narHash=sha256-/MNhZLR0eh9z/d3l%2Bammq%2BF5XxHln0RHgO4Bhtjr0IM%3D' (2024-11-25) → 'github:nix-community/nixos-generators/d162ffdf0a30f3d19e67df5091d6744ab8b9229f?narHash=sha256-0tlZU8xfQGPcBOdXZee7P3vJLyPjTrXw7WbIgXD34gM%3D' (2024-12-12) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/87b6978992e2eb605732fba842cad0a7e14b2047?narHash=sha256-/hxIKRTBsdrnudJWDGaBN8wIjHovqVAVxXdi8ByVtck%3D' (2024-11-24) → 'github:nix-community/nixpkgs.lib/f4dc9a6c02e5e14d91d158522f69f6ab4194eb5b?narHash=sha256-5WoMeCkaXqTZwwCNLRzyLxEJn8ISwjx4cNqLgqKwg9s%3D' (2024-12-08) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/809802e9ab4b56e7a3db576832e95e3f7b74781a?narHash=sha256-RvyWCxT6O9ugSqSXHAMaFTIZtKS7SBHdUHKLoPW1/xg%3D' (2024-11-30) → 'github:NixOS/nixpkgs/8e21c38b7d24eadf3ef672a65a1cc927015d2197?narHash=sha256-x5OW9e2w1y/7UKvZK0m9vXddociX9cF1F1Cg9/uA/Ts%3D' (2024-12-13) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/33b9d57c656e65a9c88c5f34e4eb00b83e2b0ca9?narHash=sha256-9Vvu3a1ep1LB6F/kVE2hHH2HQzhSFtUyJYiJRkUkC4Q%3D' (2024-11-30) → 'github:NixOS/nixpkgs/5e28b3fe1a979e365d90172558616c08d114d753?narHash=sha256-tWCGLhWSc3BqDrQIapnpU8JCW228NrZeVHzJbEAoJN0%3D' (2024-12-14) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/57feb2a16f705eeffb075888d92a986e66473012?narHash=sha256-ndq0dD5E6FkqwmNYFS1wUAHa/5HixS3jLjulogM%2B7/E%3D' (2024-11-30) → 'github:NixOS/nixpkgs/119bb2941c87b630c56b5e36b9ed63e3daa0e2d3?narHash=sha256-I8cMXXWtf/%2B3DJT3QGm9BAp/b1oOCdKfgvpZ5XAUnp4%3D' (2024-12-14) --- flake.lock | 30 +++++++++++++++--------------- flake.nix | 2 +- 2 files changed, 16 insertions(+), 16 deletions(-) 
diff --git a/flake.lock b/flake.lock index 7f16841..7e5177b 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1732410305, - "narHash": "sha256-/hxIKRTBsdrnudJWDGaBN8wIjHovqVAVxXdi8ByVtck=", + "lastModified": 1733620091, + "narHash": "sha256-5WoMeCkaXqTZwwCNLRzyLxEJn8ISwjx4cNqLgqKwg9s=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "87b6978992e2eb605732fba842cad0a7e14b2047", + "rev": "f4dc9a6c02e5e14d91d158522f69f6ab4194eb5b", "type": "github" }, "original": { @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1732496924, - "narHash": "sha256-/MNhZLR0eh9z/d3l+ammq+F5XxHln0RHgO4Bhtjr0IM=", + "lastModified": 1733965598, + "narHash": "sha256-0tlZU8xfQGPcBOdXZee7P3vJLyPjTrXw7WbIgXD34gM=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "098e8b6ff72c86944a8d54b64ddd7b7e6635830a", + "rev": "d162ffdf0a30f3d19e67df5091d6744ab8b9229f", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1732954812, - "narHash": "sha256-RvyWCxT6O9ugSqSXHAMaFTIZtKS7SBHdUHKLoPW1/xg=", + "lastModified": 1734078800, + "narHash": "sha256-x5OW9e2w1y/7UKvZK0m9vXddociX9cF1F1Cg9/uA/Ts=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "809802e9ab4b56e7a3db576832e95e3f7b74781a", + "rev": "8e21c38b7d24eadf3ef672a65a1cc927015d2197", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1732997066, - "narHash": "sha256-9Vvu3a1ep1LB6F/kVE2hHH2HQzhSFtUyJYiJRkUkC4Q=", + "lastModified": 1734212916, + "narHash": "sha256-tWCGLhWSc3BqDrQIapnpU8JCW228NrZeVHzJbEAoJN0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "33b9d57c656e65a9c88c5f34e4eb00b83e2b0ca9", + "rev": "5e28b3fe1a979e365d90172558616c08d114d753", "type": "github" }, "original": { 
@@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1732951447, - "narHash": "sha256-ndq0dD5E6FkqwmNYFS1wUAHa/5HixS3jLjulogM+7/E=", + "lastModified": 1734187240, + "narHash": "sha256-I8cMXXWtf/+3DJT3QGm9BAp/b1oOCdKfgvpZ5XAUnp4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "57feb2a16f705eeffb075888d92a986e66473012", + "rev": "119bb2941c87b630c56b5e36b9ed63e3daa0e2d3", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index bd9834f..e5a6b25 100644 --- a/flake.nix +++ b/flake.nix @@ -31,7 +31,7 @@ inherit nixpkgs-unstable nixpkgs-master hosts simple-nixos-mailserver; # Provide environment for secret key command - keyCommandEnv = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" ]; + keyCommandEnv = [ "env" "GNUPGHOME=/home/fi/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/fi/pass/infra" ]; }; }; } // builtins.mapAttrs (helper.generateColmenaHost) hosts; From e241baf97f7ebcaf5f4ae2436ac8353e8a9f09eb Mon Sep 17 00:00:00 2001 
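Review bot: The flake.nix hunk swaps one hard-coded home directory for another in `keyCommandEnv` (`GNUPGHOME=/home/fi/.passinfra_gnupg`, `PASSWORD_STORE_DIR=/home/fi/pass/infra`), so secret retrieval at deploy time is tied to a single operator account. The change also travels inside a commit titled "flake.lock: Update", where it is easy to miss when auditing history; it would be easier to review as its own commit. A comment above the line, e.g. `# NOTE: paths are specific to the deploying user's machine; adjust before deploying from another account`, would document the dependency.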
From: fi Date: Fri, 3 Jan 2025 20:00:21 +0100 Subject: [PATCH 14/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/d162ffdf0a30f3d19e67df5091d6744ab8b9229f?narHash=sha256-0tlZU8xfQGPcBOdXZee7P3vJLyPjTrXw7WbIgXD34gM%3D' (2024-12-12) → 'github:nix-community/nixos-generators/051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4?narHash=sha256-A7CTIQ8SW0hfbhKlwK%2BvSsu4pD%2BOaelw3v6goX6go%2BU%3D' (2024-12-23) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/f4dc9a6c02e5e14d91d158522f69f6ab4194eb5b?narHash=sha256-5WoMeCkaXqTZwwCNLRzyLxEJn8ISwjx4cNqLgqKwg9s%3D' (2024-12-08) → 'github:nix-community/nixpkgs.lib/0a31e8d833173ae63e43fd9dbff1ccf09c4f778c?narHash=sha256-dPhc%2Bf2wkmhMqMIfq%2BhColJdysgVxKP9ilZ5bR0NRZI%3D' (2024-12-22) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/8e21c38b7d24eadf3ef672a65a1cc927015d2197?narHash=sha256-x5OW9e2w1y/7UKvZK0m9vXddociX9cF1F1Cg9/uA/Ts%3D' (2024-12-13) → 'github:NixOS/nixpkgs/f079a96bc6e7643ce88b49a1f4390424a6e1b04a?narHash=sha256-H69U4f1a0cULUyhBZMO/LkVf/96i/MCbD1pflVcGVUo%3D' (2025-01-02) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/5e28b3fe1a979e365d90172558616c08d114d753?narHash=sha256-tWCGLhWSc3BqDrQIapnpU8JCW228NrZeVHzJbEAoJN0%3D' (2024-12-14) → 'github:NixOS/nixpkgs/a5af1da13031048da9c54fdd9c6aef0889585fc1?narHash=sha256-3TceuzEunxCRAYGsimgh2Uz8ZoukMuxPkiHRR0qXOOU%3D' (2025-01-03) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/119bb2941c87b630c56b5e36b9ed63e3daa0e2d3?narHash=sha256-I8cMXXWtf/%2B3DJT3QGm9BAp/b1oOCdKfgvpZ5XAUnp4%3D' (2024-12-14) → 'github:NixOS/nixpkgs/4138c1b330db6ac6f67abcc9988202e231b3ec54?narHash=sha256-KY5WZZ0kNBcWZtecGWoMKkkCx4aQGEQgQXuBz%2BWTq20%3D' (2025-01-03) • Updated input 'simple-nixos-mailserver': 
'gitlab:simple-nixos-mailserver/nixos-mailserver/29916981e7b3b5782dc5085ad18490113f8ff63b?narHash=sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI%3D' (2024-06-11) → 'gitlab:simple-nixos-mailserver/nixos-mailserver/636b82f4175e3f6b1e80d2189bb0469e2ae01a55?narHash=sha256-G0fB1YBlkalu8lLGRB07K8CpUWNVd%2BunfrjNomSL7SM%3D' (2024-12-22) --- flake.lock | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/flake.lock b/flake.lock index 7e5177b..8f35667 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1733620091, - "narHash": "sha256-5WoMeCkaXqTZwwCNLRzyLxEJn8ISwjx4cNqLgqKwg9s=", + "lastModified": 1734829460, + "narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "f4dc9a6c02e5e14d91d158522f69f6ab4194eb5b", + "rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c", "type": "github" }, "original": { @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1733965598, - "narHash": "sha256-0tlZU8xfQGPcBOdXZee7P3vJLyPjTrXw7WbIgXD34gM=", + "lastModified": 1734915500, + "narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "d162ffdf0a30f3d19e67df5091d6744ab8b9229f", + "rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1734078800, - "narHash": "sha256-x5OW9e2w1y/7UKvZK0m9vXddociX9cF1F1Cg9/uA/Ts=", + "lastModified": 1735862185, + "narHash": "sha256-H69U4f1a0cULUyhBZMO/LkVf/96i/MCbD1pflVcGVUo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8e21c38b7d24eadf3ef672a65a1cc927015d2197", + "rev": "f079a96bc6e7643ce88b49a1f4390424a6e1b04a", "type": "github" }, "original": { 
@@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1734212916, - "narHash": "sha256-tWCGLhWSc3BqDrQIapnpU8JCW228NrZeVHzJbEAoJN0=", + "lastModified": 1735930172, + "narHash": "sha256-3TceuzEunxCRAYGsimgh2Uz8ZoukMuxPkiHRR0qXOOU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5e28b3fe1a979e365d90172558616c08d114d753", + "rev": "a5af1da13031048da9c54fdd9c6aef0889585fc1", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1734187240, - "narHash": "sha256-I8cMXXWtf/+3DJT3QGm9BAp/b1oOCdKfgvpZ5XAUnp4=", + "lastModified": 1735888521, + "narHash": "sha256-KY5WZZ0kNBcWZtecGWoMKkkCx4aQGEQgQXuBz+WTq20=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "119bb2941c87b630c56b5e36b9ed63e3daa0e2d3", + "rev": "4138c1b330db6ac6f67abcc9988202e231b3ec54", "type": "github" }, "original": { @@ -164,11 +164,11 @@ "utils": "utils" }, "locked": { - "lastModified": 1718084203, - "narHash": "sha256-Cx1xoVfSMv1XDLgKg08CUd1EoTYWB45VmB9XIQzhmzI=", + "lastModified": 1734885828, + "narHash": "sha256-G0fB1YBlkalu8lLGRB07K8CpUWNVd+unfrjNomSL7SM=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "29916981e7b3b5782dc5085ad18490113f8ff63b", + "rev": "636b82f4175e3f6b1e80d2189bb0469e2ae01a55", "type": "gitlab" }, "original": { From 4d9b86b260d14b2c31f2065852bde355a74a99bf Mon Sep 17 00:00:00 2001 From: fi Date: Mon, 6 Jan 2025 23:59:51 +0100 Subject: [PATCH 15/60] Use jackett package from master to work around faulty test in older jackett version --- config/hosts/torrent/jackett.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/hosts/torrent/jackett.nix b/config/hosts/torrent/jackett.nix index 6aa6e5e..675576f 100644 --- a/config/hosts/torrent/jackett.nix +++ b/config/hosts/torrent/jackett.nix 
@@ -1,8 +1,8 @@ -{ nixpkgs-unstable, ... }: +{ nixpkgs-master, ... }: { services.jackett = { enable = true; - # use package from unstable to work around faulty test in older jackett version - package = nixpkgs-unstable.legacyPackages."x86_64-linux".jackett; + # use package from master to work around faulty test in older jackett version + package = nixpkgs-master.legacyPackages."x86_64-linux".jackett; }; } From c530631ef8c11898b536d6923b9fd72ea4d4e1f5 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 7 Jan 2025 00:04:36 +0100 Subject: [PATCH 16/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/f079a96bc6e7643ce88b49a1f4390424a6e1b04a?narHash=sha256-H69U4f1a0cULUyhBZMO/LkVf/96i/MCbD1pflVcGVUo%3D' (2025-01-02) → 'github:NixOS/nixpkgs/bd27be8c9381a66288504d5266db495de571d7bf?narHash=sha256-vL6dGj%2B0w%2Bl1cK4duEokolgmx4Hu3O1TPjpD6Dfd7oY%3D' (2025-01-06) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/a5af1da13031048da9c54fdd9c6aef0889585fc1?narHash=sha256-3TceuzEunxCRAYGsimgh2Uz8ZoukMuxPkiHRR0qXOOU%3D' (2025-01-03) → 'github:NixOS/nixpkgs/6199c32fe66a688ce7c3483de2b05b358ab7a0a6?narHash=sha256-y1OxajWQrxP7naHYPoUCrf4AAhEqOGwpNbj%2BqBXSn5s%3D' (2025-01-06) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/4138c1b330db6ac6f67abcc9988202e231b3ec54?narHash=sha256-KY5WZZ0kNBcWZtecGWoMKkkCx4aQGEQgQXuBz%2BWTq20%3D' (2025-01-03) → 'github:NixOS/nixpkgs/9f46f57b78d2ef865cd8c58eff8d430bb62a471a?narHash=sha256-AdKOlljgcTLOrJb3HFpaaoHWJhFrkVeT9HbRm0JvcwE%3D' (2025-01-06) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 8f35667..f2eb41a 100644 --- a/flake.lock +++ b/flake.lock 
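Review bot: Sourcing `services.jackett.package` from `nixpkgs-master` builds this service from the development branch, which, as far as I know, is not gated by the channel test sets the way the release and unstable channels are. The exact revision is still pinned through flake.lock. The comment explains the workaround but not when it ends, so I would add something like `# TODO: return to the host's nixpkgs once the fixed jackett reaches it`. The `"x86_64-linux"` system string is also hard-coded on this line.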
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1735862185, - "narHash": "sha256-H69U4f1a0cULUyhBZMO/LkVf/96i/MCbD1pflVcGVUo=", + "lastModified": 1736167739, + "narHash": "sha256-vL6dGj+0w+l1cK4duEokolgmx4Hu3O1TPjpD6Dfd7oY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "f079a96bc6e7643ce88b49a1f4390424a6e1b04a", + "rev": "bd27be8c9381a66288504d5266db495de571d7bf", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1735930172, - "narHash": "sha256-3TceuzEunxCRAYGsimgh2Uz8ZoukMuxPkiHRR0qXOOU=", + "lastModified": 1736204625, + "narHash": "sha256-y1OxajWQrxP7naHYPoUCrf4AAhEqOGwpNbj+qBXSn5s=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a5af1da13031048da9c54fdd9c6aef0889585fc1", + "rev": "6199c32fe66a688ce7c3483de2b05b358ab7a0a6", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1735888521, - "narHash": "sha256-KY5WZZ0kNBcWZtecGWoMKkkCx4aQGEQgQXuBz+WTq20=", + "lastModified": 1736165148, + "narHash": "sha256-AdKOlljgcTLOrJb3HFpaaoHWJhFrkVeT9HbRm0JvcwE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4138c1b330db6ac6f67abcc9988202e231b3ec54", + "rev": "9f46f57b78d2ef865cd8c58eff8d430bb62a471a", "type": "github" }, "original": { From 8cea8e0fe6d4daad01d884a5e8f93cef2c1e1119 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 15 Jan 2025 20:09:38 +0100 Subject: [PATCH 17/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4?narHash=sha256-A7CTIQ8SW0hfbhKlwK%2BvSsu4pD%2BOaelw3v6goX6go%2BU%3D' (2024-12-23) → 'github:nix-community/nixos-generators/74b8e31dd709760c86eed16b6c1d0b88d7360937?narHash=sha256-mvTZ7fLKA6ggGnA8GZwcXV57EvVReRTCfi26xc08Q3g%3D' (2025-01-13) • Updated input 'nixos-generators/nixlib': 'github:nix-community/nixpkgs.lib/0a31e8d833173ae63e43fd9dbff1ccf09c4f778c?narHash=sha256-dPhc%2Bf2wkmhMqMIfq%2BhColJdysgVxKP9ilZ5bR0NRZI%3D' (2024-12-22) → 'github:nix-community/nixpkgs.lib/1418bc28a52126761c02dd3d89b2d8ca0f521181?narHash=sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s%3D' (2025-01-12) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/bd27be8c9381a66288504d5266db495de571d7bf?narHash=sha256-vL6dGj%2B0w%2Bl1cK4duEokolgmx4Hu3O1TPjpD6Dfd7oY%3D' (2025-01-06) → 'github:NixOS/nixpkgs/e24b4c09e963677b1beea49d411cd315a024ad3a?narHash=sha256-puPDoVKxkuNmYIGMpMQiK8bEjaACcCksolsG36gdaNQ%3D' (2025-01-15) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/6199c32fe66a688ce7c3483de2b05b358ab7a0a6?narHash=sha256-y1OxajWQrxP7naHYPoUCrf4AAhEqOGwpNbj%2BqBXSn5s%3D' (2025-01-06) → 'github:NixOS/nixpkgs/b16e3d70060653b149ecb5ce014229b06fc6314e?narHash=sha256-IiP%2B6VTVnE1r4aDQxkIcHsnfOoFVIqAwAo4Tend%2B8R4%3D' (2025-01-15) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/9f46f57b78d2ef865cd8c58eff8d430bb62a471a?narHash=sha256-AdKOlljgcTLOrJb3HFpaaoHWJhFrkVeT9HbRm0JvcwE%3D' (2025-01-06) → 'github:NixOS/nixpkgs/79fb36c527a228a09f0064dbadf16ea0c53558bb?narHash=sha256-%2BOXbtG8uquUww0cDW6FSbjhJHpx4bA1uqPpMd4Vo9ZI%3D' (2025-01-15) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) 
diff --git a/flake.lock b/flake.lock index f2eb41a..22eda58 100644 --- a/flake.lock +++ b/flake.lock @@ -34,11 +34,11 @@ }, "nixlib": { "locked": { - "lastModified": 1734829460, - "narHash": "sha256-dPhc+f2wkmhMqMIfq+hColJdysgVxKP9ilZ5bR0NRZI=", + "lastModified": 1736643958, + "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "0a31e8d833173ae63e43fd9dbff1ccf09c4f778c", + "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", "type": "github" }, "original": { @@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1734915500, - "narHash": "sha256-A7CTIQ8SW0hfbhKlwK+vSsu4pD+Oaelw3v6goX6go+U=", + "lastModified": 1736730523, + "narHash": "sha256-mvTZ7fLKA6ggGnA8GZwcXV57EvVReRTCfi26xc08Q3g=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "051d1b2dda3b2e81b38d82e2b691e5c2f4d335f4", + "rev": "74b8e31dd709760c86eed16b6c1d0b88d7360937", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1736167739, - "narHash": "sha256-vL6dGj+0w+l1cK4duEokolgmx4Hu3O1TPjpD6Dfd7oY=", + "lastModified": 1736916166, + "narHash": "sha256-puPDoVKxkuNmYIGMpMQiK8bEjaACcCksolsG36gdaNQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bd27be8c9381a66288504d5266db495de571d7bf", + "rev": "e24b4c09e963677b1beea49d411cd315a024ad3a", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1736204625, - "narHash": "sha256-y1OxajWQrxP7naHYPoUCrf4AAhEqOGwpNbj+qBXSn5s=", + "lastModified": 1736968098, + "narHash": "sha256-IiP+6VTVnE1r4aDQxkIcHsnfOoFVIqAwAo4Tend+8R4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6199c32fe66a688ce7c3483de2b05b358ab7a0a6", + "rev": "b16e3d70060653b149ecb5ce014229b06fc6314e", "type": "github" }, "original": { 
@@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1736165148, - "narHash": "sha256-AdKOlljgcTLOrJb3HFpaaoHWJhFrkVeT9HbRm0JvcwE=", + "lastModified": 1736924247, + "narHash": "sha256-+OXbtG8uquUww0cDW6FSbjhJHpx4bA1uqPpMd4Vo9ZI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9f46f57b78d2ef865cd8c58eff8d430bb62a471a", + "rev": "79fb36c527a228a09f0064dbadf16ea0c53558bb", "type": "github" }, "original": { From 5e4bfb17fb086fe726bf5231e62789933733ccbb Mon Sep 17 00:00:00 2001 
From: fi Date: Tue, 21 Jan 2025 18:19:26 +0100 Subject: [PATCH 18/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/74b8e31dd709760c86eed16b6c1d0b88d7360937?narHash=sha256-mvTZ7fLKA6ggGnA8GZwcXV57EvVReRTCfi26xc08Q3g%3D' (2025-01-13) → 'github:nix-community/nixos-generators/d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453?narHash=sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL%2BtIBm49vpepwL1MQ%3D' (2025-01-16) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/e24b4c09e963677b1beea49d411cd315a024ad3a?narHash=sha256-puPDoVKxkuNmYIGMpMQiK8bEjaACcCksolsG36gdaNQ%3D' (2025-01-15) → 'github:NixOS/nixpkgs/6b90f6de986555ac39fc69c438d1192a397bf686?narHash=sha256-IT0B8bzp0JHYlMZ62qFdwKrj9zxdn3AEAsByXFWMcY4%3D' (2025-01-20) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/b16e3d70060653b149ecb5ce014229b06fc6314e?narHash=sha256-IiP%2B6VTVnE1r4aDQxkIcHsnfOoFVIqAwAo4Tend%2B8R4%3D' (2025-01-15) → 'github:NixOS/nixpkgs/8f02b83dbc10aeeb27d2b4cb7d15f2611b2706b4?narHash=sha256-q8Na0pUQaVGyYRMq%2BM4VejamPtNfnmQC92sJmmkqAy4%3D' (2025-01-21) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/79fb36c527a228a09f0064dbadf16ea0c53558bb?narHash=sha256-%2BOXbtG8uquUww0cDW6FSbjhJHpx4bA1uqPpMd4Vo9ZI%3D' (2025-01-15) → 'github:NixOS/nixpkgs/2582766522e754520bf3f883f06560f89870a5ba?narHash=sha256-GG0myEzULU7uiwoNGnwqiclki%2BJg8dPG6nv7yKo7lMc%3D' (2025-01-21) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 22eda58..cc86f81 100644 --- a/flake.lock +++ b/flake.lock 
@@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1736730523, - "narHash": "sha256-mvTZ7fLKA6ggGnA8GZwcXV57EvVReRTCfi26xc08Q3g=", + "lastModified": 1737057290, + "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "74b8e31dd709760c86eed16b6c1d0b88d7360937", + "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1736916166, - "narHash": "sha256-puPDoVKxkuNmYIGMpMQiK8bEjaACcCksolsG36gdaNQ=", + "lastModified": 1737362405, + "narHash": "sha256-IT0B8bzp0JHYlMZ62qFdwKrj9zxdn3AEAsByXFWMcY4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e24b4c09e963677b1beea49d411cd315a024ad3a", + "rev": "6b90f6de986555ac39fc69c438d1192a397bf686", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1736968098, - "narHash": "sha256-IiP+6VTVnE1r4aDQxkIcHsnfOoFVIqAwAo4Tend+8R4=", + "lastModified": 1737479843, + "narHash": "sha256-q8Na0pUQaVGyYRMq+M4VejamPtNfnmQC92sJmmkqAy4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b16e3d70060653b149ecb5ce014229b06fc6314e", + "rev": "8f02b83dbc10aeeb27d2b4cb7d15f2611b2706b4", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1736924247, - "narHash": "sha256-+OXbtG8uquUww0cDW6FSbjhJHpx4bA1uqPpMd4Vo9ZI=", + "lastModified": 1737469477, + "narHash": "sha256-GG0myEzULU7uiwoNGnwqiclki+Jg8dPG6nv7yKo7lMc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "79fb36c527a228a09f0064dbadf16ea0c53558bb", + "rev": "2582766522e754520bf3f883f06560f89870a5ba", "type": "github" }, "original": { From e2ff9244c223eef51d4081847c5ecaf5f8f3c36b Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 21 Jan 2025 18:36:50 +0100 Subject: [PATCH 19/60] Update mastodon to 4.3.3 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 18c25e0..e7a3024 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -16,14 +16,14 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.3.2"; + version = "4.3.3"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-A1sSUBtlztKFsZ3TY/c9CXFV8LhttRW2JmSU0QSVOIg="; + sha256 = "sha256-6FyLhRy+/uW+RYt+IRHpkTABjKGTQYjR/4GSPN+GlGY="; }; installPhase = '' cp -r ./ $out/ From a709d4d7c30933b55fa7079f25f4c555194bef17 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 21 Jan 2025 19:11:29 +0100 Subject: [PATCH 20/60] Bump valkyrie system.stateVersion to 24.11 --- config/hosts/valkyrie/configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index f4e2db5..aca6e04 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix @@ -96,5 +96,5 @@ services.prometheus.exporters.node.enable = false; - system.stateVersion = "23.05"; + system.stateVersion = "24.11"; } From 893e94895496fe7736f6f33219c34fa22e321cc5 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 21 Jan 2025 19:13:45 +0100 Subject: [PATCH 21/60] Use stable nixpkgs for valkyrie uptime-kuma container --- config/hosts/valkyrie/containers/uptime-kuma/default.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/config/hosts/valkyrie/containers/uptime-kuma/default.nix b/config/hosts/valkyrie/containers/uptime-kuma/default.nix index ca36384..7f55ea4 100644 --- a/config/hosts/valkyrie/containers/uptime-kuma/default.nix +++ b/config/hosts/valkyrie/containers/uptime-kuma/default.nix 
@@ -1,7 +1,6 @@ -{ nixpkgs-unstable, ... }: +{ ... }: { containers.uptime-kuma = { - nixpkgs = nixpkgs-unstable; autoStart = true; config = { ... }: { networking.useHostResolvConf = true; From 80558926839edefa8f129a1be06f077436043e1a Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 5 Feb 2025 22:29:51 +0100 Subject: [PATCH 22/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/6b90f6de986555ac39fc69c438d1192a397bf686?narHash=sha256-IT0B8bzp0JHYlMZ62qFdwKrj9zxdn3AEAsByXFWMcY4%3D' (2025-01-20) → 'github:NixOS/nixpkgs/2912b26f2abf86ef1d61f3e821a4f696e7676624?narHash=sha256-yhRbvMTZRP8plyZvhDkN6P/ZRdz581PoIFxipduSU6o%3D' (2025-02-05) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/8f02b83dbc10aeeb27d2b4cb7d15f2611b2706b4?narHash=sha256-q8Na0pUQaVGyYRMq%2BM4VejamPtNfnmQC92sJmmkqAy4%3D' (2025-01-21) → 'github:NixOS/nixpkgs/e43c53cfc11b8ea55791429e22280783f840fe4d?narHash=sha256-ke9hUOSayBqpxn%2Bd/qvPWvhfERY4t9ubBRw5h/i2wsI%3D' (2025-02-05) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/2582766522e754520bf3f883f06560f89870a5ba?narHash=sha256-GG0myEzULU7uiwoNGnwqiclki%2BJg8dPG6nv7yKo7lMc%3D' (2025-01-21) → 'github:NixOS/nixpkgs/ceaea203f3ae1787b1bd13f021f686391696fc5b?narHash=sha256-CZ8T4vP3ag2hwkpSZjatxJb55ouszvmnWw09qxGW9TU%3D' (2025-02-05) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index cc86f81..7539436 100644 --- a/flake.lock +++ b/flake.lock 
@@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1737362405, - "narHash": "sha256-IT0B8bzp0JHYlMZ62qFdwKrj9zxdn3AEAsByXFWMcY4=", + "lastModified": 1738755945, + "narHash": "sha256-yhRbvMTZRP8plyZvhDkN6P/ZRdz581PoIFxipduSU6o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6b90f6de986555ac39fc69c438d1192a397bf686", + "rev": "2912b26f2abf86ef1d61f3e821a4f696e7676624", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1737479843, - "narHash": "sha256-q8Na0pUQaVGyYRMq+M4VejamPtNfnmQC92sJmmkqAy4=", + "lastModified": 1738790909, + "narHash": "sha256-ke9hUOSayBqpxn+d/qvPWvhfERY4t9ubBRw5h/i2wsI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8f02b83dbc10aeeb27d2b4cb7d15f2611b2706b4", + "rev": "e43c53cfc11b8ea55791429e22280783f840fe4d", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1737469477, - "narHash": "sha256-GG0myEzULU7uiwoNGnwqiclki+Jg8dPG6nv7yKo7lMc=", + "lastModified": 1738758495, + "narHash": "sha256-CZ8T4vP3ag2hwkpSZjatxJb55ouszvmnWw09qxGW9TU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2582766522e754520bf3f883f06560f89870a5ba", + "rev": "ceaea203f3ae1787b1bd13f021f686391696fc5b", "type": "github" }, "original": { From c174f625c8601da1cd6a9db97d8109c2e4b0f14c Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 6 Feb 2025 00:06:42 +0100 Subject: [PATCH 23/60] Add matrix-authentication-service package to matrix host --- config/hosts/matrix/matrix-synapse.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index 7f339bf..8d74f50 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix @@ -1,5 +1,9 @@ -{ ... }: +{ pkgs, ... }: { + environment.systemPackages = with pkgs; [ + matrix-authentication-service + syn2mas + ]; services.matrix-synapse = { enable = true; settings = { 
From e484360f9177e4b86ddc013753d776fd119a04fb Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 11 Feb 2025 18:24:45 +0100 Subject: [PATCH 24/60] Use the X-Forwarded-* headers for keycloak instead of Forwarded This also explicitly sets X-Forwarded-Proto to https which fixes the warning "Non-secure context detected; cookies are not secured, and will not be available in cross-origin POST requests" which prevented the user account management page to load. --- config/hosts/keycloak/keycloak.nix | 2 +- config/hosts/keycloak/nginx.nix | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/config/hosts/keycloak/keycloak.nix b/config/hosts/keycloak/keycloak.nix index e8e38c3..2ae957b 100644 --- a/config/hosts/keycloak/keycloak.nix +++ b/config/hosts/keycloak/keycloak.nix @@ -5,7 +5,7 @@ settings = { hostname = "https://id.nekover.se"; hostname-admin = "https://keycloak-admin.nekover.se"; - proxy-headers = "forwarded"; + proxy-headers = "xforwarded"; http-enabled = true; http-host = "127.0.0.1"; http-port = 8080; diff --git a/config/hosts/keycloak/nginx.nix b/config/hosts/keycloak/nginx.nix index 0c83ea0..c82597d 100644 --- a/config/hosts/keycloak/nginx.nix +++ b/config/hosts/keycloak/nginx.nix @@ -41,6 +41,13 @@ proxy_buffer_size 128k; proxy_buffers 8 128k; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Port 443; + # This is https in any case. + proxy_set_header X-Forwarded-Proto https; # Hide the X-Forwarded header. proxy_hide_header X-Forwarded; # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that 
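Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in the first config/hosts/keycloak/nginx.nix hunk, and the identical line in the second hunk (`@@ -96,6 +103,13 @@`), appends to whatever X-Forwarded-For value the client sent instead of replacing it. The same commit sets `proxy-headers = "xforwarded"` in keycloak.nix, so Keycloak now trusts that header, and a client-chosen address may end up in login events or brute-force detection depending on which list entry Keycloak reads. Since the neighbouring comment says this nginx is the only reverse proxy, overwrite rather than append: `proxy_set_header X-Forwarded-For $remote_addr;`. The location blocks start and end outside both hunks, so it should be confirmed there that `$remote_addr` is already taken from the PROXY protocol header.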
@@ -96,6 +103,13 @@ proxy_buffer_size 128k; proxy_buffers 8 128k; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Port 443; + # This is https in any case. + proxy_set_header X-Forwarded-Proto https; # Hide the X-Forwarded header. proxy_hide_header X-Forwarded; # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that From 881189eb6237b44b67ca5f594fcff6ead10b1da3 Mon Sep 17 00:00:00 2001 From: fi Date: Tue, 11 Feb 2025 23:09:22 +0100 Subject: [PATCH 25/60] Configure matrix-authentication-service --- config/hosts/matrix/default.nix | 1 + .../matrix/matrix-authentication-service.nix | 94 +++++++++++++++++++ config/hosts/matrix/matrix-synapse.nix | 8 +- config/hosts/matrix/nginx.nix | 89 +++++++++++------- config/hosts/matrix/postgresql.nix | 5 + config/hosts/matrix/secrets.nix | 12 ++- config/hosts/web-public-2/nginx.nix | 2 +- .../virtualHosts/acme-challenge.nix | 1 + .../web-public-2/virtualHosts/nekover.se.nix | 2 +- 9 files changed, 172 insertions(+), 42 deletions(-) create mode 100644 config/hosts/matrix/matrix-authentication-service.nix diff --git a/config/hosts/matrix/default.nix b/config/hosts/matrix/default.nix index 27528b7..5cafdf8 100644 --- a/config/hosts/matrix/default.nix +++ b/config/hosts/matrix/default.nix @@ -4,6 +4,7 @@ ./configuration.nix ./hardware-configuration.nix ./postgresql.nix + ./matrix-authentication-service.nix ./matrix-synapse.nix ./nginx.nix ]; diff --git a/config/hosts/matrix/matrix-authentication-service.nix b/config/hosts/matrix/matrix-authentication-service.nix new file mode 100644 index 0000000..6c69834 --- /dev/null +++ b/config/hosts/matrix/matrix-authentication-service.nix 
@@ -0,0 +1,94 @@ +{ pkgs, ... }: +let + masSettings = { + http = { + listeners = [ + { + name = "web"; + resources = [ + { name = "discovery"; } + { name = "human"; } + { name = "oauth"; } + { name = "compat"; } + { name = "graphql"; } + { + name = "assets"; + path = "${pkgs.matrix-authentication-service}/share/matrix-authentication-service/assets/"; + } + ]; + binds = [{ + host = "localhost"; + port = 8080; + }]; + proxy_protocol = false; + } + { + name = "internal"; + resources = [{ + name = "health"; + }]; + binds = [{ + host = "localhost"; + port = 8081; + }]; + proxy_protocol = false; + } + ]; + trusted_proxies = [ + "192.168.0.0/16" + "172.16.0.0/12" + "10.0.0.0/10" + "127.0.0.1/8" + "fd00::/8" + "::1/128" + ]; + public_base = "https://mas.nekover.se"; + }; + database = { + uri = "postgresql://mas_user:mas@localhost/mas"; + max_connections = 10; + min_connections = 0; + connect_timeout = 30; + idle_timeout = 600; + max_lifetime = 1800; + }; + passwords = { + enabled = true; + schemes = [ + { + version = 1; + algorithm = "bcrypt"; + } + { + version = 2; + algorithm = "argon2id"; + } + ]; + minimum_complexity = 8; + }; + }; + masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings); +in +{ + environment.systemPackages = with pkgs; [ + matrix-authentication-service + syn2mas + ]; + + + systemd.services.matrix-authentication-service = { + description = "Matrix Authentication Service"; + + serviceConfig = { + Type = "simple"; + ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masSettingsFile} --config=/secrets/matrix-mas-secret-config.secret"; + WorkingDirectory = "${pkgs.matrix-authentication-service}"; + User = "matrix-synapse"; + Group = "matrix-synapse"; + }; + + wantedBy = [ + "multi-user.target" + ]; + }; +} diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index 8d74f50..85e6735 100644 --- a/config/hosts/matrix/matrix-synapse.nix 
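Review bot: `uri = "postgresql://mas_user:mas@localhost/mas";` writes the database password into `masSettingsFile`, which is generated into the world-readable Nix store, and the password is the literal `mas`. The postgresql.nix hunk of this commit creates the role with the same literal (`CREATE ROLE "mas_user" WITH LOGIN PASSWORD 'mas';`). The unit is already started with a second `--config=/secrets/matrix-mas-secret-config.secret`, so `database.uri` can move into that file with a generated password and be dropped from `masSettings`. The `trusted_proxies` list also trusts every private range although both listeners bind to localhost; loopback alone would appear to be enough.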
+++ b/config/hosts/matrix/matrix-synapse.nix @@ -1,9 +1,5 @@ -{ pkgs, ... }: +{ ... }: { - environment.systemPackages = with pkgs; [ - matrix-authentication-service - syn2mas - ]; services.matrix-synapse = { enable = true; settings = { @@ -56,7 +52,7 @@ "/secrets/matrix-registration-shared-secret.secret" "/secrets/matrix-turn-shared-secret.secret" "/secrets/matrix-email-smtp-pass.secret" - "/secrets/matrix-keycloak-client-secret.secret" + "/secrets/matrix-homeserver-mas-config.secret" ]; }; } diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index 1b28649..518fe1a 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix 
@@ -2,40 +2,65 @@ { services.nginx = { enable = true; - virtualHosts."matrix.nekover.se" = { - forceSSL = true; - enableACME = true; - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 8448; - ssl = true; - } - ]; - locations = { - "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { - proxyPass = "http://127.0.0.1:8009"; - priority = 999; + virtualHosts = { + "matrix.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 8448; + ssl = true; + } + ]; + locations = { + "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = { + proxyPass = "http://localhost:8009"; + priority = 998; + }; + "~ ^/_matrix/client/(.*)/(login|logout|refresh)" = { + proxyPass = "http://localhost:8080"; + priority = 999; + }; + "~ ^(/_matrix|/_synapse/client)" = { + proxyPass = "http://localhost:8008"; + extraConfig = '' + # Nginx by default only allows file uploads up to 1M in size + # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml + client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; + ''; + }; }; - "~ ^(/_matrix|/_synapse/client)" = { - proxyPass = "http://127.0.0.1:8008"; - extraConfig = '' - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; - ''; - }; - }; - extraConfig = '' - listen 0.0.0.0:8443 http2 ssl proxy_protocol; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; - real_ip_header proxy_protocol; - ''; + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; + "mas.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + ]; + locations."/" = { + proxyPass = 
"http://localhost:8080"; + }; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; }; }; } diff --git a/config/hosts/matrix/postgresql.nix b/config/hosts/matrix/postgresql.nix index 03b753a..06d10e2 100644 --- a/config/hosts/matrix/postgresql.nix +++ b/config/hosts/matrix/postgresql.nix @@ -8,6 +8,11 @@ TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C"; + CREATE ROLE "mas_user" WITH LOGIN PASSWORD 'mas'; + CREATE DATABASE "mas" WITH OWNER "mas_user" + TEMPLATE template0 + LC_COLLATE = "C" + LC_CTYPE = "C"; ''; }; } diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix index a95309e..24573fb 100644 --- a/config/hosts/matrix/secrets.nix +++ b/config/hosts/matrix/secrets.nix @@ -33,8 +33,16 @@ permissions = "0640"; uploadAt = "pre-activation"; }; - "matrix-keycloak-client-secret.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "matrix/keycloak-client-secret" ]; + "matrix-homeserver-mas-config.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/homeserver-mas-config" ]; + destDir = "/secrets"; + user = "matrix-synapse"; + group = "matrix-synapse"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "matrix-mas-secret-config.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/mas-secret-config" ]; destDir = "/secrets"; user = "matrix-synapse"; group = "matrix-synapse"; diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 1f14695..d2386b1 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -17,7 +17,6 @@ stream { map $ssl_preread_server_name $address { anisync.grzb.de 127.0.0.1:8443; - birdsite.nekover.se 10.202.41.107:8443; cloud.nekover.se 10.202.41.122:8443; element.nekover.se 127.0.0.1:8443; fi.nekover.se 10.202.41.125:8443; 
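Review bot: `matrix-mas-secret-config.secret` is deployed in config/hosts/matrix/secrets.nix with `user = "matrix-synapse"; group = "matrix-synapse"; permissions = "0640";`, and the new MAS unit in this commit also runs as `User = "matrix-synapse"`. Synapse and the authentication service can therefore read each other's secret files, so a compromise of either process exposes both. A dedicated system account for MAS keeps them apart: set `user`/`group` on this entry to that account (for example `"matrix-authentication-service"`, a name constructed here) and use it in the unit's `User`/`Group`. The attribute set holding these entries starts outside the hunk.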
@@ -26,6 +25,7 @@ git.nekover.se 10.202.41.106:8443; hydra.nekover.se 10.202.41.121:8443; id.nekover.se 10.202.41.124:8443; + mas.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443; mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 59b9d3a..06f828b 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -3,6 +3,7 @@ let acmeDomainMap = { "jellyfin.grzb.de" = "jellyfin.vs.grzb.de"; "mail-1.grzb.de" = "mail-1.vs.grzb.de"; + "mas.nekover.se" = "matrix.vs.grzb.de"; "matrix.nekover.se" = "matrix.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de"; "git.nekover.se" = "forgejo.vs.grzb.de"; diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index 08a61ea..a6a0ef5 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix 
@@ -16,7 +16,7 @@ ''; }; locations."/.well-known/matrix/client" = { - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://id.nekover.se/realms/nekoverse\", \"account\": \"https://id.nekover.se/realms/nekoverse/account/\"}}'"; + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://mas.nekover.se\", \"account\": \"https://mas.nekover.se/account\"}}'"; extraConfig = '' default_type application/json; add_header Access-Control-Allow-Origin *; From 6dae3c7b299f2cde2dd78b1c9df8983fe5c1962c Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 12 Feb 2025 01:38:58 +0100 Subject: [PATCH 26/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/2912b26f2abf86ef1d61f3e821a4f696e7676624?narHash=sha256-yhRbvMTZRP8plyZvhDkN6P/ZRdz581PoIFxipduSU6o%3D' (2025-02-05) → 'github:NixOS/nixpkgs/8ae4ee7978617d3af98721a62f14f25befc0beef?narHash=sha256-2h/5uQaKwQeRXIgpOJpzgeO3qe93AonbJFk0CxTSygY%3D' (2025-02-10) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/e43c53cfc11b8ea55791429e22280783f840fe4d?narHash=sha256-ke9hUOSayBqpxn%2Bd/qvPWvhfERY4t9ubBRw5h/i2wsI%3D' (2025-02-05) → 'github:NixOS/nixpkgs/83a2581c81ff5b06f7c1a4e7cc736a455dfcf7b4?narHash=sha256-L8Tq1dnW96U70vrNpCCGCLHz4rX1GhNRCrRI/iox9wc%3D' (2025-02-12) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/ceaea203f3ae1787b1bd13f021f686391696fc5b?narHash=sha256-CZ8T4vP3ag2hwkpSZjatxJb55ouszvmnWw09qxGW9TU%3D' (2025-02-05) → 'github:NixOS/nixpkgs/6cc4213488e886db863878a1e3dc26cc932d38b8?narHash=sha256-c/Z/6gZLN8BIpYh1B3qMzEn0TArjf4F2lmy59lDLVBM%3D' (2025-02-11) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 7539436..9645052 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1738755945, - "narHash": "sha256-yhRbvMTZRP8plyZvhDkN6P/ZRdz581PoIFxipduSU6o=", + "lastModified": 1739188370, + "narHash": "sha256-2h/5uQaKwQeRXIgpOJpzgeO3qe93AonbJFk0CxTSygY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2912b26f2abf86ef1d61f3e821a4f696e7676624", + "rev": "8ae4ee7978617d3af98721a62f14f25befc0beef", "type": "github" }, "original": { 
@@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1738790909, - "narHash": "sha256-ke9hUOSayBqpxn+d/qvPWvhfERY4t9ubBRw5h/i2wsI=", + "lastModified": 1739319052, + "narHash": "sha256-L8Tq1dnW96U70vrNpCCGCLHz4rX1GhNRCrRI/iox9wc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e43c53cfc11b8ea55791429e22280783f840fe4d", + "rev": "83a2581c81ff5b06f7c1a4e7cc736a455dfcf7b4", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1738758495, - "narHash": "sha256-CZ8T4vP3ag2hwkpSZjatxJb55ouszvmnWw09qxGW9TU=", + "lastModified": 1739303263, + "narHash": "sha256-c/Z/6gZLN8BIpYh1B3qMzEn0TArjf4F2lmy59lDLVBM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ceaea203f3ae1787b1bd13f021f686391696fc5b", + "rev": "6cc4213488e886db863878a1e3dc26cc932d38b8", "type": "github" }, "original": { From 1368fd86636f1d682ed56a8365237e14edbc462b Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 12 Feb 2025 01:54:38 +0100 Subject: [PATCH 27/60] Don't check for broken symlinks when building mastodon Mastodon ships with broken symlinks. When building mastodon the check for that needs to be disabled. --- config/hosts/mastodon/mastodon.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index e7a3024..5aa22ad 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -25,6 +25,8 @@ let rev = "v${version}"; sha256 = "sha256-6FyLhRy+/uW+RYt+IRHpkTABjKGTQYjR/4GSPN+GlGY="; }; + # mastodon ships with broken symlinks, disable the check for that for now + dontCheckForBrokenSymlinks = true; installPhase = '' cp -r ./ $out/ cp -r ${tangerineUI}/mastodon/app/javascript/styles/* $out/app/javascript/styles/ 
@@ -48,6 +50,14 @@ let ]; }; yarnHash = "sha256-e5c04M6XplAgaVyldU5HmYMYtY3MAWs+a8Z/BGSyGBg="; + }).overrideAttrs (old: { + mastodonModules = old.mastodonModules.overrideAttrs (old: { + # FIXME: Remove once fixed in nixpkgs. See https://github.com/NixOS/nixpkgs/issues/380366 + postBuild = '' + # Remove workspace "package" as it contains broken symlinks + rm -r ~/node_modules/@mastodon + ''; + }); }); }; pkgs-overlay = pkgs.extend mastodonNekoverseOverlay; From d8364d07c345783460e567af8ad6d4ef047c5cc0 Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 14 Feb 2025 13:20:51 +0100 Subject: [PATCH 28/60] Specify dependencies on other services for matrix authentication service Fixes matrix authentication service crashing on startup after a host reboot because the network is down. --- config/hosts/matrix/matrix-authentication-service.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/hosts/matrix/matrix-authentication-service.nix b/config/hosts/matrix/matrix-authentication-service.nix index 6c69834..8c8ce91 100644 --- a/config/hosts/matrix/matrix-authentication-service.nix +++ b/config/hosts/matrix/matrix-authentication-service.nix @@ -78,6 +78,9 @@ in systemd.services.matrix-authentication-service = { description = "Matrix Authentication Service"; + after = [ "network-online.target" "postgresql.service" ]; + requires = [ "postgresql.service" ]; + wants = [ "network-online.target" ]; serviceConfig = { Type = "simple"; From f2d49cbc15ce51c6939e254b3fbc3b776929ca25 Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 15 Feb 2025 15:48:18 +0100 Subject: [PATCH 29/60] Enable systemd-resolved for jellyseerr --- config/hosts/jellyseerr/configuration.nix | 6 ++++++ config/hosts/jellyseerr/jellyseerr.nix | 11 ++++++++++- hosts.nix | 1 + 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/config/hosts/jellyseerr/configuration.nix b/config/hosts/jellyseerr/configuration.nix index 05b8f3f..cf03358 100644 --- a/config/hosts/jellyseerr/configuration.nix 
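Review bot: `postBuild = '' … '';` inside `old.mastodonModules.overrideAttrs` replaces any `postBuild` the nixpkgs derivation already defines instead of extending it. Both nested lambdas also bind the name `old`, so the inner one shadows the outer. Appending keeps upstream steps intact, `postBuild = (oldModules.postBuild or "") + '' … '';`, with the inner argument renamed to `oldModules`. Whether nixpkgs sets a `postBuild` on `mastodonModules` is not visible in this hunk.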
+++ b/config/hosts/jellyseerr/configuration.nix @@ -10,6 +10,7 @@ firewall = { allowedTCPPorts = [ 80 443 ]; }; + nameservers = [ "193.138.218.74" ]; extraHosts = '' 10.202.46.101 jellyfin.grzb.de @@ -18,5 +19,10 @@ ''; }; + services.resolved = { + enable = true; + fallbackDns = [ ]; + }; + system.stateVersion = "23.11"; } diff --git a/config/hosts/jellyseerr/jellyseerr.nix b/config/hosts/jellyseerr/jellyseerr.nix index bd473b0..8e406b0 100644 --- a/config/hosts/jellyseerr/jellyseerr.nix +++ b/config/hosts/jellyseerr/jellyseerr.nix @@ -1,6 +1,15 @@ -{ ... }: +{ pkgs, ... }: +let + jellyseerrOverlay = final: prev: { + jellyseerr = prev.jellyseerr.overrideAttrs (finalAttr: previousAttr: { + dontCheckForBrokenSymlinks = true; + }); + }; + pkgs-overlay = pkgs.extend jellyseerrOverlay; +in { services.jellyseerr = { enable = true; + package = pkgs-overlay.jellyseerr; }; } diff --git a/hosts.nix b/hosts.nix index fc029b7..1dfc6fc 100644 --- a/hosts.nix +++ b/hosts.nix @@ -39,6 +39,7 @@ in environment = "proxmox"; }; jellyfin = { + hostNixpkgs = nixpkgs-unstable; site = "vs"; environment = "proxmox"; }; From 1f8814bf3068076c1deee8504b745aeebbea4e07 Mon Sep 17 00:00:00 2001 
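Review bot: The hosts.nix hunk adds `hostNixpkgs = nixpkgs-unstable;` to the `jellyfin` entry, while the commit is titled and described as a jellyseerr change. Moving a host to the unstable channel changes which package set and update cadence it follows, so it should not ride along unexplained. If jellyseerr was the intended host, the line belongs in that entry; if jellyfin is intended, split it into its own commit or add a comment such as `# jellyfin follows unstable because <reason>`. The attribute set for the hosts starts and ends outside the hunk, so the jellyseerr entry is not visible here.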
From: fi Date: Sun, 23 Feb 2025 18:42:28 +0100 Subject: [PATCH 30/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/8ae4ee7978617d3af98721a62f14f25befc0beef?narHash=sha256-2h/5uQaKwQeRXIgpOJpzgeO3qe93AonbJFk0CxTSygY%3D' (2025-02-10) → 'github:NixOS/nixpkgs/2ebb630421d52099270cee0ae14f4fa9ebbe3cdf?narHash=sha256-EJB%2BlbxCkATB8F37DTmEPzfMtiQmyPY0HtgsmJOzKy0%3D' (2025-02-23) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/83a2581c81ff5b06f7c1a4e7cc736a455dfcf7b4?narHash=sha256-L8Tq1dnW96U70vrNpCCGCLHz4rX1GhNRCrRI/iox9wc%3D' (2025-02-12) → 'github:NixOS/nixpkgs/b3a411b68f567a7251485e58901e9b7e5269ca9d?narHash=sha256-iTpw0TQ1FM9I4IE7vLOS/zAYANS//R79nCU352ZeclE%3D' (2025-02-23) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/6cc4213488e886db863878a1e3dc26cc932d38b8?narHash=sha256-c/Z/6gZLN8BIpYh1B3qMzEn0TArjf4F2lmy59lDLVBM%3D' (2025-02-11) → 'github:NixOS/nixpkgs/b7fe81518095c48a8ba94fc7cfe5c0fc8370851b?narHash=sha256-eDAiNagpMExcLoSIgjdef2ZYyvjuy1VTF8r9OZXCMGc%3D' (2025-02-23) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 9645052..ffdb21e 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1739188370, - "narHash": "sha256-2h/5uQaKwQeRXIgpOJpzgeO3qe93AonbJFk0CxTSygY=", + "lastModified": 1740273543, + "narHash": "sha256-EJB+lbxCkATB8F37DTmEPzfMtiQmyPY0HtgsmJOzKy0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8ae4ee7978617d3af98721a62f14f25befc0beef", + "rev": "2ebb630421d52099270cee0ae14f4fa9ebbe3cdf", "type": "github" }, "original": { 
@@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1739319052, - "narHash": "sha256-L8Tq1dnW96U70vrNpCCGCLHz4rX1GhNRCrRI/iox9wc=", + "lastModified": 1740331832, + "narHash": "sha256-iTpw0TQ1FM9I4IE7vLOS/zAYANS//R79nCU352ZeclE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "83a2581c81ff5b06f7c1a4e7cc736a455dfcf7b4", + "rev": "b3a411b68f567a7251485e58901e9b7e5269ca9d", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1739303263, - "narHash": "sha256-c/Z/6gZLN8BIpYh1B3qMzEn0TArjf4F2lmy59lDLVBM=", + "lastModified": 1740301968, + "narHash": "sha256-eDAiNagpMExcLoSIgjdef2ZYyvjuy1VTF8r9OZXCMGc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6cc4213488e886db863878a1e3dc26cc932d38b8", + "rev": "b7fe81518095c48a8ba94fc7cfe5c0fc8370851b", "type": "github" }, "original": { From 2b94a2bbf4ae30637351769fcdeb9e8f524ff0b7 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 23 Feb 2025 18:50:46 +0100 Subject: [PATCH 31/60] ~/node_modules/@mastodon doesn't need to be removed anymore for building mastodon --- config/hosts/mastodon/mastodon.nix | 8 -------- 1 file changed, 8 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 5aa22ad..29d674e 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -50,14 +50,6 @@ let ]; }; yarnHash = "sha256-e5c04M6XplAgaVyldU5HmYMYtY3MAWs+a8Z/BGSyGBg="; - }).overrideAttrs (old: { - mastodonModules = old.mastodonModules.overrideAttrs (old: { - # FIXME: Remove once fixed in nixpkgs. See https://github.com/NixOS/nixpkgs/issues/380366 - postBuild = '' - # Remove workspace "package" as it contains broken symlinks - rm -r ~/node_modules/@mastodon - ''; - }); }); }; pkgs-overlay = pkgs.extend mastodonNekoverseOverlay; From 4661715e04f92d3b13c779381fe650fee2b20bb4 Mon Sep 17 00:00:00 2001 
From: fi Date: Thu, 6 Mar 2025 17:22:25 +0100 Subject: [PATCH 32/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453?narHash=sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL%2BtIBm49vpepwL1MQ%3D' (2025-01-16) → 'github:nix-community/nixos-generators/507911df8c35939050ae324caccc7cf4ffb76565?narHash=sha256-Co2kAD2SZalOm%2B5zoxmzEVZNvZ17TyafuFsD46BwSdY%3D' (2025-03-02) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/2ebb630421d52099270cee0ae14f4fa9ebbe3cdf?narHash=sha256-EJB%2BlbxCkATB8F37DTmEPzfMtiQmyPY0HtgsmJOzKy0%3D' (2025-02-23) → 'github:NixOS/nixpkgs/1907ea1e8f63d206c8bf7991552a539f8a4baeaa?narHash=sha256-WU1ktX7V2RwyPS0BSgdOjHc0vc/rDJtr22tzd5u3t%2BU%3D' (2025-03-06) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/b3a411b68f567a7251485e58901e9b7e5269ca9d?narHash=sha256-iTpw0TQ1FM9I4IE7vLOS/zAYANS//R79nCU352ZeclE%3D' (2025-02-23) → 'github:NixOS/nixpkgs/14a4a1f82773653ac1ac16ed577e42d927380802?narHash=sha256-rS7qyqAQp6h0t3aS%2BFQgzliGV%2BOmh/4TdVnVnRSsGvg%3D' (2025-03-06) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/b7fe81518095c48a8ba94fc7cfe5c0fc8370851b?narHash=sha256-eDAiNagpMExcLoSIgjdef2ZYyvjuy1VTF8r9OZXCMGc%3D' (2025-02-23) → 'github:NixOS/nixpkgs/ffe8d1b1030b5de6eba761102ee34b6e41d040ee?narHash=sha256-/mxmUVd%2BAE2bTmulNfM7yICocUvavlFQHcMYK67z3qI%3D' (2025-03-06) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index ffdb21e..b83d314 100644 --- a/flake.lock +++ b/flake.lock 
@@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1737057290, - "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=", + "lastModified": 1740947705, + "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453", + "rev": "507911df8c35939050ae324caccc7cf4ffb76565", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1740273543, - "narHash": "sha256-EJB+lbxCkATB8F37DTmEPzfMtiQmyPY0HtgsmJOzKy0=", + "lastModified": 1741237477, + "narHash": "sha256-WU1ktX7V2RwyPS0BSgdOjHc0vc/rDJtr22tzd5u3t+U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2ebb630421d52099270cee0ae14f4fa9ebbe3cdf", + "rev": "1907ea1e8f63d206c8bf7991552a539f8a4baeaa", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1740331832, - "narHash": "sha256-iTpw0TQ1FM9I4IE7vLOS/zAYANS//R79nCU352ZeclE=", + "lastModified": 1741277795, + "narHash": "sha256-rS7qyqAQp6h0t3aS+FQgzliGV+Omh/4TdVnVnRSsGvg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b3a411b68f567a7251485e58901e9b7e5269ca9d", + "rev": "14a4a1f82773653ac1ac16ed577e42d927380802", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1740301968, - "narHash": "sha256-eDAiNagpMExcLoSIgjdef2ZYyvjuy1VTF8r9OZXCMGc=", + "lastModified": 1741241576, + "narHash": "sha256-/mxmUVd+AE2bTmulNfM7yICocUvavlFQHcMYK67z3qI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b7fe81518095c48a8ba94fc7cfe5c0fc8370851b", + "rev": "ffe8d1b1030b5de6eba761102ee34b6e41d040ee", "type": "github" }, "original": { From 223739213da2ba69254b5611296bc4a0cf5f2935 Mon Sep 17 00:00:00 2001 From: fi Date: Thu, 6 Mar 2025 17:22:50 +0100 Subject: [PATCH 33/60] Update mastodon to 4.3.4 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 29d674e..d8ba670 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -16,14 +16,14 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.3.3"; + version = "4.3.4"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-6FyLhRy+/uW+RYt+IRHpkTABjKGTQYjR/4GSPN+GlGY="; + sha256 = "sha256-2FpiFSK9CBm7eHqVvV8pPp6fLc5jCcUektpSyxNnXtw="; }; # mastodon ships with broken symlinks, disable the check for that for now dontCheckForBrokenSymlinks = true; From addd97d0e1665589ec55473faab7b940090064e7 Mon Sep 17 00:00:00 2001 
From: fi Date: Fri, 14 Mar 2025 20:08:14 +0100 Subject: [PATCH 34/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/1907ea1e8f63d206c8bf7991552a539f8a4baeaa?narHash=sha256-WU1ktX7V2RwyPS0BSgdOjHc0vc/rDJtr22tzd5u3t%2BU%3D' (2025-03-06) → 'github:NixOS/nixpkgs/68612419aa6c9fd5b178b81e6fabbdf46d300ea4?narHash=sha256-SCNxTTBfMJV7XuTcLUfdAd6cgCGsazzi%2BDoPrceQrZ0%3D' (2025-03-14) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/14a4a1f82773653ac1ac16ed577e42d927380802?narHash=sha256-rS7qyqAQp6h0t3aS%2BFQgzliGV%2BOmh/4TdVnVnRSsGvg%3D' (2025-03-06) → 'github:NixOS/nixpkgs/342c4f300b6f44fd495aefcfb5f84dec4293b32b?narHash=sha256-E0s6stImFTz6weqhEQjvbKH5NdmX8zvztOQNJ80e5v4%3D' (2025-03-14) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/ffe8d1b1030b5de6eba761102ee34b6e41d040ee?narHash=sha256-/mxmUVd%2BAE2bTmulNfM7yICocUvavlFQHcMYK67z3qI%3D' (2025-03-06) → 'github:NixOS/nixpkgs/845dc1e9cbc2e48640b8968af58b4a19db67aa8f?narHash=sha256-pSGMbfkxF7TSeco54W%2BB1q%2Bg22YCVp1qXHgtrdgtyR4%3D' (2025-03-14) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index b83d314..421e924 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1741237477, - "narHash": "sha256-WU1ktX7V2RwyPS0BSgdOjHc0vc/rDJtr22tzd5u3t+U=", + "lastModified": 1741969460, + "narHash": "sha256-SCNxTTBfMJV7XuTcLUfdAd6cgCGsazzi+DoPrceQrZ0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1907ea1e8f63d206c8bf7991552a539f8a4baeaa", + "rev": "68612419aa6c9fd5b178b81e6fabbdf46d300ea4", "type": "github" }, "original": { 
@@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1741277795, - "narHash": "sha256-rS7qyqAQp6h0t3aS+FQgzliGV+Omh/4TdVnVnRSsGvg=", + "lastModified": 1741978821, + "narHash": "sha256-E0s6stImFTz6weqhEQjvbKH5NdmX8zvztOQNJ80e5v4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "14a4a1f82773653ac1ac16ed577e42d927380802", + "rev": "342c4f300b6f44fd495aefcfb5f84dec4293b32b", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1741241576, - "narHash": "sha256-/mxmUVd+AE2bTmulNfM7yICocUvavlFQHcMYK67z3qI=", + "lastModified": 1741960758, + "narHash": "sha256-pSGMbfkxF7TSeco54W+B1q+g22YCVp1qXHgtrdgtyR4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ffe8d1b1030b5de6eba761102ee34b6e41d040ee", + "rev": "845dc1e9cbc2e48640b8968af58b4a19db67aa8f", "type": "github" }, "original": { From 5cbae7e96b72b92800037e0eb26f8456dd48256d Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 14 Mar 2025 20:26:50 +0100 Subject: [PATCH 35/60] Update mastodon to 4.3.6 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index d8ba670..b9dced2 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -16,14 +16,14 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.3.4"; + version = "4.3.6"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-2FpiFSK9CBm7eHqVvV8pPp6fLc5jCcUektpSyxNnXtw="; + sha256 = ""; }; # mastodon ships with broken symlinks, disable the check for that for now dontCheckForBrokenSymlinks = true; From cd85c316366eb42cd654125bfbe7a73bc50cbcb2 Mon Sep 17 00:00:00 2001 
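Review bot: `sha256 = "";` in the `pkgs.fetchgit` call of the "Update mastodon to 4.3.6" hunk leaves the fixed-output pin for the upstream source empty, so this commit cannot build the mastodon host on its own; as far as I know, current nixpkgs fetchers treat an empty hash as a placeholder and the fetch ends in a hash mismatch. The hash is only filled in again by the later 4.3.7 bump in this series, so any revision in between, if deployed or bisected to, has no integrity pin for the Mastodon checkout. Commit the version and its hash together, `sha256 = "PLACEHOLDER_HASH_OF_V4.3.6_SOURCE";`, taking the value from the mismatch error only after checking that `v4.3.6` is the tag you meant to fetch. The overlay body starts and ends outside the hunk.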
From: fi Date: Wed, 2 Apr 2025 17:10:46 +0200 Subject: [PATCH 36/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/507911df8c35939050ae324caccc7cf4ffb76565?narHash=sha256-Co2kAD2SZalOm%2B5zoxmzEVZNvZ17TyafuFsD46BwSdY%3D' (2025-03-02) → 'github:nix-community/nixos-generators/42ee229088490e3777ed7d1162cb9e9d8c3dbb11?narHash=sha256-QaMEhcnscfF2MqB7flZr%2BsLJMMYZPnvqO4NYf9B4G38%3D' (2025-03-21) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/68612419aa6c9fd5b178b81e6fabbdf46d300ea4?narHash=sha256-SCNxTTBfMJV7XuTcLUfdAd6cgCGsazzi%2BDoPrceQrZ0%3D' (2025-03-14) → 'github:NixOS/nixpkgs/44a69ed688786e98a101f02b712c313f1ade37ab?narHash=sha256-vXiKURtntURybE6FMNFAVpRPr8%2Be8KoLPrYs9TGuAKc%3D' (2025-04-02) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/342c4f300b6f44fd495aefcfb5f84dec4293b32b?narHash=sha256-E0s6stImFTz6weqhEQjvbKH5NdmX8zvztOQNJ80e5v4%3D' (2025-03-14) → 'github:NixOS/nixpkgs/11ecec8be63d64b605ea5d30da79a7367e5c868f?narHash=sha256-2ROph1CeLSNAeHPTSXqzvxkFvn7zhZ1PE/3/cr/AI90%3D' (2025-04-02) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/845dc1e9cbc2e48640b8968af58b4a19db67aa8f?narHash=sha256-pSGMbfkxF7TSeco54W%2BB1q%2Bg22YCVp1qXHgtrdgtyR4%3D' (2025-03-14) → 'github:NixOS/nixpkgs/155d1c0aa91f1e7a11693ee96e385bbea87a5a65?narHash=sha256-ZBkvD/Iqx8wKeOirnIbczCj6cxuXFVsmKZ0SeZ1vdfU%3D' (2025-04-02) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 421e924..b289f6c 100644 --- a/flake.lock +++ b/flake.lock 
@@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1740947705, - "narHash": "sha256-Co2kAD2SZalOm+5zoxmzEVZNvZ17TyafuFsD46BwSdY=", + "lastModified": 1742568034, + "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "507911df8c35939050ae324caccc7cf4ffb76565", + "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1741969460, - "narHash": "sha256-SCNxTTBfMJV7XuTcLUfdAd6cgCGsazzi+DoPrceQrZ0=", + "lastModified": 1743576891, + "narHash": "sha256-vXiKURtntURybE6FMNFAVpRPr8+e8KoLPrYs9TGuAKc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "68612419aa6c9fd5b178b81e6fabbdf46d300ea4", + "rev": "44a69ed688786e98a101f02b712c313f1ade37ab", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1741978821, - "narHash": "sha256-E0s6stImFTz6weqhEQjvbKH5NdmX8zvztOQNJ80e5v4=", + "lastModified": 1743605787, + "narHash": "sha256-2ROph1CeLSNAeHPTSXqzvxkFvn7zhZ1PE/3/cr/AI90=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "342c4f300b6f44fd495aefcfb5f84dec4293b32b", + "rev": "11ecec8be63d64b605ea5d30da79a7367e5c868f", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1741960758, - "narHash": "sha256-pSGMbfkxF7TSeco54W+B1q+g22YCVp1qXHgtrdgtyR4=", + "lastModified": 1743601945, + "narHash": "sha256-ZBkvD/Iqx8wKeOirnIbczCj6cxuXFVsmKZ0SeZ1vdfU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "845dc1e9cbc2e48640b8968af58b4a19db67aa8f", + "rev": "155d1c0aa91f1e7a11693ee96e385bbea87a5a65", "type": "github" }, "original": { From e5a5e5423dcd2e31a3bb2ee2fba14f390058fbd8 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 2 Apr 2025 18:29:52 +0200 Subject: [PATCH 37/60] Update mastodon to 4.3.7 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index b9dced2..c0207d8 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -16,14 +16,14 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.3.6"; + version = "4.3.7"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = ""; + sha256 = "sha256-KmeWBMuyJ/ZdZnFXAlpvgXV+J8IZrcaTXvvui4l6mjY="; }; # mastodon ships with broken symlinks, disable the check for that for now dontCheckForBrokenSymlinks = true; From 94518bb723434f98903622808563766d8fd0c7d7 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 2 Apr 2025 18:42:12 +0200 Subject: [PATCH 38/60] Update element-web to 1.11.96 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index c2d71d6..12ad7fa 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.77"; + elementWebVersion = "1.11.96"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-O5Dt54fBoKalaeevBn7px/06Kiuhf6mvogLk4Bvvnrg="; + sha256 = "sha256-zm+mpcHF2rLk2ejwzCOpqHe2mnegHm3ZtJ2v7KC4oxU="; }; elementWebSecurityHeaders = '' # Configuration best practices From 568463021459fed68092dda0806e32a57351c5a7 Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 7 May 2025 04:09:56 +0200 Subject: [PATCH 39/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/44a69ed688786e98a101f02b712c313f1ade37ab?narHash=sha256-vXiKURtntURybE6FMNFAVpRPr8%2Be8KoLPrYs9TGuAKc%3D' (2025-04-02) → 'github:NixOS/nixpkgs/d30125e98b05342aaa8b0013fe3e8425292ac795?narHash=sha256-8jOl5/c44D%2BRHr4KIPeo0e0XvwQ5U1gb79amV8EVUpY%3D' (2025-05-06) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/11ecec8be63d64b605ea5d30da79a7367e5c868f?narHash=sha256-2ROph1CeLSNAeHPTSXqzvxkFvn7zhZ1PE/3/cr/AI90%3D' (2025-04-02) → 'github:NixOS/nixpkgs/b3582c75c7f21ce0b429898980eddbbf05c68e55?narHash=sha256-FshoQvr6Aor5SnORVvh/ZdJ1Sa2U4ZrIMwKBX5k2wu0%3D' (2025-05-07) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/155d1c0aa91f1e7a11693ee96e385bbea87a5a65?narHash=sha256-ZBkvD/Iqx8wKeOirnIbczCj6cxuXFVsmKZ0SeZ1vdfU%3D' (2025-04-02) → 'github:NixOS/nixpkgs/e7072d135f40c89bbb37fc5316dd9723967ee06a?narHash=sha256-0Z63BzW9BrNpRcEmhP%2Bwsb5CPQR0TiHy7UrQ0eb%2BDU0%3D' (2025-05-06) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index b289f6c..0562d58 100644 --- a/flake.lock +++ b/flake.lock @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1743576891, - "narHash": "sha256-vXiKURtntURybE6FMNFAVpRPr8+e8KoLPrYs9TGuAKc=", + "lastModified": 1746561604, + "narHash": "sha256-8jOl5/c44D+RHr4KIPeo0e0XvwQ5U1gb79amV8EVUpY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "44a69ed688786e98a101f02b712c313f1ade37ab", + "rev": "d30125e98b05342aaa8b0013fe3e8425292ac795", "type": "github" }, "original": { 
@@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1743605787, - "narHash": "sha256-2ROph1CeLSNAeHPTSXqzvxkFvn7zhZ1PE/3/cr/AI90=", + "lastModified": 1746576598, + "narHash": "sha256-FshoQvr6Aor5SnORVvh/ZdJ1Sa2U4ZrIMwKBX5k2wu0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "11ecec8be63d64b605ea5d30da79a7367e5c868f", + "rev": "b3582c75c7f21ce0b429898980eddbbf05c68e55", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1743601945, - "narHash": "sha256-ZBkvD/Iqx8wKeOirnIbczCj6cxuXFVsmKZ0SeZ1vdfU=", + "lastModified": 1746554066, + "narHash": "sha256-0Z63BzW9BrNpRcEmhP+wsb5CPQR0TiHy7UrQ0eb+DU0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "155d1c0aa91f1e7a11693ee96e385bbea87a5a65", + "rev": "e7072d135f40c89bbb37fc5316dd9723967ee06a", "type": "github" }, "original": { From a2ce398565167b2667bf1189ee8e1998ad7e695c Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 7 May 2025 04:30:49 +0200 Subject: [PATCH 40/60] Update mastodon yarnHash --- config/hosts/mastodon/mastodon.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index c0207d8..993f43e 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -49,7 +49,7 @@ let "${mastodonNekoversePatches}/patches/006_increase_toot_character_limit.patch" ]; }; - yarnHash = "sha256-e5c04M6XplAgaVyldU5HmYMYtY3MAWs+a8Z/BGSyGBg="; + yarnHash = "sha256-IC4d/skIHEzJPuKlq4rMAqV+ydqquA6toq4WWCfuDxo="; }); }; pkgs-overlay = pkgs.extend mastodonNekoverseOverlay; From e99c3eea156e6cd9483fd47641139a69ae33f64c Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 7 May 2025 05:09:07 +0200 Subject: [PATCH 41/60] Setup element-call --- config/hosts/matrix/default.nix | 1 + config/hosts/matrix/element-call.nix | 15 ++++++++++++ config/hosts/matrix/matrix-synapse.nix | 22 ++++++++++++++++++ config/hosts/matrix/nginx.nix | 23 +++++++++++++++++++ config/hosts/matrix/secrets.nix | 8 +++++++ config/hosts/web-public-2/nginx.nix | 1 + .../virtualHosts/acme-challenge.nix | 1 + .../web-public-2/virtualHosts/nekover.se.nix | 2 +- hosts.nix | 1 + 9 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 config/hosts/matrix/element-call.nix diff --git a/config/hosts/matrix/default.nix b/config/hosts/matrix/default.nix index 5cafdf8..c6cd79a 100644 --- a/config/hosts/matrix/default.nix +++ b/config/hosts/matrix/default.nix @@ -2,6 +2,7 @@ { imports = [ ./configuration.nix + ./element-call.nix ./hardware-configuration.nix ./postgresql.nix ./matrix-authentication-service.nix diff --git a/config/hosts/matrix/element-call.nix b/config/hosts/matrix/element-call.nix new file mode 100644 index 0000000..1c8b442 --- /dev/null +++ b/config/hosts/matrix/element-call.nix @@ -0,0 +1,15 @@ +{ ... }: +{ + services.livekit = { + enable = true; + settings.rtc.use_external_ip = true; + openFirewall = true; + keyFile = "/secrets/matrix-livekit-secret-key.secret"; + }; + services.lk-jwt-service = { + enable = true; + port = 8082; + livekitUrl = "wss://matrix-rtc.nekover.se/livekit/sfu"; + keyFile = "/secrets/matrix-livekit-secret-key.secret"; + }; +} diff --git a/config/hosts/matrix/matrix-synapse.nix b/config/hosts/matrix/matrix-synapse.nix index 85e6735..82b82e1 100644 --- a/config/hosts/matrix/matrix-synapse.nix +++ b/config/hosts/matrix/matrix-synapse.nix 
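Review bot: `services.lk-jwt-service` in `config/hosts/matrix/element-call.nix` is enabled with no limit on which homeservers' users it will issue LiveKit tokens for, while `services.livekit` is opened on the firewall in the same file. Upstream lk-jwt-service exchanges a valid Matrix OpenID token for an SFU token, and newer releases read `LIVEKIT_FULL_ACCESS_HOMESERVERS` (default `*`) to decide whose users get full access. If the packaged version supports it, add `systemd.services.lk-jwt-service.environment.LIVEKIT_FULL_ACCESS_HOMESERVERS = "PLACEHOLDER_SERVER_NAME";` so the SFU is not a free relay for arbitrary federated accounts. Both services read the same `/secrets/matrix-livekit-secret-key.secret`; a one-line comment saying so would help whoever rotates that key.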
@@ -46,6 +46,28 @@ ]; turn_user_lifetime = 86400000; turn_allow_guests = true; + experimental_features = { + # MSC3266: Room summary API. Used for knocking over federation + msc3266_enabled = true; + # MSC4222 needed for syncv2 state_after. This allow clients to + # correctly track the state of the room. + msc4222_enabled = true; + }; + # The maximum allowed duration by which sent events can be delayed, as + # per MSC4140. + max_event_delay_duration = "24h"; + rc_message = { + # This needs to match at least e2ee key sharing frequency plus a bit of headroom + # Note key sharing events are bursty + per_second = 0.5; + burst_count = 30; + }; + rc_delayed_event_mgmt = { + # This needs to match at least the heart-beat frequency plus a bit of headroom + # Currently the heart-beat is every 5 seconds which translates into a rate of 0.2s + per_second = 1; + burst_count = 20; + }; }; extras = [ "oidc" ]; extraConfigFiles = [ diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index 518fe1a..ce3ab3d 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix @@ -57,6 +57,29 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; + set_real_ip_from 10.202.41.100; + real_ip_header proxy_protocol; + ''; + }; + "matrix-rtc.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + ]; + locations."^~ /livekit/jwt/" = { + proxyPass = "http://localhost:8082/"; + }; + locations."^~ /livekit/sfu/" = { + proxyPass = "http://localhost:7880/"; + proxyWebsockets = true; + }; + extraConfig = '' + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; diff --git a/config/hosts/matrix/secrets.nix b/config/hosts/matrix/secrets.nix index 24573fb..5121ded 100644 --- a/config/hosts/matrix/secrets.nix +++ b/config/hosts/matrix/secrets.nix 
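Review bot: The `rc_message` block added in `matrix-synapse.nix` loosens the rate limit for every message sent by every local user, not only the call key-sharing events its comment mentions. Synapse's defaults are 0.2 per second with a burst of 10, and this sets 0.5 and 30. The values look like the ones from the Element Call self-hosting notes, but they also weaken the server's general spam throttle, so I would record the trade-off next to the setting: `# NOTE: applies to all senders; Synapse defaults are per_second 0.2 / burst_count 10`. The `settings` attrset starts and ends outside the hunk.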
@@ -49,5 +49,13 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "matrix-livekit-secret-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "matrix/livekit-secret-key" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index d2386b1..73699fb 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -27,6 +27,7 @@ id.nekover.se 10.202.41.124:8443; mas.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443; + matrix-rtc.nekover.se 10.202.41.112:8443; mewtube.nekover.se 127.0.0.1:8443; nekover.se 127.0.0.1:8443; nix-cache.nekover.se 10.202.41.121:8443; diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 06f828b..8f38379 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -5,6 +5,7 @@ let "mail-1.grzb.de" = "mail-1.vs.grzb.de"; "mas.nekover.se" = "matrix.vs.grzb.de"; "matrix.nekover.se" = "matrix.vs.grzb.de"; + "matrix-rtc.nekover.se" = "matrix.vs.grzb.de"; "netbox.grzb.de" = "netbox.vs.grzb.de"; "git.nekover.se" = "forgejo.vs.grzb.de"; "grafana.grzb.de" = "metrics.vs.grzb.de"; diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index a6a0ef5..40ee30d 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix 
@@ -16,7 +16,7 @@ ''; }; locations."/.well-known/matrix/client" = { - return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"}, \"org.matrix.msc2965.authentication\": {\"issuer\": \"https://mas.nekover.se\", \"account\": \"https://mas.nekover.se/account\"}}'"; + return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.nekover.se\"}, \"m.identity_server\": {\"base_url\": \"https://vector.im\"}, \"org.matrix.msc3575.proxy\": {\"url\": \"https://matrix.nekover.se\"},\"org.matrix.msc2965.authentication\": {\"issuer\": \"https://mas.nekover.se\", \"account\": \"https://mas.nekover.se/account\"}, \"org.matrix.msc4143.rtc_foci\": [{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix-rtc.nekover.se/livekit/jwt\"}, {\"type\": \"nextgen_new_foci_type\", \"props_for_nextgen_foci\": \"val\"}]}'"; extraConfig = '' default_type application/json; add_header Access-Control-Allow-Origin *; diff --git a/hosts.nix b/hosts.nix index 1dfc6fc..1c5e6db 100644 --- a/hosts.nix +++ b/hosts.nix @@ -68,6 +68,7 @@ in environment = "proxmox"; }; matrix = { + hostNixpkgs = nixpkgs-unstable; site = "vs"; environment = "proxmox"; }; From 9c6e4a572284716cbfb77308976a84964b456e2e Mon Sep 17 00:00:00 2001 
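Review bot: The new `/.well-known/matrix/client` body in `nekover.se.nix` advertises a second `org.matrix.msc4143.rtc_foci` entry, `{\"type\": \"nextgen_new_foci_type\", \"props_for_nextgen_foci\": \"val\"}`, which reads like the placeholder from a documentation example rather than a real focus. Every client that fetches this document receives it (the location sends `Access-Control-Allow-Origin *`), so the array should end after the LiveKit entry: `{\"type\": \"livekit\", \"livekit_service_url\": \"https://matrix-rtc.nekover.se/livekit/jwt\"}]`. The JSON is a hand-escaped string, so building it with `builtins.toJSON` would make slips like this easier to spot in review.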
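Review bot: `hostNixpkgs = nixpkgs-unstable;` in `hosts.nix` moves the whole matrix host onto the unstable input, and nothing in the hunk says why or for how long. Going by the imports in `config/hosts/matrix/default.nix`, that covers Synapse, the authentication service and PostgreSQL. Presumably the livekit modules were not available on the stable channel at the time; if so, state it in place so the override gets dropped later: `# unstable only for services.livekit / services.lk-jwt-service; remove once on stable`. The host attrset continues outside the hunk.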
From: Fiona Grzebien Date: Sat, 14 Jun 2025 17:37:52 +0200 Subject: [PATCH 42/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/42ee229088490e3777ed7d1162cb9e9d8c3dbb11?narHash=sha256-QaMEhcnscfF2MqB7flZr%2BsLJMMYZPnvqO4NYf9B4G38%3D' (2025-03-21) → 'github:nix-community/nixos-generators/ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc?narHash=sha256-Obh50J%2BO9jhUM/FgXtI3he/QRNiV9%2BJ53%2Bl%2BRlKSaAk%3D' (2025-05-19) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/d30125e98b05342aaa8b0013fe3e8425292ac795?narHash=sha256-8jOl5/c44D%2BRHr4KIPeo0e0XvwQ5U1gb79amV8EVUpY%3D' (2025-05-06) → 'github:NixOS/nixpkgs/6a06b272523a606c55f7bac29477a091c775d89b?narHash=sha256-WWUjx/6D%2BxmE6boM31L31nM/8csI79BuLgGytZHByz4%3D' (2025-06-14) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/b3582c75c7f21ce0b429898980eddbbf05c68e55?narHash=sha256-FshoQvr6Aor5SnORVvh/ZdJ1Sa2U4ZrIMwKBX5k2wu0%3D' (2025-05-07) → 'github:NixOS/nixpkgs/2756c1e5dc0ad0a66f679918a2ec017399bba1a4?narHash=sha256-4/xR/fd5INr/8CWVc4uTnSAYF%2BsoQsgyqubFBQoCtU8%3D' (2025-06-14) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/e7072d135f40c89bbb37fc5316dd9723967ee06a?narHash=sha256-0Z63BzW9BrNpRcEmhP%2Bwsb5CPQR0TiHy7UrQ0eb%2BDU0%3D' (2025-05-06) → 'github:NixOS/nixpkgs/ba48a1f6ce571455cb631dee840c6cd401ea4adb?narHash=sha256-6%2BAmSZBogyr1zbVc2k4IBcmY/Yt39mC4%2BcfZi0n/AAA%3D' (2025-06-14) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 0562d58..fcf19c8 100644 --- a/flake.lock +++ b/flake.lock 
@@ -55,11 +55,11 @@ ] }, "locked": { - "lastModified": 1742568034, - "narHash": "sha256-QaMEhcnscfF2MqB7flZr+sLJMMYZPnvqO4NYf9B4G38=", + "lastModified": 1747663185, + "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "42ee229088490e3777ed7d1162cb9e9d8c3dbb11", + "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc", "type": "github" }, "original": { @@ -70,11 +70,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1746561604, - "narHash": "sha256-8jOl5/c44D+RHr4KIPeo0e0XvwQ5U1gb79amV8EVUpY=", + "lastModified": 1749866762, + "narHash": "sha256-WWUjx/6D+xmE6boM31L31nM/8csI79BuLgGytZHByz4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d30125e98b05342aaa8b0013fe3e8425292ac795", + "rev": "6a06b272523a606c55f7bac29477a091c775d89b", "type": "github" }, "original": { @@ -101,11 +101,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1746576598, - "narHash": "sha256-FshoQvr6Aor5SnORVvh/ZdJ1Sa2U4ZrIMwKBX5k2wu0=", + "lastModified": 1749914561, + "narHash": "sha256-4/xR/fd5INr/8CWVc4uTnSAYF+soQsgyqubFBQoCtU8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b3582c75c7f21ce0b429898980eddbbf05c68e55", + "rev": "2756c1e5dc0ad0a66f679918a2ec017399bba1a4", "type": "github" }, "original": { @@ -117,11 +117,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1746554066, - "narHash": "sha256-0Z63BzW9BrNpRcEmhP+wsb5CPQR0TiHy7UrQ0eb+DU0=", + "lastModified": 1749896453, + "narHash": "sha256-6+AmSZBogyr1zbVc2k4IBcmY/Yt39mC4+cfZi0n/AAA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e7072d135f40c89bbb37fc5316dd9723967ee06a", + "rev": "ba48a1f6ce571455cb631dee840c6cd401ea4adb", "type": "github" }, "original": { From 5fa52dfdd8e81bedf0565e41e65adaca19a03aad Mon Sep 17 00:00:00 2001 From: Fiona Grzebien Date: Sat, 14 Jun 2025 19:16:47 +0200 Subject: [PATCH 43/60] Update mastodon to 4.3.8 --- config/hosts/mastodon/mastodon.nix | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index 993f43e..d9c9f71 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -2,13 +2,13 @@ let tangerineUI = pkgs.fetchgit { url = "https://github.com/nileane/TangerineUI-for-Mastodon.git"; - rev = "v2.2"; - hash = "sha256-KyXDnpZh1DrY59jvdU42UicgBVvEGtvAGeU1mNxJauQ="; + rev = "v2.3"; + hash = "sha256-Yl5UOjcp0Q3WpiLgfjQFVVEQs4WlVUSBCS7kuO+39wQ="; }; mastodonModern = pkgs.fetchgit { url = "https://git.gay/freeplay/Mastodon-Modern.git"; - rev = "e9e53496789234d5782b5b3d97ed66a130b1678a"; - hash = "sha256-lUq57Gbr1UCMVGoO4xTT3wYPNwohdepxSPCX+WP6AS8="; + rev = "5dc82786107bfb4dc4786571160d63a59cc609d6"; + hash = "sha256-0qr+PN1eTR2iqicJEEUskm0DchpZhocEVwoHfwOvHMw="; }; mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; @@ -16,14 +16,14 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.3.7"; + version = "4.3.8"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-KmeWBMuyJ/ZdZnFXAlpvgXV+J8IZrcaTXvvui4l6mjY="; + sha256 = "sha256-08AApylDOz8oExZ0cRaZTgNAuP+1wiLkx0SDhkO2fMM="; }; # mastodon ships with broken symlinks, disable the check for that for now dontCheckForBrokenSymlinks = true; @@ -50,6 +50,7 @@ let ]; }; yarnHash = "sha256-IC4d/skIHEzJPuKlq4rMAqV+ydqquA6toq4WWCfuDxo="; + yarnMissingHashes = null; }); }; pkgs-overlay = pkgs.extend mastodonNekoverseOverlay; From 95e5264c78f450fc7ca5b36f82e800b30db3fad2 Mon Sep 17 00:00:00 2001 From: Fiona Grzebien Date: Sat, 14 Jun 2025 20:57:13 +0200 Subject: [PATCH 44/60] Set nixpkgs to 25.05 --- flake.lock | 127 ++++++++++++++++++++++++++++++----------------------- flake.nix | 4 +- 2 files changed, 74 insertions(+), 57 deletions(-) 
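Review bot: `yarnMissingHashes = null;` is added to the mastodon override without a comment, and `yarnHash` on the line above keeps the value from an earlier commit although `version` and the source hash change. With a fixed-output hash left as it is, Nix will reuse an offline cache already in the store instead of refetching it, so a stale `yarnHash` can go unnoticed until the store path is gone; it is worth confirming the dependencies really are identical for 4.3.8. If the null is there because the package's own missing-hashes file does not fit the overridden source, say so: `# upstream missing-hashes file does not match srcOverride; deps are pinned by yarnHash`. The override body starts outside the hunk.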
diff --git a/flake.lock b/flake.lock index fcf19c8..756fecc 100644 --- a/flake.lock +++ b/flake.lock @@ -32,6 +32,54 @@ "type": "github" } }, + "git-hooks": { + "inputs": { + "flake-compat": [ + "simple-nixos-mailserver", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "simple-nixos-mailserver", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1749636823, + "narHash": "sha256-WUaIlOlPLyPgz9be7fqWJA5iG6rHcGRtLERSCfUDne4=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "623c56286de5a3193aa38891a6991b28f9bab056", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "simple-nixos-mailserver", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "nixlib": { "locked": { "lastModified": 1736643958, 
@@ -70,33 +118,34 @@ }, "nixpkgs": { "locked": { - "lastModified": 1749866762, - "narHash": "sha256-WWUjx/6D+xmE6boM31L31nM/8csI79BuLgGytZHByz4=", + "lastModified": 1749882819, + "narHash": "sha256-cKo4Kczm4e7IY1fix2Tj9Kn+UUHVR1Goy42mz2hUGng=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6a06b272523a606c55f7bac29477a091c775d89b", + "rev": "db926a14a923e4b14d474577efac0b6d93900941", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.11-small", + "ref": "nixos-25.05-small", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-24_05": { + "nixpkgs-25_05": { "locked": { - "lastModified": 1717144377, - "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", + "lastModified": 1749727998, + "narHash": "sha256-mHv/yeUbmL91/TvV95p+mBVahm9mdQMJoqaTVTALaFw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "805a384895c696f802a9bf5bf4720f37385df547", + "rev": "fd487183437963a59ba763c0cc4f27e3447dd6dd", "type": "github" }, "original": { - "id": "nixpkgs", - "ref": "nixos-24.05", - "type": "indirect" + "owner": "NixOS", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" } }, "nixpkgs-master": { @@ -133,17 +182,18 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1717602782, - "narHash": "sha256-pL9jeus5QpX5R+9rsp3hhZ+uplVHscNJh8n8VpqscM0=", + "lastModified": 1749794982, + "narHash": "sha256-Kh9K4taXbVuaLC0IL+9HcfvxsSUx8dPB5s5weJcc9pc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e8057b67ebf307f01bdcc8fba94d94f75039d1f6", + "rev": "ee930f9755f58096ac6e8ca94a1887e0534e2d81", "type": "github" }, "original": { - "id": "nixpkgs", + "owner": "NixOS", "ref": "nixos-unstable", - "type": "indirect" + "repo": "nixpkgs", + "type": "github" } }, "root": { 
@@ -159,57 +209,24 @@ "inputs": { "blobs": "blobs", "flake-compat": "flake-compat", + "git-hooks": "git-hooks", "nixpkgs": "nixpkgs_2", - "nixpkgs-24_05": "nixpkgs-24_05", - "utils": "utils" + "nixpkgs-25_05": "nixpkgs-25_05" }, "locked": { - "lastModified": 1734885828, - "narHash": "sha256-G0fB1YBlkalu8lLGRB07K8CpUWNVd+unfrjNomSL7SM=", + "lastModified": 1747965231, + "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "636b82f4175e3f6b1e80d2189bb0469e2ae01a55", + "rev": "53007af63fade28853408370c4c600a63dd97f41", "type": "gitlab" }, "original": { "owner": "simple-nixos-mailserver", - "ref": "nixos-24.05", + "ref": "nixos-25.05", "repo": "nixos-mailserver", "type": "gitlab" } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1709126324, - "narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "d465f4819400de7c8d874d50b982301f28a84605", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index e5a6b25..a2a822f 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,13 +1,13 @@ { inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05-small"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-master.url = "github:NixOS/nixpkgs/master"; nixos-generators = { url = "github:nix-community/nixos-generators"; inputs.nixpkgs.follows = "nixpkgs"; }; - simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-24.05"; + simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05"; }; outputs = { self, nixpkgs, nixpkgs-unstable, nixpkgs-master, nixos-generators, simple-nixos-mailserver, ... }@inputs: From fa0c4cabccf0e0b66dcb5612d6e3a0411adead6d Mon Sep 17 00:00:00 2001 From: Fiona Grzebien Date: Sat, 14 Jun 2025 21:26:57 +0200 Subject: [PATCH 45/60] Update nextcloud to Nextcloud 31 --- config/hosts/nextcloud/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix index 6adfeae..4adb1cf 100644 --- a/config/hosts/nextcloud/nextcloud.nix +++ b/config/hosts/nextcloud/nextcloud.nix @@ -2,7 +2,7 @@ { services.nextcloud = { enable = true; - package = pkgs.nextcloud30; + package = pkgs.nextcloud31; hostName = "cloud.nekover.se"; https = true; config = { From 50cd2305c4a696c94fc78e2fd134aaaf0df688f5 Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 10 May 2025 00:10:09 +0200 Subject: [PATCH 46/60] Enable prometheus alertmanager --- config/hosts/metrics/nginx.nix | 19 +++++++++++++++++++ config/hosts/metrics/prometheus.nix | 6 ++++++ .../virtualHosts/acme-challenge.nix | 1 + 3 files changed, 26 insertions(+) diff --git a/config/hosts/metrics/nginx.nix b/config/hosts/metrics/nginx.nix index 9e31454..aefb0b5 100644 --- a/config/hosts/metrics/nginx.nix +++ b/config/hosts/metrics/nginx.nix 
@@ -22,6 +22,25 @@ proxyWebsockets = true; }; }; + "alertmanager.grzb.de"= { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/" = { + proxyPass = "http://${config.services.prometheus.alertmanager.listenAddress}:${builtins.toString config.services.prometheus.alertmanager.port}"; + proxyWebsockets = true; + }; + }; }; }; } diff --git a/config/hosts/metrics/prometheus.nix b/config/hosts/metrics/prometheus.nix index c4b45b1..b45eb94 100644 --- a/config/hosts/metrics/prometheus.nix +++ b/config/hosts/metrics/prometheus.nix @@ -2,6 +2,7 @@ { services.prometheus = { enable = true; + retentionTime = "90d"; scrapeConfigs = [ { job_name = "node"; @@ -15,5 +16,10 @@ }) (builtins.attrNames hosts); } ]; + alertmanager = { + enable = true; + listenAddress = "localhost"; + webExternalUrl = "https://alertmanager.grzb.de"; + }; }; } diff --git a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix index 8f38379..38d2804 100644 --- a/config/hosts/web-public-2/virtualHosts/acme-challenge.nix +++ b/config/hosts/web-public-2/virtualHosts/acme-challenge.nix @@ -1,6 +1,7 @@ { ... }: let acmeDomainMap = { + "alertmanager.grzb.de" = "metrics.vs.grzb.de"; "jellyfin.grzb.de" = "jellyfin.vs.grzb.de"; "mail-1.grzb.de" = "mail-1.vs.grzb.de"; "mas.nekover.se" = "matrix.vs.grzb.de"; From 26ab8bc86e7b79d86db506aa9b04faf1f4ef1711 Mon Sep 17 00:00:00 2001 
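Review bot: The new `alertmanager.grzb.de` vhost in `config/hosts/metrics/nginx.nix` proxies `/` straight to Alertmanager with no access control. Alertmanager does not authenticate requests by default, so anyone who can reach this listener can read alerts and create or expire silences through the UI and API. Whether the listener is reachable from the internet is not visible in the hunk, but the name gets a public ACME certificate. Gate the location, e.g. `basicAuthFile = "PLACEHOLDER_PATH_TO_HTPASSWD_SECRET";`, or restrict it with `allow PLACEHOLDER_MGMT_CIDR; deny all;` in `extraConfig`. The `virtualHosts` set starts outside the hunk.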
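Review bot: In `config/hosts/metrics/prometheus.nix` the `alertmanager` block sets only `enable`, `listenAddress` and `webExternalUrl`; it has no `configuration` with a route and receivers, and the hunk adds no `alertmanagers` target or rules to `services.prometheus`. Unless those are defined in another file, the module may refuse to evaluate without a configuration, and in any case no alert would reach anyone. Add a minimal `configuration.route` / `configuration.receivers` pair and point Prometheus at the local instance with `alertmanagers = [ { static_configs = [ { targets = [ "localhost:9093" ]; } ]; } ];` (9093 being the module's default port, which this hunk does not override).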
From: fi Date: Sun, 15 Jun 2025 21:43:21 +0200 Subject: [PATCH 47/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/db926a14a923e4b14d474577efac0b6d93900941?narHash=sha256-cKo4Kczm4e7IY1fix2Tj9Kn%2BUUHVR1Goy42mz2hUGng%3D' (2025-06-14) → 'github:NixOS/nixpkgs/309c59af092b9044a9edfc781cfbf6aa258403c9?narHash=sha256-BpIk0JqIzN9Ws4keIaf2FquNF46W5oyjhi2g0cGp3ks%3D' (2025-06-15) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/2756c1e5dc0ad0a66f679918a2ec017399bba1a4?narHash=sha256-4/xR/fd5INr/8CWVc4uTnSAYF%2BsoQsgyqubFBQoCtU8%3D' (2025-06-14) → 'github:NixOS/nixpkgs/edcaeb67ef6ef8d57443ddc35be953d8ac39258b?narHash=sha256-lO6pbyJy8AlmCH50M9Am1L6BmvrGwI6qqQYhyBp/DQI%3D' (2025-06-15) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/ba48a1f6ce571455cb631dee840c6cd401ea4adb?narHash=sha256-6%2BAmSZBogyr1zbVc2k4IBcmY/Yt39mC4%2BcfZi0n/AAA%3D' (2025-06-14) → 'github:NixOS/nixpkgs/68eb4789b2a9881bcaad2f88fb3771bc7c7f24fa?narHash=sha256-y6frNvpXfbFWfzcCXs1WTRb0ynRbov0sWT9XJPBe%2BgQ%3D' (2025-06-15) • Updated input 'simple-nixos-mailserver/flake-compat': 'github:edolstra/flake-compat/0f9255e01c2351cc7d116c072cb317785dd33b33?narHash=sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U%3D' (2023-10-04) → 'github:edolstra/flake-compat/9100a0f413b0c601e0533d1d94ffd501ce2e7885?narHash=sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX%2BfjA8Xf8PUmqCY%3D' (2025-05-12) • Updated input 'simple-nixos-mailserver/git-hooks': 'github:cachix/git-hooks.nix/623c56286de5a3193aa38891a6991b28f9bab056?narHash=sha256-WUaIlOlPLyPgz9be7fqWJA5iG6rHcGRtLERSCfUDne4%3D' (2025-06-11) → 'github:cachix/git-hooks.nix/dcf5072734cb576d2b0c59b2ac44f5050b5eac82?narHash=sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco%3D' (2025-03-22) • Updated input 'simple-nixos-mailserver/nixpkgs': 
'github:NixOS/nixpkgs/ee930f9755f58096ac6e8ca94a1887e0534e2d81?narHash=sha256-Kh9K4taXbVuaLC0IL%2B9HcfvxsSUx8dPB5s5weJcc9pc%3D' (2025-06-13) → 'github:NixOS/nixpkgs/adaa24fbf46737f3f1b5497bf64bae750f82942e?narHash=sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY%3D' (2025-05-13) • Updated input 'simple-nixos-mailserver/nixpkgs-25_05': 'github:NixOS/nixpkgs/fd487183437963a59ba763c0cc4f27e3447dd6dd?narHash=sha256-mHv/yeUbmL91/TvV95p%2BmBVahm9mdQMJoqaTVTALaFw%3D' (2025-06-12) → 'github:NixOS/nixpkgs/ca49c4304acf0973078db0a9d200fd2bae75676d?narHash=sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh%2BR0EKZfroAc%3D' (2025-05-18) --- flake.lock | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/flake.lock b/flake.lock index 756fecc..79452d8 100644 --- a/flake.lock +++ b/flake.lock @@ -19,11 +19,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "lastModified": 1747046372, + "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", "owner": "edolstra", "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", "type": "github" }, "original": { @@ -45,11 +45,11 @@ ] }, "locked": { - "lastModified": 1749636823, - "narHash": "sha256-WUaIlOlPLyPgz9be7fqWJA5iG6rHcGRtLERSCfUDne4=", + "lastModified": 1742649964, + "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "623c56286de5a3193aa38891a6991b28f9bab056", + "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82", "type": "github" }, "original": { 
@@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1749882819, - "narHash": "sha256-cKo4Kczm4e7IY1fix2Tj9Kn+UUHVR1Goy42mz2hUGng=", + "lastModified": 1749997939, + "narHash": "sha256-BpIk0JqIzN9Ws4keIaf2FquNF46W5oyjhi2g0cGp3ks=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "db926a14a923e4b14d474577efac0b6d93900941", + "rev": "309c59af092b9044a9edfc781cfbf6aa258403c9", "type": "github" }, "original": { @@ -134,11 +134,11 @@ }, "nixpkgs-25_05": { "locked": { - "lastModified": 1749727998, - "narHash": "sha256-mHv/yeUbmL91/TvV95p+mBVahm9mdQMJoqaTVTALaFw=", + "lastModified": 1747610100, + "narHash": "sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh+R0EKZfroAc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fd487183437963a59ba763c0cc4f27e3447dd6dd", + "rev": "ca49c4304acf0973078db0a9d200fd2bae75676d", "type": "github" }, "original": { @@ -150,11 +150,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1749914561, - "narHash": "sha256-4/xR/fd5INr/8CWVc4uTnSAYF+soQsgyqubFBQoCtU8=", + "lastModified": 1750014763, + "narHash": "sha256-lO6pbyJy8AlmCH50M9Am1L6BmvrGwI6qqQYhyBp/DQI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "2756c1e5dc0ad0a66f679918a2ec017399bba1a4", + "rev": "edcaeb67ef6ef8d57443ddc35be953d8ac39258b", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1749896453, - "narHash": "sha256-6+AmSZBogyr1zbVc2k4IBcmY/Yt39mC4+cfZi0n/AAA=", + "lastModified": 1749984698, + "narHash": "sha256-y6frNvpXfbFWfzcCXs1WTRb0ynRbov0sWT9XJPBe+gQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ba48a1f6ce571455cb631dee840c6cd401ea4adb", + "rev": "68eb4789b2a9881bcaad2f88fb3771bc7c7f24fa", "type": "github" }, "original": { 
@@ -182,11 +182,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1749794982, - "narHash": "sha256-Kh9K4taXbVuaLC0IL+9HcfvxsSUx8dPB5s5weJcc9pc=", + "lastModified": 1747179050, + "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ee930f9755f58096ac6e8ca94a1887e0534e2d81", + "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e", "type": "github" }, "original": { From 2765e926445498962b5e6c1cd1250f2dc7fee1de Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 29 Jun 2025 21:40:34 +0200 Subject: [PATCH 48/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/309c59af092b9044a9edfc781cfbf6aa258403c9?narHash=sha256-BpIk0JqIzN9Ws4keIaf2FquNF46W5oyjhi2g0cGp3ks%3D' (2025-06-15) → 'github:NixOS/nixpkgs/7821ec89cbd9ae16ac64a896695f69010a14d296?narHash=sha256-Vev0zwGq3SdXWYUYa%2BzMLI0vyqIaYbSwZzAEqHNaG1c%3D' (2025-06-29) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/edcaeb67ef6ef8d57443ddc35be953d8ac39258b?narHash=sha256-lO6pbyJy8AlmCH50M9Am1L6BmvrGwI6qqQYhyBp/DQI%3D' (2025-06-15) → 'github:NixOS/nixpkgs/6193b8d04ba5a5358cac7402b51948fe70b33b19?narHash=sha256-3SkElpRtpLPPUsD2Th60pznnT5Y3wKjOwivSAekPPpI%3D' (2025-06-29) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/68eb4789b2a9881bcaad2f88fb3771bc7c7f24fa?narHash=sha256-y6frNvpXfbFWfzcCXs1WTRb0ynRbov0sWT9XJPBe%2BgQ%3D' (2025-06-15) → 'github:NixOS/nixpkgs/650e71cbf76de8dd16f5648a96981b726c4ef8fe?narHash=sha256-omYD%2BH5LlSihz2DRfv90I8Oeo7JNEwvcHPHX%2B6nMIM4%3D' (2025-06-29) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 79452d8..34cb259 100644 --- a/flake.lock +++ b/flake.lock 
@@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1749997939, - "narHash": "sha256-BpIk0JqIzN9Ws4keIaf2FquNF46W5oyjhi2g0cGp3ks=", + "lastModified": 1751201298, + "narHash": "sha256-Vev0zwGq3SdXWYUYa+zMLI0vyqIaYbSwZzAEqHNaG1c=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "309c59af092b9044a9edfc781cfbf6aa258403c9", + "rev": "7821ec89cbd9ae16ac64a896695f69010a14d296", "type": "github" }, "original": { @@ -150,11 +150,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1750014763, - "narHash": "sha256-lO6pbyJy8AlmCH50M9Am1L6BmvrGwI6qqQYhyBp/DQI=", + "lastModified": 1751225728, + "narHash": "sha256-3SkElpRtpLPPUsD2Th60pznnT5Y3wKjOwivSAekPPpI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "edcaeb67ef6ef8d57443ddc35be953d8ac39258b", + "rev": "6193b8d04ba5a5358cac7402b51948fe70b33b19", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1749984698, - "narHash": "sha256-y6frNvpXfbFWfzcCXs1WTRb0ynRbov0sWT9XJPBe+gQ=", + "lastModified": 1751203939, + "narHash": "sha256-omYD+H5LlSihz2DRfv90I8Oeo7JNEwvcHPHX+6nMIM4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "68eb4789b2a9881bcaad2f88fb3771bc7c7f24fa", + "rev": "650e71cbf76de8dd16f5648a96981b726c4ef8fe", "type": "github" }, "original": { From 2133779fe2cbacdf6078417e18980b1e173843e7 Mon Sep 17 00:00:00 2001 From: fi Date: Sun, 29 Jun 2025 21:46:42 +0200 Subject: [PATCH 49/60] Disable alertmanager for now --- config/hosts/metrics/prometheus.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/config/hosts/metrics/prometheus.nix b/config/hosts/metrics/prometheus.nix index b45eb94..236fb58 100644 --- a/config/hosts/metrics/prometheus.nix +++ b/config/hosts/metrics/prometheus.nix @@ -16,10 +16,5 @@ }) (builtins.attrNames hosts); } ]; - alertmanager = { - enable = true; - listenAddress = "localhost"; - webExternalUrl = "https://alertmanager.grzb.de"; - }; }; } From ef2841f187fd90232651bf8dfedcb5a53178c980 Mon Sep 17 00:00:00 2001 
From: fi Date: Fri, 4 Jul 2025 21:12:38 +0200 Subject: [PATCH 50/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/7821ec89cbd9ae16ac64a896695f69010a14d296?narHash=sha256-Vev0zwGq3SdXWYUYa%2BzMLI0vyqIaYbSwZzAEqHNaG1c%3D' (2025-06-29) → 'github:NixOS/nixpkgs/7a732ed41ca0dd64b4b71b563ab9805a80a7d693?narHash=sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA%3D' (2025-07-03) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/6193b8d04ba5a5358cac7402b51948fe70b33b19?narHash=sha256-3SkElpRtpLPPUsD2Th60pznnT5Y3wKjOwivSAekPPpI%3D' (2025-06-29) → 'github:NixOS/nixpkgs/e1dca425c33650ae9ea15e577012d49586f29cef?narHash=sha256-2QDfhYjPFui9iQNTXBLcbffWVWbYLntm9EM/eFU3kX8%3D' (2025-07-04) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/650e71cbf76de8dd16f5648a96981b726c4ef8fe?narHash=sha256-omYD%2BH5LlSihz2DRfv90I8Oeo7JNEwvcHPHX%2B6nMIM4%3D' (2025-06-29) → 'github:NixOS/nixpkgs/a2867cc3f8acc944cb19fe0b73c840e9fa1ba589?narHash=sha256-5aZFBHQNQzrfCisewtYBDNbiKcHbxPYChiP4dkEcSXQ%3D' (2025-07-04) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 34cb259..8c02ce9 100644 --- a/flake.lock +++ b/flake.lock @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1751201298, - "narHash": "sha256-Vev0zwGq3SdXWYUYa+zMLI0vyqIaYbSwZzAEqHNaG1c=", + "lastModified": 1751582995, + "narHash": "sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7821ec89cbd9ae16ac64a896695f69010a14d296", + "rev": "7a732ed41ca0dd64b4b71b563ab9805a80a7d693", "type": "github" }, "original": { 
@@ -150,11 +150,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1751225728, - "narHash": "sha256-3SkElpRtpLPPUsD2Th60pznnT5Y3wKjOwivSAekPPpI=", + "lastModified": 1751655236, + "narHash": "sha256-2QDfhYjPFui9iQNTXBLcbffWVWbYLntm9EM/eFU3kX8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6193b8d04ba5a5358cac7402b51948fe70b33b19", + "rev": "e1dca425c33650ae9ea15e577012d49586f29cef", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1751203939, - "narHash": "sha256-omYD+H5LlSihz2DRfv90I8Oeo7JNEwvcHPHX+6nMIM4=", + "lastModified": 1751619433, + "narHash": "sha256-5aZFBHQNQzrfCisewtYBDNbiKcHbxPYChiP4dkEcSXQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "650e71cbf76de8dd16f5648a96981b726c4ef8fe", + "rev": "a2867cc3f8acc944cb19fe0b73c840e9fa1ba589", "type": "github" }, "original": { From b966bb235b6e459a3022e6d3d42bb991aeb8e1a5 Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 5 Jul 2025 00:34:00 +0200 Subject: [PATCH 51/60] Update mastodon 4.3.9 --- config/hosts/mastodon/mastodon.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index d9c9f71..e5249d8 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix @@ -16,14 +16,14 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.3.8"; + version = "4.3.9"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-08AApylDOz8oExZ0cRaZTgNAuP+1wiLkx0SDhkO2fMM="; + sha256 = "sha256-A2WxVwaarT866s97uwfStBVtv7T5czF7ymRswtZ2K4M="; }; # mastodon ships with broken symlinks, disable the check for that for now dontCheckForBrokenSymlinks = true; From 99a626a90d834186352e799176c7b8cbe31f56e1 Mon Sep 17 00:00:00 2001 
From: fi Date: Thu, 10 Jul 2025 20:59:24 +0200 Subject: [PATCH 52/60] Update element-web to 1.11.105 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index 12ad7fa..d963302 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.96"; + elementWebVersion = "1.11.105"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-zm+mpcHF2rLk2ejwzCOpqHe2mnegHm3ZtJ2v7KC4oxU="; + sha256 = "sha256-fuiXudYnZRf37R8e1+g0bqw5UUV+dbluTOXAHe9PSHs="; }; elementWebSecurityHeaders = '' # Configuration best practices From 992959801aecce9985ac4f7286ca8a0df4506a50 Mon Sep 17 00:00:00 2001 
From: fi Date: Thu, 10 Jul 2025 21:04:29 +0200 Subject: [PATCH 53/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixos-generators': 'github:nix-community/nixos-generators/ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc?narHash=sha256-Obh50J%2BO9jhUM/FgXtI3he/QRNiV9%2BJ53%2Bl%2BRlKSaAk%3D' (2025-05-19) → 'github:nix-community/nixos-generators/032decf9db65efed428afd2fa39d80f7089085eb?narHash=sha256-PeSkNMvkpEvts%2B9DjFiop1iT2JuBpyknmBUs0Un0a4I%3D' (2025-07-07) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/7a732ed41ca0dd64b4b71b563ab9805a80a7d693?narHash=sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA%3D' (2025-07-03) → 'github:NixOS/nixpkgs/0d81cd273efaaca0aa5c9685a462c6b91fc704fd?narHash=sha256-TPZMmQNsGdsZcsTz%2BMbunpJ2k1H/IIrOUFhRhggVjCI%3D' (2025-07-10) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/e1dca425c33650ae9ea15e577012d49586f29cef?narHash=sha256-2QDfhYjPFui9iQNTXBLcbffWVWbYLntm9EM/eFU3kX8%3D' (2025-07-04) → 'github:NixOS/nixpkgs/9f59c3509790d97927db3158a5d57db640a1ffbd?narHash=sha256-7pIGMCV944sxrrfPcdz2FkY8ZrBhVZERRq1BkkXnmKk%3D' (2025-07-10) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/a2867cc3f8acc944cb19fe0b73c840e9fa1ba589?narHash=sha256-5aZFBHQNQzrfCisewtYBDNbiKcHbxPYChiP4dkEcSXQ%3D' (2025-07-04) → 'github:NixOS/nixpkgs/40de82b434526744da778ed53c742c1282d9e75e?narHash=sha256-5rWuf6RAlMDp/CAEuyYEz7ryxzgjxOCgUDhWEef864c%3D' (2025-07-10) --- flake.lock | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/flake.lock b/flake.lock index 8c02ce9..f8a97fd 100644 --- a/flake.lock +++ b/flake.lock 
@@ -103,11 +103,11 @@ ] }, "locked": { - "lastModified": 1747663185, - "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=", + "lastModified": 1751903740, + "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc", + "rev": "032decf9db65efed428afd2fa39d80f7089085eb", "type": "github" }, "original": { @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1751582995, - "narHash": "sha256-u7ubvtxdTnFPpV27AHpgoKn7qHuE7sgWgza/1oj5nzA=", + "lastModified": 1752140043, + "narHash": "sha256-TPZMmQNsGdsZcsTz+MbunpJ2k1H/IIrOUFhRhggVjCI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7a732ed41ca0dd64b4b71b563ab9805a80a7d693", + "rev": "0d81cd273efaaca0aa5c9685a462c6b91fc704fd", "type": "github" }, "original": { @@ -150,11 +150,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1751655236, - "narHash": "sha256-2QDfhYjPFui9iQNTXBLcbffWVWbYLntm9EM/eFU3kX8=", + "lastModified": 1752174206, + "narHash": "sha256-7pIGMCV944sxrrfPcdz2FkY8ZrBhVZERRq1BkkXnmKk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e1dca425c33650ae9ea15e577012d49586f29cef", + "rev": "9f59c3509790d97927db3158a5d57db640a1ffbd", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1751619433, - "narHash": "sha256-5aZFBHQNQzrfCisewtYBDNbiKcHbxPYChiP4dkEcSXQ=", + "lastModified": 1752124863, + "narHash": "sha256-5rWuf6RAlMDp/CAEuyYEz7ryxzgjxOCgUDhWEef864c=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a2867cc3f8acc944cb19fe0b73c840e9fa1ba589", + "rev": "40de82b434526744da778ed53c742c1282d9e75e", "type": "github" }, "original": { From 4c1dba2f8d11c95f90dac8b828c34734906f6b9e Mon Sep 17 00:00:00 2001 
From: fi Date: Wed, 16 Jul 2025 18:16:02 +0200 Subject: [PATCH 54/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/0d81cd273efaaca0aa5c9685a462c6b91fc704fd?narHash=sha256-TPZMmQNsGdsZcsTz%2BMbunpJ2k1H/IIrOUFhRhggVjCI%3D' (2025-07-10) → 'github:NixOS/nixpkgs/32a4e87942101f1c9f9865e04dc3ddb175f5f32e?narHash=sha256-f3pO%2B9lg66mV7IMmmIqG4PL3223TYMlnlw%2Bpnpelbss%3D' (2025-07-15) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/9f59c3509790d97927db3158a5d57db640a1ffbd?narHash=sha256-7pIGMCV944sxrrfPcdz2FkY8ZrBhVZERRq1BkkXnmKk%3D' (2025-07-10) → 'github:NixOS/nixpkgs/a0b29e1b8d072a9f472500997c58252d064c5285?narHash=sha256-TRvw/iAyDqMoRe58kCE6d9FvlsXcdqCTt6w8qRio9U8%3D' (2025-07-16) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/40de82b434526744da778ed53c742c1282d9e75e?narHash=sha256-5rWuf6RAlMDp/CAEuyYEz7ryxzgjxOCgUDhWEef864c%3D' (2025-07-10) → 'github:NixOS/nixpkgs/9100a4f6bf446603b9575927c8585162f9ec9aa6?narHash=sha256-oeRcp4VEyZ/3ZgfRRoq60/08l2zy0K53l8MdfSIYd24%3D' (2025-07-16) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index f8a97fd..e7d24fc 100644 --- a/flake.lock +++ b/flake.lock @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1752140043, - "narHash": "sha256-TPZMmQNsGdsZcsTz+MbunpJ2k1H/IIrOUFhRhggVjCI=", + "lastModified": 1752620740, + "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0d81cd273efaaca0aa5c9685a462c6b91fc704fd", + "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e", "type": "github" }, "original": { 
@@ -150,11 +150,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1752174206, - "narHash": "sha256-7pIGMCV944sxrrfPcdz2FkY8ZrBhVZERRq1BkkXnmKk=", + "lastModified": 1752682292, + "narHash": "sha256-TRvw/iAyDqMoRe58kCE6d9FvlsXcdqCTt6w8qRio9U8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9f59c3509790d97927db3158a5d57db640a1ffbd", + "rev": "a0b29e1b8d072a9f472500997c58252d064c5285", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1752124863, - "narHash": "sha256-5rWuf6RAlMDp/CAEuyYEz7ryxzgjxOCgUDhWEef864c=", + "lastModified": 1752644555, + "narHash": "sha256-oeRcp4VEyZ/3ZgfRRoq60/08l2zy0K53l8MdfSIYd24=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "40de82b434526744da778ed53c742c1282d9e75e", + "rev": "9100a4f6bf446603b9575927c8585162f9ec9aa6", "type": "github" }, "original": { From 0b594524243746f966879737466e0b5cf16cbb41 Mon Sep 17 00:00:00 2001 From: fi Date: Wed, 16 Jul 2025 18:25:56 +0200 Subject: [PATCH 55/60] Update mastodon to v4.4.1 --- config/hosts/mastodon/mastodon.nix | 21 +++++++++++---------- config/hosts/mastodon/secrets.nix | 8 -------- 2 files changed, 11 insertions(+), 18 deletions(-) diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index e5249d8..bae9b17 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix 
@@ -2,28 +2,28 @@ let tangerineUI = pkgs.fetchgit { url = "https://github.com/nileane/TangerineUI-for-Mastodon.git"; - rev = "v2.3"; - hash = "sha256-Yl5UOjcp0Q3WpiLgfjQFVVEQs4WlVUSBCS7kuO+39wQ="; + rev = "v2.4.3"; + hash = "sha256-OThT3fp676RMfYY3ehzM4DnAlJOqdPoYIHpoBbN/RHQ="; }; mastodonModern = pkgs.fetchgit { url = "https://git.gay/freeplay/Mastodon-Modern.git"; - rev = "5dc82786107bfb4dc4786571160d63a59cc609d6"; - hash = "sha256-0qr+PN1eTR2iqicJEEUskm0DchpZhocEVwoHfwOvHMw="; + rev = "9f8db85eda2a65aa020ab6b81d100a121d39d4c4"; + hash = "sha256-W6zwjAjBGARiRPM0hWCnq63nIT2Or0SOQq82bpNtqAk="; }; mastodonNekoversePatches = pkgs.fetchgit { url = "https://github.com/yuri-qq/nekoverse-mastodon-patches.git"; - hash = "sha256-3jWbKll5RGB1vfEmONVivzGYcoONEkBEHh/rOt9LXlU="; + hash = "sha256-NtdJWMi8/siduX2iFD+GAsK9J+Y6T/tZ/fXqb/QH284="; }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.3.9"; + version = "4.4.1"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-A2WxVwaarT866s97uwfStBVtv7T5czF7ymRswtZ2K4M="; + sha256 = "sha256-hu6AmR0CvI3lVixJ2UmWY3KAlWbqYULCQAjRGJcuIhc="; }; # mastodon ships with broken symlinks, disable the check for that for now dontCheckForBrokenSymlinks = true; @@ -49,8 +49,8 @@ let "${mastodonNekoversePatches}/patches/006_increase_toot_character_limit.patch" ]; }; - yarnHash = "sha256-IC4d/skIHEzJPuKlq4rMAqV+ydqquA6toq4WWCfuDxo="; - yarnMissingHashes = null; + yarnHash = prev.mastodon.src.yarnHash; + yarnMissingHashes = prev.mastodon.src.yarnMissingHashes; }); }; pkgs-overlay = pkgs.extend mastodonNekoverseOverlay; 
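Review bot: `mastodonNekoversePatches` is fetched with only a `url` and a `hash` and no `rev`, unlike `tangerineUI` and `mastodonModern` earlier in this hunk. The hash still fixes the content, so a changed upstream should fail the build rather than be accepted. What is missing is a record of which commit of the patch repository was reviewed, and a fetch from a clean store presumably follows whatever the default branch points to at that moment. Because these patches are applied to the Mastodon source through `srcOverride`, pin the commit next to the hash: `rev = "<commit-sha-of-patch-repo>";` (placeholder; the commit id is not on the page). The `let` block continues outside the hunk.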
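Review bot: Taking `yarnHash` and `yarnMissingHashes` from `prev.mastodon.src` ties the yarn dependency hashes to whichever Mastodon release the locked nixpkgs packages, while the source is pinned separately to `version = "4.4.1"` in the same override. If a later `flake.lock` update moves nixpkgs to a release with a different `yarn.lock`, the hashes would no longer describe the overridden source. That most likely surfaces as a build failure rather than a silent change, but the cause will not be obvious from the error. A comment above the two lines would record the coupling, for example `# yarn hashes follow nixpkgs' mastodon; keep version in sync with prev.mastodon.version`. The `override` call starts before this hunk.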
@@ -62,7 +62,6 @@ in package = pkgs-overlay.mastodon; localDomain = "social.nekover.se"; secretKeyBaseFile = "/secrets/mastodon-secret-key-base.secret"; - otpSecretFile = "/secrets/mastodon-otp-secret.secret"; vapidPublicKeyFile = "${vapidPublicKey}"; vapidPrivateKeyFile = "/secrets/mastodon-vapid-private-key.secret"; smtp = { @@ -91,6 +90,8 @@ in OIDC_REDIRECT_URI = "https://social.nekover.se/auth/auth/openid_connect/callback"; OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true"; OIDC_END_SESSION_ENDPOINT = "https://id.nekover.se/realms/nekoverse/protocol/openid-connect/logout"; + FETCH_REPLIES_ENABLED = "true"; + AUTHORIZED_FETCH = "true"; }; extraEnvFiles = [ "/secrets/mastodon-keycloak-client-secret.secret" diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix index 1389353..986a64b 100644 --- a/config/hosts/mastodon/secrets.nix +++ b/config/hosts/mastodon/secrets.nix @@ -9,14 +9,6 @@ permissions = "0640"; uploadAt = "pre-activation"; }; - "mastodon-otp-secret.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "mastodon/otp-secret" ]; - destDir = "/secrets"; - user = "mastodon"; - group = "mastodon"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; "mastodon-vapid-private-key.secret" = { keyCommand = keyCommandEnv ++ [ "pass" "mastodon/vapid-private-key" ]; destDir = "/secrets"; From 779e5767d8337b826a5a865086803c6fcee33e5f Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 19 Jul 2025 01:22:45 +0200 Subject: [PATCH 56/60] Remove syn2mas package from matrix host --- config/hosts/matrix/matrix-authentication-service.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/config/hosts/matrix/matrix-authentication-service.nix b/config/hosts/matrix/matrix-authentication-service.nix index 8c8ce91..53674ad 100644 --- a/config/hosts/matrix/matrix-authentication-service.nix +++ b/config/hosts/matrix/matrix-authentication-service.nix 
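Review bot: The two settings added in the `@@ -91,6 +90,8 @@` hunk, `FETCH_REPLIES_ENABLED` and `AUTHORIZED_FETCH`, change federation behaviour but arrive without comment in a commit titled as a version update. `AUTHORIZED_FETCH = "true"` makes the instance require signed requests when public content is fetched, which lets domain blocks apply to those fetches; it does not make public posts private, and software that does not sign its requests can no longer fetch them. A comment on each line would record the intent, for example `# secure mode: require HTTP signatures on ActivityPub fetches` and `# fetch remote replies to complete threads`. The attribute set holding these lines starts outside the hunk.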
@@ -72,10 +72,8 @@ in { environment.systemPackages = with pkgs; [ matrix-authentication-service - syn2mas ]; - systemd.services.matrix-authentication-service = { description = "Matrix Authentication Service"; after = [ "network-online.target" "postgresql.service" ]; From 0ec4c301083d0d3c0703b6147ff48cbdeb171b1b Mon Sep 17 00:00:00 2001 From: fi Date: Sat, 19 Jul 2025 01:30:38 +0200 Subject: [PATCH 57/60] Update element-web to 1.11.106 --- config/hosts/web-public-2/virtualHosts/element.nekover.se.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index d963302..0cdedaf 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.11.105"; + elementWebVersion = "1.11.106"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-fuiXudYnZRf37R8e1+g0bqw5UUV+dbluTOXAHe9PSHs="; + sha256 = "sha256-5E6za7G7Olia5VzOnBjYMeGJ2Xifqx+vDmCFgNLaRZo="; }; elementWebSecurityHeaders = '' # Configuration best practices From f1dfb9bc88958a44d26d2dd022d568fe1fecd677 Mon Sep 17 00:00:00 2001 
From: Fiona Grzebien Date: Thu, 24 Jul 2025 19:14:19 +0200 Subject: [PATCH 58/60] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/32a4e87942101f1c9f9865e04dc3ddb175f5f32e?narHash=sha256-f3pO%2B9lg66mV7IMmmIqG4PL3223TYMlnlw%2Bpnpelbss%3D' (2025-07-15) → 'github:NixOS/nixpkgs/25ff20a127c4136c63c44d718db4d82695cb999a?narHash=sha256-Ho3kXSPtqLGRlvW3SeOc0QyB7fGyHXB2EuieEpe%2BU4I%3D' (2025-07-24) • Updated input 'nixpkgs-master': 'github:NixOS/nixpkgs/a0b29e1b8d072a9f472500997c58252d064c5285?narHash=sha256-TRvw/iAyDqMoRe58kCE6d9FvlsXcdqCTt6w8qRio9U8%3D' (2025-07-16) → 'github:NixOS/nixpkgs/3f3185053e60aba5d036f8d37a5e56861d357e20?narHash=sha256-JA3/3NyPVTgRBjjgbHLC%2B7NMfQS8yiwtZ8bsChitegU%3D' (2025-07-24) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/9100a4f6bf446603b9575927c8585162f9ec9aa6?narHash=sha256-oeRcp4VEyZ/3ZgfRRoq60/08l2zy0K53l8MdfSIYd24%3D' (2025-07-16) → 'github:NixOS/nixpkgs/1744f3daf87f5bb4b2b08f6298a55b6a88ea8308?narHash=sha256-Df8wnrToZpzjqFJWhvaUUvwypj1bKM3JY6zSskwETmc%3D' (2025-07-23) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index e7d24fc..ea029c5 100644 --- a/flake.lock +++ b/flake.lock @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1752620740, - "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=", + "lastModified": 1753328706, + "narHash": "sha256-Ho3kXSPtqLGRlvW3SeOc0QyB7fGyHXB2EuieEpe+U4I=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e", + "rev": "25ff20a127c4136c63c44d718db4d82695cb999a", "type": "github" }, "original": { 
@@ -150,11 +150,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1752682292, - "narHash": "sha256-TRvw/iAyDqMoRe58kCE6d9FvlsXcdqCTt6w8qRio9U8=", + "lastModified": 1753374531, + "narHash": "sha256-JA3/3NyPVTgRBjjgbHLC+7NMfQS8yiwtZ8bsChitegU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a0b29e1b8d072a9f472500997c58252d064c5285", + "rev": "3f3185053e60aba5d036f8d37a5e56861d357e20", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1752644555, - "narHash": "sha256-oeRcp4VEyZ/3ZgfRRoq60/08l2zy0K53l8MdfSIYd24=", + "lastModified": 1753290466, + "narHash": "sha256-Df8wnrToZpzjqFJWhvaUUvwypj1bKM3JY6zSskwETmc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9100a4f6bf446603b9575927c8585162f9ec9aa6", + "rev": "1744f3daf87f5bb4b2b08f6298a55b6a88ea8308", "type": "github" }, "original": { From d3376837d2816e00ee2a25d96e45ce9edb240706 Mon Sep 17 00:00:00 2001 From: Fiona Grzebien Date: Thu, 24 Jul 2025 21:09:42 +0200 Subject: [PATCH 59/60] Add new SSH key for user fi on kiara --- config/users/fi/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/config/users/fi/default.nix b/config/users/fi/default.nix index 2039f05..6aed7cf 100644 --- a/config/users/fi/default.nix +++ b/config/users/fi/default.nix @@ -7,6 +7,7 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE95OjEez/yE+GIaeIoz3OwkXboLboPY4ss9nkt4FLyW fi@kiara" ]; }; } From de9b6a3f2fc63b774c6f45c51b501240911cd3ce Mon Sep 17 00:00:00 2001 From: fi Date: Fri, 25 Jul 2025 03:52:31 +0200 Subject: [PATCH 60/60] Set forgjo package to latest release instead of lts --- config/hosts/forgejo/forgejo.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
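Review bot: The added `fi@kiara` key leaves the existing `yuri@kiara` entry in place, so two keys labelled for the same host are now authorized for this account. If the new key replaces the old one on kiara (the hunk alone does not say), remove the superseded line in the same change so that a key no longer in use cannot log in. If both are meant to stay, a short comment such as `# kiara: previous key kept, see <reason>` records that decision. The key list starts outside the hunk.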
diff --git a/config/hosts/forgejo/forgejo.nix b/config/hosts/forgejo/forgejo.nix index 0f07af2..c60c00f 100644 --- a/config/hosts/forgejo/forgejo.nix +++ b/config/hosts/forgejo/forgejo.nix @@ -1,7 +1,8 @@ -{ ... }: +{ pkgs, ... }: { services.forgejo = { enable = true; + package = pkgs.forgejo; database.type = "postgres"; settings = {