diff --git a/config/hosts/forgejo/forgejo.nix b/config/hosts/forgejo/forgejo.nix index 2b2aea8..c60c00f 100644 --- a/config/hosts/forgejo/forgejo.nix +++ b/config/hosts/forgejo/forgejo.nix @@ -4,7 +4,6 @@ enable = true; package = pkgs.forgejo; database.type = "postgres"; - lfs.enable = true; settings = { DEFAULT = { @@ -18,7 +17,6 @@ ROOT_URL = "https://git.nekover.se/"; # LOCAL_ROOT_URL is apparently what Forgejo uses to access itself. # Doesn't need to be set. - OFFLINE_MODE = true; }; admin = { DISABLE_REGULAR_ORG_CREATION = false; @@ -36,10 +34,11 @@ DEFAULT_USER_VISIBILITY = "limited"; DEFAULT_KEEP_EMAIL_PRIVATE = true; ENABLE_BASIC_AUTHENTICATION = false; - ENABLE_NOTIFY_MAIL = true; + }; + repo = { + DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; }; repository = { - DEFAULT_REPO_UNITS = "repo.code"; ENABLE_PUSH_CREATE_USER = true; ENABLE_PUSH_CREATE_ORG = true; }; diff --git a/config/hosts/forgejo/nginx.nix b/config/hosts/forgejo/nginx.nix index 3602209..6df90b1 100644 --- a/config/hosts/forgejo/nginx.nix +++ b/config/hosts/forgejo/nginx.nix @@ -29,8 +29,7 @@ }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix index 9aadd25..5a15fe1 100644 --- a/config/hosts/hydra/nginx.nix +++ b/config/hosts/hydra/nginx.nix @@ -16,8 +16,7 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; @@ -34,8 +33,7 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; 
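Review bot: `DEFAULT_REPO_UNITS` is moved into a new `repo` attribute set in the third forgejo.nix hunk, but Forgejo reads that key from the `[repository]` section, so as written the setting is most likely ignored and new repositories get the built-in default units. Keep it in the existing block, `repository = { DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls"; ENABLE_PUSH_CREATE_USER = true; … };`, and drop the `repo` set. The `settings` block starts and ends outside the hunk, so nothing else that might consume a `repo` key is visible here.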
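Review bot: The surviving `set_real_ip_from 10.202.41.100;` line in forgejo/nginx.nix lost the comment that said which machine this trusted PROXY-protocol source is; keep it, e.g. `set_real_ip_from 10.202.41.100; # web-public-2, the only host allowed to supply the client address`. Any address listed here may dictate `$remote_addr` for logs, rate limits and allow/deny rules, so the reason for trusting it belongs next to the line. The same one-line change recurs in the hydra, ikiwiki, keycloak, mastodon, matrix, metrics-nekomesh, nextcloud and searx nginx hunks. In the forgejo hunk the `listen … proxy_protocol` directive that `real_ip_header proxy_protocol` depends on lies outside the visible lines.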
diff --git a/config/hosts/ikiwiki/nginx.nix b/config/hosts/ikiwiki/nginx.nix index 9f6462e..4bbcf0a 100644 --- a/config/hosts/ikiwiki/nginx.nix +++ b/config/hosts/ikiwiki/nginx.nix @@ -39,8 +39,7 @@ in }; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/keycloak/nginx.nix b/config/hosts/keycloak/nginx.nix index e9b46cd..c82597d 100644 --- a/config/hosts/keycloak/nginx.nix +++ b/config/hosts/keycloak/nginx.nix @@ -27,8 +27,7 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; add_header Strict-Transport-Security "max-age=63072000" always; diff --git a/config/hosts/mastodon/containers/fedifetcher/default.nix b/config/hosts/mastodon/containers/fedifetcher/default.nix new file mode 100644 index 0000000..3f2617e --- /dev/null +++ b/config/hosts/mastodon/containers/fedifetcher/default.nix @@ -0,0 +1,23 @@ +{ nixpkgs-unstable, ... }: +{ + containers.fedifetcher = { + nixpkgs = nixpkgs-unstable; + autoStart = true; + + bindMounts = { + "/secrets" = { + hostPath = "/secrets-fedifetcher"; + isReadOnly = true; + }; + }; + + config = { ... }: { + imports = [ + ./fedifetcher.nix + ]; + + networking.useHostResolvConf = true; + system.stateVersion = "24.05"; + }; + }; +} diff --git a/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix b/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix new file mode 100644 index 0000000..7194c25 --- /dev/null +++ b/config/hosts/mastodon/containers/fedifetcher/fedifetcher.nix 
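Review bot: `containers.fedifetcher` sets no `privateNetwork`, so with the NixOS default the container shares the host's network namespace and can reach whatever the Mastodon host binds to loopback; the isolation gained here is filesystem-only. If that is intended (presumably the container exists only to take the package from `nixpkgs-unstable`), say so in a comment such as `# shares the host netns on purpose; only needs outbound HTTPS`. The read-only bind mount exposes the whole `/secrets-fedifetcher` directory inside the container, so only keys meant for this job should ever be deployed there.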
@@ -0,0 +1,42 @@ +{ pkgs, lib, ... }: +{ + # config copied from https://github.com/arachnist/nibylandia/blob/main/nixos/zorigami/default.nix + systemd.services.fedifetcher = { + path = [ pkgs.fedifetcher ]; + description = "fetch fedi posts"; + script = '' + fedifetcher + ''; + environment = lib.mapAttrs' (n: v: + (lib.nameValuePair ("ff_" + builtins.replaceStrings [ "-" ] [ "_" ] n) + (builtins.toString v))) { + server = "social.nekover.se"; + state-dir = "/var/lib/fedifetcher"; + lock-file = "/run/fedifetcher/fedifetcher.lock"; + from-lists = 1; + from-notifications = 1; + max-bookmarks = 80; + max-favourites = 40; + max-follow-requests = 80; + max-followers = 80; + max-followings = 80; + remember-hosts-for-days = 30; + remember-users-for-hours = 168; + reply-interval-in-hours = 2; + }; + serviceConfig = { + DynamicUser = true; + User = "fedifetcher"; + RuntimeDirectory = "fedifetcher"; + RuntimeDirectoryPreserve = true; + StateDirectory = "fedifetcher"; + UMask = "0077"; + EnvironmentFile = [ "/secrets/mastodon-fedifetcher-access-token.secret" ]; + }; + }; + + systemd.timers.fedifetcher = { + wantedBy = [ "multi-user.target" ]; + timerConfig = { OnCalendar = "*:0/5"; }; + }; +} diff --git a/config/hosts/mastodon/default.nix b/config/hosts/mastodon/default.nix index 5651eb8..dc52ff4 100644 --- a/config/hosts/mastodon/default.nix +++ b/config/hosts/mastodon/default.nix @@ -5,5 +5,6 @@ ./mastodon.nix ./opensearch.nix ./nginx.nix + ./containers/fedifetcher ]; } diff --git a/config/hosts/mastodon/mastodon.nix b/config/hosts/mastodon/mastodon.nix index fd5fa64..aa4fea4 100644 --- a/config/hosts/mastodon/mastodon.nix +++ b/config/hosts/mastodon/mastodon.nix 
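Review bot: Nothing in the new unit says what `/secrets/mastodon-fedifetcher-access-token.secret` has to contain; because it is loaded through `EnvironmentFile` it must be a `KEY=value` file, and given the `ff_` prefix built by `lib.mapAttrs'` the variable is presumably `ff_access_token` (to be confirmed), which deserves a one-line comment above `EnvironmentFile`. The token then lives in the process environment, which `DynamicUser = true` keeps away from other accounts. On the timer, `wantedBy = [ "multi-user.target" ];` works, but the conventional target is `wantedBy = [ "timers.target" ];`.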
@@ -2,8 +2,8 @@ let tangerineUI = pkgs.fetchgit { url = "https://github.com/nileane/TangerineUI-for-Mastodon.git"; - rev = "v2.5.3"; - hash = "sha256-fs/pwIwXZvSNVmlSG304CMT/hSW/RtrzraMsrhg/TbE="; + rev = "v2.5.2"; + hash = "sha256-RJPP3QynE42cr9Km8twyZrHiZnhMdNcYOOJ7nW0mx1c="; }; mastodonModern = pkgs.fetchgit { url = "https://git.gay/freeplay/Mastodon-Modern.git"; @@ -16,14 +16,14 @@ let }; mastodonNekoverseOverlay = final: prev: { mastodon = (prev.mastodon.override rec { - version = "4.5.9"; + version = "4.5.2"; srcOverride = final.applyPatches { src = pkgs.stdenv.mkDerivation { name = "mastodonWithThemes"; src = pkgs.fetchgit { url = "https://github.com/mastodon/mastodon.git"; rev = "v${version}"; - sha256 = "sha256-EXMJWdcuvQWe2cXONlcN/oB4b0nXwDqRT+miIB7P7js="; + sha256 = "sha256-LePly+CcM+Dv6ipX9jIWWKhy2PiF1j8vgc9CXn2o+DQ="; }; # mastodon ships with broken symlinks, disable the check for that for now dontCheckForBrokenSymlinks = true; diff --git a/config/hosts/mastodon/nginx.nix b/config/hosts/mastodon/nginx.nix index 02a0d0a..72aec08 100644 --- a/config/hosts/mastodon/nginx.nix +++ b/config/hosts/mastodon/nginx.nix @@ -57,8 +57,7 @@ }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/mastodon/secrets.nix b/config/hosts/mastodon/secrets.nix index 88413c7..986a64b 100644 --- a/config/hosts/mastodon/secrets.nix +++ b/config/hosts/mastodon/secrets.nix @@ -57,5 +57,13 @@ permissions = "0640"; uploadAt = "pre-activation"; }; + "mastodon-fedifetcher-access-token.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "mastodon/fedifetcher-access-token" ]; + destDir = "/secrets-fedifetcher"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; }; } 
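Review bot: `version` in the overlay goes from 4.5.9 to 4.5.2, so the new side pins an older Mastodon point release on an internet-facing service and drops whatever fixes shipped in between. If the hold-back is deliberate, a comment next to the pin such as `# held at 4.5.2 because <reason>` keeps it from being forgotten; otherwise the diff direction looks reversed. The TangerineUI pin in the first hunk of this file moves backwards in the same way.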
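Review bot: The new `mastodon-fedifetcher-access-token.secret` key is owned by `root:root` yet deployed with `permissions = "0640";`, so the group read bit serves no reader; `permissions = "0400";` states the intent exactly. systemd reads an `EnvironmentFile` before dropping privileges, so the service should not need group access (worth confirming inside the container). The root-owned Samba credential keys added in navidrome/secrets.nix and paperless/secrets.nix use the same mode.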
diff --git a/config/hosts/matrix/element-call.nix b/config/hosts/matrix/element-call.nix index db988b9..1c8b442 100644 --- a/config/hosts/matrix/element-call.nix +++ b/config/hosts/matrix/element-call.nix @@ -12,7 +12,4 @@ livekitUrl = "wss://matrix-rtc.nekover.se/livekit/sfu"; keyFile = "/secrets/matrix-livekit-secret-key.secret"; }; - systemd.services.lk-jwt-service.environment = { - LIVEKIT_FULL_ACCESS_HOMESERVERS = "nekover.se"; - }; } diff --git a/config/hosts/matrix/matrix-authentication-service.nix b/config/hosts/matrix/matrix-authentication-service.nix index e13bdd9..53674ad 100644 --- a/config/hosts/matrix/matrix-authentication-service.nix +++ b/config/hosts/matrix/matrix-authentication-service.nix @@ -33,17 +33,6 @@ let }]; proxy_protocol = false; } - { - name = "admin"; - resources = [{ - name = "adminapi"; - }]; - binds = [{ - host = "localhost"; - port = 8083; - }]; - proxy_protocol = false; - } ]; trusted_proxies = [ "192.168.0.0/16" @@ -74,7 +63,8 @@ let version = 2; algorithm = "argon2id"; } - ]; + ]; + minimum_complexity = 8; }; }; masSettingsFile = ((pkgs.formats.yaml { }).generate "mas-config" masSettings); diff --git a/config/hosts/matrix/nginx.nix b/config/hosts/matrix/nginx.nix index 0e419bc..ce3ab3d 100644 --- a/config/hosts/matrix/nginx.nix +++ b/config/hosts/matrix/nginx.nix @@ -11,17 +11,10 @@ addr = "0.0.0.0"; port = 80; } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } { addr = "0.0.0.0"; port = 8448; ssl = true; - proxyProtocol = true; } ]; locations = { 
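Review bot: `minimum_complexity = 8;` in the second matrix-authentication-service.nix hunk is outside the range MAS documents for this key, which is a zxcvbn score from 0 to 4. Depending on how the value is validated, the service either refuses the configuration or no password can ever satisfy it. If a strict policy is wanted, use `minimum_complexity = 4;`; the documented default is 3. The enclosing `passwords` block starts above the hunk, so whether local passwords are enabled at all is not visible here.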
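Review bot: After the first matrix/nginx.nix hunk the 8448 listener no longer sets `proxyProtocol = true`, while the server block further down still applies `real_ip_header proxy_protocol`; on a listener without PROXY protocol there is no header to read, so whatever connects to 8448 is taken at its peer address. If the federation port is now meant to be reached directly, say so next to the entry, e.g. `# federation port, reached directly, no PROXY protocol`. The 8443 listener is moved out of this list into a raw `listen` directive in `extraConfig`; keeping it in the list with `extraParameters = [ "proxy_protocol" ];`, as the new anisync vhost does, would leave all listeners in one place. The virtual host starts and ends outside the hunk.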
@@ -41,23 +34,11 @@ client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; ''; }; - "~ ^/_synapse/admin" = { - # Only proxy to the local host on IPv4, because localhost doesn't seem to work - # even if matrix-synapse is listening on ::1 as well. - proxyPass = "http://127.0.0.1:8008"; - extraConfig = '' - # Restrict access to admin API. - allow 172.21.87.0/24; # management VPN - deny all; - # Nginx by default only allows file uploads up to 1M in size - # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml - client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size}; - ''; - }; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; @@ -69,29 +50,14 @@ addr = "0.0.0.0"; port = 80; } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } ]; - locations = { - "/" = { - proxyPass = "http://localhost:8080"; - }; - "~ ^/api/admin" = { - proxyPass = "http://localhost:8083"; - extraConfig = '' - # Restrict access to admin API. - allow 172.21.87.0/24; # management VPN - deny all; - ''; - }; + locations."/" = { + proxyPass = "http://localhost:8080"; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; @@ -103,12 +69,6 @@ addr = "0.0.0.0"; port = 80; } - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } ]; locations."^~ /livekit/jwt/" = { proxyPass = "http://localhost:8082/"; 
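Review bot: Removing the `~ ^/_synapse/admin` location also removes its `allow 172.21.87.0/24; deny all;` guard, and whether admin requests are now refused depends on the remaining location patterns, which start above the hunk. If a surviving location matches `/_synapse` broadly, the Synapse admin API becomes reachable by every client with only token authentication in front of it; an explicit `locations."~ ^/_synapse/admin".return = "404";` keeps the intent visible. The same question applies to `/api/admin` in the next hunk, where `locations."/"` now forwards every path to `http://localhost:8080`.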
@@ -118,8 +78,9 @@ proxyWebsockets = true; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + listen 0.0.0.0:8443 http2 ssl proxy_protocol; + + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/metrics-nekomesh/grafana.nix b/config/hosts/metrics-nekomesh/grafana.nix index 8c4255d..7697748 100644 --- a/config/hosts/metrics-nekomesh/grafana.nix +++ b/config/hosts/metrics-nekomesh/grafana.nix @@ -13,7 +13,6 @@ admin_user = "admin"; admin_password = "$__file{/secrets/metrics-nekomesh-grafana-admin-password.secret}"; admin_email = "fi@nekover.se"; - secret_key = "$__file{/secrets/metrics-nekomesh-grafana-secret-key.secret}"; }; smtp = { enabled = true; diff --git a/config/hosts/metrics-nekomesh/nginx.nix b/config/hosts/metrics-nekomesh/nginx.nix index a754cb6..e2fc483 100644 --- a/config/hosts/metrics-nekomesh/nginx.nix +++ b/config/hosts/metrics-nekomesh/nginx.nix @@ -23,8 +23,7 @@ proxyWebsockets = true; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/metrics-nekomesh/secrets.nix b/config/hosts/metrics-nekomesh/secrets.nix index 8014354..ef6bcec 100644 --- a/config/hosts/metrics-nekomesh/secrets.nix +++ b/config/hosts/metrics-nekomesh/secrets.nix @@ -17,14 +17,6 @@ permissions = "0640"; uploadAt = "pre-activation"; }; - "metrics-nekomesh-grafana-secret-key.secret" = { - keyCommand = keyCommandEnv ++ [ "pass" "metrics-nekomesh/grafana/secret-key" ]; - destDir = "/secrets"; - user = "grafana"; - group = "grafana"; - permissions = "0640"; - uploadAt = "pre-activation"; - }; "mail-nekomesh-nekover-se.secret" = { keyCommand = keyCommandEnv ++ [ "pass" "mail/nekomesh-nekover-se" ]; destDir = "/secrets"; 
diff --git a/config/hosts/navidrome/configuration.nix b/config/hosts/navidrome/configuration.nix
new file mode 100644
index 0000000..581a631
--- /dev/null
+++ b/config/hosts/navidrome/configuration.nix
@@ -0,0 +1,33 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "navidrome";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ };
+ };
+
+ fileSystems = {
+ "/mnt/music" = {
+ device = "//10.202.40.5/music-ro";
+ fsType = "cifs";
+ options = [
+ "username=navidrome"
+ "credentials=/secrets/navidrome-samba-credentials.secret"
+ "iocharset=utf8"
+ "vers=3.1.1"
+ "uid=navidrome"
+ "gid=navidrome"
+ "_netdev"
+ ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/navidrome/default.nix b/config/hosts/navidrome/default.nix
new file mode 100644
index 0000000..00d4a90
--- /dev/null
+++ b/config/hosts/navidrome/default.nix
@@ -0,0 +1,7 @@
+{ ... }: {
+ imports = [
+ ./configuration.nix
+ ./navidrome.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/navidrome/navidrome.nix b/config/hosts/navidrome/navidrome.nix
new file mode 100644
index 0000000..74e3a1d
--- /dev/null
+++ b/config/hosts/navidrome/navidrome.nix
@@ -0,0 +1,9 @@
+{ ... }: {
+ services.navidrome = {
+ enable = true;
+ settings = {
+ Address = "unix:/run/navidrome/navidrome.socket";
+ MusicFolder = "/mnt/music";
+ };
+ };
+}
diff --git a/config/hosts/navidrome/nginx.nix b/config/hosts/navidrome/nginx.nix
new file mode 100644
index 0000000..eef60dd
--- /dev/null
+++ b/config/hosts/navidrome/nginx.nix
@@ -0,0 +1,24 @@
+{ ... }: {
+ services.nginx = {
+ enable = true;
+ user = "navidrome";
+ virtualHosts."navidrome.grzb.de" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://unix:/run/navidrome/navidrome.socket";
+ };
+ };
+ };
+}
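Review bot: The CIFS mount of `//10.202.40.5/music-ro` in navidrome/configuration.nix carries no `ro`, `nosuid`, `nodev` or `noexec`, so the only thing keeping it read-only is the server's share definition and nothing stops the client from honouring setuid bits or device nodes found on it. Adding `"ro"`, `"nosuid"`, `"nodev"` and `"noexec"` to `options` costs nothing for a media library. `"nofail"` is worth considering so an unreachable file server does not hold up boot. The `/mnt/paperless-consume` mount in paperless/hardware-configuration.nix has the same option list and would take the same flags apart from `ro`.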
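Review bot: `user = "navidrome";` in navidrome/nginx.nix makes every nginx worker run as the application account just so it can open `/run/navidrome/navidrome.socket`, which gives the TLS-terminating, internet-facing process the same file access as Navidrome itself. Keeping nginx under its own user and granting socket access by group, `users.users.nginx.extraGroups = [ "navidrome" ];`, preserves the separation; the socket mode must then allow group access. netbox/nginx.nix does the same with `user = "netbox";`, presumably to read the static directory, and the same group-based approach applies there.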
diff --git a/config/hosts/navidrome/secrets.nix b/config/hosts/navidrome/secrets.nix
new file mode 100644
index 0000000..a11e957
--- /dev/null
+++ b/config/hosts/navidrome/secrets.nix
@@ -0,0 +1,13 @@
+{ keyCommandEnv, ... }:
+{
+ deployment.keys = {
+ "navidrome-samba-credentials.secret" = {
+ keyCommand = keyCommandEnv ++ [ "pass" "navidrome/samba-credentials" ];
+ destDir = "/secrets";
+ user = "root";
+ group = "root";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+ };
+}
diff --git a/config/hosts/netbox/configuration.nix b/config/hosts/netbox/configuration.nix
new file mode 100644
index 0000000..5bf8422
--- /dev/null
+++ b/config/hosts/netbox/configuration.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "netbox";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/config/hosts/netbox/default.nix b/config/hosts/netbox/default.nix
new file mode 100644
index 0000000..5dd147b
--- /dev/null
+++ b/config/hosts/netbox/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./netbox.nix
+ ./nginx.nix
+ ];
+}
diff --git a/config/hosts/netbox/netbox.nix b/config/hosts/netbox/netbox.nix
new file mode 100644
index 0000000..b9ba2ad
--- /dev/null
+++ b/config/hosts/netbox/netbox.nix
@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+{
+ services.netbox = {
+ enable = true;
+ package = pkgs.netbox;
+ secretKeyFile = "/secrets/netbox-secret-key.secret";
+ };
+}
diff --git a/config/hosts/netbox/nginx.nix b/config/hosts/netbox/nginx.nix
new file mode 100644
index 0000000..a2d1782
--- /dev/null
+++ b/config/hosts/netbox/nginx.nix
@@ -0,0 +1,29 @@ +{ config, ... }: +{ + services.nginx = { + enable = true; + clientMaxBodySize = "25m"; + user = "netbox"; + virtualHosts."netbox.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [ + { + addr = "0.0.0.0"; + port = 80; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + ]; + locations."/static/" = { + alias = "${config.services.netbox.dataDir}/static/"; + }; + locations."/" = { + proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}"; + }; + }; + }; +} diff --git a/config/hosts/netbox/secrets.nix b/config/hosts/netbox/secrets.nix new file mode 100644 index 0000000..216aca4 --- /dev/null +++ b/config/hosts/netbox/secrets.nix @@ -0,0 +1,11 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys."netbox-secret-key.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "netbox/secret-key" ]; + destDir = "/secrets"; + user = "netbox"; + group = "netbox"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; +} diff --git a/config/hosts/nextcloud/nextcloud.nix b/config/hosts/nextcloud/nextcloud.nix index f27c9a6..88b842a 100644 --- a/config/hosts/nextcloud/nextcloud.nix +++ b/config/hosts/nextcloud/nextcloud.nix @@ -44,8 +44,7 @@ extraConfig = '' listen 0.0.0.0:8443 http2 ssl proxy_protocol; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/nitter/configuration.nix b/config/hosts/nitter/configuration.nix new file mode 100644 index 0000000..bc54db7 --- /dev/null +++ b/config/hosts/nitter/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "nitter"; + firewall = { + enable = true; + allowedTCPPorts = [ 8443 ]; + }; + }; + + system.stateVersion = "23.05"; +} 
diff --git a/config/hosts/nitter/default.nix b/config/hosts/nitter/default.nix
new file mode 100644
index 0000000..6aae884
--- /dev/null
+++ b/config/hosts/nitter/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./nginx.nix
+ ./nitter.nix
+ ];
+}
diff --git a/config/hosts/nitter/nginx.nix b/config/hosts/nitter/nginx.nix
new file mode 100644
index 0000000..862405c
--- /dev/null
+++ b/config/hosts/nitter/nginx.nix
@@ -0,0 +1,23 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."birdsite.nekover.se" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/robots.txt" = {
+ return = "200 \"User-agent: *\\nDisallow: /\\n\"";
+ };
+ locations."/" = {
+ proxyPass = "http://${config.services.nitter.server.address}:${builtins.toString config.services.nitter.server.port}";
+ proxyWebsockets = true;
+ };
+ extraConfig = ''
+ listen 0.0.0.0:8443 http2 ssl proxy_protocol;
+
+ set_real_ip_from 10.202.41.100;
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+}
diff --git a/config/hosts/nitter/nitter.nix b/config/hosts/nitter/nitter.nix
new file mode 100644
index 0000000..94165c4
--- /dev/null
+++ b/config/hosts/nitter/nitter.nix
@@ -0,0 +1,21 @@
+{ ... }:
+{
+ services.nitter = {
+ enable = true;
+
+ server = {
+ title = "Birdsite";
+ https = true;
+ address = "127.0.0.1";
+ port = 8080;
+ hostname = "birdsite.nekover.se";
+ };
+
+ preferences = {
+ theme = "Mastodon";
+ replaceTwitter = "birdsite.nekover.se";
+ infiniteScroll = true;
+ hlsPlayback = true;
+ };
+ };
+}
diff --git a/config/hosts/paperless/configuration.nix b/config/hosts/paperless/configuration.nix
new file mode 100644
index 0000000..494f08c
--- /dev/null
+++ b/config/hosts/paperless/configuration.nix
@@ -0,0 +1,17 @@
+{ ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "paperless";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 80 443 ];
+ };
+ };
+
+ system.stateVersion = "23.05";
+}
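Review bot: The nitter vhost sets `enableACME = true;` while nitter/configuration.nix opens only `allowedTCPPorts = [ 8443 ];`, so an HTTP-01 challenge forwarded to this host on port 80 would be dropped by its own firewall unless that port is reachable some other way not shown here. Either open port 80 for the challenge path or note in a comment how certificates are obtained for `birdsite.nekover.se`. Since no `listen` list is given, the NixOS module presumably also emits its default 80/443 listeners next to the raw `listen 0.0.0.0:8443 … proxy_protocol;` line; declaring the 8443 listener in `listen` with `extraParameters = [ "proxy_protocol" ];` would leave exactly one socket and make that explicit.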
diff --git a/config/hosts/paperless/default.nix b/config/hosts/paperless/default.nix
new file mode 100644
index 0000000..e6ebeed
--- /dev/null
+++ b/config/hosts/paperless/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./hardware-configuration.nix
+ ./nginx.nix
+ ./paperless.nix
+ ];
+}
diff --git a/config/hosts/paperless/hardware-configuration.nix b/config/hosts/paperless/hardware-configuration.nix
new file mode 100644
index 0000000..17b9b66
--- /dev/null
+++ b/config/hosts/paperless/hardware-configuration.nix
@@ -0,0 +1,30 @@
+{ ... }:
+{
+ fileSystems = {
+ "/mnt/data" = {
+ device = "/dev/disk/by-label/data";
+ fsType = "ext4";
+ autoFormat = true;
+ autoResize = true;
+ };
+ "/mnt/paperless-consume" = {
+ device = "//10.201.40.10/paperless-consume";
+ fsType = "cifs";
+ options = [
+ "username=paperless"
+ "credentials=/secrets/paperless-samba-credentials.secret"
+ "iocharset=utf8"
+ "vers=3.1.1"
+ "uid=paperless"
+ "gid=paperless"
+ "_netdev"
+ ];
+ };
+ "/var/lib/paperless" = {
+ depends = [ "/mnt/data" ];
+ device = "/mnt/data/paperless";
+ fsType = "none";
+ options = [ "bind" ];
+ };
+ };
+}
diff --git a/config/hosts/paperless/nginx.nix b/config/hosts/paperless/nginx.nix
new file mode 100644
index 0000000..e4a2131
--- /dev/null
+++ b/config/hosts/paperless/nginx.nix
@@ -0,0 +1,31 @@
+{ config, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."paperless.grzb.de" = {
+ forceSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ ssl = true;
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://${config.services.paperless.address}:${builtins.toString config.services.paperless.port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
+ '';
+ };
+ extraConfig = ''
+ client_max_body_size 100M;
+ '';
+ };
+ };
+}
diff --git a/config/hosts/paperless/paperless.nix b/config/hosts/paperless/paperless.nix new file mode 100644 index 0000000..1def83d --- /dev/null +++ b/config/hosts/paperless/paperless.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + services.paperless = { + enable = true; + consumptionDir = "/mnt/paperless-consume"; + passwordFile = "/secrets/paperless-admin-password.secret"; + }; +} diff --git a/config/hosts/paperless/secrets.nix b/config/hosts/paperless/secrets.nix new file mode 100644 index 0000000..6726881 --- /dev/null +++ b/config/hosts/paperless/secrets.nix @@ -0,0 +1,21 @@ +{ keyCommandEnv, ... }: +{ + deployment.keys = { + "paperless-admin-password.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "paperless/admin-password" ]; + destDir = "/secrets"; + user = "paperless"; + group = "paperless"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + "paperless-samba-credentials.secret" = { + keyCommand = keyCommandEnv ++ [ "pass" "paperless/samba-credentials" ]; + destDir = "/secrets"; + user = "root"; + group = "root"; + permissions = "0640"; + uploadAt = "pre-activation"; + }; + }; +} diff --git a/config/hosts/searx/nginx.nix b/config/hosts/searx/nginx.nix index 9283018..a84c171 100644 --- a/config/hosts/searx/nginx.nix +++ b/config/hosts/searx/nginx.nix @@ -21,8 +21,7 @@ proxyPass = "http://${config.services.searx.settings.server.bind_address}:${builtins.toString config.services.searx.settings.server.port}"; }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 10.202.41.100; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/valkyrie/configuration.nix b/config/hosts/valkyrie/configuration.nix index e581f8c..aca6e04 100644 --- a/config/hosts/valkyrie/configuration.nix +++ b/config/hosts/valkyrie/configuration.nix 
@@ -7,7 +7,7 @@ nftables.enable = true; firewall = { enable = true; - allowedTCPPorts = [ 80 443 8448 ]; + allowedTCPPorts = [ 80 443 ]; allowedUDPPorts = [ 51820 51821 51822 51824 51827 51828 51829 51830 ]; }; wireguard = { diff --git a/config/hosts/valkyrie/nginx.nix b/config/hosts/valkyrie/nginx.nix index ab96419..fae78f0 100644 --- a/config/hosts/valkyrie/nginx.nix +++ b/config/hosts/valkyrie/nginx.nix @@ -33,36 +33,5 @@ }; }; }; - - streamConfig = '' - map $ssl_preread_server_name $address { - cloud.nekover.se 10.202.41.122:8443; - element.nekover.se 10.202.41.100:8443; - element-admin.nekover.se 10.202.41.100:8443; - fi.nekover.se 10.202.41.125:8443; - git.nekover.se 10.202.41.106:8443; - hydra.nekover.se 10.202.41.121:8443; - id.nekover.se 10.202.41.124:8443; - mas.nekover.se 10.202.41.112:8443; - matrix.nekover.se 10.202.41.112:8443; - matrix-rtc.nekover.se 10.202.41.112:8443; - mesh.nekover.se 10.202.41.126:8443; - nekover.se 10.202.41.100:8443; - nix-cache.nekover.se 10.202.41.121:8443; - searx.nekover.se 10.202.41.105:8443; - social.nekover.se 10.202.41.104:8443; - } - server { - listen [::]:443; - proxy_pass $address; - ssl_preread on; - proxy_protocol on; - } - server { - listen [::]:8448; - proxy_pass 10.202.41.112:8448; # matrix federation port - proxy_protocol on; - } - ''; }; } diff --git a/config/hosts/web-public-1/configuration.nix b/config/hosts/web-public-1/configuration.nix new file mode 100644 index 0000000..7f3b8fa --- /dev/null +++ b/config/hosts/web-public-1/configuration.nix @@ -0,0 +1,17 @@ +{ ... }: +{ + boot.loader.grub = { + enable = true; + device = "/dev/vda"; + }; + + networking = { + hostName = "web-public-1"; + firewall = { + enable = true; + allowedTCPPorts = [ 80 443 ]; + }; + }; + + system.stateVersion = "23.05"; +} diff --git a/config/hosts/web-public-1/default.nix b/config/hosts/web-public-1/default.nix new file mode 100644 index 0000000..3db73ca --- /dev/null +++ b/config/hosts/web-public-1/default.nix 
@@ -0,0 +1,7 @@ +{ ... }: +{ + imports = [ + ./configuration.nix + ./nginx.nix + ]; +} diff --git a/config/hosts/web-public-1/nginx.nix b/config/hosts/web-public-1/nginx.nix new file mode 100644 index 0000000..0453a73 --- /dev/null +++ b/config/hosts/web-public-1/nginx.nix @@ -0,0 +1,10 @@ +{ ... }: +{ + imports = [ + ./virtualHosts + ]; + + services.nginx = { + enable = true; + }; +} diff --git a/config/hosts/web-public-1/virtualHosts/acme-challenge.nix b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix new file mode 100644 index 0000000..c9b7e61 --- /dev/null +++ b/config/hosts/web-public-1/virtualHosts/acme-challenge.nix @@ -0,0 +1,18 @@ +{ ... }: +let + acmeDomainMap = { + "paperless.grzb.de" = "paperless.wg.grzb.de"; + "navidrome.grzb.de" = "navidrome.wg.grzb.de"; + }; +in +{ + services.nginx.virtualHosts = (builtins.mapAttrs (domain: target: { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."^~ /.well-known/acme-challenge/" = { + proxyPass = "http://${target}:80"; + }; + }) acmeDomainMap); +} diff --git a/config/hosts/web-public-1/virtualHosts/default.nix b/config/hosts/web-public-1/virtualHosts/default.nix new file mode 100644 index 0000000..e191a9c --- /dev/null +++ b/config/hosts/web-public-1/virtualHosts/default.nix @@ -0,0 +1,16 @@ +{ ... }: +{ + imports = [ + ./acme-challenge.nix + ]; + + services.nginx.virtualHosts."_" = { + listen = [{ + addr = "0.0.0.0"; + port = 80; + }]; + locations."/" = { + return = "301 https://$host$request_uri"; + }; + }; +} diff --git a/config/hosts/web-public-2/configuration.nix b/config/hosts/web-public-2/configuration.nix index e942787..94e74b6 100644 --- a/config/hosts/web-public-2/configuration.nix +++ b/config/hosts/web-public-2/configuration.nix @@ -21,7 +21,7 @@ hostName = "web-public-2"; firewall = { enable = true; - allowedTCPPorts = [ 80 443 5000 8443 8448 ]; + allowedTCPPorts = [ 80 443 5000 8448 ]; }; }; 
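Review bot: The catch-all `virtualHosts."_"` in web-public-1/virtualHosts/default.nix is not marked as the default server, and the name `_` has no special meaning to nginx, so which server answers an unknown `Host` on port 80 depends on the order of the generated config. Setting `default = true;` on this vhost makes the fallback explicit. The redirect target `https://$host$request_uri` echoes whatever `Host` header the client sent, which is usual for a catch-all but worth a short comment so nobody later relies on it naming one of our own domains.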
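Review bot: `allowedTCPPorts` on web-public-2 still opens 8448 although the nginx.nix change for this host removes the stream server that listened on `0.0.0.0:8448`, so after this commit the port appears to be open with nothing behind it. Unless another service on the host uses it, drop it: `allowedTCPPorts = [ 80 443 5000 ];`. The `firewall` block sits inside a `networking` set that starts above the hunk.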
diff --git a/config/hosts/web-public-2/nginx.nix b/config/hosts/web-public-2/nginx.nix index 3217be8..608d6a7 100644 --- a/config/hosts/web-public-2/nginx.nix +++ b/config/hosts/web-public-2/nginx.nix @@ -16,17 +16,20 @@ stream { map $ssl_preread_server_name $address { + anisync.grzb.de 127.0.0.1:8443; cloud.nekover.se 10.202.41.122:8443; - element.nekover.se 10.202.41.100:8443; - element-admin.nekover.se 10.202.41.100:8443; + element.nekover.se 127.0.0.1:8443; fi.nekover.se 10.202.41.125:8443; + gameserver.grzb.de 127.0.0.1:8443; + git.grzb.de 127.0.0.1:8443; git.nekover.se 10.202.41.106:8443; hydra.nekover.se 10.202.41.121:8443; id.nekover.se 10.202.41.124:8443; mas.nekover.se 10.202.41.112:8443; matrix.nekover.se 10.202.41.112:8443; matrix-rtc.nekover.se 10.202.41.112:8443; - nekover.se 10.202.41.100:8443; + mewtube.nekover.se 127.0.0.1:8443; + nekover.se 127.0.0.1:8443; mesh.nekover.se 10.202.41.126:8443; nix-cache.nekover.se 10.202.41.121:8443; searx.nekover.se 10.202.41.105:8443; @@ -34,15 +37,11 @@ } server { listen 0.0.0.0:443; + listen [::]:443; proxy_pass $address; ssl_preread on; proxy_protocol on; } - server { - listen 0.0.0.0:8448; - proxy_pass 10.202.41.112:8448; # matrix federation port - proxy_protocol on; - } } ''; diff --git a/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix new file mode 100644 index 0000000..9a3950a --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/anisync.grzb.de.nix @@ -0,0 +1,23 @@ +{ ... }: +{ + services.nginx.virtualHosts."anisync.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; + locations."/" = { + proxyPass = "http://anisync.vs.grzb.de:8080"; + proxyWebsockets = true; + }; + extraConfig = '' + add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; + }; +} 
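Review bot: `element.nekover.se` and `nekover.se` are now forwarded to `127.0.0.1:8443` instead of `10.202.41.100:8443` in the stream map, but their virtual-host files are not part of this diff, so their listeners and `set_real_ip_from` lines may still name 10.202.41.100. If they do, nginx will not accept the PROXY-protocol address from the loopback peer and every request is attributed to 127.0.0.1 in logs and rate limits; they need `set_real_ip_from 127.0.0.1;` as the new anisync vhost has. The map also names `gameserver.grzb.de`, `git.grzb.de` and `mewtube.nekover.se`, whose vhost files are not visible here. The `map` block starts and ends outside the hunk.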
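Review bot: The anisync listener uses `addr = "localhost";` while the stream map sends traffic to `127.0.0.1:8443` and the trust line is `set_real_ip_from 127.0.0.1;`, so binding by name makes the three depend on how `localhost` resolves when nginx starts. Use the literal, `addr = "127.0.0.1";`, so they agree by construction. `add_header X-Content-Type-Options nosniff;` lacks `always` and is therefore omitted on error responses; `add_header X-Content-Type-Options nosniff always;` covers them too.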
diff --git a/config/hosts/web-public-2/virtualHosts/default.nix b/config/hosts/web-public-2/virtualHosts/default.nix index fc2b409..53294f7 100644 --- a/config/hosts/web-public-2/virtualHosts/default.nix +++ b/config/hosts/web-public-2/virtualHosts/default.nix @@ -2,8 +2,11 @@ { imports = [ ./acme-challenge.nix + ./anisync.grzb.de.nix ./element.nekover.se.nix - ./element-admin.nekover.se.nix + ./gameserver.grzb.de.nix + ./git.grzb.de.nix + ./mewtube.nekover.se.nix ./nekover.se.nix ]; diff --git a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix deleted file mode 100644 index cb8a45a..0000000 --- a/config/hosts/web-public-2/virtualHosts/element-admin.nekover.se.nix +++ /dev/null 
@@ -1,96 +0,0 @@ -{ config, pkgs, ... }: - -let - elementAdminVersion = "0.1.11"; - elementAdmin = pkgs.stdenv.mkDerivation (finalAttrs: { - pname = "element-admin"; - version = elementAdminVersion; - - src = pkgs.fetchzip { - url = "https://github.com/element-hq/element-admin/archive/refs/tags/v${elementAdminVersion}.zip"; - sha256 = "sha256-tSUTDPspQJjvP1KN4nUr4LYyjNQFj4pKMMA8JmavIxo="; - }; - - nativeBuildInputs = [ - pkgs.nodejs - pkgs.pnpm.configHook - ]; - - pnpmDeps = pkgs.pnpm.fetchDeps { - inherit (finalAttrs) pname version src; - fetcherVersion = 2; - hash = "sha256-Hf4PWey5bczSNbc3QQ9z9X3OVUZ7VHXw7BHGQqJWPac="; - }; - - buildPhase = '' - pnpm build - ''; - - installPhase = '' - cp -a dist $out - ''; - }); -in -{ - services.nginx.virtualHosts."element-admin.nekover.se" = { - forceSSL = true; - enableACME = true; - - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - extraParameters = ["proxy_protocol"]; - }]; - - root = elementAdmin; - - locations."/assets" = { - extraConfig = '' - expires 1y; - add_header Cache-Control "public, max-age=31536000, immutable"; - # Security headers. - add_header X-Frame-Options "DENY" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "strict-origin-when-cross-origin" always; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always; - add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always; - ''; - }; - - locations."/" = { - index = "/index.html"; - tryFiles = "$uri $uri/ /"; - extraConfig = '' - # Security headers. 
- add_header X-Frame-Options "DENY" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "strict-origin-when-cross-origin" always; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always; - add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always; - ''; - }; - - extraConfig = '' - # Security headers. - add_header X-Frame-Options "DENY" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "strict-origin-when-cross-origin" always; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always; - add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always; - - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; -} 
diff --git a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix index d60f70b..7576beb 100644 --- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix @@ -1,9 +1,9 @@ { pkgs, ... }: let - elementWebVersion = "1.12.17"; + elementWebVersion = "1.12.2"; element-web = pkgs.fetchzip { url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-ZlL4lQar/nEqA/1Js/aQvlnscWfb41oPbK69jSL9584="; + sha256 = "sha256-EZtySIQHgb+Boq97LhzFYKTEO///6YMH3O2DrAy+7Fs="; }; elementWebSecurityHeaders = '' # Configuration best practices @@ -28,7 +28,7 @@ in ]; }; listen = [{ - addr = "0.0.0.0"; + addr = "localhost"; port = 8443; ssl = true; extraParameters = ["proxy_protocol"]; @@ -60,8 +60,7 @@ in # redirect server error pages to the static page /50x.html error_page 500 502 503 504 /50x.html; - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol; ''; }; diff --git a/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix new file mode 100644 index 0000000..c746f3d --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/gameserver.grzb.de.nix 
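Review bot: `elementWebVersion` goes backwards in the first hunk, from 1.12.17 to 1.12.2, so the web client served to users loses whatever fixes upstream shipped between those releases. If this is a deliberate rollback, a comment beside the version such as `# rolled back from 1.12.17 on purpose; reason: TODO` would keep it from being mistaken for an update later. The new `sha256` still pins the fetched tarball, so the integrity check itself is unchanged. The `let` block continues outside the hunk.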
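Review bot: The last hunk replaces two commented `set_real_ip_from` lines with an uncommented `set_real_ip_from 127.0.0.1;`, so the file no longer says whose address is being trusted; I would add `# trust PROXY protocol headers only from the stream proxy on this host` above it. With loopback as the trusted source, any local process that can connect to port 8443 can present its own PROXY header and so choose the `$remote_addr` that ends up in logs and access rules, which is worth stating where the directive lives. nekover.se.nix makes the same change in its last hunk. The `extraConfig` string starts outside this hunk.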
@@ -0,0 +1,28 @@ +{ ... }: +{ + services.nginx.virtualHosts."gameserver.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; + locations."/" = { + proxyPass = "http://pterodactyl.vs.grzb.de"; + extraConfig = '' + proxy_redirect off; + proxy_buffering off; + proxy_request_buffering off; + ''; + }; + extraConfig = '' + client_max_body_size 1024m; + add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; + }; +} diff --git a/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix new file mode 100644 index 0000000..ac9eefb --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/git.grzb.de.nix @@ -0,0 +1,30 @@ +{ ... }: +{ + services.nginx.virtualHosts."git.grzb.de" = { + forceSSL = true; + enableACME = true; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; + locations."/" = { + proxyPass = "http://gitlab.vs.grzb.de:80"; + extraConfig = '' + gzip off; + proxy_read_timeout 300; + proxy_connect_timeout 300; + proxy_redirect off; + ''; + }; + extraConfig = '' + client_max_body_size 1024m; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; + }; +} diff --git a/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix new file mode 100644 index 0000000..1ab842a --- /dev/null +++ b/config/hosts/web-public-2/virtualHosts/mewtube.nekover.se.nix 
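Review bot: `proxyPass = "http://pterodactyl.vs.grzb.de";` forwards this vhost's traffic to the backend in cleartext after TLS is terminated here, so any credentials or session cookies are readable on whatever path lies between the two hosts; that path is not visible in this diff. If the backend can serve TLS, `proxyPass = "https://pterodactyl.vs.grzb.de";` would close the gap; otherwise a comment such as `# upstream is plain HTTP; link to the backend is assumed to be a trusted internal network` records the assumption. git.grzb.de.nix, anisync.grzb.de.nix and mewtube.nekover.se.nix proxy over plain HTTP in the same way.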
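Review bot: In git.grzb.de.nix, `add_header X-Frame-Options DENY;` and `add_header X-Content-Type-Options nosniff;` are emitted only on nginx's default set of success and redirect status codes, so error responses go out without them. Appending `always`, as in `add_header X-Frame-Options DENY always;` and `add_header X-Content-Type-Options nosniff always;`, covers 4xx and 5xx responses as well. The `nosniff` headers in anisync.grzb.de.nix and gameserver.grzb.de.nix have the same gap.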
@@ -0,0 +1,20 @@ +{ ... }: +{ + services.nginx.virtualHosts."mewtube.nekover.se" = { + forceSSL = true; + enableACME = true; + listen = [{ + addr = "localhost"; + port = 8443; + ssl = true; + extraParameters = ["proxy_protocol"]; + }]; + locations."/" = { + proxyPass = "http://cloudtube.vs.grzb.de:10412"; + }; + extraConfig = '' + set_real_ip_from 127.0.0.1; + real_ip_header proxy_protocol; + ''; + }; +} diff --git a/config/hosts/web-public-2/virtualHosts/nekover.se.nix b/config/hosts/web-public-2/virtualHosts/nekover.se.nix index f33a3b9..40ee30d 100644 --- a/config/hosts/web-public-2/virtualHosts/nekover.se.nix +++ b/config/hosts/web-public-2/virtualHosts/nekover.se.nix @@ -4,7 +4,7 @@ forceSSL = true; enableACME = true; listen = [{ - addr = "0.0.0.0"; + addr = "localhost"; port = 8443; ssl = true; extraParameters = ["proxy_protocol"]; @@ -22,16 +22,8 @@ add_header Access-Control-Allow-Origin *; ''; }; - locations."/.well-known/matrix/support" = { - return = "200 '{\"contacts\": [{\"email_address\": \"admin@nekover.se\", \"role\": \"m.role.admin\"}]}'"; - extraConfig = '' - default_type application/json; - add_header Access-Control-Allow-Origin *; - ''; - }; extraConfig = '' - set_real_ip_from 10.202.41.100; # IPv4 from web-public-2 - set_real_ip_from 10.203.10.3; # IPv6 from valkyrie + set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol; ''; }; diff --git a/config/users/colmena-deploy/default.nix b/config/users/colmena-deploy/default.nix index 2ebb9a8..cc4029b 100644 --- a/config/users/colmena-deploy/default.nix +++ b/config/users/colmena-deploy/default.nix @@ -8,7 +8,6 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew" ]; }; } 
diff --git a/config/users/fi/default.nix b/config/users/fi/default.nix index 54881d6..6aed7cf 100644 --- a/config/users/fi/default.nix +++ b/config/users/fi/default.nix @@ -8,7 +8,6 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE95OjEez/yE+GIaeIoz3OwkXboLboPY4ss9nkt4FLyW fi@kiara" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew" ]; }; } diff --git a/config/users/yuri/default.nix b/config/users/yuri/default.nix index f4ca1c7..4b2b8ac 100644 --- a/config/users/yuri/default.nix +++ b/config/users/yuri/default.nix @@ -7,7 +7,6 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDdk3FLQRoCWxdOxg4kHcPqAu3QQOs/rY9na2Al2ilGl yuri@violet" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICuhk+x7msByGFekRmS2SMeTT3sC4I0MtuEQXjN8MZXa fi@cherry" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPPi3G2JfDLJeLVtdF8fEQN9S6W1xfLNmzFm74f0jN6t fi@stardew" ]; }; } diff --git a/flake.lock b/flake.lock index fa8e70b..1ba87cf 100644 --- a/flake.lock +++ b/flake.lock @@ -19,11 +19,11 @@ "flake-compat": { "flake": false, "locked": { - "lastModified": 1767039857, - "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=", + "lastModified": 1761588595, + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", "owner": "edolstra", "repo": "flake-compat", - "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", "type": "github" }, "original": { 
@@ -45,11 +45,11 @@ ] }, "locked": { - "lastModified": 1772893680, - "narHash": "sha256-JDqZMgxUTCq85ObSaFw0HhE+lvdOre1lx9iI6vYyOEs=", + "lastModified": 1763319842, + "narHash": "sha256-YG19IyrTdnVn0l3DvcUYm85u3PaqBt6tI6VvolcuHnA=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "8baab586afc9c9b57645a734c820e4ac0a604af9", + "rev": "7275fa67fbbb75891c16d9dee7d88e58aea2d761", "type": "github" }, "original": { @@ -103,11 +103,11 @@ ] }, "locked": { - "lastModified": 1769813415, - "narHash": "sha256-nnVmNNKBi1YiBNPhKclNYDORoHkuKipoz7EtVnXO50A=", + "lastModified": 1764234087, + "narHash": "sha256-NHF7QWa0ZPT8hsJrvijREW3+nifmF2rTXgS2v0tpcEA=", "owner": "nix-community", "repo": "nixos-generators", - "rev": "8946737ff703382fda7623b9fab071d037e897d5", + "rev": "032a1878682fafe829edfcf5fdfad635a2efe748", "type": "github" }, "original": { @@ -118,11 +118,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1777554940, - "narHash": "sha256-adRHzYRN0huy51aAykoXC4xxBe84AupPMp81lmoNJHM=", + "lastModified": 1765178948, + "narHash": "sha256-Kb3mIrj4xLg2LeMvok0tpiGPis1VnrNJO0l4kW+0xmc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "7fea5ede44b70af67136a82b41e39878cfb3a51b", + "rev": "f376a52d0dc796aec60b5606a2676240ff1565b9", "type": "github" }, "original": { @@ -134,11 +134,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1777592373, - "narHash": "sha256-/H8BBZdwWPVS9mzK5a8XskmLI+wMf6Zf8d22ZLeWSc4=", + "lastModified": 1765227377, + "narHash": "sha256-OeTF3YNuXZxN4TxluVEdCG32e5/0pYDb5exWe0RrQBY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "6d457375d24d7d6c8b537a161660173ca225dfdf", + "rev": "a0ea537a4fc4c49fb1e226317829c8b32ed95d0e", "type": "github" }, "original": { 
@@ -150,11 +150,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1777586718, - "narHash": "sha256-XqqAel6imMLIA8ZeX5CNydzOaokD6GIoUf02DuFeWr4=", + "lastModified": 1765183668, + "narHash": "sha256-TBA7CE44IHYfvOPBWcyLncpVrrKEiXWPdOrF8CD6W84=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "417335fe04072fe234d9a566b72d7955df681844", + "rev": "fc2de1563f89f0843eba27f14576d261df0e3b80", "type": "github" }, "original": { @@ -166,11 +166,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1773831496, - "narHash": "sha256-JW2/QPyCVzmouqEp1H9kNa8JXd7xEhlam9sy3TYfhDY=", + "lastModified": 1764020296, + "narHash": "sha256-6zddwDs2n+n01l+1TG6PlyokDdXzu/oBmEejcH5L5+A=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "826430a188181a750ffa5948daff334039c5d741", + "rev": "a320ce8e6e2cc6b4397eef214d202a50a4583829", "type": "github" }, "original": { @@ -197,11 +197,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1773912645, - "narHash": "sha256-QHzRqq6gh+t3F/QU9DkP7X63dDDcuIQmaDz12p7ANTg=", + "lastModified": 1764185122, + "narHash": "sha256-+HUOwSIFLoyett2cvRjuFIbhobpHallfP9J2cia1apo=", "owner": "simple-nixos-mailserver", "repo": "nixos-mailserver", - "rev": "25e6dbb8fca3b6e779c5a46fd03bd760b2165bb5", + "rev": "a14fe3b293ec2720e5b7fc72ad136d22967e12ba", "type": "gitlab" }, "original": {